Microsoft Cybersecurity SC-100 Exam Questions 2025


Our SC-100 Exam Questions provide real, up-to-date content for the Microsoft Certified: Cybersecurity Architect Expert certification. Each question is reviewed by certified Microsoft professionals and includes accurate answers with clear explanations to enhance your knowledge of cybersecurity architecture, risk management, and defense strategies. With access to our exam simulator, you can practice under real exam conditions and confidently prepare to pass on your first attempt.

 

Exam Questions

Question 1

For an Azure deployment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark. You need to recommend a best practice for implementing service accounts for Azure API Management. What should you include in the recommendation?
Options
A: device registrations in Azure AD
B: application registrations in Azure AD
C: Azure service principals with certificate credentials
D: Azure service principals with usernames and passwords
E: managed identities in Azure
Correct Answer:
managed identities in Azure
Explanation
The Microsoft Cloud Security Benchmark (MCSB) strongly recommends using managed identities for Azure resources wherever possible. Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for services like Azure API Management. This approach is superior because it eliminates the need for developers to manage credentials (like secrets, passwords, or certificates) in code or configuration files. Azure handles the credential lifecycle, including rotation, which significantly enhances security and reduces operational overhead, aligning with modern security best practices for service-to-service authentication.
Why Incorrect Options are Wrong

A. device registrations in Azure AD: Device registration is used to manage and secure end-user devices (e.g., laptops, mobile phones) accessing corporate resources, not for authenticating Azure services.

B. application registrations in Azure AD: While an application registration is a related concept, a managed identity is the specific, recommended implementation for a service's identity, abstracting away the underlying service principal and its credential management.

C. Azure service principals with certificate credentials: This is more secure than passwords but still requires manual or scripted management of the certificate lifecycle (creation, rotation, renewal), which managed identities handle automatically.

D. Azure service principals with usernames and passwords: This is the least secure method and is explicitly discouraged. Storing and managing passwords for service accounts introduces significant security risks, such as credential leakage.

References

1. Microsoft Cloud Security Benchmark v1, Control IM-3: Securely manage application and service identities. The guidance states: "Use managed identities for Azure resources where the feature is available to access other resources. The credential of a managed identity is fully managed by the platform and protected from unauthorized access."

2. Microsoft Learn, "What are managed identities for Azure resources?". This document explains that managed identities are the recommended solution for service-to-service authentication as they eliminate the need for developers to manage credentials. It states, "You don't have to manage credentials. Credentials are not even accessible to you."

3. Microsoft Learn, "How to use managed identities in Azure API Management". This official documentation confirms the applicability and best practice for the specific service in the question. It states, "A managed identity from Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources... Azure manages this identity, so you don't have to provision or rotate any secrets."

Question 2

HOTSPOT You have a Microsoft 365 subscription that is protected by using Microsoft 365 Defender. You are designing a security operations strategy that will use Microsoft Sentinel to monitor events from Microsoft 365 and Microsoft 365 Defender. You need to recommend a solution to meet the following requirements:

  • Integrate Microsoft Sentinel with a third-party security vendor to access information about known malware.
  • Automatically generate incidents when the IP address of a command-and-control server is detected in the events.

What should you configure in Microsoft Sentinel to meet each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

1ST: A THREAT INTELLIGENCE CONNECTOR

2ND: A THREAT DETECTION RULE

Explanation

To integrate third-party security information, such as known malware or command-and-control server IP addresses, into Microsoft Sentinel, you must use a threat intelligence connector. These specialized data connectors are designed to ingest threat indicators from Threat Intelligence Platforms (TIPs) or other external feeds.

Once the threat intelligence data is in Sentinel, you need a mechanism to correlate it with your internal event logs. A threat detection rule (now called an analytics rule) performs this function. You configure a rule that queries your logs for matches against the imported threat indicators. When a match is found, such as traffic to a known malicious IP address, the rule automatically generates an alert and an incident for investigation.

