Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Design security solutions for applications and data

Practice SC-100 Design security solutions for applications and data questions with full explanations on every answer.

207 questions

SC-100 Domains

Design solutions that align with security best practices and priorities
Design security operations, identity, and compliance capabilities
Design security solutions for infrastructure
Design a Zero Trust strategy and architecture
Design security solutions for applications and data
Evaluate GRC and security operations strategies
Design security for infrastructure
Design a strategy for data and applications
Recommend security best practices and priorities

All SC-100 Design security solutions for applications and data questions (207)

1

Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?

2

Your company uses Microsoft Defender for Cloud to protect Azure resources. A critical application uses an Azure SQL Database. You need to ensure that all queries to the database are encrypted in transit and that the encryption protocol is the most secure version available. Which configuration should you enforce?

3

Your organization stores sensitive customer data in Azure Blob Storage. You need to implement data classification and labeling using Microsoft Purview. Which resource should you use to automatically scan and classify the data?

4

A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?

5

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You notice that a particular database is flagged with a high-severity recommendation to enable 'Advanced Data Security'. What does enabling Advanced Data Security provide?

6

Your company is designing a solution to store sensitive documents in Azure Files. The files must be encrypted at rest and in transit. Which two configurations are required? (Each correct answer presents part of the solution.)

7

Your organization uses Microsoft Purview Information Protection to label and protect sensitive emails and documents. You need to ensure that when a user applies a 'Highly Confidential' label, the content is automatically encrypted and a watermark is added. Which configuration should you use?

8

A company uses Azure API Management to expose backend APIs. They need to implement OAuth 2.0 authorization with Microsoft Entra ID. The APIs are called by a SPA application. Which OAuth 2.0 grant type should be used?

9

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from on-premises Active Directory. What should you deploy?

10

Your company is developing a microservices application that will run on Azure Kubernetes Service (AKS). The application must authenticate to Azure SQL Database using managed identities. Which type of managed identity should you assign to the AKS cluster?

11

Your organization uses Azure Cosmos DB with SQL API. You need to implement data encryption at rest and control access to the encryption keys. Which two actions should you take? (Choose two.)

12

Your company uses Microsoft Intune to manage mobile devices. You need to protect corporate data on mobile devices by ensuring that work files are encrypted and not accessible by personal apps. What three configurations should you implement? (Choose three.)

13

Your organization uses Azure Data Lake Storage Gen2 for big data analytics. You need to secure access to the data using Azure RBAC and ACLs. Which two methods can you use to authorize access? (Choose two.)

14

Refer to the exhibit. You are reviewing an Azure Policy definition that uses a 'modify' effect. The policy is intended to automatically enable transparent data encryption (TDE) on Azure SQL databases after they are created. Which condition must be met for the modify effect to work?

15

Refer to the exhibit. You are analyzing sign-in failures in Microsoft Sentinel using a KQL query. What does this query identify?

16

Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that only authorized applications can access Azure Key Vault secrets. The solution must use managed identities and least privilege. What should you configure?

17

You are designing a data classification strategy for Microsoft Purview. The compliance team requires that documents containing personally identifiable information (PII) like credit card numbers are automatically labeled and encrypted when stored in Microsoft SharePoint Online. The solution must use built-in sensitive information types. What should you include in the design?

18

Your company uses Microsoft Defender for Cloud Apps to discover and control shadow IT. You need to block the use of a newly discovered unsanctioned cloud storage app that poses a high risk. What should you configure?

19

You are designing an API management solution using Azure API Management. The security team requires that all API calls must be authenticated using OAuth 2.0 and that only specific Azure AD applications can access the APIs. Additionally, the solution must support rate limiting and IP filtering. What should you configure?

20

Your organization uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to protect sensitive data on Windows 10 devices from being exfiltrated via USB drives. The solution must be able to audit file copy operations to USB and block them for high-risk users. What should you configure?

21

You are designing a secure DevOps pipeline using GitHub Actions and Azure. The security team requires that all container images pushed to Azure Container Registry (ACR) are scanned for vulnerabilities before deployment. If critical vulnerabilities are found, the pipeline must fail. What should you integrate into the pipeline?

22

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers via email in Outlook on the web. The policy should notify users when they try to send such data and allow them to override with a business justification. What should you configure?

23

You are designing a solution to protect Azure SQL Database from SQL injection attacks. The solution must use a web application firewall (WAF) and also ensure that queries from the application are parameterized. Which two components should you include? (Choose two. Each correct answer presents part of the solution.)

24

Your organization is using Microsoft Sentinel for security information and event management (SIEM). You need to ensure that data from Azure Activity Logs is ingested into Sentinel. What should you configure?

25

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

26

Refer to the exhibit. You run the PowerShell command shown in the exhibit. The command returns the secret value in plain text. The Key Vault has soft-delete and purge protection enabled. What is the most likely reason that the command succeeded?

27

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

28

Your organization is designing a data protection strategy using Microsoft Purview. You need to classify and label all sensitive data stored in Azure SQL Database. The solution must automatically detect credit card numbers and apply a sensitivity label. Which three actions should you take? (Choose three.)

29

You are designing a secure access strategy for Azure App Service web applications. The requirements are: use Azure AD for authentication, restrict access to specific IP ranges, and require multi-factor authentication (MFA) for all users. Which two components should you configure? (Choose two.)

30

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and prevent the use of unsanctioned cloud apps. The solution should generate alerts when users access high-risk apps and block access to very high-risk apps. Which three actions should you take? (Choose three.)

