Weekend Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

SC-100 Microsoft Cybersecurity Architect Questions and Answers

Questions 4

You are evaluating the security of ClaimsApp.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE; Each correct selection is worth one point.

SC-100 Question 4

Options:

Buy Now
Questions 5

You need to recommend a solution to resolve the virtual machine issue. What should you include in the recommendation? (Choose Two)

Options:

A.

Onboard the virtual machines to Microsoft Defender for Endpoint.

B.

Onboard the virtual machines to Azure Arc.

C.

Create a device compliance policy in Microsoft Endpoint Manager.

D.

Enable the Qualys scanner in Defender for Cloud.

Buy Now
Questions 6

You need to recommend a solution to meet the requirements for connections to ClaimsDB.

What should you recommend using for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 6

Options:

Buy Now
Questions 7

You need to recommend a solution to meet the security requirements for the InfraSec group.

What should you use to delegate the access?

Options:

A.

a subscription

B.

a custom role-based access control (RBAC) role

C.

a resource group

D.

a management group

Buy Now
Questions 8

You need to recommend a solution to meet the security requirements for the virtual machines.

What should you include in the recommendation?

Options:

A.

an Azure Bastion host

B.

a network security group (NSG)

C.

just-in-time (JIT) VM access

D.

Azure Virtual Desktop

Buy Now
Questions 9

You need to recommend a solution to meet the compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 9

Options:

Buy Now
Questions 10

You need to recommend a solution to meet the AWS requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 10

Options:

Buy Now
Questions 11

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.

The customer discovers that several endpoints are infected with malware.

The customer suspends access attempts from the infected endpoints.

The malware is removed from the end point.

Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options:

A.

Microsoft Defender for Endpoint reports the endpoints as compliant.

B.

Microsoft Intune reports the endpoints as compliant.

C.

A new Azure Active Directory (Azure AD) Conditional Access policy is enforced.

D.

The client access tokens are refreshed.

Buy Now
Questions 12

Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.

You need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attach surface.

What should you include in the recommendation?

Options:

A.

Azure Firewall Premium

B.

Azure Application Gateway Web Application Firewall (WAF)

C.

network security groups (NSGs)

D.

Azure Traffic Manager and application security groups

Buy Now
Questions 13

Your company has an on-premise network in Seattle and an Azure subscription. The on-premises network contains a Remote Desktop server.

The company contracts a third-party development firm from France to develop and deploy resources to the virtual machines hosted in the Azure subscription.

Currently, the firm establishes an RDP connection to the Remote Desktop server. From the Remote Desktop connection, the firm can access the virtual machines hosted in Azure by using custom administrative tools installed on the Remote Desktop server. All the traffic to the Remote Desktop server is captured by a firewall, and the firewall only allows specific connections from France to the server.

You need to recommend a modern security solution based on the Zero Trust model. The solution must minimize latency tor developers.

Which three actions should you recommend? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options:

A.

Configure network security groups (NSGs) to allow access from only specific logical groupings of IP address ranges.

B.

Implement Azure Firewall to restrict host pool outbound access.

C.

Configure Azure Active Directory (Azure AD) Conditional Access with multi-factor authentication (MFA) and named locations.

D.

Migrate from the Remote Desktop server to Azure Virtual Desktop.

E.

Deploy a Remote Desktop server to an Azure region located in France.

Buy Now
Questions 14

You have multiple Azure subscriptions that each contains multiple resource groups.

You need to identify the privileged role assignments in each subscription and any associated security risks. The solution must minimize administrative effort.

What should you use?

Options:

A.

The Analytics dashboard in Microsoft Entra Permissions Management

B.

access reviews in Microsoft Entra ID Identity Governance

C.

access reviews in Privileged Identity Management (PIM)

D.

Microsoft Defender External Attack Surface Management (Defender EASM) discovery

Buy Now
Questions 15

You have a Microsoft 365 E5 subscription. The subscription contains 1,000 devices that run Windows 11 Pro and are enrolled in Microsoft Intune. You need to recommend a Microsoft Defender for Cloud Apps solution that meets the following requirements:

• When a user downloads a file from Microsoft SharePoint Online, a label must be applied to the file in real time based on the file ' s contents.

• Only users that use Intune-compliant devices must be able to sign in to Dropbox.

Which type of policy should you recommend for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 15

Options:

Buy Now
Questions 16

You are designing security for a runbook in an Azure Automation account. The runbook will copy data to Azure Data Lake Storage Gen2.

