You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/1-introduction-hybrid-multi-cloud-posture-management.yml
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -4,10 +4,10 @@ title: Introduction
4
4
metadata:
5
5
title: Introduction
6
6
description: "SC-100 preparatory unit on the topic: introduction to hybrid and multicloud posture management."
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/10-knowledge-check.yml
+43-43Lines changed: 43 additions & 43 deletions
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ title: Module assessment
4
4
metadata:
5
5
title: Module assessment
6
6
description: "Knowledge check for the module on the topic: design solutions for security posture management in hybrid and multicloud environments."
7
-
ms.date: 02/05/2026
7
+
ms.date: 03/12/2026
8
8
author: ceperezb
9
9
ms.author: ceperezb
10
10
ms.topic: unit
@@ -27,62 +27,62 @@ durationInMinutes: 5
27
27
content: |
28
28
quiz:
29
29
questions:
30
-
- content: "What is the purpose of Cloud Security Posture Management (CSPM)?"
30
+
- content: "An organization operates workloads across Azure, AWS, and GCP. Which capability requires Defender CSPM rather than Foundational CSPM?"
31
31
choices:
32
-
- content: "To provide a comprehensive vulnerability assessment of all resources in the cloud environment."
32
+
- content: "Continuous assessment of resources against the Microsoft cloud security benchmark (MCSB)."
33
33
isCorrect: false
34
-
explanation: "CSPM provides more than just a vulnerability assessment, it offers continuous compliance monitoring and security configuration management."
35
-
- content: "To facilitate secure communication between hybrid and multicloud environments."
34
+
explanation: "Foundational CSPM includes continuous assessment against MCSB at no cost across Azure, AWS, and GCP."
35
+
- content: "Generating a secure score that quantifies overall security posture."
36
36
isCorrect: false
37
-
explanation: "This statement is referring to another concept called hybrid and multicloud connectivity."
38
-
- content: "To enable users to prevent and respond to threats, automate compliance requirements, and assess the security posture of their cloud environment."
37
+
explanation: "Secure score is available in both Foundational and Defender CSPM tiers."
38
+
- content: "Identifying exploitable attack paths across multicloud environments using the cloud security graph."
39
39
isCorrect: true
40
-
explanation: "CSPM helps users ensure their cloud environment is secure by assessing, identifying, preventing and responding to threats or vulnerabilities that could compromise it. Additionally, it automates compliance tasks and monitors security configuration across all cloud resources or services."
41
-
- content: "To provide endpoint protection against advanced attacks."
40
+
explanation: "Attack path analysis uses the cloud security graph to correlate assets, identities, and permissions across Azure, AWS, and GCP. This capability is only available with Defender CSPM."
41
+
- content: "Generating security recommendations with remediation guidance for noncompliant resources."
42
42
isCorrect: false
43
-
explanation: "Endpoint protection refers to a different approach to security which involves securing individual endpoints like devices or servers."
44
-
45
-
- content: "What is Cloud Workload Protection in Microsoft Defender for Cloud?"
43
+
explanation: "Security recommendations are available in Foundational CSPM. Defender CSPM adds advanced capabilities like attack path analysis, cloud security explorer, and agentless scanning."
44
+
45
+
- content: "A security architect is designing workload protection for an environment that includes Azure VMs and AWS EC2 instances. What is required to enable Defender for Servers on the AWS instances?"
46
46
choices:
47
-
- content: "A feature that provides external attack surface management."
47
+
- content: "Install the Azure Monitor Agent directly on each EC2 instance using AWS Systems Manager."
48
48
isCorrect: false
49
-
explanation: "Workload protection is focused on providing security measures to specific workloads or applications running in the cloud, and doesn't pertain to external attack surface management."
50
-
- content: "A feature that automates vulnerability assessments and compliance checks."
51
-
isCorrect: false
52
-
explanation: "This statement is describing CSPM functionality, not workload protection."
53
-
- content: "A feature that surfaces workload-specific recommendations that lead you to the right security controls to protect your workloads."
