Free Practice Questions for Microsoft SC-200 Exam

In Microsoft Defender for Identity (MDI), the goal described — “configure several accounts for attackers to exploit” — refers to creating honeytoken accounts . A honeytoken is a decoy user account deliberately configured to appear valuable (e.g., privileged or high-value) but is not used by legitimate users. Defender for Identity monitors these accounts, and if any authentication or access attempt is detected, it triggers an immediate alert because such activity indicates potential attacker reconnaissance or co mpromise.

According to Microsoft Defender for Identity documentation , to designate honeytoken accounts, you must explicitly add the accounts themselves under the Honeytoken accounts configuration in the MDI portal. The portal path is:

Defender for Identity Portal → Configuration → Honeytoken accounts → Add accounts .

Adding accounts to a Sensitive group does not make them honeytokens. Sensitive groups (like Domain Admins or Enterprise Admins) are used by Defender for Identity to track privileged account activities and detect lateral movement, but they are not monitored as honeypots.

Therefore, while adding accounts to a Sensitive group increases monitoring visibility for privilege abuse, it does not fulfill the goal of configuring specific accounts as dec oy targets for attackers.

Hence, the correct and verified answer is B. No — the described solution does not meet the goal.

In Microsoft Defender for Identity, Honeytoken accounts are special decoy accounts designed to attract attackers. These accounts have no legitimate business use and are monitored closely—any authentication attempt or reconnaissance activity involving them triggers an alert.

Configuring such accounts is done through the Entity tags section in the Defender for Identity portal. Microsoft documentation clearly states:

“Honeytoken accounts are decoy user accounts that Defender for Identity monitors for any authentication attempt. Configure them from the Entity tags settings.”

Thus, adding the accounts as Honeytoken accounts meets the goal perfectly — it allows monitoring and alerting when attackers attempt to exploit those accounts.

In Microsoft Defender for Endpoint, Live Response provides an interactive remote shell for in vestigating a device directly from the Microsoft Defender portal. It allows security analysts to run commands, collect data, inspect processes, and perform incident response tasks without manually logging into the endpoint.

For this scenario, you must:

Ide ntify all active network connections.

Identify all running processes.

Retrieve login history.

All of these can be achieved efficiently through a Live Response session . Once connected, you can use built-in commands such as:

netstat to view active network co nnections,

ps to list running processes,

cat or less to review log files containing login history.

According to Microsoft Defender for Endpoint documentation, “Live response enables analysts to perform in-depth investigation on a device remotely to collect forensic data, run scripts, and remediate threats.” It is the least administrative-intensive way to gather this information compared to collecting an investigation package, which is more time-consuming and primarily for offline forensic analysis.

Option A (disable authenticated telemetry) is unrelated to investigation tasks.

Option B (enable unsigned script execution) is only needed for running custom scripts, not built-in commands.

Option C (collect investigation package) gathers data for offline review a nd does not allow interactive analysis.

Option D (initiate live response) gives immediate, interactive insight into processes, connections, and logs — satisfying all requirements with minimal effort.

✅ Therefore, the correct first step is to initiate a live response session on Device1.

To combine Microsoft Graph activity logs with Microsoft Entra ID Protection risky users , while minimizing data volume, you use the lookup kind=leftouter operator.

Microsoft documentation explains:

“Use lookup (instead of join) when you need to enrich a large dataset with a small lookup table to minimize data returned.”

MicrosoftGraphActivityLogs provides user activity records.

AADRiskyUsers lists users detected as risky by Entra ID Protection.

A leftouter lookup ensures all Microsoft Graph activity entri es are kept, while only matching risky user info is appended — reducing output volume compared to a full join .

✅ Correct Answer: A. MicrosoftGraphActivityLogs lookup kind=leftouter AADRiskyUsers on $left.UserId == $right.Id

According to Microsoft Sentinel documentation, automation rules are used to automatically assign, tag, or close incidents as soon as they are created. Automation rules can filter incidents based on attributes such as alert name, severity, or source , and then perform specific actions like assigning incidents to users or groups .

In this scenario, incidents are generated by Rule1 from two different AD DS domains — contoso.com and fabrikam.com — and each must be routed to a specific security group for triage. The most efficient approach is to create two automation rules , each filtering incidents by domain (one for contoso.com and on e for fabrikam.com) and automatically assigning them to Group1 and Group2 respectively. This approach minimizes administrative overhead because automation rules are easy to maintain and don’t require the complexity of a playbook.

A playbook (Logic App) cou ld technically achieve the same outcome, but it introduces more administrative management, permissions, and maintenance. Hence, per Microsoft Sentinel best practices, multiple automation rules provide a lightweight and direct automation layer for incident assignment.

✅ Correct Answer: C. two automation rules assigned to Rule1

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatc hlist( ' < watchlist-name > ' ) , which returns a table with standard columns (including SearchKey ) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist( ' breakglass_account ' )) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requireme nt to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimi zing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist , and join UserPrincipalName to the watchlist’s SearchKey .