Microsoft Microsoft Certifications SC-100 Questions & Answers

• Question 61:

  Your company is developing a modern application that will un as an Azure App Service web app.

  You plan to perform threat modeling to identity potential security issues by using the Microsoft Threat Modeling Tool.

  Which type of diagram should you create?

  A. data flow

  B. system flow

  C. process flow

  D. network flow

  Correct Answer: A

  A data-flow diagram is a way of representing a flow of data through a process or a system (usually an information system). The DFD also provides information about the outputs and inputs of each entity and the process itself. A data-flow diagram has no control flow — there are no decision rules and no loops. Specific operations based on the data can be represented by a flowchart.[1]

  Data flow diagram with data storage, data flows, function and interface

• Question 62:

  Your company has a Microsoft 365 E5 subscription.

  The company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online.

  You need to recommend a solution to identify documents that contain sensitive information.

  What should you include in the recommendation?

  A. data classification content explorer

  B. data loss prevention (DLP)

  C. eDiscovery

  D. Information Governance

  Correct Answer: B

  Data loss prevention (DLP)

  With DLP policies, you can identify, monitor, and automatically protect sensitive information across Office 365. Data loss prevention policies can use sensitivity labels and sensitive information types to identify sensitive information.

  Note: Microsoft 365 includes many sensitive information types that are ready for you to use in DLP policies and for automatic classification with sensitivity and retention labels.

  Incorrect:

  Not A: Content explorer shows a current snapshot of the items that have a sensitivity label, a retention label or have been classified as a sensitive information type in your organization.

  Reference: https://docs.microsoft.com/en-us/security/compass/information-protection-and-storage-capabilities https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-content-explorer

• Question 63:

  Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.

  You are informed about incidents that relate to compromised identities.

  You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.

  Which Defender for Identity feature should you include in the recommendation?

  A. sensitivity labels

  B. custom user tags

  C. standalone sensors

  D. honeytoken entity tags

  Correct Answer: D

  Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.

  Incorrect:

  Not B: custom user tags

  After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigation.

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/entity-tags

• Question 64:

  A customer has a Microsoft 365 E5 subscription and an Azure subscription.

  The customer wants to centrally manage security incidents, analyze log, audit activity, and hunt for potential threats across all deployed services.

  You need to recommend a solution for the customer. The solution must minimize costs.

  What should you include in the recommendation?

  A. Microsoft 365 Defender

  B. Microsoft Defender for Cloud

  C. Microsoft Defender for Cloud Apps

  D. Microsoft Sentinel

  Correct Answer: D

  Microsoft Sentinel is a scalable, cloud-native solution that provides:

  Security information and event management (SIEM)

  Security orchestration, automation, and response (SOAR)

  Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.

  Microsoft Sentinel is your bird's-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

  Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

  Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.

  Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.

  Respond to incidents rapidly with built-in orchestration and automation of common tasks.

  Microsoft Sentinel natively incorporates proven Azure services, like Log Analytics and Logic Apps. Microsoft Sentinel enriches your investigation and detection with AI. It provides Microsoft's threat intelligence stream and enables you to bring

  your own threat intelligence.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/overview

• Question 65:

  Your company has an on-premises network and an Azure subscription.

  The company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure.

  You are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network.

  You need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet-accessible endpoints to the on-premises network.

  What should you include in the recommendation?

  A. a private endpoint

  B. hybrid connections

  C. virtual network NAT gateway integration

  D. virtual network integration

  Correct Answer: B

  Hybrid Connections can connect Azure App Service Web Apps to on-premises resources that use a static TCP port. Supported resources include Microsoft SQL Server, MySQL, HTTP Web APIs, Mobile Services, and most custom Web

  Services.

  Note: You can use an Azure App Service Hybrid Connections. To do this, you need to add and create Hybrid Connections in your app. You will download and install an agent (the Hybrid Connection Manager) in the database server or another

  server which is in the same network as the on-premise database.

  You configure a logical connection on your app service or web app.

  A small agent, the Hybrid Connection Manager, is downloaded and installed on a Windows Server (2012 or later) running in the remote network (on-premises or anywhere) that you need to communicate with.

  You log into your Azure subscription in the Hybrid Connection manager and select the logical connection in your app service.

  The Hybrid Connection Manager will initiate a secure tunnel out (TCP 80/443) to your app service in Azure.

  Your app service can now communicate with TCP-based services, on Windows or Linux, in the remote network via the Hybrid Connection Manager.

  You could get more details on how to Connect Azure Web Apps To On-Premises.

  Incorrect:

  Not A: NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Once NAT gateway is associated to a subnet, NAT provides source network address translation (SNAT) for that subnet. NAT gateway

  specifies which static IP addresses virtual machines use when creating outbound flows.

  However, we need an inbound connection.

  Not C: You can Azure web app service VNet integration with Azure VPN gateway to securely access the resource in an Azure VNet or on-premise network.

  Note: Virtual network integration gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. Private site access refers to making an app accessible only from a

  private network, such as from within an Azure virtual network. Virtual network integration is used only to make outbound calls from your app into your virtual network. The virtual network integration feature behaves differently when it's used

  with virtual networks in the same region and with virtual networks in other regions. The virtual network integration feature has two variations:

  Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with.

  Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network.