31

A company uses Microsoft Defender for Cloud Apps to control data exfiltration from sanctioned SaaS apps. Security admins want to block downloading sensitive files from SharePoint Online to unmanaged devices. Which method should be used?

32

Refer to the exhibit. A security architect is reviewing an ARM template for an Azure Key Vault. The vault must be accessible from a backend subnet via private endpoint. What is the missing configuration component?

33

A company stores sensitive customer data in Azure SQL Database. They need to encrypt the data at rest and control access to encryption keys. Which solution should they use?

34

A company deploys a line-of-business application on Azure App Service. The application uses a managed identity to access Azure SQL Database. Security policy requires that the database connection string must not contain credentials. How should the connection string be configured?

35

Refer to the exhibit. A security architect is reviewing a Microsoft Purview sensitivity label configuration for a financial services company. The compliance team requires that employees must provide justification when downgrading a document labeled 'Confidential - Financial' to 'General'. Which configuration is missing?

36

A company uses Microsoft Entra ID for identity management. They want to ensure that only approved users can access a custom web application. The solution must support single sign-on (SSO) and require multi-factor authentication (MFA) for external users. Which approach should they use?

37

Your organization stores sensitive data in Azure Blob Storage. You need to ensure that data is encrypted at rest and that the encryption keys are rotated every 90 days. You also need to maintain your own key material. Which solution should you use?

38

Refer to the exhibit. A security analyst is reviewing a Windows security event log from a domain controller. The event indicates an attempted logon failure. Which type of attack is most likely being attempted?

39

A company is designing a security solution for a new application that will be deployed on Azure Kubernetes Service (AKS). They need to protect secrets and ensure that only authorized pods can access them. Which TWO actions should they take? (Choose two.)

40

A company is implementing Microsoft Purview to protect sensitive data in Microsoft 365. They need to prevent users from sharing credit card numbers via email. Which THREE components must be configured? (Choose three.)

41

A company uses Microsoft Defender for Cloud to secure their Azure workloads. They need to ensure that all Azure SQL databases have threat detection enabled. Which TWO actions should they take? (Choose two.)

42

Refer to the exhibit. A security architect is reviewing an Azure Policy definition. What is the effect of this policy?

43

A company uses Microsoft Sentinel for SIEM. They need to ensure that security events from Azure Active Directory (now Microsoft Entra ID) are ingested into Sentinel. Which data connector should they enable?

44

Refer to the exhibit. A security architect is reviewing the network configuration of an Azure App Service app named 'finance-app'. The app needs to be accessible from a backend subnet via private endpoint. Which additional configuration is required?

45

A company uses Microsoft 365 and wants to protect sensitive documents from being shared externally. They need a solution that automatically classifies documents containing personally identifiable information (PII) and applies appropriate protection. Which two services should they combine?

46

Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You need to ensure that all Azure SQL Databases have Threat Detection enabled and Advanced Threat Protection notifications are sent to the security team. What should you do?

47

Your company is deploying Microsoft Entra ID for application authentication. You need to register a new web application that uses OAuth 2.0 for user sign-in. Which authentication flow should you use?

48

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft Teams. You need to prevent users from sharing credit card numbers in Teams chat messages. However, the policy should allow sharing with external vendors if they are in your organization's approved list. What should you configure?

49

Your team develops a web application hosted on Azure App Service. You need to secure the application against common web vulnerabilities like SQL injection and cross-site scripting. What should you implement?

50

Your organization uses Microsoft Sentinel to detect threats. You need to design a solution that automatically remediates a detected threat on an Azure VM by isolating the VM from the network. What should you use?

51

Your company uses Microsoft Intune for mobile device management. You need to ensure that corporate data on iOS devices is protected by requiring a PIN and encrypting the device. What configuration should you create?

52

Your organization is deploying Microsoft Defender for Cloud Apps. You need to create a policy that blocks downloads of sensitive files from sanctioned cloud apps to unmanaged devices. What type of policy should you create?

53

Your organization uses Azure API Management (APIM) to expose APIs to external partners. You need to ensure that only authorized partners can access the APIs and that the API requests are rate-limited to prevent abuse. What should you implement?

54

Your organization uses Microsoft Purview to govern data assets across Azure and on-premises. You need to automatically classify sensitive data such as credit card numbers in Azure SQL Database. What should you use?

55

You are reviewing the ARM template snippet for an Azure Storage container. What does the 'denyEncryptionScopeOverride' property set to 'true' ensure?

56

You are analyzing sign-in logs in Microsoft Sentinel. The query returns users with ResultType 50074. What does this result type indicate?

57

You run the PowerShell command to retrieve the vulnerability assessment baseline for rule VA2108 on an Azure SQL Database. The command returns a baseline with multiple rows. What is the purpose of this baseline?

58

Your organization is designing a solution to protect sensitive data in Microsoft 365. You need to implement Microsoft Purview Data Loss Prevention (DLP) policies. Which TWO actions can a DLP policy take when a match occurs? (Choose TWO.)

59

Your company is using Microsoft Defender for Cloud to protect Azure resources. You need to implement just-in-time (JIT) VM access. Which THREE components are required? (Choose THREE.)

60

Your organization is using Microsoft Sentinel for security operations. Which THREE data sources can be connected to Microsoft Sentinel out of the box? (Choose THREE.)

61

A company uses Microsoft Defender for Cloud Apps to enforce session policies. The security team needs to block downloads of sensitive files from Microsoft 365 when accessed from unmanaged devices. Which type of policy should they configure?

