[2026-January-New] Braindump2go SC-100 Dumps VCE Free Share [Q198-Q221]

2026/January Latest Braindump2go SC-100 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SC-100 Real Exam Questions!

QUESTION 198
You have a Microsoft Entra tenant that contains 10 Windows 11 devices and two groups named Group1 and Group2. The Windows 11 devices are joined to the Microsoft Entra tenant and are managed by using Microsoft Intune.
You are designing a privileged access strategy based on the rapid modernization plan (RaMP). The strategy will include the following configurations:
– Each user in Group1 will be assigned a Windows 11 device that will be configured as a privileged access device.
– The Security Administrator role will be mapped to the privileged access security level.
– The users in Group1 will be assigned the Security Administrator role.
– The users in Group2 will manage the privileged access devices.
You need to configure the local Administrators group for each privileged access device. The solution must follow the principle of least privilege.
What should you include in the solution?

A. Only add Group2 to the local Administrators group.
B. Configure Windows Local Administrator Password Solution (Windows LAPS) in legacy Microsoft LAPS emulation mode.
C. Add Group2 to the local Administrators group. Add the user that is assigned the Security Administrator role to the local Administrators group of the user’s assigned privileged access device.

Answer: C
Explanation:
Separate and manage privileged accounts
Emergency access accounts
What: Ensure that you are not accidentally locked out of your Microsoft Entra organization in an emergency situation.
Why: Emergency access accounts are rarely used and highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. Ensure you have a plan for continuity of access that accommodates both expected and unexpected events.
Reference:
https://learn.microsoft.com/en-us/security/privileged-access-workstations/security-rapid-modernization-plan

QUESTION 199
You have an Azure subscription.
You plan to deploy enterprise-scale landing zones based on the Microsoft Cloud Adoption Framework for Azure. The deployment will include a single platform landing zone for all shared services and three application landing zones that will each host a different Azure application.
You need to recommend which resource to deploy to each landing zone. The solution must meet the Cloud Adoption Framework best-practice recommendations for enterprise-scale landing zones.
What should you recommend?

A. an Azure firewall
B. an Azure virtual network gateway
C. an Azure Private DNS zone
D. an Azure key vault

Answer: C
Explanation:
Landing zones and Azure regions
Azure landing zones consist of a set of resources and configuration. Some of these items, like management groups, policies, and role assignments, are stored at either a tenant or management group level within the Azure landing zone architecture. These resources aren’t deployed to a particular region and instead are deployed globally. However, you still need to specify a deployment region because Azure tracks some of the resource metadata in a regional metadata store.
If you deploy a networking topology, you also need to select an Azure region to deploy the networking resources to. This region can be different from the region that you use for the resources listed in the preceding list. Depending on the topology you select, the networking resources that you deploy might include:
Azure Virtual WAN, including a Virtual WAN hub
Azure virtual networks
VPN gateway
Azure ExpressRoute gateway
Azure Firewall
Azure DDoS Protection plans
*-> Azure private DNS zones, including zones for Azure Private Link
Resource groups, to contain the preceding resources
Reference:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions

QUESTION 200
You have 10 Azure subscriptions that contain 100 role-based access control (RBAC) role assignments.
You plan to consolidate the role assignments.
You need to recommend a solution to identify which role assignments were NOT used during the last 90 days. The solution must minimize administrative effort.
What should you include in the recommendation?

A. Microsoft Defender for Cloud
B. Microsoft Entra access reviews
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Permissions Management

Answer: D
Explanation:
Microsoft Entra Permissions Management is designed to manage and monitor permissions across multiple cloud environments, including Azure. It provides insights into permissions, allowing you to identify unused role assignments over a specified period, like the last 90 days. This solution helps you track permissions, detect unused roles, and optimize role assignments across subscriptions, minimizing administrative effort by offering automated recommendations for role consolidation.

QUESTION 201
You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain. You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).
You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.
You need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.
What should you do?

A. From Azure Backup, configure multi-user authorization by using Resource Guard.
B. From Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
C. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
D. From a Recovery Services vault, generate a security PIN for critical operations.

Answer: A
Explanation:
MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.
Reference:
https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

QUESTION 202
Hotspot Question
You have an Azure subscription that contains multiple apps. The apps are managed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.
You need to recommend DevSecOps controls for the Commit the code and the Build and test CI/CD process stages based on the Microsoft Cloud Adoption Framework for Azure.
Which testing method should you recommend for each stage? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Static application security testing (SAST)
Commit the code

Box 2: Dynamic application security testing (DAST)
Build and test
Reference:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls

QUESTION 203
Hotspot Question
You have 1,000 on-premises servers that run Windows Server 2022 and 500 on-premises servers that run Linux.
You have an Azure subscription that contains the following resources:
– A Log Analytics workspace
– A Microsoft Defender Cloud Security Posture Management (CSPM) plan
You need to deploy Update Management for the servers.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Microsoft Defender for Servers Plan 2
Incorrect:
* An Azure Automation account
Update Manager offers many new features and provides enhanced and native functionalities. Following are some of the benefits:
* Provides native experience with zero on-boarding.
– No dependency on Log Analytics and Azure Automation.
– Etc.
* Etc.
Box 2: Azure connected machine agent
For the Azure Update Manager, both AMA and MMA aren’t a requirement to manage software update workflows as it relies on the Microsoft Azure VM Agent for Azure VMs and Azure connected machine agent for Arc-enabled servers.
Reference:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan
https://learn.microsoft.com/en-us/azure/update-manager/overview
https://learn.microsoft.com/en-us/azure/update-manager/migration-overview

QUESTION 204
Hotspot Question
You have an Active Directory Domain Services (AD DS) domain that contains a virtual desktop infrastructure (VDI). The VDI uses non-persistent images and cloned virtual machine templates. VDI devices are members of the domain.
You have an Azure subscription that contains an Azure Virtual Desktop environment. The environment contains host pools that use a custom golden image. All the Azure Virtual Desktop deployments are members of a single Microsoft Entra Domain Services domain.
You need to recommend a solution to deploy Microsoft Defender for Endpoint to the hosts. The solution must meet the following requirements:
– Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence.
– Ensure that the Microsoft Defender portal contains a single entry for each deployed VDI host.
– Minimize administrative effort.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi

QUESTION 205
Hotspot Question
You have an Azure subscription that contains multiple Azure Storage blobs and Azure Files shares.
You need to recommend a security solution for authorizing access to the blobs and shares. The solution must meet the following requirements:
– Support access to the shares by using the SMB protocol.
– Limit access to the blobs to specific periods of time.
– Include authentication support when possible.
What should you recommend for each resource? To answer, select the options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Account shared access signature (SAS)
Azure Storage blobs
Limit access to the blobs to specific periods of time
Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.
Box 2: Service shared access signature (SAS)
Azure Files shares
Support access to the shares by using the SMB protocol.
A shared access signature can take one of the following two forms:
* Ad hoc SAS. When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI. Any type of SAS can be an ad hoc SAS.
*-> Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy.
Reference:
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

QUESTION 206
Drag and Drop Question
You need to design a solution to accelerate a Zero Trust security implementation. The solution must be based on the Zero Trust Rapid Modernization Plan (RaMP).
Which three initiatives should you include in the solution, and in which order should you implement the initiatives? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview
https://learn.microsoft.com/en-us/security/zero-trust/data-compliance-gov-data

QUESTION 207
You have a Microsoft 365 subscription.
You have an Azure subscription.
You need to implement a Microsoft Purview communication compliance solution for Microsoft Teams and Yammer. The solution must meet the following requirements:
– Assign compliance policies to Microsoft 365 groups based on custom Microsoft Exchange Online attributes.
– Minimize the number of compliance policies.
– Minimize administrative effort.
What should you include in the solution?

A. Microsoft Purview Information Protection
B. Microsoft 365 Defender user tags
C. adaptive scopes
D. administrative units

Answer: C
Explanation:
When you create a communication compliance policy or a policy for retention, you can create or add an adaptive scope for your policy. A single policy can have one or many adaptive scopes.
An adaptive scope uses a query that you specify, so you can define the membership of users or groups included in that query. These dynamic queries run daily against the attributes or properties that you specify for the selected scope. You can use one or more adaptive scopes with a single policy.
Reference:
https://learn.microsoft.com/en-us/purview/purview-adaptive-scopes

QUESTION 208
You have a Microsoft Entra tenant named contoso.com.
You have an external partner that has a Microsoft Entra tenant named fabrikam.com.
You need to recommend an identity governance solution for contoso.com that meets the following requirements:
– Enables the users in contoso.com and fabrikam.com to communicate by using shared Microsoft Teams channels
– Manages access to shared Teams channels in contoso.com by using groups in fabrikam.com
– Supports single sign-on (SSO)
– Minimizes administrative effort
– Maximizes security
What should you include in the recommendation?

A. Cross-tenant synchronization
B. Microsoft Entra B2B collaboration
C. B2B direct connect
D. Microsoft Entra Connect Sync

Answer: C
Explanation:
B2B direct connect is a feature of Microsoft Entra External ID that lets you set up a mutual trust relationship with another Microsoft Entra organization for seamless collaboration. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each other’s organizations as guests.
Use B2B direct connect to share resources with external Microsoft Entra organizations. Or use it to share resources across multiple Microsoft Entra tenants within your own organization.
B2B direct connect requires a mutual trust relationship between two Microsoft Entra organizations to allow access to each other’s resources. Both the resource organization and the external organization need to mutually enable B2B direct connect in their cross-tenant access settings. When the trust is established, the B2B direct connect user has single sign-on access to resources outside their organization using credentials from their home Microsoft Entra organization.
Reference:
https://learn.microsoft.com/en-us/entra/external-id/b2b-direct-connect-overview

QUESTION 209
You have a multicloud environment that contains Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) subscriptions.
You need to discover and review role assignments across the subscriptions.
What should you use?

A. Azure Lighthouse
B. Microsoft Defender for Identity
C. Microsoft Entra ID Governance
D. Microsoft Entra Permissions Management

Answer: D
Explanation:
Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) product that provides comprehensive visibility and control over permissions for any identity and any resource in Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).
Reference:
https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-permissions-management

QUESTION 210
You have multiple Azure subscriptions that each contain multiple resource groups.
You need to identify the privileged role assignments in each subscription and any associated security risks. The solution must minimize administrative effort.
What should you use?

A. access reviews in Privileged Identity Management (PIM)
B. access reviews in Microsoft Entra ID Identity Governance
C. Microsoft Defender External Attack Surface Management (Defender EASM) discovery
D. the Analytics dashboard in Microsoft Entra Permissions Management

Answer: A
Explanation:
List role assignments at a scope
Important
Azure role assignment integration with Privileged Identity Management is currently in PREVIEW.
Follow these steps:
1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.
2. Click the specific resource.
3. Click Access control (IAM).
4. Click the Role assignments tab to view the role assignments at this scope.
Reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal

QUESTION 211
Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a hybrid deployment between a Microsoft Exchange Server 2019 organization and an Exchange Online tenant. The AD DS domain contains a group named Group1. Group1 is a member of the Organization Management role group for the Exchange deployment.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender.
You have an Azure subscription that uses Microsoft Sentinel.
You need to recommend a solution to ensure that Group1 is marked as a sensitive group and that any changes made to Group1 raise an alert in Microsoft Sentinel. The solution must minimize administrative effort.
What should you include in the recommendation?

A. Microsoft Defender for Identity
B. Microsoft Entra ID Protection
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Defender for Office 365

Answer: A
Explanation:
Alert changes to sensitive AD groups using MDI (Microsoft Defender for Identity)
Microsoft Defender for Identity is a very powerful tool when it comes to tracking changes to users and groups in your on-premises Active Directory. When used in combination with the advanced hunting capabilities available in the Microsoft 365 Defender portal and custom detection rules, you can very easily automate the change tracking.
If you protect any on-premises Active Directory, you should be aware of changes to any privileged groups. Microsoft itself lists a few of them in its Active Directory Domain Services documentation, and the Defender for Identity documentation adds additional ones.
Reference:
https://cloudbrothers.info/en/alert-sensitive-ad-groups-mdi/

QUESTION 212
You have a Microsoft 365 subscription that contains 1,000 users and a group named Group1. All the users have Windows 11 devices. The users sign in to their devices by using their Microsoft Entra account. The users do NOT have administrative rights to their devices.
The members of Group1 remotely assist the users by taking control of user sessions. The remote control sessions run in the security context of the users they are assisting.
You need to recommend a solution that will enable the Group1 members to run apps that require administrative rights to the users’ devices. The solution must ensure that the apps are run in the context of each signed-in standard user.
What should you include in the recommendation?

A. Windows Local Administrator Password Solution (Windows LAPS)
B. Microsoft Entra Permissions Management
C. Microsoft Intune Endpoint Privilege Management
D. Privileged Identity Management (PIM) in Microsoft Entra ID

Answer: C
Explanation:
With Microsoft Intune Endpoint Privilege Management (EPM) your organization’s users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.
Endpoint Privilege Management supports your Zero Trust journey by helping your organization achieve a broad user base running with least privilege, while allowing users to still run tasks allowed by your organization to remain productive. For more information, see Zero Trust with Microsoft Intune.
Reference:
https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview

QUESTION 213
You have a Microsoft 365 subscription and an Azure subscription. Microsoft Defender XDR and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?

A. app registrations in the Microsoft Entra tenant
B. OAuth app policies in Microsoft Defender for Cloud Apps
C. app protection policies in Microsoft Endpoint Manager
D. application control policies in Microsoft Defender for Endpoint

Answer: D
Explanation:
Microsoft Defender for Endpoint includes application control policies that allow you to define which applications are authorized to run on a machine.
This can help block any unauthorized applications and provide an approval mechanism, ensuring that only approved software is allowed to run.
The solution aligns with the requirement to block unauthorized applications from running on the virtual machines automatically until approved by an administrator.

QUESTION 214
You have a Microsoft 365 subscription that contains 1,000 users. Each user is assigned a Microsoft 365 E5 license.
The subscription uses sensitivity labels to classify corporate documents. All the users have Windows 11 devices that are onboarded to Microsoft Defender for Endpoint and are configured to sync files to Microsoft OneDrive.
You need to prevent the users from uploading the documents from OneDrive to external websites.
What should you include in the solution?

A. Microsoft Purview Information Protection
B. Microsoft Purview data loss prevention (DLP)
C. web content filtering in Defender for Endpoint
D. an endpoint security policy

Answer: B
Explanation:
Microsoft Purview Data Loss Prevention (DLP) policies help protect sensitive information by preventing data leakage and restricting data sharing, even across cloud platforms. By using DLP, you can define rules that prevent users from uploading classified documents, such as those with sensitivity labels, from OneDrive to unauthorized external websites. DLP policies can control actions like copy, download, and upload based on content classification, location, and user context.

QUESTION 215
You have a Microsoft Entra tenant. The tenant contains 500 Windows devices that have the Global Secure Access client deployed.
You have a third-party software as a service (SaaS) app named App1.
You plan to implement Global Secure Access to manage access to App1.
You need to recommend a solution to manage connections to App1. The solution must ensure that users authenticate by using their Microsoft Entra credentials before they can connect to App1.
What should you include in the recommendation?

A. a Global Secure Access app
B. a private access traffic forwarding profile
C. an internet access traffic forwarding profile
D. a Quick Access app

Answer: A
Explanation:
A Global Secure Access app is the best solution to manage access to a third-party SaaS application, such as App1. By configuring this app within Microsoft Entra, you can enforce authentication policies that require users to sign in with their Microsoft Entra credentials before accessing the SaaS application. This setup provides centralized access management and secure access controls, and ensures consistent user authentication for App1.

QUESTION 216
You have a Microsoft 365 tenant that contains two groups named Group1 and Group2.
You use Microsoft Defender XDR to manage the tenants of your company’s customers.
You need to ensure that the users in Group1 can perform security tasks in the tenant of each customer. The solution must meet the following requirements:
– The Group1 users must only be assigned the Security Operator role for the customer tenants.
– The users in Group2 must be able to assign the Security Operator role to the Group1 users for the customer tenants.
– The use of guest accounts must be minimized.
– Administrative effort must be minimized.
What should you include in the solution?

A. multi-user authorization (MUA)
B. Azure Lighthouse
C. Privileged Identity Management (PIM)
D. Microsoft Entra B2B collaboration

Answer: B
Explanation:
Azure Lighthouse includes multiple ways to help streamline engagement and management:
* Azure delegated resource management: Manage your customers’ Azure resources securely from within your own tenant, without having to switch context and control planes. Customer subscriptions and resource groups can be delegated to specified users and roles in the managing tenant, with the ability to remove access as needed.
* Etc.
Reference:
https://learn.microsoft.com/en-us/azure/lighthouse/overview

QUESTION 217
You have a Microsoft 365 subscription that contains 1,000 Microsoft Exchange Online mailboxes.
Incoming email from the internet is scanned for security threats by using a third-party cloud service.
You are evaluating whether to replace the third-party service with Microsoft Defender for Office 365.
What should you modify to ensure that all the incoming email is scanned by Defender for Office 365 only?

A. the accepted domains in Exchange Online
B. the DNS records
C. the Exchange Online transport rule
D. the Exchange Online connectors

Answer: D
Explanation:
Configure mail flow using connectors in Exchange Online
Connectors are a collection of instructions that customize the way your email flows to and from your Microsoft 365 or Office 365 organization.
What do connectors do?
Connectors are used in the following scenarios:
Enable mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment (also known as on-premises email servers).
*-> Apply security restrictions or controls to email that’s sent between your Microsoft 365 or Office 365 organization and a business partner or service provider.
Relay mail from devices, applications, or other non-mailbox entities in your on-premises environment through Microsoft 365 or Office 365.
Avoid graylisting that would otherwise occur due to the large volume of mail that’s regularly sent between your Microsoft 365 or Office 365 organization and your on-premises environment or partners.
Reference:
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow

QUESTION 218
Hotspot Question
You have an Azure subscription that contains a Microsoft Sentinel workspace named MSW1. MSW1 includes 50 scheduled analytics rules.
You need to design a security orchestration automated response (SOAR) solution by using Microsoft Sentinel playbooks. The solution must meet the following requirements:
– Ensure that expiration dates can be configured when a playbook runs.
– Minimize the administrative effort required to configure individual analytics rules.
What should you use to invoke the playbooks, and which type of Microsoft Sentinel trigger should you use? To answer, select the options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Automation rules
You can respond to threats by using playbooks with automation rules in Microsoft Sentinel
Box 2: Incident
Use triggers and actions in Microsoft Sentinel playbooks
For most use cases, incident-triggered automation is the preferable approach. In Microsoft Sentinel, an incident is a “case file”: an aggregation of all the relevant evidence for a specific investigation. It’s a container for alerts, entities, comments, collaboration, and other artifacts. Unlike alerts, which are single pieces of evidence, incidents are modifiable, have the most updated status, and can be enriched with comments, tags, and bookmarks. The incident allows you to track the attack story, which keeps evolving with the addition of new alerts.
For these reasons, it makes more sense to build your automation around incidents. So the most appropriate way to create playbooks is to base them on the Microsoft Sentinel incident trigger in Azure Logic Apps.
Reference:
https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

QUESTION 219
Hotspot Question
You have three Microsoft Entra tenants named Tenant1, Tenant2, and Tenant3.
You have three Azure subscriptions named Sub1, Sub2, and Sub3. Each tenant is associated with multiple Azure subscriptions.
Each subscription contains a single Microsoft Sentinel workspace as shown in the following table.

You need to recommend a solution that meets the following requirements:
– Ensures that the users in Tenant1 can manage the resources in Sub2 and Sub3 without having to switch subscriptions or sign in to a different tenant.
– Implements multiple workspace view for Sentinel2 and Sentinel3.
What should you use to delegate permissions, and which Microsoft Sentinel feature will users be able to manage in multiple workspace view? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Azure Lighthouse
Delegate permissions by using
You can manage workspaces across tenants using Azure Lighthouse.
In many scenarios, the different Microsoft Sentinel workspaces can be located in different Microsoft Entra tenants. You can use Azure Lighthouse to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on Microsoft Sentinel workspaces across all tenants.
Once Azure Lighthouse is onboarded, use the directory + subscription selector on the Azure portal to select all the subscriptions containing workspaces you want to manage, in order to ensure that they’ll all be available in the different workspace selectors in the portal.
When using Azure Lighthouse, it’s recommended to create a group for each Microsoft Sentinel role and delegate permissions from each tenant to those groups.
Box 2: Workbooks
Microsoft Sentinel feature
Use cross-workspace workbooks
Workbooks provide dashboards and apps to Microsoft Sentinel. When working with multiple workspaces, workbooks provide monitoring and actions across workspaces.
Note: Extend Microsoft Sentinel across workspaces and tenants
When you onboard Microsoft Sentinel, your first step is to select your Log Analytics workspace. While you can get the full benefit of the Microsoft Sentinel experience with a single workspace, in some cases, you might want to extend your workspace to query and analyze your data across workspaces and tenants.
Reference:
https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

QUESTION 220
Hotspot Question
Your company, named Contoso, Ltd., has a Microsoft Entra tenant named contoso.com. Contoso has a partner company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.
You need to ensure that helpdesk users at Fabrikam can reset passwords for specific users at Contoso. The solution must meet the following requirements:
– Follow the principle of least privilege.
– Minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Directory Readers
To enable a service principal or guest user to use a role assignment scoped to an administrative unit, you must assign the Directory Readers role (or another role that includes read permissions) at a tenant scope.
Box 2: Administrative unit
Assign Microsoft Entra roles with administrative unit scope
In Microsoft Entra ID, for more granular administrative control, you can assign a Microsoft Entra role with a scope that’s limited to one or more administrative units. When a Microsoft Entra role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and don’t apply to tenant-wide settings or configurations.
For example, an administrator who is assigned the Groups Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they can’t manage other groups in the tenant. They also can’t manage tenant-level settings related to groups, such as expiration or group naming policies.
Box 3: Password Administrator
* Password Administrator
Can reset passwords for non-administrators within the assigned administrative unit only. This is a privileged role. Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user’s password depends on the role the user is assigned.
Reference:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles

QUESTION 221
Hotspot Question
You have multiple on-premises Hyper-V hosts that contain virtual machines. The virtual machines run Windows Server 2022.
You have an Azure subscription.
You need to recommend a solution to collect Security event logs from the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
– Leverage the Windows Security Events via AMA data connector.
– Ensure that only specific events are collected.
– Minimize costs.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Azure Monitor data collection rules (DCRs)
In Azure, deploy
Windows Security Events via AMA connector for Microsoft Sentinel
You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.
Create a data collection rule
You can define a data collection rule to send data from multiple machines to multiple Log Analytics workspaces, including workspaces in a different region or tenant. Create the data collection rule in the same region as your Log Analytics workspace. You can send Windows event and Syslog data to Azure Monitor Logs only. You can send performance counters to both Azure Monitor Metrics and Azure Monitor Logs.
Box 2: The Azure Connected Machine agent for Azure Arc-enabled servers
On the virtual machines, install
The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
https://learn.microsoft.com/en-us/windows-server/administration/azure
https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview
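The two boxes above come together in one Azure Monitor data collection rule: the rule names the Microsoft-SecurityEvent stream that the Windows Security Events via AMA connector consumes, and its XPath queries are evaluated by the Azure Monitor Agent on each host before anything is forwarded, which is what satisfies both "only specific events" and "minimize costs". The ARM template below is an added example written for this page; it is not from Microsoft's documentation or from the connector's own deployment. The rule name, the data source and destination names, and the event IDs (logons, privilege use, account and group membership changes) are assumptions chosen for illustration; the workspace resource ID is a template parameter.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the Log Analytics workspace used by Microsoft Sentinel" }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Deploy the DCR in the same region as the workspace" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-sentinel-security-minimal",
      "location": "[parameters('location')]",
      "kind": "Windows",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "securityEventsFiltered",
              "streams": [ "Microsoft-SecurityEvent" ],
              "xPathQueries": [
                "Security!*[System[(EventID=4624 or EventID=4625)]]",
                "Security!*[System[(EventID=4672 or EventID=4720 or EventID=4726)]]",
                "Security!*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]"
              ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            {
              "workspaceResourceId": "[parameters('workspaceResourceId')]",
              "name": "sentinelWorkspace"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": [ "Microsoft-SecurityEvent" ],
            "destinations": [ "sentinelWorkspace" ]
          }
        ]
      }
    }
  ]
}
```

Deploy the template into the workspace's resource group, then attach the rule to every Azure Arc-enabled server (the Hyper-V guests after the Azure Connected Machine agent is installed) with a data collection rule association; the Azure Monitor Agent picks the rule up from there. Each XPath entry is an independent filter against the Security channel, so keep them short and combine related event IDs with `or` rather than collecting the whole channel and filtering later in KQL, since by then the ingestion has already been billed. The same XPath strings are what the connector's "Custom" event collection option writes into a DCR on your behalf.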


Resources From:

1. 2026 Latest Braindump2go SC-100 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/sc-100.html

2. 2026 Latest Braindump2go SC-100 PDF and SC-100 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1fpcKj4eTa7zVX2sBmcO0SN8tfjzbG4Df?usp=sharing

3. 2026 Free Braindump2go SC-100 Exam Questions Download:
https://www.braindump2go.com/free-online-pdf/SC-100-VCE-Dumps(198-221).pdf

Free Resources from Braindump2go, We Are Devoted to Helping You 100% Pass All Exams!