You need to recommend a solution to secure the components of the copy process.

What should you include in the recommendation for each component? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

SC-100 Question 16

Options:

Buy Now
Questions 17

You are designing a ransomware response plan that follows Microsoft Security Best Practices-

You need to recommend a solution to limit the scope of damage of ransomware attacks without being locked out.

What should you include in the recommendations?

Options:

A.

Privileged Access Workstations (PAWs)

B.

emergency access accounts

C.

device compliance policies

D.

Customer Lockbox for Microsoft Azure

Buy Now
Questions 18

You have an Azure subscription.

You have an on-premises datacenter. The datacenter contains 20 servers that run Windows Server. Each server is onboarded to Azure Arc and is protected by using Microsoft Defender for Servers Plan 1.

You have a Microsoft 365 subscription.

You need to recommend a solution to identify which servers have outdated hardware drivers or firmware.

What should you include in the recommendation?

Options:

A.

Change all the servers to Microsoft Defender for Servers Plan 2.

B.

Add Microsoft Defender Vulnerability Management add-ons.

C.

Onboard all the servers to Azure Update Manager.

D.

Add the Microsoft Intune Suite add-on.

Buy Now
Questions 19

You have the Azure subscriptions shown in the following table.

SC-100 Question 19

The tenants contain the groups shown in the following table.

SC-100 Question 19

You perform the following actions:

• Configure multi-user authorization (MUA) for Vault1 by using a resource guard deployed to Sub2.

• Enable all available MUA controls for Vault1.

• In contoso.com, create a Privileged Identity Management (PIM) assignment named Assignment1.

• Configure Assignment1 to enable Group! to activate the Contributor role for Vault1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

SC-100 Question 19

Options:

Buy Now
Questions 20

Your company plans to provision blob storage by using an Azure Storage account The blob storage will be accessible from 20 application sewers on the internet. You need to recommend a solution to ensure that only the application servers can access the storage account. What should you recommend using to secure the blob storage?

Options:

A.

service tags in network security groups (NSGs)

B.

managed rule sets in Azure Web Application Firewall (WAF) policies

C.

inbound rules in network security groups (NSGs)

D.

firewall rules for the storage account

E.

inbound rules in Azure Firewall

Buy Now
Questions 21

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You are evaluating the Azure Security Benchmark V3 report.

In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.

You need to recommend configurations to increase the score of the Secure management ports controls.

Solution: You recommend enabling the VMAccess extension on all virtual machines.

Does this meet the goal?

Options:

A.

Yes

B.

No

Buy Now
Questions 22

Your company wants to optimize ransomware incident investigations.

You need to recommend a plan to investigate ransomware incidents based on the Microsoft Detection and Response Team (DART) approach.

Which three actions should you recommend performing in sequence in the plan? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

SC-100 Question 22

Options:

Buy Now
Questions 23

You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CO) workflows.

You need to recommend best practices to secure the stages of the CI/CD workflows based on the Microsoft Cloud Adoption Framework for Azure.

What should you include in the recommendation for each stage? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 23

Options:

Buy Now
Questions 24

You have an on-premises app named App1. Remote users access App1 by using VPN connections. You have a third-party software as a service (SaaS) app named App2. You need to deploy Global Secure Access to manage access to App1 and App2. What should you use for each app?

Options:

A.

Microsoft Entra Private Access for App1 and Microsoft Entra Internet Access for App2

B.

Microsoft Entra Private Access for App1 and App2

C.

Microsoft Entra Internet Access for App1 and App2

D.

Microsoft Entra Private Access for App2 and Microsoft Entra Internet Access for App1

Buy Now
Questions 25

For of an Azure deployment you are designing a security architecture based on the Microsoft Cloud Security Benchmark. You need to recommend a best practice for implementing service accounts for Azure API management. What should you include in the recommendation?

Options:

A.

device registrations in Azure AD

B.

application registrations m Azure AD

C.

Azure service principals with certificate credentials

D.

Azure service principals with usernames and passwords

E.

managed identities in Azure

Buy Now
Questions 26

You have a Microsoft 365 subscription that syncs with Active Directory Domain Services (AD DS).

You need to define the recovery steps for a ransomware attack that encrypted data in the subscription The solution must follow Microsoft Security Best Practices.

What is the first step in the recovery plan?

Options:

A.

Disable Microsoft OneDnve sync and Exchange ActiveSync.

B.

Recover files to a cleaned computer or device.

