Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSC-100DomainsDesign security solutions for infrastructure
SC-100Free — No Signup

Design security solutions for infrastructure

Practice SC-100 Design security solutions for infrastructure questions with full explanations on every answer.

231questions

Start practicing

Design security solutions for infrastructure — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SC-100 Domains

Design solutions that align with security best practices and prioritiesDesign security operations, identity, and compliance capabilitiesDesign security solutions for infrastructureDesign a Zero Trust strategy and architectureDesign security solutions for applications and dataEvaluate GRC and security operations strategiesDesign security for infrastructureDesign a strategy for data and applicationsRecommend security best practices and priorities

Practice Design security solutions for infrastructure questions

10Q20Q30Q50Q

All SC-100 Design security solutions for infrastructure questions (231)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

2

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

3

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

4

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

5

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

6

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

7

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy accomplish?

8

Refer to the exhibit. You need to ensure that the storage account 'seccorpstorage' is only accessible from a specific Azure virtual network. What should you do?

9

Refer to the exhibit. You are deploying an ARM template for a network security group. What is the security implication of this configuration?

10

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved applications can run on corporate devices. Which Intune feature should you configure?

11

You need to design a solution to protect Azure VMs from malware and vulnerabilities. Which Microsoft service should you use?

12

Your company uses Azure Firewall to filter outbound traffic from a virtual network. You need to allow only HTTP and HTTPS traffic to specific FQDNs, while blocking all other outbound traffic. Which Azure Firewall rule type should you use?

13

You are designing a secure hybrid network connectivity solution between an on-premises datacenter and Azure. The requirement is to have encrypted traffic and high availability. Which service should you use?

14

You need to ensure that Azure SQL Database always encrypts data at rest and in transit. Which features should you enable?

15

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed compromise of a domain controller by isolating the affected VM. Which automation feature should you use?

16

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts using pass-the-hash attacks. Which data source should you prioritize for ingestion?

17

Your company is designing a Zero Trust network for a hybrid workforce. Remote users connect via VPN to on-premises resources, while cloud apps use Microsoft Entra ID. You need to enforce conditional access based on device compliance and user risk. Which Microsoft security solution should you integrate with Entra ID to provide real-time device posture signals?

18

You are designing a secure infrastructure for an e-commerce platform hosted on Azure. The platform must meet PCI DSS compliance. Which Azure service should you use to centrally manage and monitor security policies across subscriptions?

19

A multinational corporation uses Microsoft Entra ID with hybrid identities. They need to design a solution that automatically remediates risky sign-ins without user intervention. Which feature should you enable?

20

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Sentinel when a Defender XDR alert fires. Which integration should you configure?

21

Your company is migrating to Azure and needs to secure virtual networks with network segmentation. You need to design a solution that filters traffic between subnets based on application requirements. Which Azure service should you use?

22

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to design a solution that automatically applies a security baseline to new Azure VMs. Which feature should you use?

23

Your company uses Microsoft Intune to manage devices. You need to design a solution that prevents users from installing unauthorized applications on corporate Windows 10 devices. Which Intune policy should you configure?

24

Your organization uses Microsoft Purview to classify data assets. You need to design a solution that automatically scans data sources in Azure SQL Database for sensitive information. Which Purview scanner should you configure?

25

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster using Microsoft Defender for Cloud?

26

Which THREE components are required to implement a Zero Trust network architecture using Microsoft Entra Internet Access (formerly Microsoft 365 Network Connectivity)?

27

Which TWO Azure services should you use to implement a defense-in-depth strategy for protecting Azure virtual machines?

28

You are designing a hybrid identity solution for an organization that uses Microsoft Entra ID and an on-premises Active Directory. The organization requires that users who are located in a remote office without a direct VPN connection to the main office can authenticate against on-premises resources using their Entra ID credentials. The solution must minimize latency and support passwordless authentication. Which feature should you implement?

29

Your organization is designing a secure network infrastructure for a multi-cloud environment that includes Azure, AWS, and on-premises datacenters. The security team requires that all traffic between these environments be inspected for threats and that any malicious traffic be automatically blocked. The solution must minimize complexity and use a single pane of glass for policy management. Which Azure service should you use as the central hub?

30

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to ensure that all virtual machines are covered by Defender for Cloud's vulnerability assessment capabilities. Which plan must be enabled?

31

Your organization is deploying Azure Kubernetes Service (AKS) and plans to use Azure Policy to enforce security controls on the cluster. The security team wants to automatically audit and deny the creation of privileged containers. Which Azure Policy initiative should you assign?

32

You are designing a secure access solution for an on-premises application that uses legacy authentication protocols. The organization plans to migrate to Microsoft Entra ID but the application vendor has not yet provided a modern authentication update. The solution must enable single sign-on (SSO) and support multifactor authentication (MFA) for this application without modifying the application code. Which approach should you recommend?

33

Your organization uses Microsoft Intune to manage endpoints. The security team wants to ensure that devices that cannot be enrolled in Intune (e.g., unmanaged BYOD devices) are still subject to security policies when accessing corporate resources. Which Microsoft Entra ID feature should you use?

34

You are designing a security solution for a critical Azure SQL Database that must be protected against data exfiltration by a compromised admin account. The solution must ensure that even a database administrator cannot copy data to an external storage account. Which Azure service should you configure?

35

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). The security team wants to ensure that Sentinel can ingest logs from on-premises servers that are not connected to the internet. The solution must use Azure Arc for management. Which data connector should you use?

