Microsoft SC-100 Exam Questions
Microsoft Cybersecurity Architect (Page 8)

Updated On: 17-Feb-2026

You have legacy operational technology (OT) devices and IoT devices.

You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations.

Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.

Note: Each correct selection is worth one point.

  1. active scanning
  2. threat monitoring
  3. software patching
  4. passive traffic monitoring

Answer(s): B,C

Explanation:

Microsoft Cybersecurity Reference Architectures
Apply zero trust principles to securing OT and industrial IoT environments

Operational Technology (OT) Environments
Safety/Integrity/Availability
· Hardware Age: 50-100 years (mechanical + electronic overlay)
· Warranty length: up to 30-50 years
· Protocols: Industry Specific (often bridged to IP networks)
· Security Hygiene: Isolation, threat monitoring, managing vendor access risk, (patching rarely)

Information Technology (IT) Environments
Confidentiality/Integrity/Availability
· Hardware Age: 5-10 years
· Warranty length: 3-5 years
· Protocols: Native IP, HTTP(S), Others
· Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware


Reference:

https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra



You have an on-premises network and a Microsoft 365 subscription.

You are designing a Zero Trust security strategy.

Which two security controls should you include as part of the Zero Trust solution? Each correct answer presents part of the solution.

Note: Each correct answer is worth one point.

  1. Always allow connections from the on-premises network.
  2. Disable passwordless sign-in for sensitive accounts.
  3. Block sign-in attempts from unknown locations.
  4. Block sign-in attempts from noncompliant devices.

Answer(s): C,D

Explanation:

Securing identity with Zero Trust
User, device, location, and behavior is analyzed in real time to determine risk and deliver ongoing protection.
As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices/locations as they move around the world (without having administrators parse individual signals).

Incorrect:
Not B: Use passwordless authentication to reduce the risk of phishing and password attacks. With Azure AD supporting FIDO 2.0 and passwordless phone sign-in, you can move the needle on the credentials that your users (especially sensitive/privileged users) are employing day-to-day. These credentials are strong authentication factors that can mitigate risk as well.
Cloud identity federates with on-premises identity systems


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/deploy/identity#v-user-device-location-and-behavior-is-analyzed-in-real-time-to-determine-risk-and-deliver-ongoing-protection



You are designing a ransomware response plan that follows Microsoft Security Best Practices.

You need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files.

What should you include in the recommendation?

  1. Windows Defender Device Guard
  2. Microsoft Defender for Endpoint
  3. Azure Files
  4. BitLocker Drive Encryption (BitLocker)
  5. protected folders

Answer(s): E



You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.

You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.

What should you recommend?

  1. a managed identity in Azure
  2. a Microsoft Entra user account that has role assignments in Microsoft Entra Privileged Identity Management (PIM)
  3. a group managed service account (gMSA)
  4. a Microsoft Entra user account that has a password stored in Azure Key Vault

Answer(s): A



You have an Azure Kubernetes Service (AKS) cluster that hosts Linux nodes.

You need to recommend a solution to ensure that deployed worker nodes have the latest kernel updates. The solution must minimize administrative effort.

What should you recommend?

  1. The nodes must restart after the updates are applied.
  2. The updates must first be applied to the image used to provision the nodes.
  3. The AKS cluster version must be upgraded.

Answer(s): B

Explanation:

Patch and upgrade AKS worker nodes
This section of the Azure Kubernetes Service (AKS) day-2 operations guide describes patching and upgrading practices for AKS worker nodes and Kubernetes (K8S) versions.
Node image upgrades
Microsoft provides patches and new images for image nodes weekly. For AKS Linux nodes, we have two mechanisms to patch the nodes: unattended updates and node image upgrade. Unattended updates are automatic, but they don't account for kernel level patches. You're required to use something like KURED or node image upgrade to reboot the node and complete the cycle. For node image upgrade, we create a patched node every week for customers to use, which would require applying that patched virtual hard disk (VHD).
Auto-upgrade with the node image update SKU can automate the process.


Reference:

https://learn.microsoft.com/en-us/azure/architecture/operator-guides/aks/aks-upgrade-practices





