Microsoft SC-100 Online Practice
Questions and Exam Preparation
SC-100 Exam Details
Exam Code
:SC-100
Exam Name
:Microsoft Cybersecurity Architect
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:350 Q&As
Last Updated
:Jul 12, 2026
Microsoft SC-100 Online Questions &
Answers
Question 341:
You need to recommend a solution to secure the MedicalHistory data in the ClaimsDetail table. The solution must meet the Contoso developer requirements.
What should you include in the recommendation?
A. row-level security (RLS) B. Transparent Data Encryption (TDE) C. Always Encrypted D. data classification E. dynamic data masking
The company has two Azure virtual machine scales sets hosted on different virtual networks.
The company plans to contract developers in India.
You need to recommend a solution to provide the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:
1. Prevent exposing the public IP addresses of the virtual machines.
2. Provide the ability to connect without using a VPN.
3. Minimize costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a hub and spoke network by using virtual network peering. B. Deploy Azure Bastion to each virtual network. C. Enable just-in-time VM access on the virtual machines. D. Create NAT rules and network rules in Azure Firewall. E. Deploy Azure Bastion to one virtual network.
A. Create a hub and spoke network by using virtual network peering. E. Deploy Azure Bastion to one virtual network.
Explanation
Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.
Provision the service directly in your local or peered virtual network to get support for all the VMs within it.
Connect to your virtual machines in your local and peered virtual networks over SSL, port 443, directly in the Azure portal.
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.
Architecture
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies.
You have a Microsoft 365 E5 subscription and an Azure subscription.
You are designing a Microsoft deployment.
You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events.
What should you recommend using in Microsoft Sentinel?
A. playbooks B. workbooks C. notebooks D. threat intelligence
B. workbooks
Explanation
After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in workbooks or create a new workbook easily, from scratch or based on an existing workbook.
You need to recommend a Microsoft 365 Defender solution to enhance security for the tenant. The solution must meet the following requirements:
1. Identify users that are downloading an unusually high number of files from Microsoft SharePoint Online sites and are possibly involved in a data exfiltration attempt.
2. Block Microsoft Teams messages that contain potentially malicious content by using zero-hour auto purge (ZAP).
What should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Question 346:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses customer-managed keys (CMKs).
Does this meet the goal?
A. Yes B. No
A. Yes
Explanation
We need to use customer-managed keys.
Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
In Azure, the default setting for TDE is that the Database Encryption Key (DEK) is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256.
TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).
Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end- to-end rotation.
You have an on-premises datacenter. The datacenter contains 20 servers that run Windows Server. Each server is onboarded to Azure Arc and is protected by using Microsoft Defender for Servers Plan 1.
You have a Microsoft 365 subscription.
You need to recommend a solution to identify which servers have outdated hardware drivers or firmware.
What should you include in the recommendation?
A. Change all the servers to Microsoft Defender for Servers Plan 2. B. Add the Microsoft Intune Suite add-on. C. Onboard all the servers to Azure Update Manager. D. Add Microsoft Defender Vulnerability Management add-ons.
D. Add Microsoft Defender Vulnerability Management add-ons.
Question 348:
HOTSPOT
You have an Azure subscription that contains multiple storage accounts, which include Azure Files shares and Azure Blob Storage containers. The accounts have encryption scopes and infrastructure encryption enabled.
You need to implement customer-managed key-based encryption for the shares and containers. The solution must ensure that the encryption keys are applied at the most granular level.
At which level should you apply the encryption keys?
To answer, select the appropriate options in the answer area.
Each correct selection is worth one point.
Box 1: Blob
For containers
Azure Storage Blobs, Create and manage encryption scopes. Encryption scopes enable you to manage encryption with a key that is scoped to a container or an individual blob. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.
Your company has the virtual machine infrastructure shown in the following table.
The company plans to use Microsoft Azure Backup Server (MABS) to back up the virtual machines to Azure.
You need to provide recommendations to increase the resiliency of the backup strategy to mitigate attacks such as ransomware.
What should you include in the recommendation?
A. Use geo-redundant storage (GRS). B. Implement Azure Site Recovery replication. C. Use customer-managed keys (CMKs) for encryption. D. Require PINs to disable backups.
D. Require PINs to disable backups.
Explanation
Azure Backup
Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups.
Authentication to perform critical operations
As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations.
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. app registrations in Azure Active Directory (Azure AD) B. OAuth app policies in Microsoft Defender for Cloud Apps C. Azure Security Benchmark compliance controls in Defender for Cloud D. application control policies in Microsoft Defender for Endpoint
D. application control policies in Microsoft Defender for Endpoint
Explanation
A. Azure Active Directory (Azure AD) Conditional Access App Control policies
B. OAuth app policies in Microsoft Defender for Cloud Apps
C. app protection policies in Microsoft Endpoint Manager
D. application control policies in Microsoft Defender for Endpoint Notice that only the wrong answers were changed. I'd vote D based on what I know about application control policies.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SC-100 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.