Describe the concepts of security, compliance, and identity questions on this certification test your ability to deploy and manage describe the concepts of security, compliance, and identity concepts in scenario-based situations.
Start practicing
Describe the concepts of security, compliance, and identity — choose a session length
Free · No account required
Domain overview
Use this page to practise Describe the concepts of security, compliance, and identity questions for this certification. Focus on how the exam tests describe the concepts of security, compliance, and identity in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.
Exam objectives
Core Describe the concepts of security, compliance, and identity concepts and how they apply in real-world cloud scenarios.
How to deploy describe the concepts of security, compliance, and identity correctly and verify the outcome.
Troubleshooting describe the concepts of security, compliance, and identity issues by interpreting error output and system state.
Cloud best practices and Describe the concepts of security, compliance, and identity design trade-offs tested by this certification.
Selecting the most expensive service when a simpler managed option meets the requirement.
Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
Choosing a global service fix when the issue is region-specific.
Overlooking cost implications of cross-region data transfer in architecture questions.
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?
2A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?
3A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?
4A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?
5A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)
6A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?
7A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?
8A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?
9A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)
10A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?
11A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?
12A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?
13A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?
14A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?
15A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?
16A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?
17A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?
18A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?
19A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?
20A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?
21A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?
22A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?
23A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?
24A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?
25A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?
26A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?
27A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?
28A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?
29An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?
30A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?
31A company operates an e-commerce website that must remain accessible during high-traffic holiday seasons. The IT team deploys additional web servers and implements automatic failover to a secondary data center if the primary site goes down. Which security principle is the company primarily addressing?
32A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?
33A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:
34A company implements a sign-in process where a user must provide their password and then enter a temporary code sent to their mobile phone. Which security principle is this process primarily enforcing?
35A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?
36A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?
37A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?
38A user logs into a company's application using their username and password. After logging in, the application checks whether the user belongs to the 'Admin' role before granting access to the user management page. Which security concept is primarily illustrated by the role check?
39A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?
40An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?
41A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?
42A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?
43A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?
44A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?
45A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?
46A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?
47A user downloads a software update from a company's internal website. The update file is hashed, and the hash value is published on a separate secure page. After downloading, the user computes the hash of the downloaded file and compares it to the published hash. The two values match. Which security concept is primarily demonstrated by this comparison?
48A company implements a security model where no user or device is automatically trusted, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted before granting access, regardless of the request origin. This model is known as:
49A security administrator is configuring permissions for a new cloud-based expense reporting application. The administrator assigns each employee only the permissions they need to perform their job functions. For example, employees in the Sales department can view expense reports but cannot approve or modify financial data. Which security principle is the administrator implementing?
50A healthcare organization stores sensitive patient records in a cloud database. The database is encrypted at rest using AES-256. If an attacker gains access to the physical storage media, they cannot read the data. Which security concept does this encryption primarily provide?
51A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?
52A company issues laptops to all employees with BitLocker full-disk encryption enabled. If a laptop is stolen, the data on the hard drive cannot be read without the recovery key. Which security principle does this measure primarily protect?
53A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?
54A company uses a financial accounting system where the employee who creates a purchase order cannot also approve it. This policy is designed to prevent a single individual from committing fraud by both initiating and approving a transaction. Which security principle does this practice primarily implement?
55A hospital encrypts patient data stored in a database using AES-256 encryption. If an attacker manages to copy the database file, they cannot read the protected information. Which security goal is primarily achieved by this encryption measure?
56A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?
57A company implements multiple layers of security controls including a firewall, an intrusion detection system (IDS), antivirus software on endpoints, and regular security awareness training for employees. This approach is an example of which security concept?
58A security analyst downloads a software installer from a vendor's website. To ensure the file has not been tampered with during transmission, the analyst compares the SHA-256 hash of the downloaded file against the hash published on the vendor's official site. This practice primarily validates which security goal?
59A company is moving its on-premises infrastructure to Azure. The CISO wants to understand the division of security responsibilities between the cloud provider and the customer. Which of the following models defines this division?
60An organization is redesigning its security architecture based on the Zero Trust model. Which principle requires that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of the network location?
61A security architect is explaining identity management concepts to the IT team. Which statement correctly describes the difference between authentication and authorization?
