Practice Free SC-900 Microsoft Security Compliance and Identity Fundamentals Exam Questions Answers With Explanation

Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure resources

Conditional access policies always enforce MFA = NoMicrosoft Entra Conditional Access policies are flexible and do not always require MFA. MFA is one possible control, but policies can enforce other access controls such as requiring a compliant device, blocking access entirely, requiring Terms of Use acceptance, or enforcing session controls.

SCI Extract: “Conditional Access is the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. These policies can require MFA, but it is not mandatory for all policies.”

Block access based on location = YesConditional Access supports location-based conditions using named locations (such as country or IP ranges). Policies can block or allow access based on where the user is signing in from.

SCI Extract: “Administrators can use Conditional Access policies to block or grant access based on user location, using named locations to define trusted or risky areas.”

Only affects Entra joined devices = NoConditional Access applies to all users and devices, including:

Entra-joined,

Hybrid Entra-joined,

Registered devices (via Microsoft Intune or Azure AD),

And even unmanaged (BYOD) devices depending on configuration.

SCI Extract: “Conditional Access policies apply to all users and devices based on selected conditions, not only Microsoft Entra joined devices.”

Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft’s security guidance, defense in depth is described as employing “a series of mechanisms across multiple layers” to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By “placing multiple layers of defense throughout a network infrastructure,” an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft’s defense in depth methodology.

In Microsoft identity terminology, authentication is the step that proves who the user is when they attempt to sign in. Microsoft Learn defines it plainly: “Authentication is the process of proving the identity of a user, device, or service.” By contrast, “Authorization is the process of determining what a user, device, or service can do.” During sign-in to Microsoft Entra ID (formerly Azure AD), “the identity provider validates credentials and, upon successful authentication, issues tokens that applications use to grant access.” Microsoft further explains the available methods: “Microsoft Entra ID supports multiple authentication methods, including passwords, multi-factor authentication, FIDO2 security keys, certificate-based authentication, and federated authentication.”

Auditing and administration are not the mechanisms that verify identity at sign-in. Auditing “records security-relevant events for investigation and compliance,” while administration “refers to configuring and managing identities, access policies, and settings.” Therefore, in the sentence “When users sign in, _____ verifies their credentials to prove their identity,” the correct completion is authentication, because it is the control that validates the user’s credentials and establishes identity before any authorization decisions are made.

In Microsoft’s shared responsibility model, responsibilities vary by service type. For IaaS (for example, Azure Virtual Machines), Microsoft states that it is responsible for protecting and maintaining the cloud infrastructure that runs customer workloads, while customers secure what they deploy in that infrastructure. Microsoft’s guidance explains that Microsoft “operates and secures the datacenters, physical hosts, networking, and the virtualization fabric,” and handles the underlying platform maintenance, including “hardware and firmware” that support those hosts. Conversely, customers are responsible for what runs inside their VM: “the guest operating system (including updates and security configuration), applications, identity, and data.”

Applied to the options in this question:

Updating the operating system and updating installed applications are customer tasks because they are inside the guest VM.

Configuring permissions for shared folders is also a customer responsibility because it’s an OS/application configuration within the guest.

Updating the firmware of the disk controller belongs to Microsoft, because firmware and hardware on the physical hosts (including storage controllers) are part of the infrastructure of the cloud that Microsoft manages and secures.

This aligns with SCI study materials that summarize: Microsoft secures “the security of the cloud” (physical datacenter, hosts, network, and hypervisor/firmware), while customers secure “security in the cloud” (guest OS, apps, and data).

In Microsoft’s Security, Compliance, and Identity guidance, encryption is described as the control that “converts data into a form that cannot be understood by anyone who does not possess the appropriate decryption key.” In the Microsoft Purview Information Protection (sensitivity labels with encryption) documentation, Microsoft explains that when encryption is applied to a file, “only authorized users and services that present the correct keys and usage rights can open and use the content,” and that access is enforced even if the file is moved outside the organization. Azure Rights Management (part of Microsoft Purview) further states that encryption “protects data at rest and in transit by using keys so that only permitted identities can decrypt and use the information.”

This aligns precisely with the sentence: encrypting a file makes the data readable and usable to viewers that have the appropriate key (and unreadable to those who do not). By contrast, archiving organizes or preserves data for long-term storage; compressing reduces file size without controlling access; and deduplicating removes redundant copies to save space. None of these provide the key-based, identity-bound access control described in Microsoft SCI materials. Therefore, the correct completion is Encrypting.

In Microsoft’s identity platform, Active Directory Domain Services (AD DS) is the on-premises directory that maintains directory objects such as users, groups, and computers. Microsoft documentation describes AD DS as a service that “stores information about objects on the network and makes this information easy for administrators and users to find and use.” It further explains that AD DS contains objects like “users, groups, computers, and other resources,” and that administrators use tools such as Active Directory Users and Computers to create and manage these objects. A key object type is the computer account; Microsoft states that “a computer that’s joined to a domain has a corresponding computer account object in Active Directory” and that these accounts are created and managed within AD DS to enable secure authentication and authorization for domain-joined devices.

By contrast, mobile devices are typically enrolled and managed through Microsoft Intune/Endpoint Manager and Azure AD device objects, not created in AD DS. Likewise, SaaS applications that require modern authentication integrate with Microsoft Entra ID (Azure AD) using OpenID Connect/OAuth 2.0—not with AD DS. Line-of-business apps that rely on modern authentication are also registered in Entra ID, while AD DS supports traditional Kerberos/NTLM for domain resources. Therefore, among the options provided, the object you can create in AD DS is computer accounts.

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

In Microsoft’s shared responsibility model for Azure, responsibilities are divided between Microsoft and the customer. Microsoft Learn explains that Microsoft is responsible for security of the cloud, while customers are responsible for security in the cloud. The platform owner’s scope includes the underlying facilities and infrastructure. As the documentation states: “Microsoft is responsible for the security OF the cloud, which includes protecting the infrastructure that runs all of the services offered in Microsoft Azure,” and this encompasses “physical datacenters, physical hosts, and the physical network.” The customer, by contrast, is responsible for items within their tenant and workloads, including “data, endpoints, accounts, and access management,” as well as configuration of services, identities, and devices.

Applied to the options given: managing mobile devices (A), setting permissions for user data (B), and creating/managing user accounts (C) fall under the customer’s responsibility because they relate to identity, access, data, and endpoint management within the tenant. The one item that Microsoft solely manages is the physical layer—the “physical hardware and facilities” that host Azure services. Therefore, the correct answer is D. the management of the physical hardware.

Microsoft positions Microsoft Sentinel as a cloud-native SIEM and SOAR that “collects data at cloud scale” and “detects, investigates, and responds to threats.” The extended detection and response (XDR) layer in Microsoft’s security stack is delivered by Microsoft 365 Defender, which “correlates signals across endpoints, identities, email, and apps to automatically detect, investigate, and remediate attacks.” Sentinel’s XDR capability is realized through its integration with Microsoft 365 Defender, enabling incident synchronization, alert enrichment, and bi-directional actions. Documentation explains that this integration “brings Microsoft 365 Defender incidents into Microsoft Sentinel,” unifying SIEM/SOAR analytics with the cross-domain XDR detections from Defender. Features such as automatic incident grouping, advanced hunting, and entity behavior flow from Microsoft 365 Defender to Sentinel, giving analysts an end-to-end XDR view. By contrast, threat hunting and workbooks are valuable Sentinel features, and compliance center is unrelated to XDR. The specific capability that provides Sentinel’s XDR experience is its integration with Microsoft 365 Defender.

Microsoft’s hybrid identity guidance explains that Microsoft Entra Connect (formerly Azure AD Connect) is the tool used to synchronize identities from on-premises AD DS to a Microsoft Entra tenant, enabling hybrid identity. Microsoft states that hybrid identity is achieved by connecting your on-premises directory with your cloud directory so users have a single identity to access both environments. This does not require two Microsoft 365 tenants; rather, it requires one Microsoft Entra tenant integrated with your on-premises AD DS. For authentication models—Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or federation (AD FS)—Microsoft specifies that directory synchronization is required so that user objects exist in Entra ID and can authenticate to cloud services while maintaining a consistent identity. Thus, Entra Connect is used to implement the synchronization underpinning hybrid identity; two M365 tenants are unnecessary; and synchronization between AD DS and Entra ID is required for authenticating hybrid identities across Microsoft cloud services.

Microsoft’s Zero Trust guidance in the Security, Compliance, and Identity (SCI) materials frames three core principles: “Verify explicitly,” “Use least-privilege access,” and “Assume breach.” The guidance explains that identity is the new control plane in cloud-based environments: identity becomes the primary security boundary, with access decisions evaluated continuously using signals such as user identity, device health, location, and risk. In Zero Trust, organizations must “verify explicitly”—that is, require strong authentication and explicit authorization for every access request, not just initial logon, and base decisions on the permissions and context presented. The model also directs organizations to “assume breach”, operating with the expectation that an attacker may already be inside the environment and therefore applying containment practices such as micro-segmentation, telemetry, and rapid detection and response. Conversely, the traditional notion of defining the perimeter by physical locations or network boundaries is explicitly rejected; the documentation emphasizes that network location is no longer a reliable trust signal and should not be treated as the primary boundary. Therefore, the statements that align with Microsoft’s Zero Trust principles are: Use identity as the primary security boundary (B), Always verify user permissions explicitly (C), and Always assume the user/system can be breached (D).

Conditional Access session controls enable user app access and sessions to be monitored and controlled in real time based on access and session policies.

Based on this definition, the best answer for your question is B. enable limited experiences, such as blocking download of sensitive information.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

Microsoft Entra Conditional Access (CA) evaluates signals from the user, device, location, and risk to make access decisions. The platform explicitly notes that CA decisions occur after primary sign-in: “Conditional Access policies are enforced after the first-factor authentication has been completed.” This means a user must successfully present their initial credentials (e.g., password, Windows Hello, FIDO2) before the CA engine evaluates policy logic. Therefore, the statement that CA is evaluated before a user is authenticated is not correct.

Regarding scoping, CA can target ordinary and privileged identities. The assignment options allow administrators to aim policies at users, groups, and directory roles: “You can include or exclude users and groups… [and] include or exclude specific Azure AD directory roles from a Conditional Access policy.” Because Global Administrator is a directory role, policies can be applied to those accounts (with Microsoft’s best-practice guidance to maintain at least one excluded break-glass account to prevent lockout).

For signals/conditions, CA supports device platform filtering. The documented device platform condition states: “This condition is based on the operating system platform of the device… iOS, Android, Windows, macOS (and others).” Administrators commonly use this to require different controls (like MFA or compliant device) based on Android or iOS.

Putting these together:

CA can apply to Global Administrators (Yes).

CA is evaluated after first-factor authentication (No to “before”).

Device platform (e.g., Android/iOS) is a valid CA signal (Yes).

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization’s progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft’s official documentation on Compliance Manager, the Compliance score “helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards.” Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score “assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities.”

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.

In Microsoft’s Security, Compliance, and Identity learning content for Microsoft Defender for Cloud, the service is described as providing ongoing posture management and threat protection. The official description states that Defender for Cloud “continuously assesses your resources to identify security misconfigurations and weaknesses” and “continuously discovers and evaluates resources” across your subscriptions. The recommendations and secure-score updates are produced as the platform “continuously analyzes your environment using security policies and analytics,” surfacing issues the moment they’re detected and mapping them to remediation guidance. This continuous assessment model underpins Defender for Cloud’s cloud security posture management (CSPM) capability and ensures that newly created or modified resources are evaluated without waiting for a scheduled job. By design, there is no fixed interval (such as hourly, every 15 minutes, or daily) required to trigger assessments—policy-driven evaluation and data collection run as changes occur and signals are received. Therefore, the sentence “Microsoft Defender for Cloud assesses Azure resources ____ for security issues” is correctly completed with continuously, reflecting Microsoft’s emphasis on persistent, real-time security posture evaluation rather than periodic scans.

