Quick Answer

The answer is to configure Azure App Service authentication to use Azure AD and create a Conditional Access policy in Microsoft Entra ID that requires MFA and restricts IP ranges. This combination works because App Service authentication delegates user identity verification to Azure AD, while Conditional Access acts as the policy engine that enforces both MFA and IP-based restrictions at the authentication layer, not the network layer. On the Microsoft Cybersecurity Architect exam, this scenario tests your ability to distinguish between identity-centric controls (Conditional Access) and network-centric controls (NSGs, Azure Firewall), a common trap where candidates mistakenly choose network security groups or Azure Firewall for IP restrictions. Remember that App Service runs in a multitenant environment, so IP restrictions must be enforced through Conditional Access policies rather than traditional network security tools. A useful memory tip is "Auth + Policy, not Firewall or NSG" — authentication and conditional access handle user access, while network controls handle infrastructure traffic.

SC-100 Practice Question: Design security solutions for applications and data

This SC-100 practice question tests your understanding of design security solutions for applications and data. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are designing a secure access strategy for Azure App Service web applications. The requirements are: use Azure AD for authentication, restrict access to specific IP ranges, and require multi-factor authentication (MFA) for all users. Which two components should you configure? (Choose two.)

Question 1 (hard, multi select)

Correct answer & explanation

Configure Azure App Service authentication with Microsoft Entra ID

Options B and C are correct because Azure App Service authentication can be configured to use Azure AD, and Conditional Access policies can enforce MFA and IP restrictions. Option A is wrong because app registration is part of the setup but not a direct component for access control. Option D is wrong because network security groups are for virtual networks, not App Service. Option E is wrong because Azure Firewall is for network traffic, not user authentication.

Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Apply a network security group (NSG) to the App Service subnet

    Why it's wrong here

    NSGs are not directly applied to App Service; access restrictions are configured in the App Service plan.

  • Configure Azure App Service authentication with Microsoft Entra ID

    Why this is correct

    This enables Azure AD as the identity provider.

    Related concept

    CIDR notation defines the prefix length.

  • Create a Conditional Access policy in Microsoft Entra ID that requires MFA and restricts IP ranges

    Why this is correct

    Conditional Access can enforce MFA and location-based policies.

    Related concept

    CIDR notation defines the prefix length.

  • Deploy Azure Firewall to filter inbound traffic

    Why it's wrong here

    Azure Firewall is for network-level filtering, not user authentication.

  • Register the application in Microsoft Entra ID

    Why it's wrong here

    Registration is a prerequisite but does not enforce MFA or IP restrictions.

Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

Key Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

Exam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related SC-100 subnetting questions on CIDR, address ranges, and subnet selection.

Same concept, more angles

1 more way this is tested on SC-100

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Your organization, Adatum, is migrating its on-premises applications to Azure. The applications include a legacy .NET Framework web app that uses Windows authentication and a modern ASP.NET Core API that uses OAuth 2.0. You need to design a secure solution for these applications using Azure App Service. The security requirements include: (1) enforce HTTPS only, (2) restrict access to the web app based on the user's corporate identity, (3) allow the API to access an Azure SQL Database using a managed identity. Which of the following is the correct design?

Difficulty: easy

  • A. Configure the web app to use Windows authentication via Azure AD Domain Services, and the API to use SQL authentication with a managed identity.
  • B. Configure the web app to use Microsoft Entra ID authentication with a built-in policy, and the API to use a connection string with a username and password.
  • C. Configure the web app to require client certificates for authentication, and the API to use a connection string with SQL authentication.
  • D. Configure both apps to enforce HTTPS only, configure the web app to use Microsoft Entra ID authentication, and configure the API to use a system-assigned managed identity to access Azure SQL Database.

Why D: Option D is correct because it meets all requirements: HTTPS only enforced, Microsoft Entra ID authentication for the web app, and managed identity for the API to access SQL Database. Option A is wrong because client certificates do not provide user-level authentication. Option B is wrong because the API should use managed identity, not connection strings. Option C is wrong because SQL authentication is less secure and does not use managed identity.

Last reviewed: Jun 21, 2026
