SC-100 Design solutions that align with security best practices and priorities — All Questions With Answers

Complete SC-100 Design solutions that align with security best practices and priorities question bank — all 0 questions with answers and detailed explanations.

180 questions, free, no signup.

Question 1 (medium, multiple choice)

Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?

Question 2 (hard, multiple choice)

A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?

Question 3 (easy, multiple choice)

Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?

Question 4 (hard, multiple choice)

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

Exhibit

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
          "exists": "true"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
          "equals": "Microsoft.Azure.Security"
        }
      }
    }
  }
}

Question 5 (medium, multiple choice)

Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?

Question 6 (easy, multiple choice)

You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?

Question 7 (hard, multiple choice)

Refer to the exhibit. Your organization is required to comply with PCI DSS. You need to prioritize remediation efforts to meet PCI DSS requirements. Based on the exhibit, which recommendation should you address first?

Exhibit

Microsoft Defender for Cloud | Regulatory Compliance

Controls:
- CIS Controls v8: 16/20 passed
- ISO 27001: 42/48 passed
- NIST SP 800-53 Rev5: 85/100 passed
- PCI DSS v3.2.1: 12/15 passed
- SOC 2 Type II: 20/25 passed

Top recommendations by severity:
1. Critical: VMs should be migrated from classic to ARM (3 resources)
2. Critical: Vulnerability assessment should be enabled on SQL databases (5 resources)
3. High: MFA should be enabled on accounts with owner permissions (2 resources)
4. Medium: Diagnostic logs in Key Vault should be enabled (10 resources)

Question 8 (medium, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant with your organization's security policies are blocked from accessing corporate resources. Which Intune feature should you configure?

Question 9 (easy, multiple choice)

Your security team needs to receive alerts when a user is assigned a privileged role in Microsoft Entra ID. Which service should you use to create an alert for privileged role assignments?

Question 10 (medium, multi select)

Which TWO actions should you take to implement a defense-in-depth strategy for an Azure application? (Choose two.)

Question 11 (hard, multi select)

Which THREE Microsoft security solutions can be used to detect and respond to threats across hybrid cloud environments? (Choose three.)

Question 12 (easy, multi select)

Which TWO of the following are best practices for securing Microsoft 365 tenants? (Choose two.)

Question 13 (medium, multi select)

Which THREE components are part of the Microsoft Zero Trust architecture? (Choose three.)

Question 14 (medium, multiple choice)

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster. You need to ensure that only authorized images from a specific container registry can be deployed. Which Azure Policy definition should you use?

Question 15 (hard, multi select)

Refer to the exhibit. You are reviewing an ARM template for a storage account. The security team has mandated that all storage accounts must enforce HTTPS traffic and use TLS 1.2 or higher. Which two changes must be made to the template to comply? (Choose two.)

Exhibit

{
  "properties": {
    "templateLink": null,
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2021-02-01",
          "name": "[parameters('storageName')]",
          "location": "[resourceGroup().location]",
          "sku": {
            "name": "Standard_GRS"
          },
          "kind": "StorageV2",
          "properties": {
            "minimumTlsVersion": "TLS1_0",
            "supportsHttpsTrafficOnly": false
          }
        }
      ]
    }
  }
}

Question 16 (medium, multiple choice)

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust security model. You need to ensure that all access requests to corporate applications are continuously evaluated based on user risk, device compliance, and location. Which Microsoft Entra ID feature should you configure?

Question 17 (hard, multiple choice)

Your enterprise uses Microsoft Defender for Cloud to secure a hybrid cloud environment spanning Azure and AWS. You need to design a solution that prioritizes remediation of the most critical vulnerabilities across both clouds based on Common Vulnerability Scoring System (CVSS) scores, exploitability, and business impact. Which Defender for Cloud feature should you use?

Question 18 (easy, multiple choice)

Your organization is adopting Microsoft Purview to classify and protect sensitive data in Microsoft 365. You need to ensure that documents containing credit card numbers are automatically detected and encrypted when shared externally. What should you configure?

Question 19 (hard, multiple choice)

Your company is deploying Microsoft Defender XDR and wants to use automated investigation and response (AIR) to remediate confirmed threats. However, you need to ensure that high-impact actions like deleting email messages or isolating devices require manual approval from the security operations team. Which configuration should you set?

Question 20 (medium, multiple choice)

Your organization is migrating on-premises applications to Azure and needs to secure secrets (database connection strings, API keys) used by these applications. You are required to rotate secrets automatically without downtime. Which Azure service should you use?

Question 21 (easy, multiple choice)

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution that reduces alert fatigue by correlating low-fidelity alerts from multiple sources into a single high-fidelity incident. Which Microsoft Sentinel feature should you use?

Question 22 (medium, multiple choice)

Your organization uses Microsoft Intune to manage mobile devices. You need to design a policy that ensures corporate data on personally owned devices is protected, but does not allow IT to wipe the entire device if it is lost or stolen. Which Intune policy type should you configure?

Question 23 (hard, multiple choice)

Your company is implementing Microsoft Copilot for Security to assist the security operations team. You need to ensure that prompts and responses from Copilot do not expose sensitive internal information to unauthorized users. Which configuration should you apply?

Question 24 (easy, multiple choice)

Your organization needs to audit all changes to Azure resources, including who made the change and what was changed. Which Azure service should you use to collect and analyze this audit data?

