
SC-100: Microsoft Cybersecurity Architect Practice Exam

Validates designing and evolving a cybersecurity strategy - Zero Trust, GRC and security posture, security operations/identity/compliance capabilities, and security solutions for infrastructure, applications, and data.

Practice 730 exam-style SC-100 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 730
Questions on the real exam: 40-60
Passing score: 700
Exam length: 120 min

Question bank reviewed Jul 2026.

What the SC-100 exam covers

Free SC-100 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 730.

  1. Question 1: Design solutions that align with security best practices and priorities

    You are designing a Zero Trust strategy for a large enterprise migrating to Microsoft 365 and Azure. Leadership asks you to summarize the foundational principles that must govern every design decision. According to Microsoft's Zero Trust model, which set of guiding principles should you present?

    • A. Trust but verify, network segmentation, and perimeter hardening
    • B. Verify explicitly, use least privilege access, and assume breach (Correct)
    • C. Encrypt everything, block all inbound traffic, and require VPN
    • D. Centralize identity, disable legacy protocols, and audit quarterly
    ✓ Correct answer: B

    Microsoft defines Zero Trust with exactly three guiding principles: verify explicitly (authenticate and authorize on all available signals), use least privilege access (JIT/JEA and risk-based adaptive policies), and assume breach (minimize blast radius, segment access, verify end-to-end encryption, use analytics for detection).

    Why the other options are wrong
    • A. Trust but verify and perimeter hardening describe the legacy castle-and-moat model that Zero Trust explicitly replaces.
    • C. These are individual controls, not the strategic principles that define the Zero Trust model.
    • D. Centralizing identity and disabling legacy protocols are tactics, not the three defining Zero Trust principles.
  2. Question 2: Design solutions that align with security best practices and priorities (Select all that apply)

    A security architect is building the business case for a Zero Trust program and must map three stated business priorities to design outcomes. Leadership priorities are: enable secure hybrid work, minimize damage from breaches, and simplify compliance reporting. Which THREE design outcomes correctly align to these priorities? (Choose three.)

    • A. Least privilege and segmentation to minimize breach blast radius (Correct)
    • B. Defender for Cloud regulatory compliance dashboard and Purview Compliance Manager to streamline compliance reporting (Correct)
    • C. Disabling multifactor authentication to reduce sign-in friction
    • D. Conditional Access and device compliance to enable secure access from anywhere (Correct)
    ✓ Correct answer: A, B, D

    Secure hybrid work maps to Conditional Access with device compliance and MFA, verifying access from any location. Minimizing breach damage maps to least privilege and segmentation (assume breach). Simplifying compliance reporting maps to Defender for Cloud's regulatory compliance dashboard and Purview Compliance Manager. These three align each priority to a concrete Zero Trust design outcome.

    Why the other options are wrong
    • C. Disabling MFA weakens identity security and contradicts Zero Trust; it is never a valid design outcome.
  3. Question 3: Design solutions that align with security best practices and priorities

    The CISO asks the architect to ensure security requirements are captured before solutions are chosen, so that capabilities are selected to meet needs rather than needs being retrofitted to purchased tools. Which sequencing reflects requirements-driven design best practice?

    • A. Elicit business and security requirements, derive required capabilities, then select technologies that provide those capabilities (Correct)
    • B. Purchase leading tools first, then define requirements to match what the tools do
    • C. Skip requirements and adopt whatever the largest competitor uses
    • D. Let each engineer choose tools independently and reconcile requirements later
    ✓ Correct answer: A

    Requirements-driven design flows from business and security requirements to the capabilities needed to satisfy them, and only then to specific technologies that provide those capabilities. This ordering ensures the solution addresses the actual needs and avoids the anti-pattern of buying a tool and then bending requirements to justify it. Translating requirements into capabilities is a core architect responsibility in this domain.

    Why the other options are wrong
    • B. Buying tools first and defining requirements afterward is the retrofitting anti-pattern the CISO explicitly wants to avoid.
    • C. Adopting a competitor's tooling ignores this organization's own requirements and context.
    • D. Uncoordinated per-engineer tool selection produces fragmented capabilities and no coherent requirement traceability.
  4. Question 4: Design security operations, identity, and compliance capabilities

    The SOC operates 24x7 across three regional teams and needs role separation so that Tier 1 analysts can triage and comment on incidents but cannot change analytics rules or connectors, while engineers can. Which Microsoft Sentinel access design should you recommend?

