© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Design security operations, identity, and compliance capabilities

Practice SC-100 Design security operations, identity, and compliance capabilities questions with full explanations on every answer.

231 questions


All SC-100 Design security operations, identity, and compliance capabilities questions (231)


1

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?

2

A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?

3

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?

4

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

5

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?

6

Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?

7

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in emails. What should you configure?

8

Your organization uses Microsoft Entra ID and needs to ensure that external partners can access only specific applications for 30 days. What should you configure?

9

Your organization uses Microsoft Defender XDR for detection and response. You need to create a custom detection rule that alerts when a user performs more than 10 failed sign-ins from different countries within 5 minutes. Which component should you use?

10

Your organization uses Microsoft Purview to classify sensitive data. You need to automatically apply a sensitivity label to documents that contain personally identifiable information (PII). Which TWO components should you configure?

11

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a unified security operations platform. Which THREE capabilities should you enable?

12

Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?

13

Your organization is implementing a zero-trust security model and needs to ensure that all access to cloud resources is verified in real-time. You plan to use Microsoft Entra ID Conditional Access. Which policy component enforces real-time verification of user identity and device compliance before granting access?

14

Your company uses Microsoft Defender for Cloud to manage security posture across hybrid workloads. You need to ensure that critical vulnerabilities found on Azure VMs are automatically remediated without manual intervention. Which feature should you enable?

15

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. The security team needs a solution that automatically investigates low-fidelity alerts and creates incidents only when confirmed malicious. Which Microsoft Sentinel feature should you configure?

16

Your company is deploying Microsoft Intune for mobile device management. You need to ensure that corporate data on personally owned devices is protected without affecting the user's personal data. Which Intune feature should you use?

17

Your organization is implementing a data loss prevention (DLP) strategy using Microsoft Purview. The compliance team needs to automatically classify and label sensitive data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Purview feature should you use?

18

Your organization uses Microsoft Defender XDR to detect and respond to threats. The SOC team wants to automatically isolate a device when a high-severity incident is confirmed. Which automation feature should you configure?

19

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises credentials while gradually moving to cloud-only authentication. Which authentication method should you implement first?

20

Your organization uses Microsoft Sentinel as a SIEM. The security team wants to use Microsoft Copilot for Security to assist in incident investigation. You need to ensure that Copilot can access Sentinel data while meeting compliance requirements. Which integration should you configure?

21

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. You plan to use Microsoft Entra ID Conditional Access. Which grant control should you configure?

22

Your organization is implementing a privileged access strategy using Microsoft Entra ID. You need to provide just-in-time (JIT) access to Azure resources for administrators. Which TWO features should you use?

23

Your organization is using Microsoft Sentinel to detect advanced threats. You need to ensure that alerts from Microsoft Defender XDR are automatically synchronized with Sentinel and that incidents are created. Which THREE components are required?

24

Your organization uses Microsoft Purview Information Protection to label sensitive emails. You need to ensure that labels are applied automatically based on content. Which THREE methods can you use?

25

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to access email using Outlook (modern auth). What is the most likely reason?

26

Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?

27

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. The security team requires that only HTTPS traffic is allowed and that TLS 1.2 is enforced. Does this template meet the requirements?

28

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). The security team receives an alert for a user who has failed authentication 10 times in 5 minutes. What should you configure to reduce false positives while ensuring legitimate brute-force attacks are still detected?

29

A company uses Microsoft Defender for Cloud to assess the security posture of their hybrid environment. They need to ensure that all Azure subscriptions are evaluated against the same set of regulatory compliance standards. What should they configure?

30

Your organization uses Microsoft Intune to manage devices. You need to ensure that corporate data on personally owned devices is removed when a user leaves the company, but personal data remains intact. What should you use?

31

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from sharing credit card numbers in email but allow sharing via encrypted email. What should they configure?

32

Your organization has Microsoft Entra ID (Azure AD) and uses Privileged Identity Management (PIM). You need to ensure that when a user activates a privileged role, they must provide a reason and a ticket number. What should you configure?

33

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?

34

Refer to the exhibit. You are analyzing a Microsoft Sentinel analytics rule. What does this rule detect?

35

Refer to the exhibit. You are configuring a Microsoft Purview sensitivity label. When a user applies this label to an email, what happens?

36

Your organization uses Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. You need to create a custom detection rule that triggers when a user receives a phishing email and then attempts to log in from a new location. Which approach should you use?

37

Which TWO actions should you take to implement a zero-trust identity strategy in Microsoft Entra ID?

38

Which THREE capabilities does Microsoft Purview provide for compliance management?

39

Which TWO configurations are required to enable Microsoft Defender for Cloud Apps to monitor cloud app usage?

