SC-100 · topic practice

Recommend security best practices and priorities practice questions

Practise Microsoft Cybersecurity Architect Recommend security best practices and priorities practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Recommend security best practices and priorities

What the exam tests

What to know about Recommend security best practices and priorities

Recommend security best practices and priorities questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Recommend security best practices and priorities exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Recommend security best practices and priorities questions

20 questions · select your answer, then reveal the explanation

A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?

A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?

A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?

A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?

A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?

A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?

A company is using Azure Active Directory (Azure AD) for identity management. They want to implement a policy that requires all users to use multi-factor authentication (MFA) when accessing Office 365 from outside the corporate network. Which conditional access policy setting should they configure?

A company is planning a migration to Azure and wants to ensure that their security operations center (SOC) has visibility into all Azure resources. They need to collect security logs from multiple subscriptions into a central workspace. Which Azure service should they use?

Which TWO of the following are best practices for securing Azure Kubernetes Service (AKS)?

Which THREE of the following are key components of a defense-in-depth strategy?

Which TWO of the following are true about Azure Policy initiatives?

Refer to the exhibit. A company creates this Azure Policy definition and assigns it to a subscription. A developer attempts to create a storage account with blob encryption enabled. The creation fails. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
          "notEquals": true
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Refer to the exhibit. The ContosoPlatform management group has an Azure Policy assignment that denies all deployments without encryption. The App1 subscription contains a storage account that was created without encryption. Why is the storage account still non-compliant?

Exhibit

Refer to the exhibit.

```
Name                            Type
----                            ----
ContosoRoot                     Management group
  - ContosoPlatform             Management group
    - ContosoProduction         Subscription
    - ContosoNonProduction      Subscription
  - ContosoApplication          Management group
    - App1                      Subscription
    - App2                      Subscription
```
Question 14hardmultiple choice
Read the full NAT/PAT explanation →

You are the lead security architect for a multinational corporation that recently completed a merger. The new entity, Contoso Ltd., has a complex Azure environment with over 200 subscriptions spread across multiple management groups. The company's security team has identified several critical issues: (1) many subscriptions have Azure Security Center's Secure Score below 30%, (2) there are numerous unmanaged VMs with public IP addresses, (3) there is no centralized logging for security events, and (4) identity management is fragmented with multiple Azure AD tenants. The CEO mandates a 'zero-trust' security posture within 12 months. You have a limited budget and must prioritize the most impactful actions. Which course of action should you take first?

A company is deploying Microsoft Defender for Cloud to protect a multi-cloud environment that includes Azure and AWS. The security team wants to prioritize the highest-risk recommendations. Which feature should they use to identify and focus on the most critical security issues?

Question 16hardmultiple choice
Read the full NAT/PAT explanation →

A financial services organization is designing a zero-trust architecture for its Azure environment. They need to ensure that all administrative access to critical systems uses just-in-time (JIT) access and that privileged role assignments are time-bound. Which combination of Microsoft security best practices should they implement?

A company uses Azure DevOps for CI/CD. The security team wants to ensure that secrets like API keys and connection strings are never stored in code repositories. Which best practice should they recommend?

A large enterprise is implementing Microsoft Defender for Cloud to improve their security posture. Which TWO actions should they take to prioritize and remediate security recommendations effectively? (Choose two.)

Refer to the exhibit. A security architect reviews the Azure AD Conditional Access policy JSON. The policy is intended to require MFA for all users accessing Azure management (Microsoft Azure Management app ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), except for the BreakGlassAdmin account and from trusted locations. However, some users report being prompted for MFA even when connecting from the corporate office (which is marked as a trusted location). What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Require MFA for Azure management",
    "state": "Enabled",
    "conditions": {
      "userRiskLevels": [],
      "signInRiskLevels": [],
      "clientAppTypes": ["all"],
      "applications": {
        "includeApplications": ["797f4846-ba77-4853-9e6f-4433c3e1d1c5"],
        "excludeApplications": []
      },
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["BreakGlassAdmin@contoso.com"]
      },
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa"],
      "termsOfUse": [],
      "operator": "OR"
    }
  }
}
```
Question 20hardmultiple choice
Read the full NAT/PAT explanation →

You are the security architect for a multinational corporation that uses Azure Active Directory (Azure AD) and Microsoft 365. The company has recently experienced a security incident where a compromised user account was used to access sensitive data from a legacy application that does not support modern authentication. To mitigate this risk, you have been asked to recommend a set of security best practices and priorities. The environment includes 50,000 users, 200 applications (many legacy), and a hybrid identity setup with Active Directory Domain Services (AD DS) synchronized to Azure AD via Azure AD Connect. The security team wants to reduce the attack surface, enforce least privilege, and improve identity protection. Current issues include: (1) many users have standing admin privileges on workstations, (2) legacy apps use shared service accounts with weak passwords, (3) Conditional Access policies are not applied consistently, and (4) there is no process for reviewing privileged role assignments. Which course of action should you recommend as the highest priority?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Recommend security best practices and priorities sessions

Start a Recommend security best practices and priorities only practice session

Every question in these sessions is drawn from the Recommend security best practices and priorities domain — nothing else.

Related practice questions

Related SC-100 topic practice pages

Move into related areas when this topic feels solid.

Design solutions that align with security best practices and priorities practice questions

Practise SC-100 questions linked to Design solutions that align with security best practices and priorities.

Design security operations, identity, and compliance capabilities practice questions

Practise SC-100 questions linked to Design security operations, identity, and compliance capabilities.

Design security solutions for infrastructure practice questions

Practise SC-100 questions linked to Design security solutions for infrastructure.

Design a Zero Trust strategy and architecture practice questions

Practise SC-100 questions linked to Design a Zero Trust strategy and architecture.

Design security solutions for applications and data practice questions

Practise SC-100 questions linked to Design security solutions for applications and data.

Evaluate GRC and security operations strategies practice questions

Practise SC-100 questions linked to Evaluate GRC and security operations strategies.

Design security for infrastructure practice questions

Practise SC-100 questions linked to Design security for infrastructure.

Design a strategy for data and applications practice questions

Practise SC-100 questions linked to Design a strategy for data and applications.

Recommend security best practices and priorities practice questions

Practise SC-100 questions linked to Recommend security best practices and priorities.

SC-100 fundamentals practice questions

Practise SC-100 questions linked to SC-100 fundamentals.

SC-100 scenario practice questions

Practise SC-100 questions linked to SC-100 scenario.

SC-100 troubleshooting practice questions

Practise SC-100 questions linked to SC-100 troubleshooting.

Frequently asked questions

What does the SC-100 exam test about Recommend security best practices and priorities?
Recommend security best practices and priorities questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Recommend security best practices and priorities questions in a focused session?
Yes — the session launcher on this page draws every question from the Recommend security best practices and priorities domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-100 topics?
Use the topic links above to move to related areas, or go back to the SC-100 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-100 exam covers. They are not copied from any real exam or dump site.