Microsoft - SC-100: Microsoft Cybersecurity Architect
Sample Questions
Question: 160
Measured Skill: Design solutions that align with security best practices and priorities (20–25%)
You have a Microsoft 365 subscription.
You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:
- A user account is disabled or deleted.
- The password of a user is changed or reset.
- All the refresh tokens for a user are revoked.
- Multi-factor authentication (MFA) is enabled for a user.
Which two features should you include in the recommendation?
(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)| A | Continuous access evaluation |
| B | Azure AD Application Proxy |
| C | A sign-in risk policy |
| D | Azure AD Privileged Identity Management (PIM) |
| E | Conditional Access |
Correct answer: A, EExplanation:
Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour, when they expire the client is redirected to Azure AD to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.
Timely response to policy violations or security issues really requires a "conversation" between the token issuer (Azure AD), and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE). The goal for critical event evaluation is for response to be near real time, but latency of up to 15 minutes may be observed because of event propagation time; however, IP locations policy enforcement is instant.
The initial implementation of continuous access evaluation focuses on Exchange, Teams, and SharePoint Online.
Reference: Continuous access evaluation
Question: 161
Measured Skill: Design security solutions for applications and data (20–25%)
You have an Azure subscription and an on-premises datacenter. The datacenter contains 100 servers that run Windows Server. All the servers are backed up to a Recovery Services vault by using Azure Backup and the Microsoft Azure Recovery Services (MARS) agent.
You need to design a recovery solution for ransomware attacks that encrypt the on-premises servers. The solution must follow Microsoft Security Best Practices and protect against the following risks:
- A compromised administrator account used to delete the backups from Azure Backup before encrypting the servers.
- A compromised administrator account used to disable the backups on the MARS agent before encrypting the servers.
What should you use for each risk?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Deleted backups: A security PIN for critical operations
Disabled backups: Soft delete of backups |
| B | Deleted backups: A security PIN for critical operations
Disabled backups: Multi-user authorization by using Resource Guard |
| C | Deleted backups: Encryption by using a customer-managed key
Disabled backups: Soft delete of backup |
| D | Deleted backups: Multi-user authorization by using Resource Guard
Disabled backups: A security PIN for critical operations |
| E | Deleted backups: Soft delete of backups
Disabled backups: Encryption by using a customer-managed key |
| F | Deleted backups: Soft delete of backups
Disabled backups: Multi-user authorization by using Resource Guard |
Correct answer: BExplanation:
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect hybrid backups.
Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations.
Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. MUA protects against disabling backups and reducing retention for backups.
References:
Security features to help protect hybrid backups that use Azure Backup
Multi-user authorization using Resource Guard
Question: 162
Measured Skill: Design security solutions for applications and data (20–25%)
You have a Microsoft 365 subscription.
You need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices.
Which two services should you include in the solution?
(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)| A | Azure AD Conditional Access |
| B | Azure Data Catalog |
| C | Microsoft Purview Information Protection |
| D | Azure AD Application Proxy |
| E | Microsoft Defender for Cloud Apps |
Correct answer: A, EExplanation:
We should configure a conditional access policy to control sessions with SharePoint Online using Defender for Cloud Apps. Creating a session policy with Conditional Access App Control enables you to control user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Defender for Cloud Apps rather than directly to the app.
Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Defender for Cloud Apps portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:
Prevent data exfiltration: You can block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.
Require authentication context: You can reevaluate Azure AD Conditional Access policies when a sensitive action occurs in the session. For example, require multi-factor authentication on download of a highly confidential file.
Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be labeled and encrypted when you integrate with Microsoft Purview Information Protection. This action ensures the document is protected and user access is restricted in a potentially risky session.
Prevent upload of unlabeled files: Before a sensitive file is uploaded, distributed, and used by others, it's important to make sure that the sensitive file has the label defined by your organization's policy. You can ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content.
Block potential malware: You can protect your environment from malware by blocking the upload of potentially malicious files. Any file that is uploaded or downloaded can be scanned against Microsoft threat intelligence and blocked instantaneously.
Monitor user sessions for compliance: Risky users are monitored when they sign into apps and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.
Block access: You can granularly block access for specific apps and users depending on several risk factors. For example, you can block them if they're using client certificates as a form of device management.
Block custom activities: Some apps have unique scenarios that carry risk, for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.
Reference: Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control
Question: 163
Measured Skill: Design solutions that align with security best practices and priorities (20–25%)
You have an operational model based on the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a solution that focuses on cloud-centric control areas to protect resources such as endpoints, databases, files, and storage accounts.
What should you include in the recommendation?| A | Security baselines in the Microsoft Intune Admin Center |
| B | Modern access control |
| C | Network isolation |
| D | Security baselines in the Microsoft Cloud Security Benchmark |
Correct answer: DExplanation:
The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment.
Security baselines are standardized documents for Azure product offerings, describing the available security capabilities and the optimal security configurations to help you strengthen security through improved tooling, tracking, and security features. Microsoft currently has service baselines available for Azure only.
Security baselines for Azure focus on cloud-centric control areas in Azure environments. These controls are consistent with well-known industry standards such as: Center for Internet Security (CIS) or National Institute for Standards in Technology (NIST). Our baselines provide guidance for the control areas listed in the Microsoft cloud security benchmark v1.
Each baseline consists of the following components:
- How does a service behave?
- Which security features are available?
- What configurations are recommended to secure the service?
References:
Overview of Microsoft cloud security benchmark (v1)
Security baselines for Azure
Question: 164
Measured Skill: Design security solutions for infrastructure (20–25%)
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.
You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).
You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.
You need to ensure that a compromised administrator account cannot be used to delete the backups.
What should you do?| A | From Azure Backup, configure multi-user authorization by using Resource Guard. |
| B | From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault. |
| C | From a Recovery Services vault, generate a security PIN for critical operations. |
| D | From Azure AD Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role. |
Correct answer: CExplanation:
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect hybrid backups.
Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication, and maintaining a minimum retention range for recovery purposes.
As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations.
Reference: Security features to help protect hybrid backups that use Azure Backup