SC-100: Microsoft Cybersecurity Architect Part 1
Question #: 6
Topic #: 10
You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.
What should you recommend as part of the landing zone deployment?
A. local network gateways
B. forced tunneling
C. service chaining
Selected Answer: C
Question #: 7
Topic #: 3
You have Microsoft Defender for Cloud assigned to Azure management groups.
You have a Microsoft Sentinel deployment.
During the triage of alerts, you require additional information about the security events, including suggestions for remediation.
Which two components can you use to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel threat intelligence workbooks
B. Microsoft Sentinel notebooks
C. threat intelligence reports in Defender for Cloud
D. workload protections in Defender for Cloud
Selected Answer: AC
Question #: 8
Topic #: 13
You need to recommend a solution to secure the MedicalHistory data in the ClaimsDetail table. The solution must meet the Contoso developer requirements.
What should you include in the recommendation?
A. row-level security (RLS)
B. Transparent Data Encryption (TDE)
C. Always Encrypted
D. data classification
E. dynamic data masking
Selected Answer: C
Question #: 9
Topic #: 2
You are evaluating an Azure environment for compliance.
You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.
Which effect should you use in Azure Policy?
A. Deny
B. Modify
C. Append
D. Disabled
Selected Answer: D
Question #: 10
Topic #: 5
Your company wants to optimize using Microsoft Defender for Endpoint to protect its resources against ransomware based on Microsoft Security Best Practices.
You need to prepare a post-breach response plan for compromised computers based on the Microsoft Detection and Response Team (DART) approach in Microsoft Security Best Practices.
What should you include in the response plan?
A. controlled folder access
B. application isolation
C. memory scanning
D. machine isolation
E. user isolation
Selected Answer: D
Question #: 11
Topic #: 1
Your company has a Microsoft 365 ES subscription.
The Chief Compliance Officer plans to enhance privacy management in the working environment.
You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
A. communication compliance in insider risk management
B. Microsoft Viva Insights
C. Privacy Risk Management in Microsoft Priva
D. Advanced eDiscovery
Selected Answer: C
Question #: 12
Topic #: 4
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. app registrations in Azure Active Directory (Azure AD)
B. OAuth app policies in Microsoft Defender for Cloud Apps
C. Azure Security Benchmark compliance controls in Defender for Cloud
D. application control policies in Microsoft Defender for Endpoint
Selected Answer: D
Question #: 13
Topic #: 12
You need to design a strategy for securing the SharePoint Online and Exchange Online data. The solution must meet the application security requirements.
Which two services should you leverage in the strategy? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD Conditional Access
B. access reviews in Azure AD
C. Microsoft Defender for Cloud
D. Microsoft Defender for Cloud Apps
E. Microsoft Defender for Endpoint
Selected Answer: AD
Question #: 17
Topic #: 8
You need to recommend a solution to resolve the virtual machine issue.
What should you include in the recommendation?
A. Enable the Qualys scanner in Defender for Cloud.
B. Onboard the virtual machines to Microsoft Defender for Endpoint.
C. Create a device compliance policy in Microsoft Endpoint Manager.
D. Onboard the virtual machines to Azure Arc.
Selected Answer: A
Question #: 18
Topic #: 3
A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions.
You are evaluating the security posture of the customer.
You discover that the AKS resources are excluded from the secure score recommendations.
You need to produce accurate recommendations and update the secure score.
Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Defender plans.
B. Configure auto provisioning.
C. Add a workflow automation.
D. Assign regulatory compliance policies.
E. Review the inventory.
Selected Answer: AB
Question #: 19
Topic #: 1
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
Suspicious authentication activity alerts have been appearing in the Workload protections dashboard.
You need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort.
What should you include in the recommendation?
A. Azure Monitor webhooks
B. Azure Event Hubs
C. Azure Functions apps
D. Azure Logics Apps
Selected Answer: D
Question #: 20
Topic #: 4
Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet.
You need to recommend a solution to ensure that only the application servers can access the storage account.
What should you recommend using to secure the blob storage?
A. managed rule sets in Azure Web Application Firewall (WAF) policies
B. inbound rules in network security groups (NSGs)
C. firewall rules for the storage account
D. inbound rules in Azure Firewall
E. service tags in network security groups (NSGs)
Selected Answer: C
Question #: 21
Topic #: 12
To meet the application security requirements, which two authentication methods must the applications support? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Security Assertion Markup Language (SAML)
B. NTLMv2
C. certificate-based authentication
D. Kerberos
Selected Answer: AD
Question #: 22
Topic #: 7
You need to recommend a solution to meet the security requirements for the InfraSec group.
What should you use to delegate the access?
