FEFreeExamDumps.in

SC-100 Practice Questions — Page 5

You have a Microsoft Entra tenant named contoso.com. You have 30 Azure subscriptions that are linked to contoso.com. The tenant contains the management groups shown in the following table.

You need to design a governance solution to manage access to all the Azure Storage accounts across the subscriptions. The solution must meet the following requirements:

• Use custom role-based access control (RBAC) to provide granular access to control plane and data plane operations.

• Minimize administrative effort.

At which scope should you assign the roles, and what is the minimum number of assignments per role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 41

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 hosts a Windows node pool named Pool1 and a Linux node pool named Pool2.

You are designing a pool update strategy for AKS1.

You need to recommend how often to replace the operating system images deployed to the nodes. The solution must meet the following requirements:

• Minimize how long it takes to apply operating system updates once the updates are released.

• Minimize administrative effort.

What should you recommend for each pool? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 42

You have an Azure subscription that contains multiple apps. The apps are deployed by using continuous integration and continuous delivery (CI/CD) pipelines in Azure DevOps.

You need to integrate static application security testing (SAST) and security smoke testing into the pipelines based on Microsoft Cloud Adoption Framework for Azure principles.

At which stage of the CI/CD process should each type of test be integrated? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 43

You have an Azure subscription that contains Azure App Service apps. The apps have the following characteristics:

• The apps are deployed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.

• The apps are deployed to a test environment first, and then to a production environment.

• The source code for the apps is stored in Azure Repos.

You plan to implement DevSecOps controls based on the Microsoft Cloud Adoption Framework for Azure.

You need to recommend testing controls to meet the following requirements:

• All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.

• Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.

Which testing method should you recommend for each stage? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Question 44

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You are developing a DevSecOps strategy.

You need to apply DevSecOps controls for the secure code stage and the secure operations stage. The solution must be based on Microsoft Cloud Adoption Framework for Azure principles.

What should you apply for each stage? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 45

You have an Azure environment that contains multiple workloads deployed across multiple subscriptions.

You need to recommend a solution to assess and improve the security posture of the workloads. The solution must meet the following requirements:

• Use the Microsoft Cloud Adoption Framework for Azure to evaluate compliance with cloud governance policies.

• Use the Azure Well-Architected Framework to secure individual workloads.

What should you include in the recommendation for each requirement? To answer, drag the appropriate recommendations to the correct requirements. Each recommendation may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Question 46

You are designing a ransomware mitigation strategy.

You perform a ransomware risk assessment and identify business-critical assets.

You need to recommend a solution to mitigate ransomware threats. The solution must follow Microsoft security best practices.

Which two actions should you include in the recommendation? Each correct answer presents a complete solution.

NOTE: Each correct answer is worth one point.

  • A. Enable firewall logging for auditing, without restricting inbound or outbound traffic.
  • B. Use extended patching cycles to reduce the risk of update-related service disruptions.
  • C. Implement immutable, offline backups that have restricted access and test restore procedures regularly. ✓
  • D. Deploy Privileged Identity Management (PIM) that uses just-in-time (JIT) access and approval workflows. ✓

You are designing new Azure applications based on security best practices from the Microsoft Cloud Adoption Framework for Azure. Each application will be deployed to a dedicated and secure environment that will contain isolated instances of the following key Azure security resources:

• Azure Key Vault

• Virtual networks

• An Azure subscription

• Azure Policy assignments

• Network security groups (NSGs)

• Role-based access control (RBAC) assignments

You need to recommend which type of environment and which module to use to deploy the applications. The solution must use infrastructure as code (IaC) to deploy each application environment.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 48

You plan to implement an Azure environment based on Microsoft Cloud Adoption Framework for enterprise-scale landing zone architecture principles. The environment will host three apps that have the following characteristics:

• Each app will have a development environment, a test environment, and a production environment.

• Each environment will be managed by a separate team.

• Each app will store its secrets in Azure Key Vault.

You need to recommend how many Azure subscriptions and key vaults to deploy to the application landing zones.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 49

You have a Microsoft 365 subscription that contains a group named Group1. The subscription contains 1,000 Windows devices that are joined to a Microsoft Entra tenant and managed by using Microsoft Intune. All users sign in to the devices by using standard user accounts.

You plan to deploy a new app named App1 to the members of Group1. The Group1 members must have administrative rights to install new versions of App1.

You need to ensure that the Group1 members can install new versions of App1. The solution must follow the principles of Zero Trust.

What should you implement?

  • A. Microsoft Entra Privileged Identity Management (PIM)
  • B. Microsoft Intune Endpoint Privilege Management (EPM) ✓
  • C. Microsoft Local Administrator Password Solution (Microsoft LAPS)
  • D. Microsoft Entra entitlement management