SC-100 Certification Practice Question #136

Question

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains 500 Windows 11 devices.

You have a Microsoft 365 subscription and an Azure subscription.

You have a Microsoft Entra tenant that syncs with the domain and is linked to the subscriptions. The devices are Microsoft Entra hybrid joined.

You plan to deploy a solution to mitigate attacks against privileged accounts. The solution will include Microsoft Sentinel rules that will detect attempts to use fake cached credentials.

You need to recommend a solution to create the fake cached credentials on client computers.

What should you recommend?

Accepted Answer

The requirement is to *create* fake cached credentials on client computers so that Sentinel rules can detect attempts to use them. In Microsoft Defender for Identity you apply a Honeytoken tag to dormant decoy user/device accounts; any authentication against them is, by design, malicious and raises a Honeytoken alert that surfaces in Microsoft Defender XDR and can be ingested by Sentinel. MS Learn explicitly describes honeytoken accounts as decoy credentials set up as traps, matching the wording of the question. The Suggested Answer, the unanimous community Most Voted (D), and the top comment (3 👍) all agree, and MS Learn corroborates, so confidence is high. The lone B dissent (deception in Defender for Endpoint) is plausible-sounding but unsupported in this AD DS / Sentinel honeytoken scenario and carries only a single vote.

More SC-100 practice questions