SC-900

Question 1

What is the shared responsibility model?

Answer 1

identifies which security tasks are handled by the cloud provider and which are are handled by the customer

Question 2

True or False: For all cloud deployment types, you, the cloud customer, own your data and identities

Answer 2

True

Question 3

What are the typical layers for defense in depth?

Answer 3

Physical, Identity and Access, Perimeter, Network, Compute, Applications, Data

Question 4

What is CIA?

Answer 4

Confidentiality, Integrity, and Availability

Question 5

Explain the C in CIA

Answer 5

confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data.

Question 6

Explain the I in CIA

Answer 6

Integrity refers to keeping data or messages correct.

Question 7

Explain the A in CIA

Answer 7

Availability refers to making data available to those who need it, when they need it.

Question 8

What are the Zero Trust Model’s guiding principles?

Answer 8

Verify Explicitly, Use Rule of Least Privilege, Assume Breach

Question 9

What are the six pillars of Zero Trust Model?

Answer 9

Identities, Devices, Applications, Data, Infrastructure, Networks

Question 10

What is the pithy Zero Trust saying?

Answer 10

Trust no one, verify everything

Question 11

What is encryption?

Answer 11

The process of making data unreadable and usable to unauthorized viewers

Question 12

What decrypts encrypted data?

Answer 12

a key

Question 13

What is symmetric encryption?

Answer 13

uses the same key to encrypt and decrypt the data

Question 14

What is asymmetric encryption?

Answer 14

uses a public key and private key pair

Question 15

What is hashing?

Answer 15

uses an algorithm to convert text to a unique fixed length value called a hash

Question 16

When using a hash, will it produce the same hash value every time identical text is put into it?

Answer 16

Yes

Question 17

What does it mean to salt a hash?

Answer 17

Adding a fixed length random value to the input of the has functions

Question 18

What is Governance?

Answer 18

A system of rules, practices, and processes an organization uses to direct and control its activities.

Question 19

What is Risk Management?

Answer 19

the process of identifying, assessing, and responding, to threats or events that can impact company or customer objectives

Question 20

What is Compliance?

Answer 20

refers to the country/region, state, or federal laws or even multi-national regulations that an organization must follow

Question 21

An organization has deployed Microsoft 365 applications to all employees. Considering the shared responsibility model, who is responsible for the accounts and identities relating to these employees?

Answer 21

The organization

Question 22

Describe data sovereignty

Answer 22

Data, particularly personal data, is subject to the laws and regulations of the country/region in which it’s physically collected, held, or processed

Question 23

What is Authentication?

Answer 23

the process of proving a person is who they say they are

Question 24

What is Authorization?

Answer 24

the process of deciding what access an authorized individual has

Question 25

What is an Identity?

Answer 25

the set of things that define or characterize someone/something

Question 26

What are the 4 pillars of an identity infrastructure?

Answer 26

Administration, Authentication, Authorization, and Auditing

Question 27

What does an identity provider do?

Answer 27

creates, maintains, and manages identity information while offering authentication, authorization, and auditing services

Question 28

What is a directory?

Answer 28

a hierarchical structure that stores information about objects on the network

Question 29

What is the Windows on-prem directory service?

Answer 29

Active Directory

Question 30

Does Azure Directory Domain Services support modern authentication?

Answer 30

No

Question 31

What provides Identity as a Service solutions for all an organization’s apps across the cloud and on-prem?

Answer 31

Microsoft Entra ID

Question 32

What is Federation?

Answer 32

enables access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity provider

Question 33

What service means there’s no need for a user to maintain a different username and password when accessing resources in other domains?

Answer 33

Federation

Question 34

Which relationship allows federated services to access resources?

Answer 34

Trust relationships

Question 35

What is Microsoft Entra ID?

Answer 35

Microsoft’s cloud based identity and access management service

Question 36

What is Entra ID’s identity secure score?

Answer 36

a percentage for how aligned you are with Microsoft’s best practices

Question 37

What is an Entra tenant?

Answer 37

an instance of Microsoft Entra ID

Question 38

What is an Entra directory?

Answer 38

a logical container within a Microsoft Entra tenant that holds and organizes the various resources and objects related to identity and access management including users, groups, applications, devices, and other directory objects.

Question 39

What is a multi-tenant organization?

Answer 39

An organization that has more than one Entra tenant

Question 40

What are the three categories of things you can assign Microsoft Entra ID’s to?

Answer 40

Humans, physical devices, software applications

Question 41

What are the two types of managed identities?

