Exam SC-500 Topic 1 Question 2 Discussion
Actual exam question for Microsoft's SC-500 exam
Question #: 2
Topic #: 1
Question #: 2
Topic #: 1
You have an Azure subscription named Sub1 that contains multiple virtual machines.
You have a Microsoft 365 E5 subscription that contains devices onboarded to Microsoft Defender for Endpoint.
You have an on-premises datacenter that contains multiple servers.
You plan to onboard all existing and future on-premises servers to Azure Arc.
You need to ensure that the Azure Arc-enabled servers are protected by using the same security features as the Microsoft 365 devices immediately after the servers are onboarded. The solution must minimize administrative effort.
What should you do?
You have a Microsoft 365 E5 subscription that contains devices onboarded to Microsoft Defender for Endpoint.
You have an on-premises datacenter that contains multiple servers.
You plan to onboard all existing and future on-premises servers to Azure Arc.
You need to ensure that the Azure Arc-enabled servers are protected by using the same security features as the Microsoft 365 devices immediately after the servers are onboarded. The solution must minimize administrative effort.
What should you do?
Suggested Answer: C Vote an answer
When on-premises servers are onboarded to Azure Arc, Microsoft Defender for Servers can extend Microsoft Defender for Endpoint integration and server protection policies to them centrally. Enabling the Defender for Servers plan in the subscription minimizes manual effort and applies protection as Arc resources come under Defender for Cloud. Local scripts or Group Policy deployments protect current servers only and are weaker for future automatic onboarding. For SC-500, compute controls are evaluated by workload type: VM, Arc server, AKS, container registry, container group, Functions, Logic Apps, App Service, and AI agent runtime.
The right answer uses the Microsoft control that is native to that workload. Broad Azure roles or unrelated monitoring services would either overgrant access or fail to enforce the required security state. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > onboard servers to Defender for Servers; Microsoft Learn > Defender for Servers and Azure Arc integration.
The right answer uses the Microsoft control that is native to that workload. Broad Azure roles or unrelated monitoring services would either overgrant access or fail to enforce the required security state. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > onboard servers to Defender for Servers; Microsoft Learn > Defender for Servers and Azure Arc integration.
by Aaron at Jun 25, 2026, 10:32 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).