SC-100

Selected Answer: C
Questions have been updated - recently took exam and around 80% of the questions on it are in here.

Selected Answer: C
C is the Correct Option
I’ve tried a few mock test platforms, but Examforsure stood out. Their content is top-notch and very similar to what you see on the actual exam.

The questions may be updated, based on the new developments that have emerged in the sector: the main sections of the exam, 4 in total, are the same, I checked the official study guide of the exam, but within each individual section there have been changes, as you can verify by reading the "change log" section published in the official study guide of the exam: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-100

Selected Answer: C
Hello, 63 questions in total, 140 minutes of time, 5 questions from the case study and 3 questions from the series that concerns the same scenario; at least 5 questions outside of examtopics, but this collection is still valid. Keep in mind that from April 21st this exam will be updated

Is that true? even with contributor access??

Selected Answer: C
Admin please update the exam questions. 90% of them are outdated. I only saw 10% of given questions appear in my exam.

Selected Answer: C
Took the exam today, and since this is the first question in this dumb I am providing my feedback here.
For this exact question, this was in the exam, so this is not outdated. Generally this dumb is covering every topic, even the Global secure access, so if you read the questions, check the answers and you are familiar the Azure Well-Architected Framework, RaMP, MCRA and SAF you are good to go. In real word you need to check the documentation on a regular basis anyway

Selected Answer: C
Outdated questions. More than 70% of the exam questions are missing.

Do the questions/answers vary a lot, or are they similar and by studying these can we deduce? :(

Selected Answer: C
there are many new questions, please prepare well ..

Selected Answer: C
In December 2024, have the questions changed a lot, or is this questionnaire up to date?

I got quite a few new questions. I strongly recommend you to go through Microsoft's free test exam as well and make sure that you really understand the questions and answers.

Selected Answer: C
Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:

 Detect overexposed personal data so that users can secure it.
 Spot and limit transfers of personal data across departments or regional borders.
 Help users identify and reduce the amount of unused personal data that you store.

https://learn.microsoft.com/en-us/privacy/priva/risk-management-policy-data-minimization
Data minimization policies focus on the age of your content and how long it has been since it was last modified. Monitoring for personal data that's still being retained in older, unused content can help you better manage your stored data and reduce risks.

Privacy Risk Management allows you to create policies to monitor data that hasn't been modified within a timeframe that you select. When a policy match is detected, you can send users email notifications with remediation options include marking items for deletion, notifying content owners, or tagging items for further review.

https://learn.microsoft.com/en-us/privacy/priva/risk-management-notifications
Sending notifications to users can be an important component in helping your organization meet its privacy goals. The notifications are designed to:
- Bring immediate awareness to users when their actions could expose personal data to privacy risks.
- Provide remediation methods directly within the emails, so that users can take swift action to protect data at risk.
- Direct users to your organization's privacy guidelines and best practices.

Informing users of potential issues in the moment, and empowering them to remediate issues and refresh their skills, can be powerful tools for building sound data handling practices across your organization.

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/privacy/priva/risk-management
Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:
- Detect overexposed personal data so that users can secure it.
- Spot and limit transfers of personal data across departments or regional borders.
- Help users identify and reduce the amount of unused personal data that you store.

Selected Answer: C
Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:

Detect overexposed personal data so that users can secure it.
Spot and limit transfers of personal data across departments or regional borders.
Help users identify and reduce the amount of unused personal data that you store.

https://learn.microsoft.com/en-us/privacy/priva/risk-management

Microsoft Viva Insights is a solution that can enhance privacy management in a Microsoft 365 environment. Viva Insights provides employees with insights and guidance on how they are using collaboration tools, such as Microsoft Teams, to handle personal data. This can help employees make smart data handling decisions and minimize privacy risks. Viva Insights can also provide notifications and guidance when personal data is sent in Teams, helping to ensure compliance with privacy regulations. Additionally, Viva Insights can provide recommendations for mitigating privacy risks, further enhancing privacy management within the working environment.

Require (Enterprise Mobility + Security E3, Office E3, or Microsoft 365 E3 or E5 license) to purchase any compliance and data governance solutions.

Difference between Priva and Purview

Key features of Microsoft Priva Privacy Risk Management is to Assess your organization's privacy posture.
how much personal data exists in the environment, where it's located, how it moves, and the privacy risks detected.

Microsoft Purview automates data discovery by providing data scanning and classification for assets across your data estate. 
Metadata and descriptions of discovered data assets are integrated into a holistic map of your data estate.

