SC-900 Microsoft Security, Compliance, and Identity Fundamentals practice test

Use this page to practise for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

Practice questions: 498
Topics covered: mapped
Exam code: SC-900
Vendor: Microsoft

Practice set

Microsoft Security, Compliance, and Identity Fundamentals SC-900 questions

Question 1 (medium, multiple choice)

A company must retain all customer contracts for 10 years to comply with industry regulations. After 10 years, the contracts must be permanently deleted. Which Microsoft Purview solution should be used to automate this process?

Question 2 (medium, multiple choice)

A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?

Question 3 (hard, multiple choice)

A company runs a mix of on-premises servers and Azure virtual machines. They deploy Microsoft Defender for Endpoint on all servers. The security team wants to create custom queries to hunt for a specific attack pattern that involves a sequence of events across multiple machines, such as a PowerShell script being downloaded and then executed on several servers. They need to write their own detection rules based on advanced hunting data. Which Microsoft 365 Defender capability should they use?

Question 4 (medium, multiple choice)

A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?

Question 5 (easy, multiple choice)

A company has a hybrid identity environment with Active Directory synchronizing to Microsoft Entra ID. They want users to be able to reset their own on-premises passwords via the cloud SSPR portal. What is the minimum license required for this capability?

Question 6 (easy, multiple choice)

A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?

Question 7 (medium, multiple choice)

A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:

Question 8 (easy, multiple choice)

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

Question 9 (hard, multiple choice)

A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?

Question 10 (hard, multiple choice)

A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?

Question 11 (medium, multiple choice)

A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?

Question 12 (easy, multiple choice)

A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?

Question 13 (medium, multiple choice)

A company has a policy that prohibits employees from sharing confidential customer data with unauthorized parties. The compliance team needs to detect patterns of unusual user activity that may indicate insider data theft, such as downloading large volumes of data to a personal device or emailing sensitive files to external recipients. They also want to investigate the activity and take remediation actions like generating a case for litigation or notifying the user's manager. Which Microsoft Purview solution should they use?

Question 14 (easy, multiple choice)

A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?

Question 15 (hard, multiple choice)

A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?

Question 16 (easy, multiple choice)

A company has a SharePoint Online site that stores project documents. Due to legal requirements, all documents in this site must be retained for exactly 5 years from the date they were created, and then automatically deleted. No user should be able to permanently delete a document before the retention period ends. Which Microsoft Purview solution should the administrator configure?

Question 17 (easy, multiple choice)

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

Question 18 (easy, multiple choice)

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

Question 19 (medium, multiple choice)

A company has an on-premises Active Directory domain and uses Microsoft Entra ID (Azure AD) for cloud applications. They purchase new Windows 10 laptops that are not yet joined to any domain. The IT admin wants users to be able to sign in with their existing on-premises credentials and automatically have the laptops joined to both the on-premises AD domain and Microsoft Entra ID. Which device identity option should the admin configure?

Question 20 (medium, multiple choice)

A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?

Question 21 (medium, multiple choice)

A company has a SharePoint Online library containing legal contracts. They must satisfy a regulatory requirement that contracts cannot be modified or deleted after they are signed. Additionally, they need to retain the contracts for 10 years after the contract end date, after which they can be disposed of manually. Which Microsoft Purview solution should they implement?

Question 22 (medium, multiple choice)

A company has an on-premises web-based expense report application. The IT team wants to make this application accessible to remote employees over the internet without requiring a VPN. They need to use Microsoft Entra ID for authentication and apply Conditional Access policies such as requiring multi-factor authentication. Which Microsoft Entra ID feature should they implement?

Question 23 (easy, multiple choice)

A company has enabled Microsoft Defender for Cloud. They want to assess their Azure resources for compliance with security benchmarks like CIS and Azure Security Benchmark, and view a secure score. Which feature of Defender for Cloud provides this capability?

Question 24 (easy, multiple choice)

A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?

Exam question guide

How to use these SC-900 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
