Microsoft Cybersecurity Architect Expert · Domain 2 · 28% of exam

Design security operations, identity, and compliance capabilities

Drill 20 practice questions focused entirely on Design security operations, identity, and compliance capabilities for the Microsoft SC-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A financial services company is deploying autonomous AI agents and CI/CD workloads that run partly in Azure and partly in an external Kubernetes cluster hosted on another cloud. These agents must call Microsoft Graph and Azure-hosted APIs. Security leadership mandates that no long-lived client secrets or certificates be stored anywhere in the pipeline or the external cluster, and that each non-human identity be independently governable, auditable, and subject to Conditional Access. As the cybersecurity architect, which identity design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company uses Entra ID for workforce identity. The security architect must design an access policy that meets three requirements: (1) when a user's sign-in is scored high risk during an active session, access must be re-evaluated and revoked without waiting for token expiry; (2) tokens must be bound to the device that requested them so a stolen refresh token cannot be replayed from another device; and (3) users flagged as high user-risk must be forced to securely reset their password before regaining access. Which combination of Entra capabilities should the architect specify?

Reviewed for accuracy · Report an issue
Question 3 of 20

A multinational financial services firm runs workloads across three Azure subscriptions and one AWS account, all connected to Microsoft Defender for Cloud. Auditors require the organization to demonstrate continuous compliance against both PCI DSS and the local ISO 27001 standard, and the compliance team wants each business unit's subscription measured against only the standards relevant to it. What is the most appropriate design to meet these requirements while minimizing manual reporting effort?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company runs 200 Windows and Linux VMs in Azure hosting sensitive workloads. Administrators currently connect to these VMs via RDP and SSH over public IP addresses with ports left permanently open, which auditors flagged as a management-plane exposure risk. The security architect must reduce the attack surface for administrative access while retaining the ability for approved admins to connect on demand and generate an audit trail of each access request. Which design should the architect recommend?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company runs Microsoft Defender XDR across endpoints, identities, and email. The SOC is overwhelmed by high-volume, low-complexity alerts (malware quarantines, phishing clicks) that consume analyst time on routine triage. Leadership demands that these repetitive containment actions occur automatically within seconds, but the SOC lead insists that any remediation touching domain controllers or Tier 0 assets must still require explicit analyst approval before execution. As the security architect, which approach to Defender XDR automated investigation and response (AIR) best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A global retailer runs Microsoft Defender XDR (Defender for Endpoint, Identity, and Office 365) and Microsoft Sentinel. The SOC complains that a single multistage attack—phishing email, credential theft, then lateral movement to a server—generates separate, disconnected alerts across the Defender portals and Sentinel, forcing analysts to manually stitch the story together. The security architect must design a solution that automatically correlates related alerts from both Defender XDR and Sentinel into a single investigation surface while preserving Sentinel's ability to ingest third-party (non-Microsoft firewall) logs. What should the architect recommend?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company runs Microsoft Defender XDR integrated with Microsoft Sentinel. The SOC reports that analysts are overwhelmed by a high volume of low-fidelity incidents, many of which are generated when multiple correlated alerts (sign-in anomalies, suspicious inbox rules, and impossible-travel events) are surfaced as separate incidents rather than a single actionable incident. The security architect must reduce alert fatigue while preserving the ability to detect genuine multi-stage attacks. Which design approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 8 of 20

A global manufacturing company uses Entra ID entitlement management with access packages to grant project-based access to internal employees and external partners. Compliance auditors require that access to sensitive engineering resources be recertified quarterly, that stale partner access be automatically removed after 90 days of no project activity, and that resource owners (not IT) approve continued access. As the security architect, which design best meets these requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 9 of 20

A global enterprise is deploying autonomous AI agents built on Azure OpenAI and Copilot Studio to automate finance workflows. Each agent must call Microsoft Graph and internal APIs on its own behalf (no signed-in user), and the security architect must ensure the agents follow least-privilege, are individually attributable in audit logs, and can be revoked instantly if compromised. Human owners must periodically confirm each agent still needs its access. Which identity and governance design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A financial services company is deploying autonomous AI agents built on Azure that call internal APIs and Microsoft Graph on behalf of business workflows. The security architect must design a way to detect anomalous or compromised agent behavior—such as an agent suddenly requesting scopes far beyond its normal pattern or accessing resources at abnormal times—and feed high-fidelity signals into the SOC's Microsoft Sentinel workspace for correlation with human-identity incidents. Which design approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company uses Microsoft 365 and Entra ID. Their security team requires that when a user's account is disabled, their session risk becomes high, or their network location moves outside approved corporate ranges, active access tokens must be invalidated in near real time rather than waiting for the standard token lifetime to expire. The architecture must work for Exchange Online, SharePoint Online, and Microsoft Graph without forcing shorter token lifetimes across the tenant that would degrade user experience. What should the architect design to meet this requirement?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company must comply with a regulation that mandates phishing-resistant multifactor authentication for all administrators. The security architect wants to standardize on Entra ID Conditional Access to enforce this requirement, while also allowing a small partner group to authenticate using the partner's own certified FIDO2 solution that Entra ID does not natively provide. The design must ensure that only phishing-resistant methods satisfy MFA for privileged operations. Which combination of capabilities should the architect include in the design?