Question 25 (medium, multi select)

Your organization is designing a security strategy for Microsoft 365 Copilot. You need to ensure that Copilot does not generate responses based on sensitive data that users are not authorized to access. Which TWO configurations should you implement?

Question 26 (hard, multi select)

Your organization uses Microsoft Defender for Cloud to protect a multi-cloud environment (Azure, AWS, GCP). You need to ensure that security configurations are assessed against industry benchmarks like CIS and PCI DSS. Which THREE actions should you take?

Question 27 (easy, multi select)

Your company is using Microsoft Entra ID and wants to implement passwordless authentication to improve security. Which THREE authentication methods should you consider?

Question 28 (hard, multiple choice)

Refer to the exhibit. You are evaluating an Azure Policy definition that checks whether a web app redirects HTTP to HTTPS. The policy uses 'auditIfNotExists' effect. After assigning this policy to a subscription, you notice that a web app that does not redirect HTTP to HTTPS is marked as 'Healthy'. What is the most likely cause?

Exhibit

{
  "policy": {
    "if": {
      "field": "Microsoft.Security/customAssessment.name",
      "equals": "Ensure web app redirects HTTP to HTTPS"
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "web-app-http-redirect",
        "existenceCondition": {
          "field": "Microsoft.Security/assessments/status.code",
          "equals": "Healthy"
        }
      }
    }
  }
}

Question 29 (medium, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that detects machines with more than two malware alerts in a day. The query returns no results even though you know there are machines with multiple malware alerts. What is the most likely reason?

Exhibit

SecurityAlert
| where AlertName == "Malware detected"
| summarize Count = count() by Computer, bin(TimeGenerated, 1d)
| where Count > 2

Question 30 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The NSG allows inbound HTTP traffic from any source and then denies all other inbound traffic. However, after deployment, you find that HTTP traffic is being blocked. What is the most likely cause?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "nsg-web",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          },
          {
            "name": "DenyAll",
            "properties": {
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 200,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}

Question 31 (medium, multiple choice)

A company plans to implement a Zero Trust security model. Which of the following is the primary principle that should guide their strategy?

Question 32 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to detect anomalous behavior such as impossible travel. What should you configure?

Question 33 (hard, multiple choice)

A company uses Microsoft Sentinel and wants to implement a security orchestration, automation, and response (SOAR) solution. They need a playbook that automatically blocks a user in Microsoft Entra ID when a high-severity incident is created. What should they use?

Question 34 (medium, multiple choice)

Your organization is implementing Microsoft Entra ID Conditional Access. You need to require multi-factor authentication (MFA) for all users accessing financial applications, but only when the sign-in risk is medium or higher. What is the most efficient way to achieve this?

Question 35 (easy, multiple choice)

A company uses Microsoft Defender for Endpoint (MDE) and needs to ensure that all devices report their security configuration to Microsoft Defender XDR. Which setting should they verify?

Question 36 (hard, multiple choice)

Your organization is adopting Microsoft Copilot for Security. You need to ensure that the AI model does not expose sensitive data during interactions. What is the primary security control you should implement?

Question 37 (medium, multiple choice)

A company uses Microsoft Purview to manage data governance. They need to classify sensitive data automatically in Azure SQL Database. What should they configure?

Question 38 (easy, multiple choice)

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only devices compliant with security policies can access corporate email. What should you implement?

Question 39 (hard, multiple choice)

A company needs to design a secure DevOps pipeline using GitHub Actions and Microsoft Defender for Cloud. They want to scan infrastructure-as-code (IaC) templates for misconfigurations before deployment. What should they integrate?

Question 40 (medium, multi select)

Which TWO of the following are key components of a Zero Trust architecture according to Microsoft? (Choose two.)

Question 41 (hard, multi select)

Which THREE of the following are valid ways to protect sensitive data in Microsoft 365 using Microsoft Purview? (Choose three.)

Question 42 (medium, multi select)

Which TWO of the following are benefits of using Microsoft Defender XDR (Extended Detection and Response)? (Choose two.)

Question 43 (easy, multiple choice)

Your organization is implementing a Zero Trust security model. Which Microsoft security solution should you use to enforce conditional access policies based on user, device, location, and real-time risk signals?

Question 44 (medium, multiple choice)

Your company uses Microsoft Defender XDR to protect endpoints. The security team wants to implement automated response actions when a malicious file is detected on a device. Which Microsoft security feature should you configure to automatically isolate the affected device from the network?

Question 45 (hard, multiple choice)

Your organization plans to use Microsoft Purview to protect sensitive data in Microsoft 365. The compliance team needs to detect when users share credit card numbers via email and automatically apply encryption. Which solution should you implement?

Question 46 (easy, multiple choice)

Your organization uses Microsoft Sentinel as its SIEM. The security team needs to detect brute-force attacks against Azure VMs by analyzing Windows Security Event logs. Which data connector should you enable?

Question 47 (medium, multiple choice)

Your company is migrating on-premises Active Directory to Microsoft Entra ID. The security team requires that users must use passwordless authentication methods for all sign-ins. Which Microsoft Entra ID feature should you enable to support passwordless authentication?

Question 48 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The compliance team wants to ensure that all storage accounts have secure transfer required enabled. Which action should you take in Defender for Cloud?

Question 49 (easy, multiple choice)

Your organization is adopting a Zero Trust network strategy. Which Microsoft solution should you use to implement micro-segmentation and enforce identity-based access controls for on-premises and cloud resources?

