A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Access Reviews configured to auto-apply results and delete guest users after a specified number of days
Access Reviews can automatically apply results (remove access) if a reviewer does not respond, and the 'Delete users' setting within the review automatically removes guest objects after the configured number of days.
Distractor review
Entitlement Management access packages with an expiration policy
Access packages manage recurring access requests but do not provide periodic review with automatic removal of guest objects. Expiration policies can expire access, but not automatically delete the guest identity.
Distractor review
Lifecycle Workflows to schedule a periodic task
Lifecycle Workflows handle on/offboarding scenarios but are not designed for periodic access reviews of existing guests.
Distractor review
Privileged Identity Management (PIM) for guest roles
PIM is for managing just-in-time privileged access for Microsoft Entra ID roles or Azure resources, not for periodic reviews of guest access to SharePoint.
Common exam trap
Common exam trap: authentication is not authorization
Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.
Technical deep dive
How to think about this question
This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.
Key Concepts to Remember
- Authentication checks who the user is.
- Authorization controls what the user is allowed to do after login.
- Privilege levels affect access to EXEC and configuration commands.
- AAA, TACACS+ and RADIUS can separate login success from command access.
Exam Day Tips
- Do not assume successful login means full administrative access.
- Look for words such as cannot enter configuration mode, privilege level, authorization or command access.
- Separate login problems from permission problems before choosing the answer.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A company must retain all customer contracts for 10 years to comply with industry regulations. After 10 years, the contracts must be permanently deleted. Which Microsoft Purview solution should be used to automate this process?
Question 2
A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?
Question 3
A company runs a mix of on-premises servers and Azure virtual machines. They deploy Microsoft Defender for Endpoint on all servers. The security team wants to create custom queries to hunt for a specific attack pattern that involves a sequence of events across multiple machines, such as a PowerShell script being downloaded and then executed on several servers. They need to write their own detection rules based on advanced hunting data. Which Microsoft 365 Defender capability should they use?
Question 4
A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?
Question 5
A company has a hybrid identity environment with Active Directory synchronizing to Microsoft Entra ID. They want users to be able to reset their own on-premises passwords via the cloud SSPR portal. What is the minimum license required for this capability?
Question 6
A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?
FAQ
Questions learners often ask
What does this SC-900 question test?
Authentication checks who the user is.
What is the correct answer to this question?
The correct answer is: Access Reviews configured to auto-apply results and delete guest users after a specified number of days — Access Reviews allow you to create periodic reviews of group or application access. By configuring auto-apply settings, you can automatically remove access if a reviewer doesn't respond. Additionally, to automatically remove guest user objects from the directory after access is removed, you can enable the 'Automatically delete users after the specified number of days' setting within the Access Review policy. Entitlement Management is used for access packages and requesting access, but not for periodic reviews with auto-removal of guest objects. Lifecycle Workflows can automate user lifecycle events but are not designed for periodic access reviews.
What should I do if I get this SC-900 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.