SC 900


SC-900 Exam

Exam: SC-900
Title: Microsoft Security, Compliance, and Identity Fundamentals
Version: 7.0
Product Type: 97 Q&A with explanations



QUESTION 1
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 2
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/get-started/

QUESTION 3
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

QUESTION 4
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 5
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Federation is a collection of domains that have established trust.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

QUESTION 6
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
System updates reduce security vulnerabilities and provide a more stable environment for end users. Not
applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks.
Box 2: Yes
Box 3: Yes
If you only use a password to authenticate a user, it leaves an attack vector open. With MFA enabled, your
accounts are more secure.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/secure-score-security-controls

QUESTION 7
Which score measures an organization's progress in completing actions that help reduce risks associated with
data protection and regulatory standards?

A. Microsoft Secure Score
B. Productivity Score
C. Secure score in Azure Security Center
D. Compliance score

Answer: D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide

QUESTION 8
What do you use to provide real-time integration between Azure Sentinel and another security source?

A. Azure AD Connect
B. a Log Analytics workspace
C. Azure Information Protection
D. a connector

Answer: D
Section:
Explanation
Explanation/Reference:

Explanation:
To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a
number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365
sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security,
etc.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview

QUESTION 9
Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory
standards, such as International Organization for Standardization (ISO)?

A. the Microsoft Endpoint Manager admin center
B. Azure Cost Management + Billing
C. Microsoft Service Trust Portal
D. the Azure Active Directory admin center

Answer: C
Section:
Explanation
Explanation/Reference:

Explanation:
The Microsoft Service Trust Portal contains details about Microsoft's implementation of controls and processes
that protect our cloud services and the customer data therein.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide

QUESTION 10
In the shared responsibility model for an Azure deployment, what is Microsoft solely responsible for managing?

A. the management of mobile devices
B. the permissions for the user data stored in Azure
C. the creation and management of user accounts
D. the management of the physical hardware

Answer: D
Section:
Explanation
Explanation/Reference:

QUESTION 11
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
Box 2: Yes
Box 3: No
The Zero Trust model does not assume that everything behind the corporate firewall is safe. Instead, it
assumes breach and verifies each request as though it originated from an uncontrolled network.
Reference:
https://docs.microsoft.com/en-us/security/zero-trust/

QUESTION 12
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://privacy.microsoft.com/en-US/

QUESTION 13
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 14
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
A certificate is required that provides a private and a public key.
Box 2: Yes
The public key is used to validate the private key that is associated with a digital signature.
Box 3: Yes
The private key, or rather the password to the private key, validates the identity of the signer.
Reference:
https://support.microsoft.com/en-us/office/obtain-a-digital-certificate-and-create-a-digital-signature-e3d9d813-3305-4164-a820-2e063d86e512
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/fin-ops/organization-administration/electronicsignature-overview

QUESTION 15
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 16
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

QUESTION 17
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

QUESTION 18
In the Microsoft Cloud Adoption Framework for Azure, which two phases are addressed before the Ready
phase? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Plan
B. Manage
C. Adopt
D. Govern
E. Define Strategy

Answer: A,E
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/overview

QUESTION 19
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 20
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 21
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cloud-services-security-baseline

QUESTION 22
What is an example of encryption at rest?

A. encrypting communications by using a site-to-site VPN
B. encrypting a virtual machine disk
C. accessing a website by using an encrypted HTTPS connection
D. sending an encrypted email

Answer: B
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

QUESTION 23
Which three statements accurately describe the guiding principles of Zero Trust? Each correct answer
presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Define the perimeter by physical locations.
B. Use identity as the primary security boundary.
C. Always verify the permissions of a user explicitly.
D. Always assume that the user system can be breached.
E. Use the network as the primary security boundary.

Answer: B,C,D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/security/zero-trust/

QUESTION 24
HOTSPOT
Which service should you use to view your Azure secure score? To answer, select the appropriate service in
the answer area.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/secure-score-access-and-track

QUESTION 25
What can you use to provide a user with a two-hour window to complete an administrative task in Azure?

A. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
B. Azure Multi-Factor Authentication (MFA)
C. Azure Active Directory (Azure AD) Identity Protection
D. conditional access policies

Answer: D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policycommon

QUESTION 26
In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD
DS) and Azure Active Directory (Azure AD)?

A. Active Directory Federation Services (AD FS)
B. Azure Sentinel
C. Azure AD Connect
D. Azure AD Privileged Identity Management (PIM)

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

QUESTION 27
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
Azure AD supports custom roles.
Box 2: Yes
Global Administrator has access to all administrative features in Azure Active Directory.
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

QUESTION 28
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.
Box 2: Yes
Microsoft 365 uses Azure Active Directory (Azure AD). Azure Active Directory (Azure AD) is included with your
Microsoft 365 subscription.
Box 3: Yes
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide

QUESTION 29
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:

Explanation:
Biometrics templates are stored locally on a device.
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

QUESTION 30
What is the purpose of Azure Active Directory (Azure AD) Password Protection?

A. to control how often users must change their passwords
B. to identify devices to which users can sign in without using multi-factor authentication (MFA)
C. to encrypt a password by using globally recognized encryption standards
D. to prevent users from using specific words in their passwords

Answer: D
Section:
Explanation
Explanation/Reference:

Explanation:
Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also
block additional weak terms that are specific to your organization.
With Azure AD Password Protection, default global banned password lists are automatically applied to all
users in an Azure AD tenant. To support your own business and security needs, you can define entries in a
custom banned password list.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-onpremises

QUESTION 31
Which Azure Active Directory (Azure AD) feature can you use to evaluate group membership and
automatically remove users that no longer require membership in a group?

A. access reviews
B. managed identities
C. conditional access policies
D. Azure AD Identity Protection

Answer: A
Section:
Explanation
Explanation/Reference:

Explanation:
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group
memberships, access to enterprise applications, and role assignments.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

QUESTION 32
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional
form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

QUESTION 33
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
Box 2: No
Conditional Access policies are enforced after first-factor authentication is completed.
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

QUESTION 34
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/what-is

QUESTION 35
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active
Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious
insider actions directed at your organization.
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/what-is

QUESTION 36
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:

Explanation:
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide

QUESTION 37
Which Azure Active Directory (Azure AD) feature can you use to provide just-in-time (JIT) access to manage
Azure resources?

A. conditional access policies
B. Azure AD Identity Protection
C. Azure AD Privileged Identity Management (PIM)
D. authentication method policies

Answer: C
Section:
Explanation
Explanation/Reference:

Explanation:
Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure
resources.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

QUESTION 38
Which three authentication methods can be used by Azure Multi-Factor Authentication (MFA)? Each correct
answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. text message (SMS)
B. Microsoft Authenticator app
C. email verification
D. phone call
E. security question

Answer: A,B,D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

QUESTION 39
Which Microsoft 365 feature can you use to restrict communication and the sharing of information between
members of two departments at your organization?

A. sensitivity label policies
B. Customer Lockbox
C. information barriers
D. Privileged Access Management (PAM)

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers

QUESTION 40
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

QUESTION 41
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
Conditional access policies can be applied to all users.
Box 2: No
Conditional access policies are applied after first-factor authentication is completed.
Box 3: Yes
Users with devices of specific platforms or marked with a specific state can be used when enforcing
Conditional Access policies.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

QUESTION 42
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
When you register an application through the Azure portal, an application object and service principal are
automatically created in your home directory or tenant.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

QUESTION 43
Which three authentication methods does Windows Hello for Business support? Each correct answer presents
a complete solution.
NOTE: Each correct selection is worth one point.

A. fingerprint
B. facial recognition
C. PIN
D. email verification
E. security question

Answer: A,B,C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-worksauthentication

QUESTION 44
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

QUESTION 45
You have an Azure subscription.
You need to implement approval-based, time-bound role activation.
What should you use?

