SC-100 Question #211: Real Exam Question with Answer & Explanation

Question

Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a hybrid deployment between a Microsoft Exchange Server 2019 organization and an Exchange Online tenant. The AD DS domain contains a group named Group1. Group1 is a member of the Organization Management role group for the Exchange deployment. You have a Microsoft 365 E5 subscription that uses Microsoft Defender. You have an Azure subscription that uses Microsoft Sentinel. You need to recommend a solution to ensure that Group1 is marked as a sensitive group and that any changes made to Group1 raises an alert in Microsoft Sentinel. The solution must minimize administrative effort. What should you include in the recommendation?

Options

• AMicrosoft Defender for Identity
• BMicrosoft Entra ID Protection
• CMicrosoft Entra Privileged Identity Management (PIM)
• DMicrosoft Defender for Office 365

Explanation

{"question_number": 8, "correct_answer": "A", "explanation": "Microsoft Defender for Identity (MDI) is the correct choice because it monitors Active Directory Domain Services (AD DS) directly, can automatically classify specific groups as 'sensitive' (including groups like Organization Management that have privileged Exchange access), and raises alerts when membership or attributes of those groups change. MDI integrates natively with Microsoft Sentinel, forwarding these alerts with minimal configuration-meeting the 'minimize administrative effort' requirement. Entra ID Protection (B) focuses on user sign-in risk, not group membership changes. Entra PIM (C) manages privileged role activation in Entra ID, not AD DS group membership events. Defender for Office 365 (D) focuses on email and collaboration threats, not AD DS group monitoring. Only MDI has the capability to mark an AD DS group as sensitive and alert on changes to it.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.