Microsoft
Microsoft
228+ preguntas de práctica gratuitas con respuestas verificadas por IA
Microsoft Security, Compliance, and Identity Fundamentals
Todas las preguntas
y respuestas gratis
Explicación
detallada
Lo más cercano
al examen realImpulsado por IA
Cada respuesta de Microsoft SC-900 es verificada de forma cruzada por 3 modelos de IA líderes para garantizar la máxima precisión. Obtén explicaciones detalladas por opción y análisis profundo de cada pregunta.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ is used to identify, hold, and export electronic information that might be used in an investigation.
Correct answer: C. eDiscovery. Microsoft Purview eDiscovery is used to identify, preserve (place on hold), collect, review, and export electronically stored information (ESI) that may be needed for internal investigations, litigation, or regulatory requests. The phrase “identify, hold, and export” directly matches core eDiscovery capabilities: searching across Microsoft 365 data sources, applying legal holds to prevent deletion/alteration, and exporting results for external review tools or legal counsel. Why the others are wrong: - A. Customer Lockbox is about approving/denying Microsoft support access to your data during support requests; it is not an investigation/hold/export tool. - B. Data loss prevention (DLP) focuses on preventing sensitive data from being shared or exfiltrated (policy enforcement), not legal holds and evidence export. - D. A resource lock is an Azure governance feature to prevent accidental deletion/modification of Azure resources (e.g., a storage account), not to preserve and export investigation content.
What can you use to provide a user with a two-hour window to complete an administrative task in Azure?
Azure AD (Microsoft Entra ID) Privileged Identity Management (PIM) enables just-in-time privileged access. Users can be assigned as “eligible” for a role and then activate it for a limited duration (for example, 2 hours). After the activation window, the role is automatically removed (deactivated). PIM can also require MFA, justification, approval, and provides auditing—ideal for temporary administrative tasks.
Azure Multi-Factor Authentication (MFA) adds a second verification method during sign-in or sensitive actions. While MFA reduces the risk of credential theft and can be required for admin actions, it does not provide a mechanism to grant a user administrative permissions for only a two-hour window. MFA strengthens authentication, not time-bound authorization/role elevation.
Azure AD (Microsoft Entra ID) Identity Protection detects and responds to identity-related risks (for example, leaked credentials, atypical travel, risky sign-ins). It can enforce remediation like requiring MFA or password reset based on risk. However, it is not used to provide temporary administrative role activation for a fixed time window such as two hours.
Conditional Access policies control access based on conditions (user/group, location, device compliance, app, risk, etc.) and can require controls like MFA. Conditional Access does not natively provide just-in-time role elevation or automatic deactivation of admin privileges after a set duration. It can restrict when/where admins sign in, but not grant timed admin rights.
Core concept: This question tests time-bound privileged access in Microsoft Entra ID (formerly Azure AD). The key capability is granting users elevated permissions only when needed and only for a limited duration, reducing standing administrative privileges (a major security risk). Why the answer is correct: Microsoft Entra ID Privileged Identity Management (PIM) is designed to provide “just-in-time” (JIT) privileged access. With PIM, a user can be made eligible for an administrative role (for example, Global Administrator, Privileged Role Administrator, or Azure RBAC roles in Azure resources) and then activate that role only when they need it. During activation, you can enforce a maximum activation duration—such as a two-hour window—after which the role automatically deactivates. This directly matches the requirement: “provide a user with a two-hour window to complete an administrative task.” Key features and best practices: PIM supports time-bound activation, approval workflows, MFA on activation, justification/ticketing, and alerting/auditing of privileged role use. These controls align with Azure Well-Architected Framework security principles (least privilege, reduce blast radius, and strong governance). In real-world operations, PIM is commonly used for break-glass reduction, controlled admin elevation for on-call engineers, and limiting access during change windows. Common misconceptions: MFA and Conditional Access can strengthen authentication and control access conditions, but they do not grant or revoke admin role membership on a timed basis. Identity Protection focuses on risk detection and automated remediation based on sign-in/user risk, not scheduled privilege elevation. Exam tips: When you see wording like “temporary admin access,” “time-bound elevation,” “just-in-time,” “eligible vs active role,” or “approval to activate a role,” think PIM. If the question is about requiring MFA, device compliance, location, or app restrictions, think Conditional Access. If it’s about risky sign-ins/users, think Identity Protection.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
All Azure Active Directory (Azure AD) license editions include the same features.
No. Azure AD/Microsoft Entra ID license editions do not include the same features. The Free edition provides core directory services such as user and group management, basic security defaults, and single sign-on for many apps. Premium editions add advanced identity governance and security capabilities. For example, Microsoft Entra ID P1 commonly includes Conditional Access and dynamic groups, which are frequently tested concepts in SC-900. Microsoft Entra ID P2 adds higher-end protections such as Identity Protection (risk-based policies) and Privileged Identity Management (PIM). These differences are central to how organizations choose licensing based on security and compliance requirements. Therefore, the statement is false because feature sets vary significantly by edition and by the bundle (e.g., Microsoft 365 E3/E5, EMS E3/E5) that includes Entra ID capabilities.
You can manage an Azure Active Directory (Azure AD) tenant by using the Azure portal.
