Practice SC-100 Design security operations, identity, and compliance capabilities questions with full explanations on every answer.
1. Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?
2. A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?
3. Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?
4. Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?
5. Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?
6. Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?
7. Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in emails. What should you configure?
8. Your organization uses Microsoft Entra ID and needs to ensure that external partners can access only specific applications for 30 days. What should you configure?
9. Your organization uses Microsoft Defender XDR for detection and response. You need to create a custom detection rule that alerts when a user performs more than 10 failed sign-ins from different countries within 5 minutes. Which component should you use?
10. Your organization uses Microsoft Purview to classify sensitive data. You need to automatically apply a sensitivity label to documents that contain personally identifiable information (PII). Which TWO components should you configure?
11. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a unified security operations platform. Which THREE capabilities should you enable?
12. Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?
13. Your organization is implementing a zero-trust security model and needs to ensure that all access to cloud resources is verified in real-time. You plan to use Microsoft Entra ID Conditional Access. Which policy component enforces real-time verification of user identity and device compliance before granting access?
14. Your company uses Microsoft Defender for Cloud to manage security posture across hybrid workloads. You need to ensure that critical vulnerabilities found on Azure VMs are automatically remediated without manual intervention. Which feature should you enable?
15. Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. The security team needs a solution that automatically investigates low-fidelity alerts and creates incidents only when confirmed malicious. Which Microsoft Sentinel feature should you configure?
16. Your company is deploying Microsoft Intune for mobile device management. You need to ensure that corporate data on personally owned devices is protected without affecting the user's personal data. Which Intune feature should you use?
17. Your organization is implementing a data loss prevention (DLP) strategy using Microsoft Purview. The compliance team needs to automatically classify and label sensitive data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Purview feature should you use?
18. Your organization uses Microsoft Defender XDR to detect and respond to threats. The SOC team wants to automatically isolate a device when a high-severity incident is confirmed. Which automation feature should you configure?
19. Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises credentials while gradually moving to cloud-only authentication. Which authentication method should you implement first?
20. Your organization uses Microsoft Sentinel as a SIEM. The security team wants to use Microsoft Copilot for Security to assist in incident investigation. You need to ensure that Copilot can access Sentinel data while meeting compliance requirements. Which integration should you configure?
21. Your organization needs to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. You plan to use Microsoft Entra ID Conditional Access. Which grant control should you configure?
22. Your organization is implementing a privileged access strategy using Microsoft Entra ID. You need to provide just-in-time (JIT) access to Azure resources for administrators. Which TWO features should you use?
23. Your organization is using Microsoft Sentinel to detect advanced threats. You need to ensure that alerts from Microsoft Defender XDR are automatically synchronized with Sentinel and that incidents are created. Which THREE components are required?
24. Your organization uses Microsoft Purview Information Protection to label sensitive emails. You need to ensure that labels are applied automatically based on content. Which THREE methods can you use?
25. Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to access email using Outlook (modern auth). What is the most likely reason?
26. Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?
27. Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. The security team requires that only HTTPS traffic is allowed and that TLS 1.2 is enforced. Does this template meet the requirements?
28. Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). The security team receives an alert for a user who has failed authentication 10 times in 5 minutes. What should you configure to reduce false positives while ensuring legitimate brute-force attacks are still detected?
29. A company uses Microsoft Defender for Cloud to assess the security posture of their hybrid environment. They need to ensure that all Azure subscriptions are evaluated against the same set of regulatory compliance standards. What should they configure?
30. Your organization uses Microsoft Intune to manage devices. You need to ensure that corporate data on personally owned devices is removed when a user leaves the company, but personal data remains intact. What should you use?
31. A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from sharing credit card numbers in email but allow sharing via encrypted email. What should they configure?
32. Your organization has Microsoft Entra ID (Azure AD) and uses Privileged Identity Management (PIM). You need to ensure that when a user activates a privileged role, they must provide a reason and a ticket number. What should you configure?
33. Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?
34. Refer to the exhibit. You are analyzing a Microsoft Sentinel analytics rule. What does this rule detect?
35. Refer to the exhibit. You are configuring a Microsoft Purview sensitivity label. When a user applies this label to an email, what happens?
36. Your organization uses Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. You need to create a custom detection rule that triggers when a user receives a phishing email and then attempts to log in from a new location. Which approach should you use?
37. Which TWO actions should you take to implement a zero-trust identity strategy in Microsoft Entra ID?
38. Which THREE capabilities does Microsoft Purview provide for compliance management?
39. Which TWO configurations are required to enable Microsoft Defender for Cloud Apps to monitor cloud app usage?
40. Your organization uses Microsoft Sentinel as a SIEM. You need to reduce the cost of data ingestion while ensuring that security-relevant events are retained. You have identified that Windows Event ID 4624 (successful logon) produces a high volume of logs. What should you do?
41. Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with a TPM (Trusted Platform Module) version 2.0 can access corporate resources. What should you configure?
42. Your organization uses Microsoft Defender for Cloud to manage the security posture of Azure resources. You need to receive alerts when a virtual machine is deployed without just-in-time (JIT) access enabled. What should you do?
43. A company uses Microsoft Sentinel for security operations. The security team wants to automatically create an incident in Microsoft Sentinel when Microsoft Defender for Cloud detects a high-severity vulnerability on a virtual machine. What should the security team configure?
44. A global organization uses Microsoft Entra ID with Conditional Access policies. They want to enforce multifactor authentication (MFA) for all users accessing sensitive apps from outside the corporate network, but allow access without MFA from trusted IPs. What should they configure?
45. Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. The query returns a list of users and IP addresses with failed sign-ins due to 'User Account Disabled' (ResultType 50057). The analyst wants to create a scheduled analytics rule that generates an incident when a user exceeds 5 such failures from the same IP in an hour. Which setting is missing from the query to meet the requirement?
46. A company uses Microsoft Purview to enforce Data Loss Prevention (DLP) policies. They want to prevent users from sharing credit card numbers via email. Which action should they configure in the DLP policy?
47. An organization uses Microsoft Intune to manage devices. They need to ensure that only devices compliant with security baselines can access corporate email via Microsoft Outlook. The solution should use existing Microsoft 365 security features. What should they implement?
48. Refer to the exhibit. An organization uses Microsoft Entra ID Governance. This access review policy is intended to review guest users created after January 1, 2025. The reviewers are users with job title 'Manager'. However, the review is not starting automatically. What is the most likely cause?
49. A company wants to monitor and respond to threats across their entire digital estate, including on-premises servers, cloud workloads, and identities. Which Microsoft solution should they use as a central security information and event management (SIEM) and extended detection and response (XDR) platform?
50. A company uses Microsoft Defender for Cloud Apps to discover and control cloud apps. They want to receive alerts when a user accesses a sanctioned app from an unusual location. Which feature should they configure?
51. Refer to the exhibit. An administrator runs this Microsoft Graph PowerShell command to retrieve an access review policy. The review is set to run quarterly but no recurrence is shown in the output. The review has not started. What is the most likely cause?
52. A company wants to implement a Zero Trust security model. Which TWO principles are fundamental to Zero Trust? (Choose two.)
53. An organization uses Microsoft Purview to classify and protect sensitive data. Which THREE capabilities can be used to discover sensitive data? (Choose three.)
54. A security operations center (SOC) uses Microsoft Sentinel. They want to automate incident response for common alerts. Which THREE components are required to build an automated response? (Choose three.)
55. A company needs to ensure that only authorized users can access sensitive data in Microsoft SharePoint Online. Which TWO controls can be used? (Choose two.)
56. An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)
57. A company wants to implement hybrid identity with Microsoft Entra ID. Which TWO components are required for password hash synchronization? (Choose two.)
58. Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents without human intervention. Which feature should you configure?
59. Your company uses Microsoft Defender for Cloud Apps and wants to prevent users from uploading sensitive files to personal cloud storage apps. What should you configure?
60. Your organization uses Microsoft Purview and needs to automatically apply a retention label to all documents containing personally identifiable information (PII) in SharePoint Online. What should you configure?
61. You need to design a solution to synchronize on-premises Active Directory users to Microsoft Entra ID for hybrid identity. Which tool should you use?
62. Your organization uses Microsoft Sentinel and wants to correlate security events from multiple sources to detect multi-stage attacks. What should you create?
63. Your organization uses Microsoft Intune to manage devices and wants to ensure that only compliant devices can access corporate email. Which conditional access policy setting should you configure?
64. Your organization uses Microsoft Defender for Office 365 and wants to block malicious links in email messages in real time. Which policy should you configure?
65. Your organization uses Microsoft Purview and needs to prevent users from copying sensitive data to USB drives. Which solution should you implement?
66. Your organization uses Microsoft Sentinel and wants to reduce alert fatigue by grouping related alerts into incidents. Which configuration should you use?
67. Refer to the exhibit. You create this conditional access policy in Microsoft Entra ID. What is the result?
68. Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the primary purpose?
69. Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?
70. Which TWO of the following are valid methods to protect privileged accounts in Microsoft Entra ID?
71. Which THREE of the following are capabilities of Microsoft Purview Information Protection?
72. Which TWO of the following are components of Microsoft Defender XDR (Extended Detection and Response)?
73. Your organization uses Microsoft Sentinel for security operations. You need to ensure that an attacker cannot disable data collection by deleting the diagnostic settings on the Sentinel workspace. What should you configure?