62

A healthcare organization is designing a zero-trust application security strategy. They use Microsoft Entra ID for identity and plan to deploy a legacy on-premises web application with no modern authentication support. The solution must ensure that only authorized users can access the app and that access is logged for auditing. Which Microsoft security service should they use to secure access?

63

A multinational corporation uses Microsoft Purview to classify and protect sensitive data. They need to ensure that any email containing a patient health record (PHI) is encrypted before delivery. Which capability should they use?

64

A company uses Microsoft Sentinel for security operations. They want to collect logs from a custom application running on Azure Virtual Machines. The application writes logs to a local file. Which data connector should they use?

65

An organization is using Microsoft Defender for Cloud to secure their Azure workloads. They have several Azure SQL databases that store sensitive financial data. The security team wants to receive alerts when a user attempts to access the database from a suspicious IP address or at an unusual time. Which Defender for Cloud plan provides this capability?

66

A company is developing a web API that will be consumed by partner applications. They need to secure the API using OAuth 2.0 and issue access tokens that expire after 1 hour. Which Microsoft Entra ID feature should they use?

67

A security architect is designing a data protection strategy for a Microsoft 365 tenant. The company must prevent users from sharing sensitive documents with external users via SharePoint Online. They want to apply a policy that automatically detects sensitive content and blocks external sharing. Which Microsoft Purview solution should they use?

68

A company uses Microsoft Defender for Cloud to protect their hybrid environment. They have on-premises servers that are monitored by Microsoft Defender for Servers. The security team notices that some servers are missing critical security updates. They want to automatically remediate missing updates on these servers. Which feature should they enable?

69

A company uses Microsoft Intune to manage corporate devices. They want to ensure that only compliant devices can access corporate email in Outlook Mobile. Which type of policy should they configure?

70

A company is designing a data classification strategy using Microsoft Purview. They need to automatically classify and protect sensitive data stored in Azure Blob Storage. Which TWO capabilities should they use? (Choose TWO.)

71

A financial services company uses Microsoft Sentinel for SIEM. They need to detect potential data exfiltration from their Azure SQL Database. Which THREE data sources should they connect to Sentinel to achieve this? (Choose THREE.)

72

A company uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to protect their Microsoft 365 environment. They want to ensure that sensitive data is not leaked through Microsoft Teams messages. Which TWO capabilities should they use? (Choose TWO.)

73

Refer to the exhibit. A security administrator is reviewing a Conditional Access policy JSON. They want to ensure that users with medium risk level are prompted for multi-factor authentication (MFA), while high-risk users are blocked. The policy is not working as expected. Which issue is present in the policy?

74

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel to find high-risk sign-ins. The query returns no results, but they know there were high-risk sign-ins. What is the most likely reason?

75

Refer to the exhibit. A security architect is reviewing an ARM template that deploys an Azure Storage container. They want to ensure the container is not publicly accessible. What is the security implication of this template?

76

Your company is migrating a legacy on-premises web application to Azure App Service. The application uses Windows Integrated Authentication and connects to a SQL Server database. You need to design a security solution that minimizes changes to the application code while ensuring secure authentication and data protection. What should you use to authenticate users?

77

Your organization uses Microsoft Sentinel to detect threats. You need to ensure that sensitive data stored in Azure SQL Database is protected from unauthorized access by Sentinel playbooks. What should you implement?

78

Your organization is designing a data protection strategy for Microsoft 365 using Microsoft Purview. You need to protect sensitive data from being shared externally via email. Which TWO capabilities should you include?

79

A company deploys a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Key Vault to store secrets. You need to ensure that pod-level access to secrets is restricted to only the pods that require them. What should you implement?

80

Your company develops an API that will be consumed by external partners. You need to secure the API using Azure API Management (APIM). Which authentication mechanism should you recommend for partner applications?

81

Your organization is designing a solution to protect sensitive data in Microsoft SharePoint Online. You need to ensure that documents containing credit card numbers are automatically encrypted when shared with external users. What should you configure?

82

Your company is designing a zero-trust security posture for a new application in Azure. The application uses Azure Functions, Azure SQL Database, and Azure Blob Storage. You need to ensure that data in transit is encrypted and that the application can authenticate without storing secrets in code. Which THREE actions should you take?

83

Refer to the exhibit. You are reviewing an Azure Policy definition for storage accounts. You assign this policy with effect set to 'Deny' on a resource group. Which of the following scenarios will be blocked by this policy?

84

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that your Azure App Service web applications are protected against common web vulnerabilities like SQL injection. What should you enable?

85

Your company uses Microsoft 365 and wants to prevent sensitive data from being copied to personal cloud storage services like Dropbox. Which TWO Microsoft Purview capabilities should you use?

86

Your company is developing a Microsoft Teams app that accesses user profiles. You need to ensure the app only accesses minimal required data. What should you implement?

87

Refer to the exhibit. You are reviewing an ARM template for an Azure Function App. The function app uses a user-assigned managed identity and references a Key Vault secret for the storage connection string. The deployment fails because the function app cannot access the Key Vault secret. What is the most likely cause?

88

Your organization uses Microsoft Entra ID for identity and access management. You need to design a solution that allows external partners to access a specific SharePoint Online site without creating guest accounts. What should you use?

89

Refer to the exhibit. This is a risk alert from Microsoft Entra ID Identity Protection for user jdoe@contoso.com. You are designing an automated response using Microsoft Sentinel. Which condition should you use to trigger a high-severity incident?

90

Your organization is implementing a secure DevOps pipeline for Azure. You need to ensure that secrets (e.g., API keys) are not stored in source code and that access to production resources is controlled. Which THREE practices should you implement?