Selected Answer: C
Priva is for Privacy handling & mgmt

c and d is correct, fileshare needs onprem AD.

Answer is Correct, . Privacy Risk Management in Microsoft Priva

Priva is correct:
https://www.microsoft.com/en-us/security/business/privacy/microsoft-priva-risk-management

You're thinking of Purview

Selected Answer: C
It means Perview. Priva is misspelled but that's the correct answer.

Your company has a Microsoft 365 ES subscription.
The Chief Compliance Officer plans to enhance privacy management in the working environment.
You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?

Box 1: Data connectors -
Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel.
Launch a WAF workbook (see step 7 below)
The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource.
To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:
1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped)
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel under Configuration select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously. A working WAF workbook should now exist for your WAF resources.

Box 2: The Log Analytics agent -
Use the Log Analytics agent to integrate with Microsoft Defender for cloud.

The Log Analytics agent is required for solutions, VM insights, and other services such as Microsoft Defender for Cloud.
Note: The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You may choose to use either or both depending on your requirements.

Azure Log Analytics agent -
Use Defender for Cloud to review alerts from the virtual machines.
The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any cloud, on-premises machines, and those monitored by System
Center Operations Manager and sends collected data to your Log Analytics workspace in Azure Monitor.
Incorrect:
The Azure Diagnostics extension does not integrate with Microsoft Defender for Cloud.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

For WAF - in Sentinel we have Data Conenctor 

For the VM - we have to install the Log analytics agent in teh VM in the cloud or on premises 
The ans is correct

Taken exam Jan 2025 - Log Analytics Agent was not in the options anymore. Only 4 options remaining what could be the ans?

Now we can also use data connectors on VM which automatically install Azure Monitor Agent

in Exam Nov 2023 1. Data Connectors 2. Log analytics agent

1. Data connectors 
2. Log Analytics agent

I hate it when questions mention Azure Diagnostics extension...

(As an example) Setup the Diagnostic Settings in Azure AD to stream data to a Log Analytics workspace that hosts Sentinel, you will notice that the Azure AD connector becomes enabled.
I know this would make more sense to just say 'enable the connector', but it's technically correct as well if you stream it to LA; it works the same as if it was a data connector to Sentinel.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/working-with-log-analytics-agent
https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent

1. Data connectors
2. Log Analytics agent (but should use Azure Monitor Agent now)

https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/azure-web-application-firewall-waf

https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate

No. It is not just a new name. Those are two completely different monitoring agents that in some cases can and need to both be installed. They can do similar things though.

Correct Answers
New name for Log Analytics Agent - Azure Monitoring Agent

Incorrect (although not relevant for the question): if you put AzFW premium before AppGW, you will not be able to inspect TLS traffic, unless you find a way to install your own private CA in every one of your app client devices so that they trust the self-signed certificates that AzFW generates on the fly to decrypt TLS.

It depends (premium SKU has application level filtering properties but not WAF).Both pattern works it depends where the public exposure is agreed in the APP GW or FW. Have seen more patterns to keep the APP GW behind FW; in which case only the private listener of APP GW is activated and public one even if reachable will just drop any connection requests.

it depends on the requirement, please refer here for reference https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

Nobody will comment that the azure firewall (premium) should be BEFORE the application gateway?

HOTSPOT -
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.
The company is designing an application that will have the architecture shown in the following exhibit.
//IMG//

You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
✑ Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
✑ Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
//IMG//

agree as i donot see any Splunk data connector in Sentinel and also no Azure Http PI connector in Sentinel

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

if data need to go to splunk then event hub.
https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

Thats the point .Read the Question

"...send security events FROM Microsoft Sentinel TO Splunk."

So it cant be an data connector

Selected Answer: B
B. Data connectors are for receiving data not to send data

Azure Event Hub is the correct answer.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Selected Answer: B
Azure Event Hubs.
"to send security events from Microsoft Sentinel to Splunk"
https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html - Event Hubs can process data or telemetry produced from your Azure environment. They also provide us a scalable method to get your valuable Azure data into Splunk! 
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029 - Another option would be to implement a Side-by-Side architecture with Azure Event Hub.
Not a Microsoft Sentinel data connector - Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs 'from' Splunk platform using the Azure HTTP

Answer B
Preparation : The following tasks describe the necessary preparation and configurations steps.

Onboard Azure Sentinel
Register an application in Azure AD
Create an Azure Event Hub Namespace
Prepare Azure Sentinel to forward Incidents to Event Hub
Configure Splunk to consume Azure Sentinel Incidents from Azure Event Hub
Using Azure Sentinel Incidents in Splunk

Selected Answer: B
B. Events Hubs | Azure Event Hubs can be used to buffer and route events between Microsoft Sentinel and Splunk. This option provides scalability and reliability in handling high volumes of security events.

