Microsoft - SC-100: Microsoft Cybersecurity Architect

Sample Questions

Question: 100
Measured Skill: Design a strategy for data and applications (20–25%)

Your company has Microsoft 365 E5 licenses and Azure subscriptions. The company plans to automatically label sensitive data stored in the following locations:
  • Microsoft SharePoint Online
  • Microsoft Exchange Online
  • Microsoft Teams
You need to recommend a strategy to identify and protect sensitive data.

Which scope should you recommend for the sensitivity label policies?

(To answer, drag the appropriate scopes to the correct locations. Each scope may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A.
  SharePoint Online: Items
  Microsoft Teams: Schematized data assets
  Exchange Online:
B.
  SharePoint Online: Items
  Microsoft Teams: Schematized data assets
  Exchange Online: Items
C.
  SharePoint Online: Groups & sites
  Microsoft Teams: Schematized data assets
  Exchange Online: Schematized data assets
D.
  SharePoint Online: Groups & sites
  Microsoft Teams: Groups & sites
  Exchange Online: Items
E.
  SharePoint Online: Schematized data assets
  Microsoft Teams: Items
  Exchange Online: Items
F.
  SharePoint Online: Groups & sites
  Microsoft Teams: Groups & sites
  Exchange Online: Groups & sites

Correct answer: D

Explanation:

When you create a sensitivity label, you're asked to configure the label's scope, which determines two things:

  • Which label settings you can configure for that label
  • Where the label will be visible to users

This scope configuration lets you have sensitivity labels that apply only to items such as documents and emails and can't be selected for containers, and, similarly, sensitivity labels that apply only to containers (such as groups and sites) and can't be selected for documents and emails. You can also select the scope for schematized data assets in the Microsoft Purview Data Map.

By default, the Items scope (previously named Files & emails) is always selected.

Reference: Learn about sensitivity labels



Question: 101
Measured Skill: Design a strategy for data and applications (20–25%)

You have a hybrid cloud infrastructure.

You plan to deploy the Azure applications shown in the following table.



What should you use to meet the requirement of each app?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A.
  App1: Azure AD B2B authentication with Conditional Access
  App2: Azure VPN Gateway with network security group rules
B.
  App1: Azure AD B2C custom policies with Conditional Access
  App2: Azure VPN Point-to-Site connections
C.
  App1: Azure Application Gateway Web Application Firewall policies
  App2: Azure AD B2C custom policies with Conditional Access
D.
  App1: Azure Firewall
  App2: Azure Firewall
E.
  App1: Azure VPN Gateway with network security group rules
  App2: Azure Application Gateway Web Application Firewall policies
F.
  App1: Azure VPN Point-to-Site connections
  App2: Azure AD B2B authentication with Conditional Access

Correct answer: C

Explanation:

To protect App1 against cross-site scripting (XSS), we should use Azure Application Gateway Web Application Firewall policies.

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

WAF on Application Gateway is based on the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP).

Note: A VPN connection between the on-premises network and Azure may seem like a good solution, but a VPN connection does not prevent cross-site scripting (XSS); it only limits which devices can connect to the app.

App2 requires the use of Azure Active Directory B2C. Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities (including LinkedIn accounts) to get single sign-on access to your applications and APIs.

References:

What is Azure Web Application Firewall on Azure Application Gateway?

What is Azure Active Directory B2C?

Add Conditional Access to user flows in Azure Active Directory B2C



Question: 102
Measured Skill: Design a Zero Trust strategy and architecture (30–35%)

You are designing an auditing solution for Azure landing zones that will contain the following components:
  • SQL audit logs for Azure SQL databases
  • Windows Security logs from Azure virtual machines
  • Azure App Service audit logs from App Service web apps
You need to recommend a centralized logging solution for the landing zones. The solution must meet the following requirements:
  • Log all privileged access.
  • Retain logs for at least 365 days.
  • Minimize costs.
What should you include in the recommendation?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A.
  For the SQL audit logs: A Log Analytics workspace
  For the Security logs: A Log Analytics workspace
  For the App Service audit logs: Azure Application Insights
B.
  For the SQL audit logs: A Log Analytics workspace
  For the Security logs: A Log Analytics workspace
  For the App Service audit logs: A Log Analytics workspace
C.
  For the SQL audit logs: Azure Application Insights
  For the Security logs: A Log Analytics workspace
  For the App Service audit logs: Microsoft Sentinel
D.
  For the SQL audit logs: Microsoft Defender for SQL
  For the Security logs: Microsoft Sentinel
  For the App Service audit logs: Azure Application Insights
E.
  For the SQL audit logs: Microsoft Defender for SQL
  For the Security logs: A Log Analytics workspace
  For the App Service audit logs: Microsoft Sentinel
F.
  For the SQL audit logs: Microsoft Sentinel
  For the Security logs: Microsoft Sentinel
  For the App Service audit logs: Microsoft Sentinel

Correct answer: B

Explanation:

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.

