Every answer is cross-verified by 3 leading AI models to ensure maximum accuracy. Get detailed per-option explanations and in-depth question analysis.
GPT Pro
Claude Opus
Gemini Pro
Per-option explanations
In-depth question analysis
3-model consensus accuracy
Practice Questions
1
Question 1
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Part 1:
______ is used to identify, hold, and export electronic information that might be used in an investigation.
Correct answer: C. eDiscovery.
Microsoft Purview eDiscovery is used to identify, preserve (place on hold), collect, review, and export electronically stored information (ESI) that may be needed for internal investigations, litigation, or regulatory requests. The phrase “identify, hold, and export” directly matches core eDiscovery capabilities: searching across Microsoft 365 data sources, applying legal holds to prevent deletion/alteration, and exporting results for external review tools or legal counsel.
Why the others are wrong:
- A. Customer Lockbox is about approving/denying Microsoft support access to your data during support requests; it is not an investigation/hold/export tool.
- B. Data loss prevention (DLP) focuses on preventing sensitive data from being shared or exfiltrated (policy enforcement), not legal holds and evidence export.
- D. A resource lock is an Azure governance feature to prevent accidental deletion/modification of Azure resources (e.g., a storage account), not to preserve and export investigation content.
2
Question 2
What can you use to provide a user with a two-hour window to complete an administrative task in Azure?
Azure AD (Microsoft Entra ID) Privileged Identity Management (PIM) enables just-in-time privileged access. Users can be assigned as “eligible” for a role and then activate it for a limited duration (for example, 2 hours). After the activation window, the role is automatically removed (deactivated). PIM can also require MFA, justification, approval, and provides auditing—ideal for temporary administrative tasks.
Azure Multi-Factor Authentication (MFA) adds a second verification method during sign-in or sensitive actions. While MFA reduces the risk of credential theft and can be required for admin actions, it does not provide a mechanism to grant a user administrative permissions for only a two-hour window. MFA strengthens authentication, not time-bound authorization/role elevation.
Azure AD (Microsoft Entra ID) Identity Protection detects and responds to identity-related risks (for example, leaked credentials, atypical travel, risky sign-ins). It can enforce remediation like requiring MFA or password reset based on risk. However, it is not used to provide temporary administrative role activation for a fixed time window such as two hours.
Conditional Access policies control access based on conditions (user/group, location, device compliance, app, risk, etc.) and can require controls like MFA. Conditional Access does not natively provide just-in-time role elevation or automatic deactivation of admin privileges after a set duration. It can restrict when/where admins sign in, but not grant timed admin rights.
Question Analysis
Core concept:
This question tests time-bound privileged access in Microsoft Entra ID (formerly Azure AD). The key capability is granting users elevated permissions only when needed and only for a limited duration, reducing standing administrative privileges (a major security risk).
Why the answer is correct:
Microsoft Entra ID Privileged Identity Management (PIM) is designed to provide “just-in-time” (JIT) privileged access. With PIM, a user can be made eligible for an administrative role (for example, Global Administrator, Privileged Role Administrator, or Azure RBAC roles in Azure resources) and then activate that role only when they need it. During activation, you can enforce a maximum activation duration—such as a two-hour window—after which the role automatically deactivates. This directly matches the requirement: “provide a user with a two-hour window to complete an administrative task.”
Key features and best practices:
PIM supports time-bound activation, approval workflows, MFA on activation, justification/ticketing, and alerting/auditing of privileged role use. These controls align with Azure Well-Architected Framework security principles (least privilege, reduce blast radius, and strong governance). In real-world operations, PIM is commonly used for break-glass reduction, controlled admin elevation for on-call engineers, and limiting access during change windows.
Common misconceptions:
MFA and Conditional Access can strengthen authentication and control access conditions, but they do not grant or revoke admin role membership on a timed basis. Identity Protection focuses on risk detection and automated remediation based on sign-in/user risk, not scheduled privilege elevation.
Exam tips:
When you see wording like “temporary admin access,” “time-bound elevation,” “just-in-time,” “eligible vs active role,” or “approval to activate a role,” think PIM. If the question is about requiring MFA, device compliance, location, or app restrictions, think Conditional Access. If it’s about risky sign-ins/users, think Identity Protection.
