Hard SC-100 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 44 hard questions available — no sign-up, always free.
A financial services company is deploying autonomous AI agents and CI/CD workloads that run partly in Azure and partly in an external Kubernetes cluster hosted on another cloud. These agents must call Microsoft Graph and Azure-hosted APIs. Security leadership mandates that no long-lived client secrets or certificates be stored anywhere in the pipeline or the external cluster, and that each non-human identity be independently governable, auditable, and subject to Conditional Access. As the cybersecurity architect, which identity design best meets these requirements?
A retail company exposes several internal microservices through Azure API Management (APIM) to external partner applications. Security requirements state that: (1) every inbound request must present a valid OAuth 2.0 access token issued by Microsoft Entra ID before reaching any backend; (2) tokens must be rejected at the gateway if the audience or issuer is wrong; and (3) backend services must never be reachable directly, bypassing the gateway. The architect must design the APIM policy and network approach with the least custom code. Which combination BEST meets these requirements?
A financial services company is designing a business continuity and disaster recovery (BCDR) strategy to recover from a destructive ransomware attack that could encrypt both production workloads and the identity infrastructure. The security architect must define the recovery sequence to ensure that restored systems can be trusted and reconnected safely. Which recovery approach should the architect prioritize first in the restoration plan?
A financial services company uses Entra ID for workforce identity. The security architect must design an access policy that meets three requirements: (1) when a user's sign-in is scored high risk during an active session, access must be re-evaluated and revoked without waiting for token expiry; (2) tokens must be bound to the device that requested them so a stolen refresh token cannot be replayed from another device; and (3) users flagged as high user-risk must be forced to securely reset their password before regaining access. Which combination of Entra capabilities should the architect specify?
A financial services firm is deploying Microsoft 365 Copilot. During a pre-deployment readiness review, the security architect finds that many SharePoint sites containing confidential client portfolios have broad 'Everyone except external users' permissions, and much of the content is unlabeled. Leadership is concerned that Copilot could surface confidential data to employees who should not see it in generated responses. The architect must design a data-security control set that reduces oversharing risk without blocking Copilot entirely. Which approach best addresses the requirement?
A financial services company runs production workloads across Azure and AWS. Security architects need a Defender for Cloud design that: (1) applies the Microsoft Cloud Security Benchmark to both clouds, (2) provides agentless discovery of exposed secrets stored on VM disks and in container environments, and (3) flags a scored regulatory gap when a storage account or S3 bucket allows public network access. The team wants to minimize the number of Defender plans they must enable while still meeting all three requirements. Which combination of Defender for Cloud capabilities should they enable?
A retailer runs 400 Azure VMs across production and dev subscriptions. The security architect must design a posture solution that continuously assesses OS vulnerabilities and detects installed software risks without deploying or maintaining an agent on each VM, while keeping licensing cost minimal for the dev subscription that does not require runtime threat detection. Which design meets these requirements?
A retail company runs microservices on Azure Kubernetes Service (AKS) and pushes images to Azure Container Registry (ACR) through a CI/CD pipeline. Security architects require that vulnerable container images be identified before deployment and that images with critical, fixable vulnerabilities be blocked from being deployed into the cluster. They want to minimize custom tooling and rely on native Microsoft capabilities. Which combination of Defender for Cloud capabilities should the architects specify?
A retail company runs workloads across Azure, AWS, and on-premises data centers. The security architect must build a unified view that not only inventories internet-facing assets discovered from the outside (including forgotten domains and shadow IT) but also correlates those findings with internally known assets and their relationships to model realistic attack paths an adversary could traverse toward critical assets. The team wants to prioritize remediation based on how exposed critical assets truly are, combining external discovery with internal context. Which combination of Microsoft capabilities best meets these requirements?
A manufacturer builds smart building controllers that run a lightweight embedded Linux OS and communicate with an Azure IoT Hub over MQTT. The security architect must specify requirements so that each device reports its own security telemetry (open ports, baseline drift, suspicious processes) directly to the cloud, and so that firmware components with known CVEs are surfaced. The controllers have enough compute to run a small agent. Which approach best meets these requirements?
A manufacturing company operates several OT/ICS production sites that use PLCs and SCADA systems. Corporate security policy requires that raw operational network traffic never leave the plant floor and that no external internet connectivity be permitted from the OT VLANs. However, the central SOC team needs consolidated OT alerts correlated with IT signals in Microsoft Sentinel, and they want a single management console for sensor health and threat intelligence updates. Which Defender for IoT deployment approach best satisfies both requirements?
A financial services company runs Microsoft Defender XDR across endpoints, identities, and email. The SOC is overwhelmed by high-volume, low-complexity alerts (malware quarantines, phishing clicks) that consume analyst time on routine triage. Leadership demands that these repetitive containment actions occur automatically within seconds, but the SOC lead insists that any remediation touching domain controllers or Tier 0 assets must still require explicit analyst approval before execution. As the security architect, which approach to Defender XDR automated investigation and response (AIR) best satisfies both requirements?
A global enterprise is deploying autonomous AI agents built on Azure OpenAI and Copilot Studio to automate finance workflows. Each agent must call Microsoft Graph and internal APIs on its own behalf (no signed-in user), and the security architect must ensure the agents follow least-privilege, are individually attributable in audit logs, and can be revoked instantly if compromised. Human owners must periodically confirm each agent still needs its access. Which identity and governance design best meets these requirements?