Selected Answer: B
I must say that I do think it's strange and unusual for a Microsoft exam to have a scenario where data is going from their own product to a third party's. It's to my experience always the other way. 

Therefor I suspect that it could be a typo saying "from Sentinel to Splunk". 
It's more likely to be "to Sentinel from Splunk". I.e. Sentinel Data connectors

If appearing on a test make sure to read carefully...

Selected Answer: A
To send security events from Microsoft Sentinel to Splunk, you should use a Microsoft Sentinel data connector. Data connectors in Microsoft Sentinel are used to export security events and logs to external systems, and Splunk is a supported destination for these connectors.

So, the correct recommendation is:

A. a Microsoft Sentinel data connector

Rule of thumb - always go with most votes!!

To send security events from Microsoft Sentinel to Splunk, you would typically use Azure Event Hubs as the messaging service that can integrate with both solutions. Azure Event Hubs can be used to collect and stream event data into various services, and it's suitable for integration with third-party SIEM solutions like Splunk.

So, the correct answer to include in the recommendation would be:

B. Azure Event Hubs.

Selected Answer: B
my 2 cents:
given the options to chose from - I would go for event hub. 
I would imagine the best solution in this case would be Microsoft Graph Security API Add-On for Splunk
https://splunkbase.splunk.com/app/4564

Selected Answer: B
B is the answer.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-to-qradar-and-splunk

There is a distinction between data connectors for receiving ( <a href="https://reminiapk.org/">ai</a>) data and data connectors for sending data

The recommended solution to send security events from Microsoft Sentinel to Splunk is to use a Microsoft Sentinel data connector. This is because Microsoft Sentinel data connectors are designed to send security events to external systems, such as Splunk, in real-time. By using a data connector, you can easily configure the integration and define which events to send to Splunk based on your organization's needs. Azure Event Hubs is not the best option for this scenario because it is used to stream large amounts of data to other services and may not provide the required security and filtering capabilities for security events. A Microsoft Sentinel workbook is not designed for sending data to external systems, but rather for visualizing and analyzing data within the Microsoft Sentinel environment. Azure Data Factory is a data integration service that allows you to create data pipelines and move data between different systems, but it is not designed for sending security events from Microsoft Sentinel to Splunk.

I think the correct answer is B(Event Hub) and not A(Data connector).

The requirement mentioned in the question is Sentinel to send events to Splunk whereas Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API. 

For sentinel to send the events to Splunk - we need to use Event hub. Refer more here on this techcommunity link.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

The question asks about sending data from Sentinel to Splunk which is Event Hub. The referenced Splunk Addon and a data connector are for importing Splunk data into Sentinel. See add-on description "Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API. "

Selected Answer: A
To send security events from Microsoft Sentinel to Splunk, you should include a Microsoft Sentinel data connector in the recommendation. This will allow you to forward the events to Splunk using a secure and reliable channel.

To set up the integration, you can create a new data connector in Sentinel and select the "Send to Splunk" option. You will need to provide the Splunk server details and configure the mapping of the fields in the event data. Once the connector is set up, you can start forwarding the events from Sentinel to Splunk for further analysis and correlation with other security data.

Selected Answer: B
Microsoft defines Azure Event Hubs as “a big data streaming platform and event ingestion service”. Most services inside of Azure, and some services outside of Azure, integrate with Event Hubs. 

https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data

I'll go with A.

Option B (Azure Event Hubs) and Option D (Azure Data Factory) are not suitable solutions for sending security events from Microsoft Sentinel to Splunk, as they are focused on data ingestion and processing rather than data integration between two SIEM solutions.

Option C (a Microsoft Sentinel workbook) is also not a suitable solution for this scenario, as a workbook is a type of report or dashboard that provides insights into security data, but it does not provide the capability to send data from Sentinel to Splunk.

The question and the supposed correct answers contradict themselves. Sticking to the question we're trying get Sentinel logs into Splunk, which requires an event hub

The question is about send, not receive. Event HuB

Selected Answer: A
For sending security events from Microsoft Sentinel to Splunk, you can recommend using a Microsoft Sentinel data connector. This data connector allows you to export data from Microsoft Sentinel to a third-party SIEM solution such as Splunk, where it can be analyzed and used to enhance the overall security posture of your organization.

