Courseiva
Knowledge + Practice
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Microsoft · Free Practice Questions · Last reviewed May 2026

SC-100 Exam Questions and Answers

54 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

50 exam questions
120 min time limit
Pass: 700/1000
9 exam domains
Domain blueprint:
1. Design solutions that align with security best practices and priorities
2. Design security operations, identity, and compliance capabilities
3. Design security solutions for infrastructure
4. Design a Zero Trust strategy and architecture
5. Design security solutions for applications and data
6. Evaluate GRC and security operations strategies
7. Design security for infrastructure
8. Design a strategy for data and applications
9. Recommend security best practices and priorities
Domain 1: Design solutions that align with security best practices and priorities

Q1 (medium)

Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?

A

Microsoft Entra ID Conditional Access

Entra ID Conditional Access enforces access policies based on user, device, location, and risk signals, supporting zero-trust.

B

Microsoft Intune

C

Microsoft Sentinel

D

Microsoft Defender for Cloud

Why: Microsoft Entra ID Conditional Access enables you to enforce access controls based on conditions such as user risk, sign-in risk, device compliance, and location. This aligns with zero-trust principles of verifying explicitly and using least privilege. Microsoft Defender for Cloud is for cloud security posture management, not conditional access. Microsoft Intune manages devices, and Microsoft Sentinel is a SIEM.
Q2 (hard)

A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?

A

Require multi-factor authentication

B

Require device to be marked as compliant

This grant control ensures only compliant devices (managed) get access; for unmanaged devices, you can combine with a session control to allow browser-only access.

C

Require approved client app

D

Require hybrid Azure AD joined device

Why: The requirement combines a grant control with a session control, so it is normally met with two Conditional Access policies. The first policy targets the client app type 'Mobile apps and desktop clients' and grants access only with 'Require device to be marked as compliant' (option B): an unmanaged device can never be reported compliant by Intune, so native client apps on unmanaged devices are blocked while managed, compliant devices keep full access. The second policy targets the 'Browser' client app type and applies the session control 'Use app enforced restrictions' (Exchange Online and SharePoint Online) or 'Use Conditional Access App Control' to give unmanaged devices a limited, browser-only experience. Option A (MFA) says nothing about the device, option C (approved client app) still permits native apps, and option D (hybrid joined device) is a stricter device requirement that would also exclude cloud-native managed devices. Of the grant controls listed, B is the one that delivers the 'block native client apps' half of the requirement.
Q3 (easy)

Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?

A

Azure Security Center dashboard

B

Inventory

C

Secure Score

Secure Score shows recommendations grouped by severity and impact, helping prioritize critical issues.

D

Security alerts

Why: The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their impact on your overall security posture. By sorting recommendations by score impact, you can identify and address the highest severity issues first, as they contribute most significantly to improving your secure score.
Q4 (hard)

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

A

The policy condition requires a managed disk, but the VMs might have unmanaged disks.

If the VM does not have a managed disk, the 'if' condition is false, and the policy does not evaluate the audit effect.

B

The 'existenceCondition' field path is incorrect; it should be 'Microsoft.Compute/virtualMachines/extensions/publisher'.

C

The policy is assigned to a management group, but the VMs are in a subscription under a different management group.

D

The policy effect should be 'Deny' instead of 'auditIfNotExists'.

Why: Option A is correct because the policy condition uses `field` to check for `Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id`, which requires the VM to have a managed disk. If the VMs use unmanaged disks (i.e., the `managedDisk` property is absent), the condition evaluates to false, and the `auditIfNotExists` effect never triggers the existence check for the Azure Security extension.
Q5 (medium)

Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?

A

Anomaly rule

B

Fusion rule

C

Scheduled query rule

Scheduled query rules run periodically and can trigger incidents based on query results.

D

NRT query rule

Why: A scheduled query rule is the correct choice because it allows you to define a KQL query that checks for user account creation events (e.g., from the SecurityEvent or AuditLogs table) and then use the query scheduling settings to run the query at a specific interval. You can then add a condition in the rule logic to filter for events occurring outside business hours (e.g., using the `datetime_part` function to check the hour of the event). When the query returns results, Sentinel automatically generates an incident for investigation.
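The query body such a scheduled rule would run, as an added example that is not part of the original page or of any Microsoft content hub solution. The business hours (08:00 to 18:00, Monday to Friday) and the UTC+1 offset are assumptions, and the rule is assumed to run hourly with a one-hour lookback:

```kusto
// Added example, not from the original page. Flags successful Entra ID user creations
// that happen outside business hours. Hours, working days and UTC offset are assumptions.
let business_start = 8;          // 08:00 local (assumption)
let business_end   = 18;         // 18:00 local (assumption)
let local_offset   = 1h;         // tenant works at UTC+1; TimeGenerated is stored in UTC (assumption)
AuditLogs
| where TimeGenerated > ago(1h)                     // match the rule's 1-hour frequency and lookback
| where OperationName == "Add user" and Result == "success"
| extend LocalTime = TimeGenerated + local_offset
| extend HourOfDay = datetime_part("hour", LocalTime),
         Weekday   = dayofweek(LocalTime)          // 0d = Sunday ... 6d = Saturday
| where HourOfDay < business_start or HourOfDay >= business_end or Weekday in (0d, 6d)
| extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress),
         NewUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, LocalTime, Actor, ActorIp, NewUser, CorrelationId
```

In the rule, map Actor and NewUser to Account entities and ActorIp to an IP entity so the incident carries investigation context; set the frequency and lookback both to one hour so no creation is missed or double-counted. For accounts created in on-premises Active Directory, the equivalent source is SecurityEvent with EventID 4720, ingested through the Windows Security Events connector.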
Q6 (easy)

You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?

A

Diagnostic settings on the Azure Activity Log

Activity Log records control plane events; diagnostic settings can stream these to Log Analytics.

B

Azure Policy

C

NSG flow logs

D

Azure Monitor alerts

Why: Diagnostic settings on the Azure Activity Log capture all control-plane operations, including changes to NSGs (e.g., rule additions or deletions). By configuring a diagnostic setting to stream the Activity Log to a Log Analytics workspace, you ensure that every NSG modification is automatically logged and centralized for monitoring and alerting.
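The check a practitioner would run after configuring the diagnostic setting, as an added example that is not part of the original page: it lists successful NSG and NSG rule writes and deletes from the AzureActivity table, and assumes the Activity Log diagnostic setting streams to the workspace being queried.

```kusto
// Added example, not from the original page. Lists successful control-plane writes and
// deletes on network security groups and their rules as recorded by the Activity Log
// diagnostic setting. Assumes that setting targets the workspace being queried.
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue startswith "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/"
| where OperationNameValue endswith "/WRITE" or OperationNameValue endswith "/DELETE"
| where ActivityStatusValue =~ "Success"          // each operation logs Start and Success; keep the completed one
// _ResourceId: /subscriptions/<sub>/resourcegroups/<rg>/providers/microsoft.network/networksecuritygroups/<nsg>[/securityrules/<rule>]
| extend NsgName = tostring(split(_ResourceId, "/")[8])
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, NsgName, ResourceGroup, SubscriptionId, _ResourceId
| order by TimeGenerated desc
```

Make a harmless test change to a rule and run the query: if nothing appears within a few minutes, the diagnostic setting is not reaching this workspace. The same query, narrowed to a one-hour window, is the body of a scheduled analytics rule that opens an incident on every NSG change.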

Domain 2: Design security operations, identity, and compliance capabilities

Q1 (easy)

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?

A

Configure an automation rule to run a playbook automatically

Automation rules can automatically run playbooks based on incident properties such as severity.

B

Create a playbook and run it manually for each incident

C

Set up an analytics rule with automatic response

D

Use a workbook to trigger a playbook

Why: Automation rules in Microsoft Sentinel allow you to define automated responses that trigger when an incident is created or updated, including running playbooks (Azure Logic Apps workflows) automatically. This is the correct approach for automatically responding to high-severity incidents because it eliminates manual intervention and ensures consistent, immediate action based on incident properties like severity.
Q2 (medium)

A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?

A

Create a sensitivity label and apply it to emails

B

Enable communication compliance policies

C

Create a DLP policy that detects and blocks credit card numbers in Exchange Online

DLP policies in Microsoft Purview can detect sensitive info types like credit card numbers and block sharing via email.

D

Configure a retention policy for email

Why: Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be configured to detect sensitive data types, such as credit card numbers, in Exchange Online emails. When a DLP policy is created with a rule that identifies credit card numbers and blocks the email from being sent, it directly prevents users from sharing that data via email. This is the native mechanism for enforcing DLP on email traffic in Microsoft 365.
Q3 (hard)

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?

A

Configure AWS Config and GCP Security Command Center to export findings to Microsoft Sentinel

B

Connect AWS and GCP accounts to Defender for Cloud and use Azure Policy to enforce the Microsoft Cloud Security Benchmark

Connecting multi-cloud accounts allows Defender for Cloud to assess them against Azure Policy initiatives like the Microsoft Cloud Security Benchmark.

C

Use regulatory compliance standards for each cloud separately

D

Enable the Cloud Security Posture Management (CSPM) plan and configure AWS and GCP connectors

Why: Option B is correct. Defender for Cloud assesses Azure, AWS, and GCP resources against the security standards assigned in its Environment settings; the Microsoft Cloud Security Benchmark (MCSB) is assigned by default and, for Azure resources, is implemented as an Azure Policy initiative. Once the AWS and GCP accounts are connected, the same MCSB controls are evaluated for all three clouds, which is what 'the same security baseline' requires. Option A only centralizes third-party findings in Sentinel, with each cloud still assessed by its own tool against its own rules. Option C applies regulatory standards per cloud, the opposite of one shared baseline. Option D is a prerequisite (the CSPM plan and the connectors must exist) but enabling it does not by itself define the baseline the resources are assessed against.
Q4 (easy)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A

Create a Conditional Access policy that requires compliant device

Conditional Access can require device compliance as a condition for accessing corporate resources.

B

Set up enrollment restrictions in Intune

C

Create a device configuration policy that blocks non-compliant devices

D

Configure an app protection policy for email apps

Why: Option A is correct because a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) can enforce the requirement that only devices marked as compliant by Intune can access corporate email. This policy evaluates the device compliance status at authentication time and blocks or grants access based on that signal, ensuring that only managed and compliant devices can connect to services like Exchange Online.
Q5 (medium)

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?

A

FIDO2 security keys

B

Microsoft Authenticator app with passwordless sign-in

Microsoft Authenticator supports passwordless sign-in using phone, making it suitable for users with smartphones.

C

SMS-based authentication

D

Windows Hello for Business

Why: Microsoft Authenticator phone sign-in replaces the password with a credential bound to the user's smartphone: the private key stays on the device, is unlocked by the phone's biometric or PIN, and the user approves a number-matching prompt at sign-in. It uses hardware the users already carry, which makes it the practical primary method here. FIDO2 security keys (option A) are stronger but require buying and distributing hardware; Windows Hello for Business (option D) is bound to a Windows PC rather than the phone; SMS (option C) is not passwordless in any meaningful sense and is the weakest method listed. One caveat for the design: Microsoft classifies only FIDO2 security keys, passkeys (including device-bound passkeys in Authenticator), Windows Hello for Business and certificate-based authentication as phishing-resistant; classic Authenticator phone sign-in is not, so require a phishing-resistant authentication strength for privileged roles.
Q6 (hard)

Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?

A

Archive all logs to Azure Storage after 90 days

B

Ingest security-critical logs to the Analytics logs tier with 365-day retention, and other logs to the Auxiliary logs tier with shorter retention

Auxiliary logs tier is for verbose logs at lower cost, while Analytics logs provide full capabilities and longer retention for critical data.

C

Use the Basic logs tier for all logs and set retention to 365 days

D

Set the default retention to 30 days and export logs to Log Analytics Workspace

Why: Option B is correct. Log Analytics offers three table plans. Analytics logs support full KQL, alerting and scheduled analytics rules, with interactive retention configurable up to two years (and long-term retention beyond that), so they suit security-critical sources that must be kept for at least a year and feed detections. Auxiliary logs, alongside the older Basic logs plan, are priced for high-volume, low-fidelity data such as verbose network or firewall logs: ingestion is much cheaper, but queries are limited and the tables cannot drive scheduled analytics rules. Option A loses searchability and does nothing about ingestion cost; option C puts the security-critical logs on a plan that cannot feed analytics rules; option D sets a 30-day default that fails the one-year requirement.

Domain 3: Design security solutions for infrastructure

Q1 (medium)

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

A

Syslog via AMA

B

Office 365 Logs

C

Windows Security Events via AMA

Captures security events like logons, which are critical for lateral movement detection.

D

Azure Activity Log

Why: Option C is correct because the Windows Security Events via AMA connector brings in the OS-level logon events (4624, 4625, 4648, 4672) that lateral movement detections key on; a network logon (type 3) or RemoteInteractive logon (type 10) to an Azure VM from an on-premises source address is the raw signal. Option A (Syslog via AMA) covers Linux hosts only. Option B (Office 365) records cloud app activity, not server logons. Option D (Azure Activity Log) is control-plane only and never sees guest OS logons.
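A detection built on that connector, as an added example that is not part of the original page: it finds single on-premises source addresses logging on over the network or RDP to several Azure VMs within an hour. The on-premises address ranges and the threshold of three hosts are assumptions.

```kusto
// Added example, not from the original page. Detects one on-premises source reaching
// several Azure VMs by network (type 3) or RDP (type 10) logon inside an hour.
// Assumes SecurityEvent is ingested from the Azure VMs via AMA; the on-premises
// ranges and the host threshold are assumptions to tune per environment.
let onprem_ranges = dynamic(["10.0.0.0/8", "192.168.0.0/16"]);   // assumption
let host_threshold = 3;                                            // assumption
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| where LogonType in (3, 10)                     // 3 = network (SMB, WinRM), 10 = RemoteInteractive (RDP)
| where isnotempty(IpAddress) and IpAddress != "-"
| where ipv4_is_in_any_range(IpAddress, onprem_ranges)
| summarize LogonCount = count(),
            TargetHosts = make_set(Computer, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIp = IpAddress, Account = strcat(TargetDomainName, @"\", TargetUserName)
| where array_length(TargetHosts) >= host_threshold   // fan-out across hosts is the lateral-movement signal
| order by LogonCount desc
```

Exclude known scanners, backup servers and jump hosts by address or account before turning this into a rule, otherwise they dominate the results; map SourceIp to an IP entity, Account to an Account entity and TargetHosts to Host entities so the incident graph shows the spread.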
Q2 (easy)

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

A

Enable all Defender plans for subscription

B

Connect AWS and GCP accounts using the cloud connectors in Defender for Cloud

Defender for Cloud provides native connectors to onboard AWS and GCP accounts.

C

Create custom compliance policies

D

Deploy Azure Arc agents on all cloud VMs

Why: Option B is correct because the AWS and GCP accounts must first be onboarded through the native cloud connectors in Environment settings; that connection is what gives Defender for Cloud visibility into those accounts. Option A comes afterwards: Defender plans are enabled per connector once it exists. Option C is optional. Option D (Azure Arc) onboards individual servers for agent-based protection and is a later, optional step that gives no account-level visibility.
Q3 (hard)

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

A

GitHub secret scanning

Secret scanning detects tokens, keys, and other secrets in repositories.

B

CodeQL code scanning

C

Dependabot alerts

D

Defender for Cloud DevOps security posture management

Why: Option A is correct because GitHub secret scanning matches committed content against known token and key formats from many providers and, with push protection enabled, blocks the push before the secret lands in history. Option B is wrong because CodeQL analyses code for security vulnerabilities such as injection flaws, not for embedded credentials. Option C is wrong because Dependabot covers vulnerable dependencies. Option D is wrong because Defender for Cloud's DevOps security posture management surfaces findings from connected repositories but does not replace secret scanning in the repository itself.
Q4 (medium)

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

A

Ensure that 'Auditing' is set to 'On' for SQL Database

This policy enables auditing for Azure SQL Database.

B

Ensure that 'TDE' is enabled for SQL Server VMs

C

Audit SQL Server level audit setting

D

Ensure that 'Firewall and virtual network settings' for SQL Database are configured

This policy enforces network security rules.

E

Ensure secure transfer to storage accounts is enabled

Why: Options A and D are correct. Enabling Auditing on Azure SQL Database writes database events to Azure Storage, a Log Analytics workspace, or Event Hubs, giving the record of who did what and when that compliance and forensic work depend on. Configuring firewall and virtual network rules limits which networks can reach the logical server at all, the network-level control that complements auditing. Option B applies to SQL Server running on VMs, not to Azure SQL Database; option C overlaps with A but only checks the server-level audit flag; option E is a storage account control.
Q5 (easy)

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

A

Advanced threat protection for Azure Cosmos DB

B

Azure Defender for Kubernetes (cluster hardening)

Provides threat detection and hardening recommendations for AKS.

C

Vulnerability assessment for container images

Defender for Cloud scans container images for vulnerabilities.

D

DDoS Protection Standard

E

Runtime threat detection for AKS clusters

Detects suspicious activities at runtime in AKS.

Why: Options B, C and E are correct. Azure Defender for Kubernetes (now part of Microsoft Defender for Containers) hardens AKS by assessing cluster configuration against benchmarks such as CIS and flagging misconfigurations like overly permissive RBAC, missing network policies or privileged containers, with remediation steps. Vulnerability assessment scans container images in Azure Container Registry, and images running in the cluster, for known CVEs before and after deployment. Runtime threat detection analyses Kubernetes audit logs and node-level signals for suspicious activity such as privileged container launches or cryptomining. Option A protects Azure Cosmos DB, not AKS, and option D is a network-layer DDoS service that is not part of Defender for Cloud.
Q6 (hard)

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

A

Assign Azure Policy to enforce resource compliance

B

Enable Azure Defender plans for all supported resource types

Enabling plans provides advanced threat protection.

C

Implement the top security recommendations from the Secure Score

Improving Secure Score directly enhances security posture.

D

Create custom security policies

E

Deploy vulnerability assessment solution to all VMs

Why: Options B and C are correct. Enabling the Defender plans adds threat detection and advanced assessments for each resource type, and working through the Secure Score recommendations, highest score impact first, is the most direct way to raise the subscription's posture. Options A and D describe mechanisms rather than actions: assigning built-in or custom policies is how the recommendations are generated in the first place. Option E is itself one of the Secure Score recommendations, so it is covered by option C.

Domain 4: Design a Zero Trust strategy and architecture

Q1 (medium)

A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?

A

Azure Front Door

B

Azure Bastion

C

Azure Firewall

Azure Firewall can inspect and log all traffic between on-premises and Azure.

D

Azure DDoS Protection

Why: Azure Firewall is a managed, stateful network security service that filters and logs traffic at the network and application layers, applies threat-intelligence-based filtering and, in the Premium SKU, TLS inspection and IDPS, and sends its logs to Azure Monitor. Deployed in a hub network it is the natural inspection point for traffic between on-premises and Azure. One caveat the design must cover: the firewall only sees what is routed to it, so user-defined routes on the spoke subnets, and forced tunneling or a Virtual WAN secured hub for the on-premises path, are required before 'all traffic regardless of source or destination' actually holds. Front Door is a global HTTP(S) entry point, Bastion provides management access to VMs, and DDoS Protection mitigates volumetric attacks without inspecting or logging individual flows.
Q2 (hard)

An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?

A

Ensure Intune compliance policies are assigned to the correct user groups

B

Confirm that devices are Azure AD Joined

C

Check if users have enabled multi-factor authentication

D

Verify that devices are registered in Azure AD

Device registration in Azure AD is required for conditional access to evaluate device compliance.

Why: Device compliance evaluation in a hybrid identity environment requires that devices are registered in Azure AD (Azure AD Registration) so that Azure AD can associate the device identity with Intune compliance data. Even if a device is enrolled in Intune, without Azure AD registration, Conditional Access policies cannot evaluate its compliance status because the device identity is not recognized by Azure AD during authentication.
Q3 (easy)

A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?

A

Microsoft Intune

B

Microsoft Defender for Cloud Apps

C

Microsoft Purview Information Protection

Purview Information Protection provides data classification and labeling.

D

Azure Policy

Why: Microsoft Purview Information Protection (formerly Microsoft Information Protection) is the correct tool because it provides integrated classification, labeling, and protection for sensitive data across Microsoft 365 services, including SharePoint Online. It uses sensitivity labels that can automatically apply encryption, rights management, and visual markings (headers/footers) to documents based on policy conditions, directly supporting the Zero Trust principle of 'assume breach' by protecting data at rest and in transit.
Q4 (medium)

A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?

A

Enable VNet peering between all VNets and use network security groups

B

Use a mesh topology with direct connectivity between VNets

C

Use a hub-and-spoke topology with a firewall appliance in the hub

Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.

D

Configure service endpoints for each VNet

Why: A hub-and-spoke topology with a firewall in the hub forces inter-VNet traffic through a single inspection point and, because AVNM can deploy the topology and its routing at scale, prevents spokes from talking to each other directly and bypassing the firewall. Two caveats: the firewall inspects traffic but does not encrypt it, so the 'encrypted' requirement has to be met separately (for example with Azure Virtual Network encryption on the VNets or TLS at the application layer); and without routing that sends spoke-to-spoke traffic to the hub, peering alone gives spokes no path through the firewall at all. Options A and B create direct paths that skip inspection, and option D (service endpoints) concerns access to PaaS services, not VNet-to-VNet traffic.
Q5 (hard)

A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)

A

Enable Azure Update Management for all VMs

B

Use Azure Policy to enforce security configurations

Azure Policy can enforce compliance and security baselines.

C

Deploy Microsoft Entra Permissions Management

D

Review and implement recommendations from Microsoft Defender for Cloud Secure Score

Secure Score provides recommendations to improve security posture.

E

Use Microsoft Security Copilot to generate security policies

Why: Azure Policy (option B) enforces organizational standards and assesses compliance at scale, which is the Zero Trust principle of continuous verification applied to configuration. By applying policies that enforce security configurations (e.g., requiring HTTPS, restricting public network access), the company prevents misconfigurations before they happen and keeps a consistent baseline across the environment. Reviewing and implementing the Defender for Cloud Secure Score recommendations (option D) is the complementary, assessment-driven half: Secure Score shows where the environment currently falls short and the score impact of each fix. Update Management (A) and Permissions Management (C) address patching and entitlements respectively, and Security Copilot (E) assists analysts but does not assess posture.
Q6 (medium)

A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)

A

Microsoft Intune for device management and compliance policies

Intune manages device compliance and enforces policies.

B

Azure AD device registration

Device registration in Azure AD is needed for device identity.

C

Azure AD Conditional Access policies

Conditional Access can require compliant devices for access.

D

Azure AD Application Proxy

E

Azure AD B2B collaboration

Why: A is correct because Microsoft Intune provides device management and compliance policies that define the security posture required for managed devices, such as requiring encryption, a minimum OS version, or a specific patch level; Intune reports the resulting compliant or non-compliant state to Azure AD. B is correct because the device needs an identity in Azure AD (registered, joined or hybrid joined) before that compliance state can be attached to it and evaluated at sign-in. C is correct because Conditional Access is the enforcement point: the 'Require device to be marked as compliant' grant control is what actually blocks access from devices that fail the policy. Application Proxy (D) publishes on-premises web apps and B2B collaboration (E) handles external users; neither evaluates device state.

Domain 5: Design security solutions for applications and data

Q1 (medium)

Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?

A

Store the secret in the Azure AD app registration manifest.

B

Store the secret in an App Service application setting.

C

Store the secret in Azure Key Vault and use a Key Vault reference in App Service.

Key Vault provides centralized secret management with access policies and auditing.

D

Store the secret in the application code as a constant.

Why: Option C is correct. Azure Key Vault stores the secret with its own RBAC, soft delete and access auditing, and App Service can read it through a Key Vault reference (@Microsoft.KeyVault(SecretUri=...)) using the app's managed identity, so the secret value never appears in the app's configuration. Option D is wrong because a secret in code ends up in source control and every build artifact. Option B is wrong because plain application settings are readable by anyone with read access to the app's configuration through the portal, CLI or ARM. Option A is wrong because the app registration is the identity object whose credentials you are trying to protect, not a store for the client's copy of them. The stronger design, where the downstream API supports it, is to drop the client secret altogether and call the API with the App Service managed identity.
Q2 (hard)

Your company uses Microsoft Defender for Cloud to protect Azure resources. A critical application uses an Azure SQL Database. You need to ensure that all queries to the database are encrypted in transit and that the encryption protocol is the most secure version available. Which configuration should you enforce?

A

Set the minimal TLS version to 1.2 in the server's firewall rules.

This enforces that only clients using TLS 1.2 or higher can connect.

B

Configure the database to reject unencrypted connections.

C

Set the connection policy to Proxy and force TCP.

D

Enable 'Force SSL' on the database.

Why: Option A is correct, with one correction to its wording: the minimal TLS version is a property of the logical SQL server (Networking > Connectivity settings in the portal, or `az sql server update --minimal-tls-version 1.2`), not a firewall rule. Setting it to 1.2 rejects clients that negotiate TLS 1.0 or 1.1 while still letting newer clients use the highest version both sides support. Option B is not a separate control: Azure SQL Database already enforces encrypted connections for every client, so the only remaining question is which TLS versions are accepted. Option C concerns connection routing (Proxy versus Redirect), not encryption. Option D ('Force SSL', i.e. require_secure_transport) is a setting on Azure Database for MySQL and PostgreSQL, not on Azure SQL Database. Before raising the minimum, confirm no client still depends on TLS 1.0 or 1.1, because those connections fail immediately afterwards.
Q3 (easy)

Your organization stores sensitive customer data in Azure Blob Storage. You need to implement data classification and labeling using Microsoft Purview. Which resource should you use to automatically scan and classify the data?

A

Azure Policy

B

Microsoft Purview Data Map

Data Map scans assets and applies classification rules automatically.

C

Microsoft Purview Information Protection

D

Microsoft Purview Data Loss Prevention

Why: Option B is correct. The Microsoft Purview Data Map registers the Blob Storage account as a source, runs scheduled scans over it, and applies built-in or custom classification rules (credit card numbers, national IDs, and so on) to the assets it discovers. Option C (Information Protection) applies and enforces sensitivity labels but does not crawl storage. Option D (DLP) monitors and blocks exfiltration of data that is already classified. Option A (Azure Policy) enforces resource configuration, not data classification.
Q4 · medium

A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?

A

Microsoft 365 E3

B

Microsoft Entra ID P2

C

Microsoft Entra ID Free

D

Microsoft Entra ID P1

P1 includes SSPR with password writeback.

Why: Option D is correct because Microsoft Entra ID P1 includes SSPR with writeback to on-premises Active Directory. Option C is wrong because the free tier does not include SSPR. Option B is wrong because P2 adds Identity Protection, which is not required for basic SSPR. Option A is wrong because Microsoft 365 E3 includes Entra ID P1, but the question asks for the minimum licensing.
Q5 · hard

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You notice that a particular database is flagged with a high-severity recommendation to enable 'Advanced Data Security'. What does enabling Advanced Data Security provide?

A

It restricts access to the database to specific IP addresses.

B

It encrypts the database at rest using TDE.

C

It provides vulnerability assessments and threat detection.

ADS includes these security capabilities.

D

It enables automatic backup encryption.

Why: Option C is correct because Advanced Data Security (ADS) includes vulnerability assessments, threat detection, and data discovery/classification. Option B is wrong because transparent data encryption (TDE) is a separate feature. Option A is wrong because ADS does not restrict network access; that is done by firewall or VNet rules. Option D is wrong because backup encryption is handled by Azure Storage encryption.
Q6 · easy

Your company is designing a solution to store sensitive documents in Azure Files. The files must be encrypted at rest and in transit. Which two configurations are required? (Each correct answer presents part of the solution.)

A

Enable Azure Disk Encryption on the VMs that mount the share.

B

Configure the storage account to use HTTPS only.

C

Enable Azure Storage Service Encryption (SSE) for the storage account.

SSE encrypts data at rest automatically.

D

Configure the Azure file share to require SMB 3.0 with encryption.

SMB 3.0 with encryption provides encryption in transit.

E

Use Azure File Sync to sync files to on-premises servers.

Why: Options C and D are correct. Encryption at rest is provided by Azure Storage Service Encryption (SSE). Encryption in transit is provided by SMB 3.0 with encryption. Option E is wrong because Azure File Sync does not provide encryption at rest or in transit for the file share itself. Option A is wrong because Azure Disk Encryption is for VMs, not Azure Files. Option B is wrong because TLS is for HTTPS, not SMB.


Domain 6: Evaluate GRC and security operations strategies

Q1 · medium

A multinational company is implementing a Zero Trust security model. The security team needs to ensure that all access requests to critical applications are evaluated based on user identity, device health, and real-time risk signals. Which Microsoft solution should they use to centralize policy enforcement?

A

Microsoft Defender for Cloud Apps

B

Microsoft Entra Conditional Access

Centralizes policy evaluation based on user, device, and risk signals.

C

Azure AD Identity Protection

D

Microsoft Purview Compliance Manager

Why: The correct answer is B: Microsoft Entra Conditional Access. It evaluates signals like user, device, and location to enforce access policies. Option A (Microsoft Defender for Cloud Apps) is a CASB, not a policy enforcement point for authentication. Option D (Microsoft Purview Compliance Manager) is for compliance scores. Option C (Azure AD Identity Protection) identifies risks but does not enforce access policies directly.
Q2 · hard

A company is designing a security operations strategy. They want to use Microsoft Sentinel to detect and respond to threats across their hybrid environment. They need to ensure that logs from all sources are collected cost-effectively and that analysts can easily query data. Which data ingestion strategy should they recommend?

A

Send all logs to the Basic logs table to reduce costs.

B

Send only Windows Security Events to Sentinel.

C

Send all logs to the Analytics logs table for full query capabilities.

D

Use Analytics logs for high-value security logs and Basic logs for verbose logs with low security value.

Balances cost and functionality; Basic logs for low-value data, Analytics for actionable data.

Why: Option D is correct because it balances cost and query performance by routing high-value security logs (e.g., Windows Security Events, network logs) to the Analytics logs table for full KQL query capabilities and retention, while sending verbose, low-security-value logs (e.g., DNS debug, firewall flow logs) to the Basic logs table, which offers lower ingestion cost and limited query features (e.g., no KQL summarization). This tiered approach ensures analysts can efficiently hunt on critical data without incurring unnecessary costs for voluminous, less actionable logs.
Q3 · easy

A company's security team wants to automate response to common incidents like malware detected on endpoints. They have Microsoft 365 Defender and Microsoft Sentinel. Which feature should they use to create automated playbooks?

A

Microsoft Purview's data loss prevention policies

B

Microsoft Sentinel automation rules and playbooks

Integrates with Logic Apps for automated response to incidents.

C

Azure Policy

D

Microsoft Defender for Cloud's workflow automation

Why: Microsoft Sentinel's automation rules and playbooks are the correct choice because they are specifically designed to automate incident response by triggering predefined actions (e.g., running a Logic App) when a detection event, such as malware on an endpoint, is ingested from Microsoft 365 Defender. This integration allows security teams to create custom, automated workflows that respond to common incidents without manual intervention.
Q4 · medium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that critical recommendations are automatically remediated. They create a workflow automation that triggers a Logic App for specific recommendations. However, the Logic App fails to run. What is the most likely cause?

A

The managed identity of the Logic App lacks permissions on the target resources.

Logic App needs permissions to perform remediation actions.

B

The subscription is not onboarded to Defender for Cloud.

C

Defender for Cloud is disabled for the resource group.

D

The recommendation is disabled in the security policy.

Why: The most likely cause is that the Logic App's managed identity lacks the necessary permissions on the target Azure resources. Workflow automations in Defender for Cloud use a Logic App that executes remediation actions; if the Logic App's identity (either system-assigned or user-assigned) does not have the required RBAC role (e.g., Contributor or a custom role with specific actions) on the resource scope, the remediation run will fail with an authorization error. This is a common misconfiguration because the automation trigger itself succeeds, but the downstream action fails due to insufficient permissions.
Q5 · hard

A company is evaluating their incident response (IR) process. They use Microsoft Sentinel as their SIEM. During a security incident, the IR team struggles to quickly find related alerts and entities. Which improvement should they implement to enhance investigation efficiency?

A

Create more analytics rules to cover additional scenarios.

B

Configure automation rules to automatically classify incidents.

C

Increase data retention for all log tables.

D

Leverage the investigation graph to explore entity relationships.

Provides visual mapping of connections between alerts, entities, and incidents.

Why: The investigation graph in Microsoft Sentinel provides a visual, interactive map of entity relationships (e.g., users, hosts, IP addresses, alerts) connected to an incident. This directly addresses the IR team's struggle to quickly find related alerts and entities by allowing them to explore and pivot across linked data points, drastically reducing manual correlation time.
Q6 · easy

A company wants to implement a governance strategy for their Azure environment. They need to enforce tagging standards and restrict deployment to approved regions. Which combination of Azure services should they use?

A

Azure Management Groups and subscriptions

B

Azure RBAC and Azure AD

C

Azure Resource Graph and Azure Monitor

D

Azure Policy and Azure Blueprints

Policy enforces rules; Blueprints package policies, RBAC, and resources.

Why: Azure Policy is the correct service for enforcing tagging standards and restricting deployments to approved regions because it applies rules and effects to resources during creation and existing resources. Azure Blueprints complements this by orchestrating the deployment of policy definitions, role assignments, and resource groups into a single, repeatable package, ensuring consistent governance across subscriptions.


Domain 7: Design security for infrastructure

Q1 · medium

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

A

Use VPN Gateway over ExpressRoute

B

Use ExpressRoute Direct with BGP

C

Use ExpressRoute with MACsec

MACsec enables encryption and authentication on ExpressRoute circuits.

D

Use Azure Firewall to inspect ExpressRoute traffic

Why: Option C is correct because MACsec (IEEE 802.1AE) provides Layer 2 encryption and authentication for traffic traversing ExpressRoute Direct ports, ensuring that all data between on-premises and Azure is encrypted at the physical link level. This meets the requirement for both encryption and authentication without relying on higher-layer protocols like IPsec, which would add overhead and complexity.
Q2 · hard

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

A

Deploy Azure Arc on each EC2 instance

B

Use AWS Systems Manager to push Defender workload

C

Set up the AWS connector in Defender for Cloud

The connector automatically discovers and monitors EC2 instances.

D

Configure AWS Config rules to report to Defender

Why: Option C is correct because the AWS connector in Microsoft Defender for Cloud is the native integration that enables automatic discovery and onboarding of AWS resources, including EC2 instances, into Defender for Cloud. Once configured, the connector uses AWS IAM roles and APIs to continuously sync EC2 inventory and apply Defender plans (e.g., Defender for Servers) without requiring manual agent installation on each instance.
Q3 · easy

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

A

Azure Bastion

B

Azure AD Application Proxy

C

AVD Gateway service

The gateway uses reverse connect for outbound connections.

D

Session host configuration

Why: The AVD Gateway service is the correct component because it establishes a reverse connect transport, where the session host initiates an outbound connection to the gateway over HTTPS (port 443). This eliminates the need for any inbound firewall rules to the session hosts, as user connections are relayed through the gateway without directly exposing the session hosts to the internet.
Q4 · medium

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

A

Deploy Azure Firewall and use application rules

Azure Firewall can filter based on FQDNs and IPs, providing secure inter-tier communication.

B

Use Network Security Groups (NSGs) on each subnet

C

Use VNet peering with route tables

D

Use Azure Web Application Firewall (WAF)

Why: Azure Firewall with application rules (FQDN-based) provides the most secure and granular control for east-west traffic between tiers. It can inspect and filter traffic at Layer 7 (application layer) using TLS inspection, ensuring only allowed application protocols (e.g., HTTPS) and specific FQDNs are permitted, while blocking all other traffic. This meets the requirement for private IP communication and enforces a zero-trust model between tiers.
Q5 · hard

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

A

Assign the cluster-admin ClusterRole to the developers

B

Create a custom ClusterRole with rules for pods and services, then bind it to the developer group with a ClusterRoleBinding

This grants cluster-wide but limited access to only specified resources.

C

Create a RoleBinding in each namespace for developers

D

Use Azure RBAC to grant Contributor role on the AKS cluster

Why: Option B is correct because Kubernetes RBAC allows fine-grained authorization. A custom ClusterRole can define rules for pods and services (core API group resources), and a ClusterRoleBinding binds it to the developer group across all namespaces. This grants the required permissions without allowing modifications to cluster-level resources like nodes or namespaces, which are not included in the custom role's rules.
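As an added example (constructed here, not from the page and not the Kubernetes authorizer itself), the ClusterRole and ClusterRoleBinding described in the explanation are written out as Python dicts carrying the same fields as the YAML manifests, and a small function applies the RBAC rule semantics: a request is allowed when any rule in any role bound to one of the caller's groups matches its API group, resource and verb, and everything else is denied. The Entra ID group object ID is a placeholder. It also shows a caveat the explanation does not spell out: because the role names only the core API group, the same developers cannot create Deployments (which live in the `apps` group) either.

```python
"""Minimal Kubernetes RBAC authorization check (constructed illustration).
The manifests below mirror the ClusterRole/ClusterRoleBinding fields; is_allowed()
implements the rule semantics: any matching rule allows, otherwise deny."""

DEVELOPER_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "developer-workloads"},
    "rules": [
        # Only core-group pods and services; nodes and namespaces are deliberately absent.
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}

DEVELOPER_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "developers-workloads"},
    # Placeholder: with AKS Entra ID integration the subject is the group's object ID.
    "subjects": [{"kind": "Group", "name": "<entra-group-object-id>"}],
    "roleRef": {"kind": "ClusterRole", "name": "developer-workloads"},
}

ROLES = {DEVELOPER_CLUSTER_ROLE["metadata"]["name"]: DEVELOPER_CLUSTER_ROLE}
BINDINGS = [DEVELOPER_BINDING]


def rule_matches(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when group, resource and verb are each listed (or '*')."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def is_allowed(groups, api_group: str, resource: str, verb: str) -> bool:
    """Deny by default; allow only when a bound role carries a matching rule.
    A ClusterRoleBinding applies in every namespace and to cluster-scoped kinds."""
    for binding in BINDINGS:
        bound_groups = {s["name"] for s in binding["subjects"] if s["kind"] == "Group"}
        if not bound_groups & set(groups):
            continue
        role = ROLES[binding["roleRef"]["name"]]
        if any(rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def demo() -> dict:
    """Requests a developer in the bound group might make."""
    dev = ["<entra-group-object-id>"]
    return {
        "create_pod": is_allowed(dev, "", "pods", "create"),            # True
        "delete_service": is_allowed(dev, "", "services", "delete"),    # True
        "list_nodes": is_allowed(dev, "", "nodes", "list"),             # False: not in the role
        "create_namespace": is_allowed(dev, "", "namespaces", "create"),  # False
        "create_deployment": is_allowed(dev, "apps", "deployments", "create"),  # False: apps group not granted
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request}: {'allow' if verdict else 'deny'}")
```

If developers also need Deployments or other workload controllers, add a second rule for the `apps` group rather than widening the first one to `*`; the point of the custom role is that nodes and namespaces stay out of reach.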
Q6 · easy

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

A

Enable password hash synchronization

B

Configure the synchronization interval for directory changes

Azure AD Connect syncs changes every 30 minutes by default.

C

Install Azure AD Application Proxy

D

Enable password writeback

Why: Option B is correct because Azure AD Connect's default synchronization cycle for directory changes is 30 minutes. By configuring the synchronization interval (via the Azure AD Connect scheduler or PowerShell), you can ensure that disabled on-premises accounts are reflected in Azure AD within that timeframe. This setting directly controls how frequently Azure AD Connect processes and synchronizes changes from the on-premises Active Directory to Azure AD.


Domain 8: Design a strategy for data and applications

Q1 · medium

A company is designing a data protection strategy for Azure SQL Database. They need to ensure that backups are retained for 7 years to meet regulatory compliance. Which Azure feature should they use?

A

Geo-redundant backup storage

B

Long-Term Retention (LTR)

LTR retains backups for up to 10 years.

C

Point-in-Time Restore

D

Active Geo-Replication

Why: Long-Term Retention (LTR) for Azure SQL Database allows you to retain full database backups for up to 10 years, which meets the 7-year regulatory compliance requirement. LTR is specifically designed for archival and compliance scenarios, storing backups in separate containers with configurable retention policies based on weekly, monthly, or yearly intervals.
Q2 · easy

A company deploys Azure App Service with a custom domain and SSL certificate. They want to enforce HTTPS only. Which configuration setting should they enable?

A

HTTPS Only

Enforces HTTPS redirect.

B

Client Certificates

C

Minimum TLS Version

D

Custom Domain

Why: The 'HTTPS Only' setting in Azure App Service enforces that all incoming requests are redirected from HTTP to HTTPS, ensuring encrypted communication. This is achieved by returning a 301 redirect for any HTTP request, which aligns with the requirement to enforce HTTPS only.
Q3 · hard

A company uses Azure Policy to audit storage accounts for secure transfer (HTTPS) enforcement. The policy is set to 'AuditIfNotExists' but compliance shows 0% non-compliant storage accounts even though some accounts have secure transfer disabled. What is the most likely cause?

A

The policy is in 'audit' mode and does not evaluate

B

The policy should use 'Audit' or 'Deny' effect instead of 'AuditIfNotExists'

AuditIfNotExists is for existence of a resource, not property.

C

The storage accounts are in a different region

D

The policy assignment scope does not include the non-compliant accounts

Why: The 'AuditIfNotExists' effect is designed to audit resources that do not have a specific extension or sub-resource (e.g., a diagnostic setting or an agent). For a policy that needs to check a property of the storage account itself (like secure transfer enabled), the correct effect is 'Audit' (or 'Deny'). 'AuditIfNotExists' will never flag a storage account as non-compliant for missing the secure transfer property because it is looking for the absence of a child resource, not a property misconfiguration.
Q4 · medium

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). They need to secure communication between services using mutual TLS (mTLS). Which solution should they implement?

A

Azure Application Gateway

B

Azure Firewall

C

Azure API Management

D

Istio service mesh

Provides mTLS for microservices.

Why: Istio service mesh is the correct solution because it provides a dedicated infrastructure layer for managing service-to-service communication, including automatic mutual TLS (mTLS) between microservices. Istio injects Envoy sidecar proxies into each pod, which handle encryption, authentication, and authorization without requiring application code changes. This enables zero-trust network security within the AKS cluster.
Q5 · easy

A company stores sensitive data in Azure Blob Storage. They want to prevent data exfiltration by blocking public access and restricting network access to only their on-premises data center via VPN. Which two features should they use?

A

Enable firewall and add on-premises IP range

B

Disable public access and use RBAC

C

Disable public access and configure a service endpoint with a firewall rule for the VPN subnet

Service endpoint restricts to subnet, firewall blocks other traffic.

D

Disable public access and configure a private endpoint

Private endpoint uses private IP, but VPN is needed for connectivity.

Why: Option C is correct because disabling public access ensures the storage account is not reachable from the internet, and configuring a service endpoint with a firewall rule for the VPN subnet restricts traffic to only the on-premises data center traffic arriving via the VPN. Service endpoints provide an optimized route over the Azure backbone, and the firewall rule explicitly allows the VPN subnet's IP range, preventing data exfiltration from unauthorized networks.
Q6 · hard

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that secrets can be automatically rotated when they are close to expiration. Which solution should they implement?

A

Use Azure DevOps release pipeline to rotate secrets

B

Use Azure Automation with a schedule to check expiration and rotate

C

Use Key Vault event grid subscription to trigger an Azure Function for rotation

Event-driven rotation on secret expiration.

D

Use Azure Logic Apps with a recurrence trigger to rotate secrets

Why: Option C is correct because Azure Key Vault can emit events via Event Grid when a secret is near expiration, and an Azure Function subscribed to that event can perform the rotation logic immediately. This event-driven approach ensures near-real-time rotation without polling, aligning with the requirement for automatic rotation close to expiration.


Domain 9: Recommend security best practices and priorities

Q1 · medium

A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?

A

Enable Azure DDoS Protection on the virtual network

B

Implement network segmentation using NSGs and application security groups

Network segmentation restricts east-west traffic, limiting lateral movement.

C

Enable multi-factor authentication (MFA) for all admin accounts

D

Deploy Azure Bastion for secure remote access

Why: Network segmentation using NSGs and application security groups is the correct priority because it directly controls east-west traffic between VMs within the same virtual network. By defining explicit inbound and outbound rules that restrict communication to only necessary ports and protocols (e.g., TCP 443 for HTTPS), an attacker who compromises one VM cannot initiate lateral movement to other VMs, as the NSG will drop unauthorized traffic at the subnet or NIC level.
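As an added example (not part of the original page, and a simplified model rather than Azure's NSG engine), the Python code below applies inbound NSG rules the way Azure does: lowest priority number first, first match wins, with the three default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) evaluated last. The address space, VM IPs and application security group membership are constructed, and protocol and source port are omitted. It shows the point that matters for lateral movement: with only the default rules, any port between two VMs in the same VNet is allowed, so the segmentation rules have to explicitly deny VirtualNetwork-to-VirtualNetwork traffic below the flows they permit.

```python
"""Simplified NSG inbound evaluator (constructed illustration, not Azure's engine).
Rules are processed lowest priority number first; the first match decides.
Protocol and source port are ignored to keep the model short."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")                 # constructed VNet address space
ASG = {"asg-web": {"10.0.1.4"}, "asg-app": {"10.0.2.4"}}   # constructed ASG membership
AZURE_LB_PROBE_IP = "168.63.129.16"                         # Azure load-balancer health-probe source


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str     # IP/CIDR, '*', 'VirtualNetwork', 'AzureLoadBalancer' or an ASG name
    dest: str       # same forms as source
    dest_port: str  # '*' or a single port as a string
    access: str     # 'Allow' or 'Deny'


# Azure's default inbound rules, always present and evaluated after custom rules.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def address_matches(spec: str, ip: str) -> bool:
    """Resolve a rule's source/destination field against a concrete IP."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec in ASG:
        return ip in ASG[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, src_ip: str, dst_ip: str, dst_port: int) -> Rule:
    """Return the rule that decides this flow (DenyAllInBound guarantees a match)."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (address_matches(rule.source, src_ip)
                and address_matches(rule.dest, dst_ip)
                and rule.dest_port in ("*", str(dst_port))):
            return rule
    raise AssertionError("DenyAllInBound always matches")


def allowed(rules, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return first_match(rules, src_ip, dst_ip, dst_port).access == "Allow"


# Segmentation rules on the app subnet's NSG: permit only HTTPS from the web tier,
# then drop everything else that originates inside the VNet.
SEGMENTED = [
    Rule(100, "AllowWebToAppHttps", "asg-web", "asg-app", "443", "Allow"),
    Rule(4000, "DenyVnetLateral", "VirtualNetwork", "VirtualNetwork", "*", "Deny"),
]


def demo() -> dict:
    web, app = "10.0.1.4", "10.0.2.4"
    return {
        "default_rdp_from_web": allowed([], web, app, 3389),          # True: defaults allow intra-VNet
        "segmented_rdp_from_web": allowed(SEGMENTED, web, app, 3389),  # False: DenyVnetLateral
        "segmented_https_from_web": allowed(SEGMENTED, web, app, 443), # True: AllowWebToAppHttps
        "segmented_lb_probe": allowed(SEGMENTED, AZURE_LB_PROBE_IP, app, 443),  # True: default 65001
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {'allow' if verdict else 'deny'}")
```

The deny rule sits at priority 4000 so that it still runs before the 65000 default but after any allow rules you add later; forgetting it leaves AllowVnetInBound in force and the segmentation exists only on paper.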
Q2 · hard

A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?

A

The developer does not have 'Microsoft.Authorization/policyAssignments/write' permission

B

The policy effect is set to 'audit' instead of 'deny'

C

The policy's 'then' block uses 'deny' but the condition logic evaluates the 'encryption' property incorrectly

If the condition does not match the actual property path, the deny may fire incorrectly.

D

The policy is scoped to a management group that includes the developer's subscription

Why: Option C is correct because the most likely cause is that the policy's condition logic incorrectly evaluates the 'encryption' property. Azure Policy uses JSON-based condition expressions to check resource properties; if the condition does not match the actual property path (e.g., 'properties.encryption.enabled' vs. 'properties.encryption') or uses an incorrect operator, the deny effect will trigger even when encryption is specified. This is a common misconfiguration in custom policies.
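Both policy questions (the AuditIfNotExists one in Domain 8 Q3 and this property-path one) turn on how a policy condition is evaluated. The Python evaluator below is an added example, not Courseiva's content and not the Azure Policy engine: it resolves dotted JSON paths against a constructed storage-account document instead of real Azure Policy aliases, supports only `equals`, `exists`, `not` and `allOf`, and models AuditIfNotExists as a check for a related child resource. With it you can see both effects described on the page: AuditIfNotExists never reports the secure-transfer property, and a deny policy whose field path does not exist on the resource blocks an account that is in fact encrypted.

```python
"""Simplified Azure Policy evaluator (constructed illustration, not the Azure Policy
engine).  Dotted property paths stand in for policy aliases, and AuditIfNotExists
is modelled as 'does a related child resource exist?'."""
from typing import Any

MISSING = object()  # sentinel: the property path does not exist on the resource


def get_path(resource: dict, path: str) -> Any:
    """Walk a dotted path such as 'properties.encryption.enabled'."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def evaluate(condition: dict, resource: dict) -> bool:
    """True when the policy 'if' condition matches. As in Azure Policy, a field that
    is absent never satisfies 'equals', so 'not equals' becomes true for it."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = get_path(resource, condition["field"])
    if "equals" in condition:
        return value is not MISSING and value == condition["equals"]
    if "exists" in condition:
        return (value is not MISSING) == condition["exists"]
    raise ValueError(f"unsupported condition: {condition}")


def apply_policy(policy: dict, resource: dict) -> str:
    """Return 'Compliant', 'NonCompliant' or 'Denied' for one resource."""
    effect = policy["then"]["effect"].lower()
    matched = evaluate(policy["if"], resource)
    if not matched:
        return "Compliant"
    if effect == "auditifnotexists":
        # The 'if' block only selects resources; compliance depends solely on whether
        # the related resource type named in 'details' exists, never on a property.
        wanted = policy["then"]["details"]["type"]
        has_child = any(c["type"] == wanted for c in resource.get("children", []))
        return "Compliant" if has_child else "NonCompliant"
    return "Denied" if effect == "deny" else "NonCompliant"


# Constructed sample: secure transfer is OFF, encryption is ON, and a diagnostic
# setting child resource exists.
STORAGE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "encryption": {"services": {"blob": {"enabled": True}}},
    },
    "children": [{"type": "Microsoft.Insights/diagnosticSettings"}],
}

IS_STORAGE = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}

SECURE_TRANSFER_AINE = {  # the page's misconfigured policy: wrong effect for a property
    "if": IS_STORAGE,
    "then": {"effect": "AuditIfNotExists",
             "details": {"type": "Microsoft.Insights/diagnosticSettings"}},
}
SECURE_TRANSFER_AUDIT = {  # the fix: Audit on the property itself
    "if": {"allOf": [IS_STORAGE,
                     {"not": {"field": "properties.supportsHttpsTrafficOnly",
                              "equals": True}}]},
    "then": {"effect": "Audit"},
}


def deny_without_encryption(field_path: str) -> dict:
    """Custom deny policy parameterised on the property path it checks."""
    return {"if": {"allOf": [IS_STORAGE,
                             {"not": {"field": field_path, "equals": True}}]},
            "then": {"effect": "Deny"}}


def demo() -> dict:
    return {
        "aine": apply_policy(SECURE_TRANSFER_AINE, STORAGE_ACCOUNT),    # Compliant: never sees the property
        "audit": apply_policy(SECURE_TRANSFER_AUDIT, STORAGE_ACCOUNT),  # NonCompliant
        "deny_wrong_path": apply_policy(                                # Denied: path absent, 'not equals' is true
            deny_without_encryption("properties.encryption.enabled"), STORAGE_ACCOUNT),
        "deny_right_path": apply_policy(                                # Compliant: creation allowed
            deny_without_encryption("properties.encryption.services.blob.enabled"), STORAGE_ACCOUNT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical check this suggests: before assigning a custom deny policy, run it as Audit against existing resources and confirm that known-good resources come back compliant; a 100% non-compliant result on resources you know are configured correctly points at the field path, not at the resources.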
Q3 · easy

A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?

A

Rely on perimeter firewalls to block threats

B

Verify explicitly every access request

Zero-trust requires explicit verification for each access attempt.

C

Trust all traffic within the corporate network

D

Allow all traffic and monitor for anomalies

Why: In a zero-trust model, the principle of 'verify explicitly' means every access request—regardless of source—must be authenticated, authorized, and encrypted before being allowed. This eliminates implicit trust based on network location, which is the core shift from traditional perimeter-based security.
Q4 · hard

A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?

A

Common Vulnerability Scoring System (CVSS) score

B

Azure Secure Score impact

Secure Score reflects the risk and remediation priority.

C

Compliance status from Azure Policy

D

Number of security alerts triggered

Why: Azure Secure Score impact is the correct metric because it directly reflects the risk-based prioritization of security recommendations within Azure Security Center. Each recommendation has a Secure Score impact value that indicates how much your overall security posture improves when remediated, allowing you to prioritize actions that reduce the most risk. This aligns with the scenario's goal of ranking vulnerabilities by risk, as Secure Score impact is calculated using factors like exploitability, threat intelligence, and potential business impact.
Q5 · medium

A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?

A

Configure Azure Firewall to block non-compliant resources

B

Assign Azure Policy definitions with 'deny' effect at the subscription scope

Azure Policy can deny non-compliant resource creation.

C

Deploy resources using Azure Blueprints

D

Use Azure DevOps pipelines with manual approval gates

Why: Azure Policy with the 'deny' effect is the correct approach because it proactively prevents the deployment of any resource that violates defined security policies at the subscription scope. This ensures compliance before deployment by evaluating the resource against policy rules during the creation or update operation, blocking the request if non-compliant. Unlike reactive measures, this enforces governance at the point of deployment without requiring post-deployment remediation.
Q6 · easy

A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?

A

Azure Information Protection

B

Transparent Data Encryption (TDE)

TDE encrypts SQL Server data files.

C

Azure Key Vault

D

Azure Firewall

Why: Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption of the data and log files at the page level, protecting data at rest in Azure SQL Database. This directly addresses the requirement to prevent unauthorized access to the underlying storage files, as TDE ensures that data cannot be read if the physical media is compromised.


Frequently asked questions

How many questions are on the SC-100 exam?

The SC-100 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the SC-100 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are SC-100 questions organised by domain?

The exam covers 9 domains: Design solutions that align with security best practices and priorities, Design security operations, identity, and compliance capabilities, Design security solutions for infrastructure, Design a Zero Trust strategy and architecture, Design security solutions for applications and data, Evaluate GRC and security operations strategies, Design security for infrastructure, Design a strategy for data and applications, Recommend security best practices and priorities. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SC-100 exam questions?

No. These are original exam-style practice questions written against the official Microsoft SC-100 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