91

Your organization is designing a new application that will store sensitive customer data in Azure Cosmos DB. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. What should you configure?

92

Your company uses Microsoft Purview to classify and protect sensitive data. You need to automatically detect and protect credit card numbers in documents stored in SharePoint Online. Which solution should you implement?

93

You are designing a microservices application running on Azure Kubernetes Service (AKS). You need to ensure that secrets (e.g., API keys, connection strings) are securely stored and automatically rotated without application downtime. What is the recommended approach?

94

Your organization uses Microsoft Entra ID for identity and access management. You are developing a web application that needs to access Microsoft Graph API on behalf of the signed-in user. Which authentication flow should you implement?

95

You are designing a solution to protect an Azure App Service web application from common web attacks like SQL injection and cross-site scripting. What should you implement?

96

Your company uses Microsoft Purview to manage data governance. You need to create a data classification rule that scans Azure Data Lake Storage for personally identifiable information (PII) such as email addresses. The rule must also apply a sensitivity label automatically. Which approach should you use?

97

You are designing a CI/CD pipeline for a containerized application using Azure DevOps. You need to ensure that container images are scanned for vulnerabilities before being deployed to production. Which service should you integrate?

98

Your organization is adopting Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the existing sensitivity labels when processing data. What should you configure?

99

You are designing a solution for an Azure SQL Database that stores sensitive financial data. The compliance team requires that all queries are audited and that access to sensitive columns is restricted for certain users. What should you implement?

100

You need to design a secure solution for a web application that authenticates users via Microsoft Entra ID and calls a downstream API. Which TWO should you implement to secure the application? (Choose TWO.)

101

Your organization uses Microsoft Purview to protect sensitive data. You need to implement a solution that automatically detects and protects personally identifiable information (PII) in Microsoft 365. Which THREE should be part of your solution? (Choose THREE.)

102

You are designing an API management solution using Azure API Management. Which TWO should you implement to protect the API from unauthorized access? (Choose TWO.)

103

Refer to the exhibit. You are deploying an Azure Storage container for storing compliance records. The ARM template snippet above configures the container. Which statement accurately describes the configuration?

104

Refer to the exhibit. You are auditing an Azure subscription. The Azure Policy assignment above is targeting a resource group. The policy definition ID corresponds to a built-in policy that audits if SQL databases have transparent data encryption (TDE) enabled. What is the effect of this policy assignment?

105

Refer to the exhibit. You are investigating a security incident in Microsoft Sentinel. The KQL query above is used to identify potential brute-force attacks. What does the query return?

106

Your company is developing a web application that stores sensitive customer data in Azure SQL Database. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only the application can access the database, not individual administrators. Which two technologies should you implement? (Choose two.)

107

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to ensure that when a user attempts to share a document containing credit card numbers externally, the action is blocked and the user is shown a policy tip. Which DLP rule configuration should you use?

108

You are designing a solution to securely store and manage secrets for a cloud-native application deployed on Azure Kubernetes Service (AKS). The application needs to retrieve database connection strings and API keys at runtime without hardcoding them. The solution must minimize administrative overhead and integrate with Azure Active Directory (now Microsoft Entra ID) for access control. Which service should you use?

109

Your organization is implementing Microsoft Defender for Cloud Apps to protect against malicious OAuth app permissions. Users have been granting permissions to third-party apps that request excessive scopes. What should you configure to automatically revoke such permissions?

110

You are designing a data security solution for a Microsoft 365 tenant that contains highly confidential files. You need to ensure that these files are encrypted and can only be accessed by authorized users, even if the files are downloaded and stored on a personal device. Which technology should you use?

111

Your company runs a critical application on Azure VMs. You need to ensure that only authorized applications can run on the VMs to prevent malware. Which Azure security feature should you enable?

112

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create an analytics rule that detects when a user account is created outside of business hours from an unusual IP address. Which type of rule should you use?

113

You are designing a solution to protect sensitive data in Azure Blob Storage. The data must be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, you need to ensure that only specific virtual networks can access the storage account, and all access must be logged. Which three configurations should you implement? (Choose three.)

114

Your company is developing a mobile application that uses Microsoft Authenticator to sign in users. The app needs to call a web API that is protected by Microsoft Entra ID. You need to ensure that the app uses the OAuth 2.0 authorization code flow with PKCE. Which Microsoft authentication library should you recommend?

115

Your organization is using Microsoft Defender for Cloud to assess the security posture of your Azure resources. You need to ensure that all storage accounts have secure transfer required enabled. Which Defender for Cloud feature should you use?

116

You are designing a data classification strategy for a Microsoft 365 tenant. You need to automatically classify documents that contain personally identifiable information (PII) and apply a retention label. Which Microsoft Purview feature should you use?

117

Your company uses Microsoft Azure to host a critical application that processes credit card payments. The application must comply with PCI DSS. You need to ensure that all access to cardholder data is logged and monitored, and that any unauthorized access attempts trigger an alert. Which combination of services should you use?

118

A company is designing a secure API for a customer-facing application that will handle sensitive personal data. They need to ensure that only authorized client applications can call the API and that the identity of the end-user is verified. Which of the following should they implement?

119

A financial services company is deploying a new application on Azure Kubernetes Service (AKS). The application must meet PCI DSS compliance requirements, which mandate encryption of data at rest and in transit, as well as network segmentation. The application will use Azure SQL Database. What is the MOST secure approach to meet these requirements?

120

You are designing a solution for a healthcare organization that needs to share patient health information (PHI) with a partner organization. The partner must be able to query the data but should not be able to modify it. Both organizations use Microsoft Entra ID. What should you use?