Yes. You can manage an Azure AD/Microsoft Entra ID tenant using the Azure portal. The Azure portal provides administrative experiences for directory management tasks such as creating and managing users and groups, configuring app registrations, managing enterprise applications, reviewing sign-in logs (depending on licensing), and setting tenant properties. In addition to the Azure portal, Microsoft also provides the Microsoft Entra admin center, which is a dedicated portal for identity administration and is commonly referenced in newer documentation. However, the existence of the Entra admin center does not invalidate the Azure portal as a management tool. For exam purposes, remember: Entra ID is a cloud service, and its configuration is performed through web portals and APIs (e.g., Microsoft Graph), not by managing servers.
You must deploy Azure virtual machines to host an Azure Active Directory (Azure AD) tenant.
No. You do not need to deploy Azure virtual machines to host an Azure AD/Microsoft Entra ID tenant. Entra ID is a Microsoft-managed cloud identity service (SaaS). Microsoft operates the underlying infrastructure, handles scaling, availability, and patching, and you consume the service by creating a tenant and configuring identity settings. Deploying VMs is associated with self-managed identity solutions like Windows Server Active Directory Domain Services (AD DS) running on IaaS, or with hybrid identity components such as Microsoft Entra Connect (which typically runs on a server/VM) to synchronize on-prem AD DS identities to Entra ID. So while VMs might be used to support hybrid scenarios, they are not required to “host” the Entra ID tenant itself, making the statement false.
What is a use case for implementing information barrier policies in Microsoft 365?
Incorrect. Restricting unauthenticated access to Microsoft 365 is an identity/access control scenario typically addressed with Microsoft Entra ID authentication, Conditional Access, MFA, and tenant access settings. Information barriers assume authenticated users and focus on preventing communication/collaboration between specific internal groups, not blocking anonymous access to the service.
Correct. A classic information barrier use case is preventing certain internal groups from communicating in Microsoft Teams (chat, calls, meetings, and team membership). This supports regulatory or ethical separation (e.g., finance “wall” scenarios). IB policies define segments and block communication between them, enforcing internal separation of duties.
Correct. Information barriers can also restrict Exchange Online communication between defined segments, preventing email interactions between certain groups within the organization. This aligns with compliance requirements where internal communications must be controlled (e.g., legal/insider trading restrictions). The policy model is segment-based and enforced across supported workloads.
Incorrect. Restricting data sharing to external email recipients is generally handled through Exchange Online mail flow rules, anti-spam policies, tenant external sharing controls, DLP policies, and sensitivity labels/encryption. While IB focuses on internal segmentation and preventing communication between internal groups, it is not primarily designed as an external recipient sharing control.
Core concept: Information barriers (IB) in Microsoft 365 are compliance controls designed to prevent certain users or groups from communicating or collaborating with each other. They are commonly used to meet regulatory, legal, or ethical requirements (for example, separating “insider” groups like trading from advisory teams in financial services). Why the answer is correct: A primary use case for information barriers is restricting communication between specific segments of an organization across Microsoft 365 workloads. This includes preventing Microsoft Teams interactions (chat, calling, meetings, and team membership) between defined groups, and preventing Exchange Online communication (email and related directory-based interactions) between those groups. Therefore, both restricting Teams chats (B) and restricting Exchange Online email (C) are valid use cases. Key features and configuration points: IB policies are built around “segments” (users grouped by attributes such as department, role, or custom attributes). Policies then define whether segments can communicate (“allow”) or must be blocked (“block”). IB integrates with Microsoft Purview compliance capabilities and relies on directory attributes (Microsoft Entra ID) to place users into segments. In practice, organizations implement IB alongside governance practices (clear segmentation strategy, change control, and testing) aligned with the Azure Well-Architected Framework’s Security pillar (least privilege and separation of duties) and Operational Excellence (policy lifecycle management). Common misconceptions: Information barriers are not primarily about blocking unauthenticated access (that’s identity and access management, e.g., Conditional Access). They also are not the main tool for restricting sharing to external recipients; that is typically handled by external sharing settings, DLP, sensitivity labels, and Exchange mail flow rules. Exam tips: For SC-900, remember: Information barriers = “prevent internal communication/collaboration between groups” (often regulatory). If the option mentions separating departments from communicating in Teams/Exchange, think information barriers. If it mentions external sharing or unauthenticated access, think other controls (Conditional Access, DLP, sensitivity labels, sharing policies).
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
Azure DDoS Protection Standard can be used to protect ______
Correct answer: D (virtual networks). Azure DDoS Protection Standard is enabled at the Virtual Network (VNet) level. When a VNet is protected, DDoS Standard provides enhanced mitigation for eligible resources within that VNet that have public IP exposure (for example, public IPs associated with Azure Load Balancer, Application Gateway, or internet-facing VMs). This is the key scope concept the exam expects: DDoS Standard is a network protection service applied to VNets, not to identity objects or management containers. Why the other options are wrong: A (Azure AD applications) is incorrect because Azure AD apps are identity/application registrations; DDoS Standard doesn’t attach to or protect Azure AD app objects. B (Azure AD users) is incorrect because DDoS is not an identity attack type; Azure AD user protection is handled by services like Microsoft Entra ID Protection and Conditional Access. C (resource groups) is incorrect because a resource group is a logical management container for resources; DDoS Standard is not enabled at the resource group scope. You enable it on a VNet, and then resources in that VNet benefit from the protection.
