Lead4Pass SC-100 dumps are verified and audited by a Microsoft professional team, and they really meet the requirements of the SC-100 certification exam, covering more than 95% of the exam questions in the exam room!
And, offer the most popular study methods: SC-100 dumps PDF, and SC-100 dumps VCE, both study formats contain the latest certification exam questions and answers!
Therefore, the best exam solution is to use SC-100 dumps with PDF and VCE formats: https://www.leads4pass.com/sc-100.html (139 Q&A), to help you practice easily and achieve exam success.
What’s more! Part of the Lead4Pass SC-100 dumps exam questions online for free download: https://drive.google.com/file/d/1paKg30ee12AXRtQ6jXCQrEeThKQZXpm7/
You can also practice some of the Lead4Pass SC-100 dumps exam questions online
| Type | Number of exam questions | Exam name | Exam code | Last updated |
| Free | 15 | Microsoft Cybersecurity Architect | SC-100 | SC-100 dumps |
Question 1:
HOTSPOT
You are designing security for a runbook in an Azure Automation account. The runbook will copy data to Azure Data Lake Storage Gen2.
You need to recommend a solution to secure the components of the copy process.
What should you include in the recommendation for each component? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Azure Web Application Firewall with network service tags A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes.
Incorrect:
* Not Azure private link with network service tags Network service tags are not used with Private links.
Box 2: Automation Contributor built-in role
The Automation Contributor role allows you to manage all resources in the Automation account, except modifying other users \’s access permissions to an Automation account.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control
Question 2:
HOTSPOT
You open Microsoft Defender for Cloud as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Azure Web Application Firewall (WAF)
Restrict unauthorized network access control: 1 resource out of 11 needs to be addressed.
Restrict unauthorized network access – Azure offers a suite of tools designed to ensure access across your network meets the highest security standards.
Use these recommendations to manage Defender for Cloud\’s adaptive network hardening settings, ensure you configured Azure Private Link for all relevant PaaS services, enable Azure Firewall on your virtual networks, and more.
Note: Azure Web Application Firewall (WAF) is an optional addition to Azure Application Gateway.
Azure WAF protects inbound traffic to the web workloads, and the Azure Firewall inspects inbound traffic for the other applications. The Azure Firewall will cover outbound flows from both workload types.
Incorrect:
Not network security groups (NSGs).
Box 2: Microsoft Defender for servers
Enable endpoint protection – Defender for Cloud checks your organization\’s endpoints for active threat detection and response solutions such as Microsoft Defender for Endpoint or any of the major solutions shown in this list.
When an Endpoint Detection and Response (EDR) solution isn’t found, you can use these recommendations to deploy Microsoft Defender for Endpoint (included as part of Microsoft Defender for servers).
Incorrect:
Not Microsoft Defender for Resource Manager:
Microsoft Defender for Resource Manager does not handle endpoint protection.
Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they\’re performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alert you about suspicious activity.
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
Question 3:
HOTSPOT
Your company has a multi-cloud environment that contains a Microsoft 365 subscription, an Azure subscription, and Amazon Web Services (AWS) implementation.
You need to recommend a security posture management solution for the following components:
1.
Azure IoT Edge devices
2.
AWS EC2 instances
Which services should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Microsoft Defender for IoT
Microsoft Defender for IoT is a unified security solution for identifying IoT and OT devices, vulnerabilities, and threats and managing them through a central interface.
Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key part that IoT Edge plays in IoT environments makes it particularly attractive for malicious actors.
Defender for IoT Azureiotsecurity provides a comprehensive security solution for your IoT Edge devices. Defender for IoT module collects, aggregates, and analyzes raw security data from your Operating System and container system into actionable security recommendations and alerts.
Box 2: Microsoft Defender for Cloud and Azure Arc
Microsoft Defender for Cloud provides the following features in the CSPM (Cloud Security Posture Management) category in the multi-cloud scenario for AWS. Take into account that some of them require a Defender plan to be enabled (such as Regulatory Compliance):
*
Detection of security misconfigurations
*
Single view showing Security Center recommendations and AWS Security Hub findings
*
Incorporation of AWS resources into the Security Center\’s secure score calculations
*
Regulatory compliance assessments of AWS resources
Security Center uses Azure Arc to deploy the Log Analytics agent to AWS instances.
Incorrect: AWS EC2 Microsoft Defender for Cloud Apps Amazon Web Services is an IaaS provider that enables your organization to host and manage its entire workloads in the cloud. Along with the benefits of leveraging infrastructure in the cloud, your organization\’s most critical assets may be exposed to threats. Exposed assets include storage instances with potentially sensitive information, compute resources that operate some of your most critical applications, ports, and virtual private networks that enable access to your organization.
Connecting AWS to Defender for Cloud Apps helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, notifying of possible brute force attacks, malicious use of a privileged user account, unusual deletions of VMs, and publicly exposed storage buckets.
Reference: https://docs.microsoft.com/en-us/azure/defender-for-iot/device-builders/security-edge-architecture https://samilamppu.com/2021/11/04/multi-cloud-security-posture-management-in-microsoft-defender-for-cloud/
Question 4:
You are designing an auditing solution for Azure landing zones that will contain the following components:
1.
SQL audit logs for Azure SQL databases
2.
Windows Security logs from Azure virtual machines
3.
Azure App Service audit logs from App Service web apps
You need to recommend a centralized logging solution for the landing zones. The solution must meet the following requirements:
Log all privileged access.
Retain logs for at least 365 days.
Minimize costs.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Question 5:
HOTSPOT
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains a Microsoft Sentinel workspace. Microsoft Sentinel data connectors are configured for Microsoft 365, Microsoft 365 Defender, Defender for Cloud, and Azure.
You plan to deploy Azure virtual machines that will run Windows Server.
You need to enable extended detection and response (EDR) and security orchestration, automation, and response (SOAR) capabilities for Microsoft Sentinel.
How should you recommend enabling each capability? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Onboard the servers to Defender for Cloud.
Extended detection and response (XDR) is a new approach defined by industry analysts that are designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get
ahead of attackers.
As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across
identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.
Box 2: Configure Microsoft Sentinel playbooks.
As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time
and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response to
playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation to your threat response tasks.
Question 6:
HOTSPOT
You have a hybrid cloud infrastructure.
You plan to deploy the Azure applications shown in the following table.
What should you use to meet the requirement of each app? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Azure Application Gateway Web Application Firewall policies
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
Azure Web Application Firewall is a cloud-native service that protects web apps from common web-hacking techniques such as SQL injection and security vulnerabilities such as cross-site scripting.
Box 2: Azure Active Directory B2C with Conditional Access
You can set up sign-up and sign-in with a LinkedIn account using Azure Active Directory B2C.
You can enhance the security of Azure Active Directory B2C (Azure AD B2C) with Azure AD Identity Protection and Conditional Access. Incorrect:
* Azure VPN Gateway with network security group rules NSGs cannot protect against XSS.
Reference: https://learn.microsoft.com/en-us/azure/application-gateway/overview https://azure.microsoft.com/en-us/products/web-application-firewall/#overview https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-linkedin
Question 7:
HOTSPOT
Your company has an Azure App Service plan that is used to deploy containerized web apps.
You are designing a secure DevOps strategy for deploying the web apps to the App Service plan.
You need to recommend a strategy to integrate code scanning tools into a secure software development lifecycle. The code must be scanned during the following two phases:
1.
Uploading the code to repositories
2.
Building containers
Where should you integrate code scanning for each phase? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: GitHub Enterprise
A GitHub Advanced Security license provides the following additional features:
Code scanning – Search for potential security vulnerabilities and coding errors in your code.
Secret scanning – Detect secrets, for example, keys and tokens, that have been checked into the repository. If push protection is enabled, also detects secrets when they are pushed to your repository.
Etc.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Cloud.
Box 2: Azure Pipelines
Building Containers with Azure DevOps using DevTest Pattern with Azure Pipelines
The pattern enabled us to build a container for development, testing, and releasing the container for further reuse (production ready).
Azure Pipelines integrates metadata tracing into your container images, including commit hashes and issue numbers from Azure Boards, so that you can inspect your applications with confidence.
Incorrect:
*
Not Azure Boards: Azure Boards provides software development teams with the interactive and customizable tools they need to manage their software projects. It provides a rich set of capabilities including native support for Agile, Scrum,
and Kanban processes, calendar views, configurable dashboards, and integrated reporting.
*
Not Microsoft Defender for Cloud
Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.
You cannot use Microsoft Defender for Cloud to scan code, it scans images.
Reference:
Question 8:
HOTSPOT
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII).
The company plans to use Microsoft Information Protection for the PII data store in Azure.
You need to recommend a solution to discover PII data at risk in the Azure resources.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Azure Purview
Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to:
Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
Enable data curators to manage and secure your data estate.
Empower data consumers to find valuable, trustworthy data.
Box 2: Microsoft Defender for Cloud
Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization\’s security posture and protect against threats to their workloads.
Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands
visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.
References: https://docs.microsoft.com/en-us/azure/purview/overview
https://docs.microsoft.com/en-us/azure/purview/how-to-integrate-with-azure-security-products
Question 9:
HOTSPOT
You are creating the security recommendations for an Azure App Service web app named App1. App1 has the following specifications:
1.
Users will authenticate by using Azure AD user accounts.
2.
Users will request access to App1 through the My Apps portal. A human resources manager will approve the requests.
You need to recommend an access security architecture for App1.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: A managed identity in Azure AD
Use a managed identity. You use Azure AD as the identity provider.
Box 2: An access review in Identity Governance
Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group
members or application access.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Question 10:
HOTSPOT
You are planning the security levels for a security access strategy.
You need to identify which job roles to configure at which security levels. The solution must meet security best practices of the Microsoft Cybersecurity Reference Architectures (MCRA).
Which security level should you configure for each job role? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Specialized Security
Securing devices as part of the privileged access story Box 2: Enterprise security
Box 3: Privileged security
Reference: https://learn.microsoft.com/en-us/security/compass/privileged-access-devices
Question 11:
HOTSPOT
For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to protect against the following external threats of an attack chain:
1.
An attacker attempts to exfiltrate data to external websites.
2.
An attacker attempts lateral movement across domain-joined computers.
What should you include in the recommendation for each threat? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Microsoft Defender for Identity
An attacker attempts to exfiltrate data to external websites.
Exfiltration alerts
Typically, cyberattacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets. Valuable assets can be sensitive accounts, domain
administrators, or highly sensitive data. Microsoft Defender for Identity identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases:
Reconnaissance
Compromised credentials
Lateral Movements
Domain dominance
Exfiltration
Box 2: Microsoft Defender for Identity
An attacker attempts lateral movement across domain-joined computers.
Microsoft Defender for Identity Lateral Movement Paths (LMPs)
Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts throughout your network. Lateral movement is used by attackers to identify and gain access to the sensitive accounts and machines in
your network that share stored sign-in credentials in accounts, groups, and machines. Once an attacker makes successful lateral moves toward your key targets, the attacker can also take advantage and gain access to your domain
controllers. Lateral movement attacks are carried out using many of the methods described in Microsoft Defender for Identity Security Alerts.
A key component of Microsoft Defender for Identity\’s security insights is Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally
inside your network.
Reference: https://learn.microsoft.com/en-us/defender-for-identity/exfiltration-alerts
Question 12:
HOTSPOT
You use Azure Policy with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows.
You need to recommend best practices to secure the stages of the CI/CD workflows based on the Microsoft Cloud Adoption Framework for Azure.
What should you include in the recommendation for each stage? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Protected branches
Git workflow
The pull request workflow is designed to introduce healthy friction, which is why it should only be applied to secure specific Git branches. Especially the branches that will trigger automated workflows that can deploy, configure, or in any other
way affect your cloud resources. These branches are called protected branches.
Restrict access to protected branches
The pull request workflow is used together with restricted access controls. The pull request workflow can\’t be enforced, however, unless the server is configured to reject direct changes to protected branches.
A developer can’t push directly to the production branch but instead must create a pull request that targets the protected branch. Each SCM vendor has a different flavor for achieving restricted access to protected branches. For example, with
GitHub This feature is only available for organizations using GitHub Team or GitHub Enterprise cloud.
Box 2: Azure Key Vault
Secure your deployment credentials
Pipelines and code repositories should not include hard-coded credentials and secrets. Credentials and secrets should be stored elsewhere and use the CI vendor feature for security. Because pipelines run as headless agents, they should
never use an individual\’s password.
Azure Key Vault
If your CI platform supports it, consider storing credentials in a dedicated secret store, for example, Azure Key Vault. Credentials are fetched at runtime by the build agent and your attack surface is reduced.
Reference:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops
Question 13:
HOTSPOT
Your company wants to optimize using Azure to protect its resources from ransomware.
