Evaluating Security Architecture Decisions
Practise the architect's core skill: evaluating trade-offs, justifying design choices, and connecting frameworks to real security decisions. This capstone module ties together Zero Trust, CAF, WAF, MCRA, and MCSB.
The architect’s real job: making trade-offs
An architect doesn’t pick the “best” option. They pick the “best option for this situation.”
Think of choosing a car. A sports car is fast but impractical for a family. A minivan carries everyone but isn’t exciting. Neither is objectively “better” — the right choice depends on who’s driving and what they need.
A cybersecurity architect faces the same kind of choices — maximum security might cost too much, slow users down, or add complexity that nobody can maintain.
The SC-100 exam tests this judgment. It gives you scenarios where multiple options could work, and you must choose the one that best balances security, cost, usability, compliance, and operational complexity for that specific organisation.
This module teaches you how to think through those trade-offs systematically — not by guessing, but by applying the frameworks you’ve learned in Domain 1.
The architecture decision framework
When evaluating any security design, work through these five steps:
| Step | Question | Framework |
|---|---|---|
| 1. Requirements | What must this solution achieve? (business, regulatory, technical) | Business context, compliance mandates |
| 2. Zero Trust alignment | Does the design verify explicitly, enforce least privilege, and assume breach? | Zero Trust principles |
| 3. Framework validation | Does the design align with CAF (journey), WAF (workload), MCRA (capabilities), MCSB (controls)? | CAF, WAF, MCRA, MCSB |
| 4. Trade-off analysis | What are we gaining vs what are we giving up? | Cost, complexity, usability, coverage |
| 5. Justification | Can you explain the recommendation to a non-technical stakeholder? | Business language, risk framing |
Exam tip: The five-step framework in action
When facing an exam question with a long scenario and four options, mentally run through the five steps:
- Requirements: What does the scenario say the organisation needs? (Look for compliance mentions, budget constraints, team size, industry)
- Zero Trust: Which options violate verify explicitly, least privilege, or assume breach?
- Frameworks: Which option aligns with CAF/WAF/MCSB best practices?
- Trade-offs: Which option best balances the stated constraints?
- Justification: Can you explain why this is the right choice in one sentence?
If an option violates a Zero Trust principle, eliminate it. If two options both align with Zero Trust, the one that matches the organisation’s specific constraints wins.
Common trade-offs on the exam
| Trade-off | Option A | Option B | Architect's Consideration |
|---|---|---|---|
| Security vs Usability | Block all personal devices | Allow BYOD with app protection policies | Blocking improves security but reduces flexibility. App protection policies balance both — data is protected even on unmanaged devices. |
| Cost vs Coverage | Defender for Cloud on all subscriptions | Defender only on production subscriptions | Full coverage is ideal but expensive. Risk-based approach: protect production first, monitor dev/test with basic tier. |
| Native vs Third-party | Microsoft Sentinel as SIEM | Existing Splunk deployment | Native integrates better with Microsoft stack. But migration cost and team expertise matter — don't discard working tools without business justification. |
| Centralised vs Distributed | One Sentinel workspace for all regions | Regional workspaces with cross-workspace queries | Centralised simplifies management. Distributed addresses data residency requirements. Choose based on compliance needs. |
| Strictness vs Adoption | Block legacy auth immediately | Grace period with monitoring, then block | Immediate block is more secure. Grace period reduces user disruption and support ticket volume. Phase it. |
Decision scenarios
Scenario 1: Network security approach
☁️ Rajan's client network decision
Rajan Krishnamurthy’s client is designing network security for their Azure environment. Three options are proposed:
Option A: Traditional hub-spoke with Azure Firewall inspecting all traffic
- ✅ Centralised inspection, familiar model, strong east-west controls
- ❌ Bottleneck at the hub, latency for SaaS traffic, doesn’t address remote users
Option B: Zero Trust network with microsegmentation (NSGs + ASGs) and Entra Private Access for internal apps
- ✅ No single bottleneck, aligns with Zero Trust, handles remote users natively
- ❌ More complex to manage, requires identity-aware networking knowledge
Option C: Network Virtual Appliance (NVA) from third-party vendor
- ✅ Feature-rich, familiar to team with existing vendor relationship
- ❌ Third-party dependency, licensing costs, complex integration with Azure-native services
Rajan’s recommendation: Option B for new workloads, with Option A’s hub-spoke maintained for legacy workloads during transition.
Decision framework walkthrough:
- Requirements: Client has remote workforce + cloud-native apps + legacy on-prem
- Zero Trust: Option B verifies per-app (not per-network), least privilege by design
- Frameworks: CAF says “use native first.” MCSB NS controls support microsegmentation
- Trade-offs: Option B is more complex but future-proof. Option A bridges legacy
- Justification: “We modernise new workloads with Zero Trust networking while keeping legacy workloads stable. Over 18 months, legacy migrates to the new model.”
Deepak Malhotra, the client’s cost-conscious CTO, appreciates the phased approach: “I don’t have to rip and replace — I can budget the transition over two fiscal years.”
Scenario 2: Identity governance design
💰 Ingrid's privileged access decision
Ingrid must design privileged access for Nordic Capital Partners. The organisation has 200 admin roles across Azure, M365, and on-premises AD. Three options:
Option A: Standing admin access with enhanced monitoring
- ✅ Simple, no workflow overhead, admins always ready
- ❌ Violates least privilege, high blast radius if compromised
Option B: PIM for all roles with 4-hour activation windows
- ✅ Just-in-time access, Zero Trust aligned, audit trail of every activation
- ❌ Requires workflow discipline, potential delays for urgent issues
Option C: PIM for critical roles only, standing access for routine admin tasks
- ✅ Balanced — protects crown jewels without over-burdening daily operations
- ❌ Risk of “scope creep” as teams argue their role isn’t critical
Ingrid’s recommendation: Option B, with emergency access accounts (break-glass) stored securely for true emergencies.
Decision framework walkthrough:
- Requirements: Financial services, regulatory obligations, 200 admin roles
- Zero Trust: Option A violates least privilege. Options B and C both use PIM
- Frameworks: MCSB PA-1 recommends protecting all privileged accounts. CAF governance says enforce least privilege at scale
- Trade-offs: Option C seems pragmatic, but “routine admin” scope creep is a known pattern. Option B with break-glass covers emergencies
- Justification: “For a regulated financial institution, every admin action is auditable. PIM for all roles with break-glass for emergencies gives us least privilege AND operational readiness.”
Harald Eriksen, the compliance officer, adds: “The audit trail from PIM alone justifies this — our regulators specifically ask for privileged access records.”
Scenario 3: SIEM architecture
🏛️ Commander Torres's Sentinel design
Commander Torres is deploying Microsoft Sentinel for the Department of Federal Systems. The agency operates across 5 regions with strict data residency requirements. Three workspace designs:
Option A: Single centralised Sentinel workspace
- ✅ Unified view, simplified management, single set of analytics rules
- ❌ All data in one region — violates data residency for 3 regions
Option B: 5 regional Sentinel workspaces with no cross-workspace queries
- ✅ Data residency satisfied, regional autonomy
- ❌ No unified threat visibility, duplicate analytics rules, blind spots across regions
Option C: 5 regional workspaces with Azure Lighthouse cross-workspace queries and centralised incident management
- ✅ Data stays regional (residency satisfied), centralised threat hunting and incident response, unified dashboards
- ❌ More complex setup, requires cross-workspace query expertise
Torres’s recommendation: Option C — regional workspaces with centralised orchestration.
Decision framework walkthrough:
- Requirements: Data sovereignty is a non-negotiable compliance requirement
- Zero Trust: Assume breach requires unified detection across all regions — blind spots are unacceptable
- Frameworks: MCRA prescribes unified SecOps visibility. MCSB LT controls require centralised logging
- Trade-offs: Complexity is higher, but compliance AND visibility are both met
- Justification: “Data stays where the law requires it. The SOC sees everything through cross-workspace queries. We satisfy compliance and security simultaneously.”
Colonel Reeves approves: “I can tell Congress our data stays in-region AND our SOC has full visibility. That’s both boxes checked.”
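As an added example (not part of the course module), this is the kind of cross-workspace KQL query Option C relies on: each region's SecurityAlert table stays in its own workspace, and the central SOC unions them with the workspace() function. The workspace names and region labels are placeholders; the identity running the query needs read access to every workspace, granted through RBAC or an Azure Lighthouse delegation.

```kusto
// Added example (not from the course): one SOC view over five regional Sentinel
// workspaces. Data never leaves its region; only the query results are combined.
// Workspace names ("sentinel-regionN") and Region labels are constructed placeholders.
let lookback = 24h;
let regionalAlerts = union isfuzzy=true
    // isfuzzy=true lets the query still run if one region's workspace is unreachable,
    // so one regional outage does not blind the SOC to the other four
    (workspace("sentinel-region1").SecurityAlert | extend Region = "region1"),
    (workspace("sentinel-region2").SecurityAlert | extend Region = "region2"),
    (workspace("sentinel-region3").SecurityAlert | extend Region = "region3"),
    (workspace("sentinel-region4").SecurityAlert | extend Region = "region4"),
    (workspace("sentinel-region5").SecurityAlert | extend Region = "region5");
regionalAlerts
| where TimeGenerated > ago(lookback)
| where AlertSeverity in ("High", "Medium")
// Keep only the latest record per alert; Sentinel writes a new row on each alert update
| summarize arg_max(TimeGenerated, *) by SystemAlertId, Region
// Roll up per region so the SOC sees where the pressure is without moving raw data
| summarize
    Alerts = count(),
    AffectedEntities = dcount(CompromisedEntity),
    Tactics = make_set(Tactics, 10)
    by Region, ProviderName, AlertName, AlertSeverity
| order by Alerts desc
```

The same union pattern over each region's Heartbeat or Usage table, summarising the latest TimeGenerated per Region, is a cheap check that no regional workspace has silently stopped reporting.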
How to spot the “best” answer on the exam
The exam’s “best design” questions follow patterns:
| Pattern | What to Look For |
|---|---|
| Least privilege wins | When two options both work, the one with narrower access is correct |
| Native over third-party | Microsoft-native solutions are preferred unless there’s a specific reason not to |
| Frameworks validate | The answer that aligns with CAF/WAF/MCSB is preferred over ad-hoc designs |
| Business context matters | Read the scenario carefully — budget, regulation, and team maturity change the answer |
| Phase-appropriate | Don’t recommend “Optimal” maturity when the org is at “Traditional” — recommend the next step |
| Assume breach | Between prevention-only and prevention + detection, choose prevention + detection |
| Both/and over either/or | If an answer combines two good approaches (e.g., “PIM + break-glass”), it often wins over a single approach |
Exam tip: Eliminate before choosing
On multi-option questions, eliminate options that violate a hard constraint first:
- Does it violate a Zero Trust principle? → Eliminate
- Does it violate a stated compliance requirement? → Eliminate
- Does it ignore a framework the question references? → Eliminate
You usually end up with two viable options. Then apply trade-off analysis using the scenario’s specific business context to choose the winner.
Key takeaways
Knowledge check
A cybersecurity architect is designing identity governance for a healthcare organisation. The CISO wants PIM for all admin roles, but the IT operations team argues this will slow down urgent patient care system access. What should the architect recommend?
Commander Torres must choose between a single centralised Sentinel workspace and regional workspaces with cross-workspace queries. The agency has data residency requirements in 3 regions. Which is the correct recommendation, and which framework supports it?
When evaluating two security designs on the SC-100 exam, which decision hierarchy should an architect apply?
Rajan's client has a tight budget and asks: 'Should we deploy Defender for Cloud on all 50 subscriptions or just the 10 production ones?' What should Rajan recommend as the architect?
Domain 1 complete! Next up: Domain 2 — Design Security Operations, Identity, and Compliance Capabilities — design the security operations centre that detects, responds to, and hunts threats across the enterprise.