Design security solutions for applications and data
Drill 20 practice questions focused entirely on Design security solutions for applications and data for the Microsoft SC-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A retail company exposes several internal microservices through Azure API Management (APIM) to external partner applications. Security requirements state that: (1) every inbound request must present a valid OAuth 2.0 access token issued by Microsoft Entra ID before reaching any backend; (2) tokens must be rejected at the gateway if the audience or issuer is wrong; and (3) backend services must never be reachable directly, bypassing the gateway. The architect must design the APIM policy and network approach with the least custom code. Which combination BEST meets these requirements?
A development team runs a web application on Azure App Service that must retrieve a database connection string and an external API key at runtime. Currently these secrets are stored as plaintext app settings, and security review flagged the risk. The architect must design a solution that eliminates stored credentials in application configuration and code, allows secrets to be centrally managed and rotated, and requires no code changes to how the application reads its configuration. Which approach best satisfies these requirements?
A retail company runs a public e-commerce web application behind Azure Front Door. Security has observed credential-stuffing attempts, automated scraping of product pricing, and occasional SQL injection payloads against the login and search endpoints. The architect must design a WAF policy that blocks known web exploits, mitigates malicious automated traffic, and allows verified search-engine crawlers to continue indexing the catalog, while minimizing false positives against legitimate shoppers. Which WAF configuration best meets these requirements?
A financial services firm is deploying Microsoft 365 Copilot. During a pre-deployment readiness review, the security architect finds that many SharePoint sites containing confidential client portfolios have broad 'Everyone except external users' permissions, and much of the content is unlabeled. Leadership is concerned that Copilot could surface confidential data to employees who should not see it in generated responses. The architect must design a data-security control set that reduces oversharing risk without blocking Copilot entirely. Which approach best addresses the requirement?
A financial services company stores sensitive transaction records in Azure Cosmos DB. Compliance requires that the organization retains full control of the encryption keys, that keys can be revoked to render data inaccessible on demand, and that key material is protected by a FIPS 140-2 Level 3 validated hardware boundary. The security architect must design the encryption approach. Which solution meets all requirements?
A financial services organization uses Microsoft 365 E5 and has enabled Microsoft Defender for Cloud Apps. Security discovers that employees are uploading customer data to numerous unsanctioned SaaS applications, and that several OAuth-connected third-party apps have been granted broad Microsoft Graph permissions (such as Mail.ReadWrite and Files.ReadWrite.All) without IT review. The security architect must design a solution that (1) surfaces and blocks risky cloud app usage discovered from network traffic, and (2) continuously monitors and can automatically revoke over-privileged or malicious OAuth app grants against Microsoft 365. Which combination of Defender for Cloud Apps capabilities should the architect implement?
A financial services company runs a fleet of Azure SQL Databases containing regulated customer PII. The security architect must design protection that (1) continuously identifies misconfigurations such as excessive permissions and unencrypted columns, and (2) generates alerts on anomalous access patterns like SQL injection and access from unusual locations. The solution must require minimal per-database agent deployment and integrate findings into Microsoft Defender for Cloud. Which capability set should the architect enable?
A financial services company is repeatedly targeted by business email compromise (BEC) attacks. Attackers register look-alike domains (e.g., contoso-finance.com instead of contoso.com) and spoof the display names of the CFO and treasury team to trick staff into wiring funds. The security architect must design a Defender for Office 365 configuration that specifically detects and mitigates these display-name and domain look-alike attacks against a defined list of high-value executives. Which configuration should be prioritized?
A financial services firm uses Exchange Online. Users complain that legitimate email with attachments is delayed by several minutes during sandbox detonation, hurting time-sensitive trading communications. Security requires that all attachments still be fully scanned for zero-day malware before users can open them, but the message body and links must reach the inbox without delay. As the cybersecurity architect, which Microsoft Defender for Office 365 configuration should you recommend?
A financial services company allows employees to access a line-of-business web application containing customer PII from unmanaged personal laptops and mobile devices. Security requires that data displayed in the app cannot be saved locally, copied to unmanaged apps, or printed, while avoiding full device enrollment to respect employee privacy on personal hardware. The application is accessed exclusively through a browser. Which solution best meets these requirements?
A financial services firm allows employees to access Outlook and Teams on personal iOS and Android devices without enrolling them in MDM. Compliance requires that when an employee leaves the company or reports a lost device, all corporate email and files inside those apps can be removed without touching the user's personal photos, contacts, or apps. The security architect must design a solution that meets this requirement with the least administrative overhead. Which approach should the architect recommend?
A financial services company must store cryptographic keys used to protect regulated customer records in Azure. Compliance mandates that keys be generated and stored in single-tenant, FIPS 140-2 Level 3-validated hardware that the cloud provider cannot access, and the design must support customer-managed keys (CMK) for Azure Storage and Azure SQL Database encryption. Which key storage solution should the architect recommend?
A financial services company stores millions of documents across SharePoint Online, OneDrive, and Exchange Online. Compliance requires that documents containing customer PII and payment card data be automatically classified and protected without relying on end users to manually apply labels. The security architect must design a solution that discovers this data at rest across the existing content and applies sensitivity labels consistently, including encryption for the most sensitive documents. Which approach should the architect choose?
A financial services firm must prevent the exfiltration of highly structured customer records (account numbers, SSNs) that follow a precise format found in an exported CSV template. Generic pattern-based detection has produced excessive false positives, flagging unrelated numeric strings. The security architect needs a Microsoft Purview classification approach that matches only records that closely correspond to the actual customer database contents while minimizing false positives. Which classification method should be recommended?
A financial services company uses Microsoft Teams extensively for internal collaboration. Compliance requires that credit card numbers shared in Teams chat and channel messages be blocked in real time before the recipient can view them, and that senders receive a policy tip explaining the violation. The security architect must design a solution using existing Microsoft Purview licensing. Which approach meets these requirements?
A financial services firm allows employees to use several sanctioned SaaS applications (including a marketing analytics platform) that are accessed through the browser. The security architect must ensure that when a user attempts to download a file containing customer credit card numbers from any of these SaaS apps to an unmanaged personal device, the download is blocked in near real time — even though the file resides in a third-party SaaS store, not in Microsoft 365. Sensitivity labeling and Microsoft 365 DLP policies are already deployed for SharePoint, OneDrive, and Exchange. Which solution should the architect design to enforce this control?
A financial services firm needs to protect a repository of contract documents stored in SharePoint Online. The security architect has two goals: (1) ensure that any contract file, even when downloaded to an unmanaged personal device or emailed to an external partner, remains encrypted and only openable by authorized internal users, and (2) automatically block the copying of credit card numbers from those files into non-corporate cloud storage while users work on managed endpoints. The design must persist protection with the file regardless of where it travels. Which combination of Microsoft Purview capabilities best satisfies BOTH goals?
A defense contractor must protect a small set of highly classified engineering documents so that Microsoft 365 cloud services can never decrypt the content, even during legal or government requests to Microsoft. The organization already uses sensitivity labels with standard encryption for most data. For this narrow set of documents, they require that decryption depend on a key the organization holds entirely on-premises, in addition to a Microsoft-managed key, and are willing to accept that cloud-side services like search, eDiscovery, and DLP inspection will not work on that content. Which Microsoft Purview capability should the architect recommend for these documents?
A financial services organization is building a generative AI application that uses Azure OpenAI grounded on data stored in a Microsoft Fabric lakehouse and Azure Data Lake Storage Gen2. Before the data can be used for AI grounding, the security architect must ensure that regulated data (PII, account numbers) is discovered and classified across these repositories, and that the classification results can drive downstream protection and governance decisions for the AI workload. Which solution should the architect recommend to meet the discovery and classification requirement with the least custom development?
A financial services company must protect a set of highly confidential documents stored in SharePoint Online. The security architect requires that: (1) content is encrypted with a key the organization controls and can revoke, (2) Microsoft services (including co-authoring, eDiscovery, and search indexing) continue to function on the content, and (3) the encryption key material is stored in a FIPS 140-2 Level 2-validated Azure service under organizational governance. Which encryption approach for the sensitivity label best satisfies all three requirements?
More SC-100 practice
Keep going with the other Microsoft Cybersecurity Architect Expert domains, or take a full timed mock exam.
← Back to SC-100 overview