Reviewed for accuracy · Report an issue
Question 13 of 20

A multinational manufacturer must let engineers from three partner firms access a specific set of Azure-hosted design applications. Requirements: partners authenticate with their own organizational credentials (no new passwords), access must be time-boxed and auto-expire after each project phase, partner users must periodically re-attest their continued need for access, and the security team wants a single package that bundles the app roles and group memberships partners receive. Which combination of Entra ID capabilities best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 20

A multinational manufacturer runs primary workloads in Azure with Entra ID as the corporate IdP. It is acquiring a subsidiary that already operates entirely on AWS and uses AWS IAM Identity Center (federated to its own Okta tenant) for all employee sign-ins. During the 18-month integration period, subsidiary staff must access several Azure-hosted line-of-business apps, while the parent company's engineers must access AWS management consoles. Leadership requires that each company continue managing its own employee lifecycle in its existing IdP, that no shadow accounts be created, and that Conditional Access policies from Entra ID be enforced for access to the Azure apps. Which identity design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A global manufacturing company runs Active Directory Domain Services on-premises and is adopting Microsoft 365 and several Azure workloads. Security leadership requires that authentication continues to work for cloud apps even if the on-premises data center suffers a prolonged outage, that Entra ID leaked-credential detection (identity protection) can evaluate user passwords, and that the organization avoids deploying and maintaining federation server farms. As the cybersecurity architect, which Entra ID hybrid authentication design should you recommend?

Reviewed for accuracy · Report an issue
Question 16 of 20

A financial services company uses Microsoft Entra Privileged Identity Management (PIM) to secure privileged roles. Security requires that all Global Administrator activations need multi-stage approval and MFA. During a recent Entra ID authentication outage, administrators could not activate roles to respond to an unrelated production incident, delaying recovery. The security architect must redesign privileged access so that day-to-day admin activations remain fully governed while ensuring a reliable path exists when PIM or Entra authentication services are degraded. What should the architect recommend?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company is designing privileged access for its Azure environment. Global Administrator and other Entra ID directory roles are currently assigned permanently to eight staff members. Auditors require that standing highly privileged access be eliminated, activations be time-bound and approval-gated, and that a permanent role assignment remains only for emergency use. The company already licenses Entra ID P2. Which design best meets the auditor requirements while minimizing standing privilege?

Reviewed for accuracy · Report an issue
Question 18 of 20

A multinational logistics company hires thousands of seasonal contract drivers each year through third-party staffing agencies. The security architect wants to reduce onboarding friction and manual identity-proofing while ensuring that each driver's professional credentials (commercial license validity, safety certification) can be cryptographically verified before the driver is granted access to the fleet-management app. Verification must not require the company to store copies of the underlying documents, and drivers should be able to present the same proof to partner carriers without re-verification. Which Microsoft Entra capability should the architect design into the onboarding flow?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services company runs dozens of automated batch jobs and CI/CD pipelines in Azure that authenticate to APIs using Entra ID service principals with client secrets. A security review finds that many secrets have never been rotated, some are stored in code repositories, and there is no visibility into which service principals are risky or unused. The architect must design an identity governance approach for these non-human (workload) identities that reduces credential exposure and provides continuous risk detection. Which combination best meets these goals?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company's SOC uses Microsoft Sentinel and Defender XDR. During a maturity review, the CISO asks the security architect to demonstrate which adversary techniques the organization can currently detect, identify blind spots, and prioritize new analytics rules against the tactics most relevant to recent threat actor campaigns targeting the finance sector. Which approach best satisfies this requirement?

Reviewed for accuracy · Report an issue

More SC-100 practice

Keep going with the other Microsoft Cybersecurity Architect Expert domains, or take a full timed mock exam.

← Back to SC-100 overview