Microsoft SC-100 Online Practice
Questions and Exam Preparation
SC-100 Exam Details
Exam Code
:SC-100
Exam Name
:Microsoft Cybersecurity Architect
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:350 Q&As
Last Updated
:Jul 12, 2026
Microsoft SC-100 Online Questions &
Answers
Question 11:
HOTSPOT
You have an Azure subscription that contains three Azure App Service web apps.
You need to secure the apps by using Azure Web Application Firewall (WAF) on Azure Front Door. The solution must meet the following requirements:
1. Block attempts to access the apps from malicious bots.
2. Rate limit incoming connections to the apps.
The solution must minimize administrative effort.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 12:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.
Does this meet the goal?
A. Yes B. No
A. Yes
Explanation
We need to use customer-managed keys.
Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. In Azure, the default setting for TDE is that the Database Encryption Key (DEK) is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).
Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end- to-end rotation.
You plan to deploy multiple containerized microservice-based apps to Azure Kubemetes Service (AKS)
You need to recommend a solution that meets the following requirements:
1. Manages secrets
2. Provides encryption
3. Secures service-to-service communication by using mTLS encryption
4. Minimizes administrative effort
What should you include in the recommendation?
A. Flux B. Envoy C. Dapr D. Istio
D. Istio
Question 14:
HOTSPOT
You have on-premises servers and virtual machines that run Windows Server, Red Hat Enterprise Linux (RHEL) 7, or RHEL 8.
You have an Azure subscription that contains virtual machines running Windows Server Datacenter: Azure Edition.
You need to recommend a solution to manage operating system updates for the on-premises servers and the virtual machines. The solution must meet the following requirements:
1. Enable hotpatching for the Azure virtual machines.
2. Enable on-demand inventory and deployment of updates.
3. Enable the deployment of Extended Security Update (ESU) patches to the on-premises servers.
What should you include in the recommendation?
To answer, select the options in the answer area.Each correct answer is worth one point.
Box 1: Azure Update Manager
For update management, use:
Support matrix for Azure Update Manager Operating system updates Update Manager supports operating system updates for both Windows and Linux.
Extended Security Updates (ESU) for Windows Server Using Azure Update Manager, you can deploy Extended Security Updates for your Azure Arc-enabled Windows Server 2012 / R2 machines.
Incorrect:
* Azure Automation Update Management
Azure Automation Update Management will retire on 31 August 2024.
* System Center Updates Publisher
System Center Updates Publisher (Updates Publisher) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates. This custom updates management includes updates that have dependencies, like drivers and update bundles.
Using Updates Publisher, you can:
Import updates from external catalogs (non-Microsoft update catalogs). Modify update definitions including applicability, and deployment metadata.
Export updates to external catalogs.
Publish updates to an update server.
Box 2: The Azure Connected Machine agent On the on-premises operating systems, install:
The Update Manager extension is installed and managed by using:
Azure VM Windows agent or the Azure VM Linux agent for Azure VMs. Azure Arc-enabled servers agent (also known as the Azure Connected Machine agent) for non-Azure Linux and Windows machines or physical servers. The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.
Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
What should you recommend?
A. Compliance Manager in Microsoft Purview B. Microsoft Defender for Cloud C. Microsoft Sentinel D. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Cloud
Question 16:
You have an Azure subscription that has Microsoft Defender for Cloud enabled. You need to enforce ISO 2700V2013 standards for the subscription.
The solution must ensure that noncompliant resources are remediated automatical What should you use?
A. the regulatory compliance dashboard in Defender for Cloud B. Azure Policy C. Azure Blueprints D. Azure role-based access control (Azure RBAC)
You have a Microsoft 365 E5 subscription and an Azure subscription.
You need to evaluate the existing environment to increase the overall security posture for the following components:
1. Windows 11 devices managed by Microsoft Intune
2. Azure Storage accounts
3. Azure virtual machines
What should you use to evaluate the components? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Microsoft 365 Defender
The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization.
Microsoft Defender for Endpoint works with devices that run:
1. Android
2. iOS/iPadOS
3. Windows 10
4. Windows 11
Box 2: Microsoft Defender for Cloud Microsoft Defender for Cloud currently protects Azure Blobs, Azure Files and Azure Data Lake Storage Gen2 resources. Microsoft Defender for SQL on Azure price applies to SQL servers on Azure SQL Database, Azure SQL Managed Instance and Azure Virtual Machines.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For blob containers in Azure Storage, you recommend encryption that uses customer-managed keys (CMKs).
Does this meet the goal?
A. Yes B. No
A. Yes
Explanation
We need to use customer-managed keys.
Azure Storage encryption for data at rest.
Azure Storage uses service-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Azure Storage encryption protects your data and to help you to meet your organizational security and compliance commitments.
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption.
Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options. You can use either type of key management, or both:
* You can specify a customer-managed key to use for encrypting and decrypting data in Blob Storage and in Azure Files.
* You can specify a customer-provided key on Blob Storage operations. A client making a read or write request against Blob Storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted.
Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end- to-end rotation.
You have an Azure subscription. The subscription contains an Azure SQL database named DB1 that stores customer data.
You have a Microsoft 365 subscription that uses Microsoft SharePoint Online, OneDrive, and Teams.
Users frequently create Microsoft Office documents that contain data from DB1.
You need to recommend a Microsoft Purview solution that meets the following requirements:
1. Identifies Office documents that contain customer addresses and phone numbers sourced from DB1
2. Generates an alert if a user downloads an above average number of files that contain data from DB1
3. Minimizes the number of false positives.
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 20:
Your company has a Microsoft 365 ES subscription.
The Chief Compliance Officer plans to enhance privacy management in the working environment.
You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:
1. Identify unused personal data and empower users to make smart data handling decisions.
2. Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
3. Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
A. communication compliance in insider risk management B. Microsoft Viva Insights C. Privacy Risk Management in Microsoft Priva D. Advanced eDiscovery
C. Privacy Risk Management in Microsoft Priva
Explanation
Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:
Detect overexposed personal data so that users can secure it.
Spot and limit transfers of personal data across departments or regional borders.
Help users identify and reduce the amount of unused personal data that you store.
Incorrect:
Not B: Microsoft Viva Insights provides personalized recommendations to help you do your best work. Get insights to build better work habits, such as following through on commitments made to collaborators and protecting focus time in the day for uninterrupted, individual work.
Not D: The Microsoft Purview eDiscovery (Premium) solution builds on the existing Microsoft eDiscovery and analytics capabilities. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SC-100 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.