Refer to the exhibit. You are reviewing a Bicep template for deploying an Azure SQL Database server. Which security best practice is violated?
Passwords should not be in code; use Azure Key Vault.
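The violation and its fix side by side, as an added Bicep example (this is not the exhibit the question refers to, and the server, vault and secret names are placeholders):

```bicep
// ---- main.bicep ----
// Added example, not the question's exhibit. Names are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param sqlServerName string = 'sql-contoso-prod'
param keyVaultName string = 'kv-contoso-prod'

// Violation: a literal password is committed to source control and is also
// visible in the resource group's deployment history to anyone with Reader.
//
//   resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
//     name: sqlServerName
//     location: location
//     properties: {
//       administratorLogin: 'sqladmin'
//       administratorLoginPassword: 'P@ssw0rd2024!'   // the bug
//     }
//   }

// Fix: the password lives in Key Vault and is read at deployment time.
// getSecret() may only be passed to a module parameter marked @secure(),
// and the vault needs enabledForTemplateDeployment: true.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

module sqlServer './sql-server.bicep' = {
  name: 'sql-server'
  params: {
    sqlServerName: sqlServerName
    location: location
    administratorLogin: 'sqladmin'
    administratorLoginPassword: kv.getSecret('sql-admin-password')
  }
}

// ---- sql-server.bicep (the module) ----
param sqlServerName string
param location string
param administratorLogin string

@secure()   // excluded from deployment history, logs and `what-if` output
param administratorLoginPassword string

resource server 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'   // reach the server through a private endpoint
  }
}
```

Better still, configure the server's `administrators` block with `azureADOnlyAuthentication: true`, so there is no SQL password to protect at all and the Key Vault reference disappears; the pattern above is for the case where SQL authentication must stay enabled.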
You need to secure Azure Kubernetes Service (AKS) clusters by ensuring that only approved container images from a private Azure Container Registry (ACR) can be deployed. The solution should enforce this at admission time. Which Azure Policy effect should you use?
This effect uses OPA Gatekeeper to enforce custom admission policies, such as restricting container image sources.
Why this answer
Azure Policy for Kubernetes is enforced at admission time by the OPA Gatekeeper admission controller that the Azure Policy add-on installs on the cluster; the built-in 'Kubernetes cluster containers should only use allowed images' definition takes a regex of permitted registries and rejects any pod whose image does not match. 'audit' only reports, and 'modify' changes properties of Azure resources rather than blocking pods. A caveat for practitioners: 'EnforceRegoPolicy' was the effect used with the Gatekeeper v2 preview and is now deprecated; with the current add-on (Gatekeeper v3) the same built-in is assigned with the 'deny' effect, which the admission webhook enforces, so 'deny' is applicable to AKS today even though this question treats it as not.
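The admission-time control described above, as an added Bicep example (not from the page). The cluster and registry names are placeholders, and the policy definition GUID is Microsoft's built-in 'Kubernetes cluster containers should only use allowed images' as of writing; verify it in your tenant before relying on it:

```bicep
// Added example, not from the page. Names are placeholders. Verify the GUID with:
//   az policy definition list --query "[?displayName=='Kubernetes cluster containers should only use allowed images'].name"
targetScope = 'resourceGroup'

param aksName string = 'aks-contoso-prod'
param acrLoginServer string = 'contosoprod.azurecr.io'

resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' existing = {
  name: aksName
}

// The Azure Policy add-on installs Gatekeeper v3 on the cluster. Without
// properties.addonProfiles.azurepolicy.enabled == true on the cluster, the
// assignment below is never evaluated at admission time.

var allowedImagesDefinitionId = tenantResourceId(
  'Microsoft.Authorization/policyDefinitions',
  'febd0533-8e55-448f-b837-bd0e06f16469'
)

resource denyUntrustedImages 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-untrusted-images'
  scope: aks   // this cluster only; use the RG or subscription to cover every cluster
  properties: {
    displayName: 'Only allow container images from ${acrLoginServer}'
    policyDefinitionId: allowedImagesDefinitionId
    enforcementMode: 'Default'
    parameters: {
      // Roll out as 'Audit' first, switch to 'Deny' once the violations are gone.
      effect: { value: 'Deny' }
      allowedContainerImagesRegex: {
        // Anchor and escape the regex: an unanchored 'contosoprod.azurecr.io'
        // would also accept 'contosoprod.azurecr.io.attacker.example/x'.
        value: '^${replace(acrLoginServer, '.', '\\.')}/.+$'
      }
      excludedNamespaces: {
        value: ['kube-system', 'gatekeeper-system', 'azure-arc']
      }
    }
  }
}
```

After assignment, a `kubectl apply` of a pod referencing `docker.io/library/nginx` is rejected by the `azurepolicy-container-allowed-images` constraint; the policy compliance view in the portal lists the same violation. Note that the regex is matched against the full image reference, so it must also tolerate tags and digests (the `.+` after the slash does).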
A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?
P1 includes SSPR with password writeback.
Why this answer
Option B is correct because Microsoft Entra ID P1 includes SSPR with writeback to on-premises Active Directory. Option A is wrong because the free tier does not include SSPR. Option C is wrong because P2 adds Identity Protection, not required for basic SSPR.
Option D is wrong because Microsoft 365 E3 includes Entra ID P1, but the question asks for minimum licensing.
Your organization is planning to deploy Microsoft Defender for Cloud to protect a hybrid environment that includes on-premises servers and Azure virtual machines. You need to ensure that the security recommendations and threat detections are consistently applied across all resources. What should you configure?
Auto-provisioning ensures all VMs are monitored and security recommendations are consistently applied.
Why this answer
Option A is correct in the exam's framing: turning on auto-provisioning in Defender for Cloud deploys the monitoring agent and extensions to every existing and future machine in scope, so recommendations and detections are applied consistently. Two practitioner caveats: on-premises servers must first be connected through Azure Arc, because Defender for Cloud can only manage resources that have an Azure resource ID, so Option B is a prerequisite rather than an alternative; and the Log Analytics agent (MMA) has been retired, so current auto-provisioning relies on Defender for Endpoint, agentless scanning and the Azure Monitor Agent where an agent is still needed. Option C is wrong because assigning a policy alone deploys nothing.
Option D is wrong because Azure Policy enforces compliance but does not replace auto-provisioning.
Your organization is using Microsoft Defender for Cloud to assess the security posture of your Azure resources. You need to ensure that all storage accounts have secure transfer required enabled. Which Defender for Cloud feature should you use?
Policies can enforce that secure transfer is enabled on storage accounts.
Why this answer
Option A is correct: security policies and initiatives (Azure Policy definitions assigned through Defender for Cloud) define the requirement, surface non-compliant storage accounts as recommendations and, with the Deny effect, block new non-compliant accounts. Option B is wrong: just-in-time VM access limits exposure of management ports. Option C is wrong: adaptive network hardening recommends NSG rules based on observed traffic.
Option D is wrong: file integrity monitoring watches changes to critical files and registry keys.
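The setting the recommendation checks, with the weak value noted and a Deny assignment of the corresponding built-in policy, as an added Bicep example (not from the page). Names are placeholders; the policy GUID is Microsoft's built-in 'Secure transfer to storage accounts should be enabled' definition as of writing, which you should verify in your tenant:

```bicep
// Added example, not from the page. Names are placeholders. Verify the GUID with:
//   az policy definition list --query "[?displayName=='Secure transfer to storage accounts should be enabled'].name"
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param storageName string = 'stcontosoprod001'

// Hardened account. The weak configuration the recommendation flags is
// supportsHttpsTrafficOnly: false (and, separately, minimumTlsVersion: 'TLS1_0').
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true   // rejects plain HTTP and unencrypted SMB
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false      // Entra ID (RBAC) only; no account keys in use
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// Guardrail: with effect 'Deny', a later template that sets
// supportsHttpsTrafficOnly: false fails at deployment time instead of merely
// showing as an unhealthy recommendation in Defender for Cloud.
resource requireSecureTransfer 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-insecure-transfer'
  properties: {
    displayName: 'Secure transfer to storage accounts should be enabled'
    policyDefinitionId: tenantResourceId(
      'Microsoft.Authorization/policyDefinitions',
      '404c3081-a854-4457-ae30-26a93ef643f9'
    )
    parameters: { effect: { value: 'Deny' } }
  }
}
```

The assignment here is scoped to the resource group because that is the template's target scope; in production it belongs on the subscription or management group so that every new account inherits it.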
Which TWO of the following are requirements for implementing Azure Disk Encryption on Windows VMs? (Choose two.)
BitLocker is required; it's available in supported Windows versions.
Why this answer
Option B (a Key Vault with enabledForDiskEncryption set) and Option E (the BitLocker feature available in the guest OS) are requirements. Option A is not required because the VM needs no public IP. Option C is incorrect because Azure Backup is not required.
Option D is incorrect because ADE is supported only on certain VM sizes and generations (Basic tier and some small sizes are excluded), so 'any VM size' is wrong. Two checks a practitioner will want: the Key Vault must be in the same region and subscription as the VM, and the vault must have enabledForDiskEncryption set or the extension fails to write the BEK.
Your organization wants to enforce that all users authenticate using Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary?
Authenticator app provides passwordless sign-in.
Why this answer
The question requires that all users authenticate using the Microsoft Authenticator app as the primary method. Passwordless phone sign-in in Microsoft Authenticator (option C) is the only listed method that both uses the app and replaces the password as the first factor. At registration the app generates a key pair bound to the phone's secure hardware and registers the public key with Microsoft Entra ID; at sign-in the user approves the request with a biometric or PIN gesture, which unlocks the private key, and no password is entered. This is not FIDO2: FIDO2 security keys and passkeys are separate authentication methods, even though Authenticator can now also hold a passkey.
Exam trap
The trap is confusing the Authenticator app's push-notification and TOTP modes, which are second factors used after a password, with its passwordless phone sign-in mode; candidates who make that confusion pick SMS or email OTP as the primary method even though the question mandates the Authenticator app.
How to eliminate wrong answers
Option A is wrong because FIDO2 security keys are external hardware devices, not the Microsoft Authenticator app; they are passwordless, but they do not meet the requirement of using the app. Option B is wrong because email one-time passcode is a method for B2B guest users who have no other way to sign in; it does not use Authenticator and is not a passwordless primary method for your own users. Option D is wrong because SMS verification is a legacy second factor that requires a password first, does not use the Microsoft Authenticator app, and cannot be a passwordless primary method.
Match each compliance framework to its focus area.
ISO/IEC 27001: Information security management system
SOC 2: Controls for service organizations
PCI DSS: Payment card data security
HIPAA: Protected health information privacy and security
FedRAMP: Cloud security for US federal agencies
Why these pairings
These are common compliance standards relevant to Azure.
Your organization uses Azure DevOps for CI/CD. You need to ensure that secrets (e.g., API keys) used in pipeline tasks are securely stored and accessed. The security requirements are: secrets must be encrypted at rest, access must be audited, and secrets must be automatically rotated. Which THREE services or features should you use? (Choose three.)
Access policies control who can read secrets, with auditing.
Why this answer
Azure Key Vault stores secrets encrypted at rest and, once diagnostic settings are enabled, writes an AuditEvent entry for every read or write. A managed identity (or a workload identity federation service connection) lets the pipeline reach the vault without any stored credential. Rotation needs a qualification: Key Vault has native rotation policies for keys only; secrets are rotated by acting on the SecretNearExpiry event Key Vault raises through Event Grid, typically with an Azure Function that obtains a new credential and writes it as a new secret version.
Azure DevOps variable groups can link to Key Vault, which gives the pipeline the current version of each secret, but they rotate nothing. Microsoft Entra ID is an identity provider, not a secret store. Secrets typed into pipeline variables are not centrally managed or rotated.
Options A, B, and C together meet all requirements.
A financial services company is deploying a new application on Azure Kubernetes Service (AKS). The application must meet PCI DSS compliance requirements, which mandate encryption of data at rest and in transit, as well as network segmentation. The application will use Azure SQL Database. What is the MOST secure approach to meet these requirements?
Azure Policy can enforce encryption at rest and in transit; network policies provide segmentation; TDE and Always Encrypted protect data at rest and in use.
Why this answer
Option C is correct because it combines Azure Policy to enforce the encryption settings, Kubernetes network policies for segmentation inside the cluster, and Azure SQL Database with TDE (at rest) and Always Encrypted (in use, so even the DBA cannot read the column values) for data protection. Option A is wrong because service endpoints keep traffic on the Microsoft backbone but are neither an encryption control nor a segmentation control inside the cluster. Option B is wrong because Azure Firewall is a perimeter firewall, not the pod-level network policy that segmentation within AKS requires.
Option D is wrong because App Service Environment is not used for AKS.
Which THREE are components of Microsoft's Zero Trust model?
Protect data at rest, in transit, and in use.
Why this answer
Option A is correct because data is one of the six foundational pillars of Microsoft's Zero Trust model (identities, endpoints, data, apps, infrastructure, and network). The Zero Trust model explicitly treats data as a critical asset that must be protected regardless of location, using encryption, labeling, and Data Loss Prevention (DLP) policies to enforce least-privilege access and continuous validation.
Exam trap
The trap here is that candidates confuse the Zero Trust guiding principles (like 'Assume breach') with the architectural components (identities, endpoints, data, apps, infrastructure, network), leading them to select 'Assume breach' as a component rather than a principle.
Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)
SharePoint is a key source for sensitive documents.
Why this answer
Options A and C are correct in the exam's framing: SharePoint Online and OneDrive are the Microsoft 365 locations where classified documents live. Option B (Azure SQL Database) and Option D (Azure Blob Storage) are Azure data sources, not Microsoft 365 services.
Option E (Power BI) is ruled out only because the question restricts the scope to Microsoft 365 document stores. A practitioner caveat: discovery and classification of SharePoint and OneDrive content comes from Microsoft Purview Information Protection (sensitive information types, content explorer and auto-labeling) rather than from a scan you configure against a registered source, whereas the Purview Data Map scan engine is aimed at sources such as Azure SQL, Blob Storage and, in fact, Power BI.
Your organization is adopting Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the existing sensitivity labels when processing data. What should you configure?
Copilot respects sensitivity labels.
Why this answer
Option A is correct because Microsoft Purview Information Protection sensitivity labels are respected by Microsoft Copilot. Option B is wrong because DLP policies are for data loss prevention, not labeling. Option C is wrong because Retention labels are for retention, not sensitivity.
Option D is wrong because sensitivity labels are the correct solution.
You are designing a solution to protect an Azure App Service web app that authenticates users via Microsoft Entra ID. The app needs to ensure that only users from specific external partner organizations can access it. You do not want to create user objects for each partner user in your tenant. What should you configure?
B2B allows external users to authenticate using their own tenants without creating user objects.
Why this answer
B2B collaboration lets partner users sign in with their home-tenant credentials: a lightweight guest object is created in your directory on invitation, but it holds no password, and the partner's tenant remains the authority for authentication, MFA and lifecycle, so you manage no accounts or credentials for them. Restrict which partners are admitted through the external collaboration settings or cross-tenant access settings (allowlist the partner tenant IDs), then assign those guests to the enterprise application. B2C is for consumer-facing apps. Conditional Access can restrict access, but it applies to identities you have already admitted and is not the admission mechanism.
Application permissions are for app-to-app (daemon) scenarios. Option D is correct.
A company is implementing Microsoft Priva to manage subject rights requests. Users submit requests to access their personal data stored in Exchange Online, SharePoint, and Teams. The privacy team needs to automate the retrieval of data from these sources. Which Priva capability should they use?
Subject Rights Requests automates the search and retrieval of personal data from Microsoft 365 services.
Why this answer
Option C is correct because Priva Subject Rights Requests includes built-in data retrieval from Microsoft 365 sources. Option A is wrong because Data Inventory scans but does not retrieve data for requests. Option B is wrong because Consent Management handles consent, not data retrieval.
Option D is wrong because Data Breach Notifications are for incident response.
Your company, Fabrikam, is designing a solution to securely store and manage secrets (e.g., API keys, database passwords) for cloud applications. The solution must use Azure Key Vault and support automatic rotation of secrets. The applications will run on Azure VMs and Azure App Service. Which TWO of the following should you include in your design?
Key Vault integration with Event Grid and Functions enables automated rotation.
Why this answer
Option B is correct because managed identities let VMs and App Service authenticate to Key Vault without storing any credential. Option D is correct because Key Vault raises SecretNearExpiry and SecretExpired events through Event Grid, and an Azure Function subscribed to them can obtain a new credential, update the backing system and write the new secret version before the old one expires. Option A is wrong because secrets in application configuration are readable by anyone with access to the app's settings and are never rotated.
Option C is wrong because a service principal with a client secret or certificate is itself a credential that has to be stored and rotated, which is the problem being solved. Option E is wrong in the exam's framing: an Automation runbook can perform rotation, but Microsoft's reference pattern for Key Vault is the Event Grid plus Functions flow.
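The rotation plumbing, together with the read-only access a pipeline needs (the scenario two questions earlier), as an added Bicep example (not from the page). Names are placeholders; the Function App is assumed to exist with a system-assigned identity and a function named in the parameter; the role GUIDs are Microsoft's built-in Key Vault Secrets Officer and Key Vault Secrets User roles as of writing and should be verified in your tenant:

```bicep
// Added example, not from the page. Names are placeholders. Verify the role GUIDs with:
//   az role definition list --name "Key Vault Secrets Officer" --query "[].name"
//   az role definition list --name "Key Vault Secrets User" --query "[].name"
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param keyVaultName string = 'kv-contoso-prod'
param functionAppName string = 'func-secret-rotation'   // existing app with a system-assigned identity
param rotationFunctionName string = 'RotatePartnerApiKey'
param pipelinePrincipalId string                        // object ID of the Azure DevOps service connection
param deployTime string = utcNow()                      // utcNow() is only valid as a parameter default

@secure()
param initialPartnerApiKey string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true   // RBAC instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// The secret carries an expiry; Key Vault raises SecretNearExpiry 30 days before it.
resource partnerApiKey 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'partner-api-key'
  properties: {
    value: initialPartnerApiKey
    attributes: { exp: dateTimeToEpoch(dateTimeAdd(deployTime, 'P90D')) }
  }
}

resource rotator 'Microsoft.Web/sites@2023-01-01' existing = {
  name: functionAppName
}

// The rotation function must be able to write a new secret version.
var secretsOfficer = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
resource rotatorWritesSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, rotator.id, secretsOfficer)
  scope: kv
  properties: {
    roleDefinitionId: secretsOfficer
    principalId: rotator.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// The pipeline only reads; a Key Vault-linked variable group then always sees the newest version.
var secretsUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
resource pipelineReadsSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, pipelinePrincipalId, secretsUser)
  scope: kv
  properties: {
    roleDefinitionId: secretsUser
    principalId: pipelinePrincipalId
    principalType: 'ServicePrincipal'
  }
}

// Event Grid system topic on the vault, delivering SecretNearExpiry to the function.
resource kvEvents 'Microsoft.EventGrid/systemTopics@2022-06-15' = {
  name: '${keyVaultName}-events'
  location: location
  properties: {
    source: kv.id
    topicType: 'Microsoft.KeyVault.vaults'
  }
}

resource nearExpiryToRotator 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2022-06-15' = {
  parent: kvEvents
  name: 'secret-near-expiry'
  properties: {
    destination: {
      endpointType: 'AzureFunction'
      properties: { resourceId: '${rotator.id}/functions/${rotationFunctionName}' }
    }
    filter: {
      includedEventTypes: ['Microsoft.KeyVault.SecretNearExpiry']
      subjectBeginsWith: partnerApiKey.name   // only this secret's events
    }
    retryPolicy: { maxDeliveryAttempts: 10, eventTimeToLiveInMinutes: 1440 }
  }
}
```

The function body itself (request a new key from the partner, write it as a new version with a fresh `exp`, then retire the old key at the partner) is application-specific and not shown. Auditing is a diagnostic setting on the vault that sends the AuditEvent category to a Log Analytics workspace; it is not part of the block above.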
Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?
This connector automatically ingests alerts and creates incidents with low latency and minimal effort.
Why this answer
Option B is correct because the Microsoft Defender XDR data connector syncs Defender XDR incidents (which already include the Defender for Endpoint alerts) into Microsoft Sentinel with low latency and no custom code. Option A (custom logic app) would add latency and something to maintain. Option C (manual ingestion) is not automatic.
Option D (Microsoft Entra ID Protection) covers identity risk, not device alerts. One caveat: the connector syncs all Defender XDR incidents and does not filter by severity or product, so a Sentinel automation rule is used to triage them (for example, by matching severity High and alert product name Microsoft Defender for Endpoint).
A company's security team wants to automate response to common incidents like malware detected on endpoints. They have Microsoft 365 Defender and Microsoft Sentinel. Which feature should they use to create automated playbooks?
Integrates with Logic Apps for automated response to incidents.
Why this answer
Microsoft Sentinel's automation rules and playbooks are the correct choice because they are specifically designed to automate incident response by triggering predefined actions (e.g., running a Logic App) when a detection event, such as malware on an endpoint, is ingested from Microsoft 365 Defender. This integration allows security teams to create custom, automated workflows that respond to common incidents without manual intervention.
Exam trap
The trap here is that candidates often confuse Microsoft Defender for Cloud's workflow automation (which can send notifications or trigger a Logic App for Defender for Cloud alerts) with Sentinel's full playbook engine, but Sentinel is the correct choice because it is the centralized SIEM/SOAR platform that ingests alerts from Microsoft 365 Defender and orchestrates complex, multi-step automated responses across the entire security ecosystem.
How to eliminate wrong answers
Option A is wrong because Microsoft Purview's data loss prevention policies focus on classifying and protecting sensitive data (e.g., preventing unauthorized sharing), not on automating incident response to security alerts like malware. Option C is wrong because Azure Policy is used to enforce compliance rules on Azure resources (e.g., ensuring VMs have specific tags), not to orchestrate response actions to security incidents. Option D is wrong because Microsoft Defender for Cloud's workflow automation is limited to triggering actions (e.g., sending email) for security recommendations and alerts within Defender for Cloud, but it lacks the deep integration and flexible Logic Apps-based playbook engine that Sentinel provides for multi-source incident response.
You are designing a network security architecture for an Azure application that uses Azure Front Door and Azure Application Gateway. The application must be protected from DDoS attacks and common web exploits. Application traffic should be inspected by a web application firewall (WAF) before reaching the backend. What is the recommended deployment order?
Azure Front Door (with WAF) first at the edge, then Application Gateway with WAF in front of the backend.
Why this answer
Option B is correct because Azure Front Door should be the outermost layer, absorbing DDoS at the edge and terminating TLS globally, with Application Gateway in the WAF_v2 tier giving regional inspection before the backend. Option A is wrong because inspecting at the gateway first forfeits Front Door's edge DDoS absorption. Option C is wrong because a WAF only at Front Door leaves traffic that bypasses Front Door and reaches the gateway directly uninspected.
Option D is wrong because Application Gateway should run in the WAF_v2 tier for web exploit protection. Check: the Application Gateway must accept traffic only from Front Door, by allowing the AzureFrontDoor.Backend service tag in its NSG and by validating the X-Azure-FDID header against your Front Door profile ID in a WAF custom rule; otherwise an attacker can hit the regional public IP directly and skip the edge layer.
You are a security architect for a large multinational organization that uses Microsoft 365, Azure, and third-party SaaS applications. The organization has recently experienced a breach where an attacker compromised a user account via a phishing email and then used that account to access sensitive data in SharePoint Online and exfiltrate it via email. The security team wants to implement a comprehensive solution that aligns with the Zero Trust principles of 'verify explicitly', 'use least privilege', and 'assume breach'. You need to design a solution that includes identity protection, conditional access, data protection, and continuous monitoring. You have the following requirements: 1. Block phishing attacks in real time. 2. Enforce least privilege access to sensitive data. 3. Detect and respond to anomalous user behavior. 4. Protect data at rest and in transit. 5. Enable automated response to incidents. Which combination of Microsoft security services and configurations should you recommend?
Covers all requirements: phishing block, least privilege, data protection, and automated response.
Why this answer
Option B is correct because it combines Microsoft Defender for Office 365 to block phishing, Conditional Access with risk policies to enforce least privilege, Microsoft Purview DLP and sensitivity labels to protect data, and Microsoft Sentinel with automation to detect and respond. Option A is wrong because it uses Azure AD (now Entra ID) Identity Protection but lacks DLP and monitoring. Option C is wrong because it does not include phishing prevention.
Option D is wrong because it uses Microsoft Defender for Cloud Apps alone, which is insufficient for email and identity protection.
Your company is migrating to Azure and needs to secure virtual networks with network segmentation. You need to design a solution that filters traffic between subnets based on application requirements. Which Azure service should you use?
NSGs provide stateful filtering between subnets and VMs within a VNet.
Why this answer
Option B is correct because Network Security Groups filter traffic at subnet and NIC level, so subnet-to-subnet rules can be written per application (for example, allow only the app tier to reach the database tier on 1433). Option A is wrong because Azure Firewall is a centralized hub firewall suited to egress and inter-VNet filtering; routing every subnet-to-subnet flow through it is possible but is not the distributed, per-subnet control the question asks for. Option C is wrong because Azure DDoS Protection mitigates volumetric attacks and does no segmentation.
Option D is wrong because Azure Bastion provides RDP/SSH access to VMs that have no public IP. One check: the default rule AllowVnetInBound permits all traffic between subnets of a VNet, so segmentation exists only once you add an explicit deny rule below your allow rules.
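Subnet-to-subnet filtering driven by application roles, as an added Bicep example (not from the page). The VNet is assumed to exist; subnet names, prefixes and ports are placeholders:

```bicep
// Added example, not from the page. Names and prefixes are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param vnetName string = 'vnet-contoso-prod'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Application security groups: rules reference workload roles, not IP lists,
// so adding a VM to a tier does not require editing the NSG.
resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = { name: 'asg-web', location: location }
resource asgApp 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = { name: 'asg-app', location: location }
resource asgDb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = { name: 'asg-db', location: location }

// The default rule AllowVnetInBound (priority 65000) permits all traffic between
// subnets of a VNet, so segmentation needs an explicit lower-numbered deny.
var denyVnetInbound = {
  name: 'deny-all-other-vnet-inbound'
  properties: {
    priority: 4000
    direction: 'Inbound'
    access: 'Deny'
    protocol: '*'
    sourceAddressPrefix: 'VirtualNetwork'
    sourcePortRange: '*'
    destinationAddressPrefix: '*'
    destinationPortRange: '*'
  }
}

resource nsgApp 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-web-tier-to-app-8443'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [{ id: asgWeb.id }]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [{ id: asgApp.id }]
          destinationPortRange: '8443'
        }
      }
      denyVnetInbound
    ]
  }
}

resource nsgDb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-db'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-app-tier-to-sql-1433'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [{ id: asgApp.id }]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [{ id: asgDb.id }]
          destinationPortRange: '1433'
        }
      }
      denyVnetInbound
      {
        name: 'deny-db-tier-to-internet'   // the data tier never initiates egress
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Attach each NSG at the subnet so it covers every NIC placed there. Subnet
// writes to one VNet must be serialized, hence the dependsOn.
resource snetApp 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: { addressPrefix: '10.0.2.0/24', networkSecurityGroup: { id: nsgApp.id } }
}
resource snetDb 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-db'
  properties: { addressPrefix: '10.0.3.0/24', networkSecurityGroup: { id: nsgDb.id } }
  dependsOn: [snetApp]
}
```

A rule may use either address prefixes or application security groups on each side, not both, and an ASG can only be referenced by NICs in the same VNet. The web tier's own NSG, not shown, is where an internet-facing design would admit only the AzureFrontDoor.Backend service tag, as in the Front Door question earlier on this page.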
Refer to the exhibit. A security architect is reviewing an ARM template for an Azure Key Vault. The vault must be accessible from a backend subnet via private endpoint. What is the missing configuration component?
Private endpoints are separate resources that provide private connectivity; a private DNS zone enables name resolution
Why this answer
The exhibit shows network ACLs with virtual network rules, but to use private endpoints, the template must include a private endpoint resource and a private DNS zone. Option B is correct because private endpoints are required for private connectivity, and they are not part of the vault resource itself. Option A is wrong because enabling RBAC authorization is not required for private endpoint access.
Option C is wrong because `publicNetworkAccess: Disabled` (or `networkAcls.defaultAction: Deny`) closes the public endpoint but creates no private path; a private endpoint resource is still required, together with a `privatelink.vaultcore.azure.net` private DNS zone linked to the VNet so that the vault's hostname resolves to the endpoint's private IP. Option D is wrong because a system-assigned managed identity concerns the vault authenticating to other services, not network reachability.
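The two missing components (the private endpoint and the DNS zone that makes it usable), as an added Bicep example rather than the question's exhibit; it also sets the `enabledForDiskEncryption` flag the Azure Disk Encryption question above requires. The VNet and backend subnet are assumed to exist, and the names are placeholders:

```bicep
// Added example, not the question's exhibit. Names are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param keyVaultName string = 'kv-contoso-prod'
param vnetName string = 'vnet-contoso-prod'
param backendSubnetName string = 'snet-backend'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}
resource backendSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: backendSubnetName
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: { family: 'A', name: 'premium' }   // premium for HSM-backed keys
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
    enabledForDiskEncryption: true   // ADE prerequisite; vault must share region and subscription with the VM
    publicNetworkAccess: 'Disabled'  // VNet rules alone (the exhibit) still leave a public endpoint
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// 1. The private endpoint: a NIC in the backend subnet with a private IP for the vault.
resource kvPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${keyVaultName}'
  location: location
  properties: {
    subnet: { id: backendSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: { privateLinkServiceId: kv.id, groupIds: ['vault'] }
      }
    ]
  }
}

// 2. The private DNS zone, so <vault>.vault.azure.net resolves to the private IP
//    from inside the VNet instead of to the public endpoint.
resource vaultZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}
resource vaultZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: vaultZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// 3. Let the endpoint write its own A record into the zone.
resource vaultZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: kvPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'vaultcore', properties: { privateDnsZoneId: vaultZone.id } }
    ]
  }
}
```

Verify from a VM in the VNet with `nslookup kv-contoso-prod.vault.azure.net`: the answer should be a CNAME to the `privatelink.vaultcore.azure.net` name and then a 10.x address from the backend subnet. If it resolves to a public IP, the zone link is missing or the VNet uses a custom DNS server that does not forward to Azure DNS.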
A company uses Microsoft Sentinel with a workspace in the East US region. They want to ingest logs from Azure resources in West Europe. To minimize data transfer costs, what should they do?
This minimizes data transfer costs by keeping logs in the same region.
Why this answer
Azure bills cross-region data transfer, so a Log Analytics workspace in East US that receives logs from West Europe resources pays that egress on every byte ingested. The best answer is to create a second Microsoft Sentinel workspace in West Europe, send the West Europe resources' logs there, and keep a single view with cross-workspace queries (the `workspace()` function in KQL) or Sentinel workspace manager.
The trade-offs are a second Sentinel-enabled workspace to administer and the fact that analytics rules and incidents are scoped per workspace. Continuing with the East US workspace is simpler but accepts the transfer cost, which the question rules out.
The best answer is to create a new workspace in West Europe.
Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?
Directly ingests alerts and recommendations from Defender for Cloud.
Why this answer
The Microsoft Defender for Cloud connector (formerly Azure Security Center) is specifically designed to ingest alerts and recommendations from Defender for Cloud into Sentinel. The other options are unrelated: Office 365 connector ingests Office logs, Azure Activity logs track Azure resource operations, and DNS connector ingests DNS queries.
A company is migrating its on-premises Active Directory to Microsoft Entra ID. They have line-of-business applications that use Windows Integrated Authentication. You need to design a solution that allows users to access these applications from domain-joined devices without prompting for credentials, while also supporting hybrid identity. What should you implement?
Hybrid join provides SSO for on-prem apps from domain-joined devices.
Why this answer
Option D is correct because Microsoft Entra hybrid join registers domain-joined devices in Entra ID, so a user who signed in to Windows with domain credentials gets SSO to on-premises Windows Integrated Authentication apps through Kerberos and, through the primary refresh token or Seamless SSO, to cloud apps as well. Option A is incorrect in this scenario: Application Proxy publishes on-premises apps for remote access and can do SSO with Kerberos constrained delegation, but it is not the mechanism for domain-joined devices on the corporate network. Option B is incorrect because pass-through authentication validates cloud sign-ins against on-premises AD; it does not give device SSO to on-premises apps.
Option C is incorrect because federation (AD FS) handles cloud sign-in and does not by itself provide device-based SSO to on-premises apps.
A security architect is designing a solution to detect and respond to advanced threats across email, endpoints, and identities. Which Microsoft security solution should they use?
Defender XDR provides integrated protection across email, endpoints, identities, and apps.
Why this answer
Microsoft Defender XDR (Extended Detection and Response) is the correct solution because it provides unified pre- and post-breach detection, investigation, and response across email, endpoints, and identities. It correlates signals from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity into a single incident queue, enabling automated remediation of advanced multi-vector attacks.
Exam trap
The trap is confusing Microsoft Sentinel (a SIEM/SOAR) with Microsoft Defender XDR. Sentinel correlates any ingested source through analytics rules and Fusion, but Defender XDR correlates Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps signals natively into a single incident and can remediate automatically, which is what the question asks for.
How to eliminate wrong answers
Option A is wrong because Microsoft Purview is a data governance, compliance, and risk management solution (data loss prevention, eDiscovery, insider risk), not a threat detection and response platform. Option B is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests logs from many sources for broad security analytics; it is not purpose-built for unified detection across the Defender products, and in practice it consumes Defender XDR incidents and adds third-party sources, custom analytics and playbooks on top. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for endpoint configuration and compliance, not a threat detection or response tool.
Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)
Define detection logic for threats.
Why this answer
Data connectors ingest logs from various sources, and analytics rules detect threats. Playbooks automate response, but are not essential for detection. Workbooks visualize data, and UEBA enriches analytics but is not a separate essential component.
Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a specific minimum OS version can access corporate resources. Which configuration should you use?
Directly enforces OS version compliance.
Why this answer
A device compliance policy with a minimum OS version rule is the correct choice because Intune compliance policies evaluate device attributes—including OS version—against defined rules before granting access to corporate resources. When a device fails the minimum OS version check, Conditional Access blocks access until the device is updated or remediated, ensuring only compliant devices can connect.
Exam trap
The trap here is confusing enrollment restrictions (which only check OS version at the point of enrollment) with compliance policies (which enforce OS version continuously after enrollment), leading candidates to pick enrollment restrictions as a one-time gate rather than an ongoing control.
How to eliminate wrong answers
Option B is wrong because a device configuration profile manages settings and features on the device (e.g., Wi-Fi, VPN, restrictions) but does not enforce access control based on OS version; it lacks the conditional access integration needed to block non-compliant devices. Option C is wrong because enrollment restrictions control which devices can enroll in Intune (e.g., by platform, manufacturer, or OS version at enrollment time), but they do not enforce ongoing compliance after enrollment—a device could be enrolled with a compliant OS and later be downgraded or fail to update. Option D is wrong because an app protection policy (APP) manages data protection within applications (e.g., preventing copy/paste or requiring PIN) and does not evaluate device-level OS version; APP applies to apps on both managed and unmanaged devices, not to device compliance for resource access.
An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)
Identity-based threat signals.
Why this answer
Microsoft Defender XDR ingests signals from Microsoft Defender for Identity to correlate on-premises Active Directory activities with cloud-based threats. This integration allows Defender XDR to detect identity-based attacks like Kerberoasting or pass-the-hash by analyzing domain controller logs and authentication events.
Exam trap
The trap here is that candidates often confuse Microsoft Sentinel as a data source for Defender XDR, when in reality Sentinel is a SIEM that consumes data from Defender XDR, not the reverse.
Your company is designing a secure baseline for Azure Linux virtual machines using Azure Policy. You need to ensure that all Linux VMs have SSH access restricted, disk encryption enabled, and vulnerability assessments installed. Which THREE built-in policies should you assign? (Choose THREE.)
This policy deploys the vulnerability assessment agent on Linux.
Why this answer
Options A, B, and D are correct. A restricts SSH from the internet, B enables encryption, and D deploys vulnerability assessment. Option C is wrong because it requires Microsoft Antimalware, which is for Windows.
Option E is wrong because it enforces Windows Defender Credential Guard, which is Windows-specific.
Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?
Conditional Access policy can be scoped to exclude specific applications, allowing the finance department to access the legacy app without MFA.
Why this answer
Option B is correct because Conditional Access policies allow granular control, including exemption for specific applications. Option A is wrong because security defaults would apply MFA to all users and apps with no exemption. Option C is wrong because per-user MFA is outdated and does not offer app-based exemptions.
Option D is wrong because Identity Protection drives risk-based policies, not per-app exemptions. Two checks: a client that cannot perform modern authentication cannot answer an MFA prompt at all, so the exclusion is the only way the app keeps working; and because the exclusion removes MFA for that app, pair it with compensating conditions such as a trusted named location or a compliant-device requirement, and block legacy authentication everywhere else.
Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?
Automation rules trigger playbooks on incident creation, which can then block the sender via Exchange Online actions.
Why this answer
Option A is correct because automation rules in Microsoft Sentinel can run a playbook (Logic App) when an incident is created; the playbook then adds the sender to the Exchange Online Tenant Allow/Block List, for example with Exchange Online PowerShell (New-TenantAllowBlockListItems -ListType Sender -Block), since Sentinel has no built-in block-sender action. Option B is wrong because analytics rules create incidents from data; they do not act on existing incidents. Option C is wrong because watchlists hold reference data, not automation.
Option D is wrong because UEBA is for user behavior analytics.
Your organization uses Azure SQL Database with Azure AD authentication. You need to ensure that database administrators (DBAs) can only perform management tasks from a specific Azure region and only during business hours. Which solution should you use?
Can enforce location and time conditions for Azure AD authenticated access.
Why this answer
Option A is correct because Conditional Access can enforce location and time restrictions for Azure AD authenticated users. Option B is wrong because Azure SQL Firewall rules filter by IP, not user identity. Option C is wrong because Azure Policy cannot enforce time-based access.
Option D is wrong because Azure RBAC grants permissions and has no location or time conditions. Caveat: Conditional Access has no time-of-day condition, and its location condition is a named location (IP ranges or countries), not an Azure region. In practice the 'region' is expressed as the IP range of the admin jump hosts in that region, and the business-hours requirement is approximated with Privileged Identity Management (eligible roles with a maximum activation duration and approval) rather than enforced by Conditional Access itself.
Your company uses Microsoft 365 and wants to prevent sensitive data from being copied to personal cloud storage services like Dropbox. Which TWO Microsoft Purview capabilities should you use?
DLP policies can detect and block sharing of sensitive data to unauthorized cloud services.
Why this answer
Options B and D are correct. Endpoint DLP blocks the copy to a personal cloud-storage app or an unallowed browser upload on the device itself, and Microsoft 365 DLP policies detect and block the same sensitive content moving through the service. Option A is wrong because sensitivity labels classify and encrypt but do not block the copy action by themselves.
Option C is wrong because the Azure Information Protection client is retired; labeling is built into the Microsoft 365 apps and managed in Purview. Option E is wrong in the exam's framing: Microsoft Defender for Cloud Apps (formerly Cloud App Security) can block downloads from sanctioned apps through session policies, but it does not see a file being copied from an endpoint into a personal Dropbox folder.
A company is implementing Microsoft Purview to protect sensitive data in SharePoint Online. They need to automatically apply a 'Highly Confidential' label to documents that contain credit card numbers. What should they create?
Auto-labeling policies scan documents and apply labels automatically.
Why this answer
Option D is correct because Microsoft Purview auto-labeling policies for sensitivity labels can automatically detect sensitive data types (e.g., credit card numbers) in SharePoint Online documents and apply a 'Highly Confidential' label without user intervention. This meets the requirement for automatic, policy-driven labeling based on content inspection.
Exam trap
The trap here is that candidates confuse DLP rules (which detect and protect data) with auto-labeling policies (which apply sensitivity labels), but the question specifically asks for automatic label application, not just detection or blocking.
How to eliminate wrong answers
Option A is wrong because communication compliance policies are designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) in Exchange Online and Teams, not to automatically label documents based on sensitive data patterns. Option B is wrong because a data loss prevention (DLP) rule can detect credit card numbers and block or alert, but it does not apply sensitivity labels; DLP rules and sensitivity labels are separate controls. Option C is wrong because manual labeling requires users to apply the label themselves, which contradicts the requirement for automatic application.
A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?
Session policies provide real-time access control and can block sessions.
Why this answer
Option B is correct because session policies enforce real-time controls and can block access. Option A is wrong because file policies control data at rest, not access. Option C is wrong because app tags categorize apps.
Option D is wrong because OAuth app policies manage third-party app permissions.
A company plans to use Microsoft Purview to manage data governance across their on-premises SQL Server databases and Azure SQL databases. They need to classify sensitive data and create a unified data map. Which resource should they deploy?
Microsoft Purview provides unified data governance and classification.
Why this answer
Microsoft Purview is the correct choice because it provides a unified data governance service that can scan both on-premises SQL Server and Azure SQL databases, automatically classify sensitive data using built-in classifiers (e.g., PII, financial info), and build a centralized data map. This aligns with the requirement to manage data governance across hybrid environments with a single pane of glass.
Exam trap
The trap here is that candidates often confuse Azure Data Factory's data movement capabilities with Purview's governance role, or mistakenly think Azure Synapse Analytics can perform classification because it includes data warehousing and some security features.
How to eliminate wrong answers
Option B (Azure Synapse Analytics) is wrong because it is an analytics service for large-scale data warehousing and big data processing, not a data governance or classification tool. Option C (Azure Data Factory) is wrong because it is a data integration and orchestration service for ETL/ELT pipelines, lacking native data classification and data map capabilities. Option D (Azure SQL Database) is wrong because it is a specific database platform, not a governance service; it cannot unify metadata or classify data across multiple sources like on-premises SQL Server.
Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?
Some authentication failures use other EventIDs.
Why this answer
EventID 4625 in the Windows Security log records failed logon attempts at the machine that received them, but brute-force activity against a domain often surfaces elsewhere: Kerberos pre-authentication failures are written as EventID 4771 on the domain controller, NTLM credential validation failures as EventID 4776 (with a non-zero status) on the DC or member server, and attempts against cloud identities land in SigninLogs rather than SecurityEvent at all. Some attempts are also dropped at the network layer before any logon event is written, and a data collection rule that does not include the relevant event IDs never forwards them. A query that filters on 4625 alone therefore misses these cases and can return nothing while a brute-force attack is under way.
Exam trap
Microsoft often tests the misconception that a single EventID (like 4625) covers all authentication failures, when in reality different protocols and authentication methods generate distinct EventIDs, and candidates must consider the broader log source landscape.
How to eliminate wrong answers
Option B is wrong because the absence of a time filter would cause the query to return results from all available data, not zero results; a missing time filter might cause performance issues or overly broad results, but it would not suppress known brute-force attempts. Option C is wrong because referencing a column that does not exist in SecurityEvent makes KQL fail with a 'failed to resolve column' semantic error rather than silently returning an empty result set; the question states that the query runs and returns nothing. Option D is wrong because the 'count()' aggregation is syntactically correct and commonly used in KQL to count events; an incorrect aggregation would cause a syntax error or unexpected counts, but it would not cause the query to return zero results for known brute-force attempts.
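The following query is an added example, not the exhibit from the question, showing a brute-force detection that does not depend on EventID 4625 alone. It assumes the SecurityEvent table is populated by the Windows Security Events connector, that the parsed IpAddress column is filled for 4771 in your workspace (some parsers leave it empty), and that a threshold of 10 failures per source in 10 minutes suits the environment; all three are assumptions to verify before deploying it as a rule.

```kql
// Added example (not the exhibit): count authentication failures from
// 4625 (logon failure), 4771 (Kerberos pre-authentication failed) and
// 4776 (NTLM credential validation, which is logged for success and failure).
let lookback = 1h;
let window = 10m;
let threshold = 10;     // assumption: tune per environment
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4625, 4771, 4776)
// 4776 is also written for successful validations; Status "0x0" means success, so drop those
| where EventID != 4776 or Status != "0x0"
// 4625 and 4771 carry the client IP; 4776 only records the workstation name
| extend Source = case(EventID == 4776, Workstation, IpAddress)
| where isnotempty(Source)
| summarize Failures = count(),
            TargetedAccounts = dcount(TargetUserName),
            EventIDs = make_set(EventID),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Source, bin(TimeGenerated, window)
| where Failures >= threshold
| order by Failures desc
```

Before tuning thresholds, confirm the events are actually arriving: `SecurityEvent | where EventID in (4625, 4771, 4776) | summarize count() by EventID` should return rows for each ID, and the data collection rule's XPath filter must include them (for example `Security!*[System[(EventID=4625 or EventID=4771 or EventID=4776)]]`). A high TargetedAccounts value with a low per-account count is the password-spray pattern, which a per-account query would also miss.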
Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from on-premises Active Directory. What should you deploy?
Azure Monitor Agent is the modern unified agent for collecting logs.
Why this answer
Option A is correct because Azure Monitor Agent (AMA) is the current agent for collecting Windows security events from on-premises servers (via Azure Arc) and sending them to the Log Analytics workspace that Sentinel uses; which event IDs are collected is defined in a data collection rule. Options B and C both name the same legacy agent: the Log Analytics agent is the Microsoft Monitoring Agent (MMA), which reached end of support in August 2024 and is superseded by AMA with data collection rules.
Option D is wrong because the Defender for Cloud agent focuses on security baselines and workload protection, not general event collection.
Which TWO actions should you take to implement a defense-in-depth strategy for an Azure application? (Choose two.)
DDoS Protection mitigates large-scale attacks, adding a network layer.
Why this answer
Option B is correct because Azure DDoS Protection provides defense against volumetric network-layer attacks, which is a critical component of a defense-in-depth strategy. By enabling it on the virtual network, you add a layer of protection at the network perimeter, complementing other security controls. This aligns with the principle of layered security, where multiple controls address different attack vectors.
Exam trap
The trap here is that candidates often confuse defense-in-depth with a single security control, such as encryption or identity management, and fail to recognize that network-layer protections like DDoS Protection and NSGs are essential for a layered security posture.
Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?
The query counts alerts per user and shows the top 10.
Why this answer
The KQL query uses the `summarize` operator with `count()` to aggregate Mimikatz alerts by `UserPrincipalName`, then sorts the results by count in descending order and limits the output to 10 rows. This directly identifies the top 10 users who have been targeted by Mimikatz attacks, as each alert represents a detection event associated with a specific user.
Exam trap
Microsoft often tests the distinction between aggregation (count, sum) and attribute display (severity, details), so candidates may mistakenly think a `count()` query shows severity or detailed entity information when it only provides numerical summaries.
How to eliminate wrong answers
Option B is wrong because the query does not include any field or aggregation related to severity (e.g., `Severity` column or `max(Severity)`), so it cannot show severity levels. Option C is wrong because the query only returns `UserPrincipalName` and a count, not detailed entity information such as IP addresses, process names, or device IDs. Option D is wrong because while the query counts alerts, it does not filter by a specific time range (e.g., `where TimeGenerated > ago(7d)`), so it does not count alerts only in the last 7 days.
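The query below is an added example rather than the exhibit from the question. It reproduces the described aggregation and adds the pieces the wrong options would require, so the difference between counting and attribute display is visible in one place. It assumes alerts sit in the SecurityAlert table, where Entities is a JSON string of entity objects (the layout used by the Defender XDR and Defender for Cloud connectors); if your alerts already expose a UserPrincipalName column as the exhibit does, drop the parsing step.

```kql
// Added example, not the question's exhibit.
SecurityAlert
| where TimeGenerated > ago(7d)           // the window Option D would need; the exhibit has none
| where AlertName has "Mimikatz"
// Entities is a JSON string; expand it to one row per entity and keep the account entities
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account" and isnotempty(tostring(Entity.UPNSuffix))
| extend UserPrincipalName = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
// severities are strings, so a plain max() would compare them alphabetically; rank them first
| extend SeverityRank = case(AlertSeverity == "High", 3,
                             AlertSeverity == "Medium", 2,
                             AlertSeverity == "Low", 1,
                             0)
| summarize AlertCount = count(),                       // what the exhibit returns
            HighestSeverityRank = max(SeverityRank),    // what Option B would need
            Devices = make_set(CompromisedEntity, 10)   // the entity detail Option C would need
    by UserPrincipalName
| top 10 by AlertCount desc
```

Note that mv-expand counts one alert once per account entity it names, so an alert that references two accounts contributes to both users' totals; that is usually what you want for a "who is being targeted" view.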
Your organization uses Microsoft Purview to classify data assets. You need to design a solution that automatically scans data sources in Azure SQL Database for sensitive information. Which Purview scanner should you configure?
Purview can scan Azure SQL Database using built-in scanning rule sets.
Why this answer
Option C is correct because Purview's scanning capability supports Azure SQL Database natively. Option A is wrong because Purview does not have a scanner named 'Azure SQL Scanner'; it uses the built-in scan. Option B is wrong because Microsoft Defender for SQL is a security product, not a classification scanner.
Option D is wrong because Purview Insights is a reporting feature.
Your organization is implementing a defense-in-depth strategy for a multi-tier application hosted on Azure. You need to secure the network layers. Which THREE measures should you implement?
DDoS Protection is a key network security layer.
Why this answer
Option B is correct because Azure Firewall provides centralized inbound and outbound traffic filtering. Option C is correct because network security groups (NSGs) provide micro-segmentation at the subnet or NIC level. Option D is correct because Azure DDoS Protection helps mitigate volumetric attacks.
Option A is wrong because a VPN gateway is for connectivity, not a network security layer. Option E is wrong because Azure Front Door is an application delivery and security service, but it is not a general network security layer for all tiers; it is more specific to web applications.
A company wants to protect their Azure App Service web application from common web vulnerabilities like SQL injection and XSS. Which Azure service should they enable?
Protects against SQL injection, XSS, etc.
Why this answer
Azure Web Application Firewall (WAF) on Application Gateway is the correct choice because it provides centralized, inbound protection for web applications against common exploits such as SQL injection and cross-site scripting (XSS). WAF inspects HTTP/HTTPS traffic at the application layer (Layer 7) using OWASP Core Rule Sets (CRS) to block malicious payloads before they reach the App Service. This service is specifically designed to defend web workloads, unlike network-layer or generic firewall solutions.
Exam trap
The trap here is that candidates confuse Azure Front Door with WAF (a global, edge-based WAF) with Azure Application Gateway WAF (a regional, load-balancer-based WAF). For protecting a single App Service within a region, Application Gateway WAF is the direct and intended service; Front Door is typically chosen for multi-region or global front ends. In either design, configure App Service access restrictions so that requests to the app's default hostname cannot bypass the WAF.
How to eliminate wrong answers
Option A is wrong because Azure DDoS Protection operates at the network and transport layers (Layers 3 and 4) to mitigate volumetric attacks, not application-layer threats like SQL injection or XSS. Option B is wrong because Azure Firewall is a stateful network firewall that filters on IP addresses, ports, protocols and FQDNs; even Azure Firewall Premium, which adds IDPS and TLS inspection, does not apply OWASP CRS-style rule sets to detect application-layer attacks. Option C is wrong because Azure Front Door with WAF does provide WAF capabilities, but the question asks for the service that protects a single Azure App Service web application; while Front Door can front App Services, the most direct and commonly deployed service for this purpose is WAF on Application Gateway, which is the standard pattern for regional web application protection.
Your company, Lucerne Publishing, is migrating its on-premises SQL Server databases to Azure SQL Managed Instance. The databases contain sensitive customer data subject to GDPR. You need to design a security solution that includes: (1) Always Encrypted for sensitive columns, (2) dynamic data masking for non-privileged users, (3) auditing of all data access, and (4) encryption at rest using customer-managed keys stored in Azure Key Vault. Which of the following configurations should you implement?
All requirements are met: column encryption, masking, auditing, and CMK encryption.
Why this answer
Option B is correct because it includes all required features: Always Encrypted for column-level encryption, dynamic data masking, auditing via SQL Audit with Log Analytics, and TDE with CMK in Key Vault. Option A is wrong because TDE with service-managed keys does not meet CMK requirement. Option C is wrong because auditing via server-level audit is possible but not as integrated with Log Analytics.
Option D is wrong because disabling TDE is not secure.
You are designing a security solution for Azure SQL Database. The requirements include: encrypting data at rest and in transit, and masking sensitive data from non-privileged users. Which two features should you implement? (Choose two.)
Masks sensitive data from non-privileged users.
Why this answer
Options A and B are correct: TDE encrypts data at rest, Dynamic Data Masking hides sensitive data from non-privileged users, and Azure SQL Database enforces TLS on every connection, which covers the in-transit requirement. Option C is wrong because Always Encrypted encrypts specific columns on the client so that plaintext is never visible to the database engine or its administrators; it is a column-encryption feature, not a masking feature, and is not what the question asks for. Option D is wrong because Azure Firewall is a network security service, not a database feature.
Option E is wrong because Transparent Data Encryption is at rest, not column-level.
South Ridge School District uses Microsoft 365 Education and Azure for administrative systems. They have a large number of students and staff. The district wants to implement a security solution that protects against phishing attacks, ransomware, and inappropriate content. They also need to comply with the Children's Online Privacy Protection Act (COPPA) and other educational regulations. The solution should be cost-effective and easy to manage. What should you recommend?
Education-appropriate, cost-effective, covers key threats.
Why this answer
Option D is correct because it provides a cost-effective, education-focused security solution that directly addresses the district's requirements. Microsoft Defender for Office 365 protects against phishing and malware in email and collaboration tools, Microsoft Intune for Education enables policy enforcement and device management for students, Microsoft Purview Communication Compliance monitors for inappropriate content to meet COPPA and other regulations, and Microsoft Entra ID (free tier) with Security Defaults provides baseline identity protection without additional licensing costs.
Exam trap
The trap here is that candidates often assume a full E5 or SIEM solution is necessary for compliance and security, but the SC-100 exam emphasizes cost-effective, education-specific solutions that leverage free tiers and built-in capabilities like Security Defaults and Intune for Education.
How to eliminate wrong answers
Option A is wrong because it recommends Microsoft Sentinel, which is a SIEM solution that requires significant cost and expertise, and Azure Policy is for Azure resource compliance, not student device or content monitoring; third-party web filtering adds unnecessary complexity and cost. Option B is wrong because upgrading all users to Microsoft 365 E5 is prohibitively expensive for a school district and includes features like Microsoft Defender for Identity and Sentinel that are overkill for the stated requirements, while not specifically addressing student content monitoring or device management. Option C is wrong because using Microsoft 365 Business Premium for staff only leaves students unprotected against phishing and malware, and Microsoft Cloud App Security (now part of Microsoft Defender for Cloud Apps) requires additional licensing and does not directly address inappropriate content monitoring or device management for students.
A company is deploying a new API management solution using Azure API Management. The APIs will be consumed by external partners. Security requirements include: protecting against OWASP Top 10 attacks, throttling requests per subscription, and validating JSON schemas. Which TWO policies should you configure? (Choose two.)
Validates request body against a defined schema.
Why this answer
Azure API Management policies are XML elements added to the inbound section of an API, operation or product. The 'validate-jwt' policy checks bearer tokens, not OWASP-style payloads. The 'rate-limit' policy throttles calls per subscription ('rate-limit-by-key' throttles by an arbitrary key such as client IP).
The 'validate-content' policy validates request and response bodies against the JSON schemas in the API definition. The 'cors' policy handles cross-origin requests. The 'ip-filter' policy allows or denies callers by address.
Options B and D (rate limit and validate content) meet the stated requirements; in practice, OWASP Top 10 coverage also calls for a WAF in front of the gateway.
You are designing a Microsoft Purview data security solution for a multinational organization subject to GDPR and CCPA. Which THREE Purview capabilities should you include to meet regulatory requirements?
Prevents unauthorized sharing of personal data.
Why this answer
Data Loss Prevention (DLP) policies are correct because they allow the organization to detect and prevent the accidental or intentional sharing of sensitive data—such as personally identifiable information (PII) covered under GDPR and CCPA—across email, SharePoint, OneDrive, and endpoints. By scanning content for sensitive information types (e.g., credit card numbers, EU passport numbers) and applying protective actions (e.g., blocking transmission, showing policy tips), DLP directly enforces data protection mandates required by these regulations.
Exam trap
The trap here is that candidates often confuse 'detective' controls (like eDiscovery) with 'preventive' controls (like DLP and sensitivity labels), or they mistakenly think retention policies alone satisfy data security requirements, when in fact GDPR and CCPA demand active protection against data breaches and unauthorized disclosure.
Your organization wants to implement a security information and event management (SIEM) solution that can ingest logs from multiple sources, including on-premises servers, Azure resources, and third-party SaaS applications. Which Microsoft service should you choose?
Sentinel is a scalable SIEM for log ingestion from diverse sources.
Why this answer
Microsoft Sentinel is the correct choice because it is a cloud-native SIEM solution specifically designed to ingest logs from diverse sources, including on-premises servers, Azure resources, and third-party SaaS applications, using built-in connectors for over 100 data sources. It provides centralized security analytics, threat detection, and incident response, making it the appropriate service for this multi-source log ingestion requirement.
Exam trap
The trap here is that candidates often confuse Azure Monitor with a SIEM because it collects logs and metrics, but it lacks the security-specific correlation, threat intelligence integration, and incident management features that define a true SIEM like Microsoft Sentinel.
How to eliminate wrong answers
Option A is wrong because Microsoft Purview is a data governance and compliance solution focused on data classification, labeling, and risk management, not a SIEM for ingesting and analyzing security logs. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides security recommendations and alerts for Azure and hybrid resources, but it lacks the comprehensive log ingestion and SIEM capabilities needed for multi-source log aggregation. Option D is wrong because Azure Monitor is a monitoring and diagnostics service for Azure resources and applications, primarily collecting metrics and logs for performance and operational health, not a SIEM solution designed for security event correlation and threat hunting across diverse sources.
You are a security architect for a healthcare organization that is adopting Microsoft 365 and Azure. The organization must comply with HIPAA and has the following requirements: - All users must use multi-factor authentication (MFA) when accessing Microsoft 365 from outside the corporate network. - Mobile devices must be managed and must be compliant before accessing email. - Access to Azure virtual machines must be limited to specific admin users and must be audited. - All sensitive data stored in Azure SQL Database must be encrypted at rest and in transit. You have the following technologies: Microsoft Entra ID, Microsoft Intune, Azure SQL Database, Azure Policy, Azure Key Vault, Microsoft Defender for Cloud, and Azure Bastion. Which combination of services and configurations should you implement?
Meets all requirements: MFA, device compliance, secure VM access, encryption.
Why this answer
Option B is correct: Conditional Access with MFA for external access; Intune compliance policies for mobile devices; Azure Bastion for secure VM access with audit; Transparent Data Encryption (TDE) for at-rest encryption and TLS for in-transit. Option A is incorrect: Always Encrypted is for column-level encryption, but TDE is simpler for HIPAA. Option C is incorrect: Azure AD Application Proxy is not for VM access.
Option D is incorrect: Azure Firewall does not provide audit for VM access.
A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?
Azure Firewall can inspect and log all traffic between on-premises and Azure.
Why this answer
Azure Firewall is a managed, cloud-based network security service that provides stateful inspection and logging of inbound and outbound traffic between on-premises networks and Azure, regardless of source or destination. It supports network-level and application-level (FQDN) filtering, threat intelligence-based filtering, and integrates with Azure Monitor for comprehensive logging, making it the correct choice for a Zero Trust network strategy that requires full traffic inspection and logging. The practitioner caveat is that the firewall only sees traffic that is routed through it: the standard design places it in a hub virtual network and uses user-defined routes on the spoke subnets and on the GatewaySubnet so that flows in both directions traverse the firewall rather than the VPN or ExpressRoute gateway directly, with diagnostic settings streaming the network rule, application rule and DNS proxy logs to a Log Analytics workspace.
Exam trap
The trap here is that candidates may confuse Azure Firewall with Azure Front Door or Azure Bastion, thinking that any security or access service can inspect all traffic, but only Azure Firewall provides the necessary stateful inspection and logging for all network traffic between on-premises and Azure.
How to eliminate wrong answers
Option A is wrong because Azure Front Door is a global, scalable entry point for web applications, focusing on HTTP/HTTPS load balancing and acceleration, not on inspecting and logging all network traffic between on-premises and Azure (it does not handle non-web protocols or provide stateful packet inspection). Option B is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH connectivity to virtual machines directly from the Azure portal, without exposing public IPs; it does not inspect or log general network traffic between on-premises and Azure. Option D is wrong because Azure DDoS Protection is a service that protects against distributed denial-of-service attacks by monitoring and mitigating volumetric attacks at the network layer, but it does not provide general traffic inspection or logging for all network flows.
Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?
The XDR connector ingests MDE alerts and device info; scheduled query can detect high risk.
Why this answer
The Microsoft Defender XDR connector ingests alerts from Microsoft Defender for Endpoint (MDE) into Sentinel. A Scheduled query rule is required to run a KQL query at a defined interval (e.g., every 5 minutes) that checks for devices with a 'high risk' severity level in the ingested alert data. This combination allows you to create an incident when MDE reports a device as high risk.
Exam trap
The trap here is the naming: Microsoft 365 Defender was renamed Microsoft Defender XDR, so the connector covering MDE, MDO, MDI and MDCA now carries the Defender XDR name, and the option using the old name is the distractor, leading candidates to incorrectly choose Option B.
How to eliminate wrong answers
Option A is wrong because Anomalous Activity rules use machine learning to detect unusual patterns in time-series data, not to trigger on a specific static alert severity like 'high risk' from MDE. Option B is wrong because the Microsoft 365 Defender connector is used for Microsoft 365 Defender (formerly Microsoft Threat Protection) alerts, not for MDE alerts directly; also, NRT (near-real-time) query rules are designed for low-latency scenarios but require a specific connector (Microsoft Defender XDR) for MDE data. Option D is wrong because the Microsoft Defender for Cloud connector ingests security alerts from Azure and hybrid workloads, not from MDE endpoint devices; Fusion rules correlate multiple alert types across different products, not a single static condition.
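The query below is an added example of the KQL body such a Scheduled rule would run; it is not from the question bank. It assumes the Microsoft Defender XDR connector writes MDE alerts to SecurityAlert with ProviderName "MDATP" and the device hostname in CompromisedEntity, and that the rule is scheduled every 5 minutes with a 5-minute lookback so each run sees only new alerts.

```kql
// Added example: Scheduled analytics rule query for devices with high-severity MDE alerts.
SecurityAlert
| where TimeGenerated > ago(5m)        // match the rule's run frequency to avoid re-alerting
| where ProviderName == "MDATP"        // Microsoft Defender for Endpoint
| where AlertSeverity == "High"
| where Status != "Resolved"           // ignore alerts already closed in the Defender portal
| extend DeviceName = tolower(CompromisedEntity)
| where isnotempty(DeviceName)
// one row per device so the rule creates a device-centric incident, not one per alert
| summarize AlertCount = count(),
            Alerts = make_set(AlertName, 20),
            Tactics = make_set(Tactics, 20),
            LastSeen = max(TimeGenerated)
    by DeviceName
```

In the rule settings, map DeviceName to the Host entity and enable alert grouping by entity so repeated hits on the same device land in one incident. If incident synchronization from Defender XDR is enabled, the underlying alerts already produce Microsoft-generated incidents; a scheduled rule like this is for the separate device-centric incident the question asks for, not a replacement for that sync.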
A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?
Devices must be registered to be evaluated.
Why this answer
Device registration in Entra ID (A) is required because Conditional Access policies evaluate device compliance based on the device's identity in Entra ID. Without registration, the device lacks a unique identity that Entra ID can assess for compliance status, making it impossible to enforce access controls based on device state.
Exam trap
The trap here is that candidates often confuse Configuration profiles (which apply settings) with Compliance policies (which define security requirements), leading them to incorrectly select Configuration profile instead of Compliance policy for enforcing device-based access control.
Your organization is deploying Azure SQL Managed Instance (SQL MI) with sensitive financial data. You need to design a security solution that includes data encryption at rest and in transit, threat detection, and fine-grained access control. The solution must also ensure that database administrators (DBAs) cannot access the data. What should you include?
TDE encrypts at rest; Always Encrypted prevents DBAs from seeing column data; Azure AD auth eliminates shared passwords; Defender for Cloud detects threats.
Why this answer
Your organization is designing a new application that will store sensitive customer data in Azure Cosmos DB. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. What should you configure?
Azure Cosmos DB supports CMK via Azure Key Vault.
Why this answer
Option A is correct because Azure Cosmos DB supports CMK by creating an encryption key in Azure Key Vault and associating it with the Cosmos DB account. Option B is wrong because Transparent Data Encryption (TDE) is for SQL databases, not Cosmos DB. Option C is wrong because Always Encrypted is for SQL Server.
Option D is wrong because Azure Storage Service Encryption is for storage accounts, not Cosmos DB.
A company is planning a migration to Azure and wants to ensure that their security operations center (SOC) has visibility into all Azure resources. They need to collect security logs from multiple subscriptions into a central workspace. Which Azure service should they use?
Sentinel is a SIEM that can centralize logs from multiple subscriptions.
Why this answer
Azure Sentinel (now Microsoft Sentinel) is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution designed to ingest security logs from multiple Azure subscriptions, on-premises sources, and third-party clouds into a single central Log Analytics workspace. It provides the SOC with unified visibility, threat detection, and incident response across all Azure resources, meeting the requirement for centralized security log collection.
Exam trap
The trap here is that candidates often confuse Azure Monitor (a general monitoring service) with Azure Sentinel (a SIEM), but Azure Monitor lacks the security-specific log correlation, threat intelligence, and incident response features required for a SOC's centralized security operations.
How to eliminate wrong answers
Option A is wrong because Azure Security Center (now part of Microsoft Defender for Cloud) is a cloud security posture management (CSPM) tool that provides security recommendations and threat protection, but it does not serve as a central log collection and SIEM platform for multiple subscriptions. Option B is wrong because Azure Policy is a governance service that enforces compliance rules and resource configurations, not a log aggregation or SIEM service. Option C is wrong because Azure Monitor is a monitoring service for collecting metrics, logs, and alerts from Azure resources, but it lacks the advanced SIEM capabilities (e.g., correlation rules, threat intelligence, incident management) required for a SOC's centralized security operations.
You are analyzing sign-in logs in Microsoft Sentinel. The query returns users with ResultType 50074. What does this result type indicate?
50074 indicates strong auth failure.
Why this answer
Option B is correct because ResultType 50074 indicates that strong authentication was required but the user did not pass it (e.g., MFA challenge failure or not performed). Option A is wrong because 50074 is not generic failure. Option C is wrong because 50074 is specific to strong authentication.
Option D is wrong because it's not about conditional access policy, but authentication strength.
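Because ResultType 50074 is only raised after the first factor (the password) has already been accepted, a burst of these events from an unfamiliar address means the password is in an attacker's hands and only MFA is holding. The query below is an added example, not from the question bank, that surfaces that pattern; it assumes the Microsoft Entra ID connector populates SigninLogs, where ResultType is a string column, and that five failures per user per day is a reasonable starting threshold.

```kql
// Added example: users whose MFA step keeps failing (50074), shown beside their successes
// so a forgotten phone can be told apart from MFA push fatigue or credential stuffing.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType in ("0", "50074")            // "0" = success, "50074" = MFA not passed
| summarize MfaFailures = countif(ResultType == "50074"),
            Successes   = countif(ResultType == "0"),
            FailureIps  = make_set_if(IPAddress, ResultType == "50074", 10),
            Apps        = make_set(AppDisplayName, 10),
            LastFailure = maxif(TimeGenerated, ResultType == "50074")
    by UserPrincipalName
| where MfaFailures >= 5                        // assumption: tune per environment
| order by MfaFailures desc
```

A user with many failures and no successes from the same address set is the case to escalate: reset the password and review the registered MFA methods, because the first factor has already been compromised.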
Which TWO of the following are best practices for securing Microsoft 365 tenants? (Choose two.)
Security defaults enforce common security policies like MFA.
Why this answer
Enabling security defaults provides a baseline of security. Using Conditional Access policies allows granular access control. These are best practices.
Disabling modern authentication is counterproductive. Allowing all external sharing is risky. Using basic authentication is insecure.
So the correct two are A and B.
Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?
Marking as spam in Exchange Online typically moves the email to the Junk Email folder.
Why this answer
The mail flow rule is configured to add the header 'X-CustomHeader' with the value 'Free' to emails that have 'FREE' in the subject. However, the rule also has the action 'Increase the spam confidence level (SCL) to 9', which causes Exchange Online to treat the message as high-confidence spam. With the default anti-spam policy, a message with SCL 9 is moved to the recipient's Junk Email folder; if the organization's anti-spam policy sets the high-confidence spam action to quarantine, or a mailbox rule or safe-sender entry overrides it, the outcome differs.
Therefore, the emails are not deleted, blocked, or simply have a header added; they are moved to the Junk Email folder due to the SCL increase.
Exam trap
The trap here is that candidates see the 'add a custom header' action and assume that is the only effect, overlooking that the subsequent 'increase SCL to 9' action takes precedence and causes the email to be moved to the Junk Email folder, making the header addition secondary.
How to eliminate wrong answers
Option A is wrong because the rule does not include a 'Delete the message without notifying anyone' action; it only adds a header and increases the SCL, which does not result in deletion. Option B is wrong because while the rule does add a custom header ('X-CustomHeader: Free'), this is not the final outcome—the SCL increase to 9 overrides this action by causing the message to be moved to Junk Email, so the primary effect is the junking, not just header addition. Option D is wrong because the rule does not use a 'Reject the message' action (such as with a non-delivery report or 550 status code); increasing the SCL to 9 does not block delivery but instead routes the message to the Junk Email folder.
Your organization is using Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. You need to ensure that all virtual machines in the subscriptions are monitored by Defender for Cloud and that security alerts are sent to the security operations team. You also need to enforce that any new VMs are automatically onboarded to Defender for Cloud. You have a Log Analytics workspace in the central subscription. What should you do?
Auto-provisioning at management group level ensures all subscriptions are covered and new VMs are automatically onboarded.
Why this answer
Option C is correct because enabling auto-provisioning at the management group scope ensures all VMs across subscriptions are monitored and new VMs are automatically onboarded. Option A is wrong because configuring only the workspace does not auto-provision. Option B is wrong because Azure Policy can enforce agent deployment, but auto-provisioning is simpler and more direct. Note that auto-provisioning of the Log Analytics agent (MMA) has since been retired along with the agent itself; on current tenants the equivalent is auto-provisioning of the Azure Monitor Agent, and the exam is testing the scope principle rather than the specific agent.
Option D is wrong because enabling Defender for Cloud at the subscription level does not automatically install the agent.
A healthcare organization is using Microsoft Purview to govern its data estate. They have multiple Azure Data Lake Storage accounts and Azure SQL Databases. They need to classify sensitive data such as patient health information (PHI) and apply protection automatically when data is exported from these sources to an external location. The organization also wants to prevent unauthorized users from accessing sensitive data in Azure SQL Database by using built-in security features. The compliance team requires that any access to sensitive data be logged and auditable. You need to design a solution that meets these requirements. What should you implement?
Automated classification, granular access control, and auditing.
Why this answer
Microsoft Purview can scan data sources and classify sensitive data. Sensitivity labels can be applied automatically based on classification. Azure SQL Database supports Azure AD authentication and row-level security to restrict access.
Auditing logs can be sent to Log Analytics. Option B combines all these. Option A uses Azure Information Protection (now part of Purview) but does not cover SQL access control.
Option C uses data masking, which does not prevent access. Option D uses Defender for Cloud but not data classification.
A company wants to protect sensitive email data from being exfiltrated by malicious insiders. They need a solution that can detect and block anomalous outbound email traffic in real time. Which Microsoft solution should they use?
Defender for Office 365 includes anti-phishing, anti-spam, and anomaly detection for email.
Why this answer
Microsoft Defender for Office 365 (MDO) is the correct solution because it provides real-time detection and blocking of anomalous outbound email traffic through its outbound spam filtering and anti-phishing policies. MDO uses machine learning models to analyze email sending patterns, such as sudden spikes in volume or unusual recipient domains, and can automatically quarantine or block suspicious outbound messages to prevent data exfiltration by malicious insiders.
Exam trap
The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for cloud app activity monitoring) with Defender for Office 365, which is specifically built to protect email traffic at the transport layer, including outbound anomaly detection.
How to eliminate wrong answers
Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and encrypting data at rest or in transit, but it does not provide real-time detection or blocking of anomalous outbound email traffic. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB that monitors cloud app usage and can detect anomalous behavior, but it is not designed to inspect and block outbound email traffic in real time at the email transport layer. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates and analyzes security logs for threat detection and response, but it does not natively perform real-time email traffic inspection or blocking at the mail flow level.
Refer to the exhibit. You are reviewing an ARM template for an Azure Function App. The function app uses a user-assigned managed identity and references a Key Vault secret for the storage connection string. The deployment fails because the function app cannot access the Key Vault secret. What is the most likely cause?
The identity needs an access policy to retrieve secrets from Key Vault.
Why this answer
Option A is correct because the user-assigned managed identity must have a Key Vault access policy to read secrets. Option B is wrong because the secret name is 'storage-connection', not 'storage-connection-string'. Option C is wrong because the reference syntax is correct for Key Vault references.
Option D is wrong because a custom DNS is not relevant.
Refer to the exhibit. A security architect is reviewing the network configuration of an Azure App Service app named 'finance-app'. The app needs to be accessible from a backend subnet via private endpoint. Which additional configuration is required?
A private endpoint is required for inbound private connectivity; the VNet rule alone does not enable private endpoint access.
Why this answer
The exhibit shows network ACLs with a virtual network rule allowing traffic from a subnet. However, to use private endpoint, the app must be integrated with a private endpoint resource. The 'publicNetworkAccess' is disabled, but private endpoint access requires a private endpoint resource to be created and associated with the app.
Option A is correct. Option B is wrong because IP-based SSL is unrelated to network access. Option C is wrong because a regional VNet integration provides outbound connectivity, not inbound private access.
Option D is wrong because enabling public access would defeat the purpose of private endpoint.
You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?
This leverages ID Protection's risk detections and Sentinel's automation capabilities.
Why this answer
Option C is correct because the Microsoft Entra ID Protection connector provides risk detections that can be ingested into Sentinel, and a playbook can be triggered to block the user and reset the password via the Azure AD API. Option A is incorrect because ID Protection can detect risky sign-ins, but the requirement is to use Sentinel for detection and response. Option B is incorrect because a scheduled query would be less efficient and not leverage ID Protection's risk assessments.
Option D is incorrect because custom detection rules are less accurate than ID Protection's machine learning.
Proseware, a pharmaceutical company, is deploying a new AI-powered application using Azure OpenAI Service. The application will process sensitive research data and must comply with HIPAA. The security team wants to ensure that the data sent to the Azure OpenAI endpoint is not logged or stored by Microsoft, and that access to the service is restricted to authorized users with appropriate data classification. They also need to monitor for potential data exfiltration and prompt injection attacks. What should you recommend?
Addresses data privacy, classification, and real-time exfiltration protection.
Why this answer
Option D is correct because it combines a Data Processing Addendum (DPA) to contractually prevent Microsoft from logging or storing data, Microsoft Purview Data Classification for labeling sensitive research data, and Microsoft Defender for Cloud Apps session policies to monitor and block data exfiltration. Additionally, enabling audit logging to Microsoft Sentinel provides anomaly detection for prompt injection attacks, fulfilling all HIPAA compliance and security requirements.
Exam trap
The trap here is that candidates often overlook the contractual Data Processing Addendum (DPA) as a requirement for HIPAA compliance, assuming technical controls alone suffice, and may confuse deprecated Azure Information Protection with the current Microsoft Purview solution.
How to eliminate wrong answers
Option A is wrong because default Azure OpenAI Service settings do not prevent Microsoft from logging or storing data, and Azure Policy tagging does not restrict access or monitor for data exfiltration. Option B is wrong because Azure Information Protection is deprecated in favor of Microsoft Purview, and Azure Firewall alone cannot monitor application-level data exfiltration or prompt injection. Option C is wrong because Conditional Access by IP does not prevent data logging by Microsoft, and Azure Monitor tracks usage but does not block data exfiltration or detect prompt injection attacks.
Both properties are set correctly.
Why this answer
Option D is correct because the ARM template sets 'supportsHttpsTrafficOnly' to true, which enforces HTTPS-only traffic, and 'minimumTlsVersion' to 'TLS1_2', which enforces TLS 1.2 as the minimum protocol version. These two properties together fully satisfy the security team's requirement that only HTTPS traffic is allowed and TLS 1.2 is enforced.
Exam trap
The trap here is that candidates may confuse 'defaultAction': 'Deny' in network rules with blocking all traffic, when in fact it only denies traffic that does not match an explicit allow rule, and HTTPS traffic can still be permitted through a separate rule.
How to eliminate wrong answers
Option A is wrong because 'minimumTlsVersion' should be 'TLS1_2', not 'TLS1_0', as 'TLS1_0' would allow older, less secure TLS versions. Option B is wrong because 'supportsHttpsTrafficOnly' should be true to enforce HTTPS-only traffic; setting it to false would allow HTTP traffic. Option C is wrong because 'defaultAction': 'Deny' in a network rule set does not block all traffic including HTTPS; it blocks traffic that does not match an explicit allow rule, and HTTPS traffic can still be allowed via a separate rule.
Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?
Least privilege limits access to only what is needed.
Why this answer
Option A is correct because least privilege access is a core Zero Trust principle that ensures users, devices, and services are granted only the minimum permissions necessary to perform their tasks. In Microsoft Entra ID, this is implemented through features like Privileged Identity Management (PIM), Conditional Access policies, and role-based access control (RBAC) to reduce the attack surface and limit lateral movement.
Exam trap
The trap here is that candidates often confuse 'Trust implicitly' with the legacy perimeter-based security model and select it as a valid principle, or mistakenly think a single authentication method simplifies management, but Zero Trust explicitly rejects both for continuous verification and defense-in-depth.