Answer 41

system assigned and user assigned

Question 42

What are the two kinds of groups?

Answer 42

Security groups and 365 groups

Question 43

What is a security group created for?

Answer 43

manage user and device access to shared resources

Question 44

What is a 365 group for?

Answer 44

grouping users according to collaboration needs

Question 45

What is Entra Cloud Sync?

Answer 45

designed to meet and accomplish your hybrid identity goals for provisioning and synchronization of users, groups, and contacts

Question 46

What can you do with B2B direct connect?

Answer 46

you create two-way trust relationships with other Microsoft Entra organizations to allow users to seamlessly sign in to your shared resources and vice versa.

Question 47

An organization has completed a full migration to the cloud and has purchased devices for all its employees. All employees sign in to the device through an organizational account configured in Microsoft Entra ID. Select the option that best describes how these devices are set up in Microsoft Entra ID?

Answer 47

These devices are set up as Microsoft Entra joined

Question 48

A developer wants an application to connect to Azure resources that support Microsoft Entra authentication, without having to manage any credentials and without incurring any extra cost. What best describes the identity type of the application?

Answer 48

Managed Identity

Question 49

What two phone verification options does Microsoft Entra support?

Answer 49

SMS and Voice call

Question 50

What is OAUTH?

Answer 50

Open Authentication is an open standard that specifies how time-based, one-time password (TOTP) codes are generated. One-time password codes can be used to authenticate a user.

Question 51

What does Windows Hello do?

Answer 51

Replaces passwords with strong two factor authentication on devices

Question 52

What is FIDO?

Answer 52

Fast Identity Online allows users and organizations to leverage the standard to sign in to their resources using an external security key or a platform key built into a device, eliminating the need for a username and password.

Question 53

What is CBA?

Answer 53

Certificate based authentication enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra identity, for applications and browser sign-in.

Question 54

What is SSPR?

Answer 54

Self-service password reset is a way for users to reset their password without an admin

Question 55

What is the feature of Entra ID that limits users ability to set weak passwords?

Answer 55

Password protection

Question 56

True or False: A global banned password list with known weak passwords is automatically updated and enforced by Microsoft.

Answer 56

True

Question 57

True or False: Admins can also create custom banned password lists to support specific business security needs.

Answer 57

True

Question 58

What is conditional access?

Answer 58

a feature of Microsoft Entra ID that provides an extra layer of security before allowing authenticated users access to resources

Question 59

What is conditional access picking up to make a decision?

Answer 59

signals like user, location, device, application,

Question 60

What is managing access using roles known as?

Answer 60

RBAC – role based access control

Question 61

An organization plans to implement Conditional Access. What do admins need to do?

Answer 61

Create policies that enforce organizational rules.

Question 62

Sign-in risk is a signal used by Conditional Access policies to decide whether to grant or deny access. What is sign-in risk?

Answer 62

The probability that the authentication request isn’t authorized by the identity owner.

Question 63

What gives organizations the ability to do the following tasks:

Govern the identity lifecycle.
Govern access lifecycle.
Secure privileged access for administration.

Answer 63

ID governance

Question 64

What are access reviews?

Answer 64

enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment.

Question 65

What is entitlement management?

Answer 65

an identity governance feature that enables organizations to manage the identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expiration.

Question 66

What is privileged identity management?

Answer 66

a service of Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization.

Question 67

What is Entra Identity protection?

Answer 67

a tool that allows organizations to accomplish three key tasks:

Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.

Question 68

True or False: risk can be detected at the user and sign-in level, can be categorized as low, medium, or high, and may be calculated in real-time or offline with identity protection

Answer 68

True

Question 69

What are the three reports identity protection can provide?

Answer 69

risk detection, risk sign-ins, risky-users

Question 70

What is Entra permissions management?

Answer 70

a cloud infrastructure entitlement management (CIEM) product that provides comprehensive visibility and control over permissions for any identity and any resource in Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Question 71

What is Entra Verified ID?

Answer 71

a managed verifiable credentials service based on open standards. Verified ID automates verification of identity credentials and enables privacy-protected interactions between organizations and users.

Question 72

Your organization has implemented important changes in their customer facing web-based applications. You want to ensure that any user who wishes to access these applications agrees to the legal disclaimers. Which Microsoft Entra feature should you implement?

Answer 72

Entra Terms of Use

Question 73

An organization is project-oriented with employees often working on more than one project at a time. Which solution is best suited to managing user access to this organization’s resources?