In Microsoft’s Security, Compliance, and Identity guidance, the Microsoft Service Trust Portal (STP) is identified as the public destination where Microsoft publishes independent audit reports, compliance certifications, assessment reports, and trust-related documentation for Microsoft cloud services. The documentation explains that the STP provides customers with access to materials such as SOC 1/SOC 2 reports, ISO/IEC certifications, audit summaries, and compliance guides, enabling organizations to evaluate Microsoft’s controls and map them to their own regulatory requirements. The STP is expressly positioned for transparency and due diligence, allowing customers and auditors to review Microsoft’s compliance posture and understand how Microsoft manages security, privacy, and compliance across its cloud platforms.

By contrast, the Microsoft Purview compliance portal is a tenant-admin portal used to configure and manage compliance solutions (e.g., DLP, Information Protection, eDiscovery, Insider Risk, Compliance Manager) within your organization—not a public repository of Microsoft’s audit artifacts. The Microsoft Purview governance portal focuses on data governance and cataloging scenarios. The Azure EA portal is used for Enterprise Agreement billing and usage management. Therefore, the public site for publishing audit reports and other compliance-related information for Microsoft cloud services is the Microsoft Service Trust Portal.

Assessments

In Microsoft Purview Compliance Manager, assessments are the core components used to track compliance with groupings of controls from specific regulations, standards, or requirements.

According to official Microsoft Security, Compliance, and Identity (SCI) learning content, particularly within the SC-400 and SC-900 certification tracks, the role of assessments is explicitly defined as:

“Assessments in Compliance Manager help you track, implement, and improve compliance with requirements from standards and regulations. Each assessment maps to a specific regulation or control framework, such as ISO 27001, NIST, GDPR, or HIPAA, and includes a set of controls and recommended improvement actions.”

Further extracted content from SCI documentation confirms:

“An assessment is used to measure your compliance posture against a particular regulation or standard. It includes control mappings and provides insight into what’s in place and what still needs to be addressed to meet the compliance goals.”

The other options in the dropdown — Templates, Improvement actions, and Solutions — serve different functions:

Templates provide a blueprint for creating assessments.

Improvement actions are actionable steps generated within assessments.

Solutions in Microsoft Purview refer to bundled capabilities like Insider Risk Management, Information Protection, etc.

Therefore, to track compliance with groupings of controls from a specific regulation or requirement, the correct and Microsoft-verified term is "Assessments."

Microsoft defines Information Barriers (IB) as policies that “restrict communication and collaboration between specific users or groups” to meet regulatory or conflict-of-interest requirements. In Microsoft 365, IB enforcement is provided across collaboration workloads—most notably Microsoft Teams and, with IB v2, SharePoint and OneDrive—so that users placed in segments that shouldn’t interact are prevented from chatting, meeting, or sharing files with one another. The service “controls who can communicate and collaborate with whom” and applies those controls to Teams chats/channels and SharePoint/OneDrive sites and files so that segment boundaries are honored when users attempt to share or access content.

By contrast, Exchange Online email is not a supported enforcement surface for Information Barriers; IB does not block or route mail. Email restrictions are handled with other capabilities (for example, mail flow rules), not IB. Therefore, in alignment with Microsoft’s SCI guidance: IB does work with Microsoft Teams and with Microsoft SharePoint/OneDrive, but it does not provide policy enforcement for Exchange email.

Yes

NO

NO

YES - As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

NO - The most restrictive lock in the inheritance takes precedence.

NO - If you delete a resource group with a locked resource, the portal UI will give you an error and no resources are deleted.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

In Microsoft’s SCI materials, the Solutions catalog is described as part of the Microsoft Purview experience: “The Microsoft Purview compliance portal is the home for solutions to manage your organization’s data security and compliance needs.” Within this portal, Microsoft states that “the Solutions catalog provides a single place to discover, learn about, and set up Microsoft Purview solutions.” The catalog organizes capabilities across compliance domains, for example “Information Protection, Data Lifecycle Management, Data Loss Prevention, Insider Risk Management, eDiscovery, Audit, and Compliance Manager,” and from the catalog “administrators can open setup guides and configuration wizards for each solution.” This positioning makes the Purview compliance portal the correct portal when you are asked where the solution catalog lives.

By comparison, the Microsoft 365 admin center focuses on tenant administration and licensing, the Microsoft 365 Defender portal consolidates threat protection and security operations, and the Microsoft 365 Apps admin center targets Office app management and servicing. None of these are identified as the home of the Purview Solutions catalog. Therefore, the portal that contains the solution catalog is the Microsoft Purview compliance portal.