References

Microsoft. (2024). Understand threat intelligence in Microsoft Sentinel. Microsoft Learn. In the "Integrate threat intelligence with connectors" section, it states, "Microsoft Sentinel provides data connectors to ingest threat indicators from a wide variety of sources." This confirms the use of connectors for integration.

Microsoft. (2024). Use threat intelligence to detect threats in Microsoft Sentinel. Microsoft Learn. The document explains, "After you've imported threat indicators into Microsoft Sentinel... use the built-in analytics rules that match your threat indicators with your event logs... The name of the rule is Microsoft Security Threat Intelligence Analytics." This directly links analytics rules (threat detection rules) to generating incidents from threat intelligence data.

Question 3

You have an Azure subscription that contains a Microsoft Sentinel workspace. Your on-premises network contains firewalls that support forwarding event logs in the Common Event Format (CEF). There is no built-in Microsoft Sentinel connector for the firewalls. You need to recommend a solution to ingest events from the firewalls into Microsoft Sentinel. What should you include in the recommendation?
Options
A: an Azure logic app
B: an on-premises Syslog server
C: an on-premises data gateway
D: Azure Data Factory
Correct Answer:
an on-premises Syslog server
Explanation
To ingest Common Event Format (CEF) logs from on-premises devices into Microsoft Sentinel, the standard architecture involves a log forwarder. This forwarder is a dedicated Linux machine, which can be on-premises or an Azure VM, that functions as a Syslog server. The on-premises firewalls are configured to send their CEF-formatted Syslog messages to this server's IP address. The server, equipped with the Azure Monitor Agent (AMA) or the legacy Log Analytics agent, then parses these messages and forwards them securely to the Microsoft Sentinel workspace. This is the officially recommended method for connecting data sources that use the CEF standard without a dedicated connector.
Why Incorrect Options are Wrong

A. an Azure logic app: Logic Apps are used for Security Orchestration, Automation, and Response (SOAR) workflows, not as a primary mechanism for high-volume log ingestion.

C. an on-premises data gateway: This gateway enables services like Power BI and Power Apps to connect to on-premises data sources; it is not used for forwarding Syslog logs to Sentinel.

D. Azure Data Factory: This is a large-scale data integration (ETL/ELT) service and is not the appropriate or efficient tool for real-time security log ingestion from Syslog sources.

References

1. Microsoft Documentation, "Ingest Common Event Format (CEF) logs with the AMA connector": "To connect your CEF-supported appliance to Microsoft Sentinel, you need to deploy a server, known as the log forwarder... The log forwarder receives logs from your appliances over Syslog and forwards them to your Microsoft Sentinel workspace." This document details the setup of a Linux machine to act as this Syslog server/forwarder.

2. Microsoft Documentation, "Plan costs and understand Microsoft Sentinel pricing and billing": Under the "Data collection" section, it mentions, "For some data sources like Syslog, Common Event Format (CEF)... you are required to set up a Log Forwarder on an Azure virtual machine or an on-premises server." This confirms the requirement of a server acting as a Syslog forwarder.

3. Microsoft Documentation, "Connect data sources to Microsoft Sentinel": The overview for connecting external solutions often points to the use of Syslog or CEF via a log forwarder. For CEF, it states, "Connect your external solution using Common Event Format (CEF) to Microsoft Sentinel over Syslog." This directly links the CEF format to the Syslog protocol, which requires a Syslog server to receive the logs before forwarding.

