SC-100 is about to receive a minor update, in the Design solutions for securing privileged access and Evaluate solutions for network security and Security Service Edge (SSE) sections. What are these changes?
In the Design solutions for securing privileged access section, the difference is the removal of the words on-premises before Active Directory. This might seem minor, but it’s been an annoyance of mine that “on-premises Active Directory” is used as a general term instead of just using “Active Directory”. ignoring the fact Active Directory can be deployed in VMs in the cloud, rather than purely being on-premises. In some cases the use of “on-premises Active Directory” is accurate, but they are only when you are referring to Active Directory deployments that are, you guessed it, on-premises!
In the Evaluate solutions for network security and Security Service Edge (SSE) section was updated to say Microsoft Entra Internet Access for Microsoft Services, which is a broader reference to the supported Microsoft networking endpoints, instead of just referring to the endpoints as being for Microsoft 365.
The biggest challenges I hear about from people who are preparing for this exam, or have attempted it, is that they usually encounter something that they aren’t aware of, or at least aren’t very familiar with it. This is usually a byproduct of perhaps having strong skills in some areas of the exam, but not necessarily having exposure to other things the exam includes.
The easiest example to illustrate this could be someone who works on Azure solutions, but with very little Microsoft 365 exposure, or vice versa, which is very common in some organisations. If we convert that into what you really should be doing with this exam is making sure you aren’t just looking at the exam descriptions for topics you should be aware of but also make sure you are looking closely at the MCRA diagrams to make sure there isn’t anything lurking that you may not be aware of.
Additions in the July 2024 update
- Design a solution for centralized logging and auditing, including Microsoft Purview Audit
- Evaluate an access review management solution that includes Microsoft Entra Permissions Management
- Evaluate the security and governance of on-premises Active Directory Domain Services (AD DS), including resilience to common attacks
- Specify requirements and priorities for a posture management process that uses Exposure Management attack paths, attack surface reduction, security insights, and initiatives
- Evaluate Windows Local Admin Password Solution (LAPS) solutions
- Evaluate solutions that include Azure AI Services Security
- Evaluate network designs to align with security requirements and best practices
- Evaluate solutions that use Microsoft Entra Internet Access as a secure web gateway
- Evaluate solutions that use Microsoft Entra Internet Access to access Microsoft 365, including cross-tenant configurations
- Evaluate solutions that use Microsoft Entra Private Access
- Evaluate solutions for securing data in Microsoft 365 by using Microsoft Purview
- Evaluate data security and compliance controls in Microsoft Copilot for Microsoft 365 services
- Evaluate device management solutions that include Microsoft Intune
Summarising some of the differences here, one of the first things that jumped out to me was that Purview as being referenced more directly. Previously in this exam if there were references to logging, it was probably safe to assume that is was most likely using Log Analytics, Azure Monitor and Sentinel for log collection and analysis, but now Purview’s Audit capabilities are being mentioned as well. This means you need to be comfortable with the Standard and Premium offerings.
Four of the items in the list fall are from a new category under the Design security solutions for infrastructure objective domain, Evaluate solutions for network security and Security Service Edge (SSE). This isn’t completely new to the exam, as Global Secure Access was added to the exam objectives previously. What is new is that these items are being called out specifically.
The final thing thing I want to discuss in terms of changes is that this is the first time that Intune is being specifically mentioned in the exam description. This doesn’t mean that it’s new to the exam, as it was covered under different topics previously, but people may not have realised it. The change means that people won’t be as surprised to hear about Intune being part of the exam, which is something that I know caught some people off guard in the past.
There are obviously other changes, based on the list that I’ve provided, so make sure you focus on those as well if you are already well into your exam preparation.
Design solutions that align with security best practices and priorities (20–25%)
Design a resiliency strategy for ransomware and other attacks based on Microsoft Security Best Practices
- Design a security strategy to support business resiliency goals, including identifying and prioritizing threats to business-critical assets
- Design solutions for mitigating ransomware attacks, including prioritization of BCDR and privileged access
- Design solutions for business continuity and disaster recovery (BCDR), including secure backup and restore for hybrid and multicloud environments
- Evaluate solutions for security updates
Design solutions that align with the Microsoft Cybersecurity Reference Architectures (MCRA) and Microsoft cloud security benchmark (MCSB)
- Design solutions that align with best practices for cybersecurity capabilities and controls
- Design solutions that align with best practices for protecting against insider, external, and supply chain attacks
- Design solutions that align with best practices for Zero Trust security, including the Zero Trust Rapid Modernization Plan (RaMP)
Design solutions that align with the Microsoft Cloud Adoption Framework for Azure and the Azure Well-Architected Framework
- Design a new or evaluate an existing strategy for security and governance based on the Microsoft Cloud Adoption Framework (CAF) for Azure and the Microsoft Azure Well-Architected Framework
- Recommend solutions for security and governance based on the the Microsoft Cloud Adoption Framework for Azure and the Well-Architected Framework
- Design solutions for implementing and governing security by using Azure landing zones
- Design a DevSecOps process that aligns with best practices in the Microsoft Cloud Adoption Framework (CAF)
Design security operations, identity, and compliance capabilities (25–30%)
Design solutions for security operations
- Design a solution for detection and response that includes extended detection and response (XDR) and security information and event management (SIEM)
- Design a solution for centralized logging and auditing, including Microsoft Purview Audit
