SC-900 MCQs
SC-900 TestPrep SC-900 Study Guide
SC-900 Practice Test SC-900 Exam Questions
killexams.com
Microsoft Security, Compliance, and Identity Fundamentals
https://killexams.com/pass4sure/exam-detail/SC-900
An organization uses Microsoft Entra ID to manage user identities. A security administrator configures a custom role with the following JSON definition to restrict access to specific Azure resources:
{
"Name": "CustomReader", "Actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [], "NotDataActions": [], "AssignableScopes": [
"/subscriptions/12345678-1234-1234-1234-1234567890ab"
]
}
Which identity concept is this configuration addressing?
Authentication
Authorization
Directory Services
Identity Providers
Answer: B
Explanation: The custom role defines permissions for accessing specific Azure resources, which is an aspect of authorization, determining what actions a user can perform after authentication.
An organization uses Microsoft Purview to improve its compliance score. The compliance manager recommends implementing Microsoft 365 Insider Risk Management. How does this action impact the compliance score?
It has no impact unless sensitivity labels are applied to user activities
It increases the score by addressing improvement actions related to user behavior monitoring
It decreases the score due to increased configuration complexity
It only affects the score if DLP policies are disabled
Answer: B
Explanation: Implementing Microsoft 365 Insider Risk Management in Microsoft Purview addresses improvement actions related to monitoring user behavior for potential data risks, improving the compliance score. Sensitivity labels, DLP policies, and configuration complexity do not negate the positive impact of enabling Insider Risk Management.
An organization uses Microsoft Sentinel as a SIEM solution. They configure an analytic rule to detect suspicious PowerShell activity using the KQL query below. The rule generates false positives for legitimate administrative tasks. What modification should the team make to reduce false positives?
Exhibit: SecurityEvent
| where EventID == 4688
| where CommandLine contains "powershell"
| summarize ProcessCount = count() by Account, Computer, bin(TimeGenerated, 1h)
| where ProcessCount > 10
Increase the ProcessCount threshold to 20
Add a filter to exclude known administrative accounts
Reduce the time window to 30 minutes
Replace EventID 4688 with EventID 4104
Answer: B
Explanation: Filtering out known administrative accounts reduces false positives by excluding legitimate PowerShell usage. EventID 4688 tracks process creation, which is appropriate for detecting PowerShell execution. Increasing the threshold or reducing the time window may miss suspicious activity, and EventID 4104 (script block logging) requires additional configuration and may not cover all PowerShell activity.
An organization implements a security strategy requiring continuous validation of user identities across all access attempts. The system uses machine learning to analyze user behavior patterns and triggers step- up authentication when anomalies are detected. Which model is this organization adopting?
Defense-in-Depth
Governance, Risk, and Compliance (GRC)
Zero Trust
Shared Responsibility Model
Answer: C
Explanation: The Zero Trust model emphasizes continuous validation of identities and assumes no implicit trust, requiring verification for every access attempt. Machine learning-based behavior analysis and step-up authentication align with Zero Trust principles, ensuring robust security by dynamically assessing risk.
An organization implements Microsoft Entra ID and wants to enforce strong authentication for users accessing sensitive applications. The IT team configures a Conditional Access policy that requires multi- factor authentication (MFA) for all users. However, they notice that some users are still able to access applications without MFA. Confirm the users are part of a dynamic group
Ensure the Conditional Access policy excludes trusted locations
Verify the application???s enterprise settings for MFA
Which setting should be verified to ensure MFA is enforced?
D. Check the Azure AD tenant???s MFA registration policy
Answer: D
Explanation: The MFA registration policy in Microsoft Entra ID determines whether users are prompted to register for MFA. If users haven???t registered, they may bypass Conditional Access policies requiring MFA. Excluding trusted locations could weaken enforcement but doesn???t address registration. Application settings may require MFA but rely on user registration, and dynamic groups are unrelated to MFA enforcement.
A company uses Azure to host a web application. The application stores sensitive customer data in an Azure SQL Database, encrypted using Transparent Data Encryption (TDE) with a customer-managed key stored in Azure Key Vault. Which component of the shared responsibility model is the customer responsible for securing?
Physical infrastructure of Azure data centers
Management of the Azure Key Vault service
Configuration of the Azure SQL Database firewall
Patching of the Azure SQL Database engine
Answer: C
Explanation: In the shared responsibility model, Microsoft is responsible for securing the physical infrastructure and patching the database engine, while the customer manages configurations like the Azure SQL Database firewall and the customer-managed key in Azure Key Vault.
An organization wants to use Compliance Manager to automate the assignment of compliance tasks to specific roles based on GDPR requirements. Which feature allows them to customize task workflows and assign responsibilities?
Improvement Actions
Assessment Templates
Action Items
Solutions
Answer: A
Explanation: Improvement Actions in Compliance Manager allow organizations to customize and assign compliance tasks, including GDPR-related responsibilities, with automated workflows. Action Items track tasks, Assessment Templates evaluate compliance, and Solutions provide general tools without task customization.
An organization uses Microsoft Purview to apply sensitivity labels. They want to ensure that documents labeled "Public" are accessible to external users without encryption. Which sensitivity label setting should be configured?
Enable content marking with a watermark indicating "Public"
Configure the label with no encryption and allow external user access
Set up a DLP rule to allow external sharing of labeled documents
Apply co-author permissions to allow external editing
Answer: B
Explanation: Sensitivity labels in Microsoft Purview can control encryption and access. Configuring a "Public" label with no encryption and allowing external user access ensures external users can view documents without restrictions. Content marking adds visual indicators, DLP rules control sharing but
not access, and co-author permissions are for editing, not access.
