
What is a use case for implementing information barrier policies in Microsoft 365?
Incorrect. Restricting unauthenticated access to Microsoft 365 is an identity/access control scenario typically addressed with Microsoft Entra ID authentication, Conditional Access, MFA, and tenant access settings. Information barriers assume authenticated users and focus on preventing communication/collaboration between specific internal groups, not blocking anonymous access to the service.
Correct. A classic information barrier use case is preventing certain internal groups from communicating in Microsoft Teams (chat, calls, meetings, and team membership). This supports regulatory or ethical separation (for example, the "ethical wall" between trading and advisory teams in financial services). IB policies define segments and block communication between them, enforcing internal separation of duties.
Correct. Information barriers can also restrict Exchange Online communication between defined segments, preventing email interactions between certain groups within the organization. This aligns with compliance requirements where internal communications must be controlled (e.g., legal/insider trading restrictions). The policy model is segment-based and enforced across supported workloads.
Incorrect. Restricting data sharing to external email recipients is generally handled through Exchange Online mail flow (transport) rules, tenant external sharing settings, DLP policies, and sensitivity labels/encryption. IB focuses on internal segmentation (preventing communication between internal groups) and is not designed as an external-recipient sharing control.
Core concept: Information barriers (IB) in Microsoft 365 are compliance controls designed to prevent certain users or groups from communicating or collaborating with each other. They are commonly used to meet regulatory, legal, or ethical requirements (for example, separating "insider" groups such as trading from advisory teams in financial services).

Why the answer is correct: A primary use case for information barriers is restricting communication between specific segments of an organization across Microsoft 365 workloads. This includes preventing Microsoft Teams interactions (chat, calling, meetings, and team membership) between defined groups, and preventing Exchange Online communication (email and related directory-based interactions) between those groups. Therefore, both restricting Teams chats (B) and restricting Exchange Online email (C) are valid use cases.

Key features and configuration points: IB policies are built around "segments" (users grouped by directory attributes such as department, role, or custom attributes). Policies then define whether segments can communicate ("allow") or must be blocked ("block"). A block policy is defined from one segment toward another, so fully separating two segments normally takes a pair of policies, one per direction. Policies are created, set to active, and then applied before they take effect; nothing is enforced until application completes. IB is configured in Microsoft Purview and relies on directory attributes in Microsoft Entra ID to place users into segments. In practice, organizations implement IB alongside governance practices (a clear segmentation strategy, change control, and testing) in line with least privilege and separation of duties.

Common misconceptions: Information barriers are not primarily about blocking unauthenticated access (that is identity and access management, e.g., Conditional Access). They also are not the main tool for restricting sharing to external recipients; that is typically handled by external sharing settings, DLP, sensitivity labels, and Exchange mail flow rules.
Exam tips: For SC-900, remember: Information barriers = “prevent internal communication/collaboration between groups” (often regulatory). If the option mentions separating departments from communicating in Teams/Exchange, think information barriers. If it mentions external sharing or unauthenticated access, think other controls (Conditional Access, DLP, sensitivity labels, sharing policies).
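The segment-and-policy model described above, as an added example written for this page (it is not code from the original page or from Microsoft's documentation). It uses the Security & Compliance PowerShell cmdlets for information barriers and assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Compliance Administrator role, and users carry a Department attribute in Microsoft Entra ID with the values "Trading" and "Advisory" (example values chosen for the demo; the user address is also a placeholder).

```powershell
# Added example: separate two internal segments with information barriers.
# Assumptions (not from the page): ExchangeOnlineManagement module installed,
# Compliance Administrator role, Department attribute populated with the
# example values 'Trading' and 'Advisory'.
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# 1. Define segments from directory attributes. Keep the filters mutually
#    exclusive: a user that matches two segments causes policy application to fail.
New-OrganizationSegment -Name "Trading"  -UserGroupFilter "Department -eq 'Trading'"
New-OrganizationSegment -Name "Advisory" -UserGroupFilter "Department -eq 'Advisory'"

# 2. Block policies are directional, so define both directions. Start them
#    Inactive so nothing is enforced before review.
New-InformationBarrierPolicy -Name "Trading-Advisory" -AssignedSegment "Trading" `
    -SegmentsBlocked "Advisory" -State Inactive
New-InformationBarrierPolicy -Name "Advisory-Trading" -AssignedSegment "Advisory" `
    -SegmentsBlocked "Trading" -State Inactive

# 3. Activate, then apply. Policies have no effect until application finishes.
Set-InformationBarrierPolicy -Identity "Trading-Advisory" -State Active
Set-InformationBarrierPolicy -Identity "Advisory-Trading" -State Active
Start-InformationBarrierPoliciesApplication

# 4. Verify: application status for the tenant, and which segment one user landed in.
Get-InformationBarrierPoliciesApplicationStatus -All
Get-InformationBarrierRecipientStatus -Identity "alice@contoso.example"   # placeholder address
```

The last two cmdlets are the check worth keeping: a policy that is Active but whose application has not completed, or a user whose attribute did not match any segment, is the usual reason a "blocked" pair can still chat in Teams.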
What do you use to provide real-time integration between Azure Sentinel and another security source?
Azure AD Connect (now Microsoft Entra Connect) is used to synchronize identities between on-premises Active Directory and Microsoft Entra ID. Its purpose is hybrid identity enablement, such as syncing users, groups, and authentication-related settings. It does not function as a Microsoft Sentinel ingestion or integration feature for security telemetry. Even though identity-related logs can be monitored in Sentinel, Entra Connect is not the tool used to connect those logs to Sentinel.
A Log Analytics workspace is the underlying data store and analytics engine used by Microsoft Sentinel. It is where ingested logs are stored and queried, but it is not the feature that establishes the connection to an external security source. In other words, the workspace is the destination and analysis layer, while the connector is the integration mechanism. This makes it a necessary component of Sentinel, but not the best answer to this question.
Azure Information Protection is a service for classifying, labeling, and protecting sensitive information. It helps organizations apply encryption and usage restrictions to documents and emails for data protection and compliance purposes. It is not a Microsoft Sentinel feature for integrating external security data sources. While events from related services may ultimately be monitored in Sentinel, Azure Information Protection itself is not the mechanism used to connect those sources.
A connector is the correct answer because Microsoft Sentinel uses data connectors to integrate with Microsoft and third-party security sources. These connectors define how data is collected and ingested into Sentinel, whether through APIs, agents, Syslog/CEF, or native Microsoft integrations. After configuration, the incoming security data becomes available for analytics rules, hunting queries, and incident investigation. On the exam, 'connector' or 'data connector' is the standard term for linking a source to Sentinel.
Core concept: Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native SIEM/SOAR. Its value depends on ingesting security data from many sources (Microsoft and third-party). Real-time or near-real-time integration is achieved through built-in data connectors (and related ingestion methods such as API-based collection, agent-based collection, and streaming).

Why the answer is correct: A connector (data connector) is the Sentinel feature used to integrate another security source and continuously ingest its logs/alerts into Sentinel. Connectors provide the configuration and plumbing to pull or receive data from sources such as Microsoft Defender products, Microsoft Entra ID, AWS, Palo Alto, Cisco, and many others. Many connectors support near-real-time ingestion and also bring additional content such as analytics rule templates, workbooks, and incident creation tailored to that source.

Key features / configuration points:
- Connector content is installed from the Content hub (under Content management) and configured under Configuration > Data connectors in the Sentinel portal.
- Connectors commonly use one of these patterns: the Azure Monitor Agent (the legacy Log Analytics agent is retired), REST APIs, Event Hubs/CEF/Syslog, or Microsoft-native service-to-service integrations.
- Data lands in the Sentinel-backed Log Analytics workspace as tables; analytics rules then query that data (KQL) to create alerts/incidents.
- Best practice: standardize ingestion on supported connectors, validate data health (connector status plus actual data volume per table, not just a "connected" indicator), and grant API-based connectors only the permissions they need.

Common misconceptions: Many learners confuse the Log Analytics workspace with the integration mechanism. The workspace is the storage/analytics backend, but it does not itself "integrate" a new source in real time; you still need a connector (or custom ingestion) to get data into the workspace.
Similarly, Azure AD Connect and Azure Information Protection are security/identity services but are not Sentinel integration mechanisms. Exam tips: For SC-900, remember: Sentinel integrates data sources via “data connectors.” The Log Analytics workspace is required for Sentinel, but connectors are what you use to bring in data from other security sources. If the question says “integrate Sentinel with another security source,” the safest answer is typically “a connector.”
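The "validate data health" point above, as an added example written for this page (not code from the original page or from Microsoft). A connector's status tile can read "connected" while its agent has died; the reliable check is whether rows for the connector's tables actually arrived in the workspace. The script assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules are installed; the resource group, workspace name and expected table list are placeholders.

```powershell
# Added example: list Sentinel data connectors, then confirm each expected table
# received data in the last 24 hours. Names below are placeholders.
$rg = "rg-sentinel"      # placeholder resource group
$ws = "law-sentinel"     # placeholder Log Analytics workspace backing Sentinel
Connect-AzAccount

# Which connectors are configured (the integration mechanism the question asks about).
Get-AzSentinelDataConnector -ResourceGroupName $rg -WorkspaceName $ws |
    Select-Object Name, Kind

# The Usage table records billable ingestion per destination table (DataType), in MB.
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId
$kql = @'
Usage
| where TimeGenerated > ago(24h)
| where IsBillable == true
| summarize IngestedMB = round(sum(Quantity), 1), LastSeen = max(TimeGenerated) by DataType
| order by IngestedMB desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table DataType, IngestedMB, LastSeen

# Tables you expect from your connectors (placeholder list). Anything missing here
# means the source stopped sending even if the connector page still looks healthy.
$expected = @("SecurityEvent", "SigninLogs", "CommonSecurityLog")
$seen = $result.Results | ForEach-Object { $_.DataType }
$expected | Where-Object { $_ -notin $seen } | ForEach-Object {
    Write-Warning "No data in the last 24h for table $_ - check the connector or agent feeding it"
}
```

Scheduling this check and alerting on a silent table is cheap insurance: an analytics rule cannot fire on events that never reached the workspace.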
Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standards, such as International Organization for Standardization (ISO)?
Microsoft Endpoint Manager admin center (now the Microsoft Intune admin center) is used to manage devices, apps, and endpoint security policies (e.g., compliance policies, configuration profiles, Conditional Access integration). While it can report whether devices meet your organization's compliance rules, it does not provide Microsoft's third-party audit attestations (like ISO certificates) for Microsoft cloud services. It is an operational management portal, not a compliance evidence repository.
Azure Cost Management + Billing focuses on financial governance: tracking spend, budgets, cost allocation, and billing accounts/subscriptions. It helps with cost optimization (Azure Well-Architected cost pillar) but is unrelated to demonstrating regulatory compliance with standards like ISO. You won’t find audit reports or compliance attestations there; it’s for cost analysis and billing administration.
Microsoft Service Trust Portal is the correct choice because it provides official compliance documentation and evidence for Microsoft cloud services, including certifications, audit reports, and attestations for standards like ISO/IEC 27001. It is designed to support customer due diligence, audits, and regulatory requirements by offering downloadable reports and compliance resources that demonstrate Microsoft’s adherence to recognized frameworks and standards.
The Azure Active Directory admin center (now Microsoft Entra admin center) is used to manage identities, authentication methods, conditional access, and tenant security settings. It supports implementing security controls, but it does not serve as the authoritative source for Microsoft’s compliance attestations (e.g., ISO audit reports). For evidence of Microsoft’s compliance with external standards, you should use the Service Trust Portal instead.
Core Concept: This question tests knowledge of where Microsoft publishes official compliance documentation for its cloud services (Microsoft 365, Azure, Dynamics 365) against external regulatory standards and certifications (for example ISO/IEC 27001, SOC, PCI DSS). In SC-900, this falls under foundational security/compliance concepts: understanding how organizations verify a cloud provider's compliance posture.

Why the Answer is Correct: The Microsoft Service Trust Portal (STP) is Microsoft's primary public portal for compliance resources. It provides access to audit reports, compliance guides, certificates, and documentation that demonstrate how Microsoft cloud services meet various regulatory and industry standards. For ISO specifically, STP is where you find ISO certificates, audit attestations, and related compliance documentation. This is the evidence a customer's own risk management and assurance processes consume during vendor due diligence.

Key Features: STP provides downloadable audit reports (e.g., SOC reports), certificates and attestations (e.g., ISO/IEC certifications), compliance guides, and documentation describing how Microsoft cloud services are secured and operated. Compliance Manager, which was historically reached from STP, now lives in the Microsoft Purview compliance portal and tracks your own organization's assessment-based compliance posture rather than Microsoft's. STP is designed for auditors, compliance officers, and security teams who need evidence for due diligence, vendor risk management, and regulatory audits.

Common Misconceptions: Learners often confuse STP with the Microsoft Purview compliance portal because Purview is where you configure compliance features (DLP, retention, eDiscovery, audit). However, Purview is primarily for managing your organization's compliance controls and data governance, not for retrieving Microsoft's third-party audit reports and certifications.
The other portals in this question are management consoles: the Endpoint Manager (Intune) admin center manages devices and endpoint policies, the Azure AD admin center (Microsoft Entra admin center) manages identities and access, and Azure Cost Management + Billing covers spend and chargeback. None of them is intended to publish Microsoft's compliance attestations. Exam Tips: If the question asks for "audit reports," "certifications," "attestations," "ISO/SOC/PCI documentation," or "how Microsoft complies," think Service Trust Portal. If it asks where you "configure" compliance policies (DLP, retention labels, eDiscovery), think Microsoft Purview compliance portal. If it asks about identity and access settings, think Microsoft Entra admin center; if it asks about costs/budgets, think Azure Cost Management + Billing.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Conditional access policies can use the device state as a signal.
Yes. Conditional Access policies can use device state as a signal. In Microsoft Entra, device-related conditions include device platform (iOS, Android, Windows, macOS), and—more importantly for “state”—whether the device is marked compliant by Microsoft Intune (device compliance) and/or whether it is Hybrid Azure AD joined / Microsoft Entra joined. Conditional Access can also use device filters (filter for devices) to include/exclude devices based on device attributes. These device signals allow policies such as “Require a compliant device” or “Allow access only from Hybrid Azure AD joined devices.” This is a common Zero Trust pattern: verify device health/state before granting access to sensitive apps. “No” would be incorrect because device context is one of the core Conditional Access inputs (signals) used to make access decisions.
Conditional access policies apply before first-factor authentication is complete.
No. Conditional Access policies do not apply before first-factor authentication is complete. Conditional Access evaluation requires that Entra ID can identify the user and understand the sign-in context (who is signing in, what app/resource is being accessed, and other conditions). That identification happens after the user submits primary credentials (the first factor). After the first factor, Conditional Access is evaluated and can then enforce additional requirements (controls), such as prompting for MFA, requiring a compliant device, or blocking access. In other words, CA is not a pre-authentication gate that runs before the user is known; it is part of the sign-in process that can require extra steps after initial authentication. Answering “Yes” would confuse Conditional Access with network-layer pre-auth controls (like some VPN/NAC scenarios). In Entra, CA is an identity-driven policy evaluated during sign-in, not before first-factor completion.
Conditional access policies can trigger multi-factor authentication (MFA) if a user attempts to access a specific application.
Yes. Conditional Access can trigger MFA when a user attempts to access a specific application. One of the most common Conditional Access configurations is: Assign the policy to specific users/groups, target one or more cloud apps (for example, Exchange Online, SharePoint Online, Azure Management, or a specific enterprise application), and then set the grant control to “Require multi-factor authentication.” This enables app-specific step-up authentication: users might sign in with only a password for low-risk apps, but when they access a sensitive application, Conditional Access requires MFA before granting access (issuing the token). Answering “No” would be incorrect because “Require MFA” is a built-in grant control in Conditional Access, and scoping policies to specific cloud apps is a core capability used to protect high-value resources.
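The two true statements in this hotspot (device state as a signal, MFA scoped to one application) combined into a single policy, as an added example written for this page (not code from the original page or from Microsoft). It creates the policy through the Microsoft Graph API using the Microsoft.Graph PowerShell SDK and assumes that module is installed and the caller can consent to the Policy.ReadWrite.ConditionalAccess scope. The three all-zero GUIDs are placeholders for your own group and application object IDs. The policy is created in report-only state so sign-ins are evaluated and logged against it before anything is enforced, and a break-glass group is excluded so a mistake cannot lock administrators out.

```powershell
# Added example: Conditional Access policy requiring MFA AND a compliant device
# for one application. GUIDs are placeholders; replace with real object IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$policy = @{
    displayName = "Require MFA and compliant device for Finance app"
    # Report-only: evaluated and visible in sign-in logs, not enforced. Change to
    # "enabled" only after reviewing what the logs say it would have blocked.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @("00000000-0000-0000-0000-000000000001")   # placeholder: Finance users group
            excludeGroups = @("00000000-0000-0000-0000-000000000002")   # placeholder: break-glass accounts
        }
        applications = @{
            includeApplications = @("00000000-0000-0000-0000-000000000003")  # placeholder: target app ID
        }
        clientAppTypes = @("all")
    }
    # Device state (compliantDevice, fed by Intune) and MFA are both grant controls here.
    # operator = AND means every listed control must be satisfied to get a token.
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"
```

Note where this policy sits in the sign-in flow, which is the point of the second statement in the hotspot: the user has already passed first-factor authentication before Entra knows the group membership and target application needed to evaluate it; the MFA and device-compliance requirements are then applied before the token is issued.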
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Sensitivity labels can be used to encrypt documents.
Yes. Sensitivity labels can be configured to encrypt documents. In Microsoft Purview Information Protection, a label can apply protection settings that include encryption and usage rights (for example, restricting who can open, edit, print, or forward). This protection is enforced by the Azure Rights Management service (the protection technology behind Microsoft Purview Information Protection; Purview Message Encryption covers email) and is designed to be persistent: the protection stays with the file even if it is copied outside the organization, and access is governed by the permissions configured on the label. This is a key exam concept: labels are not just "tags"; they can actively enforce controls. The alternative (No) would be incorrect because encryption is one of the primary reasons organizations deploy sensitivity labels: to prevent unauthorized access to sensitive content such as financial reports, HR data, or customer PII.
Sensitivity labels can add headers and footers to documents.
Yes. Sensitivity labels can add headers and footers to documents as part of content marking. When configuring a label, admins can define visual markings such as a header (for example, “Confidential”), a footer, and also watermarks for Office documents. These markings help users recognize the sensitivity level and support governance and compliance by reducing accidental sharing. This capability is commonly applied to Word, Excel, and PowerPoint documents in Microsoft 365 apps. Answering No would be incorrect because headers and footers are explicitly supported label actions for documents and are frequently referenced in Microsoft Purview Information Protection fundamentals.
Sensitivity labels can apply watermarks to emails.
No. Sensitivity labels can apply protection to emails (such as encrypting the message and controlling recipient permissions), and they can apply content markings to email in the form of headers and footers in supported clients. Watermarks, however, are applied only to documents (Word, Excel, PowerPoint): a label configured with a watermark applies it to documents and not to email messages. For SC-900, treat watermarking as a document marking capability rather than an email capability. Selecting Yes would therefore be incorrect because the watermark setting of a label is not applied to email.
What are two capabilities of Microsoft Defender for Endpoint? Each correct selection presents a complete solution. NOTE: Each correct selection is worth one point.
Correct. Automated investigation and remediation (AIR) is a core Defender for Endpoint capability. It automatically analyzes alerts and related artifacts (process trees, files, persistence, lateral movement indicators) and can take actions such as quarantining malware, stopping malicious processes, removing persistence mechanisms, and isolating devices. This helps scale security operations and reduces time to contain threats.
Incorrect. Transport encryption (for example, TLS/SSL for data in transit) is a general security mechanism used across many services, but it is not typically tested as a primary, distinguishing capability of Microsoft Defender for Endpoint. MDE focuses on endpoint prevention, detection, investigation, and response rather than providing network transport encryption features.
Incorrect. Shadow IT detection is most closely associated with Microsoft Defender for Cloud Apps (a CASB). That service discovers and assesses unsanctioned cloud applications by analyzing traffic logs and signals, enabling governance and policy enforcement for cloud app usage. Defender for Endpoint can provide device signals to Cloud Apps, but shadow IT detection is not an MDE core capability.
Correct. Attack surface reduction is a major Defender for Endpoint capability focused on prevention. It includes ASR rules (blocking risky behaviors like Office child processes), controlled folder access (anti-ransomware), network protection (blocking malicious domains/IPs), and exploit protection. These controls reduce exposure to common attack vectors and are frequently referenced in endpoint security exam objectives.
Core concept: Microsoft Defender for Endpoint (MDE) is Microsoft's endpoint security platform (part of Microsoft Defender XDR) that provides prevention, detection, investigation, and response (EDR/XDR) for devices such as Windows, macOS, Linux, iOS, and Android. In SC-900, you are expected to recognize MDE's core endpoint-focused capabilities.

Why the answer is correct: A (automated investigation and remediation) is a key MDE capability. When alerts are generated (for example, suspicious PowerShell, malware, credential theft behaviors), MDE can automatically investigate related entities (processes, files, registry keys, persistence mechanisms) and take remediation actions such as quarantining files, stopping processes, isolating devices, and removing persistence. This reduces mean time to respond and limits blast radius. D (attack surface reduction) is also a core MDE capability. Attack Surface Reduction (ASR) includes controls like ASR rules, controlled folder access, network protection, and exploit protection. These are preventive measures that reduce opportunities for common attack techniques (macro abuse, credential theft, ransomware behaviors), in line with defense in depth and least privilege.

Key features and best practices: MDE includes EDR telemetry, vulnerability management (Microsoft Defender Vulnerability Management), device isolation, advanced hunting (KQL), custom indicators, and integration with Microsoft Intune and Microsoft Defender for Cloud Apps. Best practice is to deploy ASR rules in audit mode first, review the audit events they generate, add exclusions for legitimate hits, and only then enforce; likewise, run automated investigation with appropriate roles and tuned alerts to avoid noise.

Common misconceptions: Transport encryption (B) is a general security control (e.g., TLS for data in transit) but is not a defining "capability" of Defender for Endpoint; it is typically associated with networking, email, or service-to-service security.
Shadow IT detection (C) is primarily a Microsoft Defender for Cloud Apps (CASB) capability, focused on discovering unsanctioned cloud app usage from network logs and signals. Exam tips: For SC-900, map products to their “home” capabilities: endpoints = MDE (EDR, ASR, automated investigation), cloud app discovery/shadow IT = Defender for Cloud Apps, email protection = Defender for Office 365, identity protection = Entra ID Protection. When you see “attack surface reduction” or “automated investigation,” think Defender for Endpoint.
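The "audit first, then enforce" rollout for ASR rules described above, as an added example written for this page (not code from the original page or from Microsoft). It uses the Defender Antivirus cmdlets and must run in an elevated PowerShell session on a Windows device with Microsoft Defender Antivirus active (in a managed fleet the same settings would normally be pushed by Intune rather than set locally). The GUID is Microsoft's identifier for the rule "Block all Office applications from creating child processes"; verify it against the current ASR rule reference before relying on it. The seven-day lookback is an arbitrary soak period chosen for the demo.

```powershell
# Added example: roll out one ASR rule in audit mode, read what it would have
# blocked, then switch it to block. Run elevated on a Windows device.
# Rule GUID assumed from Microsoft's ASR reference ("Block all Office applications
# from creating child processes"); verify before use.
$OfficeChildProcRule = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"

# 1. Audit first. Add-MpPreference merges with rules already configured;
#    Set-MpPreference would replace the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the configured state. Ids and Actions are parallel arrays;
#    action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0} -> action {1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. After the soak period, review audit hits. In the Defender operational log,
#    event 1122 = ASR rule audited (would have blocked), 1121 = ASR rule blocked.
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-Windows Defender/Operational"
    Id        = 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Enforce once the audit log shows only expected hits. Legitimate line-of-business
#    tools that appeared in step 3 need exclusions added before this step.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Watching for event 1121 after enforcement tells you whether the rule is doing real work; a rule that never fires in audit mode is either irrelevant to the estate or not actually applied, and step 2 distinguishes the two.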
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution used to provide a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Correct answer: D. Azure Sentinel (now Microsoft Sentinel). Azure Sentinel is Microsoft’s cloud-native SIEM and SOAR solution. It ingests data from Azure services, Microsoft security products (like Microsoft Defender), and third-party sources, then uses analytics rules and threat intelligence to detect alerts, provides incident management for investigation, supports proactive threat hunting with KQL (Kusto Query Language), and enables automated response using playbooks (Azure Logic Apps integration), which is the SOAR component. Why the others are wrong: - A. Azure Advisor focuses on best-practice recommendations for cost, reliability, performance, operational excellence, and security posture improvements—not SIEM/SOAR. - B. Azure Bastion provides secure RDP/SSH access to VMs over TLS via the Azure portal—an access solution, not a security operations platform. - C. Azure Monitor is for telemetry/metrics/log monitoring and alerting for infrastructure and apps; it is not a SIEM/SOAR (though Sentinel can use Log Analytics workspaces that are part of Azure Monitor).
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
Compliance Manager assesses compliance data ______ for an organization.
Correct answer: A (continually). Compliance Manager continually assesses compliance data by automatically evaluating technical controls based on your tenant’s current configuration and available signals. As settings change (for example, enabling MFA, adjusting retention policies, or configuring DLP), the compliance posture and score can update to reflect the new state. This continuous assessment supports ongoing compliance management rather than treating compliance as a periodic event. Why the others are wrong: - B (monthly) and D (quarterly): These imply a fixed audit cadence. While organizations may choose to review compliance on those schedules, Compliance Manager itself is designed to provide ongoing assessment and tracking. - C (on-demand): You can generate reports or review dashboards on-demand, but the underlying assessment is not limited to only when you request it; it is maintained continuously as part of the service’s operation.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
You can create one Azure Bastion per virtual network.
Yes. Azure Bastion is deployed as a resource in a specific virtual network by using the dedicated AzureBastionSubnet (which must be /26 or larger), so it is associated with a single VNet rather than with individual virtual machines, and a VNet hosts at most one Bastion host. Because Bastion reaches targets over their private IP addresses, that single host can also serve VMs in peered virtual networks, which is how it is commonly used in a hub-and-spoke topology. "No" is not correct because Bastion is not a per-VM service and the statement matches the standard VNet-scoped deployment model.
Azure Bastion provides secure user connections by using RDP.
Yes. Azure Bastion provides secure user connections to Windows VMs using RDP (and to Linux VMs using SSH). Bastion acts as an intermediary: the user session is established from the browser (Azure portal) to Bastion over HTTPS, and then Bastion connects to the target VM using RDP (TCP 3389) internally within the VNet. Why this is considered secure: you do not need to expose RDP directly to the internet via a public IP on the VM, and you typically do not need inbound NSG rules allowing 3389 from the internet. This reduces the attack surface and helps mitigate common threats like brute-force attacks against exposed RDP endpoints. Why “No” is wrong: RDP is explicitly one of the primary protocols Bastion supports (along with SSH).
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal.
Yes. A core capability of Azure Bastion is providing secure connectivity to Azure virtual machines directly from the Azure portal. Users initiate the session in the portal, and the connection is established over TLS (HTTPS/443) to the Bastion service, which then reaches the VM over private IP within the VNet using RDP or SSH. This is a key exam takeaway: Bastion enables “in-portal” RDP/SSH without requiring a public IP on the VM and without opening inbound management ports to the internet. It supports security best practices by centralizing and controlling administrative access. Why “No” is wrong: connecting via the Azure portal is the signature user experience for Bastion (even though some tiers/features may also support native client scenarios). The portal-based secure connection is fundamental to the service description.
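The deployment model the three Bastion statements describe (one host per VNet in AzureBastionSubnet, a public IP on Bastion rather than on the VM, and no management ports open to the internet), as an added example written for this page (not code from the original page or from Microsoft). It uses the Az.Network PowerShell module and assumes an existing virtual network; the resource group, VNet, subnet prefix, NIC and NSG names are placeholders. The final section is the check a reviewer wants after Bastion is in place: the VM should have lost its public IP and its NSG should no longer admit RDP/SSH from the internet.

```powershell
# Added example: deploy Azure Bastion into an existing VNet, then verify the VM
# side no longer exposes management ports. All names are placeholders.
$rg       = "rg-demo"
$vnetName = "vnet-hub"
$location = "westeurope"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# 1. Bastion requires a subnet named exactly AzureBastionSubnet, /26 or larger.
if (-not ($vnet.Subnets | Where-Object Name -eq "AzureBastionSubnet")) {
    Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.0.255.0/26" `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 2. The only public IP in this design belongs to Bastion (Standard SKU, static).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $location `
    -Sku Standard -AllocationMethod Static

# 3. One Bastion host per VNet; sessions arrive over HTTPS/443 and continue to
#    VMs over private IP (RDP 3389 / SSH 22) inside the VNet or peered VNets.
New-AzBastion -ResourceGroupName $rg -Name "bas-hub" -PublicIpAddress $pip -VirtualNetwork $vnet

# 4. Verify the VM side. First: no public IP left on the VM's NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-vm01"   # placeholder NIC name
if ($nic.IpConfigurations.PublicIpAddress) {
    Write-Warning "VM NIC still has a public IP attached; remove it so RDP/SSH only come via Bastion"
}

# Second: no inbound allow rule for RDP/SSH from the internet on the VM's NSG.
# (Simple match on exact ports; explicit ranges like "3000-4000" are not parsed here.)
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-vm"   # placeholder NSG name
$nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    $_.SourceAddressPrefix -in @("*", "Internet") -and
    $_.DestinationPortRange -in @("3389", "22", "*")
} | ForEach-Object {
    Write-Warning "Remove rule '$($_.Name)': it allows port $($_.DestinationPortRange) from the internet"
}
```

If the VM's subnet NSG needs an inbound rule at all, its source should be the AzureBastionSubnet prefix, not Internet; that is what makes the "no exposed 3389" property hold in practice rather than only on the diagram.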
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Microsoft Intune can be used to manage Android devices.
Yes. Microsoft Intune can manage Android devices using Mobile Device Management (MDM). With Intune, organizations can enroll Android devices (including Android Enterprise scenarios such as Work Profile for BYOD, Fully Managed, Dedicated, and Corporate-Owned Work Profile) and then apply configuration profiles, compliance policies, and app protection policies. This includes enforcing requirements like PIN/biometrics, encryption, OS version minimums, and blocking rooted devices. Intune can also deploy and manage apps from Managed Google Play and control data movement between apps using app protection policies (MAM), even in some cases without full device enrollment. Therefore, the statement is true because Android is a first-class supported platform for Intune endpoint management.
Microsoft Intune can be used to provision Azure subscriptions.
No. Microsoft Intune is not used to provision Azure subscriptions. Provisioning subscriptions is an Azure management and governance task performed through Azure (for example, via the Azure portal, Azure billing/account administration, Azure Resource Manager, management groups, and automation tools like ARM/Bicep/Terraform). Intune’s scope is endpoint and application management: enrolling devices, deploying apps, configuring settings, and evaluating device compliance. While Intune integrates with Microsoft Entra ID (Azure AD) and Conditional Access (where device compliance can be a signal to allow/block access to cloud apps), it does not create or allocate Azure subscriptions. So the statement is false because it confuses endpoint management (Intune) with cloud subscription provisioning and governance (Azure platform capabilities).
Microsoft Intune can be used to manage organization-owned devices and personal devices.
Yes. Microsoft Intune can manage both organization-owned (corporate) devices and personal (BYOD) devices. This is a core Intune concept for SC-900: supporting different ownership models with appropriate controls. For corporate devices, Intune can enforce full device management (MDM), including configuration baselines, compliance policies, app deployment, device restrictions, and (depending on platform) actions like remote wipe or reset. For personal devices, Intune commonly uses BYOD-friendly approaches such as Android Work Profile or iOS User Enrollment, and/or Mobile Application Management (MAM) app protection policies to protect organizational data within managed apps without fully controlling the entire device. This flexibility enables organizations to balance security and user privacy while still meeting compliance requirements, making the statement true.