A. Windows Hello for Business
B. Azure Active Directory (Azure AD) Identity Protection
C. access reviews in Azure Active Directory (Azure AD)
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

Answer: D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

QUESTION 46
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policyadmin-mfa

QUESTION 47
When security defaults are enabled for an Azure Active Directory (Azure AD) tenant, which two requirements
are enforced? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. All users must authenticate from a registered device.
B. Administrators must always use Azure Multi-Factor Authentication (MFA).
C. Azure Multi-Factor Authentication (MFA) registration is required for all users.
D. All users must authenticate by using passwordless sign-in.
E. All users must authenticate by using Windows Hello.

Answer: B,C
Section:
Explanation
Explanation/Reference:

Explanation:
Security defaults make it easy to protect your organization with the following preconfigured security settings:
Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to do multi-factor authentication.
Blocking legacy authentication protocols.
Requiring users to do multi-factor authentication when necessary.
Protecting privileged activities like access to the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

QUESTION 48
Which type of identity is created when you register an application with Azure Active Directory (Azure AD)?

A. a user account
B. a user-assigned managed identity
C. a system-assigned managed identity
D. a service principal

Answer: D
Section:
Explanation
Explanation/Reference:

Explanation:
When you register an application through the Azure portal, an application object and service principal are
automatically created in your home directory or tenant.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

QUESTION 49
Which three tasks can be performed by using Azure Active Directory (Azure AD) Identity Protection? Each
correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Configure external access for partner organizations.
B. Export risk detection to third-party utilities.
C. Automate the detection and remediation of identity-based risks.
D. Investigate risks that relate to user authentication.
E. Create and automatically assign sensitivity labels to data.

Answer: C,D,E
Section:
Explanation
Explanation/Reference:

QUESTION 50
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide

QUESTION 51
What are two capabilities of Microsoft Defender for Endpoint? Each correct selection presents a complete
solution.
NOTE: Each correct selection is worth one point.

A. automated investigation and remediation
B. transport encryption
C. shadow IT detection
D. attack surface reduction

Answer: A,D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide

QUESTION 52
DRAG DROP
Match the Azure networking service to the appropriate description.
To answer, drag the appropriate service from the column on the left to its description on the right. Each service
may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Azure Firewall
Azure Firewall provides Source Network Address Translation and Destination Network Address Translation.
Box 2: Azure Bastion
Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the
Azure portal over TLS.
Box 3: Network security group (NSG)
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure
virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/networking/fundamentals/networking-overview
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://docs.microsoft.com/en-us/azure/firewall/features
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

QUESTION 53
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and
security orchestration automated response (SOAR) solution.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview

QUESTION 54
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases,
containers, web applications, your network, your storage, and more.
Box 2: Yes
Cloud security posture management (CSPM) is available for free to all Azure users.
Box 3: Yes
Azure Security Center is a unified infrastructure security management system that strengthens the security
posture of your data centers, and provides advanced threat protection across your hybrid workloads in the
cloud - whether they're in Azure or not - as well as on premises.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-defender
https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction
https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction

QUESTION 55
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/threat-analytics?view=o365-worldwide

QUESTION 56
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure
virtual network. A network security group contains security rules that allow or deny inbound network traffic to,
or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and
destination, port, and protocol.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

QUESTION 57
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-device-management

QUESTION 58
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal

QUESTION 59
What feature in Microsoft Defender for Endpoint provides the first line of defense against cyberthreats by
reducing the attack surface?

A. automated remediation
B. automated investigation
C. advanced hunting
D. network protection

Answer: D
Section:
Explanation
Explanation/Reference:

Explanation:
Network protection helps protect devices from Internet-based events. Network protection is an attack surface
reduction capability.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide

QUESTION 60
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview

QUESTION 61
Which two types of resources can be protected by using Azure Firewall? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

A. Azure virtual machines
B. Azure Active Directory (Azure AD) users
C. Microsoft Exchange Online inboxes
D. Azure virtual networks
E. Microsoft SharePoint Online sites

Answer: D,E
Section:
Explanation
Explanation/Reference:

QUESTION 62
You plan to implement a security strategy and place multiple layers of defense throughout a network
infrastructure.
Which security methodology does this represent?