Selected Answer: B
The detailed implementation details is here:

Azure Sentinel Side-by-Side with Splunk via EventHub
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029
(1) Prepare Azure Sentinel to forward Incidents to Event Hub
(2) Configure Splunk to consume Azure Sentinel Incidents from Azure Event Hub

Sentinel Data connector is used to sent data to sentinel not export data from sentinel to Splunk

You're sending logs from sentinel to splunk not the other way around

A
Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API. Learn more about Microsoft Sentinel at https://aka.ms/microsoftsentinel Follow the setup and configuration

Selected Answer: B
Given answer is wrong as the solution need to go from Sentinel to Splunk

Selected Answer: B
I would assume connection is already done via LA, I would go for Event Hubs

Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API.

Not so simply put, because there is no Splunk connector and the direction of logs in the question is FROM Sentinel TO Splunk, usually for connectors the direction is to get the data FROM the log source. So, the answer is B and we also have several links to confirm it in this thread.
https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Selected Answer: A
You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.

to simply put 

Azure to Splunk = event hub
Sentinel to splunk = data connector

It asks "You need to recommend a solution to send security events from Microsoft Sentinel to Splunk."

To ingest logs from Azure to Splunk it's Event Hub. Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform

Selected Answer: B
Event Hub is the answer

Selected Answer: B
B. Azure Event Hubs Most Voted
any integrations via Azure Hub

Selected Answer: B
The following tasks describe the necessary preparation and configurations steps.

Onboard Azure Sentinel
Register an application in Azure AD
Create an Azure Event Hub Namespace
Prepare Azure Sentinel to forward Incidents to Event Hub
Configure Splunk to consume Azure Sentinel Incidents from Azure Event Hub
Using Azure Sentinel Incidents in Splunk

Selected Answer: B
It's definitely event hub

Selected Answer: B
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Selected Answer: B
Sending "security events" to Splunk --> Azure Event Hubs

Selected Answer: B
Disagree with the explanation. Link provided mentions data collector (in splunk) nothing about a data connector.

This answer is wrong. The questions say "send security events from Micorosoft Sentinel to Splunk". This can be done via Azure Event Hubs --> https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel.
You plan to integrate Microsoft Sentinel with Splunk.
You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.
What should you include in the recommendation?

Wrong. Defender for Endpoint alone does not directly mark a device as "compliant" in Conditional Access. Instead, it assesses the device's security state and shares that with Intune, which then determines compliance based on its policies. So the integration between Defender for Endpoint and Intune is critical to the compliance process. Microsoft Defender for Endpoint (MDE) integrates with Microsoft Intune through a compliance connector. This integration allows MDE to share device risk level data with Intune. Intune is the authority that determines and reports device compliance based on Defender for Endpoint’s input. It's a trick question.

Documents say otherwise!
https://learn.microsoft.com/en-us/azure/security/fundamentals/recover-from-identity-compromise#remediate-user-and-service-account-access

Selected Answer: AB
AB looks correct to me

A second thought ( why NEW conditional access policy??) so the ans seems wrong and the correct one looks like Microsoft intune reports the endpoints as compliant and The client access token are refreshed

Maybe the Conditional access already in place since he follow zero trust ? so i feel like it should be AB ?

In Identity to achieve zero trust ( we have to use Conditional access policy stating a condition as that the resource is compliant ) so i guess ans is correct ( whereas Intune is for configuring the compliance policy via MDM and MAM)

Conditional Access reaches out to Intune to check if a device is seen as compliant or not.
Intune will receive the risk score from Defender for Endpoint.
Devices have to be managed by Intune in order for Conditional Access to get the compliance check.

You're assuming endpoints are enrolled in Intune, and assuming is never a good idea in Microsoft exams.
The question says "The customer discovers ..." and "The customer suspends ...", there is nothing about Intune.

I don't think this is correct.

Zero Trust its reffering to Conditional Access, so would be

Microsoft Intune reports the endpoints as compliant.
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection

and I assume

The client access tokens are refreshed.

Selected Answer: AB
A. The client access tokens are refreshed. Once access is suspended (e.g., via Conditional Access), any existing tokens may still be valid. After remediation, refreshing the tokens ensures that the new compliant state is recognized and access can be restored.

 B. Microsoft Intune reports the endpoints as compliant. Intune is the authority that determines and reports device compliance based on Defender for Endpoint’s input. Defender for Endpoint alone does not directly mark a device as "compliant" in Conditional Access. Instead, it assesses the device's security state and shares that with Intune, which then determines compliance based on its policies. So the integration between Defender for Endpoint and Intune is critical to the compliance process.

