Microsoft - SC-100: Microsoft Cybersecurity Architect

Sample Questions

Question: 322
Measured Skill: Design security solutions for applications and data (20–25%)

You have an Azure subscription that contains a web app named App1. App1 uses a Microsoft Entra user account named SRV1 as a service account to authenticate to an Azure SQL database named DB1.

You discover that a developer accessed DB1 directly by using SRV1.

You need to recommend a secure authentication method that will prevent credential misuse outside of App1. The solution must minimize administrative effort.

What should you recommend?

A A managed identity
B A group managed service account (gMSA)
C A delegated managed service account (dMSA)
D A federated identity credential

Correct answer: A

Explanation:

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Manual handling of secrets and certificates is a known source of security issues and outages. Managed identities eliminate the need for developers to manage these credentials. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

A managed identity is an identity that can be assigned to an Azure compute resource (Azure Virtual Machine, Azure Virtual Machine Scale Set, Service Fabric Cluster, Azure Kubernetes cluster) or any App hosting platform supported by Azure. Once a managed identity is assigned on the compute resource, it can be authorized, directly or indirectly, to access downstream dependency resources, such as a storage account, SQL database, Cosmos DB, and so on. Managed identity replaces secrets such as access keys or passwords. In addition, managed identities can replace certificates or other forms of authentication for service-to-service dependencies.

There are two types of managed identities:

  • System-assigned. Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:

    • A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
    • By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.
    • You authorize the managed identity to have access to one or more services.
    • The name of the system-assigned service principal is always the same as the name of the Azure resource it's created for. For a deployment slot, the name of its system-assigned managed identity is <app-name>/slots/<slot-name>.
  • User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources. When you enable a user-assigned managed identity:

    • A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.
    • User-assigned managed identities can be used by multiple resources.
    • You authorize the managed identity to have access to one or more services.

Reference: What are managed identities for Azure resources?



Question: 323
Measured Skill: Design security solutions for applications and data (20–25%)

You have an Azure subscription.

You plan to deploy an Azure App Service app named App1 that will access an external web service by using a username and password.

You need to recommend a password storage solution for App1 that meets the following requirements:
  • Ensures that the password is stored securely
  • Ensures that App1 can authenticate to the service that will store the password
Which service should you use to store the password, and which authentication method should App1 use to access the service?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Service: Azure Key Vault
Authentication method: Certificate
B Service: Azure Key Vault
Authentication method: Managed identity
C Service: Microsoft Entra ID Protection
Authentication method: Group managed service account (gMSA)
D Service: Microsoft Entra ID Protection
Authentication method: Guest account
E Service: Privileged Identity Management (PIM)
Authentication method: Group managed service account (gMSA)
F Service: Privileged Identity Management (PIM)
Authentication method: Managed identity

Correct answer: B

Explanation:

Azure Key Vault provides a way to store credentials and other secrets with increased security. But your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources help to solve this problem by giving Azure services an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without having to display credentials in your code.
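The credential-free pattern that the explanations for questions 322 and 323 describe, shown end to end as an added example (this is not code from the page, nor from the Microsoft tutorial it references): App1 uses its managed identity both to connect to DB1 in place of the SRV1 account and to read the external service's password from Key Vault. App1 and DB1 come from the questions; the vault name, SQL server name, secret name and table name are assumed placeholders.

```csharp
// Added example, not from the page or from Microsoft's tutorial: an App Service app
// (App1) reaching Azure SQL (DB1) and Azure Key Vault with its managed identity.
// No password, key or certificate appears anywhere in code or configuration.
// Assumed placeholders: <vault-name>, <sql-server>, the secret "ExternalServicePassword",
// and the table dbo.Orders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class ManagedIdentityAccess
{
    // One credential object for every Entra-protected dependency. In App Service this
    // resolves to the app's managed identity; on a developer workstation it falls back
    // to the signed-in developer, so the same code runs unchanged in both places.
    private static readonly TokenCredential Credential = new DefaultAzureCredential();

    // Question 323: read the external service's password from Key Vault at run time
    // instead of storing it in app settings or source code.
    public static async Task<string> GetExternalServicePasswordAsync()
    {
        var client = new SecretClient(
            new Uri("https://<vault-name>.vault.azure.net/"), // assumed vault name
            Credential);
        KeyVaultSecret secret = await client.GetSecretAsync("ExternalServicePassword"); // assumed secret name
        return secret.Value;
    }

    // Question 322: connect to DB1 as the app's managed identity rather than as SRV1.
    // One-time prerequisite on DB1, run by a Microsoft Entra admin (T-SQL):
    //   CREATE USER [App1] FROM EXTERNAL PROVIDER;
    //   ALTER ROLE db_datareader ADD MEMBER [App1];
    // "App1" is the system-assigned identity's name, which is always the resource name.
    public static async Task<int> CountOrdersAsync()
    {
        const string connectionString =
            "Server=tcp:<sql-server>.database.windows.net,1433;" +     // assumed server name
            "Database=DB1;" +
            "Authentication=Active Directory Managed Identity;" +      // token issued by the platform; no password
            "Encrypt=True;";
        // For a user-assigned identity, append "User Id=<client-id-of-the-identity>;".

        await using var conn = new SqlConnection(connectionString);
        await conn.OpenAsync();
        await using var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", conn); // assumed table
        return (int)await cmd.ExecuteScalarAsync();
    }
}
```

The point of the design is that there is nothing for a developer to copy: a token for the managed identity can only be requested from inside the App Service resource itself, so the direct-to-database access that was possible with SRV1's credentials has no equivalent here. Once App1 is cut over, SRV1's access to DB1 should be removed so the old path is closed rather than merely unused.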

Reference: Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET



Question: 324
Measured Skill: Design security solutions for infrastructure (20–25%)

You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Sub1 contains 20 virtual networks named Sub1_VNet1 through Sub1_VNet20.

You have an Azure subscription named Sub2 that is linked to a Microsoft Entra tenant named fabrikam.com. Sub2 contains 20 virtual networks named Sub2_VNet1 through Sub2_VNet20.

You need to deploy an Azure Virtual Network Manager solution that meets the following requirements:
  • Blocks SSH traffic on Sub1_VNet20 and Sub2_VNet20 by using network security groups (NSGs)
  • Blocks SSH traffic on Sub1_VNet1 through Sub1_VNet19 and Sub2_VNet1 through Sub2_VNet19
  • Allows SSH traffic on Sub1_VNet20 and Sub2_VNet20
  • Blocks FTP traffic on all the virtual networks
  • Minimizes administrative effort
What is the minimum number of components required for the deployment?

A 1 Virtual Network Manager instance, 1 rule collection, 2 NSGs
B 2 Virtual Network Manager instances that each contains: 1 NSG, 1 rule collection
C 2 Virtual Network Manager instances that each contains: 2 NSGs, 2 rule collections
D 1 Virtual Network Manager instance, 2 rule collections, 2 NSGs

Correct answer: D

Explanation:

Azure Virtual Network Manager is a centralized management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions and tenants.

With Virtual Network Manager, you can define network groups to identify and logically segment your virtual networks. Then you can determine the connectivity, security, and routing configurations you want and apply them across all the selected virtual networks in network groups at once, ensuring consistent network policies across your entire infrastructure.

Cross-tenant support in Azure Virtual Network Manager allows you to add subscriptions and management groups from other tenants to your Azure Virtual Network Manager instance, or network manager. You can establish cross-tenant support in your network manager by establishing a two-way connection between the network manager and target tenants. Once connected, the network manager can deploy configurations to virtual networks across those connected cross-tenant subscriptions and management groups.

We need one Azure Virtual Network Manager, one rule collection/NSG deployed to Sub*_VNet1–19 to block SSH and block FTP, and a second rule collection/NSG deployed to Sub*_VNet20 to allow SSH but block FTP.

References:

What is Azure Virtual Network Manager?

Cross-Tenant Support in Azure Virtual Network Manager



Question: 325
Measured Skill: Design solutions that align with security best practices and priorities (20–25%)

You have an Azure environment that contains multiple workloads deployed across multiple subscriptions.

You need to recommend a solution to assess and improve the security posture of the workloads. The solution must meet the following requirements:
  • Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.
  • Use the Azure Well-Architected Framework to secure individual workloads.
What should you include in the recommendation for each requirement?

(To answer, drag the appropriate recommendations to the correct requirements. Each recommendation may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)


A Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Azure Advisor
Use the Azure Well-Architected Framework to secure individual workloads: Microsoft Defender Vulnerability Management
B Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Microsoft Intune
Use the Azure Well-Architected Framework to secure individual workloads: Microsoft Cloud Security Benchmark (MCSB)
C Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Microsoft Sentinel
Use the Azure Well-Architected Framework to secure individual workloads: Microsoft Defender for Cloud
D Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Microsoft Defender for Cloud
Use the Azure Well-Architected Framework to secure individual workloads: Microsoft Defender Vulnerability Management
E Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Microsoft Cloud Security Benchmark (MCSB)
Use the Azure Well-Architected Framework to secure individual workloads: Azure Advisor
F Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies: Microsoft Defender for Cloud
Use the Azure Well-Architected Framework to secure individual workloads: Microsoft Intune

Correct answer: D

Explanation:

Cloud governance enforcement means implementing controls, processes, and tools so that cloud usage adheres to the governance policies. We should use Azure Policy with Microsoft Defender for Cloud to evaluate compliance with cloud governance policies. Azure's primary governance tool is Azure Policy. Supplement Azure Policy with Microsoft Defender for Cloud (security), Microsoft Purview (data), Microsoft Entra ID Governance (identity), Azure Monitor (operations), management groups (resource management), infrastructure as code (IaC) (resource management), and configurations within each Azure service.

Microsoft Defender Vulnerability Management is used to secure workloads on Azure by identifying, prioritizing, and helping to remediate vulnerabilities, directly aligning with the Security pillar of the Azure Well-Architected Framework. The framework provides a holistic guidance structure, and Defender Vulnerability Management provides a practical tool for implementing security best practices to protect individual workloads and critical assets.

References:

What is the Microsoft Cloud Adoption Framework for Azure?

What is the Azure Well-Architected Framework?

Enforce cloud governance policies

What is Microsoft Defender Vulnerability Management?



Question: 326
Measured Skill: Design security solutions for infrastructure (20–25%)

You have an on-premises server named Server1. Server1 is an FTP server that can be accessed by only the users at your company.

You have an Azure subscription.

You need to recommend a Zero Trust Network Access (ZTNA) solution to enforce Conditional Access policies when users access Server1 from the internet.

What should you include in the recommendation?

A Microsoft Entra application proxy
B Microsoft Entra Internet Access
C Microsoft Entra Private Access
D Azure Application Gateway
E Azure Bastion

Correct answer: C

Explanation:

The way people work has changed. Instead of working in traditional offices, people now work from nearly anywhere. As applications and data move to the cloud, the modern workforce needs an identity-aware, cloud-delivered network perimeter. This new network security category is called Security Service Edge (SSE).

Microsoft Entra Internet Access and Microsoft Entra Private Access comprise Microsoft's Security Service Edge (SSE) solution. Global Secure Access is the unifying term used for both Microsoft Entra Internet Access and Microsoft Entra Private Access. Global Secure Access is the unified location in the Microsoft Entra admin center. Global Secure Access is built upon the core principles of Zero Trust to use least privilege, verify explicitly, and assume breach.

Microsoft Entra Internet Access protects access to internet and SaaS apps with an identity-based Secure Web Gateway (SWG), blocking threats, unsafe content, and malicious traffic.

Microsoft Entra Private Access provides your users - whether in an office or working remotely - secured access to your private, corporate resources. Microsoft Entra Private Access builds on the capabilities of Microsoft Entra application proxy and extends access to any private resource, port, and protocol.

Microsoft Entra Private Access provides Zero Trust-based access to a range of IP addresses and/or Fully Qualified Domain Names (FQDNs) without requiring a legacy VPN and supports Conditional Access integration.

References:

What is Global Secure Access?

Introduction to Microsoft Global Secure Access Deployment Guide





 

© Copyright 2014 - 2025 by cert2brain.com