Want to practice all questions on the go?
Download Cloud Pass for free — includes practice tests, progress tracking & more.
Download Cloud Pass and access all Microsoft SC-900 practice questions for free.
Want to practice all questions on the go?
Get the free app
Download Cloud Pass for free — includes practice tests, progress tracking & more.
3
Question 3
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Part 1:
Azure DDoS Protection Standard can be used to protect ______
Correct answer: D (virtual networks).
Azure DDoS Protection Standard is enabled at the Virtual Network (VNet) level. When a VNet is protected, DDoS Standard provides enhanced mitigation for eligible resources within that VNet that have public IP exposure (for example, public IPs associated with Azure Load Balancer, Application Gateway, or internet-facing VMs). This is the key scope concept the exam expects: DDoS Standard is a network protection service applied to VNets, not to identity objects or management containers.
Why the other options are wrong:
A (Azure AD applications) is incorrect because Azure AD apps are identity/application registrations; DDoS Standard doesn’t attach to or protect Azure AD app objects.
B (Azure AD users) is incorrect because DDoS is not an identity attack type; Azure AD user protection is handled by services like Microsoft Entra ID Protection and Conditional Access.
C (resource groups) is incorrect because a resource group is a logical management container for resources; DDoS Standard is not enabled at the resource group scope. You enable it on a VNet, and then resources in that VNet benefit from the protection.
4
Question 4
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Part 1:
Control is a key privacy principle of Microsoft.
Yes. “Control” is a key Microsoft privacy principle. In Microsoft privacy guidance, control refers to giving customers and individuals meaningful choices and the ability to manage how their data is collected, used, and shared. In a cloud context, this shows up as capabilities such as configuring privacy settings, managing data retention, choosing where data is stored (where applicable), and using tools to access, export, or delete data.
Why not No: Microsoft explicitly positions customer control as foundational to privacy—customers should be able to determine how their data is handled and to configure services accordingly. This is distinct from security controls (like MFA) because the emphasis is on privacy choices and data handling, not only protection from threats.
Part 2:
Transparency is a key privacy principle of Microsoft.
Yes. “Transparency” is a key Microsoft privacy principle. Transparency means Microsoft communicates clearly about privacy practices—what data is collected, why it is collected, how it is used, how long it is retained, and with whom it may be shared. This is commonly reflected through privacy statements, product documentation, audit/compliance documentation, and service-specific disclosures.
Why not No: Transparency is repeatedly emphasized in Microsoft’s privacy posture because it enables informed decision-making and supports compliance obligations (for example, notice requirements under GDPR). In exam terms, transparency is a privacy principle, whereas items like threat protection or identity governance are security/identity capabilities rather than privacy principles.
Part 3:
Shared responsibility is a key privacy principle of Microsoft.
No. “Shared responsibility” is not a Microsoft privacy principle; it is a cloud service model concept (shared responsibility model) describing how responsibilities for security and compliance are divided between Microsoft (cloud provider) and the customer. For example, Microsoft is responsible for the security of the cloud (physical datacenters, core infrastructure), while customers are responsible for security in the cloud (identity configuration, data classification, access management, endpoint security, etc.), depending on IaaS/PaaS/SaaS.
Why not Yes: Although shared responsibility strongly influences privacy outcomes (customers must configure services appropriately to meet privacy obligations), Microsoft does not list “shared responsibility” as a privacy principle. It is taught under cloud security/compliance fundamentals, not as a privacy commitment like control or transparency.
5
Question 5
What is the purpose of Azure Active Directory (Azure AD) Password Protection?
Incorrect. Controlling how often users must change passwords relates to password expiration/age policies (for example, legacy password policy settings or domain password policies in AD DS). Entra ID Password Protection does not set rotation frequency; it evaluates password strength against banned lists when a password is created or changed. Modern best practices also emphasize strong passwords and MFA over frequent forced changes.