Question 4

You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1. App1 supports authenticating users by using Azure AD credentials. You need to recommend a solution to enable users to authenticate to App1 by using their Azure AD credentials. What should you include in the recommendation?
Options
A: an Azure AD enterprise application
B: a relying party trust in Active Directory Federation Services (AD FS)
C: Azure AD Application Proxy
D: Azure AD B2C
Correct Answer:
an Azure AD enterprise application
Explanation
To integrate a third-party Software as a Service (SaaS) application with Azure Active Directory (Azure AD) for Single Sign-On (SSO), the standard and recommended method is to configure it as an enterprise application within the Azure AD tenant. This process involves adding the application from the Azure AD gallery (if it's a pre-integrated app) or registering it as a non-gallery application. Once registered, you can configure SSO using protocols like SAML or OpenID Connect, assign users and groups, and apply Conditional Access policies to secure access. This provides a seamless authentication experience for users, allowing them to sign in with their existing Azure AD credentials.
Why Incorrect Options are Wrong

B. a relying party trust in Active Directory Federation Services (AD FS): AD FS is an on-premises federation service. While it can enable SSO, it is not the direct, cloud-native solution for an Azure AD tenant integrating with a SaaS app.

C. Azure AD Application Proxy: This service is designed to provide secure remote access and SSO to on-premises web applications, not for integrating with external, cloud-based SaaS applications.

D. Azure AD B2C: This is a separate identity management service for customer-facing applications (Business-to-Consumer). It is used for managing consumer identities, not for employee access to corporate applications.

References

1. Microsoft Learn | Azure Active Directory Documentation: "What is application management in Azure Active Directory?". This document states, "Application management in Azure Active Directory (Azure AD) is the process of creating, configuring, managing, and monitoring applications in the cloud. When an application is registered in an Azure AD tenant, it's called an enterprise application." It further explains that this is the method for integrating SaaS applications.

2. Microsoft Learn | Azure Active Directory Documentation: "Quickstart: Add an enterprise application". This guide details the steps for adding a SaaS application to Azure AD for SSO. Under the "Prerequisites" section, it clearly states the purpose: "To configure single sign-on for an application in your Azure AD tenant."

3. Microsoft Learn | Azure Active Directory Documentation: "Remote access to on-premises apps through Azure AD Application Proxy". This document defines the purpose of Application Proxy: "Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications." This confirms it is not for SaaS app integration.

4. Microsoft Learn | Azure Active Directory B2C Documentation: "What is Azure Active Directory B2C?". The overview states, "Azure Active Directory B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day." This distinguishes its purpose from managing employee access.

Question 5

HOTSPOT You have an Azure SQL database named DB1 that contains customer information. A team of database administrators has full access to DB1. To address customer inquiries, operators in the customer service department use a custom web app named App1 to view the customer information. You need to design a security strategy for DB1. The solution must meet the following requirements:

  • When the database administrators access DB1 by using SQL management tools, they must be prevented from viewing the content of the Credit Card attribute of each customer record.
  • When the operators view customer records in App1, they must view only the last four digits of the Credit Card attribute.

What should you include in the design? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:
Explanation

The security strategy requires two distinct controls for two different user roles:

  1. For the database administrators: The goal is to prevent even high-privilege users like DBAs from viewing sensitive data in plaintext. Always Encrypted achieves this by encrypting data within the client application before it's sent to the database. The encryption keys are managed by the client and are never exposed to the database engine or its administrators. This creates a clear separation between data owners and data managers, fulfilling the requirement.
  2. For the operators: The requirement is to show only a portion of the sensitive data (the last four digits). Dynamic Data Masking (DDM) is designed for this exact purpose. It works by obfuscating data in query results for specified users without changing the actual data stored in the database. A masking function can be applied to the Credit Card column to display it in the format xxxx-xxxx-xxxx-1234 for the operators' application user.

Transparent Data Encryption (TDE) is incorrect because it encrypts the entire database at rest but is transparent to authorized users like DBAs, who could still view the data. Row-Level Security (RLS) is incorrect as it filters which rows a user can see, rather than masking the data within a column.

References

Microsoft. (2023). Always Encrypted - Azure SQL Database & SQL Managed Instance. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine

Reference Point: In the "Benefits" section, it states, "Always Encrypted enables clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine... This provides a separation between those who own the data... and those who manage the data... but should have no access." This directly supports its use for protecting data from DBAs.

