Microsoft SC-100 Exam (page: 8)
Microsoft Cybersecurity Architect
Updated on: 25-Dec-2025

DRAG DROP (Drag and Drop is not supported)

You have an Azure environment that contains multiple workloads deployed across multiple subscriptions.

You need to recommend a solution to assess and improve the security posture of the workloads. The solution must meet the following requirements:

Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.
Use the Azure Well-Architected Framework to secure individual workloads.

What should you include in the recommendation for each requirement? To answer, drag the appropriate recommendations to the correct requirements. Each recommendation may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

Box 1: Microsoft Defender for Cloud
Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.

Microsoft Cloud Adoption Framework for Azure
To evaluate compliance with cloud governance policies in Azure when using the Microsoft Cloud Adoption Framework (CAF), you should use Azure Policy and Microsoft Defender for Cloud. Azure Policy enforces your defined rules on resources and provides a compliance dashboard, while Defender for Cloud offers a unified view of security and security recommendations to help meet compliance standards.

Enhance with Microsoft Defender for Cloud:
Use Defender for Cloud to gain a unified view of security posture across your workloads. It provides actionable recommendations to fix security issues, helping to improve your compliance with security standards and regulations.

Box 2: Microsoft Defender Vulnerability
Use the Azure Well-Architected Framework to secure individual workloads.

Microsoft Defender Vulnerability Management (a component of Microsoft Defender for Cloud) is used to secure workloads on Azure by identifying, prioritizing, and helping to remediate vulnerabilities, directly aligning with the Security pillar of the Azure Well-Architected Framework. The framework provides a holistic guidance structure, and Defender Vulnerability Management provides a practical tool for implementing security best practices to protect individual workloads and critical assets.


https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/govern-org-compliance




Case Study:


This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.


To start the case study:
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.


Overview

Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.


Existing Environment:
On-premises Environment

The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.


Existing Environment:
Azure Environment

Fabrikam has the following Azure resources:

A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace

An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.


Existing Environment:
Partners

Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:

A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam

Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.

The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.


Existing Environment:
Compliance Environment

Fabrikam deploys the following compliance environment:

Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.


Existing Environment:
Problem Statements

The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.

All the virtual machines must be compliant in Defender for Cloud.

Requirements:
ClaimsApp Deployment

Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:

ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.

ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements:
Application Development Requirements

Fabrikam identifies the following requirements for application development:

Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

Requirements:
Security Requirements

Fabrikam identifies the following security requirements:

Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.

Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements:
AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements:
Contoso Developers Requirements

Fabrikam identifies the following requirements for the Contoso developers:

Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.

Requirements:
Compliance Requirements

Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

HOTSPOT (Drag and Drop is not supported)

You need to recommend a solution to meet the AWS requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Defender for Cloud
For the AWS EC2 instances:

Scenario:
Requirements:
AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

*-> Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
* Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Note: Secure score in Defender for Cloud
The secure score in Microsoft Defender for Cloud can help you to improve your cloud security posture. The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is.

View the secure score
When you view the Defender for Cloud Overview dashboard, you can view the secure score for all of your environments. The dashboard shows the secure score as a percentage value and includes the underlying values.



Box 2: Microsoft Sentinel
For the AWS service logs:

Scenario:
Requirements:
AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

* Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
*-> Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel.

Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.

Note:

Existing Environment:
Partners

Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:

A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam


Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws




HOTSPOT (Drag and Drop is not supported)

You need to recommend a solution to meet the compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Workflow automation
To enforce compliance to the regulatory standard, create:

Scenario: Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard.

Note: Run a HIPAA HITRUST 9.2 Regulatory Compliance Report for Azure
In Azure, the HIPAA HITRUST 9.2 framework offers a comprehensive set of predefined compliance and security checks for the Health Insurance Portability and Accountability Act. These checks encompass various domains and controls, including administrator and operator logs, audit logging, privilege management, and more.

With the pre-built workflow below, you can generate 20 reports simultaneously, and have the results conveniently delivered via email.

Box 2: Modify an Azure policy definition
To exclude TestRG from the compliance assessment:

Scenario: The virtual machines in TestRG must be excluded from the compliance assessment.

Use a Policy definition to exclude the TestRG virtual machines from the Blueprint.

Note: Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases.
When a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one.

By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that resources have a particular tag. Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that resource group.


Incorrect:
* Not Update a policy assignment
A policy assignment assigns a Blueprint to a subscription. The scope is at the subscription level.

Note: Policy Assignments provide a means for applying policy to a subscription to which a blueprint is assigned. That said, the policy must be within the scope of the blueprint containing the policy. Parameters defined with a policy are assigned during blueprint creation or during blueprint assignment.


Reference:

https://www.blinkops.com/blog/azure-workflow-automation
https://k21academy.com/microsoft-azure/azure-rbac-vs-azure-policies-vs-azure-blueprints/




HOTSPOT (Drag and Drop is not supported)

You need to recommend a solution to meet the AWS requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Microsoft Defender for servers
Scenario: Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.

Defender for Servers is one of the enhanced security features available in Microsoft Defender for Cloud. You can use it to add threat detection and advanced defenses to your Windows and Linux machines that exist in hybrid and multicloud environments.

Available Defender for Server plans
Defender for Servers offers you a choice between two paid plans. Both include automatic onboarding for resources in Azure, AWS, GCP.



Plan 1 includes the following benefits:

Automatic onboarding for resources in Azure, AWS, GCP
Microsoft threat and vulnerability management
Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal
A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.

Plan 2 includes everything in Plan 1 plus some additional benefits.

Box 2: Microsoft Sentinel
Scenario: AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel.

Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.


Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws




Case Study:


This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.


To start the case study:
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs.
When you are ready to answer a question, click the Question button to return to the question.


Overview

Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.


Existing Environment:
On-premises Environment

The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.


Existing Environment:
Azure Environment

Fabrikam has the following Azure resources:

A Microsoft Entra tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com

A single Azure subscription named Sub1

A virtual network named Vnet1 in the East US Azure region

A virtual network named Vnet2 in the West Europe Azure region

An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled

A Microsoft Sentinel workspace

An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud
A resource group named TestRG that is used for testing purposes only

An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.


Existing Environment:
Partners

Fabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:

A Microsoft Entra tenant named contoso.onmicrosoft.com

An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam

Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.

The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.


Existing Environment:
Compliance Environment

Fabrikam deploys the following compliance environment:

Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.
Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

Qualys is used as the standard vulnerability assessment tool for servers.


Existing Environment:
Problem Statements

The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.

All the virtual machines must be compliant in Defender for Cloud.

Requirements:
ClaimsApp Deployment

Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:

ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

ClaimsApp will access data in ClaimsDB.

ClaimsDB must be accessible only from Azure virtual networks.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Requirements:
Application Development Requirements

Fabrikam identifies the following requirements for application development:

Azure DevTest labs will be used by developers for testing.

All the application code must be stored in GitHub Enterprise.

Azure Pipelines will be used to manage application deployments.

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

Requirements:
Security Requirements

Fabrikam identifies the following security requirements:

Internet-accessible applications must prevent connections that originate in North Korea.

Only members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.

Administrators must connect to a secure host to perform any remote administration of the virtual machines.

The secure host must be provisioned from a custom operating system image.

Requirements:
AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Requirements:
Contoso Developers Requirements

Fabrikam identifies the following requirements for the Contoso developers:

Every month, the membership of the ContosoDevelopers group must be verified.

The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.

Requirements:
Compliance Requirements

Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.

You need to recommend a solution to resolve the virtual machine issue.

What should you include in the recommendation? Each correct answer presents a complete solution.

  1. Enable the Qualys scanner in Defender for Cloud.
  2. Onboard the virtual machines to Microsoft Defender for Endpoint.
  3. Create a device compliance policy in Microsoft Endpoint Manager.
  4. Onboard the virtual machines to Azure Arc.

Answer(s): A,B

Explanation:

(A) Enable vulnerability scanning with the integrated Qualys scanner
A core component of every cyber risk and security program is the identification and analysis of vulnerabilities.
Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.
When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the security recommendation: Machines should have a vulnerability assessment solution. Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines.
Deploying Microsoft Defender for Endpoint is a two-step process:
(B) Onboard devices to the service
Configure capabilities of the service
Scenario: 20 virtual machines (B, not D) that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud.

Existing Environment:
Problem Statements
The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.
All the virtual machines must be compliant in Defender for Cloud.


Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm





You need to recommend a solution to meet the security requirements for the virtual machines.

What should you include in the recommendation?

  1. just-in-time (JIT) VM access
  2. an Azure Bastion host
  3. Azure Virtual Desktop
  4. a network security group (NSG)

Answer(s): C





HOTSPOT (Drag and Drop is not supported)

You need to recommend a solution to meet the compliance requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: A blueprint
Scenario: Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard.