Incorrect. Identifying devices that can sign in without MFA is handled through Conditional Access policies, device compliance (Intune), and concepts like trusted locations or authentication strengths. Password Protection does not evaluate device trust or MFA requirements; it only checks the password string during password set/change operations to block weak or banned passwords.
Incorrect. Encrypting or hashing passwords is part of credential storage and authentication mechanisms (e.g., salted hashes, secure protocols), not the goal of Password Protection. Entra ID Password Protection focuses on preventing weak passwords from being chosen in the first place. It does not provide a user-facing feature to “encrypt a password” using recognized standards.
Correct. Entra ID Password Protection prevents users from using weak passwords by blocking passwords that contain banned terms from Microsoft’s global list and the organization’s custom list. This includes common words and predictable patterns, and it uses normalization/fuzzy matching to catch variations. The purpose is to reduce password spray and brute-force success by eliminating easily guessable passwords.
Question Analysis
Core concept:
Azure Active Directory (now Microsoft Entra ID) Password Protection is a capability that reduces password-based attacks by blocking weak and commonly used passwords. It does this by checking new or changed passwords against a global banned-password list maintained by Microsoft and (optionally) a custom banned-password list defined by the organization.
Why the answer is correct:
The primary purpose is to prevent users from choosing passwords that contain specific banned terms (for example, “Password123”, “Contoso2026!”, seasonal terms, or company/product names). This directly maps to option D: preventing users from using specific words in their passwords. The feature is designed to mitigate password spray and credential stuffing success rates by eliminating predictable passwords.
Key features, configuration, and best practices:
- Global banned password list: Microsoft-curated list of known weak passwords and variants.
- Custom banned password list: Add organization-specific terms (company name, brands, locations, internal project names). The system also performs fuzzy matching/normalization to catch common substitutions (e.g., “P@ssw0rd”).
- Smart lockout integration: While separate, it complements Password Protection by slowing brute-force attempts.
- Hybrid support: You can extend the same banned-password policy to on-premises Active Directory Domain Services by deploying the Azure AD Password Protection proxy service and DC agent.
- Well-Architected alignment: Under the Security pillar, this is a preventive control that reduces identity attack surface. Combine it with MFA, Conditional Access, and user education for defense-in-depth.
Common misconceptions:
Many learners confuse Password Protection with password expiration/rotation policies (how often users must change passwords) or with encryption/hashing of stored passwords. Password Protection is about password quality at creation/change time, not about how passwords are stored or how frequently they must be changed. Another confusion is thinking it designates “trusted devices” to bypass MFA; that is Conditional Access and device compliance, not Password Protection.
Exam tips:
If you see “banned passwords,” “weak passwords,” “custom banned list,” or “prevent common passwords,” think Entra ID Password Protection. If the question mentions MFA prompts, trusted locations/devices, or sign-in risk, think Conditional Access/Identity Protection. If it mentions password expiration, think password policy settings (and note modern guidance often discourages forced periodic changes unless there’s evidence of compromise).
6
Question 6
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Part 1:
______ is a cloud-based solution that leverages on-premises Active Directory signals to identify, detect, and investigate advanced threats.
Correct answer: C. Microsoft Defender for Identity.
Microsoft Defender for Identity is a cloud-based security solution designed specifically to use signals from on-premises Active Directory (AD) to identify, detect, and help investigate advanced threats, compromised identities, and malicious insider actions. It typically collects telemetry from domain controllers (via Defender for Identity sensors) and analyzes AD-related activities to surface suspicious behaviors and attack patterns.
Why the others are wrong:
- A. Microsoft Defender for Cloud Apps focuses on SaaS application discovery, shadow IT, app governance, and controlling/monitoring cloud app usage (CASB capabilities). It is not primarily about on-prem AD signals.
- B. Microsoft Defender for Endpoint focuses on endpoint devices (Windows, macOS, Linux, mobile) for EDR, vulnerability management, and attack surface reduction—not AD domain controller telemetry.
- D. Microsoft Defender for Office 365 protects email and collaboration (Exchange, SharePoint, OneDrive, Teams) against phishing, malware, and business email compromise, not on-prem AD signal-based identity threat detection.
7
Question 7
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Part 1:
Microsoft Defender for Identity can identify advanced threats from ______ signals.
