Microsoft SC-100 Online Practice
Questions and Exam Preparation
SC-100 Exam Details
Exam Code
:SC-100
Exam Name
:Microsoft Cybersecurity Architect
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:350 Q&As
Last Updated
:Jul 12, 2026
Microsoft SC-100 Online Questions &
Answers
Question 301:
You have a Microsoft 365 subscription that uses Microsoft Purview.
You need to recommend a solution that will provide guidance on how to ensure that Personally Identifiable Information (PII) in the subscription adheres to local privacy regulations. The solution must minimize administrative effort.
Which Microsoft Purview solution should you include in the recommendation?
A. Data Loss Prevention B. Information Protection C. Insider Risk Management D. Compliance Manager
D. Compliance Manager
Question 302:
HOTSPOT
Your company has offices in 10 countries.
You have a Microsoft 365 subscription that contains 1,000 users. Each user is assigned a Microsoft 365 E5 license.
You plan to deploy a compliance assessment solution.
The solution must meet the following requirements:
1. Ensure that compliance is assessed based on the regulations of the country of each office.
2. Provide improvement action guidance to ensure compliance of the subscription.
You need to recommend the service that should be used to perform the assessments, and identify additional costs that will be incurred.
What should you recommend and what should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 303:
You have an Azure subscription that contains 100 virtual machines, a virtual network named VNet1, and 20 users. The virtual machines run Windows Server and are connected to VNet1. The users work remotely and access Azure resources from Linux workstations.
You need to ensure that the users can connect to the virtual machines from the workstations by using Secure Shell {SSH). The solution must meet the following requirements:
Ensure that the users authenticate by using their Microsoft Entra credentials.
Prevent the users from transferring files from the virtual machines by using SSH.
Prevent the users from directly accessing the virtual machines by using the public IP address of the virtual machines.
What should you include in the solution?
A. Azure Bastion B. Azure NAT Gateway C. just-in-time (JIT) VM access D. Point-to-Site (P2S) VPN
A. Azure Bastion
Question 304:
HOTSPOT
You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure.
During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Plan and develop
Plan and develop
Typically, modern development follows an agile development methodology. Scrum is one implementation of agile methodology that has every sprint start with a planning activity. Introducing security into this part of the development process should focus on:
* Threat modeling to view the application through the lens of a potential attacker
* IDE security plug-ins and pre-commit hooks for lightweight static analysis checking within an integrated development environment (IDE).
* Peer reviews and secure coding standards to identify effective security coding standards, peer review processes, and pre-commit hooks.
It's not mandatory to add all these steps. But each step helps reveal security issues early, when they're much cheaper and easier to fix.
Box 2: Operate
Go to production and operate.
When the solution goes to production, it's vital to continue overseeing and managing the security state. At this stage in the process, it's time to focus on the cloud infrastructure and overall application.
Configuration and infrastructure scanning Penetration testing Actionable intelligence
The tools and techniques in this guidance offer a holistic security model for organizations who want to move at pace and experiment with new technologies that aim to drive innovation. A key element of DevSecOps is data-driven, event-driven processes. These processes help teams identify, evaluate, and respond to potential risks. Many organizations choose to integrate alerts and usage data into their IT service management (ITSM) platform. The team can then bring the same structured workflow to security events that they use for other incidents and requests.
Box 3: Build and test Build and test Many organizations use build and release pipelines to automate and standardize the processes for building and deploying code. Release pipelines let development teams make iterative changes to sections of code quickly and at scale. The teams won't need to spend large amounts of time redeploying or upgrading existing environments.
Using release pipelines also lets teams promote code from development environments, through testing environments, and ultimately into production. As part of automation, development teams should include security tools that run scripted, automated tests when deploying code into testing environments. The tests should include unit testing on application features to check for vulnerabilities or public endpoints. Testing ensures intentional access.
Dynamic application security testing (DAST)
In a classical waterfall development model, security was typically introduced at the last step, right before going to production. One of the most popular security approaches is penetration testing or pen testing. Penetration testing lets a team look at the application from a black-box security perspective, as in, closest to an attacker mindset.
To meet the application security requirements, which two authentication methods must the applications support? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Security Assertion Markup Language (SAML) B. NTLMv2 C. certificate-based authentication D. Kerberos
A. Security Assertion Markup Language (SAML) D. Kerberos
Explanation
A: SAML
Litware identifies the following application security requirements: Identify internal applications that will support single sign-on (SSO) by using Azure AD Application Proxy.
You can provide single sign-on (SSO) to on-premises applications that are secured with SAML authentication and provide remote access to these applications through Application Proxy. With SAML single sign-on, Azure Active Directory (Azure AD) authenticates to the application by using the user's Azure AD account.
D: You can provide single sign-on for on-premises applications published through Application Proxy that are secured with integrated Windows authentication. These applications require a Kerberos ticket for access. Application Proxy uses Kerberos Constrained Delegation (KCD) to support these applications.
Incorrect:
Not C: Certificate. This is not a custom domain scenario!
If you're using a custom domain, you also need to upload the TLS/SSL certificate for your application.
To configure an on-premises app to use a custom domain, you need a verified Azure Active Directory custom domain, a PFX certificate for the custom domain, and an on-premises app to configure.