¿Quieres practicar todas las preguntas en cualquier lugar?
Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ provides best practices from Microsoft employees, partners, and customers, including tools and guidance to assist in an Azure deployment.
Correct answer: C (The Microsoft Cloud Adoption Framework for Azure). The Cloud Adoption Framework (CAF) is explicitly designed to provide best practices, guidance, and tools for adopting and deploying workloads in Azure. It includes structured methodologies (Strategy, Plan, Ready, Adopt, Govern, Manage) and practical resources such as landing zone guidance, governance and management best practices, and organizational alignment recommendations. The wording “best practices from Microsoft employees, partners, and customers” strongly matches CAF’s purpose and positioning. Why the others are wrong: - A (Azure Blueprints) is a governance/deployment mechanism that helps you orchestrate and repeat deployments of compliant environments by bundling artifacts (policies, role assignments, templates). It is not primarily a best-practices guidance library. - B (Azure Policy) is an enforcement and compliance evaluation service that applies rules to resources (audit/deny/modify). It doesn’t provide broad adoption best practices. - D (A resource lock) is a protective control to prevent accidental deletion or modification of resources; it provides no deployment guidance or best-practice framework.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
Federation is used to establish ______ between organizations.
Federation is used to establish a trust relationship between organizations. In a federated setup, one organization (the relying party/service provider) trusts another organization’s identity provider to authenticate users and issue security tokens (claims). This trust allows users to sign in using their home organization’s credentials while accessing resources in the other organization, enabling cross-organization SSO. Why the other options are incorrect: A (MFA): Multi-factor authentication is a control that can be enforced within an identity system, but federation itself does not “establish MFA.” MFA can be required in either organization, yet it’s not the defining purpose of federation. C (user account synchronization): Synchronization copies or aligns identity objects between directories (e.g., Entra Connect syncing from AD DS). Federation avoids needing to synchronize passwords by relying on token-based trust. D (VPN connection): A VPN provides network-level connectivity. Federation is an identity/authentication mechanism and works independently of VPNs.
What do you use to provide real-time integration between Azure Sentinel and another security source?
Azure AD Connect is used to synchronize identities between on-premises Active Directory and Microsoft Entra ID. Its purpose is hybrid identity enablement, such as syncing users, groups, and authentication-related settings. It does not function as a Microsoft Sentinel ingestion or integration feature for security telemetry. Even though identity-related logs can be monitored in Sentinel, Azure AD Connect is not the tool used to connect those logs to Sentinel.
A Log Analytics workspace is the underlying data store and analytics engine used by Microsoft Sentinel. It is where ingested logs are stored and queried, but it is not the feature that establishes the connection to an external security source. In other words, the workspace is the destination and analysis layer, while the connector is the integration mechanism. This makes it a necessary component of Sentinel, but not the best answer to this question.
Azure Information Protection is a service for classifying, labeling, and protecting sensitive information. It helps organizations apply encryption and usage restrictions to documents and emails for data protection and compliance purposes. It is not a Microsoft Sentinel feature for integrating external security data sources. While events from related services may ultimately be monitored in Sentinel, Azure Information Protection itself is not the mechanism used to connect those sources.
A connector is the correct answer because Microsoft Sentinel uses data connectors to integrate with Microsoft and third-party security sources. These connectors define how data is collected and ingested into Sentinel, whether through APIs, agents, Syslog/CEF, or native Microsoft integrations. After configuration, the incoming security data becomes available for analytics rules, hunting queries, and incident investigation. On the exam, 'connector' or 'data connector' is the standard term for linking a source to Sentinel.
Core concept: Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native SIEM/SOAR. Its value depends on ingesting security data from many sources (Microsoft and third-party). Real-time or near-real-time integration is achieved through built-in data connectors (and related ingestion methods like API-based collection, agent-based collection, and streaming). Why the answer is correct: A connector (data connector) is the Sentinel feature used to integrate another security source and continuously ingest its logs/alerts into Sentinel. Connectors provide the configuration and plumbing to pull or receive data from sources such as Microsoft Defender products, Microsoft Entra ID, AWS, Palo Alto, Cisco, and many others. Many connectors support near-real-time ingestion and also enable additional capabilities such as incident creation, analytics rule templates, and workbooks tailored to that source. Key features / configuration points: - Connectors are managed in Microsoft Sentinel under Content management / Data connectors. - Connectors commonly use one of these patterns: Azure Monitor Agent/Log Analytics agent, REST APIs, Event Hubs/CEF/Syslog, or Microsoft-native integrations. - Data lands in the Sentinel-backed Log Analytics workspace as tables; analytics rules then query that data (KQL) to create alerts/incidents. - Best practice (Azure Well-Architected Framework – Security and Operational Excellence): standardize ingestion with supported connectors, validate data health (connector status, data volume), and use least privilege for API permissions. Common misconceptions: Many learners confuse the Log Analytics workspace with the integration mechanism. The workspace is the storage/analytics backend, but it doesn’t itself “integrate” a new source in real time—you still need a connector (or custom ingestion) to get data into the workspace. Similarly, Azure AD Connect and Azure Information Protection are security/identity services but are not Sentinel integration mechanisms. Exam tips: For SC-900, remember: Sentinel integrates data sources via “data connectors.” The Log Analytics workspace is required for Sentinel, but connectors are what you use to bring in data from other security sources. If the question says “integrate Sentinel with another security source,” the safest answer is typically “a connector.”
Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standard, such as International Organization for Standardization (ISO)?
Microsoft Endpoint Manager admin center (Intune) is used to manage devices, apps, and endpoint security policies (e.g., compliance policies, configuration profiles, conditional access integration). While it can report whether devices meet your organization’s compliance rules, it does not provide Microsoft’s third-party audit attestations (like ISO certificates) for Microsoft cloud services. It’s an operational management portal, not a compliance evidence repository.
Azure Cost Management + Billing focuses on financial governance: tracking spend, budgets, cost allocation, and billing accounts/subscriptions. It helps with cost optimization (Azure Well-Architected cost pillar) but is unrelated to demonstrating regulatory compliance with standards like ISO. You won’t find audit reports or compliance attestations there; it’s for cost analysis and billing administration.
Microsoft Service Trust Portal is the correct choice because it provides official compliance documentation and evidence for Microsoft cloud services, including certifications, audit reports, and attestations for standards like ISO/IEC 27001. It is designed to support customer due diligence, audits, and regulatory requirements by offering downloadable reports and compliance resources that demonstrate Microsoft’s adherence to recognized frameworks and standards.
The Azure Active Directory admin center (now Microsoft Entra admin center) is used to manage identities, authentication methods, conditional access, and tenant security settings. It supports implementing security controls, but it does not serve as the authoritative source for Microsoft’s compliance attestations (e.g., ISO audit reports). For evidence of Microsoft’s compliance with external standards, you should use the Service Trust Portal instead.
Core Concept: This question tests knowledge of where Microsoft publishes official compliance documentation for its cloud services (Microsoft 365, Azure, Dynamics 365) against external regulatory standards and certifications (for example ISO/IEC 27001, SOC, PCI DSS). In SC-900, this falls under foundational security/compliance concepts: understanding how organizations verify a cloud provider’s compliance posture. Why the Answer is Correct: The Microsoft Service Trust Portal (STP) is Microsoft’s primary public portal for compliance resources. It provides access to audit reports, compliance guides, certificates, and documentation that demonstrate how Microsoft cloud services meet various regulatory and industry standards. For ISO specifically, STP is where you typically find ISO certificates, audit attestations, and related compliance documentation. This aligns with governance and risk management needs and supports the Azure Well-Architected Framework’s Security pillar (risk management, assurance, and compliance evidence). Key Features: STP includes Compliance Manager (assessment-based compliance posture tracking), downloadable audit reports (e.g., SOC reports), certificates/attestations (e.g., ISO/IEC certifications), and detailed documentation such as the Microsoft cloud security and compliance “trust” content. It is designed for auditors, compliance officers, and security teams who need evidence for due diligence, vendor risk management, and regulatory audits. Common Misconceptions: Learners often confuse STP with the Microsoft Purview compliance portal because Purview is where you configure compliance features (DLP, retention, eDiscovery, audit). However, Purview is primarily for managing your organization’s compliance controls and data governance, not for retrieving Microsoft’s third-party audit reports and certifications. Similarly, Microsoft 365 admin center is for tenant administration, and Azure Cost Management is for spend/chargeback—neither is intended for compliance attestations. Exam Tips: If the question asks for “audit reports,” “certifications,” “attestations,” “ISO/SOC/PCI documentation,” or “how Microsoft complies,” think Service Trust Portal. If it asks where you “configure” compliance policies (DLP, retention labels, eDiscovery), think Microsoft Purview compliance portal. If it asks about user/tenant settings, think Microsoft 365 admin center; if it asks about costs/budgets, think Azure Cost Management + Billing.
In the shared responsibility model for an Azure deployment, what is Microsoft solely responsible for managing?
Management of mobile devices is not solely Microsoft’s responsibility in an Azure deployment. Device management (enrollment, compliance policies, app protection, configuration profiles) is typically handled by the customer using tools like Microsoft Intune (Microsoft Endpoint Manager). Microsoft provides the service platform, but the customer defines policies and manages their device fleet and compliance requirements.
Permissions for user data stored in Azure are primarily the customer’s responsibility. Microsoft secures the platform and offers capabilities like Azure RBAC, Microsoft Entra ID, storage access controls, and logging, but the customer must configure who can access data, apply least privilege, manage identities/roles, and implement governance. Misconfigurations here are a common cause of data exposure.
Creation and management of user accounts is generally the customer’s responsibility. Customers create users, groups, and roles in Microsoft Entra ID (or synchronize from on-premises), set authentication methods, configure conditional access, and manage lifecycle processes (joiner/mover/leaver). Microsoft operates the identity service infrastructure, but it does not decide which accounts exist or what access they have.
Management of the physical hardware is solely Microsoft’s responsibility in Azure. This includes servers, storage arrays, networking gear, and the datacenter facilities (power, cooling, physical access controls). Customers cannot access or maintain this hardware; they consume Azure services abstracted from the physical layer. This is the clearest “provider-only” responsibility in the shared responsibility model.
