Practice SC-100 Recommend security best practices and priorities questions with full explanations on every answer.
1. A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?
2. A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?
3. A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?
4. A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?
5. A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?
6. A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?
7. A company is using Azure Active Directory (Azure AD) for identity management. They want to implement a policy that requires all users to use multi-factor authentication (MFA) when accessing Office 365 from outside the corporate network. Which conditional access policy setting should they configure?
8. A company is planning a migration to Azure and wants to ensure that their security operations center (SOC) has visibility into all Azure resources. They need to collect security logs from multiple subscriptions into a central workspace. Which Azure service should they use?
9. Which TWO of the following are best practices for securing Azure Kubernetes Service (AKS)?
10. Which THREE of the following are key components of a defense-in-depth strategy?
11. Which TWO of the following are true about Azure Policy initiatives?
12. Refer to the exhibit. A company creates this Azure Policy definition and assigns it to a subscription. A developer attempts to create a storage account with blob encryption enabled. The creation fails. What is the most likely reason?
13. Refer to the exhibit. The ContosoPlatform management group has an Azure Policy assignment that denies all deployments without encryption. The App1 subscription contains a storage account that was created without encryption. Why is the storage account still non-compliant?
14. You are the lead security architect for a multinational corporation that recently completed a merger. The new entity, Contoso Ltd., has a complex Azure environment with over 200 subscriptions spread across multiple management groups. The company's security team has identified several critical issues: (1) many subscriptions have Azure Security Center's Secure Score below 30%, (2) there are numerous unmanaged VMs with public IP addresses, (3) there is no centralized logging for security events, and (4) identity management is fragmented with multiple Azure AD tenants. The CEO mandates a 'zero-trust' security posture within 12 months. You have a limited budget and must prioritize the most impactful actions. Which course of action should you take first?
15. A company is deploying Microsoft Defender for Cloud to protect a multi-cloud environment that includes Azure and AWS. The security team wants to prioritize the highest-risk recommendations. Which feature should they use to identify and focus on the most critical security issues?
16. A financial services organization is designing a zero-trust architecture for its Azure environment. They need to ensure that all administrative access to critical systems uses just-in-time (JIT) access and that privileged role assignments are time-bound. Which combination of Microsoft security best practices should they implement?
17. A company uses Azure DevOps for CI/CD. The security team wants to ensure that secrets like API keys and connection strings are never stored in code repositories. Which best practice should they recommend?
18. A large enterprise is implementing Microsoft Defender for Cloud to improve their security posture. Which TWO actions should they take to prioritize and remediate security recommendations effectively? (Choose two.)
19. Refer to the exhibit. A security architect reviews the Azure AD Conditional Access policy JSON. The policy is intended to require MFA for all users accessing Azure management (Microsoft Azure Management app ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), except for the BreakGlassAdmin account and from trusted locations. However, some users report being prompted for MFA even when connecting from the corporate office (which is marked as a trusted location). What is the most likely cause?
20. You are the security architect for a multinational corporation that uses Azure Active Directory (Azure AD) and Microsoft 365. The company has recently experienced a security incident where a compromised user account was used to access sensitive data from a legacy application that does not support modern authentication. To mitigate this risk, you have been asked to recommend a set of security best practices and priorities. The environment includes 50,000 users, 200 applications (many legacy), and a hybrid identity setup with Active Directory Domain Services (AD DS) synchronized to Azure AD via Azure AD Connect. The security team wants to reduce the attack surface, enforce least privilege, and improve identity protection. Current issues include: (1) many users have standing admin privileges on workstations, (2) legacy apps use shared service accounts with weak passwords, (3) Conditional Access policies are not applied consistently, and (4) there is no process for reviewing privileged role assignments. Which course of action should you recommend as the highest priority?
21. Order the steps to configure Azure DDoS Protection Standard for a virtual network.
22. Order the steps to configure Azure Policy to enforce tagging on resources.
23. Match each compliance framework to its focus area.
24. Match each Azure policy effect to its behavior.
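Question 19 above turns on how a Conditional Access location exclusion is evaluated: the exclusion only applies when the sign-in's source address falls inside a named location that is actually flagged as trusted, and ranges are matched per IP version. The following is an added example, not part of the question bank or its exhibit, that models just those two policy conditions (excluded user, trusted location) over a constructed set of named locations and sign-ins. The location names, CIDR ranges (RFC 5737 / 3849 documentation addresses), and user names are assumptions chosen for illustration; real Conditional Access evaluation considers more factors than this model.

```python
import ipaddress
from typing import Optional

# Constructed sample data (assumption, not the exhibit from the question): named locations as a
# Conditional Access policy sees them. Only a location flagged isTrusted satisfies the
# "trusted locations" exclusion; merely defining a named location is not enough.
NAMED_LOCATIONS = {
    "Corporate office": {
        "isTrusted": True,
        "ipRanges": ["203.0.113.0/24"],   # IPv4 egress only; no IPv6 range was added
    },
    "Branch office": {
        "isTrusted": False,               # defined, but never marked trusted
        "ipRanges": ["198.51.100.0/24"],
    },
}

# Hypothetical user exclusion mirroring the question: one break-glass account is exempt.
EXCLUDED_USERS = {"BreakGlassAdmin"}


def trusted_location_for(client_ip: str) -> Optional[str]:
    """Return the name of the trusted named location containing client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for name, loc in NAMED_LOCATIONS.items():
        if not loc["isTrusted"]:
            continue
        for cidr in loc["ipRanges"]:
            net = ipaddress.ip_network(cidr, strict=False)
            # An IPv6 client never matches an IPv4-only range, and vice versa.
            if ip.version == net.version and ip in net:
                return name
    return None


def mfa_required(user: str, client_ip: str) -> bool:
    """Model of the policy in question 19: MFA for Azure management for all users,
    except excluded accounts and sign-ins from a trusted location."""
    if user in EXCLUDED_USERS:
        return False
    return trusted_location_for(client_ip) is None


def diagnose(user: str, client_ip: str) -> str:
    """Explain why a sign-in was or was not prompted, pointing at the config gap."""
    if user in EXCLUDED_USERS:
        return f"{user} from {client_ip}: no MFA (excluded user)"
    trusted = trusted_location_for(client_ip)
    if trusted is not None:
        return f"{user} from {client_ip}: no MFA (trusted location {trusted})"
    ip = ipaddress.ip_address(client_ip)
    # Did the address hit a named location that exists but is not flagged trusted?
    untrusted_hits = [
        name for name, loc in NAMED_LOCATIONS.items()
        if not loc["isTrusted"]
        and any(ip in ipaddress.ip_network(c, strict=False) for c in loc["ipRanges"])
    ]
    if untrusted_hits:
        return (f"{user} from {client_ip}: MFA prompted; matches "
                f"{untrusted_hits[0]} but it is not marked trusted")
    return (f"{user} from {client_ip}: MFA prompted; no trusted range covers "
            f"this IPv{ip.version} address")


# Constructed sign-ins: office IPv4, office IPv6 egress, branch office, break-glass account.
SIGN_INS = [
    ("alice", "203.0.113.45"),
    ("alice", "2001:db8::10"),
    ("bob", "198.51.100.7"),
    ("BreakGlassAdmin", "192.0.2.1"),
]

if __name__ == "__main__":
    for user, ip in SIGN_INS:
        print(diagnose(user, ip))
```

Running it shows the two configuration gaps that produce "prompted from the office" reports: the office's IPv6 egress is not covered by the IPv4-only trusted range, and a location that exists but was never marked trusted does not satisfy the exclusion. Either way the fix is in the named-location definition, not in the policy's user exclusions.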
The Recommend security best practices and priorities domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.
The Courseiva SC-100 question bank contains 24 questions in the Recommend security best practices and priorities domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Recommend security best practices and priorities domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.