40

Your organization uses Microsoft Sentinel as a SIEM. You need to reduce the cost of data ingestion while ensuring that security-relevant events are retained. You have identified that Windows Event ID 4624 (successful logon) produces a high volume of logs. What should you do?

41

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with a TPM (Trusted Platform Module) version 2.0 can access corporate resources. What should you configure?

42

Your organization uses Microsoft Defender for Cloud to manage the security posture of Azure resources. You need to receive alerts when a virtual machine is deployed without just-in-time (JIT) access enabled. What should you do?

43

A company uses Microsoft Sentinel for security operations. The security team wants to automatically create an incident in Microsoft Sentinel when Microsoft Defender for Cloud detects a high-severity vulnerability on a virtual machine. What should the security team configure?

44

A global organization uses Microsoft Entra ID with Conditional Access policies. They want to enforce multifactor authentication (MFA) for all users accessing sensitive apps from outside the corporate network, but allow access without MFA from trusted IPs. What should they configure?

45

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. The query returns a list of users and IP addresses with failed sign-ins due to 'User Account Disabled' (ResultType 50057). The analyst wants to create a scheduled analytics rule that generates an incident when a user exceeds 5 such failures from the same IP in an hour. Which setting is missing from the query to meet the requirement?

46

A company uses Microsoft Purview to enforce Data Loss Prevention (DLP) policies. They want to prevent users from sharing credit card numbers via email. Which action should they configure in the DLP policy?

47

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices compliant with security baselines can access corporate email via Microsoft Outlook. The solution should use existing Microsoft 365 security features. What should they implement?

48

Refer to the exhibit. An organization uses Microsoft Entra ID Governance. This access review policy is intended to review guest users created after January 1, 2025. The reviewers are users with job title 'Manager'. However, the review is not starting automatically. What is the most likely cause?

49

A company wants to monitor and respond to threats across their entire digital estate, including on-premises servers, cloud workloads, and identities. Which Microsoft solution should they use as a central security information and event management (SIEM) and extended detection and response (XDR) platform?

50

A company uses Microsoft Defender for Cloud Apps to discover and control cloud apps. They want to receive alerts when a user accesses a sanctioned app from an unusual location. Which feature should they configure?

51

Refer to the exhibit. An administrator runs this Microsoft Graph PowerShell command to retrieve an access review policy. The review is set to run quarterly but no recurrence is shown in the output. The review has not started. What is the most likely cause?

52

A company wants to implement a Zero Trust security model. Which TWO principles are fundamental to Zero Trust? (Choose two.)

53

An organization uses Microsoft Purview to classify and protect sensitive data. Which THREE capabilities can be used to discover sensitive data? (Choose three.)

54

A security operations center (SOC) uses Microsoft Sentinel. They want to automate incident response for common alerts. Which THREE components are required to build an automated response? (Choose three.)

55

A company needs to ensure that only authorized users can access sensitive data in Microsoft SharePoint Online. Which TWO controls can be used? (Choose two.)

56

An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)

57

A company wants to implement hybrid identity with Microsoft Entra ID. Which TWO components are required for password hash synchronization? (Choose two.)

58

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents without human intervention. Which feature should you configure?

59

Your company uses Microsoft Defender for Cloud Apps and wants to prevent users from uploading sensitive files to personal cloud storage apps. What should you configure?

60

Your organization uses Microsoft Purview and needs to automatically apply a retention label to all documents containing personally identifiable information (PII) in SharePoint Online. What should you configure?

61

You need to design a solution to synchronize on-premises Active Directory users to Microsoft Entra ID for hybrid identity. Which tool should you use?

62

Your organization uses Microsoft Sentinel and wants to correlate security events from multiple sources to detect multi-stage attacks. What should you create?

63

Your organization uses Microsoft Intune to manage devices and wants to ensure that only compliant devices can access corporate email. Which conditional access policy setting should you configure?

64

Your organization uses Microsoft Defender for Office 365 and wants to block malicious links in email messages in real time. Which policy should you configure?

65

Your organization uses Microsoft Purview and needs to prevent users from copying sensitive data to USB drives. Which solution should you implement?

66

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue by grouping related alerts into incidents. Which configuration should you use?

67

Refer to the exhibit. You create this conditional access policy in Microsoft Entra ID. What is the result?

68

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the primary purpose?

69

Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?

70

Which TWO of the following are valid methods to protect privileged accounts in Microsoft Entra ID?

71

Which THREE of the following are capabilities of Microsoft Purview Information Protection?

72

Which TWO of the following are components of Microsoft Defender XDR (Extended Detection and Response)?

73

Your organization uses Microsoft Sentinel for security operations. You need to ensure that an attacker cannot disable data collection by deleting the diagnostic settings on the Sentinel workspace. What should you configure?

