Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. SC-100

Free Microsoft SC-100 Exam Questions (page: 7)

Page 7 of 41
PDF with 315 Questions

You have a Microsoft Entra tenant that contains 10 Windows 11 devices and two groups named Group1 and Group2. The Windows 11 devices are joined to the Microsoft Entra tenant and are managed by using Microsoft Intune.

You are designing a privileged access strategy based on the rapid modernization plan (RaMP). The strategy will include the following configurations:

Each user in Group1 will be assigned a Windows 11 device that will be configured as a privileged access device.
The Security Administrator role will be mapped to the privileged access security level.

The users in Group1 will be assigned the Security Administrator role.

The users in Group2 will manage the privileged access devices.

You need to configure the local Administrators group for each privileged access device. The solution must follow the principle of least privilege.

What should you include in the solution?

  1. Only add Group2 to the local Administrators group.
  2. Configure Windows Local Administrator Password Solution (Windows LAPS) in legacy Microsoft LAPS emulation mode.
  3. Add Group2 to the local Administrators group. Add the user that is assigned the Security Administrator role to the local Administrators group of the user's assigned privileged access device.

Answer(s): C

Explanation:

Separate and manage privileged accounts
Emergency access accounts
What: Ensure that you are not accidentally locked out of your Microsoft Entra organization in an emergency situation.
Why: Emergency access accounts rarely used and highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required.
Ensure you have a plan for continuity of access that accommodates both expected and unexpected events.


Reference:

https://learn.microsoft.com/en-us/security/privileged-access-workstations/security-rapid-modernization-plan



You have an Azure subscription.

You plan to deploy enterprise-scale landing zones based on the Microsoft Cloud Adoption Framework for Azure. The deployment will include a single-platform landing zone for all shared services and three application landing zones that will each host a different Azure application.

You need to recommend which resource to deploy to each landing zone. The solution must meet the Cloud Adoption Framework best-practice recommendations for enterprise-scale landing zones.

What should you recommend?

  1. an Azure firewall
  2. an Azure virtual network gateway
  3. an Azure Private DNS zone
  4. an Azure key vault

Answer(s): C

Explanation:

Landing zones and Azure regions
Azure landing zones consist of a set of resources and configuration. Some of these items, like management groups, policies, and role assignments, are stored at either a tenant or management group level within the Azure landing zone architecture. These resources aren't deployed to a particular region and instead are deployed globally. However, you still need to specify a deployment region because Azure tracks some of the resource metadata in a regional metadata store.
If you deploy a networking topology, you also need to select an Azure region to deploy the networking resources to. This region can be different from the region that you use for the resources listed in the preceding list. Depending on the topology you select, the networking resources that you deploy might include:
Azure Virtual WAN, including a Virtual WAN hub
Azure virtual networks
VPN gateway
Azure ExpressRoute gateway
Azure Firewall
Azure DDoS Protection plans
*-> Azure private DNS zones, including zones for Azure Private Link Resource groups, to contain the preceding resources


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions



HOTSPOT (Drag and Drop is not supported)

You have 1,000 on-premises servers that run Windows Server 2022 and 500 on-premises servers that run Linux.

You have an Azure subscription that contains the following resources:

A Log Analytics workspace

A Microsoft Defender Cloud Security Posture Management (CSPM) plan

You need to deploy Update Management for the servers.

What should you configure? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Microsoft Defender for Servers Plan 2
Azure resource


Incorrect:
* An Azure Automation account
Update Manager offers many new features and provides enhanced and native functionalities. Following are some of the benefits:
* Provides native experience with zero on-boarding.
- No dependency on Log Analytics and Azure Automation.
- Etc.
* Etc.

Box 2: Azure connected machine agent
Agent on the servers

For the Azure Update Manager, both AMA and MMA aren't a requirement to manage software update workflows as it relies on the Microsoft Azure VM Agent for Azure VMs and Azure connected machine agent for Arc-enabled servers.


Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan https://learn.microsoft.com/en-us/azure/update-manager/overview https://learn.microsoft.com/en-us/azure/update-manager/migration-overview



HOTSPOT (Drag and Drop is not supported)

You have an Active Directory Domain Services (AD DS) domain that contains a virtual desktop infrastructure (VDI). The VDI uses non-persistent images and cloned virtual machine templates. VDI devices are members of the domain.

You have an Azure subscription that contains an Azure Virtual Desktop environment. The environment contains host pools that use a custom golden image. All the Azure Virtual Desktop deployments are members of a single Microsoft Entra Domain Services domain.

You need to recommend a solution to deploy Microsoft Defender for Endpoint to the hosts. The solution must meet the following requirements:

Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence.

Ensure that the Microsoft Defender portal contains a single entry for each deployed VDI host.