74. Your company uses Microsoft Defender for Cloud Apps (MDA). You need to create a policy that automatically suspends a user's access to a cloud app if the user is confirmed as compromised by Microsoft Entra ID Protection. Which policy type should you use?
75. You are designing a compliance solution for your organization that must enforce retention policies for documents stored in SharePoint Online. Which Microsoft Purview solution should you use?
76. Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. The policy is not blocking any sign-ins even though there are high-risk users. What is the most likely reason?
77. Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?
78. Your company needs to automatically classify and label sensitive documents in Microsoft 365 based on their content. Which Microsoft Purview solution should you implement?
79. Refer to the exhibit. You are troubleshooting a KQL query in Microsoft Sentinel that is supposed to return alerts for ransomware detections in the last day. The query returns no results, but you know there were ransomware alerts. What is the most likely cause?
80. Your organization uses Microsoft Entra ID and plans to implement a Zero Trust architecture. You need to ensure that all access requests to internal applications are verified continuously, not just at the initial sign-in. What should you configure?
81. You need to audit user activities in Microsoft 365, including who accessed a specific file in SharePoint Online. Which Microsoft Purview solution should you use?
82. Which TWO actions should you take to meet a compliance requirement that all emails containing credit card numbers must be encrypted before delivery?
83. Which TWO components are required to enable Microsoft Sentinel to ingest data from Amazon Web Services (AWS) CloudTrail?
84. Which THREE capabilities are provided by Microsoft Defender for Cloud Apps (MDA) when integrated with Microsoft Defender XDR?
85. Which THREE conditions can trigger a Microsoft Entra ID Protection user risk policy to require a password change?
86. Refer to the exhibit. You run the PowerShell command in Microsoft Entra ID to find compliance roles. You need to assign the Compliance Administrator role to a user. What is the correct parameter to use in the Add-AzureADMSRoleAssignment cmdlet?
87. Refer to the exhibit. You are deploying this Bicep template to enable Microsoft Defender for Cloud's VM protection. After deployment, you notice that Agentless VM scanning is not enabled for existing VMs. What is the most likely reason?
88. Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incident investigations are automatically captured for compliance reporting. Which feature should you enable?
89. A company is implementing a zero-trust security model. They need to enforce conditional access policies that require device compliance from Microsoft Intune. However, some users report being blocked when using personal devices that are not enrolled. What is the best approach to allow access while maintaining security?
90. Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to design a role activation policy that requires approval from a security group for global administrator roles, but allows self-activation for other roles. What is the correct configuration?
91. Your organization needs to monitor and respond to threats across email, endpoints, and identities. Which Microsoft solution provides a unified incident response experience?
92. A company uses Microsoft Purview to classify data and enforce retention policies. They need to automatically apply a retention label to all documents containing credit card numbers. Which approach should they use?
93. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that automatically creates an incident in Sentinel when a high-severity alert is generated in Defender for Cloud. What should you configure?
94. Your organization wants to enforce that all users authenticate using Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary?
95. A company uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. Which policy type should they implement?
96. Your organization uses Microsoft Entra ID with external identities. You need to design a solution that allows partners to self-service sign up using their existing Azure AD or Microsoft account credentials, while preventing them from accessing other resources. What should you use?
97. Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. Which TWO features can be used to simulate phishing attacks and train users?
98. Your organization uses Microsoft Sentinel and wants to improve threat hunting efficiency. Which THREE actions should you take?
99. Your organization needs to comply with regulatory requirements for data retention and deletion. Which TWO Microsoft Purview features should you use?
100. The exhibit shows a KQL query in Microsoft Sentinel. What is the primary purpose of this query?
101. The exhibit shows a conditional access policy in Microsoft Entra ID. What will be the effect of this policy?
102. The exhibit shows a conditional access policy from Microsoft Entra ID Identity Protection. When will this policy require MFA?
103. A company uses Microsoft Sentinel for security operations. The SOC team needs to automatically respond to a specific type of incident involving a known malicious IP address. They want to create an automated response that blocks the IP at the firewall and creates a Teams notification. Which feature should they use?
104. A global enterprise uses Microsoft Entra ID with Privileged Identity Management (PIM) and Conditional Access. They need to ensure that all privileged role activations require an approval workflow, and that the approval process is documented for compliance. What configuration should they implement?
105. A company uses Microsoft Defender for Cloud Apps to discover and control Shadow IT. They want to block the use of a newly discovered unsanctioned app. What should they do?
106. A company uses Microsoft Defender XDR and wants to ensure that all devices are reporting to the service. They notice that some devices are not appearing in the device inventory. Which log source should they check first to troubleshoot?
107. An organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot. Which DLP rule condition should they configure?
108. A company uses Microsoft Sentinel and wants to use a built-in connector to ingest logs from Amazon Web Services (AWS). Which connector should they use?
109. Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is enabled but users who are detected as high risk are still able to sign in. What is the most likely reason?
110. Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the primary purpose of this query?
111. A company uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. They want to integrate MDI alerts into Microsoft Sentinel. Which data connector should they use?
112. A company uses Microsoft Purview to classify and label sensitive data. They want to automatically apply a sensitivity label to documents containing a specific custom sensitive information type. Which TWO components are required for this?
113. A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?
114. A company uses Microsoft Sentinel as its SIEM. They want to minimize storage costs for verbose logs that are rarely accessed but must be retained for one year for compliance. Which TWO actions should they take?
115. A company uses Microsoft Purview Data Lifecycle Management. They need to retain financial records for 7 years and then delete them. Which TWO actions should they configure?
116. A company uses Microsoft Defender for Cloud to secure multicloud environments. They want to assess compliance with SOC 2. Which THREE steps should they take?
117. A company uses Microsoft Intune and wants to ensure that devices are compliant before accessing corporate resources. They create a Conditional Access policy that requires devices to be marked as compliant. However, some users report that they are blocked even though their device shows as compliant in Intune. What is the most likely cause?
118. Your company uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed ransomware incident by isolating affected devices and blocking malicious IPs. What should you use?
119. Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?
120. Your organization is implementing a zero-trust security model. You need to design a solution that continuously verifies user identity, device compliance, and access context before granting access to corporate resources. The solution should also support risk-based policies. Which Microsoft security capability should be at the core of this design?
121. Your organization uses Microsoft Purview to govern sensitive data. You need to design a solution that automatically detects and protects credit card numbers in emails and documents stored in Microsoft 365. The solution should also provide data loss prevention (DLP) policy tips to users when they try to share such data externally. What should you configure?
122. Your company is deploying a new line-of-business application in Azure that must comply with PCI DSS. The application uses Azure SQL Database. You need to design a solution to encrypt sensitive data at rest and in transit, and to audit access to sensitive columns. Which combination of Microsoft security capabilities should you recommend?
123. Your organization wants to use Microsoft Defender XDR to automatically investigate and respond to alerts. You need to ensure that the solution can autonomously remediate confirmed threats on endpoints, such as quarantining files and isolating devices. What should you enable?
124. Your organization uses Microsoft Sentinel as its SIEM. You receive a large number of low-severity alerts from various sources, overwhelming the security operations team. You need to design a solution to reduce alert fatigue while ensuring that critical incidents are not missed. The solution should also automatically collect feedback from analysts when they close an incident. What should you implement?
125. Your company uses Microsoft Intune to manage corporate devices. You need to design a compliance policy that requires devices to have a minimum OS version, be encrypted, and not be jailbroken or rooted. Additionally, you want to automatically block non-compliant devices from accessing corporate email. What should you configure?
126. Your organization is required to retain all Microsoft Teams chat messages for 7 years due to regulatory compliance. You need to design a solution that automatically retains these messages and, if needed, supports eDiscovery searches of them. What should you configure?
127Your organization is designing a privileged access strategy using Microsoft Entra ID. Which TWO configurations should be part of the design to protect privileged accounts?
128Your company is deploying Microsoft Defender XDR. You need to design a solution that uses advanced hunting to proactively search for threats. Which THREE data sources should be included in the advanced hunting schema to enable comprehensive threat hunting across endpoints, identities, and cloud apps?
129Your organization needs to comply with GDPR. You need to design a data protection strategy using Microsoft Purview. Which THREE capabilities should you include?
130Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud automation resource. You want the automation to trigger a playbook in Microsoft Sentinel when a high-severity security assessment is found. Based on the exhibit, what is the missing configuration?
131Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR advanced hunting. The query is intended to identify the top 10 devices by the number of executable process creations in the last 7 days. However, the results are showing only a few entries with low counts. What is the most likely issue?
132Refer to the exhibit. You are reviewing an Azure Policy definition for GDPR compliance. The policy is intended to audit storage accounts that do not have encryption enabled. However, the policy is not evaluating correctly. What is the most likely reason?
133Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?
134A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?
135Your organization uses Microsoft Intune for mobile device management. Employees report they cannot access corporate email on their personal iOS devices. The helpdesk confirms devices are enrolled and compliant. What should you check first?
136A multinational company uses Microsoft Purview for data governance. They need to automatically classify sensitive data in Microsoft 365 and apply retention labels. The solution must use pattern-based detection for credit card numbers and support custom keywords. What should they configure?
137. You need to design a security operations strategy for a hybrid environment using Microsoft Sentinel. Your environment includes on-premises servers and Azure VMs. Which data connector should you use to collect security events from both sources?
138. Your organization uses Microsoft Defender for Endpoint (MDE) and wants to implement automated investigation and response (AIR) for ransomware. You need to ensure that when a suspicious file is detected, the investigation is automatically started and the file is contained. What should you configure?
139. A company uses Microsoft Entra ID with P2 licenses and wants to implement a zero-trust identity security model. They need to require multi-factor authentication (MFA) for all external users accessing internal applications. The solution should not require external users to have Entra ID licenses. What should you configure?
140. You are designing an incident response plan for a company using Microsoft Defender XDR. The team needs to automatically notify the SOC via email when an incident of high severity is created. What should you use?
141. Your organization uses Microsoft Purview Information Protection to label sensitive documents. You need to ensure that documents containing personally identifiable information (PII) are automatically labeled when saved in SharePoint Online. What should you configure?
142. Which TWO actions should you take to implement a least-privilege identity security model using Microsoft Entra ID? (Choose two.)
143. Your company uses Microsoft Sentinel to manage security incidents. You need to design a solution that automatically triages low-severity incidents and enriches them with threat intelligence. Which THREE capabilities would you include? (Choose three.)
144. Which THREE are valid methods to secure privileged access in Microsoft Entra ID? (Choose three.)
145. You need to design a compliance solution using Microsoft Purview that automatically detects and protects credit card numbers in emails and documents. Which TWO features should you include? (Choose two.)
146. A company wants to automate incident response in Microsoft 365 Defender. Which THREE actions can be automated using automated investigation and response (AIR) capabilities? (Choose three.)
147. You are analyzing a custom detection rule in Microsoft 365 Defender. Based on the exhibit, what is a potential operational issue with this rule?
148. Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?
149. A company is implementing Microsoft Purview Compliance Manager to manage compliance activities. They need to assign a specific control action to a compliance officer. Which role should be assigned to the user in Purview Compliance Manager?
150. Your organization uses Microsoft Intune for mobile device management. You need to configure a compliance policy for iOS devices that requires the device to be jailbreak-detected and have a minimum OS version. Which two settings should you configure in the compliance policy? (Choose two.)
151. Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for ransomware attacks. Which action should you take?
152. You are designing identity security for a hybrid organization using Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. What is the recommended approach?
153. Your organization uses Microsoft Purview to protect sensitive data. You need to create a sensitivity label that automatically encrypts documents containing credit card numbers when they are shared externally. Which configuration should you use?
154. Your organization has Microsoft Sentinel. You need to create an analytics rule that detects when a user account is created outside of business hours (9 AM to 5 PM, Monday-Friday). Which KQL query should you use as the rule query?
155. Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should you use?
156. Your organization is deploying Microsoft Defender for Cloud Apps. Which THREE capabilities are included in Defender for Cloud Apps? (Select three.)
157. Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)
158. Your organization is implementing Microsoft Entra ID governance. Which TWO features are part of Microsoft Entra ID Governance? (Select two.)
159. Your organization uses Microsoft Sentinel for security operations. You need to ensure that incident investigations automatically enrich alerts with relevant user and device information from Microsoft Defender XDR and Microsoft Entra ID. What should you configure?
160. Your company uses Microsoft Purview to protect sensitive data. You need to automatically apply a retention label to documents containing credit card numbers detected in SharePoint Online. What should you configure?
161. You are designing a security operations solution for a multinational organization using Microsoft Sentinel. The organization has multiple Azure subscriptions, each with its own Log Analytics workspace. You need to centralize incident management while minimizing data egress costs. What should you recommend?
162. Your organization uses Microsoft Intune for mobile device management. You need to ensure that users can access corporate email on their personal iOS devices only if the device is enrolled in Intune and compliant with security policies. What should you configure?
163. Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use the same passwords for both on-premises and cloud resources without having to change them. What should you implement?
164. Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block data exfiltration from sanctioned cloud apps to personal devices. What should you configure?
165. Your organization uses Microsoft Purview to manage data governance. You need to create a unified data catalog that automatically classifies and labels data across Azure SQL Database, Amazon S3, and on-premises SQL Server. What should you configure?
166. Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the Azure portal. What is the simplest way to configure this?
167. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to automatically create incidents in Sentinel for high-severity alerts from Defender XDR. You also want to suppress low-severity alerts to reduce noise. What should you configure?
168. Your organization uses Microsoft 365 and wants to protect against phishing attacks. Which TWO configurations should you recommend?
