SC-100 · Question #164
SC-100 Question #164: Real Exam Question with Answer & Explanation
The correct answer is A: From Azure Backup, configure multi-user authorization by using Resource Guard.. {"question_number": 8, "correct_answer": "A", "explanation": "Multi-user authorization (MUA) using Resource Guard adds a second layer of protection to critical Azure Backup operations such as deleting backups or disabling soft delete. Resource Guard should be placed in a separate
Question
You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain. You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS). You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices. You need to ensure that a compromised administrator account cannot be used to delete the backups. What should you do?
Options
- AFrom Azure Backup, configure multi-user authorization by using Resource Guard.
- BFrom Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
- CFrom a Recovery Services vault, generate a security PIN for critical operations.
- DFrom Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the
Explanation
{"question_number": 8, "correct_answer": "A", "explanation": "Multi-user authorization (MUA) using Resource Guard adds a second layer of protection to critical Azure Backup operations such as deleting backups or disabling soft delete. Resource Guard should be placed in a separate Azure subscription under different administrator control from the Recovery Services vault. Any critical backup operation then requires an authorization token from the Resource Guard resource-meaning a compromised administrator account that controls the backup vault alone cannot delete backups without also controlling the separate Resource Guard resource. This is the Microsoft-recommended ransomware protection pattern for backups. Registering MABS with a vault (B) is a setup step, not a deletion protection control. The security PIN (C) adds some protection for on-premises backup servers but is less robust than MUA. Entra PIM role assignments (D) control when privileged access is active but do not independently prevent a compromised account from exercising already-assigned backup deletion rights.", "generated_by": "claude-sonnet", "llm_judge_score": 4}
Topics
Community Discussion
No community discussion yet for this question.