Core concept: This question tests the Azure shared responsibility model. In cloud services, security and management responsibilities are split between the cloud provider (Microsoft) and the customer. The split varies by service type (IaaS, PaaS, SaaS), but some responsibilities always remain with Microsoft. Why the answer is correct: Microsoft is solely responsible for managing the physical infrastructure that runs Azure: datacenters, physical servers, storage devices, networking equipment, and the environmental controls (power, cooling, physical access controls). Customers never directly manage or access this hardware. This is a foundational promise of public cloud: the provider owns and operates the underlying physical layer and is accountable for its availability, maintenance, replacement, and physical security. Key features / practices to know: Microsoft implements physical security controls (guards, cameras, access badges, secure perimeters), hardware lifecycle management, and resiliency at the datacenter and region level. These controls align with the Azure Well-Architected Framework (especially Reliability and Security pillars) by ensuring the platform is resilient and protected. Customers build on top of this by configuring identity, network controls, encryption, and monitoring, but they do not patch or replace physical components. Common misconceptions: Learners often assume Microsoft also manages “permissions for user data” or “user accounts” because those are security-related. In reality, identity and access management (IAM) and data access permissions are primarily customer responsibilities in Azure (e.g., Microsoft Entra ID configuration, RBAC, conditional access, key management choices). Microsoft provides the tools and secure defaults, but the customer decides who can access what. Exam tips: For SC-900, memorize the baseline: Microsoft is always responsible for physical security and the underlying cloud infrastructure. Customers are always responsible for their data, identities, and access configuration. When you see options mentioning hardware/datacenters/physical network, that’s typically Microsoft’s sole responsibility; when you see users, permissions, and devices, that’s usually the customer’s responsibility (with some variation in SaaS).
¿Quieres practicar todas las preguntas en cualquier lugar?
Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Control is a key privacy principle of Microsoft.
Yes. “Control” is a key Microsoft privacy principle. In Microsoft privacy guidance, control refers to giving customers and individuals meaningful choices and the ability to manage how their data is collected, used, and shared. In a cloud context, this shows up as capabilities such as configuring privacy settings, managing data retention, choosing where data is stored (where applicable), and using tools to access, export, or delete data. Why not No: Microsoft explicitly positions customer control as foundational to privacy—customers should be able to determine how their data is handled and to configure services accordingly. This is distinct from security controls (like MFA) because the emphasis is on privacy choices and data handling, not only protection from threats.
Transparency is a key privacy principle of Microsoft.
Yes. “Transparency” is a key Microsoft privacy principle. Transparency means Microsoft communicates clearly about privacy practices—what data is collected, why it is collected, how it is used, how long it is retained, and with whom it may be shared. This is commonly reflected through privacy statements, product documentation, audit/compliance documentation, and service-specific disclosures. Why not No: Transparency is repeatedly emphasized in Microsoft’s privacy posture because it enables informed decision-making and supports compliance obligations (for example, notice requirements under GDPR). In exam terms, transparency is a privacy principle, whereas items like threat protection or identity governance are security/identity capabilities rather than privacy principles.
Shared responsibility is a key privacy principle of Microsoft.
No. “Shared responsibility” is not a Microsoft privacy principle; it is a cloud service model concept (shared responsibility model) describing how responsibilities for security and compliance are divided between Microsoft (cloud provider) and the customer. For example, Microsoft is responsible for the security of the cloud (physical datacenters, core infrastructure), while customers are responsible for security in the cloud (identity configuration, data classification, access management, endpoint security, etc.), depending on IaaS/PaaS/SaaS. Why not Yes: Although shared responsibility strongly influences privacy outcomes (customers must configure services appropriately to meet privacy obligations), Microsoft does not list “shared responsibility” as a privacy principle. It is taught under cloud security/compliance fundamentals, not as a privacy commitment like control or transparency.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ a file makes the data in the file readable and usable to viewers that have the appropriate key.
Correct answer: D. Encrypting. Encrypting a file converts readable plaintext into unreadable ciphertext using an encryption algorithm and a cryptographic key. Only viewers (users, services, or applications) that have the appropriate key (and permission to use it) can decrypt the file and make the data readable and usable again. This directly matches the sentence’s wording: “readable and usable to viewers that have the appropriate key.” Why the other options are wrong: - A. Archiving: Typically bundles files and/or moves them to long-term storage (for retention, backup, or compliance). Archived data may still be readable without any key unless it is also encrypted. - B. Compressing: Reduces file size by encoding data more efficiently. Compressed files are still readable by anyone who can decompress them; no cryptographic key is inherently required. - C. Deduplicating: Eliminates duplicate data blocks to save storage. It changes how data is stored, not who can read it. Exam tip: if a question mentions “key,” “ciphertext,” “decrypt,” or “only authorized viewers can read,” it’s pointing to encryption.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
You can create custom roles in Azure Active Directory (Azure AD).
Yes. You can create custom roles in Azure Active Directory (Microsoft Entra ID). These are commonly referred to as custom directory roles. They allow you to define a role with a specific set of permissions (directory-level permissions) rather than relying only on built-in roles like User Administrator or Security Administrator. This supports least privilege by granting only the exact permissions required for a job function. Why “No” is incorrect: Entra ID is not limited to only built-in roles. While many organizations start with built-in roles, custom roles are available to meet more granular administrative needs. Note the common exam trap: don’t confuse Entra ID custom directory roles with Azure RBAC custom roles. Both exist, but they apply to different scopes (directory vs Azure resources). The statement is still true because it explicitly says “in Azure AD.”
