Microsoft Microsoft Certified: Cybersecurity Architect Expert SC-100 Questions & Answers
Question 21:
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.
You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.
You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.
What should you recommend?
A. a managed identity in Azure
B. an Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)
C. a group managed service account (gMSA)
D. an Azure AD user account that has a password stored in Azure Key Vault
Correct Answer: D
Question 22:
You are designing a ransomware response plan that follows Microsoft Security Best Practices.
You need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files.
What should you include in the recommendation?
A. Windows Defender Device Guard
B. Microsoft Defender for Endpoint
C. Azure Files
D. BitLocker Drive Encryption (BitLocker)
E. protected folders
Correct Answer: B
Question 23:
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator
authorizes the application.
Which security control should you recommend?
A. Azure AD Conditional Access App Control policies
B. Azure Security Benchmark compliance controls in Defender for Cloud
C. app protection policies in Microsoft Endpoint Manager
D. application control policies in Microsoft Defender for Endpoint
Correct Answer: D
Explanation:
Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.
Note: Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.
Incorrect:
Not C: App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of
actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.
Mobile Application Management (MAM) app protection policies allows you to manage and protect your organization's data within an application. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM.
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator
authorizes the application.
Which security control should you recommend?
A. app registrations in Azure AD
B. application control policies in Microsoft Defender for Endpoint
C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
D. Azure AD Conditional Access App Control policies
Correct Answer: B
Explanation:
Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.
Incorrect:
Not C: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are
considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.
Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
What should you recommend?
A. Compliance Manager in Microsoft Purview
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
Correct Answer: D
Question 26:
Your company uses Azure Pipelines and Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.
You are updating the deployment process to align with DevSecOps controls guidance in the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a solution to ensure that all code changes are submitted by using pull requests before being deployed by the CI/CD workflow.
What should you include in the recommendation?
A. custom roles in Azure Pipelines
B. branch policies in Azure Repos
C. Azure policies
D. custom Azure roles
Correct Answer: B
Explanation:
Securing Azure Pipelines
YAML pipelines offer the best security for your Azure Pipelines. In contrast to classic build and release pipelines, YAML pipelines:
*
Can be code reviewed. YAML pipelines are no different from any other piece of code. You can prevent malicious actors from introducing malicious steps in your pipelines by enforcing the use of Pull Requests to merge changes. Branch policies make it easy for you to set this up.
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator
authorizes the application.
Which security control should you recommend?
A. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
B. Azure AD Conditional Access App Control policies
C. adaptive application controls in Defender for Cloud
D. app protection policies in Microsoft Endpoint Manager
Correct Answer: C
Explanation:
Use adaptive application controls to reduce your machines' attack surfaces
Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.
When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.
Incorrect:
Not A: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are
considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. OAuth app policies in Microsoft Defender for Cloud Apps
B. Azure Security Benchmark compliance controls in Defender for Cloud
C. application control policies in Microsoft Defender for Endpoint
D. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
Correct Answer: C
Explanation:
Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.
Incorrect:
Not A: Microsoft Defender for Cloud Apps OAuth app policies.
OAuth app policies enable you to investigate which permissions each app requested and which users authorized them for Office 365, Google Workspace, and Salesforce. You're also able to mark these permissions as approved or banned.
Marking them as banned will revoke permissions for each app for each user who authorized it.
Note: In addition to the existing investigation of OAuth apps connected to your environment, you can set permission policies so that you get automated notifications when an OAuth app meets certain criteria. For example, you can
automatically be alerted when there are apps that require a high permission level and were authorized by more than 50 users.
Your company is developing an invoicing application that will use Azure AD B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD Conditional Access integration with user flows and custom policies
B. smart account lockout in Azure AD B2C
C. access packages in Identity Governance
D. custom resource owner password credentials (ROPC) flows in Azure AD B2C
Correct Answer: AB
Explanation:
A: Add Conditional Access to user flows in Azure Active Directory B2C Conditional Access can be added to your Azure Active Directory B2C (Azure AD B2C) user flows or custom policies to manage risky sign-ins to your applications. Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies.
B: Mitigate credential attacks in Azure AD B2C with smart lockout Credential attacks lead to unauthorized access to resources. Passwords that are set by users are required to be reasonably complex. Azure AD B2C has mitigation techniques in place for credential attacks. Mitigation includes detection of brute-force credential attacks and dictionary credential attacks. By using various signals, Azure Active Directory B2C (Azure AD B2C) analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets.
Incorrect:
Not C: Identity Governance though useful, does not address this specific scenario: to secure the application from identity-related attack in an Azure AD B2C environment.
Note: Identity Governance gives organizations the ability to do the following tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds:
Govern the identity lifecycle
Govern access lifecycle
Secure privileged access for administration
Specifically, it is intended to help organizations address these four key questions:
Which users should have access to which resources?
What are those users doing with that access?
Are there effective organizational controls for managing access?
Can auditors verify that the controls are working?
Note: An access package enables you to do a one-time setup of resources and policies that automatically administers access for the life of the access package.
Not D: In Azure Active Directory B2C (Azure AD B2C), the resource owner password credentials (ROPC) flow is an OAuth standard authentication flow. In this flow, an application, also known as the relying party, exchanges valid credentials
for tokens. The credentials include a user ID and password.
Your company has on-premises Microsoft SQL Server databases.
The company plans to move the databases to Azure.
You need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs.
What should you include in the recommendation?
A. SQL Server on Azure Virtual Machines
B. Azure Synapse Analytics dedicated SQL pools
C. Azure SQL Database
Correct Answer: C
Explanation:
Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.
Azure SQL Database is cheaper as its offer DTU's based tier and also vCore based for more intensive workflow.
Hovewer, Managed Instance offers almost ~100% compatibility with on-prem Microsoft SQL Server.
Incorrect:
Not A: SQL Server does not support dynamic data masking.
Not B: Synapse Analytics is more expensive compared to Azure SQL Database.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Microsoft exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SC-100 exam preparations and Microsoft certification application, do not hesitate to visit our Vcedump.com to find your solutions here.