Download Microsoft Cybersecurity Architect.SC-100.ExamTopics.2026-03-20.277q.vcex
| Vendor: | Microsoft |
| Exam Code: | SC-100 |
| Exam Name: | Microsoft Cybersecurity Architect |
| Date: | Mar 20, 2026 |
| File Size: | 12 MB |
How to open VCEX files?
Files with VCEX extension can be opened by ProfExam Simulator.
Discount: 20%
Demo Questions
Question 1
You have an Azure subscription that contains multiple network security groups (NSGs), multiple virtual machines, and an Azure Bastion host named bastion1.
Several NSGs contain rules that allow direct RDP access to the virtual machines by bypassing bastion1.
You need to ensure that the virtual machines can be accessed only by using bastion1. The solution must prevent the use of NSG rules to bypass bastion1.
What should you include in the solution?
- Azure Virtual Network Manager security admin rules
- Azure Virtual Network Manager connectivity configurations
- Azure Firewall application rules
- Azure Firewall network rules
Correct answer: A
Question 2
You have a Microsoft Entra tenant named contoso.com.
You have an external partner that has a Microsoft Entra tenant named fabnkam.com.
You need to recommend an identity governance solution for contoso.com that meets the following requirements:
- Enables the users in contoso.com and fabrikam.com to communicate by using shared Microsoft Teams channels
- Manages access to shared Teams channels in contoso.com by using groups in fabrikam.com
- Supports single sign-on (SSO)
- Minimizes administrative effort
- Maximizes security
What should you include in the recommendation?
- Cross-tenant synchronization
- Microsoft Entra B2B collaboration
- B2B direct connect
- Microsoft Entra Connect Sync
Correct answer: C
Question 3
You have a multicloud environment that contains Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) subscriptions.
You need to discover and review role assignments across the subscriptions.
What should you use?
- Azure Lighthouse
- Microsoft Defender for Identity
- Microsoft Entra ID Governance
- Microsoft Entra Permissions Management
Correct answer: D
Question 4
Your on-premises network contains an Active Directory Domain Services (AD DS) domain named corp.contoso.com and an AD DS-integrated application named App1.
Your perimeter network contains a server named Server1that runs Windows Server.
You have a Microsoft Entra tenant named contoso.com that syncs with corp.contoso.com.
You plan to implement a security solution that will include the following configurations:
- Manage access to App1 by using Microsoft Entra Private Access.
- Deploy a Microsoft Entra application proxy connector to Server1.
- Implement single sign-on (SSO) for App1 by using Kerberos constrained delegation.
- For Server1, configure the following rules in Windows Defender Firewall with Advanced Security: o Rule1: Allow TCP 443 inbound from a designated set of Azure URLs, o Rule2: Allow TCP 443 outbound to a designated set of Azure URLs, o Rule3: Allow TCP 80 outbound to a designated set of Azure URLs, o Rule4: Allow TCP 389 outbound to the domain controllers on corp.contoso.com.
You need to maximize security for the planned implementation. The solution must minimize the impact on the connector.
Which rule should you remove?
- Rule1
- Rule2
- Rule3
- Rule4
Correct answer: C
Question 5
You have an Azure subscription that contains two virtual machines named VM1 and VM2 and an Azure App Service Standard app named App1. VM1 is used to upload data to App1. App1 stores data on VM2.
You need to secure connectivity between the virtual machines and App1. The solution must minimize the risk of data exfiltration.
What should you use to manage connectivity for App1? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 6
Your company has offices in New York City and Los Angeles.
The New York City office contains an on-premises app named App1.
You have an Azure subscription. The subscription is linked to a Microsoft Entra tenant that is hosted in North America.
You plan to manage access to App1 for the users in the Los Angeles office by using Microsoft Entra Private Access. You will deploy Private Access by performing the following actions:
- Provision an ExpressRoute circuit from the New York City office to the closest peering location.
- Create an Azure virtual network named VNet1 in the East US Azure region.
- Deploy a Microsoft Entra application proxy connector to VNet1.
You need to optimize the network for the planned deployment. The solution must meet the following requirements:
- Maximize redundancy for connectivity to App1.
- Minimize network latency when accessing App1.
- Minimize complexity.
- Minimize costs.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 7
You have an Azure subscription that contains SQL Server on Azure virtual machines located in the West US Azure region. The virtual machines are only accessible by using private IP addresses.
You plan to deploy a Windows-based Azure App Service web apps in the East US Azure region.
You need to recommend a solution to provide the web apps access to the SQL Server databases.
What should you include in the recommendation?
- an Azure VPN gateway
- a private endpoint
- a service endpoint
- an Azure Bastion host
Correct answer: A
Question 8
Your company has a main office and 10 branch offices. Each branch office contains an on-premises file server that runs Windows Server and multiple devices that run either Windows 11 or macOS. The devices are enrolled in Microsoft Intune.
You have a Microsoft Entra tenant.
You need to deploy Global Secure Access to implement web filtering for device traffic to the internet. The solution must ensure that all the web traffic from the devices in the branch offices is controlled by using Global Secure Access.
What should you do first in each branch office?
- Configure an Intune policy to onboard Microsoft Defender for Endpoint to each device.
- Configure an IPsec tunnel on the router.
- Install the Microsoft Entra private network connector on the file server.
- Configure an Intune policy to deploy the Global Secure Access client to each device.
Correct answer: D
Question 9
Your company has 10 branch offices. Each office has a local internet connection that uses a static IP address.
You have an Azure subscription. The subscription contains a storage account named storage1 that stores blobs.
Users in the branch offices access the blobs via the internet.
You need to recommend a solution to ensure that the data in storage1 is accessible only from the branch office static IP addresses. The solution must minimize costs.
What should include in the recommendation?
- Azure Private Link
- an Azure Firewall policy
- Azure Storage firewall rules
- a network security group (NSG)
Correct answer: C
Question 10
You have a Microsoft Entra tenant. The tenant contains 500 Windows devices that have the Global Secure Access client deployed.
You have a third-party software as a service (SaaS) app named App1.
You plan to implement Global Secure Access to manage access to App1.
You need to recommend a solution to manage connections to App1. The solution must ensure that users authenticate by using their Microsoft Entra credentials before they can connect to App1.
What should you include the recommendation?
- a Global Secure Access app
- a private access traffic forwarding profile
- an internet access traffic forwarding profile
- a Quick Access app
Correct answer: A
HOW TO OPEN VCE FILES
Use VCE Exam Simulator to open VCE files
HOW TO OPEN VCEX AND EXAM FILES
Use ProfExam Simulator to open VCEX and EXAM files
ProfExam at a 20% markdown
You have the opportunity to purchase ProfExam at a 20% reduced price
Get Now!