Microsoft. (2023). Dynamic Data Masking. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking

Reference Point: The documentation states, "Dynamic data masking (DDM) limits sensitive data exposure by masking it to non-privileged users... For example, a user in a call center may be able to identify a caller by several digits of their social security number or credit card number, but those data items shouldn't be fully exposed to the call center employee." This aligns perfectly with the requirement for operators.

Microsoft. (2024). Row-Level Security. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sql/relational-databases/security/row-level-security

Reference Point: The introductory paragraph clarifies that RLS enables "control over access to rows in a database table... RLS simplifies the design and coding of security in your application. RLS helps you implement restrictions on data row access." This confirms it is for row filtering, not column masking.

Question 6

You have a Microsoft 365 subscription. You need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices. Which two services should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Options
A: Microsoft Defender for Cloud Apps
B: Azure AD Application Proxy
C: Azure Data Catalog
D: Azure AD Conditional Access
E: Microsoft Purview Information Protection
Correct Answer:
Microsoft Defender for Cloud Apps, Azure AD Conditional Access
Explanation
This solution requires a two-part mechanism. First, Azure AD Conditional Access is used to identify the context of the access attempt. A policy is configured to target users accessing SharePoint Online from devices that are not hybrid Azure AD joined or marked as compliant (i.e., unmanaged). Second, instead of blocking access entirely, the Conditional Access policy redirects the session to Microsoft Defender for Cloud Apps by using the "Use Conditional Access App Control" session control. Defender for Cloud Apps then acts as a reverse proxy, applying a session policy specifically configured to monitor the user's activity and block any file download attempts, thus fulfilling the requirement without completely blocking access to the application.
Why Incorrect Options are Wrong

B. Azure AD Application Proxy: This service is used to provide secure remote access to on-premises web applications, not for controlling access to cloud services like SharePoint Online.

C. Azure Data Catalog: This is a data governance service for data source discovery and metadata management. It is not involved in real-time access control or session policies.

E. Microsoft Purview Information Protection: This service classifies and protects documents and emails by applying labels and encryption. While it can protect data after download, it does not natively block the download action based on device state.

References

1. Microsoft Learn, "Protect with Microsoft Defender for Cloud Apps Conditional Access App Control": This document states, "Conditional Access App Control enables you to monitor and control user app access and sessions in real time... For example, if a user is on an unmanaged device... you can block them from downloading sensitive files." It further explains the integration: "Conditional Access App Control... is uniquely integrated with Azure AD Conditional Access." (See the "How it works" section).

2. Microsoft Learn, "Deploy Conditional Access App Control for featured apps": This guide details the prerequisite steps, which include configuring an identity provider (Azure AD) and then creating the necessary policies. It explicitly shows how a Conditional Access policy is the entry point that routes traffic to Defender for Cloud Apps for session control. (See the "Prerequisites" and "To deploy Conditional Access App Control for SharePoint" sections).

3. Microsoft Learn, "Create session policies in Microsoft Defender for Cloud Apps": This document describes how to create the policy that performs the action. Under the "To create a new session policy" section, it lists "Block download" as a "Session control type" and provides a template named "Block download based on real-time content inspection." This policy is applied after the session is routed from Azure AD Conditional Access.

Question 7

You have an Azure subscription. Your company has a governance requirement that resources must be created in the West Europe or North Europe Azure regions. What should you recommend using to enforce the governance requirement?
Options
A: regulatory compliance standards in Microsoft Defender for Cloud
B: custom Azure roles
C: Azure Policy assignments
D: Azure management groups
Correct Answer:
Azure Policy assignments
Explanation
Azure Policy is the native Azure service designed to create, assign, and manage policies that enforce rules and effects over your resources. To meet the governance requirement of restricting resource creation to specific regions, you can use the built-in "Allowed locations" policy definition. By creating a policy assignment at the subscription scope and configuring it to allow only 'West Europe' and 'North Europe' with the Deny effect, any attempt to create a resource in a non-approved region will be blocked, thus enforcing the requirement.
Why Incorrect Options are Wrong

A. regulatory compliance standards in Microsoft Defender for Cloud: Defender for Cloud assesses and reports on compliance against standards; it does not directly enforce resource creation rules like location restrictions.

