FEFreeExamDumps.in

SC-100 Practice Questions — Page 18

Question 171

You have on-premises Windows 11 devices that have the Global Secure Access client deployed.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online and Exchange Online.

You deploy Microsoft Entra Internet Access from the on-premises network to Microsoft 365. The deployment has the Microsoft 365 profile enabled and contains the following:

• Default traffic policies for Microsoft 365 services

• A linked Conditional Access policy that performs compliant network checks with continuous access evaluation and is applied to all users

• An assignment to all the devices

• An assignment to a remote network associated with the on-premises network

Which Microsoft 365 resources are protected by using continuous access evaluation?

  • A. SharePoint Online only
  • B. Exchange Online only
  • C. both SharePoint Online and Exchange Online

Question 172

You have an Azure subscription that contains multiple network security groups (NSGs), multiple virtual machines, and an Azure Bastion host named bastion1.

Several NSGs contain rules that allow direct RDP access to the virtual machines by bypassing bastion1.

You need to ensure that the virtual machines can be accessed only by using bastion1. The solution must prevent the use of NSG rules to bypass bastion1.

What should you include in the solution?

  • A. Azure Virtual Network Manager security admin rules
  • B. Azure Virtual Network Manager connectivity configurations
  • C. Azure Firewall application rules
  • D. Azure Firewall network rules

Question 173

Your company has 10 branch offices. Each office has a local internet connection that uses a static IP address.

You have an Azure subscription. The subscription contains a storage account named storage1 that stores blobs.

Users in the branch offices access the blobs via the internet.

You need to recommend a solution to ensure that the data in storage1 is accessible only from the branch office static IP addresses. The solution must minimize costs.

What should you include in the recommendation?

  • A. Azure Private Link
  • B. an Azure Firewall policy
  • C. Azure Storage firewall rules
  • D. a network security group (NSG)

Question 174

You plan to deploy a dynamically scaling, Linux-based Azure Virtual Machine Scale Set that will host jump servers. The jump servers will be used by support staff who connect from personal and kiosk devices via the internet. The subnet of the jump servers will be associated to a network security group (NSG).

You need to design an access solution for the Azure Virtual Machine Scale Set. The solution must meet the following requirements:

• Ensure that each time the support staff connects to a jump server, they must request access to the server.

• Ensure that only authorized support staff can initiate SSH connections to the jump servers.

• Maximize protection against brute-force attacks from internal networks and the internet.

• Ensure that users can only connect to the jump servers from the internet.

• Minimize administrative effort.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 175

Your company has a main office and 10 branch offices. Each branch office contains an on-premises file server that runs Windows Server and multiple devices that run either Windows 11 or macOS. The devices are enrolled in Microsoft Intune.

You have a Microsoft Entra tenant.

You need to deploy Global Secure Access to implement web filtering for device traffic to the internet. The solution must ensure that all the web traffic from the devices in the branch offices is controlled by using Global Secure Access.

What should you do first in each branch office?

  • A. Configure an Intune policy to onboard Microsoft Defender for Endpoint to each device.
  • B. Configure an IPsec tunnel on the router.
  • C. Install the Microsoft Entra private network connector on the file server.
  • D. Configure an Intune policy to deploy the Global Secure Access client to each device.

Question 176

You have an Azure subscription that contains SQL Server on Azure virtual machines located in the West US Azure region. The virtual machines are only accessible by using private IP addresses.

You plan to deploy Windows-based Azure App Service web apps in the East US Azure region.

You need to recommend a solution to provide the web apps access to the SQL Server databases.

What should you include in the recommendation?

  • A. an Azure VPN gateway
  • B. a private endpoint
  • C. a service endpoint
  • D. an Azure Bastion host

Question 177

Your company has offices in New York City and Los Angeles.

The New York City office contains an on-premises app named App1.

You have an Azure subscription. The subscription is linked to a Microsoft Entra tenant that is hosted in North America.

You plan to manage access to App1 for the users in the Los Angeles office by using Microsoft Entra Private Access. You will deploy Private Access by performing the following actions:

• Provision an ExpressRoute circuit from the New York City office to the closest peering location.

• Create an Azure virtual network named VNet1 in the East US Azure region.

• Deploy a Microsoft Entra application proxy connector to VNet1.

You need to optimize the network for the planned deployment. The solution must meet the following requirements:

• Maximize redundancy for connectivity to App1.

• Minimize network latency when accessing App1.

• Minimize complexity.

• Minimize costs.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 178

You have an Azure subscription that contains two virtual machines named VM1 and VM2 and an Azure App Service Standard app named App1. VM1 is used to upload data to App1. App1 stores data on VM2.

You need to secure connectivity between the virtual machines and App1. The solution must minimize the risk of data exfiltration.

What should you use to manage connectivity for App1? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Question 179

You have an Azure subscription that contains the resources shown in the following table.

You need to recommend a network security solution for App1. The solution must meet the following requirements:

• Only the virtual machines that are connected to Subnet1 must be able to connect to DB1.

• DB1 must be inaccessible from the internet.

• Costs must be minimized.

What should you include in the recommendation? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Question 180

Your on-premises network contains an Active Directory Domain Services (AD DS) domain named corp.contoso.com and an AD DS-integrated application named App1.

Your perimeter network contains a server named Server1 that runs Windows Server.

You have a Microsoft Entra tenant named contoso.com that syncs with corp.contoso.com.

You plan to implement a security solution that will include the following configurations:

• Manage access to App1 by using Microsoft Entra Private Access.

• Deploy a Microsoft Entra application proxy connector to Server1.

• Implement single sign-on (SSO) for App1 by using Kerberos constrained delegation.

• For Server1, configure the following rules in Windows Defender Firewall with Advanced Security:

  o Rule1: Allow TCP 443 inbound from a designated set of Azure URLs

  o Rule2: Allow TCP 443 outbound to a designated set of Azure URLs

  o Rule3: Allow TCP 80 outbound to a designated set of Azure URLs

  o Rule4: Allow TCP 389 outbound to the domain controllers on corp.contoso.com

You need to maximize security for the planned implementation. The solution must minimize the impact on the connector.

Which rule should you remove?

  • A. Rule1
  • B. Rule2
  • C. Rule3
  • D. Rule4