SC-100 · topic practice

Design security solutions for infrastructure practice questions

Practise Microsoft Cybersecurity Architect Design security solutions for infrastructure practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Design security solutions for infrastructure

What the exam tests

What to know about Design security solutions for infrastructure

Design security solutions for infrastructure questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Design security solutions for infrastructure exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design security solutions for infrastructure questions

20 questions · select your answer, then reveal the explanation

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy accomplish?

Exhibit

{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "properties.destinationPortRange",
          "notIn": ["22", "3389"]
        }
      }
    }
  }
}

Refer to the exhibit. You need to ensure that the storage account 'seccorpstorage' is only accessible from a specific Azure virtual network. What should you do?

Exhibit

Storage account name: seccorpstorage
Property: publicNetworkAccess = Disabled
Property: defaultAction = Deny
Property: networkRules.defaultAction = Deny
Property: networkRules.ipRules = []
Property: networkRules.virtualNetworkRules = []

Refer to the exhibit. You are deploying an ARM template for a network security group. What is the security implication of this configuration?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "nsg-frontend",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTPS",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "443",
              "sourceAddressPrefix": "Internet",
              "destinationAddressPrefix": "10.0.1.0/24",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved applications can run on corporate devices. Which Intune feature should you configure?

You need to design a solution to protect Azure VMs from malware and vulnerabilities. Which Microsoft service should you use?

Question 12hardmultiple choice
Read the full DNS explanation →

Your company uses Azure Firewall to filter outbound traffic from a virtual network. You need to allow only HTTP and HTTPS traffic to specific FQDNs, while blocking all other outbound traffic. Which Azure Firewall rule type should you use?

You are designing a secure hybrid network connectivity solution between an on-premises datacenter and Azure. The requirement is to have encrypted traffic and high availability. Which service should you use?

You need to ensure that Azure SQL Database always encrypts data at rest and in transit. Which features should you enable?

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed compromise of a domain controller by isolating the affected VM. Which automation feature should you use?

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts using pass-the-hash attacks. Which data source should you prioritize for ingestion?

Question 17hardmultiple choice
Read the full VPN explanation →

Your company is designing a Zero Trust network for a hybrid workforce. Remote users connect via VPN to on-premises resources, while cloud apps use Microsoft Entra ID. You need to enforce conditional access based on device compliance and user risk. Which Microsoft security solution should you integrate with Entra ID to provide real-time device posture signals?

You are designing a secure infrastructure for an e-commerce platform hosted on Azure. The platform must meet PCI DSS compliance. Which Azure service should you use to centrally manage and monitor security policies across subscriptions?

Question 19mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation uses Microsoft Entra ID with hybrid identities. They need to design a solution that automatically remediates risky sign-ins without user intervention. Which feature should you enable?

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Sentinel when a Defender XDR alert fires. Which integration should you configure?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Design security solutions for infrastructure sessions

Start a Design security solutions for infrastructure only practice session

Every question in these sessions is drawn from the Design security solutions for infrastructure domain — nothing else.

Related practice questions

Related SC-100 topic practice pages

Move into related areas when this topic feels solid.

Design solutions that align with security best practices and priorities practice questions

Practise SC-100 questions linked to Design solutions that align with security best practices and priorities.

Design security operations, identity, and compliance capabilities practice questions

Practise SC-100 questions linked to Design security operations, identity, and compliance capabilities.

Design security solutions for infrastructure practice questions

Practise SC-100 questions linked to Design security solutions for infrastructure.

Design a Zero Trust strategy and architecture practice questions

Practise SC-100 questions linked to Design a Zero Trust strategy and architecture.

Design security solutions for applications and data practice questions

Practise SC-100 questions linked to Design security solutions for applications and data.

Evaluate GRC and security operations strategies practice questions

Practise SC-100 questions linked to Evaluate GRC and security operations strategies.

Design security for infrastructure practice questions

Practise SC-100 questions linked to Design security for infrastructure.

Design a strategy for data and applications practice questions

Practise SC-100 questions linked to Design a strategy for data and applications.

Recommend security best practices and priorities practice questions

Practise SC-100 questions linked to Recommend security best practices and priorities.

SC-100 fundamentals practice questions

Practise SC-100 questions linked to SC-100 fundamentals.

SC-100 scenario practice questions

Practise SC-100 questions linked to SC-100 scenario.

SC-100 troubleshooting practice questions

Practise SC-100 questions linked to SC-100 troubleshooting.

Frequently asked questions

What does the SC-100 exam test about Design security solutions for infrastructure?
Design security solutions for infrastructure questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design security solutions for infrastructure questions in a focused session?
Yes — the session launcher on this page draws every question from the Design security solutions for infrastructure domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-100 topics?
Use the topic links above to move to related areas, or go back to the SC-100 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-100 exam covers. They are not copied from any real exam or dump site.