View SC-100 Exam Questions

Q: 1

A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions. You are evaluating the security posture of the customer. You discover that the AKS resources are excluded from the secure score recommendations. You need to produce accurate recommendations and update the secure score. Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options

Discussion

JamieD Mar 1, 2026 1:48 pm

A and E tbh, official guide and MS practice tests both cover this sort of secure score scenario for AKS pretty often.

Daniel H. Mar 4, 2026 6:00 am

Its A and E. Auto provisioning gets the monitoring agents on all AKS, and Defender plans actually unlock those recommendations for secure score. B isn't needed just for secure score on this workload from what I’ve seen.

Sean I. Feb 21, 2026 10:52 pm

Why can't you just enable Defender for Containers and auto provisioning to get AKS resources into secure score? Isn't that what A and E are getting at here?

Morgan Feb 19, 2026 8:13 am

A and E tbh. You need Defender for Containers enabled and auto-provisioning so AKS gets monitored and actually impacts secure score. That's what I've seen in most of the docs, pretty sure it's not B or D here.

Mason N. Feb 23, 2026 5:24 pm

Option A and E make sense here. You have to enable Defender plans for containers (E) so AKS is even monitored, and auto provisioning (A) ensures the agent gets installed on all clusters, which is needed for secure score. B/C/D don't actually trigger the right recommendations for secure score updates. Pretty confident but open to corrections.

Neha Y. Mar 4, 2026 9:46 pm

Maybe B and D, since setting compliance policies usually affects recommendations and automations can trigger score updates too.

ArjunH Feb 19, 2026 10:56 pm

B. not A. Assigning regulatory compliance policies (B) should update the secure score recommendations for AKS. At least that's how I've seen it work before, could be missing an extra step though.

Maya U. Feb 24, 2026 5:52 pm

Totally agree, A and E do the job here. Need to enable Defender plans for AKS visibility and set auto provisioning so agents get deployed. Seen similar in some practice sets, pretty sure that's how secure score picks up AKS issues.

Ajay E. Feb 23, 2026 6:12 am

I don't think B helps with secure score for AKS, it's A and E. B is a common trap.

DirectOps5135 Mar 1, 2026 3:12 am

Feels like B and D, since workflow automation plus compliance policies should drive secure score recommendations. Not super confident though, maybe missing something.

Be respectful. No spam.

Correct Answer:

A, E

Explanation

To produce security recommendations for Azure Kubernetes Service (AKS) and update the secure score, Microsoft Defender for Cloud must first be enabled for this specific workload and configured to monitor the resources.

Enabling the "Defender for Containers" plan (part of the Defender plans) is the initial step that unlocks the advanced security features, threat detection, and specific security recommendations for AKS clusters. Without this plan, Defender for Cloud will not perform the in-depth assessments required.

After the plan is enabled, Defender for Cloud needs to deploy a monitoring agent to the AKS clusters to collect security-related data. Configuring auto-provisioning ensures that the Defender agent is automatically deployed to all existing and future AKS clusters within the scope, which is essential for generating accurate recommendations.

Why Incorrect

B. Assign regulatory compliance policies: This action maps existing recommendations to compliance standards. It does not enable the initial data collection or generate new recommendations for unmonitored resources.

C. Review the inventory: This is a diagnostic step to view the status of resources. While useful for identifying unmonitored resources, it is not a corrective action to enable monitoring.

D. Add a workflow automation: This is used to automate responses to security alerts and recommendations after they have been generated, not to enable their creation.

References

1. Microsoft Learn

Official Documentation

"Enable Microsoft Defender for Cloud plans": This document explicitly states that to get the full range of protections for resources in a subscription

you must enable the Defender plans for the resource types. For containers

this means enabling the Defender for Containers plan.

Reference: In the section "Enable Defender for Cloud plans on your subscriptions

" it details the process of turning on plans like Defender for Containers.

2. Microsoft Learn

Official Documentation

"Introduction to Microsoft Defender for Containers": This document clarifies that Defender for Containers provides security recommendations as part of its environment hardening capabilities. Enabling the plan is the prerequisite for these features.

Reference: The "Overview" section lists "Environment hardening" which includes "continuously assessing your clusters to provide visibility into misconfigurations" and "security recommendations."

3. Microsoft Learn

Official Documentation

"Enable Defender for Containers components": This document describes the components needed for Defender for Containers to function. It highlights the need for the Defender agent and how to enable it.

Reference: In the section "Enable the plan

" it states that enabling the plan is the first step. It then discusses deploying the Defender agent

which can be managed via the auto-provisioning settings in Defender for Cloud's "Environment settings" page. This confirms that both enabling the plan and ensuring agent deployment (via auto-provisioning) are key steps.

Q: 2

You have an Azure subscription that contains multiple network security groups (NSGs), multiple virtual machines, and an Azure Bastion host named bastion1. Several NSGs contain rules that allow direct RDP access to the virtual machines by bypassing bastion! You need to ensure that the virtual machines can be accessed only by using bastion! The solution must prevent the use of NSG rules to bypass bastion1. What should you include in the solution?

Options

Discussion

Mason X. Mar 3, 2026 2:06 pm

Makes sense to pick B for this one. Security admin rules in Azure Virtual Network Manager actually override any NSG settings, so they block RDP unless it's through Bastion no matter what someone's done at the NSG level. Agree?

RyanO Feb 26, 2026 1:11 pm

Probably B here since security admin rules from Azure Virtual Network Manager override NSG rules, so you can make sure RDP is only allowed via Bastion. Regular firewall or NSG config wouldn't fully block those bypasses. Pretty sure that's what the question's looking for, but let me know if anyone sees it differently.

Ishaan S. Feb 20, 2026 7:29 am

B , since admin rules trump NSGs and D is a trap here because it can't override existing NSG permissions.