169. Your organization is implementing Microsoft Entra ID governance. Which THREE capabilities should you include to manage the identity lifecycle and access reviews?
170. Your organization uses Microsoft Purview to comply with regulatory requirements. Which TWO features should you use to manage data retention and deletion?
171. Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. What does this policy accomplish?
172. Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?
173. Refer to the exhibit. You are reviewing a Microsoft Purview Data Map resource pattern for scanning. What is this pattern intended to do?
174. Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents related to a specific critical asset are automatically assigned to the senior SOC analyst. The assignment should occur as soon as the incident is created. What should you configure?
175. Your company uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to generate a report that shows the percentage of controls that are not yet implemented for the PCI DSS standard. What should you do?
176. You are designing a security operations strategy for a multinational organization. The SOC team needs to correlate alerts from multiple sources including Microsoft Defender for Cloud, Microsoft Sentinel, and third-party firewalls. Which solution should you use as the primary platform for correlation?
177. Your organization uses Microsoft Entra ID. You need to ensure that when a user's risk level is assessed as high by Identity Protection, the user is automatically blocked from signing in. The block should apply immediately. What should you configure?
178. Refer to the exhibit. You have deployed the automation shown in the exhibit in Microsoft Defender for Cloud. The automation triggers a Logic App when a high-severity alert is generated. Users report that the Logic App is not being triggered for some high-severity alerts. What is the most likely cause?
179. Your organization uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email. What should you configure?
180. Your company uses Microsoft 365 Copilot for Security. You need to ensure that only users in the 'SecurityAnalysts' group can access the Copilot for Security portal. All other users should not see the portal in their Microsoft 365 app launcher. What should you configure?
181. Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You need to create an analytics rule that generates an incident when a user is reported as compromised by Microsoft Defender for Identity. The rule should use the most efficient method to get this data. What should you use as the data source?
182. Your company uses Microsoft Purview Data Loss Prevention (DLP). You need to ensure that credit card numbers are not shared externally via email. What should you configure?
183. Your organization uses Microsoft Defender for Cloud Apps. You need to identify users who are downloading large amounts of data from a sanctioned cloud app in a short period. What should you configure?
184. Which TWO actions should you take to implement a Zero Trust security strategy for identity and access? (Choose two.)
185. Which THREE capabilities are part of Microsoft Purview's insider risk management solution? (Choose three.)
186. Which THREE are valid sources for ingesting data into Microsoft Sentinel? (Choose three.)
187. You are a security architect for a global financial services company. The company is adopting Microsoft Sentinel as its primary SIEM and Microsoft Defender XDR for endpoint, email, and identity protection. The company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. The SOC team needs to be able to investigate incidents that involve lateral movement between on-premises and cloud resources. Additionally, the company must comply with GDPR, requiring that personal data be protected and that data residency requirements are met: all security logs for EU users must remain within the EU. The company already has a Microsoft Sentinel workspace in the West Europe region. You need to design a solution that meets these requirements while minimizing administrative overhead. What should you do?
188. Your organization uses Microsoft Intune for mobile device management and Microsoft Entra ID for identity. You are designing a solution to ensure that only devices that are compliant with security policies can access corporate resources. The requirements are: 1) Devices must have a minimum OS version. 2) Devices must have encryption enabled. 3) Devices must not be jailbroken or rooted. 4) Access to corporate apps must be blocked if the device is non-compliant. 5) The solution should automatically remediate non-compliant devices when possible. You need to recommend the minimum configuration. What should you do?
189. Your company uses Microsoft 365 E5 licenses and has deployed Microsoft Defender for Office 365. The security team wants to be alerted when a user reports a phishing email using the built-in report message button in Outlook. The alert should be sent to the security team's email address. You need to configure this in the Microsoft 365 Defender portal. What should you do?
190. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?
191. Your organization uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to design a solution that automatically applies a 'Confidential' sensitivity label to documents that contain credit card numbers and are shared externally. The solution should also generate an alert when this occurs. Which two configurations should you implement? (Choose TWO.)
192. Your organization uses Microsoft Sentinel. You need to design a solution to detect and automatically respond to a potential brute-force attack against an on-premises application that is published via Azure AD Application Proxy. The solution should block the attacker's IP address in Azure AD Conditional Access for one hour after detecting more than 10 failed login attempts within 5 minutes. What should you implement?
193. Your organization uses Microsoft Intune to manage devices. You need to design a compliance policy that requires devices to have a minimum OS version and be encrypted. Which policy type should you use?
194. Refer to the exhibit. You receive an alert from Microsoft Defender for Cloud Apps. You need to investigate this alert in Microsoft Sentinel. Which Microsoft Sentinel feature should you use to visualize the relationship between the user account and the IP address?
