© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Microsoft · Free Practice Questions · Last reviewed May 2026

SC-900 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.

50 exam questions
60 min time limit
Pass mark: 700/1000
4 exam domains
Exam domains:
1. Describe the capabilities of Microsoft Entra
2. Describe the capabilities of Microsoft security solutions
3. Describe the capabilities of Microsoft compliance solutions
4. Describe the concepts of security, compliance, and identity
Domain 1: Describe the capabilities of Microsoft Entra

Q1 (medium)

A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?

A. Identity Protection
B. Conditional Access (correct)
C. Privileged Identity Management (PIM)
D. Self-Service Password Reset (SSPR)

B: Conditional Access allows administrators to define policies that grant or block access based on conditions such as network location, requiring MFA when outside the corporate network.

Why: Conditional Access is the correct choice because it allows administrators to define policies that enforce multi-factor authentication (MFA) based on specific conditions, such as network location. In this scenario, a Conditional Access policy can be configured to require MFA only when users access the financial application from outside the corporate network, using the 'Locations' condition to distinguish trusted IP ranges from external sign-ins. This granular control directly addresses the requirement without affecting internal access.
Q2 (hard)

An organization uses Microsoft Entra ID Protection. A user's sign-in is flagged with a risk level of 'High' because of an anonymous IP address. The administrator wants to automatically block the sign-in while allowing the user to self-remediate. Which should be configured?

A. A Conditional Access policy requiring MFA for high-risk sign-ins
B. A user risk policy configured to require a password change
C. A sign-in risk policy configured to block access (correct)
D. An MFA registration policy for all users

C: Sign-in risk policies in Identity Protection can block sign-ins based on risk level (e.g., High). The user can later remediate their account via a user risk policy.

Why: A sign-in risk policy in Microsoft Entra ID Protection can be configured to automatically block access when a sign-in is detected as high risk (e.g., from an anonymous IP address). This policy operates at the sign-in level, allowing the administrator to block the sign-in while still enabling the user to self-remediate (e.g., by signing in again after the risk is mitigated). Option C directly matches this requirement.
Q3 (medium)

A company manages Azure resources for multiple departments. The security team needs to grant IT administrators temporary, just-in-time access to high-privilege roles (e.g., Contributor, Owner) only when needed, with approval workflows. Which Microsoft Entra ID capability should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM) (correct)
D. Entitlement Management (Identity Governance)

C: PIM provides time-based and approval-based role activation to manage, control, and monitor access to privileged resources. It supports just-in-time access for elevated roles.

Why: Privileged Identity Management (PIM) is the correct Microsoft Entra ID capability because it provides just-in-time (JIT) activation of high-privilege roles like Contributor and Owner, with time-bound activation and approval workflows. PIM allows administrators to request temporary elevation to a role, which must be approved by designated approvers, and the access automatically expires after the specified duration. This directly addresses the requirement for temporary, approval-based access to privileged roles.
Q4 (hard)

A company uses Microsoft Entra ID and needs to regularly review membership of a group that grants access to a sensitive HR application. The identity team wants to automate quarterly reviews and automatically remove users who fail to respond or are denied by the reviewer. Which Microsoft Entra ID feature should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Access Reviews (correct)

D: Access Reviews enables administrators to create recurring reviews of group memberships, application access, and role assignments. Unresponsive or denied users can be automatically removed based on review settings.

Why: Option D is correct because Microsoft Entra Access Reviews are specifically designed to automate periodic attestation of group memberships, including the ability to automatically remove users who do not respond or are denied by the reviewer. This feature supports quarterly recurring reviews and integrates directly with Entra ID groups to enforce access governance for sensitive applications.
Q5 (medium)

A company uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) only for external guest users, while allowing internal employees to sign in without MFA. Which Conditional Access setting should be configured?

A. Require MFA for all users
B. Exclude internal users by group
C. Target the 'Guest or external users' identity type (correct)
D. Use Identity Protection's user risk policy

C: Conditional Access policies allow targeting specific identity types, including 'Guest or external users'. This ensures the MFA requirement applies only to external users.

Why: Option C is correct because Conditional Access allows targeting the 'Guest or external users' identity type, which enables MFA enforcement exclusively for external guest users without affecting internal employees. This setting leverages the user type attribute in Microsoft Entra ID to differentiate between internal and external identities, providing granular control over authentication requirements.
Q6 (medium)

A company wants to block all sign-ins using legacy authentication protocols because these protocols do not support multi-factor authentication (MFA). Which component of a Microsoft Entra ID Conditional Access policy should be configured to achieve this?

A. Cloud apps or actions
B. Conditions (Client apps) (correct)
C. Grant
D. Session

B: The Conditions section includes a Client apps filter that can block legacy authentication protocols, effectively enforcing the use of modern authentication clients.