Selected Answer: AD
Devices must be marked as compliant before Intune policies will allow them to access the network

Selected Answer: AC
• Enforce conditional access based on trusted devices. We recommend that you enforce location-based conditional access to suit your organizational requirements.
• Reset passwords after eviction for any user accounts that may have been compromised. 
• Revoke refresh tokens immediately after rotating your credentials.

https://learn.microsoft.com/en-us/azure/security/fundamentals/recover-from-identity-compromise#remediate-user-and-service-account-access

after further investigation, A and B are correct because MDE does not directly report endpoints as compliant in the same way that Microsoft Intune does. MDE provides detailed reports on device health, antivirus status, and threat protection, but compliance reporting is typically managed through Intune. Therefore A + B = Correct!

Selected Answer: BD
B. Microsoft Intune reports the endpoints as compliant: Intune ensures that the endpoints meet the organization's compliance policies, verifying that they are secure and properly configured.
https://learn.microsoft.com/en-us/security/zero-trust/deploy/endpoints

D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides advanced threat protection and ensures that the endpoints are free from malware and other security threats.
https://learn.microsoft.com/en-us/defender-endpoint/zero-trust-with-microsoft-defender-endpoint

These conditions help maintain the integrity of the Zero Trust model by ensuring that only secure and compliant endpoints can access corporate applications.

Selected Answer: BD
B. Microsoft Intune reports the endpoints as compliant: In a Zero Trust model, compliance is verified before granting access. Intune is used to manage device compliance policies, and the endpoints need to be reported as compliant to ensure they are safe for accessing corporate applications again.

D. Microsoft Defender for Endpoint reports the endpoints as compliant: Defender for Endpoint provides security management for endpoints. After the malware is removed, Defender must report that the endpoints are secure and compliant, ensuring that they are safe for access.

Selected Answer: AB
A. The client access tokens are refreshed
B. Microsoft Intune reports the endpoints as compliant

Agree, as per the links below, MS says:
n Intune, a device compliance policy is used with Microsoft Entra Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.

A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.

To resolve the risk found on a device, you need to return the device to a compliant state. A device returns to a compliant state when there's no risk seen on it.

Selected Answer: AB
Agree with the given answer

Tokens need to be refreshed, when a device is marked as incompliant. The access is revoked due to the incomliance state. Answer A

In Intune you configure the compliance policy. Within the compliance policy you configure the risk level for defender. Intune reports the compliance state as compliant, if the defender risk level is equal to or lower than the configured value. Answer B. 
Answer C: Is wrong
Answer D is incorrect, because Defender does not report compliance. It reports the client risk level.

Selected Answer: BD
Questions asks "which 2 conditions must be met". The answer is:

D: Defender must report the risk as being mitigated to Intune
B: Intune reports the device as compliant

Answer should be B and C from the below key points in the question and the reference conditional access link:

The customer discovers that several endpoints are infected with malware. - This comes under Microsoft intune compliance reporting.
The customer suspends access attempts from the infected endpoints. - Conditional access kicks in "when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated."
The malware is removed from the endpoints. - "an automated investigation and remediation process is launched."


https://learn.microsoft.com/en-us/defender-endpoint/conditional-access?view=o365-worldwide
<<Understand the Conditional Access flow>>

To ensure that endpoint users can access the corporate applications again after malware removal, the following two conditions must be met:

B. Microsoft Intune reports the endpoints as compliant: This ensures that the devices meet the organization’s compliance policies and are considered secure1.

D. Microsoft Defender for Endpoint reports the endpoints as compliant: This confirms that the endpoints are free from threats and meet the security requirements1.

Selected Answer: BD
Answer: B. Microsoft Intune reports the endpoint as compliant. D. Microsoft Defender for Endpoint reports the endpoint as compliant.

Reason: In a Zero Trust model, it is necessary to verify the security and compliance status of endpoints before they access corporate applications. Microsoft Intune and Microsoft Defender for Endpoint report the compliance status of endpoints and ensure that the endpoints are secure.

Reasons why other answers are different:
A. Client access tokens are refreshed: While refreshing tokens is important, it is not directly related to verifying the security status of endpoints.
C. A new Azure Active Directory (Azure AD) Conditional Access policy is applied: Conditional access policies help with access control but are not directly related to verifying the compliance status of endpoints.

According to this article, the answer should be BC and not BD.

Answer is BD
Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

Selected Answer: AD
Today, I read more about this question and eliminated given options based on the question scenario.. So, company uses zero trust model.. It already performed what needs to be done.. So, if some endpoints are malware infected and suspended to access company applications.. For re-access to applications (it says corporate applications not Microsoft 365 apps etc.) User's token needs to be refreshed and also Microsoft Defender for Endpoint also mark device healthy after scan etc.. So Options are;

A and D.

