Microsoft - SC-100: Microsoft Cybersecurity Architect
Sample Questions
Question: 284
Measured Skill: Design security solutions for infrastructure (20–25%)
You have an Azure subscription that contains an Azure key vault named Vault1.
You plan to deploy multiple virtual machines that will host a custom app named App1. App1 will use secrets stored in Vault1. The virtual machines will be redeployed regularly based on the usage demands of App1.
You need to recommend a solution that will enable App1 to access the secrets stored in Vault1. The solution must meet the following requirements:
- Minimize the number of security principals that can access Vault1.
- Minimize the storage of sensitive data on the virtual machines.
- Minimize administrative effort.
Which type of endpoint should App1 use to access the secrets, and which type of identity should App1 use?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A: Endpoint type: Azure Instance Metadata Service (IMDS); Identity type: System-assigned managed identity
B: Endpoint type: Azure Instance Metadata Service (IMDS); Identity type: User-assigned managed identity
C: Endpoint type: Microsoft Graph REST API v1.0; Identity type: Service principal
D: Endpoint type: Microsoft Graph REST API v1.0; Identity type: System-assigned managed identity
E: Endpoint type: Microsoft Identity Platform OAuth 2.0 access token; Identity type: Service principal
F: Endpoint type: Microsoft Identity Platform OAuth 2.0 access token; Identity type: User-assigned managed identity
Correct answer: A
Explanation:
The Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances. IMDS is a REST API that's available at a well-known, non-routable IP address (169.254.169.254). You can only access it from within the VM. Communication between the VM and IMDS never leaves the host. IMDS allows the VM to retrieve an access token for its system-assigned managed identity without storing credentials.
A system-assigned managed identity ensures that only the VM can use the identity to request tokens from Microsoft Entra ID and minimizes administrative effort. A system-assigned managed identity is tied to the lifecycle of the Azure resource it belongs to. When the Azure resource is deleted, Azure automatically deletes the managed identity.
References:
Azure Instance Metadata Service
What are managed identities for Azure resources?
Question: 285
Measured Skill: Design security solutions for infrastructure (20–25%)
You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 hosts a Windows node pool named Pool1 and a Linux node pool named Pool2.
You are designing a pool update strategy for AKS1.
You need to recommend how often to replace the operating system images deployed to the nodes. The solution must meet the following requirements:
- Minimize how long it takes to apply operating system updates once the updates are released.
- Minimize administrative effort.
What should you recommend for each pool?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A: Pool1: Weekly; Pool2: Monthly
B: Pool1: Weekly; Pool2: Quarterly
C: Pool1: Monthly; Pool2: Weekly
D: Pool1: Monthly; Pool2: Quarterly
E: Pool1: Quarterly; Pool2: Weekly
F: Pool1: Quarterly; Pool2: Monthly
Correct answer: C
Explanation:
As a cluster operator, you need to have a plan for keeping your clusters up to date and monitoring Kubernetes API changes and deprecations over time.
There are three types of updates for AKS, and each one builds on the previous update:

Update types
Node OS security patches (Linux only): For Linux nodes, both Canonical Ubuntu and Azure Linux make operating system security patches available once a day. Microsoft tests and bundles these patches in the weekly updates to node images.
Weekly updates to node images: AKS provides weekly updates to node images. These updates include the latest OS and AKS security patches, bug fixes, and enhancements. Node updates don't change the Kubernetes version. Versions are formatted by date (for example, 202311.07.0) for Linux and by Windows Server OS build and date (for example, 20348.2113.231115) for Windows.
Quarterly Kubernetes releases: AKS provides quarterly updates for Kubernetes releases. These updates enable AKS users to use the latest Kubernetes features and enhancements, such as security patches and node image updates.
Reference: Azure Kubernetes Service patch and upgrade guidance
Question: 286
Measured Skill: Design security solutions for applications and data (20–25%)
You have an Azure subscription that contains App Service apps in four Azure regions. Users connect to the apps from the internet.
You plan to block requests to the apps if the requests contain security threats specified in the Core Rule Set (CRS) of the Open Web Application Security Project (OWASP).
You need to design a solution to block the requests. The solution must meet the following requirements:
- Maintain access to the apps in the event of a region outage.
- Minimize the number of resources required.