74

Your company uses Microsoft Defender for Cloud Apps (MDA). You need to create a policy that automatically suspends a user's access to a cloud app if the user is confirmed as compromised by Microsoft Entra ID Protection. Which policy type should you use?

75

You are designing a compliance solution for your organization that must enforce retention policies for documents stored in SharePoint Online. Which Microsoft Purview solution should you use?

76

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. The policy is not blocking any sign-ins even though there are high-risk users. What is the most likely reason?

77

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?

78

Your company needs to automatically classify and label sensitive documents in Microsoft 365 based on their content. Which Microsoft Purview solution should you implement?

79

Refer to the exhibit. You are troubleshooting a KQL query in Microsoft Sentinel that is supposed to return alerts for ransomware detections in the last day. The query returns no results, but you know there were ransomware alerts. What is the most likely cause?

80

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust architecture. You need to ensure that all access requests to internal applications are verified continuously, not just at the initial sign-in. What should you configure?

81

You need to audit user activities in Microsoft 365, including who accessed a specific file in SharePoint Online. Which Microsoft Purview solution should you use?

82

Which TWO actions should you take to meet a compliance requirement that all emails containing credit card numbers must be encrypted before delivery?

83

Which TWO components are required to enable Microsoft Sentinel to ingest data from Amazon Web Services (AWS) CloudTrail?

84

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps (MDA) when integrated with Microsoft Defender XDR?

85

Which THREE conditions can trigger a Microsoft Entra ID Protection user risk policy to require a password change?

86

Refer to the exhibit. You run the PowerShell command in Microsoft Entra ID to find compliance roles. You need to assign the Compliance Administrator role to a user. What is the correct parameter to use in the Add-AzureADMSRoleAssignment cmdlet?

87

Refer to the exhibit. You are deploying this Bicep template to enable Microsoft Defender for Cloud's VM protection. After deployment, you notice that Agentless VM scanning is not enabled for existing VMs. What is the most likely reason?

88

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incident investigations are automatically captured for compliance reporting. Which feature should you enable?

89

A company is implementing a zero-trust security model. They need to enforce conditional access policies that require device compliance from Microsoft Intune. However, some users report being blocked when using personal devices that are not enrolled. What is the best approach to allow access while maintaining security?

90

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to design a role activation policy that requires approval from a security group for global administrator roles, but allows self-activation for other roles. What is the correct configuration?

91

Your organization needs to monitor and respond to threats across email, endpoints, and identities. Which Microsoft solution provides a unified incident response experience?

92

A company uses Microsoft Purview to classify data and enforce retention policies. They need to automatically apply a retention label to all documents containing credit card numbers. Which approach should they use?

93

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that automatically creates an incident in Sentinel when a high-severity alert is generated in Defender for Cloud. What should you configure?

94

Your organization wants to enforce that all users authenticate using Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary?

95

A company uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. Which policy type should they implement?

96

Your organization uses Microsoft Entra ID with external identities. You need to design a solution that allows partners to self-service sign up using their existing Azure AD or Microsoft account credentials, while preventing them from accessing other resources. What should you use?

97

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. Which TWO features can be used to simulate phishing attacks and train users?

98

Your organization uses Microsoft Sentinel and wants to improve threat hunting efficiency. Which THREE actions should you take?

99

Your organization needs to comply with regulatory requirements for data retention and deletion. Which TWO Microsoft Purview features should you use?

100

The exhibit shows a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

101

The exhibit shows a conditional access policy in Microsoft Entra ID. What will be the effect of this policy?

102

The exhibit shows a conditional access policy from Microsoft Entra ID Identity Protection. When will this policy require MFA?

103

A company uses Microsoft Sentinel for security operations. The SOC team needs to automatically respond to a specific type of incident involving a known malicious IP address. They want to create an automated response that blocks the IP at the firewall and creates a Teams notification. Which feature should they use?

104

A global enterprise uses Microsoft Entra ID with Privileged Identity Management (PIM) and Conditional Access. They need to ensure that all privileged role activations require an approval workflow, and that the approval process is documented for compliance. What configuration should they implement?

105

A company uses Microsoft Defender for Cloud Apps to discover and control Shadow IT. They want to block the use of a newly discovered unsanctioned app. What should they do?

106

A company uses Microsoft Defender XDR and wants to ensure that all devices are reporting to the service. They notice that some devices are not appearing in the device inventory. Which log source should they check first to troubleshoot?

107

An organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot. Which DLP rule condition should they configure?

108

A company uses Microsoft Sentinel and wants to use a built-in connector to ingest logs from Amazon Web Services (AWS). Which connector should they use?

