Microsoft

SC-100 — Microsoft Cybersecurity Architect Study Guide

293 practice questions · Updated 2026-02-27 · $19 (70% off) · HTML + PDF formats

SC-100 Exam Overview

Prepare for the Microsoft SC-100 certification exam with our comprehensive study guide. This study material contains 293 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The SC-100 exam — Microsoft Cybersecurity Architect — is offered by Microsoft. Passing this exam earns you the Microsoft Certified: Cybersecurity Architect Expert credential, an industry-recognized certification that validates your expertise. Our study materials were last updated on 2026-02-27 to reflect the most recent exam objectives and content.

What You Get

293 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

About the Microsoft Certified: Cybersecurity Architect Expert

The Microsoft Certified: Cybersecurity Architect Expert is awarded by Microsoft to professionals who demonstrate competence in the skills measured by the SC-100 exam. According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.

According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers. Certifications from Microsoft are among the most recognized credentials in the IT industry, with strong demand across enterprise organizations worldwide.

$19 (discounted from $63)

One-time payment · HTML + PDF · Instant download · 293 questions

Free Sample — 15 Practice Questions

Preview 15 of 293 questions from the SC-100 exam. Try before you buy — purchase the full study guide for all 293 questions with answers and explanations.

Question 229

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance. You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.

Solution: You recommend configuring gateway-required virtual network integration.

Does this meet the goal?

A. Yes
B. No
Correct Answer: B
Explanation:
Gateway-required virtual network integration controls outbound traffic from an App Service to a virtual network and does not restrict inbound access to only Azure Front Door. To ensure web apps are accessible only through Front Door, you must use App Service access restrictions with Azure Front Door service tags or validate the Front Door header. Therefore, the proposed solution does not meet the goal.

Question 74

Your company has an Azure subscription that uses Microsoft Defender for Cloud. The company signs a contract with the United States government. You need to review the current subscription for NIST 800-53 compliance. What should you do first?

A. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
B. From Azure Policy, assign a built-in policy definition that has a scope of the subscription.
C. From Defender for Cloud, review the Azure security baseline for audit report.
D. From Defender for Cloud, enable Defender for Cloud plans.
Correct Answer: A
Explanation:
To review NIST SP 800-53 compliance in an Azure subscription, the first step is to assign the relevant regulatory compliance initiative. Azure provides a built-in NIST SP 800-53 Regulatory Compliance initiative in Azure Policy that maps NIST controls to Azure Policy definitions. Assigning this initiative at the subscription scope enables assessment and reporting of compliance against NIST 800-53. Individual policy definitions, Defender plans, or baseline reports are either too granular or occur after the compliance framework is applied.

Question 168

You are designing a security operations strategy based on the Zero Trust framework. You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts. What should you do?

A. Enable built-in compliance policies in Azure Policy.
B. Enable self-healing in Microsoft 365 Defender.
C. Automate data classification.
D. Create hunting queries in Microsoft 365 Defender.
Correct Answer: B
Explanation:
To minimize the operational load on Tier 1 SOC analysts in a Zero Trust–based security operations strategy, automation of detection and response is key. Enabling self-healing in Microsoft 365 Defender provides automated investigation and remediation of common threats, reducing manual triage and response work for Tier 1 analysts. The other options focus on compliance, data governance, or proactive hunting, which do not directly reduce Tier 1 operational workload.

Question 161

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You need to enforce ISO 27001:2013 standards for new resources deployed to the subscription. The solution must ensure that noncompliant resources are automatically detected. What should you use?

A. Azure Blueprints
B. the regulatory compliance dashboard in Defender for Cloud
C. Azure Policy
D. Azure role-based access control (Azure RBAC)
Correct Answer: C
Explanation:
Azure Policy is the correct choice because it can assign built-in ISO 27001:2013 policy initiatives that automatically evaluate new and existing resources for compliance and can enforce requirements using effects such as deny, audit, or deployIfNotExists. The regulatory compliance dashboard only reports compliance status, Blueprints are deprecated and focus on initial deployments, and Azure RBAC controls access rather than compliance.

Question 86

You have an Azure subscription that contains multiple Azure Blob Storage accounts. You need to recommend a solution to detect threats in files after the files are uploaded to a blob container. What should you include in the recommendation?

A. sensitive data threat detection in Microsoft Defender for Storage
B. runtime threat protection in Microsoft Defender for Containers
C. vulnerability assessment in Microsoft Defender for Containers
D. malware scanning in Microsoft Defender for Storage
Correct Answer: D
Explanation:
The requirement is to detect threats in files after they are uploaded to Azure Blob Storage. Malware scanning in Microsoft Defender for Storage is specifically designed to scan blobs for malicious content (on-upload or on-demand) and generate alerts when malware is detected. The other options focus on containers or data sensitivity rather than scanning file contents for malware.