A. threat modeling
B. identity as the security perimeter
C. defense in depth
D. the shared responsibility model

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/2-what-is-defense-in-depth

QUESTION 63
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 64
What can you use to scan email attachments and forward the attachments to recipients only if the attachments
are free from malware?

A. Microsoft Defender for Office 365
B. Microsoft Defender Antivirus
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint

Answer: A
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-servicedescription

QUESTION 65
Which feature provides the extended detection and response (XDR) capability of Azure Sentinel?

A. integration with the Microsoft 365 compliance center
B. support for threat hunting
C. integration with Microsoft 365 Defender
D. support for Azure Monitor Workbooks

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/eval-overview?view=o365-worldwide

QUESTION 66
What can you use to provide threat detection for Azure SQL Managed Instance?

A. Microsoft Secure Score
B. application security groups
C. Azure Defender
D. Azure Bastion

Answer: C
Section:
Explanation
Explanation/Reference:

QUESTION 67
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 68
Which Azure Active Directory (Azure AD) feature can you use to restrict Microsoft Intune-managed devices
from accessing corporate resources?

A. network security groups (NSGs)
B. Azure AD Privileged Identity Management (PIM)
C. conditional access policies
D. resource locks

Answer: C
Section:
Explanation
Explanation/Reference:

QUESTION 69
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

QUESTION 70
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview

QUESTION 71
What should you use in the Microsoft 365 Defender portal to view security trends and track the protection
status of identities?

A. Attack simulator
B. Reports
C. Hunting
D. Incidents

Answer: B
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-worldwide

QUESTION 72
You have a Microsoft 365 E3 subscription.
You plan to audit user activity by using the unified audit log and Basic Audit.
For how long will the audit records be retained?

A. 15 days
B. 30 days
C. 90 days
D. 180 days

Answer: C
Section:
Explanation
Explanation/Reference:

QUESTION 73
To which type of resource can Azure Bastion provide secure access?

A. Azure Files
B. Azure SQL Managed Instances
C. Azure virtual machines
D. Azure App Service

Answer: C
Section:
Explanation
Explanation/Reference:

Explanation:
Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the
Azure portal over TLS.
Reference:
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

QUESTION 74
What are three uses of Microsoft Cloud App Security? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. to discover and control the use of shadow IT
B. to provide secure connections to Azure virtual machines
C. to protect sensitive information hosted anywhere in the cloud
D. to provide pass-through authentication to on-premises applications
E. to prevent data leaks to noncompliant apps and limit access to regulated data

Answer: A,C,E
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps

QUESTION 75
What is a use case for implementing information barrier policies in Microsoft 365?

A. to restrict unauthenticated access to Microsoft 365
B. to restrict Microsoft Teams chats between certain groups within an organization
C. to restrict Microsoft Exchange Online email between certain groups within an organization
D. to restrict data sharing to external email recipients

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies?view=o365-worldwide

QUESTION 76
What can you use to provision Azure resources across multiple subscriptions in a consistent manner?

A. Azure Defender
B. Azure Blueprints
C. Azure Sentinel
D. Azure Policy

Answer: B
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

QUESTION 77
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
The MailItemsAccessed event is a mailbox auditing action and is triggered when mail data is accessed by mail
protocols and mail clients.
Box 2: No
Basic Audit retains audit records for 90 days.
Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This
is accomplished by a default audit log retention policy that retains any audit record that contains the value of
Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which
the activity occurred) for one year.
Box 3: Yes
Advanced Audit in Microsoft 365 provides high-bandwidth access to the Office 365 Management Activity API.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide#licensing-requirements
https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#advancedaudit

QUESTION 78
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Box 2: Yes
Leaked Credentials indicates that the user's valid credentials have been leaked.
Box 3: Yes
Multi-Factor Authentication can be required based on conditions, one of which is user risk.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa

QUESTION 79
Which Microsoft 365 compliance center feature can you use to identify all the documents on a Microsoft
SharePoint Online site that contain a specific keyword?