195. Your organization plans to use Microsoft Sentinel and Microsoft Defender XDR to manage security incidents. You need to design a solution that ensures all Defender for Cloud Apps alerts are automatically synchronized to Microsoft Sentinel as incidents with the least administrative effort. What should you configure?
196. Your organization uses Microsoft Purview to manage data governance. You need to design a solution that allows data owners to classify sensitive data in their Microsoft SharePoint Online sites and generate a data catalog. Which Purview tool should you use?
197. Your organization needs to meet regulatory requirements that mandate keeping security audit logs for at least seven years. Which Microsoft Sentinel feature should you configure to comply with this requirement?
198. Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows corporate users to access a sensitive internal application only from managed devices that are compliant with company security policies. The solution should block access from personal devices. Which two components should you use? (Choose TWO.)
199. Your organization uses Microsoft Purview. You need to design a solution that automatically detects and classifies sensitive data such as passport numbers stored in Microsoft OneDrive. The solution should apply a 'Highly Confidential' sensitivity label without user intervention. What should you configure?
200. Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to a detected ransomware incident by isolating the affected device in Microsoft Defender for Endpoint. Which tool should you use to create the automated response?
201. Your organization uses Microsoft Entra ID. You need to design a solution that requires users to perform multifactor authentication when accessing a critical application from an untrusted network. The solution should not require additional licensing beyond Microsoft Entra ID P1. What should you use?
202. Your organization uses Microsoft Purview and Microsoft Sentinel. You need to design a solution that alerts the security team when a user tries to share a file labeled 'Highly Confidential' with an external email address. The alert should include the file name, user, and external recipient. Which two components should you use? (Choose TWO.)
203. Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that automatically remediates non-compliant devices by running a remediation script. Which Intune component should you use?
204. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that collects security events from Azure virtual machines and sends them to Microsoft Sentinel. The solution must minimize cost and management overhead. Which data connector should you use?
205. Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows only hybrid Azure AD joined devices to access a sensitive application. The solution must also require that the device is compliant with company policies. Which two components should you configure? (Choose TWO.)
206. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that investigates and responds to a ransomware incident. Which three actions should you take? (Choose THREE.)
207. Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)
208. You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?
209. Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that ensures all Windows 10 devices are running the latest security updates and have real-time protection enabled. If a device is non-compliant, it should be blocked from accessing corporate resources. You have already created a Conditional Access policy that requires compliant devices. You need to configure the compliance requirements and automatic remediation. What should you do?
210. Your organization uses Microsoft Purview to manage data governance. The compliance team needs to be able to search for and investigate whether any sensitive data (e.g., credit card numbers) is stored in Microsoft Teams messages. They also need to place a legal hold on specific user's Teams messages for eDiscovery. You need to design the solution. What should you configure?
211. Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. You need to design a solution that centralizes security alerts and automates remediation across all clouds. Which security operations capability should you prioritize?
212. Your organization is planning to use Microsoft Entra ID for identity management. You need to design a solution that enforces conditional access policies for sensitive applications while minimizing user friction. The solution must support offline access for mobile devices and require step-up authentication only when accessing high-risk data. What should you recommend?
213. Your organization has a Microsoft 365 E5 subscription and wants to detect insider data exfiltration attempts. You need to design a solution that can identify users copying sensitive data to personal cloud storage services. Which Microsoft Purview capability should you use?
214. Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy appears to block all legacy authentication. However, some users report that they can still access Exchange Online using Outlook 2010 (which uses basic authentication). What is the most likely reason the policy is not blocking these connections?
215. Your organization uses Microsoft Sentinel as a SIEM. You need to design a solution to detect advanced persistent threats (APTs) by correlating data from multiple sources, including network logs, endpoint data, and threat intelligence feeds. The solution must use machine learning to identify anomalies and reduce false positives. Which analytics rule type should you configure?
216. Your organization is implementing Microsoft Entra ID Governance. You need to design a solution that automates user access reviews for cloud applications. Which TWO capabilities should you include?
217. Your organization uses Microsoft 365 and wants to implement a data loss prevention (DLP) strategy. You need to ensure that sensitive data is protected both at rest and in transit, and that incidents are automatically reported to the security team. Which THREE actions should you take?
218. Your organization needs to meet compliance requirements for GDPR. You need to design a solution that uses Microsoft Purview to classify and protect personal data. Which TWO capabilities should you include?
219. Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to design a solution that automates incident response for critical security alerts. Which THREE components should you include?
220. Your organization is designing a Zero Trust architecture using Microsoft 365 security features. You need to ensure that all access requests are verified and least-privilege principles are applied. Which TWO capabilities should you implement?