Answer 73

Entitlement management.

Question 74

An organization has recently conducted a security audit and found that four people who have left were still active and assigned global admin roles. The users have now been deleted but the IT organization has been asked to recommend a solution to prevent a similar security lapse happening in future. Which solution should they recommend?

Answer 74

Privileged Identity Management.

Question 75

Your IT organization recently discovered that several user accounts in the finance department have been compromised. The CTO has asked for a solution to reduce the impact of compromised user accounts. The IT admin team is looking into Microsoft Entra features. Which one should they recommend?

Answer 75

Identity Protection.

Question 76

Your IT organization is looking for a solution that provides comprehensive visibility and control over permissions for any identity and any resource in their multi-vendor cloud environment. Which Microsoft solution is best suited to address these needs?

Answer 76

Permissions Management.

Question 77

At what layers does Azure DDoS offer protection?

Answer 77

Layer 3 (network) and Layer 4 (application)

Question 78

What is Azure firewall?

Answer 78

a managed, cloud-based network security service that provides threat protection for your cloud workloads and resources running in Azure.

Question 79

What is WAF?

Answer 79

Web application firewall provides centralized protection of your web applications from common exploits and vulnerabilities.

Question 80

What is Azure Virtual Network?

Answer 80

the fundamental building block for your organization’s private network in Azure.

Question 81

What is a virtual network?

Answer 81

A virtual network is similar to a traditional network that you’d operate in your own data center, but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

Question 82

What is a network security group?

Answer 82

lets you filter network traffic to and from Azure resources in an Azure virtual network

Question 83

Does Azure Firewall or NSG provide security within virtual networks?

Answer 83

NSG’s

Question 84

What is Azure Bastion?

Answer 84

a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal.

Question 85

What is Azure Key Vault?

Answer 85

a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

Question 86

How can application developers benefit from using Azure Key Vault?

Answer 86

To securely store and retrieve application secrets

Question 87

True or False: Azure Bastion cannot be deployed per virtual network, with support for virtual network peering.

Answer 87

False

Question 88

The security admin wants to protect Azure resources from DDoS attacks and needs logging, alerting, and telemetry capabilities. which Azure service can provide these capabilities?

Answer 88

DDoS network protections

Question 89

What is Microsoft Defender for Cloud?

Answer 89

a cloud-native application protection platform (CNAPP) with a set of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities

Question 90

What is an Azure policy definition?

Answer 90

A rule about specific security conditions that you want controlled.

Question 91

What is a security initative?

Answer 91

a collection of Azure Policy definitions, or rules, grouped together towards a specific goal or purpose.

Question 92

Can security admins build custom security initatives?

Answer 92

Yes

Question 93

What is the microsoft cloud security benchmark?

Answer 93

a Microsoft-authored set of guidelines for security and compliance that provides best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multicloud environment.

Question 94

What is CSPM?

Answer 94

Cloud security posture management provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

Question 95

What is the central feature in Microsoft Defender for Cloud that provides visibility to your current security posture?

Answer 95

secure score

Question 96

What is Defender for DevOps?

Answer 96

empowers security teams to manage DevOps security across multi-pipeline environments.

Question 97

What are the three pillars of Microsoft Defender for Cloud?

Answer 97

CSPM, CWP (cloud workload protection), Cloud security benchmark

Question 98

Microsoft Defender for Cloud covers three pillars of cloud security. Which pillar provides visibility to help you understand your current security situation and provides hardening recommendations?

Answer 98

CSPM

Question 99

An organization wants to add vulnerability scanning for its Azure resources to view, investigate, and remediate the findings directly within Microsoft Defender for Cloud. What functionality of Microsoft Defender for Cloud would they need to consider?

Answer 99

The enhanced functionality that is provided through the Microsoft Defender plans and is part of the CWP pillar of Microsoft Defender for Cloud.

Question 100

Which framework does Microsoft Defender for Cloud apply as a default initiative for security and compliance and provides best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multicloud environment?

Answer 100

Microsoft Cloud security benchmark

Question 101

Which capability allows you to manage your connected DevOps environments and provides your security teams with visibility to discovered issues within those environments?

Answer 101

The Defender for DevOps console

Question 102

What is SIEM?

Answer 102

Security information and event management is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.

Question 103

What is SOAR?

Answer 103

Security Orchestration, Automation , and Response system takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.

Question 104

What is Microsoft Sentinel?

Answer 104

a scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Question 105

What is Azure Monitor Workbooks?

