Microsoft - SC-100: Microsoft Cybersecurity Architect

Sample Questions

Question: 187
Measured Skill: Design security solutions for infrastructure (20–25%)

You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online.

You need to recommend a solution to prevent malicious actors from impersonating the email addresses of internal senders.

What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A Service: Microsoft Entra ID Protection
  Policy type: Anti-spam
B Service: Microsoft Entra ID Protection
  Policy type: Insider risk management
C Service: Microsoft Defender for DNS
  Policy type: Insider risk management
D Service: Microsoft Defender for Office 365
  Policy type: Anti-phishing
E Service: Microsoft Purview
  Policy type: Data loss prevention (DLP)
F Service: Microsoft Purview
  Policy type: Anti-phishing

Correct answer: D

Explanation:

When it comes to protecting its users, Microsoft takes the threat of phishing seriously. Spoofing is a common technique that's used by attackers. Spoofed messages appear to originate from someone or somewhere other than the actual source. This technique is often used in phishing campaigns that are designed to get user credentials. The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed.

Anti-phishing policies in EOP and in Microsoft Defender for Office 365 contain the following anti-spoofing settings:

  • Turn spoof intelligence on or off.
  • Turn unauthenticated sender indicators in Outlook on or off.
  • Specify the action for blocked spoofed senders.

Anti-phishing policies in Defender for Office 365 contain additional protections, including impersonation protection (protected users, protected domains, and mailbox intelligence), which is what covers the internal senders in this scenario. The verdicts depend on sender authentication, so SPF, DKIM, and DMARC should be published for every accepted domain; otherwise legitimate internal mail sent through third-party services is the usual false positive. The other options don't address this threat: Microsoft Entra ID Protection evaluates sign-in and user risk, Microsoft Defender for DNS monitors DNS queries from Azure resources, and Microsoft Purview DLP and insider risk management govern data handling rather than inbound mail.
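The policy the explanation describes, scripted as an added example (it is not part of the original question or of Microsoft's documentation). It assumes the ExchangeOnlineManagement module, the accepted domain contoso.com, a hypothetical admin account, and two hypothetical executives to protect; the partner domain fabrikam.com is also an assumption:

```powershell
# Added example (not from the original page): a custom anti-phishing policy in
# Microsoft Defender for Office 365 that turns on spoof intelligence and impersonation
# protection for internal senders, scoped to the contoso.com recipient domain.
# Hypothetical values: the tenant domain contoso.com, the admin account, the two
# protected executives and the partner domain. Requires the ExchangeOnlineManagement
# module and a role that can manage threat policies (for example, Security Administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName secadmin@contoso.com

$policyName = 'Contoso - block spoofed internal senders'

$policy = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Spoof intelligence + impersonation protection'
    PhishThresholdLevel                 = 2             # 1 = Standard ... 4 = Most aggressive

    # Anti-spoofing (available in EOP and in Defender for Office 365)
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'  # action for blocked spoofed senders
    EnableUnauthenticatedSender         = $true         # '?' in Outlook on unverified senders
    EnableViaTag                        = $true         # 'via' tag when From and sender differ
    HonorDmarcPolicy                    = $true         # respect the sender's p=quarantine / p=reject
    DmarcQuarantineAction               = 'Quarantine'
    DmarcRejectAction                   = 'Reject'

    # Impersonation protection (Defender for Office 365 only)
    EnableOrganizationDomainsProtection = $true         # every accepted domain of the tenant
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('fabrikam.com')
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Ana Bowman;ana.bowman@contoso.com', 'Lee Gu;lee.gu@contoso.com')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
}
New-AntiPhishPolicy @policy | Out-Null

# The rule binds the policy to recipients; priority 0 puts it above other custom policies.
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0 | Out-Null

# Verify the settings that matter for spoofed internal senders
Get-AntiPhishPolicy -Identity $policyName |
    Format-List EnableSpoofIntelligence, AuthenticationFailAction,
                EnableOrganizationDomainsProtection, TargetedUserProtectionAction,
                EnableMailboxIntelligenceProtection
```

The TargetedUsersToProtect entries use the 'DisplayName;EmailAddress' format the cmdlet expects. Quarantine is chosen for spoofed and impersonated senders so that the messages can be reviewed rather than silently deleted; if false positives from legitimate bulk senders appear, fix their SPF/DKIM/DMARC records or add them to the spoof intelligence allow list instead of lowering the policy.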

References:

Anti-spoofing protection in EOP

Anti-phishing policies in Microsoft 365



Question: 188
Measured Skill: Design security operations, identity, and compliance capabilities (30–35%)

You are designing a privileged access strategy for a company named Contoso, Ltd. and its partner company named Fabrikam, Inc.

Contoso has a Microsoft Entra ID tenant named contoso.com. Fabrikam has a Microsoft Entra ID tenant named fabrikam.com.

Users at Fabrikam must access the resources in contoso.com.

You need to provide the Fabrikam users with access to the Contoso resources by using access packages. The solution must meet the following requirements:
  • Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com.
  • Allow non-administrative users in contoso.com to create the access packages.
What should you use for each requirement?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: A connected organization
  Allow non-administrative users in contoso.com to create the access packages by creating: Administrative units
B Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: A connected organization
  Allow non-administrative users in contoso.com to create the access packages by creating: Catalogs
C Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: An external organization
  Allow non-administrative users in contoso.com to create the access packages by creating: Programs
D Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: An external organization
  Allow non-administrative users in contoso.com to create the access packages by creating: Administrative units
E Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: An identity provider
  Allow non-administrative users in contoso.com to create the access packages by creating: Catalogs
F Ensure that the Fabrikam users can use the Contoso access packages without explicitly creating guest accounts in contoso.com: An identity provider
  Allow non-administrative users in contoso.com to create the access packages by creating: Programs

Correct answer: B

Explanation:

A connected organization is another organization that you have a relationship with. In order for the users in that organization to be able to access your resources, such as your SharePoint Online sites or apps, you'll need a representation of that organization's users in your directory. Because in most cases the users in that organization aren't already in your Microsoft Entra directory, you can use entitlement management to bring them into your Microsoft Entra directory as needed: the guest account is created when an access package request is approved, and it can be removed again when the last assignment expires.

If you want to provide a path for anyone to request access, and you are not sure which organizations those new users might be from, then you can configure an access package assignment policy for users not in your directory. In that policy, select the option of All users (All connected organizations + any new external users). If the requestor is approved, and they don’t belong to a connected organization in your directory, a connected organization will automatically be created for them.

If you want to only allow individuals from designated organizations to request access, then first create those connected organizations. Second, configure an access package assignment policy for users not in your directory, select the option of Specific connected organizations, and select the organizations you created.

All access packages must be in a container called a catalog. A catalog defines what resources you can add to your access package. If you don't specify a catalog, your access package goes in the general catalog. Currently, you can't move an existing access package to a different catalog.

An access package can be used to assign access to roles of multiple resources that are in the catalog. If you're an administrator or catalog owner, you can add resources to the catalog while you're creating an access package. You can also add resources after the access package has been created, and users assigned to the access package will also receive the additional resources.

If you're an access package manager, you can't add resources that you own to a catalog. You're restricted to using the resources available in the catalog. If you need to add resources to a catalog, you can ask the catalog owner. Assigning the Catalog owner (or Access package manager) role on a catalog is what lets non-administrative users create access packages: it is scoped to that catalog and needs no directory-level admin role. Administrative units scope directory roles such as User Administrator and play no part in entitlement management, which is why answer B pairs the connected organization with catalogs.

All access packages must have at least one policy for users to be assigned to them. Policies specify who can request the access package, along with approval and lifecycle settings, or how access is automatically assigned. When you create an access package, you can create an initial policy for users in your directory, for users not in your directory, or for administrator direct assignments only.
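Both requirements, scripted with the Microsoft Graph PowerShell SDK as an added example (not part of the original question or of Microsoft's documentation). The Fabrikam tenant ID, the Contoso project manager pm@contoso.com who becomes catalog owner, and the access package and policy names are hypothetical:

```powershell
# Added example (not from the original page): a connected organization for Fabrikam and a
# catalog delegated to a non-administrator, then the access package and policy that the
# catalog owner could create on their own. Requires Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.Users; run as an Identity Governance Administrator.
# Hypothetical values: the tenant ID, pm@contoso.com, and all display names.
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All', 'User.Read.All'

$fabrikamTenantId = '11111111-2222-3333-4444-555555555555'   # placeholder, not a real tenant
$catalogOwner     = Get-MgUser -UserId 'pm@contoso.com'      # a non-administrator

# Requirement 1: connected organization. Fabrikam users are invited as guests on demand
# when an assignment is approved; nobody pre-creates guest accounts in contoso.com.
$fabrikam = New-MgEntitlementManagementConnectedOrganization -BodyParameter @{
    displayName     = 'Fabrikam, Inc.'
    description     = 'Partner tenant fabrikam.com'
    state           = 'configured'          # 'proposed' organizations can't be used in policies yet
    identitySources = @(@{
        '@odata.type' = '#microsoft.graph.azureActiveDirectoryTenant'
        tenantId      = $fabrikamTenantId
        displayName   = 'fabrikam.com'
    })
}

# Requirement 2: a catalog owned by the project manager. Catalog owners add resources
# they own and create access packages in the catalog without a directory-wide role.
$catalog = New-MgEntitlementManagementCatalog -BodyParameter @{
    displayName         = 'Fabrikam partner projects'
    description         = 'Resources shared with Fabrikam'
    state               = 'published'
    isExternallyVisible = $true             # required for requestors outside contoso.com
}
$ownerRole = Get-MgRoleManagementEntitlementManagementRoleDefinition -Filter "displayName eq 'Catalog owner'"
New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter @{
    principalId      = $catalogOwner.Id
    roleDefinitionId = $ownerRole.Id
    appScopeId       = "/AccessPackageCatalog/$($catalog.Id)"
} | Out-Null

# From here on the catalog owner can continue: an access package in the catalog and a
# policy that lets only Fabrikam users request it, with approval and a 90-day expiry.
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = 'Project Apollo (Fabrikam)'
    description = 'SharePoint site and app access for Fabrikam engineers'
    catalog     = @{ id = $catalog.Id }
}
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName             = 'Fabrikam users, approval required, 90-day expiry'
    accessPackage           = @{ id = $package.Id }
    allowedTargetScope      = 'specificConnectedOrganizationUsers'
    specificAllowedTargets  = @(@{
        '@odata.type'           = '#microsoft.graph.connectedOrganizationMembers'
        connectedOrganizationId = $fabrikam.Id
        description             = 'Fabrikam, Inc.'
    })
    expiration              = @{ type = 'afterDuration'; duration = 'P90D' }
    requestorSettings       = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial = 'P7D'
            primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $catalogOwner.Id })
        })
    }
} | Out-Null
```

The policy's allowedTargetScope of specificConnectedOrganizationUsers is the "Specific connected organizations" choice from the explanation; allConfiguredConnectedOrganizationUsers or allExternalUsers would be the "All users" choice, the latter creating connected organizations automatically as new domains request access. Expiry on the assignment is what eventually removes the guest account again.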

References:

Manage connected organizations in entitlement management

Create an access package in entitlement management



Question: 189
Measured Skill: Design security operations, identity, and compliance capabilities (30–35%)

Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a server that runs Windows Server and hosts shared folders.

The domain syncs with Microsoft Entra ID by using Microsoft Entra Connect. Microsoft Entra Connect has group writeback enabled.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online.

You have multiple project teams. Each team has an AD DS group that syncs with Microsoft Entra ID.

Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.

You need to recommend a Microsoft Entra Identity Governance solution that meets the following requirements:
  • Project managers must verify that their project group contains only the current members of their project team.
  • The members of each project team must only have access to the resources of the project to which they are assigned.
  • Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days.
  • Administrative effort must be minimized.
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Identity Governance feature: Microsoft Entra Privileged Identity Management (PIM)
  Project team configuration: Enable group writeback for the existing synced groups.
B Identity Governance feature: Entitlement management
  Project team configuration: Enable group writeback for the existing synced groups.
C Identity Governance feature: Access reviews
  Project team configuration: From Entra ID, create a new cloud-only security group for each project.
D Identity Governance feature: Microsoft Entra Privileged Identity Management (PIM)
  Project team configuration: From Entra ID, create a new cloud-only security group for each project.
E Identity Governance feature: Access reviews
  Project team configuration: From Entra ID, create a security group for each project and enable group writeback for each group.
F Identity Governance feature: Entitlement management
  Project team configuration: From Entra ID, create a security group for each project and enable group writeback for each group.

Correct answer: E

Explanation:

Access reviews in Microsoft Entra ID, part of Microsoft Entra, enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access.

To ensure that group membership changes are written back to the on-premises Active Directory, so that the ACL on the Windows Server share follows the same group as the SharePoint Online site, the group writeback status must be configured in each group's properties. By default, groups are not written back.

Note: Group writeback is only supported for groups created in the cloud. The existing project groups are synced from AD DS and therefore can't be written back (which rules out answers A and B); each project needs a new cloud security group with writeback enabled, and the share and the SharePoint site are then permissioned with that group.

The 30-day requirement maps directly onto access review settings: a recurring review of the group's members with a 30-day duration, the project manager (as group owner) as the reviewer, "If reviewers don't respond" set to Remove access, and auto-apply enabled, so that no administrator has to process results. PIM provides just-in-time activation of privileged roles and groups, and entitlement management packages resources for request-based assignment; neither attests an existing membership.
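The configuration described above for one project team, as an added example written with the Microsoft Graph PowerShell SDK (not part of the original question or of Microsoft's documentation). The project name, the manager pm@contoso.com, and the assumption that the writebackConfiguration property (Entra Connect group writeback) is available in the tenant are hypothetical:

```powershell
# Added example (not from the original page): create a cloud-only security group for one
# project, mark it for writeback to AD DS, make the project manager its owner, and
# schedule a monthly 30-day access review that removes anyone the owner hasn't confirmed.
# Requires Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance.
# Hypothetical values: the project name and pm@contoso.com. The writebackConfiguration
# property is assumed to be supported by the tenant's group writeback setup.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'AccessReview.ReadWrite.All', 'User.Read.All'

$pm = Get-MgUser -UserId 'pm@contoso.com'

# Cloud-created group: groups synced from AD DS can't be written back, new ones can.
$group = New-MgGroup -BodyParameter @{
    displayName            = 'Project Apollo'
    mailNickname           = 'project-apollo'
    description            = 'Members of the Apollo project team'
    securityEnabled        = $true
    mailEnabled            = $false
    'owners@odata.bind'    = @("https://graph.microsoft.com/v1.0/users/$($pm.Id)")
    writebackConfiguration = @{ isEnabled = $true; onPremisesGroupType = 'universalSecurityGroup' }
}

# Monthly review of the group's members by its owners. defaultDecision = Deny together
# with autoApplyDecisionsEnabled removes every member the owner has not approved when
# the 30-day instance ends, with no administrator involvement per cycle.
$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName             = 'Project Apollo membership review'
    descriptionForAdmins    = 'Monthly attestation of project team membership'
    descriptionForReviewers = 'Keep only the current members of the Apollo project team'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(@{
        query     = "/groups/$($group.Id)/owners"   # the project manager
        queryType = 'MicrosoftGraph'
    })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $false
        recommendationsEnabled          = $true    # flags members with no recent sign-in
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # "If reviewers don't respond: Remove access"
        autoApplyDecisionsEnabled       = $true
        instanceDurationInDays          = 30
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 1; dayOfMonth = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}
"Review definition $($review.Id) created for group $($group.Id)"
```

Once the group has been written back, the Windows Server share is permissioned with the written-back AD DS group and the SharePoint site with the cloud group, so a removal applied by the review takes effect on both resources after the next sync cycle. Users who move between projects are then added to the new project's group and fall out of the old one at the old manager's next review.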

References:

What are access reviews?

Plan for Microsoft Entra Connect group writeback



Question: 190
Measured Skill: Design security solutions for applications and data (20–25%)

You have an Azure SQL database named DB1 that contains customer information.

A team of database administrators has full access to DB1.

To address customer inquiries, operators in the customer service department use a custom web app named App1 to view the customer information.

You need to design a security strategy for DB1. The solution must meet the following requirements:
  • When the database administrators access DB1 by using SQL management tools, they must be prevented from viewing the content of the CreditCard attribute of each customer record.
  • When the operators view customer records in App1, they must view only the last four digits of the CreditCard attribute.
What should you include in the design?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A For the database administrators: Always Encrypted
  For the operators: Row-level security (RLS)
B For the database administrators: Always Encrypted
  For the operators: Dynamic data masking
C For the database administrators: Dynamic data masking
  For the operators: Transparent Data Encryption (TDE)
D For the database administrators: Row-level security (RLS)
  For the operators: Always Encrypted
E For the database administrators: Transparent Data Encryption (TDE)
  For the operators: Row-level security (RLS)
F For the database administrators: Transparent Data Encryption (TDE)
  For the operators: Always Encrypted

Correct answer: B

Explanation:

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders.

Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database isn't changed.

For example, a service representative at a call center might identify a caller by confirming several characters of their email address, but the complete email address shouldn't be revealed to the service representative. A masking rule can be defined that masks all the email addresses in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.

Two caveats for the design. Always Encrypted only keeps the data from the DBAs if they have no access to the column master key: keep it in Azure Key Vault and grant the key permissions (get, unwrapKey, verify, or the Key Vault Crypto User role) to App1's identity only. And a masking rule can't be defined on a column that is encrypted with Always Encrypted, so when the same column must satisfy both requirements, App1 decrypts the value and applies the last-four-digits mask itself, or dynamic data masking is applied to a separate, unencrypted column holding only the last four digits. Dynamic data masking is also not a hard security boundary: a principal with SELECT can infer masked values through filtering predicates, so it is a usability control for the operators, not protection against a determined insider. Row-level security filters which rows a principal sees, and TDE encrypts files at rest; neither hides a column from a user who can already query the table.
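The operators' side of the design, and a check that shows why it doesn't cover the DBAs, as an added example (not part of the original question or of Microsoft's documentation). It assumes the SqlServer module with Entra authentication, a server sql-contoso.database.windows.net with database DB1, a table dbo.Customers with a CreditCard column, and that App1 connects as a managed identity named app1; all of these are hypothetical. Provisioning the Always Encrypted keys is a client-side operation with access to the column master key and is not scripted here:

```powershell
# Added example (not from the original page): dynamic data masking for the App1 operators,
# a check of what App1 sees, and a check of what a DBA sees. Requires the SqlServer module
# (Invoke-Sqlcmd with Microsoft.Data.SqlClient for 'Active Directory Default'). The caller is
# assumed to be db_owner on DB1. Server, database, table and identity names are hypothetical.
Import-Module SqlServer
$conn = @{
    ConnectionString = 'Server=tcp:sql-contoso.database.windows.net,1433;Database=DB1;' +
                       'Authentication=Active Directory Default;Encrypt=True'
}

# 1) Masking rule: keep the last four digits, replace the rest with a fixed prefix.
#    The mask applies to every principal that lacks the UNMASK permission on the column.
Invoke-Sqlcmd @conn -Query @'
ALTER TABLE dbo.Customers
    ALTER COLUMN CreditCard ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- App1's managed identity as a contained user: SELECT only, deliberately no UNMASK.
CREATE USER [app1] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.Customers TO [app1];
'@

# 2) What an operator going through App1 sees (impersonating App1's database user).
Invoke-Sqlcmd @conn -Query @'
EXECUTE AS USER = 'app1';
SELECT TOP (1) CustomerId, CreditCard FROM dbo.Customers;   -- CreditCard shows as XXXX-XXXX-XXXX-1234
REVERT;
'@ | Format-Table

# 3) What a DBA sees: db_owner holds CONTROL on the database, which implies UNMASK, so the
#    same query returns the full number. No masking rule changes this; that is why the DBA
#    requirement needs Always Encrypted, where the Database Engine never holds the key.
Invoke-Sqlcmd @conn -Query 'SELECT TOP (1) CustomerId, CreditCard FROM dbo.Customers;' | Format-Table

# 4) Audit: which columns are masked, and who has been granted UNMASK explicitly.
Invoke-Sqlcmd @conn -Query @'
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name = 'UNMASK';
'@ | Format-Table
```

The audit query in step 4 is worth keeping as a periodic check: UNMASK can be granted at database, schema, table, or column granularity, and a single GRANT UNMASK to a broad role silently turns the mask off for everyone in it.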

References:

Always Encrypted

Dynamic data masking



Question: 191
Measured Skill: Design security solutions for applications and data (20–25%)

You have an on-premises datacenter named Site1.

You have an Azure subscription that contains a virtual network named VNet1 and multiple Azure App Service apps.

Site1 is connected to VNet1 by using a Site-to-Site (S2S) VPN connection. The apps are accessed by using public internet connections.

You need to recommend a solution for providing secure access to the apps. The solution must meet the following requirements:
  • Servers on Site1 must use a VPN connection to access the apps.
  • Access to the apps must be restricted to specific servers on Site1.
  • Security administrators for VNet1 must be able to control which servers can access the apps.
  • Costs must be minimized.
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Provide access to the apps for the servers on Site1 by using: Azure Private Link
  Enable the security administrators to control access to the apps by using: Azure Web Application Firewall (WAF)
B Provide access to the apps for the servers on Site1 by using: Azure Private Link
  Enable the security administrators to control access to the apps by using: App Service static IP address restrictions
C Provide access to the apps for the servers on Site1 by using: Private endpoints
  Enable the security administrators to control access to the apps by using: Network Security Groups (NSGs)
D Provide access to the apps for the servers on Site1 by using: Private endpoints
  Enable the security administrators to control access to the apps by using: App Service static IP address restrictions
E Provide access to the apps for the servers on Site1 by using: Service endpoints
  Enable the security administrators to control access to the apps by using: Azure Web Application Firewall (WAF)
F Provide access to the apps for the servers on Site1 by using: Service endpoints
  Enable the security administrators to control access to the apps by using: Azure Firewall

Correct answer: C

Explanation:

You can use private endpoint for your App Service apps to allow clients located in your private network to securely access the app over Azure Private Link. The private endpoint uses an IP address from your Azure virtual network address space. Network traffic between a client on your private network and the app traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

Using private endpoint for your app enables you to:

  • Secure your app by configuring the private endpoint and disabling public network access, which eliminates public exposure.
  • Securely connect to your app from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering.
  • Avoid any data exfiltration from your virtual network.

To filter the inbound traffic that reaches the private endpoint, a network security group (NSG) on the private endpoint subnet is the cheapest valid option: NSGs carry no charge, and the VNet1 security administrators already own them. Two details matter in practice. NSG rules are only enforced on private endpoint traffic when network policies are enabled on the subnet (check the subnet's privateEndpointNetworkPolicies setting; tooling often disables it when it creates the endpoint). And the on-premises ranges reachable over the VPN fall inside the VirtualNetwork service tag, so the default AllowVnetInBound rule would admit every Site1 host; an explicit allow for the approved servers followed by a deny rule is required.

Note: Azure App Service access restrictions don't apply to traffic entering through a private endpoint. Service endpoints keep the app on a public address and only cover traffic that originates inside the virtual network, not traffic arriving from Site1 over the VPN, and Azure Firewall or a WAF would add cost without meeting the requirements any better.
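The recommended design, scripted with Az PowerShell as an added example (not part of the original question or of Microsoft's documentation). The resource group, region, subnet, app name, and the two Site1 server addresses are hypothetical:

```powershell
# Added example (not from the original page): private endpoint for an App Service app plus
# an NSG that admits only two Site1 servers. Requires Az.Network, Az.Websites, Az.PrivateDns,
# Az.Resources. Hypothetical values: resource group rg-apps, region westeurope, VNet1 with a
# subnet snet-privateendpoints (10.20.1.0/24), app app1, Site1 servers 10.10.1.10/11.
$rg  = 'rg-apps'
$loc = 'westeurope'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'
$app  = Get-AzWebApp -ResourceGroupName $rg -Name 'app1'

# 1) NSG owned by the VNet1 security admins. The VPN-connected Site1 ranges are part of the
#    VirtualNetwork tag, so the default AllowVnetInBound rule would admit every Site1 host;
#    the explicit deny at priority 200 closes that.
$allow = New-AzNetworkSecurityRuleConfig -Name 'allow-site1-app-servers' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix @('10.10.1.10/32', '10.10.1.11/32') -SourcePortRange '*' `
    -DestinationAddressPrefix '10.20.1.0/24' -DestinationPortRange 443
$deny = New-AzNetworkSecurityRuleConfig -Name 'deny-other-inbound' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.20.1.0/24' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-privateendpoints' -SecurityRules $allow, $deny

# 2) NSG rules are ignored on private endpoint NICs unless network policies are enabled.
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-privateendpoints'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-privateendpoints' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg `
    -PrivateEndpointNetworkPoliciesFlag 'Enabled' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-privateendpoints'

# 3) Private endpoint for the app (group id 'sites' is the App Service sub-resource).
$plsc = New-AzPrivateLinkServiceConnection -Name 'plsc-app1' `
    -PrivateLinkServiceId $app.Id -GroupId 'sites'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-app1' -Location $loc `
    -Subnet $subnet -PrivateLinkServiceConnection $plsc
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
"Private endpoint IP: $($nic.IpConfigurations[0].PrivateIpAddress)"

# 4) Private DNS so app1.azurewebsites.net resolves to the endpoint IP inside VNet1.
#    Site1's DNS must forward azurewebsites.net queries to a resolver in VNet1.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.azurewebsites.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'link-vnet1' -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-azurewebsites-net' `
    -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 5) Close the public front door. Access restrictions would not see private endpoint
#    traffic anyway; disabling public network access removes the internet path entirely.
Set-AzResource -ResourceId $app.Id -Properties @{ publicNetworkAccess = 'Disabled' } `
    -UsePatchSemantics -Force | Out-Null
```

Adding a server to the approved set is then a change to the allow rule's source prefixes, which the VNet1 security administrators can make without touching the app or the VPN. The deny rule stays in place so that a new Site1 host does not inherit access through the VirtualNetwork tag.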

References:

Using Private Endpoints for App Service apps

What is the difference between Service Endpoints and Private Endpoints?

Azure App Service access restrictions

Network security groups



© Copyright 2014 - 2024 by cert2brain.com