Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Microsoft
  3. SC-100

Microsoft Cybersecurity Architect SC-100 Exam Questions in PDF

Free Microsoft SC-100 Dumps Questions (page: 3)

SC-100 PDF — 349 Questions

Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.

The company is designing an application that will have the architecture shown in the following exhibit.



You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:

Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.


Use Defender for Cloud to review alerts from the virtual machines.


What should you include in the solution? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Data connectors
Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel.

Launch a WAF workbook (see step 7 below)
The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource.

To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:

1. Select Diagnostic settings.

2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped)
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel under Configuration select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously. A working WAF workbook should now exist for your WAF resources.

Box 2: The Log Analytics agent
Use the Log Analytics agent to integrate with Microsoft Defender for cloud.



The Log Analytics agent is required for solutions, VM insights, and other services such as Microsoft Defender for Cloud.

Note: The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You may choose to use either or both depending on your requirements.

Azure Log Analytics agent
Use Defender for Cloud to review alerts from the virtual machines.

The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any cloud, on- premises machines, and those monitored by System Center Operations Manager and sends collected data to your Log Analytics workspace in Azure Monitor.

Incorrect:
The Azure Diagnostics extension does not integrate with Microsoft Defender for Cloud.


Reference:

https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel.

You plan to integrate Microsoft Sentinel with Splunk.

You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.

What should you include in the recommendation?

  1. a Microsoft Sentinel data connector
  2. Azure Event Hubs
  3. a Microsoft Sentinel workbook
  4. Azure Data Factory

Answer(s): B




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.

The customer discovers that several endpoints are infected with malware.

The customer suspends access attempts from the infected endpoints.

The malware is removed from the endpoints.

Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.

Note: Each correct selection is worth one point.

  1. The client access tokens are refreshed.
  2. Microsoft Intune reports the endpoints as compliant.
  3. A new Microsoft Entra Conditional Access policy is enforced.
  4. Microsoft Defender for Endpoint reports the endpoints as compliant.

Answer(s): A,B




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft

Defender for Cloud are enabled.

The Azure subscription contains a Microsoft Sentinel workspace. Microsoft Sentinel data connectors are configured for Microsoft 365, Microsoft Defender XDR, Defender for Cloud, and Azure Activity.

You plan to deploy Azure virtual machines that will run Windows Server.

You need to enable extended detection and response (EDR) and security orchestration, automation, and response (SOAR) capabilities for Microsoft Sentinel.

How should you recommend enabling each capability? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Onboard the servers to Defender for Cloud.
Extended detection and response (XDR) is a new approach defined by industry analysts that are designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.

As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

Box 2: Configure Microsoft Sentinel playbooks.
As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation to your threat response tasks.


Reference:

https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security- operations/
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ ba-p/3563377




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

You have a customer that has a Microsoft 365 subscription and uses the Free edition of Microsoft Entra ID.

The customer plans to obtain an Azure subscription and provision several Azure resources.

You need to evaluate the customer's security environment.

What will necessitate an upgrade from the Microsoft Entra Free edition to the Premium edition?

  1. Microsoft Entra Privileged Identity Management (PIM)
  2. role-based authorization
  3. resource-based authorization
  4. Microsoft Entra Multi-Factor Authentication

Answer(s): A




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

You are designing the security standards for a new Azure environment.

You need to design a privileged identity strategy based on the Zero Trust model.

Which framework should you follow to create the design?

  1. Microsoft Security Development Lifecycle (SDL)
  2. Enhanced Security Admin Environment (ESAE)
  3. Rapid Modernization Plan (RaMP)
  4. Microsoft Operational Security Assurance (OSA)

Answer(s): C

Explanation:

RaMP initiatives for Zero Trust.

To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.
In particular, meet these deployment objectives to protect your privileged identities with Zero Trust.
1. Deploy secured privileged access to protect administrative user accounts.
2. Deploy Microsoft Entra Privileged Identity Management (PIM) for a time-bound, just-in-time approval process for the use of privileged user accounts.
Note 1: RaMP guidance takes a project management and checklist approach:
* User access and productivity
1. Explicitly validate trust for all access requests
Identities
Endpoints (devices)
Apps
Network
* Data, compliance, and governance
2. Ransomware recovery readiness
3. Data
* Modernize security operations
4. Streamline response
5. Unify visibility
6. Reduce manual effort
Note 2: As an alternative to deployment guidance that provides detailed configuration steps for each of the technology pillars being protected by Zero Trust principles, Rapid Modernization Plan (RaMP) guidance is based on initiatives and gives you a set of deployment paths to more quickly implement key layers of protection.
By providing a suggested mapping of key stakeholders, implementers, and their accountabilities, you can more quickly organize an internal project and define the tasks and owners to drive them to conclusion.
By providing a checklist of deployment objectives and implementation steps, you can see the bigger picture of infrastructure requirements and track your progress.
Incorrect:
Not B: Enhanced Security Admin Environment (ESAE)
The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators.
Microsoft's recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and rapid modernization plan (RAMP) guidance as the default recommended approach for securing privileged users. The ESAE hardened administrative forest pattern (on-prem or cloud-based) is now considered a custom configuration suitable only for exception cases listed below.
What are the valid ESAE use cases?
While not a mainstream recommendation, this architectural pattern is valid in a limited set of scenarios.
In these exception cases, the organization must accept the increased technical complexity and operational costs of the solution. The organization must have a sophisticated security program to measure risk, monitor risk, and apply consistent operational rigor to the usage and maintenance of the ESAE implementation.
Example scenarios include:
Isolated on-premises environments - where cloud services are unavailable such as offline research laboratories, critical infrastructure or utilities, disconnected operational technology (OT) environments such as Supervisory control and data acquisition (SCADA) / Industrial Control Systems (ICS), and public sector customers that are fully reliant on on-premises technology.
Highly regulated environments industry or government regulation may specifically require an administrative forest configuration.
High level security assurance is mandated - organizations with low risk tolerance that are willing to accept the increased complexity and operational cost of the solution.


Reference:

https://docs.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview https://docs.microsoft.com/en-us/security/zero-trust/user-access-productivity-validate-trust#identities https://docs.microsoft.com/en-us/security/compass/esae-retirement




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription.

All on-premises servers in the perimeter network are prevented from connecting directly to the internet.

The customer recently recovered from a ransomware attack.

The customer plans to deploy Microsoft Sentinel.

You need to recommend solutions to meet the following requirements:

Ensure that the security operations team can access the security logs and the operation logs.


Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.

Which two solutions should you include in the recommendation? Each correct answer presents a complete solution.

Note: Each correct selection is worth one point.

  1. a custom collector that uses the Log Analytics agent
  2. the Azure Monitor agent
  3. resource-based role-based access control (RBAC)
  4. Microsoft Entra Conditional Access policies

Answer(s): B,C

Explanation:

A: You can collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent.
Note: You can use the Log Analytics agent to collect data in text files of nonstandard formats from both Windows and Linux computers. Once collected, you can either parse the data into individual fields in your queries or extract the data during collection to individual fields.
You can connect your data sources to Microsoft Sentinel using custom log formats.
C: Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure.
Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly (see note below), or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits.
Incorrect:
A: You can collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent.
Note: You can use the Log Analytics agent to collect data in text files of nonstandard formats from both Windows and Linux computers. Once collected, you can either parse the data into individual fields in your queries or extract the data during collection to individual fields.
You can connect your data sources to Microsoft Sentinel using custom log formats.


Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview https://docs.microsoft.com/en-us/azure/sentinel/connect-custom-logs?tabs=DCG https://docs.microsoft.com/en-us/azure/sentinel/roles




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.



You need to recommend a solution to isolate the compute components on an Azure virtual network.

What should you include in the recommendation?

  1. Microsoft Entra enterprise applications
  2. an Azure App Service Environment (ASE)
  3. Azure service endpoints
  4. Microsoft Entra enterprise applications

Answer(s): B

Explanation:

The Azure App Service Environment v2 is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. This capability can host your:
Windows web apps
Linux web apps
Docker containers
Mobile apps
Functions
App Service environments (ASEs) are appropriate for application workloads that require:
Very high scale.

Isolation and secure network access.
High memory utilization.
Customers can create multiple ASEs within a single Azure region or across multiple Azure regions. This flexibility makes ASEs ideal for horizontally scaling stateless application tiers in support of high requests per second (RPS) workloads.


Reference:

https://docs.microsoft.com/en-us/azure/app-service/environment/intro



Viewing page 3 of 44

Share your comments for Microsoft SC-100 exam with other users:

D
Dinesh
8/1/2023 2:26:00 PM

could you please upload sap c_arsor_2302 questions? it will be very much helpful.

Anonymous
L
LBert
6/19/2023 10:23:00 AM

vraag 20c: rsa veilig voor symmtrische cryptografie? antwoord c is toch fout. rsa is voor asymmetrische cryptogafie??

NETHERLANDS
G
g
12/22/2023 1:51:00 PM

so far good

UNITED STATES
M
Milos
8/4/2023 9:33:00 AM

question 31 has obviously wrong answers. tls and ssl are used to encrypt data at transit, not at rest.

Serbia And Montenegro
D
Diksha
9/25/2023 2:32:00 AM

pls provide dump for 1z0-1080-23 planning exams

Anonymous
H
H
7/17/2023 4:28:00 AM

could you please upload the exam?

Anonymous
A
Anonymous
9/14/2023 4:47:00 AM

please upload this

UNITED STATES
N
Naveena
1/13/2024 9:55:00 AM

good material

Anonymous
W
WildWilly
1/19/2024 10:43:00 AM

lets see if this is good stuff...

Anonymous
L
Lavanya
11/2/2023 1:53:00 AM

useful information

UNITED STATES
M
Moussa
12/12/2023 5:52:00 AM

intéressant

BURKINA FASO
M
Madan
6/22/2023 9:22:00 AM

thank you for making the interactive questions

Anonymous
V
Vavz
11/2/2023 6:51:00 AM

questions are accurate

Anonymous
S
Su
11/23/2023 4:34:00 AM

i need questions/dumps for this exam.

Anonymous
L
LuvSN
7/16/2023 11:19:00 AM

i need this exam, when will it be uploaded

ROMANIA
M
Mihai
7/19/2023 12:03:00 PM

i need the dumps !

Anonymous
W
Wafa
11/13/2023 3:06:00 AM

very helpful

Anonymous
A
Alokit
7/3/2023 2:13:00 PM

good source

Anonymous
S
Show-Stopper
7/27/2022 11:19:00 PM

my 3rd test and passed on first try. hats off to this brain dumps site.

UNITED STATES
M
Michelle
6/23/2023 4:06:00 AM

please upload it

Anonymous
L
Lele
11/20/2023 11:55:00 AM

does anybody know if are these real exam questions?

EUROPEAN UNION
G
Girish Jain
10/9/2023 12:01:00 PM

are these questions similar to actual questions in the exam? because they seem to be too easy

Anonymous
P
Phil
12/8/2022 11:16:00 PM

i have a lot of experience but what comes in the exam is totally different from the practical day to day tasks. so i thought i would rather rely on these brain dumps rather failing the exam.

GERMANY
B
BV
6/8/2023 4:35:00 AM

good questions

NETHERLANDS
K
krishna
12/19/2023 2:05:00 AM

valied exam dumps. they were very helpful and i got a pretty good score. i am very grateful for this service and exam questions

Anonymous
P
Pie
9/3/2023 4:56:00 AM

will it help?

INDIA
L
Lucio
10/6/2023 1:45:00 PM

very useful to verify knowledge before exam

POLAND
A
Ajay
5/17/2023 4:54:00 AM

good stuffs

Anonymous
T
TestPD1
8/10/2023 12:19:00 PM

question 17 : responses arent b and c ?

EUROPEAN UNION
N
Nhlanhla
12/13/2023 5:26:00 AM

just passed the exam on my first try using these dumps.

Anonymous
R
Rizwan
1/6/2024 2:18:00 AM

very helpful

INDIA
Y
Yady
5/24/2023 10:40:00 PM

these questions look good.

SINGAPORE
K
Kettie
10/12/2023 1:18:00 AM

this is very helpful content

Anonymous
S
SB
7/21/2023 3:18:00 AM

please provide the dumps

UNITED STATES
AI Tutor 👋 I’m here to help!