Answer 105

Workbooks are intended for SOC engineers and analysts of all tiers to visualize data. You’ll see a canvas for data analysis and the creation of rich visual reports within the Azure portal.

Question 106

What kind of tasks do playbooks work best with?

Answer 106

single, repeatable tasks

Question 107

What is Microsoft Security Copilot?

Answer 107

is the first and only generative AI security product to help defend organizations at machine speed and scale. It’s an AI-powered security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes.

Question 108

What are the three primary use cases of Security Colpilot?

Answer 108

Security posture management, incident response, and security reporting

Question 109

As the lead admin, it’s important to convince your team to start using Microsoft Sentinel. You’ve put together a presentation. What are the four security operation areas of Microsoft Sentinel?

Answer 109

Collect, Detect, Investigate, Respond

Question 110

Your estate has many different data sources where data is stored. Which tool should be used with Microsoft Sentinel to quickly gain insights across your data as soon as a data source is connected?

Answer 110

Azure Monitor Workbooks

Question 111

What is Microsoft XDR?

Answer 111

an enterprise defense suite that protects against sophisticated cyberattacks. With Microsoft Defender XDR, you can natively coordinate the detection, prevention, investigation, and response to threats across endpoints, identities, email, and applications.

Question 112

What is Microsoft Defender for 365?

Answer 112

a seamless integration into your Office 365 subscription that provides protection against threats, like phishing and malware that arrive in email links (URLs), attachments, or collaboration tools like SharePoint, Teams, and Outlook.

Question 113

What is Microsoft Defender for Endpoint?

Answer 113

a platform designed to help enterprise networks protect endpoints including laptops, phones, tablets, PCs, access points, routers, and firewalls.

Question 114

What is Microsoft Defender for Cloud Apps?

Answer 114

delivers full protection for SaaS applications

Question 115

What is microsoft defender for identity?

Answer 115

a cloud-based security solution that uses your on-premises Active Directory data (called signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Question 116

What is Defender Vulnerability Management?

Answer 116

delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices

Question 117

What is Microsoft Defender Threat intelligence?

Answer 117

helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows. Defender TI aggregates and enriches critical threat information in an easy-to-use interface.

Question 118

What provides proprietary reputation scores for any Host, Domain, or IP Address?

Answer 118

Defender TI

Question 119

What is the Defender portal?

Answer 119

combines protection, detection, investigation, and response to devices, identities, endpoints, email & collaboration, and cloud apps, in a central place.

Question 120

A lead admin for an organization is looking to protect against malicious threats posed by email messages, links (URLs), and collaboration tools. Which solution from the Microsoft Defender XDR suite is best suited for this purpose?

Answer 120

Microsoft Defender for office 365

Question 121

A cloud access security broker (CASB) provides protection across 4 areas/pillars: visibility to detect all cloud services, data security, threat protection, and compliance. These pillars represent the basis of the Cloud App Security framework upon which Microsoft Defender for Cloud Apps is built. Which pillar is responsible for identifying and controlling sensitive information?

Answer 121

Data security

Question 122

Which of the following is a cloud-based security solution that identifies, detects, and helps to investigate advanced threats, compromised identities, and malicious insider actions directed at your organization?

Answer 122

Microsoft Defender for Identity

Question 123

Admins in the organization are using the Microsoft Defender portal every day. They want to quickly get an understanding of the organization’s current security posture. Which capability in the Microsoft Defender portal will they use?

Answer 123

Secure score

Question 124

Your security and IT teams want to implement a solution that helps address critical vulnerabilities and misconfigurations across your organization. Which solution in the Microsoft Defender XDR suite can help address these requirements?

Answer 124

Defender Vulnerability Management

Question 125

What is the Microsoft Service Trust Portal?

Answer 125

provides a variety of content, tools, and other resources about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.

Question 126

What are Microsoft’s six principles of privacy?

Answer 126

Control, transparency, security, strong legal protection, no content based targeting, benefit the consumer

Question 127

What is Microsoft Priva?

Answer 127

helps you understand the data your organization stores by automating discovery of personal data assets and providing visualizations of essential information.

Question 128

When browsing Microsoft compliance documentation in the Service Trust Portal, you have found several documents that are specific to your industry. What is the best way of ensuring you keep up to date with the latest updates?

Answer 128

Save the documents to your My Library

Question 129

What is Microsoft Purview compliance portal?

Answer 129

brings together all of the tools and data that are needed to help understand and manage an organization’s compliance needs.

Question 130

What is Purview compliance manager?