221. You are a security architect for a global financial services company that uses Microsoft 365 E5 and Azure. The company has 50,000 users across 10 regions. The security team needs to detect and respond to identity-based threats in real-time, automate remediation for compromised accounts, and meet regulatory requirements for audit logging. The following requirements must be met: (1) Detect risky sign-ins and user anomalies, (2) Automatically block sign-ins when risk level is high, (3) Provide a centralized dashboard for security analysts to investigate incidents, (4) Retain logs for at least one year for compliance, (5) Minimize false positives by using machine learning. You have the following services available: Microsoft Entra ID P2, Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Purview, and Microsoft Intune. Which combination of services should you use to meet all requirements?
222. Your organization is a large healthcare provider that uses Microsoft 365 and Azure. You need to design a compliance solution that meets HIPAA requirements. The solution must automatically classify and protect electronic protected health information (ePHI) in Exchange Online, SharePoint Online, and OneDrive for Business. It must also provide reports on data access and sharing activities for auditors. The following requirements must be met: (1) Detect ePHI using built-in sensitive info types, (2) Apply encryption automatically to emails containing ePHI, (3) Prevent unauthorized sharing of ePHI in SharePoint, (4) Generate activity reports for auditors, (5) Use machine learning to improve classification accuracy. Which Microsoft Purview capabilities should you use?
223. Your organization is a small business with 200 users using Microsoft 365 Business Premium. You need to secure user identities against common attacks like phishing and password spray. The solution must be easy to deploy and manage with minimal overhead. Requirements: (1) Enable multi-factor authentication (MFA) for all users, (2) Block legacy authentication protocols, (3) Detect and block risky sign-ins, (4) Provide security recommendations to users, (5) Integrate with Microsoft Defender for Office 365 for email protection. Which Microsoft security service should you primarily use?
224. Your organization is a multi-national corporation that uses Microsoft 365 E5 and Azure. You need to design a security operations center (SOC) to detect and respond to threats across identities, endpoints, and cloud apps. The SOC team will use a single pane of glass for incident management. Requirements: (1) Centralize alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, (2) Automate incident response playbooks, (3) Use advanced hunting across all data sources, (4) Integrate with external threat intelligence feeds, (5) Provide role-based access control for SOC analysts. Which Microsoft solution should you implement?
225. Your organization uses Microsoft Entra ID for identity management and wants to implement a least-privilege access model for administrators. You need to reduce standing privileges and ensure that admin roles are activated only when needed with approval workflow. Requirements: (1) Require approval for activation of Global Administrator role, (2) Set activation duration to 4 hours maximum, (3) Require Azure MFA for activation, (4) Receive notifications when roles are activated, (5) Audit all activations for compliance. Which Microsoft Entra ID capability should you use?
226. Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents are automatically assigned to the appropriate analyst team based on the type of threat. What should you configure?
227. Your company uses Microsoft Entra ID. You need to implement a policy that requires all guest users to complete a terms-of-use acceptance before accessing applications. Which two components must be configured?
228. Your organization uses Microsoft Defender for Cloud to secure multi-cloud resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources without manual intervention. What should you configure?
229. Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled but users report they can still sign in from high-risk sessions. What is the most likely reason?
230. Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has deployed Microsoft Sentinel in Azure. The security operations center (SOC) receives thousands of alerts daily from Microsoft Defender for Cloud, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. The SOC team is overwhelmed and needs to prioritize incidents effectively. You need to design a solution that uses Microsoft Sentinel to automatically classify incidents as true positive, false positive, or benign positive based on threat intelligence and analytics. Additionally, the solution should automatically close low-confidence false positive incidents after 24 hours if no analyst interaction occurs. You must minimize manual effort and ensure that critical incidents are escalated immediately. What should you do?
231. Your organization, Fabrikam Inc., uses Microsoft Intune for device management and Microsoft Entra ID for identity. You need to design a solution to ensure that only compliant and healthy devices can access corporate resources. The solution must require that devices are either enrolled in Intune and compliant, or joined to Azure AD with a health attestation. Additionally, you need to block access from devices that are rooted or jailbroken. You have the following requirements: 1) Enforce conditional access policies to check device compliance and health. 2) Use Microsoft Defender for Endpoint integration for device health signals. 3) Provide a fallback option for unmanaged devices to access only web apps via browser with app protection policies. Which combination of actions should you take?
The Design security operations, identity, and compliance capabilities domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.
The Courseiva SC-100 question bank contains 231 questions in the Design security operations, identity, and compliance capabilities domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Design security operations, identity, and compliance capabilities domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.