
Scenario-based practice

Hard Difficulty Questions

Practise Microsoft Security, Compliance, and Identity Fundamentals SC-900 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 20
Exam code: SC-900
Vendor: Microsoft

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise a definition. Each scenario shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multi-select)

A company must comply with the General Data Protection Regulation (GDPR). They need a unified solution that provides a compliance score, actionable recommendations to improve their security posture, and the ability to track their progress over time. Additionally, they want to assign improvement actions to specific teams and automate the collection of evidence for controls. Which two Microsoft Purview solutions should the administrator use? (Select two.)

Question 2 (hard, multiple choice)

A company uses Salesforce and Box as cloud apps. The security team discovers that a third-party OAuth app with excessive permissions was granted access to Salesforce data by a user. They want a solution that can detect such risky OAuth apps and automatically revoke their permissions based on policy. Which Microsoft security solution provides this capability?

Question 3 (hard, multiple choice)

A security operations team uses Microsoft 365 Defender and wants to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. They also need to integrate these alerts into Microsoft Sentinel for central incident management. Which Microsoft security solution provides these capabilities?

Question 4 (hard, multi-select)

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

Question 5 (hard, multiple choice)

A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?

Question 6 (hard, multiple choice)

A financial services company must comply with a regulation that requires all audit-related documents to be retained for 7 years and then permanently deleted. The compliance officer wants to ensure that even if a user modifies or deletes a file, the original content is preserved for the full 7 years, and at the end of the period the files are automatically destroyed without any manual approval. The company uses Microsoft 365 and stores these documents in SharePoint Online and Microsoft Teams. Which Microsoft Purview solution should the compliance officer configure?

Question 7 (hard, multiple choice)

A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?

Question 8 (hard, multiple choice)

A company uses a third-party SaaS CRM application. The security team needs to monitor user sessions in real time when sales representatives access the CRM from personal, unmanaged devices. The goal is to prevent the download of sensitive customer data to local drives. The solution should block download actions and show a warning to the user. Which Microsoft security solution should the team deploy to enforce these session controls?

Question 9 (hard, multiple choice)

A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?

Question 10 (hard, multiple choice)

A company wants to monitor employee communications in Microsoft Teams and Exchange Online for potential policy violations such as harassment or inappropriate sharing of confidential information. They need a solution that allows them to define policies, review flagged messages, and manage investigations. Which Microsoft Purview solution should they use?

Question 11 (hard, multiple choice)

A compliance officer needs to identify and monitor potentially risky user activities, such as users copying large amounts of data to external devices or sharing sensitive files with unauthorized recipients. They want to create a policy that detects these activities and automatically escalates them for investigation. Which Microsoft Purview solution should they use?

Question 12 (hard, multiple choice)

A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?

Question 13 (hard, multiple choice)

A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?

Question 14 (hard, multi-select)

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

Question 15 (hard, multiple choice)

A user signs in to a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?

Question 16 (hard, multiple choice)

A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?

Question 17 (hard, multiple choice)

A large enterprise uses a variety of cloud applications, including sanctioned apps like Microsoft 365 and unsanctioned apps that employees adopted without IT approval. The security team wants to discover all cloud applications in use, assess each app's risk score based on more than 80 risk factors, and control data sharing within sanctioned apps to prevent data leakage. Additionally, they need to identify which users are using a new, unknown file-sharing service. Which Microsoft security solution should be deployed to meet these requirements?

Question 18 (hard, multiple choice)

A healthcare organization runs a mix of workloads on Azure (Azure VMs, SQL Database) and on-premises (Windows Servers). They must continuously assess their compliance against the HIPAA and HITRUST regulatory frameworks. They want a unified dashboard that shows their compliance score against these standards and provides step-by-step recommendations to remediate violations. Which Microsoft Defender for Cloud capability should they use?

Question 19 (hard, multiple choice)

A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?

Question 20 (hard, multiple choice)

A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?

These SC-900 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-900 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.