Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSC-900DomainsDescribe the concepts of security, compliance, and identity
SC-900Free — No Signup

Describe the concepts of security, compliance, and identity

Describe the concepts of security, compliance, and identity questions on this certification test your ability to deploy and manage describe the concepts of security, compliance, and identity concepts in scenario-based situations.

235questions

Start practicing

Describe the concepts of security, compliance, and identity — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SC-900 Domains

Describe the capabilities of Microsoft EntraDescribe the capabilities of Microsoft security solutionsDescribe the capabilities of Microsoft compliance solutionsDescribe the concepts of security, compliance, and identity

Domain overview

About the Describe the concepts of security, compliance, and identity domain

Use this page to practise Describe the concepts of security, compliance, and identity questions for this certification. Focus on how the exam tests describe the concepts of security, compliance, and identity in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Exam objectives

What Describe the concepts of security, compliance, and identity tests on SC-900

  1. 1

    Core Describe the concepts of security, compliance, and identity concepts and how they apply in real-world cloud scenarios.

  2. 2

    How to deploy describe the concepts of security, compliance, and identity correctly and verify the outcome.

  3. 3

    Troubleshooting describe the concepts of security, compliance, and identity issues by interpreting error output and system state.

  4. 4

    Cloud best practices and Describe the concepts of security, compliance, and identity design trade-offs tested by this certification.

Watch out — common Describe the concepts of security, compliance, and identity traps

  • !

    Selecting the most expensive service when a simpler managed option meets the requirement.

  • !

    Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.

  • !

    Choosing a global service fix when the issue is region-specific.

  • !

    Overlooking cost implications of cross-region data transfer in architecture questions.

Practice Describe the concepts of security, compliance, and identity questions

10Q20Q30Q50Q

All SC-900 Describe the concepts of security, compliance, and identity questions (235)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

2

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

3

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

4

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

5

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

6

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

7

A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?

8

A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?

9

A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)

10

A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?

11

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

12

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

13

A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?

14

A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?

15

A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?

16

A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?

17

A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?

18

A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?

19

A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?

20

A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?

21

A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?

22

A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?

23

A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?

24

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

25

A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?

26

A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?

27

A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?

28

A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?

29

An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?

30

A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?

31

A company operates an e-commerce website that must remain accessible during high-traffic holiday seasons. The IT team deploys additional web servers and implements automatic failover to a secondary data center if the primary site goes down. Which security principle is the company primarily addressing?

32

A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?

33

A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:

34

A company implements a sign-in process where a user must provide their password and then enter a temporary code sent to their mobile phone. Which security principle is this process primarily enforcing?

35

A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?

36

A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?

37

A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?

38

A user logs into a company's application using their username and password. After logging in, the application checks whether the user belongs to the 'Admin' role before granting access to the user management page. Which security concept is primarily illustrated by the role check?

39

A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?

40

An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?

41

A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?

42

A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?

43

A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?

44

A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?

45

A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?

46

A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?

47

A user downloads a software update from a company's internal website. The update file is hashed, and the hash value is published on a separate secure page. After downloading, the user computes the hash of the downloaded file and compares it to the published hash. The two values match. Which security concept is primarily demonstrated by this comparison?

48

A company implements a security model where no user or device is automatically trusted, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted before granting access, regardless of the request origin. This model is known as:

49

A security administrator is configuring permissions for a new cloud-based expense reporting application. The administrator assigns each employee only the permissions they need to perform their job functions. For example, employees in the Sales department can view expense reports but cannot approve or modify financial data. Which security principle is the administrator implementing?

50

A healthcare organization stores sensitive patient records in a cloud database. The database is encrypted at rest using AES-256. If an attacker gains access to the physical storage media, they cannot read the data. Which security concept does this encryption primarily provide?

51

A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?

52

A company issues laptops to all employees with BitLocker full-disk encryption enabled. If a laptop is stolen, the data on the hard drive cannot be read without the recovery key. Which security principle does this measure primarily protect?

53

A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?