Correct answer: C (on-premises Active Directory Domain Services (AD DS)).
Microsoft Defender for Identity identifies advanced threats by collecting and analyzing signals directly from on-prem AD DS environments. It does this using Defender for Identity sensors installed on domain controllers (or a standalone sensor) to monitor authentication and directory-related activity. These on-prem signals enable detections for identity-focused attacks such as suspicious logons, abnormal Kerberos/NTLM usage, reconnaissance, lateral movement, and other behaviors that are visible at the domain controller level.
Why the others are wrong:
A (Azure Active Directory/Azure AD, now Microsoft Entra ID) is primarily the signal source for cloud identity protections like Entra ID Protection, Conditional Access, and sign-in risk/user risk detections. While MDI integrates with cloud portals, its core telemetry is from on-prem AD DS.
B (Azure AD Connect) is a synchronization component used to sync identities between AD DS and Entra ID. It is not designed to provide the behavioral/security signals that MDI uses for advanced threat detection.
8
Question 8
Which Microsoft 365 compliance feature can you use to encrypt content automatically based on specific conditions?
Content Search (Microsoft Purview) is used to search across Microsoft 365 workloads (Exchange, SharePoint, OneDrive, Teams) to locate content that matches keywords, conditions, or sensitive info types. It supports compliance investigations and data discovery, but it does not apply protection controls like encryption. It’s a “find and export” capability, not an “automatically protect” capability.
Sensitivity labels classify and protect data. They can apply encryption, access restrictions, and visual markings. When paired with auto-labeling policies, labels can be applied automatically based on conditions such as sensitive information types, keywords, or trainable classifiers. Because encryption is a label protection setting, sensitivity labels are the Microsoft 365 feature that enables automatic encryption based on specific conditions.
Retention policies govern the lifecycle of content—how long it is retained and what happens at the end of the retention period (delete, retain, or retain then delete). Retention is about records management and regulatory requirements, not confidentiality controls. While retention can be condition-based in some scenarios, it does not encrypt content or control who can access it.
eDiscovery (Standard/Premium) supports legal and investigative workflows: placing holds, collecting data, reviewing, and exporting evidence. It helps preserve and analyze content but does not automatically encrypt content based on conditions. eDiscovery may identify sensitive content during review, yet protection/encryption enforcement is handled by information protection features like sensitivity labels.
Question Analysis
Core concept:
This question tests Microsoft Purview Information Protection in Microsoft 365—specifically how organizations classify and protect data. The feature that can automatically apply encryption based on conditions (like keywords, sensitive info types, or locations) is sensitivity labels.
Why the answer is correct:
Sensitivity labels can be configured with protection settings such as encryption (Azure Rights Management), content marking (headers/footers/watermarks), and access restrictions. When combined with auto-labeling policies, Microsoft 365 can automatically apply a label—and therefore automatically encrypt content—when specific conditions are met (for example, detecting credit card numbers, national IDs, or “Confidential” project terms). This aligns with compliance goals by enforcing consistent protection without relying on users to manually encrypt files or emails.
Key features and configuration points:
Sensitivity labels are created in the Microsoft Purview compliance portal. You define label scope (Files & emails, Groups & sites, etc.) and protection settings (encrypt, assign permissions, set expiration, allow offline access). Auto-labeling can be applied in Exchange, SharePoint, OneDrive, and Microsoft 365 apps depending on licensing and workload support. This supports the Azure Well-Architected Framework security pillar by reducing human error and applying least privilege through policy-driven access controls.
Common misconceptions:
People often confuse retention policies with protection. Retention controls how long content is kept or deleted, not encryption. eDiscovery and Content Search are about finding and exporting content for investigations, not applying encryption. They may surface sensitive data, but they don’t enforce protection automatically.
Exam tips:
For SC-900, remember: “encrypt/classify/protect” maps to sensitivity labels (Microsoft Purview Information Protection). “Keep/delete content” maps to retention. “Find content” maps to Content Search. “Legal case workflow” maps to eDiscovery. If the question mentions automatic protection based on conditions, think “auto-labeling + sensitivity labels.”