Robin Z. Mar 4, 2026 2:35 pm

B tbh, since Azure Virtual Network Manager security admin rules take priority over NSGs. That way, you can centrally enforce a deny on RDP unless it's through Bastion, no matter what the individual NSG settings are. Firewall rules (D) can't override NSGs, so direct access could still slip through if someone opens a port at the NSG level. Pretty sure it's B but open to debate if anyone has seen different behavior in real setups.

Alex W. Mar 2, 2026 6:07 pm

I don’t think it’s B. D makes more sense if the Firewall network rules block all RDP, but the trap is that NSG rules can still be too permissive.

Sam G. Feb 20, 2026 4:23 am

Its D, I think firewall network rules could block direct RDP but trap is that NSG might get around it.

Priya M. Feb 19, 2026 6:33 pm

Why wouldn't Azure Firewall network rules (D) be enough here if the only goal was blocking RDP, not about NSG bypass? Just trying to clarify how they interact.

FocusedAuditor5497 Feb 28, 2026 12:20 pm

Its B. Security admin rules in Virtual Network Manager override NSGs so RDP can't sneak in around Bastion. Official guides cover this.

Alex S. Feb 19, 2026 9:48 pm

Hannah Feb 15, 2026 11:22 am

Probably B, official docs and labs both mention security admin rules overriding all NSGs for this scenario.

Be respectful. No spam.

Correct Answer:

Explanation

Azure Virtual Network Manager (AVNM) security admin rules are designed to enforce security policies at scale across multiple virtual networks. These rules are evaluated before Network Security Group (NSG) rules and have a higher priority. By creating a security admin rule that denies inbound RDP (port 3389) traffic from any source other than the AzureBastionSubnet, you can centrally override any permissive RDP rules in individual NSGs. This ensures that all RDP connections must be initiated through the Bastion host, directly addressing the requirement to prevent NSG rules from creating a bypass.

Why Incorrect

A. Azure Virtual Network Manager connectivity configurations: These configurations are used to define network topology, such as hub-and-spoke or mesh, not for enforcing traffic filtering rules.

C. Azure Firewall application rules: These rules filter outbound traffic based on Fully Qualified Domain Names (FQDNs) for protocols like HTTP/S. They are not used for controlling inbound RDP traffic.

D. Azure Firewall network rules: While Azure Firewall can block RDP, the question's core problem is overriding conflicting NSG rules at scale. AVNM security admin rules are specifically designed for this purpose and take precedence over NSGs.

References

1. Microsoft Documentation | Azure Virtual Network Manager | Security admin rules: "Security admin rules are high priority rules that are evaluated before NSG rules... With security admin rules

you can enforce

and override NSG rules at scale." This document explicitly states the precedence and purpose of security admin rules

confirming they can override NSGs to enforce a security baseline.

Source: Microsoft Learn

"Security admin rules in Azure Virtual Network Manager

" Introduction section.

2. Microsoft Documentation | Azure Virtual Network Manager | How it works: "A security configuration contains a set of security admin rules that you can apply to one or more network groups... When you apply a security configuration to a virtual network

all the network interfaces (NICs) in the virtual network will have the security admin rules applied. The rules are evaluated before network security groups."

Source: Microsoft Learn

"How security admin rules work with Azure Virtual Network Manager

" How it works section.

3. Microsoft Documentation | Azure Virtual Network Manager | Overview: This document distinguishes between the two main capabilities of AVNM: "Connectivity configuration" and "Security configuration

" clarifying that option A (connectivity) is for topology and option B (security) is for traffic control.

Source: Microsoft Learn

"What is Azure Virtual Network Manager?

" Key benefits section.

Q: 3

Your company plans to provision blob storage by using an Azure Storage account The blob storage will be accessible from 20 application sewers on the internet. You need to recommend a solution to ensure that only the application servers can access the storage account. What should you recommend using to secure the blob storage?

Options

Discussion

Reese Q. Mar 5, 2026 6:04 pm

I don't think it's C, I'd pick D here. NSG inbound rules (C) can't control access to Azure Storage coming from public internet IPs, that's a common trick option. Storage account firewall rules (D) are made for this, letting you set an allow list of only those app servers' IPs. Pretty sure that's what Microsoft wants here but open to other takes.

ThoughtfulNeteng5744 Feb 27, 2026 3:24 pm

D imo. The storage account firewall directly lets you allow only those app server public IPs, not NSGs.

Liam Feb 17, 2026 4:32 am

QuietAuditor5088 Feb 18, 2026 1:28 pm

Yeah, D makes the most sense to me. Storage account firewall rules let you specify those 20 app server IPs so only they get access, blocking everything else by default. NSGs like C don't work for public internet traffic to storage accounts. Pretty sure D is what Microsoft has in mind, unless there's some networking detail we're missing.

Owen Feb 19, 2026 5:50 pm

Probably D, this comes up in Microsoft official practice. Storage account firewall rules let you restrict to known IPs.

Ava X. Feb 16, 2026 1:40 am

Pretty sure this matches similar practice questions, I'd go with Option C. Check the official guide for more details.

Parker Feb 22, 2026 1:41 am

D tbh

Avery Feb 27, 2026 4:01 pm

This looks like the classic scenario for D. You'd use storage account firewall rules so only the public IPs of those 20 servers are allowed access, everything else blocked by default. Official study guide and lab practices both highlight this method. I think D is best here but open to other suggestions if anyone has seen it handled another way in real exam cases.

Robin Mar 1, 2026 1:23 am

Seen similar Qs on practice sets, always D. Storage account firewall rules let you whitelist those 20 IPs, nothing else works here.

