SC-900 Describe the capabilities of Microsoft Entra • Complete Question Bank
Complete SC-900 Describe the capabilities of Microsoft Entra question bank — all 0 questions with answers and detailed explanations.
Drag a concept onto its matching description — or click a concept then click the description.
Where data is stored geographically
Data subject to laws of the country where it is stored
Process of identifying and delivering electronic information for legal cases
Preserve data for litigation purposes
Categorizing data based on sensitivity
Drag a concept onto its matching description — or click a concept then click the description.
Protect on-premises Active Directory
Secure email and collaboration tools
Protect cloud workloads and resources
Secure Internet of Things devices
SaaS application security
Drag a concept onto its matching description — or click a concept then click the description.
An entity that can be authenticated
Proving you are who you claim to be
Determining what an authenticated user can do
Trust relationship between identity providers
Creating and managing user accounts and access
Refer to the exhibit.
```json
{
"displayName": "Block Legacy Auth",
"state": "enabled",
"conditions": {
"clientAppTypes": ["exchangeActiveSync", "otherClients"],
"applications": {
"includeApplications": ["All"]
}
},
"grantControls": {
"builtInControls": ["block"],
"operator": "OR"
}
}
```
Refer to the exhibit. Sign-in logs from Microsoft Entra ID: User: jsmith@contoso.com, App: Office 365 Exchange Online, Status: Failure, Error: 53003 - Device is not compliant. Risk level: Medium.
Refer to the exhibit. Microsoft Entra ID roles: User1: Global Administrator (active), User2: Global Administrator (eligible), User3: Security Reader (active). PIM settings: User2 requires approval for activation. User2 attempts to activate Global Administrator.
Refer to the exhibit. The exhibit shows a PowerShell command and its output:
```powershell
Get-MgPolicyConditionalAccessPolicy -Filter "DisplayName eq 'Block Legacy Auth'" | Format-List Id, DisplayName, Conditions
Id : 12345678-1234-1234-1234-123456789abc
DisplayName : Block Legacy Auth
Conditions : @{ClientAppTypes=System.Object[]; Applications=; Users=; Locations=; Platforms=; SignInRiskLevels=; UserRiskLevels=;}
```
Refer to the exhibit. The exhibit shows a Microsoft Entra ID sign-in log entry:
```json
{
"id": "abc123",
"createdDateTime": "2025-12-01T10:00:00Z",
"userDisplayName": "John Doe",
"appDisplayName": "Microsoft Azure PowerShell",
"status": {
"errorCode": 53003,
"failureReason": "Blocked by Conditional Access"
},
"conditionalAccessStatus": "failure",
"authenticationRequirement": "multiFactorAuthentication",
"clientAppUsed": "Azure PowerShell"
}
```
Refer to the exhibit. The exhibit shows a Microsoft Entra ID audit log entry:
```json
{
"activityDisplayName": "Add member to role",
"activityDateTime": "2025-12-01T09:00:00Z",
"targetResources": [{
"id": "abc",
"displayName": "Global Administrator",
"modifiedProperties": [{
"displayName": "Role.DisplayName",
"newValue": "\"Global Administrator\""
}]
}]
}
```
Refer to the exhibit.
```json
{
"conditions": {
"applications": { "includeApplications": ["Office365"] },
"users": { "includeUsers": ["All"] },
"locations": {
"includeLocations": ["All"],
"excludeLocations": ["AllTrusted"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["mfa", "compliantDevice"]
}
}
```
Refer to the exhibit.
```json
{
"roleEligibilityScheduleRequests": [
{
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principalId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"scheduleInfo": {
"startDateTime": "2026-04-01T00:00:00Z",
"expiration": {
"type": "AfterDuration",
"duration": "PT8H"
}
},
"ticketInfo": {
"ticketNumber": "INC-12345"
}
}
]
}
```
Refer to the exhibit.
```
DisplayName : Contoso HR App
ObjectId : 12345678-1234-1234-1234-123456789012
Enabled : True
SignInAudience : AzureADMyOrg
IdentifierUris : {https://api.contoso.com}
AppRoles : {}
```
Refer to the exhibit.
```json
{
"conditions": {
"applications": {
"includeApplications": ["Office365"]
},
"users": {
"includeUsers": ["All"]
},
"locations": {
"includeLocations": ["All"]
}
},
"grantControls": {
"builtInControls": ["mfa", "compliantDevice"],
"operator": "AND"
}
}
```
Refer to the exhibit.
```json
{
"conditions": {
"users": {
"includeUsers": ["All"]
},
"clientAppTypes": ["browser"]
},
"grantControls": {
"builtInControls": ["compliantDevice", "domainJoined"],
"operator": "OR"
}
}
```
Refer to the exhibit.
```json
{
"conditions": {
"users": {
"includeUsers": ["All"]
},
"riskLevel": ["high"]
},
"grantControls": {
"builtInControls": ["block"]
}
}
```
Refer to the exhibit.
```json
{
"appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"displayName": "HRApp",
"passwordCredentials": [
{
"hint": "abc",
"endDateTime": "2025-12-31T23:59:00Z"
}
],
"api": {
"knownClientApplications": [],
"requestedAccessTokenVersion": 2
}
}
```
Refer to the exhibit.
```powershell
$users = Get-MgUser -Filter "startsWith(userPrincipalName, 'john') and userType eq 'Member'"
foreach ($user in $users) {
New-MgUserAuthenticationMethod -UserId $user.Id -PhoneAuthenticationMethod -PhoneNumber "+1234567890" -PhoneType "mobile"
}
```
Refer to the exhibit.
```json
{
"conditions": {
"applications": {
"includeApplications": ["Office365"]
},
"users": {
"includeUsers": ["All"]
},
"locations": {
"includeLocations": ["AllTrusted"]
}
},
"grantControls": {
"builtInControls": ["mfa"]
}
}
```
Refer to the exhibit.
```json
{
"conditions": {
"users": { "include": ["All"] },
"applications": { "include": ["All"] },
"locations": { "include": ["AllTrusted"] }
},
"grantControls": {
"builtInControls": ["mfa"],
"termsOfUse": ["terms-of-use-id"]
}
}
```
Refer to the exhibit.
```json
{
"roleSettings": [
{
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"approvalRequired": true,
"activationMaximumDuration": "PT1H",
"eligibleAssignment": {
"assignmentType": "eligible",
"endDateTime": null
}
}
]
}
```
Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution to allow external partners to access a specific SharePoint Online site. The partners must use their own email addresses to sign in. You want to enforce multifactor authentication for all external users. Additionally, you need to ensure that external users are automatically removed from the site after 90 days. You have the following requirements:
1. Use built-in Microsoft Entra features.
2. Minimize administrative effort.
3. The solution must support automatic expiration of access.
What should you do?
```json
{
"signInLogs": [
{
"userId": "jdoe@contoso.com",
"appDisplayName": "Azure Portal",
"signInEventType": "interactiveUser",
"conditionalAccessStatus": "success",
"mfaRequired": true,
"riskLevelDuringSignIn": "medium",
"riskLevelAggregated": "high"
},
{
"userId": "asmith@contoso.com",
"appDisplayName": "Office 365 Exchange Online",
"signInEventType": "nonInteractiveUser",
"conditionalAccessStatus": "failure",
"mfaRequired": false,
"riskLevelDuringSignIn": "low",
"riskLevelAggregated": "low"
}
]
}
```
```powershell
Get-AzureADMSIdentityProtectionRiskDetection -Filter "riskEventType eq 'unfamiliarSignInProperties'"
```
```powershell
New-AzureADMSInvitation -InvitedUserEmailAddress "external@partner.com" -InvitedUserDisplayName "Partner User" -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage $true
```
Refer to the exhibit.
```json
{
"policy": {
"displayName": "Block legacy authentication",
"conditions": {
"clientAppTypes": ["exchangeActiveSync", "other"],
"applications": {
"includeApplications": ["Office365"]
}
},
"grantControls": {
"builtInControls": ["block"]
}
}
}
```
Refer to the exhibit.
```json
{
"riskDetections": [
{
"riskEventType": "unfamiliarFeatures",
"riskLevel": "medium",
"userDisplayName": "John Doe",
"signInDateTime": "2026-03-15T10:30:00Z",
"ipAddress": "203.0.113.5"
}
]
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "HR App",
"description": "Access package for HR application",
"catalogId": "catalog1",
"policyType": "userManaged",
"approvalRequired": true,
"approvalStages": [
{
"approvalTimeout": 14,
"approvalRequiredFor": "guest",
"primaryApprover": {
"id": "manager"
}
}
]
}
}
```
Refer to the exhibit.
```json
{
"conditions": {
"users": { "include": ["All"] },
"applications": { "include": ["All"] },
"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
"locations": { "include": ["AllTrusted"] }
},
"grantControls": {
"builtInControls": ["mfa"],
"operator": "OR"
}
}
```
Refer to the exhibit.
```json
{
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principalId": "a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d",
"directoryScopeId": "/",
"schedule": {
"startDateTime": "2025-01-01T00:00:00Z",
"expiration": {
"type": "afterDuration",
"duration": "PT8H"
}
}
}
```
Refer to the exhibit.
```json
{
"identity": {
"userPrincipalName": "user1@contoso.com",
"riskLevel": "high",
"riskEventTypes": ["leakedCredentials", "impossibleTravel"]
},
"status": "remediated"
}
```
```json
{
"signInEvents": [
{
"userPrincipalName": "jdoe@contoso.com",
"appDisplayName": "Microsoft 365 Exchange Online",
"clientAppUsed": "Mobile Apps and Desktop clients",
"deviceDetail": {
"deviceId": "",
"displayName": "",
"operatingSystem": "iOS",
"browser": ""
},
"location": "US",
"riskLevelDuringSignIn": "medium",
"riskLevelAggregated": "medium",
"riskEventTypes": ["unfamiliarFeatures"],
"mfaRequired": false,
"status": {
"errorCode": 0,
"failureReason": ""
}
}
]
}
```
```json
{
"roleAssignments": [
{
"principalId": "user1@contoso.com",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"scope": "/"
},
{
"principalId": "user1@contoso.com",
"roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
"scope": "/subscriptions/sub1/resourceGroups/rg1"
}
]
}
```
```json
{
"device": {
"deviceId": "device123",
"operatingSystem": "Windows 10",
"trustType": "Azure AD joined",
"isCompliant": true,
"isManaged": true,
"profileType": "Workplace"
}
}
```
Refer to the exhibit.
```json
{
"name": "Block legacy authentication",
"conditions": {
"clientAppTypes": ["exchangeActiveSync", "otherClients"]
},
"grantControls": {
"builtInControls": ["block"]
}
}
```
Refer to the exhibit.
```powershell
Get-AzureADGroupMember -ObjectId "Sales_Group_ObjectID" | Select-Object DisplayName, UserPrincipalName
```
Refer to the exhibit.
```kusto
SigninLogs
| where UserPrincipalName == "user@contoso.com"
| where Status.errorCode == 50076
```
You are the identity administrator for a multinational company using Microsoft Entra ID. The company has a Microsoft 365 E5 subscription. The security team wants to enforce the following requirements:
1. All users must use multi-factor authentication (MFA) when accessing sensitive applications (e.g., finance app).
2. Users from the IT department must use passwordless authentication methods (e.g., Windows Hello for Business) when accessing any resource.
3. All access to sensitive applications must be logged and monitored for anomalous activity.
4. Guest users from partner organizations must be automatically reviewed quarterly to ensure they still need access.
5. The company wants to minimize administrative overhead by automating as much as possible.
You need to design a solution that meets these requirements using Microsoft Entra ID capabilities. Which combination of actions should you take?
```json
{
"policy": {
"conditions": {
"users": { "includeUsers": ["All"] },
"locations": {
"includeLocations": ["AllTrusted"]
},
"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
},
"grantControls": {
"builtInControls": ["mfa"],
"termsOfUse": ["terms-of-use-id"]
},
"sessionControls": {
"signInFrequency": {
"value": 1,
"type": "hours"
},
"applicationEnforcedRestrictions": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "monitorOnly",
"isEnabled": true
}
}
}
}
```
Your organization, Contoso, uses Microsoft Entra ID for identity management. The security team has recently identified that several users have had their credentials compromised. You need to implement a solution that automatically enforces a password change for high-risk users and blocks sign-ins from risky locations. Additionally, you want to allow users to self-remediate by changing their password when they are at medium risk. You have the following requirements:
- Users detected as high risk must be blocked from signing in until an administrator resets their password.
- Users detected as medium risk must be prompted to change their password via self-service password reset before they can access resources.
- All risk detections must be logged and reported to the security team.
- The solution must use built-in Microsoft Entra capabilities without third-party tools.
Which of the following actions should you take to meet the requirements?
Refer to the exhibit.
```json
{
"conditions": {
"users": {
"includeUsers": ["All"]
},
"applications": {
"includeApplications": ["Office 365 Exchange Online"]
},
"locations": {
"includeLocations": ["AllTrusted"]
}
},
"grantControls": {
"builtInControls": ["mfa"]
}
}
```