  Reference: https://github.com/uglide/azure-content/blob/master/articles/app-service-web/web-sites-hybrid-connection-connect-on-premises-sql-server.md

  https://docs.microsoft.com/en-us/answers/questions/701793/connecting-to-azure-app-to-onprem-datbase.html

• Question 66:

  Your company plans to apply the Zero Trust Rapid Modernization Plan (RaMP) to its IT environment.

  You need to recommend the top three modernization areas to prioritize as part of the plan.

  Which three areas should you recommend based on RaMP? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. data, compliance, and governance

  B. infrastructure and development

  C. user access and productivity

  D. operational technology (OT) and IoT

  E. modern security operations

  Correct Answer: ACE

  RaMP initiatives for Zero Trust

  To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.

  Critical security modernization initiatives:

  (C) User access and productivity

  1. Explicitly validate trust for all access requests Identities Endpoints (devices) Apps Network

  (A) Data, compliance, and governance

  2.

  Ransomware recovery readiness

  3.

  Data

  (E) Modernize security operations

  4.

  Streamline response

  5.

  Unify visibility

  6.

  reduce manual effort

  Incorrect:

  As needed

  Additional initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development:

  *

  (not D) OT and Industrial IoT Discover Protect Monitor

  *

  Datacenter and DevOps Security Security Hygiene Reduce Legacy Risk DevOps Integration Microsegmentation

  Reference: https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview

• Question 67:

  Your company develops several applications that are accessed as custom enterprise applications in Azure AD.

  You need to recommend a solution to prevent users on a specific list of countries from connecting to the applications.

  What should you include in the recommendation?

  A. activity policies in Microsoft Defender for Cloud Apps

  B. sign-in risk policies in Azure AD Identity Protection

  C. Azure AD Conditional Access policies

  D. device compliance policies in Microsoft Endpoint Manager

  E. user risk policies in Azure AD Identity Protection

  Correct Answer: A

  Microsoft Defender for Cloud Apps Activity policies.

  Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of one certain

  type of activity.

  After you set an activity detection policy, it starts to generate alerts - alerts are only generated on activities that occur after you create the policy.

  Each policy is composed of the following parts:

  Activity filters – Enable you to create granular conditions based on metadata.

  Activity match parameters – Enable you to set a threshold for the number of times an activity repeats to be considered to match the policy.

  Actions – The policy provides a set of governance actions that can be automatically applied when violations are detected.

  Incorrect:

  Not C: Azure AD Conditional Access policies applies to users, not to applications.

  Note: Blocking user logins by location can be an added layer of security to your environment. The following process will use Azure Active Directory conditional access to block access based on geographical location. For example, you are

  positive that nobody in your organization should be trying to login to select cloud applications from specific countries.

  Reference: https://docs.microsoft.com/en-us/defender-cloud-apps/user-activity-policies https://cloudcompanyapps.com/2019/04/18/block-users-by-location-in-azure-o365/

• Question 68:

  Your company plans to move all on-premises virtual machines to Azure. A network engineer proposes the Azure virtual network design shown in the following table.

  

  You need to recommend an Azure Bastion deployment to provide secure remote access to all the virtual machines. Based on the virtual network design, how many Azure Bastion subnets are required?

  A. 1

  B. 2

  C. 3

  D. 4

  E. 5

  Correct Answer: B

  https://docs.microsoft.com/en-us/azure/bastion/vnet-peering https://docs.microsoft.com/en-us/learn/modules/connect-vm-with-azure-bastion/2-what-is-azure-bastion

• Question 69:

  Your company has a hybrid cloud infrastructure that contains an on-premises Active Directory Domain Services (AD DS) forest, a Microsoft 365 subscription, and an Azure subscription.

  The company's on-premises network contains internal web apps that use Kerberos authentication. Currently, the web apps are accessible only from the network.

  You have remote users who have personal devices that run Windows 11.

  You need to recommend a solution to provide the remote users with the ability to access the web apps. The solution must meet the following requirements:

  1.

  Prevent the remote users from accessing any other resources on the network.

  2.

  Support Azure Active Directory (Azure AD) Conditional Access.

  3.

  Simplify the end-user experience. What should you include in the recommendation?

  A. Azure AD Application Proxy

  B. web content filtering in Microsoft Defender for Endpoint

  C. Microsoft Tunnel

  D. Azure Virtual WAN

  Correct Answer: A

  Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal

  application portal.

  Azure AD Application Proxy is:

  Secure. On-premises applications can use Azure's authorization controls and security analytics. For example, on-premises applications can use Conditional Access and two-step verification. Application Proxy doesn't require you to open

  inbound connections through your firewall.

  Simple to use. Users can access your on-premises applications the same way they access Microsoft 365 and other SaaS apps integrated with Azure AD. You don't need to change or update your applications to work with Application Proxy.

  Incorrect:

  Not D: Azure Virtual WAN

  Azure Virtual WAN is for end users, not for applications.

  Note: Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. Some of the main features include:

  Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).

  Site-to-site VPN connectivity.

  Remote user VPN connectivity (point-to-site).

  Private connectivity (ExpressRoute).

  Intra-cloud connectivity (transitive connectivity for virtual networks).

  VPN ExpressRoute inter-connectivity.

  Routing, Azure Firewall, and encryption for private connectivity.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

• Question 70:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.

  You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.

  Solution: You recommend access restrictions that allow traffic from the Front Door service tags.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Correct Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.

  Restrict access to a specific Azure Front Door instance.

  Traffic from Azure Front Door to your application originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front

  Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique http header that Azure Front Door sends.

  

  Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#managing-access-restriction-rules