Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Microsoft
  3. SC-100

Microsoft Cybersecurity Architect SC-100 Exam Questions in PDF

Free Microsoft SC-100 Dumps Questions (page: 7)

SC-100 PDF — 349 Questions

Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure subscription. The subscription contains an Azure SQL database named DB1 that stores customer data.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online, OneDrive, and Teams.

Users frequently create Microsoft Office documents that contain data from DB1.

You need to recommend a Microsoft Purview solution that meets the following requirements:

Identifies Office documents that contain customer addresses and phone numbers sourced from DB1 Generates an alert if a user downloads an above average number of files that contain data from DB1 Minimizes the number of false positives

What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Document fingerprinting
Identifies Office documents that contain customer addresses and phone numbers sourced from DB1

Document fingerprinting is a Microsoft Purview feature that takes a standard form that you provide and creates a sensitive information type (SIT) based on that form. Document fingerprinting makes it easier for you to protect sensitive information by identifying standard forms that are used throughout your organization.

Document fingerprinting includes the following benefits:
SITs created from document fingerprinting can be used as a detection method in DLP policies scoped to Exchange, SharePoint, OneDrive, Teams, and Devices.

Etc.

Box 2: Microsoft Purview insider risk management
Generates an alert if a user downloads an above average number of files that contain data from DB1

Microsoft Purview, Configure intelligent detections in insider risk management Use can use the Intelligent detections setting in Microsoft Purview Insider Risk Management to:

* Boost the score for unusual file download activities by entering a minimum number of daily events.

* Etc.

File activity detection
You can use this section to specify the number of daily events required to boost the risk score for download activity that's considered unusual for a user. For example, if you enter "25", if a user downloads 10 files on average over the previous 30 days, but a policy detects that they downloaded 20 files on one day, the score for that activity won't be boosted even though it's unusual for that user because the number of files they downloaded that day was less than 25.


Reference:

https://learn.microsoft.com/en-us/purview/sit-document-fingerprinting https://learn.microsoft.com/en-us/purview/insider-risk-management-settings-intelligent-detections




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You need to implement a DevSecOps strategy based on Microsoft Cloud Adoption Framework for Azure principles. The solution must meet the following requirements:

All pull requests must be enforced.


All deployments to production must be approved.


What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Protected branches
All pull requests must be enforced.

Azure Cloud Adoption Framework Ready, Automation
Platform automation design recommendation include:
Adopt a branching strategy for your team and set branch policies for branches that you want to protect. With branch policies, teams must use pull requests to make merge changes.

Incorrect:
* Environments

* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.

Box 2: Triggers
All deployments to production must be approved.

Depending on which branching strategy your team uses, changes to any important branch should trigger deployment to different environments. Once changes are approved and merged into main, the CD process deploys those changes to production. This code management system provides your team with a single source of truth for what is running in each environment.

Incorrect:
* Environments

* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/automation




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.

The company is designing an application that will have the architecture shown in the following exhibit.



You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:

Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.


Use Defender for Cloud to review alerts from the virtual machines.


What should you include in the solution? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Data connectors
Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel.

Launch a WAF workbook (see step 7 below)
The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource.

To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:

1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped)
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel under Configuration select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously. A working WAF workbook should now exist for your WAF resources.

Box 2: The Azure Diagnostics extension
Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources including virtual machines.

Comparison to Log Analytics agent
The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You can choose to use either or both depending on your requirements.

The key differences to consider are:

* Azure Diagnostics Extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.

* Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only) and Azure Event Hubs. The Log Analytics agent collects data to Azure Monitor Logs.

*-> The Log Analytics agent is required for retired solutions, VM insights, and other services such as Microsoft Defender for Cloud.

Note: The Log Analytics agent is a better answer, but that option is not available in this version of the question.


Reference:

https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have a Microsoft Entra tenant named contoso.com. You have 30 Azure subscriptions that are linked to contoso.com. The tenant contains the management groups shown in the following table.



You need to design a governance solution to manage access to all the Azure Storage accounts across the subscriptions. The solution must meet the following requirements:

Use custom role-based access control (RBAC) to provide granular access to control plane and data plane operations.
Minimize administrative effort.


At which scope should you assign the roles, and what is the minimum number of assignments per role? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: ..Mgmt1 AND .. Mgmt2
Scope

For Microsoft Entra's two management groups, the appropriate scope for assigning roles is the management group level itself. This is because management groups are designed to be a broader scope for managing access and policies across multiple subscriptions.

Box 2: 2
Minimum number of assignments

Note:
Broadest Scope:
Management groups are the broadest scope in Azure, encompassing multiple subscriptions.

Inheritance:

Role assignments at the management group level apply to all subscriptions within that group.

Centralized Governance:
This allows you to apply policies and RBAC configurations centrally, rather than individually to each subscription.

Organization:
Management groups help organize subscriptions based on business units, teams, or functional areas.

RBAC:
The scope of a role assignment dictates where it applies, with management group level offering a wide scope for granting access.

Custom Roles:
You can create custom roles that are scoped to the management group, allowing for fine-grained access control at a broader level.


Reference:

https://learn.microsoft.com/en-us/azure/governance/management-groups/overview




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 hosts a Windows node pool named Pool1 and a Linux node pool named Pool2.

You are designing a pool update strategy for AKS1.

You need to recommend how often to replace the operating system images deployed to the nodes. The solution must meet the following requirements:

Minimize how long it takes to apply operating system updates once the updates are released.


Minimize administrative effort.


What should you recommend for each pool? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Monthly
Pool1 - Windows node pool named Pool1

Windows supports monthly node image version upgrades.

Box 2: Weekly
Pool2 - a Linux node pool named Pool2.

Linux supports weekly node image version upgrades.

Note: Azure Kubernetes Service patch and upgrade guidance
This section of the Azure Kubernetes Service (AKS) day-2 operations guide describes patching and upgrading strategies for AKS worker nodes and Kubernetes versions. As a cluster operator, you need to have a plan for keeping your clusters up to date and monitoring Kubernetes API changes and deprecations over time.

Background and types of updates
There are three types of updates for AKS, and each one builds on the previous update:


Reference:

https://learn.microsoft.com/en-us/azure/architecture/operator-guides/aks/aks-upgrade-practices




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure subscription that contains multiple apps. The apps are deployed by using continuous integration and continuous delivery (CI/CD) pipelines in Azure DevOps.

You need to integrate static application security testing (SAST) and security smoke testing into the pipelines based on Microsoft Cloud Adoption Framework for Azure principles.

At which stage of the CI/CID process should each type of test be integrated? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Commit the code
Static application security testing (SAST)

Static application security testing is under the commit the code.

Box 2: Build and test
Security smoke testing

In DevOps, security smoke testing refers to a quick, preliminary check of a software application's security posture after a new build or code change. It's designed to identify major security flaws early in the DevOps pipeline, preventing the deployment of a build with critical vulnerabilities and saving time and resources on deeper, more comprehensive security testing.


Reference:

https://www.infracloud.io/blogs/implement-devsecops-secure-ci-cd-pipeline/




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure subscription that contains Azure App Service apps. The apps have the following characteristics:

The apps are deployed by using continuous integration and continuous deployment (CI/CD) pipelines in


Azure DevOps.
The apps are deployed to a test environment first, and then to a production environment.


The source code for the apps is stored in Azure Repos.


You plan to implement DevSecOps controls based on the Microsoft Cloud Adoption Framework for Azure.

You need to recommend testing controls to meet the following requirements:

All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.


Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.


Which testing method should you recommend for each stage? To answer, select the options in the answer area.

Note: Each correct answer is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Static application security testing (SAST
Pre-deployment
All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.

SAST (Static Application Security Testing) SAST tools analyze source code or bytecode early in the pipeline to identify security flaws before deployment. They provide deep insights into insecure coding patterns and vulnerabilities by scanning code syntax and data flows without executing the program.

DS-4: Integrate static application security testing into DevOps pipeline Security Principle: Ensure static application security testing (SAST) is part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from committing into the repository, building into the packages, or deploying into the production.

Azure Guidance: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate tools below and third-party SAST tools into the workflow.

Box 2: Dynamic Application Security Testing (DAST)
Post-deployment to the test environment
Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.

Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front- end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the "outside in" by attacking an application like a malicious user would. After a DAST scanner performs these attacks, it looks for results that are not part of the expected result set and identifies security vulnerabilities.

DS-5: Integrate dynamic application security testing into DevOps pipeline Security Principle: Ensure dynamic application security testing (DAST) are part of the gating controls in the CI/ CD workflow. The gating can be set based on the testing results to prevent vulnerability from building into the packages or deploying into the production.

Azure Guidance: Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in the Azure DevOps or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST.

Azure DevOps Pipeline or GitHub supports the integrate of third-party DAST tools into the CI/CD workflow.

Incorrect:
* Security smoke testing
In DevOps, security smoke testing refers to a quick, preliminary check of a software application's security posture after a new build or code change. It's designed to identify major security flaws early in the DevOps pipeline, preventing the deployment of a build with critical vulnerabilities and saving time and resources on deeper, more comprehensive security testing.

* Security acceptance testing
In DevOps, Security Acceptance Testing is the process of verifying that a system or application meets established security requirements and standards before it's deployed to a production environment. It's a critical phase that ensures the system is robust enough to withstand potential security threats and prevent data breaches or other security incidents. This testing is often done in a production-like environment to simulate real-world conditions and identify vulnerabilities that could be exploited.


Reference:

https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-devops-security




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You are developing a DevSecOps strategy.

You need to apply DevSecOps controls for the secure code stage and the secure operations stage. The solution must be based on Microsoft Cloud Adoption Framework for Azure principles.

What should you apply for each stage? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: App access controls
Secure code

Integrating application access controls into the code itself during the secure code stage of DevSecOps is a recommended practice to prevent unauthorized access to features and sensitive data within an application. Developers should define roles, assign permissions based on those roles, enforce strong password policies, and regularly test these controls to ensure they are effective at protecting the application's integrity and data throughout the software development life cycle.

Note: In DevSecOps, the Secure Code Stage involves integrating security practices and automated tools into the coding process to prevent vulnerabilities from entering the codebase. Key activities include implementing secure coding standards, performing static code analysis (SAST) to find flaws, using software composition analysis (SCA) for dependencies, and performing secret scanning to catch hardcoded credentials. This stage aims to catch security issues early in the development lifecycle, reducing costs and risks.

Box 2: A secure pipeline
Secure operations

Using a secure pipeline is a core recommendation in the Secure Operations stage of DevSecOps, as it integrates automated security checks throughout the entire software development lifecycle (SDLC). This automated approach allows for early detection and remediation of vulnerabilities, fosters collaboration between development, operations, and security teams, and helps ensure that secure, high-quality software is delivered faster and more reliably.


Reference:

https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-permissions https://www.wiz.io/academy/devsecops-pipeline-best-practices



Viewing page 7 of 44

Share your comments for Microsoft SC-100 exam with other users:

P
P
1/6/2024 11:22:00 AM

good matter

Anonymous
S
surya
7/30/2023 2:02:00 PM

please upload c_sacp_2308

CANADA
S
Sasuke
7/11/2023 10:30:00 PM

please upload the dump. thanks very much !!

Anonymous
V
V
7/4/2023 8:57:00 AM

good questions

UNITED STATES
T
TTB
8/22/2023 5:30:00 AM

hi, could you please update the latest dump version

Anonymous
T
T
7/28/2023 9:06:00 PM

this question is keep repeat : you are developing a sales application that will contain several azure cloud services and handle different components of a transaction. different cloud services will process customer orders, billing, payment, inventory, and shipping. you need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using xml messages. what should you include in the recommendation?

NEW ZEALAND
G
Gurgaon
9/28/2023 4:35:00 AM

great questions

UNITED STATES
W
wasif
10/11/2023 2:22:00 AM

its realy good

UNITED ARAB EMIRATES
S
Shubhra Rathi
8/26/2023 1:12:00 PM

oracle 1z0-1059-22 dumps

Anonymous
L
Leo
7/29/2023 8:48:00 AM

please share me the pdf..

INDIA
A
AbedRabbou Alaqabna
12/18/2023 3:10:00 AM

q50: which two functions can be used by an end user when pivoting an interactive report? the correct answer is a, c because we do not have rank in the function pivoting you can check in the apex app

GREECE
R
Rohan Limaye
12/30/2023 8:52:00 AM

best to practice

Anonymous
A
Aparajeeta
10/13/2023 2:42:00 PM

so far it is good

Anonymous
V
Vgf
7/20/2023 3:59:00 PM

please provide me the dump

Anonymous
D
Deno
10/25/2023 1:14:00 AM

i failed the cisa exam today. but i have found all the questions that were on the exam to be on this site.

Anonymous
C
CiscoStudent
11/15/2023 5:29:00 AM

in question 272 the right answer states that an autonomous acces point is "configured and managed by the wlc" but this is not what i have learned in my ccna course. is this a mistake? i understand that lightweight aps are managed by wlc while autonomous work as standalones on the wlan.

Anonymous
P
pankaj
9/28/2023 4:36:00 AM

it was helpful

Anonymous
U
User123
10/8/2023 9:59:00 AM

good question

UNITED STATES
V
vinay
9/4/2023 10:23:00 AM

really nice

Anonymous
U
Usman
8/28/2023 10:07:00 AM

please i need dumps for isc2 cybersecuity

Anonymous
Q
Q44
7/30/2023 11:50:00 AM

ans is coldline i think

UNITED STATES
A
Anuj
12/21/2023 1:30:00 PM

very helpful

Anonymous
G
Giri
9/13/2023 10:31:00 PM

can you please provide dumps so that it helps me more

UNITED STATES
A
Aaron
2/8/2023 12:10:00 AM

thank you for providing me with the updated question and answers. this version has all the questions from the exam. i just saw them in my exam this morning. i passed my exam today.

SOUTH AFRICA
S
Sarwar
12/21/2023 4:54:00 PM

how i can see exam questions?

CANADA
C
Chengchaone
9/11/2023 10:22:00 AM

can you please upload please?

Anonymous
M
Mouli
9/2/2023 7:02:00 AM

question 75: option c is correct answer

Anonymous
J
JugHead
9/27/2023 2:40:00 PM

please add this exam

Anonymous
S
sushant
6/28/2023 4:38:00 AM

please upoad

EUROPEAN UNION
J
John
8/7/2023 12:09:00 AM

has anyone recently attended safe 6.0 certification? is it the samq question from here.

Anonymous
B
Blessious Phiri
8/14/2023 3:49:00 PM

expository experience

Anonymous
C
concerned citizen
12/29/2023 11:31:00 AM

52 should be b&c. controller failure has nothing to do with this type of issue. degraded state tells us its a raid issue, and if the os is missing then the bootable device isnt found. the only other consideration could be data loss but thats somewhat broad whereas b&c show understanding of the specific issues the question is asking about.

UNITED STATES
D
deedee
12/23/2023 5:10:00 PM

great help!!!

UNITED STATES
S
Samir
8/1/2023 3:07:00 PM

very useful tools

UNITED STATES
AI Tutor 👋 I’m here to help!