Prepare Better for the SC-100 Exam with Our Free and Reliable SC-100 Exam Questions, Updated for 2025.
At Cert Empire, we are focused on offering the most accurate and up-to-date exam questions for students preparing for the Microsoft SC-100 Exam. To support effective preparation, we've made parts of our SC-100 exam resources free for everyone. You can practice as much as you want with the Free SC-100 Practice Test.
Question 1
Answer
A. device registrations in Azure AD: Device registration is used to manage and secure end-user devices (e.g., laptops, mobile phones) accessing corporate resources, not for authenticating Azure services.
B. application registrations in Azure AD: While an application registration is a related concept, a managed identity is the specific, recommended implementation for a service's identity, abstracting away the underlying service principal and its credential management.
C. Azure service principals with certificate credentials: This is more secure than passwords but still requires manual or scripted management of the certificate lifecycle (creation, rotation, renewal), which managed identities handle automatically.
D. Azure service principals with usernames and passwords: This is the least secure method and is explicitly discouraged. Storing and managing passwords for service accounts introduces significant security risks, such as credential leakage.
1. Microsoft Cloud Security Benchmark v1, Control IM-3: Securely manage application and service identities. The guidance states: "Use managed identities for Azure resources where the feature is available to access other resources. The credential of a managed identity is fully managed by the platform and protected from unauthorized access."
2. Microsoft Learn, "What are managed identities for Azure resources?". This document explains that managed identities are the recommended solution for service-to-service authentication as they eliminate the need for developers to manage credentials. It states, "You don't have to manage credentials. Credentials are not even accessible to you."
3. Microsoft Learn, "How to use managed identities in Azure API Management". This official documentation confirms the applicability and best practice for the specific service in the question. It states, "A managed identity from Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources... Azure manages this identity, so you don't have to provision or rotate any secrets."
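The design above in practice, as an added example that is not part of the original page: enable the system-assigned managed identity on an API Management instance and grant it read-only access to Key Vault secrets through Azure RBAC. The resource group, instance and vault names are assumptions for illustration; the cmdlets are from the Az.ApiManagement, Az.KeyVault and Az.Resources modules, and the vault is assumed to use the RBAC permission model.

```powershell
# Added example (not from the original page): give an API Management instance a
# system-assigned managed identity and let it read Key Vault secrets via RBAC.
# Resource names below are assumptions for illustration.
$rg       = 'rg-apim-demo'
$apimName = 'apim-contoso-demo'
$kvName   = 'kv-contoso-demo'

# 1. Turn on the system-assigned identity. Azure creates, stores and rotates the
#    credential; nothing lands in app settings, pipelines or source control.
$apim = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
Set-AzApiManagement -InputObject $apim -SystemAssignedIdentity
$apim        = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
$principalId = $apim.Identity.PrincipalId

# 2. Least privilege on the vault: read secrets only, no key or certificate
#    management rights, scoped to this one vault rather than the subscription.
$kv = Get-AzKeyVault -VaultName $kvName
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $kv.ResourceId

# 3. Verify the identity holds exactly the role intended and nothing broader.
Get-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId |
    Select-Object RoleDefinitionName, Scope

# Contrast with the rejected options: a service principal would need
#   New-AzADServicePrincipal ... ; New-AzADSpCredential -ObjectId ...
# and the resulting secret or certificate would have to be stored, rotated and
# eventually revoked by you. With the managed identity there is no credential
# for an operator to copy, leak or forget to rotate.
```

The role assignment is the only artefact that ties the identity to the vault, so it is also the only thing to remove when the instance is decommissioned; Key Vault access policies would work equally well, but the vault must be using one model or the other.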
Question 2
HOTSPOT
You have a Microsoft 365 subscription that is protected by using Microsoft 365 Defender. You are designing a security operations strategy that will use Microsoft Sentinel to monitor events from Microsoft 365 and Microsoft 365 Defender.
You need to recommend a solution to meet the following requirements:
• Integrate Microsoft Sentinel with a third-party security vendor to access information about known malware.
• Automatically generate incidents when the IP address of a command-and-control server is detected in the events.
What should you configure in Microsoft Sentinel to meet each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer
1ST: A THREAT INTELLIGENCE CONNECTOR
2ND: A THREAT DETECTION RULE
To integrate third-party security information, such as known malware or command-and-control server IP addresses, into Microsoft Sentinel, you must use a threat intelligence connector. These specialized data connectors are designed to ingest threat indicators from Threat Intelligence Platforms (TIPs) or other external feeds.
Once the threat intelligence data is in Sentinel, you need a mechanism to correlate it with your internal event logs. A threat detection rule (now called an analytics rule) performs this function. You configure a rule that queries your logs for matches against the imported threat indicators. When a match is found, such as traffic to a known malicious IP address, the rule automatically generates an alert and an incident for investigation.
Microsoft. (2024). Understand threat intelligence in Microsoft Sentinel. Microsoft Learn. In the "Integrate threat intelligence with connectors" section, it states, "Microsoft Sentinel provides data connectors to ingest threat indicators from a wide variety of sources." This confirms the use of connectors for integration.
Microsoft. (2024). Use threat intelligence to detect threats in Microsoft Sentinel. Microsoft Learn. The document explains, "After you've imported threat indicators into Microsoft Sentinel... use the built-in analytics rules that match your threat indicators with your event logs... The name of the rule is Microsoft Security Threat Intelligence Analytics." This directly links analytics rules (threat detection rules) to generating incidents from threat intelligence data.
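The second half of the answer, the analytics rule that turns an imported indicator into an incident, as an added example that is not from the original page or from Microsoft's built-in rule. The KQL joins active IP indicators from the ThreatIntelligenceIndicator table (populated by the TI data connector, which is enabled from the Content hub) to CommonSecurityLog events from a CEF log forwarder on the destination address. Workspace and resource group names are assumptions, and the cmdlet is from Az.SecurityInsights 3.x.

```powershell
# Added example (not from the original page): a scheduled analytics rule that
# matches imported threat-intelligence IP indicators against CEF/Syslog events
# and raises an incident on every hit. Resource names are assumptions.
$rg        = 'rg-sentinel-demo'
$workspace = 'law-sentinel-demo'

# KQL: take only active, unexpired IP indicators (latest version of each), then
# join them to outbound connections in CommonSecurityLog by DestinationIP.
$query = @'
let lookback = 1h;
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIp = coalesce(NetworkDestinationIP, NetworkIP)
    | where isnotempty(IndicatorIp)
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DestinationIP)
| join kind=innerunique ti_ips on $left.DestinationIP == $right.IndicatorIp
| project TimeGenerated, Computer, SourceIP, DestinationIP, DestinationPort,
          IndicatorId, ThreatType, Description, ConfidenceScore
'@

# Scheduled rules create an incident per alert by default; the threshold of
# "more than 0 results" means a single matching connection is enough.
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace `
    -Kind Scheduled -Enabled `
    -DisplayName 'TI match: outbound connection to known C2 IP' `
    -Description 'Correlates CEF DestinationIP with imported TI IP indicators' `
    -Severity High `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0

# Verify the rule exists and is enabled.
Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace |
    Where-Object { $_.DisplayName -like 'TI match*' } |
    Select-Object DisplayName, Enabled, Severity
```

Two practical notes: the query period must be at least as long as the frequency or connections that fall between runs are never examined, and entity mapping (IP and host) should be added to the rule in the portal so the incident carries investigable entities rather than raw strings. Newer workspaces also expose the indicators in a ThreatIntelIndicators table; if yours does, swap the table name and column names accordingly.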
Question 3
Answer
A. an Azure logic app: Logic Apps are used for Security Orchestration, Automation, and Response (SOAR) workflows, not as a primary mechanism for high-volume log ingestion.
C. an on-premises data gateway: This gateway enables services like Power BI and Power Apps to connect to on-premises data sources; it is not used for forwarding Syslog logs to Sentinel.
D. Azure Data Factory: This is a large-scale data integration (ETL/ELT) service and is not the appropriate or efficient tool for real-time security log ingestion from Syslog sources.
1. Microsoft Documentation, "Ingest Common Event Format (CEF) logs with the AMA connector": "To connect your CEF-supported appliance to Microsoft Sentinel, you need to deploy a server, known as the log forwarder... The log forwarder receives logs from your appliances over Syslog and forwards them to your Microsoft Sentinel workspace." This document details the setup of a Linux machine to act as this Syslog server/forwarder.
2. Microsoft Documentation, "Plan costs and understand Microsoft Sentinel pricing and billing": Under the "Data collection" section, it mentions, "For some data sources like Syslog, Common Event Format (CEF)... you are required to set up a Log Forwarder on an Azure virtual machine or an on-premises server." This confirms the requirement of a server acting as a Syslog forwarder.
3. Microsoft Documentation, "Connect data sources to Microsoft Sentinel": The overview for connecting external solutions often points to the use of Syslog or CEF via a log forwarder. For CEF, it states, "Connect your external solution using Common Event Format (CEF) to Microsoft Sentinel over Syslog." This directly links the CEF format to the Syslog protocol, which requires a Syslog server to receive the logs before forwarding.
Question 4
Answer
B. a relying party trust in Active Directory Federation Services (AD FS): AD FS is an on-premises federation service. While it can enable SSO, it is not the direct, cloud-native solution for an Azure AD tenant integrating with a SaaS app.
C. Azure AD Application Proxy: This service is designed to provide secure remote access and SSO to on-premises web applications, not for integrating with external, cloud-based SaaS applications.
D. Azure AD B2C: This is a separate identity management service for customer-facing applications (Business-to-Consumer). It is used for managing consumer identities, not for employee access to corporate applications.
1. Microsoft Learn | Azure Active Directory Documentation: "What is application management in Azure Active Directory?". This document states, "Application management in Azure Active Directory (Azure AD) is the process of creating, configuring, managing, and monitoring applications in the cloud. When an application is registered in an Azure AD tenant, it's called an enterprise application." It further explains that this is the method for integrating SaaS applications.
2. Microsoft Learn | Azure Active Directory Documentation: "Quickstart: Add an enterprise application". This guide details the steps for adding a SaaS application to Azure AD for SSO. Under the "Prerequisites" section, it clearly states the purpose: "To configure single sign-on for an application in your Azure AD tenant."
3. Microsoft Learn | Azure Active Directory Documentation: "Remote access to on-premises apps through Azure AD Application Proxy". This document defines the purpose of Application Proxy: "Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications." This confirms it is not for SaaS app integration.
4. Microsoft Learn | Azure Active Directory B2C Documentation: "What is Azure Active Directory B2C?". The overview states, "Azure Active Directory B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day." This distinguishes its purpose from managing employee access.
Question 5
HOTSPOT
You have an Azure SQL database named DB1 that contains customer information. A team of database administrators has full access to DB1. To address customer inquiries, operators in the customer service department use a custom web app named App1 to view the customer information.
You need to design a security strategy for DB1. The solution must meet the following requirements:
• When the database administrators access DB1 by using SQL management tools, they must be prevented from viewing the content of the Credit Card attribute of each customer record.
• When the operators view customer records in App1, they must view only the last four digits of the Credit Card attribute.
What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer

- For the database administrators: The goal is to prevent even high-privilege users like DBAs from viewing sensitive data in plaintext. Always Encrypted achieves this by encrypting data within the client application before it's sent to the database. The encryption keys are managed by the client and are never exposed to the database engine or its administrators. This creates a clear separation between data owners and data managers, fulfilling the requirement.
- For the operators: The requirement is to show only a portion of the sensitive data (the last four digits). Dynamic Data Masking (DDM) is designed for this exact purpose. It obfuscates data in query results for users who lack the UNMASK permission, without changing the data stored in the database. A partial masking function such as partial(0,"xxxx-xxxx-xxxx-",4) applied to the Credit Card column returns the value as xxxx-xxxx-xxxx-1234 to the database user that App1 connects with.
Transparent Data Encryption (TDE) is incorrect because it encrypts the database files at rest and decrypts them transparently for every authorized session, so DBAs would still read the data. Row-Level Security (RLS) is incorrect because it filters which rows a user can see rather than masking the data within a column. One caveat for a real implementation: a masking rule cannot be defined on a column that is encrypted with Always Encrypted (the Database Engine only ever holds ciphertext, so it cannot compute the mask), so in practice App1 decrypts the value client-side and truncates it itself, or the last four digits are kept in a separate column that DDM masks.
Microsoft. (2023). Always Encrypted - Azure SQL Database & SQL Managed Instance. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine
Reference Point: In the "Benefits" section, it states, "Always Encrypted enables clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine... This provides a separation between those who own the data... and those who manage the data... but should have no access." This directly supports its use for protecting data from DBAs.
Microsoft. (2023). Dynamic Data Masking. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking
Reference Point: The documentation states, "Dynamic data masking (DDM) limits sensitive data exposure by masking it to non-privileged users... For example, a user in a call center may be able to identify a caller by several digits of their social security number or credit card number, but those data items shouldn't be fully exposed to the call center employee." This aligns perfectly with the requirement for operators.
Microsoft. (2024). Row-Level Security. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/row-level-security
Reference Point: The introductory paragraph clarifies that RLS enables "control over access to rows in a database table... RLS simplifies the design and coding of security in your application. RLS helps you implement restrictions on data row access." This confirms it is for row filtering, not column masking.
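The operator requirement as T-SQL, run against DB1 with Invoke-Sqlcmd from the SqlServer module. This is an added example, not code from the original page: the server, table and user names are assumptions, and the Always Encrypted side of the design (the DBA requirement) is deliberately not shown here, since it is configured from a client that holds the column master key (SSMS or the SqlServer encryption cmdlets) and cannot be combined with a masking rule on the same column.

```powershell
# Added example (not from the original page): Dynamic Data Masking for App1's
# view of the Credit Card column. Server/table/user names are assumptions.
$server = 'sql-contoso-demo.database.windows.net'
# Depending on the Az version, .Token is a String or a SecureString; convert
# with ConvertFrom-SecureString -AsPlainText if Invoke-Sqlcmd rejects it.
$token  = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token

$tsql = @'
-- Operators must see only the last four digits: mask everything before them.
ALTER TABLE dbo.Customer
    ALTER COLUMN CreditCard ADD MASKED WITH (FUNCTION = 'partial(0,"xxxx-xxxx-xxxx-",4)');

-- Least-privilege principal for App1: SELECT only, and deliberately no UNMASK.
-- (For the real app use its managed identity: CREATE USER [App1] FROM EXTERNAL PROVIDER;)
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'App1Operator')
    CREATE USER App1Operator WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO App1Operator;

-- Check what App1 will see: the mask is applied in the result set, the stored
-- value is untouched. Expected shape: xxxx-xxxx-xxxx-1234
EXECUTE AS USER = 'App1Operator';
SELECT TOP (3) CustomerId, CreditCard FROM dbo.Customer;
REVERT;

-- Audit: which columns are masked, and which principals can bypass the mask.
SELECT c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
WHERE c.is_masked = 1;

SELECT pr.name AS grantee, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name = 'UNMASK';
'@

Invoke-Sqlcmd -ServerInstance $server -Database 'DB1' -AccessToken $token -Query $tsql
```

The second audit query is the one to run regularly: db_owner members and the server admin see through the mask regardless of it, which is exactly why the DBA requirement needs Always Encrypted rather than a stricter mask.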
Question 6
Answer
B. Azure AD Application Proxy: This service is used to provide secure remote access to on-premises web applications, not for controlling access to cloud services like SharePoint Online.
C. Azure Data Catalog: This is a data governance service for data source discovery and metadata management. It is not involved in real-time access control or session policies.
E. Microsoft Purview Information Protection: This service classifies and protects documents and emails by applying labels and encryption. While it can protect data after download, it does not natively block the download action based on device state.
1. Microsoft Learn, "Protect with Microsoft Defender for Cloud Apps Conditional Access App Control": This document states, "Conditional Access App Control enables you to monitor and control user app access and sessions in real time... For example, if a user is on an unmanaged device... you can block them from downloading sensitive files." It further explains the integration: "Conditional Access App Control... is uniquely integrated with Azure AD Conditional Access." (See the "How it works" section).
2. Microsoft Learn, "Deploy Conditional Access App Control for featured apps": This guide details the prerequisite steps, which include configuring an identity provider (Azure AD) and then creating the necessary policies. It explicitly shows how a Conditional Access policy is the entry point that routes traffic to Defender for Cloud Apps for session control. (See the "Prerequisites" and "To deploy Conditional Access App Control for SharePoint" sections).
3. Microsoft Learn, "Create session policies in Microsoft Defender for Cloud Apps": This document describes how to create the policy that performs the action. Under the "To create a new session policy" section, it lists "Block download" as a "Session control type" and provides a template named "Block download based on real-time content inspection." This policy is applied after the session is routed from Azure AD Conditional Access.
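The Conditional Access half of the design, created with Microsoft Graph PowerShell, as an added example that is not from the original page. The policy targets browser sessions to SharePoint Online from devices that are neither compliant nor hybrid-joined and hands those sessions to Defender for Cloud Apps with the built-in "block downloads" control; the finer-grained session policy (for example, block only files with a sensitivity label) is then authored in the Defender for Cloud Apps portal, for which there is no public cmdlet. The group and break-glass object IDs are placeholders; the SharePoint Online application ID is Microsoft's first-party one.

```powershell
# Added example (not from the original page): route unmanaged-device SharePoint
# sessions through Defender for Cloud Apps with the block-downloads control.
# Group/user object IDs are placeholders; start in report-only before enforcing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'SPO: block downloads on unmanaged devices (MDA session control)'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @('<object-id-of-sg-all-employees>')
            excludeUsers  = @('<object-id-of-break-glass-account>')
        }
        applications = @{
            # Office 365 SharePoint Online (first-party application ID)
            includeApplications = @('00000003-0000-0ff1-ce00-000000000000')
        }
        clientAppTypes = @('browser')        # session controls apply to browser traffic
        devices = @{
            deviceFilter = @{
                mode = 'include'
                # "unmanaged": not Intune-compliant and not hybrid Azure AD joined
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'   # or 'mcasConfigured' to use your own session policy
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only long enough to see in the sign-in logs which devices the filter catches; a device filter that accidentally matches managed devices blocks every download in the tenant, and the break-glass exclusion is what keeps an admin able to fix it.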
Question 7
Answer
A. regulatory compliance standards in Microsoft Defender for Cloud: Defender for Cloud assesses and reports on compliance against standards; it does not directly enforce resource creation rules like location restrictions.
B. custom Azure roles: Azure roles (RBAC) control user permissions and actions (the 'what'), not the configuration or properties (like location) of the resources being created.
D. Azure management groups: Management groups are a scoping mechanism used to apply policies and access controls across multiple subscriptions, but they do not enforce rules themselves. The policy is the enforcement tool.
1. Microsoft Learn, "What is Azure Policy?": This document states, "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources... Common use cases for Azure Policy include... requiring resources to be deployed to specific Azure regions."
Source: Microsoft Documentation, "Overview of Azure Policy".
2. Microsoft Learn, "Tutorial: Create and manage policies to enforce compliance": This tutorial uses the "Allowed locations" policy as a primary example of enforcing organizational standards. It demonstrates assigning the policy with a Deny effect to block resource creation outside of the specified locations.
Source: Microsoft Documentation, "Tutorial: Create and manage policies to enforce compliance", Section: "Assign a policy".
3. Microsoft Learn, "Azure Policy and role-based access control": This document clarifies the distinction: "Role-based access control focuses on user actions at different scopes... Azure Policy focuses on resource properties during deployment and for already existing resources." This confirms that RBAC is incorrect for controlling resource properties like location.
Source: Microsoft Documentation, "Compare Azure Policy and role-based access control".
4. Microsoft Learn, "Organize your resources with Azure management groups": This document explains that management groups provide a scope above subscriptions for applying governance controls. It states, "You can apply policies to a management group that limits the regions where virtual machines (VMs) can be created." This highlights that the management group is a target for the policy, but the policy itself is the enforcement mechanism.
Source: Microsoft Documentation, "What are Azure management groups?".
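The enforcement itself, as an added example that is not from the original page: assign the built-in "Allowed locations" policy (whose effect is fixed to Deny) at a management group so every subscription beneath it inherits the restriction, then prove that a deployment to a blocked region is refused. The management group name, region list and test resource names are assumptions; the definition ID is the built-in one.

```powershell
# Added example (not from the original page): deny resource creation outside an
# approved set of regions, assigned at management-group scope. Names are assumptions.
$mg    = Get-AzManagementGroup -GroupName 'mg-contoso-prod'
$scope = $mg.Id   # /providers/Microsoft.Management/managementGroups/mg-contoso-prod

# Built-in definition "Allowed locations" (effect: Deny).
$allowedLocations = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'

New-AzPolicyAssignment -Name 'deny-non-eu-regions' `
    -DisplayName 'Deny resources outside EU regions' `
    -Scope $scope `
    -PolicyDefinition $allowedLocations `
    -PolicyParameterObject @{ listOfAllowedLocations = @('westeurope', 'northeurope') }

# Verify the assignment is in place at the management group ...
Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $_.Name -eq 'deny-non-eu-regions' } |
    Select-Object Name, Scope

# ... and that a deployment to a blocked region is refused before anything is
# created. Expected: an error whose code is RequestDisallowedByPolicy.
try {
    New-AzStorageAccount -ResourceGroupName 'rg-policy-test' -Name 'stpolicytest001' `
        -Location 'eastus' -SkuName 'Standard_LRS' -ErrorAction Stop
} catch {
    $_.Exception.Message
}
```

This built-in covers resources only; resource groups have their own built-in ("Allowed locations for resource groups") and global resources (for example, DNS zones) are exempted by the definition, so assign both and review the exemption list rather than assuming one assignment covers everything. Management groups are the right scope here precisely because a new subscription dropped under the group is governed from the moment it exists.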
Question 8
Answer
A. Azure AD Application Proxy is used to publish on-premises web applications for secure remote access, which is not the scenario described.
B. Connected apps in Microsoft Defender for Cloud Apps are for discovering, monitoring, and governing cloud app usage, not for managing the access request and review lifecycle.
D. Access policies in Microsoft Defender for Cloud Apps control user sessions in real-time (e.g., block downloads), but do not manage the initial access request or periodic recertification process.
1. Microsoft Entra Identity Governance: "Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources... Key features include Entitlement management [and] Access reviews."
Source: Microsoft Learn, "What is Microsoft Entra ID Governance?", Section: "What can you do with Microsoft Entra ID Governance?".
2. Entitlement Management (Self-Service & Custom Questions): "Microsoft Entra entitlement management can help you manage access to groups, applications, and SharePoint sites for internal users and also for users outside your organization... You can also configure questions that requestors must answer."
Source: Microsoft Learn, "What is Microsoft Entra entitlement management?", Section: "What can I do with entitlement management?".
3. Access Reviews (Manager Verification): "Microsoft Entra access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access... You can ask reviewers (such as business owners or the users themselves) to attest to (or certify) users' need for access."
Source: Microsoft Learn, "What are Microsoft Entra access reviews?", Section: "Why are access reviews important?".
4. Azure AD Application Proxy: "Microsoft Entra application proxy provides secure remote access to on-premises web applications. After a single sign-on to Microsoft Entra ID, users can access both cloud and on-premises applications through an external URL or an internal application portal."
Source: Microsoft Learn, "Remote access to on-premises applications through Microsoft Entra application proxy", Introduction paragraph.
Question 9
DRAG DROP You have a hybrid Azure AD tenant that has pass-through authentication enabled. You are designing an identity security strategy. You need to minimize the impact of brute force password attacks and leaked credentials of hybrid identities. What should you include in the design? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer
For brute force password attacks: Azure AD smart lockout
- Azure AD smart lockout protects against password spray and brute-force attacks by locking out sign-in attempts from unfamiliar locations after a configurable threshold while letting the legitimate user, signing in from a familiar location, continue. In a pass-through authentication tenant the password is verified against on-premises AD DS, so the cloud lockout threshold must be set lower than the AD DS account lockout threshold (and the cloud lockout duration longer than the AD DS reset window); that way an attacker hitting the internet-facing sign-in page is stopped in Azure AD before the on-premises account is locked out. Extranet Smart Lockout (ESL) is the equivalent feature for AD FS federated sign-in and does not apply to pass-through authentication.
For leaked credentials: Azure AD Password Protection
- Azure AD Password Protection rejects password changes and resets that use passwords on Microsoft's global banned list (commonly used weak or compromised passwords and their simple variants) or on a custom banned list, which reduces the chance that a credential already circulating in breach dumps is valid against your users. Deploying the on-premises agents extends the same policy to AD DS password changes, which is where the password is actually set in a pass-through authentication deployment. Password Protection governs password choice only; detecting a credential that leaks after it was set is the job of the leaked credentials detection in Azure AD Identity Protection, and that detection requires password hash synchronization to be enabled alongside pass-through authentication.
Azure AD Smart Lockout (for Brute Force Mitigation):
Source: Microsoft Learn, "Prevent attacks using smart lockout."
Detail: "Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in... Smart lockout can be integrated with hybrid deployments that use... pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers." (Conceptual documentation on the feature's role).
Azure AD Password Protection (for Leaked Credential Mitigation):
Source: Microsoft Learn, "Enforce Azure AD Password Protection."
Detail: "Azure AD Password Protection detects and prevents the use of passwords that are known to be compromised, helping to minimize the impact of leaked or weak credentials." (Conceptual documentation section on purpose).
Hybrid Identity Security Principles:
Source: Microsoft Learn, "Steps to secure identities."
Detail: Lists the primary defenses against password attacks, classifying Smart Lockout as the tool for mitigating high-volume sign-in attacks and Password Protection (banned passwords) as the tool for mitigating dictionary and known compromised credentials.
Question 10
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online. You need to recommend a solution to prevent malicious actors from impersonating the email addresses of internal senders. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer
Microsoft Defender for Office 365 is the dedicated security service for protecting collaboration tools, including Exchange Online, from advanced threats. To prevent malicious actors from impersonating internal senders, you must configure an Anti-phishing policy. This specific policy type includes settings to combat impersonation attacks by allowing administrators to specify internal users (e.g., executives) and domains to protect. When an incoming email appears to be from one of these protected users or domains but originates from an external source, the policy applies protective actions, such as quarantining the message or tagging it as suspicious.
Microsoft Learn. (2024). Anti-phishing policies in Microsoft 365. Microsoft Docs. In the section "Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365," it states, "Impersonation is where the sender of an email message looks like a legitimate or expected sender...Impersonation settings are available in anti-phishing policies in Microsoft Defender for Office 365."
Microsoft Learn. (2024). Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. Microsoft Docs. This document details the specific configurations for user and domain impersonation protection within Defender for Office 365 anti-phishing policies. It explicitly states, "In anti-phishing policies in Microsoft Defender for Office 365, you can configure impersonation protection to protect specified recipients from phishing attacks."
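The recommended policy as Exchange Online PowerShell, as an added example that is not from the original page. It creates a Defender for Office 365 anti-phishing policy with user and domain impersonation protection, then scopes it with a rule, since a policy without a rule protects nobody. The executive names, domains and policy names are assumptions.

```powershell
# Added example (not from the original page): anti-phishing policy with
# impersonation protection for named senders and the organisation's own domains.
# Names and domains are assumptions. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

New-AntiPhishPolicy -Name 'Impersonation-Protection' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Alice Smith;alice.smith@contoso.com',
                              'Bob Jones;bob.jones@contoso.com') `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @('contoso-partner.com') `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine

# The policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name 'Impersonation-Protection-AllUsers' `
    -AntiPhishPolicy 'Impersonation-Protection' `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Verify the impersonation settings took effect.
Get-AntiPhishPolicy -Identity 'Impersonation-Protection' |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableOrganizationDomainsProtection, TargetedUserProtectionAction
```

Impersonation protection catches look-alike senders (a display name or a domain one character off). An exact spoof of an internal address is a different attack and is handled by the spoof intelligence and authentication-failure settings in the same policy, which only work well if SPF, DKIM and a DMARC record are published for every domain the tenant sends from.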
Question 11
Answer
A. Microsoft Defender for Endpoint: This is the broader platform. The feature that actually stops an untrusted process from writing to a user's files is controlled folder access (shown in the options as "protected folders"), which is the precise control the question asks for and therefore the better answer.
B. Windows Defender Device Guard: Now part of Windows Defender Application Control (WDAC), this focuses on application whitelisting to ensure only trusted applications can run, rather than specifically protecting files from encryption.
D. Azure Files: This is a cloud file share service. While moving files to the cloud can protect them, this option does not provide a solution for protecting local user files as requested.
E. BitLocker Drive Encryption (BitLocker): BitLocker protects data at rest from offline attacks, such as device theft. It does not protect files from being modified or encrypted by malicious software running on an active, authenticated operating system.
1. Microsoft Learn. "Protect important folders with controlled folder access." Microsoft Defender for Endpoint documentation. "Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. It works by checking apps against a list of known, trusted apps."
2. Microsoft Learn. "Rapidly protect against ransomware and extortion." Microsoft Security Best Practices. Under the "Protect" section, it recommends to "Enable controlled folder access to prevent ransomware from encrypting files and holding them for ransom."
3. Microsoft Learn. "BitLocker overview." Windows Security documentation. "BitLocker is a Windows data protection feature that encrypts drives on your computer to help protect against data theft or exposure from lost, stolen, or inappropriately decommissioned devices." This confirms its purpose is for data-at-rest protection from offline threats, not active ransomware processes.
4. Microsoft Learn. "Understand and use attack surface reduction capabilities." Microsoft Defender for Endpoint documentation. Controlled folder access is listed as one of the attack surface reduction capabilities alongside attack surface reduction rules, network protection and web protection. It is not itself an ASR rule (and is unrelated to the rule "Block untrusted and unsigned processes that run from USB"); it is a separate Microsoft Defender Antivirus setting that can be run in audit mode before it is enforced. This places it as a specific, recommended control within the broader Microsoft security framework.
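Rolling the control out on an endpoint, as an added example that is not from the original page: audit first, read the audit events, extend the protected-folder and allowed-app lists, then enforce. The folder path and application path are assumptions; the cmdlets are the Defender Antivirus ones that Intune and Group Policy configure under the hood, and they must be run elevated.

```powershell
# Added example (not from the original page): controlled folder access rollout on
# a Windows endpoint running Microsoft Defender Antivirus. Paths are assumptions.
# Run from an elevated PowerShell session.

# 1. Audit mode: log what would be blocked without breaking line-of-business apps.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add folders beyond the defaults (Documents, Pictures, Desktop, ...) and allow a
#    known-good application that legitimately writes to them.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shared'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Ledger\ledger.exe'

# 3. Review the audit trail in the Defender operational log.
#    1124 = would have been blocked (audit), 1123 = blocked (enforced),
#    1127 = blocked disk sector write (ransomware tampering with the boot area).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Enforce once the allow-list covers every legitimate writer seen in step 3.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the effective state.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

The allow-list is the weak point of this control: every entry is a process that ransomware could inject into or masquerade as, so keep it short and prefer signed, full-path entries over folder-wide ones.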
Question 12
Answer
A. Configure connectors and rules in Microsoft Defender for Cloud Apps.
This is a Cloud Access Security Broker (CASB) solution used for monitoring and controlling access to cloud apps; it does not provide the primary access path to on-premises apps.
B. Configure web protection in Microsoft Defender for Endpoint.
This protects the client endpoint from web-based threats. It does not secure the access path to the on-premises applications or reduce the network's attack surface.
D. Configure the VPN to use Azure AD authentication.
While this enhances VPN security with MFA, it still grants broad network-level access, which contradicts the Zero Trust principle of least privilege access, unlike the per-application access provided by Application Proxy.
---
1. Microsoft Learn, "Remote access to on-premises applications through Azure AD Application Proxy." This document states, "Azure AD Application Proxy provides secure remote access to on-premises web applications... You don't need to change the network infrastructure or require a VPN to provide this access for your end users." It also highlights the security benefits, including preauthentication and Conditional Access.
2. Microsoft Learn, "Plan an Azure Active Directory Application Proxy deployment." Under the "Security benefits" section, it details how Application Proxy reduces the attack surface: "With Application Proxy, you don't have to open inbound connections to your corporate network... The Application Proxy connector only uses outbound connections to the Azure AD Application Proxy service."
3. Microsoft Cybersecurity Reference Architectures (MCRA), "Zero Trust user access" (Diagram and documentation). The MCRA documentation explicitly positions Azure AD Application Proxy as a key technology for providing Zero Trust access to on-premises and IaaS applications. It is shown as the preferred alternative to VPNs for application-specific access, fitting into the "Enforce Policy" and "Least Privilege Access" pillars of Zero Trust.
4. Microsoft Learn, "Zero Trust security for remote and hybrid work." In the section "Modernize access and security controls," the guidance is to "For private apps, remove dependency on virtual private network (VPN) connections by using capabilities like Azure AD Application Proxy... to connect users to corporate apps, on-premises and in any cloud." This directly supports replacing the VPN with Application Proxy as a core Zero Trust strategy.
Question 13
Answer
A. Implement data protection: This is a critical component of a security strategy, but it is part of the broader recovery plan (e.g., backups) and protection phases, not the designated first step.
B. Develop a privileged access strategy: This is a key preventative measure to limit lateral movement, but Microsoft's guidance places the preparation of a recovery plan as the initial priority.
D. Develop a privileged identity strategy: Similar to privileged access, this is a vital preventative control but is not considered the foundational first step in ransomware readiness planning.
1. Microsoft. (n.d.). Human-operated ransomware mitigation best practices. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-human-operated-ransomware.
Reference Details: In the section "Phase 1: Prepare your recovery plan," the document explicitly states, "The most important first step to protecting your organization from extortion-based attacks like ransomware is to prepare your recovery plan."
2. Microsoft. (n.d.). Rapidly protect against ransomware and extortion. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/security/ransomware/protect-against-ransomware-extortion.
Reference Details: The article outlines a sequential guide where "Step 1: Prepare a recovery plan" is listed as the first action. It emphasizes that secure backups are the single most important defense against the impact of an attack.
3. Microsoft. (n.d.). Ransomware approach and best practices in Microsoft 365. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/solutions/ransomware-approach-best-practices.
Reference Details: This guide presents a three-step approach, with the first step being "1. Prepare." This preparation phase focuses on developing and testing an incident response plan, which centrally includes recovery procedures.
Question 14
HOTSPOT
You are designing the security architecture for a cloud-only environment. You are reviewing the integration point between Microsoft 365 Defender and other Microsoft cloud services based on Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend which Microsoft cloud services integrate directly with Microsoft 365 Defender and meet the following requirements:
• Enforce data loss prevention (DLP) policies that can be managed directly from the Microsoft 365 Defender portal.
• Detect and respond to security threats based on User and Entity Behavior Analytics (UEBA) with unified alerting.
What should you include in the recommendation for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer
DLP: MICROSOFT PURVIEW
UEBA: MICROSOFT DEFENDER FOR IDENTITY
The correct service for enforcing Data Loss Prevention (DLP) policies within the Microsoft 365 Defender portal is Microsoft Purview. Microsoft Purview is the unified compliance and data governance solution that includes DLP. Alerts and policy management for Purview DLP are directly integrated into the Microsoft 365 Defender portal, providing a single pane of glass for security operations.
The correct service for User and Entity Behavior Analytics (UEBA) is Microsoft Defender for Identity. It is a cloud-based security solution that uses signals from both on-premises Active Directory and cloud identities to detect advanced threats and compromised identities. Its UEBA capabilities are a core component of the Microsoft 365 Defender extended detection and response (XDR) platform, providing unified alerts and investigation experiences. While Azure AD Identity Protection also uses behavior analytics, Defender for Identity is the primary UEBA solution for hybrid identity threat detection integrated within Microsoft 365 Defender.
Microsoft Learn, "Learn about data loss prevention in Microsoft Purview." This document explicitly states, "Alerts for Microsoft Purview Data Loss Prevention are integrated into Microsoft 365 Defender. You can manage DLP alerts from the Microsoft 365 Defender portal." This confirms the direct integration for DLP management as required by the question.
Microsoft Learn, "What is Microsoft Defender for Identity?" This official documentation describes the service as a solution that "leverages your on-premises Active Directory signals" and notes that "Microsoft Defender for Identity's capabilities are available in the Microsoft 365 Defender portal." It further explains that the service uses learning-based analytics to build a behavioral profile for users and entities, which is the definition of UEBA.
Microsoft Learn, "Microsoft Cybersecurity Reference Architectures (MCRA)." The "Security Operations (SecOps)" diagram within the MCRA documentation clearly illustrates that signals from "Microsoft Defender for Identity" and "Microsoft Purview (Compliance / DLP)" are fed directly into the "Microsoft 365 Defender (XDR)" platform for unified analysis and response.
Question 15
HOTSPOT You plan to deploy a dynamically scaling, Linux-based Azure Virtual Machine Scale Set that will host jump servers. The jump servers will be used by support staff who connect from personal and kiosk devices via the internet. The subnet of the jump servers will be associated to a network security group (NSG). You need to design an access solution for the Azure Virtual Machine Scale Set. The solution must meet the following requirements: • Ensure that each time the support staff connects to a jump server, they must request access to the server. • Ensure that only authorized support staff can initiate SSH connections to the jump servers. • Maximize protection against brute-force attacks from internal networks and the internet. • Ensure that users can only connect to the jump servers from the internet. • Minimize administrative effort. What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-100/page_110_img_2.jpg
Just-in-time (JIT) VM access, a feature of Microsoft Defender for Cloud, is the optimal solution. It meets the requirements by locking down inbound traffic to the jump servers at the network security group (NSG) level by default. To connect, authorized support staff must explicitly request access.
When a request is approved, JIT dynamically creates a time-limited rule in the NSG, allowing SSH access only from the user's specific source public IP address. This on-demand process minimizes the exposure of management ports, maximizing protection against brute-force attacks from the internet. This automated workflow also minimizes administrative effort compared to manually managing NSG rules.
Microsoft Corporation. (n.d.). Understanding just-in-time (JIT) VM access. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
Supporting Quote: "When a user requests access to a VM, Defender for Cloud checks that the user has Azure role-based access control (Azure RBAC) permissions... If the request is approved, Defender for Cloud configures the network security groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports from the requested IP address (or range), for the specified amount of time."
Microsoft Corporation. (n.d.). Secure your management ports with just-in-time access. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
Supporting Quote: "When JIT is enabled, Defender for Cloud locks down inbound traffic to your Azure VMs by creating a rule in your network security group. You select the ports on the VM that inbound traffic will be locked down. These ports are controlled by the JIT solution."
Question 16
HOTSPOT You have a multi-cloud environment that contains an Azure subscription and an Amazon Web Services (AWS) account. You need to implement security services in Azure to manage the resources in both subscriptions. The solution must meet the following requirements: • Automatically identify threats found in AWS CloudTrail events. • Enforce security settings on AWS virtual machines by using Azure policies. What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
- AUTOMATICALLY IDENTIFY THREATS: MICROSOFT DEFENDER FOR CLOUD
- ENFORCE SECURITY SETTINGS: AZURE ARC
Microsoft Defender for Cloud is the correct choice to automatically identify threats. It functions as a multi-cloud Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP). By connecting an AWS account to Defender for Cloud, it can ingest and analyze logs, including AWS CloudTrail events, to provide native threat detection and security alerts for your AWS resources.
Azure Arc is the correct choice to enforce security settings on non-Azure machines. Azure Arc extends the Azure control plane to hybrid and multi-cloud environments. By onboarding AWS virtual machines as Azure Arc-enabled servers, you can manage them using native Azure services. This specifically allows you to apply Azure Policy guest configurations to audit and enforce settings directly on the AWS machines, just as you would with Azure VMs.
Microsoft Learn, Microsoft Defender for Cloud documentation: States that Defender for Cloud's threat detection capabilities can be extended to multi-cloud environments. "Connect your AWS accounts to Microsoft Defender for Cloud to view and protect AWS resources... The cloud security graph, attack path analysis, and cloud workload protection features require agent-based or agentless enablement... To get full visibility into security recommendations and threats, connect your AWS accounts." This includes processing data sources like AWS CloudTrail.
Microsoft Learn, Azure Arc documentation: Explains how Azure Arc enables Azure management on external resources. "Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside of Azure... When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure... you can manage it using standard Azure constructs... such as Azure Policy." (See section: What are Azure Arc-enabled servers?).
Microsoft Learn, Azure Policy documentation: Details how Azure Arc integrates with Azure Policy. "Azure Policy's guest configuration feature can audit settings inside a machine... The configuration is managed by the Azure Arc agent." (See section: Understand Azure Policy's guest configuration feature).
Question 17
HOTSPOT You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure. During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-100/page_112_img_2.jpg
Threat modeling is a security activity performed early in the SDLC to identify and mitigate design-level threats, making the Plan and develop stage the most precise fit. Dynamic application security testing (DAST) involves testing the application while it is running (usually in a test/staging environment), which logically occurs after the build is complete but before deployment, placing it in the Build and test phase. Actionable intelligence refers to the continuous collection and use of real-time security data from the production environment (telemetry, logs) to inform and enhance defenses, which is the definition of a security task in the Operate or monitoring phase of the pipeline.
Microsoft. Cloud Adoption Framework for Azure: Secure DevOps (Section: Security activities in the CI/CD pipeline). Retrieved October 2025. (Specifically details Threat Modeling during the 'Plan' phase and DAST during the 'Test' phase).
Microsoft. Azure Security Center documentation: Actionable security recommendations. Retrieved October 2025. (Relates "actionable intelligence" to continuous monitoring and operational security in the post-deployment phase).
OWASP. Software Assurance Maturity Model (SAMM): Design Phase - Threat Modeling. V2.0, Section 3.1. (Threat modeling is defined as a design activity, supporting 'Plan and develop').
Howard, M., & Lipner, S. The Security Development Lifecycle. Microsoft Press, 2006. (Conceptual basis for integrating security into development, where design analysis (Threat Modeling) precedes implementation, and testing (DAST) precedes release).
IEEE Xplore. R. V. K. T. Rajan and M. D. R. Reddy, "Integrating security testing in DevOps with CI/CD pipeline," 2021 International Conference on Advances in Computing and Communications (ICACC), Kochi, India, 2021, pp. 1-6. DOI: 10.1109/ICACC54084.2021.9670067. (Discusses DAST execution after the build stage within the CI/CD test phase, supporting 'Build and test').
Question 18
Show Answer
B. active scanning: This method is intrusive and can cause legacy or sensitive OT/IoT devices to malfunction or crash, directly contradicting the requirement to minimize the risk of disrupting business operations.
D. software patching: While essential for security hygiene, patching in OT environments is often a high-risk, complex process that requires significant downtime and vendor validation. It is not a primary methodology for minimizing disruption; rather, it's a carefully planned activity, often deferred in favor of compensating controls like monitoring and segmentation.
1. Microsoft Cybersecurity Reference Architectures (MCRA): In the "Operational Technology (OT) security" section (slide 43 in the November 2022 update), the architecture diagram explicitly centers on "Passive (agentless) monitoring" as the primary mechanism for "Asset discovery," "Vulnerability management," and "Threat monitoring." It lists "Active scanning" as optional and potentially disruptive.
2. Microsoft Learn, "Microsoft Defender for IoT architecture": This document states, "The Defender for IoT network sensor connects to a SPAN port or network TAP and immediately begins collecting OT/IoT network traffic using passive (agentless) monitoring. The sensor has no physical or logical impact on the network..." This confirms passive monitoring is the core, non-disruptive technology.
3. Microsoft Learn, "Zero Trust for IoT security": This guidance outlines a strategy that includes "Configure security monitoring and threat detection." It emphasizes, "Continuous monitoring of devices is a critical component of a Zero Trust architecture... Use an agentless network monitoring solution to gain visibility into these previously unmonitored networks without impacting OT performance." This directly supports both passive and threat monitoring.
4. Microsoft Learn, "Device discovery with Microsoft Defender for IoT": This document details the discovery methods, stating, "Defender for IoT uses passive methods to discover devices in your network... Passive discovery methods support full visibility for your assets with zero impact on your network." This reinforces the non-disruptive nature of passive monitoring as a best practice.
Question 19
DRAG DROP You are designing a security operations strategy based on the Zero Trust framework. You need to increase the operational efficiency of the Microsoft Security Operations Center (SOC). Based on the Zero Trust framework, which three deployment objectives should you prioritize in sequence? To answer, move the appropriate objectives from the list of objectives to the answer area and arrange them in the correct order.
Show Answer
https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-100/page_113_img_2.jpg
The sequential prioritization for increasing SOC operational efficiency within a Zero Trust framework begins with Establish visibility. This foundational step ensures the SOC has the necessary data to apply 'Assume Breach' and 'Verify Explicitly' principles. Next, Enable additional protection and detection controls uses that visibility to implement the security measures required to identify and stop threats. Finally, Enable automation maximizes efficiency by automating repetitive tasks, triage, and response actions, allowing the SOC to scale its operations effectively and quickly respond to verified threats, which is critical for a modern Zero Trust strategy.
NIST Special Publication 800-207: Zero Trust Architecture, Section 3.2.1, Core Components and Zero Trust Principles. (Emphasizes visibility and monitoring as a fundamental requirement for the policy engine to function, a prerequisite for effective controls and automation.)
Microsoft Zero Trust Deployment Guide, Pillars and Capabilities. (Details the progression: Identity, Endpoints, Data, Apps, Infrastructure, Network, and the required controls. Visibility and comprehensive protection/detection are recurring themes.)
MITRE ATT&CK Framework, Tactics and Techniques: Detection and Response. (Highlights that effective SOC response and automation require high-fidelity detection and protection controls as inputs. Automation is the key to efficient scaling of security operations.)
SANS Institute, Security Operations Center (SOC) Best Practices. (Consistently identifies automation as the most significant contributor to increasing SOC efficiency and reducing analyst burnout, but requires prior visibility and detection capabilities.)
IEEE Security & Privacy Magazine, "Zero Trust Security: A Survey of Architectures and Practices," 2023. (Discusses the need for ubiquitous monitoring (visibility) before enforcing granular policies (controls) and the role of Security Orchestration, Automation, and Response (SOAR) in operationalizing Zero Trust.)
Question 20
Show Answer
A. a compute policy in Azure Policy: Azure Policy is used to enforce organizational standards and assess compliance for resource configurations, not to control application execution at runtime.
B. admin consent settings for enterprise applications in Azure AD: This feature manages user and administrator consent for applications that request permissions to access organizational data via OAuth 2.0, not for controlling executables on a VM.
D. app governance in Microsoft Defender for Cloud Apps: App governance focuses on monitoring and governing OAuth-enabled applications that access Microsoft 365 data, not on controlling processes running on a server's operating system.
---
1. Microsoft Defender for Cloud documentation, "Adaptive application controls." This document explicitly states, "Adaptive application controls is an intelligent and automated solution for defining allowlists of known-safe applications for your machines... When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe." This directly supports the chosen answer.
Source: Microsoft Learn, "Use adaptive application controls to reduce your machines' attack surfaces".
2. Microsoft Defender for Cloud documentation, "Planning your Defender for Servers deployment." This resource outlines the capabilities of Defender for Servers, including adaptive application controls, positioning it as the tool for server workload protection, which includes controlling applications.
Source: Microsoft Learn, "Plan your Microsoft Defender for Servers deployment".
3. Azure Policy documentation, "Overview of Azure Policy." This source clarifies the role of Azure Policy: "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources..." This confirms it governs resource properties, not runtime behavior like application execution.
Source: Microsoft Learn, "What is Azure Policy?".
4. Azure Active Directory documentation, "Configure the admin consent workflow." This document explains, "The admin consent workflow gives admins a secure way to grant access to applications that require admin approval." This clearly defines its scope as managing permissions for Azure AD-integrated apps.
Source: Microsoft Learn, "Configure the admin consent workflow".
Question 21
HOTSPOT You have an Active Directory Domain Services (AD DS) domain that contains a virtual desktop infrastructure (VDI). The VDI uses non-persistent images and cloned virtual machine templates. VDI devices are members of the domain. You have an Azure subscription that contains an Azure Virtual Desktop environment. The environment contains host pools that use a custom golden image. All the Azure Virtual Desktop deployments are members of a single Azure Active Directory Domain Services (Azure AD DS) domain. You need to recommend a solution to deploy Microsoft Defender for Endpoint to the hosts. The solution must meet the following requirements: • Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence. • Ensure that the Microsoft Defender 365 portal contains a single entry for each deployed VDI host. • Minimize administrative effort. What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
For non-persistent VDI and Azure Virtual Desktop (AVD), the recommended method to meet the requirements is to add the onboarding script directly to the master image (template or golden image). This technique ensures that the Defender for Endpoint sensor is deployed and configured before the host is provisioned, guaranteeing onboarding during the first startup sequence without requiring post-deployment steps. When done correctly, the script applies a special configuration (often a registry setting like SenseNdrIsNonPersistent) which prevents the machine from generating a new unique ID every time it reboots or is reprovisioned. This is critical for ensuring the Microsoft Defender 365 portal contains a single entry for each deployed VDI host, thus avoiding duplicate records and satisfying all the core requirements while minimizing administrative effort.
Official Vendor Documentation (Microsoft): "Onboarding non-persistent VDI devices and Azure Virtual Desktop (AVD)" guide.
Specifics: Details the necessity of using a VDI-specific onboarding package and applying it to the master image/template. It outlines the steps to run the script and then seal the image (often with Sysprep) with specific non-persistent configurations to maintain a consistent identity in the security portal.
Verification: Confirms that adding the script to the template/golden image is the precise action for onboarding non-persistent environments.
Official Vendor Documentation (Microsoft): "Deploy Microsoft Defender for Endpoint on Azure Virtual Desktop (AVD)" documentation.
Specifics: Explicitly recommends running the onboarding script on the AVD golden image as part of the image preparation process.
Verification: Supports the selection "Add the Defender for Endpoint onboarding script to the golden image."
Peer-reviewed Academic Publications (IEEE/ACM on Cloud Security): Papers discussing EDR deployment challenges in ephemeral cloud environments.
Specifics: Highlighting that the base image is the correct control point for security solutions in non-persistent virtual environments to ensure consistent configuration and agent deployment.
Verification: Validates the technical principle of pre-configuring the base image (template/golden image) for minimal administrative overhead and state persistence.
Question 22
HOTSPOT Your company, named Contoso, Ltd., has an Azure AD tenant named contoso.com. Contoso has a partner company named Fabrikam, Inc. that has an Azure AD tenant named fabrikam.com. You need to ensure that helpdesk users at Fabrikam can reset passwords for specific users at Contoso. The solution must meet the following requirements: • Follow the principle of least privilege. • Minimize administrative effort. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer

Scope Restriction (An administrative unit): The requirement is to restrict the role assignment to specific users. An administrative unit (AU) is the Azure AD feature designed to delegate administrative roles over a restricted, specific subset of users, groups, or devices. It is the only option that satisfies the scope limitation for an administrative role assignment while requiring less administrative effort than building custom roles.
Final Role Selection (Password Administrator): The action required is to reset passwords. The Password Administrator role is an Azure AD built-in role whose primary function is to reset non-administrator user passwords (as well as some administrator passwords). This selection directly addresses the requirement for password reset functionality. The combination of Directory Readers (read access) and Password Administrator (write/reset access) is often cited in documentation as granting the permissions needed for helpdesk functions when combined with granular scope control.
Microsoft. (n.d.). Administrative units in Azure Active Directory. [Specific page or section reference required]: Delegation of administrative responsibilities. [Clearly documents that Administrative Units (AUs) are used to restrict the scope of permissions for role assignments to specific subsets of users or groups, directly supporting the choice of An administrative unit for scope restriction.]
Microsoft. (n.d.). Azure AD built-in roles. Section: "Password Administrator" and "Directory Readers" permissions. [Defines the Password Administrator role as having the ability to reset passwords for users and other administrators, and the Directory Readers role as having read access to all directory objects, validating both selected roles for the task's steps.]
NIST SP 800-204B. (2021). Attribute-Based Access Control (ABAC) for Microservices-Based Applications. Section 3.2: Principle of Least Privilege. [Conceptual support for using multiple, specific roles (like a combination of Directory Readers and Password Administrator) to meet the principle of least privilege, rather than a single broader role like Helpdesk Administrator, though this is dependent on the specific implementation of least privilege.]
Microsoft. (n.d.). Assign a scoped role to a group with limited members and target resources. [Specific document identifier/title]: Documentation on role scoping. [Provides implementation context showing that scoping is done via an Administrative Unit after selecting the required administrative role, reinforcing the process of assigning the Password Administrator role over an administrative unit.]
Question 23
HOTSPOT You plan to deploy a dynamically scaling, Linux-based Azure Virtual Machine Scale Set that will host jump servers. The jump servers will be used by support staff who connect from personal and kiosk devices via the internet. The subnet of the jump servers will be associated to a network security group (NSG). You need to design an access solution for the Azure Virtual Machine Scale Set. The solution must meet the following requirements: • Ensure that each time the support staff connects to a jump server, they must request access to the server. • Ensure that only authorized support staff can initiate SSH connections to the jump servers. • Maximize protection against brute-force attacks from internal networks and the internet. • Ensure that users can only connect to the jump servers from the internet. • Minimize administrative effort. What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer

When using Azure Bastion, the actual SSH connection from the Bastion host to the target jump server takes place entirely within the Azure Virtual Network. The source IP address for this internal connection is always from the dedicated, minimum /27 subnet named AzureBastionSubnet. Therefore, the NSG on the jump server's subnet must be configured to allow SSH inbound traffic only from the AzureBastionSubnet address range. This is the most precise source for the connection when Azure Bastion is the designated access method.
Official Vendor Documentation (Microsoft Azure):
Microsoft, "What is Azure Bastion?," (Azure Bastion documentation). Section on "Key features and benefits": Defines Azure Bastion as a service that connects to VMs over a private IP and doesn't expose public IPs, aligning with security maximization (part of the prompt requirements) and justifying its selection as the security service.
Microsoft, "Work with VMSS and Azure Bastion," (Azure Bastion documentation). Section on "Prerequisites": Confirms that Azure Bastion is compatible with Virtual Machine Scale Sets (VMSS), which is the target resource in the scenario.
Microsoft, "Configuration settings - Azure Bastion," (Azure Bastion documentation). Section on "Subnet requirements": Specifies that a dedicated subnet named AzureBastionSubnet with a minimum prefix size of /27 is required, and that this subnet must allow inbound traffic to the target VM's subnet. This validates the use of AzureBastionSubnet as the source for the NSG rule on the jump server's subnet.
Official Vendor Documentation (Microsoft Learn/Certified Curricula):
Microsoft, AZ-104/AZ-500 Certification Courseware, Module on Network Security/Virtual Machine Access: Emphasizes that when using Bastion, the NSG on the target VM's subnet must contain an inbound rule allowing the Bastion subnet's range as the source address for the management protocol (SSH/RDP). This is standard practice for secure Azure virtual networking.
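The NSG rule described above, written out as an added Bicep example (not code from the original page or from Microsoft). The Bastion subnet prefix and resource names are constructed placeholders; the explicit deny rule is included because the default AllowVnetInBound rule would otherwise still permit SSH from other subnets in the virtual network.

```bicep
// Added example: NSG for the jump-server subnet when Azure Bastion is the access path.
// Address range and names below are constructed placeholders, not values from the page.
param location string = resourceGroup().location

// Constructed: the /27 allocated to the AzureBastionSubnet in this virtual network.
param bastionSubnetPrefix string = '10.0.255.0/27'

resource jumpNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-jumpservers'
  location: location
  properties: {
    securityRules: [
      {
        // Only the Bastion subnet may open SSH (TCP/22) to the jump servers.
        name: 'AllowSshFromBastionSubnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '22'
        }
      }
      {
        // Deny SSH from every other source (internet and other VNet subnets) ahead of the
        // default AllowVnetInBound rule, so brute-force attempts cannot reach port 22 directly.
        name: 'DenySshFromAnywhereElse'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '22'
        }
      }
    ]
  }
}
```

The AzureBastionSubnet itself needs the separate inbound and outbound rules that the Bastion configuration documentation lists; this NSG only covers the jump-server subnet.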
Question 24
HOTSPOT You plan to automate the development and deployment of a Node.js-based app by using GitHub. You need to recommend a DevSecOps solution for the app. The solution must meet the following requirements: • Automate the generation of pull requests that remediate identified vulnerabilities. • Automate vulnerability code scanning for public and private repositories. • Minimize administrative effort. • Minimize costs. What should you recommend using? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-100/page_117_img_2.jpg
Dependabot is the precise tool for the first requirement. Its core function is to automatically detect vulnerable dependencies (via Dependabot alerts) and raise Dependabot security updates in the form of pull requests that update the dependencies to a non-vulnerable version, thereby directly meeting the requirement to "automatically generate pull requests that remediate identified vulnerabilities" (Source 3.1, 3.4).
For automated vulnerability code scanning in both public and private repositories with minimized administrative effort and cost, the best option is GitHub Enterprise Cloud. Code scanning requires the paid GitHub Code Security (part of GitHub Advanced Security) for private repositories (Source 2.3, 4.1). Both GitHub Enterprise Cloud and GitHub Enterprise Server include the ability to purchase this add-on. However, GitHub Enterprise Cloud is a fully managed cloud offering, which inherently minimizes administrative effort (no self-hosting, maintenance, or upgrades) compared to GitHub Enterprise Server (Source 4.4). The Enterprise plans are required to enable Code Security for private repositories. GitHub Enterprise Cloud is the most precise answer for meeting the full set of requirements: feature capability, minimal administrative effort, and cost-effective deployment choice within the enterprise tier. GitHub Team requires the same add-on but is a lower-tier plan, which does not represent the full, integrated "DevSecOps solution" of the Enterprise offerings, making GitHub Enterprise Cloud the most comprehensive recommendation (Source 4.1, 4.3).
Dependabot Security Updates (Automatic PRs): GitHub Docs. About Dependabot security updates. (Source 3.1, 3.4)
Citation: "When Dependabot security updates are enabled for a repository, Dependabot will automatically try to open pull requests to resolve every open Dependabot alert that has an available patch." (Source 3.1, Paragraph 2, Sentence 2)
Citation: "Dependabot security updates: Automatically raise pull requests to update the dependencies you use that have known security vulnerabilities." (Source 3.4, Section: Dependabot alerts, Security updates, Sentence 2)
Code Scanning on Private Repos/Plans: GitHub Docs. About GitHub Advanced Security / GitHub Advanced Security license billing. (Source 4.1, 2.3)
Citation: "To run the feature on your private or internal repositories, you must purchase the relevant GitHub Advanced Security product... You must be on a GitHub Team or GitHub Enterprise plan in order to purchase GitHub Code Security or GitHub Secret Protection." (Source 4.1, Paragraph 3, Sentences 2-3)
Citation: Code scanning is "Included" in both Enterprise and "Public repositories" in Free/Team plans; to be fully covered for public and private, the full feature set of a plan that supports the add-on is needed. (Source 2.3, Table Snippet)
Enterprise Cloud vs. Server (Minimizing Administrative Effort): GitHub Docs. About GitHub Enterprise Cloud with data residency. (Source 4.4)
Citation: "You'll have a simplified administrative experience, and won't need to schedule downtime for maintenance or upgrades." (Source 4.4, Last paragraph, Sentence 2)
GitHub Code Security Feature Set: GitHub Docs. GitHub Advanced Security · Built-in protection for every repository. (Source 2.3)
Citation: GitHub Code Security includes features that help you find and fix vulnerabilities, like code scanning, premium Dependabot features, and dependency review. (Source 2.3, Second section, first paragraph)
Question 25
Show Answer
B. Microsoft Defender Threat Intelligence (Defender TI) is a platform that provides intelligence on threat actors and infrastructure; it does not perform vulnerability scans on your internal assets.
C. Microsoft Defender for Endpoint includes Microsoft Defender Vulnerability Management, but the question specifically requires using the Qualys engine, which is an integrated option within Defender for Servers.
D. Microsoft Defender External Attack Surface Management (Defender EASM) discovers and analyzes an organization's external, internet-facing assets, not internal resources like Azure virtual machines.
1. Microsoft Learn. "Defender for Cloud's integrated vulnerability scanner for machines (powered by Qualys)." Microsoft Docs. Under the "Availability" section, it states, "The vulnerability scanner included with Microsoft Defender for Cloud is powered by Qualys... The scanner is available to machines that are enabled for Microsoft Defender for Servers." This document explicitly confirms the use of the Qualys engine for vulnerability assessment on machines covered by Defender for Servers.
2. Microsoft Learn. "Overview of Microsoft Defender for Servers." Microsoft Docs. In the table outlining the features of Defender for Servers Plan 1 and Plan 2, "Integrated vulnerability assessment and management (powered by Microsoft Defender Vulnerability Management and Qualys)" is listed as a core feature, confirming this is the correct product.
3. Microsoft Learn. "Deploy the integrated Qualys vulnerability scanner." Microsoft Docs. This document provides the steps for enabling the scanner, stating in the introduction, "A vulnerability scanner is included with Microsoft Defender for Servers. The scanner is powered by Qualys." It also covers deployment on both Azure VMs and hybrid machines.
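Added example, not part of the original answer explanation or of Microsoft's documentation: enabling Defender for Servers on the current subscription and pulling the vulnerability-assessment findings back out, which is the check you would run to confirm the plan (not Defender for Endpoint, Defender TI or Defender EASM) is what produces the scan results. Assumes the Az.Security module, an authenticated Connect-AzAccount session, the -SubPlan parameter (present in recent Az.Security versions) and the PSSecurityAssessment property names shown in the comments.

```powershell
# Enable Defender for Servers Plan 2 for all VMs in the current subscription.
# (Assumed: -SubPlan is available in your Az.Security version; 'P1' is the cheaper plan.)
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2'

# Confirm the plan is actually on before expecting any scan results.
Get-AzSecurityPricing -Name 'VirtualMachines' | Select-Object Name, PricingTier, SubPlan

# Vulnerability findings surface as Defender for Cloud assessments; keep only the VA ones.
# Assumed property names: DisplayName, Status.Code, ResourceDetails.Id (Az.Security 1.x objects).
function Get-VulnerabilityAssessmentFindings {
    Get-AzSecurityAssessment |
        Where-Object { $_.DisplayName -like '*vulnerabilit*' } |
        Select-Object DisplayName,
                      @{ n = 'Status';   e = { $_.Status.Code } },
                      @{ n = 'Resource'; e = { $_.ResourceDetails.Id } }
}

Get-VulnerabilityAssessmentFindings | Format-Table -AutoSize
```

Newly enabled plans take time to deploy the agent-based or agentless scanner; an empty result immediately after Set-AzSecurityPricing is normal, whereas an empty result a day later on a subscription with running VMs means the scanner is not reaching them (check the machine's Defender for Cloud recommendations).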
Question 26
Show Answer
A. Yes: This is incorrect. The solution does not support the mandatory requirement for user-controlled monthly key rotation, as this capability is only available with customer-managed keys, not Microsoft-managed keys.
---
1. Microsoft Learn, "Transparent data encryption (TDE) for SQL Database, SQL Managed Instance, and Azure Synapse Analytics":
Section: "Service-managed transparent data encryption"
Content: This section states, "Microsoft is responsible for the management of these certificates and automatically rotates them at least every 90 days." This confirms that the rotation schedule is controlled by Microsoft, not the user.
Section: "Customer-managed transparent data encryption - Bring Your Own Key (BYOK)"
Content: This section clarifies, "With CMK, you are in full control of: ... Key rotation". This explicitly states that controlling key rotation requires customer-managed keys.
2. Microsoft Learn, "Azure Data Encryption at Rest":
Section: "Azure data encryption models"
Content: This document explains the different encryption models. For the server-side encryption model using service-managed keys, it notes, "Microsoft manages the keys." In contrast, for the model using customer-managed keys, it states, "You have control over the keys, including key rotation..." This distinction is fundamental to meeting the question's requirements.
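Added example, not part of the original answer explanation: the customer-managed-key configuration that would satisfy the question's rotation requirement, with the vault rotating the key monthly and the SQL server following each new version. Assumed names: resource group 'rg-sql', logical server 'sql-contoso', Key Vault 'kv-contoso', key 'tde-protector'. Assumes Az.Sql and Az.KeyVault, and that your Az.Sql version supports -AutoRotationEnabled on Set-AzSqlServerTransparentDataEncryptionProtector.

```powershell
# Assumed placeholder names; replace with your own.
$rg = 'rg-sql'; $server = 'sql-contoso'; $vault = 'kv-contoso'; $keyName = 'tde-protector'

# 1. Give the logical server a managed identity and let it USE the key (get/wrap/unwrap only;
#    no create/delete, so a compromised server cannot rotate or destroy its own protector).
$sql = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $sql.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 2. Create the key and attach a rotation policy: a new version every 30 days, each version
#    expiring after 90 days, with a notification a week before expiry.
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software
$policyPath = Join-Path ([System.IO.Path]::GetTempPath()) 'tde-rotation.json'
@'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P30D" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P7D" },  "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P90D" }
}
'@ | Set-Content -Path $policyPath
Set-AzKeyVaultKeyRotationPolicy -VaultName $vault -Name $keyName -PolicyPath $policyPath

# 3. Register the key with the server and make it the TDE protector. AutoRotationEnabled makes
#    the server switch to each new key version the vault policy produces (assumed parameter).
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id -AutoRotationEnabled $true

# 4. Check: Type must be AzureKeyVault; ServiceManaged means rotation is still Microsoft's.
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server |
    Select-Object Type, KeyId, AutoRotationEnabled
```

Two prerequisites the script does not create: the vault must have soft-delete and purge protection enabled or SQL will refuse the key, and if the vault uses Azure RBAC rather than access policies, replace Set-AzKeyVaultAccessPolicy with a "Key Vault Crypto Service Encryption User" role assignment for the server's identity. Losing access to the protector key makes every database on the server inaccessible, so treat the vault's backup and access controls as part of the design.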
Question 27
Show Answer
B. Windows LAPS is a solution for managing the password of the built-in local administrator account, not for configuring the membership of the local Administrators group.
C. Granting the device's primary user (from Group1) local administrator rights violates the security model of a privileged access device, as it allows the user to potentially compromise the hardened state of the workstation.
D. Adding the Global Administrator role is overly permissive. Privileged access device management should be delegated to a specific, dedicated group (Group2) rather than a highly privileged directory role.
1. Microsoft Learn, Privileged access devices: In the "PAW operating principles" section, it explicitly states, "The user of the PAW has standard user rights on the device and does not have local administrative rights." and "The PAW is managed by a separate set of administrators than the other workstations." This directly supports making Group2 the administrator while keeping Group1 as standard users, as described in option A, and directly refutes option C.
Source: Microsoft Learn, "Privileged access devices", Section: "PAW operating principles".
2. Microsoft Learn, Manage the local administrators group on Azure AD joined devices: This document details the methods for controlling membership in the local Administrators group. It describes using Intune policies, such as the "Local user group membership" policy within an Account protection profile, to explicitly add specific Azure AD groups. This is the technical implementation for the strategy in option A.
Source: Microsoft Learn, "How to manage the local administrators group on Azure AD joined devices", Section: "Manage local administrators group using Microsoft Intune".
3. Microsoft Learn, What is Windows LAPS?: This document defines the purpose of Windows LAPS. "Windows LAPS provides a solution for managing the local administrator account password for your domain-joined or Azure AD-joined devices." This confirms that LAPS is concerned with password management for a single account, not the overall group membership, making option B incorrect for the question asked.
Source: Microsoft Learn, "What is Windows LAPS?", Section: "Introduction".
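Added example, not part of the original answer explanation: a check that runs on the PAW itself and verifies the state option A describes, namely that the local Administrators group contains only the built-in Administrator and Group2, so a Group1 user (or anyone else) silently added to the group is flagged. Intune's "Local user group membership" policy writes Entra groups into the group as SIDs (S-1-12-1-...), so the check compares SIDs, not display names. The Group2 SID below is a placeholder you must replace; this is a detection script you could run through Intune Remediations (exit 1 = non-compliant).

```powershell
# Compare the local Administrators group against an allow-list of SIDs and report drift.
function Test-PawAdminMembership {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedSids,   # built-in Administrator + Group2
        [string] $Group = 'Administrators'
    )
    $members    = Get-LocalGroupMember -Group $Group
    $memberSids = @($members | ForEach-Object { $_.SID.Value })
    $unexpected = @($members    | Where-Object { $AllowedSids -notcontains $_.SID.Value })
    $missing    = @($AllowedSids | Where-Object { $memberSids  -notcontains $_ })
    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
        Unexpected = $unexpected | ForEach-Object { "$($_.Name) [$($_.SID.Value)]" }
        Missing    = $missing
    }
}

# The built-in Administrator always has RID 500; resolve it by SID so a renamed account still matches.
$builtinAdmin = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
# Placeholder: Group2's Entra SID (Intune shows it when you add the group to the policy).
$group2Sid    = 'S-1-12-1-1111111111-2222222222-3333333333-4444444444'

$result = Test-PawAdminMembership -AllowedSids @($builtinAdmin, $group2Sid)
$result | Format-List
if (-not $result.Compliant) { exit 1 }   # non-compliant: Intune Remediations will run the fix script
```

On some Entra-joined builds Get-LocalGroupMember throws when the group holds a SID it cannot resolve; if you hit that, `net localgroup Administrators` still lists the raw SIDs and can be parsed instead. The remediation counterpart is the Intune policy itself (re-applying a "Replace" action restores exactly the allow-listed members), so the detection script should not try to edit the group.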
Question 28
Show Answer
A. Azure Information Protection labels (sensitivity labels) are used to classify and protect data, not to define the scope of users or groups for compliance policies.
B. Microsoft 365 Defender user tags are used within the Defender portal to group and filter devices or users for investigation and response actions, not for scoping Purview policies.
D. Administrative units are Azure AD containers for delegating administrative permissions over a subset of users and groups, not for dynamically applying compliance policies based on attributes.
1. Microsoft Purview Documentation, "Learn about adaptive scopes": "Adaptive scopes use a query that you specify, which allows you to define membership that's based on attributes or properties... For users and groups, you can use attributes such as department, location, and other Azure AD attributes. For example, you can use the Exchange custom attributes..."
Source: Microsoft Learn, https://learn.microsoft.com/en-us/purview/adaptive-scopes, Section: "How adaptive scopes work".
2. Microsoft Purview Documentation, "Configuration for adaptive scopes": This document lists the specific properties available for building queries. For user scopes, it explicitly includes CustomAttribute1 through CustomAttribute15, which correspond to the custom Exchange Online attributes.
Source: Microsoft Learn, https://learn.microsoft.com/en-us/purview/adaptive-scope-configure, Section: "Properties that can be used for adaptive scopes", Table: "Properties for users".
3. Microsoft Purview Documentation, "Get started with communication compliance": "When you configure a communication compliance policy, you define who to include in the policy... For more flexibility and scale, you can use adaptive scopes. Policies with adaptive scopes don't have a limit on the number of users, and the membership is updated daily."
Source: Microsoft Learn, https://learn.microsoft.com/en-us/purview/communication-compliance-get-started, Section: "Step 3: Create communication compliance policies".
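Added example, not part of the original answer explanation: stamping the custom attribute in Exchange Online, previewing who the query would match, and then creating the adaptive scope that a communication compliance policy can target. Assumes the ExchangeOnlineManagement module, a user 'trader1@contoso.com' and a scope name that are placeholders, and that New-AdaptiveScope accepts -RawQuery (its OPATH query form) in your tenant.

```powershell
Connect-ExchangeOnline

# 1. Tag the mailbox. Membership later follows this attribute, so on/off-boarding a user
#    from the policy is one Set-Mailbox call, not a policy edit.
Set-Mailbox -Identity 'trader1@contoso.com' -CustomAttribute1 'Regulated'

# 2. Dry run. The adaptive-scope raw query is OPATH, the same filter language Get-Mailbox
#    -Filter accepts, so you can see exactly who would land in scope before creating it.
$query = "CustomAttribute1 -eq 'Regulated'"
function Get-ScopePreview([string] $OpathQuery) {
    Get-Mailbox -Filter $OpathQuery -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, CustomAttribute1
}
Get-ScopePreview $query | Format-Table -AutoSize

# 3. Create the scope in the Security & Compliance endpoint (assumed: -RawQuery parameter).
Connect-IPPSSession
New-AdaptiveScope -Name 'Regulated users' -LocationType User -RawQuery $query

# 4. Check what was stored; membership itself is evaluated by the service, not at creation time.
Get-AdaptiveScope -Identity 'Regulated users' | Select-Object Name, LocationType, RawQuery
```

Because the scope's membership is recalculated by the service (the cited doc says daily), a newly stamped user is not protected by the communication compliance policy immediately; plan the attribute change ahead of the date the policy must cover that user.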
Question 29
Show Answer
A. Azure Blueprints: This is a packaging and orchestration service for deploying environments; it is not the underlying engine for enforcing compliance rules on an ongoing basis.
B. the regulatory compliance dashboard in Defender for Cloud: This is a reporting and visualization tool. It displays the compliance status generated by Azure Policy but does not enforce the policies itself.
C. Azure role-based access control (Azure RBAC): This service manages user permissions (identity and access management), not the configuration and compliance state of the resources themselves.
1. Microsoft Learn, Azure Policy Documentation. "Overview of Azure Policy". Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies.
Source: Microsoft, "What is Azure Policy?", https://learn.microsoft.com/en-us/azure/governance/policy/overview, Section: "Overview".
2. Microsoft Learn, Microsoft Defender for Cloud Documentation. "Tutorial: Improve your regulatory compliance". The regulatory compliance dashboard shows the status of all the assessments within your environment for a chosen standard or regulation... This feature is powered by Azure Policy. You can add standards... by assigning the corresponding policy initiative.
Source: Microsoft, "Tutorial: Improve your regulatory compliance", https://learn.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard, Section: "How does the regulatory compliance dashboard work?".
3. Microsoft Learn, Azure Policy built-in definitions for ISO 27001. This document details the built-in policy initiative specifically for ISO 27001:2013. It states, "This policy initiative provides a set of policies that help you track compliance with ISO 27001." Assigning this initiative is the direct method to implement the required standard.
Source: Microsoft, "Azure Policy built-in definitions for ISO 27001", https://learn.microsoft.com/en-us/azure/governance/policy/samples/iso-27001, Section: "ISO 27001:2013".
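Added example, not part of the original answer explanation: assigning the built-in ISO 27001:2013 initiative with Azure Policy and reading the compliance state back, which is the same data the Defender for Cloud regulatory compliance dashboard displays. Assumes Az.Resources and Az.PolicyInsights; the subscription ID, assignment name and location are placeholders, and -IdentityType is assumed to be the identity parameter in your Az.Resources version (older versions used -AssignIdentity).

```powershell
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription
$name  = 'ISO 27001:2013'

# 1. Locate the built-in initiative by display name. Az.Resources 7+ exposes DisplayName at the
#    top level; older versions nest it under Properties, so both are checked.
function Get-BuiltinInitiative([string] $DisplayName) {
    Get-AzPolicySetDefinition -Builtin |
        Where-Object { $_.DisplayName -eq $DisplayName -or $_.Properties.DisplayName -eq $DisplayName } |
        Select-Object -First 1
}
$initiative = Get-BuiltinInitiative $name
if (-not $initiative) { throw "Built-in initiative '$name' not found" }

# 2. Assign it at subscription scope. A system-assigned identity is required so that any
#    deployIfNotExists/modify policies inside the initiative can remediate; Location is
#    mandatory whenever an identity is created.
New-AzPolicyAssignment -Name 'iso27001' -DisplayName $name -Scope $scope `
    -PolicySetDefinition $initiative -IdentityType 'SystemAssigned' -Location 'westeurope'

# 3. Non-compliant resources grouped by policy: evaluation runs on a schedule (and on each
#    resource write), so an empty result right after assignment only means "not evaluated yet".
Get-AzPolicyState -PolicyAssignmentName 'iso27001' -Filter "ComplianceState eq 'NonCompliant'" |
    Group-Object PolicyDefinitionName |
    Select-Object Count, Name | Sort-Object Count -Descending
```

The assignment's managed identity has no rights until you give it a role (typically Contributor at the assignment scope); without that, audit-effect policies still report but remediation tasks fail. Adding the standard from the Defender for Cloud regulatory compliance page does the same initiative assignment for you, which is why the dashboard is a view of Azure Policy rather than an enforcement engine of its own.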
Question 30
HOTSPOT
You have an Azure subscription that contains a Microsoft Sentinel workspace named MSW1. MSW1 includes 50 scheduled analytics rules.
You need to design a security orchestration automated response (SOAR) solution by using Microsoft Sentinel playbooks. The solution must meet the following requirements:
• Ensure that expiration dates can be configured when a playbook runs.
• Minimize the administrative effort required to configure individual analytics rules.
What should you use to invoke the playbooks, and which type of Microsoft Sentinel trigger should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Show Answer
1ST: AUTOMATION RULES
2ND: INCIDENT
Automation rules are the central place to run playbooks in Microsoft Sentinel. One rule, scoped by conditions (or by none at all), covers all 50 scheduled analytics rules, whereas attaching a playbook through each analytics rule's automated-response settings means 50 separate edits and 50 places to update later; that satisfies the second requirement. Automation rules also carry their own expiration date: once it passes, the rule stops firing and the playbook is no longer invoked, which is the "expiration date" the first requirement asks for (an analytics rule's automated response has no such setting). The Incident trigger is the correct trigger type because an automation rule that fires on incident creation or update hands the incident to the playbook, so the playbook must be built on the Microsoft Sentinel incident trigger; it then acts on the incident's properties such as status, owner, severity and classification.
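Added example, not part of the original answer explanation: creating one automation rule on MSW1 through the Microsoft Sentinel REST API that runs an incident-trigger playbook for every new incident, with the rule's expiration date set, and then listing the rules with their expiry so expired ones are visible. Subscription, resource group, playbook name, tenant ID and the expiry date are placeholders; the request shape is the Microsoft.SecurityInsights/automationRules resource (api-version 2023-02-01) submitted with Invoke-AzRestMethod from Az.Accounts.

```powershell
$sub      = '00000000-0000-0000-0000-000000000000'   # placeholder
$rg       = 'rg-sentinel'                             # placeholder
$ws       = 'MSW1'
$tenantId = '11111111-1111-1111-1111-111111111111'   # placeholder
$playbook = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Logic/workflows/pb-enrich-incident"
$ruleId   = [guid]::NewGuid().ToString()

# Build the automation rule. No conditions = it applies to incidents from all 50 analytics
# rules; to narrow it, add a Property condition on IncidentRelatedAnalyticRuleIds instead of
# touching the analytics rules themselves.
function New-AutomationRuleBody {
    @{
        properties = @{
            displayName     = 'Run enrichment playbook on every new incident'
            order           = 1
            triggeringLogic = @{
                isEnabled         = $true
                triggersOn        = 'Incidents'
                triggersWhen      = 'Created'
                expirationTimeUtc = '2025-12-31T00:00:00Z'   # the requirement: rule stops firing after this
                conditions        = @()
            }
            actions = @(
                @{
                    order               = 1
                    actionType          = 'RunPlaybook'   # playbook must use the Sentinel incident trigger
                    actionConfiguration = @{ logicAppResourceId = $playbook; tenantId = $tenantId }
                }
            )
        }
    } | ConvertTo-Json -Depth 10
}

$base = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$ws" +
        '/providers/Microsoft.SecurityInsights/automationRules'
$resp = Invoke-AzRestMethod -Method PUT -Path "$base/$ruleId`?api-version=2023-02-01" -Payload (New-AutomationRuleBody)
if ($resp.StatusCode -notin 200, 201) { throw "Automation rule create failed: $($resp.Content)" }

# Check: every rule with its expiry, so rules that have silently stopped are obvious.
(Invoke-AzRestMethod -Method GET -Path "$base`?api-version=2023-02-01").Content |
    ConvertFrom-Json | Select-Object -ExpandProperty value |
    Select-Object name,
                  @{ n = 'displayName'; e = { $_.properties.displayName } },
                  @{ n = 'expires';     e = { $_.properties.triggeringLogic.expirationTimeUtc } }
```

For the rule to actually run the playbook, Microsoft Sentinel's service identity needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the Logic App; the PUT succeeds without it, and the failure only shows up later in the automation rule's run history.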
Official vendor documentation (Microsoft): "Automate threat response in Microsoft Sentinel with automation rules." Microsoft Sentinel's automation documentation describes automation rules as the central, scalable way to run playbooks on incidents (and alerts), with conditions, an order and an expiration date set on the rule itself, which minimizes administrative overhead compared with configuring each analytics rule individually.
Reference: Microsoft Learn, Microsoft Sentinel documentation, "Automate threat response in Microsoft Sentinel with automation rules," Section: How automation rules work.
Official vendor documentation (Microsoft): "Microsoft Sentinel incident trigger." The incident trigger is the trigger type a playbook needs in order to be run by an automation rule on incident creation or update; the playbook then operates on the incident object, which carries properties such as status, owner, severity and classification.
Reference: Microsoft Learn, Microsoft Sentinel documentation, "Automate threat response with playbooks in Microsoft Sentinel," Section: Triggers.