Microsoft

Microsoft Cybersecurity Architect (SC-100) practice questions

Expert-level certification covering the design of Zero Trust security strategy, security operations, identity, infrastructure, and application and data protection across Microsoft and hybrid multicloud environments, with a worked explanation on every practice question.

New to SC-100? Read the "How to pass Microsoft Cybersecurity Architect (SC-100)" study guide for a domain breakdown, a study plan, and exam-day tips.

Revising? The SC-100 cheat sheet puts the domain weightings, key facts, and easy-to-confuse traps on one printable page.

  • Questions: Typically 40 to 60
  • Time allowed: 120 min
  • Pass mark: 700 / 1000
  • Exam cost (USD): $165
  • Practice questions: 306

Exam domains and weighting

The SC-100 blueprint is split across 4 domains. See the official exam guide for the authoritative breakdown.

SC-100 exam domain weighting - each domain's share of the exam:

  • Design Solutions that Align with Security Best Practices and Priorities: 23%
  • Design Security Operations, Identity, and Compliance Capabilities: 27%
  • Design Security Solutions for Infrastructure: 27%
  • Design Security Solutions for Applications and Data: 23%

Free sample questions

No account needed. Every question has a worked explanation, just like the full bank.

Free sample - Design Solutions that Align with Security Best Practices and Priorities - hard

A financial services organisation wants its backup design to survive a ransomware operator who has already gained Global Administrator rights in Microsoft Entra ID and intends to delete or encrypt all backups before detonating. Which backup design property most directly satisfies this resiliency requirement?

  • A. Backups are written to immutable, time-locked storage that no administrator role can delete or alter until the retention period expires. (Correct)
  • B. Backups are replicated to a second Azure region so that a regional outage cannot make the restore points unavailable.
  • C. Backups are encrypted at rest with customer-managed keys held in an Azure Key Vault that the backup service can read automatically.
  • D. Backups run more frequently so that the recovery point objective is reduced to under fifteen minutes for every protected workload.

Ransomware-resilient backups must be immutable and retention-locked so that even a fully compromised privileged identity cannot destroy the restore points. Ransomware actors specifically target backups using stolen privileged credentials before encrypting production, so the design must make restore points undeletable by any role. Immutable, time-locked storage enforces this at the platform level rather than relying on access control that the attacker already holds.

Why A is correct: Immutability with a retention lock enforces the assume-breach principle so that even a fully compromised privileged identity cannot delete or encrypt the protected restore point, which is exactly what the requirement demands.

Why B is wrong: Geo-replication defends against a datacentre or regional failure and seems resilient, but a privileged attacker can issue deletion against replicated copies just as easily, so it does not counter a malicious insider-level identity.

Why C is wrong: Encryption at rest protects backup confidentiality and is tempting because it sounds like hardening, but it does nothing to stop a Global Administrator from deleting the backups outright, so it misses the stated threat.

Why D is wrong: A tighter recovery point objective improves data freshness and is appealing for resilience metrics, but more frequent copies in deletable storage are equally destroyable by the compromised admin, so the threat is unaddressed.

Free sample - Design Solutions that Align with Security Best Practices and Priorities - hard

While designing a ransomware resiliency strategy, an architect is asked to identify the single highest-leverage protection to prioritise first according to Microsoft Security Best Practices, because most large-scale ransomware incidents pivot through one common control failure. Which priority should the design address first?

  • A. Deploying Microsoft Defender for Endpoint to every workstation and server so that malicious binaries are blocked at execution time.
  • B. Securing privileged access by isolating administrative identities and enforcing just-in-time elevation through Microsoft Entra Privileged Identity Management. (Correct)
  • C. Implementing immutable backups so that encrypted production data can always be restored after a successful detonation.
  • D. Enabling Microsoft Sentinel analytics rules tuned to detect lateral movement and mass file-encryption behaviour across the estate.

Microsoft prioritises securing privileged access as the first ransomware defence because operators depend on escalating to admin rights to spread and destroy. Human-operated ransomware almost always escalates to high-privilege accounts to move laterally, disable defences, and delete backups. Eliminating standing privilege with just-in-time elevation removes the dependency the campaign relies on, which is why Microsoft ranks it ahead of detection and recovery controls.

Why A is wrong: Endpoint protection is essential and tempting as a first move, but it is a detection and prevention layer that attackers routinely evade, whereas removing standing privileged access denies the escalation the campaign relies on, so it is not the first priority.

Why B is correct: Microsoft guidance ranks protecting privileged access as the top ransomware priority because operators escalate to admin rights to spread payloads and destroy backups, so removing standing privilege closes the path the attack depends on.

Why C is wrong: Recoverable backups are a critical pillar and appealing because recovery is the visible outcome, but they assume the attack has already succeeded, so prioritising them before privileged access leaves the breach path open.

Why D is wrong: SIEM analytics improve detection speed and are attractive for visibility, but detection alerts after compromise has begun, so it does not prevent the privileged-access escalation that Microsoft ranks as the leading priority.

Free sample - Design Solutions that Align with Security Best Practices and Priorities - hard

A manufacturer is designing recovery for a destructive attack that compromises Active Directory itself. The requirement is to be able to rebuild a trustworthy directory and core services even if the production forest and its domain controllers are fully encrypted. Which design element best meets this resiliency goal?

  • A. Continuous replication of all domain controllers to a secondary region using Azure Site Recovery for fast regional failover.
  • B. A read-only domain controller deployed in a branch site so that authentication continues if the primary domain controllers fail.
  • C. An isolated recovery environment with offline, validated forest backups from which Active Directory can be rebuilt independently of the compromised production network. (Correct)
  • D. Frequent system state backups stored on a file share inside the production domain for quick local restore of each controller.

Recovering from a directory-wide destructive attack requires an isolated clean-room with offline, validated forest backups, not replicas of the compromised production state. When Active Directory itself is the target, any online replica or in-domain backup inherits the attacker's changes. An isolated recovery environment with offline validated backups provides a trusted source from which to rebuild the forest without trusting compromised infrastructure, which is the core of destructive-attack recovery planning.

Why A is wrong: Site Recovery gives rapid failover and appears resilient, but it faithfully replicates the encrypted or tampered state of the directory, so failing over simply brings the compromised forest online elsewhere.

Why B is wrong: A read-only domain controller adds branch resilience and is tempting because it is another directory copy, but it replicates from the same compromised forest and would inherit the corruption, so it cannot serve as a trustworthy rebuild source.

Why C is correct: A clean-room recovery environment with offline directory backups lets the organisation restore a known-good forest without trusting any compromised production asset, which is precisely what recovery from a directory-wide destructive attack requires.

Why D is wrong: In-domain system state backups speed routine restores and seem convenient, but storing them inside the compromised production domain leaves them reachable by the attacker, so they cannot guarantee a clean rebuild.

Frequently asked questions

How many questions are on the SC-100 exam?
The Microsoft Cybersecurity Architect (SC-100) exam typically has 40 to 60 questions and runs for 120 minutes. The format is multiple choice, multiple response, and case studies, at a Pearson VUE testing center or online proctored.
What score do I need to pass SC-100?
The pass mark is 700 / 1000. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
How much does the SC-100 exam cost?
The exam costs 165 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
How does Examworthy help me prepare for SC-100?
Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
Is Examworthy affiliated with Microsoft?
No. Examworthy is not affiliated with or endorsed by Microsoft. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.

Examworthy is not affiliated with or endorsed by Microsoft. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. SC-100 and related marks belong to their respective owners.