Scenario-based practice

Troubleshooting Scenario Questions

Practise Microsoft Security, Compliance, and Identity Fundamentals SC-900 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SC-900 | Vendor: Microsoft

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. This page covers:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A company uses Microsoft Entra ID and wants to automatically detect potential security risks such as leaked credentials and suspicious sign-in patterns. They also need the ability to investigate these risks and configure automated responses based on risk levels. Which Microsoft Entra capability should they use?

Question 2 (hard, multiple choice)

A security operations team uses Microsoft 365 Defender and wants to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. They also need to integrate these alerts into Microsoft Sentinel for central incident management. Which Microsoft security solution provides these capabilities?

Question 3 (medium, drag order)

Arrange the steps to investigate a user compromise using Azure AD Identity Protection.

Question 4 (medium, multiple choice)

A security operations team investigates a multi-stage attack that began with a phishing email, then moved to credential compromise, and finally to lateral movement on endpoints. They need a single pane of glass to view the entire attack story, including the initial email, the compromised user's sign-in activities, and processes on affected devices. Which Microsoft security solution provides this unified investigation experience?

Question 5 (medium, multiple choice)

A security operations team needs to protect their organization's Windows 10 and Windows 11 devices from advanced persistent threats (APTs), ransomware, and fileless malware. They also require a centralized dashboard to view device security posture, investigate incidents, and perform proactive threat hunting using advanced queries. Which Microsoft security solution should they deploy?

Question 6 (easy, multiple choice)

Your organization uses Microsoft Entra ID. A user reports that they are unable to access any Microsoft 365 services because they forgot their password. Which self-service tool should they use?

Question 7 (easy, multiple choice)

Your company wants to use Microsoft Security Copilot to help analysts investigate security incidents. Which data source can Security Copilot ingest to provide contextual insights?

Question 8 (easy, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on several endpoints. Which feature allows you to search for indicators of compromise (IOCs) across all endpoints?

Question 9 (medium, multiple choice)

A security analyst needs to investigate a phishing campaign that targeted multiple users. They want to correlate email threat data with user actions and device signals. Which Microsoft security solution should they use as the primary investigation console?

Question 10 (hard, multiple choice)

Refer to the exhibit. A security analyst is reviewing an alert from Microsoft 365 Defender. The alert is associated with an incident. What is the best first step to investigate this alert?

Exhibit

```json
{
  "alerts": [
    {
      "id": "alert-123",
      "title": "Suspicious inbound email with malware",
      "category": "Malware",
      "severity": "High",
      "incidentId": "inc-456"
    }
  ]
}
```

Question 11 (easy, multiple choice)

You are the security administrator for a company using Microsoft Defender XDR. A user reports receiving a suspicious email with a link. What Microsoft Defender XDR feature should you use to investigate the email's threat level?

Question 12 (hard, multiple choice)

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to investigate ransomware alerts. The query returns: AlertSeverity High: 5, Medium: 3, Low: 2. The security team wants to automate a response for all high-severity ransomware alerts. What should you configure?

Exhibit

```kql
// Count ransomware-related alerts from the last 7 days, grouped by severity
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "ransomware"
| summarize Count=count() by AlertSeverity
| order by Count desc
```

Question 13 (hard, multiple choice)

You are troubleshooting a Conditional Access policy in Microsoft Entra ID. The policy in the exhibit is not blocking some sign-ins that you expected to block. What is the most likely reason?

Exhibit

```json
{
  "displayName": "Block high-risk sign-ins",
  "conditions": {
    "userRiskLevels": ["high"],
    "signInRiskLevels": []
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}
```

Question 14 (hard, multiple choice)

You are troubleshooting a Windows device that is reporting as non-compliant in Microsoft Intune. The exhibit shows the output of a PowerShell command run on the device. Based on the output, which component is likely misconfigured?

Exhibit

```powershell
Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntispywareEnabled, AntivirusEnabled
AMProductVersion    : 4.18.2401.10
AMServiceEnabled    : True
AntispywareEnabled  : True
AntivirusEnabled    : True
```

Question 15 (medium, multiple choice)

Your organization uses Microsoft Defender XDR. You need to investigate a potential lateral movement attack where a compromised user account is used to access multiple workstations. Which feature should you use to visualize the attack path?

These SC-900 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-900 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.