Why: To block legacy authentication protocols, you configure the 'Client apps' condition in a Conditional Access policy. This setting allows you to target specific authentication clients, such as Exchange ActiveSync, POP3, IMAP, and SMTP, which do not support MFA. By selecting 'Exchange ActiveSync clients' and 'Other clients' under the Client apps condition, you can enforce a block on all sign-ins using these legacy protocols.


Domain 2: Describe the capabilities of Microsoft security solutions

Q1 (easy)

A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?

A. Regulatory compliance dashboard (correct)
B. Secure Score
C. Azure Policy
D. Microsoft Sentinel

A: This dashboard directly provides compliance assessments against industry standards like CIS and NIST, showing which controls pass or fail.

Why: The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a consolidated view of compliance with industry standards like CIS and NIST. It continuously assesses Azure resources against built-in compliance frameworks and displays the results in a dashboard, showing which controls are passing or failing. This directly meets the administrator's need to view a consolidated assessment of compliance with those specific standards.
Q2 (medium)

An organization uses Microsoft 365 Defender. The security team receives an alert about a potential malware outbreak on multiple endpoints, and they need an integrated view that correlates signals from various Microsoft security solutions. Which Microsoft 365 Defender portal component provides this unified view?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender portal (security.microsoft.com) (correct)
C. Azure Sentinel
D. Microsoft Defender for Identity

B: This portal provides a unified view of threats across endpoints, email, identities, and apps, with integrated incident response.

Why: The Microsoft 365 Defender portal (security.microsoft.com) is the correct answer because it provides a unified view of alerts and incidents across Microsoft 365 Defender components, including Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This integrated correlation enables security teams to see the full scope of a potential malware outbreak across multiple endpoints by combining signals from these solutions into a single incident timeline.
Q3 (easy)

A security team is evaluating Microsoft security solutions to monitor user activities across multiple SaaS applications, including Salesforce and Dropbox, for signs of compromised accounts and data exfiltration. Which solution is specifically designed for this purpose?

A. Microsoft Defender for Cloud Apps (correct)
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft 365 Defender

A: Defender for Cloud Apps is designed as a CASB to monitor and protect SaaS applications like Salesforce and Dropbox from threats such as compromised accounts and data exfiltration.

Why: Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides deep visibility, data classification, and threat detection across SaaS applications like Salesforce and Dropbox. It uses behavioral analytics and anomaly detection to identify compromised accounts and data exfiltration by monitoring user activities and applying policies such as activity policies and app governance.
Q4 (medium)

A company manages Azure virtual machines and on-premises servers. The security team needs a single dashboard that provides a secure score and actionable recommendations to improve the security posture across both environments. Which Microsoft solution should be used?

A. Microsoft 365 Defender portal
B. Microsoft Defender for Cloud (correct)
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps

B: Defender for Cloud delivers security posture management with secure score and recommendations for Azure, on-premises, and multi-cloud environments.

Why: Microsoft Defender for Cloud provides a unified dashboard that displays a secure score and actionable recommendations for Azure virtual machines, on-premises servers, and other cloud workloads. It integrates with Azure Arc to extend security monitoring to on-premises resources, enabling a single view of security posture across hybrid environments.
Q5 (hard)

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

A. Microsoft Defender for Endpoint (correct)
B. Microsoft Defender for Cloud
C. Microsoft Defender for Office 365 (correct)
D. Microsoft Sentinel

A: Defender for Endpoint is a core component of Microsoft 365 Defender, providing endpoint security and threat detection.

C: Defender for Office 365 is included in Microsoft 365 Defender, protecting email and collaboration tools.

Why: Microsoft 365 Defender is an integrated threat protection suite that unifies detection and response across an organization's Microsoft 365 environment. It includes Microsoft Defender for Endpoint, which provides endpoint detection and response (EDR) capabilities for devices, and Microsoft Defender for Office 365, which protects against email, phishing, and collaboration threats. These two components work together within the Microsoft 365 Defender portal to correlate alerts and automate response across endpoints and Office 365 workloads.
Q6 (hard)

A security analyst is using Microsoft 365 Defender to investigate a sophisticated multi-stage attack. The analyst needs to query data across endpoints, email, and identity logs to identify the attacker's behavior patterns and correlate events. Which Microsoft 365 Defender capability should the analyst use?

A. Automated investigation and response
B. Threat analytics
C. Advanced hunting (correct)
D. Action center

C: Advanced hunting uses KQL to query raw data from multiple Microsoft 365 Defender components, enabling custom threat hunting and correlation across data sources.

Why: Advanced hunting is the correct capability because it provides a Kusto Query Language (KQL)-based query interface that allows the security analyst to perform custom, cross-domain searches across data from endpoints (Microsoft Defender for Endpoint), email (Microsoft Defender for Office 365), and identity logs (Microsoft Defender for Identity). This enables the correlation of events and identification of attacker behavior patterns across a multi-stage attack, which is not possible with the other options.


Domain 3: Describe the capabilities of Microsoft compliance solutions

Q1 (medium)

A healthcare organization uses Microsoft Purview to protect patient health information (PHI). They need to identify sensitive data stored in Microsoft SharePoint Online and prevent unauthorized sharing. Which two Purview solutions should they implement? (Select all that apply.)

A. Data Classification (correct)
B. Data Loss Prevention (DLP) (correct)
C. Insider Risk Management
D. Communication Compliance

A: Data Classification (including automatic sensitivity labeling) helps identify and label PHI content in SharePoint Online.

B: DLP policies can detect and prevent unauthorized sharing of files containing PHI, such as through external sharing links.

Why: Data Classification (A) is correct because it enables the organization to identify and label sensitive data, such as PHI, stored in SharePoint Online. By applying sensitivity labels or retention labels, the organization can classify content based on its sensitivity, which is a prerequisite for applying protective actions. This allows them to discover where PHI resides and prepare it for further controls.
Q2 (hard)

A multinational corporation must comply with the General Data Protection Regulation (GDPR). They use Microsoft Purview Compliance Manager to manage compliance activities. The compliance manager wants to automatically assign each control to the appropriate team member for remediation. What should they configure?

A. Create new assessments for each regulation
B. Configure improvement actions with owners (correct)
C. Set up connectors to import external risk data
D. Use the Microsoft 365 admin center to delegate tasks

B: Improvement actions represent individual controls that can be assigned to an owner for remediation, enabling automatic assignment and tracking.

Why: To automatically assign each control to the appropriate team member for remediation in Microsoft Purview Compliance Manager, you must configure improvement actions with owners. Each improvement action can be assigned to a specific user who is responsible for implementing the remediation steps, and this assignment triggers automatic notifications and tracking within the compliance score.
Q3 (medium)

A company is subject to a legal hold for an ongoing investigation. The IT administrator must prevent the deletion of any documents related to this case across SharePoint Online and OneDrive, overriding any existing deletion policies. Which Microsoft Purview capability should the administrator use?

A. Data Lifecycle Management
B. eDiscovery (Premium) (correct)
C. Audit (Premium)
D. Communication Compliance

B: eDiscovery (Premium) allows administrators to place holds on content locations, preventing deletion for the duration of a legal case, overriding any existing deletion policies.

Why: eDiscovery (Premium) is the correct choice because it provides legal hold capabilities that can preserve content in SharePoint Online and OneDrive for Business, overriding any deletion policies. When a legal hold is applied via eDiscovery, the system places a hold on the specified locations, preventing permanent deletion or modification of documents until the hold is released. This directly addresses the requirement to prevent deletion of case-related documents during an ongoing investigation.
Q4 (medium)

A company wants to automatically apply a 'Confidential' sensitivity label to any document that contains a credit card number, and also encrypt the document as part of the label. Which two components must be configured to achieve this? (Choose two.)

A. A sensitivity label with encryption settings (correct)
B. A DLP policy that detects sensitive info
C. An auto-labeling policy (correct)
D. A data classification dashboard

A: The sensitivity label must define the protection (encryption) that will be applied to documents containing credit card numbers.

C: The auto-labeling policy applies the sensitivity label automatically to documents that match specified conditions (e.g., containing a credit card number).

Why: Option A is correct because a sensitivity label must include encryption settings to automatically encrypt documents when the label is applied. The encryption is configured within the label's protection settings, which defines how content is protected (e.g., with a predefined template or user-defined permissions). Without encryption configured in the label, the automatic application would only assign the label without encrypting the document.
Q5 (medium)

A company must retain all customer contracts for 10 years to comply with industry regulations. After 10 years, the contracts must be permanently deleted. Which Microsoft Purview solution should be used to automate this process?

A. Data Loss Prevention (DLP)
B. Data Lifecycle Management (correct)
C. eDiscovery
D. Information Protection

B: Data Lifecycle Management provides retention labels and policies to automatically retain data for a defined period and then delete it, meeting the regulatory requirement.

Why: Data Lifecycle Management (DLM) in Microsoft Purview is the correct solution because it allows you to define retention labels and policies that automatically retain contracts for a specified period (10 years) and then trigger a permanent deletion disposition review or direct deletion. This aligns directly with the regulatory requirement to retain data for a fixed duration and then dispose of it securely.
Q6 (medium)

A healthcare organization uses Microsoft 365 and wants to prevent users from sending emails that contain patient health information (PHI) to external recipients. Which Microsoft Purview solution should they implement?

A. Data Lifecycle Management
B. Data Loss Prevention (DLP) (correct)
C. Insider Risk Management
D. eDiscovery

B: DLP policies can inspect content in emails and files for sensitive data, and then block or warn users according to the configured rules.

Why: Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and prevent the unauthorized sharing of sensitive data, such as patient health information (PHI), via email and other channels. DLP policies can be configured with sensitive information types (e.g., HIPAA-defined PHI patterns) to automatically block or warn users when they attempt to send such data to external recipients.


Domain 4: Describe the concepts of security, compliance, and identity

Q1 (easy)

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

A. Confidentiality
B. Integrity (correct)
C. Availability
D. Non-repudiation

B: Integrity ensures that data remains accurate and unaltered by unauthorized parties, preventing tampering.

Why: The principle of integrity ensures that data remains accurate and unaltered during storage, processing, or transmission, except by authorized entities. In the context of information security, integrity is specifically concerned with preventing unauthorized modification, deletion, or creation of data. This is often enforced through mechanisms such as hashing (e.g., SHA-256), digital signatures, and checksums (e.g., CRC32) that detect any tampering.
Q2 (medium)

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

A. Patching the physical servers hosting the database
B. Managing access controls and authentication for database users (correct)
C. Securing the hypervisor running the virtual machines
D. Hardening the network firewalls at the datacenter perimeter

B: The customer retains responsibility for managing user identities, permissions, and authentication to the database.

Why: In the shared responsibility model for Azure SQL Database, Microsoft manages the physical infrastructure, including servers, storage, and network, while the customer is responsible for data and access management. Option B is correct because managing access controls and authentication for database users, such as configuring logins, users, and permissions via T-SQL or Azure Active Directory, falls squarely on the customer. Microsoft ensures the platform is patched and secure, but the customer must control who can access the database and what they can do.
Q3 (easy)

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

A. Defense in Depth
B. Zero Trust (correct)
C. Least Privilege
D. Shared Responsibility

B: Zero Trust is based on the principle of 'never trust, always verify,' assumes breach, and verifies every access request regardless of location or network.

Why: Zero Trust is the correct model because it explicitly assumes breach, eliminates implicit trust, and requires continuous validation of every access request. This aligns with the core Zero Trust principle of 'never trust, always verify,' which mandates that no user, device, or network is trusted by default, even if they are inside the corporate perimeter.
Q4 (medium)

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS) (correct)
D. On-premises

C: In IaaS, the customer manages the virtual machines, operating systems, applications, and data, while the provider manages the physical hosts and network. This gives the customer the most security responsibility among cloud service models.

Why: In the Infrastructure as a Service (IaaS) model, the customer is responsible for securing the operating system, applications, data, and network configurations, while Microsoft only secures the physical datacenter, host servers, and hypervisor. This gives the customer the most security responsibility compared to PaaS or SaaS, where Microsoft manages more of the stack.
Q5 (hard)

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

A. Verify explicitly (correct)
B. Least privilege access (correct)
C. Assume breach (correct)
D. Network segmentation

A: This principle states that every access request must be fully authenticated, authorized, and encrypted before granting access.

B: This principle ensures users are granted only the minimum necessary access to perform their tasks, aligning with the requirement to grant access only to necessary resources.

C: Assume breach means minimizing the blast radius and segmenting access to limit damage if a breach occurs, supporting continuous verification and encryption.

Why: Option A is correct because the 'Verify explicitly' principle of Zero Trust requires that every access request must be fully authenticated, authorized, and encrypted before granting access. This means using strong authentication mechanisms (e.g., multifactor authentication) and continuous validation of identity and device health, not just relying on network location or implicit trust.
Q6 (easy)

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

A. Integrity
B. Availability
C. Confidentiality (correct)
D. Non-repudiation

C: Confidentiality is the principle of limiting access to data only to those who are authorized, which directly matches the requirement.

Why: The principle of confidentiality ensures that information is accessible only to authorized individuals or systems. In this scenario, restricting access to customer data to only authorized sales representatives aligns with maintaining confidentiality. The other options are incorrect: Integrity ensures data is not improperly modified, Availability ensures systems are operational, and Non-repudiation ensures actions cannot be denied.


Frequently asked questions

How many questions are on the SC-900 exam?

The SC-900 exam has 50 questions and must be completed in 60 minutes. The passing score is 700/1000.

What types of questions appear on the SC-900 exam?

Conceptual questions on security, compliance, and identity concepts in Microsoft and Azure environments.

How are SC-900 questions organised by domain?

The exam covers 4 domains: Describe the capabilities of Microsoft Entra, Describe the capabilities of Microsoft security solutions, Describe the capabilities of Microsoft compliance solutions, Describe the concepts of security, compliance, and identity. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SC-900 exam questions?

No. These are original exam-style practice questions written against the official Microsoft SC-900 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
