Microsoft SC-100 dumps are the latest and most effective exam solution to aid candidates in their pre-exam practice!
Microsoft SC-100 dumps have been updated! Reviewed, corrected, and actually verified by the Microsoft team, it is true and effective! Meet the conditions for successfully passing the Microsoft Cybersecurity Architect Expert certification exam.
Microsoft SC-100 dumps contain 155 latest exam questions and answers, which truly cover all Microsoft Cybersecurity Architect Expert exam requirements.
Use the latest and most effective Microsoft SC-100 certification exam solution: Download Microsoft SC-100 dumps with PDF and VCE: https://www.leads4pass.com/sc-100.html to help you study easily and successfully pass the Microsoft Cybersecurity Architect Expert certification exam.
Share some Microsoft SC-100 dumps exam questions online practice for free:
| From | Number of exam questions | Associated certification |
| Lead4Pass | 15 | Fundamental, Role-based |
Question 1:
Your company is moving a big data solution to Azure.
The company plans to use the following storage workloads:
1.
Azure Storage blob containers
2.
Azure Data Lake Storage Gen2
3.
Azure Storage file shares
4.
Azure Disk Storage
Which two storage workloads support authentication by using Azure AD? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Storage file shares
B. Azure Disk Storage
C. Azure Storage blob containers
D. Azure Data Lake Storage Gen2
Correct Answer: CD
C: Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal.
The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.
You can scope access to Azure blob resources at the following levels, beginning with the narrowest scope:
*
An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
*
The storage account.
*
The resource group.
*
The subscription.
*
A management group.
D: You can securely access data in an Azure Data Lake Storage Gen2 (ADLS Gen2) account using OAuth 2.0 with an Azure Active Directory (Azure AD) application service principal for authentication.
Using a service principal for authentication provides two options for accessing data in your storage account:
A mount point to a specific file or path
Direct access to data
Incorrect:
Not A: To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account. To register your storage account with AD DS, create an account representing it in your AD DS.
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/adls-gen2/azure-datalake-gen2-sp-access
Question 2:
HOTSPOT
For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to protect against the following external threats of an attack chain:
1.
An attacker attempts to exfiltrate data to external websites.
2.
An attacker attempts lateral movement across domain-joined computers.
What should you include in the recommendation for each threat? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Microsoft Defender for Identity
An attacker attempts to exfiltrate data to external websites.
Exfiltration alerts
Typically, cyberattacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets.
Valuable assets can be sensitive accounts, domain administrators, or highly sensitive data. Microsoft Defender for Identity identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases:
Reconnaissance
Compromised credentials
Lateral Movements
Domain dominance
Exfiltration
Box 2: Microsoft Defender for Identity
An attacker attempts lateral movement across domain-joined computers.
Microsoft Defender for Identity Lateral Movement Paths (LMPs)
Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts throughout your network.
Lateral movement is used by attackers to identify and gain access to the sensitive accounts and machines in your network that share stored sign-in credentials in accounts, groups, and machines.
Once an attacker makes successful lateral moves toward your key targets, the attacker can also take advantage and gain access to your domain controllers.
Lateral movement attacks are carried out using many of the methods described in Microsoft Defender for Identity Security Alerts.
A key component of Microsoft Defender for Identity\’s security insights is Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network.
Reference: https://learn.microsoft.com/en-us/defender-for-identity/exfiltration-alerts
Question 3:
Your company has an office in Seattle.
The company has two Azure virtual machine scale sets hosted on different virtual networks.
The company plans to contract developers in India.
You need to recommend a solution to provide the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:
1.
Prevent exposing the public IP addresses of the virtual machines.
2.
Provide the ability to connect without using a VPN.
3.
Minimize costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a hub and spoke network by using virtual network peering.
B. Deploy Azure Bastion to each virtual network.
C. Enable just-in-time VM access on the virtual machines.
D. Create NAT rules and network rules in Azure Firewall.
E. Deploy Azure Bastion to one virtual network.
Correct Answer: AE
Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.
Provision the service directly in your local or peered virtual network to get support for all the VMs within it.
Connect to your virtual machines in your local and peered virtual networks over SSL, port 443, directly in the Azure portal.
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet.
This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.
Architecture
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies.
Reference:
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
https://azure.microsoft.com/en-us/products/azure-bastion/#features
Question 4:
DRAG DROP
Your company wants to optimize ransomware incident investigations.
You need to recommend a plan to investigate ransomware incidents based on the Microsoft Detection and Response Team (DART) approach.
Which three actions should you recommend performing in sequence in the plan? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: Assess the current situation and identify the scope.
