Microsoft - SC-100: Microsoft Cybersecurity Architect

Sample Questions

Question: 117
Measured Skill: Design a strategy for data and applications (20–25%)

Your company uses Microsoft 365 and Azure services and resources.

You have been asked to ensure the availability of two recently deployed web applications named finance-web-app and hr-web-app.

To complete this project, you need to design a high-availability architecture for each app, based on the following requirements:

  • The solution must support Layer 7 load balancing.
  • The solution must support SSL offloading.
  • The solution must facilitate high availability.
  • The solution must perform DNS-based load balancing.
What solution should you recommend for each app?

(To answer, select the appropriate options from each list in the answer area. NOTE: Each correct selection is worth one point.)

A finance-web-app: Azure Application Gateway
hr-web-app: Azure Load Balancer
B finance-web-app: Azure Application Gateway
hr-web-app: Azure Traffic Manager
C finance-web-app: Azure Load Balancer
hr-web-app: Azure Traffic Manager
D finance-web-app: Azure Load Balancer
hr-web-app: Azure Application Gateway
E finance-web-app: Azure Traffic Manager
hr-web-app: Azure Traffic Manager
F finance-web-app: Azure Traffic Manager
hr-web-app: Azure Application Gateway

Correct answer: B


Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos. This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.

Traffic Manager uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method. Traffic Manager also provides health monitoring for every endpoint. The endpoint can be any Internet-facing service hosted inside or outside of Azure. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.
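The two services are easy to confuse because both are called load balancers, so the following model shows where each one acts. It is an added example written for this page, not Azure SDK code and not from Microsoft: a DNS-level profile that answers a lookup with the address of the highest-priority healthy endpoint (the Traffic Manager priority routing method, with health probes and failover), and a layer-7 gateway behind it that terminates TLS and picks a backend pool from the URL path (/images and /video, as in the explanation). All names, addresses and the topology are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two services the explanation contrasts. Names,
# addresses and the topology below are invented for the example; this is not
# the Azure SDK and it does not talk to Azure.


@dataclass
class Endpoint:
    name: str
    address: str
    priority: int          # lower number = preferred (Traffic Manager "priority" routing method)
    healthy: bool = True   # outcome of the most recent health probe


@dataclass
class TrafficManagerProfile:
    """DNS-based load balancer: a DNS query for the profile name is answered with the
    address of the best healthy endpoint. Only the priority routing method is modelled;
    the real service also offers weighted, performance and geographic methods."""
    dns_name: str
    endpoints: list
    ttl_seconds: int = 60  # clients cache the answer, so failover is not instantaneous

    def resolve(self, query_name: str) -> Optional[str]:
        if query_name.lower() != self.dns_name.lower():
            return None
        healthy = sorted((e for e in self.endpoints if e.healthy), key=lambda e: e.priority)
        return healthy[0].address if healthy else None


@dataclass
class BackendPool:
    name: str
    servers: list


@dataclass
class PathRule:
    path_prefix: str
    pool: BackendPool


@dataclass
class ApplicationGateway:
    """Layer-7 load balancer: TLS is terminated here (SSL offloading), so the gateway can
    read the HTTP request and choose a backend pool from the URL path."""
    rules: list
    default_pool: BackendPool
    _next_index: dict = field(default_factory=dict)   # per-pool round-robin position

    def select_pool(self, path: str) -> BackendPool:
        matches = [r for r in self.rules if path.startswith(r.path_prefix)]
        if not matches:
            return self.default_pool
        # longest prefix wins, so a rule for /images/thumbs beats one for /images
        return max(matches, key=lambda r: len(r.path_prefix)).pool

    def route(self, path: str):
        pool = self.select_pool(path)
        i = self._next_index.get(pool.name, 0)
        self._next_index[pool.name] = i + 1
        return pool.name, pool.servers[i % len(pool.servers)]


def build_demo():
    """Constructed topology: one Traffic Manager profile in front of two regional gateways."""
    profile = TrafficManagerProfile("finance.trafficmanager.example", [
        Endpoint("eastus-gateway", "203.0.113.10", priority=1),
        Endpoint("westeurope-gateway", "198.51.100.10", priority=2),
    ])
    gateway = ApplicationGateway(
        rules=[
            PathRule("/images", BackendPool("images-pool", ["10.0.1.4", "10.0.1.5"])),
            PathRule("/video", BackendPool("video-pool", ["10.0.2.4"])),
        ],
        default_pool=BackendPool("default-pool", ["10.0.0.4"]),
    )
    return profile, gateway


def handle_request(profile, gateway, host: str, path: str):
    """Client's view: the DNS lookup picks a region, the region's gateway picks a backend."""
    gateway_address = profile.resolve(host)
    if gateway_address is None:
        return None                      # every endpoint failed its probe: nothing to answer with
    pool_name, server = gateway.route(path)
    return gateway_address, pool_name, server


if __name__ == "__main__":
    profile, gateway = build_demo()
    print(handle_request(profile, gateway, "finance.trafficmanager.example", "/images/logo.png"))
    profile.endpoints[0].healthy = False   # simulate the East US gateway failing its probes
    print(handle_request(profile, gateway, "finance.trafficmanager.example", "/video/intro.mp4"))
```

The point of the model is the division of labour: the DNS profile never sees an HTTP request, so it cannot offload TLS or route on a path, and because clients cache its answer for the TTL, a failed region keeps receiving some traffic until caches expire. Path-based routing and TLS termination only become possible once a request reaches the gateway, which is why the layer-7 requirements map to Application Gateway and the DNS-based requirement maps to Traffic Manager.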


Reference: What is Azure Application Gateway?

Reference: What is Traffic Manager?

Question: 118
Measured Skill: Design a Zero Trust strategy and architecture (30–35%)

Your client has implemented Microsoft Sentinel as its cloud-based Security Information and Event Management (SIEM) solution.

The client wants to maximize the value of their investment and has asked you how they can enhance the incident management lifecycle by cost-effectively detecting and responding to threats before they cause damage or disrupt their business.

You need to identify the Sentinel components that will help the client to reach this goal.

Which Sentinel tool should you recommend for each scenario?

(To answer, drag the appropriate tool to the correct incident management activity. Each tool may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A Automatically isolate an infected machine: Notebook
Visualize and monitor threat data: Workbook
Analyze data with Python machine learning: Playbook
B Automatically isolate an infected machine: Playbook
Visualize and monitor threat data: Workbook
Analyze data with Python machine learning: Notebook
C Automatically isolate an infected machine: Workbook
Visualize and monitor threat data: Notebook
Analyze data with Python machine learning: Runbook
D Automatically isolate an infected machine: Runbook
Visualize and monitor threat data: Playbook
Analyze data with Python machine learning: Notebook

Correct answer: B


Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure and combine them into unified interactive experiences. Workbooks are available from a Log Analytics workspace resource or from Microsoft Sentinel itself. A workbook is like a custom dashboard that lets a user create graphs and other visuals using Kusto Query Language (KQL).

Playbooks are related to Microsoft Sentinel. They are basically Logic Apps with a trigger that activates the Logic App/playbook when a Microsoft Sentinel query rule is matched.

Notebooks provide a kind of virtual sandbox, complete with its own kernel, where you can carry out a complete investigation. Your notebook can include the raw data, the code you run on that data, the results, and their visualizations. Notebooks are helpful when a hunt or investigation grows too large to keep track of easily, when you need to view details, or when you need to save queries and results. The Microsoft Sentinel notebooks use many popular Python libraries such as pandas, matplotlib, bokeh, and others.
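To make the notebook role concrete, here is the shape of a small hunting notebook reduced to plain Python: a cell that loads raw sign-in rows, a cell that summarises them for a chart, and a cell that looks for a run of failed sign-ins followed by a success from the same address. This is an added example written for this page, not Microsoft's notebook content; the rows are constructed sample data in the shape of a few SigninLogs columns (in Azure AD sign-in logs, ResultType 0 is a success), and nothing here is machine learning, only the kind of analysis step a notebook would hold alongside its results.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _row(ts, user, ip, result):
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}


# Constructed sample data, not real telemetry. ResultType "0" is a successful
# sign-in; "50126" is the invalid-username-or-password code.
SAMPLE_SIGNINS = (
    [_row(f"2023-05-01T08:0{i}:00", "alice@contoso.example", "198.51.100.7", "50126") for i in range(6)]
    + [_row("2023-05-01T08:06:00", "alice@contoso.example", "198.51.100.7", "0")]
    + [_row("2023-05-01T09:00:00", "bob@contoso.example", "203.0.113.5", "50126"),
       _row("2023-05-01T09:01:00", "bob@contoso.example", "203.0.113.5", "0")]
    + [_row(f"2023-05-01T10:0{i}:00", "carol@contoso.example", "198.51.100.9", "50126") for i in range(8)]
)


def load(records):
    """The 'raw data' cell: parse timestamps and sort chronologically."""
    rows = [dict(r, TimeGenerated=datetime.fromisoformat(r["TimeGenerated"])) for r in records]
    return sorted(rows, key=lambda r: r["TimeGenerated"])


def failures_by_user(rows):
    """The summary you would hand to matplotlib or bokeh for a bar chart."""
    counts = defaultdict(int)
    for r in rows:
        if r["ResultType"] != "0":
            counts[r["UserPrincipalName"]] += 1
    return dict(counts)


def failures_then_success(rows, min_failures=5, window=timedelta(minutes=10)):
    """Flag (user, IP) pairs where a success follows at least `min_failures` failures
    from the same IP inside `window`: repeated guessing that eventually worked."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["UserPrincipalName"], r["IPAddress"])].append(r)
    hits = []
    for (user, ip), events in by_pair.items():
        for i, e in enumerate(events):
            if e["ResultType"] != "0":
                continue
            recent = [f for f in events[:i]
                      if f["ResultType"] != "0" and e["TimeGenerated"] - f["TimeGenerated"] <= window]
            if len(recent) >= min_failures:
                hits.append({"user": user, "ip": ip, "failures": len(recent),
                             "success_at": e["TimeGenerated"].isoformat()})
    return hits


if __name__ == "__main__":
    rows = load(SAMPLE_SIGNINS)
    print(failures_by_user(rows))
    for hit in failures_then_success(rows):
        print(hit)
```

In a real notebook the first cell would query the workspace instead of a constructed list, and the summary would feed a plot; the value of keeping it as a notebook is that the query, the filtering logic and the result that justified an incident all stay together and can be re-run later. Carol's account shows up in the summary but not in the hits, which is the kind of distinction (failed guessing versus a likely compromise) a hunter wants to see side by side.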

Runbooks are an Azure Automation Process Automation feature. There are several types of runbooks available. PowerShell runbooks, for example, are based on Windows PowerShell. You directly edit the code of the runbook using the text editor in the Azure portal. You can also use any offline text editor and import the runbook into Azure Automation.


Reference: What is Microsoft Sentinel?

Reference: Use Jupyter notebooks to hunt for security threats

Reference: Azure Automation runbook types

Question: 119
Measured Skill: Design a strategy for data and applications (20–25%)

Your company wants to optimize using Azure to protect its resources from ransomware.

You need to recommend which capabilities of Azure Backup and Azure Storage provide the strongest protection against ransomware attacks. The solution must follow Microsoft Security Best Practices.

What should you recommend?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Azure Backup: Access policies
Azure Storage: Access tiers
B Azure Backup: Access tiers
Azure Storage: A security PIN
C Azure Backup: Encryption by using platform-managed keys
Azure Storage: Immutable storage
D Azure Backup: Immutable storage
Azure Storage: Access policies
E Azure Backup: A security PIN
Azure Storage: Immutable storage
F Azure Backup: A security PIN
Azure Storage: Encryption by using platform-managed keys

Correct answer: C


Your backup data is securely stored, in isolation, in an Azure resource called a Recovery Services vault or a Backup vault. The vault is a management entity: no application or guest has direct access to these backups, which prevents malicious actors from performing destructive operations on the backup storage, such as deleting or tampering with backup data.

The following practices protect backups against security and ransomware threats:

  • Manage access to backup resources using Azure role-based access control (Azure RBAC).

  • Ensure soft delete is enabled to protect backups from accidental or malicious deletes.

  • Ensure multi-user authorization (MUA) is enabled to protect against the rogue-admin scenario.

  • Set up alerts and notifications for critical backup operations.

  • Ensure network connectivity between backup services and workloads is secure.

  • Ensure backup data is encrypted.

  • Regularly monitor your backups.

  • Validate backups periodically by performing test restores.

Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data cannot be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes.

Immutable storage for Azure Blob Storage supports two types of immutability policies:

  • Time-based retention policies: With a time-based retention policy, users can set policies to store data for a specified interval. When a time-based retention policy is set, objects can be created and read, but not modified or deleted. After the retention period has expired, objects can be deleted but not overwritten.

  • Legal hold policies: A legal hold stores immutable data until the legal hold is explicitly cleared. When a legal hold is set, objects can be created and read, but not modified or deleted.
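The two policy types differ in small ways that matter when a retention interval runs out, so the following model encodes the rules stated above and lets you exercise them against a clock. It is an added example written for this page, not the Azure Storage SDK and not Microsoft's code: operations on a blob are checked against a time-based retention policy and a legal hold, and the locked-policy rule (a locked interval may be extended but not shortened or removed) is included as Azure's documented behaviour. Blob names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Constructed model of the two immutability policy types. It is not the Azure Storage
# SDK; it only encodes the access rules described above so they can be exercised.


class Op(Enum):
    CREATE = "create"        # write a blob under a name not yet in use
    READ = "read"
    MODIFY = "modify"        # change an existing blob's content or append to it
    OVERWRITE = "overwrite"  # replace an existing blob's content
    DELETE = "delete"


@dataclass
class Blob:
    name: str
    created: datetime        # the retention interval is counted from creation


@dataclass
class TimeBasedRetention:
    days: int
    locked: bool = False     # once locked, the interval can be extended but never shortened or removed


@dataclass
class Container:
    blobs: dict              # name -> Blob
    retention: Optional[TimeBasedRetention] = None
    legal_hold: bool = False


def is_allowed(container: Container, blob_name: str, op: Op, now: datetime) -> bool:
    """Decide whether `op` on `blob_name` is permitted at time `now` under the container's policies."""
    existing = container.blobs.get(blob_name)
    if op is Op.CREATE and existing is not None:
        op = Op.OVERWRITE            # "creating" over a protected name is really an overwrite
    if op is Op.READ or (op is Op.CREATE and existing is None):
        return True                  # reads and genuinely new objects are always allowed
    if existing is None:
        return False                 # nothing to modify or delete
    if container.legal_hold:
        return False                 # held until the hold is explicitly cleared
    if container.retention is None:
        return True                  # no immutability policy: an ordinary container
    expires = existing.created + timedelta(days=container.retention.days)
    if now < expires:
        return False                 # inside the retention interval: write once, read many
    return op is Op.DELETE           # after expiry: delete yes, overwrite or modify no


def set_retention(container: Container, days: int) -> bool:
    """Change the time-based policy; a locked policy may only grow. Returns True on success."""
    current = container.retention
    if current is not None and current.locked and days < current.days:
        return False                 # shortening a locked policy is refused
    container.retention = TimeBasedRetention(days, locked=current.locked if current else False)
    return True


def clear_legal_hold(container: Container) -> None:
    """A legal hold protects data until someone with the right to do so explicitly clears it."""
    container.legal_hold = False


if __name__ == "__main__":
    created = datetime(2023, 1, 1, tzinfo=timezone.utc)
    c = Container(blobs={"backup-2023-01-01.vhd": Blob("backup-2023-01-01.vhd", created)},
                  retention=TimeBasedRetention(days=30, locked=True))
    for day in (10, 40):
        when = created + timedelta(days=day)
        print(day, {op.value: is_allowed(c, "backup-2023-01-01.vhd", op, when) for op in Op})
```

Running the model makes the ransomware argument visible: while the interval is in force, a compromised account with full data-plane rights still cannot delete or overwrite the backup copy, and with the policy locked it also cannot shorten the interval to get there sooner. A legal hold gives the same protection without an end date, which is why the two are often combined for backup containers.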


Reference: Frequently asked questions - Protect backups from Ransomware

Reference: Store business-critical blob data with immutable storage

Question: 120
Measured Skill: Design security for infrastructure (20–25%)

You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows.

You need to recommend best practices to secure the stages of the CI/CD workflows based on the Microsoft Cloud Adoption Framework for Azure.

What should you include in the recommendation for each stage?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Git workflow: Azure Key Vault
Secure deployment credentials: Protected branches
B Git workflow: Custom roles for build agents
Secure deployment credentials: Resource locks in Azure
C Git workflow: Custom roles for build agents
Secure deployment credentials: Custom roles for build agents
D Git workflow: Protected branches
Secure deployment credentials: Azure Key Vault
E Git workflow: Resource locks in Azure
Secure deployment credentials: Azure Key Vault
F Git workflow: Resource locks in Azure
Secure deployment credentials: Custom roles for build agents

Correct answer: D


Azure Pipelines automatically builds and tests code projects. It supports all major languages and project types and combines continuous integration, continuous delivery, and continuous testing to build, test, and deliver your code to any destination.

Continuous Integration

Continuous Integration (CI) is the practice used by development teams of automating, merging, and testing code. CI helps to catch bugs early in the development cycle, which makes them less expensive to fix. Automated tests execute as part of the CI process to ensure quality. CI systems produce artifacts and feed them to release processes to drive frequent deployments.

Continuous Delivery

Continuous Delivery (CD) is a process by which code is built, tested, and deployed to one or more test and production environments. Deploying and testing in multiple environments increases quality. CD systems produce deployable artifacts, including infrastructure and apps. Automated release processes consume these artifacts to release new versions and fixes to existing systems. Systems that monitor and send alerts run continually to drive visibility into the entire CD process.

Stage 1: Git workflow

Code changes, not just to software, but also to pipeline as code and infrastructure as code, are saved and managed in Git. Git is a distributed source code management software. When code is pushed from local computers to the centralized Git server, business rules can be applied before it's accepted.

Pull requests and collaboration

The industry standard workflow, regardless of your software configuration management (SCM) software as a service (SaaS) vendor, is to use pull requests, which can act both as an automated quality gatekeeper and a manual approval step before source code is accepted.

The pull request workflow is designed to introduce healthy friction, which is why it should be applied only to the specific Git branches that need securing, especially the branches that trigger automated workflows that can deploy, configure, or in any other way affect your cloud resources. These branches are called protected branches and typically follow naming conventions such as production or releases/*.

It's common for pull requests to require:

  • Peer reviews
  • Passing continuous integration (CI) builds
  • Manual approval

If the requirements are met, the code changes are accepted and can be merged.

Stage 3: Secure your deployment credentials

Pipelines and code repositories should not include hard-coded credentials and secrets. Credentials and secrets should be stored elsewhere and use CI vendor features for security. Because pipelines run as headless agents, they should never use an individual's password. Pipelines should run using headless security principals instead, such as service principals or managed identities. Access to this security principal's credentials, database connection strings, and third-party API keys should also be securely managed in the CI platform.

How a credential is secured, gates, and approvals are vendor-specific features. When choosing a CI platform, make sure it supports all the features you require.

Azure Pipelines is an enterprise-scale continuous integration solution where credentials are stored as service connections, upon which you can configure approvals and checks. This configuration includes manual approval and specific branch or pipeline authorizations.

If your CI platform supports it, consider storing credentials in a dedicated secret store, for example Azure Key Vault. Credentials are fetched at runtime by the build agent and your attack surface is reduced.
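Stage 1 and Stage 3 are both rules that are applied before a change is allowed to reach a deploying branch, so here they are as one merge gate. This is an added example written for this page, not Azure DevOps code and not from the Cloud Adoption Framework: it recognises protected branches by the naming convention given above (production, releases/*), requires peer review, a green CI build and manual approval for them, and rejects pipeline files whose credential-looking keys carry a literal value rather than the $(name) macro syntax Azure Pipelines uses for variables resolved at run time (for example from a variable group backed by Key Vault). The secret-detection patterns and both pipeline snippets are constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Branch names that trigger deployments, using the naming convention mentioned above.
PROTECTED_BRANCH_PATTERNS = ["production", "releases/*"]

# Heuristic for keys whose value would be a credential, and for the $(name) macro syntax
# Azure Pipelines uses for variables resolved at run time (for example from a variable
# group backed by Key Vault). Both patterns are constructed for this example.
SECRET_KEY_RE = re.compile(
    r"^\s*-?\s*([\w.-]*(password|secret|token|connectionstring|apikey)[\w.-]*)\s*:\s*(.+)$",
    re.IGNORECASE,
)
MACRO_RE = re.compile(r"^\$\(\w[\w.-]*\)$")


@dataclass
class PullRequest:
    target_branch: str
    approvals: int                 # completed peer reviews
    ci_passed: bool                # latest CI build on the PR head
    manually_approved: bool        # explicit approval step
    changed_files: dict = field(default_factory=dict)   # path -> new content


def is_protected(branch: str, patterns=PROTECTED_BRANCH_PATTERNS) -> bool:
    return any(fnmatch.fnmatchcase(branch, p) for p in patterns)


def find_hardcoded_secrets(path: str, content: str) -> list:
    """Report credential-looking keys whose value is a literal rather than a run-time macro."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group(3).split("#", 1)[0].strip().strip("'\"")   # drop a trailing YAML comment
        if MACRO_RE.match(value):
            continue   # e.g. $(dbPassword): resolved by the agent at run time, nothing stored in Git
        findings.append(f"{path}:{lineno}: literal value for '{m.group(1)}'")
    return findings


def evaluate(pr: PullRequest, required_reviews: int = 1):
    """Gate a merge the way the text describes: protected branches need peer review, a green
    CI build and manual approval, and no pipeline file may carry a hard-coded credential.
    Returns (allowed, reasons)."""
    reasons = []
    if is_protected(pr.target_branch):
        if pr.approvals < required_reviews:
            reasons.append(f"{pr.target_branch}: needs {required_reviews} peer review(s), has {pr.approvals}")
        if not pr.ci_passed:
            reasons.append(f"{pr.target_branch}: CI build has not passed")
        if not pr.manually_approved:
            reasons.append(f"{pr.target_branch}: manual approval missing")
    for path, content in pr.changed_files.items():
        if path.endswith((".yml", ".yaml")):
            reasons.extend(find_hardcoded_secrets(path, content))
    return (not reasons, reasons)


# Constructed pipeline snippets: the first pulls its secret at run time, the second embeds it.
GOOD_PIPELINE = """\
trigger:
  - production
variables:
  - group: finance-kv-secrets        # variable group linked to Key Vault
steps:
  - script: ./deploy.sh
    env:
      DB_PASSWORD: $(dbPassword)     # fetched by the agent at run time
"""

BAD_PIPELINE = """\
steps:
  - script: ./deploy.sh
    env:
      DB_PASSWORD: "Sup3rSecret!"    # constructed example of what must not be committed
"""


if __name__ == "__main__":
    pr = PullRequest("production", approvals=0, ci_passed=True, manually_approved=False,
                     changed_files={"azure-pipelines.yml": BAD_PIPELINE})
    print(evaluate(pr))
```

In Azure DevOps the branch part of this gate is configured as branch policies and the credential part as service connections with approvals and checks, rather than as a script; the code only shows the decision the platform makes. A pull request to a feature branch passes without reviews because the friction is deliberately reserved for branches that can change cloud resources, while the literal password is refused on any branch because, once committed, it is in the repository's history regardless of where it was merged.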


Reference: What is Azure Pipelines?

Reference: Securing the pipeline and CI/CD workflow

Question: 121
Measured Skill: Design a Zero Trust strategy and architecture (30–35%)

You are designing a ransomware response plan that follows Microsoft Security Best Practices.

You need to recommend a solution to limit the scope of damage of ransomware attacks without being locked out.

What should you include in the recommendations?

A Privileged Access Workstations (PAWs)
B Emergency access accounts
C Device compliance policies
D Customer Lockbox for Microsoft Azure

Correct answer: B


It is important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in or activate another user's account as an administrator. You can mitigate the impact of accidental lack of administrative access by creating two or more emergency access accounts in your organization.

Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. Microsoft recommends that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.

Why use an emergency access account

An organization might need to use an emergency access account in the following situations:

  • The user accounts are federated, and federation is currently unavailable because of a cell-network break or an identity-provider outage. For example, if the identity provider host in your environment has gone down, users might be unable to sign in when Azure AD redirects to their identity provider.
  • The administrators are registered through Azure AD Multi-Factor Authentication, and all their individual devices are unavailable or the service is unavailable. Users might be unable to complete Multi-Factor Authentication to activate a role. For example, a cell network outage is preventing them from answering phone calls or receiving text messages, the only two authentication mechanisms that they registered for their device.
  • The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
  • Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.

Create emergency access accounts

Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the * domain and that are not federated or synchronized from an on-premises environment.

Reference: Manage emergency access accounts in Azure AD

© Copyright 2014 - 2023 by