109

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is enabled but users who are detected as high risk are still able to sign in. What is the most likely reason?

110

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the primary purpose of this query?

111

A company uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. They want to integrate MDI alerts into Microsoft Sentinel. Which data connector should they use?

112

A company uses Microsoft Purview to classify and label sensitive data. They want to automatically apply a sensitivity label to documents containing a specific custom sensitive information type. Which TWO components are required for this?

113

A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?

114

A company uses Microsoft Sentinel as its SIEM. They want to minimize storage costs for verbose logs that are rarely accessed but must be retained for one year for compliance. Which TWO actions should they take?

115

A company uses Microsoft Purview Data Lifecycle Management. They need to retain financial records for 7 years and then delete them. Which TWO actions should they configure?

116

A company uses Microsoft Defender for Cloud to secure multicloud environments. They want to assess compliance with SOC 2. Which THREE steps should they take?

117

A company uses Microsoft Intune and wants to ensure that devices are compliant before accessing corporate resources. They create a Conditional Access policy that requires devices to be marked as compliant. However, some users report that they are blocked even though their device shows as compliant in Intune. What is the most likely cause?

118

Your company uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed ransomware incident by isolating affected devices and blocking malicious IPs. What should you use?

119

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?

120

Your organization is implementing a zero-trust security model. You need to design a solution that continuously verifies user identity, device compliance, and access context before granting access to corporate resources. The solution should also support risk-based policies. Which Microsoft security capability should be at the core of this design?

121

Your organization uses Microsoft Purview to govern sensitive data. You need to design a solution that automatically detects and protects credit card numbers in emails and documents stored in Microsoft 365. The solution should also provide data loss prevention (DLP) policy tips to users when they try to share such data externally. What should you configure?

122

Your company is deploying a new line-of-business application in Azure that must comply with PCI DSS. The application uses Azure SQL Database. You need to design a solution to encrypt sensitive data at rest and in transit, and to audit access to sensitive columns. Which combination of Microsoft security capabilities should you recommend?

123

Your organization wants to use Microsoft Defender XDR to automatically investigate and respond to alerts. You need to ensure that the solution can autonomously remediate confirmed threats on endpoints, such as quarantining files and isolating devices. What should you enable?

124

Your organization uses Microsoft Sentinel as its SIEM. You receive a large number of low-severity alerts from various sources, overwhelming the security operations team. You need to design a solution to reduce alert fatigue while ensuring that critical incidents are not missed. The solution should also automatically collect feedback from analysts when they close an incident. What should you implement?

125

Your company uses Microsoft Intune to manage corporate devices. You need to design a compliance policy that requires devices to have a minimum OS version, be encrypted, and not be jailbroken or rooted. Additionally, you want to automatically block non-compliant devices from accessing corporate email. What should you configure?

126

Your organization is required to retain all Microsoft Teams chat messages for 7 years due to regulatory compliance. You need to design a solution that automatically retains these messages and, if needed, supports eDiscovery searches of them. What should you configure?

127

Your organization is designing a privileged access strategy using Microsoft Entra ID. Which TWO configurations should be part of the design to protect privileged accounts?

128

Your company is deploying Microsoft Defender XDR. You need to design a solution that uses advanced hunting to proactively search for threats. Which THREE data sources should be included in the advanced hunting schema to enable comprehensive threat hunting across endpoints, identities, and cloud apps?

129

Your organization needs to comply with GDPR. You need to design a data protection strategy using Microsoft Purview. Which THREE capabilities should you include?

130

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud automation resource. You want the automation to trigger a playbook in Microsoft Sentinel when a high-severity security assessment is found. Based on the exhibit, what is the missing configuration?

131

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR advanced hunting. The query is intended to identify the top 10 devices by the number of executable process creations in the last 7 days. However, the results are showing only a few entries with low counts. What is the most likely issue?

132

Refer to the exhibit. You are reviewing an Azure Policy definition for GDPR compliance. The policy is intended to audit storage accounts that do not have encryption enabled. However, the policy is not evaluating correctly. What is the most likely reason?

133

Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?

134

A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?

135

Your organization uses Microsoft Intune for mobile device management. Employees report they cannot access corporate email on their personal iOS devices. The helpdesk confirms devices are enrolled and compliant. What should you check first?

136

A multinational company uses Microsoft Purview for data governance. They need to automatically classify sensitive data in Microsoft 365 and apply retention labels. The solution must use pattern-based detection for credit card numbers and support custom keywords. What should they configure?

137

You need to design a security operations strategy for a hybrid environment using Microsoft Sentinel. Your environment includes on-premises servers and Azure VMs. Which data connector should you use to collect security events from both sources?