Noah O. Feb 16, 2026 3:56 am

I don't think C fits here, D is the safer bet. NSG inbound rules (C) work for VM traffic on a VNet but not for controlling access to a storage account from arbitrary public IPs. The firewall rules in D let you specify exactly which external servers can get in. Pretty sure that's the intent, unless I'm missing some weird edge case.

Be respectful. No spam.

Correct Answer:

Explanation

The most direct and appropriate method to restrict access to an Azure Storage account from specific internet-based IP addresses is by using the storage account's built-in firewall. This feature allows you to define a set of rules that explicitly grant access from specified public IP addresses or CIDR ranges. By adding the 20 public IP addresses of the application servers to the firewall's allow list and denying access by default, you ensure that only those designated servers can reach the storage account's public endpoint. This is a native security feature designed precisely for this use case.

Why Incorrect

A. service tags in network security groups (NSGs): Service tags represent groups of IP prefixes for Azure services, not specific external application servers. NSGs apply to resources within a virtual network.

B. managed rule sets in Azure Web Application Firewall (WAF) policies: WAF is designed to protect web applications from common exploits (Layer 7), not for network-level IP-based access control to a storage account.

C. inbound rules in network security groups (NSGs): NSGs filter traffic for resources within an Azure Virtual Network (VNet), not for the public endpoint of a PaaS service like a storage account.

E. inbound rules in Azure Firewall: Azure Firewall is a VNet-level security service used to filter traffic for resources within that VNet, not the primary tool for securing a storage account's public endpoint.

References

1. Microsoft Learn

Azure Storage Documentation. "Configure Azure Storage firewalls and virtual networks." Under the section "Grant access from an internet IP range

" it states

"You can grant access to storage accounts from specific public internet IP address ranges by creating IP network rules. Each storage account supports up to 200 rules." This directly supports using the storage account firewall for the specified scenario.

Source: learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range

2. Microsoft Learn

Azure Storage Documentation. "Security recommendations for Blob storage." In the "Network security" section

a key recommendation is to "Use the firewall in your storage account to allow traffic only from specific virtual networks or public IP address ranges."

Source: learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations#network-security

3. Microsoft Learn

SC-100 Learning Path. "Design a solution for network security." This module discusses securing PaaS services

explaining that services like Azure Storage have built-in firewall capabilities to restrict access to their public endpoints based on IP addresses

which is distinct from VNet-centric controls like NSGs or Azure Firewall.

Source: learn.microsoft.com/en-us/training/modules/design-solutions-for-securing-azure-infrastructure/4-design-solutions-for-network-security (Section: Secure PaaS services)

Q: 4

Your company has on-premises Microsoft SQL Server databases. The company plans to move the databases to Azure. You need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs. What should you include in the recommendation?

Options

Discussion

Luna Mar 2, 2026 1:20 am

C. Azure SQL Database

Sam Feb 23, 2026 3:48 pm

C , saw similar logic in the official guide and practice questions for SC-100.

Jason U. Feb 27, 2026 2:59 am

A tbh. I've seen similar exam questions pick A, since Managed Instance handles patching and supports masking too.

Alex Z. Feb 21, 2026 9:05 pm

Not A, C. Managed Instance adds cost and you only need database-level features here.

Sam P. Feb 16, 2026 3:08 pm

C, easy call here

ThoughtfulReviewer1700 Mar 2, 2026 8:38 am

Adam B. Feb 26, 2026 6:17 pm

Option C for me. SQL Database keeps patching simple, has DDM built in, plus it's cheapest overall. Pretty sure that's what they're looking for here.

FocusedAnalyst6738 Mar 3, 2026 5:59 pm

C tbh, had something like this in a mock. Azure SQL Database covers patching and data masking with less effort or cost than the other options.

HelpfulSec9381 Feb 28, 2026 7:32 am

C , Azure SQL Database makes patching hands-off and supports dynamic data masking natively. Managed Instance (A) is more expensive and really only needed for full instance-level features, which the question doesn't mention. Saw this same logic in Microsoft official docs and a few practice tests.

Jack J. Mar 5, 2026 5:36 am

A but what if you need agent jobs or full instance-level features? Managed Instance cuts down patching too.

Be respectful. No spam.

Correct Answer:

Explanation

Azure SQL Database is a fully managed Platform as a Service (PaaS) offering. This model abstracts the underlying infrastructure, meaning Microsoft handles all patching and updates automatically, which directly fulfills the requirement to minimize operational requirements. It natively supports security features like Dynamic Data Masking to protect sensitive data. For migrating individual or groups of databases without complex instance-level dependencies, Azure SQL Database is generally the most cost-effective solution compared to other PaaS options like Azure SQL Managed Instance, thus meeting all the specified criteria.

Why Incorrect

A. Azure SQL Managed Instance: While it is a PaaS service that automates patching and supports dynamic data masking, it is typically more expensive than Azure SQL Database and is designed for migrations requiring instance-level features.

B. Azure Synapse Analytics dedicated SQL pools: This service is optimized for large-scale data warehousing and analytics, not for general-purpose transactional databases. It is an unnecessarily complex and costly option for this scenario.

D. SQL Server on Azure Virtual Machines: This is an Infrastructure as a Service (IaaS) solution. It requires the customer to manage and perform all patching for both the operating system and SQL Server, directly contradicting the requirement to minimize operational effort.

References

1. Microsoft Learn

"Choose an Azure SQL option": This document compares the Azure SQL offerings. It states that Azure SQL Database is a "fully managed SQL database" where "Microsoft is responsible for all patching and updating of the SQL code base". It also positions SQL Database as having the "Lowest cost in PaaS". For SQL Server on Azure VMs

it explicitly lists "OS and SQL Server patching" as a customer responsibility.

Reference Section: "Compare the options" table.

2. Microsoft Learn

"What is Azure SQL Database?": This document describes the service

stating it is a "fully managed platform as a service (PaaS) database engine that handles most of the database management functions such as upgrading

patching

backups

and monitoring without user involvement."