Microsoft releases automation for HIPAA/HITRUST compliance
I am excited to share our new Azure Security and Compliance Blueprint for HIPAA/HITRUST Health Data & AI. Microsoft's Azure Blueprints are resources to help build and launch cloud-powered applications that comply with stringent regulations and standards. Included in the blueprints are reference architectures, compliance guidance and deployment scripts.

An Azure Blueprint is a package for creating specific sets of standards and requirements that govern the implementation of Azure services, security, and design. Such packages are reusable so that consistency and compliance among resources can be maintained.


Incorrect:
* not Workflow automation
Workflow automation is an approach to making the flow of tasks, documents and information across work-related activities perform independently in accordance with defined business rules.

Box 2: Modify an Azure policy definition
Scenario: The virtual machines in TestRG must be excluded from the compliance assessment.

Use a Policy definition to exclude the TestRG virtual machines from the Blueprint.

Note: Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases.
When a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one.

By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that resources have a particular tag. Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that resource group.


Incorrect:
* Not Update a policy assignment
A policy assignment assigns a Blueprint to a subscription. The scope is at the subscription level.

Note: Policy Assignments provide a means for applying policy to a subscription to which a blueprint is assigned. That said, the policy must be within the scope of the blueprint containing the policy. Parameters defined with a policy are assigned during blueprint creation or during blueprint assignment.


Reference:

https://azure.microsoft.com/en-us/blog/microsoft-releases-automation-for-hipaa-hitrust-compliance/
https://cloudacademy.com/blog/what-are-azure-blueprints/
https://k21academy.com/microsoft-azure/azure-rbac-vs-azure-policies-vs-azure-blueprints/




Case Study:




Overview

Litware, Inc. is a financial services company that has main offices in New York and San Francisco. Litware has 30 branch offices and remote employees across the United States. The remote employees connect to the main offices by using a VPN.

Litware has grown significantly during the last two years due to mergers and acquisitions. The acquisitions include several companies based in France.

Existing Environment

Litware has a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) forest named litware.com and is linked to 20 Azure subscriptions. Microsoft Entra Connect is used to implement pass-through authentication. Password hash synchronization is disabled, and password writeback is enabled.
All Litware users have Microsoft 365 E5 licenses.

The environment also includes several AD DS forests, Microsoft Entra tenants, and hundreds of Azure subscriptions that belong to the subsidiaries of Litware.

Requirements:
Planned Changes

Litware plans to implement the following changes:

Create a management group hierarchy for each Microsoft Entra tenant.

Design a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.

Implement Microsoft Entra Application Proxy to provide secure access to internal applications that are currently accessed by using the VPN.

Requirements:
Business Requirements

Litware identifies the following business requirements:

Minimize any additional on-premises infrastructure.

Minimize the operational costs associated with administrative overhead.

Requirements:
Hybrid Requirements

Litware identifies the following hybrid cloud requirements:

Enable the management of on-premises resources from Azure, including the following:

- Use Azure Policy for enforcement and compliance evaluation.
- Provide change tracking and asset inventory.
- Implement patch management.
Provide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.

Requirements:
Microsoft Sentinel Requirements

Litware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft Sentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.

Requirements:
Identity Requirements

Litware identifies the following identity requirements:

Detect brute force attacks that directly target AD DS user accounts.

Implement leaked credential detection in the Microsoft Entra tenant of Litware.

Prevent AD DS user accounts from being locked out by brute force attacks that target Microsoft Entra user accounts.
Implement delegated management of users and groups in the Microsoft Entra tenant of Litware, including support for:
- The management of group properties, membership, and licensing
- The management of user properties, passwords, and licensing
- The delegation of user management based on business units

Requirements:
Regulatory Compliance Requirements

Litware identifies the following regulatory compliance requirements:

Ensure data residency compliance when collecting logs, telemetry, and data owned by each United States- and France-based subsidiary.
Leverage built-in Azure Policy definitions to evaluate regulatory compliance across the entire managed environment.
Use the principle of least privilege.

Requirements:
Azure Landing Zone Requirements

Litware identifies the following landing zone requirements:

Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.

Provide a secure score scoped to the landing zone.

Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.
Minimize the possibility of data exfiltration.

Maximize network bandwidth.

The landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:

Be created in a dedicated subscription.

Use a DNS namespace of litware.com.

Requirements:
Application Security Requirements

Litware identifies the following application security requirements:

Identify internal applications that will support single sign-on (SSO) by using Microsoft Entra Application Proxy.
Monitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.