Question 50 (medium, multiple choice)

Your company uses Microsoft Purview to classify and label sensitive data. The data protection team needs to automatically apply a 'Confidential' label to documents that contain a custom sensitive info type for employee IDs. Which should you create?

Question 51 (hard, multiple choice)

Your organization uses Microsoft Sentinel for security operations. The SOC team wants to automatically disable a compromised user account in Microsoft Entra ID when a high-severity alert is generated. Which automation method should you use?

Question 52 (medium, multi select)

Which TWO Microsoft security solutions can help enforce Zero Trust principles by verifying identity and device health before granting access to resources?

Question 53 (hard, multi select)

Which THREE components are essential for implementing a successful SIEM strategy using Microsoft Sentinel?

Question 54 (medium, multi select)

Which TWO Microsoft Purview solutions are used to discover and protect sensitive data across Microsoft 365, Azure, and on-premises environments?

Question 55 (medium, multiple choice)

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. The policy is enabled but users with the Global Administrator role are not being prompted for MFA. What is the most likely reason?

Exhibit

{
  "properties": {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeRoles": ["Global Administrator"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa"]
    }
  }
}

Question 56 (hard, multiple choice)

Refer to the exhibit. You are analyzing an Azure PowerShell script that checks a blob property. The output of the last command returns 'False'. What does this indicate about the blob storage configuration?

Exhibit

$storageAccount = Get-AzStorageAccount -ResourceGroupName "RG-Security" -Name "stgsecdata"
$container = Get-AzStorageContainer -Context $storageAccount.Context -Name "logs"
$containerName = $container.Name
$blob = Get-AzStorageBlob -Container $containerName -Context $storageAccount.Context -Blob "access.log"
$blob.ICloudBlob.Properties.IsAccessTimeTrackingEnabled

Question 57 (medium, multiple choice)

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize FailedLogons = count() by Account, IpAddress
| where FailedLogons > 10

Question 58 (easy, multiple choice)

A company is implementing a Zero Trust security model. Which principle requires verifying every access request as if it originates from an uncontrolled network?

Question 59 (medium, multiple choice)

A company uses Microsoft Entra ID for identity management. They want to ensure that only managed devices can access corporate email. Which Conditional Access policy setting should be configured?

Question 60 (hard, multiple choice)

A security team is designing a Microsoft Sentinel deployment. They need to minimize costs while ensuring critical alerts are always processed. Which data retention and ingestion strategy should they use?

Question 61 (medium, multiple choice)

A company deploys Microsoft Defender for Cloud Apps. They need to detect anomalous behavior in user activities across multiple cloud apps. Which feature should they enable?

Question 62 (hard, multiple choice)

An organization uses Microsoft Purview Information Protection. They want to automatically apply a sensitivity label to documents containing credit card numbers. Which policy should they configure?

Question 63 (medium, multiple choice)

A company is using Microsoft Intune to manage devices. They need to ensure that only devices with a specific operating system version can access corporate resources. Which Intune policy should they use?

Question 64 (easy, multiple choice)

A company wants to use Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. Which component enables this correlation?

Question 65 (hard, multiple choice)

A company uses Microsoft Sentinel with a workspace in the East US region. They want to ingest logs from Azure resources in West Europe. To minimize data transfer costs, what should they do?

Question 66 (medium, multiple choice)

A company uses Microsoft Entra ID Governance. They need to automate the process of granting access to a SaaS application based on the user's department attribute. Which feature should they use?

Question 67 (medium, multi select)

Which TWO actions are part of the Microsoft Cybersecurity Reference Architecture (MCRA) for a Zero Trust implementation?

Question 68 (hard, multi select)

Which THREE components are included in Microsoft Defender XDR?

Question 69 (easy, multi select)

Which TWO are best practices for securing Microsoft Entra ID?

Question 70 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. What is the effect of this policy?

Exhibit

{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": [],
      "clientAppTypes": ["all"],
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}

Question 71 (hard, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

SecurityAlert
| where AlertName == "Malware detected"
| extend DeviceName = tostring(CompromisedEntity)
| join kind=inner (
  DeviceInfo
  | where Timestamp > ago(7d)
  | project DeviceName, OSVersion, IsManaged
) on DeviceName
| where IsManaged == false

Question 72 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. Which security best practice is implemented?

Exhibit

```yaml
resourceGroup: myResourceGroup
parameters:
  - name: location
    type: string
    defaultValue: eastus
resources:
  - type: Microsoft.Storage/storageAccounts
    name: mystorageaccount
    properties:
      supportsHttpsTrafficOnly: true
      minimumTlsVersion: TLS1_2
      networkAcls:
        defaultAction: Deny
        ipRules: []
        virtualNetworkRules: []
```

Question 73 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to prioritize remediation of high-severity findings based on the greatest potential business impact. Which security policy or framework should you configure to align remediation with business priorities?

Question 74 (easy, multiple choice)

A company is designing a Zero Trust architecture for their hybrid identity environment. They plan to require multifactor authentication (MFA) for all users accessing sensitive applications. Which Microsoft Entra ID capability should they use to enforce MFA based on risk level?

Question 75 (hard, multiple choice)

Your organization is deploying Microsoft Copilot for Security and wants to ensure that the AI model does not expose sensitive data in its responses. You need to configure data loss prevention (DLP) policies that apply to Copilot interactions. Which Microsoft Purview capability should you use?