Reference Section: "Overview".

3. Microsoft Learn

"Dynamic Data Masking": This documentation confirms that Dynamic Data Masking is a supported feature in Azure SQL Database

Azure SQL Managed Instance

and Azure Synapse Analytics.

Reference Section: "Applies to" and "Permissions".

Q: 5

You are designing security for an Azure landing zone. Your company identifies the following compliance and privacy requirements: • Encrypt cardholder data by using encryption keys managed by the company. • Encrypt insurance claim files by using encryption keys hosted on-premises. Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options

Discussion

Ryan Feb 28, 2026 5:54 am

A and B tbh. Blob with customer-provided keys checks the on-prem key box for insurance, and Managed HSM for SQL DB fits company-managed keys for cardholder data. Not 100% but fits what I've seen in practice.

Quinn M. Feb 20, 2026 11:14 pm

Nah, I don't think it's C. A and B match best since "hosted on-premises" rules out Azure-managed HSM here.

QuickNeteng1518 Feb 28, 2026 11:09 pm

A/B? I saw a similar question on a practice test and the key thing was "on-premises" for the insurance claims, so A (with customer-provided keys) fits. For cardholder data, B makes sense since Managed HSM is still company-controlled. Can't be totally sure unless "on-premises" is super literal, but that's what I'd use here.

Riley Q. Mar 5, 2026 5:06 am

A , C

Cameron Feb 25, 2026 11:02 pm

I’d go C here. Azure Key Vault Managed HSM is still company-managed, so option C should fit the insurance claim requirement. Not 100% sure if "hosted on-premises" always rules out Managed HSM but I think it works in most cases.

CarefulLearner5964 Feb 18, 2026 7:26 pm

Sick of how picky these requirements are. A and B imo, since customer-provided keys for insurance means you keep keys on-prem, and Managed HSM for cardholder covers company-managed. Pretty sure that's what exam reports mention too.

Ishaan Mar 2, 2026 11:52 am

A/B tbh. Official docs say customer-provided keys (A) let you keep the insurance claim keys on-prem, since Azure doesn't store them. For cardholder data, Managed HSM (B) gives the company full lifecycle control of keys, which ticks the compliance box for "company-managed." Seen similar in some practice exams. If you think "on-premises" rules out any Azure integration, I'd check MS documentation again-CPK is designed for this case.

Liam X. Feb 21, 2026 1:03 am

A/B. Customer-provided keys for on-prem, Managed HSM for company-managed. Fits both requirements.

Sofia Feb 23, 2026 3:33 am

I don't think C fits since Managed HSM is Azure-side, not on-prem. So A and B.

OliviaM Feb 17, 2026 12:55 am

Yeah, looks like A and B fit best. Blob storage with customer-provided keys lets you keep insurance file encryption keys on-prem, which matches that requirement. For cardholder data, Managed HSM is still company-controlled in Azure so B works. Pretty sure about this combo but let me know if something's off?

Be respectful. No spam.

Correct Answer:

A, B

Explanation

The solution must satisfy two distinct encryption key management requirements.

1. Insurance Claim Files: The requirement is for encryption keys to be "hosted on-premises." Azure Blob storage with customer-provided keys (CPK) meets this. With CPK, the client application provides the encryption key with each read/write request. Azure Storage uses the key for the operation but never stores it. This allows the key to be securely stored and managed in an on-premises Hardware Security Module (HSM).

2. Cardholder Data: The requirement is for "encryption keys managed by the company." Storing cardholder data in an Azure SQL Database encrypted with Transparent Data Encryption (TDE) using keys from an Azure Key Vault Managed HSM fulfills this. A Managed HSM provides a single-tenant, FIPS 140-2 Level 3 validated HSM where the company retains full and exclusive control over the key lifecycle, satisfying the "company-managed" requirement.

Why Incorrect

C. Azure Key Vault Managed HSM is a cloud service hosted in Azure, not on-premises. This configuration violates the requirement for insurance claim file keys to be hosted on-premises.

D. Microsoft-managed keys are created, stored, and managed by Microsoft, not the company. This configuration violates the requirement for cardholder data keys to be company-managed.

References

1. Customer-Provided Keys (for Answer A): Microsoft Learn. (2023). Provide an encryption key on a request to Blob storage. "When a client application presents an encryption key on the request

Azure Storage performs encryption and decryption transparently... The encryption key is not persisted in Azure Storage." This supports using keys managed entirely outside of Azure

such as on-premises.

2. TDE with Managed HSM (for Answer B): Microsoft Learn. (2024). Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure Synapse. "Customer-managed TDE... provides control over key lifecycle management... Azure Key Vault Managed HSM is a highly available and scalable single-tenant solution for managing cryptographic keys." This confirms it as a company-managed key solution.

3. Managed HSM Location (for why C is incorrect): Microsoft Learn. (2023). What is Azure Key Vault Managed HSM?. "Azure Key Vault Managed HSM is a fully managed

highly available

single-tenant

standards-compliant cloud service..." This clarifies that the service is not hosted on-premises.

4. Microsoft-Managed Keys (for why D is incorrect): Microsoft Learn. (2023). Azure Storage encryption for data at rest. "By default

all data in a storage account is encrypted using Microsoft-managed keys. With Microsoft-managed keys

Microsoft creates and manages the keys that are used to encrypt your data..." This shows the company does not manage these keys.

Q: 6

You receive a security alert in Microsoft Defender for Cloud as shown in the exhibit. (Click the Exhibit tab.) After remediating the threat which policy definition should you assign to prevent the threat from reoccurring?

Options

Discussion

Reese Feb 24, 2026 12:59 pm

If the alert had been about shared keys instead of public access, C would flip ahead of A.