A. a subscription
B. a custom role-based access control (RBAC) role
C. a resource group
D. a management group
Selected Answer: B
Question #: 23
Topic #: 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report as shown in the following exhibit.
You need to verify whether Microsoft Defender for servers is installed on all the virtual machines that run Windows.
Which compliance control should you evaluate?
A. Asset Management
B. Posture and Vulnerability Management
C. Data Protection
D. Endpoint Security
E. Incident Response
Selected Answer: D
Question #: 24
Topic #: 11
You need to recommend a solution to scan the application code. The solution must meet the application development requirements.
What should you include in the recommendation?
A. GitHub Advanced Security
B. Azure Key Vault
C. Azure DevTest Labs
D. Application Insights in Azure Monitor
Selected Answer: A
Question #: 25
Topic #: 5
You have an operational model based on the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a solution that focuses on cloud-centric control areas to protect resources such as endpoints, databases, files, and storage accounts.
What should you include in the recommendation?
A. business resilience
B. modem access control
C. network isolation
D. security baselines in the Microsoft Cloud Security Benchmark
Selected Answer: D
Question #: 30
Topic #: 8
You need to recommend a solution to meet the security requirements for the virtual machines.
What should you include in the recommendation?
A. just-in-time (JIT) VM access
B. an Azure Bastion host
C. Azure Virtual Desktop
D. a network security group (NSG)
Selected Answer: C
Question #: 31
Topic #: 1
Your company is moving a big data solution to Azure.
The company plans to use the following storage workloads:
✑ Azure Storage blob containers
✑ Azure Data Lake Storage Gen2
Azure Storage file shares –
✑ Azure Disk Storage
Which two storage workloads support authentication by using Azure Active Directory (Azure AD)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Storage file shares
B. Azure Disk Storage
C. Azure Storage blob containers
D. Azure Data Lake Storage Gen2
Selected Answer: CD
Question #: 32
Topic #: 4
Your company is developing a modern application that will un as an Azure App Service web app.
You plan to perform threat modeling to identity potential security issues by using the Microsoft Threat Modeling Tool.
Which type of diagram should you create?
A. system flow
B. data flow
C. process flow
D. network flow
Selected Answer: B
Question #: 33
Topic #: 3
Your company has an office in Seattle.
The company has two Azure virtual machine scale sets hosted on different virtual networks.
The company plans to contract developers in India.
You need to recommend a solution provide the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:
✑ Prevent exposing the public IP addresses of the virtual machines.
✑ Provide the ability to connect without using a VPN.
✑ Minimize costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a hub and spoke network by using virtual network peering.
B. Deploy Azure Bastion to each virtual network.
C. Deploy Azure Bastion to one virtual network.
D. Create NAT rules and network rules in Azure Firewall.
E. Enable just-in-time VM access on the virtual machines.
Selected Answer: AC
Question #: 38
Topic #: 6
You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.
What should you configure for each landing zone?
A. an ExpressRoute gateway
B. Microsoft Defender for Cloud
C. an Azure Private DNS zone
D. Azure DDoS Protection Standard
Selected Answer: C
Question #: 39
Topic #: 4
Your company has an on-premises network and an Azure subscription.
The company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure.
You are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network.
You need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet- accessible endpoints to the on-premises network.
What should you include in the recommendation?
A. virtual network NAT gateway integration
B. hybrid connections
C. virtual network integration
D. a private endpoint
Selected Answer: B
Question #: 40
Topic #: 2
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
B. From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector.
C. From Defender for Cloud, review the Azure security baseline for audit report.
D. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
Selected Answer: A
Question #: 41
Topic #: 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have an Amazon Web Services (AWS) implementation.
You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.
Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Defender for Containers
B. Microsoft Defender for servers
C. Azure Active Directory (Azure AD) Conditional Access
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
E. Azure Policy
Selected Answer: ACE
Question #: 42
Topic #: 1
You have a Microsoft 365 E5 subscription and an Azure subscription.
You are designing a Microsoft deployment.
You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events.
What should you recommend using in Microsoft Sentinel?
A. notebooks
B. playbooks
C. workbooks
D. threat intelligence
Selected Answer: C
Question #: 43
Topic #: 5
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.
You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).
You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.
You need to ensure that a compromised administrator account cannot be used to delete the backups.
What should you do?
A. From Azure Backup, configure multi-user authorization by using Resource Guard.
B. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
C. From a Recovery Services vault, generate a security PIN for critical operations.
D. From Azure AD Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
Selected Answer: C
Question #: 44
Topic #: 3
You have Windows 11 devices and Microsoft 365 E5 licenses.
You need to recommend a solution to prevent users from accessing websites that contain adult content such as gambling sites.
