Reinforce SC-900 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For SC-900 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the SC-900 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your SC-900 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real SC-900 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass SC-900.
Sample cards from the SC-900 flashcard bank. Read the question, think of the answer, then read the explanation below.
A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?
Conditional Access
Conditional Access is the correct choice because it allows administrators to define policies that enforce multi-factor authentication (MFA) based on specific conditions, such as network location. In this scenario, a Conditional Access policy can be configured to require MFA only when users access the financial application from outside the corporate network, using the 'Locations' condition to distinguish trusted IP ranges from external sign-ins. This granular control directly addresses the requirement without affecting internal access.
A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?
Regulatory compliance dashboard
The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a consolidated view of compliance with industry standards like CIS and NIST. It continuously assesses Azure resources against built-in compliance frameworks and displays the results in a dashboard, showing which controls are passing or failing. This directly meets the administrator's need to view a consolidated assessment of compliance with those specific standards.
A multinational corporation must comply with the General Data Protection Regulation (GDPR). They use Microsoft Purview Compliance Manager to manage compliance activities. The compliance manager wants to automatically assign each control to the appropriate team member for remediation. What should they configure?
Configure improvement actions with owners
To automatically assign each control to the appropriate team member for remediation in Microsoft Purview Compliance Manager, you must configure improvement actions with owners. Each improvement action can be assigned to a specific user who is responsible for implementing the remediation steps, and this assignment triggers automatic notifications and tracking within the compliance score.
A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?
Integrity
The principle of integrity ensures that data remains accurate and unaltered during storage, processing, or transmission, except by authorized entities. In the context of information security, integrity is specifically concerned with preventing unauthorized modification, deletion, or creation of data. This is often enforced through mechanisms such as hashing (e.g., SHA-256), digital signatures, and checksums (e.g., CRC32) that detect any tampering.
An organization uses Microsoft Purview Compliance Manager to track compliance with regulations. The compliance officer needs to create a custom assessment for a new internal policy. What should they do?
Create a new custom assessment in Compliance Manager and add custom controls.
In Microsoft Purview Compliance Manager, assessments are built on templates that contain controls. To create a custom assessment for a new internal policy, the compliance officer must create a new custom assessment and then add custom controls, because Compliance Manager does not provide a built-in template for arbitrary internal policies. Option B correctly describes this workflow: creating a new custom assessment and adding custom controls.
A company uses Microsoft Teams and wants to ensure that messages containing offensive language are flagged for review. Which Microsoft Purview solution should be used?
Microsoft Purview Communication Compliance
Microsoft Purview Communication Compliance is designed to detect and flag messages containing offensive language, harassment, or other policy violations in Microsoft Teams, Exchange Online, and Yammer. It uses customizable policies and machine learning classifiers to automatically review communications and route flagged items for human review, making it the correct solution for this requirement.
A financial services firm uses Microsoft Purview Information Barriers to prevent traders from communicating with investment bankers. A new employee in the trading department cannot access a SharePoint site used for compliance training. What should the administrator do?
Add the employee to the 'Traders' segment in Microsoft Purview Information Barriers.
Microsoft Purview Information Barriers use segments to group users based on their organizational roles. Adding the new employee to the 'Traders' segment ensures that the Information Barrier policy applies to them correctly, allowing them to access the compliance training SharePoint site while still being blocked from communicating with investment bankers.
A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?
Managing user access and permissions for the application
In a SaaS model like a cloud-based CRM application, the customer is responsible for managing user access and permissions, including identity and access management (IAM), multi-factor authentication (MFA), and role-based access control (RBAC). The cloud provider handles the underlying infrastructure, platform, and application security, but the customer must control who can access the application and what they can do within it.
A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?
Least privilege
The security policy restricts a Sales user's access to only sales-related documents, explicitly denying access to Finance and HR folders. This aligns with the principle of least privilege, which mandates that users be granted only the minimum permissions necessary to perform their job functions. In Microsoft 365, this is implemented via role-based access control (RBAC) or sensitivity labels that enforce read-only access on specific SharePoint document libraries or folders.
A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?
Confidentiality
Confidentiality ensures that sensitive information is accessible only to authorized individuals. By restricting access to customer records to authorized employees, the company directly prevents unauthorized disclosure, which is the core goal of confidentiality in the CIA triad.
A company has a SharePoint Online site that stores project documents. Due to legal requirements, all documents in this site must be retained for exactly 5 years from the date they were created, and then automatically deleted. No user should be able to permanently delete a document before the retention period ends. Which Microsoft Purview solution should the administrator configure?
Retention policy
Option A is correct because a retention policy in Microsoft Purview can be configured to retain documents for exactly 5 years from creation and then automatically delete them. This policy enforces a mandatory retention period that prevents users from permanently deleting documents before the period ends, meeting the legal requirement.
A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?
Microsoft 365 Defender
Microsoft 365 Defender is the correct answer because it is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. It provides a single portal (security.microsoft.com) where alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps are correlated into incidents, enabling cross-domain investigation and automated response via playbooks and the Microsoft 365 Defender API.
A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?
Defense in depth
Defense in depth is a security strategy that layers multiple independent controls—such as firewalls, intrusion detection systems (IDS), and endpoint antivirus—across different network segments. The core principle is that if one layer is breached or fails, subsequent layers continue to provide protection, ensuring no single point of failure compromises the entire security posture.
A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?
Confidentiality
Full disk encryption (FDE) ensures that data stored on the laptop's hard drive is unreadable without the correct decryption key. This directly protects the confidentiality of the data by preventing unauthorized access if the device is lost or stolen, as the encrypted data cannot be deciphered without the key.
A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?
Availability
Deploying a mission-critical application across two Azure regions with automatic traffic routing directly addresses the security goal of availability. This architecture ensures that if one region fails, the application remains accessible from the other region, minimizing downtime. Azure Traffic Manager or Azure Front Door can be used to route traffic based on priority or latency, providing high availability and disaster recovery.
A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?
Integrity
Cryptographic hashing (e.g., SHA-256) produces a fixed-size digest from the file's contents. By comparing the computed hash with the publisher's published hash, any change to the file—even a single bit—yields a completely different digest, proving the file has not been tampered with. This directly protects the integrity of the data, ensuring it remains unaltered during transit.
A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?
Least privilege
The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions. In this scenario, the marketing specialist receives read-only access to the customer database and no access to financial records, which directly aligns with limiting permissions to the minimum required. This reduces the attack surface and limits potential damage from accidental or malicious actions.
A company must retain all vendor contracts for 10 years to meet regulatory requirements. After 10 years, the contracts must be permanently destroyed with no possibility of recovery. The compliance team wants to automate this lifecycle and ensure that during the retention period, the contracts cannot be edited or deleted by users. Which Microsoft Purview solution should they use?
Records Management
Records Management in Microsoft Purview is designed to declare records (regulatory or legal) that must be retained for a specific period and then disposed of in a compliant manner. It enforces immutability during the retention period—users cannot edit or delete records—and supports a disposition review or automatic permanent deletion after the retention period ends, exactly matching the requirement for 10-year retention followed by destruction with no recovery.
A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?
Defense in depth
The strategy described uses multiple independent security controls—firewall, IPS, endpoint antivirus, and encryption—so that if one layer fails, others continue to protect the asset. This is the core definition of defense in depth, which creates overlapping layers of protection rather than relying on a single point of failure.
A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?
Managing access controls and authentication for database users
In the shared responsibility model for Azure SQL Database, Microsoft manages the physical infrastructure, including servers, storage, and network, while the customer is responsible for data and access management. Option B is correct because managing access controls and authentication for database users, such as configuring logins, users, and permissions via T-SQL or Azure Active Directory, falls squarely on the customer. Microsoft ensures the platform is patched and secure, but the customer must control who can access the database and what they can do.
A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?
Access Reviews configured to auto-apply results and delete guest users after a specified number of days
Access Reviews in Microsoft Entra ID can be configured to automatically apply results, removing guest access when a reviewer does not respond within a specified period (e.g., 30 days). Additionally, the 'Delete guest users not reviewed within' setting allows automatic deletion of the guest user object from the directory after a configurable number of days (e.g., 90 days). This directly meets both requirements: periodic verification of access and eventual cleanup of the directory object.
A company stores customer data in Microsoft 365 and needs to identify which data is subject to GDPR. Which Microsoft Purview solution should be used?
Data Classification
Microsoft Purview Data Classification enables organizations to identify and classify sensitive data across their Microsoft 365 environment. This includes detecting personal data that may be subject to regulations like GDPR. The other options serve different purposes: lifecycle management for retention, DLP for protection, and audit for logging.
The SC-900 flashcard bank covers all 4 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Describe the capabilities of Microsoft Entra
Describe the capabilities of Microsoft security solutions
Describe the capabilities of Microsoft compliance solutions
Describe the concepts of security, compliance, and identity
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that SC-900 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.SC-900 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective SC-900 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free SC-900 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1411+ original SC-900 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official SC-900 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included