An administrator is configuring Microsoft Priva to detect overexposed personal data in Teams chats, such as passport numbers shared with external users. They need to set a policy with a confidence level of 90% and trigger alerts. Which Priva feature and configuration should they use?
Data Loss Prevention, Teams Policy
Privacy Risk Management, Overexposure Policy
Records Management, Retention Label
Subject Rights Request, Data Exposure
Answer: B
Explanation: Privacy Risk Management in Microsoft Priva allows configuring Overexposure Policies to detect sensitive data, like passport numbers in Teams, with a specified confidence level (90%) and trigger alerts. Data Loss Prevention focuses on preventing leaks, Records Management handles retention, and Subject Rights Requests address data queries.
An enterprise uses Microsoft Entra ID to secure access to a custom application. The application requires fine-grained access control based on user roles and group memberships. The IT team wants to implement a solution that dynamically assigns roles to users based on their attributes, such as department or location. Which Microsoft Entra ID feature should be used?
Azure AD Privileged Identity Management (PIM)
Role-based access control (RBAC)
Dynamic group membership
Static group assignments
Answer: C
Explanation: Dynamic group membership in Microsoft Entra ID allows groups to be populated automatically based on user attributes, such as department or location. This enables fine-grained access control when combined with role assignments for applications. PIM manages privileged roles, RBAC assigns roles but doesn???t dynamically adjust group membership, and static group assignments require manual updates, which doesn???t meet the dynamic requirement.
An organization uses Microsoft Entra ID to manage identities for a cloud-native application. The IT team needs to implement a solution that allows temporary access to resources for contractors without creating permanent accounts. Which Microsoft Entra ID feature supports this requirement?
Entitlement Management
Azure AD B2C
Azure AD B2B collaboration
Privileged Identity Management
Answer: A
Explanation: Entitlement Management in Microsoft Entra ID allows organizations to manage access packages, enabling temporary access for users like contractors without permanent accounts. Azure AD B2B is for external collaboration, B2C is for consumer apps, and PIM manages privileged roles, none of which directly support temporary access management.
Question: 320
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Explanation:
Graphical user interface, text, application Description automatically generated
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.
Reference: https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365- worldwide
Question: 321
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Graphical user interface, text, application, email Description automatically generated
Question: 322
DRAG DROP
Match the Azure networking service to the appropriate description.
To answer, drag the appropriate service from the column on the left to its description on the right. Each service may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Answer:
Explanation:
Graphical user interface, application Description automatically generated Box 1: Azure Firewall
Azure Firewall provide Source Network Address Translation and Destination Network Address Translation. Box 2: Azure Bastion
Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.
Box 3: Network security group (NSG)
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.
Question: 323
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Explanation: Text, letter
Description automatically generated
Question: 324
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Explanation: Text
Description automatically generated
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
Question: 325
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Explanation:
Graphical user interface, text Description automatically generated
Question: 326
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Graphical user interface, text
Description automatically generated with medium confidence
Question: 327
HOTSPOT
Select the answer that correctly completes the sentence.
Answer:
Explanation:
Graphical user interface, application Description automatically generated
Question: 328
Which score measures an organization???s progress in completing actions that help reduce risks associated to data protection and regulatory standards?
Microsoft Secure Score
Productivity Score
Secure score in Azure Security Center
Compliance score
Answer: D
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide
Question: 329
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Graphical user interface, text, application Description automatically generated
Box 1: Yes
You can use sensitivity labels to provide protection settings that include encryption of emails and documents to prevent unauthorized people from accessing this data.
Box 2: Yes
You can use sensitivity labels to mark the content when you use Office apps, by adding watermarks, headers, or footers to documents that have the label applied.
Box 3: Yes
You can use sensitivity labels to mark the content when you use Office apps, by adding headers, or footers to email that have the label applied.
Question: 330
What do you use to provide real-time integration between Azure Sentinel and another security source?
Azure AD Connect
a Log Analytics workspace
Azure Information Protection
a connector
Answer: D Explanation:
To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security, etc.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/overview
KILLEXAMS.COM
Killexams.com is a leading online platform specializing in high-quality certification exam preparation. Offering a robust suite of tools, including MCQs, practice tests, and advanced test engines, Killexams.com empowers candidates to excel in their certification exams. Discover the key features that make Killexams.com the go-to choice for exam success.
Killexams.com provides exam questions that are experienced in test centers. These questions are updated regularly to ensure they are up-to-date and relevant to the latest exam syllabus. By studying these questions, candidates can familiarize themselves with the content and format of the real exam.
Killexams.com offers exam MCQs in PDF format. These questions contain a comprehensive
collection of questions and answers that cover the exam topics. By using these MCQs, candidate can enhance their knowledge and improve their chances of success in the certification exam.
Killexams.com provides practice test through their desktop test engine and online test engine. These practice tests simulate the real exam environment and help candidates assess their readiness for the actual exam. The practice test cover a wide range of questions and enable candidates to identify their strengths and weaknesses.
Killexams.com offers a success guarantee with the exam MCQs. Killexams claim that by using this materials, candidates will pass their exams on the first attempt or they will get refund for the purchase price. This guarantee provides assurance and confidence to individuals preparing for certification exam.
Killexams.com regularly updates its question bank of MCQs to ensure that they are current and reflect the latest changes in the exam syllabus. This helps candidates stay up-to-date with the exam content and increases their chances of success.