49
+
explanation: "While agents can be deployed, the prerequisite for Defender for Cloud protection on non-Azure resources is Azure Arc, which projects the resources into Azure Resource Manager."
50
+
- content: "Connect the AWS account through Defender for Cloud and onboard EC2 instances through Azure Arc."
54
51
isCorrect: true
55
-
explanation: "Workload protection is designed specifically for addressing threats targeting cloud workloads such as applications or containers."
56
-
- content: "A feature that provides security controls for DevOps teams and their CI/CD pipelines."
52
+
explanation: "Azure Arc is a prerequisite for Defender for Cloud protection on non-Azure resources. AWS connectors can autoprovision Azure Arc agents on EC2 instances, enabling Defender for Servers protection."
53
+
- content: "Deploy a Defender for Cloud sensor directly into the AWS VPC where the instances run."
57
54
isCorrect: false
58
-
explanation: "This statement is referring to another feature called Azure Defender for Kubernetes which provides native security controls for CI/CD pipelines."
59
-
60
-
- content: "What is Azure Arc used for?"
61
-
choices:
62
-
- content: "To automatically scale compute resources in cloud environments."
55
+
explanation: "Defender for Cloud doesn't deploy sensors into AWS VPCs. It uses cloud connectors and Azure Arc to extend protection to AWS resources."
56
+
- content: "Enable AWS Security Hub and configure it to forward findings to Defender for Cloud."
63
57
isCorrect: false
64
-
explanation: "This statement describes auto scaling which is related but distinct from Azure Arc."
65
-
- content: "To monitor network traffic and detect anomalies in cloud environments."
58
+
explanation: "AWS Security Hub isn't used to enable workload protection. Defender for Cloud uses its own connectors and Azure Arc to provide runtime threat detection on non-Azure machines."
59
+
60
+
- content: "Which statement accurately describes how the Microsoft cloud security benchmark (MCSB) supports multicloud security assessment?"
61
+
choices:
62
+
- content: "MCSB evaluates all cloud providers using Azure-specific configuration checks translated to equivalent settings."
66
63
isCorrect: false
67
-
explanation: "This statement describes a network monitoring tool, rather than Azure Arc which is more focused on enabling hybrid cloud management."
68
-
- content: "To extend Azure management capabilities and tools to manage resources running outside of Azure datacenters."
64
+
explanation: "MCSB doesn't translate Azure checks to other clouds. It provides platform-specific implementation guidance tailored to each cloud provider's native services."
65
+
- content: "MCSB provides platform-specific implementation guidance for each control across Azure, AWS, and GCP, reported under unified control domains."
69
66
isCorrect: true
70
-
explanation: "Azure Arc enables enterprises to manage their infrastructure centrally from Azure portal, including servers, Kubernetes clusters, and applications running in distributed environments."
71
-
- content: "To perform virtual machine backups and disaster recovery for cloud environments."
67
+
explanation: "MCSB includes platform-specific guidance for each control. For example, the Network Security control evaluates Azure NSGs, AWS Security Groups, and GCP firewall rules using platform-appropriate criteria but reports findings under the same MCSB control."
68
+
- content: "MCSB requires each cloud provider to implement identical security configurations for consistent assessment."
72
69
isCorrect: false
73
-
explanation: "This statement generally refers to another feature within Azure called Azure Site Recovery which focuses on ensuring business continuity and disaster recovery."
74
-
75
-
- content: "What is external attack surface management?"
76
-
choices:
77
-
- content: "A feature that secures data stored on public cloud services."
70
+
explanation: "Each cloud has different services and configuration models. MCSB adapts its guidance per platform while maintaining consistent control objectives."
71
+
- content: "MCSB applies only to Azure resources, and separate benchmarks are used for AWS and GCP assessments."
78
72
isCorrect: false
79
-
explanation: "This statement references data security, while external attack surface management is more about the visibility and governance of all external assets and resources exposed to potential attackers."
80
-
- content: "A feature that provides endpoint threat detection and response for cloud-connected devices."
73
+
explanation: "MCSB is a multicloud benchmark that includes implementation guidance for Azure, AWS, and GCP within a single framework."