You need to recommend which capabilities of Azure Backup and Azure Storage provide the strongest protection against ransomware attacks. The solution must follow Microsoft Security Best Practices.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: A security PIN
Azure Backup
The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems.
You can reduce your on-premises exposure by moving your organization to a cloud service.
Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you\’re prompted to enter a
security PIN before modifying online backups.
Box 2: Encryption by using platform-managed keys
Ensure backup data is encrypted.
By default, backup data at rest is encrypted using platform-managed keys (PMK). For vaulted backups, you can choose to use customer-managed keys (CMK) to own and manage the encryption keys yourself. Additionally, you can configure
encryption on the storage infrastructure using infrastructure-level encryption, which along with CMK encryption provides double encryption of data at rest.
Reference:
https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq
Question 14:
HOTSPOT
You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure.
During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Plan and develop
Box 1: Plan and develop
Typically, modern development follows an agile development methodology. Scrum is one implementation of agile methodology that has every sprint start with a planning activity. Introducing security into this part of the development process should focus on:
*
Threat modeling to view the application through the lens of a potential attacker
*
IDE security plug-ins and pre-commit hooks for lightweight static analysis checking within an integrated development environment (IDE).
*
Peer reviews and secure coding standards to identify effective security coding standards, peer review processes, and pre-commit hooks. It\’s not mandatory to add all these steps. But each step helps reveal security issues early, when they\’re much cheaper and easier to fix.
Box 2: Operate
Go to production and operate
When the solution goes to production, it\’s vital to continue overseeing and managing the security state. At this stage in the process, it\’s time to focus on the cloud infrastructure and overall application.
Configuration and infrastructure scanning
Penetration testing
Actionable intelligence
The tools and techniques in this guide offer a holistic security model for organizations that want to move at pace and experiment with new technologies that aim to drive innovation. A key element of DevSecOps is data-driven, event-driven
processes. These processes help teams identify, evaluate, and respond to potential risks. Many organizations choose to integrate alerts and usage data into their IT service management (ITSM) platform. The team can then bring the same
structured workflow to security events that they use for other incidents and requests.
Box 3: Build and test
Build and test
Many organizations use to build and release pipelines to automate and standardize the processes for building and deploying code. Release pipelines let development teams make iterative changes to sections of code quickly and at scale. The
teams won’t need to spend large amounts of time redeploying or upgrading existing environments.
Using release pipelines also lets teams promote code from development environments, through testing environments, and ultimately into production. As part of automation, development teams should include security tools that run scripted,
automated tests when deploying code into testing environments. The tests should include unit testing on application features to check for vulnerabilities or public endpoints. Testing ensures intentional access.
Dynamic application security testing (DAST)
In a classical waterfall development model, security was typically introduced at the last step, right before going to production. One of the most popular security approaches is penetration testing or pen testing. Penetration testing lets a team
look at the application from a black-box security perspective, as in, closest to an attacker mindset.
Reference:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-devops-security
Question 15:
HOTSPOT
You have an Azure subscription and an on-premises data center. The data center contains 100 servers that run Windows Server. All the servers are backed up to a Recovery Services vault by using Azure Backup and the Microsoft Azure Recovery Services (MARS) agent.
You need to design a recovery solution for ransomware attacks that encrypt the on-premises servers. The solution must follow Microsoft Security Best Practices and protect against the following risks:
1.
A compromised administrator account was used to delete the backups from Azure Backup before encrypting the servers
2.
A compromised administrator account was used to disable the backups on the MARS agent before encrypting the servers
What should you use for each risk? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Soft delete of backups
How to block intentional or unintentional deletion of backup data?
Enable Soft delete is enabled to protect backups from accidental or malicious deletes.
Soft delete is a useful feature that helps you deal with data loss. Soft delete retains backup data for 14 days, allowing the recovery of that backup item before it\’s permanently lost.
Box 2: Multi-user authorization by using Resource Guard
Ensure Multi-user authorization (MUA) is enabled for an additional layer of protection.
MUA for Azure Backup uses a new resource called Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable
authorization.
Reference: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq
Lead4Pass SC-100 dumps share two study materials for free: you can download them online and practice exams online!
Now! Download the SC-100 best practice solution! Use Lead4Pass SC-100 dumps with PDF and VCE: https://www.leads4pass.com/sc-100.html Contains 139 latest exam questions and answers to help you pass the exam 100%.