    • A. Grant all analysts Owner on the subscription
    • B. Use Sentinel built-in RBAC roles (Reader, Responder, Contributor) scoped appropriately, layered on Azure RBAC (Correct)
    • C. Share a single admin account among all teams
    • D. Disable RBAC and rely on network restrictions
    ✓ Correct answer: B

    Microsoft Sentinel provides built-in roles: Reader (view), Responder (triage and manage incidents), and Contributor (create and edit rules, connectors, and content). Assigning Responder to Tier 1 analysts and Contributor to engineers, scoped to the workspace resource group and layered on Azure RBAC, enforces least privilege and the required separation of duties.

    Why the other options are wrong
    • A. Granting Owner to all analysts violates least privilege and lets Tier 1 change rules and connectors, which the requirement forbids.
    • C. A shared admin account destroys accountability, auditability, and separation of duties.
    • D. Disabling RBAC removes access control entirely; network restrictions do not enforce per-role permissions inside Sentinel.
  5. Question 5: Design security operations, identity, and compliance capabilities

    A multicloud enterprise wants a single dashboard to discover unused and excessive permissions across Azure, AWS, and Google Cloud, quantify permission risk, and right-size identities to least privilege. Which Microsoft solution should the architect recommend?

    • A. Microsoft Defender for Cloud Apps
    • B. Microsoft Entra Permissions Management (CIEM) (Correct)
    • C. Microsoft Purview Data Map
    • D. Azure Policy with Guest Configuration
    ✓ Correct answer: B

    Permissions Management provides cloud infrastructure entitlement management: it inventories identities and permissions across the three major clouds, computes a Permission Creep Index, surfaces unused and excessive permissions, and helps remediate toward least privilege from one console.

    Why the other options are wrong
    • A. Defender for Cloud Apps is a CASB focused on SaaS app discovery and control, not multicloud permission right-sizing.
    • C. Purview Data Map catalogs data assets, not cloud identity entitlements.
    • D. Azure Policy enforces resource configuration compliance in Azure and is not a cross-cloud CIEM tool.
  6. Question 6: Design security operations, identity, and compliance capabilities

    A regulated healthcare organization must retain a tamper-evident, long-term record of all administrator and user activity in Microsoft 365 for regulatory investigations, with the ability to search up to one year by default and retain audit records for longer. Which audit capability should the architect design around?

    • A. Microsoft Purview Audit (Premium) with an audit log retention policy extending records beyond the default (Correct)
    • B. Microsoft Purview Audit (Standard) with 90-day retention
    • C. Azure Monitor diagnostic settings streaming sign-in logs to a Log Analytics workspace
    • D. Microsoft Sentinel data connector for Office 365
    ✓ Correct answer: A

    Microsoft Purview Audit (Premium) extends the default audit search window to one year (with retention policies enabling up to ten years) and surfaces high-value events such as MailItemsAccessed. This is the correct capability for long-term, investigation-grade audit retention in regulated environments.

    Why the other options are wrong
    • B. Audit (Standard) retains records for 180 days and lacks long-term retention policies and crucial events.
    • C. Azure Monitor captures Azure and Entra sign-in telemetry, not the full Microsoft 365 unified audit record set for compliance investigations.
    • D. Sentinel ingests and analyzes logs but does not itself provide the compliant Microsoft 365 audit retention control.
  7. Question 7: Design security solutions for infrastructure

    A security architect is evaluating whether to place Azure Firewall in a customer-managed hub VNet or use the Secured Virtual Hub in Virtual WAN. The organization already relies heavily on complex custom UDRs, third-party NVAs chained with Azure Firewall, and fine-grained control of the hub subnet layout. Which recommendation is most appropriate?

    • A. Use a customer-managed hub VNet with Azure Firewall when maximum control over routing, subnetting, and NVA chaining is required (Correct)
    • B. Always use Secured Virtual Hub because it removes all need for routing knowledge
    • C. Avoid Azure Firewall entirely and use only NSGs in the hub
    • D. Deploy the firewall in every spoke instead of a hub
    ✓ Correct answer: A

    Secured Virtual Hub is Microsoft-managed and simplifies routing but constrains custom subnetting and complex NVA-chaining scenarios. When an organization requires granular control over the hub subnet layout, intricate custom UDRs, and chaining third-party NVAs with Azure Firewall, a customer-managed hub VNet gives the needed flexibility, so it is the appropriate recommendation here.

