SC-200 Practice Questions

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

 Log Analytics workspace to use: LA1

 Windo ws security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace , you should select the existing workspace LA1 . Defender for Cloud best practic es recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the l evel of Windows Security Events collected: Minimal , Common , or All Events . The business requirement calls for logs that provide a full audit trail of user activities . In Microsoft guidance, All Events is the level intended for comprehensive auditing (inclu ding logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose Al l Events .

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1️ ⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️ ⃣ Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e

C.  

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a D

C.  

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.