SC-100 Question #159: Real Exam Question with Answer & Explanation

Question

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019. You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application. Which security control should you recommend?

Options

• Aapp discovery anomaly detection policies in Microsoft Defender for Cloud Apps
• BAzure AD Conditional Access App Control policies
• Cadaptive application controls in Defender for Cloud
• Dapp protection policies in Microsoft Endpoint Manager

Explanation

{"question_number": 3, "correct_answer": "C", "explanation": "Adaptive application controls in Microsoft Defender for Cloud use machine learning to analyze the applications running on your Azure VMs and generate recommended application allowlists. When set to Enforce mode, unauthorized applications are blocked via AppLocker or Windows Defender Application Control (WDAC) until an administrator reviews and authorizes them. This feature is purpose-built for controlling which applications can run on Azure VMs. App discovery in Defender for Cloud Apps (A) deals with SaaS/shadow IT discovery, not VM process control. Azure AD Conditional Access App Control (B) governs access to cloud apps via session policies, not OS-level application execution. App protection policies in Endpoint Manager (D) manage mobile app data protection on devices, not server application allowlisting.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.