 

Microsoft - SC-100: Microsoft Cybersecurity Architect

Sample Questions

Question: 310
Measured Skill: Design security solutions for applications and data (20–25%)

You have an Azure subscription.

You need to use a federated model in Azure API Management to control access to your organization’s APIs. The solution must meet the following requirements:
  • Support the use of role-based access control (RBAC) to manage the APIs.
  • Support the use of keys to control the consumption of the APIs.
To which scope should you associate each control method?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A RBAC roles: Products
Keys: Subscriptions
B RBAC roles: Products
Keys: Workspaces
C RBAC roles: Subscriptions
Keys: Products
D RBAC roles: Subscriptions
Keys: Workspaces
E RBAC roles: Workspaces
Keys: Products
F RBAC roles: Workspaces
Keys: Subscriptions

Correct answer: F

Explanation:

Workspaces support a federated API management model by allowing decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC). Each workspace is associated with one or more workspace gateways that route API traffic to its backend services.

Products are how APIs are surfaced to API consumers such as app developers. Products in API Management have one or more APIs and can be open or protected. Protected products require a subscription key, while open products can be consumed freely. 

Subscription keys are used to authenticate and authorize consumers of the APIs. These are tied to subscriptions, which are associated with products and users, enabling fine-grained control over API usage.

References:

What is Azure API Management?

Federated API management with workspaces

Subscriptions in Azure API Management



Question: 311
Measured Skill: Design security operations, identity, and compliance capabilities (30–35%)

You have a Microsoft Entra tenant. The tenant contains a security group named Group1. Group1 contains the members of your company's IT support team.

You have an Azure subscription. The subscription contains 800 Windows devices that are Microsoft Entra joined and 200 Windows devices that are Microsoft Entra registered.

You have 200 standalone macOS devices.

You deploy 10 Windows devices that are Microsoft Entra joined and have the Microsoft Entra ExtensionAttribute1 value set to SecureWorkstation.

You need to recommend a Conditional Access solution that meets the following requirements:
  • Only allows access to Microsoft Entra resources from devices that run Windows 10 or Windows 11.
  • Restricts Windows Azure Service Management API access to the following users:
    • The members of Group1
    • Users that authenticate by using multifactor authentication (MFA).
    • Users that connect from a device that has the SecureWorkstation ExtensionAttribute1.
The solution must minimize the number of required policies and maximize security.

What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Conditional Access policies: 1
Device filters: Two include device filters
B Conditional Access policies: 1
Device filters: Two exclude device filters
C Conditional Access policies: 2
Device filters: Two include device filters
D Conditional Access policies: 2
Device filters: One include device filter and one exclude device filter
E Conditional Access policies: 3
Device filters: Two exclude device filters
F Conditional Access policies: 3
Device filters: One include device filter and one exclude device filter

Correct answer: C

Explanation:

We need to create one Conditional Access policy that applies to All users, is targeted to "All resources (formerly All cloud apps)", and has a device platforms filter that includes Windows devices as shown below.

We need to create a second Conditional Access policy that applies to Group1 only, is targeted to "Azure API Management", requires MFA, and has a Filter for devices as shown below.

Reference: Conditional Access: Filter for devices



Question: 312
Measured Skill: Design security operations, identity, and compliance capabilities (30–35%)

You have a Microsoft Entra tenant named contoso.com that syncs with an Active Directory Domain Services (AD DS) domain named corp.contoso.com.