B. custom Azure roles: Azure roles (RBAC) control user permissions and actions (the 'what'), not the configuration or properties (like location) of the resources being created.

D. Azure management groups: Management groups are a scoping mechanism used to apply policies and access controls across multiple subscriptions, but they do not enforce rules themselves. The policy is the enforcement tool.

References

1. Microsoft Learn, "What is Azure Policy?": This document states, "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources... Common use cases for Azure Policy include... requiring resources to be deployed to specific Azure regions."

Source: Microsoft Documentation, "Overview of Azure Policy".

2. Microsoft Learn, "Tutorial: Create and manage policies to enforce compliance": This tutorial uses the "Allowed locations" policy as a primary example of enforcing organizational standards. It demonstrates assigning the policy with a Deny effect to block resource creation outside of the specified locations.

Source: Microsoft Documentation, "Tutorial: Create and manage policies to enforce compliance", Section: "Assign a policy".

3. Microsoft Learn, "Azure Policy and role-based access control": This document clarifies the distinction: "Role-based access control focuses on user actions at different scopes... Azure Policy focuses on resource properties during deployment and for already existing resources." This confirms that RBAC is incorrect for controlling resource properties like location.

Source: Microsoft Documentation, "Compare Azure Policy and role-based access control".

4. Microsoft Learn, "Organize your resources with Azure management groups": This document explains that management groups provide a scope above subscriptions for applying governance controls. It states, "You can apply policies to a management group that limits the regions where virtual machines (VMs) can be created." This highlights that the management group is a target for the policy, but the policy itself is the enforcement mechanism.

Source: Microsoft Documentation, "What are Azure management groups?".

Question 8

You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant. You need to design a security strategy to meet the following requirements:

  • Users must be able to request access to App1 by using a self-service request.
  • When users request access to App1, they must be prompted to provide additional information about their request.
  • Every three months, managers must verify that the users still require access to App1.

What should you include in the design?
Options
A: Azure AD Application Proxy
B: connected apps in Microsoft Defender for Cloud Apps
C: Microsoft Entra Identity Governance
D: access policies in Microsoft Defender for Cloud Apps
Correct Answer:
Microsoft Entra Identity Governance
Explanation
Microsoft Entra Identity Governance is the suite of capabilities designed to manage the identity and access lifecycle. It directly addresses all the requirements. Entitlement management, a feature within Identity Governance, allows the creation of access packages for applications like App1. These packages enable self-service requests. You can configure these requests to include custom questions to gather justification. Furthermore, the Access Reviews feature allows for scheduling recurring campaigns (e.g., quarterly) where managers must review and recertify their direct reports' continued need for access, ensuring the principle of least privilege is maintained over time.
Why Incorrect Options are Wrong

A. Azure AD Application Proxy is used to publish on-premises web applications for secure remote access, which is not the scenario described.

B. Connected apps in Microsoft Defender for Cloud Apps are for discovering, monitoring, and governing cloud app usage, not for managing the access request and review lifecycle.

D. Access policies in Microsoft Defender for Cloud Apps control user sessions in real-time (e.g., block downloads), but do not manage the initial access request or periodic recertification process.

References

1. Microsoft Entra Identity Governance: "Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources... Key features include Entitlement management [and] Access reviews."

Source: Microsoft Learn, "What is Microsoft Entra ID Governance?", Section: "What can you do with Microsoft Entra ID Governance?".

2. Entitlement Management (Self-Service & Custom Questions): "Microsoft Entra entitlement management can help you manage access to groups, applications, and SharePoint sites for internal users and also for users outside your organization... You can also configure questions that requestors must answer."