Minimize administrative effort.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Add the Defender for Endpoint onboarding script to the virtual machine template. Ensure that the Microsoft Defender portal contains a single entry for each deployed VDI host.

Box 2: Deploy Defender for Endpoint using a custom Group Policy Object (GPO) Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence.

Microsoft Defender for Endpoint, Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR

Onboarding steps

1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard.

2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/primary image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

Note
Domain Group Policy may also be used for onboarding non-persistent VDI devices.

4. Depending on the method you'd like to implement, follow the appropriate steps:

4a) For single entry for each device:
Select the PowerShell Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script Onboard- NonPersistentMachine.ps1. There's no need to specify the other file, as it is triggered automatically.

4b) For multiple entries for each device:
Select the Scripts tab, then click Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script WindowsDefenderATPOnboardingScript.cmd.

5. Test your solution:

Create a pool with one device.

Log on to device.

Log off from device.

Log on to device with another user.

Depending on the method you'd like to implement, follow the appropriate steps:
-For single entry for each device: Check only one entry in Microsoft Defender portal. -For multiple entries for each device: Check multiple entries in Microsoft Defender portal.

6. Click Devices list on the Navigation pane.

7. Use the search function by entering the device name and select Device as search type.


Reference:

https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi



You have 10 Azure subscriptions that contain 100 role-based access control (RBAC) role assignments.

You plan to consolidate the role assignments.

You need to recommend a solution to identify which role assignments were NOT used during the last 90 days.
The solution must minimize administrative effort.

What should you include in the recommendation?

  1. Microsoft Defender for Cloud
  2. Microsoft Entra access reviews
  3. Microsoft Entra Privileged Identity Management (PIM)
  4. Microsoft Entra Permissions Management

Answer(s): D

Explanation:

Microsoft Entra Permissions Management is designed to manage and monitor permissions across multiple cloud environments, including Azure. It provides insights into permissions, allowing you to identify unused role assignments over a specified period, like the last 90 days. This solution helps you track permissions, detect unused roles, and optimize role assignments across subscriptions, minimizing administrative effort by offering automated recommendations for role consolidation.



You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).

You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.

You need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.

What should you do?

  1. From Azure Backup, configure multi-user authorization by using Resource Guard.
  2. From Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
  3. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
  4. From a Recovery Services vault, generate a security PIN for critical operations.

Answer(s): A

Explanation:

MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.


Reference:

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains multiple Azure Storage blobs and Azure Files shares.

You need to recommend a security solution for authorizing access to the blobs and shares. The solution must meet the following requirements:

Support access to the shares by using the SMB protocol.

Limit access to the blobs to specific periods of time.

Include authentication support when possible.

What should you recommend for each resource? To answer, select the options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Account shared access signature (SAS)
Azure Storage blobs
Limit access to the blobs to specific periods of time

Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

Box 2: Service shared access signature (SAS)
Azure Files shares
Support access to the shares by using the SMB protocol.

A shared access signature can take one of the following two forms:

* Ad hoc SAS.
When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI. Any type of SAS can be an ad hoc SAS.

*-> Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures.
When you associate a service SAS with a stored access policy, the SAS inherits the constraints--the start time, expiry time, and permissions--defined for the stored access policy.


Reference:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview



DRAG DROP (Drag and Drop is not supported)

You need to design a solution to accelerate a Zero Trust security implementation. The solution must be based on the Zero Trust Rapid Modernization Plan (RaMP).

Which three initiatives should you include in the solution, and in which order should you implement the initiatives? Each correct answer presents part of the solution.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Explicitly validate trust for all access requests
RaMP initiatives for Zero Trust
To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.
1. Explicitly validate trust for all access requests [Step 1]

Step 2: Apply provisions for ransomware recovery readiness
2. Ransomware recovery readiness [Step 2]

Step 3: Classify and protect data
3. Data protection
This Rapid Modernization Plan (RaMP) checklist helps you protect your on-premises and cloud data from both inadvertent and malicious access.
https://learn.microsoft.com/en-us/security/zero-trust/data-compliance-gov-data

1.1 Know your data [Step 3]
Perform these implementation steps to meet the Know your data deployment objective.

1. Determine data classification levels.
2. Determine built-in and custom sensitive information types.
3. Determine the use of pre-trained and custom trainable classifiers.

4. Discover and classify sensitive data.

2. Protect your data [Step 3]


Incorrect:

Modernize security operations
4. Streamline response
5. Unify visibility
6. Reduce manual effort

* Discover and protect IoT devices
Other initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development:
Discover
Protect
Monitor


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview https://learn.microsoft.com/en-us/security/zero-trust/data-compliance-gov-data



Viewing page 7 of 41



Post your Comments and Discuss Microsoft SC-100 exam prep with other Community members:

SC-100 Exam Discussions & Posts