36

Which TWO Azure services can you use to implement a zero-trust network architecture that verifies identity and device compliance before granting access to on-premises applications? (Choose two.)

37

Which THREE components are required to implement a Microsoft Sentinel solution that collects security logs from a multi-cloud environment including AWS and Azure? (Choose three.)

38

Which TWO of the following are valid methods to enforce multifactor authentication (MFA) for users accessing Microsoft 365 services? (Choose two.)

39

You are designing a secure hybrid network architecture for a company that uses Azure and an on-premises datacenter. The company requires that all traffic between Azure and on-premises traverses Microsoft's backbone network and never the public internet. Additionally, the solution must provide automatic failover if the primary connection fails. Which Azure service should you include in the design?

40

A company is planning to deploy a multi-tier application in Azure. The web tier must be accessible from the internet, while the database tier must be accessible only from the web tier and management jump boxes. The solution should minimize exposure to the internet. Which Azure architecture should you recommend?

41

Your company has a Microsoft Defender for Cloud environment with Azure Arc-enabled on-premises servers. The security team wants to ensure that all servers have the Log Analytics agent installed and that missing updates are automatically remediated for critical vulnerabilities. Which policy initiative should you assign to the management group containing these servers?

42

A multinational corporation is designing a secure access solution for remote employees using company-managed devices. The solution must enforce device compliance before granting access to corporate resources, support single sign-on (SSO) for SaaS applications, and provide conditional access policies based on risk. Which combination of Microsoft security products should you recommend?

43

Your organization is implementing a zero-trust network strategy. You need to ensure that all network traffic between Azure virtual machines is encrypted and authenticated at the IP layer, regardless of the virtual network they are in. Which Azure feature should you configure?

44

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription. What is the primary effect of this policy?

45

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution to detect lateral movement attempts within the corporate network using Windows Event Logs collected from domain controllers and workstations. Which data source and analytic rule type should you use?

46

You need to secure Azure Kubernetes Service (AKS) clusters by ensuring that only approved container images from a private Azure Container Registry (ACR) can be deployed. The solution should enforce this at admission time. Which Azure Policy effect should you use?

47

Your company is migrating to a cloud-native security operations center (SOC) using Microsoft Sentinel. You need to design a solution that automatically investigates and remediates common incidents like brute-force attacks on Azure VMs. The solution should use playbooks triggered by analytics rules. Which Microsoft service should you use to create the playbooks, and what is the recommended authentication method?

48

A company is designing a secure baseline for Azure VMs using Azure Policy and Microsoft Defender for Cloud. Which TWO recommendations should you include to ensure VMs are protected against common threats?

49

You are designing a secure access strategy for Azure SQL Database. The solution must use Microsoft Entra authentication and ensure that only specific client IP addresses can connect. Additionally, all connections must be encrypted in transit. Which THREE components should you configure?

50

Your company uses Microsoft Defender for Endpoint and Microsoft Intune to manage endpoints. You need to ensure that devices are healthy before they can access corporate resources. Which TWO settings should you configure in Microsoft Intune compliance policies to enforce device health?

51

Refer to the exhibit. You are reviewing a PowerShell script that configures network security. What is the effect of the NSG rule created in this script?

52

Refer to the exhibit. You are reviewing an ARM template for an Azure App Service configuration. What is the effect of the ipSecurityRestrictions array?

53

Your organization has deployed Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are covered and that security recommendations are automatically remediated for critical findings. Which two actions should you take? (Choose two.)

54

Your organization plans to use Microsoft Defender for Cloud to protect a hybrid environment with servers in Azure and on-premises. You need to ensure that security policies are consistently applied across all servers. What should you configure?

55

Refer to the exhibit. You are designing a security solution for Azure SQL Database. The exhibit shows an Azure Policy definition. When this policy is assigned, which problem might occur?

56

A company uses Azure Firewall to protect their virtual network. They need to allow outbound HTTPS traffic to a specific external website while blocking all other outbound traffic. What should they configure?

57

You are designing a secure hybrid network for a multinational company. They require encrypted communication between on-premises data centers and Azure, with high availability and no single point of failure. Which solution should you recommend?

58

Refer to the exhibit. You run the PowerShell script to check compliance of the 'RequireSQLEncryption' policy assignment. The script returns no output. What is the most likely reason?

59

Your company uses Microsoft Entra ID for identity management. You need to implement a solution to automatically detect and remediate risky sign-ins using machine learning. What should you configure?

60

You are designing a security solution for Azure Kubernetes Service (AKS). You need to ensure that only authorized container images from a private container registry can run in the cluster. What should you configure?

61

Refer to the exhibit. You run the PowerShell script to apply an NSG to a subnet. However, connectivity tests show that the NSG rule is not being applied. What is the most likely reason?

62

You need to secure Azure Blob Storage by encrypting data at rest using customer-managed keys stored in Azure Key Vault. What should you configure?

63

Which TWO actions should you take to protect Azure Virtual Machines from ransomware? (Choose two.)

64

Which THREE components are required to implement a secure Azure DevOps CI/CD pipeline that scans for secrets in code? (Choose three.)

65

Which TWO Microsoft Purview solutions should you use to protect sensitive data in Microsoft 365? (Choose two.)

66

You are designing security for a multi-region Azure application. You need to ensure that traffic between virtual networks in different regions is encrypted and uses Microsoft backbone. What should you implement?

67

Refer to the exhibit. You are deploying an ARM template for a Windows VM. The adminPassword parameter references a secret in Key Vault. However, the deployment fails with an access denied error. What is the most likely cause?