Priya A. Mar 2, 2026 10:58 am

Probably A here, since I remember a similar question in some exam reports and it was flagged as the clear fix for public access on storage. The scenario's about anonymous blob exposure, not shared key stuff. Happy to hear if anyone saw it play out differently.

LeoV Feb 16, 2026 5:42 pm

This one comes up in practice sets too. A lines up with "public access should be disallowed" which is exactly what the Defender alert called out. Official docs and practice exams both highlight this policy for public container issues. If anyone's got a different take let me know, but pretty sure it's A.

Taylor D. Feb 16, 2026 11:10 am

Don't think it's C here. The question is specifically about public access to storage accounts, not shared key usage. A covers that exact misconfig according to recent exam-style practice. People tend to mix up public and shared key exposures so that's the trap I see a lot.

Chris D. Feb 18, 2026 1:20 am

That subtle difference with shared key access can throw people off, but the question's asking about *public* access specifically. A

AaronK Feb 22, 2026 9:59 am

C or A here. The alert is about public access so A fits directly, but C could also tighten things up by blocking shared key methods. I'm leaning A since that's what Defender actually flagged, but open to debate if anyone thinks C covers more.

Arjun Feb 16, 2026 12:55 am

A Directly blocks public blob access, exactly what the alert called out. Not 100% but looks like the clean fix for this particular case, unless something in the scenario says otherwise. Disagree?

Casey V. Mar 5, 2026 6:19 am

Ivy G. Feb 22, 2026 11:13 am

A tbh. The alert literally says public access, so A is the direct fix. C is a trap since it’s shared key, not anonymous access. I’m pretty sure A is the right policy, unless I’m missing something.

Maya K. Feb 26, 2026 7:10 pm

Had something similar show up in my exam, went with A. Stopping public access directly addresses what Defender flagged, while C is more for shared key scenarios. Not 100 percent but A looks strongest here, anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The security alert explicitly identifies the threat as a "Storage account with publicly accessible containers detected." This indicates that anonymous public access is enabled for blobs within the storage account. The most direct and effective way to prevent this specific misconfiguration from reoccurring is to use an Azure Policy that enforces the desired state. The policy definition "Storage account public access should be disallowed" is designed specifically for this purpose. By assigning this policy, you can audit or deny the creation or modification of storage accounts that permit public blob access, thereby systematically preventing this vulnerability across your environment.

Why Incorrect

B. Azure Key Vault Managed HSM should have purge protection enabled: This policy applies to Azure Key Vault, not Azure Storage accounts, and is irrelevant to the alert about public container access. C. Storage accounts should prevent shared key access: This policy disables authentication using account access keys, which is a separate security control from anonymous public access settings. D. Storage account keys should not be expired: This is not a standard Azure Policy definition and is related to key rotation practices, not the prevention of public access.

References

1. Microsoft Learn, Azure Policy built-in definitions for Azure Storage: The documentation lists the "Storage account public access should be disallowed" policy. Its description states, "Anonymous public access is a convenient way to share data, but it can also be a security risk. To prevent data breaches, it's recommended to disallow public access to a storage account." This directly aligns with the alert's details.

Source: Microsoft Learn, Azure Policy built-in definitions for Azure Storage, "Storage" section.

2. Microsoft Learn, Remediate recommendations in Microsoft Defender for Cloud: This document explains how security recommendations in Defender for Cloud often have a corresponding Azure Policy that can be used for enforcement. The recommendation "Storage accounts should prevent public access" is directly enforced by the policy in option A.

Source: Microsoft Learn, Security recommendations - a reference guide, "Remediate security recommendations" section.

3. Microsoft Learn, Prevent anonymous public read access to containers and blobs: This documentation details the security risk of public access and recommends disabling it at the account level. It states, "To enforce that anonymous access is disallowed for all storage accounts in a subscription or resource group, assign the Azure Policy 'Storage account public access should be disallowed'."

Source: Microsoft Learn, Blob storage > Data protection > Prevent anonymous public read access to containers and blobs, "Disallow public access for a subscription or resource group" section.

Q: 7

Your company is developing a new Azure App Service web app. You are providing design assistance to verify the security of the web app. You need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection. What should you include in the recommendation?

Options

Discussion

LunaW Feb 25, 2026 3:24 pm

Option D and if anyone wants to dig deeper, the official study guide and practice labs really help clarify these testing types.

Logan F. Feb 21, 2026 3:10 am

I remember similar question on practice test, pretty sure it's B.

Amelia F. Feb 22, 2026 3:09 am

Official guides and practice tests both mention SAST (B) for catching common flaws. It's good for code-level issues like injection. Not sure if it covers configs fully, but worth reviewing in the study materials. Agree?

SeasonedAnalyst7462 Mar 2, 2026 9:09 pm

Why not A here? IAST sounds tempting since it's interactive, but I think D is what usually catches XSS and config issues.

PreciseTester220 Feb 28, 2026 11:07 am

B isn’t right here, D is. DAST actually tests the running app so it can spot XSS or SQLi while the service is live. SAST won’t catch those runtime issues. Pretty sure D is what’s expected, but let me know if you’ve seen otherwise.

Jamie M. Feb 22, 2026 10:05 pm

Option D fits, since DAST hits the live app and checks for real vulnerabilities like XSS or SQL injection. Pretty sure similar questions on practice exams picked D, since SAST doesn't catch runtime issues that well. Anyone see this answered differently?

Luna D. Feb 24, 2026 7:22 pm

D for sure. DAST actively scans the running app so it finds things like XSS and SQLi, which static analysis (B) would probably miss since it doesn't test in real time. Only thing giving me pause is if IAST (A) would ever be enough, but I think D fits this scenario better.