Question 76 (medium, multiple choice)

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution that automatically responds to high-severity incidents by creating a ticket in ServiceNow and notifying the security team via Teams. Which Sentinel feature should you configure?

Question 77 (easy, multiple choice)

A manufacturing company wants to secure its IoT devices that run on Azure IoT Hub. They need to ensure that only authorized devices can connect and that firmware updates are signed. Which combination of Azure services should they use?

Question 78 (hard, multiple choice)

Your organization is implementing a privileged access strategy using Microsoft Entra Privileged Identity Management (PIM). The compliance team requires that all privileged role activations be approved by a manager and that an audit trail is maintained for at least one year. Which configuration should you recommend?

Question 79 (medium, multiple choice)

Your company uses Microsoft Intune to manage corporate devices. The security team wants to prevent users from copying sensitive data from corporate apps to personal apps on mobile devices. Which Intune policy should you configure?

Question 80 (hard, multiple choice)

Your organization is migrating to Microsoft 365 and wants to implement a data classification strategy. The compliance team needs to automatically detect and label documents containing personal data (e.g., Social Security numbers) in SharePoint Online. Which Microsoft Purview solution should you use?

Question 81 (medium, multiple choice)

Your company uses Microsoft Defender for Endpoint (MDE) and wants to integrate threat intelligence from an external source to improve detection. The security team needs to ingest custom indicators of compromise (IOCs) into MDE. Which feature should they use?

Question 82 (hard, multi select)

Your organization is designing a Microsoft Sentinel solution to detect and respond to threats across multi-cloud environments (Azure, AWS, GCP). Which TWO components are essential for this design?

Question 83 (medium, multi select)

Your company is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. The compliance team needs to monitor and block the sharing of credit card numbers in emails. Which THREE actions should they configure in a DLP policy?

Question 84 (easy, multi select)

Your organization is implementing a Zero Trust network architecture in Azure. Which TWO principles are foundational to Zero Trust?

Question 85 (medium, multiple choice)

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They need to ensure that all user authentication for cloud apps uses passwordless methods. Which security best practice should they implement?

Question 86 (easy, multiple choice)

A security architect is designing a solution to detect and respond to advanced threats across email, endpoints, and identities. Which Microsoft security solution should they use?

Question 87 (hard, multiple choice)

A company uses Microsoft Sentinel and wants to prioritize incidents using user risk scores from Microsoft Entra ID Protection. Which configuration should they use to automatically assign a Sentinel severity based on the user's risk level?

Question 88 (easy, multiple choice)

A company wants to enforce that all administrators use just-in-time (JIT) access to privileged roles in Microsoft Entra ID. Which feature should they enable?

Question 89 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They need to ensure that all resources are compliant with the Payment Card Industry Data Security Standard (PCI DSS). What should they do?

Question 90 (hard, multiple choice)

A security architect is designing a solution to protect sensitive data stored in SharePoint Online from being shared with unauthorized users. The solution must block sharing of files containing credit card numbers when shared externally. What should they use?

Question 91 (medium, multiple choice)

A company uses Microsoft Intune to manage devices. They want to ensure that only devices that have passed health attestation can access corporate email. Which method should they use?

Question 92 (medium, multiple choice)

A security architect needs to design a solution that provides a unified view of security alerts from multiple clouds (Azure, AWS, GCP) and on-premises systems. The solution must also support automated response using playbooks. Which Microsoft service should they use?

Question 93 (hard, multiple choice)

A company uses Azure DevOps and wants to implement a DevSecOps practice by scanning code for secrets and vulnerabilities before deployment. Which tool should they integrate into their pipeline?

Question 94 (medium, multi select)

Which TWO actions align with the Zero Trust principle of 'verify explicitly'? (Select two.)

Question 95 (hard, multi select)

Which THREE are security best practices for Microsoft Entra ID? (Select three.)

Question 96 (easy, multi select)

Which TWO are recommended practices for securing Microsoft 365 workloads? (Select two.)

Question 97 (medium, multiple choice)

Refer to the exhibit. You are reviewing a conditional access policy. What is the effect of this policy?

Exhibit

```json
{
  "properties": {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeRoles": ["Global Administrator", "Security Administrator"]
      },
      "applications": {
        "includeApplications": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa"],
      "operator": "OR"
    }
  }
}
```

Question 98 (hard, multiple choice)

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName contains "Mimikatz"
| extend UserName = tostring(parse_json(Entities)[0].AccountName)
| summarize Count = count() by UserName
| top 10 by Count desc
```

Question 99 (hard, multiple choice)

Refer to the exhibit. You are reviewing an ARM template snippet for an Azure Storage container. Which security best practice does this configuration enforce?

Exhibit