68

Your company is deploying Microsoft Sentinel to centralize security logs from Azure, on-premises, and other clouds. You need to ensure logs are ingested cost-effectively while maintaining search performance for the last 30 days. What should you configure?

69

Your organization is deploying a new web application in Azure and needs to secure it against common web attacks like SQL injection and cross-site scripting. You need to configure a solution that provides centralized protection at the network edge. Which Azure service should you use?

70

You are designing a secure hybrid network architecture that connects an on-premises data center to Azure. The requirements include: encrypted traffic, high availability across two Azure regions, and automatic failover. You need to recommend a connectivity solution that meets these requirements. What should you use?

71

Your company uses Azure Virtual Machines (VMs) running Windows Server. You need to ensure that only approved applications can run on the VMs. Which Azure security feature should you use?

72

You are designing a security solution for containers running on Azure Kubernetes Service (AKS). The requirements include: scanning container images for vulnerabilities, enforcing runtime security, and generating alerts for suspicious activities. Which combination of services should you use?

73

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID for identity. You need to implement a solution to secure privileged access to Azure resources, requiring just-in-time access and approval workflows. What should you configure?

74

You are designing a security solution for Azure SQL Database. The requirements include: encrypting data at rest and in transit, and masking sensitive data from non-privileged users. Which two features should you implement? (Choose two.)

75

Your company uses Azure DevOps to manage CI/CD pipelines. You need to ensure that secrets such as API keys are securely stored and automatically injected into pipeline tasks without being exposed in logs. What should you use?

76

You are designing a security solution for Azure API Management. The requirements include: protecting APIs from abuse, throttling requests, and validating JSON payloads. Which combination of features should you use?

77

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate to on-premises resources using their Entra ID credentials. Which feature should you implement?

78

You need to design a solution to protect Azure VMs from malware and provide security recommendations. Which Azure service should you enable?

79

You are designing a secure access solution for an Azure App Service web application that authenticates users via Microsoft Entra ID. The requirements include: only allowing users from a specific Entra ID tenant, and blocking access from certain countries. Which two features should you combine? (Choose two.)

80

Your company uses Azure Backup to protect VMs. You need to ensure that backup data is encrypted at rest and during transit. Which features should you enable? (Choose three.)

81

Refer to the exhibit. You are reviewing an Azure Policy definition. What is the effect of this policy?

82

Refer to the exhibit. You review a PowerShell script that configures an NSG rule. What is the likely security issue with this rule?

83

Refer to the exhibit. A KQL query in Microsoft Sentinel is used to detect potential brute-force attacks. What does this query detect?

84

A company is designing a security solution for their hybrid infrastructure that includes on-premises servers and Azure virtual machines. They need to ensure that all administrative access to servers is just-in-time (JIT) and just-enough-administration (JEA). Which Azure service should they use?

85

A global enterprise uses Azure Firewall and Azure Virtual Network Manager (AVNM) to manage network security. They want to deploy a new spoke virtual network that must be isolated from all other spokes except one specific shared services hub. The hub uses Azure Firewall to inspect traffic. What is the most secure and scalable way to enforce this isolation?

86

A company plans to migrate their on-premises Active Directory to Microsoft Entra ID. They need to ensure that legacy applications using NTLM authentication continue to work during the transition. What should they configure?

87

An organization uses Microsoft Sentinel to monitor their hybrid infrastructure. They need to detect brute-force attacks against their on-premises Windows servers. Which data source should they connect to Sentinel?

88

A multinational corporation is designing a secure infrastructure for their Azure Kubernetes Service (AKS) clusters. They require network policies to restrict pod-to-pod communication based on namespaces and label selectors. They also need to integrate with Azure Policy for compliance. Which network policy engine should they use?

89

A small business uses Microsoft 365 Business Premium and wants to secure their Windows 10 devices with Microsoft Intune. They need to ensure that only devices compliant with the company's security policies can access corporate email. What should they configure?

90

A company uses Azure Front Door to publish a web application globally. They need to protect against DDoS attacks and web application attacks (SQL injection, XSS). Which two services should they enable in combination?

91

A financial services company is designing a secure infrastructure for their Azure SQL Database. They need to encrypt data at rest using customer-managed keys (CMK) stored in a key vault with soft-delete and purge protection enabled. The encryption must be transparent to applications. What should they configure?

92

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to receive alerts when a resource is deployed without encryption enabled. What should they configure?

93

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

94

Which THREE components are required to implement a zero-trust network architecture in Azure using Microsoft security solutions?

95

Which TWO Azure services can be used to protect a virtual network from inbound DDoS attacks at the network layer?

96

Refer to the exhibit. An administrator is reviewing a just-in-time (JIT) access request in Microsoft Entra Privileged Identity Management (PIM) for Azure resources. The request was approved. What does the roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' correspond to?

97

Refer to the exhibit. A security analyst runs the following KQL query in Microsoft Sentinel. What is the purpose of this query?

98

Refer to the exhibit. An administrator is deploying an Azure Firewall using the ARM template snippet. After deployment, traffic from the 10.0.0.0/16 subnet to www.microsoft.com on HTTPS is allowed. What is a potential security issue with this configuration?

99

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that virtual machines running on-premises are assessed for security misconfigurations. What should you deploy?

100

Your company plans to use Microsoft Sentinel to manage security incidents. You need to design a solution that reduces alert fatigue by grouping related alerts into incidents. Which feature should you enable?

101

Your organization has a Microsoft Defender for Cloud Apps policy that detects suspicious OAuth app permissions. You need to ensure that when a high-risk app is detected, the app is automatically disabled and the user is notified. What is the most efficient design?