The domain contains 100 devices that have the following configurations:
  • Hybrid joined
  • Enrolled in Microsoft Intune
  • Disabled built-in local administrator account
  • Contain a local user account named User1 that is a member of the local administrators group
You need to recommend a solution that meets the following requirements:
  • Ensures that the Directory Services Restore Mode (DSRM) credentials of each domain controller are backed up to the AD DS database
  • Ensures that the password of User1 changes automatically every 60 days
  • Ensures that the credentials of User1 are stored in an encrypted store
  • Prevents the User1 password from being changed manually
  • Whenever possible, stores all credentials in contoso.com
  • Minimizes administrative effort
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A For the User1 credentials: Microsoft Entra Password Protection
For the DSRM credentials: Microsoft Entra Password Protection for Active Directory Domain Services
B For the User1 credentials: Microsoft Local Administrator Password Solution (Microsoft LAPS)
For the DSRM credentials: Microsoft Local Administrator Password Solution (Microsoft LAPS)
C For the User1 credentials: Windows Local Administrator Password Solution (Windows LAPS)
For the DSRM credentials: Microsoft Entra Password Protection
D For the User1 credentials: Windows Local Administrator Password Solution (Windows LAPS)
For the DSRM credentials: Windows Local Administrator Password Solution (Windows LAPS)
E For the User1 credentials: Microsoft Entra Password Protection for Active Directory Domain Services
For the DSRM credentials: Microsoft Local Administrator Password Solution (Microsoft LAPS)
F For the User1 credentials: Windows Local Administrator Password Solution (Windows LAPS)
For the DSRM credentials: Microsoft Local Administrator Password Solution (Microsoft LAPS)

Correct answer: D

Explanation:

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.

You can use Windows LAPS for several primary scenarios:

  • Back up local administrator account passwords to Microsoft Entra ID (for Microsoft Entra-joined devices)

  • Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)

  • Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)

  • Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS

Reference: What is Windows LAPS?



Question: 313
Measured Skill: Design security solutions for applications and data (20–25%)

You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1.

You have a Conditional Access policy named Policy1 that only allows workload identities from trusted locations to access SharePoint Online.

You plan to move all business-sensitive information to Site1.

You need to ensure that CAPolicy1 applies to Site1 only.

Which three actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.)


A Sequence: 3, 2, 5
B Sequence: 4, 1, 5
C Sequence: 3, 1, 5
D Sequence: 4, 2, 5

Correct answer: B

Explanation:

Authentication context secures data and actions in applications, including custom applications, line-of-business (LOB) applications, SharePoint, and applications protected by Microsoft Defender for Cloud Apps.

For example, an organization might store files in SharePoint sites, such as a lunch menu or a secret BBQ sauce recipe. Everyone can access the lunch menu site, but users accessing the secret BBQ sauce recipe site might need to use a managed device and agree to specific terms of use.

First, we should create an authentication context for labeled sites. Second, we should modify the target resources of the Conditional Access policy and make sure the policy applies to the authentication context. Lastly, we need to configure and apply a sensitivity label for Site1.

References:

Conditional Access: Target resources

Conditional access policy for SharePoint sites and OneDrive



Question: 314
Measured Skill: Design solutions that align with security best practices and priorities (20–25%)

You have an Azure subscription that contains the Azure Virtual Machine Scale Sets shown in the following table.



You are evaluating Azure Update Manager and automatic virtual machine guest patching.

Which virtual machine scale sets will automatic guest patching support?

A VMSS1 only
B VMSS2 only
C VMSS1 and VMSS3 only
D VMSS2 and VMSS4 only
E VMSS1, VMSS2, VMSS3, and VMSS4

Correct answer: C

Explanation:

Enabling automatic guest patching for your Azure Virtual Machines (VMs) and Scale Sets (VMSS) helps ease update management by safely and automatically patching virtual machines to maintain security compliance, while limiting the blast radius of VMs.

Automatic VM guest patching has the following characteristics:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours for IaaS VMs in the VM's time zone.
  • Patches are applied during all hours for VMSS Flex.
  • Azure manages the patch orchestration and follows availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
  • Application health can be monitored through the Application Health extension.
  • Works for all VM sizes.

If automatic VM guest patching is enabled on a VM, then the available Critical and Security patches are downloaded and applied automatically on the VM. This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as configured. 

Automatic VM guest patching supports Azure Virtual Machine Scale Sets in flexible orchestration mode only.

Automatic VM guest patching supports both Windows and Linux platform images. Custom images or any other publisher, offer, sku combinations aren't supported.

Reference: Automatic Guest Patching for Azure Virtual Machines and Scale Sets

Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching



 
 
 

© Copyright 2014 - 2025 by cert2brain.com