Mitigate threats using Microsoft Defender for Cloud · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope. This is the most efficient and scalable approach because Azure Policy, when assigned at the management group level, automatically evaluates and remediates all current and future subscriptions under that hierarchy, ensuring every new subscription inherits the required Defender plans without manual scripting or post-creation configuration. On the SC-200 exam, this scenario tests your understanding of governance-driven automation versus manual methods like Azure CLI or ARM templates, with a common trap being the mistaken belief that enabling plans on the management group itself propagates to child subscriptions—it does not; only policy enforcement does. Remember the memory tip: "Policy at the parent, plans for the children"—assign the policy at the management group, and Defender plans auto-enable on every new subscription that joins the group.

SC-200 Practice Question: Mitigate threats using Microsoft Defender for Cloud

This SC-200 practice question tests your understanding of the objective "Mitigate threats using Microsoft Defender for Cloud". Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: Azure Policy enforces organizational standards and assesses compliance at scale. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans (e.g., Defender for Servers, Defender for SQL) enabled on a management group. The security team wants to automatically enable these plans on new Azure subscriptions that are created under this management group. Which approach is the most efficient and scalable?


Correct answer & explanation

Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.

Azure Policy can be assigned at the management group scope to enforce the 'Standard' pricing tier for Microsoft Defender for Cloud on all current and future subscriptions. This ensures that when a new subscription is created under that management group, the policy automatically evaluates and remediates the subscription to enable the required Defender plans, providing a fully automated, scalable, and governance-driven approach without manual intervention or custom scripting.

Key principle: Azure Policy enforces organizational standards and assesses compliance at scale.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.

    Why this is correct

    Azure Policy can be assigned to a management group, automatically applying the desired Defender for Cloud configuration to all existing and new subscriptions within that group.

    Related concept

    Azure Policy enforces organizational standards and assesses compliance at scale.

  • Manually enable the plans for each new subscription when it is created.

    Why it's wrong here

    Manual intervention is not scalable and increases the risk of human error or delay.

  • Create an Azure Automation runbook that runs on a schedule and enables plans for all subscriptions under the management group.

    Why it's wrong here

    While automation helps, a runbook must be triggered and maintained. Azure Policy provides a declarative, continuous enforcement that is more reliable.

  • Use Azure Blueprints to define the Defender for Cloud settings in the blueprint definition.

    Why it's wrong here

    Azure Blueprints can include policy assignments, but using Azure Policy directly is simpler and more direct for this scenario. Blueprints add an extra layer of complexity.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Azure Blueprints (which apply settings only at deployment time) with Azure Policy (which provides continuous enforcement and automatic remediation), leading them to choose the Blueprints option despite its lack of ongoing compliance and scalability for new subscriptions.

Trap categories for this question

  • Scenario analysis trap

    Azure Blueprints can include policy assignments, but using Azure Policy directly is simpler and more direct for this scenario. Blueprints add an extra layer of complexity.

Detailed technical explanation

How to think about this question

Azure Policy uses the 'Microsoft.Security/pricings' resource type with the 'pricingTier' property set to 'Standard' to enforce Defender plans. When combined with a 'deployIfNotExists' or 'modify' effect, the policy can automatically remediate non-compliant subscriptions by enabling the plans via a managed identity. This approach leverages Azure's built-in compliance engine, which continuously evaluates and remediates resources, ensuring that even subscriptions created outside of normal provisioning pipelines are automatically secured.

Key Concepts to Remember

  • Azure Policy enforces organizational standards and assesses compliance at scale.
  • Policies can be assigned at various scopes, including management groups, subscriptions, and resource groups.
  • The 'Microsoft Defender for Cloud pricing tier' policy definition controls the enablement of enhanced security plans.
  • Policies can have 'DeployIfNotExists' or 'Modify' effects to automatically remediate non-compliant resources.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Azure Policy enforces organizational standards and assesses compliance at scale.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Review the key principle (Azure Policy enforces organizational standards and assesses compliance at scale), then practise related SC-200 questions on the same topic to reinforce the concept.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on SC-200

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans enabled. They want to automatically enable the Defender for Cloud plans on new Azure subscriptions that are created under their management group. Which approach should they use?

medium
  • A. Assign the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' at the management group level.
  • B. Configure 'Continuous export' settings in Defender for Cloud to export policies to Log Analytics for each subscription.
  • C. Set the default security policies at the management group level in Defender for Cloud's environment settings.
  • D. Enable 'Auto provisioning' for the Log Analytics agent in Defender for Cloud.

Why A: Option A is correct because the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' is designed to be assigned at a management group scope, automatically enabling all Defender for Cloud plans on new subscriptions as they are created under that management group. This leverages Azure Policy's compliance evaluation and remediation tasks to enforce the security plans across the entire hierarchy without manual intervention.

Last reviewed: Jun 11, 2026