102

You are designing a secure remote access solution for on-premises web applications using Microsoft Entra ID. The solution must support multifactor authentication (MFA) and conditional access. Which service should you use?

103

Your company uses Microsoft Intune to manage devices. You need to ensure that corporate data is wiped from a device if it reports a jailbroken status. What is the best approach?

104

You are designing a privileged access solution for your Azure infrastructure. You need to ensure that just-in-time (JIT) access is required for all administrative actions on Azure VMs. What should you configure?

105

Your organization uses Microsoft Purview to classify sensitive data in Azure storage. You need to ensure that a file containing PII is automatically protected when uploaded to an Azure Blob Storage account. What should you use?

106

Your company plans to use Microsoft Sentinel to detect threats across multiple Azure subscriptions. You need to design a cost-effective solution that ingests logs from all subscriptions. What should you use?

107

Refer to the exhibit. You are reviewing an Azure Policy definition in JSON. What does this policy do?

108

Refer to the exhibit. You run the PowerShell cmdlet and see that EnabledForDiskEncryption is false. You need to ensure that this key vault can be used for Azure Disk Encryption. What should you do?

109

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

110

Which TWO of the following are features of Microsoft Defender for Cloud that help secure infrastructure? (Choose two.)

111

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS) clusters? (Choose three.)

112

Which TWO of the following are requirements for implementing Azure Disk Encryption on Windows VMs? (Choose two.)

113

Your organization uses Microsoft Defender for Office 365. You need to design a solution to protect users from malicious links in email. What should you configure?

114

Your organization is designing a hybrid identity infrastructure with Microsoft Entra ID. You need to ensure that users can access on-premises applications using passwordless authentication and that the solution minimizes latency for authentication requests. What should you implement?

115

Your company plans to deploy Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP. You need to ensure that security recommendations from all three cloud providers are centrally visible. What should you configure?

116

Refer to the exhibit. You are reviewing an Azure Policy definition that denies deployment of virtual machines without encryption at host enabled. A developer reports they cannot deploy a VM that already has encryption at host enabled. What is the most likely cause?

117

Your organization is deploying Microsoft Intune to manage Windows 11 devices. You need to ensure that devices automatically receive security updates and that users cannot defer updates. Which configuration profile setting should you configure?

118

You are designing a network security architecture for an Azure application that uses Azure Front Door and Azure Application Gateway. The application must be protected from DDoS attacks and common web exploits. Application traffic should be inspected by a web application firewall (WAF) before reaching the backend. What is the recommended deployment order?

119

Refer to the exhibit. You run the PowerShell command to retrieve information about a Managed HSM in Azure. The output shows that the HSM is in 'Provisioned' state and has two security domains. What is the purpose of the security domains?

120

Your company uses Microsoft Sentinel for security operations. You need to detect brute-force attacks against Azure VMs by correlating failed sign-in events from multiple sources. Which data connector should you enable?

121

You are designing a zero-trust network architecture for a hybrid environment using Azure Virtual WAN. You need to secure all traffic between on-premises sites and Azure virtual networks using Microsoft's security services. The solution should include next-generation firewall capabilities and TLS inspection. What should you deploy?

122

Refer to the exhibit. You are reviewing an ARM template that deploys a storage account. The compliance team requires that all storage accounts use TLS 1.2 or higher. Does this template meet the requirement?

123

Your organization is planning to deploy Microsoft Defender for Cloud Apps (formerly Cloud App Security). You need to discover shadow IT usage and control access to cloud apps. Which TWO capabilities should you enable? (Choose TWO.)

124

Your company is designing a secure baseline for Azure Linux virtual machines using Azure Policy. You need to ensure that all Linux VMs have SSH access restricted, disk encryption enabled, and vulnerability assessments installed. Which THREE built-in policies should you assign? (Choose THREE.)

125

You are designing a backup strategy for Azure virtual machines using Azure Backup. The solution must support cross-region restore and provide 10 years of retention for compliance. Which THREE features should you enable? (Choose THREE.)

126

Your company uses Microsoft Purview to govern data across Azure and on-premises. You need to classify sensitive data such as credit card numbers in Azure SQL Database and apply automatic retention labels. What should you configure?

127

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster that runs containerized workloads. The cluster must be integrated with Microsoft Defender for Cloud for threat detection, and you need to ensure that container images are scanned for vulnerabilities before deployment. What should you configure?

128

Your organization is implementing a security baseline for Windows 11 devices using Microsoft Intune. You need to ensure that BitLocker encryption is enabled on all devices and that recovery keys are stored in Microsoft Entra ID. Which policy type should you configure?

129

Your company is designing a hybrid identity solution using Microsoft Entra ID. You need to ensure that users can access on-premises applications using modern authentication methods. The solution must support multi-factor authentication and Conditional Access policies. What should you implement?

130

You are designing a network security solution for a multi-tier application hosted in Azure. The front-end web tier must be accessible from the internet, but the back-end database tier must only accept traffic from the front-end tier. Which Azure service should you use to enforce this restriction?

131

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that security recommendations are automatically remediated for virtual machines. The solution must use Azure Policy and must be deployed at scale. What should you configure?

132

You are designing a security solution for containers in Azure Kubernetes Service (AKS). The solution must scan container images for vulnerabilities before deployment and enforce runtime security. Which combination of Microsoft Defender for Cloud features should you enable?

133

Your company is implementing a zero-trust network architecture in Azure. You need to ensure that all network traffic between virtual machines is encrypted and authenticated, regardless of the virtual network they reside in. What should you implement?