What should you include in the design?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A: Resource type to provision: Azure Application Gateway; Option to enable: Azure Web Application Firewall (WAF)
B: Resource type to provision: Azure Application Gateway; Option to enable: Azure Firewall web categories
C: Resource type to provision: Azure Firewall Premium; Option to enable: Intrusion detection and prevention system (IDPS)
D: Resource type to provision: Azure Firewall Premium; Option to enable: Threat intelligence-based filtering
E: Resource type to provision: Azure Front Door; Option to enable: Azure Web Application Firewall (WAF)
F: Resource type to provision: Microsoft Defender for App Service; Option to enable: Intrusion detection and prevention system (IDPS)
Correct answer: E
Explanation:
Azure Front Door is Microsoft's advanced cloud Content Delivery Network (CDN) designed to provide fast, reliable, and secure access to your applications' static and dynamic web content globally. By using Microsoft's extensive global edge network, Azure Front Door ensures efficient content delivery through numerous global and local points of presence (PoPs) strategically positioned close to both enterprise and consumer end users.
Azure Web Application Firewall on Azure Front Door provides centralized protection for your web applications. A web application firewall (WAF) defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.
Azure Front Door integrates with Azure Web Application Firewall (WAF) that supports the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP).
Note: Azure Application Gateway can't route traffic across regions. Since we need to minimize the number of resources required, we should choose Azure Front Door over Azure Application Gateway.
References:
What is Azure Front Door?
Azure Web Application Firewall on Azure Front Door
Question: 287
Measured Skill: Design solutions that align with security best practices and priorities (20–25%)
You have the resources shown in the following table.
You need to configure multi-user authorization (MUA) for Azure Backup to protect the Recovery Services vaults. The solution must maximize the security of the MUA configuration.
To which location should you deploy Resource Guard, and which role-based access control (RBAC) role should you assign to the team responsible for managing the backup?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A: Location: Sub2 in the East US Azure region; Role: Contributor
B: Location: Sub1 in the West US Azure region; Role: Contributor
C: Location: Sub1 in the East US Azure region; Role: Owner
D: Location: Sub2 in the West US Azure region; Role: Owner
E: Location: Sub2 in the East US Azure region; Role: Reader
F: Location: Sub1 in the West US Azure region; Role: Reader
Correct answer: E
Explanation:
Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization.
Azure Backup uses the Resource Guard as an additional authorization mechanism for a Recovery Services vault or a Backup vault. Therefore, to perform a critical operation (described below) successfully, you must have sufficient permissions on the associated Resource Guard as well.
Before you configure Multi-user authorization for a Recovery Services vault, ensure that the following prerequisites are met:
- The Resource Guard and the Recovery Services vault must be in the same Azure region.
- The Backup admin must not have Contributor, Backup MUA Admin, or Backup MUA Operator permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
- The subscriptions containing the Recovery Services vault and the Resource Guard (whether in different subscriptions or different tenants) must be registered to use the Microsoft.RecoveryServices and Microsoft.DataProtection resource providers.
References:
About Multi-user authorization using Resource Guard
Configure Multi-user authorization using Resource Guard in Azure Backup
Question: 288
Measured Skill: Design security operations, identity, and compliance capabilities (30–35%)
You have an Azure subscription that contains a Microsoft Sentinel workspace named MWS1 and an Azure Data Lake Storage account named lake1. Firewall log data is ingested into MWS1.
You plan to export historical firewall log data from MWS1 to lake1.
You need to ensure that security analysts can perform threat hunting from MWS1. The solution must ensure that the firewall logs stored in lake1 can be included in threat hunting queries.
What should you configure?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A: Microsoft Sentinel feature: A notebook; Azure resource: An Azure Synapse workspace
B: Microsoft Sentinel feature: A notebook; Azure resource: An Azure Data Factory pipeline
C: Microsoft Sentinel feature: A playbook; Azure resource: An Azure Logic Apps connector
D: Microsoft Sentinel feature: A playbook; Azure resource: An Azure Data Factory pipeline
E: Microsoft Sentinel feature: A Threat Intelligence Platforms data connector; Azure resource: An Azure Synapse workspace
F: Microsoft Sentinel feature: A Threat Intelligence Platforms data connector; Azure resource: An Azure Logic Apps connector
Correct answer: A
Explanation:
To export historical data from a Microsoft Sentinel workspace to Azure Data Lake Storage (ADLS), either one time or continuously, you can use the new historical data export notebook. The notebook approach allows more granular control over the export process than the previously used Sentinel data export tool.
The historical data export notebook provides the ability to filter and transform data before exporting it to ADLS.
The historical data export notebook uses Azure Synapse to work with data at scale.

The template notebook is available via the Sentinel UI or from GitHub.
References:
Export Historical Log Data from Microsoft Sentinel
Export data from Sentinel to external systems