SC-100 Online Practice Questions and Answers

Correct Answer:

Box 1: Azure Web Application Firewall with network service tags A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes.

Incorrect:

* Not Azure private link with network service tags Network service tags are not used with Private links.

Box 2: Automation Contributor built-in role

The Automation Contributor role allows you to manage all resources in the Automation account, except modifying other user's access permissions to an Automation account.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control

Correct Answer:

Box 1: Azure Purview

Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to:

Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.

Enable data curators to manage and secure your data estate.

Empower data consumers to find valuable, trustworthy data.

Box 2: Microsoft Defender for Cloud

Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization's security posture and protect against threats to their workloads.

Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands

visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.

References: https://docs.microsoft.com/en-us/azure/purview/overview

https://docs.microsoft.com/en-us/azure/purview/how-to-integrate-with-azure-security-products

Correct Answer:

Box 1: A security PIN

Azure Backup

The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems.

You can reduce your on-premises exposure by moving your organization to a cloud service.

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a

security PIN before modifying online backups.

Box 2: Encryption by using platform-managed keys

Ensure backup data is encrypted.

By default, backup data at rest is encrypted using platform-managed keys (PMK). For vaulted backups, you can choose to use customer-managed keys (CMK) to own and manage the encryption keys yourself. Additionally, you can configure

encryption on the storage infrastructure using infrastructure-level encryption, which along with CMK encryption provides double encryption of data at rest.

Reference:

https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

Correct Answer:

Plan and develop

Box 1: Plan and develop

Typically, modern development follows an agile development methodology. Scrum is one implementation of agile methodology that has every sprint start with a planning activity. Introducing security into this part of the development process should focus on:

*

Threat modeling to view the application through the lens of a potential attacker

*

IDE security plug-ins and pre-commit hooks for lightweight static analysis checking within an integrated development environment (IDE).

*

Peer reviews and secure coding standards to identify effective security coding standards, peer review processes, and pre-commit hooks. It's not mandatory to add all these steps. But each step helps reveal security issues early, when they're much cheaper and easier to fix.

Box 2: Operate

Go to production and operate

When the solution goes to production, it's vital to continue overseeing and managing the security state. At this stage in the process, it's time to focus on the cloud infrastructure and overall application.

Configuration and infrastructure scanning

Penetration testing

Actionable intelligence

The tools and techniques in this guidance offer a holistic security model for organizations who want to move at pace and experiment with new technologies that aim to drive innovation. A key element of DevSecOps is data-driven, event-driven

processes. These processes help teams identify, evaluate, and respond to potential risks. Many organizations choose to integrate alerts and usage data into their IT service management (ITSM) platform. The team can then bring the same

structured workflow to security events that they use for other incidents and requests.

Box 3: Build and test

Build and test

Many organizations use build and release pipelines to automate and standardize the processes for building and deploying code. Release pipelines let development teams make iterative changes to sections of code quickly and at scale. The

teams won't need to spend large amounts of time redeploying or upgrading existing environments.

Using release pipelines also lets teams promote code from development environments, through testing environments, and ultimately into production. As part of automation, development teams should include security tools that run scripted,

automated tests when deploying code into testing environments. The tests should include unit testing on application features to check for vulnerabilities or public endpoints. Testing ensures intentional access.

Dynamic application security testing (DAST)

In a classical waterfall development model, security was typically introduced at the last step, right before going to production. One of the most popular security approaches is penetration testing or pen testing. Penetration testing lets a team

look at the application from a black-box security perspective, as in, closest to an attacker mindset.

Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls

https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-devops-security

Correct Answer: B

Protect your sensitive data with Microsoft Purview.

Implement capabilities from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to help you discover, classify, and protect sensitive information wherever it lives or travels.

Note: You can use Microsoft Information Protection: Microsoft Purview for Auditing and Analytics in Outlook for iOS, Android, and Mac (DoD).

Incorrect:

Not A: Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft Purview to search for content in Exchange

Online, OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups, and Yammer teams. You can search mailboxes and sites in the same eDiscovery search, and then export the search results. You can use Microsoft

Purview eDiscovery (Standard) cases to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage

custodians and analyze content by using the feature-rich Microsoft Purview eDiscovery (Premium) solution in Microsoft 365.

Not C: What does compliance Manager do?

Compliance managers ensure that a business, its employees and its projects comply with all relevant regulations and specifications. This could include health and safety, environmental, legal or quality standards, as well as any ethical policies

the company may have.

Not D: A retention policy (also called a 'schedule') is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (record), where it's stored and how to dispose of the record when its time.

Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection

https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide

Correct Answer: AF

An Azure Management group is logical containers that allow Azure Administrators to manage access, policy, and compliance across multiple Azure Subscriptions en masse.

If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups the governance conditions you apply cascade by inheritance to all associated subscriptions.

F: Blueprint definition locations

When creating a blueprint definition, you'll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have Contributor access to. If the location is a management group, the blueprint is

available to assign to any child subscription of that management group.

A: Create and assign an initiative definition

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.

Note: The Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in ISO 27001:2013.

The Azure Policy control mapping provides details on policy definitions included within this blueprint and how these policy definitions map to the compliance domains and controls in ISO 27001. When assigned to an architecture, resources

are evaluated by Azure Policy for non-compliance with assigned policy definitions.