- Design monitoring to support hybrid and multicloud environments
- Design a solution for security orchestration automated response (SOAR), including Microsoft Sentinel and Microsoft Defender XDR
- Design and evaluate security workflows, including incident response, threat hunting, and incident management
- Design and evaluate threat detection coverage by using MITRE ATT&CK matrices, including Cloud, Enterprise, Mobile, and industrial control systems (ICS)
Design solutions for identity and access management
- Design a solution for access to software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), hybrid/on-premises, and multicloud resources, including identity, networking, and application controls
- Design a solution for Microsoft Entra ID, including hybrid and multi-cloud environments
- Design a solution for external identities, including business-to-business (B2B), business-to-customer (B2C), and decentralized identity
- Design a modern authentication and authorization strategy, including Conditional Access, continuous access evaluation, risk scoring, and protected actions
- Validate the alignment of Conditional Access policies with a Zero Trust strategy
- Specify requirements to harden Active Directory Domain Services (AD DS)
- Design a solution to manage secrets, keys, and certificates
Design solutions for securing privileged access
- Design a solution for assigning and delegating privileged roles by using the enterprise access model
- Evaluate the security and governance of Microsoft Entra ID, including Microsoft Entra Privileged Identity Management (PIM), entitlement management, and access reviews
- Evaluate the security and governance of Active Directory Domain Services (AD DS), including resilience to common attacks
- Design a solution for securing the administration of cloud tenants, including SaaS and multicloud infrastructure and platforms
- Design a solution for cloud infrastructure entitlement management that includes Microsoft Entra Permissions Management
- Evaluate an access review management solution that includes Microsoft Entra Permissions Management
- Design a solution for Privileged Access Workstation (PAW), including remote access
Design solutions for regulatory compliance
- Translate compliance requirements into security controls
- Design a solution to address compliance requirements by using Microsoft Purview
- Design a solution to address privacy requirements, including Microsoft Priva
- Design Azure Policy solutions to address security and compliance requirements
- Evaluate and validate alignment with regulatory standards and benchmarks by using Microsoft Defender for Cloud
Design security solutions for infrastructure (25–30%)
Design solutions for security posture management in hybrid and multicloud environments
- Evaluate security posture by using Microsoft Defender for Cloud, including the Microsoft cloud security benchmark (MCSB)
- Evaluate security posture by using Microsoft Secure Score
- Design integrated security posture management solutions that include Microsoft Defender for Cloud in hybrid and multi-cloud environments
- Select cloud workload protection solutions in Microsoft Defender for Cloud
- Design a solution for integrating hybrid and multicloud environments by using Azure Arc
- Design a solution for Microsoft Defender External Attack Surface Management (Defender EASM)
- Specify requirements and priorities for a posture management process that uses Microsoft Security Exposure Management attack paths, attack surface reduction, security insights, and initiatives
Design solutions for securing server and client endpoints
- Specify security requirements for servers, including multiple platforms and operating system
- Specify security requirements for mobile devices and clients, including endpoint protection, hardening, and configuration
- Specify security requirements for IoT devices and embedded systems
- Evaluate solutions for securing operational technology (OT) and industrial control systems (ICS) by using Microsoft Defender for IoT
- Specify security baselines for server and client endpoints
- Evaluate Windows Local Admin Password Solution (LAPS) solutions
Specify requirements for securing SaaS, PaaS, and IaaS services
- Specify security baselines for SaaS, PaaS, and IaaS services
- Specify security requirements for IoT workloads
- Specify security requirements for web workloads
- Specify security requirements for containers
- Specify security requirements for container orchestration
- Evaluate solutions that include Azure AI Services Security
Evaluate solutions for network security and Security Service Edge (SSE)
- Evaluate network designs to align with security requirements and best practices
- Evaluate solutions that use Microsoft Entra Internet Access as a secure web gateway
- Evaluate solutions that use Microsoft Entra Internet Access for Microsoft Services, including cross-tenant configurations
- Evaluate solutions that use Microsoft Entra Private Access
Design security solutions for applications and data (20–25%)
Evaluate solutions for securing Microsoft 365
- Evaluate security posture for productivity and collaboration workloads by using metrics, including Microsoft Secure Score
- Evaluate solutions that include Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps
- Evaluate device management solutions that include Microsoft Intune
- Evaluate solutions for securing data in Microsoft 365 by using Microsoft Purview
- Evaluate data security and compliance controls in Microsoft Copilot for Microsoft 365 services
Design solutions for securing applications
- Evaluate the security posture of existing application portfolios
- Evaluate threats to business-critical applications by using threat modeling
- Design and implement a full lifecycle strategy for application security
- Design and implement standards and practices for securing the application development process
- Map technologies to application security requirements
- Design a solution for workload identity to authenticate and access Azure cloud resources
- Design a solution for API management and security
- Design solutions that secure applications by using Azure Web Application Firewall (WAF)
Design solutions for securing an organization’s data
- Evaluate solutions for data discovery and classification
- Specify priorities for mitigating threats to data
- Evaluate solutions for encryption of data at rest and in transit, including Azure Key Vault and infrastructure encryption
- Design a security solution for data in Azure workloads, including Azure SQL, Azure Synapse Analytics, and Azure Cosmos DB
- Design a security solution for data in Azure Storage
- Design a security solution that includes Microsoft Defender for Storage and Microsoft Defender for Databases
intunedin.net 