- A
Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.
Azure Policy can be assigned to a management group, automatically applying the desired Defender for Cloud configuration to all existing and new subscriptions within that group.
- B
Manually enable the plans for each new subscription when it is created.
Why wrong: Manual intervention is not scalable and increases the risk of human error or delay.
- C
Create an Azure Automation runbook that runs on a schedule and enables plans for all subscriptions under the management group.
Why wrong: While automation helps, a runbook must be triggered and maintained. Azure Policy provides a declarative, continuous enforcement that is more reliable.
- D
Use Azure Blueprints to define the Defender for Cloud settings in the blueprint definition.
Why wrong: Azure Blueprints can include policy assignments, but using Azure Policy directly is simpler and more direct for this scenario. Blueprints add an extra layer of complexity.
Quick Answer
The answer is to use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope. This is the most efficient and scalable approach because Azure Policy, when assigned at the management group level, automatically evaluates and remediates all current and future subscriptions under that hierarchy, ensuring every new subscription inherits the required Defender plans without manual scripting or post-creation configuration. On the SC-200 exam, this scenario tests your understanding of governance-driven automation versus manual methods like Azure CLI or ARM templates, with a common trap being the mistaken belief that enabling plans on the management group itself propagates to child subscriptions—it does not; only policy enforcement does. Remember the memory tip: "Policy at the parent, plans for the children"—assign the policy at the management group, and Defender plans auto-enable on every new subscription that joins the group.
SC-200 Practice Question: Mitigate threats using Microsoft Defender for Cloud
This SC-200 practice question tests your understanding of mitigating threats using Microsoft Defender for Cloud. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: Azure Policy enforces organizational standards and assesses compliance at scale. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans (e.g., Defender for Servers, Defender for SQL) enabled on a management group. The security team wants to automatically enable these plans on new Azure subscriptions that are created under this management group. Which approach is the most efficient and scalable?
Correct answer & explanation
Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.
Azure Policy can be assigned at the management group scope to enforce the 'Standard' pricing tier for Microsoft Defender for Cloud on all current and future subscriptions. This ensures that when a new subscription is created under that management group, the policy automatically evaluates and remediates the subscription to enable the required Defender plans, providing a fully automated, scalable, and governance-driven approach without manual intervention or custom scripting.
Key principle: Azure Policy enforces organizational standards and assesses compliance at scale.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.
Why this is correct
Azure Policy can be assigned to a management group, automatically applying the desired Defender for Cloud configuration to all existing and new subscriptions within that group.
Related concept
Azure Policy enforces organizational standards and assesses compliance at scale.
- ✗
Manually enable the plans for each new subscription when it is created.
Why it's wrong here
Manual intervention is not scalable and increases the risk of human error or delay.
- ✗
Create an Azure Automation runbook that runs on a schedule and enables plans for all subscriptions under the management group.
Why it's wrong here
While automation helps, a runbook must be triggered and maintained. Azure Policy provides a declarative, continuous enforcement that is more reliable.
- ✗
Use Azure Blueprints to define the Defender for Cloud settings in the blueprint definition.
Why it's wrong here
Azure Blueprints can include policy assignments, but using Azure Policy directly is simpler and more direct for this scenario. Blueprints add an extra layer of complexity.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse Azure Blueprints (which apply settings only at deployment time) with Azure Policy (which provides continuous enforcement and automatic remediation), leading them to choose the Blueprints option despite its lack of ongoing compliance and scalability for new subscriptions.
Trap categories for this question
Scenario analysis trap
Azure Blueprints can include policy assignments, but using Azure Policy directly is simpler and more direct for this scenario. Blueprints add an extra layer of complexity.
Detailed technical explanation
How to think about this question
Azure Policy uses the 'Microsoft.Security/pricings' resource type with the 'pricingTier' property set to 'Standard' to enforce Defender plans. When combined with a 'deployIfNotExists' or 'modify' effect, the policy can automatically remediate non-compliant subscriptions by enabling the plans via a managed identity. This approach leverages Azure's built-in compliance engine, which continuously evaluates and remediates resources, ensuring that even subscriptions created outside of normal provisioning pipelines are automatically secured.
Key Concepts to Remember
- Azure Policy enforces organizational standards and assesses compliance at scale.
- Policies can be assigned at various scopes, including management groups, subscriptions, and resource groups.
- The 'Microsoft Defender for Cloud pricing tier' policy definition controls the enablement of enhanced security plans.
- Policies can have 'DeployIfNotExists' or 'Modify' effects to automatically remediate non-compliant resources.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Azure Policy enforces organizational standards and assesses compliance at scale.
Real-world example
How this comes up in practice
A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.
FAQ
Questions learners often ask
What does this SC-200 question test?
This question tests Mitigate threats using Microsoft Defender for Cloud: Azure Policy enforces organizational standards and assesses compliance at scale.
What is the correct answer to this question?
The correct answer is: Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope. — Azure Policy can be assigned at the management group scope to enforce the 'Standard' pricing tier for Microsoft Defender for Cloud on all current and future subscriptions. This ensures that when a new subscription is created under that management group, the policy automatically evaluates and remediates the subscription to enable the required Defender plans, providing a fully automated, scalable, and governance-driven approach without manual intervention or custom scripting.
What should I do if I get this SC-200 question wrong?
Review how Azure Policy enforces organizational standards and assesses compliance at scale, then practise related SC-200 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Azure Policy enforces organizational standards and assesses compliance at scale.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
1 more way this is tested on SC-200
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans enabled. They want to automatically enable the Defender for Cloud plans on new Azure subscriptions that are created under their management group. Which approach should they use?
Difficulty: medium
- ✓ A. Assign the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' at the management group level.
- B. Configure 'Continuous export' settings in Defender for Cloud to export policies to Log Analytics for each subscription.
- C. Set the default security policies at the management group level in Defender for Cloud's environment settings.
- D. Enable 'Auto provisioning' for the Log Analytics agent in Defender for Cloud.
Why A: Option A is correct because the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' is designed to be assigned at a management group scope, automatically enabling all Defender for Cloud plans on new subscriptions as they are created under that management group. This leverages Azure Policy's compliance evaluation and remediation tasks to enforce the security plans across the entire hierarchy without manual intervention.
Last reviewed: Jun 11, 2026