134

You need to design a backup and disaster recovery solution for Azure virtual machines that meets a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour. Which Azure service should you use?

135

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution to detect brute-force attacks against Azure virtual machines. The solution should use Azure Activity Logs and Windows Security Events. What should you configure in Sentinel?

136

You are designing a security solution for an Azure SQL Database that stores sensitive customer data. The solution must encrypt the database at rest and in transit, and also mask sensitive columns from non-privileged users. Which combination of features should you implement?

137

Your company plans to migrate on-premises servers to Azure. You need to ensure that the migrated servers are protected against malware and vulnerabilities. Which Microsoft Defender for Cloud plan should you enable for the Azure VMs?

138

You are designing a secure access solution for on-premises applications using Microsoft Entra ID. The solution must support modern authentication, single sign-on (SSO), and Conditional Access. Which TWO technologies should you implement?

139

Your organization is implementing Microsoft Defender for Identity to protect on-premises Active Directory. Which THREE activities does Defender for Identity monitor?

140

You are designing a security solution for Azure resources using Azure Policy. You need to ensure that all storage accounts enforce HTTPS traffic and that only certain virtual networks can access them. Which THREE policy effects can you use to achieve this?

141

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

142

Refer to the exhibit. You run the PowerShell command against an Azure SQL Database. The command returns a baseline object for rule VA2108. What does this indicate about the database's vulnerability assessment configuration?

143

Refer to the exhibit. You are deploying an ARM template that creates a network security group (NSG) named nsg-backend. What is the effect of this NSG on inbound traffic?

144

Your organization plans to deploy Microsoft Defender for Cloud to protect hybrid workloads. You need to design the agentless scanning deployment for Azure VMs running SQL Server. What should you configure?

145

You are designing a secure access strategy for a manufacturing plant using Azure IoT Hub and Azure Defender for IoT. The plant has unpatched legacy PLCs that cannot be updated. What is the best approach to prevent these devices from being compromised and used as an entry point into the corporate network?

146

Your company uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online mailboxes. Which conditional access policy setting should you configure?

147

You are designing a backup strategy for a Microsoft 365 tenant. You need to ensure that Exchange Online mailbox items deleted by users can be recovered up to 30 days after deletion, without using third-party tools. What should you configure?

148

You are designing a secure solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that pods can only communicate with specific back-end services and that traffic is encrypted. What should you implement?

149

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design the authentication method to support hybrid identities with seamless single sign-on (SSO) for legacy applications that require Kerberos authentication. What should you implement?

150

Your company uses Microsoft Sentinel as a SIEM. You need to ensure that all Azure subscription activity logs are ingested into Sentinel. What is the most efficient way to configure this?

151

You are designing a secure DevOps pipeline for a critical application using GitHub Actions and Microsoft Defender for Cloud. You need to ensure that container images are scanned for vulnerabilities before being deployed to Azure Kubernetes Service (AKS). What should you implement?

152

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that devices must have a minimum OS version and cannot be jailbroken. Which configuration profile type should you assign?

153

Refer to the exhibit. You are reviewing an Azure Policy definition. What will this policy do when assigned to a subscription?

154

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule in your workspace. The output shows the rule 'MFA Disabled' is enabled with severity Medium. The query returns events where MFA is absent. What is the primary issue with this rule?

155

Refer to the exhibit. You are reviewing a Bicep template for deploying an Azure SQL Database server. Which security best practice is violated?

156

Which TWO actions should you take to protect Azure Virtual Machines from ransomware attacks? (Choose two.)

157

Which THREE components are required to implement a secure hybrid network architecture using Azure VPN Gateway? (Choose three.)

158

Which TWO features of Microsoft Defender for Cloud help you identify and remediate misconfigurations in your Azure environment? (Choose two.)

159

Your organization is planning to deploy a new web application on Azure VMs. The security team requires that all incoming traffic to the VMs be inspected by a network virtual appliance (NVA) before reaching the VMs. Which Azure networking solution should you use to route traffic through the NVA?

160

A company uses Azure Arc to manage on-premises servers. The security team wants to enforce that all servers (on-premises and Azure) have Microsoft Defender for Endpoint installed and running. Which solution should you use to ensure compliance across hybrid environments?

161

Your organization has a multi-region Azure deployment with ExpressRoute connections to on-premises. You need to design a solution that ensures all traffic between on-premises and Azure is inspected by a firewall for both inbound and outbound connections. The solution must minimize latency and avoid a single point of failure. What design should you recommend?

162

Refer to the exhibit. The NSG is applied to a subnet containing a web server. The web server is not receiving HTTP traffic. What is the most likely cause?

163

A company is implementing a zero-trust network for their Azure environment. They want to ensure that only authenticated and authorized users can access specific VMs, regardless of network location. Which Azure service should they use?

164

Your organization uses Microsoft Sentinel to monitor security events. You need to design a solution that alerts when a user account is created and then used to log in from a different country within 1 hour. Which KQL query structure should you use?

165

Refer to the exhibit. The NSG is applied to a subnet containing Azure SQL databases. You notice that traffic from the internet to the databases is not being denied. What is the most likely reason?

166

Your company uses Azure DevOps to deploy infrastructure. You need to ensure that all deployed resources have specific tags for cost tracking. Which Azure policy effect should you use to prevent deployment of untagged resources?

167

A global company with branches worldwide wants to secure access to Azure resources using a zero-trust approach. They require that all access requests be authenticated, authorized, and encrypted, and that the user's device must be compliant with corporate policies. Which combination of services should they use?

