Infrastructure Security Decisions
Apply Domain 3 concepts to realistic architecture decision scenarios combining posture management, endpoint security, network architecture, and SSE.
Why Decision Modules Matter
The SC-100 exam doesn’t ask: “What is a private endpoint?” It asks: “Given these constraints, what should the architect recommend?” The difference is enormous. Knowledge of individual technologies is necessary but not sufficient. You need to combine that knowledge, weigh trade-offs, and justify decisions.
This module presents three decision scenarios. Each one draws from multiple modules in Domain 3. Work through them as if you’re the architect making the recommendation.
Decision Scenario 1: Unified Multicloud Posture
The Situation
🌐 Elena at Meridian Global Industries faces a board directive: “Provide a single security dashboard showing our posture across all environments.” Meridian’s infrastructure:
- Azure: 23 subscriptions, 400+ VMs, PaaS services (SQL, Storage, Key Vault)
- AWS: 40 accounts (from the European acquisition), 200 EC2 instances, S3, RDS
- On-premises: 150 servers across 12 manufacturing plants, connected via ExpressRoute
- OT networks: 12 plants with industrial control systems (covered by IT/OT DMZ)
The CFO wants cost efficiency. The CTO wants technical accuracy. Marcus Chen wants a number he can report to the board.
The Trade-offs
Option A: Microsoft Defender for Cloud as the single pane
- Deploy AWS connector for CSPM across all 40 accounts
- Deploy Arc agents on critical on-premises servers
- Enable Defender CSPM on production subscriptions
- Use Secure Score as the board-level metric
Strengths: Single console, consistent benchmarking (MCSB mapped across clouds), attack path analysis spanning environments, integrates with existing Sentinel deployment.
Weaknesses: AWS recommendations are mapped from MCSB, not native AWS benchmarks — some AWS-specific best practices may be missed. Arc agents require maintenance on on-premises servers. Cost of Defender CSPM per subscription plus Defender plans per workload.
Option B: Cloud-native tools per environment, aggregated in Sentinel
- Azure: Defender for Cloud
- AWS: AWS Security Hub + GuardDuty
- On-premises: Arc-enabled servers with Azure Policy
- Aggregation: All alerts and posture data flow to Microsoft Sentinel
Strengths: Each cloud assessed against its own native benchmarks. No concern about MCSB mapping gaps. Teams familiar with their cloud’s native tools.
Weaknesses: Three different recommendation systems with different scoring. No unified Secure Score — the board metric requires manual aggregation. No cross-cloud attack path analysis. Higher operational complexity managing three tool sets.
Option C: Third-party CSPM tool (Wiz, Prisma Cloud, etc.)
- Single agent-based or agentless tool across all clouds
- Vendor-neutral assessment
Strengths: Designed for multicloud from the ground up. Vendor-neutral. Some have strong attack path analysis.
Weaknesses: Doesn’t integrate natively with Conditional Access, Sentinel playbooks, or Defender for Endpoint signals. Additional vendor cost and relationship. Security data leaves the Microsoft ecosystem (potential data governance concern).
Elena’s Decision
Elena recommends Option A with targeted Option B supplements:
“Defender for Cloud is our primary posture management platform. We use the AWS connector for 90% of our AWS posture assessment. For the 10% where AWS-native benchmarks differ from MCSB mapping, we run AWS Security Hub in audit-only mode — it feeds into Sentinel but doesn’t create a second remediation workflow.”
“On-premises servers get Arc agents where technically feasible. For the 30 servers in plants where we can’t install agents (air-gapped OT-adjacent systems), we use Defender for IoT for network-level monitoring and manual compliance reporting.”
“The board gets one number: Defender for Cloud’s Secure Score across Azure and AWS, with a separate OT posture metric from Defender for IoT. Two numbers, not three or twelve.”
This is the architect’s mindset: use one primary platform, supplement where gaps exist, avoid parallel systems that create operational complexity.
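The "one number" in Elena's decision is a Secure-Score-style roll-up. The following Python is an added illustration, not code from the course or from Microsoft: it models how such a score is computed from per-control assessments reported by several environments (Azure natively, AWS via the connector), pools resources for the same MCSB-mapped control across clouds, and keeps OT as a separate metric. The control names, resource counts and the rule that a control with no assessed resources is "not applicable" are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlAssessment:
    """One control's result for one environment, as a connector would report it."""
    control: str       # MCSB control name; the same name is used across clouds
    environment: str   # "azure", "aws" (via the AWS connector) or "ot"
    max_score: float   # points the control is worth when fully healthy
    healthy: int       # resources passing the control
    total: int         # resources assessed for the control


# Constructed sample data (hypothetical counts, not Meridian's real estate).
SAMPLE = [
    ControlAssessment("Enable MFA", "azure", 10, 18, 24),
    ControlAssessment("Enable MFA", "aws", 10, 30, 40),
    ControlAssessment("Secure management ports", "azure", 8, 300, 400),
    ControlAssessment("Secure management ports", "aws", 8, 150, 200),
    ControlAssessment("Encrypt data at rest", "azure", 2, 4, 4),
    ControlAssessment("Encrypt data at rest", "aws", 2, 0, 0),   # nothing assessed in AWS
    ControlAssessment("Segment OT network", "ot", 10, 9, 12),
]


def control_points(items):
    """Secure-Score-style points for one control: max_score x healthy/total,
    with the resource counts pooled across environments. A control with no
    assessed resources is treated as not applicable and returns None, so it
    drops out of both numerator and denominator (assumption about scoring)."""
    if len({i.max_score for i in items}) != 1:
        raise ValueError(f"inconsistent max_score for {items[0].control}")
    healthy = sum(i.healthy for i in items)
    total = sum(i.total for i in items)
    if total == 0:
        return None
    return items[0].max_score * healthy / total


def _group(assessments, environments):
    """Group assessments by control, keeping only the requested environments."""
    by_control = defaultdict(list)
    for a in assessments:
        if a.environment in environments:
            by_control[a.control].append(a)
    return by_control


def posture_score(assessments, environments):
    """Roll the controls assessed in `environments` up into
    (current points, maximum points, percentage)."""
    current = maximum = 0.0
    for items in _group(assessments, environments).values():
        pts = control_points(items)
        if pts is None:
            continue
        current += pts
        maximum += items[0].max_score
    pct = 100.0 * current / maximum if maximum else 0.0
    return current, maximum, pct


def top_gaps(assessments, environments, n=3):
    """Controls ordered by points lost: the remediation list behind the number."""
    gaps = []
    for control, items in _group(assessments, environments).items():
        pts = control_points(items)
        if pts is not None:
            gaps.append((control, items[0].max_score - pts))
    return sorted(gaps, key=lambda g: g[1], reverse=True)[:n]


def board_report(assessments=SAMPLE):
    """Two numbers for the board: one cloud score spanning Azure and AWS,
    one OT score kept separate, as in Elena's decision."""
    return {
        "cloud": posture_score(assessments, {"azure", "aws"}),
        "ot": posture_score(assessments, {"ot"}),
    }


if __name__ == "__main__":
    for scope, (cur, mx, pct) in board_report().items():
        print(f"{scope}: {cur:.1f}/{mx:.0f} points ({pct:.1f}%)")
    print("largest gaps:", top_gaps(SAMPLE, {"azure", "aws"}))
```

The point of `top_gaps` is that a board metric is only useful if it is backed by a remediation list; pooling the counts across clouds is what makes the MCSB mapping a feature (one control, one score) rather than just a compatibility layer. Where AWS-native checks diverge from the mapping, the audit-only Security Hub feed described above would be reported alongside, not folded into this number.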
Decision Scenario 2: Endpoint vs Network Investment
The Situation
☁️ Rajan is consulting for a mid-size law firm (800 employees) that has experienced three security incidents in the past year:
- Ransomware on a partner’s laptop spread to three file servers
- An attacker used stolen credentials to access the VPN and exfiltrate client documents
- A phishing email installed a keylogger on a paralegal’s workstation
The firm has a limited security budget and can’t do everything at once. Deepak Malhotra, the managing partner, asks: “Do we invest in better endpoint security or better network security? Which protects us more?”
The Analysis
Rajan analyses the three incidents through two lenses:
If we’d had better endpoint security:
- Incident 1: EDR would have detected the ransomware behaviour and stopped lateral spread. ✅ Prevented.
- Incident 2: Device compliance in Conditional Access would have blocked the VPN session from a non-compliant device (the attacker was using a personal machine with stolen credentials). ✅ Partially prevented — depends on whether the attacker’s device would fail compliance.
- Incident 3: ASR rules blocking keylogger techniques would have prevented installation. EDR would have detected it if ASR missed it. ✅ Prevented.
If we’d had better network security:
- Incident 1: Network segmentation would have contained the ransomware to the partner’s subnet, preventing spread to file servers. ✅ Partially prevented — damage on the initial subnet still occurs.
- Incident 2: Private Access (replacing VPN) with per-app access would have limited what the attacker could reach, but they still accessed the document management system. ⚠️ Reduced impact, not prevented.
- Incident 3: Network monitoring would have detected the exfiltration of keylogged data. ⚠️ Detected, not prevented.
The Recommendation
“Both matter, but your incidents tell a clear story,” Rajan presents. “Two of three incidents were endpoint-originated. The attacker got onto a device first. Better endpoint security prevents the initial compromise. Better network security contains the blast radius after compromise.”
Priority 1 (Months 1-3): Endpoint foundation.
- Deploy Defender for Endpoint Plan 2 on all 800 devices
- Enable ASR rules (audit → block) to prevent common attack techniques
- Integrate device risk into Conditional Access — non-compliant or high-risk devices lose access
- Deploy Intune for device management and compliance policies
Priority 2 (Months 3-6): Network containment.
- Replace VPN with Entra Private Access — per-app access eliminates broad network exposure
- Implement network segmentation between departments — partner subnet can’t reach all file servers
- Deploy private endpoints for the cloud-hosted document management system
Priority 3 (Months 6-9): Monitoring and response.
- Enable virtual network flow logs and Traffic Analytics
- Deploy Sentinel with automated incident response playbooks
- Implement Defender for Cloud for posture management of Azure resources
“The answer to ‘endpoint or network?’ is ‘endpoint first, network second, both always.’ Endpoints stop the initial compromise. Networks contain the blast radius. Together, they create defence in depth.”
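Priority 2 includes private endpoints for the document management system, and the most common way that step fails in practice is DNS: if the `privatelink` private DNS zone is not linked to the VNet, clients silently resolve the PaaS hostname to its public IP and the private endpoint is never used. The following Python is an added check, not code from the course: it resolves each hostname and verifies the answers fall inside the VNet's address space. The hostnames, the address space and the canned resolver answers are constructed for the example; `system_resolver` is what you would use from a VM inside the VNet.

```python
import ipaddress
import socket


def system_resolver(host):
    """Resolve with the OS resolver (i.e. the VNet's DNS when run from inside it)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})


def check_private_resolution(hosts, vnet_cidrs, resolve=system_resolver):
    """For each PaaS hostname, classify the DNS answer as
    'private'    - every address is inside one of vnet_cidrs (private endpoint NIC),
    'public'     - at least one address is outside them: the private DNS zone is
                   missing or not linked, so traffic would use the public endpoint,
    'unresolved' - no answer at all."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    results = {}
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results[host] = ("unresolved", str(exc))
            continue
        if not addrs:
            results[host] = ("unresolved", "empty answer")
            continue
        outside = [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]
        results[host] = ("private", addrs) if not outside else ("public", outside)
    return results


# Constructed answers standing in for the VNet resolver (hypothetical account
# names; 203.0.113.0/24 is a documentation range used here as "some public IP").
SAMPLE_ANSWERS = {
    "lawfirmdocs.blob.core.windows.net": ["10.20.1.4"],    # zone linked: private endpoint NIC
    "lawfirmsql.database.windows.net": ["203.0.113.10"],  # zone missing: public IP
    "lawfirmkv.vault.azure.net": ["10.20.1.5"],
}


def fake_resolver(host):
    """Offline stand-in for system_resolver, answering from SAMPLE_ANSWERS."""
    if host not in SAMPLE_ANSWERS:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_ANSWERS[host]


def run_sample():
    """Run the check against the constructed answers and a VNet of 10.20.0.0/16."""
    return check_private_resolution(
        list(SAMPLE_ANSWERS) + ["nosuch.privatelink.example"],
        ["10.20.0.0/16"],
        resolve=fake_resolver,
    )


if __name__ == "__main__":
    for host, (status, detail) in run_sample().items():
        print(f"{status:10} {host}  {detail}")
```

Run it from a VM in each spoke after deploying the endpoints; a `public` result is the "apps resolve to public IP" failure mode the decision table warns about, and the fix is linking the private DNS zone (or forwarding the zone from on-premises DNS), not opening the service firewall.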
| Decision Area | Choose This When... | Watch Out For... | Combine With... |
|---|---|---|---|
| Defender CSPM (paid) vs Foundational (free) | Production workloads, sensitive data, need attack path analysis and governance | Cost scales per subscription — dev/test may not justify paid tier | Azure Policy for prevention; Defender plans for runtime protection |
| Arc + Defender for Cloud vs cloud-native tools | Microsoft-centric multicloud, unified dashboard needed, Sentinel already deployed | MCSB mapping gaps for AWS/GCP-specific services | AWS Security Hub in audit-only for supplemental coverage |
| Endpoint EDR vs network segmentation (priority) | Most incidents are endpoint-originated (phishing, malware, credential theft) | Network security is still essential — never skip it, just sequence it | Both are needed — prioritise based on incident analysis |
| VPN vs Entra Private Access | Remote workforce, VPN capacity issues, lateral movement risk, Zero Trust initiative | Migration is phased (6-12 months), not a cutover — plan for parallel operation | Entra Internet Access for web filtering; Conditional Access for every decision |
| NSGs vs Azure Firewall | NSGs for microsegmentation (every subnet). Firewall for centralised inspection (hub VNet) | NSGs don't inspect L7 — don't rely on them for threat detection | Hub-spoke topology; UDRs to force traffic through Firewall |
| Private endpoints vs service firewalls | Regulatory requirement for no public exposure; sensitive PaaS data | Requires Private DNS Zones configured correctly or apps resolve to public IP | Azure Policy to deny PaaS creation without private endpoints |
| Defender for IoT vs standard endpoint tools | OT/ICS/SCADA environments; can't install agents; industrial protocols | IT security tools will crash OT devices — never deploy IT agents on OT systems | Purdue model network segmentation; compensating controls for unpatchable systems |
| DDoS Network Protection vs IP Protection | Multiple internet-facing apps in same VNet → Network Protection. Single public IP → IP Protection | DDoS Network Protection has fixed monthly cost — justify for workloads that need it | Azure Firewall + WAF for application-layer attack protection |
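The "NSGs vs Azure Firewall" row depends on UDRs actually forcing spoke traffic through the hub firewall, and a single more-specific leftover route can bypass it for one destination without anyone noticing. The following Python is an added check, not code from the course: it models Azure's route selection (longest prefix match; on a tie a user-defined route beats a system route) over a spoke subnet's route table and reports destinations whose next hop is not the firewall. The firewall IP, the VNet address space and the route entries are constructed; BGP/gateway-propagated and peering routes are deliberately left out of the model.

```python
import ipaddress

FIREWALL_IP = "10.0.1.4"  # constructed: Azure Firewall private IP in the hub


def system_routes(vnet_cidr):
    """The two system routes every subnet starts with (simplified: peering and
    gateway-propagated routes are not modelled)."""
    return [
        {"addressPrefix": vnet_cidr, "nextHopType": "VnetLocal", "nextHopIpAddress": None},
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet", "nextHopIpAddress": None},
    ]


# Constructed UDRs on a spoke subnet's route table. The second one is the kind of
# leftover (an old NVA address) that silently bypasses the firewall for one prefix.
SPOKE_UDRS = [
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"addressPrefix": "10.30.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.5"},
]


def effective_route(destination, udrs, vnet_cidr):
    """Pick the route Azure would use: longest prefix match, and on an equal
    prefix length a user-defined route (priority 1) beats a system route (0)."""
    dest = ipaddress.ip_address(destination)
    candidates = [(r, 0) for r in system_routes(vnet_cidr)] + [(r, 1) for r in udrs]
    best_key, best_route = None, None
    for route, priority in candidates:
        net = ipaddress.ip_network(route["addressPrefix"])
        if dest in net:
            key = (net.prefixlen, priority)
            if best_key is None or key > best_key:
                best_key, best_route = key, route
    return best_route


def audit_firewall_bypass(destinations, udrs, vnet_cidr, firewall_ip):
    """Return {destination: (prefix, nextHopType, nextHopIp)} for every
    destination whose traffic would not pass through the hub firewall.
    Intra-VNet traffic (VnetLocal) is skipped: that is NSG territory."""
    findings = {}
    for dest in destinations:
        route = effective_route(dest, udrs, vnet_cidr)
        if route["nextHopType"] == "VnetLocal":
            continue
        via_firewall = (route["nextHopType"] == "VirtualAppliance"
                        and route["nextHopIpAddress"] == firewall_ip)
        if not via_firewall:
            findings[dest] = (route["addressPrefix"], route["nextHopType"], route["nextHopIpAddress"])
    return findings


if __name__ == "__main__":
    checks = ["10.10.2.7", "10.30.4.20", "203.0.113.5"]  # same VNet, another spoke, internet
    print("with UDRs:", audit_firewall_bypass(checks, SPOKE_UDRS, "10.10.0.0/16", FIREWALL_IP))
    print("no UDRs:  ", audit_firewall_bypass(checks, [], "10.10.0.0/16", FIREWALL_IP))
```

Feed it the routes from your own route tables (the `az network nic show-effective-route-table` output is the authoritative source, since it includes the propagated routes this model omits) and a list of representative destinations per spoke. Any finding is a gap in the "centralised inspection" assumption the table relies on, and the same idea underpins Azure Policy checks that deny route tables without a 0.0.0.0/0 route to the firewall.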
Decision Scenario 3: Government VPN Modernisation
The Situation
🏛️ Torres must modernise remote access for the Department of Federal Systems. The current state:
- 10,000 employees across 50 office locations and field operations
- 35 internal applications (HR, finance, document management, field reporting, classified systems, logistics)
- 3 VPN concentrators in 2 data centres, at 85% peak capacity
- FedRAMP requirement: All solutions must meet FedRAMP High authorisation
- Classified systems: 5 applications handle classified data and must remain on isolated networks (no cloud connectivity)
- Budget cycle: Major capital expenditure possible this fiscal year, but ongoing costs must decrease
The Constraints
This scenario tests multiple infrastructure security concepts simultaneously:
Constraint 1: Not everything can move to SSE. The 5 classified applications require a separate access solution — Entra Private Access routes traffic through Microsoft’s cloud, which classified data cannot traverse. These remain on a separate, dedicated network with hardware-based access controls.
Constraint 2: FedRAMP compliance. Microsoft’s Global Secure Access services must have appropriate FedRAMP authorisation for the data classification levels involved. The architect must verify that Entra Private Access and Internet Access meet FedRAMP High for the 30 non-classified applications.
Constraint 3: Field operations. Some field employees work in areas with limited internet connectivity. The SSE architecture must account for degraded connectivity — access to critical field reporting tools must work even with intermittent connections.
Torres’ Architecture
For 30 non-classified applications (SSE migration):
Torres designs a phased migration following the pattern from the previous module, but with government-specific considerations:
- Month 1-3: Deploy Entra Internet Access. Implement web filtering aligned with government cybersecurity policy. Universal tenant restrictions ensure employees only access the department’s M365 tenant.
- Month 3-6: Pilot Entra Private Access with 5 low-sensitivity applications and 500 users across 10 office locations. Measure performance, connectivity, and user experience. Conditional Access policies require government-managed devices with MFA (PIV/CAC card) for all private application access.
- Month 6-12: Expand to all 30 applications and all non-field employees. Deploy connectors in both data centres with redundancy. Configure Quick Access profiles by department.
- Month 12-15: Migrate field employees. For limited-connectivity scenarios, implement offline-capable progressive web apps for the field reporting tool (application architecture change, not just security architecture). Accept that field employees may have intermittent access to cloud-dependent applications.
- Month 15-18: Decommission VPN concentrators for the 30 non-classified applications.
For 5 classified applications (separate architecture):
These remain on a dedicated classified network with:
- Hardware VPN with NSA-approved encryption for remote access
- Dedicated terminals in secure facilities
- Physical security controls (no mobile devices, no removable media)
- Air-gapped monitoring through on-premises Defender for IoT sensors
Budget impact: VPN concentrator decommission saves $200K/year in hardware maintenance and support contracts. SSE licensing costs approximately $120K/year. Net savings of $80K/year with improved security posture and user experience.
“We don’t force every use case into one solution,” Torres tells Colonel Reeves. “Classified systems stay isolated — that’s non-negotiable. For everything else, we move to an architecture where there’s no network-level access, every session is verified, and we can scale without buying more hardware.”
Synthesis: The Architect’s Framework
Across all three scenarios, a pattern emerges. The security architect’s decision framework:
- Start with the threat model. What are the most likely attack vectors? Where has the organisation been breached before? This determines priority.
- Layer defences. No single control is sufficient. Endpoints detect initial compromise. Networks contain lateral movement. CSPM prevents misconfigurations. SSE controls access. Each layer catches what the others miss.
- Design for operations. The best architecture is useless if the team can’t operate it. Prefer unified platforms over best-of-breed point solutions. One dashboard, one policy engine, one incident response workflow.
- Account for constraints. Budget, regulation, legacy systems, personnel skills. The theoretically optimal architecture matters less than the best architecture that actually gets implemented.
- Phase the implementation. No organisation deploys everything in Week 1. Sequence by risk (highest threats first), then by complexity (quick wins before transformational changes).
Exam Strategy: Architecture Decision Questions
SC-100’s most challenging questions present multi-constraint scenarios. Here’s how to approach them:
- Identify the primary objective. What does the question actually ask? “Unified visibility” is CSPM. “Prevent lateral movement” is segmentation/ZTNA. “Reduce attack surface” could be ASR, private endpoints, or network controls depending on context.
- Eliminate answers that only address one constraint. If the scenario mentions cost, compliance, AND security, an answer that only addresses security is incomplete.
- Look for “phased” or “tiered” answers. The best architecture answer usually acknowledges that implementation is staged, not instantaneous. If one option says “implement everything immediately” and another says “prioritise by risk and phase deployment,” the phased approach is usually correct.
- “Compensating controls” signals OT/legacy constraints. If you see “cannot be patched” or “cannot install agents,” the answer involves compensating controls — not forcing the system to comply.
- Watch for hybrid answers. The exam rarely has answers where one product does everything. Correct answers often combine multiple services: Defender for Cloud + Arc + Sentinel, or Private Access + Internet Access + Conditional Access.
- Justify, don’t just choose. Even if you can’t write a justification in the exam, think about why one answer is better. “Because it addresses the most constraints with the least complexity” is the architect’s decision criterion.
A company has 500 Azure VMs, 100 AWS EC2 instances, and 50 on-premises servers. They want unified security posture management with attack path analysis across all environments. The AWS team is concerned that mapping to Microsoft's benchmarks may miss AWS-specific best practices. Budget allows for one primary tool. What architecture balances coverage, accuracy, and operational simplicity?
A law firm experienced ransomware spreading from one partner's laptop to file servers. Their current security stack includes basic antivirus, a flat network (no segmentation), and VPN for remote access. With budget for one major initiative this quarter, what should the security architect prioritise?
A government agency is migrating from VPN to Entra Private Access. Five of their 35 applications process classified information that cannot traverse commercial cloud infrastructure. Field employees in remote locations sometimes have intermittent internet connectivity. What architecture addresses all constraints?
An organisation's security team is debating between deploying Azure Firewall Premium in a hub-spoke topology versus relying on NSGs for all traffic filtering. They run 15 spoke VNets with various workloads including internet-facing web apps, internal APIs, and databases. Budget is a consideration. What recommendation balances security effectiveness with cost?
Next up: Microsoft 365 Security Design — move from infrastructure to application-layer security as we begin Domain 4, designing security for Microsoft 365, collaboration workloads, and SaaS applications.