62A security analyst is explaining the concept of 'defense in depth' to a new team member. Which of the following best describes the defense in depth strategy?
63An organization adopts a Zero Trust security model. Which principle requires that every access request must be explicitly verified and granted least privilege regardless of the user's location or device?
64A company uses Azure SQL Database, which is a Platform as a Service (PaaS) offering. The security team is reviewing the shared responsibility model and wants to know who is responsible for applying operating system patches to the underlying infrastructure that hosts the database. Who is responsible for this task?
65A company stores application secrets and encryption keys in Azure Key Vault. They want to move from the older vault access policy model to a more scalable and granular permission model that integrates with Azure's role-based access control (RBAC). They also need to audit permissions using Azure Policy. Which access configuration should they choose for Azure Key Vault?
66An organization is moving a virtual machine to Azure Infrastructure as a Service (IaaS). According to the shared responsibility model, which of the following security tasks is the customer responsible for?
67A security administrator is explaining authentication and authorization to new IT staff. Which statement correctly describes the difference between these two processes?
68A multinational company stores customer data across multiple Azure regions. A new regulation requires that customer data must remain within the country's borders and cannot be transferred abroad. Which concept does this regulation primarily relate to?
69A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?
70A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?
71A security analyst is explaining the concept of 'Least Privilege' to a new team member. Which statement best describes the principle of least privilege?
72A security architect is designing a Zero Trust strategy. Which principle ensures that network location alone does not grant trust, and all access requests must be verified?
73According to the Zero Trust security model, which principle assumes that a breach has already occurred and therefore requires segmenting access and monitoring for lateral movement?
74A security administrator is explaining the shared responsibility model to a new team member. The company uses a Software-as-a-Service (SaaS) application such as Microsoft 365. For which of the following items is the customer primarily responsible under this model?
75A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?
76A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?
77An organization is implementing a Zero Trust security model. Which principle requires that every access request must be fully authenticated, authorized, and verified based on all available signals, regardless of the user's network location?
78A company is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities shifts from the customer to Microsoft during this migration?
79A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?
80A security architect explains the Zero Trust model to the board. They state that every access request must be fully authenticated and authorized based on identity, device health, location, and risk, regardless of whether the user is on the corporate network. Which Zero Trust principle does this statement represent?
81A security architect is implementing a Zero Trust security model. The architect insists that the network perimeter should not be trusted and that security controls must be applied to all traffic, even within the corporate network. They also emphasize the need for continuous monitoring and detection of threats as if a breach has already occurred. Which Zero Trust principle is the architect primarily applying?
82A security administrator is explaining the Zero Trust model to a new colleague. The administrator states that trust should never be granted based solely on network location, and every access request must be fully authenticated and authorized using all available signals. Which Zero Trust principle does this statement describe?
83A security architect is explaining the evolution of the security perimeter. They state that because users access corporate resources from anywhere on any device, the traditional network perimeter is no longer sufficient. What does the architect identify as the new primary security perimeter?
84A security architect is explaining the Zero Trust model to the board. The architect emphasizes that the network perimeter can no longer be considered a safe zone. Which statement best describes the modern primary security perimeter according to Zero Trust principles?
85A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?
86A hospital stores patient medical records electronically. An attacker gains access to the system and modifies patient diagnoses. Which principle of the CIA triad has been violated?
87A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?
88A company is implementing a new security policy that requires every user to have only the minimum permissions necessary to perform their job duties. Which security principle does this policy align with?
89A company's IT department deploys a multi-layered security strategy that includes a perimeter firewall, network segmentation, endpoint antivirus software, data encryption, and employee security awareness training. Which security model does this approach represent?
90A security architect is implementing a Zero Trust strategy. They state that all access requests must be verified continuously, regardless of where the request originates (corporate network or remote). They also emphasize that access is granted based on a policy that evaluates user identity, device health, location, and risk in real-time. Which Zero Trust guiding principle does this scenario primarily illustrate?
91A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?
92A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?
93A company's security policy requires that all data transferred between the corporate data center and the cloud must be protected from unauthorized access during transmission. They use encryption protocols such as TLS to achieve this. Which security goal is primarily being addressed?
94A company is implementing security controls to protect data during transmission between their on-premises database and a cloud storage service. They decide to use TLS encryption. Which security goal is primarily addressed by ensuring that data is not altered during transit?
95An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)
96A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?
97A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?
98A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?
99A company stores sensitive customer data in an Azure SQL database. To protect this data, the database files are encrypted at rest using Transparent Data Encryption (TDE). Additionally, all network traffic between the application and the database is encrypted using TLS. Which security goal is primarily addressed by these encryption measures?
100A company implements multiple layers of security controls, including firewalls, antivirus software, access controls, and security awareness training. Which security concept does this approach best represent?
101A user authenticates with a smart card and is then granted access to a specific database based on their job role in the finance department. Which security concept describes the process of determining what the authenticated user is allowed to do?
102A company uses a cloud-based email service. The service provider ensures that the physical data centers are secure and that the email platform is patched and available. The company is responsible for managing user accounts and ensuring that employees use strong passwords. This division of responsibilities is an example of which concept?
103A healthcare company stores patient records in an Azure SQL database. To protect the data, they enable Transparent Data Encryption (TDE) for the database and require all client connections to use TLS. Which security goal is being primarily addressed by these measures?
104A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?
105A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?
106An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?
107A financial company processes stock trades. To ensure that a trader cannot later deny having submitted a specific trade order, the system captures a digital signature from the trader for each order. Which security goal is being addressed by this practice?
108A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?
109A healthcare organization uses digital signatures on electronic medical records to ensure that the records have not been tampered with during transmission. Which security goal is primarily being addressed by this practice?
110A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?
111A company's security team has adopted a strategy that assumes a breach has already occurred. They implement network segmentation, apply strict least privilege access, continuously verify all access requests, and never trust users or devices solely because they are inside the network perimeter. This approach best describes which security model?
112A company wants to ensure that data is not altered during transmission between a client and a server. They use TLS encryption. Which security goal does this primarily address?
113An organization implements a policy where users must provide two forms of verification, such as a password and a text message code, to access the corporate network. Which security concept does this demonstrate?
114A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?
115A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?
116A financial organization implements a security control that logs every access attempt to sensitive financial records, including who accessed the data, when it was accessed, and from which device. The logs are regularly reviewed by the security team. This control primarily addresses which security concept?
117A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?
118A user successfully authenticates to a system using a smart card. After authentication, the system checks whether the user's device is compliant with security policies before granting access to the network. This additional check is an example of which security concept?
119An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)
120A company's security team implements a system where every access attempt to sensitive data is recorded, including who accessed the data and when. The logs are regularly reviewed to detect unauthorized access and to hold users accountable for their actions. Which security goal is primarily being addressed by this logging practice?
121An organization implements a security policy where users must authenticate using a smart card and PIN. After successful authentication, the system checks whether the user's device is managed by the organization and complies with security baselines. If the device is compliant, the user is granted access to the corporate network. If not, access is denied. This approach most directly reflects which security model?
122A company stores critical financial reports in a SharePoint Online library. To ensure that the reports have not been tampered with, the security team compares a calculated hash of each file against a stored baseline. This verification process primarily protects which security goal?
123A financial institution uses digital signatures to sign all transaction records. This ensures that the records have not been altered after signing. Which security goal does this primarily protect?
124A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose all that apply.) (Choose two.)
125A company uses a hashing algorithm to verify that a downloaded software file has not been tampered with during transmission. This practice primarily protects which security principle?
126An organization adopts a security model that requires explicit verification of every access request, uses least privilege principles, and assumes that a breach has already occurred. Which security model does this describe?
127Arrange the steps to configure Azure AD Privileged Identity Management (PIM) for a role in the correct order.
128Order the steps to respond to a data breach using Microsoft 365 Defender incident response.
129Sequence the steps to configure a retention policy in Microsoft Purview compliance portal.
130Match each Microsoft security feature to its primary purpose.
131Match each Microsoft 365 compliance feature to its function.
132Match each Azure security service to its purpose.
133Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID feature should you use to verify that users and devices meet specific health requirements before granting access to corporate resources?
134Your company uses Microsoft Purview Information Protection to classify sensitive data. A user reports that when they try to share a document containing a credit card number via email, the email is blocked. Which Purview feature is most likely causing this behavior?
135Which Microsoft security solution provides centralized investigation and response across identities, endpoints, email, and cloud apps by correlating alerts from multiple sources?
136Your organization is deploying Microsoft Entra ID Governance. You need to automate the process of removing user access to a critical application when the user leaves the company. Which feature should you configure?
137Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large volumes of data from a sanctioned cloud app that exceeds the normal pattern. Which action should you take to automatically block this activity?
138Which of the following is a primary purpose of Microsoft Entra ID Identity Protection?
139Your organization uses Microsoft Sentinel as a SIEM. You need to create a rule that triggers an incident when a user account is created in an Azure subscription and then logs in from an unfamiliar location within 24 hours. Which type of rule should you configure?
140Your company is adopting a Zero Trust network architecture. You need to implement microsegmentation for workloads running in Azure. Which Azure service should you use?
141Which Microsoft cloud service provides a unified data governance solution that helps you manage and protect data across your entire data estate, including multi-cloud and on-premises?
142Which TWO of the following are components of the Microsoft Entra product family? (Choose two.)
143Which THREE of the following are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)
144Which TWO of the following are identity-related security best practices recommended by Microsoft? (Choose two.)
145You are reviewing a Conditional Access policy configuration in Microsoft Entra ID. Based on the exhibit, what is the effect of this policy?
146You are a security analyst using Microsoft Sentinel. You run the Kusto query shown in the exhibit. What does this query do?
147You run the PowerShell command shown in the exhibit. What is the purpose of this command?
148Your organization wants to enforce multi-factor authentication (MFA) for all users accessing cloud applications. Which Microsoft Entra ID feature should you configure?
149Your company is implementing a zero-trust security model. Which principle requires verifying every access request as though it originates from an untrusted network, even if the request comes from within the corporate network?
150Your organization uses Microsoft Purview to classify sensitive data. You need to create a custom sensitive information type that detects employee IDs matching the pattern 'EMP-XXXXX' (where X is a digit). Which rule pack element must you define?
151Your organization needs to control which users can access Microsoft Purview compliance portal. Which method should you use to grant access?
152Your company is implementing data loss prevention (DLP) policies in Microsoft Purview. You need to prevent users from sharing credit card numbers via email. Which type of sensitive information type should you use in the DLP rule?
153Your organization uses Microsoft Defender for Cloud Apps. You need to discover shadow IT usage. Which feature should you enable?
154Your organization wants to use Microsoft Entra ID to provide single sign-on (SSO) for a third-party SaaS application. What must you configure in Microsoft Entra ID?
155Which Microsoft Purview solution should you use to automatically retain or delete content based on regulations?
156Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user executes a specific command on Azure VMs. Which data source should you connect to capture the command execution logs?
157Which TWO of the following are principles of the Zero Trust security model? (Select two.)
158Which THREE of the following are capabilities of Microsoft Purview Information Protection? (Select three.)
159Which TWO of the following are types of identity in Microsoft Entra ID? (Select two.)
160Refer to the exhibit. You have a Conditional Access policy defined in Microsoft Entra ID. What is the effect of this policy?
161Refer to the exhibit. You are configuring a sensitivity label in Microsoft Purview. The label is set to automatically apply when credit card numbers are detected. However, users report that the label is not being applied to documents containing credit card numbers. What is the most likely cause?
162Refer to the exhibit. You have a Data Loss Prevention (DLP) policy in Microsoft Purview. What will happen when a user tries to share a document containing a credit card number via email?
163A company wants to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. Which identity feature should they use to require a second form of verification?
164Your organization is implementing Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers in emails and documents. Which Microsoft Purview feature should they configure?
165A multinational corporation uses Microsoft Entra ID for identity management. They want to allow their external partners to use their own corporate credentials to access the company's resources, rather than creating guest accounts. Which Entra ID feature should they use?
166A healthcare organization must comply with HIPAA regulations regarding the protection of patient health information (PHI). Which cloud compliance concept ensures that the organization has controls in place to meet regulatory requirements?
167Your company uses Microsoft Defender for Cloud to assess security posture. A recommendation states that virtual machines should have just-in-time (JIT) network access enabled. What is the primary security benefit of enabling JIT?
168A Microsoft 365 organization needs to classify and protect sensitive documents based on their content, such as passport numbers. They want the classification to be applied automatically without user intervention. Which Microsoft Purview solution should they use?
169Which TWO of the following are purposes of the 'Zero Trust' security model?
170Which THREE of the following are key concepts of identity management in Microsoft Entra ID?
171Which TWO of the following are features of Microsoft Purview Audit?
172You are the security architect for a multinational organization that uses Microsoft 365 E5, Microsoft Entra ID P2, and Microsoft Purview. The company has 10,000 employees across five regions. The legal department requires that all documents containing personally identifiable information (PII) of European Union citizens be automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, any sharing of such documents with external users must be blocked unless the sender explicitly justifies the business need. The solution must minimize manual user intervention. You need to design a Microsoft Purview configuration. What should you do?
173Your company has a Microsoft 365 E5 subscription and uses Microsoft Teams for collaboration. The security team needs to ensure that guest users invited to Teams channels are required to pass multi-factor authentication (MFA) before accessing company resources. Currently, guest users are invited via Entra ID External ID but MFA is not enforced. You need to enforce MFA for all guest users. The solution should apply to all guest users across all applications. What should you configure?
174A small business uses Microsoft 365 Business Premium. The owner wants to ensure that employees can access their email and files from anywhere, but only from trusted devices that comply with company security policies (e.g., have antivirus enabled and are up-to-date). They have heard about Microsoft Intune but are not sure if it's included. You need to recommend a solution that enforces device compliance for accessing company data. What should you do?
175Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their social media accounts, such as Google or Facebook. Which feature should you configure?
176A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to emails containing credit card numbers. Which policy should they configure?
177Your organization uses Microsoft Defender XDR. The security team wants a central dashboard showing the overall security posture and recommended actions. Which tool should they use?
178A company is planning to use Copilot for Microsoft 365. To ensure that Copilot responses are based only on data accessible to the user, which principle must be enforced?
179Which TWO components are part of the 'Zero Trust' security model? (Choose two.)
180Which TWO of the following are benefits of using Microsoft Entra ID for identity management? (Choose two.)
181Which THREE of the following are capabilities of Microsoft Purview Compliance Manager? (Choose three.)
182You are a security administrator for Contoso Ltd., a global financial services company with 5,000 employees. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Entra ID, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. Recently, the security team identified a risk: employees are sharing sensitive financial reports via external email recipients without encryption. To address this, you need to implement a solution that automatically applies encryption to emails containing the sensitive information type 'U.S. Bank Account Number' when sent to external recipients. The solution must not block the email but should encrypt it. Additionally, you want to notify the sender with a policy tip that the email will be encrypted. You have access to the Microsoft Purview compliance portal. What should you configure?
183You work for a healthcare organization that uses Microsoft 365 E5 licenses. The organization must comply with HIPAA regulations. You need to ensure that electronic protected health information (ePHI) is classified and protected. Specifically, you want to automatically detect and apply a 'Highly Confidential' sensitivity label to documents containing medical record numbers, and also prevent users from sharing these documents externally via email. You have Microsoft Purview deployed. What should you implement first?
184Your organization is adopting a Zero Trust security model. You are tasked with implementing identity protection. The requirements are: enforce multi-factor authentication (MFA) for all users when accessing cloud applications, ensure that risky sign-ins are detected and blocked automatically, and provide administrators with a dashboard showing user risk levels. You have Microsoft Entra ID P2 licenses. What should you configure?
185You are a compliance officer for a law firm that uses Microsoft 365 E5 licenses. The firm must comply with GDPR. You need to implement a solution that automatically identifies personal data (e.g., email addresses) in SharePoint Online documents and applies a 'GDPR-Protected' sensitivity label. Additionally, you need to ensure that if a user attempts to share a labeled document externally, they receive a policy tip warning about GDPR compliance, but the share is not blocked. You have Microsoft Purview. What should you configure?
186Your organization uses Microsoft Intune and Microsoft Entra ID. You need to enforce that only compliant and managed devices can access corporate email in Microsoft 365. Additionally, if a device is jailbroken, access should be blocked. You also want to provide a seamless sign-in experience for compliant devices. You have Microsoft Entra ID P1 licenses. What should you configure?
187Your organization wants to ensure that only users with a specific sensitivity label can access a SharePoint site. Which Microsoft Purview feature should you configure?
188A company deploys Microsoft Defender for Cloud Apps. They want to detect when a user downloads more than 100 files from SharePoint in 10 minutes. Which policy type should they create?
189A user reports that they cannot access a sensitive document in SharePoint. The document has a sensitivity label of 'Highly Confidential' applied. The user is a member of the 'Finance' group, which has the label permission. However, the user is located in a country that is blocked by a conditional access policy. What is the most likely reason the user cannot access the document?
190Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access resources using their own identity provider. Which Microsoft Entra feature should you use?
191A company uses Microsoft Defender for Endpoint. An alert indicates that a device is communicating with a known malicious IP address. The security team wants to automatically block the IP address on all devices. Which action should they configure?
192An organization wants to classify and label data automatically based on sensitive content patterns such as credit card numbers. Which Microsoft Purview solution should they use?
193Your company uses Microsoft Intune for device management. You need to ensure that all company data on a user's personally owned device is removed when the user is offboarded, but the user's personal data should remain. Which wipe action should you use?
194A security administrator receives an alert from Microsoft Sentinel about a possible brute-force attack against a virtual machine. The administrator wants to automatically block the attacker's IP address for 24 hours using a playbook. Which automation trigger should the playbook use?
195Your organization uses Microsoft Purview to enforce retention policies. You need to retain all documents in a specific SharePoint site for 5 years after they are created, and then delete them permanently. What should you configure?
196Which TWO are principles of the Zero Trust security model?
197Which THREE are capabilities of Microsoft Defender XDR?
198Which TWO are features of Microsoft Entra ID?
199You find the above JSON in a SharePoint document's metadata. Based on the exhibit, what is the effect of the label applied to the document?
200You run the above KQL query in Microsoft Sentinel. What is the purpose of this query?
201You run the above PowerShell command in your Microsoft Entra ID environment. What is the command retrieving?
202A company wants to ensure that only users with appropriate permissions can access sensitive data stored in Microsoft SharePoint Online. Which principle should they implement?
203A healthcare organization must comply with HIPAA regulations. They use Microsoft Purview to classify and label patient data. Which Microsoft Purview capability helps them enforce data protection policies automatically?
204A multinational corporation wants to implement a Zero Trust security model. They plan to verify every access request explicitly, use least privilege access, and assume breach. Which Microsoft security solution should they use to enforce conditional access policies based on user, device, location, and risk?
205A small business wants to enable single sign-on (SSO) for its employees using their existing on-premises Active Directory. They plan to migrate to cloud-based identity management. Which Microsoft service should they use to connect their on-premises directory to Microsoft Entra ID?
206An organization wants to ensure that its security team can quickly identify and respond to threats across all workloads, including identities, endpoints, email, and cloud apps. Which Microsoft security solution provides a unified incident management experience?
207A financial services company needs to comply with GDPR and requires that personal data be automatically classified and protected when stored in Microsoft SharePoint and OneDrive. They also need to retain certain records for a minimum of 7 years. Which combination of Microsoft Purview capabilities should they use?
208A user reports that they cannot access a sensitive document in SharePoint Online. The administrator checks the document's permissions and sees that the user is not listed directly, but a group they belong to has been granted access. Which identity concept describes this scenario?
209An organization uses Microsoft Intune to manage devices. They want to ensure that only devices that are compliant with security policies (e.g., encryption enabled, latest patches) can access corporate email. Which Microsoft Entra feature should they use to enforce this requirement?
210A company is designing a data governance strategy using Microsoft Purview. They need to allow data owners to define custom attributes for data assets and control who can access those assets. Which Purview feature should they use?
211Which TWO of the following are benefits of using Microsoft Entra ID for identity management?
212Refer to the exhibit. An administrator deploys this Azure Resource Manager template. Which TWO of the following statements are true?
213Which THREE of the following are components of the Zero Trust security model?
214Refer to the exhibit. A security administrator is reviewing an Azure Resource Manager template for a virtual machine. What is the purpose of the 'identity' section shown?
215Refer to the exhibit. A security analyst runs this Microsoft Graph PowerShell command. What is the most likely purpose of this command?
216Refer to the exhibit. A security analyst runs this Kusto Query Language (KQL) query in Microsoft Sentinel. What is being identified?
217A company wants to ensure that all users access corporate resources using multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure to enforce MFA for all users?
218An organization uses Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers stored in SharePoint Online. Which Microsoft Purview solution should they implement?
219A security analyst needs to investigate a potential ransomware attack affecting multiple endpoints. They want to centralize detection and response across devices, email, and applications. Which Microsoft solution should they use?
220Which Microsoft Entra ID feature allows an organization to provide external partners with access to its applications while maintaining control over authentication and governance?
221A company requires that all sensitive data in Microsoft Teams messages be automatically encrypted and labeled with a 'Confidential' tag. Which Microsoft Purview solution should they use?
222An organization wants to use a cloud-based SIEM to collect security data from multiple sources, including on-premises servers and cloud applications. Which Microsoft solution should they choose?
223A company uses Microsoft Purview to classify and protect data. They need to ensure that when a user attempts to share a file containing a credit card number externally, the file is blocked and the user is prompted with a policy tip. Which type of Microsoft Purview policy should they configure?
224An organization wants to enable passwordless authentication for its users by using a mobile app. Which Microsoft Entra ID authentication method should they implement?
225A company uses Microsoft Defender for Cloud to secure its hybrid cloud environment. They need to continuously assess compliance with regulatory standards like ISO 27001 and receive recommendations for remediation. Which feature should they enable?
226Which TWO of the following are components of the Microsoft Security Development Lifecycle (SDL)? (Choose two.)
227Which THREE of the following are core principles of the Zero Trust security model? (Choose three.)
228Which TWO of the following are Microsoft Entra ID editions that include Identity Protection? (Choose two.)
229You are the security administrator for Contoso Corporation. The company uses Microsoft 365 E5 licenses, which include Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender XDR. Contoso has a hybrid identity environment with Microsoft Entra Connect syncing on-premises Active Directory to Microsoft Entra ID. The company recently experienced a data breach where an attacker compromised a user's credentials and exfiltrated sensitive customer data from SharePoint Online. The investigation revealed that the compromised user did not have MFA enabled and had admin consent to a malicious third-party OAuth app. To prevent future incidents, management has mandated the following requirements: (1) Enforce MFA for all users, especially those accessing sensitive data. (2) Block all OAuth apps that are not pre-approved by IT. (3) Detect and respond to identity-based threats in real-time. (4) Classify and protect sensitive data in SharePoint and Teams. You need to recommend a solution that meets all requirements. Which combination of Microsoft security solutions should you implement?
230Your organization is implementing a new policy to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. The security team wants to enforce multi-factor authentication (MFA) for all users accessing this data, but only when accessing from outside the corporate network. Which Microsoft Entra ID conditional access policy setting should you configure to meet this requirement?
231A company wants to implement a Zero Trust security model. Which TWO of the following are core principles of Zero Trust?
232A company is implementing data classification in Microsoft Purview. Which THREE of the following are types of sensitive information that can be detected using built-in sensitive information types?
233Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled and applies to all cloud apps. Which users are affected by this policy?
234Contoso Ltd. is a financial services company that must comply with strict regulatory requirements. They use Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender for Cloud Apps. The compliance team needs to implement a data loss prevention (DLP) policy that detects and prevents the sharing of credit card numbers in Microsoft Teams messages. Additionally, they want to ensure that only users with a specific custom sensitivity label can access documents containing credit card numbers. The sensitivity label is named 'Financial-Confidential' and is applied automatically via auto-labeling. The DLP policy should block sharing of credit card numbers in Teams but allow users to override the block with a business justification. Which combination of actions should you configure in the Microsoft Purview DLP policy to meet these requirements?
235Fabrikam Inc. is a global manufacturing company that uses Microsoft Entra ID for identity management. They have recently experienced a security incident where an attacker compromised a user account and accessed sensitive intellectual property. The security team wants to implement identity protection measures to detect and respond to such attacks in the future. They need a solution that can automatically detect suspicious sign-in behavior, such as impossible travel and anomalous token issuance, and then take action to block the sign-in or require additional verification. Additionally, they want to integrate threat intelligence feeds to improve detection. Which Microsoft security solution should they use to meet these requirements?
Deep-dive questions
The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.
Describe the concepts of security, compliance, and identity questions on this certification test your ability to deploy and manage describe the concepts of security, compliance, and identity concepts in scenario-based situations.
The Courseiva SC-900 question bank contains 235 questions in the Describe the concepts of security, compliance, and identity domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Describe the concepts of security, compliance, and identity domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included