SC-100 Online Practice Questions and Answers

Correct Answer:

Box 1: Azure Web Application Firewall with network service tags A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes.

Incorrect:

* Not Azure private link with network service tags Network service tags are not used with Private links.

Box 2: Automation Contributor built-in role

The Automation Contributor role allows you to manage all resources in the Automation account, except modifying other user's access permissions to an Automation account.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control

Correct Answer:

Box 1: A private endpoint Scenario: An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

Requirements. ClaimsApp Deployment.

Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:

1.

ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.

2.

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

3.

ClaimsApp will access data in ClaimsDB.

4.

ClaimsDB must be accessible only from Azure virtual networks.

5.

The app services permission for ClaimsApp must be assigned to ClaimsDB.

Web app private connectivity to Azure SQL Database. Architecture: Workflow

1.

Using Azure App Service regional VNet Integration, the web app connects to Azure through an AppSvcSubnet delegated subnet in an Azure Virtual Network.

2.

In this example, the Virtual Network only routes traffic and is otherwise empty, but other subnets and workloads could also run in the Virtual Network.

3.

The App Service and Private Link subnets could be in separate peered Virtual Networks, for example as part of a hub-and-spoke network configuration.

4.

Azure Private Link sets up a private endpoint for the Azure SQL Database in the PrivateLinkSubnet of the Virtual Network.

5.

The web app connects to the SQL Database private endpoint through the PrivateLinkSubnet of the Virtual Network.

The database firewall allows only traffic coming from the PrivateLinkSubnet to connect, making the database inaccessible from the public internet.

Box 2: A managed identity Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any service that supports Azure AD authentication without managing credentials.

Reference: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status

Correct Answer: A

Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API. Reference: https://splunkbase.splunk.com/app/5312/

Correct Answer: C

Azure SQL Database is a general-purpose relational database, provided as a managed service. Categorized as a platform as a service (PaaS), Azure SQL Databases are built on standardized hardware and software that is owned, hosted, and maintained by Microsoft. When using Azure SQL Database, you pay-as-you-go, with the option to scale up or out with no service interruption.

Within Azure SQL Database, you have the option to deploy a managed instance. Azure SQL Database Managed Instance is a collection of system and user databases with a shared set of resources. In addition to all the PaaS benefits of Azure SQL Database, this option provides a native virtual network (VNet) and near 100 percent compatibility with on-premises SQL Server. Azure SQL Database Managed Instance provides you with full SQL Server access and feature compatibility for migrating SQL Servers to Azure.

Recommendation: Choose Azure SQL Database for your modern cloud applications, or when you have time constraints in development and marketing.

Correct Answer: AD

A: Data loss prevention in Office 365. Data loss prevention (DLP) helps you protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your

organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy, you can identify, monitor, and automatically

protect sensitive information across Office 365.

D: Sensitivity labels

Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization's data without hindering the productivity of users and their ability to collaborate.

Plan for integration into a broader information protection scheme. On top of coexistence with OME, sensitivity labels can be used along-side capabilities like Microsoft Purview Data Loss Prevention (DLP) and Microsoft Defender for Cloud

Apps.

Incorrect:

Not B: Retention labels help you retain what you need and delete what you don't at the item level (document or email). They are also used to declare an item as a record as part of a records management solution for your Microsoft 365 data.

Not C: eDiscovery cases in eDiscovery (Standard) and eDiscovery (Premium) let you associate specific searches and exports with a specific investigation. You can also assign members to a case to control who can access the case and view

the contents of the case. Place content locations on legal hold.

Reference: https://motionwave.com.au/keeping-your-confidential-data-secure-with-microsoft-office-365/ https://docs.microsoft.com/en-us/microsoft-365/solutions/information-protection-deploy-protect-information?view=o365-worldwide#sensitivity-labels

Correct Answer: A

Control mapping of the ISO 27001 Shared Services blueprint sample

The following mappings are to the ISO 27001:2013 controls. Use the navigation on the right to jump directly to a specific control mapping. Many of the mapped controls are implemented with an Azure Policy initiative.

Open Policy in the Azure portal and select the Definitions page. Then, find and select the [Preview] Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements built-in policy initiative.

Note: Security Center can now auto provision the Azure Policy's Guest Configuration extension (in preview)

Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc connected machines. The validation is performed by the Guest Configuration extension and client.

With this update, you can now set Security Center to automatically provision this extension to all supported machines.

Enforcing a secure configuration, based on a specific recommendation, is offered in two modes:

Using the Deny effect of Azure Policy, you can stop unhealthy resources from being created

Using the Enforce option, you can take advantage of Azure Policy's DeployIfNotExist effect and automatically remediate non-compliant resources upon creation Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/iso27001-shared/control-mapping https://docs.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive https://docs.microsoft.com/en-us/azure/defender-for-cloud/prevent-misconfigurations

Correct Answer: A

Service chaining.

Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.

You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks can then peer with the hub virtual network. Traffic

flows through network virtual appliances or VPN gateways in the hub virtual network.

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway. You can't route between virtual networks with a user-defined route that specifies

an Azure ExpressRoute gateway as the next hop type.

Incorrect:

Not B: Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. If you

don't configure forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from the Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic. Unauthorized

Internet access can potentially lead to information disclosure or other types of security breaches.

ExpressRoute forced tunneling is not configured via this mechanism, but instead, is enabled by advertising a default route via the ExpressRoute BGP peering sessions.

Note:

Requirements. Planned Changes

Litware plans to implement the following changes:

Design a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.

Requirements. Azure Landing Zone Requirements

Litware identifies the following landing zone requirements:

1.

Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.

2.

Provide a secure score scoped to the landing zone.

3.

Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.

4.

Minimize the possibility of data exfiltration.

5.

Maximize network bandwidth.

The landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:

1.

Be created in a dedicated subscription.

2.

Use a DNS namespace of litware.com.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#service-chaining https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

Correct Answer: C

Explanation:

Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.

Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.

Incorrect:

Not A: Microsoft Defender for Cloud Apps OAuth app policies.

OAuth app policies enable you to investigate which permissions each app requested and which users authorized them for Office 365, Google Workspace, and Salesforce. You're also able to mark these permissions as approved or banned.

Marking them as banned will revoke permissions for each app for each user who authorized it.

Note: In addition to the existing investigation of OAuth apps connected to your environment, you can set permission policies so that you get automated notifications when an OAuth app meets certain criteria. For example, you can

automatically be alerted when there are apps that require a high permission level and were authorized by more than 50 users.

Reference:

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager

https://docs.microsoft.com/en-us/defender-cloud-apps/app-permission-policy

Correct Answer: B

Correct Answer: BD

Scenario: Litware identifies the following application security requirements:

Monitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.

B: Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.

D: The Defender for Cloud Apps framework Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 25,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.

Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real time across all your cloud apps.

Etc.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps