SC-900 Flashcards — Free Microsoft Security, Compliance, and Identity Fundamentals SC-900 Study Cards

Integrity

Integrity is the principle that protects data from unauthorized modification. Confidentiality protects against unauthorized disclosure, availability ensures data is accessible when needed, and non-repudiation prevents denial of actions.

Conditional Access

Conditional Access policies evaluate signals like location, device, and risk to enforce access controls. A policy can require MFA when a user is not on the corporate network, meeting the requirement.

Regulatory compliance dashboard

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a comprehensive view of your compliance posture against various standards and regulations, including CIS, NIST, and Azure CIS. It maps your Azure resources to the specific controls of each standard, showing pass/fail status and recommendations. Secure Score (Option B) is a separate feature that measures overall security posture based on security controls but does not directly map to specific industry standards. Azure Policy (Option C) is used to enforce rules and ensure compliance but does not provide a dashboard. Microsoft Sentinel (Option D) is a SIEM solution for threat detection, not compliance assessment. Thus, the correct answer is the Regulatory compliance dashboard.

Configure improvement actions with owners

In Compliance Manager, each improvement action represents a specific control to be implemented. The compliance manager can assign an owner to each improvement action, which automatically notifies that person via email and tracks their progress. Assessments (Option A) are frameworks of controls, but they do not assign actions. Connectors (Option C) are used to import non-Microsoft data into Compliance Manager. The Microsoft 365 admin center (Option D) is not used for Compliance Manager assignments. Therefore, the correct answer is to configure improvement actions with owners.

Data Lifecycle Management

Microsoft Purview Data Lifecycle Management enables organizations to define retention and deletion policies that automatically retain content for a specified period and then delete it. This solution manages data based on its lifecycle stage. The other options are incorrect: Data Loss Prevention (DLP) prevents accidental sharing of sensitive data, eDiscovery is used for legal investigations, and Information Protection focuses on classifying and labeling sensitive data.

Managing user access and permissions for the application

In the shared responsibility model for SaaS, the cloud provider manages the underlying infrastructure, platform, and application security. The customer is responsible for securing their own data, managing user access (e.g., configuring who can access the application and with what permissions), and ensuring compliance with organizational policies. Options A and B are provider responsibilities. Option D is a provider responsibility as well (securing the application code).

Advanced hunting in Microsoft 365 Defender

Microsoft 365 Defender advanced hunting allows security analysts to query raw data from various sources using Kusto Query Language (KQL) to proactively hunt for threats. Custom detection rules are built on top of advanced hunting queries; when the query returns results, an alert can be generated and an automated response can be triggered. Microsoft Defender for Cloud (B) provides security posture management and workload protection, but does not offer KQL-based custom detection rules. Microsoft Defender for Office 365 (C) protects email and collaboration, not cross-machine hunt queries. Microsoft Sentinel (D) is a SIEM that also uses KQL, but it is a separate service; the question asks about Microsoft 365 Defender capability, which includes advanced hunting. The correct answer is A.

Microsoft Entra External ID (B2C)

Microsoft Entra External ID includes two offerings: B2B (business-to-business) for external business partners and B2C (business-to-consumer) for customer-facing applications. B2C supports social identity providers like Google and Facebook, allowing customers to sign in with existing accounts. B2B is designed for organizational accounts and does not natively support social IDPs for consumer scenarios.

Microsoft Entra ID P1

Self-service password reset (SSPR) with password writeback (enabling changes to sync back to on-premises Active Directory) requires at least Microsoft Entra ID P1. Entra ID Free does not support writeback. P2 includes P1 features but P1 is sufficient. Microsoft 365 Business Basic includes only Entra ID Free.

Managing user identities and controlling access to the CRM

In the shared responsibility model, responsibilities vary by service type. For SaaS, the cloud provider manages the infrastructure, application, and platform security. The customer is responsible for securing their own data, managing user access, configuring application settings, and ensuring compliance with data protection regulations. Options A, C, and D are provider responsibilities.

Zero Trust

Zero Trust is a security model that eliminates implicit trust and continuously validates each stage of a digital interaction. Defense in depth refers to multiple layers of security controls. Least privilege means granting only the minimum permissions needed. Shared responsibility describes the division of security tasks between a cloud provider and customer.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a method of restricting access based on the roles of individual users within an organization. In this scenario, assigning permissions based on job title is a classic example of RBAC. Least privilege is a principle that can be implemented using RBAC, but the direct method described is RBAC.

Patching the operating system of the underlying physical and virtual hosts

For Platform as a Service (PaaS) like Azure App Service and Azure SQL Database, Microsoft manages the underlying infrastructure, including the physical hardware, network controls, and the operating system of the host machines. This includes patching the OS of the virtual machines that host the service. The customer is responsible for securing their application code, managing access (identity), and protecting their data. While Microsoft provides infrastructure-level encryption, the customer is often responsible for configuring encryption at rest for their databases. Option D is not a clear Microsoft responsibility because encryption at rest can be customer-managed or platform-managed depending on configuration, and the question asks for a responsibility that remains with Microsoft regardless.

Managing user identities and access to the application

In the shared responsibility model, the cloud provider (Microsoft) manages the physical infrastructure, host OS, and network controls. For PaaS, the customer is responsible for managing access to data, ensuring proper application-level security (code, secrets, authentication), and configuring the service settings. Physical security of datacenters and patching the underlying host OS are Microsoft's responsibility. Customer data encryption at rest can be handled by the customer by enabling features like TDE, but the underlying protection of the infrastructure is Microsoft's job.

Patching the guest operating system and applications

For IaaS, the customer is responsible for all aspects of the virtual machine they deploy, including patching the guest OS, securing the application, and managing user access. Microsoft is responsible for the physical data center, the hypervisor, and the network infrastructure.

Least privilege

The principle of least privilege states that users should be granted only the minimum level of access (permissions) needed to perform their job functions. Role-based access control (RBAC) is often used to enforce this principle. Defense in depth uses multiple layers of security. Separation of duties prevents a single individual from having conflicting roles (e.g., authorizing and executing a transaction). Zero trust is a broader security model that assumes no implicit trust and requires continuous verification.

Microsoft Purview Insider Risk Management

Microsoft Purview Insider Risk Management uses predefined and customizable policies to detect, investigate, and act on risky user activities related to data theft, data leaks, and security policy violations. It provides behavioral analytics and a workflow for cases and notifications. Data Loss Prevention (DLP) is policy-based and prevents accidental sharing but does not focus on behavioral indicators. Audit logs provide raw event data without analytics or remediation workflows. eDiscovery is used for legal holds and content searches, not for detecting risky behavior.

Least privilege

The principle of least privilege ensures that users are granted only the permissions necessary to perform their job functions. By restricting sales users to sales documents only, the organization is applying least privilege to minimize potential damage from accidental or malicious actions. This principle reduces the attack surface and is a core concept of identity and access management.

Managing the application code and its configuration

In the shared responsibility model for Platform as a Service (PaaS), the cloud provider secures the infrastructure, including the operating system, network, and physical host. The customer is fully responsible for securing their application, including the code, configurations, and data. Applying OS patches (option A) is managed by Microsoft for PaaS services. Configuring network security groups (option B) is partly a customer capability but the underlying network controls are managed by Microsoft, and physical security (option D) is Microsoft's responsibility. Therefore, managing the application code and its configuration (option C) is the correct answer.

Retention policy

A retention policy in Microsoft Purview can be applied to a SharePoint site to enforce a specified retention period (e.g., 5 years) and then automatically delete the content. Retention policies prevent users from permanently deleting content before the retention period ends. A sensitivity label is used for classification and protection (encryption, access control), not retention alone. A data loss prevention (DLP) policy prevents sharing of sensitive data but does not enforce retention. An audit policy enables logging but does not enforce retention or deletion.

Confidentiality

The CIA triad consists of Confidentiality, Integrity, and Availability. Confidentiality ensures that data is accessible only to those with the proper authorization. In this scenario, restricting access to authorized employees directly protects confidentiality. Integrity ensures data accuracy and prevents tampering, while availability ensures systems are accessible when needed.

Least privilege

The principle of least privilege dictates that users should be granted the minimum level of access required to accomplish their tasks. This reduces the risk of accidental or malicious misuse of permissions. Segregation of duties involves splitting critical tasks among multiple people to prevent fraud. Defense in depth uses multiple layers of security controls. Zero Trust is a broader security model that assumes no implicit trust. The scenario directly describes least privilege.