168

Which TWO of the following are valid methods to secure Azure Kubernetes Service (AKS) workloads?

169

Which THREE of the following are best practices for designing a secure hybrid network architecture with Azure?

170

Which TWO of the following are features of Azure DDoS Protection?

171

Refer to the exhibit. A company applies this Azure Policy to their subscription. An administrator tries to create a VM with a public IP address. What will happen?

172

Your organization uses Azure SQL Database with Azure AD authentication. You need to ensure that database administrators (DBAs) can only perform management tasks from a specific Azure region and only during business hours. Which solution should you use?

173

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that user passwords are synchronized securely and that password changes on-premises are reflected in the cloud quickly. Which tool should you configure?

174

Your organization is deploying Microsoft Defender for Cloud to secure a hybrid environment with workloads in Azure and on-premises. You need to ensure that all servers are covered by Defender for Cloud's plans. Which two actions should you take?

175

You are designing a network security solution for a multi-tier application in Azure that must meet PCI DSS compliance. You need to restrict traffic between tiers to only necessary ports and protocols. You also need to log all denied traffic for auditing. What is the most efficient design?

176

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

177

Your company uses Microsoft Defender for Cloud to manage security across multiple subscriptions. You need to ensure that all subscriptions have at least one Defender plan enabled, and you want to enforce this centrally using Azure Policy. What is the best approach?

178

Your organization is planning to use Azure Bastion for secure RDP/SSH access to Azure VMs. You need to ensure that Bastion can reach the VMs in a spoke virtual network that is connected to a hub via VNet peering. The hub has an Azure Firewall. What is the minimal configuration required?

179

You are designing a secure access solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that only authorized users can access the Kubernetes API server. Which authentication method should you use?

180

Your organization uses Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. You need to integrate MDI with Microsoft Sentinel to centralize detection and response. What is the required configuration?

181

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are designing a solution to protect against password spray attacks. You need to implement a solution that can detect and block malicious authentication attempts in real-time. What should you use?

182

You are designing a secure CI/CD pipeline for Azure using GitHub Actions. You need to ensure that secrets (e.g., Azure service principal credentials) are stored securely and accessed only by authorized actions. What should you use?

183

Your organization is designing a Microsoft Sentinel workspace for a multi-region deployment. You need to optimize cost while ensuring that security data is available for investigation in the primary region. Which TWO actions should you take?

184

You are designing a secure data exfiltration protection solution for Azure Storage accounts. You need to prevent data from being copied to unauthorized external locations. Which THREE controls should you implement?

185

Your company is planning to use Microsoft Intune for mobile device management (MDM). You need to ensure that devices are compliant before accessing corporate resources. Which TWO components should you configure?

186

You are a security architect for a large financial services company. The company has a hybrid identity infrastructure with on-premises Active Directory and Microsoft Entra ID (Azure AD). They have recently suffered a password spray attack that compromised several accounts. Management wants to implement a Zero Trust security model and has mandated the following requirements: 1. All user authentication must be protected by phishing-resistant MFA. 2. Legacy authentication protocols must be blocked. 3. All sign-in risks must be detected and automatically remediated. The current environment includes: - Microsoft 365 E5 licenses for all users. - Microsoft Entra ID P2 licenses. - On-premises Active Directory with password hash sync. - Azure AD Application Proxy for publishing on-premises apps. - A third-party VPN solution for remote access. You need to design a solution that meets the requirements. What should you do?

187

You are a security architect for a software development company. The company uses GitHub for source control and Azure DevOps for CI/CD. They have a large number of repositories and want to ensure that secrets (e.g., API keys, connection strings) are never committed to code. They also want to scan pull requests for secrets before merging. The company has Microsoft Defender for Cloud and Microsoft Purview available. You need to design a solution that prevents secret leaks. What should you use?

188

You are a security architect for a retail company that uses Microsoft 365 and Azure. The company has a large number of remote employees who use both company-managed and personal devices. You need to design a solution to ensure that only compliant devices can access corporate email (Exchange Online) and files (SharePoint Online). The company has Microsoft Intune and Microsoft Entra ID P1 licenses. You need to implement device-based conditional access. What should you do?

189

Your organization plans to use Microsoft Defender for Cloud to protect hybrid workloads across Azure and on-premises servers. You need to ensure that security policies are consistently applied and that compliance status is monitored centrally. What should you configure?

190

A company uses Microsoft Sentinel for SIEM and SOAR. You need to design a solution to detect and automatically respond to ransomware attacks involving mass file encryption on Windows servers. The response must include isolating the compromised server from the network, creating a backup of affected files, and resetting the user account's password. Which automation approach minimizes manual intervention?

191

Your company is deploying Azure Kubernetes Service (AKS) and needs to secure container workloads. You must ensure that only approved container images from a trusted Azure Container Registry (ACR) can be deployed. What should you implement?

192

You are designing a secure access solution for a manufacturing company's IoT devices that send telemetry to Azure IoT Hub. The devices run on a private network with no internet access except through a firewall. You need to ensure that device-to-cloud communication is authenticated and encrypted, and that device credentials are rotated regularly. What should you include in the design?

193

A multinational corporation uses Microsoft Entra ID for identity and Microsoft Defender for Cloud Apps for SaaS app governance. The security team wants to deploy a conditional access policy that blocks access from untrusted locations for all cloud apps except Microsoft 365, which should only be blocked if the device is not compliant. How should you configure the policy?

194

You are designing a secure remote access solution for employees using Windows 10/11 devices that are managed by Microsoft Intune. The solution must enforce device compliance before allowing access to corporate resources and must support single sign-on (SSO). Which technology should you use?