You have a Microsoft Entra tenant named contoso.com.
You are collaborating with an external partner that has a Microsoft Entra tenant named fabrikam.com.
You need to recommend an identity governance solution for contoso.com that meets the following requirements:
Enables users in both contoso.com and fabrikam.com to communicate via shared Microsoft Teams channels.
1. Manages access to shared Teams channels in contoso.com using groups from fabrikam.com.
2. Supports single sign-on (SSO).
3. Minimizes administrative effort.
4. Maximizes security.
What should you include in the recommendation?
A. Cross-tenant synchronization B. Microsoft Entra B2B collaboration C. B2B direct connect D. Microsoft Entra Connect Sync
C. B2B direct connect
Explanation
B2B direct connect is a feature of Microsoft Entra External ID that lets you set up a mutual trust relationship with another Microsoft Entra organization for seamless collaboration. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each other's organizations as guests. Use B2B direct connect to share resources with external Microsoft Entra organizations. Or use it to share resources across multiple Microsoft Entra tenants within your own organization. B2B direct connect requires a mutual trust relationship between two Microsoft Entra organizations to allow access to each other's resources. Both the resource organization and the external organization need to mutually enable B2B direct connect in their cross-tenant access settings. When the trust is established, the B2B direct connect user has single sign-on access to resources outside their organization using credentials from their home Microsoft Entra organization.
You need to recommend a solution to evaluate regulatory compliance across the entire managed environment. The solution must meet the regulatory compliance requirements and the business requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Azure Policy initiatives to management groups
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups the governance conditions you apply cascade by inheritance to all associated subscriptions.
If you plan to apply a policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.
With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.
Incorrect:
Not: Azure Policy initiatives to subscriptions Must use a management group as we have multiple subscriptions.
Scenario:
Requirements. Business Requirements
Litware identifies the following business requirements:
1. Minimize any additional on-premises infrastructure.
2. Minimize the operational costs associated with administrative overhead.
Box 2: Azure Arc
With Azure Arc:
Meet governance and compliance standards for apps, infrastructure, and data with Azure Policy.
Take advantage of elastic scale, consistent on-premises and multicloud management, and cloud-style billing models.
Note: Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.
Your company has devices that run either Windows 10, Windows 11, or Windows Server.
You are in the process of improving the security posture of the devices.
You plan to use security baselines from the Microsoft Security Compliance Toolkit.
What should you recommend using to compare the baselines to the current device configurations?
A. Microsoft Intune B. Local Group Policy Object (LGPO) C. Windows Autopilot D. Policy Analyzer
D. Policy Analyzer
Explanation
Microsoft Security Compliance Toolkit 1.0, Policy Analyzer.
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include: Highlight when a set of Group Policies has redundant settings or internal inconsistencies.
Highlight the differences between versions or sets of Group Policies.
Compare GPOs against current local policy and local registry settings Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
Note: The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
Security Compliance Toolkit Tools:
Policy Analyzer
Local Group Policy Object (LGPO) Set Object Security GPO to Policy Rules
Incorrect:
Not B: Local Group Policy Object (LGPO)
What is the Local Group Policy Object (LGPO) tool?
LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non- domain-joined systems. LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted "LGPO text" files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Your on-premises network contains an Active Directory Domain Services (AD DS) domain, along with a hybrid deployment between a Microsoft Exchange Server 2019 organization and an Exchange Online tenant. The AD DS domain includes a group named Group1, which is a member of the Organization Management role group for the Exchange deployment.
You have a Microsoft 365 E5 subscription that utilizes Microsoft Defender, as well as an Azure subscription that integrates with Microsoft Sentinel.
You need to recommend a solution to ensure that Group1 is designated as a sensitive group and that any changes to Group1 trigger an alert in Microsoft Sentinel. The solution must minimize administrative effort.
What should you include in your recommendation?
A. Microsoft Defender for Identity B. Microsoft Entra ID Protection C. Microsoft Entra Privileged Identity Management (PIM) D. Microsoft Defender for Office 365
A. Microsoft Defender for Identity
Explanation
Alert changes to sensitive AD groups using MDI (Microsoft Defender for Identity) Microsoft Defender for Identity is a very powerful tool when it comes to track changes to users and groups in your on-prem Active Directory. When used in combination of the advanced hunting capabilities available in the Microsoft 365 Defender portal and custom detection rules you can very easily automate the change tracking.
If you protect any on-prem Active Directory, you should be aware to changes to any privileged groups.
Microsoft itself list a few of them in their documentation on Active Directory Domain Services and in the Defender for Identity documentation adds additional ones. In total there are 17 groups marked as sensitive.
Automate vulnerability code scanning for public and private repositories
Configuring secret scanning for your repositories
Who can use this feature: People with admin permissions to a public repository can enable secret scanning for the repository.
Secret scanning alerts for partners runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on GitHub.com.
Secret scanning alerts for users are available for free on all public repositories. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. For more information, see "About secret scanning" and "About GitHub Advanced Security."
Box 2:
Automate the generation of pull requests that remediate identified vulnerabilities.
Automatically updating dependencies with known vulnerabilities with Dependabot security updates Dependabot can help you fix vulnerable dependencies by automatically raising pull requests to update dependencies to secure versions.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SC-100 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.