121

Your organization is developing a new application that will use Azure Cosmos DB. The security team requires that all data be encrypted at rest and in transit, and that access to the database is limited to specific Azure services and IP addresses. The application will run on Azure VMs. Which three actions should you take? (Choose three.)

122

Your organization is using Microsoft Defender for Cloud to secure applications running on Azure. You need to ensure that all Azure Storage accounts have secure transfer required enabled. What is the BEST way to enforce this?

123

You are designing a solution for a multi-national corporation that uses Microsoft Purview to govern data across Azure SQL Database, Azure Data Lake Storage, and Microsoft 365. The data classification labels must be automatically applied based on sensitive data types such as credit card numbers and passport numbers. Which Microsoft Purview capability should you use?

124

A company is building a new SaaS application that will be used by external customers. The application uses Azure API Management (APIM) to expose APIs. The security requirements include: (1) Only authenticated and authorized customers can call the APIs, (2) The API keys must be rotated automatically every 90 days, (3) The APIs must be protected against common web vulnerabilities. What should you implement?

125

Your organization uses Microsoft 365 and wants to prevent users from sharing sensitive documents externally via email. The solution must be able to detect credit card numbers and automatically block the email. Which technology should you use?

126

You are designing a secure data sharing solution for a research organization that needs to share large datasets with external universities. The data must be encrypted at rest and in transit, and access must be time-limited. The solution should minimize administrative overhead. What should you use?

127

A company is using Microsoft Defender for Cloud to secure their Azure environment. They have enabled the 'Defender for Cloud's integrated workload protection' plan for Azure SQL Database. Which TWO of the following security features are included in this plan?

128

You are designing a solution to protect a web application hosted on Azure App Service. The application uses Azure SQL Database and stores sensitive customer data. You need to ensure that the data is encrypted at rest and in transit, and that the application is protected from common web attacks. Which TWO of the following should you implement?

129

A company is deploying a new application that uses Azure Cosmos DB. The security requirements include: data encryption at rest, data encryption in transit, and the ability to audit all data access. Which THREE of the following should you implement?

130

Refer to the exhibit. What is the effect of this Azure Policy definition?

131

Refer to the exhibit. A security administrator needs to ensure that the storage account 'securestore' is compliant with the company policy that requires encryption at rest using customer-managed keys and network access restricted to a specific virtual network. Which of the following statements is correct?

132

Refer to the exhibit. What is the purpose of this KQL query?

133

Your organization is deploying a customer-facing web application in Azure. The application must authenticate users via Microsoft Entra ID and access Microsoft Graph to read user profiles. The security team requires that the application never has access to user passwords. Which authentication flow should you recommend?

134

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that data exfiltration from sanctioned cloud apps is blocked in real-time. Which control should you configure?

135

A healthcare organization uses Microsoft Purview Information Protection to classify and protect patient data. They want to automatically apply a 'High Confidentiality' label to any document containing a patient ID pattern (###-####). The label should also encrypt the document. Which configuration should they use?

136

Your organization uses Microsoft Sentinel to centralize security monitoring. You need to detect anomalous access to a critical Azure SQL Database from unusual geographic locations. Which data connector and analytic rule should you use?

137

Your company uses Microsoft Defender for Cloud to secure Azure workloads. You need to ensure that all storage accounts have the 'Secure transfer required' setting enabled. What should you use?

138

A company is implementing Microsoft Priva to manage subject rights requests. Users submit requests to access their personal data stored in Exchange Online, SharePoint, and Teams. The privacy team needs to automate the retrieval of data from these sources. Which Priva capability should they use?

139

Your organization uses Microsoft Entra Verified ID to issue verifiable credentials to employees. You need to design a solution that allows employees to prove their employment status to third-party apps without exposing their full identity. What should you implement?

140

Your organization is developing a Power BI dashboard that uses data from an Azure SQL Database. The data includes personally identifiable information (PII). You need to mask the PII from certain users while allowing full access to data owners. What should you use?

141

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data in Microsoft 365 apps cannot be copied to personal apps on the same device. What should you configure?

142

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to create a DLP policy that detects and blocks sharing of credit card numbers in Exchange Online emails. Which TWO components must you configure?

143

A company is designing a solution to protect Azure Functions that process sensitive data. They need to ensure that only authenticated and authorized callers can invoke the function, and that secrets are not hard-coded. Which THREE actions should they take?

144

Your organization wants to enable Microsoft Defender for Cloud Apps to monitor and control the use of Box and Dropbox. Which TWO steps must you perform?

145

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block sign-ins from high-risk users. However, some high-risk users are still able to sign in. What is the most likely reason?

146

You have created a custom Azure RBAC role named 'Custom SQL DB Reader' as shown in the exhibit. You assign this role to a user. The user reports they cannot read data from an Azure SQL Database. What is the most likely cause?

147

You are reviewing an ARM template snippet that creates a blob container. The security team requires that the container be accessible only via authorized Azure AD identities, not via anonymous access. Based on the exhibit, is the configuration correct?

148

Your company develops a web application hosted on Azure App Service. The application uses Azure SQL Database and requires managed identities to access the database. You need to ensure that the application can authenticate to Azure SQL without storing credentials in code. Which authentication method should you implement?

149

Your organization uses Microsoft Defender for Cloud Apps to protect SaaS applications. You need to configure a policy that blocks downloads of files tagged as 'Highly Confidential' from SharePoint Online and triggers an automated investigation. Which policy type should you use?

150

Your company uses Microsoft Purview to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a notification is sent to the user. Which Microsoft Purview feature should you configure?