Update for given selection above:

Today, I read more about this question and eliminated given options based on the question scenario.. So, company uses zero trust model.. It already performed what needs to be done.. So, if some endpoints are malware infected and suspended to access company applications.. For re-access to applications (it says corporate applications not Microsoft 365 apps etc.) User's token needs to be refreshed and also Microsoft Defender for Endpoint also mark device healthy after scan etc.. So Options are;

A and D.

Selected Answer: AC
When you force option C, automatically Conditional Access combined with B and D options.. So, there is last option with option C that is A.

Selected Answer: BD
To ensure that endpoint users can access the corporate applications again after the malware removal, consider the following two conditions:

Microsoft Intune Reports Endpoints as Compliant (Option B):
Microsoft Intune is a cloud-based endpoint management solution that helps manage and secure devices.
After malware removal, the endpoints should be scanned and verified by Microsoft Intune to ensure compliance.
If Intune reports the endpoints as compliant, it indicates that they meet security and policy requirements, allowing users to access corporate applications.
Microsoft Defender for Endpoint Reports Endpoints as Compliant (Option D):
Microsoft Defender for Endpoint (formerly Windows Defender ATP) provides advanced threat protection for endpoints.
After malware removal, Microsoft Defender for Endpoint should verify that the endpoints are free from threats.
If Defender reports the endpoints as compliant, it confirms that they are secure and can safely access corporate resources.

Selected Answer: BD
ayadmawla's answer are correct.

Selected Answer: BD
BD - See: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

Defender needs to say that device is okay
InTune accepts the Defender report
Conditional Access let them in

Selected Answer: BD
not C: verify explicity is made by conditional access. So you already have a policy that requires enpoint is compliant
Not A. With CAE you don't need to wait access token expiration.
So I think it could be B and D:
Conditional Access verifies the compliance with Intune, cannot communicate directly with MDE. So MDE reports the endpoint as compliant. This info goes to intune that reports the endpoint as compliant and CA verify it.

if the endpoints were infected, then surely there was access to them. Therefore, the costomer must secure access to the endpoints. He can do that with CA Policies and he has to update the existing tokens. AC is the correct answer for me

I would go for AC. Not B - they don't mention Intune. Not D - as one of pre-requisites for seeing devices in health report is that they need to be onboarded to Microsoft Defender for Endpoint - they don't mention that. Also, according this kb: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide, you can only onboard OS: Win, MacOS and Linux. the question is not specific about the kind of endpoints - I think we shouldn't exclude mobile devices in this case.

Selected Answer: AB
A - Revoking all tokens is a standard security practice.
B - CA looks at Intune for device compliance, which in turn can be influenced by Def Endpoint or other MTM partner connections.

Selected Answer: BC
Once the conditional access is setup, the token will refresh. Token will also refresh after 8-12 hours of activity. Tokens are short lived so it cannot be the method of verification for long term solution.

Selected Answer: BD
For me it's B&D. Why? See what Microsoft says:

"The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there's no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy, which allows access to applications."

Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide

Well i see you guys are all wrong : 
the correct answer are :
B and D 

Option A In the given scenario, the conditions mentioned were focused on verifying the cleanliness and compliance of the endpoints after malware removal. So, while refreshing client access tokens can be beneficial for security, it is not one of the two specific conditions required in this scenario.

Furthermore, Intune is the appropriate choice b/c:
"A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications"

Selected Answer: AB
Best answers are A, B; my decision is based on MS guideline: "Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps."
https://www.microsoft.com/en-us/security/blog/2020/05/26/zero-trust-deployment-guide-for-devices/

Before endpoint users can access the corporate applications again, the following two conditions must be met:

Microsoft Intune reports the endpoints as compliant. This means that the endpoints meet the compliance requirements set by the organization.
Microsoft Defender for Endpoint reports the endpoints as compliant. This means that the endpoints have been scanned and no threats have been detected.

Selected Answer: AD
Based on the given scenario, the following two conditions must be met before endpoint users can access the corporate applications again:

A. The client access tokens are refreshed: When access is denied due to malware infection, the client access tokens become invalid. The tokens must be refreshed after malware removal to enable access again.

D. Microsoft Defender for Endpoint reports the endpoints as compliant: As the endpoints were infected with malware, they should be scanned by an endpoint protection solution like Microsoft Defender for Endpoint. The security team should ensure that the endpoints are reported as compliant by the endpoint protection solution before allowing access again.

