SC-100 · topic practice

Design solutions that align with security best practices and priorities practice questions

Practise Microsoft Cybersecurity Architect Design solutions that align with security best practices and priorities practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Design solutions that align with security best practices and priorities

What the exam tests

What to know about Design solutions that align with security best practices and priorities

Design solutions that align with security best practices and priorities questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Design solutions that align with security best practices and priorities exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design solutions that align with security best practices and priorities questions

20 questions · select your answer, then reveal the explanation

Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?

Question 2hardmultiple choice
Read the full NAT/PAT explanation →

A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?

Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

Exhibit

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
          "exists": "true"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
          "equals": "Microsoft.Azure.Security"
        }
      }
    }
  }
}

Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?

You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?

Refer to the exhibit. Your organization is required to comply with PCI DSS. You need to prioritize remediation efforts to meet PCI DSS requirements. Based on the exhibit, which recommendation should you address first?

Exhibit

Microsoft Defender for Cloud | Regulatory Compliance

Controls:
- CIS Controls v8: 16/20 passed
- ISO 27001: 42/48 passed
- NIST SP 800-53 Rev5: 85/100 passed
- PCI DSS v3.2.1: 12/15 passed
- SOC 2 Type II: 20/25 passed

Top recommendations by severity:
1. Critical: VMs should be migrated from classic to ARM (3 resources)
2. Critical: Vulnerability assessment should be enabled on SQL databases (5 resources)
3. High: MFA should be enabled on accounts with owner permissions (2 resources)
4. Medium: Diagnostic logs in Key Vault should be enabled (10 resources)

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant with your organization's security policies are blocked from accessing corporate resources. Which Intune feature should you configure?

Your security team needs to receive alerts when a user is assigned a privileged role in Microsoft Entra ID. Which service should you use to create an alert for privileged role assignments?

Which TWO actions should you take to implement a defense-in-depth strategy for an Azure application? (Choose two.)

Which THREE Microsoft security solutions can be used to detect and respond to threats across hybrid cloud environments? (Choose three.)

Which TWO of the following are best practices for securing Microsoft 365 tenants? (Choose two.)

Which THREE components are part of the Microsoft Zero Trust architecture? (Choose three.)

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster. You need to ensure that only authorized images from a specific container registry can be deployed. Which Azure Policy definition should you use?

Refer to the exhibit. You are reviewing an ARM template for a storage account. The security team has mandated that all storage accounts must enforce HTTPS traffic and use TLS 1.2 or higher. Which two changes must be made to the template to comply? (Choose two.)

Exhibit

{
  "properties": {
    "templateLink": null,
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2021-02-01",
          "name": "[parameters('storageName')]",
          "location": "[resourceGroup().location]",
          "sku": {
            "name": "Standard_GRS"
          },
          "kind": "StorageV2",
          "properties": {
            "minimumTlsVersion": "TLS1_0",
            "supportsHttpsTrafficOnly": false
          }
        }
      ]
    }
  }
}

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust security model. You need to ensure that all access requests to corporate applications are continuously evaluated based on user risk, device compliance, and location. Which Microsoft Entra ID feature should you configure?

Your enterprise uses Microsoft Defender for Cloud to secure a hybrid cloud environment spanning Azure and AWS. You need to design a solution that prioritizes remediation of the most critical vulnerabilities across both clouds based on Common Vulnerability Scoring System (CVSS) scores, exploitability, and business impact. Which Defender for Cloud feature should you use?

Your organization is adopting Microsoft Purview to classify and protect sensitive data in Microsoft 365. You need to ensure that documents containing credit card numbers are automatically detected and encrypted when shared externally. What should you configure?

Your company is deploying Microsoft Defender XDR and wants to use automated investigation and response (AIR) to remediate confirmed threats. However, you need to ensure that high-impact actions like deleting email messages or isolating devices require manual approval from the security operations team. Which configuration should you set?

Your organization is migrating on-premises applications to Azure and needs to secure secrets (database connection strings, API keys) used by these applications. You are required to rotate secrets automatically without downtime. Which Azure service should you use?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Design solutions that align with security best practices and priorities sessions

Start a Design solutions that align with security best practices and priorities only practice session

Every question in these sessions is drawn from the Design solutions that align with security best practices and priorities domain — nothing else.

Related practice questions

Related SC-100 topic practice pages

Move into related areas when this topic feels solid.

Design solutions that align with security best practices and priorities practice questions

Practise SC-100 questions linked to Design solutions that align with security best practices and priorities.

Design security operations, identity, and compliance capabilities practice questions

Practise SC-100 questions linked to Design security operations, identity, and compliance capabilities.

Design security solutions for infrastructure practice questions

Practise SC-100 questions linked to Design security solutions for infrastructure.

Design a Zero Trust strategy and architecture practice questions

Practise SC-100 questions linked to Design a Zero Trust strategy and architecture.

Design security solutions for applications and data practice questions

Practise SC-100 questions linked to Design security solutions for applications and data.

Evaluate GRC and security operations strategies practice questions

Practise SC-100 questions linked to Evaluate GRC and security operations strategies.

Design security for infrastructure practice questions

Practise SC-100 questions linked to Design security for infrastructure.

Design a strategy for data and applications practice questions

Practise SC-100 questions linked to Design a strategy for data and applications.

Recommend security best practices and priorities practice questions

Practise SC-100 questions linked to Recommend security best practices and priorities.

SC-100 fundamentals practice questions

Practise SC-100 questions linked to SC-100 fundamentals.

SC-100 scenario practice questions

Practise SC-100 questions linked to SC-100 scenario.

SC-100 troubleshooting practice questions

Practise SC-100 questions linked to SC-100 troubleshooting.

Frequently asked questions

What does the SC-100 exam test about Design solutions that align with security best practices and priorities?
Design solutions that align with security best practices and priorities questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design solutions that align with security best practices and priorities questions in a focused session?
Yes — the session launcher on this page draws every question from the Design solutions that align with security best practices and priorities domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-100 topics?
Use the topic links above to move to related areas, or go back to the SC-100 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-100 exam covers. They are not copied from any real exam or dump site.