Free Microsoft SC-100 Exam Questions (page: 39)

HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription. The subscription contains an Azure SQL database named DB1 that stores customer data.
You have a Microsoft 365 subscription that uses Microsoft SharePoint Online, OneDrive, and Teams. Users frequently create Microsoft Office documents that contain data from DB1.
You need to recommend a Microsoft Purview solution that meets the following requirements:
● Identifies Office documents that contain customer addresses and phone numbers sourced from DB1
● Generates an alert if a user downloads an above average number of files that contain data from DB1
● Minimizes the number of false positives
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Document fingerprinting
Identifies Office documents that contain customer addresses and phone numbers sourced from DB1
Document fingerprinting is a Microsoft Purview feature that takes a standard form that you provide and creates a sensitive information type (SIT) based on that form. Document fingerprinting makes it easier for you to protect sensitive information by identifying standard forms that are used throughout your organization.
Document fingerprinting includes the following benefits:
SITs created from document fingerprinting can be used as a detection method in DLP policies scoped to Exchange, SharePoint, OneDrive, Teams, and Devices.
Etc.
Box 2: Microsoft Purview insider risk management
Generates an alert if a user downloads an above average number of files that contain data from DB1
Microsoft Purview, Configure intelligent detections in insider risk management
You can use the Intelligent detections setting in Microsoft Purview Insider Risk Management to:
Boost the score for unusual file download activities by entering a minimum number of daily events.
Etc.
File activity detection
You can use this section to specify the number of daily events required to boost the risk score for download activity that's considered unusual for a user. For example, suppose you enter "25". If a user downloads 10 files on average over the previous 30 days, but a policy detects that they downloaded 20 files on one day, the score for that activity won't be boosted, even though it's unusual for that user, because the number of files they downloaded that day was less than 25.


Reference:

https://learn.microsoft.com/en-us/purview/sit-document-fingerprinting
https://learn.microsoft.com/en-us/purview/insider-risk-management-settings-intelligent-detections



HOTSPOT (Drag and Drop is not supported)
You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.
You need to implement a DevSecOps strategy based on Microsoft Cloud Adoption Framework for Azure principles. The solution must meet the following requirements:
● All pull requests must be enforced.
● All deployments to production must be approved.
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Protected branches
All pull requests must be enforced.
The Cloud Adoption Framework for Azure (Ready, Automation) platform automation design recommendations include:
Adopt a branching strategy for your team and set branch policies for branches that you want to protect. With branch policies, teams must use pull requests to make merge changes.
Incorrect:
* Environments
* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.
Box 2: Triggers
All deployments to production must be approved.
Depending on which branching strategy your team uses, changes to any important branch should trigger deployment to different environments. Once changes are approved and merged into main, the CD process deploys those changes to production. This code management system provides your team with a single source of truth for what is running in each environment.
Incorrect:
* Environments
* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/automation



HOTSPOT (Drag and Drop is not supported)
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.
The company is designing an application that will have the architecture shown in the following exhibit.


You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
● Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
● Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Data connectors
Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel.
Launch a WAF workbook (see step 7 below)
The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource.
To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:
1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped)
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel under Configuration select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously. A working WAF workbook should now exist for your WAF resources.
Box 2: The Azure Diagnostics extension
Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources including virtual machines.
Comparison to Log Analytics agent
The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You can choose to use either or both depending on your requirements.
The key differences to consider are:
* Azure Diagnostics extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.
* Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only) and Azure Event Hubs. The Log Analytics agent collects data to Azure Monitor Logs.
* The Log Analytics agent is required for retired solutions, VM insights, and other services such as Microsoft Defender for Cloud.
Note: The Log Analytics agent is a better answer, but that option is not available in this version of the question.


Reference:

https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview



HOTSPOT (Drag and Drop is not supported)
You have a Microsoft Entra tenant named contoso.com. You have 30 Azure subscriptions that are linked to contoso.com. The tenant contains the management groups shown in the following table.


You need to design a governance solution to manage access to all the Azure Storage accounts across the subscriptions. The solution must meet the following requirements:
● Use custom role-based access control (RBAC) to provide granular access to control plane and data plane operations.
● Minimize administrative effort.
At which scope should you assign the roles, and what is the minimum number of assignments per role? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: ..Mgmt1 AND .. Mgmt2 Scope
For Microsoft Entra's two management groups, the appropriate scope for assigning roles is the management group level itself. This is because management groups are designed to be a broader scope for managing access and policies across multiple subscriptions.
Box 2: 2
Minimum number of assignments
Note:
Broadest Scope:
Management groups are the broadest scope in Azure, encompassing multiple subscriptions.
Inheritance:
Role assignments at the management group level apply to all subscriptions within that group.
Centralized Governance:
This allows you to apply policies and RBAC configurations centrally, rather than individually to each subscription.
Organization:
Management groups help organize subscriptions based on business units, teams, or functional areas.
RBAC:
The scope of a role assignment dictates where it applies, with management group level offering a wide scope for granting access.
Custom Roles:
You can create custom roles that are scoped to the management group, allowing for fine-grained access control at a broader level.


Reference:

https://learn.microsoft.com/en-us/azure/governance/management-groups/overview