Question 23

HOTSPOT - You have a Microsoft Entra tenant named contoso.com that syncs with an Active Directory Domain Services (AD DS) domain named corp.contoso.com. The domain contains 100 devices that have the following configurations:
• Hybrid joined
• Enrolled in Microsoft Intune
• Disabled built-in local administrator account
• Contain a local user account named User1 that is a member of the local administrators group

You need to recommend a solution that meets the following requirements:
• Ensures that the Directory Services Restore Mode (DSRM) credentials of each domain controller are backed up to the AD DS database
• Ensures that the password of User1 changes automatically every 60 days
• Ensures that the credentials of User1 are stored in an encrypted store
• Prevents the User1 password from being changed manually
• Whenever possible, stores all credentials in contoso.com
• Minimizes administrative effort

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Illustration for SC-100 question 23
Correct Answer:
For the User1 credentials: Windows Local Administrator Password Solution (Windows LAPS)
For the DSRM credentials: Windows Local Administrator Password Solution (Windows LAPS)
Explanation:
Windows LAPS automatically rotates local account passwords, prevents manual changes, and stores them encrypted in AD DS or Microsoft Entra ID, minimizing admin effort. It also supports backing up DSRM passwords for domain controllers into AD DS, meeting all security and storage requirements.

Question 36

HOTSPOT - You plan to deploy an Azure API Management solution that will enable different groups of developers to access different sets of APIs at random times and rates. You need to recommend the pricing tier that should be purchased and the scope at which the rate limit policies should be applied. The solution must meet the following requirements:
• Ensure that each group of developers can access only specific sets of APIs.
• Ensure that each set of APIs can be configured with specific rate limits.
• Minimize development and administrative effort and costs.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Illustration for SC-100 question 36
Correct Answer:
Pricing tier: Standard V2
Scope: Product
Explanation:
Standard V2 supports products and access control so different developer groups can be granted access to specific sets of APIs. Applying rate‑limit policies at the Product scope allows configuring limits per set of APIs, minimizing duplication and administrative effort compared to per‑API policies.

Question 24

HOTSPOT - You have a Microsoft Entra tenant. The tenant contains a security group named Group1. Group1 contains the members of your company's IT support team. You have an Azure subscription. The subscription contains 800 Windows devices that are Microsoft Entra joined and 200 Windows devices that are Microsoft Entra registered. You have 200 standalone macOS devices. You deploy 10 Windows devices that are Microsoft Entra joined and have the Microsoft Entra ExtensionAttribute1 value set to SecureWorkstation. You need to recommend a Conditional Access solution that meets the following requirements:
• Only allows access to Microsoft Entra resources from devices that run Windows 10 or Windows 11
• Restricts Windows Azure Service Management API access to the following users:
  o The members of Group1
  o Users that authenticate by using multifactor authentication (MFA)
  o Users that connect from a device that has the SecureWorkstation ExtensionAttribute1

The solution must minimize the number of required policies and maximize security. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Illustration for SC-100 question 24
Correct Answer:
Identity type: Service principal
Signal source: Device platform
Explanation:
Access to the Windows Azure Service Management API is controlled via a workload (cloud app/service principal). Evaluating Windows 10/11 and the SecureWorkstation ExtensionAttribute1 requires device-based conditions, which are provided by the Device platform signal source.

Question 172

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS). You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices. You need to ensure that a compromised administrator account cannot be used to delete the backups. What should you do?

A. From Azure Backup, configure multi-user authorization by using Resource Guard.
B. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
C. From a Recovery Services vault, generate a security PIN for critical operations.
D. From Azure AD Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
Correct Answer: A
Explanation:
To protect against ransomware and ensure that a single compromised administrator account cannot delete backups, Microsoft best practice is to enable Multi-User Authorization (MUA) using a Resource Guard. MUA enforces separation of duties: critical operations like deleting backups require approval from a separate security principal that owns the Resource Guard. A security PIN (option C) is a single-user control and can still be misused if that account is compromised. The other options do not provide protection against malicious deletion.

Question 236

You are creating an application lifecycle management process based on the Microsoft Security Development Lifecycle (SDL). You need to recommend a security standard for onboarding applications to Azure. The standard will include recommendations for application design, development, and deployment. What should you include during the application design phase?

A. software decomposition by using Microsoft Visual Studio Enterprise
B. dynamic application security testing (DAST) by using Veracode
C. threat modeling by using the Microsoft Threat Modeling Tool
D. static application security testing (SAST) by using SonarQube
Correct Answer: C
Explanation:
In the Microsoft Security Development Lifecycle (SDL), the application design phase focuses on identifying and mitigating potential security risks early. Threat modeling is a core design-phase activity in SDL and is specifically recommended by Microsoft to analyze application architecture, identify threats, and define mitigations before development begins. DAST and SAST occur during testing/implementation phases, and software decomposition in Visual Studio is not the primary SDL design requirement.

