Microsoft · Free Practice Questions · Last reviewed May 2026
54 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?
Microsoft Entra ID Conditional Access
Entra ID Conditional Access enforces access policies based on user, device, location, and risk signals, supporting zero-trust.
Microsoft Intune
Microsoft Sentinel
Microsoft Defender for Cloud
A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?
Require multi-factor authentication
Require device to be marked as compliant
This grant control ensures only compliant devices (managed) get access; for unmanaged devices, you can combine with a session control to allow browser-only access.
Require approved client app
Require hybrid Azure AD joined device
Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?
Azure Security Center dashboard
Inventory
Secure Score
Secure Score shows recommendations grouped by severity and impact, helping prioritize critical issues.
Security alerts
Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?
The policy condition requires a managed disk, but the VMs might have unmanaged disks.
If the VM does not have a managed disk, the 'if' condition is false, and the policy does not evaluate the audit effect.
The 'existenceCondition' field path is incorrect; it should be 'Microsoft.Compute/virtualMachines/extensions/publisher'.
The policy is assigned to a management group, but the VMs are in a subscription under a different management group.
The policy effect should be 'Deny' instead of 'auditIfNotExists'.
Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?
Anomaly rule
Fusion rule
Scheduled query rule
Scheduled query rules run periodically and can trigger incidents based on query results.
NRT query rule
You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?
Diagnostic settings on the Azure Activity Log
Activity Log records control plane events; diagnostic settings can stream these to Log Analytics.
Azure Policy
NSG flow logs
Azure Monitor alerts
Domain for the questions above: Design solutions that align with security best practices and priorities.
Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?
Configure an automation rule to run a playbook automatically
Automation rules can automatically run playbooks based on incident properties such as severity.
Create a playbook and run it manually for each incident
Set up an analytics rule with automatic response
Use a workbook to trigger a playbook
A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?
Create a sensitivity label and apply it to emails
Enable communication compliance policies
Create a DLP policy that detects and blocks credit card numbers in Exchange Online
DLP policies in Microsoft Purview can detect sensitive info types like credit card numbers and block sharing via email.
Configure a retention policy for email
Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?
Configure AWS Config and GCP Security Command Center to export findings to Microsoft Sentinel
Connect AWS and GCP accounts to Defender for Cloud and use Azure Policy to enforce the Microsoft Cloud Security Benchmark
Connecting multi-cloud accounts allows Defender for Cloud to assess them against Azure Policy initiatives like the Microsoft Cloud Security Benchmark.
Use regulatory compliance standards for each cloud separately
Enable the Cloud Security Posture Management (CSPM) plan and configure AWS and GCP connectors
Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?
Create a Conditional Access policy that requires compliant device
Conditional Access can require device compliance as a condition for accessing corporate resources.
Set up enrollment restrictions in Intune
Create a device configuration policy that blocks non-compliant devices
Configure an app protection policy for email apps
Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?
FIDO2 security keys
Microsoft Authenticator app with passwordless sign-in
Microsoft Authenticator supports passwordless sign-in using phone, making it suitable for users with smartphones.
SMS-based authentication
Windows Hello for Business
Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?
Archive all logs to Azure Storage after 90 days
Ingest security-critical logs to the Analytics logs tier with 365-day retention, and other logs to the Auxiliary logs tier with shorter retention
Auxiliary logs tier is for verbose logs at lower cost, while Analytics logs provide full capabilities and longer retention for critical data.
Use the Basic logs tier for all logs and set retention to 365 days
Set the default retention to 30 days and export logs to Log Analytics Workspace
Domain for the questions above: Design security operations, identity, and compliance capabilities.
Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?
Syslog via AMA
Office 365 Logs
Windows Security Events via AMA
Captures security events like logons, which are critical for lateral movement detection.
Azure Activity Log
A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?
Enable all Defender plans for the subscription
Connect AWS and GCP accounts using the cloud connectors in Defender for Cloud
Defender for Cloud provides native connectors to onboard AWS and GCP accounts.
Create custom compliance policies
Deploy Azure Arc agents on all cloud VMs
You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?
GitHub secret scanning
Secret scanning detects tokens, keys, and other secrets in repositories.
CodeQL code scanning
Dependabot alerts
Defender for Cloud DevOps security posture management
Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)
Ensure that 'Auditing' is set to 'On' for SQL Database
This policy enables auditing for Azure SQL Database.
Ensure that 'TDE' is enabled for SQL Server VMs
Audit SQL Server level audit setting
Ensure that 'Firewall and virtual network settings' for SQL Database are configured
This policy enforces network security rules.
Ensure secure transfer to storage accounts is enabled
Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)
Advanced threat protection for Azure Cosmos DB
Azure Defender for Kubernetes (cluster hardening)
Provides threat detection and hardening recommendations for AKS.
Vulnerability assessment for container images
Defender for Cloud scans container images for vulnerabilities.
DDoS Protection Standard
Runtime threat detection for AKS clusters
Detects suspicious activities at runtime in AKS.
Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)
Assign Azure Policy to enforce resource compliance
Enable Azure Defender plans for all supported resource types
Enabling plans provides advanced threat protection.
Implement the top security recommendations from the Secure Score
Improving Secure Score directly enhances security posture.
Create custom security policies
Deploy vulnerability assessment solution to all VMs
Domain for the questions above: Design security solutions for infrastructure.
A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?
Azure Front Door
Azure Bastion
Azure Firewall
Azure Firewall can inspect and log all traffic between on-premises and Azure.
Azure DDoS Protection
An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?
Ensure Intune compliance policies are assigned to the correct user groups
Confirm that devices are Azure AD Joined
Check if users have enabled multi-factor authentication
Verify that devices are registered in Azure AD
Device registration in Azure AD is required for conditional access to evaluate device compliance.
A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?
Microsoft Intune
Microsoft Defender for Cloud Apps
Microsoft Purview Information Protection
Purview Information Protection provides data classification and labeling.
Azure Policy
A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?
Enable VNet peering between all VNets and use network security groups
Use a mesh topology with direct connectivity between VNets
Use a hub-and-spoke topology with a firewall appliance in the hub
Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.
Configure service endpoints for each VNet
A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)
Enable Azure Update Management for all VMs
Use Azure Policy to enforce security configurations
Azure Policy can enforce compliance and security baselines.
Deploy Microsoft Entra Permissions Management
Review and implement recommendations from Microsoft Defender for Cloud Secure Score
Secure Score provides recommendations to improve security posture.
Use Microsoft Security Copilot to generate security policies
A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)
Microsoft Intune for device management and compliance policies
Intune manages device compliance and enforces policies.
Azure AD device registration
Device registration in Azure AD is needed for device identity.
Azure AD Conditional Access policies
Conditional Access can require compliant devices for access.
Azure AD Application Proxy
Azure AD B2B collaboration
Domain for the questions above: Design a Zero Trust strategy and architecture.
Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?
Store the secret in the Azure AD app registration manifest.
Store the secret in an App Service application setting.
Store the secret in Azure Key Vault and use a Key Vault reference in App Service.
Key Vault provides centralized secret management with access policies and auditing.
Store the secret in the application code as a constant.
Your company uses Microsoft Defender for Cloud to protect Azure resources. A critical application uses an Azure SQL Database. You need to ensure that all queries to the database are encrypted in transit and that the encryption protocol is the most secure version available. Which configuration should you enforce?
Set the minimal TLS version to 1.2 in the server's firewall rules.
This enforces that only clients using TLS 1.2 or higher can connect.
Configure the database to reject unencrypted connections.
Set the connection policy to Proxy and force TCP.
Enable 'Force SSL' on the database.
Your organization stores sensitive customer data in Azure Blob Storage. You need to implement data classification and labeling using Microsoft Purview. Which resource should you use to automatically scan and classify the data?
Azure Policy
Microsoft Purview Data Map
Data Map scans assets and applies classification rules automatically.
Microsoft Purview Information Protection
Microsoft Purview Data Loss Prevention
A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?
Microsoft 365 E3
Microsoft Entra ID P2
Microsoft Entra ID Free
Microsoft Entra ID P1
P1 includes SSPR with password writeback.
Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You notice that a particular database is flagged with a high-severity recommendation to enable 'Advanced Data Security'. What does enabling Advanced Data Security provide?
It restricts access to the database to specific IP addresses.
It encrypts the database at rest using TDE.
It provides vulnerability assessments and threat detection.
ADS includes these security capabilities.
It enables automatic backup encryption.
Your company is designing a solution to store sensitive documents in Azure Files. The files must be encrypted at rest and in transit. Which two configurations are required? (Each correct answer presents part of the solution.)
Enable Azure Disk Encryption on the VMs that mount the share.
Configure the storage account to use HTTPS only.