What should you include in the recommendation?
A. Compliance Manager
B. Microsoft Defender for Cloud Apps
C. Microsoft Endpoint Manager
D. Microsoft Defender for Endpoint
Selected Answer: D
Question #: 45
Topic #: 4
You are creating an application lifecycle management process based on the Microsoft Security Development Lifecycle (SDL).
You need to recommend a security standard for onboarding applications to Azure. The standard will include recommendations for application design, development, and deployment.
What should you include during the application design phase?
A. software decomposition by using Microsoft Visual Studio Enterprise
B. dynamic application security testing (DAST) by using Veracode
C. threat modeling by using the Microsoft Threat Modeling Tool
D. static application security testing (SAST) by using SonarQube
Selected Answer: C
Question #: 47
Topic #: 5
You are designing a ransomware response plan that follows Microsoft Security Best Practices.
You need to recommend a solution to limit the scope of damage of ransomware attacks without being locked out.
What should you include in the recommendation?
A. device compliance policies
B. Privileged Access Workstations (PAWs)
C. Customer Lockbox for Microsoft Azure
D. emergency access accounts
Selected Answer: B
Question #: 48
Topic #: 2
Your company has on-premises network in Seattle and an Azure subscription. The on-premises network contains a Remote Desktop server.
The company contracts a third-party development firm from France to develop and deploy resources to the virtual machines hosted in the Azure subscription.
Currently, the firm establishes an RDP connection to the Remote Desktop server. From the Remote Desktop connection, the firm can access the virtual machines hosted in Azure by using custom administrative tools installed on the Remote Desktop server. All the traffic to the Remote Desktop server is captured by a firewall, and the firewall only allows specific connections from France to the server.
You need to recommend a modern security solution based on the Zero Trust model. The solution must minimize latency for developers.
Which three actions should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure network security groups (NSGs) to allow access from only specific logical groupings of IP address ranges.
B. Deploy a Remote Desktop server to an Azure region located in France.
C. Migrate from the Remote Desktop server to Azure Virtual Desktop.
D. Implement Azure Firewall to restrict host pool outbound access.
E. Configure Azure Active Directory (Azure AD) Conditional Access with multi-factor authentication (MFA) and named locations.
Selected Answer: CDE
Question #: 49
Topic #: 3
Your company has a Microsoft 365 E5 subscription.
The company plans to deploy 45 mobile self-service kiosks that will run Windows 10.
You need to provide recommendations to secure the kiosks. The solution must meet the following requirements:
✑ Ensure that only authorized applications can run on the kiosks.
✑ Regularly harden the kiosks against new threats.
Which two actions should you include in the recommendations? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Implement Automated investigation and Remediation (AIR) in Microsoft Defender for Endpoint.
B. Onboard the kiosks to Microsoft intune and Microsoft Defender for Endpoint.
C. Implement threat and vulnerability management in Microsoft Defender for Endpoint.
D. Onboard the kiosks to Azure Monitor.
E. Implement Privileged Access Workstation (PAW) for the kiosks.
Selected Answer: BC
Question #: 50
Topic #: 1
Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.
You are informed about incidents that relate to compromised identities.
You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.
Which Defender for Identity feature should you include in the recommendation?
A. sensitivity labels
B. custom user tags
C. standalone sensors
D. honeytoken entity tags
Selected Answer: D
Question #: 52
Topic #: 3
You have a Microsoft 365 E5 subscription.
You need to recommend a solution to add a watermark to email attachments that contain sensitive data.
What should you include in the recommendation?
A. Microsoft Defender for Cloud Apps
B. Microsoft Information Protection
C. insider risk management
D. Azure Purview
Selected Answer: B
Question #: 53
Topic #: 4
Your company is developing a new Azure App Service web app.
You are providing design assistance to verify the security of the web app.
You need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection.
What should you include in the recommendation?
A. dynamic application security testing (DAST)
B. static application security testing (SAST)
C. interactive application security testing (IAST)
D. runtime application self-protection (RASP)
Selected Answer: A
Question #: 54
Topic #: 1
Your company is moving all on-premises workloads to Azure and Microsoft 365.
You need to design a security orchestration, automation, and response (SOAR) strategy in Microsoft Sentinel that meets the following requirements:
✑ Minimizes manual intervention by security operation analysts
✑ Supports triaging alerts within Microsoft Teams channels
What should you include in the strategy?
A. KQL
B. playbooks
C. data connectors
D. workbooks
Selected Answer: B
Question #: 55
Topic #: 5
You design cloud-based software as a service (SaaS) solutions.
You need to recommend a recovery solution for ransomware attacks. The solution must follow Microsoft Security Best Practices.
What should you recommend doing first?