    Why the other options are wrong
    • B. Secured Virtual Hub simplifies but restricts the custom routing and NVA-chaining flexibility that this organization requires.
    • C. NSGs alone cannot provide the L3-L7 firewalling, FQDN filtering, and threat intelligence the hub needs.
    • D. Deploying a firewall in every spoke is costly, fragmented, and abandons centralized inspection.
  8. Question 8: Design security solutions for infrastructure (Select all that apply)

    An architect must justify the value of the paid Defender CSPM plan over the free foundational CSPM tier for a multicloud environment. Which capabilities are provided by the paid Defender CSPM plan? (Choose three.)

    • A. Attack path analysis (Correct)
    • B. Cloud security explorer over the cloud security graph (Correct)
    • C. Agentless vulnerability and secret scanning of machines (Correct)
    • D. Free unlimited data retention in Microsoft Sentinel
    • E. Automatic physical destruction of decommissioned hardware
    ✓ Correct answer: A, B, C

    The paid Defender CSPM plan provides the cloud security graph with attack path analysis and cloud security explorer, agentless machine vulnerability and secret scanning, and additional risk-prioritization capabilities that the free foundational secure-score tier does not include.

    Why the other options are wrong
    • D. Sentinel data retention and pricing are governed by Sentinel and Log Analytics, not the Defender CSPM plan.
    • E. Physical hardware destruction is a datacenter operations task, not a Defender CSPM feature.
  9. Question 9: Design security solutions for infrastructure

    An architect needs a design that continuously assesses the security posture of infrastructure against a specific compliance standard (for example, PCI DSS and ISO 27001) and produces auditor-ready reports of control pass/fail status. Which Defender for Cloud capability should the design use?

    • A. The regulatory compliance dashboard with the relevant standards assigned (Correct)
    • B. The Secure Score tile alone
    • C. Just-in-time VM access logs
    • D. Workflow automation with Logic Apps only
    ✓ Correct answer: A

    Defender for Cloud's regulatory compliance dashboard lets you assign compliance standards (PCI DSS, ISO 27001, and others) and continuously evaluates your environment's controls against them, producing pass/fail views and downloadable reports suitable for auditors. This directly meets the requirement.

    Why the other options are wrong
    • B. Secure Score summarizes recommendation-based posture but is not organized by regulatory control mappings.
    • C. JIT logs record port-access requests, not compliance control status.
    • D. Workflow automation triggers responses to alerts but does not assess or report compliance status.
  10. Question 10: Design security solutions for applications and data

    An architect must design protection for sensitive files that leave the organization to external partners. The requirement is that partners can open protected documents with their own Microsoft Entra or Microsoft accounts, but the sending organization can still revoke and audit access. Which approach should be recommended?

    • A. Sensitivity labels with encryption and cross-tenant collaboration, sharing to specified external users or domains (Correct)
    • B. Password-protected ZIP files emailed to partners
    • C. Public anonymous SharePoint links
    • D. Removing all protection so partners can open files easily
    ✓ Correct answer: A

    Sensitivity labels with encryption can assign permissions to specific external users, domains, or authenticated guests. External partners authenticate with their Microsoft Entra or Microsoft accounts to open files, while the originating organization keeps control: it can track usage and revoke access to protected documents. This meets the cross-organization sharing and control requirements.

    Why the other options are wrong
    • B. A password-protected ZIP offers no per-user revocation and no auditing, and its password is easily shared, so it provides weak control.
    • C. Anonymous links give no identity-based control, revocation, or auditing.
    • D. Removing protection eliminates the very controls the requirement demands.

SC-100 practice exam FAQ

How many questions are in the SC-100 practice exam on CertGrid?

CertGrid has 730 practice questions for SC-100: Microsoft Cybersecurity Architect, covering 4 exam domains. The real SC-100 exam has 40-60 questions.

What is the passing score for SC-100?

The SC-100 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official SC-100 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of SC-100: Microsoft Cybersecurity Architect, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice SC-100 for free?

Yes. You can start practicing SC-100: Microsoft Cybersecurity Architect for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.