Therefore, options A and D are the correct answers.

While both solutions can help ensure the security and compliance of endpoints, they have different capabilities and focus on different aspects of endpoint security. Microsoft Intune focuses on managing and securing mobile devices, while Microsoft Defender for Endpoint focuses on threat detection and response on endpoints.

Therefore, in this scenario, the customer needs to ensure that both Microsoft Intune and Microsoft Defender for Endpoint report the endpoints as compliant before allowing access to corporate applications again, as they serve complementary roles in endpoint security.

Selected Answer: BD
Microsoft Intune is a cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) capabilities, as well as conditional access and compliance policies. Microsoft Intune can help ensure that mobile devices, such as laptops and mobile phones, meet the organization's security and compliance requirements before allowing access to corporate resources.

On the other hand, Microsoft Defender for Endpoint is a unified endpoint protection platform that provides advanced threat protection and endpoint detection and response (EDR) capabilities. It can help detect and respond to threats, as well as prevent future attacks by providing security insights and recommendations.

You said "connect the device to intune (Answer A) and defender for endpoint (Answer D) and perform a scan". So why did choose answer A and not D?
Intune requires more setup and configuration than Defender for endpoint.

It is A and B

The device is infected so a new token to be generated as previous token is already exposed. a refresh token can be used to generate a new access token. So A is correct.

Zero Trust is based on 3 principles:

1. Assume Breach
2. Verify Explicitly
3. Principles of Least Privilege

Azure AD conditional access policy is already in place as it’s a mandatory to verify the user explicitly, moreover question confirms this stating that user explicitly verifies the devices, so we don’t need a new one. 
What’s required here is to connect the device to intune and defender for endpoint and perform a scan for vulnerabilities, this will help to measure the device compliance against the known vulnerabilities if it’s fixed.

An advice I can give you and all the ChatGPT pieps out here: Don't use GPT to study you exam. It gives allot of wrong answers and does not has the capability to understand the sneaky questions Microsoft asks on the exam. Take your knowledge from studying the Learn sites and Microsoft docs sites. Also use a lab to test and double check everything. 

Success with the exam!

ChatGTP:
While access tokens (option A) can be used to authenticate and authorize users, refreshing them is not necessary in this scenario. The issue at hand is that some endpoints were infected with malware, and the customer needs to ensure that the endpoints are clean before allowing access again. Refreshing access tokens would not directly address this concern.

Similarly, while creating a new Azure AD Conditional Access policy (option C) may be useful in other scenarios, it is not directly related to the issue of infected endpoints. The customer needs to ensure that the endpoints are clean and meet the compliance requirements set by Microsoft Intune and Microsoft Defender for Endpoint before allowing access to corporate applications again.

Selected Answer: BD
BD looks correct to me. Because,
In order to follow the Zero Trust model, the customer needs to verify each attempt to access its corporate applications. If several endpoints are infected with malware and access attempts are suspended, the two conditions that must be met before the endpoint users can access the corporate applications again are:

B. Microsoft Intune reports the endpoints as compliant, meaning that the endpoint management solution has verified that the endpoint is secure and meets the required security standards.
D. Microsoft Defender for Endpoint reports the endpoints as compliant, meaning that the endpoint security solution has verified that the endpoint is free of malware and any other security threats.
Once both of these conditions are met, the customer can restore access to the corporate applications from the endpoints.

Definetly A. The client access tokens are refreshed. ( as tokens Was compromise) and and B. we need to have proof of healthy resources when MDE will be clean Intune will assume compliant state on endpoint.

Selected Answer: AC
Based on the question no Intune or MDE is specified (could be any endpoint or management solution) so my guess is related only to CA policy and Access Token refresh

NM - question says the customer "suspends access attempts" - it doesn't clearly state the access was blocked. Only that the access attempts were suspended. The best answer may be "AD".

Possibly CD -- the question states the customer removed access to the applications after discovering the endpoints were compromised (manually adding a block? - access policy?) and Microsoft Defender for Endpoint reports on compliance of the endpoint. See the following link: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/new-device-health-reporting-for-microsoft-defender-for-endpoint/ba-p/3589287

Selected Answer: BC
Question already states that session has already been revoked. So there is no need for A. Will go with B and C, since you need to enforce CA that Intunes needs to be compliant to access the app.

A & B for me. A "new" CA policy is irrelevant to allowing access in this context (it should already be in place if there is one). Once remediated and compliant, the device will need the refresh token to get access again.

