SC-900 · topic practice

Scenario practice questions

Use this page to practise SC-900 Scenario questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

20 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Practice set

Scenario questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?

Question 2 · easy · multiple choice

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

Question 3 · easy · multiple choice

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

Question 4 · easy · multiple choice

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

Question 5 · easy · multiple choice

A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?

Question 6 · medium · multiple choice

A company has an on-premises Active Directory and wants to synchronize user accounts to Microsoft Entra ID. They also need to enable password hash synchronization so users can sign in to cloud resources with the same password. Which Microsoft tool should they use?

Question 7 · easy · multiple choice

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

Question 8 · easy · multiple choice

A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?

Question 9 · easy · multiple choice

A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?

Question 10 · easy · multiple choice

A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?

Question 11 · easy · multiple choice

A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?

Question 12 · easy · multiple choice

A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?

Question 13 · easy · multiple choice

A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?

Question 14 · easy · multiple choice

A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?

Question 15 · easy · multiple choice

A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?

Question 16 · easy · multiple choice

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

Question 17 · medium · multiple choice

A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?

Question 18 · medium · multiple choice

A company uses Azure virtual machines and also has physical servers in their on-premises datacenter. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and get a secure score for both environments. They also want to integrate with Microsoft Defender for Cloud for threat protection. Which Microsoft security solution provides this unified visibility across hybrid workloads?

Question 19 · medium · multiple choice

A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for users who sign in from locations with a high risk score, as determined by Microsoft's analysis of the sign-in's IP address and other behavioral signals. Which Microsoft Entra ID feature should they configure?

Question 20 · hard · multi select

A company uses Microsoft Entra ID (Azure AD). The security team wants to create a Conditional Access policy that meets the following requirements:

  • Require multi-factor authentication (MFA) when users access a sensitive financial application from an untrusted network.
  • Additionally, require that the device accessing the app is compliant with company policies (e.g., encryption enabled).

Which two conditions should the team configure in the Conditional Access policy? (Choose two.)

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Focused Scenario sessions

Start a Scenario only practice session

Every question in these sessions is drawn from the Scenario domain — nothing else.

Related practice questions

Related SC-900 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SC-900 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SC-900 topics?
Use the topic links above to move to related areas, or go back to the SC-900 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-900 exam covers. They are not copied from any real exam or dump site.