138

Your organization uses Microsoft Defender for Endpoint (MDE) and wants to implement automated investigation and response (AIR) for ransomware. You need to ensure that when a suspicious file is detected, the investigation is automatically started and the file is contained. What should you configure?

139

A company uses Microsoft Entra ID with P2 licenses and wants to implement a zero-trust identity security model. They need to require multi-factor authentication (MFA) for all external users accessing internal applications. The solution should not require external users to have Entra ID licenses. What should you configure?

140

You are designing an incident response plan for a company using Microsoft Defender XDR. The team needs to automatically notify the SOC via email when an incident of high severity is created. What should you use?

141

Your organization uses Microsoft Purview Information Protection to label sensitive documents. You need to ensure that documents containing personally identifiable information (PII) are automatically labeled when saved in SharePoint Online. What should you configure?

142

Which TWO actions should you take to implement a least-privilege identity security model using Microsoft Entra ID? (Choose two.)

143

Your company uses Microsoft Sentinel to manage security incidents. You need to design a solution that automatically triages low-severity incidents and enriches them with threat intelligence. Which THREE capabilities would you include? (Choose three.)

144

Which THREE are valid methods to secure privileged access in Microsoft Entra ID? (Choose three.)

145

You need to design a compliance solution using Microsoft Purview that automatically detects and protects credit card numbers in emails and documents. Which TWO features should you include? (Choose two.)

146

A company wants to automate incident response in Microsoft 365 Defender. Which THREE actions can be automated using automated investigation and response (AIR) capabilities? (Choose three.)

147

You are analyzing a custom detection rule in Microsoft 365 Defender. Based on the exhibit, what is a potential operational issue with this rule?

148

Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?

149

A company is implementing Microsoft Purview Compliance Manager to manage compliance activities. They need to assign a specific control action to a compliance officer. Which role should be assigned to the user in Purview Compliance Manager?

150

Your organization uses Microsoft Intune for mobile device management. You need to configure a compliance policy for iOS devices that requires the device to be jailbreak-detected and have a minimum OS version. Which two settings should you configure in the compliance policy? (Choose two.)

151

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for ransomware attacks. Which action should you take?

152

You are designing identity security for a hybrid organization using Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. What is the recommended approach?

153

Your organization uses Microsoft Purview to protect sensitive data. You need to create a sensitivity label that automatically encrypts documents containing credit card numbers when they are shared externally. Which configuration should you use?

154

Your organization has Microsoft Sentinel. You need to create an analytics rule that detects when a user account is created outside of business hours (9 AM to 5 PM, Monday-Friday). Which KQL query should you use as the rule query?

155

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should you use?

156

Your organization is deploying Microsoft Defender for Cloud Apps. Which THREE capabilities are included in Defender for Cloud Apps? (Select three.)

157

Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)

158

Your organization is implementing Microsoft Entra ID governance. Which TWO features are part of Microsoft Entra ID Governance? (Select two.)

159

Your organization uses Microsoft Sentinel for security operations. You need to ensure that incident investigations automatically enrich alerts with relevant user and device information from Microsoft Defender XDR and Microsoft Entra ID. What should you configure?

160

Your company uses Microsoft Purview to protect sensitive data. You need to automatically apply a retention label to documents containing credit card numbers detected in SharePoint Online. What should you configure?

161

You are designing a security operations solution for a multinational organization using Microsoft Sentinel. The organization has multiple Azure subscriptions, each with its own Log Analytics workspace. You need to centralize incident management while minimizing data egress costs. What should you recommend?

162

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users can access corporate email on their personal iOS devices only if the device is enrolled in Intune and compliant with security policies. What should you configure?

163

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use the same passwords for both on-premises and cloud resources without having to change them. What should you implement?

164

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block data exfiltration from sanctioned cloud apps to personal devices. What should you configure?

165

Your organization uses Microsoft Purview to manage data governance. You need to create a unified data catalog that automatically classifies and labels data across Azure SQL Database, Amazon S3, and on-premises SQL Server. What should you configure?

166

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the Azure portal. What is the simplest way to configure this?

167

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to automatically create incidents in Sentinel for high-severity alerts from Defender XDR. You also want to suppress low-severity alerts to reduce noise. What should you configure?

168

Your organization uses Microsoft 365 and wants to protect against phishing attacks. Which TWO configurations should you recommend?

169

Your organization is implementing Microsoft Entra ID governance. Which THREE capabilities should you include to manage the identity lifecycle and access reviews?

170

Your organization uses Microsoft Purview to comply with regulatory requirements. Which TWO features should you use to manage data retention and deletion?

171

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. What does this policy accomplish?

172

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

173

Refer to the exhibit. You are reviewing a Microsoft Purview Data Map resource pattern for scanning. What is this pattern intended to do?

