Updated May-2026 Test Engine or PDF for the Microsoft SC-100 test to help you quickly prepare for the Microsoft exam!
Full SC-100 Practice Test and 335 unique questions with explanations waiting just for you, get it now!
NEW QUESTION # 168
Hotspot Question
You have an Azure subscription. The subscription contains an Azure Bastion host and 100 virtual machines that run Windows Server 2022. The virtual machines have Microsoft Defender for Servers Plan 2 enabled.
You need to recommend a security solution for the virtual machines that meets the following requirements:
- Administrators must request RDP access to the virtual machines by
using the Azure portal.
- Remote Desktop sessions must be limited to a maximum of three hours.
- Agentless scanning must be scheduled to run on each virtual machine.
What should you recommend using? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Explanation:
Box 1: Just-in-time (JIT) VM access
Administrators must request RDP access to the virtual machines by using the Azure portal.
Remote Desktop sessions must be limited to a maximum of three hours.
From Defender for Cloud, you can enable and configure the JIT VM access.
1. Open the Workload protections and, in the advanced protections, select Just-in-time VM access.
2. In the Not configured virtual machines tab, mark the VMs to protect with JIT and select Enable JIT on VMs.
The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting:
22 - SSH
3389 - RDP
5985 - WinRM
5986 - WinRM
To customize the JIT access:
3. Select Add.
4. Select one of the ports in the list to edit it or enter other ports. For each port, you can set the:
Protocol - The protocol that is allowed on this port when a request is approved Allowed source IPs - The IP ranges that are allowed on this port when a request is approved *-> Maximum request time - The maximum time window during which a specific port can be opened Select OK.
5. To save the port configuration, select Save.
Box 2: Microsoft Defender Vulnerability Management
Agentless scanning must be scheduled to run on each virtual machine.
Defender for Cloud, Enable agentless scanning for VMs
Defender for Cloud already supports different agent-based vulnerability scans, including Microsoft Defender Vulnerability Management (MDVM), BYOL. Agentless scanning extends the visibility of Defender for Cloud to reach more devices.
When you enable agentless vulnerability assessment:
* If you have no existing integrated vulnerability assessment solutions enabled on any of your VMs on your subscription, Defender for Cloud automatically enables MDVM by default.
*-> If you select Microsoft Defender Vulnerability Management as part of an integration with Microsoft Defender for Endpoint, Defender for Cloud shows a unified and consolidated view that optimizes coverage and freshness.
* Machines covered by just one of the sources (Defender Vulnerability Management or agentless) show the results from that source.
Reference:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanning-vms
NEW QUESTION # 169
You design cloud-based software as a service (SaaS) solutions.
You need to recommend ransomware attacks. The solution must follow Microsoft Security Best Practices.
What should you recommend doing first?
- A. Develop a privileged access strategy.
- B. Develop a privileged identity strategy.
- C. Implement data protection.
- D. Prepare a recovery plan.
Answer: D
NEW QUESTION # 170
Your company plans to move all on-premises virtual machines to Azure. A network engineer proposes the Azure virtual network design shown in the following table.
You need to recommend an Azure Bastion deployment to provide secure remote access to all the virtual machines. Based on the virtual network design, how many Azure Bastion subnets are required?
- A. 0
- B. 1
- C. 2
- D. 3
- E. 4
Answer: D
NEW QUESTION # 171
You have a Microsoft 365 E5 subscription and an Azure subscription. You are designing a Microsoft Sentinel deployment.
You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events. What should you recommend using in Microsoft Sentinel?
- A. workbooks
- B. playbooks
- C. threat intelligence
- D. notebooks
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview
NEW QUESTION # 172
You need to recommend a multi-tenant and hybrid security solution that meets to the business requirements and the hybrid requirements. What should you recommend? To answer, select the appropriate options in the answer are
a. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 173
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines.
If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
- A. app protection policies in Microsoft Endpoint Manager
- B. Azure Security Benchmark compliance controls m Defender for Cloud
- C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
- D. adaptive application controls in Defender for Cloud
Answer: D
NEW QUESTION # 174
You have an Azure subscription.
You plan to deploy Azure Kubernetes Service (AKS) clusters that will be used to host web services.
You need to recommend an ingress controller solution that will protect the hosted web services.
What should you include in the recommendation?
- A. Azure Load Balancer
- B. Azure Front Door
- C. Azure Application Gateway
- D. Azure Firewall
Answer: C
Explanation:
Use Application Gateway Ingress Controller (AGIC) with a multitenant Azure Kubernetes Service.