```json
{
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccountName')]/default/[parameters('containerName')]",
  "properties": {
    "publicAccess": "None"
  }
}
```

Question 100 (easy, multiple choice)

Your organization is adopting a Zero Trust security model. You need to design a solution that ensures continuous verification of user identity and device health before granting access to resources. Which Microsoft Entra ID feature should you prioritize?

Question 101 (easy, multiple choice)

Your organization wants to implement a security baseline for Azure resources using built-in policies. Which Azure service should you use to assign policies that enforce compliance with security best practices?

Question 102 (medium, multiple choice)

Your organization uses Microsoft Defender XDR for incident response. You need to design a process to automatically isolate a compromised device when a high-severity incident is triggered. Which automation approach should you use?

Question 103 (medium, multiple choice)

Your organization is planning to deploy Microsoft Purview Information Protection to classify and protect sensitive data. You need to design a solution that automatically applies sensitivity labels to documents containing personally identifiable information (PII) when they are uploaded to SharePoint Online. Which configuration should you use?

Question 104 (hard, multiple choice)

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution that ensures all user authentication requests are evaluated by Conditional Access policies before granting access to cloud apps. However, some legacy apps still require basic authentication. What should you recommend?

Question 105 (hard, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a DDoS attack detected by Azure DDoS Protection. The response should include blocking the attacker's IP address in Azure Firewall and sending an alert to the security team. Which approach should you use?

Question 106 (medium, multiple choice)

Your organization is implementing a secure DevOps pipeline for a critical application. You need to design a solution that scans container images for vulnerabilities before they are deployed to production. Which Azure service should you integrate into the pipeline?

Question 107 (hard, multiple choice)

Your organization is deploying Microsoft Copilot for Security (Microsoft 365 Copilot). You need to design a solution that ensures Copilot queries are audited and that access to Copilot is restricted to authorized users based on their role. Which Microsoft Purview capabilities should you use together?

Question 108 (easy, multiple choice)

Your organization wants to implement a security information and event management (SIEM) solution that can ingest logs from multiple sources, including on-premises servers, Azure resources, and third-party SaaS applications. Which Microsoft service should you choose?

Question 109 (medium, multi select)

Your organization is implementing Microsoft Intune for mobile device management. You need to design a solution that ensures corporate data on mobile devices is protected if the device is lost or stolen. Which TWO actions should you configure?

Question 110 (medium, multi select)

Your organization is designing a secure access solution for a partner company that needs to access specific SharePoint Online sites. You need to implement Microsoft Entra ID B2B collaboration. Which THREE configurations are essential for a secure B2B collaboration setup?

Question 111 (hard, multi select)

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to design a policy that prevents users from sharing credit card numbers via email. Which THREE components are required to build this DLP policy?

Question 112 (medium, multiple choice)

You are designing a Zero Trust architecture for a company that uses Microsoft Entra ID and Microsoft Intune. The security team wants to enforce device compliance before granting access to cloud apps. Which policy should you implement?

Question 113 (hard, multiple choice)

Your organization is migrating on-premises workloads to Azure and wants to use Microsoft Defender for Cloud to secure the environment. The compliance team requires that all critical vulnerabilities be remediated within 30 days. What is the most efficient way to track and enforce this?

Question 114 (easy, multiple choice)

A company is adopting Microsoft Purview for data security. They need to prevent users from sharing sensitive data like credit card numbers via email. Which feature should you configure?

Question 115 (hard, multiple choice)

Your organization uses Microsoft Sentinel for SIEM. You need to ensure that security incidents are automatically responded to without human intervention for known false positives. What should you implement?

Question 116 (medium, multiple choice)

A company wants to use Microsoft Defender XDR to detect and respond to advanced persistent threats (APTs). They have deployed Defender for Endpoint, Defender for Office 365, and Defender for Identity. What additional step is critical to correlate signals across these products?

Question 117 (medium, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a specific minimum OS version can access corporate resources. Which configuration should you use?

Question 118 (hard, multiple choice)

A company uses Microsoft Entra ID with P2 licenses. They want to implement a Zero Trust approach that requires step-up authentication for accessing high-value data in SharePoint. The solution must use risk-based policies and minimize user friction. Which combination should you recommend?

Question 119 (easy, multiple choice)

Your organization plans to use Microsoft Defender for Cloud to secure Azure resources. The security team wants to continuously assess compliance against the CIS Azure Foundations Benchmark. What should you do?

Question 120 (medium, multiple choice)

A company uses Microsoft Entra ID and wants to enable passwordless authentication for all users to reduce phishing risks. Users are already using Microsoft Authenticator for MFA. Which passwordless method should you prioritize?

Question 121 (hard, multi select)

Which TWO are best practices for designing a Microsoft 365 Defender (XDR) deployment to ensure optimal detection and response?

Question 122 (easy, multi select)

Which THREE are components of Microsoft's Zero Trust model?

Question 123 (medium, multi select)

Which TWO should you implement to protect privileged accounts in Microsoft Entra ID?

Question 124 (easy, multiple choice)

A company is designing a Zero Trust security strategy. They want to ensure that all access requests are authenticated, authorized, and encrypted before granting access. Which Microsoft security solution should they use as the central policy engine?

Question 125 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to manage security across hybrid workloads. They need to ensure that all Azure VMs have guest-level threat detection enabled. Which security policy should they assign?

Question 126 (hard, multiple choice)

A multinational corporation is implementing a privileged access strategy. They need to ensure that all users with permanent administrative roles sign in using phishing-resistant authentication methods. Which Microsoft Entra ID feature should they enforce?

Question 127 (easy, multiple choice)

A company wants to protect sensitive email data from being exfiltrated by malicious insiders. They need a solution that can detect and block anomalous outbound email traffic in real time. Which Microsoft solution should they use?

Question 128 (medium, multiple choice)

A company is designing a security operations center (SOC). They want to use Microsoft Sentinel as their SIEM. They need to ensure that all security events from on-premises servers are collected. Which data connector should they configure?

Question 129 (hard, multiple choice)

A company uses Microsoft Defender for Endpoint to protect endpoints. They want to configure attack surface reduction rules to block executable files from running unless they meet a specific prevalence, age, or trust level. Which ASR rule should they enable?

Question 130 (easy, multiple choice)

A company is implementing Microsoft Purview to protect sensitive data in SharePoint Online. They need to automatically apply a 'Highly Confidential' label to documents that contain credit card numbers. What should they create?

Question 131 (medium, multiple choice)

A company uses Microsoft Intune to manage devices. They want to ensure that all devices accessing corporate email are compliant with security policies before they can connect. Which feature should they enable?

Question 132 (hard, multiple choice)

A company is designing a security strategy for their AI-powered applications using Microsoft Azure OpenAI Service. They need to ensure that the AI models are not used to generate harmful content and that the data sent to the models is protected. Which Microsoft Purview feature should they use?

Question 133 (easy, multi select)

A company is implementing Microsoft Defender for Cloud to protect their Azure environment. Which TWO of the following are security best practices that should be enabled? (Choose two.)

Question 134 (medium, multi select)

A company is designing a data security strategy using Microsoft Purview. They need to identify sensitive data across their data estate, including on-premises SQL Server, Azure SQL Database, and Amazon S3. Which THREE components should they use? (Choose three.)

Question 135 (hard, multi select)

A company is deploying Microsoft Entra ID Governance. They need to implement a least privilege access model for their Azure resources. Which TWO features should they use? (Choose two.)

Question 136 (hard, multiple choice)

You are a security architect for a large financial services company. The company has a hybrid identity environment with on-premises Active Directory synchronized to Microsoft Entra ID using Microsoft Entra Connect. They use Microsoft 365 E5 licenses and have deployed Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft Sentinel, and Microsoft Purview. The company has recently suffered a ransomware attack where an attacker gained access via a compromised service account that had permanent Global Administrator privileges. The attacker then used the account to create a backdoor user and exfiltrate sensitive data from SharePoint Online. After the incident, the CISO mandates a Zero Trust security transformation with the following requirements:

1. Eliminate standing privileged access for all cloud admins.
2. Require phishing-resistant authentication for all privileged roles.
3. Ensure that all sensitive data in SharePoint Online is automatically classified and protected.
4. Enable detection of lateral movement using anomalous behavior analytics.

Which combination of actions should you recommend?

Question 137 (easy, multiple choice)

Your organization is adopting Microsoft Entra ID as the identity provider for all SaaS applications. The security team wants to enforce multifactor authentication (MFA) for all users accessing these applications. Which approach aligns with security best practices and minimizes user friction?

Question 138 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that all virtual machines have the Log Analytics agent installed and that missing system updates are remediated automatically. Which two recommendations should be enabled in a single policy initiative?

Question 139 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has deployed the Analytics rule 'TI map IP entity to AzureActivity' to detect suspicious activities based on threat intelligence. The SOC team reports that the rule has a high false positive rate because it matches benign IP addresses used by legitimate services. What design change should you recommend to reduce false positives while maintaining detection coverage?

Question 140 (medium, multiple choice)

A company plans to implement a Zero Trust architecture using Microsoft security solutions. They want to ensure that all access to corporate resources is verified explicitly, uses least privilege, and assumes breach. Which Microsoft service should be the central policy engine for enforcing conditional access decisions?

Question 141 (hard, multiple choice)

Your organization uses Microsoft Purview Information Protection to classify and protect sensitive data. The compliance team wants to automatically apply a 'Highly Confidential' sensitivity label to emails that contain credit card numbers. Which solution should you configure?

Question 142 (easy, multiple choice)

An organization wants to ensure that all Windows 10 devices are compliant with security policies before they can access corporate email. Microsoft Intune is used for device management. Which component should be used to enforce compliance and block non-compliant devices?

Question 143 (medium, multiple choice)

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. They need to ensure that logs from Amazon Web Services (AWS) are ingested and analyzed for threats. Which connector should you implement?

Question 144 (hard, multiple choice)

You are designing a security solution for a multinational organization that uses Microsoft Entra ID. They have a hybrid identity environment with Active Directory on-premises. The security team requires that all administrative actions in Microsoft Entra ID are logged and monitored in real-time with alerts for critical changes. Which two data sources should you stream to Microsoft Sentinel?

Question 145 (easy, multiple choice)

A company wants to implement a secure web application gateway to protect their public-facing web apps from common exploits like SQL injection and cross-site scripting. Which Azure service should they use?

Question 146 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 to protect against phishing attacks. The security team wants to implement a custom advanced phishing threshold policy that blocks suspicious emails more aggressively. Which policy type should they modify?

Question 147 (hard, multiple choice)

A company plans to use Microsoft Purview to manage data governance across their on-premises SQL Server databases and Azure SQL databases. They need to classify sensitive data and create a unified data map. Which resource should they deploy?

