Sample questions
Microsoft Security, Compliance, and Identity Fundamentals SC-900 practice questions
A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?
Trap 1: Physical security of the data center hosting the application
Physical security is always the responsibility of the cloud provider, even in a SaaS model.
Trap 2: Security of the underlying networking infrastructure
The networking infrastructure (e.g., routers, firewalls) is maintained by the cloud provider as part of the platform security.
Trap 3: Applying security patches to the application's code
In SaaS, the provider is responsible for patching the application code because they own the software.
- A
Physical security of the data center hosting the application
Why wrong: Physical security is always the responsibility of the cloud provider, even in a SaaS model.
- B
Security of the underlying networking infrastructure
Why wrong: The networking infrastructure (e.g., routers, firewalls) is maintained by the cloud provider as part of the platform security.
- C
Managing user access and permissions for the application
The customer controls who uses the application and with what privileges. This is a customer responsibility regardless of the cloud service model.
- D
Applying security patches to the application's code
Why wrong: In SaaS, the provider is responsible for patching the application code because they own the software.
A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?
Trap 1: Availability
Availability ensures systems are accessible when needed, but this scenario focuses on restricting access to specific data, not on uptime.
Trap 2: Defense in depth
Defense in depth uses multiple layers of security controls, but the scenario only discusses one access control policy, not a layered approach.
Trap 3: Non-repudiation
Non-repudiation ensures that actions cannot be denied later, typically via digital signatures, which is not relevant here.
- A
Availability
Why wrong: Availability ensures systems are accessible when needed, but this scenario focuses on restricting access to specific data, not on uptime.
- B
Least privilege
Correct. Least privilege restricts permissions to only what is necessary for the job, which is exactly what is described in the scenario.
- C
Defense in depth
Why wrong: Defense in depth uses multiple layers of security controls, but the scenario only discusses one access control policy, not a layered approach.
- D
Non-repudiation
Why wrong: Non-repudiation ensures that actions cannot be denied later, typically via digital signatures, which is not relevant here.
A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?
Trap 1: Integrity
Incorrect. Integrity focuses on maintaining the accuracy and consistency of data, not on restricting access.
Trap 2: Availability
Incorrect. Availability ensures that systems and data are accessible when needed, not specifically who can view them.
Trap 3: Accountability
Incorrect. Accountability is not part of the CIA triad; it involves tracking actions to a specific user, often through auditing.
- A
Confidentiality
Correct. Confidentiality prevents unauthorized access to information, which matches the requirement to limit access to authorized employees.
- B
Integrity
Why wrong: Integrity focuses on maintaining the accuracy and consistency of data, not on restricting access.
- C
Availability
Why wrong: Availability ensures that systems and data are accessible when needed, not specifically who can view them.
- D
Accountability
Why wrong: Accountability is not part of the CIA triad; it involves tracking actions to a specific user, often through auditing.
A company has a SharePoint Online site that stores project documents. Due to legal requirements, all documents in this site must be retained for exactly 5 years from the date they were created, and then automatically deleted. No user should be able to permanently delete a document before the retention period ends. Which Microsoft Purview solution should the administrator configure?
Trap 1: Sensitivity label
Sensitivity labels are used to apply classification, encryption, and visual markings to documents. They do not enforce retention or deletion schedules by themselves.
Trap 2: Data loss prevention (DLP) policy
DLP policies detect and prevent sensitive information from being shared inappropriately. They do not enforce content retention or deletion.
Trap 3: Audit policy
Audit policies enable logging of activities for auditing purposes. They do not directly control retention or deletion of content.
- A
Retention policy
A retention policy in Microsoft Purview allows administrators to set a retention period (e.g., 5 years) and an action (such as automatic deletion) for content in SharePoint sites. Users cannot permanently delete the content until the retention period expires.
- B
Sensitivity label
Why wrong: Sensitivity labels are used to apply classification, encryption, and visual markings to documents. They do not enforce retention or deletion schedules by themselves.
- C
Data loss prevention (DLP) policy
Why wrong: DLP policies detect and prevent sensitive information from being shared inappropriately. They do not enforce content retention or deletion.
- D
Audit policy
Why wrong: Audit policies enable logging of activities for auditing purposes. They do not directly control retention or deletion of content.
A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?
Trap 1: Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM and SOAR solution that can collect logs from various sources, but it is not the default unified portal for the four Defender products. The native unification comes from Microsoft 365 Defender.
Trap 2: Microsoft Defender for Cloud
Microsoft Defender for Cloud provides cloud security posture management and threat protection for cloud workloads (VMs, databases, etc.). It does not natively unify the four Defender products into a single incident view.
Trap 3: Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is an enterprise endpoint security platform that provides EDR and antivirus. It is one of the products to be unified, not the unified solution itself.
- A
Microsoft Sentinel
Why wrong: Microsoft Sentinel is a cloud-native SIEM and SOAR solution that can collect logs from various sources, but it is not the default unified portal for the four Defender products. The native unification comes from Microsoft 365 Defender.
- B
Microsoft 365 Defender
Correct. Microsoft 365 Defender is the unified portal that correlates alerts and incidents from Defender for Endpoint, Office 365, Identity, and Cloud Apps, enabling cross-domain investigations and automated response.
- C
Microsoft Defender for Cloud
Why wrong: Microsoft Defender for Cloud provides cloud security posture management and threat protection for cloud workloads (VMs, databases, etc.). It does not natively unify the four Defender products into a single incident view.
- D
Microsoft Defender for Endpoint
Why wrong: Microsoft Defender for Endpoint is an enterprise endpoint security platform that provides EDR and antivirus. It is one of the products to be unified, not the unified solution itself.
A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?
Trap 1: Least privilege
Least privilege is about granting users the minimum permissions needed to perform their tasks, not about layered controls.
Trap 2: Separation of duties
Separation of duties prevents a single individual from having excessive control by splitting critical actions among multiple people, not by layering defenses.
Trap 3: Zero trust
Zero trust is a security model that requires continuous verification of every access request, treating all users as potential threats even if inside the network. It is not the same as deploying multiple security layers.
- A
Defense in depth
Defense in depth is the correct concept. It employs overlapping security controls so that if one layer is breached, subsequent layers continue to protect the system.
- B
Least privilege
Why wrong: Least privilege is about granting users the minimum permissions needed to perform their tasks, not about layered controls.
- C
Separation of duties
Why wrong: Separation of duties prevents a single individual from having excessive control by splitting critical actions among multiple people, not by layering defenses.
- D
Zero trust
Why wrong: Zero trust is a security model that requires continuous verification of every access request, treating all users as potential threats even if inside the network. It is not the same as deploying multiple security layers.
A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?
Trap 1: Integrity
Integrity ensures data is not tampered with, but encryption primarily protects against unauthorized viewing.
Trap 2: Availability
Availability ensures systems and data are accessible when needed; encryption does not directly address availability.
Trap 3: Non-repudiation
Non-repudiation prevents a user from denying an action, often achieved through digital signatures, not encryption alone.
- A
Confidentiality
Encryption protects data from unauthorized access, ensuring only authorized parties can read it.
- B
Integrity
Why wrong: Integrity ensures data is not tampered with, but encryption primarily protects against unauthorized viewing.
- C
Availability
Why wrong: Availability ensures systems and data are accessible when needed; encryption does not directly address availability.
- D
Non-repudiation
Why wrong: Non-repudiation prevents a user from denying an action, often achieved through digital signatures, not encryption alone.
A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?
Trap 1: Confidentiality
Confidentiality focuses on restricting access to data to authorized users, often through encryption. Redundancy across regions does not directly address who can see the data.
Trap 2: Integrity
Integrity ensures data has not been altered by unauthorized parties. While failover mechanisms may preserve data integrity, the primary goal of multi-region deployment is to keep the service running, not to prevent modification.
Trap 3: Non-repudiation
Non-repudiation prevents individuals from denying that they performed an action. This is typically achieved through audit logs or digital signatures, not through geographic redundancy.
- A
Confidentiality
Why wrong: Confidentiality focuses on restricting access to data to authorized users, often through encryption. Redundancy across regions does not directly address who can see the data.
- B
Integrity
Why wrong: Integrity ensures data has not been altered by unauthorized parties. While failover mechanisms may preserve data integrity, the primary goal of multi-region deployment is to keep the service running, not to prevent modification.
- C
Availability
Correct. Availability ensures that resources are accessible to authorized users when needed. Deploying across multiple regions with automatic failover is a classic implementation of availability.
- D
Non-repudiation
Why wrong: Non-repudiation prevents individuals from denying that they performed an action. This is typically achieved through audit logs or digital signatures, not through geographic redundancy.
A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?
Trap 1: Confidentiality
Confidentiality focuses on ensuring data is accessible only to authorized individuals. Hashing does not prevent unauthorized reading of data; it only detects changes.
Trap 2: Availability
Availability ensures systems and data are accessible when needed. Hashing does not affect system uptime or accessibility.
Trap 3: Non-repudiation
Non-repudiation prevents a party from denying an action, typically achieved through digital signatures. Hashing alone does not provide proof of origin or action.
- A
Confidentiality
Why wrong: Confidentiality focuses on ensuring data is accessible only to authorized individuals. Hashing does not prevent unauthorized reading of data; it only detects changes.
- B
Integrity
Integrity ensures data has not been altered. Hashing provides a fingerprint of the original data; any modification changes the hash, thus verifying integrity.
- C
Availability
Why wrong: Availability ensures systems and data are accessible when needed. Hashing does not affect system uptime or accessibility.
- D
Non-repudiation
Why wrong: Non-repudiation prevents a party from denying an action, typically achieved through digital signatures. Hashing alone does not provide proof of origin or action.
A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?
Trap 1: Defense in depth
Defense in depth uses multiple layers of security controls (e.g., firewall, antivirus, encryption) to protect assets, not specifically limiting permissions per role.
Trap 2: Zero Trust
Zero Trust is a security model that assumes no implicit trust and continuously verifies every request, but it is broader than just limiting permissions.
Trap 3: Separation of duties
Separation of duties involves dividing critical tasks among multiple individuals to reduce risk of fraud or error, not about limiting individual permissions.
- A
Defense in depth
Why wrong: Defense in depth uses multiple layers of security controls (e.g., firewall, antivirus, encryption) to protect assets, not specifically limiting permissions per role.
- B
Least privilege
Correct. Least privilege is the security concept of granting users only the permissions they need to do their job, which matches the scenario of restricting access based on job role.
- C
Zero Trust
Why wrong: Zero Trust is a security model that assumes no implicit trust and continuously verifies every request, but it is broader than just limiting permissions.
- D
Separation of duties
Why wrong: Separation of duties involves dividing critical tasks among multiple individuals to reduce risk of fraud or error, not about limiting individual permissions.
A company must retain all vendor contracts for 10 years to meet regulatory requirements. After 10 years, the contracts must be permanently destroyed with no possibility of recovery. The compliance team wants to automate this lifecycle and ensure that during the retention period, the contracts cannot be edited or deleted by users. Which Microsoft Purview solution should they use?
Trap 1: Data Lifecycle Management (DLM)
Data Lifecycle Management (via retention policies and labels) can manage retention and deletion, but it does not provide the 'record' status that locks a document to prevent editing. DLM is for general content lifecycle, not regulatory records.
Trap 2: eDiscovery (Premium)
eDiscovery is used for legal discovery holds and searches, not for automating retention and disposition of records based on a fixed schedule.
Trap 3: Sensitivity Labels
Sensitivity labels apply classification and protection (e.g., encryption, visual markings) but do not enforce immutable retention that prevents deletion or editing for a specified period.
- A
Data Lifecycle Management (DLM)
Why wrong: Data Lifecycle Management (via retention policies and labels) can manage retention and deletion, but it does not provide the 'record' status that locks a document to prevent editing. DLM is for general content lifecycle, not regulatory records.
- B
Records Management
Records Management uses retention labels that declare items as records, locking them against modifications or deletions during the retention period, and supports automated disposition review and permanent deletion.
- C
eDiscovery (Premium)
Why wrong: eDiscovery is used for legal discovery holds and searches, not for automating retention and disposition of records based on a fixed schedule.
- D
Sensitivity Labels
Why wrong: Sensitivity labels apply classification and protection (e.g., encryption, visual markings) but do not enforce immutable retention that prevents deletion or editing for a specified period.
A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?
Trap 1: Least privilege
Least privilege is the principle of granting users only the minimum permissions necessary to perform their tasks. While important, the described layered controls do not primarily limit permissions; they add multiple defensive barriers.
Trap 2: Zero Trust
Zero Trust is a security model based on 'never trust, always verify' and assumes breach. It focuses on continuous verification of every access request, not just deploying layered controls. While defense in depth can be part of a Zero Trust architecture, the scenario describes only the layered approach, not the full Zero Trust model.
Trap 3: Separation of duties
Separation of duties prevents a single person from having too much control over a critical process (e.g., one person requests a purchase, another approves). The scenario describes technical security layers, not task separation among people.
- A
Least privilege
Why wrong: Least privilege is the principle of granting users only the minimum permissions necessary to perform their tasks. While important, the described layered controls do not primarily limit permissions; they add multiple defensive barriers.
- B
Defense in depth
Correct. Defense in depth uses multiple, overlapping security controls (firewalls, IPS, antivirus, encryption) so that failure of one does not compromise the entire security posture. This is exactly what the company is implementing.
- C
Zero Trust
Why wrong: Zero Trust is a security model based on 'never trust, always verify' and assumes breach. It focuses on continuous verification of every access request, not just deploying layered controls. While defense in depth can be part of a Zero Trust architecture, the scenario describes only the layered approach, not the full Zero Trust model.
- D
Separation of duties
Why wrong: Separation of duties prevents a single person from having too much control over a critical process (e.g., one person requests a purchase, another approves). The scenario describes technical security layers, not task separation among people.
A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?
Trap 1: Patching the physical servers hosting the database
Physical server patching is the responsibility of the cloud provider (Microsoft) in a PaaS service like Azure SQL Database.
Trap 2: Securing the hypervisor running the virtual machines
Hypervisor security is provided by the cloud provider as part of the underlying infrastructure.
Trap 3: Hardening the network firewalls at the datacenter perimeter
Physical network security is the responsibility of the cloud provider.
- A
Patching the physical servers hosting the database
Why wrong: Physical server patching is the responsibility of the cloud provider (Microsoft) in a PaaS service like Azure SQL Database.
- B
Managing access controls and authentication for database users
The customer retains responsibility for managing user identities, permissions, and authentication to the database.
- C
Securing the hypervisor running the virtual machines
Why wrong: Hypervisor security is provided by the cloud provider as part of the underlying infrastructure.
- D
Hardening the network firewalls at the datacenter perimeter
Why wrong: Physical network security is the responsibility of the cloud provider.
A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?
Trap 1: Entitlement Management access packages with an expiration policy
Access packages manage recurring access requests but do not provide periodic review with automatic removal of guest objects. Expiration policies can expire access, but not automatically delete the guest identity.
Trap 2: Lifecycle Workflows to schedule a periodic task
Lifecycle Workflows handle on/offboarding scenarios but are not designed for periodic access reviews of existing guests.
Trap 3: Privileged Identity Management (PIM) for guest roles
PIM is for managing just-in-time privileged access for Microsoft Entra ID roles or Azure resources, not for periodic reviews of guest access to SharePoint.
- A
Access Reviews configured to auto-apply results and delete guest users after a specified number of days
Access Reviews can automatically apply results (remove access) if no response, and the 'Delete users' setting within the review automatically removes guest objects after the configured days.
- B
Entitlement Management access packages with an expiration policy
Why wrong: Access packages manage recurring access requests but do not provide periodic review with automatic removal of guest objects. Expiration policies can expire access, but not automatically delete the guest identity.
- C
Lifecycle Workflows to schedule a periodic task
Why wrong: Lifecycle Workflows handle on/offboarding scenarios but are not designed for periodic access reviews of existing guests.
- D
Privileged Identity Management (PIM) for guest roles
Why wrong: PIM is for managing just-in-time privileged access for Microsoft Entra ID roles or Azure resources, not for periodic reviews of guest access to SharePoint.
A company stores customer data in Microsoft 365 and needs to identify which data is subject to GDPR. Which Microsoft Purview solution should be used?
Trap 1: Data Lifecycle Management
Data Lifecycle Management deals with retention and deletion policies, not classification for GDPR.
Trap 2: Data Loss Prevention
Data Loss Prevention focuses on preventing unauthorized sharing of sensitive data, not identifying it.
Trap 3: Audit
Audit provides logging of activities, not classification of data.
- A
Data Lifecycle Management
Why wrong: Data Lifecycle Management deals with retention and deletion policies, not classification for GDPR.
- B
Data Loss Prevention
Why wrong: Data Loss Prevention focuses on preventing unauthorized sharing of sensitive data, not identifying it.
- C
Audit
Why wrong: Audit provides logging of activities, not classification of data.
- D
Data Classification
Data Classification in Microsoft Purview helps discover and classify sensitive data, including personal data subject to GDPR.
A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?
Trap 1: Patching the guest operating system
Incorrect. Patching the guest OS is the customer's responsibility in IaaS, as they manage the operating system and applications.
Trap 2: Managing user access to the virtual machines
Incorrect. The customer retains responsibility for managing user accounts, access policies, and authentication for their VMs.
Trap 3: Configuring the firewall rules for the virtual network
Incorrect. Configuring network security groups and firewall rules is the customer's responsibility, as they define traffic controls.
- A
Physical security of the data center
Correct. In IaaS, Microsoft is responsible for the physical data center security, including access control, surveillance, and environmental controls.
- B
Patching the guest operating system
Why wrong: Patching the guest OS is the customer's responsibility in IaaS, as they manage the operating system and applications.
- C
Managing user access to the virtual machines
Why wrong: The customer retains responsibility for managing user accounts, access policies, and authentication for their VMs.
- D
Configuring the firewall rules for the virtual network
Why wrong: Configuring network security groups and firewall rules is the customer's responsibility, as they define traffic controls.
A company uses Microsoft 365 E5 and is concerned about advanced phishing attacks that use adversary-in-the-middle (AiTM) techniques to steal session cookies and bypass multifactor authentication. Which Microsoft Defender for Office 365 feature should they configure to specifically protect against this type of attack?
Trap 1: Safe Attachments
Safe Attachments protects against malicious email attachments by detonating them in a sandbox, but it does not directly address AiTM-based phishing attacks that steal session cookies.
Trap 2: Safe Links
Safe Links protects users from malicious URLs in email and other Office apps, but it does not specifically defend against AiTM phishing techniques that involve credential and session theft.
Trap 3: Campaign Views
Campaign Views is a reporting and investigation feature that provides an overview of attack campaigns across the organization. It does not provide active protection against AiTM attacks.
- A
Safe Attachments
Why wrong: Safe Attachments protects against malicious email attachments by detonating them in a sandbox, but it does not directly address AiTM-based phishing attacks that steal session cookies.
- B
Safe Links
Why wrong: Safe Links protects users from malicious URLs in email and other Office apps, but it does not specifically defend against AiTM phishing techniques that involve credential and session theft.
- C
Anti-Phishing (advanced policies)
Advanced anti-phishing policies in Defender for Office 365 include protection against adversary-in-the-middle (AiTM) attacks through impersonation analysis, advanced thresholds, and real-time signal detection. This helps block phishing aimed at hijacking sessions.
- D
Campaign Views
Why wrong: Campaign Views is a reporting and investigation feature that provides an overview of attack campaigns across the organization. It does not provide active protection against AiTM attacks.
A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?
Trap 1: Integrity
Integrity focuses on preventing unauthorized modifications, not on restricting access to authorized parties.
Trap 2: Availability
Availability ensures that systems and data are accessible when needed, not specifically that access is limited to authorized users.
Trap 3: Non-repudiation
Non-repudiation provides assurance that a user cannot deny an action, often through digital signatures, but does not govern access control.
- A
Integrity
Why wrong: Integrity focuses on preventing unauthorized modifications, not on restricting access to authorized parties.
- B
Availability
Why wrong: Availability ensures that systems and data are accessible when needed, not specifically that access is limited to authorized users.
- C
Confidentiality
Confidentiality is the principle of limiting access to data only to those who are authorized, which directly matches the requirement.
- D
Non-repudiation
Why wrong: Non-repudiation provides assurance that a user cannot deny an action, often through digital signatures, but does not govern access control.
A company must comply with the General Data Protection Regulation (GDPR). They need a unified solution that provides a compliance score, actionable recommendations to improve their security posture, and the ability to track their progress over time. Additionally, they want to assign improvement actions to specific teams and automate the collection of evidence for controls. Which two Microsoft Purview solutions should the administrator use? (Select two.)
Trap 1: Data Lifecycle Management
Data Lifecycle Management handles retention and deletion of content, not compliance scoring or evidence collection.
Trap 2: Insider Risk Management
Insider Risk Management detects and investigates risky user behavior, not compliance scoring or recommendations.
- A
Compliance Manager
Compliance Manager offers a compliance score, continuous assessment, recommended improvement actions, and evidence collection workflows.
- B
Data Lifecycle Management
Why wrong: Data Lifecycle Management handles retention and deletion of content, not compliance scoring or evidence collection.
- C
Insider Risk Management
Why wrong: Insider Risk Management detects and investigates risky user behavior, not compliance scoring or recommendations.
- D
Audit (Premium)
Audit (Premium) provides detailed logging of user and admin activities, which can be used as evidence to demonstrate compliance with controls.
A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?
Trap 1: The customer
The customer is not responsible for physical security in SaaS; the cloud provider manages the physical data centers.
Trap 2: Both the customer and the cloud provider equally
While both share responsibilities, physical security is solely the provider's responsibility in SaaS.
Trap 3: Neither the customer nor the cloud provider
The cloud provider is responsible for physical security; it is not an unassigned responsibility.
- A
The customer
Why wrong: The customer is not responsible for physical security in SaaS; the cloud provider manages the physical data centers.
- B
The cloud provider
In SaaS, the cloud provider is responsible for physical security, including data center infrastructure, networking, and hardware.
- C
Both the customer and the cloud provider equally
Why wrong: While both share responsibilities, physical security is solely the provider's responsibility in SaaS.
- D
Neither the customer nor the cloud provider
Why wrong: The cloud provider is responsible for physical security; it is not an unassigned responsibility.
A company uses Microsoft 365 and is concerned about phishing attacks targeting employees. They want to deploy a solution that can automatically analyze email messages for malicious links and attachments, and also provide click-time protection by rewriting URLs. Which Microsoft 365 Defender component should they use?
Trap 1: Microsoft Defender for Endpoint
Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) with EDR and antivirus. It does not provide email-level protections.
Trap 2: Microsoft Defender for Cloud Apps
Defender for Cloud Apps is a CASB for controlling shadow IT and protecting cloud apps. It does not directly analyze email attachments.
Trap 3: Microsoft Defender for Identity
Defender for Identity detects identity-based attacks using on-premises Active Directory signals. It does not analyze email content.
- A
Microsoft Defender for Endpoint
Why wrong: Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) with EDR and antivirus. It does not provide email-level protections.
- B
Microsoft Defender for Office 365
Defender for Office 365 includes Safe Links, Safe Attachments, and anti-phishing policies to protect email and collaboration tools.
- C
Microsoft Defender for Cloud Apps
Why wrong: Defender for Cloud Apps is a CASB for controlling shadow IT and protecting cloud apps. It does not directly analyze email attachments.
- D
Microsoft Defender for Identity
Why wrong: Defender for Identity detects identity-based attacks using on-premises Active Directory signals. It does not analyze email content.
A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?
Trap 1: Confidentiality
Confidentiality is achieved through encryption, not digital signatures. Digital signatures do not hide the content; they provide authenticity and non-repudiation.
Trap 2: Integrity
While digital signatures also provide integrity (detecting tampering), the primary focus of the scenario is preventing denial of sending, which is non-repudiation.
Trap 3: Availability
Availability deals with ensuring resources are accessible; digital signatures do not impact availability.
- A
Confidentiality
Why wrong: Confidentiality is achieved through encryption, not digital signatures. Digital signatures do not hide the content; they provide authenticity and non-repudiation.
- B
Integrity
Why wrong: While digital signatures also provide integrity (detecting tampering), the primary focus of the scenario is preventing denial of sending, which is non-repudiation.
- C
Availability
Why wrong: Availability deals with ensuring resources are accessible; digital signatures do not impact availability.
- D
Non-repudiation
Non-repudiation specifically addresses the inability to deny an action. Digital signatures provide cryptographic proof of origin and consent, ensuring the sender cannot deny sending the message.
A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?
Trap 1: Confidentiality
Confidentiality ensures data is hidden from unauthorized parties. Digital signatures do not encrypt the message; they only sign it.
Trap 2: Integrity
While digital signatures do verify integrity (no tampering), the primary focus of the scenario is preventing the sender from denying the email, which is non-repudiation.
Trap 3: Availability
Availability ensures systems and data are accessible when needed. Digital signatures do not contribute to availability.
- A
Confidentiality
Why wrong: Confidentiality ensures data is hidden from unauthorized parties. Digital signatures do not encrypt the message; they only sign it.
- B
Integrity
Why wrong: While digital signatures do verify integrity (no tampering), the primary focus of the scenario is preventing the sender from denying the email, which is non-repudiation.
- C
Availability
Why wrong: Availability ensures systems and data are accessible when needed. Digital signatures do not contribute to availability.
- D
Non-repudiation
Non-repudiation provides proof of origin that cannot be denied. A digital signature created with the sender's private key binds the message to the sender, achieving non-repudiation.
A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)
Trap 1: Require device to be marked as compliant
Incorrect. While this control can enforce device compliance (e.g., Intune), the scenario does not mention a need for device compliance; it only specifies unmanaged device status (which is a condition, not a grant). The requirement is for MFA from unmanaged devices, which is handled by the 'Require MFA' grant.
Trap 2: Require approved client app
Incorrect. This grant control restricts access to only specific client applications (e.g., Microsoft apps like Outlook). The scenario does not mention any need to limit the client application type.
- A
Require multi-factor authentication
Correct. This grant control forces users to complete MFA when the condition (unmanaged device) is met, satisfying the requirement for an extra verification step.
- B
Block access
Correct. This grant control immediately blocks access if the sign-in risk is high (as defined by Microsoft Entra ID Protection), preventing any access to the application.
- C
Require device to be marked as compliant
Why wrong: While this control can enforce device compliance (e.g., Intune), the scenario does not mention a need for device compliance; it only specifies unmanaged device status (which is a condition, not a grant). The requirement is for MFA from unmanaged devices, which is handled by the 'Require MFA' grant.
- D
Require approved client app
Why wrong: This grant control restricts access to only specific client applications (e.g., Microsoft apps like Outlook). The scenario does not mention any need to limit the client application type.