In this solution, Azure Web Application Firewall (WAF) provides centralized protection for web applications deployed on a multi-tenant Azure Kubernetes Service (AKS) cluster from common exploits and vulnerabilities.
Web applications running on Azure Kubernetes Service (AKS) cluster and exposed via the Application Gateway Ingress Controller (AGIC) can be protected from malicious attacks, such as SQL injection and cross-site scripting, by using a WAF Policy on Azure Application Gateway.
WAF policy on Azure Application Gateway comes pre-configured with Open Worldwide Application Security Project (OWASP) core rule sets and can be changed to other supported OWASP Core Rule Set (CRS) versions.
Reference:
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-agic/aks-agic
NEW QUESTION # 175
You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure.
During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
Answer:
Explanation:
Explanation:
NEW QUESTION # 176
You are evaluating an Azure environment for compliance.
You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.
Which effect should you use in Azure Policy?
- A. Modify
- B. Append
- C. Deny
- D. Disabled
Answer: D
Explanation:
Before looking to manage new or updated resources with your new policy definition, it's best to see how it evaluates a limited subset of existing resources, such as a test resource group. Use the enforcement mode Disabled (DoNotEnforce) on your policy assignment to prevent the effect from triggering or activity log entries from being created.
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/evaluate-impact
NEW QUESTION # 177
Your company wants to optimize using Azure to protect its resources from ransomware.
You need to recommend which capabilities of Azure Backup and Azure Storage provide the strongest protection against ransomware attacks. The solution must follow Microsoft Security Best Practices.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 178
Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C.
The application will be deployed as an App Service web app. You need to recommend a solution to the application development team to secure the application from identity related attacks. Which two configurations should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A. access packages in Identity Governance
- B. Azure AD workbooks to monitor risk detections
- C. custom resource owner password credentials (ROPC) flows in Azure AD B2C
- D. Azure AD Conditional Access integration with user flows and custom policies
- E. smart account lockout in Azure AD B2C
Answer: D,E
NEW QUESTION # 179
Your company uses Azure Pipelines and Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.
You are updating the deployment process to align with DevSecOps controls guidance in the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a solution to ensure that all code changes are submitted by using pull requests before being deployed by the CI/CD workflow.
What should you include in the recommendation?
- A. custom Azure roles
- B. Azure policies
- C. custom roles in Azure Pipelines
- D. branch policies in Azure Repos
Answer: D
Explanation:
Securing Azure Pipelines
YAML pipelines offer the best security for your Azure Pipelines. In contrast to classic build and release pipelines, YAML pipelines:
* Can be code reviewed. YAML pipelines are no different from any other piece of code. You can prevent malicious actors from introducing malicious steps in your pipelines by enforcing the use of Pull Requests to merge changes. Branch policies make it easy for you to set this up.
* Etc.
Reference:
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/overview
NEW QUESTION # 180
You are designing a security operations strategy based on the Zero Trust framework.
You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts.
What should you do?
- A. Automate data classification.
- B. Create hunting queries in Microsoft 365 Defender.
- C. Enable self-healing in Microsoft 365 Defender.
- D. Enable built-in compliance policies in Azure Policy.
Answer: C
Explanation:
https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/self-healing-in-microsoft-
365-defender/ba-p/1729527
NEW QUESTION # 181
You have an Azure subscription that is used as an Azure landing zone for an application. You need to evaluate the security posture of all the workloads in the landing zone. What should you do first?
- A. Add Microsoft Sentinel data connectors.
- B. Configure Continuous Integration/Continuous Deployment (CI/CD) vulnerability scanning.
- C. Enable the Defender plan for all resource types in Microsoft Defender for Cloud.
- D. Obtain Azure Active Directory Premium Plan 2 licenses.
Answer: A
NEW QUESTION # 182
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database. You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model. Solution: You recommend implementing Azure Front Door with Azure Web Application Firewall (WAF). Does this meet the goal?
- A. Yes
- B. No
Answer: A
NEW QUESTION # 183
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel. The company is designing an application that will have the architecture shown in the following exhibit.
You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements-.
* Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
* Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer are a. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 184
......
Get Latest SC-100 Dumps Exam Questions: https://drive.google.com/open?id=1bZ7fzpiKDXurKs_1EQTScqdNNP0A89cA
Full SC-100 Practice Test and 335 unique questions with explanations waiting just for you, get it now: https://www.exams4sures.com/Microsoft/SC-100-practice-exam-dumps.html