The DART approach to conducting ransomware incident investigations
You should make every effort to determine how the adversary gained access to your assets so that vulnerabilities can be remediated.
Otherwise, it is highly likely that the same type of attack will take place again in the future. In some cases, the threat actor takes steps to cover their tracks and destroy evidence, so it is possible that the entire chain of events may not be evident.
The following are three key steps in DART ransomware investigations:
1. Assess the current situation Understand the scope
What initially made you aware of a ransomware attack?
What time/date did you first learn of the incident?
What logs are available and is there any indication that the actor is currently accessing systems?
Step 2: Identity which line-of-business (LOB) apps are unavailable due to a ransomware incident.
2. Identify the affected line-of-business (LOB) apps Get systems back online
Does the application require an identity?
Are backups of the application, configuration, and data available?
Are the content and integrity of backups regularly verified using a restore exercise?
Step 3: Identify the compromise recovery process.
3. Determine the compromise recovery (CR) process Remove attacker control from the environment
Question 5:
You are planning the security requirements for Azure Cosmos DB Core (SQL) API accounts.
You need to recommend a solution to audit all users that access the data in the Azure Cosmos DB accounts.
Which two configurations should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Send the Azure Active Directory (Azure AD) sign-in logs to a Log Analytics workspace.
B. Enable Microsoft Defender for Identity.
C. Send the Azure Cosmos DB logs to a Log Analytics workspace.
D. Disable local authentication for Azure Cosmos DB.
E. Enable Microsoft Defender for Cosmos DB.
Correct Answer: AD
A: LT-2: Enable threat detection for Azure identity and access management
Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.
Audit logs – Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
D: Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication.
Enforcing RBAC as the only authentication method
In situations where you want to force clients to connect to Azure Cosmos DB through RBAC exclusively, you have the option to disable the account\’s primary/secondary keys.
When doing so, any incoming request using either a primary/secondary key or a resource token will be actively rejected.
Incorrect:
Not C: We use the Azure Active Directory (Azure AD) sign-in logs, not the Azure Cosmos db logs.
Not E: Microsoft Defender for Cosmos DB, though useful from a security perspective, does not help with auditing the users.
Note: Logging and Threat Detection, LT-1: Enable threat detection for Azure resources Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability and enable Microsoft Defender for your Cosmos DB resources.
Microsoft Defender for Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Cosmos DB resources.
Reference: https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline https://docs.microsoft.com/en-us/azure/cosmos-db/policy-reference https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth
Question 6:
Your company has a Microsoft 365 E5 subscription.
The company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online.
You need to recommend a solution to identify documents that contain sensitive information.
What should you include in the recommendation?
A. data classification content explorer
B. data loss prevention (DLP)
C. eDiscovery
D. Information Governance
Correct Answer: B
Data loss prevention (DLP)
With DLP policies, you can identify, monitor, and automatically protect sensitive information across Office 365. Data loss prevention policies can use sensitivity labels and sensitive information types to identify sensitive information.
Note: Microsoft 365 includes many sensitive information types that are ready for you to use in DLP policies and for automatic classification with sensitivity and retention labels.
Incorrect:
Not A: Content explorer shows a current snapshot of the items that have a sensitivity label, a retention label, or have been classified as a sensitive information type in your organization.
Reference: https://docs.microsoft.com/en-us/security/compass/information-protection-and-storage-capabilities
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-content-explorer
Question 7:
What should you create in Azure AD to meet the Contoso developer requirements?
Hot Area:
Correct Answer:
Box 1: A synced user account
Need to use a synched user account.
Incorrect:
*
Not A user account in the fabrikam.onmicrosoft.com tenant
The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
*
Guest accounts would not meet the requirements.
Note: Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named ContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.
The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.
Contoso Developers Requirements
Fabrikam identifies the following requirements for the Contoso developers:
Every month, the membership of the ContosoDevelopers group must be verified.
The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.
The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.
Box 2: An access review
Scenario: Every month, the membership of the ContosoDevelopers group must be verified.
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments.
User\’s access can be reviewed on a regular basis to make sure only the right people have continued access.
Access review is part of Azure AD Identity governance.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Question 8:
Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.
You need to recommend a solution to prevent malicious bots from scanning web apps for vulnerabilities. The solution must minimize the attack surface.
What should you include in the recommendation?
A. Azure Firewall Premium
B. Azure Traffic Manager and application security groups
C. Azure Application Gateway Web Application Firewall (WAF)
D. network security groups (NSGs)
Correct Answer: B
*
Application security groups enable you to configure network security as a natural extension of an application\’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
*
Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public-facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.