54

A company uses a financial accounting system where the employee who creates a purchase order cannot also approve it. This policy is designed to prevent a single individual from committing fraud by both initiating and approving a transaction. Which security principle does this practice primarily implement?

55

A hospital encrypts patient data stored in a database using AES-256 encryption. If an attacker manages to copy the database file, they cannot read the protected information. Which security goal is primarily achieved by this encryption measure?

56

A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?

57

A company implements multiple layers of security controls including a firewall, an intrusion detection system (IDS), antivirus software on endpoints, and regular security awareness training for employees. This approach is an example of which security concept?

58

A security analyst downloads a software installer from a vendor's website. To ensure the file has not been tampered with during transmission, the analyst compares the SHA-256 hash of the downloaded file against the hash published on the vendor's official site. This practice primarily validates which security goal?

59

A company is moving its on-premises infrastructure to Azure. The CISO wants to understand the division of security responsibilities between the cloud provider and the customer. Which of the following models defines this division?

60

An organization is redesigning its security architecture based on the Zero Trust model. Which principle requires that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of the network location?

61

A security architect is explaining identity management concepts to the IT team. Which statement correctly describes the difference between authentication and authorization?

62

A security analyst is explaining the concept of 'defense in depth' to a new team member. Which of the following best describes the defense in depth strategy?

63

An organization adopts a Zero Trust security model. Which principle requires that every access request must be explicitly verified and granted least privilege regardless of the user's location or device?

64

A company uses Azure SQL Database, which is a Platform as a Service (PaaS) offering. The security team is reviewing the shared responsibility model and wants to know who is responsible for applying operating system patches to the underlying infrastructure that hosts the database. Who is responsible for this task?

65

A company stores application secrets and encryption keys in Azure Key Vault. They want to move from the older vault access policy model to a more scalable and granular permission model that integrates with Azure's role-based access control (RBAC). They also need to audit permissions using Azure Policy. Which access configuration should they choose for Azure Key Vault?

66

An organization is moving a virtual machine to Azure Infrastructure as a Service (IaaS). According to the shared responsibility model, which of the following security tasks is the customer responsible for?

67

A security administrator is explaining authentication and authorization to new IT staff. Which statement correctly describes the difference between these two processes?

68

A multinational company stores customer data across multiple Azure regions. A new regulation requires that customer data must remain within the country's borders and cannot be transferred abroad. Which concept does this regulation primarily relate to?

69

A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?

70

A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?

71

A security analyst is explaining the concept of 'Least Privilege' to a new team member. Which statement best describes the principle of least privilege?

72

A security architect is designing a Zero Trust strategy. Which principle ensures that network location alone does not grant trust, and all access requests must be verified?

73

According to the Zero Trust security model, which principle assumes that a breach has already occurred and therefore requires segmenting access and monitoring for lateral movement?

74

A security administrator is explaining the shared responsibility model to a new team member. The company uses a Software-as-a-Service (SaaS) application such as Microsoft 365. For which of the following items is the customer primarily responsible under this model?

75

A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?

76

A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?

77

An organization is implementing a Zero Trust security model. Which principle requires that every access request must be fully authenticated, authorized, and verified based on all available signals, regardless of the user's network location?

78

A company is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities shifts from the customer to Microsoft during this migration?

79

A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?

80

A security architect explains the Zero Trust model to the board. They state that every access request must be fully authenticated and authorized based on identity, device health, location, and risk, regardless of whether the user is on the corporate network. Which Zero Trust principle does this statement represent?

81

A security architect is implementing a Zero Trust security model. The architect insists that the network perimeter should not be trusted and that security controls must be applied to all traffic, even within the corporate network. They also emphasize the need for continuous monitoring and detection of threats as if a breach has already occurred. Which Zero Trust principle is the architect primarily applying?

82

A security administrator is explaining the Zero Trust model to a new colleague. The administrator states that trust should never be granted based solely on network location, and every access request must be fully authenticated and authorized using all available signals. Which Zero Trust principle does this statement describe?

83

A security architect is explaining the evolution of the security perimeter. They state that because users access corporate resources from anywhere on any device, the traditional network perimeter is no longer sufficient. What does the architect identify as the new primary security perimeter?