Enable Azure Storage Service Encryption (SSE) for the storage account.
SSE encrypts data at rest automatically.
Configure the Azure file share to require SMB 3.0 with encryption.
SMB 3.0 with encryption provides encryption in transit.
Use Azure File Sync to sync files to on-premises servers.
Domain for the questions above: Design security solutions for applications and data.
A multinational company is implementing a Zero Trust security model. The security team needs to ensure that all access requests to critical applications are evaluated based on user identity, device health, and real-time risk signals. Which Microsoft solution should they use to centralize policy enforcement?
Microsoft Defender for Cloud Apps
Microsoft Entra Conditional Access
Centralizes policy evaluation based on user, device, and risk signals.
Azure AD Identity Protection
Microsoft Purview Compliance Manager
A company is designing a security operations strategy. They want to use Microsoft Sentinel to detect and respond to threats across their hybrid environment. They need to ensure that logs from all sources are collected cost-effectively and that analysts can easily query data. Which data ingestion strategy should they recommend?
Send all logs to the Basic logs table to reduce costs.
Send only Windows Security Events to Sentinel.
Send all logs to the Analytics logs table for full query capabilities.
Use Analytics logs for high-value security logs and Basic logs for verbose logs with low security value.
Balances cost and functionality; Basic logs for low-value data, Analytics for actionable data.
A company's security team wants to automate response to common incidents like malware detected on endpoints. They have Microsoft 365 Defender and Microsoft Sentinel. Which feature should they use to create automated playbooks?
Microsoft Purview's data loss prevention policies
Microsoft Sentinel automation rules and playbooks
Integrates with Logic Apps for automated response to incidents.
Azure Policy
Microsoft Defender for Cloud's workflow automation
A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that critical recommendations are automatically remediated. They create a workflow automation that triggers a Logic App for specific recommendations. However, the Logic App fails to run. What is the most likely cause?
The managed identity of the Logic App lacks permissions on the target resources.
Logic App needs permissions to perform remediation actions.
The subscription is not onboarded to Defender for Cloud.
Defender for Cloud is disabled for the resource group.
The recommendation is disabled in the security policy.
A company is evaluating their incident response (IR) process. They use Microsoft Sentinel as their SIEM. During a security incident, the IR team struggles to quickly find related alerts and entities. Which improvement should they implement to enhance investigation efficiency?
Create more analytics rules to cover additional scenarios.
Configure automation rules to automatically classify incidents.
Increase data retention for all log tables.
Leverage the investigation graph to explore entity relationships.
Provides visual mapping of connections between alerts, entities, and incidents.
A company wants to implement a governance strategy for their Azure environment. They need to enforce tagging standards and restrict deployment to approved regions. Which combination of Azure services should they use?
Azure Management Groups and subscriptions
Azure RBAC and Azure AD
Azure Resource Graph and Azure Monitor
Azure Policy and Azure Blueprints
Policy enforces rules; Blueprints package policies, RBAC, and resources.
Domain for the questions above: Evaluate GRC and security operations strategies.
A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?
Use VPN Gateway over ExpressRoute
Use ExpressRoute Direct with BGP
Use ExpressRoute with MACsec
MACsec enables encryption and authentication on ExpressRoute circuits.
Use Azure Firewall to inspect ExpressRoute traffic
An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?
Deploy Azure Arc on each EC2 instance
Use AWS Systems Manager to push Defender workload
Set up the AWS connector in Defender for Cloud
The connector automatically discovers and monitors EC2 instances.
Configure AWS Config rules to report to Defender
A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?
Azure Bastion
Azure AD Application Proxy
AVD Gateway service
The gateway uses reverse connect for outbound connections.
Session host configuration
A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?
Deploy Azure Firewall and use application rules
Azure Firewall can filter based on FQDNs and IPs, providing secure inter-tier communication.
Use Network Security Groups (NSGs) on each subnet
Use VNet peering with route tables
Use Azure Web Application Firewall (WAF)
A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?
Assign the cluster-admin ClusterRole to the developers
Create a custom ClusterRole with rules for pods and services, then bind it to the developer group with a ClusterRoleBinding
This grants cluster-wide but limited access to only specified resources.
Create a RoleBinding in each namespace for developers
Use Azure RBAC to grant Contributor role on the AKS cluster
A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?
Enable password hash synchronization
Configure the synchronization interval for directory changes
Azure AD Connect syncs changes every 30 minutes by default.