195

Your organization uses Azure SQL Database and needs to protect sensitive data from being exported by unauthorized users. You must implement a solution that prevents users from copying data to clipboard or taking screenshots of query results, while allowing legitimate business operations. What should you implement?

196

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They have line-of-business applications that use Windows Integrated Authentication. You need to design a solution that allows users to access these applications from domain-joined devices without prompting for credentials, while also supporting hybrid identity. What should you implement?

197

You are designing a backup strategy for Azure virtual machines that host a mission-critical application. The solution must support daily backups with a retention of 30 days for daily backups, weekly backups retained for 12 weeks, and monthly backups retained for 3 years. What should you use?

198

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement using pass-the-hash attacks. Which TWO data sources should you enable for ingestion into Microsoft Sentinel to detect such attacks?

199

You are designing a secure CI/CD pipeline for deploying infrastructure as code (ARM templates) to Azure. The solution must detect drift from the desired state and prevent deployment of non-compliant resources. Which THREE Azure services should you incorporate?

200

A company wants to secure its Azure Kubernetes Service (AKS) cluster. They need to ensure that pods cannot communicate with each other unless explicitly allowed, and that secrets are encrypted at rest. Which TWO security controls should they implement?

201

Your organization is a large financial services company with a hybrid infrastructure consisting of on-premises servers and Azure IaaS. You are tasked with designing a security solution for infrastructure that meets the following requirements: - All administrative access to Azure resources must be just-in-time (JIT) and just-enough-access (JEA). - All on-premises servers must be managed centrally with consistent security policies. - All network traffic between on-premises and Azure must be encrypted and inspected for threats. - All privileged access must be monitored and audited. You have the following services available: Microsoft Entra ID, Microsoft Defender for Cloud, Azure Firewall, Azure Bastion, Microsoft Sentinel, Azure Arc, Azure Policy, Microsoft Defender for Identity, and Microsoft Entra Privileged Identity Management (PIM). Which combination of services should you use to meet all requirements?

202

You are a security architect for a healthcare organization that is adopting Microsoft 365 and Azure. The organization must comply with HIPAA and has the following requirements: - All users must use multi-factor authentication (MFA) when accessing Microsoft 365 from outside the corporate network. - Mobile devices must be managed and must be compliant before accessing email. - Access to Azure virtual machines must be limited to specific admin users and must be audited. - All sensitive data stored in Azure SQL Database must be encrypted at rest and in transit. You have the following technologies: Microsoft Entra ID, Microsoft Intune, Azure SQL Database, Azure Policy, Azure Key Vault, Microsoft Defender for Cloud, and Azure Bastion. Which combination of services and configurations should you implement?

203

You are designing a security solution for a small business that uses Azure App Services to host a web application. The business has the following requirements: - The web application must be protected against common web vulnerabilities like SQL injection and cross-site scripting (XSS). - All traffic to the application must be encrypted. - The solution should be cost-effective and require minimal management overhead. - The application must be able to scale automatically based on demand. Which Azure service should you use to meet these requirements?

204

Your organization is planning to deploy Microsoft Defender for Cloud to protect a hybrid environment that includes on-premises servers and Azure virtual machines. You need to ensure that the security recommendations and threat detections are consistently applied across all resources. What should you configure?

205

Your company uses Azure Firewall to secure outbound traffic from a hub virtual network that contains multiple spoke virtual networks. You need to implement a solution that allows traffic from specific spoke VMs to reach a specific external SaaS endpoint, while blocking all other outbound traffic. The SaaS endpoint uses a dynamic set of IP addresses that change frequently. What should you do?

206

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to ensure that only authorized containers can run in the cluster and that any unauthorized containers are automatically blocked. What should you configure?

207

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription containing several virtual machines. After the assignment, users report that they cannot create new VMs. What is the most likely reason?

208

Your company plans to use Microsoft Defender for Cloud to protect its Azure resources. You need to enable just-in-time (JIT) VM access to reduce the attack surface. Which TWO configurations are required to implement JIT access?

209

Your organization is implementing a defense-in-depth strategy for a multi-tier application hosted on Azure. You need to secure the network layers. Which THREE measures should you implement?

210

You are designing a secure infrastructure for an Azure Kubernetes Service (AKS) cluster that will host sensitive workloads. Which TWO configurations should you implement to secure the cluster?

211

Your company is planning to use Azure Policy to enforce security compliance across multiple subscriptions. You need to define a set of policies that will be applied to all subscriptions. Which THREE components should you include in your policy assignment?

212

You are the security architect for a company that has a hybrid identity infrastructure with Microsoft Entra ID (formerly Azure AD) and an on-premises Active Directory Domain Services (AD DS) forest. The company is planning to migrate several line-of-business (LOB) applications to Azure Virtual Machines. The applications currently use Windows Integrated Authentication (WIA) and rely on Kerberos delegation. You need to design a solution that allows the Azure VMs to authenticate on-premises users and access on-premises resources using Kerberos constrained delegation (KCD) without exposing on-premises-domain controllers to the internet. The solution must minimize latency and administrative overhead. You have configured Azure ExpressRoute for connectivity between the on-premises network and Azure. What should you do?

213

Your organization is using Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. You need to ensure that all virtual machines in the subscriptions are monitored by Defender for Cloud and that security alerts are sent to the security operations team. You also need to enforce that any new VMs are automatically onboarded to Defender for Cloud. You have a Log Analytics workspace in the central subscription. What should you do?

