Microsoft SC-100 Online Practice
Questions and Exam Preparation
SC-100 Exam Details
Exam Code
:SC-100
Exam Name
:Microsoft Cybersecurity Architect
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:350 Q&As
Last Updated
:Jul 12, 2026
Microsoft SC-100 Online Questions &
Answers
Question 61:
You have a Microsoft 365 subscription.
You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:
1. A user account is disabled or deleted.
2. The password of a user is changed or reset.
3. All the refresh tokens for a user are revoked.
4. Multi-factor authentication (MFA) is enabled for a user.
Which two features should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. continuous access evaluation B. Azure AD Application Proxy C. a sign-in risk policy D. Azure AD Privileged Identity Management (PIM) E. Conditional Access
A. continuous access evaluation E. Conditional Access
Explanation
Continuous access evaluation
Key benefits
User termination or password change/reset: User session revocation will be enforced in near real time.
Network location change: Conditional Access location policies will be enforced in near real time.
Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.
Scenarios
There are two scenarios that make up continuous access evaluation, critical event evaluation and Conditional Access policy evaluation.
* Critical event evaluation
Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical Azure AD events. Those events can then be evaluated and enforced near real time. Critical event evaluation doesn't rely on Conditional Access policies so it's available in any tenant. The following events are currently evaluated:
User Account is deleted or disabled Password for a user is changed or reset Multi-factor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Azure AD Identity Protection
* Conditional Access policy evaluation
Exchange Online, SharePoint Online, Teams, and MS Graph can synchronize key Conditional Access policies for evaluation within the service itself.
This process enables the scenario where users lose access to organizational files, email, calendar, or tasks from Microsoft 365 client apps or SharePoint Online immediately after network location changes.
Your company finalizes the adoption of Azure and is implementing Microsoft Defender for Cloud.
You receive the following recommendations in Defender for Cloud
1. Access to storage accounts with firewall and virtual network configurations should be restricted.
2. Storage accounts should restrict network access using virtual network rules.
3. Storage account should use a private link connection.
4. Storage account public access should be disallowed.
You need to recommend a service to mitigate identified risks that relate to the recommendations.
What should you recommend?
A. Azure Policy B. Azure Network Watcher C. Azure Storage Analytics D. Microsoft Sentinel
A. Azure Policy
Explanation
An Azure Policy definition, created in Azure Policy, is a rule about specific security conditions that you want controlled. Built in definitions include things like controlling what type of resources can be deployed or enforcing the use of tags on all resources. You can also create your own custom policy definitions.
Note: Azure security baseline for Azure Storage This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Storage. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Storage.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.
For example:
* 1.1: Protect Azure resources within virtual networks
Guidance: Configure your storage account's firewall by restricting access to clients from specific public IP address ranges, select virtual networks, or specific Azure resources. You can also configure Private Endpoints so traffic to the storage service from your enterprise travels exclusively over private networks.
* 1.8: Minimize complexity and administrative overhead of network security rules
Guidance: For resource in Virtual Networks that need access to your Storage account, use Virtual Network Service tags for the configured Virtual Network to define network access controls on network security groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules.
You are designing the security architecture for a cloud-only environment.
You are reviewing the integration point between Microsoft 365 Defender and other Microsoft cloud services based on Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend which Microsoft cloud services integrate directly with Microsoft 365 Defender and meet the following requirements:
1. Enforce data loss prevention (DLP) policies that can be managed directly from the Microsoft 365 Defender portal.
2. Detect and respond to security threats based on User and Entity Behavior Analytics (UEBA) with unified alerting.
What should you include in the recommendation for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 64:
You have an Azure subscription with multiple Azure Blob Storage accounts.
You are tasked with recommending a solution to detect threats in files after they have been uploaded to a blob container.
What should be included in your recommendation?
A. sensitive data threat detection in Microsoft Defender for Storage B. runtime threat protection in Microsoft Defender for Containers C. vulnerability assessment in Microsoft Defender for Containers D. malware scanning in Microsoft Defender for Storage
D. malware scanning in Microsoft Defender for Storage
Explanation
Defender for Cloud, Malware scanning in Defender for Storage Malware Scanning in Defender for Storage helps protect your Azure Blob Storage from malicious content by performing a full malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities. It's designed to help fulfill security and compliance requirements for handling untrusted content. The Malware Scanning capability is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale.
Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant.
You need to design a security strategy to meet the following requirements:
1. Users must be able to request access to App1 by using a self-service request.
2. When users request access to App1, they must be prompted to provide additional information about their request.
3. Every three months, managers must verify that the users still require access to App1.
What should you include in the design?
A. Microsoft Entra Identity Governance B. connected apps in Microsoft Defender for Cloud Apps C. access policies in Microsoft Defender for Cloud Apps D. Azure AD Application Proxy
A. Microsoft Entra Identity Governance
Question 66:
HOTSPOT
You have an Azure subscription.
You plan to deploy an Azure App Service app named App1 that will access an external web service by using a username and password.
You need to recommend a password storage solution for App1 that meets the following requirements:
1. Ensures that the password is stored securely.
2. Ensures that App1 can authenticate to the service that will store the password.
Which service should you use to store the password, and which authentication method should App1 use to access the service? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 67:
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, review the Azure security baseline for audit report. B. From Defender for Cloud, review the secure score recommendations. C. From Defender for Cloud, enable Defender for Cloud plans. D. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
D. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
Explanation
The Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 5.
The following mappings are to the NIST SP 800-53 Rev. 5 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative definition.
For a Microsoft cloud environment, you need to recommend a security architecture that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
Which security methodologies should you include in the recommendation? To answer, drag the appropriate methodologies to the correct principles. Each methodology may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Box 1: Segment access
Assume breach
Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Box 2: Data classification
Verify explicitly
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Box 3: Just-in-time (JIT) access
Use least-privilege access
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
You have a Microsoft Entra tenant named contoso.com and are using Microsoft Intune. Each user in contoso.com holds a Microsoft Entra ID P1 license and has a Windows 11 device with the Global Secure Access client installed.
You plan to configure Microsoft Entra Internet Access with the following setup:
1. Enable a baseline profile.
2. Create a security profile called Profile1, with a priority of
300. This profile contains a single web content filtering policy, WCFPolicy1.
WCFPolicy1 will be configured as follows:
1. Set the Action to Allow.
2. Include a rule targeting the fully qualified domain name (FQDN) adatum.com.
3. Link Profile1 to a Conditional Access policy named CAPolicy1, which is applied to all users. The policy grants access unless a user's device is noncompliant.
You need to assess the impact of this deployment on traffic to the following resources:
1. https://www.adatum.com:8433
2. https://www.fabrikam.com
What two traffic scenarios will occur?
A. Traffic to https://www.fabrikam.com will be allowed from all the devices. B. Traffic to https://www.adatum.com:8433 will be blocked from all the devices. C. Traffic to https://www.adatum.com:8433 will be allowed from all the devices. D. Traffic to https://www.fabrikam.com will be allowed from compliant devices only. E. Traffic to https://www.adatum.com:8433 will be allowed from compliant devices only. F. Traffic to https://www.fabrikam.com will be blocked from noncompliant devices only.
B. Traffic to https://www.adatum.com:8433 will be blocked from all the devices. D. Traffic to https://www.fabrikam.com will be allowed from compliant devices only.
Explanation
Traffic to
https://www.adatum.com:8433:
In WCFPolicy1, the only rule specifies *.adatum.com as the allowed domain but without specifying a particular port.Typically,webcontentfilteringappliesonlytostandardHTTP/HTTPStraffic(ports80and443).Sincethistrafficisoverport8433,whichisnon-standard,itwouldnotmatchtheallowruleinWCFPolicy1.Thus,itwillbeblockedfromalldevices.
Traffic to
https://www.fabrikam.com:
Since there is no rule in WCFPolicy1 to specifically allow or block traffic to fabrikam.com, the Conditional Access policy CAPolicy1 will govern access. is configured to grant access only if a user's device is compliant. Therefore, traffic to CAPolicy1 will be allowed only from compliant devices.
https://www.fabrikam.com
Question 70:
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. app registrations in Azure AD B. application control policies in Microsoft Defender for Endpoint C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps D. Azure AD Conditional Access App Control policies
B. application control policies in Microsoft Defender for Endpoint
Explanation
Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.
Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.
Incorrect:
Not C: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SC-100 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.