Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. SC-100

Microsoft SC-100 Exam Questions
Microsoft Cybersecurity Architect (Page 11 )

Updated On: 17-Feb-2026
Page 11 of 64
PDF with 327 Questions

You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).

You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.

You need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.

What should you do?

  1. From Azure Backup, configure multi-user authorization by using Resource Guard.
  2. From Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
  3. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
  4. From a Recovery Services vault, generate a security PIN for critical operations.

Answer(s): A

Explanation:

MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.


Reference:

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains multiple Azure Storage blobs and Azure Files shares.

You need to recommend a security solution for authorizing access to the blobs and shares. The solution must meet the following requirements:

Support access to the shares by using the SMB protocol.

Limit access to the blobs to specific periods of time.

Include authentication support when possible.

What should you recommend for each resource? To answer, select the options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Account shared access signature (SAS)
Azure Storage blobs
Limit access to the blobs to specific periods of time

Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

Box 2: Service shared access signature (SAS)
Azure Files shares
Support access to the shares by using the SMB protocol.

A shared access signature can take one of the following two forms:

* Ad hoc SAS.
When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI. Any type of SAS can be an ad hoc SAS.

*-> Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures.
When you associate a service SAS with a stored access policy, the SAS inherits the constraints--the start time, expiry time, and permissions--defined for the stored access policy.


Reference:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview



DRAG DROP (Drag and Drop is not supported)

You need to design a solution to accelerate a Zero Trust security implementation. The solution must be based on the Zero Trust Rapid Modernization Plan (RaMP).

Which three initiatives should you include in the solution, and in which order should you implement the initiatives? Each correct answer presents part of the solution.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Explicitly validate trust for all access requests
RaMP initiatives for Zero Trust
To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.
1. Explicitly validate trust for all access requests [Step 1]

Step 2: Apply provisions for ransomware recovery readiness
2. Ransomware recovery readiness [Step 2]

Step 3: Classify and protect data
3. Data protection
This Rapid Modernization Plan (RaMP) checklist helps you protect your on-premises and cloud data from both inadvertent and malicious access.
https://learn.microsoft.com/en-us/security/zero-trust/data-compliance-gov-data

1.1 Know your data [Step 3]
Perform these implementation steps to meet the Know your data deployment objective.

1. Determine data classification levels.
2. Determine built-in and custom sensitive information types.
3. Determine the use of pre-trained and custom trainable classifiers.

4. Discover and classify sensitive data.

2. Protect your data [Step 3]


Incorrect:

Modernize security operations
4. Streamline response
5. Unify visibility
6. Reduce manual effort

* Discover and protect IoT devices
Other initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development:
Discover
Protect
Monitor


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview https://learn.microsoft.com/en-us/security/zero-trust/data-compliance-gov-data



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription. The subscription contains an Azure SQL database named DB1 that stores customer data.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online, OneDrive, and Teams.

Users frequently create Microsoft Office documents that contain data from DB1.

You need to recommend a Microsoft Purview solution that meets the following requirements:

Identifies Office documents that contain customer addresses and phone numbers sourced from DB1 Generates an alert if a user downloads an above average number of files that contain data from DB1 Minimizes the number of false positives

What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

Box 1: Document fingerprinting
Identifies Office documents that contain customer addresses and phone numbers sourced from DB1

Document fingerprinting is a Microsoft Purview feature that takes a standard form that you provide and creates a sensitive information type (SIT) based on that form. Document fingerprinting makes it easier for you to protect sensitive information by identifying standard forms that are used throughout your organization.

Document fingerprinting includes the following benefits:
SITs created from document fingerprinting can be used as a detection method in DLP policies scoped to Exchange, SharePoint, OneDrive, Teams, and Devices.

Etc.

Box 2: Microsoft Purview insider risk management
Generates an alert if a user downloads an above average number of files that contain data from DB1

Microsoft Purview, Configure intelligent detections in insider risk management Use can use the Intelligent detections setting in Microsoft Purview Insider Risk Management to:

* Boost the score for unusual file download activities by entering a minimum number of daily events.

* Etc.

File activity detection
You can use this section to specify the number of daily events required to boost the risk score for download activity that's considered unusual for a user. For example, if you enter "25", if a user downloads 10 files on average over the previous 30 days, but a policy detects that they downloaded 20 files on one day, the score for that activity won't be boosted even though it's unusual for that user because the number of files they downloaded that day was less than 25.


https://learn.microsoft.com/en-us/purview/sit-document-fingerprinting https://learn.microsoft.com/en-us/purview/insider-risk-management-settings-intelligent-detections



HOTSPOT (Drag and Drop is not supported)

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You need to implement a DevSecOps strategy based on Microsoft Cloud Adoption Framework for Azure principles. The solution must meet the following requirements:

All pull requests must be enforced.

All deployments to production must be approved.

What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Protected branches
All pull requests must be enforced.

Azure Cloud Adoption Framework Ready, Automation
Platform automation design recommendation include:
Adopt a branching strategy for your team and set branch policies for branches that you want to protect. With branch policies, teams must use pull requests to make merge changes.


Incorrect:
* Environments

* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.

Box 2: Triggers
All deployments to production must be approved.

Depending on which branching strategy your team uses, changes to any important branch should trigger deployment to different environments. Once changes are approved and merged into main, the CD process deploys those changes to production. This code management system provides your team with a single source of truth for what is running in each environment.


Incorrect:
* Environments

* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/automation






Post your Comments and Discuss Microsoft SC-100 exam dumps with other Community members:

Join the SC-100 Discussion