74
+
75
+
- content: "A security team wants to discover internet-facing assets that might be unknown to the organization, including infrastructure from a recent acquisition. Which tool addresses this requirement?"
76
+
choices:
77
+
- content: "Microsoft Security Exposure Management, which maps attack paths across the digital estate."
81
78
isCorrect: false
82
-
explanation: "This statement is describing a feature called Microsoft Defender for Endpoint which focuses more specifically on protecting endpoints linked to cloud resources or services."
83
-
- content: "An umbrella term used to describe tactics used by hackers to gain access to an organization's assets through external-facing entry points such as web applications, APIs, and remote offices."
79
+
explanation: "Security Exposure Management analyzes attack paths and security posture for known assets. It doesn't perform external discovery of unknown internet-facing infrastructure."
80
+
- content: "Microsoft Defender for Cloud with Defender CSPM, which provides agentless scanning across cloud environments."
84
81
isCorrect: false
85
-
explanation: "This is a definition of the external attack surface itself, while external attack surface management refers to the proactive identification and governance of potential risks to those entry points."
86
-
- content: "A feature that correlates information from various sources to provide a single view of the organization's security posture related to external attack surfaces."
82
+
explanation: "Defender for Cloud assesses resources within connected cloud subscriptions and accounts. It doesn't discover unknown external-facing assets outside those environments."
83
+
- content: "Microsoft Defender External Attack Surface Management (Defender EASM), which recursively discovers internet-facing assets from seed infrastructure."
87
84
isCorrect: true
88
-
explanation: "External attack surface management allows organizations to have a unified view of their external assets so they can detect risks at the earliest possible time. The feature correlates information from various sources, including intelligence feeds, third-party tools, and internal organizational information to provide a complete view on external attack surface risk levels."
85
+
explanation: "Defender EASM starts with known seeds (domains, IP blocks) and recursively maps connections to discover assets the organization might not know it owns, including infrastructure from acquisitions."
86
+
- content: "Azure Arc, which projects external resources into Azure Resource Manager for security assessment."
87
+
isCorrect: false
88
+
explanation: "Azure Arc requires intentional onboarding of known resources. It doesn't discover unknown internet-facing assets."
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/11-summary.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ title: Summary
4
4
metadata:
5
5
title: Summary
6
6
description: "Summary of the module on the topic: design solutions for security posture management in hybrid and multicloud environments."
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/3-design-integrated-posture-management-workload-protection.yml
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -4,10 +4,10 @@ title: Design integrated posture management solutions that include Microsoft Def
4
4
metadata:
5
5
title: Design integrated posture management solutions that include Microsoft Defender for Cloud in hybrid and multicloud environments
6
6
description: "SC-100 preparatory unit on the topic: design integrated posture management solutions that include Microsoft Defender for Cloud in hybrid and multicloud environments."
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/6-design-cloud-workload-protection-microsoft-defender-cloud.yml
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/7-integrate-hybrid-multi-cloud-environments-azure-arc.yml
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -4,10 +4,10 @@ title: Design a solution for integrating hybrid and multicloud environments by u
4
4
metadata:
5
5
title: Design a solution for integrating hybrid and multicloud environments by using Azure Arc
6
6
description: "SC-100 preparatory unit on the topic: Design a solution for integrating hybrid and multicloud environments by using Azure Arc."
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/design-solutions-security-posture-management-hybrid-multicloud-environments/9-posture-management-using-exposure-management-attack-paths.yml
title: Posture management using Exposure management attack paths
3
+
title: Specify requirements and priorities for a posture management process that uses Microsoft Security Exposure Management attack paths
4
4
metadata:
5
-
title: Posture management using Exposure management attack paths
6
-
description: "SC-100 preparatory unit on the topic: Posture management using Exposure management attack paths."
7
-
ms.date: 02/05/2026
5
+
title: Specify requirements and priorities for a posture management process that uses Microsoft Security Exposure Management attack paths
6
+
description: "SC-100: Specify requirements and priorities for a posture management process that uses Microsoft Security Exposure Management attack paths."
0 commit comments