BD seems to be correct. By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days. The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.

In order for the non-compliant device to be unblocked from accessing the tenant, Defender for Endpoint must first confirm compliance with the computer risk specified in the compliance policy. Then Intune will mark the device as compliant and the Conditional Access policy will grant access the tenant.

Selected Answer: AC
A and C is correct, the question is about Access to application not Endpoint. 
endpoint is already remediated and conditional access policy can check if device is compliant before granting access

Selected Answer: AB
It is either AB or AC depending how the customer detected maleware and blocked.
AB: Intune detected malware and blocks as non-complient.
AC: Customer manually blocked theses devices with a conditional access policy, just not allowing these devices at all.
I think the question is not as well written but probably it is AB

Answers: B,C
Using conditional access policies we can allow access to cloud apps only from compliant devices. To use this feature the devices have to be Intune compliant (so we need Intune). An Intune compliance policy for Windows devices can require to have an antivirus active and the signatures up to date.
We have to invalidate refresh tokens when an identity is compromised, and we want to reset all sessions. There are no references in the question that any identity was compromised.

Selected Answer: AC
AC seems right, since issue is several endpoints from a specific location.

Selected Answer: AB
Maybe the Conditional access already in place since he follow zero trust ? so i feel like it should be AB ?

why not Microsoft Defender for Endpoint reports the endpoints as compliant? I think it should also work.

Selected Answer: AB
A NEW Conditional Access policy is enforced cannot be correct, since a sufficient Conditional Access policy must've already existed. 
Intune would need to report the devices as compliant again (using feeds from Defender for Endpoint) which would in turn enables the device to obtain a new Client Access Token.

Selected Answer: AB
Mobile device management (MDM) solutions like Intune can help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called compliance policies.

i mean, when enforcing a CA policy, that policy would usually contain a requirement of device compliancy which requires intune to mark the device as compliant before passing the CA check.

Selected Answer: AC
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens?source=recommendations
This question is about securing access to applications, not endpoint hardening. Once malware is removed, a NEW conditional access policy would be needed (if there was one previously, it wasn't good enough to prevent malware) and tokens must be refreshed per the identity platform access documentation.
The question does not mention Intune. Even though Intune is a fantastic MDM system, it is not required by this scenario.

I think the answer is right: Primary Refresh Token (PRT)/Access Token with Conditional Access. When conditional access evaluation kicks off it will need to check the DeviceID to be certain if the device is who it says it is.

The device will request a new Access token by using the PRT (with probably the deviceID information in it) to get access to the specific requested service. After authentication, conditional Access will check the token and uses the deviceId attribute from it to check if the device is compliant by using the “isCompliant” information from Azure AA. 
https://call4cloud.nl/2021/08/the-death-of-compliance/

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.
The customer discovers that several endpoints are infected with malware.
The customer suspends access attempts from the infected endpoints.
The malware is removed from the endpoints.
Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Box 1: Onboard the servers to Defender for Cloud.
Extended detection and response (XDR) is a new approach defined by industry analysts that are designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.
As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive
XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.
Box 2: Configure Microsoft Sentinel playbooks.
As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response and remediation tasks that are the responsibility of
Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats.
Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation to your threat response tasks.
Reference:
https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377

I agree with the answer but the explanation and links are not very good. For SOAR read this https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks

Endpoint detection and response (EDR) and eXtended detection and response (XDR) are both part of Microsoft Defender. https://docs.microsoft.com/en-us/microsoft-365/security/defender/eval-overview?view=o365-worldwide

Vms will use agent less to onboard to defender the connector needed for sentinel before automation

1. Onboard the servers to Defender for Cloud
2. Configure Microsoft Sentinel playbooks

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually on-demand on entities (in preview - see below) and alerts, or set to run automatically in response to specific alerts or incidents, when triggered by an automation rule.

answer is correct:
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC

https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows

Correct. But the acronym for extended detection and response is (XDR) not (EDR) which refers to Endpoint detection and response.

HOTSPOT -
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains a Microsoft Sentinel workspace. Microsoft Sentinel data connectors are configured for Microsoft 365, Microsoft 365 Defender,
Defender for Cloud, and Azure.
You plan to deploy Azure virtual machines that will run Windows Server.
You need to enable extended detection and response (EDR) and security orchestration, automation, and response (SOAR) capabilities for Microsoft Sentinel.
How should you recommend enabling each capability? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
//IMG//

.css-1hohgv6{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;gap:0px;}Exam.css-1cp477w{color:#4285F4;}Prepper

Exam
Prepper