174

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents related to a specific critical asset are automatically assigned to the senior SOC analyst. The assignment should occur as soon as the incident is created. What should you configure?

175

Your company uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to generate a report that shows the percentage of controls that are not yet implemented for the PCI DSS standard. What should you do?

176

You are designing a security operations strategy for a multinational organization. The SOC team needs to correlate alerts from multiple sources including Microsoft Defender for Cloud, Microsoft Sentinel, and third-party firewalls. Which solution should you use as the primary platform for correlation?

177

Your organization uses Microsoft Entra ID. You need to ensure that when a user's risk level is assessed as high by Identity Protection, the user is automatically blocked from signing in. The block should apply immediately. What should you configure?

178

Refer to the exhibit. You have deployed the automation shown in the exhibit in Microsoft Defender for Cloud. The automation triggers a Logic App when a high-severity alert is generated. Users report that the Logic App is not being triggered for some high-severity alerts. What is the most likely cause?

179

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email. What should you configure?

180

Your company uses Microsoft 365 Copilot for Security. You need to ensure that only users in the 'SecurityAnalysts' group can access the Copilot for Security portal. All other users should not see the portal in their Microsoft 365 app launcher. What should you configure?

181

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You need to create an analytics rule that generates an incident when a user is reported as compromised by Microsoft Defender for Identity. The rule should use the most efficient method to get this data. What should you use as the data source?

182

Your company uses Microsoft Purview Data Loss Prevention (DLP). You need to ensure that credit card numbers are not shared externally via email. What should you configure?

183

Your organization uses Microsoft Defender for Cloud Apps. You need to identify users who are downloading large amounts of data from a sanctioned cloud app in a short period. What should you configure?

184

Which TWO actions should you take to implement a Zero Trust security strategy for identity and access? (Choose two.)

185

Which THREE capabilities are part of Microsoft Purview's insider risk management solution? (Choose three.)

186

Which THREE are valid sources for ingesting data into Microsoft Sentinel? (Choose three.)

187

You are a security architect for a global financial services company. The company is adopting Microsoft Sentinel as its primary SIEM and Microsoft Defender XDR for endpoint, email, and identity protection. The company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. The SOC team needs to be able to investigate incidents that involve lateral movement between on-premises and cloud resources. Additionally, the company must comply with GDPR, requiring that personal data be protected and that data residency requirements are met: all security logs for EU users must remain within the EU. The company already has a Microsoft Sentinel workspace in the West Europe region. You need to design a solution that meets these requirements while minimizing administrative overhead. What should you do?

188

Your organization uses Microsoft Intune for mobile device management and Microsoft Entra ID for identity. You are designing a solution to ensure that only devices that are compliant with security policies can access corporate resources. The requirements are: 1) Devices must have a minimum OS version. 2) Devices must have encryption enabled. 3) Devices must not be jailbroken or rooted. 4) Access to corporate apps must be blocked if the device is non-compliant. 5) The solution should automatically remediate non-compliant devices when possible. You need to recommend the minimum configuration. What should you do?

189

Your company uses Microsoft 365 E5 licenses and has deployed Microsoft Defender for Office 365. The security team wants to be alerted when a user reports a phishing email using the built-in report message button in Outlook. The alert should be sent to the security team's email address. You need to configure this in the Microsoft 365 Defender portal. What should you do?

190

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?

191

Your organization uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to design a solution that automatically applies a 'Confidential' sensitivity label to documents that contain credit card numbers and are shared externally. The solution should also generate an alert when this occurs. Which two configurations should you implement? (Choose TWO.)

192

Your organization uses Microsoft Sentinel. You need to design a solution to detect and automatically respond to a potential brute-force attack against an on-premises application that is published via Azure AD Application Proxy. The solution should block the attacker's IP address in Azure AD Conditional Access for one hour after detecting more than 10 failed login attempts within 5 minutes. What should you implement?

193

Your organization uses Microsoft Intune to manage devices. You need to design a compliance policy that requires devices to have a minimum OS version and be encrypted. Which policy type should you use?

194

Refer to the exhibit. You receive an alert from Microsoft Defender for Cloud Apps. You need to investigate this alert in Microsoft Sentinel. Which Microsoft Sentinel feature should you use to visualize the relationship between the user account and the IP address?

195

Your organization plans to use Microsoft Sentinel and Microsoft Defender XDR to manage security incidents. You need to design a solution that ensures all Defender for Cloud Apps alerts are automatically synchronized to Microsoft Sentinel as incidents with the least administrative effort. What should you configure?

196

Your organization uses Microsoft Purview to manage data governance. You need to design a solution that allows data owners to classify sensitive data in their Microsoft SharePoint Online sites and generate a data catalog. Which Purview tool should you use?

