Exam Code: SC-100
Exam Name: Microsoft Cybersecurity Architect
Certification Provider: Microsoft
Free Question Number: 82
Version: v2024-07-22
# of views: 370
# of Questions views: 9168
Recent Comments (The most recent comments are at the top.)
No.# Selected Answer: D
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
https://docs.microsoft.com/en-us/power-platform/admin/restrict-access-online-trusted-ip-rules
No.# Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
No.# GIT Workflow ---> Protected Branch
Secure Deployment credentials --> Key Vault
Ref : https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops
No.# By using Microsoft 365 Defender, you can evaluate the security posture of Windows 11 devices managed by Microsoft Intune. This solution provides advanced threat protection, detection, and response capabilities for endpoints within the Microsoft 365 environment.
For the evaluation of Azure Storage accounts and Azure virtual machines, you should utilize Microsoft Defender for Cloud (formerly known as Azure Defender). It offers comprehensive threat protection and security monitoring for various Azure services, including Azure Storage accounts and Azure virtual machines. This will help you assess their security configurations, detect vulnerabilities, and receive security recommendations.
Microsoft 365 Defender includes both of those and quite a bit else.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide
"Here's a list of the different Microsoft 365 Defender products and solutions:
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender Vulnerability Management
Azure Active Directory Identity Protection
Microsoft Data Loss Prevention
App Governance
Microsoft Defender for Cloud"...
No.# Data security:
Access keys stored in Azure Key Vault: This ensures that sensitive keys are securely stored and managed, reducing the risk of unauthorized access.
Network access control:
Azure Private Link with network service tags: This provides secure and private connectivity to Azure services, ensuring that data transfer occurs over a private network rather than the public internet.
No.# D
Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. Using Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) with Azure Virtual Desktop prompts users during the sign-in process for another form of identification in addition to their username and password. You can enforce MFA for Azure Virtual Desktop using Conditional Access, and can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients.
No.# To enable Azure AD authentication for App1, use Azure AD application
To implement access requests for App1, use an access package in identity governance
To enable Azure AD authentication for App1 and provide access security, the recommended solution is to use an Azure AD application. You should create an Azure AD application, configure the necessary permissions, and assign users and groups to the application.
An access package in identity governance should be used to implement access requests for App1. Identity Governance provides access packages that allow users to request access to specific applications, groups, or roles. The request is routed to the appropriate approver, who can either approve or reject the request. Access packages can be created, managed, and assigned in the Azure portal, and can be customized to include specific access policies and permissions. This provides a streamlined and secure way to manage access to App1, ensuring that only authorized users can access sensitive data or resources....
No.# I would go for:
a) Azure AD application (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management)
b) An access package in identity governance (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create)
No.# Segment Microsoft Sentinel workspaces by: Region and Azure AD tenant
Do that because the case study states "...mergers and acquisitions. The acquisitions include several companies based in France."
Relevant information from Microsoft is on this Best Practices page for workspace architecture:
https://docs.microsoft.com/en-us/azure/sentinel/best-practices-workspace-architecture#region-considerations
Lighthouse is correct for Box2
No.# For the database administrators: Always Encrypted
For the operators: Dynamic Data Masking
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine.
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer.
No.# Branch policies in Azure Repos provide a way to enforce code review policies before a pull request can be completed and merged into a target branch. This ensures that all code changes are submitted through a pull request and reviewed by other members of the team before being deployed by the CI/CD workflow.
Branch policies can be configured to require specific reviewers, require a minimum number of approvals, and block direct pushes to the target branch. This helps to ensure that code changes are thoroughly reviewed and meet the established standards before being merged into the target branch.
No.# This rapid modernization plan (RAMP) will help you quickly adopt Microsoft's recommended privileged access strategy.
No.# 1️⃣ What is Multi-User Authorization (MUA) with Resource Guard?
Multi-User Authorization (MUA) is a feature provided by Azure Backup that ensures critical operations (like deleting backups or changing security configurations) require multiple authorized users.
Resource Guard is used to enforce this multi-user approval mechanism, making it harder for a single compromised administrator account to perform destructive actions.
2️⃣ Why Resource Guard is the Best Choice:
Prevents a single point of failure: If an admin account is compromised, the attacker cannot delete backups without additional authorization.
Separation of Duties (SoD): Resource Guard enforces strict role-based access control (RBAC) to ensure that only authorized users can approve sensitive backup operations.
Immutable Backups: Protects your backups from accidental or malicious deletion.
No.# C
Among the options provided, C. Enable self-healing in Microsoft 365 Defender is the one that aligns most closely with this goal.
Self-healing capabilities in Microsoft 365 Defender can automatically detect, investigate, and remediate security threats, which would otherwise require manual intervention by SOC analysts. By automating these processes, you can minimize the operational load on Tier 1 analysts and allow them to focus on more complex security issues.
Options A, B, and D are relevant to various aspects of security and compliance but don't specifically target the operational load on Tier 1 SOC analysts in the same way that option B does. Therefore, the correct answer is:
B. Enable self-healing in Microsoft 365 Defender.
No.# • Project managers must verify that their project group contains only the current members of their project team.
This means access reviews; Lifecycle Workflow would do all of this automatically based on the user attributes (such as department or team).
You have multiple project teams. Each team has an **AD DS group** that **syncs with Azure AD.** (these being the key to find the correct answer)
Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.
The correct answer is "Enable group write back for the existing synced group."
No.# Exfiltration of data - Defender for Cloud Apps
Data across domains - Defender for Identity
Reference: MCRA Slide 15
No.# A read-only lock on a storage account prevents users from listing the account keys ----> https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
No.# Hybrid Connections is a feature in Azure App Service that provides a way to access application resources in other networks. It uses a secure, outbound-only connection that doesn’t require opening inbound ports to your on-premises network. This makes it a suitable choice for accessing on-premises databases without exposing additional internet-accessible endpoints.
No.# A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually on-demand on entities (in preview - see below) and alerts, or set to run automatically in response to specific alerts or incidents, when triggered by an automation rule.
No.# Azure SQL Database with Intel Software Guard Extensions (Intel SGX) enclaves
This recommendation meets all the specified requirements:
Minimizes risks of malware using elevated privileges: Always Encrypted with Intel SGX enclaves protects sensitive data from high-privilege users and malware in the database environment.
Prevents database administrators from accessing sensitive data: Always Encrypted provides separation between those who own the data and those who manage it but should have no access.
Enables pattern matching for server-side database operations: Intel SGX enclaves support rich confidential queries, including pattern matching, on encrypted data.
Supports Microsoft Azure Attestation: Intel SGX enclaves in Azure SQL Database work with Azure Attestation for verifying the authenticity of the secure enclave.
Uses hardware-based encryption: Intel SGX is a hardware-based technology that provides stronger security guarantees compared to virtualization-based security (VBS) enclaves.
Additionally, Intel SGX enclaves offer the highest level of data protection among the options, as they are resistant to attacks from the host operating system...