Microsoft Microsoft Certified: Cybersecurity Architect Expert SC-100 Questions & Answers

• Question 161:

  Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.

  You need to recommend a solution to the application development team to secure the application from identity-related attacks.

  Which two configurations should you recommend? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Azure AD workbooks to monitor risk detections

  B. Azure AD Conditional Access integration with user flows and custom policies

  C. smart account lockout in Azure AD B2C

  D. access packages in Identity Governance

  E. custom resource owner password credentials (ROPC) flows in Azure AD B2C

  Correct Answer: BC

  B. Azure AD Conditional Access integration with user flows and custom policies

  C. Smart account lockout in Azure AD B2C.

  Conditional Access in Azure Active Directory (Azure AD) is a feature that enables you to enforce security policies and control access to applications based on specific conditions

  https://docs.microsoft.com/en-us/azure/active-directory-b2c/threat-management

  https://docs.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-user-flow

• Question 162:

  Your company is developing a new Azure App Service web app.

  You are providing design assistance to verify the security of the web app.

  You need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection.

  What should you include in the recommendation?

  A. dynamic application security testing (DAST)

  B. static application security testing (SAST)

  C. interactive application security testing (IAST)

  D. runtime application self-protection (RASP)

  Correct Answer: A

  Dynamic application security testing (DAST) is a process of testing an application in an operating state to find security vulnerabilities. DAST tools analyze programs while they are executing to find security vulnerabilities such as memory

  corruption, insecure server configuration, cross-site scripting, user privilege issues, SQL injection, and other critical security concerns.

  Incorrect:

  Not B: SAST tools analyze source code or compiled versions of code when the code is not executing in order to find security flaws.

  Not C: IAST (interactive application security testing) analyzes code for security vulnerabilities while the app is run by an automated test, human tester, or any activity “interacting” with the application functionality.

  IAST works inside the application, which makes it different from both static analysis (SAST) and dynamic analysis (DAST). This type of testing also doesn't test the entire application or codebase, but only whatever is exercised by the

  functional test.

  Not D: Runtime Application Self Protection (RASP) is a security solution designed to provide personalized protection to applications. It takes advantage of insight into an application's internal data and state to enable it to identify threats at

  runtime that may have otherwise been overlooked by other security solutions.

  RASP's focused monitoring makes it capable of detecting a wide range of threats, including zero-day attacks. Since RASP has insight into the internals of an application, it can detect behavioral changes that may have been caused by a novel

  attack. This enables it to respond to even zero-day attacks based upon how they affect the target application.

  Reference: https://docs.microsoft.com/en-us/azure/security/develop/secure-develop

• Question 163:

  Your company has a Microsoft 365 ES subscription.

  The Chief Compliance Officer plans to enhance privacy management in the working environment.

  You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:

  1.

  Identify unused personal data and empower users to make smart data handling decisions.

  2.

  Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.

  3.

  Provide users with recommendations to mitigate privacy risks. What should you include in the recommendation?

  A. communication compliance in insider risk management

  B. Microsoft Viva Insights

  C. Privacy Risk Management in Microsoft Priva

  D. Advanced eDiscovery

  Correct Answer: C

  Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal

  guides and can help you:

  Detect overexposed personal data so that users can secure it.

  Spot and limit transfers of personal data across departments or regional borders.

  Help users identify and reduce the amount of unused personal data that you store.

  Incorrect:

  Not B: Microsoft Viva Insights provides personalized recommendations to help you do your best work. Get insights to build better work habits, such as following through on commitments made to collaborators and protecting focus time in the

  day for uninterrupted, individual work.

  Not D: The Microsoft Purview eDiscovery (Premium) solution builds on the existing Microsoft eDiscovery and analytics capabilities. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, analyze, review, and export

  content that's responsive to your organization's internal and external investigations.

  Reference: https://docs.microsoft.com/en-us/privacy/priva/risk-management

• Question 164:

  You need to recommend a solution to resolve the virtual machine issue. What should you include in the recommendation?(Choose Two)

  A. Onboard the virtual machines to Microsoft Defender for Endpoint.

  B. Onboard the virtual machines to Azure Arc.

  C. Create a device compliance policy in Microsoft Endpoint Manager.

  D. Enable the Qualys scanner in Defender for Cloud.

  Correct Answer: AD

  Scenario: 20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud.

  Existing Environment. Problem Statements

  The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.

  All the virtual machines must be compliant in Defender for Cloud.

  Note: Deploying Microsoft Defender for Endpoint is a two-step process.

  Onboard devices to the service

  Configure capabilities of the service

  Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm https://docs.microsoft.com/en-us/microsoft-365/security/defenderendpoint/switch-to-mde-phase-3?view=o365-worldwide