197

Your organization needs to meet regulatory requirements that mandate keeping security audit logs for at least seven years. Which Microsoft Sentinel feature should you configure to comply with this requirement?

198

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows corporate users to access a sensitive internal application only from managed devices that are compliant with company security policies. The solution should block access from personal devices. Which two components should you use? (Choose TWO.)

199

Your organization uses Microsoft Purview. You need to design a solution that automatically detects and classifies sensitive data such as passport numbers stored in Microsoft OneDrive. The solution should apply a 'Highly Confidential' sensitivity label without user intervention. What should you configure?

200

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to a detected ransomware incident by isolating the affected device in Microsoft Defender for Endpoint. Which tool should you use to create the automated response?

201

Your organization uses Microsoft Entra ID. You need to design a solution that requires users to perform multifactor authentication when accessing a critical application from an untrusted network. The solution should not require additional licensing beyond Microsoft Entra ID P1. What should you use?

202

Your organization uses Microsoft Purview and Microsoft Sentinel. You need to design a solution that alerts the security team when a user tries to share a file labeled 'Highly Confidential' with an external email address. The alert should include the file name, user, and external recipient. Which two components should you use? (Choose TWO.)

203

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that automatically remediates non-compliant devices by running a remediation script. Which Intune component should you use?

204

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that collects security events from Azure virtual machines and sends them to Microsoft Sentinel. The solution must minimize cost and management overhead. Which data connector should you use?

205

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows only hybrid Azure AD joined devices to access a sensitive application. The solution must also require that the device is compliant with company policies. Which two components should you configure? (Choose TWO.)

206

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that investigates and responds to a ransomware incident. Which three actions should you take? (Choose THREE.)

207

Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)

208

You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?

209

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that ensures all Windows 10 devices are running the latest security updates and have real-time protection enabled. If a device is non-compliant, it should be blocked from accessing corporate resources. You have already created a Conditional Access policy that requires compliant devices. You need to configure the compliance requirements and automatic remediation. What should you do?

210

Your organization uses Microsoft Purview to manage data governance. The compliance team needs to be able to search for and investigate whether any sensitive data (e.g., credit card numbers) is stored in Microsoft Teams messages. They also need to place a legal hold on specific user's Teams messages for eDiscovery. You need to design the solution. What should you configure?

211

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. You need to design a solution that centralizes security alerts and automates remediation across all clouds. Which security operations capability should you prioritize?

212

Your organization is planning to use Microsoft Entra ID for identity management. You need to design a solution that enforces conditional access policies for sensitive applications while minimizing user friction. The solution must support offline access for mobile devices and require step-up authentication only when accessing high-risk data. What should you recommend?

213

Your organization has a Microsoft 365 E5 subscription and wants to detect insider data exfiltration attempts. You need to design a solution that can identify users copying sensitive data to personal cloud storage services. Which Microsoft Purview capability should you use?

214

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy appears to block all legacy authentication. However, some users report that they can still access Exchange Online using Outlook 2010 (which uses basic authentication). What is the most likely reason the policy is not blocking these connections?

215

Your organization uses Microsoft Sentinel as a SIEM. You need to design a solution to detect advanced persistent threats (APTs) by correlating data from multiple sources, including network logs, endpoint data, and threat intelligence feeds. The solution must use machine learning to identify anomalies and reduce false positives. Which analytics rule type should you configure?

216

Your organization is implementing Microsoft Entra ID Governance. You need to design a solution that automates user access reviews for cloud applications. Which TWO capabilities should you include?

217

Your organization uses Microsoft 365 and wants to implement a data loss prevention (DLP) strategy. You need to ensure that sensitive data is protected both at rest and in transit, and that incidents are automatically reported to the security team. Which THREE actions should you take?

218

Your organization needs to meet compliance requirements for GDPR. You need to design a solution that uses Microsoft Purview to classify and protect personal data. Which TWO capabilities should you include?

219

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to design a solution that automates incident response for critical security alerts. Which THREE components should you include?

220

Your organization is designing a Zero Trust architecture using Microsoft 365 security features. You need to ensure that all access requests are verified and least-privilege principles are applied. Which TWO capabilities should you implement?

221

You are a security architect for a global financial services company that uses Microsoft 365 E5 and Azure. The company has 50,000 users across 10 regions. The security team needs to detect and respond to identity-based threats in real-time, automate remediation for compromised accounts, and meet regulatory requirements for audit logging. The following requirements must be met: (1) Detect risky sign-ins and user anomalies, (2) Automatically block sign-ins when risk level is high, (3) Provide a centralized dashboard for security analysts to investigate incidents, (4) Retain logs for at least one year for compliance, (5) Minimize false positives by using machine learning. You have the following services available: Microsoft Entra ID P2, Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Purview, and Microsoft Intune. Which combination of services should you use to meet all requirements?

222

Your organization is a large healthcare provider that uses Microsoft 365 and Azure. You need to design a compliance solution that meets HIPAA requirements. The solution must automatically classify and protect electronic protected health information (ePHI) in Exchange Online, SharePoint Online, and OneDrive for Business. It must also provide reports on data access and sharing activities for auditors. The following requirements must be met: (1) Detect ePHI using built-in sensitive info types, (2) Apply encryption automatically to emails containing ePHI, (3) Prevent unauthorized sharing of ePHI in SharePoint, (4) Generate activity reports for auditors, (5) Use machine learning to improve classification accuracy. Which Microsoft Purview capabilities should you use?

223

Your organization is a small business with 200 users using Microsoft 365 Business Premium. You need to secure user identities against common attacks like phishing and password spray. The solution must be easy to deploy and manage with minimal overhead. Requirements: (1) Enable multi-factor authentication (MFA) for all users, (2) Block legacy authentication protocols, (3) Detect and block risky sign-ins, (4) Provide security recommendations to users, (5) Integrate with Microsoft Defender for Office 365 for email protection. Which Microsoft security service should you primarily use?

224

Your organization is a multi-national corporation that uses Microsoft 365 E5 and Azure. You need to design a security operations center (SOC) to detect and respond to threats across identities, endpoints, and cloud apps. The SOC team will use a single pane of glass for incident management. Requirements: (1) Centralize alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, (2) Automate incident response playbooks, (3) Use advanced hunting across all data sources, (4) Integrate with external threat intelligence feeds, (5) Provide role-based access control for SOC analysts. Which Microsoft solution should you implement?

225

Your organization uses Microsoft Entra ID for identity management and wants to implement a least-privilege access model for administrators. You need to reduce standing privileges and ensure that admin roles are activated only when needed with approval workflow. Requirements: (1) Require approval for activation of Global Administrator role, (2) Set activation duration to 4 hours maximum, (3) Require Azure MFA for activation, (4) Receive notifications when roles are activated, (5) Audit all activations for compliance. Which Microsoft Entra ID capability should you use?

226

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents are automatically assigned to the appropriate analyst team based on the type of threat. What should you configure?

227

Your company uses Microsoft Entra ID. You need to implement a policy that requires all guest users to complete a terms-of-use acceptance before accessing applications. Which two components must be configured?

228

Your organization uses Microsoft Defender for Cloud to secure multi-cloud resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources without manual intervention. What should you configure?

229

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled but users report they can still sign in from high-risk sessions. What is the most likely reason?

230

Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has deployed Microsoft Sentinel in Azure. The security operations center (SOC) receives thousands of alerts daily from Microsoft Defender for Cloud, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. The SOC team is overwhelmed and needs to prioritize incidents effectively. You need to design a solution that uses Microsoft Sentinel to automatically classify incidents as true positive, false positive, or benign positive based on threat intelligence and analytics. Additionally, the solution should automatically close low-confidence false positive incidents after 24 hours if no analyst interaction occurs. You must minimize manual effort and ensure that critical incidents are escalated immediately. What should you do?

231

Your organization, Fabrikam Inc., uses Microsoft Intune for device management and Microsoft Entra ID for identity. You need to design a solution to ensure that only compliant and healthy devices can access corporate resources. The solution must require that devices are either enrolled in Intune and compliant, or joined to Azure AD with a health attestation. Additionally, you need to block access from devices that are rooted or jailbroken. You have the following requirements: 1) Enforce conditional access policies to check device compliance and health. 2) Use Microsoft Defender for Endpoint integration for device health signals. 3) Provide a fallback option for unmanaged devices to access only web apps via browser with app protection policies. Which combination of actions should you take?


Other SC-100 exam domains

Design solutions that align with security best practices and priorities
Design security solutions for infrastructure
Design a Zero Trust strategy and architecture
Design security solutions for applications and data
Evaluate GRC and security operations strategies
Design security for infrastructure
Design a strategy for data and applications
Recommend security best practices and priorities

Frequently asked questions

What does the Design security operations, identity, and compliance capabilities domain cover on the SC-100 exam?

The Design security operations, identity, and compliance capabilities domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.

How many Design security operations, identity, and compliance capabilities questions are in the SC-100 question bank?

The Courseiva SC-100 question bank contains 231 questions in the Design security operations, identity, and compliance capabilities domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design security operations, identity, and compliance capabilities for SC-100?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design security operations, identity, and compliance capabilities questions for SC-100?

Yes — the session launcher on this page draws questions exclusively from the Design security operations, identity, and compliance capabilities domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