Taylor B. Feb 23, 2026 1:02 pm

Sofia L. Feb 24, 2026 4:48 pm

D. but not totally sure. SAST (B) is more code review, but DAST (D) should catch runtime stuff like XSS and config problems. I think D is right for full vulnerability coverage. Let me know if you see it differently.

Daniel H. Mar 5, 2026 11:09 pm

D tbh, since B (SAST) misses runtime and config stuff like XSS in production. DAST covers those better. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

Dynamic Application Security Testing (DAST) is a "black-box" security testing methodology that analyzes a web application from the outside while it is running. DAST tools simulate attacks against an application to identify vulnerabilities without needing access to the source code. This method is highly effective for detecting runtime vulnerabilities such as cross-site scripting (XSS), SQL injection, and insecure server configurations (e.g., HTTP header issues), which directly matches the requirements of the question. DAST assesses the application from an attacker's perspective, making it the ideal choice for this scenario.

Why Incorrect

A. interactive application security testing (IAST): IAST analyzes the application from within while it runs, often using agents. While effective, DAST is the more direct and standard black-box approach for testing the specified external vulnerabilities.

B. static application security testing (SAST): SAST analyzes the application's source code without executing it. It cannot detect runtime vulnerabilities or insecure server configurations, which are only present in a running application.

C. runtime application self-protection (RASP): RASP is a security technology that protects an application in real-time by detecting and blocking attacks. It is a protection mechanism, not a testing tool for identifying vulnerabilities.

References

1. Microsoft Cloud Adoption Framework

"Security in the DevOps (DevSecOps)": This document describes different application security testing methods. It states

"Dynamic Application Security Testing (DAST) analyzes running web applications and services for security vulnerabilities. DAST tools interact with the application like a malicious user would... Common vulnerabilities found by DAST tools include cross-site scripting

and SQL injection." This directly supports the use of DAST for the specified vulnerabilities.

Source: Microsoft Docs

Cloud Adoption Framework > Strategy > Define a security strategy > Security in the DevOps (DevSecOps).

2. Microsoft Security Development Lifecycle (SDL)

"Practice #10: Perform Dynamic Analysis Security Testing": The SDL

a foundational Microsoft security process

explicitly recommends DAST. It describes DAST as a method that "finds security vulnerabilities in a running web application by presenting it with a series of malicious inputs."

Source: Microsoft Security Development Lifecycle > SDL Practices > Verification > Practice #10: Perform Dynamic Analysis Security Testing.

3. OWASP

"DAST": The Open Web Application Security Project (OWASP)

a widely respected authority

defines DAST as a process of testing an application from the outside. It notes

"DAST is a black-box security testing methodology in which an application is tested from the outside."

Source: owasp.org

search for "DAST".

Q: 8

You have an Azure subscription. You plan to deploy Azure App Services apps by using Azure DevOps. You need to recommend a solution to ensure that deployed apps maintain compliance with Microsoft cloud security benchmark (MCSB) recommendations. What should you include in the recommendation?

Options

Discussion

Ryan E. Mar 2, 2026 4:52 am

Its A. I figured DevOps security in Defender for Cloud tracks compliance for apps as they’re deployed. Compliance checks seem like a thing you'd want in your deployment pipeline anyway, not just after. Is there something I'm missing with Azure Policy here?

Jack R. Feb 26, 2026 9:20 am

D , since Azure Policy actually enforces those MCSB rules at the resource level no matter how you deploy. It's not just a DevOps thing-policy applies even if someone does a manual deployment. Branch policies in DevOps (C) can't guarantee compliance after deployment. Feel free to challenge if anyone sees it differently.

Maya Feb 21, 2026 2:27 pm

PreciseLead180 Feb 16, 2026 12:21 am

D is the move here since Azure Policy actually enforces compliance with MCSB across deployed resources, not just in the pipeline. Branch policies (C) only cover code merge, not post-deploy resource config. Pretty sure this is what Microsoft expects for ongoing enforcement but open to other thoughts if I missed something.

FriendlySec5748 Feb 20, 2026 2:34 pm

CarefulNeteng7330 Feb 24, 2026 2:00 pm

Had something like this in a mock, picked D. Azure Policy is built for enforcing compliance like MCSB after deployment, not just during CI/CD. Pretty sure that's what they're after here, unless you only care about pipeline side.

Daniel W. Feb 25, 2026 10:00 am

I don't think it's D. A sounds more specific to DevOps pipelines since "DevOps security in Microsoft Defender for Cloud" should give some compliance integration directly in the CI/CD process. Saw a similar question focus on Defender controls during deployment, not ongoing enforcement.

Ishaan P. Feb 14, 2026 7:31 pm

A is wrong, it's D. Official study guide and Azure sandbox labs both push Azure Policy for resource compliance, especially for MCSB. Saw similar approach in practice sets.

SkylerQ Feb 16, 2026 5:36 pm

PreciseLearner56 Feb 21, 2026 7:32 am

If you want the apps to meet MCSB standards automatically, that's Azure Policy (D). Other options just don't enforce compliance at deployment.

Be respectful. No spam.

Correct Answer:

Explanation

Azure Policy is the primary Azure service for implementing governance and ensuring compliance. It allows you to create, assign, and manage policies that enforce rules over your resources. The Microsoft cloud security benchmark (MCSB) is available as a built-in policy initiative within Azure Policy. By assigning this initiative to the relevant scope (e.g., the subscription or resource groups where App Services are deployed), you can continuously audit the configuration of the deployed apps against MCSB recommendations. Azure Policy can also be set to "Deny" non-compliant deployments, ensuring that any app deployed through Azure DevOps or any other method must adhere to the benchmark to be created or updated.

Why Incorrect

A. DevOps security in Microsoft Defender for Cloud: This provides security posture visibility and threat detection within the DevOps pipeline and code, not for enforcing compliance on deployed Azure resources.