A financial services company is deploying autonomous AI agents built on Azure that call internal APIs and Microsoft Graph on behalf of business workflows. The security architect must design a way to detect anomalous or compromised agent behavior—such as an agent suddenly requesting scopes far beyond its normal pattern or accessing resources at abnormal times—and feed high-fidelity signals into the SOC's Microsoft Sentinel workspace for correlation with human-identity incidents. Which design approach best meets these requirements?
A financial services company must comply with a regulation that mandates phishing-resistant multifactor authentication for all administrators. The security architect wants to standardize on Entra ID Conditional Access to enforce this requirement, while also allowing a small partner group to authenticate using the partner's own certified FIDO2 solution that Entra ID does not natively provide. The design must ensure that only phishing-resistant methods satisfy MFA for privileged operations. Which combination of capabilities should the architect include in the design?
A multinational manufacturer runs primary workloads in Azure with Entra ID as the corporate IdP. It is acquiring a subsidiary that already operates entirely on AWS and uses AWS IAM Identity Center (federated to its own Okta tenant) for all employee sign-ins. During the 18-month integration period, subsidiary staff must access several Azure-hosted line-of-business apps, while the parent company's engineers must access AWS management consoles. Leadership requires that each company continue managing its own employee lifecycle in its existing IdP, that no shadow accounts be created, and that Conditional Access policies from Entra ID be enforced for access to the Azure apps. Which identity design best meets these requirements?
A multinational logistics company hires thousands of seasonal contract drivers each year through third-party staffing agencies. The security architect wants to reduce onboarding friction and manual identity-proofing while ensuring that each driver's professional credentials (commercial license validity, safety certification) can be cryptographically verified before the driver is granted access to the fleet-management app. Verification must not require the company to store copies of the underlying documents, and drivers should be able to present the same proof to partner carriers without re-verification. Which Microsoft Entra capability should the architect design into the onboarding flow?
A financial services company runs dozens of automated batch jobs and CI/CD pipelines in Azure that authenticate to APIs using Entra ID service principals with client secrets. A security review finds that many secrets have never been rotated, some are stored in code repositories, and there is no visibility into which service principals are risky or unused. The architect must design an identity governance approach for these non-human (workload) identities that reduces credential exposure and provides continuous risk detection. Which combination best meets these goals?
A financial services company allows employees to access a line-of-business web application containing customer PII from unmanaged personal laptops and mobile devices. Security requires that data displayed in the app cannot be saved locally, copied to unmanaged apps, or printed, while avoiding full device enrollment to respect employee privacy on personal hardware. The application is accessed exclusively through a browser. Which solution best meets these requirements?
A financial services company is deploying Microsoft 365 Copilot to boost employee productivity. During pre-deployment testing, the security architect discovers that Copilot can surface sensitive documents (containing PII and financial records) to users who technically have SharePoint access but should not view them, due to years of accumulated permission sprawl and broad sharing links. Leadership wants to proceed with deployment but demands that Copilot not become a vector for data oversharing. Following Microsoft Cybersecurity Reference Architecture (MCRA) guidance for secure AI adoption, which approach should the architect prioritize FIRST?
A financial services company has just recovered from a ransomware incident where attackers compromised a domain admin account through credential theft. The CISO wants to follow Microsoft's guidance to systematically reduce privileged access risk. She asks the security architect which framework and initial focus to adopt to prioritize the fastest reduction in privileged access attack surface. Which recommendation best aligns with the Microsoft Cybersecurity Reference Architectures (MCRA)?
A financial services company is deploying an Azure landing zone using the Cloud Adoption Framework enterprise-scale architecture. During a tabletop ransomware exercise, the security team discovers that domain administrators use the same workstations for email, web browsing, and administering both on-premises Active Directory and Azure privileged roles. The CISO wants to prioritize privileged access hardening as the first control to reduce the blast radius of a credential-theft attack. Following Microsoft's Enterprise Access Model and MCRA guidance, which approach should you recommend?
A financial services organization must satisfy a regulatory requirement that all administrative and user activity across Microsoft 365 be retained for one year and be programmatically retrievable by their in-house forensic tooling. The security architect wants a supported, forward-looking design that avoids deprecated interfaces and ensures the retention duration meets the regulator's mandate without extra licensing beyond E5. Which design should the architect recommend?
A financial services firm must detect and act on insider threats where employees exfiltrate sensitive client data before resigning. Compliance requires that risky user behavior (mass downloads, data staged to USB or personal cloud) automatically raise the user's risk level, and that separately, offensive or harassing internal communications be reviewed by a designated reviewer group with segregation from IT admins. The architect must design a solution using Microsoft Purview that links behavioral risk signals to remediation while keeping communication review duties separated. Which design best meets these requirements?
A financial services firm must comply with SEC 17a-4 requirements that mandate certain trade communications be retained in an immutable, non-rewriteable, non-erasable state for seven years, after which they must be permanently disposed of with a documented approval process. The compliance team needs a solution in Microsoft Purview that enforces immutable retention, prevents early deletion even by administrators, and requires reviewer sign-off before records are purged. Which design best meets these requirements?