151

Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices that is not available in the public App Store. The app is signed with an enterprise certificate. Which app deployment method should you use?

152

Your company uses Microsoft Sentinel for security operations. You need to design a solution that automatically remediates a detected threat by blocking a malicious IP address on Azure Firewall. Which Microsoft Sentinel feature should you use?

153

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, AWS, and GCP resources are assessed against a common set of security standards. Which capability should you use?

154

Your application uses Azure Key Vault to store secrets. You need to ensure that the application rotates secrets automatically without downtime. Which feature should you enable?

155

Your company uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access a specific application using their own identity providers, while ensuring that their accounts are automatically deprovisioned when removed from their home organization. Which feature should you use?

156

Your organization uses Microsoft Purview to map and classify data across Azure, on-premises, and multi-cloud sources. You need to ensure that sensitive data assets are automatically discovered and classified. Which Microsoft Purview component should you configure?

157

Your company uses Microsoft Defender for Cloud Apps to protect its SaaS environment. You need to configure settings to detect and block risky user activities. Which TWO actions should you take? (Choose TWO.)

158

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to secure container access to Azure resources using managed identities. Which THREE components are required? (Choose THREE.)

159

Your company uses Microsoft Intune to manage corporate devices. You need to protect company data on devices by preventing data leakage to personal apps. Which TWO policies should you configure? (Choose TWO.)

160

Refer to the exhibit. You are designing an API Management instance for a production environment. The exhibit shows a snippet of an ARM template. Which security concern is most critical to address before deploying to production?

161

Refer to the exhibit. You run the PowerShell script to protect high-confidentiality resources. After execution, you find that some resources with tag 'Confidentiality=High' are still unprotected. What is the most likely reason?

162

Your organization, Contoso Ltd., is a multinational company with 50,000 employees. They use Microsoft 365 E5, Azure, and Microsoft Sentinel. The security team wants to implement a data security solution that meets the following requirements: 1. All sensitive data stored in SharePoint Online and OneDrive for Business must be automatically classified and protected using sensitivity labels. 2. When a user attempts to share a file labeled 'Highly Confidential' with an external user, the action should be blocked and an alert sent to the security team. 3. The solution must detect and prevent data exfiltration from endpoints by monitoring copy/paste and print actions on sensitive data. 4. All data security events must be centralized in Microsoft Sentinel for correlation and investigation. 5. The solution must comply with regulatory requirements that mandate data retention and eDiscovery capabilities. You need to design the data security solution. Which combination of Microsoft security components should you use?

163

Your organization uses Microsoft Entra ID and plans to implement a custom line-of-business application that accesses Microsoft Graph APIs. The application will be used by employees and external partners. You need to ensure that the application can authenticate users and obtain appropriate permissions without exposing the client secret. What should you implement?

164

A company is deploying a new application that will store sensitive customer data in Azure SQL Database. The security team requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. Additionally, they need to ensure that the database can be restored to a point in time and that the encryption key is rotated every 90 days. Which combination of features should you configure?

165

You are designing security for a web application that will be developed by an external vendor. The vendor will have access to the source code repository and the development environment. You need to ensure that no secrets (e.g., API keys, connection strings) are stored in the source code. What is the best approach to manage secrets for this application?

166

Your organization uses Microsoft Defender for Cloud to protect its Azure workloads. You have an application that runs on Azure Virtual Machines and uses a storage account to store sensitive data. The security team wants to detect when the storage account access keys are used from an unexpected location. What should you configure?

167

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). Each microservice needs to authenticate to Azure SQL Database using its own identity. The security team requires that no service principal secrets or certificates be stored in the cluster. What should you implement to authenticate the microservices to Azure SQL Database?

168

Your organization uses Microsoft Purview to classify and protect sensitive data. You need to prevent users from accidentally sharing files that contain credit card numbers via email. What should you configure in Microsoft Purview?

169

You are designing a solution to protect an Azure App Service web app that authenticates users via Microsoft Entra ID. The app needs to ensure that only users from specific external partner organizations can access it. You do not want to create user objects for each partner user in your tenant. What should you configure?

170

A company is migrating a legacy on-premises application to Azure. The application currently uses Windows Integrated Authentication (Kerberos) and requires access to a SQL Server database on the same network. In Azure, the application will run on Azure Virtual Machines and the database will be migrated to Azure SQL Managed Instance. You need to ensure the application can authenticate to the database without storing credentials. What should you implement?

171

Your organization uses Microsoft Sentinel as its SIEM. You need to collect logs from a custom line-of-business application that does not support standard syslog or Windows Event Log. The application writes logs to a text file on a Windows server. What is the most efficient way to ingest these logs into Microsoft Sentinel?

172

A company is designing a secure data sharing solution with a partner organization. The data will be stored in Azure Blob Storage. Requirements include: encryption at rest with customer-managed keys, granular access control to specific blobs, and the ability to expire access automatically. Which TWO solutions should you combine? (Choose two.)

173

Your organization uses Azure DevOps for CI/CD. You need to ensure that secrets (e.g., API keys) used in pipeline tasks are securely stored and accessed. The security requirements are: secrets must be encrypted at rest, access must be audited, and secrets must be automatically rotated. Which THREE services or features should you use? (Choose three.)

174

A company is deploying a new API management solution using Azure API Management. The APIs will be consumed by external partners. Security requirements include: protecting against OWASP Top 10 attacks, throttling requests per subscription, and validating JSON schemas. Which TWO policies should you configure? (Choose two.)