Answer 130

a feature in the Microsoft Purview compliance portal that helps admins to manage an organization’s compliance requirements with greater ease and convenience.

Question 131

What is the compliance score?

Answer 131

measures progress in completing recommended improvement actions within controls. The score can help an organization to understand its current compliance posture. It also helps organizations to prioritize actions based on their potential to reduce risk.

Question 132

A new admin has joined the team and needs to be able to access the Microsoft Purview compliance portal. Which of the following roles could the admin use to access the compliance portal?

Answer 132

Compliance Administrator Role

Question 133

Your new colleagues on the admin team are unfamiliar with the concept of shared controls in Compliance Manager. How would the concept of shared controls be explained?

Answer 133

Controls that both your organization and Microsoft share responsibility for implementing.

Question 134

What is Microsoft Information Protection?

Answer 134

discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. It provides the tools to know your data, protect your data, and prevent data loss.

Question 135

What are trainable classifiers?

Answer 135

use artificial intelligence and machine learning to intelligently classify your data.

Question 136

What are sensitivity labels?

Answer 136

enable the labeling and protection of content, without affecting productivity and collaboration.

Question 137

How do you implement data loss prevention?

Answer 137

In microsoft purview by defining and applying DLP policies.

Question 138

What helps organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.

Answer 138

Retention policies and retention labels

Question 139

What is the Microsoft Purview governance portal?

Answer 139

provides a unified data governance service that helps you manage your on-premises, multicloud, and software-as-a-service (SaaS) data.

Question 140

Which part of the concept of know your data, protect your data, prevent data loss, and govern your data addresses the need for organizations to automatically retain, delete, store data and records in a compliant manner?

Answer 140

Govern your data

Question 141

As part of a new data loss prevention policy, the compliance admin needs to be able to identify important information such as credit card numbers, across the organization’s data. How can the admin address this requirement?

Answer 141

Use sensitive information types

Question 142

Within the organization, some emails are confidential and should be encrypted so that only authorized users can read them. How can this requirement be implemented?

Answer 142

Use sensitivity labels

Question 143

Your organization uses Microsoft Teams to collaborate on all projects. The compliance admin wants to prevent users from accidentally sharing sensitive information in a Microsoft Teams chat session. What capability can address this requirement?

Answer 143

use data loss prevention policies

Question 144

Due to a certain regulation, your organization must now keep hold of all documents in a specific SharePoint site that contains customer information for five years. How can this requirement be implemented?

Answer 144

use retention policies

Question 145

Which application in the Microsoft Purview governance portal is used to capture metadata about enterprise data, to identify and classify sensitive data?

Answer 145

Data map

Question 146

What is Purview Insider Risk Management?

Answer 146

a solution that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities.

Question 147

What is Purview Communication Compliance

Answer 147

an insider risk solution that helps you detect, capture, and act on inappropriate messages that can lead to potential data security or compliance incidents within your organization.

Question 148

To comply with corporate policies, the compliance admin needs to be able to identify and scan for offensive language across the organization. What solution can the admin implement to address this need?

Answer 148

Purview Communication Compliance

Question 149

What is eDiscovery?

Answer 149

the process of identifying and delivering electronic information that can be used as evidence in legal cases.

Question 150

A new admin has joined the compliance team and needs access to eDiscovery (Standard) to be able to add and remove members, create and edit searches, and export content from a case. To which role should the admin be assigned?

Answer 150

Add them as a member of the eDiscovery Manager role group.

Question 151

The compliance admin team needs to be able to collect and copy data into review sets and to be able filter, search, and tag content, which solution can best address their needs?

Answer 151

eDiscovery Premium

Question 152

The compliance team wants to obtain intelligent insights to help investigate possible breaches and determine the scope of compromise. Which solution can best address that need?

Answer 152

Audit Premium

Question 153

Which of the following allows you to invite guest users and provide them access to Azure resources within your organization?

Answer 153

Azure B2B

Question 154

Your company is planning on making use of Azure Active Directory Privileged Identity Management. Can Privileged Identity Management be used to provide time-bound access for Azure virtual machines?

Answer 154

No

Question 155

Which of the following is a component of the Cloud App Security Framework?

Answer 155

Control/discover the use of shadow IT

Question 156

You are considering the use of sensitivity labels in Microsoft 365. Can sensitivity labels be used to encrypt the contents in documents?

Answer 156

yes

Question 157

What is the maximum time frame for which you can retain audit logs in Microsoft 365?

Answer 157

10 years