Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft Cybersecurity Architect practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SC-100 | Vendor: Microsoft

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy in Azure AD. The policy requires MFA and a compliant device for all users and all cloud apps. Some users report that they are able to access apps without being prompted for MFA even though their devices are compliant. What is the most likely reason?

Exhibit

```json
{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa", "compliantDevice"]
    }
  }
}
```

Question 2 (easy, multiple choice)

Refer to the exhibit. The ContosoPlatform management group has an Azure Policy assignment that denies all deployments without encryption. The App1 subscription contains a storage account that was created without encryption. Why is the storage account still non-compliant?

Exhibit

```
Name                            Type
----                            ----
ContosoRoot                     Management group
  - ContosoPlatform             Management group
    - ContosoProduction         Subscription
    - ContosoNonProduction      Subscription
  - ContosoApplication          Management group
    - App1                      Subscription
    - App2                      Subscription
```

Question 3 (medium, multiple choice)

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

Exhibit

```
$ kubectl get pods -n production
NAME                     READY   STATUS    RESTARTS   AGE
webapp-7d5b6c8b9-abc     1/1     Running   0          2d
webapp-7d5b6c8b9-def     1/1     Running   0          2d
$ kubectl get networkpolicy -n production
NAME                     POD-SELECTOR   AGE
allow-egress-dns         {}             1d
$ kubectl describe networkpolicy allow-egress-dns -n production
...
Spec:
  PodSelector: <none>
  Egress:
    To:
      - NamespaceSelector: {}
        PodSelector:
          MatchLabels:
            k8s-app: kube-dns
    Ports:
      - Port: 53
        Protocol: UDP
  PolicyTypes:
    - Egress
```

Question 4 (medium, multiple choice)

A security administrator applies the Azure Policy definition shown in the exhibit to a management group containing multiple subscriptions. After the policy is assigned, a development team reports they cannot create a new storage account in their subscription. What is the most likely cause?

Exhibit

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "equals": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Question 5 (easy, multiple choice)

Refer to the exhibit. A security administrator created this Azure Policy definition to prevent unauthorized role assignments. However, SOC analysts are unable to assign the Security Operations Contributor role to new team members. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "SecurityOperationsPolicy",
    "description": "Policy to assign Security Operations Contributor role to SOC team.",
    "metadata": {
      "category": "Security Center"
    },
    "parameters": {
      "principalId": {
        "type": "String",
        "metadata": {
          "displayName": "Principal ID"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      "then": {
        "effect": "deny",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/5cbe2b2a-1c3b-4b4d-9b4e-2b5e6f7a8c9d"
          ],
          "exemption": "deny"
        }
      }
    }
  }
}
```

Question 6 (easy, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
            "in": [
              "Standard_LRS",
              "StandardSSD_LRS"
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Question 7 (hard, multiple choice)

Refer to the exhibit. A security architect reviews the Azure AD Conditional Access policy JSON. The policy is intended to require MFA for all users accessing Azure management (Microsoft Azure Management app ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), except for the BreakGlassAdmin account and from trusted locations. However, some users report being prompted for MFA even when connecting from the corporate office (which is marked as a trusted location). What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "Require MFA for Azure management",
    "state": "Enabled",
    "conditions": {
      "userRiskLevels": [],
      "signInRiskLevels": [],
      "clientAppTypes": ["all"],
      "applications": {
        "includeApplications": ["797f4846-ba77-4853-9e6f-4433c3e1d1c5"],
        "excludeApplications": []
      },
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["BreakGlassAdmin@contoso.com"]
      },
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa"],
      "termsOfUse": [],
      "operator": "OR"
    }
  }
}
```

Question 8 (hard, multiple choice)

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

Exhibit

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
          "exists": "true"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
          "equals": "Microsoft.Azure.Security"
        }
      }
    }
  }
}
```

Question 9 (hard, multiple choice)

Refer to the exhibit. Your organization is required to comply with PCI DSS. You need to prioritize remediation efforts to meet PCI DSS requirements. Based on the exhibit, which recommendation should you address first?

Exhibit

```
Microsoft Defender for Cloud | Regulatory Compliance

Controls:
- CIS Controls v8: 16/20 passed
- ISO 27001: 42/48 passed
- NIST SP 800-53 Rev5: 85/100 passed
- PCI DSS v3.2.1: 12/15 passed
- SOC 2 Type II: 20/25 passed

Top recommendations by severity:
1. Critical: VMs should be migrated from classic to ARM (3 resources)
2. Critical: Vulnerability assessment should be enabled on SQL databases (5 resources)
3. High: MFA should be enabled on accounts with owner permissions (2 resources)
4. Medium: Diagnostic logs in Key Vault should be enabled (10 resources)
```

Question 10 (medium, multiple choice)

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. The policy is enabled but users with the Global Administrator role are not being prompted for MFA. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeRoles": ["Global Administrator"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa"]
    }
  }
}
```

Question 11 (hard, multiple choice)

Refer to the exhibit. You are analyzing an Azure PowerShell script that checks a blob property. The output of the last command returns 'False'. What does this indicate about the blob storage configuration?

Exhibit

```powershell
$storageAccount = Get-AzStorageAccount -ResourceGroupName "RG-Security" -Name "stgsecdata"
$container = Get-AzStorageContainer -Context $storageAccount.Context -Name "logs"
$containerName = $container.Name
$blob = Get-AzStorageBlob -Container $containerName -Context $storageAccount.Context -Blob "access.log"
$blob.ICloudBlob.Properties.IsAccessTimeTrackingEnabled
```

Question 12 (hard, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

```kql
SecurityAlert
| where AlertName == "Malware detected"
| extend DeviceName = tostring(CompromisedEntity)
| join kind=inner (
  DeviceInfo
  | where Timestamp > ago(7d)
  | project DeviceName, OSVersion, IsManaged
) on DeviceName
| where IsManaged == false
```

Question 13 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. Which security best practice is implemented?

Exhibit

```yaml
resourceGroup: myResourceGroup
parameters:
  - name: location
    type: string
    defaultValue: eastus
resources:
  - type: Microsoft.Storage/storageAccounts
    name: mystorageaccount
    properties:
      supportsHttpsTrafficOnly: true
      minimumTlsVersion: TLS1_2
      networkAcls:
        defaultAction: Deny
        ipRules: []
        virtualNetworkRules: []
```

Question 14 (medium, multiple choice)

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

```kql
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize FailedLogons = count() by Account, IpAddress
| where FailedLogons > 10
```

Question 15 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?

Exhibit

```json
{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": []
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```

These SC-100 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-100 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.