Question 166

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines. You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure. What should you recommend?

A. a managed identity in Azure
B. an Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)
C. a group managed service account (gMSA)
D. an Azure AD user account that has a password stored in Azure Key Vault
Correct Answer: A
Explanation:
DevSecOps best practices in the Microsoft Cloud Adoption Framework recommend using non-human identities with least privilege and no stored secrets for automation. Managed identities are automatically managed by Azure, integrate with Azure RBAC, and eliminate the need to handle passwords or secrets in CI/CD pipelines. User accounts (even with PIM or Key Vault–stored passwords) and gMSAs introduce unnecessary credential management and risk, making a managed identity the most secure and compliant choice for Azure DevOps service connections.

Question 99

HOTSPOT - You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a 10-node virtual machine scale set that hosts a web search app named App1. Customers access App1 from the internet. The nodes establish outbound HTTP and HTTPS connections to the internet. You need to recommend a network security solution for App1. The solution must meet the following requirements:
• Inbound connections to App1 that contain security threats specified in the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP) must be blocked.
• Outbound HTTP and HTTPS connections from the virtual machine scale set that contain security threats identified by the Microsoft Defender Threat Intelligence (Defender TI) feed must be blocked.

What should you include in the recommendation? To answer, select the options in the answer area. NOTE: Each correct answer is worth one point.

Illustration for SC-100 question 99
Correct Answer:
For the inbound connections: Azure Web Application Firewall (WAF)
For the outbound connections: Azure Firewall
Explanation:
Inbound HTTP/HTTPS traffic must be inspected against OWASP CRS rules, which is provided by Azure Web Application Firewall. Outbound HTTP/HTTPS traffic must be filtered using Microsoft Defender Threat Intelligence, which is supported by Azure Firewall threat intelligence–based filtering.

Question 72

HOTSPOT - You have an Azure subscription that contains the resources shown in the following table. You need to recommend a network security solution for App1. The solution must meet the following requirements:
• Only the virtual machines that are connected to Subnet1 must be able to connect to DB1.
• DB1 must be inaccessible from the internet.
• Costs must be minimized.

What should you include in the recommendation? To answer, select the options in the answer area. NOTE: Each correct answer is worth one point.

Illustration for SC-100 question 72 Illustration for SC-100 question 72
Correct Answer:
A private endpoint
Virtual network rules
Explanation:
A private endpoint (via Azure Private Link) places DB1 on a private IP in Subnet1, removing public internet access and allowing only resources in the VNet to connect. Virtual network rules on Azure SQL restrict access to the specified subnet, ensuring only VMs in Subnet1 can reach DB1 at minimal cost.

Question 183

You have a Microsoft 365 subscription. You need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices. Which two services should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Azure AD Conditional Access
B. Azure Data Catalog
C. Microsoft Purview Information Protection
D. Azure AD Application Proxy
E. Microsoft Defender for Cloud Apps
Correct Answer: A, E
Explanation:
Blocking file downloads from SharePoint Online on unmanaged devices requires session-based controls. Azure AD Conditional Access is used to detect unmanaged devices and route sessions to Conditional Access App Control. Microsoft Defender for Cloud Apps then enforces session policies that block file downloads while still allowing authenticated access. Together, these services provide the required control.

Question 267

A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions. You are evaluating the security posture of the customer. You discover that the AKS resources are excluded from the secure score recommendations. You need to produce accurate recommendations and update the secure score. Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Enable Defender plans.
B. Configure auto provisioning.
C. Add a workflow automation.
D. Assign regulatory compliance policies.
E. Review the inventory.
Correct Answer: A, B
Explanation:
The AKS resources are excluded from secure score because Microsoft Defender for Cloud isn’t actively evaluating them. Enabling the relevant Defender plans (such as Defender for Containers) is required for AKS to generate security recommendations and contribute to the secure score. Configuring auto-provisioning ensures the necessary components and coverage are automatically applied across all AKS clusters and subscriptions so recommendations are produced consistently and the secure score is updated.


Get all 293 questions with detailed answers and explanations

SC-100 — Frequently Asked Questions

What is the Microsoft SC-100 exam?

The Microsoft SC-100 exam — Microsoft Cybersecurity Architect — is a professional IT certification exam offered by Microsoft. Passing this exam earns you the Microsoft Certified: Cybersecurity Architect Expert certification, a widely recognized credential in the IT industry.

How many practice questions are included?

This study guide contains 293 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the SC-100 exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this SC-100 study guide last updated?

This study guide was last updated on 2026-02-27. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the SC-100 study guide cost?

The Microsoft SC-100 study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.