Traffic Manager uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method. The traffic manager also provides health monitoring for every endpoint.
Incorrect:
Not C: Azure Application Gateway Web Application Firewall is too small a scale solution in this scenario.
Note: Attacks against a web application can be monitored by using a real-time Application Gateway that has a Web Application Firewall, enabled with integrated logging from Azure Monitor to track Web Application Firewall alerts and easily
monitor trends.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline
Question 9:
You have 50 Azure subscriptions.
You need to monitor the resource in the subscriptions for compliance with the ISO 27001:2013 standards. The solution must minimize the effort required to modify the list of monitored policy definitions for the subscriptions.
What are two ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Assign an initiative to a management group.
B. Assign a policy to each subscription.
C. Assign a policy to a management group.
D. Assign an initiative to each subscription.
E. Assign a blueprint to each subscription.
F. Assign a blueprint to a management group.
Correct Answer: AF
An Azure Management group is a logical container that allows Azure Administrators to manage access, policy, and compliance across multiple Azure Subscriptions en masse.
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups the governance conditions you apply cascade by inheritance to all associated subscriptions.
F: Blueprint definition locations
When creating a blueprint definition, you\’ll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have Contributor access to. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.
A: Create and assign an initiative definition
With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within the scope of the assignment for compliance with the included policies.
Note: The Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in ISO 27001:2013.
The Azure Policy Control mapping provides details on policy definitions included within this blueprint and how these policy definitions map to the compliance domains and controls in ISO 27001. When assigned to an architecture, resources are evaluated by Azure Policy for non-compliance with assigned policy definitions.
Incorrect:
Not B, D, E: If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.
Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview https://docs.microsoft.com/en-us/azure/governance/blueprints/overview https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001 https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
Question 10:
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear on the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Need to use customer-managed keys instead.
Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use a rotation policy to configure rotation for each individual key.
Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices. This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with a customer-managed key (CMK) stored in Azure Key Vault.
Please refer to specific Azure service documentation to see if the service covers end-to-end rotation.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
Question 11:
HOTSPOT
Your company has a Microsoft 365 E5 subscription, an Azure subscription, on-premises applications, and Active Directory Domain Services (AD DS).
You need to recommend an identity security strategy that meets the following requirements:
1.
Ensures that customers can use their Facebook credentials to authenticate to an Azure App Service website
2.
Ensures that partner companies can access Microsoft SharePoint Online sites for the project to which they are assigned
The solution must minimize the need to deploy additional infrastructure components.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Azure AD B2C authentication
Ensures that customers can use their Facebook credentials to authenticate to an Azure App Service website.
You can set up sign-up and sign in with a Facebook account using Azure Active Directory B2C.
Box 2: Azure AD B2B authentication with access package assignments
Govern access for external users in Azure AD entitlement management
Azure AD entitlement management uses Azure AD business-to-business (B2B) to share access so you can collaborate with people outside your organization.
With Azure AD B2B, external users authenticate to their home directory but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
Incorrect:
Not: Password hash synchronization in Azure AD connect
The partners are not integrated with AD DS.
https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-integration
Question 12:
Your company has a Microsoft 365 E5 subscription.
Users use Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for sharing and collaborating.
The company identifies protected health information (PHI) within stored documents and communications.
What should you recommend using to prevent the PHI from being shared outside the company?
A. sensitivity label policies
B. data loss prevention (DLP) policies
C. insider risk management policies
D. retention policies
Correct Answer: A
What sensitivity labels can do?
After a sensitivity label is applied to an email or document, any configured protection settings for that label are enforced on the content. You can configure a sensitivity label to:
*
Protect content in containers such as sites and groups when you enable the capability to use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites.
*
Encrypt emails and documents to prevent unauthorized people from accessing this data. You can additionally choose which users or groups have permission to perform which actions and for how long. For example, you can choose to allow all users in your organization to modify a document while a specific group in another organization can only view it. Alternatively, instead of administrator-defined permissions, you can allow your users to assign permissions to the content when they apply the label.
*
Mark the content when you use Office apps, by adding watermarks, headers, or footers to emails or documents that have the label applied. Watermarks can be applied to documents but not email.
*
Etc.
Note: Publish sensitivity labels by creating a label policy
1.
From the Microsoft Purview compliance portal, select Solutions > Information protection > Label policies
2.
On the Label policies page, select Publish label to start the Create policy configuration
3.
On the Choose sensitivity labels to Publish page, select the Choose sensitivity labels to Publish link. Select the labels that you want to make available in apps and to services, and then select Add.
