Microsoft Cybersecurity Architect SC-100 Exam Questions in PDF

Free Microsoft SC-100 Dumps Questions (page: 8)


Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace

An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud

A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam. Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.
Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.

ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.
Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

DRAG DROP

You have an Azure environment that contains multiple workloads deployed across multiple subscriptions.

You need to recommend a solution to assess and improve the security posture of the workloads. The solution must meet the following requirements:

Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.
Use the Azure Well-Architected Framework to secure individual workloads.

What should you include in the recommendation for each requirement? To answer, drag the appropriate recommendations to the correct requirements. Each recommendation may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Microsoft Defender for Cloud
Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.

To evaluate compliance with cloud governance policies in Azure when following the Microsoft Cloud Adoption Framework (CAF), use Azure Policy together with Microsoft Defender for Cloud. Azure Policy enforces your defined rules on resources and provides a compliance dashboard, while Defender for Cloud gives a unified view of security posture and recommendations, including the regulatory compliance standards (which are themselves Azure Policy initiatives) needed to meet compliance requirements.

Enhance with Microsoft Defender for Cloud:
Use Defender for Cloud to gain a unified view of security posture across your workloads. It provides actionable recommendations to fix security issues, helping to improve your compliance with security standards and regulations.

Box 2: Microsoft Defender Vulnerability Management
Use the Azure Well-Architected Framework to secure individual workloads.

Microsoft Defender Vulnerability Management, integrated into Microsoft Defender for Cloud through the Defender for Servers plan, secures workloads on Azure by identifying, prioritizing, and helping to remediate vulnerabilities, which maps directly to the Security pillar of the Azure Well-Architected Framework. The framework supplies the holistic guidance; Defender Vulnerability Management is the practical tool for applying that guidance to individual workloads and critical assets.
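As an added example that is not part of the original question or of Microsoft's documentation: a subscription-scoped Bicep file that wires up the two pieces the explanation names, Defender for Cloud (the Defender for Servers plan, the Defender for Azure SQL plan and an alert contact) and an Azure Policy initiative assignment whose results appear on the compliance dashboard and in Defender for Cloud's regulatory compliance view. The initiative ID, the contact mailbox and the excluded resource group are parameters and assumptions; the exclusion mirrors the case study's requirement that TestRG stay out of the HIPAA HITRUST assessment.

```bicep
// Added example, not from the exam page. Deploy with:
//   az deployment sub create --location eastus --template-file posture.bicep \
//     --parameters policySetDefinitionId=<initiative resource id>
targetScope = 'subscription'

@description('Resource ID of the built-in initiative to assess against (for HIPAA HITRUST, look up the initiative whose display name is HITRUST/HIPAA with az policy set-definition list).')
param policySetDefinitionId string

@description('Semicolon-separated mailboxes for Defender for Cloud alerts (assumed value).')
param securityContactEmails string = 'secops@fabrikam.example'

@description('Resource group to leave out of the compliance assessment.')
param excludedResourceGroup string = 'TestRG'

// Defender for Servers plan 2 on the whole subscription. P2 includes Defender
// Vulnerability Management, which is what clears "Machines should have a
// vulnerability assessment solution" once the VMs are onboarded.
resource defenderForServers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}

// Defender for Azure SQL covers ClaimsDB (this plan has no sub-plan).
resource defenderForSql 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'SqlServers'
  properties: {
    pricingTier: 'Standard'
  }
}

// Who gets told: an explicit mailbox plus the subscription Owners, high severity only.
resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: securityContactEmails
    alertNotifications: {
      state: 'On'
      minimalSeverity: 'High'
    }
    notificationsByRole: {
      state: 'On'
      roles: [
        'Owner'
      ]
    }
  }
}

// Initiative assignment. The system-assigned identity is needed because
// compliance initiatives contain deployIfNotExists/modify policies; it must
// still be granted a role (usually Contributor at this scope) before remediation
// tasks can run. notScopes keeps TestRG out of the assessment.
resource complianceAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'compliance-baseline'
  location: deployment().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Regulatory compliance baseline'
    policyDefinitionId: policySetDefinitionId
    enforcementMode: 'Default'
    notScopes: [
      '${subscription().id}/resourceGroups/${excludedResourceGroup}'
    ]
  }
}

output assignmentId string = complianceAssignment.id
```

The assignment's `enforcementMode` is `Default`, so any deny-effect policies in the initiative are active immediately; set it to `DoNotEnforce` first if you only want the compliance dashboard populated while the findings are triaged. Compliance results take a policy evaluation cycle to appear, so trigger one with `az policy state trigger-scan` after deployment rather than waiting.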


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/govern-org-compliance




You are designing a ransomware mitigation strategy.

You perform a ransomware risk assessment and identify business-critical assets.

You need to recommend a solution to mitigate ransomware threats. The solution must follow Microsoft security best practices.

Which two actions should you include in the recommendation? Each correct answer presents a complete solution.

Note: Each correct answer is worth one point.

  1. Enable firewall logging for auditing, without restricting inbound or outbound traffic.
  2. Use extended patching cycles to reduce the risk of update-related service disruptions.
  3. Implement immutable, offline backups that have restricted access and test restore procedures regularly.
  4. Deploy Privileged Identity Management (PIM) that uses just-in-time (JIT) access and approval workflows.

Answer(s): C,D

Explanation:

[C]
Prepare for a recovery
Assume that a breach can happen and plan how to restore operations without paying a ransom.
- Implement a robust backup strategy: use Azure Backup to back up critical data and systems (VMs, SQL databases, file shares) automatically on a regular schedule.
- Protect the backups: keep them isolated from production environments and protected from deletion or tampering by using:
  - Immutable storage: store business-critical data in Write Once, Read Many (WORM) storage, which cannot be modified or deleted until its retention period expires.
  - Soft delete: retain deleted backup data for an additional 14 to 180 days, so that it can be recovered even if an attacker deletes the primary backup.
  - Multi-user authorization (MUA): enforce MUA with a separate Resource Guard so that critical operations, such as disabling soft delete, require a second approval; a single compromised account can no longer carry them out.
  - Offline copies: follow the 3-2-1 rule: three copies of important files, on two different media types, with one copy offsite or offline.
- Test restore procedures regularly: a backup that has never been restored is not a recovery plan.
[D]
Limit the scope of damage (Zero Trust principles)
Minimize an attacker's ability to move laterally and reach critical systems after initial access by adopting a Zero Trust strategy.
- Enforce strong identity and access controls:
  - Multi-factor authentication (MFA): mandate MFA for all users, especially administrators; Microsoft reports that it blocks more than 99.9% of account compromise attacks.
  - Principle of least privilege: use Azure role-based access control (RBAC) to grant users and applications only the permissions they need for specific tasks.
  - Privileged Identity Management (PIM): use PIM to provide time-bound, approval-based just-in-time (JIT) access to privileged roles, minimizing the window in which stolen high-privilege credentials can be misused.
- Segment the network: isolate critical resources in separate virtual networks and use network security groups (NSGs) or Azure Firewall to restrict inbound and outbound traffic to what operations require.
- Secure management access: avoid public RDP/SSH. Use Azure Bastion to connect to VMs over TLS without exposing public IP addresses.
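As an added example that is not part of the original explanation or of the referenced blog post, the "Prepare for a recovery" controls above expressed as a Bicep deployment of a Recovery Services vault: immutability that can be locked, soft delete with a 30-day window, geo-redundant storage for the offsite copy, the Resource Guard link that enforces multi-user authorization, and a daily VM backup policy. The vault and guard names and the schedule are assumptions; the Resource Guard is created beside the vault only for brevity, because in practice it belongs in a subscription or tenant that the backup administrators cannot modify.

```bicep
// Added example, not from the exam page. Resource-group scoped; deploy with
//   az deployment group create -g rg-backup-prod --template-file vault.bicep
param location string = resourceGroup().location
param vaultName string = 'rsv-claims-prod' // assumed name

@description('Unlocked can be reverted; Locked is permanent. Validate with Unlocked, then lock.')
@allowed([
  'Unlocked'
  'Locked'
])
param immutabilityState string = 'Unlocked'

@minValue(14)
@maxValue(180)
param softDeleteRetentionDays int = 30

// Resource Guard holds the approvals for critical vault operations. Assumption for
// this demo: created next to the vault. In production it lives in a subscription
// or tenant the backup admins cannot administer, otherwise MUA adds nothing.
resource guard 'Microsoft.DataProtection/resourceGuards@2023-05-01' = {
  name: 'guard-claims-backup'
  location: location
  properties: {
    vaultCriticalOperationExclusionList: [] // nothing exempt: every critical op needs approval
  }
}

resource vault 'Microsoft.RecoveryServices/vaults@2023-04-01' = {
  name: vaultName
  location: location
  sku: {
    name: 'RS0'
    tier: 'Standard'
  }
  properties: {
    publicNetworkAccess: 'Disabled' // management traffic over a private endpoint only
    redundancySettings: {
      standardTierStorageRedundancy: 'GeoRedundant' // second copy in the paired region
      crossRegionRestore: 'Enabled'
    }
    securitySettings: {
      immutabilitySettings: {
        state: immutabilityState // forbids deleting recovery points or shortening retention
      }
      softDeleteSettings: {
        softDeleteState: 'Enabled'
        softDeleteRetentionPeriodInDays: softDeleteRetentionDays
        enhancedSecurityState: 'Enabled' // also covers "stop backup and delete data"
      }
    }
  }
}

// Linking the guard means disabling soft delete, removing MUA or reducing retention
// requires a principal with rights on the guard, not merely on the vault.
resource guardProxy 'Microsoft.RecoveryServices/vaults/backupResourceGuardProxies@2023-04-01' = {
  parent: vault
  name: 'VaultProxy'
  properties: {
    resourceGuardResourceId: guard.id
  }
}

// Daily VM backup at 02:00 UTC retained 30 days: long enough to restore from before
// the attacker's dwell period, which usually precedes the encryption event by days.
resource vmPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2023-04-01' = {
  parent: vault
  name: 'vm-daily-30d'
  properties: {
    backupManagementType: 'AzureIaasVM'
    instantRpRetentionRangeInDays: 2
    timeZone: 'UTC'
    schedulePolicy: {
      schedulePolicyType: 'SimpleSchedulePolicy'
      scheduleRunFrequency: 'Daily'
      scheduleRunTimes: [
        '2024-01-01T02:00:00Z'
      ]
    }
    retentionPolicy: {
      retentionPolicyType: 'LongTermRetentionPolicy'
      dailySchedule: {
        retentionTimes: [
          '2024-01-01T02:00:00Z'
        ]
        retentionDuration: {
          count: 30
          durationType: 'Days'
        }
      }
    }
  }
}

output vaultId string = vault.id
```

Two operational points follow from this layout. Once `immutabilityState` is `Locked` nothing, including this template, can unlock it, so run a full restore drill against the `Unlocked` vault first and lock it only when the drill passes. And the 3-2-1 rule is only partly met here: geo-redundancy gives the offsite copy, but an offline copy still has to be exported to media or a store that shares no credentials with the production tenant.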


Reference:

https://www.microsoft.com/en-us/security/blog/2021/09/07/3-steps-to-prevent-and-recover-from-ransomware/




HOTSPOT

You are designing new Azure applications based on security best practices from the Microsoft Cloud Adoption Framework for Azure. Each application will be deployed to a dedicated and secure environment that will contain isolated instances of the following key Azure security resources:

Azure Key Vault

Virtual networks

An Azure subscription

Azure Policy assignments

Network security groups (NSGs)

Role-based access control (RBAC) assignments

You need to recommend which type of environment and which module to use to deploy the applications. The solution must use infrastructure as code (IaC) to deploy each application environment.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Landing zone
Environment type

A landing zone in the Microsoft Cloud Adoption Framework (CAF) for Azure is a dedicated environment that includes foundational infrastructure components to host applications and resources. It is designed to be secure, compliant, and scalable. The resources listed are core components and best practices for establishing an Azure landing zone:

Azure Key Vault: Used for secure storage and management of cryptographic keys, secrets, and certificates, a key aspect of secure landing zones.

Virtual networks: Provide the fundamental network infrastructure, allowing for secure and isolated connectivity within the Azure environment, often connected to a central hub network via peering in a landing zone architecture.

An Azure subscription: Landing zones are provisioned within one or more Azure subscriptions, which act as the primary boundary for governance and billing.

Azure Policy assignments: Used to enforce organizational standards and assess compliance at scale across the landing zone and its resources.

Network security groups (NSGs): Act as a virtual firewall to filter network traffic to and from Azure resources within the virtual networks of the landing zone.

Role-based access control (RBAC): Provides granular access management, ensuring users have only the necessary permissions within the landing zone environment.

Box 2: Azure Resource Manager (ARM) or Bicep
Module

Azure Bicep and Azure Resource Manager (ARM) templates are often preferred over Terraform by organizations that use only Azure, because of their native integration and lower operational overhead.

Terraform remains a leading choice for multi-cloud environments, but Bicep has specific advantages for managing resources such as Key Vault, virtual networks, and RBAC:

Key reasons for preferring Bicep/ARM
No state file to protect: Terraform keeps a .tfstate file, which must itself be secured (it can contain secrets) and locked for concurrent use. Bicep is stateless; the template is compared against what Azure Resource Manager already holds, so there is no state to corrupt and no remote state backend to operate.

Day-zero support: as a native Microsoft tool, Bicep can use new Azure resource types and API versions as soon as the resource provider publishes them. Terraform's AzureRM provider may lag until the new resource type or property is added to the provider.

Portal integration: existing resources can be exported from the Azure portal as ARM templates and decompiled to Bicep; there is no equivalent native export for Terraform.

Native security and governance: Bicep deployments go through Azure Resource Manager, which evaluates Azure Policy in a preflight check and rejects a deployment whose resources (NSGs, RBAC assignments, and so on) would violate a deny policy before anything is created. Terraform submits resources one at a time during apply, so a violation surfaces only when that resource's request is rejected, after earlier resources in the plan have already been created.
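An added example, not from the exam page or from Microsoft's landing-zone reference implementation: one resource-group-scoped Bicep module that stamps out the isolated per-application environment the question lists, minus the subscription itself, which is assumed to exist already (creating subscriptions is a management-group-scoped operation with a billing dependency). The names, address range, allowed regions and the developer group's object ID are assumptions; the NSG rule uses the AzureFrontDoor.Backend service tag because the case study fronts its applications with Front Door.

```bicep
// Added example, not from the exam page. Deploy once per application:
//   az group create -n rg-claimsapp-prod -l eastus
//   az deployment group create -g rg-claimsapp-prod --template-file appEnvironment.bicep \
//     --parameters appName=claimsapp developersGroupObjectId=<Entra group object id>
param appName string
param location string = resourceGroup().location
param vnetAddressPrefix string = '10.10.0.0/16' // assumed range
param developersGroupObjectId string // Entra security group, assumed to exist
param allowedLocations array = [ 'eastus', 'westeurope' ]

// Built-in IDs: Azure Policy "Allowed locations", the Reader role, Key Vault Secrets User.
var allowedLocationsPolicyId = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
var readerRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
var kvSecretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

// NSG: only Front Door backend ranges may reach 443. The default DenyAllInBound
// rule (priority 65500) still drops everything else arriving from the Internet.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-${appName}-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowFrontDoorHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-${appName}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetAddressPrefix ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: cidrSubnet(vnetAddressPrefix, 24, 0) // first /24 of the range
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}

// Key Vault: RBAC on the data plane (no access policies), purge protection so a
// compromised admin cannot permanently destroy secrets, and no public endpoint.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: take('kv${appName}${uniqueString(resourceGroup().id)}', 24)
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// RBAC: developers get Reader on the resource group and Secrets User on the vault
// only. Deterministic GUID names keep redeployments idempotent.
resource devReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, developersGroupObjectId, readerRoleId)
  properties: {
    roleDefinitionId: readerRoleId
    principalId: developersGroupObjectId
    principalType: 'Group'
  }
}

resource devSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, developersGroupObjectId, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: kvSecretsUserRoleId
    principalId: developersGroupObjectId
    principalType: 'Group'
  }
}

// Policy at this scope: a later resource outside the allowed regions fails in preflight.
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations-${appName}'
  properties: {
    displayName: 'Allowed locations for ${appName}'
    policyDefinitionId: allowedLocationsPolicyId
    parameters: { listOfAllowedLocations: { value: allowedLocations } }
  }
}

output keyVaultUri string = kv.properties.vaultUri
```

Because the vault has `publicNetworkAccess` disabled, the application reaches it only through a private endpoint in `snet-app` (not shown here); adding that endpoint and the App Service VNet integration is the next module in a real pipeline. The whole file is idempotent, so re-running it from Azure Pipelines on every change is safe and is also how drift (someone relaxing the NSG by hand) gets put back.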


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones
https://learn.microsoft.com/en-us/azure/developer/terraform/comparing-terraform-and-bicep




Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.

Overview
Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.

Existing Environment. On-premises Environment
The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.

Existing Environment. Azure Environment
Fabrikam has the following Azure resources:
A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace


An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.

Existing Environment. Partners
Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:
A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam

Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.

Existing Environment. Compliance Environment
Fabrikam deploys the following compliance environment:
Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.

Existing Environment. Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.

Requirements. ClaimsApp Deployment
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.


ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements. Application Development Requirements
Fabrikam identifies the following requirements for application development:
Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

Requirements. Security Requirements
Fabrikam identifies the following security requirements:
Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.
Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements. Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.

Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT

You plan to implement an Azure environment based on Microsoft Cloud Adoption Framework enterprise-scale landing zone architecture principles. The environment will host three apps that have the following characteristics:

Each app will have a development environment, a test environment, and a production environment.

Each environment will be managed by a separate team.

Each app will store its secrets in Azure Key Vault.
You need to recommend how many Azure subscriptions and key vaults to deploy to the application landing zones.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: 9 subscriptions

Based on the Microsoft Cloud Adoption Framework (CAF) enterprise-scale landing zone principles, specifically subscription democratization, nine subscriptions are required.

Application landing zones (9 subscriptions): according to CAF, a workload should have a dedicated application landing zone for each environment (development, test, and production) so that security, policy, and management are isolated per environment. 3 apps × 3 environments (dev, test, prod) = 9 subscriptions. Each team then has a clear management boundary, and the Key Vault secrets for each app/environment are isolated at the subscription level.

Box 2: 9 key vaults

Based on CAF enterprise-scale landing zone design principles, you require nine Azure Key Vaults.

Architecture calculation: 3 apps × 3 environments (development, test, production) = 9 key vaults.

Justification and design principles. The enterprise-scale architecture emphasizes the following principles for security and resource organization:

Environmental isolation: CAF recommends one Key Vault per application, per region, and per environment. Secrets are therefore never shared across development, test, and production, which limits the blast radius if one vault or one environment is compromised.

Subscription democratization: in an enterprise-scale landing zone, the subscription is the unit of management and isolation. Each environment (dev, test, prod) should reside in its own subscription to segregate the software development lifecycle (SDLC).

Separation of duties: because each environment is managed by a separate team, distinct vaults let you apply role-based access control (RBAC) per vault, so the dev team cannot read production secrets, in line with the principle of least privilege.

Security boundaries: a Key Vault is the scope at which access control, network restrictions, and audit logging are applied. Grouping secrets for multiple apps or environments in one vault widens the impact of a single compromised identity, because any principal with access to that vault can reach every application's secrets.
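The layout described above, as an added example that is not part of the exam page or of Microsoft's documentation: a PowerShell (Az module) script that provisions one vault per app and environment in the matching landing-zone subscription and scopes the managing team's RBAC to that vault only. The app names, the subscription naming scheme, the region, and the team group object IDs are assumptions; the script expects the nine subscriptions to exist already and the caller to be signed in with Connect-AzAccount.

```powershell
# Added example (not from the exam page or Microsoft docs): provision the nine
# per-app, per-environment Key Vaults and scope RBAC so each environment team
# only reaches its own vault. Assumes the nine application landing-zone
# subscriptions already exist and are named "<app>-<env>" (assumed naming),
# that Az.Accounts, Az.Resources and Az.KeyVault are installed, and that the
# caller is signed in with rights to create resources and role assignments.

$apps     = @('app1', 'app2', 'app3')     # assumed app names
$envs     = @('dev', 'test', 'prod')      # the three environments from the question
$location = 'eastus'                      # assumed region

# Assumed Entra group object IDs of the team that manages each environment.
$teamObjectId = @{
    dev  = '00000000-0000-0000-0000-000000000001'
    test = '00000000-0000-0000-0000-000000000002'
    prod = '00000000-0000-0000-0000-000000000003'
}

foreach ($app in $apps) {
    foreach ($env in $envs) {
        # Each app/environment pair lives in its own subscription (assumed name).
        $subscriptionName = "$app-$env"
        Set-AzContext -Subscription $subscriptionName | Out-Null

        $rgName    = "rg-$app-$env"
        $vaultName = "kv-$app-$env-eus"   # vault names are globally unique, 3-24 chars

        if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
            New-AzResourceGroup -Name $rgName -Location $location | Out-Null
        }

        # RBAC authorization instead of legacy access policies, plus soft delete
        # and purge protection so a compromised principal cannot destroy secrets.
        $vault = Get-AzKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue
        if (-not $vault) {
            $vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName `
                -Location $location -EnableRbacAuthorization -EnablePurgeProtection `
                -SoftDeleteRetentionInDays 90
        }

        # Only this environment's team manages secrets, and only in this vault.
        # The dev and test groups never receive a role on the prod vault.
        New-AzRoleAssignment -ObjectId $teamObjectId[$env] `
            -RoleDefinitionName 'Key Vault Secrets Officer' `
            -Scope $vault.ResourceId -ErrorAction SilentlyContinue | Out-Null

        Write-Host "Provisioned $vaultName in subscription $subscriptionName"
    }
}
```

The Get-* checks make the script safe to re-run. Grant each application's own managed identity Key Vault Secrets User on its vault in the same way, at vault scope rather than subscription scope; that is what keeps a compromised dev workload from reading prod secrets. Purge protection cannot be disabled once enabled, so keep that in mind for test vaults that are deleted and re-created often.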


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-principles





You have a Microsoft 365 subscription that contains a group named Group1. The subscription contains 1,000 Windows devices that are joined to a Microsoft Entra tenant and managed by using Microsoft Intune. All users sign in to the devices by using standard user accounts.

You plan to deploy a new app named App1 to the members of Group1. The Group1 members must have administrative rights to install new versions of App1.

You need to ensure that the Group1 members can install new versions of App1. The solution must follow the principles of Zero Trust.

What should you implement?

  1. Microsoft Entra Privileged Identity Management (PIM)
  2. Microsoft Intune Endpoint Privilege Management (EPM)
  3. Microsoft Local Administrator Password Solution (Microsoft LAPS)
  4. Microsoft Entra entitlement management

Answer(s): B

Explanation:

To let the members of Group1 install new versions of App1 while following Zero Trust principles, implement Microsoft Intune Endpoint Privilege Management (EPM).

Why EPM is the best solution:

Principle of least privilege: users keep signing in as standard users; EPM grants elevated rights only for specific, approved tasks or applications.

Just-in-time (JIT) elevation: the elevation is scoped to the installation itself rather than to a permanently privileged local account, and every elevation is recorded in the Intune elevation reports.

Granular control: elevation rules can be keyed on the file hash, the publisher certificate, or the file name, so only App1 and its approved versions can be installed with elevated rights. A hash rule pins one specific binary and must be updated for every new version; a publisher rule covers every future App1 version signed by the same vendor certificate.

Zero Trust alignment: every elevation request is verified explicitly, and the attack surface that comes with standing local administrator rights is removed.

Incorrect:
[Not A]
Microsoft Entra PIM: provides just-in-time activation of Entra directory roles, Azure resource roles, and group membership in the cloud; it does not elevate processes on a Windows device.
[Not C]
Microsoft LAPS: manages and rotates the password of a local administrator account. Handing that password to users would give them a full administrator session, the opposite of least privilege, and it does not let standard users elevate individual tasks within their own session.
[Not D]
Microsoft Entra entitlement management: governs access to groups, applications, and SharePoint sites through access packages; it does not control privilege on the local device.
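Preparing the inputs for such an elevation rule, as an added example that is not from the exam page or from Microsoft: a PowerShell script, run on an administrator's Windows workstation, that records the SHA-256 hash of a new App1 installer and exports the Authenticode signer certificate for a publisher-based rule. The installer path and output folder are assumptions, and App1 is the hypothetical app from the question.

```powershell
# Added example (not from the exam page or Microsoft docs): collect the two
# identifiers an Intune EPM elevation rule can key on, the SHA-256 file hash
# and the publisher (Authenticode signer) certificate, for a new App1 release.
# Assumes a Windows admin workstation with the PKI module (Export-Certificate)
# and an installer at the assumed path below.

param(
    [string]$InstallerPath = 'C:\Staging\App1\App1Setup.exe',   # assumed path
    [string]$OutDir        = 'C:\Staging\App1\epm'              # assumed output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. File hash: pins exactly this binary. A hash-only rule has to be updated
#    for every new App1 version, which is the failure mode to design around.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
"$hash  $(Split-Path $InstallerPath -Leaf)" |
    Set-Content -Path (Join-Path $OutDir 'App1Setup.sha256')

# 2. Publisher certificate: a publisher rule covers future versions signed by
#    the same vendor certificate, so users can install updates without a rule
#    change. Only build it from a signature that actually validates.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $InstallerPath is '$($sig.Status)'; refusing to build a publisher rule from an unsigned or untrusted binary."
}

$cerPath = Join-Path $OutDir 'App1Publisher.cer'
Export-Certificate -Cert $sig.SignerCertificate -FilePath $cerPath -Type CERT | Out-Null

# Record what the rule should be scoped to (file name plus publisher, and the
# hash for the current version) so the rule is as narrow as the requirement.
[pscustomobject]@{
    FileName            = Split-Path $InstallerPath -Leaf
    Sha256              = $hash
    PublisherSubject    = $sig.SignerCertificate.Subject
    PublisherThumbprint = $sig.SignerCertificate.Thumbprint
    PublisherNotAfter   = $sig.SignerCertificate.NotAfter
    CertificateFile     = $cerPath
} | Format-List
```

When creating the EPM rule in Intune, use the file name together with the exported .cer for the publisher and, for the current release, the hash, and prefer the user-confirmed elevation type so a member of Group1 must still acknowledge each elevation. Watch the certificate expiry: a publisher rule stops matching once the vendor re-signs with a new certificate.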


Reference:

https://learn.microsoft.com/en-us/intune/intune-service/protect/epm-overview





HOTSPOT

You need to recommend a solution to meet the AWS requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Defender for Cloud
For the AWS EC2 instances:

Scenario:
Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

* Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations. (This box.)
* Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Connecting ContosoAWS1 to Defender for Cloud through its AWS connector brings the EC2 instances into the recommendations list and into the secure score alongside the Azure resources in Sub1. Defender for Cloud's email notification settings, or a workflow automation that fires on new assessments, can then alert the Fabrikam security administrators when an EC2 instance is unhealthy against a recommendation.

Note: secure score in Defender for Cloud
The secure score in Microsoft Defender for Cloud helps you improve your cloud security posture. It aggregates security findings into a single score so that you can assess your current security situation at a glance. The higher the score, the lower the identified risk level.

View the secure score
The Defender for Cloud Overview dashboard shows the secure score for all of your environments, as a percentage value together with the underlying values.



Box 2: Microsoft Sentinel
For the AWS service logs:

Scenario:
Requirements. AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

* Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
* Ensure that the security administrators can query AWS service logs directly from the Azure environment. (This box.)

Use the Amazon Web Services (AWS) connectors to pull AWS service logs (for example CloudTrail, GuardDuty, VPC Flow Logs, and CloudWatch) into the existing Microsoft Sentinel workspace. Once ingested, the logs are queried with KQL like any other Sentinel table, so the administrators need no AWS console access.

Note: these connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between AWS and Microsoft Sentinel: an IAM role is created on the AWS side that grants Microsoft Sentinel permission to read your AWS logs. Scope that role to the log buckets or streams Sentinel needs and nothing more; it is a cross-cloud trust and deserves the same review as any other external principal.

Note: the AWS environment in scope is ContosoAWS1, the account Contoso uses to host test workloads for Fabrikam's applications (see Existing Environment. Partners).
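What the security administrators would actually run once the connector is ingesting logs, as an added example that is not from the exam page or Microsoft's documentation: a PowerShell script (Az.OperationalInsights and Az.Security) that queries the CloudTrail table in the Sentinel workspace for EC2 API failures and then lists the unhealthy Defender for Cloud assessments for the connected AWS account. The workspace ID, the failure threshold, and the string used to pick out AWS-connector assessments are assumptions.

```powershell
# Added example (not from the exam page or Microsoft docs): query AWS service
# logs from Azure via Sentinel and cross-check the Defender for Cloud findings.
# Assumes the Sentinel AWS (CloudTrail) connector is populating the AWSCloudTrail
# table, an authenticated Az session, and the assumed workspace ID below.

$workspaceId = '11111111-2222-3333-4444-555555555555'   # assumed Sentinel workspace (customer) ID

# Failed EC2 API calls in the last 24 hours, grouped by calling identity.
# A burst of AccessDenied from one principal is an early sign of a stolen
# developer credential being used to enumerate the account.
$kql = @'
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventSource == "ec2.amazonaws.com"
| where isnotempty(ErrorCode)
| summarize Failures = count(),
            Actions = make_set(EventName, 20),
            SourceIPs = make_set(SourceIpAddress, 10)
    by UserIdentityArn, ErrorCode
| where Failures >= 10
| order by Failures desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql `
    -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table UserIdentityArn, ErrorCode, Failures, Actions -AutoSize

# Defender for Cloud side: assessments for resources that came in through an
# AWS security connector carry "securityConnectors" in their resource ID
# (assumed filter). Unhealthy ones are what lower the secure score and should
# be the trigger for notifying the Fabrikam security administrators.
Get-AzSecurityAssessment |
    Where-Object { $_.Id -like '*securityConnectors*' -and $_.Status.Code -eq 'Unhealthy' } |
    Select-Object DisplayName, @{ n = 'Cause'; e = { $_.Status.Cause } }, Id |
    Format-Table -AutoSize
```

Both halves run from the Azure side only: the first needs Log Analytics Reader on the workspace, the second Security Reader on Sub1, and neither needs AWS credentials, which is the point of the requirement.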


Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws





HOTSPOT

You need to recommend a solution to meet the compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Workflow automation
To enforce compliance to the regulatory standard, create: a workflow automation in Defender for Cloud.

Scenario: Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. Defender for Cloud already assesses all the resources in Sub1 against the standard, but noncompliant resources are currently remediated manually.

Note: In Defender for Cloud, HIPAA HITRUST is a built-in regulatory compliance standard: an Azure Policy initiative whose controls (administrator and operator logs, audit logging, privilege management, and so on) are each backed by policy checks. Workflow automation runs a Logic App when a recommendation, a security alert, or a regulatory compliance assessment changes state, so the corrective action runs without an administrator acting on each finding. That is the "automatically remediate" part of the requirement; the assessment itself already exists.

Box 2: Update a policy assignment
To exclude TestRG from the compliance assessment: update the assignment of the HIPAA HITRUST initiative at the Sub1 scope and add the TestRG resource group as an exclusion.

Scenario: The virtual machines in TestRG must be excluded from the compliance assessment.

Note: Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases. When a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one.

By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed, or require that resources have a particular tag. A definition (and the initiative that groups definitions) says nothing about which resources it applies to. Scope is a property of the assignment: an assignment targets a management group, subscription, or resource group, is inherited by all child resources, and can carry exclusions (notScopes) that remove selected child scopes, such as a resource group, from evaluation. Excluding TestRG on the assignment leaves the definitions, and the standard's control mapping, untouched.

Incorrect:
* Not Modify an Azure policy definition
A definition has no scope, so there is nothing in it with which to exclude a resource group, and the built-in HIPAA HITRUST definitions are read-only. Rewriting the conditions so that they skip TestRG would require a custom copy of every affected definition and would change the result for every assignment that uses them.
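As an added illustration of the point above (example code written for this page, not Microsoft's or the exam's): a small evaluator for a subset of the Azure Policy language. The subscription ID, the resource inventory, and the tag-based rule are constructed; the real HIPAA HITRUST initiative is built in and read-only. The example evaluates one definition under two assignments of the same scope and shows that only the assignment with TestRG in notScopes stops the TestRG machine from being assessed, while the definition itself needs no change.

```python
"""Toy evaluator for a subset of the Azure Policy language.

Added example for this page (not Microsoft's or the exam's code). Everything
below is constructed: the subscription ID, the resource inventory, and the
tag-based rule. It shows that the definition carries the condition only, while
scope and exclusions (notScopes) are properties of the assignment.
"""
import re
from typing import Any

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

# Definition: audit VMs whose tag does not record the vulnerability-assessment
# tool. Illustrative only; the built-in HIPAA HITRUST rules differ and are read-only.
POLICY_DEFINITION = {
    "name": "audit-vm-vulnerability-assessment",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "tags['VulnerabilityAssessment']", "notEquals": "Qualys"},
        ]},
        "then": {"effect": "audit"},
    },
}

# Assignments: same scope (Sub1), with and without the TestRG exclusion.
ASSIGNMENT_WITH_EXCLUSION = {
    "name": "hipaa-hitrust-sub1", "scope": SUB,
    "notScopes": [f"{SUB}/resourceGroups/TestRG"],
}
ASSIGNMENT_WITHOUT_EXCLUSION = {"name": "hipaa-hitrust-sub1", "scope": SUB, "notScopes": []}

# Constructed inventory: two app-server VMs, one test VM, one SQL database.
RESOURCES = [
    {"id": f"{SUB}/resourceGroups/AppRG/providers/Microsoft.Compute/virtualMachines/app01",
     "type": "Microsoft.Compute/virtualMachines", "tags": {"VulnerabilityAssessment": "Qualys"}},
    {"id": f"{SUB}/resourceGroups/AppRG/providers/Microsoft.Compute/virtualMachines/app02",
     "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"id": f"{SUB}/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/test01",
     "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"id": f"{SUB}/resourceGroups/AppRG/providers/Microsoft.Sql/servers/sql01/databases/ClaimsDB",
     "type": "Microsoft.Sql/servers/databases", "tags": {}},
]

_TAG_ALIAS = re.compile(r"^tags\['([^']+)'\]$")


def resolve_field(resource: dict[str, Any], field: str) -> Any:
    """Resolve a field/alias: tags['x'] or a top-level property such as 'type'."""
    m = _TAG_ALIAS.match(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)


def _norm(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v  # string compares are case-insensitive


def evaluate_condition(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate a policyRule 'if' block (allOf/anyOf/not, equals/notEquals/in)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _norm(resolve_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(x) for x in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id: str, scope: str) -> bool:
    """True when resource_id is the scope itself or lies beneath it (TestRG2 is not under TestRG)."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate(definition: dict[str, Any], assignment: dict[str, Any],
             resources: list[dict[str, Any]]) -> dict[str, str]:
    """Map each resource id to Compliant / NonCompliant / NotEvaluated."""
    rule = definition["policyRule"]
    states: dict[str, str] = {}
    for r in resources:
        rid = r["id"]
        excluded = any(in_scope(rid, ns) for ns in assignment.get("notScopes", []))
        if not in_scope(rid, assignment["scope"]) or excluded:
            states[rid] = "NotEvaluated"      # never assessed, so never in the report
        elif evaluate_condition(rule["if"], r):
            states[rid] = "NonCompliant"      # audit effect: a matching 'if' is a finding
        else:
            states[rid] = "Compliant"
    return states


if __name__ == "__main__":
    for label, a in (("with notScopes", ASSIGNMENT_WITH_EXCLUSION),
                     ("without notScopes", ASSIGNMENT_WITHOUT_EXCLUSION)):
        print(label)
        for rid, st in evaluate(POLICY_DEFINITION, a, RESOURCES).items():
            print(f"  {st:13s} {rid.rsplit('/', 1)[-1]}")
```

Run it directly to print the per-resource state under both assignments: test01 is reported as non-compliant only when the exclusion is absent, and app01/app02/ClaimsDB are unaffected either way. The same separation holds in the real service: the Defender for Cloud regulatory compliance dashboard reads the results of the initiative assignment, so a resource group excluded there drops out of the HIPAA HITRUST assessment without a custom initiative.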


Reference:

https://www.blinkops.com/blog/azure-workflow-automation
https://k21academy.com/microsoft-azure/azure-rbac-vs-azure-policies-vs-azure-blueprints/




Case Study (Fabrikam, Inc.; the scenario is the same as the one above)

HOTSPOT

You need to recommend a solution to meet the AWS requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Microsoft Defender for servers
Scenario: Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.

Defender for Servers is one of the enhanced security features (plans) of Microsoft Defender for Cloud. It adds threat detection and advanced defenses to Windows and Linux machines in hybrid and multicloud environments, including AWS EC2 instances connected to Defender for Cloud through the AWS connector. Once the EC2 instances are onboarded, their findings appear as secure score recommendations in Defender for Cloud, which is where the notification to the security administrators is driven from (for example, through workflow automation).

Available Defender for Server plans
Defender for Servers offers a choice between two paid plans. Both include automatic onboarding for resources in Azure, AWS, and GCP.

Plan 1 includes the following benefits:
Automatic onboarding for resources in Azure, AWS, GCP
Microsoft threat and vulnerability management
Flexibility to use the Microsoft Defender for Cloud or Microsoft 365 Defender portal
A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, vulnerability assessment, and an automatic integration with Microsoft Defender for Cloud

Plan 2 includes everything in Plan 1 plus additional benefits.

Box 2: Microsoft Sentinel
Scenario: AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel. Once ingested, the logs sit in the Sentinel workspace that Fabrikam already has in Sub1 and can be queried there like any other table.

Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on the AWS side by creating an IAM role that gives Microsoft Sentinel permission to read your AWS logs.

Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws



Share your comments for Microsoft SC-100 exam with other users:

Roberto (11/27/2023 12:33:00 AM): Very interesting repository.
Nale (9/18/2023 1:51:00 PM): American history 1
Tanvi (9/27/2023 4:02:00 AM): Good level of questions.
Boopathy (8/17/2023 1:03:00 AM): I need this dump, kindly upload it.
s_123 (8/12/2023 4:28:00 PM): Do we need C# coding to be AZ-204 certified?
Blessious Phiri (8/15/2023 3:38:00 PM): Excellent topics covered.
Manasa (12/5/2023 3:15:00 AM): Are these really financial cloud questions and answers? Seems these are basic admin questions and answers.
Not Robot (5/14/2023 5:33:00 PM): Are these comments real?
kriah (9/4/2023 10:44:00 PM): Please upload the latest dumps.
ed (12/17/2023 1:41:00 PM): A company runs its workloads on premises. The company wants to forecast the cost of running a large application on AWS. Which AWS service or tool can the company use to obtain this information? Pricing Calculator ... the AWS Pricing Calculator is primarily used for estimating future costs.
Muru (12/29/2023 10:23:00 AM): Looks interesting.
Tech Lady (10/17/2023 12:36:00 PM): Thanks! That's amazing.
Mike (8/20/2023 5:12:00 PM): The exam dumps are helping me get a solid foundation on the practical techniques and practices needed to be successful in the auditing world.
Nobody (9/18/2023 6:35:00 PM): Q14 should be DMZ Server1 and notepad.exe. Why does Notepad have a 443 connection?
Muhammad Rawish Siddiqui (12/4/2023 12:17:00 PM): Question #108: the correct answers are business growth and risk reduction.
Emmah (7/29/2023 9:59:00 AM): Are these valid CHFI questions?
Mort (10/19/2023 7:09:00 PM): Question 162 should be DLP (B).
Eknath (10/4/2023 1:21:00 AM): Good exam questions.
Nizam (6/16/2023 7:29:00 AM): I have to say this is really close to the real exam. Passed my exam with this.
poran (11/20/2023 4:43:00 AM): Good analytics question.
Antony (11/23/2023 11:36:00 AM): This looks accurate.
Ethan (8/23/2023 12:52:00 AM): Question 46: the answer should be data "virtualization" (not visualization).
nSiva (9/22/2023 5:58:00 AM): It's useful.
Ranveer (7/26/2023 7:26:00 PM): Passed this exam 3 days ago. The PDF version and the Xengine App are quite useful.
Sanjay (8/15/2023 10:22:00 AM): Informative for me.
Tom (12/12/2023 8:53:00 PM): Question 134's answer should be "DLP".
Alex (11/7/2023 11:02:00 AM): In 72 the answer must be the [sys_user_has_role] table.
Finn (5/4/2023 10:21:00 PM): I appreciated the mix of multiple-choice and short answer questions. I passed my exam this morning.
AJ (7/13/2023 8:33:00 AM): Great to find this website, thanks.
Curtis Nakawaki (6/29/2023 9:11:00 PM): Examination questions seem to be relevant.
Umashankar Sharma (10/22/2023 9:39:00 AM): Planning to take the PSM test.
ED SHAW (7/31/2023 10:34:00 AM): Please allow us to download.
AD (7/22/2023 11:29:00 AM): Please provide dumps.
Ayyjayy (11/6/2023 7:29:00 AM): Is the answer to question 15 correct? I feel like the answer should be B.