Global administrator is a role in Azure Active Directory (Azure AD).
Yes. Global administrator is a role in Azure Active Directory (Microsoft Entra ID). It is the highest-privileged directory role and has broad permissions across the tenant, including managing users, groups, app registrations, and many tenant-wide settings. Because of its power, best practice is to minimize the number of Global administrators, use dedicated admin accounts, and protect them with strong authentication (MFA) and privileged access controls. Why “No” is incorrect: Global administrator is one of the most fundamental built-in Entra ID roles and is frequently referenced in Microsoft identity documentation and exam objectives. Another common confusion is with Azure subscription roles (Owner/Contributor), but Global administrator is specifically a directory role, not an Azure resource RBAC role.
An Azure Active Directory (Azure AD) user can be assigned only one role.
No. An Azure AD (Microsoft Entra ID) user can be assigned multiple roles. Role assignments are not limited to a single role per user. For example, a user could be both a User Administrator and an Application Administrator, or hold additional roles for security and compliance operations. This flexibility supports real-world operational needs but must be governed carefully to avoid excessive privilege. Why “Yes” is incorrect: Entra ID role-based access is designed to be additive. Limiting users to only one role would be impractical and would force organizations into overly broad roles. From a security best-practice perspective, you should still follow least privilege and separation of duties, but the platform capability absolutely allows multiple role assignments (directly or via group-based role assignment where supported).
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Azure Active Directory (Azure AD) is deployed to an on-premises environment.
No. Azure Active Directory (Azure AD), now Microsoft Entra ID, is a cloud-based directory and identity service hosted and operated by Microsoft. You do not deploy Azure AD into an on-premises environment the way you deploy Windows Server Active Directory Domain Services (AD DS) on domain controllers. What you can deploy on-premises are components that integrate with Azure AD, such as Microsoft Entra Connect (formerly Azure AD Connect) to synchronize identities from on-prem AD DS to Azure AD, Pass-through Authentication agents, or Active Directory Federation Services (AD FS) for federation. These enable a hybrid identity model, but Azure AD itself remains a cloud service. Why “Yes” is wrong: it confuses Azure AD with AD DS. AD DS is installed and managed on-premises; Azure AD is consumed as a service (SaaS) from Microsoft’s cloud.
Azure Active Directory (Azure AD) is provided as part of a Microsoft 365 subscription.
Yes. Azure AD (Microsoft Entra ID) is provided as part of a Microsoft 365 subscription because Microsoft 365 relies on Azure AD for tenant identity, authentication, and access control. When an organization signs up for Microsoft 365, a tenant is created and backed by an Azure AD directory. Important nuance for the exam: while Azure AD is included, the included capabilities depend on licensing. Microsoft 365 includes the base Azure AD features (often referred to as Entra ID Free). More advanced identity and access features—such as Conditional Access, Identity Protection, and Privileged Identity Management—require Microsoft Entra ID P1/P2 or suites that include them (for example, Microsoft 365 E3/E5 include different security/identity entitlements). Why “No” is wrong: it would imply Microsoft 365 operates without Azure AD, which is not the case; Azure AD is foundational to Microsoft 365 sign-in and authorization.
Azure Active Directory (Azure AD) is an identity and access management service.
Yes. Azure Active Directory (Microsoft Entra ID) is an identity and access management (IAM) service. Its primary purpose is to manage identities (users, groups, service principals) and control access to resources through authentication (verifying who you are) and authorization (what you can do). In practice, Azure AD provides capabilities such as Single Sign-On (SSO) to Microsoft 365, Azure, and third-party SaaS apps; Multi-Factor Authentication (MFA); Conditional Access policies; application registrations and OAuth/OpenID Connect/SAML-based sign-in; and device identity integration. These are core IAM functions. Why “No” is wrong: it would misclassify Azure AD as something like a network security tool or a purely on-prem directory. While it can integrate with on-prem AD DS, Azure AD’s core role is cloud IAM, aligning with best practices like least privilege and strong authentication.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
With Windows Hello for Business, a user’s biometric data used for authentication ______
Correct answer: B. With Windows Hello for Business, a user’s biometric data (the biometric template) is stored on the local device only. The biometric is used as a local gesture to unlock a cryptographic key (typically protected by the TPM). Azure AD/Entra ID does not receive or store the biometric template; it only has the associated public key information needed to validate authentication. Why the others are wrong: A is incorrect because WHfB does not store biometric data on an external device as the standard model; the template is kept on the device where enrollment occurred. C is incorrect because Azure AD does not store biometric templates; storing biometrics centrally would increase privacy and breach risk. D is incorrect because biometric templates are not replicated across a user’s devices. Each device has its own local biometric enrollment and its own key material registration.
¿Quieres practicar todas las preguntas en cualquier lugar?
Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.
What is the purpose of Azure Active Directory (Azure AD) Password Protection?
Incorrect. Controlling how often users must change passwords relates to password expiration/age policies (for example, legacy password policy settings or domain password policies in AD DS). Entra ID Password Protection does not set rotation frequency; it evaluates password strength against banned lists when a password is created or changed. Modern best practices also emphasize strong passwords and MFA over frequent forced changes.
