A security architect must remove a long-standing risk where every Windows server and workstation in a hybrid estate shares an identical, rarely rotated built-in local administrator password, giving an attacker who cracks one device lateral movement to all of them. The design must automatically randomise and rotate each device's local administrator password and store it so that only authorised staff can retrieve it. Which capability should the architect specify to meet this requirement?
- A. Windows Local Administrator Password Solution, configured to automatically randomise and rotate each device's built-in local administrator password and store it in the directory so that only authorised staff can retrieve the current value. (Correct)
- B. Microsoft Entra Privileged Identity Management, configured to grant just-in-time, time-bound activation of the local administrator role on each Windows device so that standing local administrator credentials are eliminated across the estate.
- C. Microsoft Entra Conditional Access, configured with device-compliance policies so that the shared local administrator account cannot sign in from a device that fails its posture checks across the estate.
- D. Microsoft Defender for Endpoint, configured with attack surface reduction rules so that misuse of the shared local administrator account is blocked and rotated automatically across every onboarded Windows device.
Why A is correct: Windows LAPS is purpose-built to set a unique, automatically rotated local administrator password per device and back it up to Microsoft Entra ID or Active Directory with controlled retrieval, which directly removes the shared-password lateral movement risk.
Why B is wrong: Privileged Identity Management is tempting because it governs privileged role activation, but it brokers just-in-time access to directory and Azure roles rather than randomising and rotating the per-device built-in local administrator password that this requirement targets.
Why C is wrong: Conditional Access is appealing because it gates sign-in by device posture, but it evaluates access to cloud and federated resources rather than randomising or rotating the local administrator password stored on each Windows device itself.
Why D is wrong: Defender for Endpoint is tempting as the device protection plane, but it detects and reduces attack surface rather than managing or rotating local account passwords, so it does not satisfy the credential-rotation requirement.