SC-100 · topic practice

Design a Zero Trust strategy and architecture practice questions

Practise Microsoft Cybersecurity Architect Design a Zero Trust strategy and architecture practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
12 questions · Domain: Design a Zero Trust strategy and architecture

What the exam tests

What to know about Design a Zero Trust strategy and architecture

Design a Zero Trust strategy and architecture questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Design a Zero Trust strategy and architecture exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design a Zero Trust strategy and architecture questions

12 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?

An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?

A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?

A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?

A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)

A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)

Refer to the exhibit. You are reviewing a Conditional Access policy in Azure AD. The policy requires MFA and a compliant device for all users and all cloud apps. Some users report that they are able to access apps without being prompted for MFA even though their devices are compliant. What is the most likely reason?

Exhibit

{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa", "compliantDevice"]
    }
  }
}

A company, Fabrikam, has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. They have implemented a Zero Trust strategy that includes requiring multi-factor authentication (MFA) for all users accessing cloud applications. They use Conditional Access policies to enforce MFA. Recently, they noticed that users who authenticate from the on-premises network are not being prompted for MFA when accessing cloud apps, even though the Conditional Access policy is configured to require MFA for all users. The network location is not excluded in the policy. The Conditional Access policy is enabled and in 'Enforce' mode. The users' devices are not domain-joined. What is the most likely reason for this behavior?

Order the steps to implement a Microsoft Sentinel data connector for Azure Active Directory logs.

Question 10 · medium · drag order

Order the steps to implement Azure AD Privileged Identity Management (PIM) for a role.


Match each Azure security capability to its primary purpose.


SIEM and SOAR

Cloud security posture management

Risk-based conditional access

Manage secrets, keys, and certificates

Mitigate distributed denial-of-service attacks

Match each Azure security benchmark control to its category.


Control category for authentication and authorization

Control category for network segmentation and filtering

Control category for encryption and data classification

Control category for audit logs and alerts

Control category for detection and response processes


Focused Design a Zero Trust strategy and architecture sessions

Start a Design a Zero Trust strategy and architecture only practice session

Every question in these sessions is drawn from the Design a Zero Trust strategy and architecture domain — nothing else.

Related practice questions

Related SC-100 topic practice pages

Move into related areas when this topic feels solid.

Design solutions that align with security best practices and priorities practice questions

Practise SC-100 questions linked to Design solutions that align with security best practices and priorities.

Design security operations, identity, and compliance capabilities practice questions

Practise SC-100 questions linked to Design security operations, identity, and compliance capabilities.

Design security solutions for infrastructure practice questions

Practise SC-100 questions linked to Design security solutions for infrastructure.

Design a Zero Trust strategy and architecture practice questions

Practise SC-100 questions linked to Design a Zero Trust strategy and architecture.

Design security solutions for applications and data practice questions

Practise SC-100 questions linked to Design security solutions for applications and data.

Evaluate GRC and security operations strategies practice questions

Practise SC-100 questions linked to Evaluate GRC and security operations strategies.

Design security for infrastructure practice questions

Practise SC-100 questions linked to Design security for infrastructure.

Design a strategy for data and applications practice questions

Practise SC-100 questions linked to Design a strategy for data and applications.

Recommend security best practices and priorities practice questions

Practise SC-100 questions linked to Recommend security best practices and priorities.

SC-100 fundamentals practice questions

Practise SC-100 questions linked to SC-100 fundamentals.

SC-100 scenario practice questions

Practise SC-100 questions linked to SC-100 scenario.

SC-100 troubleshooting practice questions

Practise SC-100 questions linked to SC-100 troubleshooting.

Frequently asked questions

What does the SC-100 exam test about Design a Zero Trust strategy and architecture?
Design a Zero Trust strategy and architecture questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design a Zero Trust strategy and architecture questions in a focused session?
Yes — the session launcher on this page draws every question from the Design a Zero Trust strategy and architecture domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-100 topics?
Use the topic links above to move to related areas, or go back to the SC-100 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-100 exam covers. They are not copied from any real exam or dump site.