A. Develop a privileged identity strategy.
B. Implement data protection.
C. Develop a privileged access strategy.
D. Prepare a recovery plan.
Selected Answer: D
Question #: 57
Topic #: 1
You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases.
All resources are backed up multiple times a day by using Azure Backup.
You are developing a strategy to protect against ransomware attacks.
You need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack.
Which two controls should you include in the recommendation? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Enable soft delete for backups.
B. Require PINs for critical operations.
C. Encrypt backups by using customer-managed keys (CMKs).
D. Perform offline backups to Azure Data Box.
E. Use Azure Monitor notifications when backup configurations change.
Selected Answer: AB
Question #: 58
Topic #: 4
Your company develops several applications that are accessed as custom enterprise applications in Azure Active Directory (Azure AD).
You need to recommend a solution to prevent users on a specific list of countries from connecting to the applications.
What should you include in the recommendation?
A. activity policies in Microsoft Defender for Cloud Apps
B. sign-in risk policies in Azure AD Identity Protection
C. Azure AD Conditional Access policies
D. device compliance policies in Microsoft Endpoint Manager
E. user risk poticies in Azure AD Identity Protection
Selected Answer: C
Question #: 59
Topic #: 2
Your company has a hybrid cloud infrastructure.
The company plans to hire several temporary employees within a brief period. The temporary employees will need to access applications and data on the company’s on-premises network.
The company’s secutity policy prevents the use of personal devices for accessing company data and applications.
You need to recommend a solution to provide the temporary employee with access to company resources. The solution must be able to scale on demand.
What should you include in the recommendation?
A. Deploy Azure Virtual Desktop, Azure Active Directory (Azure AD) Conditional Access, and Microsoft Defender for Cloud Apps.
B. Redesign the VPN infrastructure by adopting a split tunnel configuration.
C. Deploy Microsoft Endpoint Manager and Azure Active Directory (Azure AD) Conditional Access.
D. Migrate the on-premises applications to cloud-based applications.
Selected Answer: A
Question #: 60
Topic #: 3
Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.
You need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attack surface.
What should you include in the recommendation?
A. Azure Firewall Premium
B. Azure Traffic Manager and application security groups
C. Azure Application Gateway Web Application Firewall (WAF)
D. network security groups (NSGs)
Selected Answer: C
Question #: 62
Topic #: 2
Your company is preparing for cloud adoption.
You are designing security for Azure landing zones.
Which two preventative controls can you implement to increase the secure score? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Web Application Firewall (WAF)
B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
C. Microsoft Sentinel
D. Azure Firewall
E. Microsoft Defender for Cloud alerts
Selected Answer: AD
Question #: 63
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For blob containers in Azure Storage, you recommend encryption that uses Microsoft-managed keys within an encryption scope.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 64
Topic #: 5
You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.
You need to recommend what to include in dynamic application security testing (DAST) based on the principles of the Microsoft Cloud Adoption Framework for Azure.
What should you recommend?
A. unit testing
B. penetration testing
C. dependency checks
D. threat modeling
Selected Answer: B
Question #: 65
Topic #: 4
Your company has an Azure subscription that uses Azure Storage.
The company plans to share specific blobs with vendors.
You need to recommend a solution to provide the vendors with secure access to specific blobs without exposing the blobs publicly. The access must be time- limited.
What should you include in the recommendation?
A. Configure private link connections.
B. Configure encryption by using customer-managed keys (CMKs).
C. Share the connection string of the access key.
D. Create shared access signatures (SAS).
Selected Answer: D
Question #: 67
Topic #: 2
You are designing security for an Azure landing zone.
Your company identifies the following compliance and privacy requirements:
✑ Encrypt cardholder data by using encryption keys managed by the company.
✑ Encrypt insurance claim files by using encryption keys hosted on-premises.
Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-managed keys.
B. Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.
C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM.
D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.
Selected Answer: CD
Question #: 68
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 69
Topic #: 4
Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD workbooks to monitor risk detections
B. Azure AD Conditional Access integration with user flows and custom policies
C. smart account lockout in Azure AD B2C
D. access packages in Identity Governance
E. custom resource owner password credentials (ROPC) flows in Azure AD B2C
Selected Answer: BC
Question #: 70
Topic #: 5
You have a Microsoft 365 subscription.
You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:
• A user account is disabled or deleted.
• The password of a user is changed or reset.
• All the refresh tokens for a user are revoked.
• Multi-factor authentication (MFA) is enabled for a user.
Which two features should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. continuous access evaluation
B. Azure AD Application Proxy
C. a sign-in risk policy
D. Azure AD Privileged Identity Management (PIM)
E. Conditional Access
Selected Answer: AE