4.
Etc.
Incorrect:
Not B: In this scenario, the company itself has identified the sensitive information. This means that sensitive labels are enough, and there is no need for Data loss prevention (DLP) policies.
Note: With DLP policies, you can identify, monitor, and automatically protect sensitive information across Office 365. Data loss prevention policies can use sensitivity labels and sensitive information types to identify sensitive information.
Note: Microsoft 365 includes many sensitive information types that are ready for you to use in DLP policies and for automatic classification with sensitivity and retention labels.
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels
https://docs.microsoft.com/en-us/security/compass/information-protection-and-storage-capabilities
Question 13:
DRAG DROP
Your company has Microsoft 365 E5 licenses and Azure subscriptions.
The company plans to automatically label sensitive data stored in the following locations:
1.
Microsoft SharePoint Online
2.
Microsoft Exchange Online
3.
Microsoft Teams You need to recommend a strategy to identify and protect sensitive data. Which scope should you recommend for the sensitivity label policies? To answer, drag the appropriate scopes to the correct locations. Each scope may only be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point. Select and Place:
Correct Answer:
Box 1: Groups and sites SharePoint online handles sites.
Azure Active Directory (Azure AD) supports applying sensitivity labels published by the Microsoft Purview compliance portal to Microsoft 365 groups. Sensitivity labels apply to groups across services like Outlook, Microsoft Teams, and SharePoint.
Box 2: Schematized data assets Label travels with the data: The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview Data Map, SharePoint, Teams, Power BI, and SQL. When you apply a label on an official document and then scan it into the Microsoft Purview Data Map, the label will be applied to the data asset.
After you enable and configure sensitivity labels for containers, users can additionally see and apply sensitivity labels to Microsoft team sites, Microsoft 365 groups, and SharePoint sites.
Box 3: Files and emails
Exchange Online handles files and emails.
Reference: https://docs.microsoft.com/en-us/azure/purview/create-sensitivity-label
Question 14:
Your company has an on-premises network, an Azure subscription, and a Microsoft 365 E5 subscription. The company uses the following devices:
1.
Computers that run either Windows 10 or Windows 11
2.
Tablets and phones that run either Android or iOS
You need to recommend a solution to classify and encrypt sensitive Microsoft Office 365 data regardless of where the data is stored.
What should you include in the recommendation?
A. eDiscovery
B. Microsoft Information Protection
C. Compliance Manager
D. retention policies
Correct Answer: B
Protect your sensitive data with Microsoft Purview.
Implement capabilities from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to help you discover, classify, and protect sensitive information wherever it lives or travels.
Note: You can use Microsoft Information Protection: Microsoft Purview for Auditing and Analytics in Outlook for iOS, Android, and Mac (DoD).
Incorrect:
Not A: Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft Purview to search for content in Exchange
Online, OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups, and Yammer Teams. You can search mailboxes and sites in the same eDiscovery search, and then export the search results.
You can use Microsoft Purview eDiscovery (Standard) cases to identify, hold, and export content found in mailboxes and sites.
If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the feature-rich Microsoft Purview eDiscovery (Premium) solution in Microsoft 365.
Not C: What does the compliance Manager do?
Compliance managers ensure that a business, its employees, and its projects comply with all relevant regulations and specifications. This could include health and safety, environmental, legal, or quality standards, as well as any ethical policies the company may have.
Not D: A retention policy (also called a \’ schedule\’) is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (a record), where it\’s stored, and how to dispose of the record when it’s time.
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection
https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide
Question 15:
HOTSPOT
You are creating the security recommendations for an Azure App Service web app named App1. App1 has the following specifications:
1.
Users will authenticate by using Azure AD user accounts.
2.
Users will request access to App1 through the My Apps portal. A human resources manager will approve the requests.
You need to recommend an access security architecture for App1.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: A managed identity in Azure AD
Use a managed identity. You use Azure AD as the identity provider.
Box 2: An access review in Identity Governance
Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group
members or application access.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
…
Microsoft SC-100 dumps: is the best solution for Microsoft Cybersecurity Architect! Using the latest and effective Microsoft Cybersecurity Architect Expert certification exam program can not only make you progress quickly but also can help you pass the exam 100% successfully.
You can take advantage of the free Microsoft SC-100 dumps exam questions to help you validate your current learning and advance your expertise! Download 100% Best Microsoft Cybersecurity Architect Expert Certification Exam Scenario: Microsoft SC-100 dumps with PDF and VCE: https://www.leads4pass.com/sc-100.html Really helps you pass the exam 100% successfully!