C.

Contact law enforcement.

D.

From Microsoft Defender for Endpoint perform a security scan.

Buy Now
Questions 27

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).

You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.

You need to ensure that a compromised administrator account cannot be used to delete the backups

What should you do?

Options:

A.

From a Recovery Services vault generate a security PIN for critical operations.

B.

From Azure Backup, configure multi-user authorization by using Resource Guard.

C.

From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault

D.

From Azure AD Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.

Buy Now
Questions 28

You have a Microsoft 365 subscription that contains 500 users. Each user is assigned a Microsoft 365 E5 license and uses a Windows device. Microsoft Purview data loss prevention (DLP) policies are applied to Microsoft Exchange Online email and SharePoint Online sites. You plan to monitor the usage of third-party generative Al apps by using Microsoft Purview Data Security Posture Management for Al (DSPM for Al). What should you do first?

Options:

A.

Enable Microsoft Purview insider risk management for all the users.

B.

Onboard all endpoint devices to Microsoft Purview.

C.

Configure Microsoft Purview data connectors for the generative Al apps.

D.

License all the users for Microsoft 365 Copilot.

Buy Now
Questions 29

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.

You need to implement a solution that meets the following requirements:

• Allows user access to SaaS apps that Microsoft has identified as low risk.

• Blocks user access to Saas apps that Microsoft has identified as high risk.

Solution: From Microsoft Defender for Cloud Apps, you configure SaaS security posture management (SSPM) and create an access policy.

Does this meet the goal?

Options:

A.

Yes

B.

No

Buy Now
Questions 30

You have an Azure subscription and an Azure DevOps organization.

You need to recommend a solution for connecting Azure DevOps pipelines to the resources in the subscription by using Azure Resource Manager (ARM) service connections. The solution must align with Microsoft Cloud Adoption Framework for Azure best practices, including the principle of least privilege.

What should you include in the recommendation?

Options:

A.

workload identity federation and system-assigned managed identities

B.

service principals and secrets

C.

workload identity federation and user-assigned managed identities

D.

workload identity federation and service principals

Buy Now
Questions 31

To meet the application security requirements, which two authentication methods must the applications support? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Options:

A.

Security Assertion Markup Language (SAML)

B.

NTLMv2

C.

certificate-based authentication

D.

Kerberos

Buy Now
Questions 32

You need to recommend an identity security solution for the Azure AD tenant of Litware. The solution must meet the identity requirements and the regulatory compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 32

Options:

Buy Now
Questions 33

You need to recommend a multi-tenant and hybrid security solution that meets to the business requirements and the hybrid requirements. What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

SC-100 Question 33

Options:

Buy Now
Questions 34

You need to recommend a strategy for securing the litware.com forest. The solution must meet the identity requirements. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE; Each correct selection is worth one point.

SC-100 Question 34

Options:

Buy Now
Questions 35

You need to recommend a SIEM and SOAR strategy that meets the hybrid requirements, the Microsoft Sentinel requirements, and the regulatory compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 35

Options:

Buy Now
Questions 36

You need to recommend a strategy for App Service web app connectivity. The solution must meet the landing zone requirements. What should you recommend? To answer, select the appropriate options in the answer area. NOTE Each correct selection is worth one point.

SC-100 Question 36

Options:

Buy Now
Questions 37

You need to recommend a solution to evaluate regulatory compliance across the entire managed environment. The solution must meet the regulatory compliance requirements and the business requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

SC-100 Question 37

Options:

Buy Now
Questions 38

You need to design a strategy for securing the SharePoint Online and Exchange Online data. The solution must meet the application security requirements.

Which two services should you leverage in the strategy? Each correct answer presents part of the solution. NOTE; Each correct selection is worth one point.

Options:

A.

Azure AD Conditional Access

B.

Microsoft Defender for Cloud Apps

C.

Microsoft Defender for Cloud

D.

Microsoft Defender for Endpoint

E.

access reviews in Azure AD

Buy Now
Questions 39

You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.

What should you configure for each landing zone?

Options:

A.

Azure DDoS Protection Standard

B.

an Azure Private DNS zone

C.

Microsoft Defender for Cloud

D.

an ExpressRoute gateway

Buy Now
Exam Code: SC-100
Exam Name: Microsoft Cybersecurity Architect
Last Update: Jul 19, 2026
Questions: 296

PDF + Testing Engine

$144.99

Testing Engine

$109.99

PDF (Q&A)

$94.99