Microsoft Certifications SC-100 Questions & Answers
Question 111:
You are evaluating an Azure environment for compliance.
You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.
Which effect should you use in Azure Policy?
A. Deny
B. Modify
C. Append
D. Disabled
Correct Answer: D
The Disabled effect is useful for testing situations or for when the policy definition has parameterized the effect. This flexibility makes it possible to disable a single assignment instead of disabling all of that policy's assignments.
An alternative to the Disabled effect is enforcementMode, which is set on the policy assignment. When enforcementMode is Disabled, resources are still evaluated, but the policy effect is not enforced.
Incorrect:
Not A: Deny is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request.
Not B: Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The Modify operations are applied to the request content when the if condition of the policy rule is met. Each Modify operation can specify a condition that determines when it's applied. Operations with conditions that are evaluated to false are skipped.
Not C: Append is used to add additional fields to the requested resource during creation or update.
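Added example, not from the original page or from Microsoft: a Bicep fragment (all resource names hypothetical, the storage rule illustrative) showing both evaluate-only options the explanation above describes. The custom definition parameterizes its effect, so one assignment can pass Disabled while other assignments of the same definition keep Audit or Deny; the second assignment keeps Deny but sets enforcementMode to DoNotEnforce (the value the portal shows as "Disabled"), so resources are still evaluated and reported without any request being denied.

```bicep
targetScope = 'subscription'

// Added example: custom definition whose effect is a parameter, so each assignment
// chooses Audit, Deny or Disabled independently. Rule body is illustrative only.
resource httpsOnlyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'example-storage-https-only'   // hypothetical name
  properties: {
    displayName: 'Storage accounts should require secure transfer (example)'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        defaultValue: 'Audit'
        allowedValues: [
          'Audit'
          'Deny'
          'Disabled'
        ]
        metadata: {
          displayName: 'Effect'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'
            equals: 'false'
          }
        ]
      }
      then: {
        // Evaluated by the policy engine, not by the deployment (Bicep emits it as [[...]).
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Option 1 (the Disabled effect): this one assignment is switched off without
// touching any other assignment of the same definition.
resource disabledAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-https-only-off'        // hypothetical name
  properties: {
    displayName: 'Storage secure transfer (effect Disabled)'
    policyDefinitionId: httpsOnlyDefinition.id
    parameters: {
      effect: {
        value: 'Disabled'
      }
    }
  }
}

// Option 2 (enforcementMode): the effect stays Deny, but DoNotEnforce (shown as
// "Disabled" in the portal) means resources are still evaluated and reported as
// non-compliant while no request is actually denied.
resource evaluateOnlyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-https-only-eval'       // hypothetical name
  properties: {
    displayName: 'Storage secure transfer (evaluate only)'
    policyDefinitionId: httpsOnlyDefinition.id
    enforcementMode: 'DoNotEnforce'
    parameters: {
      effect: {
        value: 'Deny'
      }
    }
  }
}
```

Deploy with `az deployment sub create` against the subscription. The practical difference to keep in mind: with the effect set to Disabled the assignment is skipped and produces no compliance data, whereas with DoNotEnforce the compliance results still appear in the portal, which is what makes it the usual choice for a "what would this deny?" dry run before turning enforcement on.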
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions to allow traffic from the backend IP address of the Front Door instance.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Correct Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.
Restrict access to a specific Azure Front Door instance.
Traffic from Azure Front Door to your application originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique HTTP header that Azure Front Door sends.
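Added example, not from the original page or from Microsoft: a Bicep fragment (hypothetical app name, placeholder Front Door ID) that puts the rejected solution and the correct one side by side as App Service access-restriction rules. The header Front Door sends is X-Azure-FDID, carrying the ID of the originating Front Door profile; the `useHeaderFilter` toggle is only there so both rules can be compared in one file.

```bicep
// Added example: App Service access restrictions that admit only one Front Door profile.
param webAppName string = 'contoso-web'          // hypothetical
param frontDoorId string = '<front-door-id>'     // placeholder: the profile's Front Door ID (GUID)
param useHeaderFilter bool = true                // false reproduces the rejected solution

resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

// Weak rule (the rejected solution): trusts every source in the AzureFrontDoor.Backend
// service tag. Those ranges are shared by all Front Door customers, so any other
// tenant's Front Door profile could still reach the app.
var serviceTagOnlyRule = {
  name: 'Allow-any-Front-Door'
  action: 'Allow'
  priority: 100
  tag: 'ServiceTag'
  ipAddress: 'AzureFrontDoor.Backend'
}

// Hardened rule: same service tag, plus a header filter on X-Azure-FDID, which
// Front Door sets to the originating profile's ID. Only requests carrying our ID pass.
var ownFrontDoorOnlyRule = {
  name: 'Allow-own-Front-Door'
  action: 'Allow'
  priority: 100
  tag: 'ServiceTag'
  ipAddress: 'AzureFrontDoor.Backend'
  headers: {
    'x-azure-fdid': [
      frontDoorId
    ]
  }
}

resource webConfig 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: webApp
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      useHeaderFilter ? ownFrontDoorOnlyRule : serviceTagOnlyRule
      {
        // Explicit catch-all so nothing outside the allow rule is accepted.
        name: 'Deny-all'
        action: 'Deny'
        priority: 2147483647
        ipAddress: 'Any'
      }
    ]
  }
}
```

The service-tag part is still needed: the header alone could be forged by a client that reaches the app directly, and the tag alone admits every Front Door profile. Together they verify both where the packet came from and which profile relayed it. The Front Door ID is shown on the profile's overview page in the portal.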
Your company has an on-premises network, an Azure subscription, and a Microsoft 365 E5 subscription. The company uses the following devices:
1. Computers that run either Windows 10 or Windows 11
2. Tablets and phones that run either Android or iOS
You need to recommend a solution to classify and encrypt sensitive Microsoft Office 365 data regardless of where the data is stored.
What should you include in the recommendation?
A. eDiscovery
B. Microsoft Information Protection
C. Compliance Manager
D. retention policies
Correct Answer: B
Protect your sensitive data with Microsoft Purview.
Implement capabilities from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to help you discover, classify, and protect sensitive information wherever it lives or travels.
Note: You can use Microsoft Information Protection: Microsoft Purview for Auditing and Analytics in Outlook for iOS, Android, and Mac (DoD).
Incorrect:
Not A: Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft Purview to search for content in Exchange Online, OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups, and Yammer teams. You can search mailboxes and sites in the same eDiscovery search, and then export the search results. You can use Microsoft Purview eDiscovery (Standard) cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the feature-rich Microsoft Purview eDiscovery (Premium) solution in Microsoft 365.
Not C: What does Compliance Manager do?
Compliance managers ensure that a business, its employees and its projects comply with all relevant regulations and specifications. This could include health and safety, environmental, legal or quality standards, as well as any ethical policies the company may have.
Not D: A retention policy (also called a 'schedule') is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (record), where it's stored and how to dispose of the record when it's time.
A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions.
You are evaluating the security posture of the customer.
You discover that the AKS resources are excluded from the secure score recommendations.
You need to produce accurate recommendations and update the secure score.
Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Defender plans.
B. Configure auto provisioning.
C. Add a workflow automation.
D. Assign regulatory compliance policies.
E. Review the inventory.
Correct Answer: AB
Question 115:
You are designing the security standards for containerized applications onboarded to Azure.
You are evaluating the use of Microsoft Defender for Containers.
In which two environments can you use Defender for Containers to scan for known vulnerabilities? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Linux containers deployed to Azure Container Instances
B. Windows containers deployed to Azure Kubernetes Service (AKS)
C. Windows containers deployed to Azure Container Registry
D. Linux containers deployed to Azure Container Registry
E. Linux containers deployed to Azure Kubernetes Service (AKS)
Correct Answer: DE
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-containers?tabs=azure-aks#registries-and-images (Windows container support is in preview).
The company plans to hire several temporary employees within a brief period. The temporary employees will need to access applications and data on the company's on-premises network.
The company's security policy prevents the use of personal devices for accessing company data and applications.
You need to recommend a solution to provide the temporary employees with access to company resources. The solution must be able to scale on demand.
What should you include in the recommendation?
A. Deploy Azure Virtual Desktop, Azure AD Conditional Access, and Microsoft Defender for Cloud Apps.
B. Redesign the VPN infrastructure by adopting a split tunnel configuration.
C. Deploy Microsoft Endpoint Manager and Azure AD Conditional Access.
D. Migrate the on-premises applications to cloud-based applications.
Correct Answer: A
You can connect an Azure Virtual Desktop to an on-premises network using a virtual private network (VPN), or use Azure ExpressRoute to extend the on-premises network into the Azure cloud over a private connection.
* Azure AD: Azure Virtual Desktop uses Azure AD for identity and access management. Azure AD integration applies Azure AD security features like conditional access, multi-factor authentication, and the Intelligent Security Graph, and helps maintain app compatibility in domain-joined VMs.
* For Azure Virtual Desktop, enable Microsoft Defender for Cloud. We recommend enabling Microsoft Defender for Cloud's enhanced security features to:
  - Manage vulnerabilities.
  - Assess compliance with common frameworks like PCI.
* Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security, is a comprehensive solution for security and compliance teams enabling users in the organization, local and remote, to safely adopt business applications without compromising productivity.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database. You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.
Solution: You recommend creating private endpoints for the web app and the database layer.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
How to use Azure Private Endpoints to restrict public access to web apps.
As an Azure administrator or architect, you are sometimes asked the question: "How can we safely deploy internal business applications to Azure App Services?"
These applications characteristically are:
- Not accessible from the public internet.
- Accessible from within the on-premises corporate network.
- Accessible via an authorized VPN client from outside the corporate network.
For such scenarios, we can use Azure Private Link, which enables private and secure access to Azure PaaS services over Azure Private Endpoints, along with a Site-to-Site VPN, Point-to-Site VPN, or ExpressRoute. An Azure Private Endpoint is a read-only network interface associated with an Azure PaaS service. It allows you to bring deployed sites into your virtual network, limiting access to them at the network level.
It uses one of the private IP addresses from your Azure VNet and associates it with the Azure App Service. These services are called Private Link resources. They can be Azure Storage, Azure Cosmos DB, SQL, App Service web apps, your own / partner-owned services, Azure Backup, Event Grid, Azure Service Bus, or Azure Automation.
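Added example, not from the original page or from Microsoft: a Bicep fragment (hypothetical names) that creates the two private endpoints the recommended solution calls for, one for the web app and one for the database layer. It assumes the migrated MongoDB database is an Azure Cosmos DB for MongoDB account and that a subnet for private endpoints already exists; the group IDs `sites` and `MongoDB` select the App Service and Mongo API sub-resources respectively.

```bicep
// Added example: private endpoints for the web tier and the database tier.
param location string = resourceGroup().location
param endpointSubnetId string                      // subnet reserved for private endpoints
param webAppName string = 'shop-web'               // hypothetical
param cosmosAccountName string = 'shop-mongo'      // hypothetical: Cosmos DB for MongoDB account

resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
  name: cosmosAccountName
}

// The web app receives a private IP from the VNet; 'sites' is the App Service group ID.
resource webAppEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${webAppName}-pe'
  location: location
  properties: {
    subnet: {
      id: endpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${webAppName}-plsc'
        properties: {
          privateLinkServiceId: webApp.id
          groupIds: [
            'sites'
          ]
        }
      }
    ]
  }
}

// The database layer: 'MongoDB' exposes the Mongo API endpoint on a private IP only.
resource cosmosEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${cosmosAccountName}-pe'
  location: location
  properties: {
    subnet: {
      id: endpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${cosmosAccountName}-plsc'
        properties: {
          privateLinkServiceId: cosmosAccount.id
          groupIds: [
            'MongoDB'
          ]
        }
      }
    ]
  }
}
```

Two follow-up steps complete the Zero Trust picture: disable public network access on both the web app and the Cosmos DB account so the private endpoints become the only path, and link the private DNS zones (privatelink.azurewebsites.net and privatelink.mongo.cosmos.azure.com) to the VNet so the service host names resolve to the private IPs rather than the public ones.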
Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.
You need to recommend a solution to isolate the compute components on an Azure virtual network. What should you include in the recommendation?
A. Azure Active Directory (Azure AD) enterprise applications
B. an Azure App Service Environment (ASE)
C. Azure service endpoints
D. an Azure Active Directory (Azure AD) application proxy
Correct Answer: B
The Azure App Service Environment v2 is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. This capability can host your:
1. Windows web apps
2. Linux web apps
3. Docker containers
4. Mobile apps
5. Functions
App Service environments (ASEs) are appropriate for application workloads that require:
Very high scale.
Isolation and secure network access.
High memory utilization.
Customers can create multiple ASEs within a single Azure region or across multiple Azure regions. This flexibility makes ASEs ideal for horizontally scaling stateless application tiers in support of high requests per second (RPS) workloads.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling just-in-time (JIT) VM access on all virtual machines.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Secure management ports - Brute force attacks often target management ports. Use these recommendations to reduce your exposure with tools like just-in-time VM access and network security groups. Recommendations:
- Internet-facing virtual machines should be protected with network security groups
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
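Added example, not from the original page or from Microsoft: a Bicep fragment (hypothetical VM name) that enables just-in-time access for one VM, covering the two JIT-related recommendations listed above. Defender for Cloud keeps the listed ports denied in the NSG until an approved request opens them, for no longer than `maxRequestAccessDuration` and only from the source the requester specifies; this requires a Defender for Servers plan on the subscription.

```bicep
// Added example: a JIT network access policy for one VM.
param location string = resourceGroup().location
param vmName string = 'app-vm-01'    // hypothetical

resource vm 'Microsoft.Compute/virtualMachines@2022-11-01' existing = {
  name: vmName
}

// Management ports stay closed in the NSG until an approved request opens them,
// for at most maxRequestAccessDuration (ISO 8601) and only from the requested source.
resource jitPolicy 'Microsoft.Security/locations/jitNetworkAccessPolicies@2020-01-01' = {
  name: '${location}/default'
  kind: 'Basic'
  properties: {
    virtualMachines: [
      {
        id: vm.id
        ports: [
          {
            number: 22                          // SSH
            protocol: 'TCP'
            allowedSourceAddressPrefix: '*'     // upper bound; each request names its own source
            maxRequestAccessDuration: 'PT3H'
          }
          {
            number: 3389                        // RDP
            protocol: 'TCP'
            allowedSourceAddressPrefix: '*'
            maxRequestAccessDuration: 'PT1H'
          }
        ]
      }
    ]
  }
}
```

Once the policy exists, the "protected with just-in-time network access control" recommendation turns healthy for that VM, and because the NSG now denies 22 and 3389 by default, the "management ports should be closed" recommendation does as well. Tightening `allowedSourceAddressPrefix` to the jump-host or VPN range is the usual next hardening step, since '*' only bounds what a requester may ask for.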
Question 120:
A customer uses Azure to develop a mobile app that will be consumed by external users as shown in the following exhibit.
You need to design an identity strategy for the app. The solution must meet the following requirements:
1. Enable the usage of external IDs such as Google, Facebook, and Microsoft accounts.
2. Be managed separately from the identity store of the customer.
3. Support fully customizable branding for each app.
Which service should you recommend to complete the design?
A. Azure Active Directory (Azure AD) B2B
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Active Directory (Azure AD) B2C
D. Azure AD Connect
Correct Answer: C
Azure Active Directory B2C (Azure AD B2C), an identity store, is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
You can set up sign-up and sign-in with a Facebook/Google account using Azure Active Directory B2C.
Branding
Branding and customizing the user interface that Azure Active Directory B2C (Azure AD B2C) displays to your customers helps provide a seamless user experience in your application. These experiences include signing up, signing in, profile editing, and password resetting.
Incorrect:
Not D: Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD.
Nowadays, certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Microsoft exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SC-100 exam preparation and Microsoft certification application, do not hesitate to visit Vcedump.com to find your solutions.