Question 148 (medium, multi select)

Which TWO Microsoft security solutions should be integrated to provide a comprehensive Zero Trust architecture that includes identity protection, endpoint detection, and response? (Select exactly two correct options.)

Question 149 (hard, multi select)

Which THREE components should be part of a secure DevOps pipeline using Microsoft security tools? (Select exactly three correct options.)

Question 150 (easy, multi select)

Which TWO Microsoft services can be used to implement a cloud security posture management (CSPM) solution? (Select exactly two correct options.)

Question 151 (hard, multiple choice)

You are a security architect for a large enterprise that is migrating to Microsoft 365. The organization has 50,000 users across multiple regions. They have recently experienced a ransomware attack that encrypted files on SharePoint Online and OneDrive for Business. The security team wants to implement a comprehensive protection strategy. Requirements:

1. Automatically detect and block ransomware-like behavior in real-time.
2. Provide users with self-service recovery of files encrypted by ransomware.
3. Ensure that all files in SharePoint and OneDrive are scanned for malware upon upload.
4. Minimize administrative overhead.

Which combination of Microsoft 365 security features should you recommend?

Question 152 (medium, multiple choice)

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design a solution that aligns with the Zero Trust principle of 'verify explicitly'. Which approach should you recommend for user authentication?

Question 153 (hard, multiple choice)

You are designing a security baseline for Azure resources that host a critical application. The application uses Azure SQL Database, Azure Storage, and Azure Key Vault. You need to ensure that all resources use managed identities for authentication and that no secrets are stored in code or configuration files. Which combination of controls should you include in the baseline?

Question 154 (easy, multiple choice)

You are designing a security operations strategy for Microsoft 365. You need to prioritize alerts from Microsoft Defender XDR based on their impact on business operations. Which security best practice should you follow?

Question 155 (medium, multiple choice)

Your company is implementing Microsoft Purview Information Protection to protect sensitive data. The compliance team requires that when a user applies a 'Highly Confidential' sensitivity label to a document, the document is automatically encrypted and watermarked. Which configuration should you use?

Question 156 (hard, multiple choice)

You are designing a secure DevOps pipeline in GitHub that deploys to Azure Kubernetes Service (AKS). The security team requires that no secrets are stored in the pipeline variables and that all container images are scanned for vulnerabilities before deployment. Which approach aligns with security best practices?

Question 157 (easy, multiple choice)

Your organization is migrating to Microsoft 365 and wants to implement a defense-in-depth strategy for email security. Which combination of Microsoft services should you use?

Question 158 (medium, multiple choice)

You are designing a security solution for a hybrid identity environment that uses Microsoft Entra ID and on-premises Active Directory. The company wants to enforce Zero Trust principles by continuously verifying user access. Which feature should you implement?

Question 159 (hard, multiple choice)

Your organization uses Microsoft Sentinel as its SIEM. You need to design a solution to automatically respond to detected threats in Azure resources. The response must include isolating the affected virtual machine and creating a support ticket. Which approach should you use?

Question 160 (medium, multi select)

Your organization is implementing a Zero Trust architecture for access to cloud applications. Which TWO of the following are core components of the Microsoft Zero Trust model?

Question 161 (hard, multi select)

Your company is designing a secure access strategy for a SaaS application that supports SAML 2.0. You need to enforce phishing-resistant authentication. Which THREE of the following methods meet the requirement?

Question 162 (easy, multi select)

Your organization wants to implement a defense-in-depth strategy for Azure virtual machines. Which THREE of the following should you include?

Question 163 (medium, multi select)

You are designing a solution to protect Microsoft 365 data from insider threats. Which TWO Microsoft Purview features should you use?

Question 164 (hard, multiple choice)

You are a security architect for a large multinational organization that uses Microsoft 365, Azure, and third-party SaaS applications. The organization has recently experienced a breach where an attacker compromised a user account via a phishing email and then used that account to access sensitive data in SharePoint Online and exfiltrate it via email. The security team wants to implement a comprehensive solution that aligns with the Zero Trust principles of 'verify explicitly', 'use least privilege', and 'assume breach'. You need to design a solution that includes identity protection, conditional access, data protection, and continuous monitoring. You have the following requirements: 1. Block phishing attacks in real time. 2. Enforce least privilege access to sensitive data. 3. Detect and respond to anomalous user behavior. 4. Protect data at rest and in transit. 5. Enable automated response to incidents. Which combination of Microsoft security services and configurations should you recommend?

Question 165 (medium, multiple choice)

Your organization is deploying a new application on Azure that will process personal data for European Union residents. The compliance team requires that the application encrypts all data at rest and in transit, that access to the data is logged and auditable, and that the data is not stored outside the EU. You need to design a solution that meets these requirements while following security best practices. The solution must also minimize operational overhead. You have decided to use Azure SQL Database, Azure Storage, and Azure Key Vault. Which design should you recommend?

Question 166 (easy, multiple choice)

Your organization is a small business with 50 employees that uses Microsoft 365 Business Premium. You need to design a security baseline that protects against common threats like phishing, ransomware, and data leakage. The solution must be easy to manage and require minimal ongoing effort. You have the following requirements: 1. Block malicious emails and links. 2. Protect sensitive data from being shared externally. 3. Require multi-factor authentication for all users. 4. Keep devices healthy. Which combination of policies should you implement?

Question 167 (easy, multi select)

Your organization is designing a security strategy for Microsoft 365. You need to align with Microsoft's Zero Trust best practices. Which TWO principles should be included?

Question 168 (medium, multi select)

You are planning a security baseline for Azure resources using Microsoft Defender for Cloud. Which THREE recommendations are part of the Azure Security Benchmark?