Incorrect. Identifying devices that can sign in without MFA is handled through Conditional Access policies, device compliance (Intune), and concepts like trusted locations or authentication strengths. Password Protection does not evaluate device trust or MFA requirements; it only checks the password string during password set/change operations to block weak or banned passwords.
Incorrect. Encrypting or hashing passwords is part of credential storage and authentication mechanisms (e.g., salted hashes, secure protocols), not the goal of Password Protection. Entra ID Password Protection focuses on preventing weak passwords from being chosen in the first place. It does not provide a user-facing feature to “encrypt a password” using recognized standards.
Correct. Entra ID Password Protection prevents users from using weak passwords by blocking passwords that contain banned terms from Microsoft’s global list and the organization’s custom list. This includes common words and predictable patterns, and it uses normalization/fuzzy matching to catch variations. The purpose is to reduce password spray and brute-force success by eliminating easily guessable passwords.
Core concept: Azure Active Directory (now Microsoft Entra ID) Password Protection is a capability that reduces password-based attacks by blocking weak and commonly used passwords. It does this by checking new or changed passwords against a global banned-password list maintained by Microsoft and (optionally) a custom banned-password list defined by the organization. Why the answer is correct: The primary purpose is to prevent users from choosing passwords that contain specific banned terms (for example, “Password123”, “Contoso2026!”, seasonal terms, or company/product names). This directly maps to option D: preventing users from using specific words in their passwords. The feature is designed to mitigate password spray and credential stuffing success rates by eliminating predictable passwords. Key features, configuration, and best practices: - Global banned password list: Microsoft-curated list of known weak passwords and variants. - Custom banned password list: Add organization-specific terms (company name, brands, locations, internal project names). The system also performs fuzzy matching/normalization to catch common substitutions (e.g., “P@ssw0rd”). - Smart lockout integration: While separate, it complements Password Protection by slowing brute-force attempts. - Hybrid support: You can extend the same banned-password policy to on-premises Active Directory Domain Services by deploying the Azure AD Password Protection proxy service and DC agent. - Well-Architected alignment: Under the Security pillar, this is a preventive control that reduces identity attack surface. Combine it with MFA, Conditional Access, and user education for defense-in-depth. Common misconceptions: Many learners confuse Password Protection with password expiration/rotation policies (how often users must change passwords) or with encryption/hashing of stored passwords. Password Protection is about password quality at creation/change time, not about how passwords are stored or how frequently they must be changed. Another confusion is thinking it designates “trusted devices” to bypass MFA; that is Conditional Access and device compliance, not Password Protection. Exam tips: If you see “banned passwords,” “weak passwords,” “custom banned list,” or “prevent common passwords,” think Entra ID Password Protection. If the question mentions MFA prompts, trusted locations/devices, or sign-in risk, think Conditional Access/Identity Protection. If it mentions password expiration, think password policy settings (and note modern guidance often discourages forced periodic changes unless there’s evidence of compromise).
Which Azure Active Directory (Azure AD) feature can you use to evaluate group membership and automatically remove users that no longer require membership in a group?
Access reviews (Microsoft Entra ID Identity Governance) are used to periodically evaluate whether users should retain access to groups, apps, or roles. They support recurring schedules, reviewer assignment (owners, selected reviewers, or self), and automated enforcement such as auto-applying results to remove users who are denied or who don’t respond. This is the feature that can automatically remove users who no longer need group membership.
Managed identities provide an automatically managed identity for Azure resources (workloads) to authenticate to other services like Key Vault or Storage without storing credentials. They are not used for human access governance, group membership evaluation, or removing users from groups. This option targets application/service authentication scenarios, not access reviews or entitlement management.
Conditional Access policies enforce access controls at sign-in time based on signals like user/group, device compliance, location, risk, and application. They can require MFA, block access, or require compliant devices, but they do not evaluate ongoing group membership or automatically remove users from a group. Conditional Access is about real-time access decisions, not membership governance.
Azure AD Identity Protection (Microsoft Entra ID Protection) detects and remediates identity-related risks such as risky users and risky sign-ins. It can trigger actions like requiring password reset or MFA based on risk, but it does not perform periodic access attestation for group membership or automatically remove users from groups based on review outcomes. It’s risk management, not entitlement governance.
Core concept: This question tests Microsoft Entra ID (Azure AD) governance capabilities for controlling and periodically validating access. The feature is part of Identity Governance and is designed to ensure users keep only the access they still need (least privilege), aligning with Azure Well-Architected Framework security principles. Why the answer is correct: Access reviews let you evaluate whether users (or guests) should continue to have access to resources such as Microsoft 365 groups, security groups, application roles, and privileged role assignments. Critically, access reviews can be configured with automated actions so that if a user is not approved (or does not respond) by the end of the review, their access can be removed automatically. This directly matches “evaluate group membership and automatically remove users that no longer require membership.” Key features and best practices: Access reviews can be scheduled (one-time or recurring), scoped to specific groups, apps, or roles, and assigned to reviewers (group owners, selected reviewers, or self-review). You can require justification, track audit history, and configure “auto-apply results” to remove access for denied/expired users. For external collaboration, access reviews are commonly used to periodically validate guest user access to groups/teams. In practice, organizations pair access reviews with lifecycle processes (joiner/mover/leaver) to reduce standing access and improve compliance. Common misconceptions: Conditional Access is often confused with governance because it controls access decisions, but it does not manage group membership or remove users from groups. Identity Protection focuses on risk detection and remediation (e.g., risky sign-ins), not entitlement cleanup. Managed identities are for service-to-service authentication and have nothing to do with human group membership. Exam tips: When you see keywords like “review,” “attest,” “periodically validate,” “remove access automatically,” or “governance,” think Access reviews (Identity Governance). When you see “block/allow based on conditions,” think Conditional Access. When you see “risk-based,” think Identity Protection. When you see “workload identity for Azure resources,” think Managed identities.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ requires additional verification, such as a verification code sent to a mobile phone.
Correct: A. Multi-factor authentication (MFA). MFA requires additional verification beyond a username and password. The prompt’s example—“a verification code sent to a mobile phone”—is a classic second factor (something you have). In Microsoft Entra ID, MFA can be satisfied via SMS codes, voice calls, authenticator app codes, push notifications, or FIDO2/security keys depending on configuration. The goal is to mitigate risks such as password spray, phishing, and credential stuffing by ensuring that a stolen password alone is insufficient. Why the others are wrong: B. Pass-through authentication (PTA) is a hybrid authentication method where the user’s password is validated against on-premises Active Directory via an agent. It doesn’t inherently add a second verification step. C. Password writeback is a Microsoft Entra ID feature (commonly with SSPR) that writes password changes from the cloud back to on-premises AD; it’s not an “additional verification” mechanism. D. Single sign-on (SSO) reduces the number of sign-in prompts by reusing an existing session/token; it is the opposite of requiring extra verification.
HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Conditional access policies can use the device state as a signal.
Yes. Conditional Access policies can use device state as a signal. In Microsoft Entra, device-related conditions include device platform (iOS, Android, Windows, macOS), and—more importantly for “state”—whether the device is marked compliant by Microsoft Intune (device compliance) and/or whether it is Hybrid Azure AD joined / Microsoft Entra joined. Conditional Access can also use device filters (filter for devices) to include/exclude devices based on device attributes. These device signals allow policies such as “Require a compliant device” or “Allow access only from Hybrid Azure AD joined devices.” This is a common Zero Trust pattern: verify device health/state before granting access to sensitive apps. “No” would be incorrect because device context is one of the core Conditional Access inputs (signals) used to make access decisions.
Conditional access policies apply before first-factor authentication is complete.
No. Conditional Access policies do not apply before first-factor authentication is complete. Conditional Access evaluation requires that Entra ID can identify the user and understand the sign-in context (who is signing in, what app/resource is being accessed, and other conditions). That identification happens after the user submits primary credentials (the first factor). After the first factor, Conditional Access is evaluated and can then enforce additional requirements (controls), such as prompting for MFA, requiring a compliant device, or blocking access. In other words, CA is not a pre-authentication gate that runs before the user is known; it is part of the sign-in process that can require extra steps after initial authentication. Answering “Yes” would confuse Conditional Access with network-layer pre-auth controls (like some VPN/NAC scenarios). In Entra, CA is an identity-driven policy evaluated during sign-in, not before first-factor completion.
Conditional access policies can trigger multi-factor authentication (MFA) if a user attempts to access a specific application.
Yes. Conditional Access can trigger MFA when a user attempts to access a specific application. One of the most common Conditional Access configurations is: Assign the policy to specific users/groups, target one or more cloud apps (for example, Exchange Online, SharePoint Online, Azure Management, or a specific enterprise application), and then set the grant control to “Require multi-factor authentication.” This enables app-specific step-up authentication: users might sign in with only a password for low-risk apps, but when they access a sensitive application, Conditional Access requires MFA before granting access (issuing the token). Answering “No” would be incorrect because “Require MFA” is a built-in grant control in Conditional Access, and scoping policies to specific cloud apps is a core capability used to protect high-value resources.
HOTSPOT - Select the answer that correctly completes the sentence. Hot Area:
______ is a cloud-based solution that leverages on-premises Active Directory signals to identify, detect, and investigate advanced threats.
Correct answer: C. Microsoft Defender for Identity. Microsoft Defender for Identity is a cloud-based security solution designed specifically to use signals from on-premises Active Directory (AD) to identify, detect, and help investigate advanced threats, compromised identities, and malicious insider actions. It typically collects telemetry from domain controllers (via Defender for Identity sensors) and analyzes AD-related activities to surface suspicious behaviors and attack patterns. Why the others are wrong: - A. Microsoft Defender for Cloud Apps focuses on SaaS application discovery, shadow IT, app governance, and controlling/monitoring cloud app usage (CASB capabilities). It is not primarily about on-prem AD signals. - B. Microsoft Defender for Endpoint focuses on endpoint devices (Windows, macOS, Linux, mobile) for EDR, vulnerability management, and attack surface reduction—not AD domain controller telemetry. - D. Microsoft Defender for Office 365 protects email and collaboration (Exchange, SharePoint, OneDrive, Teams) against phishing, malware, and business email compromise, not on-prem AD signal-based identity threat detection.
Descarga Cloud Pass y accede a todas las preguntas de práctica de Microsoft SC-900 gratis.
¿Quieres practicar todas las preguntas en cualquier lugar?
Obtén la app gratis
Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.