Install Azure AD Application Proxy
Enable password writeback
Domain for the questions above: Design security for infrastructure.
A company is designing a data protection strategy for Azure SQL Database. They need to ensure that backups are retained for 7 years to meet regulatory compliance. Which Azure feature should they use?
Geo-redundant backup storage
Long-Term Retention (LTR)
LTR retains backups for up to 10 years.
Point-in-Time Restore
Active Geo-Replication
A company deploys Azure App Service with a custom domain and SSL certificate. They want to enforce HTTPS only. Which configuration setting should they enable?
HTTPS Only
Enforces HTTPS redirect.
Client Certificates
Minimum TLS Version
Custom Domain
A company uses Azure Policy to audit storage accounts for secure transfer (HTTPS) enforcement. The policy is set to 'AuditIfNotExists' but compliance shows 0% non-compliant storage accounts even though some accounts have secure transfer disabled. What is the most likely cause?
The policy is in 'audit' mode and does not evaluate
The policy should use 'Audit' or 'Deny' effect instead of 'AuditIfNotExists'
AuditIfNotExists checks for the existence of a related resource, not the value of a property.
The storage accounts are in a different region
The policy assignment scope does not include the non-compliant accounts
A company is designing a microservices architecture on Azure Kubernetes Service (AKS). They need to secure communication between services using mutual TLS (mTLS). Which solution should they implement?
Azure Application Gateway
Azure Firewall
Azure API Management
Istio service mesh
Provides mTLS for microservices.
A company stores sensitive data in Azure Blob Storage. They want to prevent data exfiltration by blocking public access and restricting network access to only their on-premises data center via VPN. Which two features should they use?
Enable firewall and add on-premises IP range
Disable public access and use RBAC
Disable public access and configure a service endpoint with a firewall rule for the VPN subnet
The service endpoint restricts access to the VPN subnet; the firewall rule blocks other traffic.
Disable public access and configure a private endpoint
A private endpoint uses a private IP address, but the VPN is still needed for connectivity from on-premises.
A company uses Azure Key Vault to store secrets for their applications. They want to ensure that secrets can be automatically rotated when they are close to expiration. Which solution should they implement?
Use Azure DevOps release pipeline to rotate secrets
Use Azure Automation with a schedule to check expiration and rotate
Use Key Vault event grid subscription to trigger an Azure Function for rotation
Event-driven rotation on secret expiration.
Use Azure Logic Apps with a recurrence trigger to rotate secrets
Domain for the questions above: Design a strategy for data and applications.
A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?
Enable Azure DDoS Protection on the virtual network
Implement network segmentation using NSGs and application security groups
Network segmentation restricts east-west traffic, limiting lateral movement.
Enable multi-factor authentication (MFA) for all admin accounts
Deploy Azure Bastion for secure remote access
A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?
The developer does not have 'Microsoft.Authorization/policyAssignments/write' permission
The policy effect is set to 'audit' instead of 'deny'
The policy's 'then' block uses 'deny' but the condition logic evaluates the 'encryption' property incorrectly
If the condition does not match the actual property path, the deny may fire incorrectly.
The policy is scoped to a management group that includes the developer's subscription
A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?
Rely on perimeter firewalls to block threats
Verify explicitly every access request
Zero-trust requires explicit verification for each access attempt.
Trust all traffic within the corporate network
Allow all traffic and monitor for anomalies
A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?
Common Vulnerability Scoring System (CVSS) score
Azure Secure Score impact
Secure Score reflects the risk and remediation priority.
Compliance status from Azure Policy
Number of security alerts triggered
A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?
Configure Azure Firewall to block non-compliant resources
Assign Azure Policy definitions with 'deny' effect at the subscription scope
Azure Policy can deny non-compliant resource creation.
Deploy resources using Azure Blueprints
Use Azure DevOps pipelines with manual approval gates
A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?
Azure Information Protection
Transparent Data Encryption (TDE)
TDE encrypts SQL Server data files.
Azure Key Vault
Azure Firewall
Domain for the questions above: Recommend security best practices and priorities.
The SC-100 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 9 domains: Design solutions that align with security best practices and priorities, Design security operations, identity, and compliance capabilities, Design security solutions for infrastructure, Design a Zero Trust strategy and architecture, Design security solutions for applications and data, Evaluate GRC and security operations strategies, Design security for infrastructure, Design a strategy for data and applications, Recommend security best practices and priorities. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Microsoft SC-100 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.