A. Audit
B. Compliance Manager
C. Content Search
D. Alerts

Answer: C
Section:
Explanation
Explanation/Reference:

Explanation:
The Content Search tool in the Security & Compliance Center can be used to quickly find email in Exchange
mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in
Skype for Business.
The first step in using the Content Search tool is to choose the content locations to search and configure a
keyword query to search for specific items.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-content?view=o365-worldwide

QUESTION 80
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center?view=o365-worldwide

QUESTION 81
Which Microsoft 365 feature can you use to restrict users from sending email messages that contain lists of
customers and their associated credit card numbers?

A. retention policies
B. data loss prevention (DLP) policies
C. conditional access policies
D. information barriers

Answer: B
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide

QUESTION 82
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

QUESTION 83
In a Core eDiscovery workflow, what should you do before you can search for content?

A. Create an eDiscovery hold.
B. Run Express Analysis.
C. Configure attorney-client privilege detection.
D. Export and download results.

Answer: A
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide

QUESTION 84
Which Microsoft portal provides information about how Microsoft manages privacy, compliance, and security?

A. Microsoft Service Trust Portal
B. Compliance Manager
C. Microsoft 365 compliance center
D. Microsoft Support

Answer: A
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide

QUESTION 85
What can you protect by using the information protection solution in the Microsoft 365 compliance center?

A. computers from zero-day exploits
B. users from phishing attempts
C. files from malware and viruses
D. sensitive data from being exposed to unauthorized users

Answer: D
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection?view=o365-worldwide

QUESTION 86
What can you specify in Microsoft 365 sensitivity labels?

A. how long files must be preserved
B. when to archive an email message
C. which watermark to add to files
D. where to store files

Answer: C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

QUESTION 87
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log
retention.
Box 2: No
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide

QUESTION 88
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

QUESTION 89
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide

QUESTION 90
Which two tasks can you implement by using data loss prevention (DLP) policies in Microsoft 365? Each
correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Display policy tips to users who are about to violate your organization's policies.
B. Enable disk encryption on endpoints.
C. Protect documents in Microsoft OneDrive that contain sensitive information.
D. Apply security baselines to devices.

Answer: A,C
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide

QUESTION 91
HOTSPOT
Select the answer that correctly completes the sentence.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide#how-compliance-manager-continuously-assesses-controls

QUESTION 92
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: Yes
You can use sensitivity labels to provide protection settings that include encryption of emails and documents to
prevent unauthorized people from accessing this data.
Box 2: Yes
You can use sensitivity labels to mark the content when you use Office apps, by adding watermarks, headers,
or footers to documents that have the label applied.
Box 3: Yes
You can use sensitivity labels to mark the content when you use Office apps, by adding headers or footers to
emails that have the label applied.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

QUESTION 93
Which Microsoft 365 compliance feature can you use to encrypt content automatically based on specific
conditions?

A. Content Search
B. sensitivity labels
C. retention policies
D. eDiscovery

Answer: B
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection?view=o365-worldwide

QUESTION 94
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Compliance Manager tracks Microsoft-managed controls, customer-managed controls, and shared controls.
Box 2: Yes
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide

QUESTION 95
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section:
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Phishing scams are external threats.
Box 2: Yes
Insider risk management is a compliance solution in Microsoft 365.
Box 3: Yes
Insider risk management helps minimize internal risks from users. These include:
Leaks of sensitive data and data spillage
Confidentiality violations
Intellectual property (IP) theft
Fraud
Insider trading
Regulatory compliance violations
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center?view=o365-worldwide

QUESTION 96
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview

QUESTION 97
DRAG DROP
Match the Microsoft 365 insider risk management workflow step to the appropriate task.
To answer, drag the appropriate step from the column on the left to its task on the right. Each step may be
used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:

Correct Answer:
Section:
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management?view=o365-worldwide