175

A large financial services company is migrating its customer-facing web application to Azure. The application handles sensitive personal data and must comply with PCI DSS. The solution will use Azure App Service (Linux) with a custom container, Azure SQL Database, and Azure Redis Cache. The security architect mandates that all data in transit be encrypted using the latest TLS version, and that the application must be protected against common web vulnerabilities. The company also wants to ensure that only authenticated users can access the Redis cache. Users will authenticate via Microsoft Entra ID. The operations team needs to be able to monitor for SQL injection attempts and anomalous access patterns. You need to design the security configuration. Which of the following is the most comprehensive approach that meets all requirements?

176

A healthcare organization is using Microsoft Purview to govern its data estate. They have multiple Azure Data Lake Storage accounts and Azure SQL Databases. They need to classify sensitive data such as patient health information (PHI) and apply protection automatically when data is exported from these sources to an external location. The organization also wants to prevent unauthorized users from accessing sensitive data in Azure SQL Database by using built-in security features. The compliance team requires that any access to sensitive data be logged and auditable. You need to design a solution that meets these requirements. What should you implement?

177

A company uses Microsoft Defender for Cloud Apps to protect SaaS applications. The security team receives alerts about suspicious file downloads from a specific user. They want to automatically block the user's account when the risk score exceeds 80. What should they configure?

178

You are designing a secure data classification strategy for documents in Microsoft 365. The compliance officer wants to automatically apply a 'Confidential' label to documents containing credit card numbers. Which Microsoft Purview feature should you use?

179

Refer to the exhibit. You are evaluating a custom Azure Policy definition for storage accounts. The policy is assigned with effect set to 'Deny'. An administrator attempts to create a new storage account with network rules configured to allow all traffic (defaultAction set to Allow). What will happen?

180

A retail company uses Microsoft Defender for APIs to protect its online store API. The security team notices unusual API calls from an IP address that is not in the allowed list. They want to block this IP address for 24 hours. What should they configure?

181

You are designing a secure CI/CD pipeline for a web application deployed to Azure Kubernetes Service (AKS). The security team requires that container images are scanned for vulnerabilities before deployment. Which two services should you integrate?

182

A company uses Microsoft Sentinel to detect threats. They want to automatically send an email to the security team when a high-severity incident is created. What should they configure?

183

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Exchange Online. The compliance team wants to prevent users from sending emails containing Social Security numbers to external recipients. What should you configure?

184

A company uses Azure Cosmos DB with Microsoft Defender for Cloud to protect its NoSQL database. The security team wants to audit all data plane operations for compliance. Which diagnostic setting should they enable?

185

Which TWO data protection mechanisms should you implement to protect data at rest in Azure SQL Database?

186

Which THREE actions should you take to secure a CI/CD pipeline using Azure DevOps and GitHub?

187

Which TWO Microsoft Purview features can be used to classify and label data in Microsoft 365?

188

Which THREE security controls should you implement to protect a web application against common OWASP Top 10 vulnerabilities?

189

Which TWO actions should you take to secure Azure Functions with HTTP triggers?

190

Your company is deploying a new AI-powered customer service chatbot using Azure OpenAI Service. The chatbot will access customer data stored in Azure Cosmos DB. The security team requires that all data in transit is encrypted, and that the chatbot only accesses data necessary for its function. Additionally, the chatbot must use managed identities to authenticate to Cosmos DB. You need to design the security architecture. Which combination of controls should you implement?

191

Your organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. You discover that employees are using a third-party file sharing app that is not sanctioned. The security team wants to block access to this app from managed devices and require authentication for unmanaged devices. You need to configure the appropriate controls in Defender for Cloud Apps. What should you do?

192

Your company, Fabrikam, is a global financial services firm that handles sensitive customer data. You are designing a security solution for a new customer-facing web application that processes credit card transactions. The application will be deployed on Azure Kubernetes Service (AKS) and will use Azure SQL Database for data storage. Compliance requirements include PCI DSS and GDPR. You need to ensure that data at rest and in transit is encrypted, and that access to the database is tightly controlled. You plan to use Azure Key Vault for managing encryption keys. Which combination of actions should you implement?

193

Contoso, a healthcare provider, is deploying a new patient portal on Azure App Service that stores electronic health records (EHR) in Azure Cosmos DB for NoSQL. The solution must comply with HIPAA and HITRUST. You need to ensure that data is encrypted at rest and in transit, and that access is restricted based on user roles. Cosmos DB must be configured with a private endpoint to prevent public internet access. You plan to use Azure Key Vault to manage encryption keys. Additionally, the application will access Cosmos DB using a system-assigned managed identity. Which of the following is the most complete and secure design?

194

A multinational retail company, Northwind Traders, is building a new e-commerce platform on Azure. The platform includes a public-facing API built on Azure API Management (APIM) that processes orders containing personal data (PII). The company uses Microsoft Entra ID for identity management. You need to design a security solution that protects the API from common web vulnerabilities (e.g., SQL injection, XSS) and ensures that only authenticated users with the appropriate role can place orders. Additionally, you need to log and monitor all API requests for security auditing. Which combination of services should you use?

195

Your organization, Adatum, is migrating its on-premises applications to Azure. The applications include a legacy .NET Framework web app that uses Windows authentication and a modern ASP.NET Core API that uses OAuth 2.0. You need to design a secure solution for these applications using Azure App Service. The security requirements include: (1) enforce HTTPS only, (2) restrict access to the web app based on the user's corporate identity, (3) allow the API to access an Azure SQL Database using a managed identity. Which of the following is the correct design?