9
Question 9
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Part 1:
Azure Policy supports automatic remediation.
Yes. Azure Policy supports automatic (or semi-automatic) remediation through policy effects such as DeployIfNotExists and Modify. When these policies are assigned, you can create a remediation task that uses a managed identity to deploy missing configurations or modify existing resources to bring them into compliance (for example, automatically adding required tags, enabling diagnostic settings, or deploying a specific configuration if it’s missing).
It’s important to note the nuance: not every policy can remediate. Policies with Deny prevent non-compliant changes but don’t “fix” existing resources. Policies with Audit only report. Remediation is specifically associated with DeployIfNotExists/Modify and requires appropriate permissions and, often, a managed identity. Because Azure Policy does provide a remediation mechanism, the statement that it supports automatic remediation is true.
Part 2:
Azure Policy can be used to ensure that new resources adhere to corporate standards.
Yes. A primary use case for Azure Policy is ensuring that new resources adhere to corporate standards. You can assign policies that enforce standards at deployment time (for example, Deny creation of resources outside approved regions, require specific SKUs, enforce naming/tagging conventions, or require encryption settings). When a Deny policy is in place, non-compliant resource creation or updates are blocked, which is a direct way to ensure new resources meet organizational requirements.
This is a foundational governance pattern in Azure: define standards as policy definitions, assign them at the appropriate scope (often management group for enterprise-wide standards), and use initiatives (policy sets) to group related requirements. Therefore, Azure Policy can be used to ensure new resources adhere to corporate standards.
Part 3:
Compliance evaluation in Azure Policy occurs only when a target resource is created or modified.
No. Compliance evaluation in Azure Policy does not occur only when a target resource is created or modified. Azure Policy performs periodic compliance scans to evaluate existing resources against assigned policies, which helps detect configuration drift and newly discovered non-compliance even if no recent change was made to the resource.
Additionally, compliance evaluation can be triggered on demand (for example, via the Azure portal or APIs) and is also influenced by policy assignment changes (if you assign a new policy, existing resources are evaluated against it). While creation/modification events are important moments where policy can deny or audit changes, ongoing evaluation is a key feature for continuous compliance reporting. Because evaluation is continuous/periodic and not limited strictly to create/modify events, the statement is false.
10
Question 10
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Part 1:
You can add a resource lock to an Azure subscription.
Yes. You can add a resource lock at the subscription scope. Azure resource locks support multiple scopes: management group, subscription, resource group, and individual resource. When you apply a lock at the subscription level, it is inherited by all resource groups and resources within that subscription, which is useful for broad protection (for example, preventing deletion of all resources in a production subscription).
This is a governance feature of Azure Resource Manager, not tied to a specific service. The lock can be CanNotDelete or ReadOnly. The main caveat is that applying a subscription-level lock can have wide operational impact, so it should be used carefully and typically combined with RBAC and policy. Therefore, the statement is true.
Part 2:
You can add only one resource lock to an Azure resource.
No. You can add more than one resource lock to an Azure resource. Azure supports multiple locks at the same scope (for example, a CanNotDelete lock and a ReadOnly lock), and locks can also be inherited from parent scopes (resource group, subscription, management group). The effective restriction is the most restrictive combination of all applicable locks.
For example, if a resource has no direct lock but the resource group has a CanNotDelete lock, the resource cannot be deleted. If you then add a ReadOnly lock directly on the resource, it becomes read-only as well. Because multiple locks can exist and stack/inherit, the statement “only one resource lock” is incorrect.
Part 3:
You can delete a resource group containing resources that have resource locks.
No. You cannot delete a resource group if it contains resources that have resource locks that prevent deletion. Deleting a resource group is effectively a bulk delete operation for all contained resources. If any contained resource has a CanNotDelete lock (or a ReadOnly lock, which also blocks deletion), the delete operation will fail until the lock is removed.
This is a common exam trap: even if you have Owner permissions, the lock still blocks deletion unless you first remove the lock (and you must have permissions to remove locks). In practice, administrators remove or adjust locks as part of a controlled change process before deleting a resource group. Therefore, the statement is false.
