
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft Security, Compliance, and Identity Fundamentals SC-900 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SC-900 | Vendor: Microsoft

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A security administrator at an organization using Microsoft Entra ID needs to automatically detect user sign-ins that exhibit risky behavior, such as signing in from a suspicious IP address or using leaked credentials. The administrator also wants the system to automatically calculate a risk level for each user and take actions like requiring a password reset when risk is high. Which Microsoft Entra ID feature should the administrator use?

Question 2 (hard, multiple choice)

Refer to the exhibit. User2 attempts to activate the Global Administrator role. What must happen before User2 gains the role?

Exhibit

Refer to the exhibit. Microsoft Entra ID roles: User1: Global Administrator (active), User2: Global Administrator (eligible), User3: Security Reader (active). PIM settings: User2 requires approval for activation. User2 attempts to activate Global Administrator.

Question 3 (hard, multiple choice)

Refer to the exhibit. The Conditional Access policy shown is applied to all users accessing Office 365. A user with a compliant device but no MFA registered attempts to access Exchange Online. What will happen?

Exhibit

Refer to the exhibit.
```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "locations": {
      "includeLocations": ["All"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "compliantDevice"],
    "operator": "AND"
  }
}
```

Question 4 (hard, multiple choice)

Refer to the exhibit. You run the cmdlet and get a list of risk detections. What does this cmdlet retrieve?

Exhibit

```powershell
Get-AzureADMSIdentityProtectionRiskDetection -Filter "riskEventType eq 'unfamiliarSignInProperties'"
```

Question 5 (hard, multiple choice)

Refer to the exhibit. You are configuring a Conditional Access policy that requires a compliant device for access to Microsoft 365. The device shown in the exhibit is Azure AD joined, compliant, and managed. However, a user signing in from this device is still blocked. What is the most likely cause?

Exhibit

```json
{
  "device": {
    "deviceId": "device123",
    "operatingSystem": "Windows 10",
    "trustType": "Azure AD joined",
    "isCompliant": true,
    "isManaged": true,
    "profileType": "Workplace"
  }
}
```

Question 6 (medium, multiple choice)

Refer to the exhibit. You are reviewing a risk detection in Microsoft Entra Identity Protection. The risk event indicates 'unfamiliarFeatures' with medium risk level for user John Doe from IP 203.0.113.5. What is the most likely cause of this risk detection?

Exhibit

Refer to the exhibit.

```json
{
  "riskDetections": [
    {
      "riskEventType": "unfamiliarFeatures",
      "riskLevel": "medium",
      "userDisplayName": "John Doe",
      "signInDateTime": "2026-03-15T10:30:00Z",
      "ipAddress": "203.0.113.5"
    }
  ]
}
```

Question 7 (medium, multiple choice)

Refer to the exhibit. You are reviewing Microsoft Entra role assignments for a user. The first assignment has a roleDefinitionId of '62e90394-69f5-4237-9190-012177145e10' at scope '/'. The second assignment has a roleDefinitionId of '194ae4cb-b126-40b2-bd5b-6091b380977d' at a subscription scope. What can you infer?

Exhibit

```json
{
  "roleAssignments": [
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
      "scope": "/"
    },
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
      "scope": "/subscriptions/sub1/resourceGroups/rg1"
    }
  ]
}
```

Question 8 (hard, multiple choice)

Refer to the exhibit. A Conditional Access policy is defined as shown. Which client applications will be blocked?

Exhibit

Refer to the exhibit.

```json
{
  "name": "Block legacy authentication",
  "conditions": {
    "clientAppTypes": ["exchangeActiveSync", "otherClients"]
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}
```

Question 9 (medium, multiple choice)

Refer to the exhibit. You are reviewing a risk detection report in Microsoft Entra Identity Protection. The report shows a user with high risk level and two risk events. What does the status 'remediated' indicate?

Exhibit

Refer to the exhibit.

```json
{
  "identity": {
    "userPrincipalName": "user1@contoso.com",
    "riskLevel": "high",
    "riskEventTypes": ["leakedCredentials", "impossibleTravel"]
  },
  "status": "remediated"
}
```

Question 10 (medium, multiple choice)

You are evaluating the Conditional Access policy JSON exhibit. The policy includes MFA for Exchange Online but excludes trusted locations. A user reports that they are prompted for MFA when accessing webmail from a trusted IP address. Which is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["Office 365 Exchange Online"]
    },
    "locations": {
      "includeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"]
  }
}
```

Question 11 (hard, multiple choice)

You are investigating an alert in Microsoft Defender XDR. Based on the exhibit, what is the primary detection source for this alert?

Exhibit

Refer to the exhibit.
```json
{
  "Alert": {
    "AlertId": "alert-1234",
    "Title": "Suspicious sign-in from unfamiliar location",
    "Severity": "Medium",
    "Category": "Identity",
    "DetectionSource": "Microsoft Defender for Identity",
    "Entities": [
      {
        "Type": "account",
        "Name": "jdoe",
        "UPN": "jdoe@contoso.com"
      },
      {
        "Type": "ip",
        "Address": "203.0.113.5"
      }
    ]
  }
}
```

Question 12 (medium, multiple choice)

You are reviewing a Microsoft Purview sensitivity label configuration. Based on the exhibit, what will happen when this label is applied to a document?

Exhibit

Refer to the exhibit.

```json
{
  "LabelId": "12345678-1234-1234-1234-123456789012",
  "DisplayName": "Confidential",
  "Description": "Sensitive business data",
  "Actions": [
    {
      "Type": "encrypt",
      "EncryptionType": "AES256"
    },
    {
      "Type": "marking",
      "MarkingType": "watermark",
      "WatermarkText": "CONFIDENTIAL"
    },
    {
      "Type": "protection",
      "ProtectionType": "block",
      "BlockAction": "share"
    }
  ]
}
```

Question 13 (medium, multiple choice)

Refer to the exhibit. An analyst runs a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

```kql
SecurityAlert
| where AlertName == "Malware detected"
| project TimeGenerated, ComputerName, AlertSeverity
| order by TimeGenerated desc
| take 10
```

Question 14 (hard, multiple choice)

You are analyzing sign-in logs in Microsoft Sentinel. Based on the KQL query in the exhibit, what is the purpose of this query?

Exhibit

Refer to the exhibit.

```kql
let timeRange = 7d;
SigninLogs
| where TimeGenerated > ago(timeRange)
| where ResultType == "50057"
| project TimeGenerated, UserPrincipalName, IPAddress, Location
| summarize Attempts = count() by UserPrincipalName
| where Attempts > 10
| order by Attempts desc
```

Question 15 (hard, multiple choice)

Refer to the exhibit. A security analyst is reviewing an alert from Microsoft 365 Defender. The alert is associated with an incident. What is the best first step to investigate this alert?

Exhibit

```json
{
  "alerts": [
    {
      "id": "alert-123",
      "title": "Suspicious inbound email with malware",
      "category": "Malware",
      "severity": "High",
      "incidentId": "inc-456"
    }
  ]
}
```

These SC-900 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-900 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.