SC-900 · topic practice

Scenario practice questions

Practise Microsoft Security, Compliance, and Identity Fundamentals SC-900 Scenario practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?

Question 2 · easy · multiple choice

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

Question 3 · medium · multi select

A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)

Question 4 · easy · multiple choice

A company uses Microsoft Entra ID. They want to allow employees to access the expense reporting application only from managed devices that are compliant with security policies and from trusted IP ranges. Additionally, if the user's sign-in risk is high, access must be blocked. Which of the following conditions should the administrator configure in a Conditional Access policy to enforce these requirements?

Question 5 · hard · multiple choice

A company uses Salesforce and Box as cloud apps. The security team discovers that a third-party OAuth app with excessive permissions was granted access to Salesforce data by a user. They want a solution that can detect such risky OAuth apps and automatically revoke their permissions based on policy. Which Microsoft security solution provides this capability?

Question 6 · easy · multiple choice

A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?

Question 7 · medium · multiple choice

A company uses Microsoft Entra ID and wants to automatically detect potential security risks such as leaked credentials and suspicious sign-in patterns. They also need the ability to investigate these risks and configure automated responses based on risk levels. Which Microsoft Entra capability should they use?

Question 8 · easy · multiple choice

A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?

Question 9 · easy · multiple choice

A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?

Question 10 · easy · multiple choice

An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?

Question 11 · easy · multiple choice

A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?

Question 12 · easy · multiple choice

A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?

Question 13 · hard · multiple choice

A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?

Question 14 · easy · multiple choice

A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?

Question 15 · easy · multiple choice

A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?

Question 16 · medium · multiple choice

A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?

Question 17 · easy · multiple choice

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

Question 18 · easy · multiple choice

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

Question 19 · easy · multiple choice

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

Question 20 · hard · multiple choice

A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?

Frequently asked questions

What does the SC-900 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-900 topics?
Use the topic links above to move to related areas, or go back to the SC-900 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-900 exam covers. They are not copied from any real exam or dump site.