84

A security architect is explaining the Zero Trust model to the board. The architect emphasizes that the network perimeter can no longer be considered a safe zone. Which statement best describes the modern primary security perimeter according to Zero Trust principles?

85

A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?

86

A hospital stores patient medical records electronically. An attacker gains access to the system and modifies patient diagnoses. Which principle of the CIA triad has been violated?

87

A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?

88

A company is implementing a new security policy that requires every user to have only the minimum permissions necessary to perform their job duties. Which security principle does this policy align with?

89

A company's IT department deploys a multi-layered security strategy that includes a perimeter firewall, network segmentation, endpoint antivirus software, data encryption, and employee security awareness training. Which security model does this approach represent?

90

A security architect is implementing a Zero Trust strategy. They state that all access requests must be verified continuously, regardless of where the request originates (corporate network or remote). They also emphasize that access is granted based on a policy that evaluates user identity, device health, location, and risk in real-time. Which Zero Trust guiding principle does this scenario primarily illustrate?

91

A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?

92

A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?

93

A company's security policy requires that all data transferred between the corporate data center and the cloud must be protected from unauthorized access during transmission. They use encryption protocols such as TLS to achieve this. Which security goal is primarily being addressed?

94

A company is implementing security controls to protect data during transmission between their on-premises database and a cloud storage service. They decide to use TLS encryption. Which security goal is primarily addressed by ensuring that data is not altered during transit?

95

An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)

96

A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?

97

A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?

98

A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?

99

A company stores sensitive customer data in an Azure SQL database. To protect this data, the database files are encrypted at rest using Transparent Data Encryption (TDE). Additionally, all network traffic between the application and the database is encrypted using TLS. Which security goal is primarily addressed by these encryption measures?

100

A company implements multiple layers of security controls, including firewalls, antivirus software, access controls, and security awareness training. Which security concept does this approach best represent?

101

A user authenticates with a smart card and is then granted access to a specific database based on their job role in the finance department. Which security concept describes the process of determining what the authenticated user is allowed to do?

102

A company uses a cloud-based email service. The service provider ensures that the physical data centers are secure and that the email platform is patched and available. The company is responsible for managing user accounts and ensuring that employees use strong passwords. This division of responsibilities is an example of which concept?

103

A healthcare company stores patient records in an Azure SQL database. To protect the data, they enable Transparent Data Encryption (TDE) for the database and require all client connections to use TLS. Which security goal is being primarily addressed by these measures?

104

A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?

105

A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?

106

An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?

107

A financial company processes stock trades. To ensure that a trader cannot later deny having submitted a specific trade order, the system captures a digital signature from the trader for each order. Which security goal is being addressed by this practice?

108

A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?

109

A healthcare organization uses digital signatures on electronic medical records to ensure that the records have not been tampered with during transmission. Which security goal is primarily being addressed by this practice?

110

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

111

A company's security team has adopted a strategy that assumes a breach has already occurred. They implement network segmentation, apply strict least privilege access, continuously verify all access requests, and never trust users or devices solely because they are inside the network perimeter. This approach best describes which security model?

112

A company wants to ensure that data is not altered during transmission between a client and a server. They use TLS encryption. Which security goal does this primarily address?

113

An organization implements a policy where users must provide two forms of verification, such as a password and a text message code, to access the corporate network. Which security concept does this demonstrate?

114

A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?

115

A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?

116

A financial organization implements a security control that logs every access attempt to sensitive financial records, including who accessed the data, when it was accessed, and from which device. The logs are regularly reviewed by the security team. This control primarily addresses which security concept?

117

A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?

118

A user successfully authenticates to a system using a smart card. After authentication, the system checks whether the user's device is compliant with security policies before granting access to the network. This additional check is an example of which security concept?

119

An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)

120

A company's security team implements a system where every access attempt to sensitive data is recorded, including who accessed the data and when. The logs are regularly reviewed to detect unauthorized access and to hold users accountable for their actions. Which security goal is primarily being addressed by this logging practice?

121

An organization implements a security policy where users must authenticate using a smart card and PIN. After successful authentication, the system checks whether the user's device is managed by the organization and complies with security baselines. If the device is compliant, the user is granted access to the corporate network. If not, access is denied. This approach most directly reflects which security model?

122

A company stores critical financial reports in a SharePoint Online library. To ensure that the reports have not been tampered with, the security team compares a calculated hash of each file against a stored baseline. This verification process primarily protects which security goal?

123

A financial institution uses digital signatures to sign all transaction records. This ensures that the records have not been altered after signing. Which security goal does this primarily protect?

124

A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose all that apply.) (Choose two.)

125

A company uses a hashing algorithm to verify that a downloaded software file has not been tampered with during transmission. This practice primarily protects which security principle?

126

An organization adopts a security model that requires explicit verification of every access request, uses least privilege principles, and assumes that a breach has already occurred. Which security model does this describe?

127

Arrange the steps to configure Azure AD Privileged Identity Management (PIM) for a role in the correct order.

128

Order the steps to respond to a data breach using Microsoft 365 Defender incident response.

129

Sequence the steps to configure a retention policy in Microsoft Purview compliance portal.

130

Match each Microsoft security feature to its primary purpose.

131

Match each Microsoft 365 compliance feature to its function.

132

Match each Azure security service to its purpose.

133

Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID feature should you use to verify that users and devices meet specific health requirements before granting access to corporate resources?

134

Your company uses Microsoft Purview Information Protection to classify sensitive data. A user reports that when they try to share a document containing a credit card number via email, the email is blocked. Which Purview feature is most likely causing this behavior?

135

Which Microsoft security solution provides centralized investigation and response across identities, endpoints, email, and cloud apps by correlating alerts from multiple sources?

136

Your organization is deploying Microsoft Entra ID Governance. You need to automate the process of removing user access to a critical application when the user leaves the company. Which feature should you configure?

137

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large volumes of data from a sanctioned cloud app that exceeds the normal pattern. Which action should you take to automatically block this activity?

138

Which of the following is a primary purpose of Microsoft Entra ID Identity Protection?

139

Your organization uses Microsoft Sentinel as a SIEM. You need to create a rule that triggers an incident when a user account is created in an Azure subscription and then logs in from an unfamiliar location within 24 hours. Which type of rule should you configure?

140

Your company is adopting a Zero Trust network architecture. You need to implement microsegmentation for workloads running in Azure. Which Azure service should you use?

141

Which Microsoft cloud service provides a unified data governance solution that helps you manage and protect data across your entire data estate, including multi-cloud and on-premises?

142

Which TWO of the following are components of the Microsoft Entra product family? (Choose two.)

143

Which THREE of the following are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

144

Which TWO of the following are identity-related security best practices recommended by Microsoft? (Choose two.)

145

You are reviewing a Conditional Access policy configuration in Microsoft Entra ID. Based on the exhibit, what is the effect of this policy?

146

You are a security analyst using Microsoft Sentinel. You run the Kusto query shown in the exhibit. What does this query do?

147

You run the PowerShell command shown in the exhibit. What is the purpose of this command?

148

Your organization wants to enforce multi-factor authentication (MFA) for all users accessing cloud applications. Which Microsoft Entra ID feature should you configure?

149

Your company is implementing a zero-trust security model. Which principle requires verifying every access request as though it originates from an untrusted network, even if the request comes from within the corporate network?

150

Your organization uses Microsoft Purview to classify sensitive data. You need to create a custom sensitive information type that detects employee IDs matching the pattern 'EMP-XXXXX' (where X is a digit). Which rule pack element must you define?

151

Your organization needs to control which users can access Microsoft Purview compliance portal. Which method should you use to grant access?

152

Your company is implementing data loss prevention (DLP) policies in Microsoft Purview. You need to prevent users from sharing credit card numbers via email. Which type of sensitive information type should you use in the DLP rule?

153

Your organization uses Microsoft Defender for Cloud Apps. You need to discover shadow IT usage. Which feature should you enable?

154

Your organization wants to use Microsoft Entra ID to provide single sign-on (SSO) for a third-party SaaS application. What must you configure in Microsoft Entra ID?

155

Which Microsoft Purview solution should you use to automatically retain or delete content based on regulations?

156

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user executes a specific command on Azure VMs. Which data source should you connect to capture the command execution logs?

157

Which TWO of the following are principles of the Zero Trust security model? (Select two.)

158

Which THREE of the following are capabilities of Microsoft Purview Information Protection? (Select three.)

159

Which TWO of the following are types of identity in Microsoft Entra ID? (Select two.)

160

Refer to the exhibit. You have a Conditional Access policy defined in Microsoft Entra ID. What is the effect of this policy?

161

Refer to the exhibit. You are configuring a sensitivity label in Microsoft Purview. The label is set to automatically apply when credit card numbers are detected. However, users report that the label is not being applied to documents containing credit card numbers. What is the most likely cause?

162

Refer to the exhibit. You have a Data Loss Prevention (DLP) policy in Microsoft Purview. What will happen when a user tries to share a document containing a credit card number via email?

163

A company wants to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. Which identity feature should they use to require a second form of verification?

164

Your organization is implementing Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers in emails and documents. Which Microsoft Purview feature should they configure?

165

A multinational corporation uses Microsoft Entra ID for identity management. They want to allow their external partners to use their own corporate credentials to access the company's resources, rather than creating guest accounts. Which Entra ID feature should they use?

166

A healthcare organization must comply with HIPAA regulations regarding the protection of patient health information (PHI). Which cloud compliance concept ensures that the organization has controls in place to meet regulatory requirements?

167

Your company uses Microsoft Defender for Cloud to assess security posture. A recommendation states that virtual machines should have just-in-time (JIT) network access enabled. What is the primary security benefit of enabling JIT?

168

A Microsoft 365 organization needs to classify and protect sensitive documents based on their content, such as passport numbers. They want the classification to be applied automatically without user intervention. Which Microsoft Purview solution should they use?

169

Which TWO of the following are purposes of the 'Zero Trust' security model?

170

Which THREE of the following are key concepts of identity management in Microsoft Entra ID?

171

Which TWO of the following are features of Microsoft Purview Audit?

172

You are the security architect for a multinational organization that uses Microsoft 365 E5, Microsoft Entra ID P2, and Microsoft Purview. The company has 10,000 employees across five regions. The legal department requires that all documents containing personally identifiable information (PII) of European Union citizens be automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, any sharing of such documents with external users must be blocked unless the sender explicitly justifies the business need. The solution must minimize manual user intervention. You need to design a Microsoft Purview configuration. What should you do?

173

Your company has a Microsoft 365 E5 subscription and uses Microsoft Teams for collaboration. The security team needs to ensure that guest users invited to Teams channels are required to pass multi-factor authentication (MFA) before accessing company resources. Currently, guest users are invited via Entra ID External ID but MFA is not enforced. You need to enforce MFA for all guest users. The solution should apply to all guest users across all applications. What should you configure?

174

A small business uses Microsoft 365 Business Premium. The owner wants to ensure that employees can access their email and files from anywhere, but only from trusted devices that comply with company security policies (e.g., have antivirus enabled and are up-to-date). They have heard about Microsoft Intune but are not sure if it's included. You need to recommend a solution that enforces device compliance for accessing company data. What should you do?

175

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their social media accounts, such as Google or Facebook. Which feature should you configure?

176

A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to emails containing credit card numbers. Which policy should they configure?

177

Your organization uses Microsoft Defender XDR. The security team wants a central dashboard showing the overall security posture and recommended actions. Which tool should they use?

178

A company is planning to use Copilot for Microsoft 365. To ensure that Copilot responses are based only on data accessible to the user, which principle must be enforced?

179

Which TWO components are part of the 'Zero Trust' security model? (Choose two.)

180

Which TWO of the following are benefits of using Microsoft Entra ID for identity management? (Choose two.)

181

Which THREE of the following are capabilities of Microsoft Purview Compliance Manager? (Choose three.)

182

You are a security administrator for Contoso Ltd., a global financial services company with 5,000 employees. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Entra ID, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. Recently, the security team identified a risk: employees are sharing sensitive financial reports via external email recipients without encryption. To address this, you need to implement a solution that automatically applies encryption to emails containing the sensitive information type 'U.S. Bank Account Number' when sent to external recipients. The solution must not block the email but should encrypt it. Additionally, you want to notify the sender with a policy tip that the email will be encrypted. You have access to the Microsoft Purview compliance portal. What should you configure?

183

You work for a healthcare organization that uses Microsoft 365 E5 licenses. The organization must comply with HIPAA regulations. You need to ensure that electronic protected health information (ePHI) is classified and protected. Specifically, you want to automatically detect and apply a 'Highly Confidential' sensitivity label to documents containing medical record numbers, and also prevent users from sharing these documents externally via email. You have Microsoft Purview deployed. What should you implement first?

184

Your organization is adopting a Zero Trust security model. You are tasked with implementing identity protection. The requirements are: enforce multi-factor authentication (MFA) for all users when accessing cloud applications, ensure that risky sign-ins are detected and blocked automatically, and provide administrators with a dashboard showing user risk levels. You have Microsoft Entra ID P2 licenses. What should you configure?

185

You are a compliance officer for a law firm that uses Microsoft 365 E5 licenses. The firm must comply with GDPR. You need to implement a solution that automatically identifies personal data (e.g., email addresses) in SharePoint Online documents and applies a 'GDPR-Protected' sensitivity label. Additionally, you need to ensure that if a user attempts to share a labeled document externally, they receive a policy tip warning about GDPR compliance, but the share is not blocked. You have Microsoft Purview. What should you configure?

186

Your organization uses Microsoft Intune and Microsoft Entra ID. You need to enforce that only compliant and managed devices can access corporate email in Microsoft 365. Additionally, if a device is jailbroken, access should be blocked. You also want to provide a seamless sign-in experience for compliant devices. You have Microsoft Entra ID P1 licenses. What should you configure?

187

Your organization wants to ensure that only users with a specific sensitivity label can access a SharePoint site. Which Microsoft Purview feature should you configure?

188

A company deploys Microsoft Defender for Cloud Apps. They want to detect when a user downloads more than 100 files from SharePoint in 10 minutes. Which policy type should they create?

189

A user reports that they cannot access a sensitive document in SharePoint. The document has a sensitivity label of 'Highly Confidential' applied. The user is a member of the 'Finance' group, which has the label permission. However, the user is located in a country that is blocked by a conditional access policy. What is the most likely reason the user cannot access the document?

190

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access resources using their own identity provider. Which Microsoft Entra feature should you use?

191

A company uses Microsoft Defender for Endpoint. An alert indicates that a device is communicating with a known malicious IP address. The security team wants to automatically block the IP address on all devices. Which action should they configure?

192

An organization wants to classify and label data automatically based on sensitive content patterns such as credit card numbers. Which Microsoft Purview solution should they use?

193

Your company uses Microsoft Intune for device management. You need to ensure that all company data on a user's personally owned device is removed when the user is offboarded, but the user's personal data should remain. Which wipe action should you use?

194

A security administrator receives an alert from Microsoft Sentinel about a possible brute-force attack against a virtual machine. The administrator wants to automatically block the attacker's IP address for 24 hours using a playbook. Which automation trigger should the playbook use?

195

Your organization uses Microsoft Purview to enforce retention policies. You need to retain all documents in a specific SharePoint site for 5 years after they are created, and then delete them permanently. What should you configure?

196

Which TWO are principles of the Zero Trust security model?

197

Which THREE are capabilities of Microsoft Defender XDR?

198

Which TWO are features of Microsoft Entra ID?

199

You find the above JSON in a SharePoint document's metadata. Based on the exhibit, what is the effect of the label applied to the document?

200

You run the above KQL query in Microsoft Sentinel. What is the purpose of this query?

201

You run the above PowerShell command in your Microsoft Entra ID environment. What is the command retrieving?

202

A company wants to ensure that only users with appropriate permissions can access sensitive data stored in Microsoft SharePoint Online. Which principle should they implement?

203

A healthcare organization must comply with HIPAA regulations. They use Microsoft Purview to classify and label patient data. Which Microsoft Purview capability helps them enforce data protection policies automatically?

204

A multinational corporation wants to implement a Zero Trust security model. They plan to verify every access request explicitly, use least privilege access, and assume breach. Which Microsoft security solution should they use to enforce conditional access policies based on user, device, location, and risk?

205

A small business wants to enable single sign-on (SSO) for its employees using their existing on-premises Active Directory. They plan to migrate to cloud-based identity management. Which Microsoft service should they use to connect their on-premises directory to Microsoft Entra ID?

206

An organization wants to ensure that its security team can quickly identify and respond to threats across all workloads, including identities, endpoints, email, and cloud apps. Which Microsoft security solution provides a unified incident management experience?

207

A financial services company needs to comply with GDPR and requires that personal data be automatically classified and protected when stored in Microsoft SharePoint and OneDrive. They also need to retain certain records for a minimum of 7 years. Which combination of Microsoft Purview capabilities should they use?

208

A user reports that they cannot access a sensitive document in SharePoint Online. The administrator checks the document's permissions and sees that the user is not listed directly, but a group they belong to has been granted access. Which identity concept describes this scenario?

209

An organization uses Microsoft Intune to manage devices. They want to ensure that only devices that are compliant with security policies (e.g., encryption enabled, latest patches) can access corporate email. Which Microsoft Entra feature should they use to enforce this requirement?

210

A company is designing a data governance strategy using Microsoft Purview. They need to allow data owners to define custom attributes for data assets and control who can access those assets. Which Purview feature should they use?

211

Which TWO of the following are benefits of using Microsoft Entra ID for identity management?

212

Refer to the exhibit. An administrator deploys this Azure Resource Manager template. Which TWO of the following statements are true?

213

Which THREE of the following are components of the Zero Trust security model?

214

Refer to the exhibit. A security administrator is reviewing an Azure Resource Manager template for a virtual machine. What is the purpose of the 'identity' section shown?

215

Refer to the exhibit. A security analyst runs this Microsoft Graph PowerShell command. What is the most likely purpose of this command?

216

Refer to the exhibit. A security analyst runs this Kusto Query Language (KQL) query in Microsoft Sentinel. What is being identified?

217

A company wants to ensure that all users access corporate resources using multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure to enforce MFA for all users?

218

An organization uses Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers stored in SharePoint Online. Which Microsoft Purview solution should they implement?

219

A security analyst needs to investigate a potential ransomware attack affecting multiple endpoints. They want to centralize detection and response across devices, email, and applications. Which Microsoft solution should they use?

220

Which Microsoft Entra ID feature allows an organization to provide external partners with access to its applications while maintaining control over authentication and governance?

221

A company requires that all sensitive data in Microsoft Teams messages be automatically encrypted and labeled with a 'Confidential' tag. Which Microsoft Purview solution should they use?

222

An organization wants to use a cloud-based SIEM to collect security data from multiple sources, including on-premises servers and cloud applications. Which Microsoft solution should they choose?

223

A company uses Microsoft Purview to classify and protect data. They need to ensure that when a user attempts to share a file containing a credit card number externally, the file is blocked and the user is prompted with a policy tip. Which type of Microsoft Purview policy should they configure?

224

An organization wants to enable passwordless authentication for its users by using a mobile app. Which Microsoft Entra ID authentication method should they implement?

225

A company uses Microsoft Defender for Cloud to secure its hybrid cloud environment. They need to continuously assess compliance with regulatory standards like ISO 27001 and receive recommendations for remediation. Which feature should they enable?

226

Which TWO of the following are components of the Microsoft Security Development Lifecycle (SDL)? (Choose two.)

227

Which THREE of the following are core principles of the Zero Trust security model? (Choose three.)

228

Which TWO of the following are Microsoft Entra ID editions that include Identity Protection? (Choose two.)

229

You are the security administrator for Contoso Corporation. The company uses Microsoft 365 E5 licenses, which include Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender XDR. Contoso has a hybrid identity environment with Microsoft Entra Connect syncing on-premises Active Directory to Microsoft Entra ID. The company recently experienced a data breach where an attacker compromised a user's credentials and exfiltrated sensitive customer data from SharePoint Online. The investigation revealed that the compromised user did not have MFA enabled and had admin consent to a malicious third-party OAuth app. To prevent future incidents, management has mandated the following requirements: (1) Enforce MFA for all users, especially those accessing sensitive data. (2) Block all OAuth apps that are not pre-approved by IT. (3) Detect and respond to identity-based threats in real-time. (4) Classify and protect sensitive data in SharePoint and Teams. You need to recommend a solution that meets all requirements. Which combination of Microsoft security solutions should you implement?

230

Your organization is implementing a new policy to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. The security team wants to enforce multi-factor authentication (MFA) for all users accessing this data, but only when accessing from outside the corporate network. Which Microsoft Entra ID conditional access policy setting should you configure to meet this requirement?

231

A company wants to implement a Zero Trust security model. Which TWO of the following are core principles of Zero Trust?

232

A company is implementing data classification in Microsoft Purview. Which THREE of the following are types of sensitive information that can be detected using built-in sensitive information types?

233

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled and applies to all cloud apps. Which users are affected by this policy?

234

Contoso Ltd. is a financial services company that must comply with strict regulatory requirements. They use Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender for Cloud Apps. The compliance team needs to implement a data loss prevention (DLP) policy that detects and prevents the sharing of credit card numbers in Microsoft Teams messages. Additionally, they want to ensure that only users with a specific custom sensitivity label can access documents containing credit card numbers. The sensitivity label is named 'Financial-Confidential' and is applied automatically via auto-labeling. The DLP policy should block sharing of credit card numbers in Teams but allow users to override the block with a business justification. Which combination of actions should you configure in the Microsoft Purview DLP policy to meet these requirements?

235

Fabrikam Inc. is a global manufacturing company that uses Microsoft Entra ID for identity management. They have recently experienced a security incident where an attacker compromised a user account and accessed sensitive intellectual property. The security team wants to implement identity protection measures to detect and respond to such attacks in the future. They need a solution that can automatically detect suspicious sign-in behavior, such as impossible travel and anomalous token issuance, and then take action to block the sign-in or require additional verification. Additionally, they want to integrate threat intelligence feeds to improve detection. Which Microsoft security solution should they use to meet these requirements?

Practice all 235 Describe the concepts of security, compliance, and identity questions

Deep-dive questions

Must-know Describe the concepts of security, compliance, and identity questions

The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.

  • Conditional Access and Identity Protection for MFA and Risky Sign-Ins→
  • Configuring Identity Protection and Conditional Access for MFA and Risk Detection→
  • Authentication vs Authorization→
  • Authentication vs Authorization: What's the Difference?→
  • What Is Availability in the CIA Triad?→
  • What Is Availability in the CIA Triad?→
  • What Is Defense in Depth?→
  • Defense in Depth: Multiple Layers of Security Controls→

Other SC-900 exam domains

Describe the capabilities of Microsoft EntraDescribe the capabilities of Microsoft security solutionsDescribe the capabilities of Microsoft compliance solutions

Frequently asked questions

What does the Describe the concepts of security, compliance, and identity domain cover on the SC-900 exam?

Describe the concepts of security, compliance, and identity questions on this certification test your ability to deploy and manage describe the concepts of security, compliance, and identity concepts in scenario-based situations.

How many Describe the concepts of security, compliance, and identity questions are in the SC-900 question bank?

The Courseiva SC-900 question bank contains 235 questions in the Describe the concepts of security, compliance, and identity domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Describe the concepts of security, compliance, and identity for SC-900?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Describe the concepts of security, compliance, and identity questions for SC-900?

Yes — the session launcher on this page draws questions exclusively from the Describe the concepts of security, compliance, and identity domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SC-900 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

AZ-900AZ-500SY0-701SC-200