B. Microsoft Defender for App Service: This is a threat detection service that identifies attacks against running applications; it does not enforce configuration compliance against a benchmark.

C. a branch policy in Azure DevOps: This enforces rules on the source code repository and pull request process, not on the configuration of the final deployed Azure resources.

References

1. Azure Policy and MCSB: Microsoft Learn

"Overview of the Microsoft cloud security benchmark (v1)". Under the "Monitor compliance" section

it states

"You can monitor your compliance with this benchmark by using the Microsoft cloud security benchmark initiative in Azure Policy."

2. Azure Policy for Governance: Microsoft Learn

"What is Azure Policy?". The introduction states

"Azure Policy is a service in Azure that you use to create

assign

and manage policies. These policies enforce different rules and effects over your resources

so those resources stay compliant with your corporate standards and service level agreements."

3. DevOps Security in Defender for Cloud: Microsoft Learn

"DevOps security". The overview explains

"The DevOps security workload in Defender for Cloud unifies security management... to provide full visibility into your application development lifecycle and security posture from code to cloud." This highlights its focus on the pipeline

not the deployed resource's compliance state.

4. Microsoft Defender for App Service: Microsoft Learn

"Protect your Azure App Service web apps and APIs". The documentation states

"Microsoft Defender for App Service uses the scale of the cloud to identify attacks targeting applications running over App Service." This confirms its role in threat detection

not configuration compliance.

Q: 9

Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States. You need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attach surface. What should you include in the recommendation?

Options

Discussion

RobinX Mar 3, 2026 8:24 pm

Makes sense to pick B. Only Azure Application Gateway WAF offers direct bot protection, not just geo filtering like D.

Rowan Feb 27, 2026 10:48 pm

D is wrong, B. WAF gives you bot protection and targeted rules for this use case.

Casey C. Feb 25, 2026 6:18 am

I don’t think it’s B. D could make sense since Traffic Manager and application security groups can restrict access based on geographic routing and segmentation, which might help reduce the overall attack surface. Not sure if it blocks bots directly but for geo-limiting plus reducing exposure, D seems reasonable here. Anyone else see a strong case for B outside of just bot filtering?

Ava X. Feb 22, 2026 10:32 pm

Wouldn't C (NSGs) only handle basic network traffic, not actual bot filtering?

Maya W. Feb 26, 2026 1:00 am

Saw similar on a practice test, pretty sure B is expected. Check the official docs or Microsoft Learn modules too.

Sam P. Feb 18, 2026 2:00 am

Yeah, for stopping bots from scanning web apps, B fits best. Azure Application Gateway WAF has built-in bot protection rules and lets you create custom rules for geo restrictions too. That actually addresses both blocking bots and limiting access by region, so pretty sure B is the most complete answer here. Anyone disagree?

Riley E. Feb 28, 2026 10:26 am

I kinda see why D could work since Traffic Manager can route based on geography and ASGs help segment, so maybe that’s seen as reducing surface area? Doesn’t really block bots specifically but fits if they just want geo-filtering. Not 100% though, someone correct me?

Hannah Feb 20, 2026 7:59 am

B tbh. Azure Application Gateway WAF includes built-in bot protection and custom rules, so it actually scans HTTP requests for malicious activity at the app layer. D is really just for routing and grouping, not for blocking or filtering bots directly. Pretty sure B is what Microsoft wants here, but open to other takes if anyone's got real-world issues with this approach.

NinaR Mar 4, 2026 5:46 am

Why not just use B since Application Gateway WAF is meant for bot protection? D doesn’t block bots, just routes traffic.

Ava Feb 17, 2026 8:03 pm

Probably B. App Gateway WAF can handle bot protection at the app layer, which matches what they're asking-especially since you want to control access at HTTP/S and block known bad bots, not just filter IPs. NSGs and Firewalls are more about network traffic, not app vulnerabilities. If anyone thinks another option fits better for bots specifically, let me know.

Be respectful. No spam.

Correct Answer:

Explanation

Azure Application Gateway with its integrated Web Application Firewall (WAF) is the most appropriate solution. The WAF component can be configured with a managed bot protection rule set to identify and block malicious bots and scanners. Furthermore, the WAF supports custom rules for geo-filtering, which can restrict access to only users from Europe and the United States, directly minimizing the attack surface as required. This solution is specifically designed to protect web applications, such as Azure App Service, from common exploits, vulnerabilities, and automated threats.

Why Incorrect

A. Azure Firewall Premium: While it offers advanced threat protection, it is a network firewall, not a specialized web application firewall. A WAF is more suitable for protecting against web-specific attacks and bots.

C. network security groups (NSGs): NSGs operate at the network layer (L3/L4) and cannot inspect application traffic to identify or block malicious bots. They lack native geo-filtering capabilities.

D. Azure Traffic Manager and application security groups: Traffic Manager is a DNS-based load balancer and has no security inspection features. Application security groups are for simplifying NSG rules, which are insufficient for this task.

References

1. Microsoft Documentation

"What is Azure Web Application Firewall on Azure Application Gateway?": "Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities... This includes protection against things like malicious bot attacks."

Source: Microsoft Learn

learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

2. Microsoft Documentation

"Bot protection overview": "Azure WAF on Application Gateway provides protection from bot attacks through the OWASP managed bot protection rule set."

Source: Microsoft Learn

learn.microsoft.com/en-us/azure/web-application-firewall/ag/bot-protection-overview

3. Microsoft Documentation

"Custom rules for Web Application Firewall v2 on Azure Application Gateway": This document details the creation of custom rules

including "Geomatch" as a match type. "You can create a custom rule to block or allow traffic from certain countries/regions... This helps you to block requests from geographic locations that are known to be malicious."

Source: Microsoft Learn

learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-rules-overview (See section on Match types and operators).