Incorrect:

Not B, D, E: If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.

Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-us/azure/governance/blueprints/overview https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001 https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

Correct Answer: D

Web content filtering is part of the Web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not

malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.

Note: Turn on web content filtering

From the left-hand navigation in Microsoft 365 Defender portal, select Settings > Endpoints > General > Advanced Features. Scroll down until you see the entry for Web content filtering. Switch the toggle to On and Save preferences.

Configure web content filtering policies

Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to Settings > Endpoints > Web content filtering (under Rules).

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering

Correct Answer: A

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal

application portal.

Azure AD Application Proxy is:

Secure. On-premises applications can use Azure's authorization controls and security analytics. For example, on-premises applications can use Conditional Access and two-step verification. Application Proxy doesn't require you to open

inbound connections through your firewall.

Simple to use. Users can access your on-premises applications the same way they access Microsoft 365 and other SaaS apps integrated with Azure AD. You don't need to change or update your applications to work with Application Proxy.

Incorrect:

Not D: Azure Virtual WAN

Azure Virtual WAN is for end users, not for applications.

Note: Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. Some of the main features include:

Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).

Site-to-site VPN connectivity.

Remote user VPN connectivity (point-to-site).

Private connectivity (ExpressRoute).

Intra-cloud connectivity (transitive connectivity for virtual networks).

VPN ExpressRoute inter-connectivity.

Routing, Azure Firewall, and encryption for private connectivity.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

Correct Answer: A

Control mapping of the ISO 27001 Shared Services blueprint sample

The following mappings are to the ISO 27001:2013 controls. Use the navigation on the right to jump directly to a specific control mapping. Many of the mapped controls are implemented with an Azure Policy initiative.

Open Policy in the Azure portal and select the Definitions page. Then, find and select the [Preview] Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements built-in policy initiative.

Note: Security Center can now auto provision the Azure Policy's Guest Configuration extension (in preview)

Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc connected machines. The validation is performed by the Guest Configuration extension and client.

With this update, you can now set Security Center to automatically provision this extension to all supported machines.

Enforcing a secure configuration, based on a specific recommendation, is offered in two modes:

Using the Deny effect of Azure Policy, you can stop unhealthy resources from being created

Using the Enforce option, you can take advantage of Azure Policy's DeployIfNotExist effect and automatically remediate non-compliant resources upon creation Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/iso27001-shared/control-mapping https://docs.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive https://docs.microsoft.com/en-us/azure/defender-for-cloud/prevent-misconfigurations

Correct Answer: ACE

Correct Answer: C

Explanation:

Azure Policy helps to enforce organizational standards and to assess compliance at-scale.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure

environment as built-ins to help you get started.

Specifically, some useful governance actions you can enforce with Azure Policy include:

Ensuring your team deploys Azure resources only to allowed regions

Enforcing the consistent application of taxonomic tags

Requiring resources to send diagnostic logs to a Log Analytics workspace

Note: Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The

assignment applies to all resources within the Resource Manager scope of that assignment.

Reference:

https://learn.microsoft.com/en-us/azure/governance/policy/overview

Correct Answer: C

Explanation:

Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.

Azure SQL Database is cheaper as its offer DTU's based tier and also vCore based for more intensive workflow.

Hovewer, Managed Instance offers almost ~100% compatibility with on-prem Microsoft SQL Server.

Incorrect:

Not A: SQL Server does not support dynamic data masking.

Not B: Synapse Analytics is more expensive compared to Azure SQL Database.

Reference:

https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql

https://learn.microsoft.com/en-us/answers/questions/1057631/azure-sql-db-vs-azure-sql-managed-instance-cost

Correct Answer: D

Explanation:

Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.

Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.

Note: Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.

Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.

Incorrect:

Not C: App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of

actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allows you to manage and protect your organization's data within an application. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM.

Reference:

https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad

https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy

Correct Answer: D

Explanation:

By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using authorized IP ranges. You can also create a fully private cluster to limit API

server access to your virtual network.

Reference:

https://learn.microsoft.com/en-us/azure/aks/concepts-security

Correct Answer: B

Requirements. Application Development Requirements

Fabrikam identifies the following requirements for application development:

*

All the application code must be stored in GitHub Enterprise.

*

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

A GitHub Advanced Security license provides the following additional features:

Code scanning - Search for potential security vulnerabilities and coding errors in your code.

Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository. If push protection is enabled, also detects secrets when they are pushed to your repository.

Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.

Security overview - Review the security configuration and alerts for an organization and identify the repositories at greatest risk.

Incorrect:

Not C:

Scenario: Azure DevTest labs will be used by developers for testing.

Azure DevTest Labs is a service for easily creating, using, and managing infrastructure-as-a-service (IaaS) virtual machines (VMs) and platform-as-a-service (PaaS) environments in labs. Labs offer preconfigured bases and artifacts for

creating VMs, and Azure Resource Manager (ARM) templates for creating environments like Azure Web Apps or SharePoint farms.

Lab owners can create preconfigured VMs that have tools and software lab users need. Lab users can claim preconfigured VMs, or create and configure their own VMs and environments. Lab policies and other methods track and control lab

usage and costs.

Reference: https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security