Question 169 (hard, multi select)

You are designing a Microsoft Purview data security solution for a multinational organization subject to GDPR and CCPA. Which THREE Purview capabilities should you include to meet regulatory requirements?

Question 170 (hard, multiple choice)

Contoso is a financial services company migrating critical workloads to Azure. They must comply with PCI DSS and have a Security Operations Center (SOC) team that uses Microsoft Sentinel. The CISO wants to ensure that the security posture aligns with Microsoft's cybersecurity reference architecture (MCRA). You need to design a solution that includes the following requirements: 1) All Azure subscriptions must be managed under a single management group hierarchy with consistent policies. 2) The SOC must have a centralized view of security alerts across all resources, including on-premises servers and multi-cloud environments. 3) Privileged access to Azure resources must be protected using just-in-time (JIT) access and Privileged Identity Management (PIM). 4) Compliance with PCI DSS must be continuously monitored and reported. 5) The solution must minimize operational overhead. What should you include in the design?

Question 171 (medium, multiple choice)

Fabrikam is a healthcare organization that uses Microsoft 365 E5 and Azure. They have a hybrid identity environment with Active Directory on-premises synced to Microsoft Entra ID. The security team wants to implement a Zero Trust strategy following the 'verify explicitly' principle. They need to ensure that all access to Microsoft 365 services and Azure applications is conditionally enforced based on real-time risk signals. Additionally, they want to block legacy authentication protocols that do not support modern authentication. The solution must integrate with Microsoft Defender XDR and Microsoft Sentinel for threat intelligence. Which combination of technologies should you recommend?

Question 172 (medium, multiple choice)

A global retail company, Northwind Traders, is adopting a cloud-first strategy using Azure and Microsoft 365. They have a large number of temporary seasonal workers who need access to specific applications and data for limited periods. The security team wants to minimize the risk of standing privileges and ensure that access is granted only when needed and for a limited duration. They also need to audit all privileged access actions. The environment includes Microsoft Entra ID, Azure resources, and Microsoft 365 services. You need to design a privileged access strategy that follows the principle of least privilege and aligns with Microsoft's best practices for privileged identity management. What should you recommend?

Question 173 (medium, multiple choice)

Litware, a software development company, has adopted a DevOps culture and uses Azure DevOps for CI/CD pipelines. They deploy applications to Azure Kubernetes Service (AKS) and Azure App Services. The security team wants to ensure that secrets (API keys, connection strings) are not exposed in source code or pipeline logs. They also need to scan container images for vulnerabilities before deployment and ensure that only approved images are used in production. The solution must integrate with Microsoft Defender for Cloud and follow security best practices. What should you include in the design?

Question 174 (easy, multiple choice)

Tailwind Traders is a small business that uses Microsoft 365 Business Premium. They have no dedicated IT staff. The owner wants to implement basic security measures to protect against common threats like phishing, ransomware, and unauthorized access. They need a simple, cost-effective solution that aligns with Microsoft's security best practices for small businesses. Which set of actions should you recommend?

Question 175 (hard, multiple choice)

Proseware, a pharmaceutical company, is deploying a new AI-powered application using Azure OpenAI Service. The application will process sensitive research data and must comply with HIPAA. The security team wants to ensure that the data sent to the Azure OpenAI endpoint is not logged or stored by Microsoft, and that access to the service is restricted to authorized users with appropriate data classification. They also need to monitor for potential data exfiltration and prompt injection attacks. What should you recommend?

Question 176 (medium, multiple choice)

A multinational corporation, Contoso Ltd., is implementing Microsoft Purview to manage data governance across their Azure and Microsoft 365 environments. They need to discover sensitive data (e.g., credit card numbers, passport numbers) in Azure Blob Storage, Azure SQL Database, and SharePoint Online. The data must be classified and labeled automatically. Additionally, they want to prevent sensitive data from being shared externally via email and Teams. The solution should align with Microsoft's data security best practices. What should you recommend?

Question 177 (medium, multiple choice)

South Ridge School District uses Microsoft 365 Education and Azure for administrative systems. They have a large number of students and staff. The district wants to implement a security solution that protects against phishing attacks, ransomware, and inappropriate content. They also need to comply with the Children's Online Privacy Protection Act (COPPA) and other educational regulations. The solution should be cost-effective and easy to manage. What should you recommend?

Question 178 (easy, multiple choice)

Adventure Works is a startup that uses Microsoft 365 Business Premium. They have 20 employees and no cloud expertise. The CEO has been hearing about ransomware attacks on small businesses. They want to implement basic protection against ransomware using built-in Microsoft 365 features. They also want to ensure they can recover from an attack quickly. What should you recommend?

Question 179 (medium, multiple choice)

Wide World Importers uses Azure Active Directory (now Microsoft Entra ID) and Microsoft 365. They have a hybrid identity with password hash sync. They want to implement a passwordless authentication strategy to improve security and user experience. They have a mix of Windows 10/11 devices and mobile devices (iOS/Android). They also have some shared computers in kiosk mode. The solution must support all user scenarios and align with Microsoft's authentication best practices. What should you recommend?

Question 180 (hard, multiple choice)

Contoso is a large enterprise with a complex Azure environment. They have multiple management groups, subscriptions, and a hub-spoke network topology. The security team wants to implement a consistent security baseline across all subscriptions using Azure Policy. They need to ensure that: 1) All resources must be deployed in approved regions only. 2) Network security groups must have specific rules to block high-risk ports. 3) All storage accounts must enforce HTTPS traffic. 4) The policies must be applied at the management group level to ensure inheritance. 5) Non-compliant resources must be automatically remediated where possible. What should you do?