4. Microsoft Documentation

"Network security groups": "A network security group contains security rules that allow or deny inbound network traffic to

or outbound network traffic from

several types of Azure resources... You can filter traffic by source and destination IP address

port

and protocol." This confirms NSGs operate at L3/L4 and lack application-layer intelligence for bot detection.

Source: Microsoft Learn

learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Q: 10

You have a multicloud environment that contains an Azure subscription, an Amazon Web Services (AWS) subscription, and a Google Cloud Platform (GCP) subscription. You plan to assess data security and compliance. You need to design a Compliance Manager solution that meets the following requirements: • Provides recommended improvement actions that include detailed implementation guidance • Automatically monitors regulatory compliance • Minimizes administrative effort What should you include in the solution?

Options

Discussion

Ethan G. Feb 21, 2026 11:50 pm

A is the better pick. Defender for Cloud actually covers regulatory monitoring and gives actionable recommendations with guidance for all three clouds, not just Azure. D seems like a trap since connectors alone don't automate compliance checks. I think I'm right, but open to other views.

Sanjay G. Feb 20, 2026 7:19 am

C or D? I know Sentinel does a lot for monitoring but not really compliance actions, and those connectors seem only partial. But honestly A (Defender for Cloud) ticks the automation and cross-cloud boxes, right? Not totally sure since sometimes D gets mentioned for Compliance Manager setups. If anyone's got hands-on experience, chime in!

Olivia Feb 27, 2026 7:59 am

Nah, D is just a connector and doesn't handle the automation piece. A works better for multicloud monitoring here.

Jordan N. Feb 19, 2026 6:19 pm

A . Not positive but Defender for Cloud is what handles continuous compliance checks and automated guidance across multiple clouds.

SharpAuditor5559 Feb 20, 2026 5:34 pm

Its A

EthanN Feb 15, 2026 5:21 pm

A is wrong, it's actually A. Defender for Cloud not only scans Azure but also hooks into AWS and GCP, giving compliance recommendations and monitoring out of the box. The connectors (D) just provide data flow, not automated tracking or real guidance. Pretty confident but open to corrections.

Luna E. Feb 25, 2026 12:15 am

Its A. If you want automatic regulatory monitoring across all three clouds, only Defender for Cloud actually does that.

QuietAuditor5488 Feb 20, 2026 4:48 am

Pretty sure it's A for this one. Defender for Cloud integrates with AWS and GCP, does automatic compliance assessments, and gives you improvement actions with guidance. D (the connectors) just let you pull stuff in, they don't actually automate the monitoring part. If anyone thinks D works better here, let me know-but I think A fits all the requirements best.

Karan F. Feb 27, 2026 4:23 am

A tbh, D is tempting but it doesn't actually automate compliance checks across clouds. Saw similar on practice tests.

Nora R. Mar 5, 2026 3:42 am

Makes sense to pick A for this since Defender for Cloud actually does continuous posture assessment across those clouds and spits out remediation steps. D just connects data, not as automated. Pretty sure it's A but open to other arguments.

Be respectful. No spam.

Correct Answer:

Explanation

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solution. It extends its capabilities beyond Azure to multicloud environments, including Amazon Web Services (AWS) and Google Cloud Platform (GCP). By connecting AWS and GCP accounts to Defender for Cloud, you can continuously assess their security posture against regulatory compliance standards. Defender for Cloud automatically provides prioritized security recommendations (improvement actions) with detailed implementation guidance. These assessments and recommendations directly contribute to the technical control status within Microsoft Purview Compliance Manager, thus automating compliance monitoring and minimizing administrative effort for the multicloud environment.

Why Incorrect

B. Microsoft Defender for Cloud Apps: This is a Cloud Access Security Broker (CASB) focused on securing SaaS applications, not the underlying IaaS/PaaS infrastructure of AWS and GCP for regulatory compliance posture.

C. Microsoft Sentinel: This is a SIEM/SOAR solution for threat detection and response. While it can ingest logs from multicloud environments, its primary function is not compliance posture management or providing improvement actions.

D. Compliance Manager connectors: While connectors are a concept, Microsoft Defender for Cloud is the specific, primary service that provides the multicloud CSPM capabilities required to connect AWS and GCP for automated compliance assessment.

References

1. Microsoft Documentation - Microsoft Defender for Cloud: "Connect your AWS accounts to Microsoft Defender for Cloud". This document details how Defender for Cloud integrates with AWS to provide CSPM. It states

"When you connect your AWS accounts to Defender for Cloud

you're integrating AWS Security Hub with Defender for Cloud. Defender for Cloud thus provides visibility and protection across both of these cloud environments to provide: ... Compliance with regulatory standards."

Source: Microsoft Learn

"Connect your AWS accounts to Microsoft Defender for Cloud"

Introduction section.

2. Microsoft Documentation - Microsoft Defender for Cloud: "Connect your GCP projects to Microsoft Defender for Cloud". This document explains the integration with GCP. It mentions

"When you connect your GCP projects to Microsoft Defender for Cloud

you are integrating GCP Security Command Center with Defender for Cloud... You get recommendations from Defender for Cloud that help you protect your resources in line with Microsoft cloud security benchmark."

Source: Microsoft Learn

"Connect your GCP projects to Microsoft Defender for Cloud"

Introduction section.

3. Microsoft Documentation - Microsoft Purview Compliance Manager: "Microsoft Purview Compliance Manager and Microsoft Defender for Cloud". This document explains the integration. It states

"Defender for Cloud's regulatory compliance dashboard provides insights into your compliance posture based on continuous assessments of your Azure and hybrid environments... The integration of Defender for Cloud with Compliance Manager allows you to get a single view of your overall compliance posture."

Source: Microsoft Learn

"Microsoft Purview Compliance Manager and Microsoft Defender for Cloud"

How the integration works section.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE