Security, Compliance & Identity Concepts
Domain 1 — 25-30% of Exam
Question 01
Which security model assumes that every request — whether inside or outside the network — must be verified before granting access?
A. Perimeter-based security
B. Zero Trust ✅
C. Defense in depth
D. Shared responsibility model
💡 Explanation: Zero Trust operates on the principle “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted — regardless of whether it originates inside or outside the corporate network. The three guiding principles are: verify explicitly, use least privilege access, and assume breach. This is the #1 most tested concept on SC-900.
Question 02
Which concept describes using multiple layers of security controls so that if one layer fails, another layer continues to provide protection?
A. Zero Trust
B. Least privilege
C. Defense in depth ✅
D. Encryption at rest
💡 Explanation: Defense in depth uses a layered approach to security. The layers typically include: physical security, identity & access, perimeter (firewalls), network (segmentation), compute (patching), application (code security), and data (encryption). If an attacker breaches one layer, the next layer provides protection. Think of it like a castle with multiple walls, moats, and gates.
Question 03
In the shared responsibility model for cloud services, which security task is ALWAYS the customer’s responsibility regardless of the cloud deployment model (IaaS, PaaS, or SaaS)?
A. Operating system patching
B. Physical host security
C. Data and user account/identity management ✅
D. Network controls
💡 Explanation: Regardless of whether you use IaaS, PaaS, or SaaS — your data, accounts, and identities are ALWAYS your responsibility. The customer always controls who accesses what and what data is stored. OS patching is customer-owned in IaaS but Microsoft-owned in SaaS/PaaS. Physical security is always the cloud provider’s job. This is a critical SC-900 concept.
Question 04
Which type of encryption protects data while it is being transmitted over a network?
A. Encryption at rest
B. Encryption in transit ✅
C. Hashing
D. Tokenization
💡 Explanation: Encryption in transit protects data as it moves across a network using protocols like TLS/SSL and HTTPS. Encryption at rest protects stored data (on disk, in databases). Hashing creates a fixed-size fingerprint of data (used for integrity verification, not reversible). Tokenization replaces sensitive data with non-sensitive tokens. Know the difference for the SC-900 exam.
Microsoft Entra ID & Identity
Domain 2 — 25-30% of Exam
Question 05
What is Microsoft Entra ID (formerly Azure Active Directory)?
A. A firewall service for Azure virtual networks
B. A cloud-based identity and access management service ✅
C. A database encryption service
D. A backup and disaster recovery tool
💡 Explanation: Microsoft Entra ID (renamed from Azure AD in 2023) is Microsoft’s cloud-based identity and access management (IAM) service. It handles authentication, single sign-on (SSO), multi-factor authentication (MFA), conditional access policies, and identity governance. It is the backbone of Microsoft 365, Azure, and thousands of SaaS applications. This is the most heavily tested topic on SC-900.
Question 06
A company wants to require users to complete MFA only when they sign in from an untrusted location or an unmanaged device. Which Microsoft Entra ID feature enables this?
A. Password protection
B. Conditional Access ✅
C. Privileged Identity Management
D. Azure Key Vault
💡 Explanation: Conditional Access policies are “if-then” rules in Microsoft Entra ID. They evaluate signals like user location, device state, application, and risk level to determine access decisions — such as grant access, require MFA, or block access. Example: IF user is off-network AND device is unmanaged, THEN require MFA. This is the foundation of Zero Trust in Microsoft’s ecosystem.
Question 07
Which authentication method allows users to sign in to multiple applications with a single set of credentials?
A. Multi-Factor Authentication
B. Single Sign-On (SSO) ✅
C. Passwordless authentication
D. Role-Based Access Control
💡 Explanation: Single Sign-On (SSO) lets users authenticate once and access multiple applications without re-entering credentials. Microsoft Entra ID provides SSO for thousands of SaaS apps (Salesforce, ServiceNow, etc.) plus Microsoft 365. MFA adds extra verification layers, passwordless eliminates passwords entirely (using biometrics/FIDO2), and RBAC controls what users can do after authentication.
Question 08
A company wants to collaborate with an external partner organization by granting their employees access to specific internal applications. Which Microsoft Entra feature should be used?
A. Conditional Access
B. External Identities (B2B collaboration) ✅
C. Privileged Identity Management
D. Microsoft Defender for Identity
💡 Explanation: Microsoft Entra External Identities (B2B collaboration) allows you to invite guest users from partner organizations to access your apps and resources. External users authenticate with their own organization’s credentials. B2C (Business-to-Customer) is for consumer-facing apps. PIM manages privileged role activation, and Defender for Identity monitors on-premises AD for identity threats.
Microsoft Security Solutions
Domain 3 — 25-30% of Exam
Question 09
Which Microsoft service is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution?
A. Microsoft Defender for Cloud
B. Microsoft Sentinel ✅
C. Microsoft Defender for Endpoint
D. Microsoft Intune
💡 Explanation: Microsoft Sentinel is a cloud-native SIEM+SOAR solution. It collects security data across your entire organization, detects threats using AI and analytics, investigates incidents, and automates responses with playbooks. Defender for Cloud provides cloud security posture management (CSPM), Defender for Endpoint protects devices, and Intune manages mobile devices and apps.
Question 10
Which Microsoft service provides a unified security posture management view and threat protection for multi-cloud and hybrid environments including Azure, AWS, and Google Cloud?
A. Microsoft Defender for Cloud ✅
B. Microsoft Sentinel
C. Microsoft Entra ID
D. Azure Firewall
💡 Explanation: Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across Azure, AWS, and Google Cloud. It gives a unified Secure Score, identifies misconfigurations, recommends fixes, and protects workloads like VMs, databases, and containers. Sentinel is SIEM/SOAR, Entra ID is identity, and Azure Firewall is network protection.
Question 11
What does the Microsoft Secure Score represent?
A. The total cost of Microsoft security licenses
B. The number of security incidents in the last 30 days
C. A numerical measure of an organization’s security posture ✅
D. The encryption strength of stored data
💡 Explanation: Microsoft Secure Score is a numerical representation (percentage) of your organization’s security posture. It analyzes your Microsoft 365, Entra ID, and Defender configurations and provides actionable recommendations to improve your score. A higher score means better security. It’s found in the Microsoft Defender portal and is a key exam topic for understanding security assessment.
Microsoft Compliance Solutions
Domain 4 — 25-30% of Exam
Question 12
Which Microsoft service provides a centralized portal to manage data governance, data cataloging, and data classification across on-premises, multi-cloud, and SaaS environments?
A. Microsoft Purview ✅
B. Microsoft Sentinel
C. Microsoft Defender for Cloud
D. Azure Policy
💡 Explanation: Microsoft Purview (formerly Azure Purview + Microsoft Compliance) is a unified data governance and compliance platform. It provides data cataloging, classification, sensitivity labeling, data loss prevention (DLP), information protection, insider risk management, eDiscovery, and compliance management. It covers on-premises, Azure, AWS, GCP, and SaaS data sources.
Question 13
A company needs to prevent employees from accidentally sharing sensitive data such as credit card numbers via email or Teams. Which Microsoft Purview feature should they implement?
A. Sensitivity labels
B. Data Loss Prevention (DLP) ✅
C. Retention policies
D. eDiscovery
💡 Explanation: Data Loss Prevention (DLP) policies in Microsoft Purview detect and prevent the accidental sharing of sensitive information like credit card numbers, social security numbers, and health records. DLP works across Exchange, SharePoint, OneDrive, Teams, and endpoints. Sensitivity labels classify and protect documents, retention policies manage data lifecycle, and eDiscovery finds data for legal cases.
Question 14
Which Microsoft tool provides pre-built assessment templates to help organizations evaluate their compliance posture against regulations like GDPR, HIPAA, and ISO 27001?
A. Azure Policy
B. Microsoft Purview Compliance Manager ✅
C. Microsoft Secure Score
D. Service Trust Portal
💡 Explanation: Compliance Manager provides a compliance score and pre-built assessment templates for 360+ regulations including GDPR, HIPAA, ISO 27001, NIST, and SOC 2. It maps Microsoft-managed controls and customer-managed controls, providing improvement actions to increase your compliance score. Azure Policy enforces resource rules, Secure Score measures security posture, and Service Trust Portal provides audit reports and compliance documents.
Question 15
Which Microsoft Purview feature detects and helps mitigate potential security risks from malicious or unintentional activities by employees within an organization?
A. Data Loss Prevention
B. eDiscovery
C. Insider Risk Management ✅
D. Information barriers
💡 Explanation: Insider Risk Management in Microsoft Purview uses signals from Microsoft 365 and other sources to identify risky user activities like data theft, data leaks, and security policy violations by employees. It correlates activities across email, files, Teams, and endpoints while maintaining user privacy through pseudonymization. DLP prevents data sharing, eDiscovery finds legal content, and information barriers block communication between groups.
Question 16
Where can organizations access Microsoft’s third-party audit reports, compliance guides, and security assessment documentation?
A. Microsoft Defender portal
B. Azure Portal
C. Microsoft Service Trust Portal ✅
D. Microsoft Purview portal
💡 Explanation: The Microsoft Service Trust Portal (STP) at servicetrust.microsoft.com provides access to third-party audit reports (SOC, ISO), compliance guides, penetration test results, and Microsoft’s privacy documentation. It’s a self-service portal that helps organizations understand how Microsoft cloud services protect their data. It’s different from Compliance Manager (which tracks YOUR compliance) or the Defender portal (which monitors threats).
How hard is the Microsoft SC-900 exam? SC-900 is one of the easiest Microsoft certifications. It is a fundamentals-level exam with approximately 40-60 questions and a 45-minute time limit. The passing score is 700 out of 1000. Most candidates can prepare in 1-2 weeks of dedicated study. It tests conceptual knowledge — no hands-on labs or coding required.
Is SC-900 good for beginners? Yes — SC-900 is designed for beginners and non-technical professionals. No prerequisites are required. It’s ideal for business stakeholders, managers, students, and IT professionals who want to understand Microsoft’s security, compliance, and identity landscape. It provides a foundation for advanced security certifications like SC-200, SC-300, and SC-400.
How much does the SC-900 exam cost? The SC-900 exam costs $99 USD. However, Microsoft frequently offers free certification exam vouchers through Microsoft Virtual Training Days — a free, instructor-led online event. After attending the SC-900 training day, you receive a free exam voucher. Check the Microsoft Events page for upcoming sessions.
Does the SC-900 certification expire? No — Microsoft fundamentals certifications (including SC-900, AZ-900, AI-900, and DP-900) do not expire. Once you pass, the certification is valid for life. However, role-based and specialty certifications do require annual renewal. This makes SC-900 a risk-free investment in your career.