Free Microsoft Cybersecurity SC-100 Actual Exam Questions

I think D might be tricky since patching OT devices often risks downtime or crashes. Active scanning (B) could cause more harm than good in legacy systems too. So focusing on A and C makes sense to me because both help spot issues without poking the devices directly. Would adding patching really fit “minimizing disruption”? Seems risky to me here.

A, C - Both minimize disruption and improve visibility without touching the devices directly.

This one's tricky, but I think A is off since the PIN is mostly for cloud vault operations, not on-prem MABS backups. D limits admin roles but won't stop an admin from deleting backups they have access to. A better safeguard might be B to add multi-user approval.

Option A seems less relevant here since a security PIN mainly covers critical actions in the Recovery Services vault but doesn't specifically block a compromised admin from deleting backups, especially on-prem with MABS. Option D, using PIM, limits who can get Backup Contributor rights, which is good for reducing risk but doesn’t directly prevent deletion if someone already has those rights. Resource Guard (B) is designed specifically to require multiple admins to approve important actions like deleting backups, making it a stronger safeguard against ransomware attacks targeting backup deletio

It’s C because Microsoft Information Protection specifically handles labeling and applying watermarks directly to files and attachments, which fits the need for embedding watermarks in email attachments. Defender for Cloud Apps (A) does watermarking but mostly when files are accessed through cloud apps, not embedded in the file itself. Insider risk management (B) isn’t about watermarking at all, and Azure Purview (D) is more focused on data governance and classification, not on applying watermarks. So from a practical standpoint, C seems like the only option designed for this exact purpose.

A vs C? Defender for Cloud Apps adds watermarks on file access, not directly to attachments.

Actually, option C might not be the best because using an Azure AD user with PIM adds unnecessary complexity and risk—user accounts can still be compromised, and managing passwords or MFA is a pain for automation. Option B (gMSA) is more for on-prem Windows services and doesn’t integrate well with Azure DevOps pipelines. Option A storing passwords in Key Vault is better but still involves handling secrets. Managed identities (D) eliminate secrets entirely, which fits best with DevSecOps principles by reducing attack surface and simplifying credential management. So D still feels like the clean

Option D for secure, passwordless access without manual credential management.

It’s A. Enabling just-in-time VM access directly targets the risk of having management ports open and accessible all the time, which is exactly what the Secure management ports control is about. Other controls like NSGs or MFA are good too, but JIT alone already scores points in this area because it reduces the attack surface by only opening ports when needed. So this solution fits the requirement perfectly.

A. JIT VM access limits open management ports to when needed, which directly improves security for these ports according to the benchmark. It’s the main recommendation here.

Option B makes sense here. Relying on a single backend IP isn’t reliable since Front Door’s IPs can change or be multiple. Access restrictions need to cover the full IP range or use service tags instead.

B/D? You can’t really trust a single backend IP because Front Door uses a range that could change anytime. Even if you whitelist one IP, others might still get through or legit traffic might get blocked. Using service tags or header validation is safer since they cover all Front Door traffic dynamically without risking lockout due to IP changes. So just allowing one backend IP won’t fully meet the goal here.

B imo, since Managed HSM offers more company control than Microsoft-managed keys.

A imo, since C doesn’t support on-premises keys for insurance claims.

I agree with picking D here. Azure Policy is designed exactly for enforcing those kinds of configurations automatically across all storage accounts, which tackles the risk of misconfigurations upfront. The other options focus more on monitoring or analysis rather than prevention.

D imo, since Azure Policy can enforce those storage account settings consistently across the subscription, unlike the other options that focus more on monitoring or analytics.

It’s B for sure. Playbooks handle automation and can send alerts straight to Teams, which cuts down manual work. Data connectors and KQL don’t automate or push notifications by themselves.

B/D? Playbooks (B) are the obvious choice for automation and Teams integration, but KQL (D) is essential for querying and defining the alerts that trigger these playbooks. Without well-crafted queries, the automation won’t know what to act on. So you kinda need both to build a solid SOAR strategy that cuts down manual work and supports Teams notifications effectively. Data connectors just bring in data, and workbooks only help visualize, so they don’t really address the automation or Teams alerting parts directly.

D. Machine isolation makes the most sense here since the question focuses on a post-breach response plan. It’s about cutting off the attacker’s current access, which aligns with DART’s containment strategy. The other options like controlled folder access or application isolation are more about prevention rather than immediate response after a breach has been detected. Memory scanning is more of a detection technique, not really part of the response plan itself. User isolation doesn’t fully block the threat if the machine remains connected, so isolating the entire machine is more effective for

Option D, machine isolation cuts off the attacker's access immediately.

Workbooks for dashboards and Playbooks for automation, no doubt.

Workbooks nailed for dashboards, plus Playbooks handle alerts automation smoothly.

I agree dedicated pools definitely support customer-managed keys through Azure Key Vault, so that one’s straightforward. For serverless pools, I think you have to go with service-managed keys because they don’t currently support CMK encryption. Since the question says “whenever possible,” using CMK for dedicated and default for serverless fits best. Trying to use CMK for serverless pools isn’t really practical given the current limitations.

Dedicated pools support CMK with Key Vault; serverless pools stick with service-managed keys.

Another way to look at this is focusing on identity governance along with protection. Including Azure AD Privileged Identity Management can help by just-in-time elevating admin rights instead of always-on permissions, which cuts down attack surfaces. Plus, using conditional access with sign-in risk policies adds an automatic response layer that can block or require extra verification only when suspicious activity’s detected, rather than blanket enforcement on everyone all the time. This targeted approach feels more efficient and secure for the entire litware.com forest.

I’d go with MFA and conditional access too, but another angle is to include Privileged Access Workstations (PAWs) if that’s an option. PAWs help reduce the risk of credential theft by isolating admin tasks. This complements MFA and conditional access by protecting the most sensitive accounts in litware.com. So if the question is about securing identities, layering PAWs on top of conditional access and MFA makes sense.

I’m thinking secret scanning should be part of both build and release. Catching secrets early helps prevent bad commits, but doing it again before release adds a safety net. Static analysis and vulnerability scans make sense in the build phase since you want to stop issues from moving forward. Compliance checks seem better suited for release since that’s the final gate before deployment. Splitting secret scanning across build and release feels like a solid way to cover all bases without slowing down the pipeline too much.

Static code analysis and vulnerability scanning definitely fit best in the build phase to catch issues early. Secret scanning works better in release to avoid pushing sensitive data into production accidentally.

Azure Defender for JIT covers network and RBAC controls; Conditional Access isn’t needed here.

I’m thinking Azure Defender (formerly Security Center) for JIT VM access since it controls network-level and time-limited access, which hits the network-based control requirement. For RBAC controls, Azure Role-Based Access Control itself is the obvious choice since it manages who can request JIT access. Azure Bastion doesn’t do IP restrictions by itself, so relying on Defender for JIT plus RBAC seems right. Conditional Access might be overkill here since the question focuses on VM access controls rather than user authentication policies. So, Azure Defender + Azure RBAC would cover both parts o