Microsoft · Free Practice Questions · Last reviewed May 2026

SC-900 Exam Questions and Answers

24 exam-style practice questions (six from each of the four domains, drawn from the full set of 60) organised by domain, each with the correct answer highlighted and a plain-English explanation of why it is right and why the other options are wrong.

60 exam questions
60 min time limit
Pass at 700 / 1000
4 exam domains

Domain 1: Describe the concepts of security, compliance, and identity

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

A

Confidentiality

B

Integrity

Integrity ensures that data remains accurate and unaltered by unauthorized parties, preventing tampering.

C

Availability

D

Non-repudiation

Why: Integrity is the principle that protects data from unauthorized modification. Confidentiality protects against unauthorized disclosure, availability ensures data is accessible when needed, and non-repudiation prevents denial of actions.

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

A

Patching the physical servers hosting the database

B

Managing access controls and authentication for database users

The customer retains responsibility for managing user identities, permissions, and authentication to the database.

C

Securing the hypervisor running the virtual machines

D

Hardening the network firewalls at the datacenter perimeter

Why: Whatever the service model, the customer always keeps responsibility for its data, its identities and accounts, and who may access what. For a PaaS service such as Azure SQL Database, Microsoft patches the physical hosts, secures the hypervisor and hardens the datacenter network, while the customer decides who can authenticate to the database and what they can do once connected: logins, database roles and permissions, and preferably Microsoft Entra authentication instead of SQL passwords.

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

A

Defense in Depth

B

Zero Trust

Zero Trust is based on the principle of 'never trust, always verify,' assumes breach, and verifies every access request regardless of location or network.

C

Least Privilege

D

Shared Responsibility

Why: Zero Trust is the model that assumes breach and verifies every access request explicitly, removing the implicit trust that used to come from being on the corporate network. Defense in Depth layers controls but does not by itself require continuous verification. Least privilege is one of Zero Trust's three guiding principles rather than a model of its own. The shared responsibility model describes how security duties are split between a cloud provider and its customer.

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

A

Software as a Service (SaaS)

B

Platform as a Service (PaaS)

C

Infrastructure as a Service (IaaS)

In IaaS, the customer manages the virtual machines, operating systems, applications, and data, while the provider manages the physical hosts and network. This gives the customer the most security responsibility among cloud service models.

D

On-premises

Why: Responsibility shifts toward Microsoft as you move from IaaS to PaaS to SaaS, so the customer's share shrinks in that order. On-premises is not a cloud service model (there the customer owns the whole stack). In IaaS the customer still manages the operating system, network controls, applications, identity infrastructure and data, while Microsoft manages the physical hosts, physical network and datacenter.

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

A

Verify explicitly

Correct. This principle states that every access request must be fully authenticated, authorized, and encrypted before granting access.

B

Least privilege access

Correct. This principle ensures users are granted only the minimum necessary access to perform their tasks, aligning with the requirement to grant access only to necessary resources.

C

Assume breach

Correct. Assume breach means minimizing the blast radius and segmenting access to limit damage if a breach occurs, supporting continuous verification and encryption.

D

Network segmentation

Why: The Zero Trust model is based on three guiding principles: Verify explicitly (always authenticate and authorize based on all available data points), Least privilege access (limit user access with just-in-time and just-enough-access, and enforce policies), and Assume breach (minimize blast radius, segment access, and verify end-to-end encryption). Network segmentation is a common tactic derived from 'Assume breach,' but it is not one of the three core principles.

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

A

Integrity

B

Availability

C

Confidentiality

Confidentiality is the principle of limiting access to data only to those who are authorized, which directly matches the requirement.

D

Non-repudiation

Why: The principle of confidentiality ensures that information is accessible only to authorized individuals or systems. In this scenario, restricting access to customer data to only authorized sales representatives aligns with maintaining confidentiality. The other options are incorrect: Integrity ensures data is not improperly modified, Availability ensures systems are operational, and Non-repudiation ensures actions cannot be denied.

Domain 2: Describe the capabilities of Microsoft Entra

A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?

A

Identity Protection

B

Conditional Access

Conditional Access allows administrators to define policies that grant or block access based on conditions such as network location, requiring MFA when outside the corporate network.

C

Privileged Identity Management (PIM)

D

Self-Service Password Reset (SSPR)

Why: Conditional Access policies evaluate signals like location, device, and risk to enforce access controls. A policy can require MFA when a user is not on the corporate network, meeting the requirement.

An organization uses Microsoft Entra ID Protection. A user's sign-in is flagged with a risk level of 'High' because of an anonymous IP address. The administrator wants to automatically block the sign-in while allowing the user to self-remediate. Which should be configured?

A

A Conditional Access policy requiring MFA for high-risk sign-ins

B

A user risk policy configured to require a password change

C

A sign-in risk policy configured to block access

A sign-in risk policy in Identity Protection blocks sign-ins at or above the chosen risk level (here, High). Self-remediation then comes from the companion user risk policy, which requires a secure password change at the user's next allowed sign-in.

D

An MFA registration policy for all users

Why: A sign-in risk policy blocks sign-ins that reach the configured risk level, so the anonymous-IP attempt never completes. A block on its own leaves the user nothing to remediate; self-remediation comes from a user risk policy that requires a password change (after MFA) the next time the user signs in from a non-risky context, which also clears the elevated user risk. Option A would let the sign-in proceed once MFA is passed rather than block it. Microsoft's current guidance is to express both responses as risk-based Conditional Access policies, which offer the same sign-in risk and user risk conditions.

A company manages Azure resources for multiple departments. The security team needs to grant IT administrators temporary, just-in-time access to high-privilege roles (e.g., Contributor, Owner) only when needed, with approval workflows. Which Microsoft Entra ID capability should they configure?

A

Conditional Access

B

Identity Protection

C

Privileged Identity Management (PIM)

PIM provides time-based and approval-based role activation to manage, control, and monitor access to privileged resources. It supports just-in-time access for elevated roles.

D

Entitlement Management (Identity Governance)

Why: Privileged Identity Management (PIM) provides time-bound, approval-based activation of eligible role assignments, with justification, MFA on activation and an audit trail, for Microsoft Entra roles, Azure resource roles and PIM for Groups. Conditional Access enforces policy at sign-in but does not manage role activation. Identity Protection detects and responds to identity risk. Entitlement Management packages access for request and approval but is not built for just-in-time activation of privileged roles.

A company uses Microsoft Entra ID and needs to regularly review membership of a group that grants access to a sensitive HR application. The identity team wants to automate quarterly reviews and automatically remove users who fail to respond or are denied by the reviewer. Which Microsoft Entra ID feature should they use?

A

Conditional Access

B

Identity Protection

C

Privileged Identity Management (PIM)

D

Access Reviews

Access Reviews enables administrators to create recurring reviews of group memberships, application access, and role assignments. Unresponsive or denied users can be automatically removed based on review settings.

Why: Access Reviews is designed specifically for periodic attestation of access to groups, applications, and roles, with settings to automatically remove users who do not respond or are denied. Conditional Access controls access based on conditions but does not conduct reviews. Identity Protection detects risks. Privileged Identity Management (PIM) manages privileged role activations and can include reviews for privileged roles, but for general group membership reviews, Access Reviews is the appropriate feature.

A company uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) only for external guest users, while allowing internal employees to sign in without MFA. Which Conditional Access setting should be configured?

A

Require MFA for all users

B

Exclude internal users by group

C

Target the 'Guest or external users' identity type

Conditional Access policies allow targeting specific identity types, including 'Guest or external users'. This ensures the MFA requirement applies only to external users.

D

Use Identity Protection's user risk policy

Why: Conditional Access policies can be scoped to specific user types. By targeting the 'Guest or external users' identity type, the policy applies only to external users, leaving internal users unaffected. This is more precise than excluding or including groups and avoids unintended impacts.

A company wants to block all sign-ins using legacy authentication protocols because these protocols do not support multi-factor authentication (MFA). Which component of a Microsoft Entra ID Conditional Access policy should be configured to achieve this?

A

Cloud apps or actions

B

Conditions (Client apps)

The Conditions section includes a Client apps setting that selects legacy authentication clients; paired with a Block access grant, it forces the use of modern authentication clients.

C

Grant

D

Session

Why: In a Conditional Access policy, the Conditions component includes a Client apps setting whose 'Exchange ActiveSync clients' and 'Other clients' entries select legacy authentication: IMAP, POP3, authenticated SMTP and older Office clients that use basic authentication, none of which can complete an MFA challenge. Pairing that condition with the Grant control 'Block access' blocks them while modern authentication clients (browser, mobile apps and desktop clients) are unaffected. The other options are incorrect: Cloud apps or actions selects which applications the policy covers, Grant controls decide what happens once the conditions match, and Session controls shape the session after sign-in. As with any block policy, exclude your emergency access account and run it in report-only mode first.
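The three Conditional Access questions above (MFA outside the corporate network, MFA for guests only, blocking legacy authentication) and the risk response from the Identity Protection question all come down to the same policy object. As an added example that is not part of the original page, here are those policies built with the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy). The object IDs in angle brackets, the application name and the choice to start in report-only mode are assumptions; the property names and enum values are those of the Graph conditionalAccessPolicy resource.

```powershell
# Added example, not from the original page. Conditional Access policies for the questions
# above, created with the Microsoft Graph PowerShell SDK. Values in angle brackets are
# placeholders you must replace; "All" and "AllTrusted" are real Graph values.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# MFA for the finance app only when the sign-in comes from outside the corporate network:
# all locations minus the named locations marked as trusted.
$mfaOffNetwork = @{
    displayName   = "Finance app: require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # never lock out the emergency account
        }
        applications = @{ includeApplications = @("<finance-app-client-id>") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# MFA for guest and external users only. Members are never in scope, so nothing is excluded.
$mfaGuestsOnly = @{
    displayName   = "Guests and external users: require MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
                externalTenants          = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Block legacy authentication. The clientAppTypes condition selects the legacy clients
# (Exchange ActiveSync and "other": IMAP/POP/SMTP AUTH and basic-auth Office clients);
# the grant control then blocks them. "browser" and "mobileAppsAndDesktopClients" are untouched.
$blockLegacyAuth = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# The Identity Protection response as a risk-based Conditional Access policy: block sign-ins
# scored High. Pair it with a userRiskLevels policy granting "passwordChange" for self-remediation.
$blockHighSignInRisk = @{
    displayName   = "Block high-risk sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in $mfaOffNetwork, $mfaGuestsOnly, $blockLegacyAuth, $blockHighSignInRisk) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0,-55} {1}" -f $created.DisplayName, $created.Id
}

# Check what was stored, and that nothing is enforcing yet, before flipping state to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Report-only mode writes the would-be outcome into the sign-in logs for each policy, which is how you find out whether the trusted named locations actually cover your egress IPs before anyone is prompted or blocked.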

Domain 3: Describe the capabilities of Microsoft security solutions

A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?

A

Regulatory compliance dashboard

This dashboard directly provides compliance assessments against industry standards like CIS and NIST, showing which controls pass or fail.

B

Secure Score

C

Azure Policy

D

Microsoft Sentinel

Why: The Regulatory compliance dashboard in Microsoft Defender for Cloud shows your posture against the standards you have assigned (the Microsoft cloud security benchmark by default, plus standards such as CIS, NIST SP 800-53, PCI DSS and ISO 27001), mapping resources to each standard's controls with pass/fail status and remediation recommendations. Secure Score (Option B) is a single figure that summarises overall posture across security recommendations; it is not broken down by regulatory standard. Azure Policy (Option C) supplies the definitions and initiatives that Defender for Cloud evaluates and has its own per-assignment compliance view, but it is not the consolidated, standard-by-standard assessment the question asks for. Microsoft Sentinel (Option D) is a SIEM for detection and response, not compliance assessment.

An organization uses Microsoft 365 Defender. The security team receives an alert about a potential malware outbreak on multiple endpoints, and they need an integrated view that correlates signals from various Microsoft security solutions. Which Microsoft 365 Defender portal component provides this unified view?

A

Microsoft Defender for Cloud

B

Microsoft 365 Defender portal (security.microsoft.com), now called the Microsoft Defender portal

This portal provides a unified view of threats across endpoints, email, identities, and apps, with integrated incident response.

C

Microsoft Sentinel (formerly Azure Sentinel)

D

Microsoft Defender for Identity

Why: The portal at security.microsoft.com (the Microsoft 365 Defender portal, now branded Microsoft Defender XDR) is the hub that correlates signals from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps into incidents, with automated investigation and a single alert queue. Microsoft Defender for Cloud (Option A) covers cloud workload protection and posture management. Microsoft Sentinel (Option C) is a cloud-native SIEM that can ingest Defender XDR incidents but is a separate product. Microsoft Defender for Identity (Option D) covers only identity-based threats.

A security team is evaluating Microsoft security solutions to monitor user activities across multiple SaaS applications, including Salesforce and Dropbox, for signs of compromised accounts and data exfiltration. Which solution is specifically designed for this purpose?

A

Microsoft Defender for Cloud Apps

Correct. Defender for Cloud Apps is designed as a CASB to monitor and protect SaaS applications like Salesforce and Dropbox from threats such as compromised accounts and data exfiltration.

B

Microsoft Defender for Endpoint

C

Microsoft Sentinel

D

Microsoft 365 Defender

Why: Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that provides visibility, control, and threat protection for cloud apps. It can detect anomalous user behavior, compromised accounts, and data exfiltration across SaaS applications. Microsoft Defender for Endpoint focuses on endpoint devices, Microsoft Sentinel is a SIEM/SOAR for broader security data, and Microsoft 365 Defender is an integrated suite but the specific solution for SaaS monitoring is Defender for Cloud Apps.

A company manages Azure virtual machines and on-premises servers. The security team needs a single dashboard that provides a secure score and actionable recommendations to improve the security posture across both environments. Which Microsoft solution should be used?

A

Microsoft 365 Defender portal

B

Microsoft Defender for Cloud

Defender for Cloud delivers security posture management with secure score and recommendations for Azure, on-premises, and multi-cloud environments.

C

Microsoft Sentinel

D

Microsoft Defender for Cloud Apps

Why: Microsoft Defender for Cloud is the cloud security posture management service for Azure, on-premises and other clouds. It presents a secure score and prioritised recommendations for every connected resource; on-premises and other-cloud servers are brought in by onboarding them with Azure Arc, after which they appear alongside Azure virtual machines in the same dashboard.

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

A

Microsoft Defender for Endpoint

Defender for Endpoint is a core component of Microsoft 365 Defender, providing endpoint security and threat detection.

B

Microsoft Defender for Cloud

C

Microsoft Defender for Office 365

Defender for Office 365 is included in Microsoft 365 Defender, protecting email and collaboration tools.

D

Microsoft Sentinel

Why: Microsoft 365 Defender (now Microsoft Defender XDR) combines signals from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps into cross-domain incidents. Microsoft Defender for Cloud and Microsoft Sentinel integrate with it but are separate products.

A security analyst is using Microsoft 365 Defender to investigate a sophisticated multi-stage attack. The analyst needs to query data across endpoints, email, and identity logs to identify the attacker's behavior patterns and correlate events. Which Microsoft 365 Defender capability should the analyst use?

A

Automated investigation and response

B

Threat analytics

C

Advanced hunting

Advanced hunting uses KQL to query raw data from multiple Microsoft 365 Defender components, enabling custom threat hunting and correlation across data sources.

D

Action center

Why: Advanced hunting is the query-based threat hunting tool in Microsoft 365 Defender (now Microsoft Defender XDR). Analysts write Kusto Query Language (KQL) queries over the raw event tables contributed by Defender for Endpoint (for example DeviceProcessEvents), Defender for Office 365 (EmailEvents) and Defender for Identity (IdentityLogonEvents), and join across them to follow an attacker from phishing email to endpoint execution to credential use. Automated investigation and response runs playbooks on alerts, Threat analytics is curated reporting on active campaigns, and the Action center tracks pending and completed remediation actions.
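As an added example (not part of the original page or of any Microsoft sample), the KQL below shows the cross-source correlation the question describes: a delivered phishing email, an Office application on the recipient's device spawning a script host within an hour, and failed logons for the same account. The table and column names are the advanced hunting schema; the process lists, the one-hour window and the seven-day lookback are illustrative choices. The PowerShell wrapper submits the same query through the Microsoft Graph runHuntingQuery endpoint so it can run outside the portal.

```powershell
# Added example, not from the original page. Cross-domain advanced hunting query correlating
# Defender for Office 365 (EmailEvents), Defender for Endpoint (DeviceProcessEvents) and
# Defender for Identity (IdentityLogonEvents) on the account UPN. Thresholds are illustrative.
# Single-quoted here-string: PowerShell must not expand $left/$right or other KQL tokens.
$query = @'
let window = 1h;
let phish = EmailEvents
    | where Timestamp > ago(7d)
    | where ThreatTypes has "Phish" and DeliveryAction == "Delivered"
    | project EmailTime = Timestamp, AccountUpn = tolower(RecipientEmailAddress),
              Subject, SenderFromAddress, NetworkMessageId;
let suspiciousChild = DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
    | where FileName in~ ("powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe")
    | project ProcTime = Timestamp, AccountUpn = tolower(AccountUpn), DeviceName,
              FileName, ProcessCommandLine;
let failedLogons = IdentityLogonEvents
    | where Timestamp > ago(7d) and ActionType == "LogonFailed"
    | summarize FailedLogons = count(), FirstFailure = min(Timestamp),
                SourceIPs = make_set(IPAddress, 10)
      by AccountUpn = tolower(AccountUpn);
phish
| join kind=inner suspiciousChild on AccountUpn
| where ProcTime between (EmailTime .. (EmailTime + window))
| join kind=leftouter failedLogons on AccountUpn
| project EmailTime, ProcTime, AccountUpn, DeviceName, Subject, SenderFromAddress,
          FileName, ProcessCommandLine, FailedLogons, FirstFailure, SourceIPs, NetworkMessageId
| order by EmailTime desc
'@

# Run it through the Microsoft Graph hunting endpoint (delegated scope ThreatHunting.Read.All).
Connect-MgGraph -Scopes "ThreatHunting.Read.All"
$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $query }

# results is an array of row objects; schema describes the columns.
$response.results | ForEach-Object { [pscustomobject]$_ } |
    Format-Table EmailTime, AccountUpn, DeviceName, FileName, FailedLogons -AutoSize
```

The inner join on the email-to-process leg is what turns two noisy tables into a short list; the left outer join on logons keeps the hit even when Defender for Identity has nothing yet, because the failed-logon column being empty is itself useful when you are deciding which account to reset first.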

Domain 4: Describe the capabilities of Microsoft compliance solutions

A healthcare organization uses Microsoft Purview to protect patient health information (PHI). They need to identify sensitive data stored in Microsoft SharePoint Online and prevent unauthorized sharing. Which two Purview solutions should they implement? (Select all that apply.)

A

Data Classification

Data Classification (including automatic sensitivity labeling) helps identify and label PHI content in SharePoint Online.

B

Data Loss Prevention (DLP)

DLP policies can detect and prevent unauthorized sharing of files containing PHI, such as through external sharing links.

C

Insider Risk Management

D

Communication Compliance

Why: The organisation first needs to discover and classify PHI, then stop it being shared. Data classification in Microsoft Purview (content explorer and auto-labeling, part of Information Protection) finds PHI in SharePoint Online and applies sensitivity labels to it. Data Loss Prevention policies then detect labelled or matching content being shared outside the organisation and block or alert on it. Insider Risk Management (Option C) scores risky user behaviour that may lead to leaks but is not a classification or sharing control. Communication Compliance (Option D) monitors messages for policy violations such as inappropriate language, not data protection.

A multinational corporation must comply with the General Data Protection Regulation (GDPR). They use Microsoft Purview Compliance Manager to manage compliance activities. The compliance manager wants to automatically assign each control to the appropriate team member for remediation. What should they configure?

A

Create new assessments for each regulation

B

Configure improvement actions with owners

Improvement actions represent individual controls that can be assigned to an owner for remediation, enabling automatic assignment and tracking.

C

Set up connectors to import external risk data

D

Use the Microsoft 365 admin center to delegate tasks

Why: In Compliance Manager, each improvement action represents a specific control to be implemented. The compliance manager can assign an owner to each improvement action, which automatically notifies that person via email and tracks their progress. Assessments (Option A) are frameworks of controls, but they do not assign actions. Connectors (Option C) are used to import non-Microsoft data into Compliance Manager. The Microsoft 365 admin center (Option D) is not used for Compliance Manager assignments. Therefore, the correct answer is to configure improvement actions with owners.

A company is subject to a legal hold for an ongoing investigation. The IT administrator must prevent the deletion of any documents related to this case across SharePoint Online and OneDrive, overriding any existing deletion policies. Which Microsoft Purview capability should the administrator use?

A

Data Lifecycle Management

B

eDiscovery (Premium)

Correct. eDiscovery (Premium) allows administrators to place holds on content locations, preventing deletion for the duration of a legal case, overriding any existing deletion policies.

C

Audit (Premium)

D

Communication Compliance

Why: eDiscovery (Premium) in Microsoft Purview lets you place holds on the content locations tied to a case, preserving relevant SharePoint and OneDrive content until the hold is released. A hold takes precedence over deletion, whether by a user or by a Data Lifecycle Management retention policy, so nothing in scope is purged while the matter is open. eDiscovery (Standard) can also place holds; Premium adds custodian management, review sets and analytics on top. Data Lifecycle Management handles routine retention and deletion by policy but yields to holds. Audit (Premium) records activity without preserving content. Communication Compliance monitors messages for policy violations and does not prevent deletion.

A company wants to automatically apply a 'Confidential' sensitivity label to any document that contains a credit card number, and also encrypt the document as part of the label. Which two components must be configured to achieve this? (Choose two.)

A

A sensitivity label with encryption settings

Correct. The sensitivity label must define the protection (encryption) that will be applied to documents containing credit card numbers.

B

A DLP policy that detects sensitive info

C

An auto-labeling policy

Correct. The auto-labeling policy applies the sensitivity label automatically to documents that match specified conditions (e.g., containing a credit card number).

D

A data classification dashboard

Why: First create a sensitivity label whose protection settings encrypt the document and define who may open it and with what rights. Then create an auto-labeling policy whose condition is the built-in Credit Card Number sensitive information type, so matching documents receive that label (and its encryption) without user action. A DLP policy can detect the same content but its actions are about blocking sharing, not applying labels. The data classification dashboard only reports on what has been classified. Two caveats: a label configured for user-defined permissions cannot be auto-applied, and service-side auto-labeling policies start in simulation mode, so review the matched items before enabling the policy.
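As an added example, not from the original page, here is the second component in PowerShell: an auto-labeling policy that applies an existing encrypted 'Confidential' label to SharePoint and OneDrive documents containing a credit card number, run in simulation first. The label is assumed to exist already with its encryption settings defined in the portal; the policy and rule names are assumptions, and the parameter names are those of the ExchangeOnlineManagement module's Security & Compliance cmdlets (verify with Get-Help New-AutoSensitivityLabelRule -Full before running).

```powershell
# Added example, not from the original page. Service-side auto-labeling policy that applies an
# existing "Confidential" label (encryption already configured in the Purview portal) to
# SharePoint and OneDrive documents containing a credit card number. Label, policy and rule
# names are assumptions; "Credit Card Number" is a built-in sensitive information type.
Connect-IPPSSession

# Confirm the label exists and carries encryption before pointing a policy at it.
Get-Label -Identity "Confidential" | Select-Object Name, DisplayName, EncryptionEnabled

# Starts in simulation (TestWithoutNotifications): matches are reported, nothing is labelled yet.
New-AutoSensitivityLabelPolicy -Name "Auto-label credit card documents" `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# The rule carries the condition: at least one credit card number in the document.
New-AutoSensitivityLabelRule -Name "Contains credit card number" `
    -Policy "Auto-label credit card documents" `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" }

# After reviewing the simulation results in the portal, switch the policy on.
Set-AutoSensitivityLabelPolicy -Identity "Auto-label credit card documents" -Mode Enable
```

Simulation matters more here than for most policies: once an encrypted label lands on a document, anyone outside the label's permissions loses access to it, so a false positive is an outage rather than a nuisance.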

A company must retain all customer contracts for 10 years to comply with industry regulations. After 10 years, the contracts must be permanently deleted. Which Microsoft Purview solution should be used to automate this process?

A

Data Loss Prevention (DLP)

B

Data Lifecycle Management

Data Lifecycle Management provides retention labels and policies to automatically retain data for a defined period and then delete it, meeting the regulatory requirement.

C

eDiscovery

D

Information Protection

Why: Microsoft Purview Data Lifecycle Management enables organizations to define retention and deletion policies that automatically retain content for a specified period and then delete it. This solution manages data based on its lifecycle stage. The other options are incorrect: Data Loss Prevention (DLP) prevents accidental sharing of sensitive data, eDiscovery is used for legal investigations, and Information Protection focuses on classifying and labeling sensitive data.
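As an added example, not from the original page, this is the contract retention requirement expressed in Security & Compliance PowerShell (the ExchangeOnlineManagement module): a retention label that keeps content for 3650 days from creation and then deletes it, auto-applied only to contracts rather than to a whole site. The site URL, the label name and the ContentType query that identifies contracts are assumptions; 3650 days is the 365-days-per-year conversion the portal uses for "10 years".

```powershell
# Added example, not from the original page. Retention label "keep 10 years, then delete"
# for customer contracts, auto-applied by a label policy scoped to a contracts site.
# Site URL, label name and the ContentType query are assumptions. Requires ExchangeOnlineManagement.
Connect-IPPSSession

# The label holds the retention behaviour: KeepAndDelete = retain, then delete at expiry.
New-ComplianceTag -Name "Customer contract (10 years)" `
    -Comment "Regulatory retention for customer contracts" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 3650 `
    -RetentionType CreationAgeInDays

# A policy scoped to the contracts site, with a rule that applies the label to matching items.
# Labelling only contracts avoids a site-wide policy silently deleting unrelated content.
New-RetentionCompliancePolicy -Name "Auto-label customer contracts" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Contracts" `
    -Enabled $true

New-RetentionComplianceRule -Name "Apply contract label" `
    -Policy "Auto-label customer contracts" `
    -ApplyComplianceTag "Customer contract (10 years)" `
    -ContentMatchQuery 'ContentType:"Contract"'   # assumed SharePoint managed property / content type

# Verify what was created.
Get-ComplianceTag -Identity "Customer contract (10 years)" |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionComplianceRule -Policy "Auto-label customer contracts" |
    Select-Object Name, ApplyComplianceTag, ContentMatchQuery
```

Deletion at the end of the period is permanent, so the usual practice is to test the query with a label that only retains (RetentionAction Keep), confirm it matches nothing but contracts, and only then switch to KeepAndDelete.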

A healthcare organization uses Microsoft 365 and wants to prevent users from sending emails that contain patient health information (PHI) to external recipients. Which Microsoft Purview solution should they implement?

A

Data Lifecycle Management

B

Data Loss Prevention (DLP)

DLP policies can inspect content in emails and files for sensitive data, and then block or warn users according to the configured rules.

C

Insider Risk Management

D

eDiscovery

Why: Data Loss Prevention (DLP) policies in Microsoft Purview detect sensitive information in content and act on it before it leaves the organisation. A policy that matches PHI (using built-in sensitive information types such as U.S. Social Security Number, or the built-in U.S. Health Insurance Act (HIPAA) policy template that bundles the relevant types) and targets recipients outside the organisation can block the message outright, or warn the sender with a policy tip and let them override with a justification that is logged. Data Lifecycle Management governs retention, Insider Risk Management scores risky user activity, and eDiscovery serves legal investigations.
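As an added example for this question and for the SharePoint PHI question earlier in this domain (not code from the page or from Microsoft), here is the DLP policy in Security & Compliance PowerShell: started in test mode with policy tips, blocking content that matches PHI sensitive information types when it is sent to or shared with people outside the organisation, then enforced. Policy names, the tip text and the choice of sensitive information types are assumptions; confirm the exact SIT names in your tenant with Get-DlpSensitiveInformationType.

```powershell
# Added example, not from the original page. DLP policy blocking PHI to external recipients
# across Exchange, SharePoint and OneDrive, in test mode first. Names and tip text are
# assumptions; SIT names are built-in Purview types (verify with Get-DlpSensitiveInformationType).
Connect-IPPSSession

# TestWithNotifications: users see policy tips and matches are logged, nothing is blocked yet.
New-DlpCompliancePolicy -Name "PHI: block external sharing" `
    -Comment "HIPAA: no PHI to external recipients" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Sensitive information types the rule looks for. A flat list is rendered as "any of these"
# in the portal (assumption: check the rule there after creation).
$phiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
)

# AccessScope NotInOrganization covers both external email recipients and external sharing.
New-DlpComplianceRule -Name "PHI to external recipients" `
    -Policy "PHI: block external sharing" `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item appears to contain patient health information and cannot be shared outside the organisation." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# After reviewing the matches (activity explorer / incident reports), enforce the policy.
Set-DlpCompliancePolicy -Identity "PHI: block external sharing" -Mode Enable
```

Run the policy in test mode for long enough to see real traffic: the first week of matches usually reveals a legitimate flow (a claims processor, a referring clinic) that needs an exception or an override with justification rather than a hard block.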

Frequently asked questions

How many questions are on the SC-900 exam?

The SC-900 exam has up to 60 questions and must be completed in 60 minutes. The passing score is 700/1000.

What types of questions appear on the SC-900 exam?

The SC-900 exam uses multiple-choice, multiple-select, drag-and-drop and exhibit-based questions. Exhibit-based questions present an image such as a diagram or a portal screenshot and ask you to interpret it. Courseiva uses the same formats.

How are SC-900 questions organised by domain?

The exam covers 4 domains: Describe the concepts of security, compliance, and identity, Describe the capabilities of Microsoft Entra, Describe the capabilities of Microsoft security solutions, Describe the capabilities of Microsoft compliance solutions. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SC-900 exam questions?

No. These are original exam-style practice questions written against the official Microsoft SC-900 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 60 SC-900 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.