Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Describe the capabilities of Microsoft security solutions

Practice SC-900 Describe the capabilities of Microsoft security solutions questions with full explanations on every answer.

470 questions


SC-900 Describe the capabilities of Microsoft security solutions questions (showing 300 of 470)


1

A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?

2

An organization uses Microsoft 365 Defender. The security team receives an alert about a potential malware outbreak on multiple endpoints, and they need an integrated view that correlates signals from various Microsoft security solutions. Which Microsoft 365 Defender portal component provides this unified view?

3

A security team is evaluating Microsoft security solutions to monitor user activities across multiple SaaS applications, including Salesforce and Dropbox, for signs of compromised accounts and data exfiltration. Which solution is specifically designed for this purpose?

4

A company manages Azure virtual machines and on-premises servers. The security team needs a single dashboard that provides a secure score and actionable recommendations to improve the security posture across both environments. Which Microsoft solution should be used?

5

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

6

A security analyst is using Microsoft 365 Defender to investigate a sophisticated multi-stage attack. The analyst needs to query data across endpoints, email, and identity logs to identify the attacker's behavior patterns and correlate events. Which Microsoft 365 Defender capability should the analyst use?

7

A company wants to reduce the attack surface on its Windows devices by blocking common techniques used by malware, such as preventing Office applications from creating child processes or blocking executable files from running from the %TEMP% folder. Which Microsoft Defender for Endpoint feature should be configured?

8

A company uses Microsoft 365 and is concerned about phishing attacks targeting employees. They want to deploy a solution that can automatically analyze email messages for malicious links and attachments, and also provide click-time protection by rewriting URLs. Which Microsoft 365 Defender component should they use?

9

A security administrator needs to identify and remediate misconfigurations in Azure resources that could lead to security breaches. They want a central dashboard that provides a secure score based on security controls and recommendations. Which Microsoft solution should they use?

10

A security operations center (SOC) team needs to collect security logs from Azure services, on-premises servers, and third-party firewalls. They want a cloud-native solution that provides advanced threat detection through analytics, machine learning, and the ability to hunt for threats across all data sources. Which Microsoft solution should they deploy?

11

A security team needs to detect and investigate advanced attacks targeting on-premises Active Directory accounts, such as Pass-the-Hash (PtH) and Golden Ticket attacks. Which Microsoft security solution should they deploy?

12

A security analyst receives an alert about a suspicious process on a device. The security solution automatically investigates the device, gathers evidence, and determines that a known malware variant was detected. It then presents an action plan to the analyst for remediation. Which Microsoft security solution provides this automated investigation and response capability?

13

A security operations center (SOC) team needs to ingest security logs from on-premises servers, Azure virtual machines, and SaaS applications like Salesforce. They want a cloud-native solution that uses machine learning to detect threats, provides a unified query language for hunting, and supports automated incident response through playbooks. Which Microsoft solution should they deploy?

14

A company wants to discover which cloud applications are being used by employees, assess the risk of those apps, and control data sharing in sanctioned apps like Box or Dropbox. Which Microsoft security solution should they implement?

15

An organization runs workloads in Azure, an on-premises data center, and multiple third-party cloud environments. The security team needs a single, cloud-native solution that provides a unified view of the security posture across all these environments, along with a secure score and actionable recommendations. They also want to protect these workloads with advanced threat detection. Which Microsoft security solution should they implement?

16

A security team needs to continuously assess the security posture of Azure resources, including virtual machines, storage accounts, and SQL databases. They also want to identify vulnerabilities in both Windows and Linux servers running in Azure and on-premises, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

17

A company runs containerized applications on Azure Kubernetes Service (AKS) and stores container images in Azure Container Registry. The security team wants to automatically scan container images for vulnerabilities every time a new image is pushed to the registry and receive recommendations for remediation. Which Microsoft security solution should they enable?

18

An organization wants to protect its Azure PaaS services, such as Azure SQL Database and Azure Key Vault, by detecting and alerting on suspicious activities like SQL injection attempts or unusual access patterns. They also need to integrate these alerts into a central security information and event management (SIEM) system for further analysis. Which Microsoft security solution provides the threat detection capability described?

19

A large enterprise uses a variety of cloud applications, including sanctioned apps like Microsoft 365 and unsanctioned apps that employees adopted without IT approval. The security team wants to discover all cloud applications in use, assess each app's risk score based on more than 80 risk factors, and control data sharing within sanctioned apps to prevent data leakage. Additionally, they need to identify which users are using a new, unknown file-sharing service. Which Microsoft security solution should be deployed to meet these requirements?

20

An organization uses Exchange Online and is concerned about phishing attacks that include malicious hyperlinks. They need a security solution that checks URLs at the time a user clicks them and blocks access to known malicious or suspicious websites. The solution must also provide real-time reputation analysis for link clicks. Which Microsoft security solution should they enable?

21

A security operations team uses Microsoft 365 Defender and wants to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. They also need to integrate these alerts into Microsoft Sentinel for central incident management. Which Microsoft security solution provides these capabilities?

22

A company uses a mix of Azure virtual machines and on-premises Windows and Linux servers. The security team wants a single, integrated solution that can continuously assess these servers for missing security updates, weak operating system configurations, and common vulnerabilities. The solution should provide prioritized remediation recommendations. Which Microsoft security solution should they use?

23

A security operations team uses Microsoft Sentinel to centralize security log analysis. They need to ingest logs from a third-party firewall that does not have a native connector. What should the team use to bring the firewall logs into Microsoft Sentinel?

24

An organization uses Microsoft 365 Defender and wants to automate the investigation and response to common email-based phishing attacks. They want the system to automatically take actions such as deleting malicious emails from user inboxes across the organization after analysis. Which Microsoft 365 Defender component provides this automated capability?

25

A security operations team needs to protect their organization's Windows 10 and Windows 11 devices from advanced persistent threats (APTs), ransomware, and fileless malware. They also require a centralized dashboard to view device security posture, investigate incidents, and perform proactive threat hunting using advanced queries. Which Microsoft security solution should they deploy?

26

A company uses Exchange Online. The security team wants to protect users from malware hidden in email attachments by detonating them in a secure sandbox environment before delivery. Which Microsoft Defender for Office 365 feature should they enable?

27

A company runs workloads in Azure and Amazon Web Services (AWS). The security team wants a single, unified dashboard to assess the security posture of all cloud resources, get prioritized recommendations for misconfigurations, and enable just-in-time (JIT) virtual machine access across both cloud environments. Which Microsoft security solution should they use?

28

A company uses Microsoft Defender for Cloud Apps to secure its cloud applications. The security team wants to monitor and control data activities in a third-party cloud app (e.g., Box) in real time. Specifically, they need to block downloads of files that have a 'Confidential' sensitivity label when users access the app from unmanaged devices. Which capability of Microsoft Defender for Cloud Apps should they configure?

29

A security operations team uses multiple Microsoft security products, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Entra ID Protection. They want to aggregate alerts from these sources into a single dashboard, correlate them to create incidents, and use automated playbooks to respond to threats. The team also wants to query historical security data for threat hunting. Which Microsoft solution should they deploy?

30

A company runs workloads in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single, unified dashboard to continuously assess the security posture of all cloud resources, identify misconfigurations, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

31

A company wants to improve its security awareness program by periodically sending simulated phishing emails to employees to test their ability to identify malicious messages. The results should be tracked in a dashboard that shows which employees clicked the links. Which Microsoft 365 Defender capability should they use?

32

A company wants to gain visibility into the use of unsanctioned cloud applications (shadow IT) within their organization. The security team has access to network proxy logs that show traffic to various cloud services. They want to use a Microsoft security solution to analyze these logs and identify which cloud apps are being used, by whom, and how much data is being consumed. Which capability of Microsoft Defender for Cloud Apps should they use?

33

A security operations team needs to protect Windows servers from ransomware and other advanced threats. They require a solution that provides endpoint detection and response (EDR), automated investigation, and the ability to isolate compromised machines from the network. Which Microsoft security solution should they deploy?

34

A company uses Microsoft 365. The security team wants to protect users from clicking malicious URLs in email messages. The solution should rewrite all links in incoming emails so that when a user clicks them, the URL is checked in real time against a dynamic list of known malicious sites. Which Microsoft Defender for Office 365 feature should they enable?

35

A company maintains an on-premises Active Directory environment with over 10,000 domain-joined computers. The security team is concerned about advanced attacks that use stolen credentials to move laterally, such as pass-the-hash attacks or DCSync attacks targeting domain controllers. They need a solution that monitors on-premises Active Directory traffic and event logs to detect these identity-based threats and provides alerts for investigation. Which Microsoft security solution should they deploy?

36

A company runs workloads in Microsoft Azure and in Google Cloud Platform (GCP). The security team needs a single dashboard to view the security posture of both cloud environments, get recommendations for misconfigurations based on best practices, and track compliance with industry standards such as ISO 27001 and PCI DSS. Which Microsoft security solution should they use?

37

A company runs Windows Server virtual machines (VMs) on-premises and in Azure. The security team wants a unified view of missing security updates and known vulnerabilities (CVEs) across all VMs. They want to enable agentless scanning for Azure VMs and deploy a lightweight agent for on-premises machines. The results should be consolidated in a single dashboard with prioritized remediation recommendations. Which Microsoft security solution should they use?

38

A company uses Exchange Online. The security team wants to protect users from malicious email attachments. They need a solution that detonates attachments in a sandbox environment to check for malware behavior before the email is delivered to the recipient. Which Microsoft Defender for Office 365 feature should they enable?

39

A security operations center (SOC) team needs a centralized platform to collect logs from firewalls, servers, and cloud applications. They want to analyze these logs to detect threats, create custom alerts, and automate response actions using playbooks. The solution should also provide threat intelligence feeds and allow for advanced hunting with Kusto Query Language (KQL). Which Microsoft security solution should the team implement?

40

A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?

41

A company wants to improve its security posture across Microsoft 365. The security team needs a central dashboard that provides a score based on current security configurations, gives recommendations for improving the score, and allows tracking of improvement actions over time. Which Microsoft security solution should they use?

42

A company runs Azure SQL databases containing customer transaction data. The security team needs to detect and alert on suspicious database access patterns, such as SQL injection attempts or access from unusual locations. Which Microsoft security solution should they enable?

43

A company uses Azure virtual machines and also has physical servers in their on-premises datacenter. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and get a secure score for both environments. They also want to integrate with Microsoft Defender for Cloud for threat protection. Which Microsoft security solution provides this unified visibility across hybrid workloads?

44

A company runs critical applications on Windows Server virtual machines in Azure and on-premises. The security team wants to reduce the exposure of administrative ports (e.g., RDP, SSH) by requiring administrators to request just-in-time (JIT) access. The request should require approval from a central team, and the port should be opened only for a limited time. Which Microsoft security solution provides this JIT capability for both Azure and on-premises servers (when connected via Azure Arc)?

45

A company uses Microsoft Defender for Endpoint on all workstations and Microsoft Defender for Office 365 for email protection. The security operations team wants a single console to see all incidents from both products, automatically investigate and respond to threats across endpoints and email, and integrate with Microsoft Sentinel for advanced hunting. Which Microsoft security solution should they use?

46

A company runs virtual machines in Azure and also maintains on-premises servers connected via Azure Arc. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and track a secure score across both environments. They also want to enable advanced threat protection features such as just-in-time (JIT) VM access and file integrity monitoring for these workloads. Which Microsoft security solution should they implement?

47

A company wants to gain visibility into the cloud applications that employees are using (e.g., unsanctioned SaaS apps), assess the risk level of each app based on multiple factors, and block access to high-risk applications. Which Microsoft security solution should they deploy?

48

A company wants to detect and respond to advanced attacks targeting their on-premises Active Directory infrastructure, such as Kerberos Golden Ticket attacks, pass-the-hash, and brute-force attempts. The solution should integrate with Microsoft Sentinel and Microsoft 365 Defender for cross-domain investigations. Which Microsoft security solution should they deploy?

49

A company uses a third-party SaaS CRM application. The security team needs to monitor user sessions in real time when sales representatives access the CRM from personal, unmanaged devices. The goal is to prevent the download of sensitive customer data to local drives. The solution should block download actions and show a warning to the user. Which Microsoft security solution should the team deploy to enforce these session controls?

50

A company runs a production Kubernetes cluster in Azure. The security team needs to continuously monitor the cluster for misconfigurations, such as containers running with privileged access or secrets exposed in environment variables. They also want to detect runtime threats like crypto-mining containers. Which Microsoft security solution should they use?

51

A company's security operations team needs to centralize security log collection from multiple sources including on-premises firewalls, AWS CloudTrail, and Azure Active Directory sign-in logs. They want to use built-in analytics to detect threats across all data sources and create automated response playbooks, such as isolating a compromised user account when a specific attack pattern is detected. Which Microsoft security solution should they deploy?

52

A company uses a third-party SaaS project management application. The security team wants to monitor and control user sessions when employees access the application from personal, unmanaged devices. Specifically, they want to block the download of files to local drives and display a warning message to the user if they attempt to download. Which Microsoft security solution should they deploy?

53

An organization wants to protect its fleet of Windows 10 laptops from advanced malware and ransomware. The solution must detect suspicious behavior (e.g., a process encrypting files) and provide security teams with the ability to isolate an infected device from the network for investigation. Which Microsoft security solution should they deploy?

54

A company's security operations center wants to detect advanced attacks targeting their on-premises Active Directory, such as Kerberos Golden Ticket attacks, pass-the-hash, and skeleton key malware. They need a solution that monitors domain controller traffic, correlates with entity behavior, and integrates with Microsoft Sentinel for incident response. Which Microsoft security solution should they deploy?

55

A company uses Microsoft 365 and stores many business documents in SharePoint Online and OneDrive. The security team wants to automatically detect and block malicious files (e.g., those containing ransomware or other malware) that are uploaded to these document libraries. Files should be scanned and held until proven safe. Which Microsoft security solution should they enable to provide this protection?

56

A company wants to protect its employees from phishing attacks delivered via email. The solution must analyze all URLs embedded in incoming emails in real time. If a URL points to a known malicious site, the link should be blocked at the time of click. Additionally, the solution should sandbox URLs in attachments and provide time-of-click verification. Which Microsoft security solution should they implement?

57

A security operations team investigates a multi-stage attack that began with a phishing email, then moved to credential compromise, and finally to lateral movement on endpoints. They need a single pane of glass to view the entire attack story, including the initial email, the compromised user's sign-in activities, and processes on affected devices. Which Microsoft security solution provides this unified investigation experience?

58

A company runs a web application in Azure that is publicly accessible. They want to protect it against large-scale distributed denial-of-service (DDoS) attacks from multiple sources. Which Azure service is specifically designed for this purpose?

59

A company has multiple Azure virtual machines running various workloads. They want a central solution that continuously assesses their security posture, identifies vulnerabilities, and provides recommendations to harden the environment. Which Azure service should they use?

60

A financial institution is deploying Microsoft Sentinel to monitor security events across its hybrid cloud environment. They want to correlate alerts from multiple sources and automate incident response. Which Microsoft Sentinel feature should they use to create automated workflows?

61

A company uses Microsoft Defender for Cloud to secure their Azure environment. The security team needs to check whether their resources comply with the CIS (Center for Internet Security) benchmark. How can they view their compliance status against CIS in Defender for Cloud?

62

A company uses Azure virtual machines for a production database. The security team wants to minimize the attack surface by blocking all inbound RDP (port 3389) traffic. However, administrators occasionally need to connect for maintenance. The team needs a solution that allows administrators to request temporary access to the RDP port, which is automatically revoked after a specified time. Which Microsoft Defender for Cloud feature should they use?

63

A company uses Microsoft Defender for Endpoint to secure its devices, Microsoft Defender for Office 365 for email security, and Microsoft Defender for Identity for on-premises Active Directory. The security team wants a single console to view correlated incidents across these domains, where an incident might combine a suspicious email, a malicious file download, and a compromised account. Which Microsoft solution provides this unified incident view and automatic correlation?

64

A company uses Microsoft 365 and wants to protect its users from malicious links and attachments in email, as well as phishing attacks. Which Microsoft security solution is specifically designed for email and collaboration protection?

65

A company uses Microsoft Defender for Cloud to improve their cloud security posture. They want to see an aggregated score that reflects how well their resources are protected against threats. Which feature in Defender for Cloud provides this?

66

A company uses Microsoft 365 and Azure. They want a unified security solution that provides threat protection across email, endpoints, identities, and cloud apps, with automated investigation and response capabilities. Which Microsoft solution should they use?

67

A security administrator wants to use Microsoft Defender for Cloud to protect Azure VMs. Which two of the following should be enabled to meet the requirements? (Choose two.)

68

A company has enabled Microsoft Defender for Cloud. They want to assess their Azure resources for compliance with security benchmarks like CIS and Azure Security Benchmark, and view a secure score. Which feature of Defender for Cloud provides this capability?

69

A company uses Microsoft 365 and wants to protect against sophisticated phishing attacks that use malicious links in email. They also want real-time analysis of URLs at the time of click. Which Microsoft Defender for Office 365 feature provides this?

70

A company wants to gain visibility into which cloud applications are being used by employees (shadow IT) and assess the risk level of each app. They use Microsoft Defender for Cloud Apps. Which feature should they enable to discover and analyze these apps?

71

A company uses Microsoft Defender for Office 365 and wants to protect users from malicious attachments in email. They need a feature that scans email attachments in a sandbox environment before they are delivered to recipients. Which Defender for Office 365 feature should they use?

72

A security team wants to discover which cloud applications (such as Dropbox, Salesforce, or unsanctioned file-sharing apps) are being used by employees, even if those apps are not sanctioned by IT. They need to analyze usage patterns, risk levels, and identify potential shadow IT. Which feature of Microsoft Defender for Cloud Apps should they enable?

73

A company uses Microsoft 365 and needs to protect endpoints from ransomware attacks that encrypt files. The security team wants automated investigation and response capabilities for malware incidents on Windows devices. Which Microsoft security solution should they use?

74

A company uses Microsoft Defender for Cloud to secure their multi-cloud environment, which includes Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). They want a unified view of security posture, continuous assessment of resources, and recommendations to improve security across all clouds. Which feature of Defender for Cloud provides this capability?

75

A security team needs to collect and analyze security logs from a hybrid environment consisting of on-premises Windows servers, Azure virtual machines, and AWS workloads. They want to correlate events, detect anomalous behavior, and create custom security alerts with automated response playbooks. Which Microsoft security solution should they use?

76

A security team wants to discover all cloud apps being used by employees, including unsanctioned personal apps like unauthorized file-sharing services. They plan to analyze firewall logs to identify traffic patterns and assess each app's risk score. Which feature of Microsoft Defender for Cloud Apps should they enable?

77

A security analyst needs to detect and investigate compromised identities in on-premises Active Directory. They want to monitor for lateral movement, reconnaissance, and credential theft using behavioral analytics. Which Microsoft security solution is designed specifically for this purpose?

78

A company uses Microsoft 365 E5 and is concerned about advanced phishing attacks that use adversary-in-the-middle (AiTM) techniques to steal session cookies and bypass multifactor authentication. Which Microsoft Defender for Office 365 feature should they configure to specifically protect against this type of attack?

79

A security operations team uses Microsoft Defender for Cloud and has connected their AWS and GCP accounts. They want to continuously assess the security posture of AWS EC2 instances against the CIS AWS Foundations Benchmark and receive prioritized recommendations. Which feature of Defender for Cloud should they use?

80

A security team wants to receive a unified security posture assessment for their hybrid workloads including Azure VMs, on-premises SQL servers, and AWS EC2 instances. They need to get actionable recommendations to harden configurations and improve their overall security score. Which Microsoft security solution provides this capability?

81

A security team wants to discover all cloud applications being used by employees, including unsanctioned file sharing and collaboration apps. They plan to analyze traffic logs from their network firewall to identify usage patterns and assess each app's risk level. Which feature of Microsoft Defender for Cloud Apps should they enable?

82

A security team wants to discover which cloud applications are being used by employees, including unsanctioned file-sharing and collaboration apps. They plan to upload network traffic logs from their firewall to analyze app usage and risk levels. Which feature of Microsoft Defender for Cloud Apps should they enable?

83

A company uses Microsoft 365 and sanctioned cloud apps like Salesforce and Box. The security team wants to prevent users from downloading sensitive documents from these apps when accessing from unmanaged personal devices, while still allowing read-only access. They need real-time session monitoring and control. Which Microsoft security solution should they use?

84

A security team wants to monitor and proactively defend against cyber threats across their entire infrastructure, including Azure virtual machines, on-premises servers, and AWS workloads. They need a unified solution that provides endpoint detection and response (EDR), vulnerability management, and threat hunting capabilities. Which Microsoft security solution should they use?

85

A company runs critical applications on Azure virtual machines and on-premises SQL servers. The security team wants to reduce the VM attack surface by allowing just-in-time (JIT) access to RDP and SSH ports only when needed. Additionally, they need to monitor changes to important registry keys and system files on the SQL servers. Which Microsoft security solution should they use?

86

A security operations center (SOC) wants to enrich their detection capabilities by automatically correlating internal network logs with external threat intelligence feeds containing known malicious IP addresses and domains. They need to ingest, normalize, and prioritize these indicators and generate alerts when matches are found. Which Microsoft security solution provides built-in capabilities for this purpose?

87

A security analyst needs to investigate a potential malware outbreak that started on an on-premises Windows server several days ago. They want to trace the attack timeline, see which files were modified, and understand how the attacker moved laterally across the network. Which Microsoft solution provides advanced endpoint detection and response (EDR) for on-premises servers?

88

A security operations team needs a solution that can detect and stop ransomware attacks on Windows servers and desktops in real time. They also want the ability to automatically isolate affected devices and, if necessary, roll back files modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these capabilities?

89

A healthcare organization runs a mix of workloads on Azure (Azure VMs, SQL Database) and on-premises (Windows Servers). They must continuously assess their compliance against the HIPAA and HITRUST regulatory frameworks. They want a unified dashboard that shows their compliance score against these standards and provides step-by-step recommendations to remediate violations. Which Microsoft Defender for Cloud capability should they use?

90

A security team manages a hybrid environment with Azure VMs and on-premises Windows servers. They want a single dashboard that provides continuous assessment of security posture, actionable recommendations to harden configurations, and integration with Microsoft Defender for Cloud to detect threats. Which Microsoft security solution should they use?

91

A security operations center (SOC) receives a high volume of low-fidelity alerts from various security tools. They need a solution that can automatically correlate alerts into incidents, use built-in machine learning to reduce false positives, and provide a unified console for investigation and response across Azure, on-premises, and Microsoft 365. Which Microsoft security solution should they use?

92

A security team needs to detect and automatically respond to ransomware attacks on Windows servers and desktops. They require the solution to automatically isolate affected devices from the network and, if necessary, roll back files that have been modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these specific capabilities?

93

A security team needs to detect and investigate suspicious activities in their on-premises Active Directory environment, such as pass-the-hash attacks, Kerberoasting, and unusual service account behavior. They also want to integrate these alerts with Microsoft Defender for Cloud for a unified view across hybrid workloads. Which Microsoft security solution should they deploy on-premises?

94

A company uses a hybrid environment with Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that continuously assesses the security posture of these workloads, provides a regulatory compliance dashboard with actionable recommendations, and enables threat detection. Which Microsoft security solution should they use?

95

A company uses Microsoft 365 and allows employees to access corporate email and documents from their personal devices. The security team wants to protect against malicious links in emails and Microsoft Teams messages. When a user clicks a link, it should be checked in real-time to see if it leads to a known malicious site. If it does, access should be blocked. Which Microsoft security solution provides this capability?

96

A company uses Azure virtual machines and on-premises Windows servers. The security team wants a single solution that provides vulnerability assessment, a regulatory compliance dashboard (e.g., for ISO 27001), and integrated threat detection such as fileless malware and anomalous logins. Which Microsoft security solution should they use?

97

A company uses Salesforce and Box as cloud apps. The security team discovers that a third-party OAuth app with excessive permissions was granted access to Salesforce data by a user. They want a solution that can detect such risky OAuth apps and automatically revoke their permissions based on policy. Which Microsoft security solution provides this capability?

98

A company uses Microsoft 365 and wants to protect users from malicious attachments in email. The security team wants a solution that detonates attachments in a sandbox environment before delivery, and only allows the email through if the attachment is deemed safe. Which Microsoft security solution should they use?

99

A company uses Microsoft Defender for Cloud Apps. The security team discovers that a user has granted a third-party OAuth app the 'read all mail' and 'send mail as user' permissions. They want to automatically revoke the authorization for this risky app and block similar apps in the future. Which Defender for Cloud Apps feature should they use?

100

A security team manages a hybrid environment with on-premises Windows servers and Azure VMs. They need a solution that can detect lateral movement attacks, pass-the-hash attempts, and anomalous service account behavior on the on-premises Active Directory environment. They also want these alerts to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their on-premises domain controllers?

101

A security team monitors user activities in third-party cloud apps like Box and Dropbox. They want to automatically detect when a user performs an anomalous file download after signing in from an unusual location, and then suspend the user's account and initiate an investigation. Which Microsoft security solution should they use?

102

A company uses Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that provides a continuous assessment of security posture, a regulatory compliance dashboard for NIST SP 800-53, and integrated threat detection for hybrid workloads (e.g., brute force attacks on SSH). Which Microsoft security solution should they use?

103

A company uses Azure resources, on-premises servers, and third-party cloud apps. The security team wants a single solution to collect security logs from all these sources, detect threats using advanced analytics, and automate responses to incidents. Which Microsoft security solution should they use?

104

A company runs critical Windows virtual machines on Azure. To reduce the attack surface, the security team wants to block all inbound RDP (port 3389) traffic from the internet by default. When a security engineer needs to connect via RDP for troubleshooting, they must request access through a portal, and the RDP port will be opened for a limited time (e.g., 4 hours) only to their source IP address. Which Microsoft security solution should they use to implement this control?

105

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team wants to detect when a user downloads a large number of files from a cloud storage app after hours, which may indicate data exfiltration. Which Microsoft security solution should be used to detect such anomalous behavior in cloud apps?

106

A company uses Azure SQL Database for a critical line-of-business application. The security team wants to enable threat protection that specifically detects and alerts on SQL injection attempts and anomalous database access patterns. Which workload protection plan should they enable within Microsoft Defender for Cloud?

107

A global enterprise has a hybrid environment that includes on-premises Active Directory, Azure resources, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single solution to collect security logs from all these sources, detect threats using advanced analytics and threat intelligence, and automate incident response via playbooks. They already have Microsoft Defender for Cloud protecting their Azure workloads. Which Microsoft security solution should they add to meet these requirements?

108

A security team wants to detect when a user downloads an unusually large number of files from a third-party cloud storage app (e.g., Box) after logging in from an unfamiliar location. They also want to automatically suspend the user's account if such behavior is detected. Which Microsoft security solution should they use?

109

A company has a hybrid environment with on-premises Active Directory. The security team wants to detect advanced attacks such as pass-the-hash, malicious Kerberos ticket activity, and abnormal service account behavior. They want alerts from the on-premises environment to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their domain controllers?

110

A company runs Azure VMs and on-premises Windows servers. They need a solution that provides vulnerability assessment, a regulatory compliance dashboard, and threat detection for their hybrid workloads. Which Microsoft security solution should they use?

111

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team needs to discover which unsanctioned cloud apps employees are using (Shadow IT). They also want to get a risk score for each app and receive alerts when a high-risk app is used. Which Microsoft security solution should they use?

112

A company uses Microsoft 365 and wants to protect its users from clicking malicious links in phishing emails. The security team needs a solution that rewrites URLs in email messages to check the link at the time of click, and blocks access if the link is malicious. Which Microsoft security solution should they use?

113

A company runs a mix of on-premises servers and Azure virtual machines. They deploy Microsoft Defender for Endpoint on all servers. The security team wants to create custom queries to hunt for a specific attack pattern that involves a sequence of events across multiple machines, such as a PowerShell script being downloaded and then executed on several servers. They need to write their own detection rules based on advanced hunting data. Which Microsoft 365 Defender capability should they use?

114

A company uses Microsoft 365 and several third-party SaaS apps. The security team wants to detect when a user signs in from a remote location that is significantly far from their typical sign-in location within a very short time, indicating possible account compromise. Which Microsoft security solution should they use?

115

An organization wants to protect against business email compromise (BEC) attacks where attackers impersonate the CEO to trick employees into transferring funds. Which Microsoft Defender for Office 365 capability should they configure to detect such impersonation?

116

A company uses Microsoft 365 and wants to deploy a security solution that can automatically detect and remediate advanced attacks on endpoints (workstations and servers), such as ransomware and fileless attacks. They also want to provide incident response teams with detailed forensic data and the ability to isolate an infected machine from the network. Which Microsoft security solution should they use?

117

A multinational company uses a hybrid infrastructure with on-premises Active Directory and Azure resources. They have deployed Microsoft Defender for Cloud to protect their Azure workloads. They now want to extend threat detection to their on-premises Active Directory by collecting security events from domain controllers to detect attacks like Golden Ticket, DCSync, and malicious Kerberos activity. The solution should integrate with Microsoft Sentinel for automated response. Which security solution should they deploy on the on-premises domain controllers?

118

A company wants to deploy a single security operations portal that provides a unified view of alerts and incidents from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Which Microsoft portal should the security team use?

119

A company wants to collect security logs from on-premises servers, cloud applications, and network devices into a central repository, and then use advanced analytics to detect threats and automate incident response. Which Microsoft security solution should they deploy?

120

A company has on-premises Active Directory. They want to detect advanced attacks like Pass-the-Hash, DCSync, and malicious Kerberos activity using behavioral analytics. Which Microsoft security solution should they deploy on their domain controllers?

121

A security analyst wants to create a custom detection rule that tracks a specific multi-stage attack pattern: a user receives a phishing email, clicks a link, and then a script is executed on their device. The analyst needs to write a Kusto Query Language (KQL) query to detect this pattern and schedule it to run automatically, generating alerts. Which Microsoft 365 Defender capability should they use?

122

An organization wants to protect against spear-phishing attacks where attackers impersonate the company's CEO or other trusted domains to trick employees into transferring funds. They need a security solution that uses machine learning to detect and prevent such impersonation attempts in incoming emails. Which Microsoft 365 protection feature should they enable?

123

A company uses Microsoft 365 and Microsoft Azure. The security team wants a single portal that provides a unified view of alerts and incidents from their endpoints, email, and cloud applications to accelerate threat investigation and response. Which Microsoft security solution should they use?

124

Sequence the steps to enable Microsoft Defender for Cloud Apps for an organization.

125

Arrange the steps to configure multi-factor authentication (MFA) for a user in Azure AD.

126

Match each Microsoft identity service to its description.

127

Match each authentication method to its description.

128

Your organization wants to automatically investigate and remediate email-based threats in Microsoft 365. Which security solution should you use?

129

A company must ensure that sensitive data in SharePoint Online is automatically classified and protected. They want to use built-in Microsoft Purview capabilities. Which feature should they implement?

130

An organization uses Microsoft Entra ID for identity management. They want to implement a risk-based conditional access policy that requires multi-factor authentication (MFA) when sign-in risk is medium or high. Which policy settings should they configure?

131

Your company wants to use Microsoft Security Copilot to help analysts investigate security incidents. Which data source can Security Copilot ingest to provide contextual insights?

132

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. What should they configure?

133

Your company is deploying Microsoft Entra ID Governance. They want to automate the review of guest user access to Microsoft Teams and remove access when guests leave the partner organization. Which feature should they implement?

134

A security analyst needs to query Microsoft 365 audit logs to find all activities where a user deleted a file from SharePoint Online in the last 24 hours. Which tool should they use?

135

Your organization wants to use Microsoft Defender for Cloud to secure Azure virtual machines. Which feature should they enable to get vulnerability assessment without additional agents?

136

Refer to the exhibit. You run a Kusto query in Microsoft Defender XDR Advanced Hunting. What does this query return?

137

Which TWO Microsoft Purview features can be used to classify and label sensitive data in Microsoft 365?

138

Which THREE are capabilities of Microsoft Defender for Cloud?

139

Which TWO Microsoft Security Copilot capabilities can help security analysts during incident response?

140

A company wants to use Microsoft Intune to enforce that mobile devices have a PIN of at least 6 characters to access corporate resources. What should they configure?

141

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. What will this policy do?

142

Refer to the exhibit. You are creating a custom analytics rule in Microsoft Sentinel. What does this rule detect?

143

Your organization is deploying Microsoft Defender XDR to detect and respond to advanced threats. You need to ensure that security alerts from Microsoft Defender for Endpoint are automatically correlated with alerts from Microsoft Defender for Office 365. What should you configure?

144

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email, but allow sharing via Microsoft Teams messages. What should they configure?

145

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which policy should you configure?

146

You are reviewing a Microsoft Sentinel KQL query. What is the primary purpose of this query?

147

Your organization uses Microsoft Purview eDiscovery to manage legal cases. You need to place a hold on a user's mailbox to preserve data for an ongoing litigation. Which role do you need to assign to the eDiscovery manager?

148

Your organization wants to use Microsoft Defender for Cloud Apps to detect anomalous user behavior across cloud applications. Which feature should you enable?

149

You are reviewing a Microsoft Purview DLP policy rule represented in JSON. What is the effect of this rule?

150

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows users to sign in using their social media accounts, such as Google or Facebook. What should you configure?

151

Your organization wants to protect sensitive documents from being copied to unauthorized cloud services. Which Microsoft Purview capability should you use?

152

Which TWO of the following are features of Microsoft Defender for Cloud? (Choose two.)

153

Which THREE of the following are capabilities of Microsoft Purview eDiscovery? (Choose three.)

154

Which TWO of the following are benefits of using Microsoft Entra ID Conditional Access? (Choose two.)

155

A tenant administrator runs the PowerShell cmdlet shown in the exhibit. The output shows that some compliance policies have IsAssigned = $false. What does this indicate?

156

Your organization uses Microsoft Sentinel as a SIEM. You need to collect security events from on-premises servers. Which connector should you use?

157

Your organization wants to label emails and documents as 'Confidential' automatically based on content patterns. Which Microsoft Purview feature should you use?

158

Your organization uses Microsoft Defender for Cloud Apps. A security analyst needs to receive an alert whenever a user accesses a cloud app from a new IP address that is not in the organization's trusted IP range. What should the analyst configure?

159

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. You need to ensure that when a user clicks a malicious link in an email, the user is warned and the action is blocked. Which policy should you configure?

160

You are a security administrator for a company that uses Microsoft 365. The compliance team needs to automatically classify and protect sensitive data such as credit card numbers in emails and documents. Which Microsoft Purview solution should you recommend?

161

Your organization has Microsoft Sentinel deployed. The security operations team needs to automatically respond to a security incident by opening an incident in ServiceNow and sending a notification to a Teams channel. What should you configure?

162

Your company uses Microsoft Entra ID and is implementing a zero-trust security model. You need to ensure that all access requests to sensitive applications are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID capability should you use?

163

Your organization has deployed Microsoft Intune for mobile device management. You need to ensure that users can only access corporate resources from devices that are compliant with your security policies. Which policy type should you configure?

164

Your organization is using Microsoft Defender for Cloud to secure a multi-cloud environment including Azure and AWS. You need to identify misconfigurations that could lead to security breaches. Which feature should you use?

165

Your company uses Microsoft Purview to manage data across Azure, on-premises SQL Server, and Amazon S3. You need to create a unified map of all data sources and their sensitivity labels. Which Microsoft Purview feature should you use?

166

Your organization uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on several endpoints. Which feature allows you to search for indicators of compromise (IOCs) across all endpoints?

167

You are reviewing a Microsoft Purview sensitivity label configuration. Based on the exhibit, what will happen when this label is applied to a document?

168

You are analyzing sign-in logs in Microsoft Sentinel. Based on the KQL query in the exhibit, what is the purpose of this query?

169

You run the Microsoft Graph PowerShell command in the exhibit. What information does this command retrieve about the user?

170

Which TWO of the following are capabilities of Microsoft Defender for Cloud? (Choose two.)

171

Which THREE of the following are features of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

172

Which TWO of the following are capabilities of Microsoft Sentinel? (Choose two.)

173

A company uses Microsoft Defender for Cloud Apps to monitor SaaS app usage. The security team wants to receive an alert when a user downloads more than 10 files from SharePoint Online within 5 minutes. Which type of policy should they create?

174

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email outside the company. Which type of DLP rule action should they configure?

175

A company is designing a Microsoft 365 Defender incident response workflow. They want to automatically isolate a compromised device when a ransomware alert is triggered. Which Microsoft 365 component should be used to execute the automated response action?

176

A security analyst needs to investigate a phishing campaign that targeted multiple users. They want to correlate email threat data with user actions and device signals. Which Microsoft security solution should they use as the primary investigation console?

177

A company wants to enforce conditional access policies that require multifactor authentication (MFA) for all users accessing financial apps from outside the corporate network. Which Microsoft Entra ID license is minimally required to create conditional access policies?

178

Refer to the exhibit. A security analyst is reviewing an alert from Microsoft 365 Defender. The alert is associated with an incident. What is the best first step to investigate this alert?

179

Refer to the exhibit. A Microsoft Purview DLP policy is configured. When a user attempts to share a document containing a credit card number externally, what will happen?

180

A company wants to use Microsoft Sentinel to collect security logs from on-premises servers and send them to Azure. Which data connector should they use?

181

A security operations center (SOC) team uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. They notice an alert about a user accessing a sensitive HR application from an unusual IP address at 3 AM. What does UEBA primarily use to detect this anomaly?

182

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps?

183

Which THREE of the following are features of Microsoft Purview Insider Risk Management?

184

Which TWO of the following are included in Microsoft Entra ID Protection?

185

Which THREE of the following are capabilities of Microsoft Defender for Office 365?

186

Which TWO of the following are examples of Microsoft Copilot for Security use cases?

187

Refer to the exhibit. An analyst runs a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

188

Your organization uses Microsoft Sentinel to detect threats. A security analyst needs to create a custom analytics rule that triggers an incident when a user accesses more than 1000 files from an external IP address within 5 minutes. Which rule type should the analyst configure?

189

Your company uses Microsoft Purview Information Protection to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a custom footer is added. Which two components should you configure?

190

Your organization wants to protect against phishing attacks by verifying the sender's identity for incoming emails. Which Microsoft Defender for Office 365 feature should you configure?

191

A company uses Microsoft Defender for Cloud to secure its hybrid cloud workloads. The security team needs to ensure that all virtual machines (VMs) have Just-In-Time (JIT) VM access enabled. What should they use to enforce this across subscriptions?

192

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that company data on personal devices is protected if the device is lost or stolen. What should you configure?

193

Your organization uses Microsoft Entra ID and wants to provide a single sign-on (SSO) experience for a third-party SaaS application that supports SAML 2.0. The app must also enforce multifactor authentication (MFA) for external users. What should you configure?

194

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender XDR. The security team needs to determine if the file 'invoice.docm' is known malware and if other devices in the organization have this file. What should they do next?

195

Your company uses Microsoft Sentinel to manage security incidents. You need to automatically assign incidents to a specific analyst team based on the incident category (e.g., phishing incidents to the SOC team). What should you configure?

196

Your organization uses Microsoft Purview to govern data in Azure Data Lake Storage. You need to create a data classification policy that automatically tags files containing personally identifiable information (PII) such as social security numbers. Which scanning solution should you use?

197

Your organization uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. Which two actions can be taken to improve the Secure Score? (Choose two.)

198

A SOC analyst is investigating a potential security incident in Microsoft Sentinel. Which three are valid methods to gather additional context about a user entity? (Choose three.)

199

Your company wants to protect sensitive data in Microsoft Teams. Which two Microsoft Purview features can help prevent accidental sharing of confidential information? (Choose two.)

200

Refer to the exhibit. The exhibit shows an Azure Policy definition. A storage account named 'storagedev' is created with network ACLs set to allow all traffic (defaultAction: Allow) and no IP rules. What will happen when this policy is assigned?

201

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender for Endpoint. The SOC team needs to decode the PowerShell command to understand the malicious intent. Which tool or method should they use?

202

Your organization uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to create a custom assessment for a new internal policy. What should you do first?

203

You are the security administrator for a company using Microsoft Defender XDR. A user reports receiving a suspicious email with a link. What Microsoft Defender XDR feature should you use to investigate the email's threat level?

204

Your organization is adopting Microsoft 365 Copilot for enterprise users. Which Microsoft Purview capability should you configure to prevent sensitive data from being inadvertently shared during Copilot interactions?

205

You are investigating an alert in Microsoft Defender XDR. Based on the exhibit, what is the primary detection source for this alert?

206

Your company uses Microsoft Purview to protect sensitive data in SharePoint Online. You need to automatically apply a 'Confidential' sensitivity label to documents containing credit card numbers. What should you create?

207

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which Microsoft Entra ID feature should you use?

208

You are investigating an alert in Microsoft 365 Defender. The KQL query in the exhibit retrieves evidence for alert-5678. What type of entities does this query filter for?

209

Your organization is using Microsoft Sentinel as a SIEM. You want to automatically respond to a high-severity incident by opening a ticket in ServiceNow and notifying the security team via email. What should you create?

210

Your company uses Microsoft Defender for Cloud to secure Azure resources. You need to assess compliance with the CIS benchmark. What should you enable?

211

A user reports that they cannot access a sensitive document in SharePoint Online. The document has a 'Highly Confidential' sensitivity label. You verify the label is applied correctly. What is the most likely reason for the access issue?

212

Which TWO Microsoft security solutions can be used to detect and respond to identity-based threats? (Choose two.)

213

Which THREE are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

214

Which TWO are features of Microsoft Defender for Cloud Apps? (Choose two.)

215

You are reviewing a Microsoft Purview auto-labeling policy configuration. Based on the exhibit, what happens when a document contains a credit card number and is labeled 'Confidential'?

216

Your organization uses Microsoft Intune to manage mobile devices. You need to ensure that devices with a jailbroken or rooted OS cannot access corporate resources. What should you configure?

217

You are troubleshooting a Conditional Access policy in Microsoft Entra ID. The policy in the exhibit is not blocking some sign-ins that you expected to block. What is the most likely reason?

218

A company wants to protect against malware and phishing attacks in email and collaboration tools like Microsoft Teams. Which Microsoft security solution should they use?

219

A security administrator needs to block legacy authentication protocols across all applications in Microsoft Entra ID. Which conditional access policy setting should they configure?

220

An organization uses Microsoft Sentinel for security information and event management (SIEM) and security orchestration, automation, and response (SOAR). They want to automatically respond to a specific incident by running a playbook. What should they configure?

221

Refer to the exhibit. You are creating a Microsoft Purview sensitivity label for HR data. The JSON shows a label configuration. What is the likely effect of setting the sensitivity value to 90?

222

A company uses Microsoft Intune to manage devices. They want to ensure that only devices with a specific minimum operating system version can access corporate email. What should they configure?

223

An organization wants to detect and respond to threats across their cloud infrastructure, including Azure, AWS, and GCP. Which Microsoft security solution should they centralize their security monitoring in?

224

Refer to the exhibit. You run the PowerShell command to retrieve a conditional access policy's conditions. The output shows Applications: All, Users: All, and Locations: All trusted. You need to ensure that only trusted locations are used when accessing Microsoft 365. What change should you make?

225

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to improve their secure score. What should they do?

226

An organization uses Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared externally. They need to block sharing of credit card numbers in emails and Teams messages. What should they create?

227

Which TWO capabilities are provided by Microsoft Defender for Cloud? (Choose two.)

228

Which THREE components are part of Microsoft Defender XDR? (Choose three.)

229

Which TWO features are available in Microsoft Entra ID P2 licenses? (Choose two.)

230

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to investigate ransomware alerts. The query returns: AlertSeverity High: 5, Medium: 3, Low: 2. The security team wants to automate a response for all high-severity ransomware alerts. What should you configure?

231

A company uses Microsoft Purview to map their data estate. They need to classify data stored in Azure SQL Database and Amazon S3. What should they use?

232

An organization wants to provide a secure way for external partners to access specific SharePoint sites without creating new user accounts. What Microsoft Entra B2B feature should they use?

233

Your organization uses Microsoft Defender for Cloud to protect hybrid workloads. A security administrator needs to ensure that all Azure subscriptions are automatically covered by Defender for Cloud's security policies. What should the administrator configure?

234

Refer to the exhibit. You are evaluating a custom Azure Policy definition. The policy is intended to audit whether users assigned to a management role have MFA enabled. However, the policy is not triggering alerts for non-compliant users. What is the most likely cause?

235

Your company is deploying Microsoft Defender for Office 365. The security team wants to automatically remove malicious attachments from emails before they reach user inboxes. Which protection feature should be configured?

236

An organization uses Microsoft Sentinel for SIEM. The security operations center (SOC) wants to automatically create an incident when a user account is compromised and suspicious activity is detected. Which Microsoft Sentinel feature should be used?

237

Refer to the exhibit. A security analyst in your SOC runs the provided KQL query in Microsoft Sentinel to identify users with repeated MFA or suspicious sign-in alerts. The query returns no results even though alerts exist. What is the most likely issue?

238

Your company wants to use Microsoft Purview to classify and protect sensitive data in Microsoft 365. The compliance team needs to automatically detect credit card numbers in emails and apply a label that encrypts the email. What should they configure?

239

An organization uses Microsoft Intune to manage devices. The security team wants to ensure that only devices with a minimum OS version and antivirus enabled can access corporate email. What should they configure?

240

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. The security team wants to automatically block the use of a newly discovered high-risk cloud app across all users. What is the most efficient approach?

241

A company wants to use Microsoft Entra ID (Azure AD) to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. Which security feature should they implement?

242

Which TWO of the following are capabilities of Microsoft Defender XDR? (Choose two.)

243

Which THREE capabilities are provided by Microsoft Purview? (Choose three.)

244

Which TWO of the following are features of Microsoft Sentinel? (Choose two.)

245

Your organization uses Microsoft Purview to label and protect sensitive data. The compliance team wants to automatically apply a 'Confidential' label to documents containing personally identifiable information (PII) stored in SharePoint Online. What should they create?

246

An organization is deploying Microsoft Intune for mobile device management. They need to ensure that all iOS devices must have a passcode of at least 6 characters and the device must be encrypted. What should they configure?

247

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to identify resources that are missing system updates. Which feature should they use?

248

Your organization uses Microsoft Entra ID and wants to automatically block sign-ins from users located in countries that are not approved for business operations. Which Microsoft Entra ID feature should you configure?

249

A security administrator needs to enforce that all Microsoft 365 documents containing credit card numbers are automatically encrypted before being shared externally. Which Microsoft Purview solution should they use?

250

Your organization is planning to deploy Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that logs from your network proxy servers are ingested. Which method should you use to connect the logs?

251

A company wants to allow users to reset their own passwords from the login screen without contacting IT. Which Microsoft Entra ID feature enables this?

252

Your organization uses Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from a single IP address within 5 minutes. Which rule type should you use?
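The scenario above is a threshold detection over a fixed time window, which is what a Scheduled analytics rule does: the rule runs the query on a schedule over a lookback window and fires when the result count passes a threshold. The KQL below is an added example written for this page, not a query from the question bank or from Microsoft; it assumes the Microsoft Entra ID sign-in logs connector is enabled so that the SigninLogs table is populated, and it treats a non-zero ResultType as a failed sign-in.

```kql
// Added example: Scheduled analytics rule query for "more than 10 failed sign-ins
// from one IP address within 5 minutes".
// Assumes the SigninLogs table (Entra ID sign-in logs connector) is present.
let threshold = 10;
let window = 5m;
SigninLogs
| where TimeGenerated > ago(window)       // the rule's own lookback setting does this too; kept so the query runs stand-alone
| where ResultType != "0"                 // ResultType is a string; "0" is success, anything else is a failure code
| summarize FailedCount = count(),
            Accounts = make_set(UserPrincipalName, 50),
            ErrorCodes = make_set(ResultType, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where FailedCount > threshold
| project FirstSeen, LastSeen, IPAddress, FailedCount, Accounts, ErrorCodes
```

To turn this into the rule the question asks for, create a Scheduled query rule, set "Run query every" and "Lookup data from the last" both to 5 minutes, leave the alert threshold at "greater than 0" results (the count check is already in the query), and map IPAddress to the IP entity and UserPrincipalName to the Account entity so the resulting incident carries the entities. One caveat: because each run only sees its own 5-minute lookback, a burst that straddles two runs is split across them; if that matters, lengthen the lookback and add bin(TimeGenerated, window) to the summarize key, accepting that overlapping runs may then raise the same alert twice.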

253

Refer to the exhibit. The KQL query is used in a Microsoft Sentinel analytics rule. What is the primary purpose of this rule?

254

Your organization wants to prevent users from installing unapproved apps on company-managed Windows devices. Which Microsoft Intune feature should you use?

255

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default filters. You need to create a custom mail flow rule to block similar emails based on specific keywords in the subject line. Which tool should you use?

256

Refer to the exhibit. You are reviewing a Microsoft Purview Information Protection policy in JSON format. The policy defines two sensitivity labels. What is the key difference between the 'Confidential' label and the 'Highly Confidential' label?

257

Which TWO Microsoft Purview solutions can help detect and prevent data exfiltration?

258

Which THREE capabilities are provided by Microsoft Defender for Cloud? (Choose three.)

259

Which TWO actions can be performed using Microsoft Entra Identity Governance? (Choose two.)

260

Refer to the exhibit. You run the Azure PowerShell command for a storage account. What is the current network access configuration?

261

Your organization needs to monitor and respond to security threats across on-premises, cloud, and hybrid environments. Which Microsoft solution provides a unified SIEM and SOAR capability?

262

Refer to the exhibit. You are reviewing an ARM template for an Azure resource. Assuming the resource is a Key Vault, what is the effect of the networkAcls configuration?

263

Your organization is deploying Microsoft Defender for Cloud Apps to protect against cloud app threats. You need to ensure that users are prompted for authentication when accessing a sanctioned cloud app from an unmanaged device. Which policy type should you configure?

264

Your company uses Microsoft Intune to manage devices. You need to ensure that only devices that are compliant with your security policies can access corporate email via Microsoft Outlook. What should you implement?

265

You are investigating an alert in Microsoft Sentinel. The exhibit shows the JSON output of an alert that was generated from a sign-in log. The alert is linked to an active incident. Which action should you take to prioritize the incident for investigation?

266

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers in emails to external recipients. Which DLP rule action should you configure?

267

Your company has Microsoft Defender for Office 365 and wants to configure anti-phishing policies to protect against spear-phishing attacks targeting executives. Which policy setting should you enable to provide the highest level of protection?

268

Your organization uses Microsoft Entra ID for identity management. You need to require multi-factor authentication (MFA) for all users when accessing the Azure portal. Which feature should you use?

269

Your company uses Microsoft Sentinel to centralize security event monitoring. You need to create a custom analytics rule that triggers an alert when a user account is created outside of business hours. Which rule type should you use?
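A time-of-day condition is the part of this scenario people get wrong, because AuditLogs timestamps are in UTC while "business hours" are local. The query below is an added example for this page, not from the question bank; it assumes the Entra ID audit logs connector is enabled (AuditLogs table), an 08:00 to 18:00, Monday to Friday working week, and a UtcOffset value that you set to your region (the 0h default is only a placeholder).

```kql
// Added example: Scheduled analytics rule query for user accounts created outside business hours.
// Assumes the AuditLogs table (Entra ID audit logs connector) is present.
let BusinessStart = 8;      // assumption: business day starts at 08:00 local time
let BusinessEnd = 18;       // assumption: business day ends at 18:00 local time
let UtcOffset = 0h;         // assumption: set to the organisation's offset from UTC, e.g. -5h for US Eastern standard time
AuditLogs
| where TimeGenerated > ago(1h)                               // match this to the rule's lookback
| where Category == "UserManagement" and OperationName == "Add user"
| extend LocalTime = TimeGenerated + UtcOffset
| extend Hour = hourofday(LocalTime), Day = dayofweek(LocalTime)   // dayofweek returns a timespan: 0d = Sunday, 6d = Saturday
| where Hour < BusinessStart or Hour >= BusinessEnd or Day == 0d or Day == 6d
| mv-expand TargetResources
| where tostring(TargetResources.type) == "User"
| extend NewUser   = tostring(TargetResources.userPrincipalName),
         Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))   // creation may come from a user or an app/service principal
| project TimeGenerated, LocalTime, Initiator, NewUser, Result, CorrelationId
```

Run it as a Scheduled rule on an hourly cadence with a one-hour lookback so each creation is seen exactly once. The coalesce on InitiatedBy matters in practice: provisioning from an HR system or a sync job shows up under InitiatedBy.app, not InitiatedBy.user, and those are usually the accounts you want to exclude with an allow-list rather than alert on.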

270

You are troubleshooting a Windows device that is reporting as non-compliant in Microsoft Intune. The exhibit shows the output of a PowerShell command run on the device. Based on the output, which component is likely misconfigured?

271

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all storage accounts have soft delete enabled to protect against accidental deletion. Which policy should you implement?

272

Which TWO capabilities are provided by Microsoft Defender for Cloud Apps?

273

Which THREE actions can Microsoft Sentinel perform as part of automated incident response using playbooks?

274

Which TWO features are part of Microsoft Defender XDR?

275

Your organization, Contoso Ltd., has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are deploying Microsoft Defender for Identity (MDI) to protect against identity-based attacks. You have installed the MDI sensor on domain controllers and configured the service with the necessary permissions. After installation, you notice that MDI is not generating alerts for pass-the-hash attacks. You have verified that the sensors are healthy and that audit policies are correctly configured. You need to ensure that MDI can detect pass-the-hash attacks. What should you do?

276

Your company, Fabrikam, uses Microsoft 365 and has Microsoft Purview Information Protection deployed. You need to protect sensitive documents labeled as 'Confidential' so that they cannot be printed or copied when opened in Microsoft Word. You have created a sensitivity label with the appropriate encryption settings. However, users report that they can still print and copy content from these documents. You verify that the label is published and assigned to the correct users. What should you configure to enforce the protection?

277

Your organization, Northwind Traders, uses Microsoft Intune to manage Windows 10 devices. You have created a compliance policy that requires devices to have BitLocker enabled. After assigning the policy, you notice that some devices are reporting as non-compliant due to BitLocker not being enabled. You have verified that the devices support BitLocker and that the policy is correctly assigned. You need to ensure that BitLocker is enabled on these devices automatically. What should you do?

278

Your organization uses Microsoft Defender for Cloud to protect Azure virtual machines. You need to ensure that critical vulnerabilities identified on the VMs are automatically remediated using a just-in-time patching mechanism. What should you configure?

279

A company uses Microsoft Sentinel for security information and event management (SIEM). The security team needs to detect and automatically respond to a potential privilege escalation attack where an attacker attempts to add a new user to the Global Administrator role in Microsoft Entra ID. What should the security team configure?
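The detection half of this scenario lives in the Entra ID audit log, where a role assignment is recorded as a RoleManagement operation whose target user carries a Role.DisplayName modified property. The query below is an added example for this page, not from the question bank or a Microsoft template; it assumes the AuditLogs table is populated by the Entra ID audit logs connector, and it covers both a direct assignment and a PIM eligible assignment or activation.

```kql
// Added example: Scheduled analytics rule query for a user being added to the Global Administrator role.
// Assumes the AuditLogs table (Entra ID audit logs connector) is present.
AuditLogs
| where TimeGenerated > ago(1h)                               // match this to the rule's lookback
| where Category == "RoleManagement"
| where OperationName in~ ("Add member to role",
                           "Add eligible member to role",
                           "Add member to role completed (PIM activation)")
| mv-expand TargetResources                                   // one row per target; the role and the user are separate targets
| where tostring(TargetResources.type) == "User"
| mv-expand Prop = TargetResources.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))        // newValue is a JSON-encoded string, so strip the surrounding quotes
| where RoleName =~ "Global Administrator"
| extend TargetUser = tostring(TargetResources.userPrincipalName),
         Initiator  = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                               tostring(InitiatedBy.app.displayName))
| project TimeGenerated, OperationName, Initiator, TargetUser, RoleName, Result, CorrelationId
```

Detection alone is only half of what the question asks for. Attach the rule to an automation rule whose trigger is "When incident is created" for this analytics rule and whose action runs a playbook (a Logic App) that, for example, revokes the target user's sessions and opens a ticket; the analytics rule produces the incident, the automation rule decides what runs, and the playbook performs the response. Map TargetUser and Initiator to Account entities so the playbook receives them as incident entities rather than having to parse the alert.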

280

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to prevent users from sharing sensitive credit card numbers via email. The DLP policy must trigger automatically when a user attempts to send an email containing a credit card number. Which DLP configuration should you use?

281

A company uses Microsoft Intune to manage its devices. The security team wants to enforce that all devices running Windows 11 must have BitLocker enabled and a minimum operating system build version. Which Intune policy type should they use?

282

Your organization uses Microsoft Defender XDR. You need to investigate a potential lateral movement attack where a compromised user account is used to access multiple workstations. Which feature should you use to visualize the attack path?

283

A company uses Microsoft Purview to classify and label data. The compliance team needs to automatically apply a 'Highly Confidential' sensitivity label to any document containing a passport number that is stored in SharePoint Online. The label should also encrypt the document. What should the compliance team configure?

284

Your organization wants to enable passwordless authentication for users. Which Microsoft Entra ID feature should you use?

285

A security analyst in your organization receives an alert from Microsoft Defender XDR indicating that a user's device may be infected with ransomware. The analyst needs to immediately isolate the device from the network to prevent further spread. What should the analyst do?

286

Your company uses Microsoft 365 Copilot to assist employees with drafting emails and documents. The security team needs to ensure that when Copilot accesses sensitive data, it respects the organization's sensitivity labels and does not expose highly confidential information to unauthorized users. What should the security team configure?

287

Your organization is planning to use Microsoft Sentinel as a SIEM solution. Which TWO of the following are required components for Sentinel? (Select TWO.)

288

A company uses Microsoft Purview Data Lifecycle Management. To comply with regulatory requirements, the company must retain financial records for 7 years and then delete them. Which THREE actions should the company configure? (Select THREE.)

289

Your organization wants to implement a Zero Trust security model. Which TWO principles are part of the Zero Trust model? (Select TWO.)

290

Your organization, Contoso Ltd., uses Microsoft 365 and Microsoft Defender XDR. You are a security administrator. Recently, a user named John Doe reported that his account is sending phishing emails internally. You suspect his account is compromised. You need to contain the threat immediately while preserving forensic data. The company has the following security solutions: Microsoft Entra ID P2, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Sentinel, and Microsoft Purview. You need to prevent the compromised account from causing further damage. Which action should you take first?

291

You are a compliance officer at a healthcare organization that uses Microsoft 365. The organization must comply with HIPAA regulations. You have Microsoft Purview, Microsoft Defender for Cloud Apps, and Microsoft Intune. You need to ensure that all devices accessing patient health information (PHI) are compliant with the organization's security policies, which require device encryption, a minimum OS version, and the use of a compliant mobile device management (MDM) provider. Currently, some devices are not managed by Intune. You need to enforce that only compliant devices can access PHI stored in SharePoint Online. What should you do?

292

Your company is adopting Microsoft Copilot for Microsoft 365 to improve productivity. The security team is concerned about data leakage, as Copilot can access emails, documents, and other content. You need to ensure that sensitive data, such as credit card numbers and social security numbers, is not inadvertently exposed by Copilot. The organization uses Microsoft Purview sensitivity labels and DLP. You need to configure a solution that automatically detects and prevents Copilot from accessing or generating content containing these sensitive data types. What should you do?

293

Your organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. You discover that a user is accessing a sanctioned app from an unmanaged device. You need to ensure that when users access this app from unmanaged devices, they are prompted for additional authentication and their session is monitored. What should you configure?

294

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive information. You need to create a policy that prevents users from sharing credit card numbers via email, but allows them to share internally with other employees. The policy should also notify the user when an attempt is made to share externally. What should you configure?

295

Which TWO of the following are capabilities of Microsoft Defender for Cloud?

296

Which THREE of the following are features of Microsoft Purview Communication Compliance?

297

Which TWO of the following are capabilities of Microsoft Defender for Office 365?

298

You are reviewing a Microsoft Purview DLP policy configuration as shown in the exhibit. What is the expected behavior when a user sends an email containing a credit card number to an external recipient?

299

You are a security administrator for a company that uses Microsoft 365. The company has a Microsoft Purview Data Loss Prevention (DLP) policy that blocks sharing of Social Security Numbers (SSNs) externally. Recently, a user accidentally sent an email containing SSNs to an external partner after overriding the policy by selecting a business justification. Management wants to prevent users from overriding the policy for SSNs. You need to update the DLP policy to ensure that users cannot override the block for SSNs. What should you do?

300

Your organization has implemented Microsoft Defender for Cloud to protect Azure resources. You are responsible for security posture management. You need to ensure that all Azure VMs have the latest security updates installed. You have enabled automatic VM patching via Azure Update Manager. However, some VMs are not receiving updates because they are not registered with the Update Manager. You need to identify which VMs are missing updates and ensure they are patched. What should you do?

Practice all 300 Describe the capabilities of Microsoft security solutions questions

Other SC-900 exam domains

Describe the capabilities of Microsoft Entra
Describe the capabilities of Microsoft compliance solutions
Describe the concepts of security, compliance, and identity

Frequently asked questions

What does the Describe the capabilities of Microsoft security solutions domain cover on the SC-900 exam?

The Describe the capabilities of Microsoft security solutions domain covers the key concepts tested in this area of the SC-900 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-900 domains — no account required.

How many Describe the capabilities of Microsoft security solutions questions are in the SC-900 question bank?

The Courseiva SC-900 question bank contains 300 questions in the Describe the capabilities of Microsoft security solutions domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Describe the capabilities of Microsoft security solutions for SC-900?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Describe the capabilities of Microsoft security solutions questions for SC-900?

Yes — the session launcher on this page draws questions exclusively from the Describe the capabilities of Microsoft security solutions domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