196

Trey Research, a biotech firm, is developing a machine learning model on Azure Machine Learning that uses sensitive genomic data. The data is stored in Azure Blob Storage. The company requires that all data be encrypted at rest using customer-managed keys stored in Azure Key Vault, and that access to the storage account be restricted to the Azure Machine Learning workspace and specific data scientists via Azure AD authentication. Additionally, the storage account must be accessible only from the company's virtual network. Which of the following configurations should you implement?

197

Wide World Importers is deploying a critical line-of-business application on Azure Kubernetes Service (AKS). The application processes financial transactions and must meet SOX compliance. You need to design a security solution that includes: encryption of secrets (e.g., database connection strings) using Azure Key Vault, automatic certificate rotation for TLS termination, network isolation of the AKS cluster, and audit logging of all access to secrets. The solution should use a managed identity for the AKS cluster to access Key Vault. Which of the following designs meets the requirements?

198

A startup, Alpine Ski House, is developing a mobile app that allows users to book ski lessons. The app communicates with an Azure Function App backend via REST APIs. The function app stores data in Azure Cosmos DB. The company wants to secure the API endpoints using OAuth 2.0 with Microsoft Entra ID and ensure that only authenticated users can invoke the functions. The function app should also use a managed identity to access Cosmos DB. Which of the following configurations should you implement?

199

Your company, Lucerne Publishing, is migrating its on-premises SQL Server databases to Azure SQL Managed Instance. The databases contain sensitive customer data subject to GDPR. You need to design a security solution that includes: (1) Always Encrypted for sensitive columns, (2) dynamic data masking for non-privileged users, (3) auditing of all data access, and (4) encryption at rest using customer-managed keys stored in Azure Key Vault. Which of the following configurations should you implement?

200

A software company, SouthRidge, is deploying a multi-tier application on Azure Virtual Machines. The web tier runs IIS, the application tier runs a .NET application, and the data tier runs SQL Server. You need to ensure that all traffic between tiers is encrypted, and that the application tier can access the database using a managed identity. The solution should also include a web application firewall (WAF) to protect the web tier from common attacks. Which of the following designs should you use?

201

A government agency, Northwind, is deploying a sensitive application on Azure App Service Environment (ASE) v3. The application handles classified data and must meet FedRAMP High requirements. You need to design a security solution that includes: (1) encryption at rest for the app's content and configuration, (2) encryption in transit with TLS 1.2 or higher, (3) network isolation using VNet integration and private endpoints, (4) identity-based access to Azure SQL Database using managed identity, and (5) certificate management for custom domains using Azure Key Vault. Which of the following designs meets all requirements?

202

Your organization is designing a security solution for a new web application that will be deployed on Azure App Service. The application will access an Azure SQL Database and an Azure Storage account. The security requirements include: (1) use managed identities for authentication, (2) encrypt data at rest and in transit, (3) restrict network access to the database and storage account to only the App Service, and (4) use Azure Key Vault for secrets management. Which TWO of the following should you implement?

203

A hospital, Contoso Health, is deploying an Azure API Management (APIM) instance to expose healthcare APIs that comply with HIPAA. The APIs are hosted on Azure Functions and Azure Logic Apps. You need to design a security solution that includes: (1) authentication and authorization using Microsoft Entra ID, (2) protection against OWASP top 10 threats, (3) encryption of sensitive data in transit and at rest, and (4) logging and monitoring of all API calls. Which THREE of the following should you implement?

204

Your company, Fabrikam, is designing a solution to securely store and manage secrets (e.g., API keys, database passwords) for cloud applications. The solution must use Azure Key Vault and support automatic rotation of secrets. The applications will run on Azure VMs and Azure App Service. Which TWO of the following should you include in your design?

205

A financial institution, Contoso Bank, is deploying a new application on Azure Kubernetes Service (AKS) that processes credit card transactions (PCI DSS). The application uses Azure SQL Database and Azure Redis Cache. You need to design a security solution that meets PCI DSS requirements. Which THREE of the following should you implement?

206

A software company, Northwind, is developing a mobile app that uses Microsoft Entra ID for authentication. The app accesses an Azure Function App backend that stores data in Azure Cosmos DB. The company wants to implement a defense-in-depth security strategy. Which TWO of the following should you implement?

207

Your organization, Contoso Ltd., is a multinational financial services company that handles sensitive customer financial data. They are migrating a critical loan origination application from on-premises to Azure Kubernetes Service (AKS). The application uses SQL Server on Azure VMs for data storage. Compliance requirements mandate encryption at rest and in transit, and data classification labels must be applied automatically to all financial documents stored in Azure Blob Storage. The security team wants to use Microsoft Defender for Cloud to monitor for misconfigurations and threats. You need to design a security solution for the application and data that meets these requirements. Which of the following actions should you take first?

Practice all 207 Design security solutions for applications and data questions

Other SC-100 exam domains

Design solutions that align with security best practices and priorities
Design security operations, identity, and compliance capabilities
Design security solutions for infrastructure
Design a Zero Trust strategy and architecture
Evaluate GRC and security operations strategies
Design security for infrastructure
Design a strategy for data and applications
Recommend security best practices and priorities

Frequently asked questions

What does the Design security solutions for applications and data domain cover on the SC-100 exam?

The Design security solutions for applications and data domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.

How many Design security solutions for applications and data questions are in the SC-100 question bank?

The Courseiva SC-100 question bank contains 207 questions in the Design security solutions for applications and data domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design security solutions for applications and data for SC-100?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design security solutions for applications and data questions for SC-100?

Yes — the session launcher on this page draws questions exclusively from the Design security solutions for applications and data domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