You can use a single workspace for all your data collection. You can also create multiple workspaces based on requirements such as:

  • The geographic location of the data.
  • Access rights that define which users can access data.
  • Configuration settings like pricing tiers and data retention.

There's no direct cost for creating or maintaining a workspace. You're charged for the data sent to it (data ingestion) and for how long that data is stored (data retention).

By default, all tables in a workspace are Analytics tables, which are available to all features of Azure Monitor and any other services that use the workspace. You can configure Analytics tables for data retention from 30 days to 730 days.

References:

Log Analytics workspace overview

Create a Log Analytics workspace



Question: 103
Measured Skill: Design a strategy for data and applications (20–25%)

You are designing security for a runbook in an Azure Automation account. The runbook will copy data to Azure Data Lake Storage Gen2.

You need to recommend a solution to secure the components of the copy process.

What should you include in the recommendation for each component?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A.
  Data security: Access keys stored in Azure Key Vault
  Network access control: Azure Private Link with network service tags
B.
  Data security: Access keys stored in Azure Key Vault
  Network access control: Automation Contributor built-in role
C.
  Data security: Automation Contributor built-in role
  Network access control: Azure Web Application Firewall rules with network service tags
D.
  Data security: Automation Contributor built-in role
  Network access control: Access keys stored in Azure Key Vault
E.
  Data security: Azure Private Link with network service tags
  Network access control: Azure Web Application Firewall rules with network service tags
F.
  Data security: Azure Web Application Firewall rules with network service tags
  Network access control: Azure Private Link with network service tags

Correct answer: A

Explanation:

To ensure data security, we should store the storage account key, or the credentials of the identity used to access the Azure Data Lake Storage Gen2 account, in Azure Key Vault rather than in the runbook itself.

To implement network access control, we should use Azure Private Link endpoints together with network service tags. Azure Private Link lets IT teams consume an Azure platform as a service (PaaS) offering directly from within their virtual network (VNet) by mapping it to a private endpoint. IT teams retain control over which endpoints can access which PaaS resources. Because the private endpoint is mapped to a specific resource rather than to the whole service, the exposure to data leakage is reduced.

References:

Copy and transform data in Azure Data Lake Storage Gen2 using Azure Data Factory or Azure Synapse Analytics

What is a private endpoint?



Question: 104
Measured Skill: Design security for infrastructure (20–25%)

You open Microsoft Defender for Cloud as shown in the following exhibit.



Which statements are true?

(Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.)


A.
  To increase the score for the Restrict unauthorized network access control, implement Azure Active Directory (Azure AD) Conditional Access policies.
  To increase the score for the Enable endpoint protection control, implement private endpoints.
B.
  To increase the score for the Restrict unauthorized network access control, implement Azure Active Directory (Azure AD) Conditional Access policies.
  To increase the score for the Enable endpoint protection control, implement Microsoft Defender for Resource Manager.
C.
  To increase the score for the Restrict unauthorized network access control, implement Azure Web Application Firewall (WAF).
  To increase the score for the Enable endpoint protection control, implement Microsoft Defender for servers.
D.
  To increase the score for the Restrict unauthorized network access control, implement Azure Web Application Firewall (WAF).
  To increase the score for the Enable endpoint protection control, implement Microsoft Defender for Resource Manager.
E.
  To increase the score for the Restrict unauthorized network access control, implement network security groups (NSGs).
  To increase the score for the Enable endpoint protection control, implement Microsoft Defender for servers.
F.
  To increase the score for the Restrict unauthorized network access control, implement network security groups (NSGs).
  To increase the score for the Enable endpoint protection control, implement private endpoints.

Correct answer: E

Explanation:

To increase the score for the Restrict unauthorized network access control, we should protect the virtual machines with network security groups (NSGs).

To increase the score for the Enable endpoint protection control, we should install the Log Analytics agent on the VMs to enable Microsoft Defender for Servers.

© Copyright 2014 - 2022 by cert2brain.com