214

Your company is deploying a critical application on Azure App Service. You need to secure the application by restricting access to only users within your organization. The application should be accessible from both corporate-managed devices and personal devices that are enrolled in Microsoft Intune. You want to use Microsoft Entra ID for authentication and require that users authenticate using multi-factor authentication (MFA). What should you configure?

215

Your organization uses Azure SQL Database for a sensitive financial application. You need to implement a defense-in-depth strategy to protect the database. The requirements are: (1) All connections to the database must be encrypted in transit. (2) Only specific Azure services and on-premises IP ranges should be allowed to connect. (3) Database administrators should be able to view the database schema but not the actual data. (4) Auditing must be enabled for all data access. What combination of features should you implement?

216

Your company has an Azure subscription that contains multiple virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with your organization's security baseline. The security baseline includes specific registry key settings, password policies, and service configurations. You want to continuously monitor and automatically remediate non-compliant VMs. What should you implement?

217

Your organization is using Microsoft Sentinel to collect security logs from multiple sources, including Azure Activity Logs, Office 365 Audit Logs, and on-premises Windows Event Logs. You need to ensure that security incidents are automatically created when a user from a specific IP address attempts to access a sensitive application. You have already configured the data connectors. What should you create?

218

Your company has a Microsoft 365 E5 subscription and uses Microsoft Defender for Office 365. You need to protect users from phishing attacks that use malicious links in email messages. The solution should allow users to report suspicious emails to the security team for analysis. You also want to automatically block repeated phishing attempts from the same sender. What should you configure?

219

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement attempts using pass-the-hash attacks. Which TWO data sources should you enable in Microsoft Sentinel to best detect this activity?

220

Your company is deploying Microsoft Sentinel in a government agency that requires strict data residency. You need to ensure that all Sentinel data is stored within the United States. Which THREE actions must you take to meet this requirement?

221

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to design a solution for hybrid identity that supports seamless SSO for legacy applications that require Kerberos authentication. Which THREE components should you include in your design?

222

Your company uses Microsoft Intune to manage Windows 10 devices. You need to design a security baseline that ensures devices meet the organization's security requirements, including BitLocker encryption, Windows Defender Firewall rules, and Microsoft Defender for Endpoint settings. Which TWO Intune features should you use to apply these configurations?

223

Your organization is adopting a Zero Trust security model. You need to design a solution for secure remote access to on-premises applications that eliminates VPNs. Which TWO Microsoft technologies should you use?

224

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to design a security solution that includes network segmentation, threat detection, and secret management. Which THREE Azure services should you include?

225

You are a security architect at a global manufacturing company. The company uses a hybrid infrastructure with on-premises Active Directory and Azure. They have recently deployed Microsoft Sentinel as their SIEM. The security team wants to detect and investigate ransomware attacks that spread via SMB. The CISO has requested a solution that can automatically block malicious IPs at the network level and provide forensic evidence. You need to design a solution that meets these requirements with minimal manual intervention. What should you include in your design?

226

You are designing a security solution for a financial services company that uses Microsoft 365 E5 and Azure. They have 10,000 users and 500 servers. They need to implement a Zero Trust network strategy that includes microsegmentation, identity-based access, and continuous monitoring. The solution must work across on-premises and cloud workloads. They also require that all access to critical servers is logged and audited. What should you include in your design?

227

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. The security policy requires that corporate data be automatically removed from the device when it is reported lost, while personal data remains intact. The devices are enrolled in Intune with user affinity. What should you configure?

228

Your company is designing a secure DevOps pipeline using Azure DevOps. You need to ensure that secrets (e.g., API keys) are stored securely and scanned for leaks in code repositories. The solution must integrate with Azure Policy to prevent deployment if secrets are exposed. You also need to enforce that only approved branches can deploy to production. What should you implement?

229

Your organization is deploying Azure SQL Managed Instance (SQL MI) with sensitive financial data. You need to design a security solution that includes data encryption at rest and in transit, threat detection, and fine-grained access control. The solution must also ensure that database administrators (DBAs) cannot access the data. What should you include?

230

Your company uses Microsoft 365 Defender (XDR) for endpoint detection and response. You need to design a solution to automatically remediate malware infections on Windows 10 devices. The solution should isolate the device from the network, run a full antivirus scan, and reset the device if the infection cannot be cleaned. What should you configure?

231

Your organization is implementing a privileged access workstation (PAW) strategy for administrators managing Azure resources. The PAWs are Windows 11 devices enrolled in Intune. You need to ensure that only approved applications can run on PAWs, and that device users cannot disable security features. The solution must also enforce that PAWs are used exclusively for administrative tasks. What should you configure?

Practice all 231 Design security solutions for infrastructure questions

Other SC-100 exam domains

Design solutions that align with security best practices and prioritiesDesign security operations, identity, and compliance capabilitiesDesign a Zero Trust strategy and architectureDesign security solutions for applications and dataEvaluate GRC and security operations strategiesDesign security for infrastructureDesign a strategy for data and applicationsRecommend security best practices and priorities

Frequently asked questions

What does the Design security solutions for infrastructure domain cover on the SC-100 exam?

The Design security solutions for infrastructure domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.

How many Design security solutions for infrastructure questions are in the SC-100 question bank?

The Courseiva SC-100 question bank contains 231 questions in the Design security solutions for infrastructure domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design security solutions for infrastructure for SC-100?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design security solutions for infrastructure questions for SC-100?

Yes — the session launcher on this page draws questions exclusively from the Design security solutions for infrastructure domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SC-100 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide