
Scenario-based practice

Select Two (Multi-Select) Questions

Practise Microsoft Security, Compliance, and Identity Fundamentals SC-900 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SC-900 | Vendor: Microsoft

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. There is no partial credit: you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multi-select)

A company must comply with the General Data Protection Regulation (GDPR). They need a unified solution that provides a compliance score, actionable recommendations to improve their security posture, and the ability to track their progress over time. Additionally, they want to assign improvement actions to specific teams and automate the collection of evidence for controls. Which two Microsoft Purview solutions should the administrator use? (Select two.)

Question 2 (medium, multi-select)

A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)

Question 3 (hard, multi-select)

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

Question 4 (easy, multi-select)

An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)

Question 5 (hard, multi-select)

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

Question 6 (medium, multi-select)

An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)

Question 7 (hard, multi-select)

A security team is using Microsoft Entra ID Protection. They want to automatically block sign-ins from known malicious IP addresses, but if a user's account is compromised (e.g., leaked credentials), they want to force the user to change their password upon next sign-in. Which two risk policies should they configure? (Select all that apply.)

Question 8 (medium, multi-select)

A company wants to automatically apply a 'Confidential' sensitivity label to any document that contains a credit card number, and also encrypt the document as part of the label. Which two components must be configured to achieve this? (Choose two.)

Question 9 (hard, multi-select)

A security administrator wants to use Microsoft Defender for Cloud to protect Azure VMs. Which two of the following should be enabled to meet the requirements? (Choose two.)

Question 10 (easy, multi-select)

A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose two.)

Question 11 (medium, multi-select)

A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)

Question 12 (easy, multi-select)

A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?

Question 13 (easy, multi-select)

A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?

Question 14 (easy, multi-select)

An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?

Question 15 (easy, multi-select)

A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?

Question 16 (easy, multi-select)

Which THREE are capabilities of Microsoft Defender for Cloud?

Question 17 (easy, multi-select)

Which TWO of the following are benefits of using Microsoft Entra ID Conditional Access? (Choose two.)

Question 18 (medium, multi-select)

Which THREE of the following are features of Microsoft Entra ID Governance? (Select three.)

Question 19 (hard, multi-select)

Which THREE are benefits of using Microsoft Entra ID as an identity provider? (Choose three.)

Question 20 (easy, multi-select)

Which THREE features are included in Microsoft Entra ID Free? (Choose three.)

These SC-900 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-900 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.