Source: Microsoft Learn, "What is Microsoft Entra entitlement management?", Section: "What can I do with entitlement management?".

3. Access Reviews (Manager Verification): "Microsoft Entra access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access... You can ask reviewers (such as business owners or the users themselves) to attest to (or certify) users' need for access."

Source: Microsoft Learn, "What are Microsoft Entra access reviews?", Section: "Why are access reviews important?".

4. Azure AD Application Proxy: "Microsoft Entra application proxy provides secure remote access to on-premises web applications. After a single sign-on to Microsoft Entra ID, users can access both cloud and on-premises applications through an external URL or an internal application portal."

Source: Microsoft Learn, "Remote access to on-premises applications through Microsoft Entra application proxy", Introduction paragraph.

Question 9

DRAG DROP You have a hybrid Azure AD tenant that has pass-through authentication enabled. You are designing an identity security strategy. You need to minimize the impact of brute force password attacks and leaked credentials of hybrid identities. What should you include in the design? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:
Explanation

For brute force password attacks: Extranet Smart Lockout (ESL)

  • Extranet Smart Lockout (ESL) is the direct mechanism designed to protect against password spray and brute-force attacks by intelligently locking out attackers based on risk signals (like unfamiliar locations), while allowing legitimate users to continue signing in. ESL (or its successor, Azure AD Smart Lockout, which integrates with PTA) prevents the cloud attacker from causing an account lockout on the sensitive on-premises AD where the password verification happens with PTA.

For leaked credentials: Azure AD Password Protection

  • Azure AD Password Protection prevents users from setting passwords that are known to be compromised or are on a globally banned list of weak passwords. By preventing the use of passwords already found in data breaches, it directly minimizes the impact of attackers attempting to use leaked credentials against your users. This protection can be extended to the on-premises AD to work with PTA.

References

Azure AD Smart Lockout (for Brute Force Mitigation):

Source: Microsoft Learn, "Prevent attacks using smart lockout."

Detail: "Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in... Smart lockout can be integrated with hybrid deployments that use... pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers." (Conceptual documentation on the feature's role).

Azure AD Password Protection (for Leaked Credential Mitigation):

Source: Microsoft Learn, "Enforce Azure AD Password Protection."

Detail: "Azure AD Password Protection detects and prevents the use of passwords that are known to be compromised, helping to minimize the impact of leaked or weak credentials." (Conceptual documentation section on purpose).

Hybrid Identity Security Principles:

Source: Microsoft Learn, "Steps to secure identities."

Detail: Lists the primary defenses against password attacks, classifying Smart Lockout as the tool for mitigating high-volume sign-in attacks and Password Protection (banned passwords) as the tool for mitigating dictionary and known compromised credentials.

Question 10

HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online. You need to recommend a solution to prevent malicious actors from impersonating the email addresses of internal senders. What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:
Explanation

Microsoft Defender for Office 365 is the dedicated security service for protecting collaboration tools, including Exchange Online, from advanced threats. To prevent malicious actors from impersonating internal senders, you must configure an Anti-phishing policy. This specific policy type includes settings to combat impersonation attacks by allowing administrators to specify internal users (e.g., executives) and domains to protect. When an incoming email appears to be from one of these protected users or domains but originates from an external source, the policy applies protective actions, such as quarantining the message or tagging it as suspicious.

References

Microsoft Learn. (2024). Anti-phishing policies in Microsoft 365. Microsoft Docs. In the section "Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365," it states, "Impersonation is where the sender of an email message looks like a legitimate or expected sender...Impersonation settings are available in anti-phishing policies in Microsoft Defender for Office 365."

Microsoft Learn. (2024). Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. Microsoft Docs. This document details the specific configurations for user and domain impersonation protection within Defender for Office 365 anti-phishing policies. It explicitly states, "In anti-phishing policies in Microsoft Defender for Office 365, you can configure impersonation protection to protect specified recipients from phishing attacks."

Total Questions: 228
Last Update Check: October 03, 2025