HOTSPOT (Drag and Drop is not supported)

You need to recommend a solution to evaluate regulatory compliance across the entire managed environment. The solution must meet the regulatory compliance requirements and the business requirements.

What should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Azure Policy initiatives to management groups
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups; the governance conditions you apply cascade by inheritance to all associated subscriptions.

If you plan to apply a policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.


Incorrect:
Not: Azure Policy initiatives to subscriptions
Must use a management group as we have multiple subscriptions.

Scenario:
Requirements:
Business Requirements
Litware identifies the following business requirements:

· Minimize any additional on-premises infrastructure.
· Minimize the operational costs associated with administrative overhead.

Box 2: Azure Arc
With Azure Arc:

Meet governance and compliance standards for apps, infrastructure, and data with Azure Policy.

Take advantage of elastic scale, consistent on-premises and multicloud management, and cloud-style billing models.

Note: Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.


Reference:

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://azure.microsoft.com/en-us/services/azure-arc/#product-overview






Share your comments for Microsoft SC-100 exam with other users:

Sandhya 12/9/2023 12:57:00 AM

very good
Anonymous


Agathenta 12/16/2023 1:36:00 PM

q35 should be a
Anonymous


MD. SAIFUL ISLAM 6/22/2023 5:21:00 AM

sap c_ts450_2021
Anonymous


Satya 7/24/2023 3:18:00 AM

nice questions
UNITED STATES


sk 5/13/2023 2:10:00 AM

excellent material for understanding
INDIA


Gerard 6/29/2023 11:14:00 AM

good so far
Anonymous


Limbo 10/9/2023 3:08:00 AM

this is way too informative
BOTSWANA


Tejasree 8/26/2023 1:46:00 AM

very helpful
UNITED STATES


Yolostar Again 10/12/2023 3:02:00 PM

q.189 - answers are incorrect.
Anonymous


Shikha Bakra 9/10/2023 5:16:00 PM

awesome job in getting these questions
AUSTRALIA


Kevin 10/20/2023 2:01:00 AM

i can't find aws certified practitioner clf-c01 exam in aws website but i found aws certified practitioner clf-c02 exam. can everyone please verify the difference between the two clf-c01 and clf-c02? thank you
UNITED STATES


D Mario 6/19/2023 10:38:00 PM

grazie mille. i got a satisfactory mark in my exam test today because of this exam dumps. sorry for my english.
ITALY


Bharat Kumar Saraf 10/31/2023 4:36:00 AM

some of the answers are incorrect. need to be reviewed.
HONG KONG


JP 7/13/2023 12:21:00 PM

so far so good
Anonymous


Kiky V 8/8/2023 6:32:00 PM

i am really liking it
Anonymous


trying 7/28/2023 12:37:00 PM

thanks good stuff
UNITED STATES


exampei 10/4/2023 2:40:00 PM

need dump c_tadm_23
Anonymous


Eman Sawalha 6/10/2023 6:18:00 AM

next time i will write a full review
GREECE


johnpaul 11/15/2023 7:55:00 AM

first time using this site
ROMANIA


omiornil@gmail.com 7/25/2023 9:36:00 AM

please send me oracle 1z0-1105-22 pdf
BANGLADESH


John 8/29/2023 8:59:00 PM

very helpful
Anonymous


Kvana 9/28/2023 12:08:00 PM

good info about oml
UNITED STATES


Checo Lee 7/3/2023 5:45:00 PM

very useful to practice
UNITED STATES


dixitdnoh@gmail.com 8/27/2023 2:58:00 PM

this website is very helpful.
UNITED STATES


Sanjay 8/14/2023 8:07:00 AM

good content
INDIA


Blessious Phiri 8/12/2023 2:19:00 PM

so challenging
Anonymous


PAYAL 10/17/2023 7:14:00 AM

17 should be d, for more query it's scale out
Anonymous


Karthik 10/12/2023 10:51:00 AM

nice question
Anonymous


Godmode 5/7/2023 10:52:00 AM

yes.
NETHERLANDS


Bhuddhiman 7/30/2023 1:18:00 AM

good material
Anonymous


KJ 11/17/2023 3:50:00 PM

good practice exam
Anonymous


sowm 10/29/2023 2:44:00 PM

impressive question
Anonymous


CW 7/6/2023 7:06:00 PM

questions seem helpful
Anonymous


luke 9/26/2023 10:52:00 AM

good content
Anonymous