SC-100 Online Practice Questions and Answers

Correct Answer: B

After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in workbooks or create a new workbook easily, from scratch or based on an existing workbook.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/get-visibility

Correct Answer: AE

Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.

Provision the service directly in your local or peered virtual network to get support for all the VMs within it.

Connect to your virtual machines in your local and peered virtual networks over SSL, port 443, directly in the Azure portal.

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it

can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.

Architecture

When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies.

Reference:

https://learn.microsoft.com/en-us/azure/bastion/vnet-peering

https://azure.microsoft.com/en-us/products/azure-bastion/#features

Correct Answer: B

Correct Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.

Restrict access to a specific Azure Front Door instance.

Traffic from Azure Front Door to your application originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front

Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique http header that Azure Front Door sends.

Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#managing-access-restriction-rules Reference:

Correct Answer: B

Microsoft Endpoint Manager includes Microsoft Intune.

Device compliance policies are a key feature when using Intune to protect your organization's resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version.

Microsoft Endpoint Manager helps deliver the modern workplace and modern management to keep your data secure, in the cloud and on-premises. Endpoint Manager includes the services and tools you use to manage and monitor mobile

devices, desktop computers, virtual machines, embedded devices, and servers.

Endpoint Manager combines services you may know and already be using, including Microsoft Intune, Configuration Manager, Desktop Analytics, co-management, and Windows Autopilot. These services are part of the Microsoft 365 stack to

help secure access, protect data, respond to risk, and manage risk.

Note: Microsoft Defender for Endpoint Plan 2 protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or multicloud.

Microsoft Defender for Endpoint on iOS offers protection against phishing and unsafe network connections from websites, emails, and apps.

Microsoft Defender for Endpoint on Android supports installation on both modes of enrolled devices - the legacy Device Administrator and Android Enterprise modes. Currently, Personally-owned devices with work profile and Corporate-

owned fully managed user device enrollments are supported in Android Enterprise.

Reference: https://docs.microsoft.com/en-us/mem/endpoint-manager-overview

https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint

Correct Answer: B

Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (Azure AD) supports this pattern via Azure AD Domain Services (AD DS). It allows organizations that are adopting a cloud-first strategy to modernize their environment by moving off their on-premises LDAP resources

to the cloud. The immediate benefits will be:

Integrated with Azure AD. Additions of users and groups, or attribute changes to their objects are automatically synchronized from your Azure AD tenant to AD DS. Changes to objects in on-premises Active Directory are synchronized to

Azure AD, and then to AD DS.

Simplify operations. Reduces the need to manually keep and patch on-premises infrastructures. Reliable. You get managed, highly available services Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap

Correct Answer: A

Microsoft Defender for Cloud Apps Activity policies.

Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of one certain

type of activity.

After you set an activity detection policy, it starts to generate alerts - alerts are only generated on activities that occur after you create the policy.

Each policy is composed of the following parts:

Activity filters – Enable you to create granular conditions based on metadata.

Activity match parameters – Enable you to set a threshold for the number of times an activity repeats to be considered to match the policy.

Actions – The policy provides a set of governance actions that can be automatically applied when violations are detected.

Incorrect:

Not C: Azure AD Conditional Access policies applies to users, not to applications.

Note: Blocking user logins by location can be an added layer of security to your environment. The following process will use Azure Active Directory conditional access to block access based on geographical location. For example, you are

positive that nobody in your organization should be trying to login to select cloud applications from specific countries.

Reference: https://docs.microsoft.com/en-us/defender-cloud-apps/user-activity-policies https://cloudcompanyapps.com/2019/04/18/block-users-by-location-in-azure-o365/

Correct Answer: AE

Explanation:

Blocking or limiting access on unmanaged devices relies on Azure AD conditional access policies.

Create a block download policy for unmanaged devices

Defender for Cloud Apps session policies allow you to restrict a session based on device state. To accomplish control of a session using its device as a condition, create both a conditional access policy AND a session policy.

Incorrect:

Not B: Azure Data Catalog is an enterprise-wide metadata catalog that makes data asset discovery straightforward. It's a fully-managed service that lets you — from analyst to data scientist to data developer — register, enrich, discover,

understand, and consume data sources.

Not C: Implement capabilities from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to help you discover, classify, and protect sensitive information wherever it lives or travels.

Reference:

https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-proxy-block-session-aad

Correct Answer: D

Explanation:

The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment. This benchmark focuses

on cloud-centric control areas with input from a set of holistic Microsoft and industry security guidance.

Controls include:

*

Endpoint Security (ES)

Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in cloud environments.

*

Data Protection (DP)

Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, key management and

certificate management.

*

Etc.

Reference: https://learn.microsoft.com/en-us/security/benchmark/azure/overview

Correct Answer: A

Correct Answer: D