In the Microsoft 365 security center/Microsoft 365 Defender portal, the Reports area is designed to provide organization-wide visibility into security posture and activity over time. Microsoft describes the Reports experience as enabling you to “view security trends and track the protection status across identities, endpoints, email & collaboration, and cloud apps.” Within Reports, the Identity section aggregates signals from Microsoft Entra ID protection and related identity defenses so security teams can monitor trends such as risky sign-ins, user risk, MFA adoption/registration, and other identity protection metrics. These curated, read-only dashboards are aimed at measuring protection status and changes over time, helping you validate the impact of controls and prioritize remediation.

By contrast, Attack simulator is used to run user training simulations (e.g., phishing) and is not intended for posture trend reporting. Hunting (Advanced hunting) lets analysts query raw telemetry for investigations, not to provide summarized trend dashboards. Incidents correlates alerts into incident records for triage and response, rather than showing long-term trends and protection status views. Therefore, to view security trends and track the protection status of identities, the correct place is Reports in the Microsoft 365 security center/Microsoft 365 Defender portal.

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based directory and identity platform. In Microsoft’s SCI materials, Entra ID is described as “Microsoft’s cloud-based identity and access management service that helps your employees sign in and access resources,” underscoring that it’s not deployed on-premises; instead, organizations can synchronize or federate with on-premises Active Directory using tools like Entra Connect. The same documentation explains that Entra ID is included with Microsoft 365 subscriptions, providing tenant identity services for apps such as Exchange Online, SharePoint Online, and Teams. Core capabilities listed include authentication, single sign-on (SSO), Conditional Access, device registration, and application access management, all of which classify Entra ID as an identity and access management (IAM) service. Thus: (1) on-premises deployment — No (it’s cloud-native), (2) provided with Microsoft 365 — Yes (a directory is created for each tenant), and (3) IAM service — Yes (it delivers identity, access, and governance controls used across Microsoft cloud services).

Microsoft’s Conditional Access (part of Microsoft Entra ID) evaluates multiple signals to make access decisions. The official description lists typical signals such as “user or group membership, IP location information, device state, application, and real-time risk.” The device state element explicitly refers to conditions like “compliant or hybrid Azure AD joined devices,” allowing policies that grant or block access—or require extra controls—based on whether a device meets compliance/registration requirements.

Regarding evaluation timing, Microsoft’s guidance states that Conditional Access “policies are enforced after the first-factor authentication is completed.” This means the engine needs the user’s primary sign-in context (who the user is and how they authenticated) to evaluate the conditions and then decide whether to allow, block, or require additional controls. Therefore, the statement that policies apply before first factor is not correct.

Finally, Conditional Access includes grant controls such as “Require multi-factor authentication,” and policies can be scoped to specific cloud apps or actions. As a result, you can target a particular application and require MFA when a user attempts to access it, satisfying application-specific risk mitigation while preserving user productivity.

In Microsoft’s Security, Compliance, and Identity (SCI) learning content, Multi-Factor Authentication (MFA) is defined as requiring more than one verification method during sign-in. Microsoft states: “Multi-factor authentication (MFA) requires two or more verification methods” and Azure AD (Microsoft Entra ID) MFA “works by requiring two or more of the following: something you know (password), something you have (trusted device or token), something you are (biometrics).” The SCI fundamentals also explain that MFA strengthens authentication beyond a single password by combining distinct factor types, noting that “strong authentication uses at least two different factors to verify identity.”

When you enable Azure AD MFA, a user must successfully present two factors from those categories to complete the authentication—commonly a password (something you know) plus a second factor such as Microsoft Authenticator approval, a FIDO2 security key, SMS/voice code, or Windows Hello (something you have/are). This is the core of Azure AD’s risk-based and conditional access controls, which can require MFA based on conditions or risk signals. Therefore, the number of factors required after enabling Azure AD MFA is two, aligning with Microsoft’s definition and implementation of multi-factor authentication in Entra ID.

Microsoft sets out clear privacy principles for Microsoft 365 and Microsoft cloud services. In Microsoft’s privacy commitments, Microsoft states that customers control their data: “You control your data.” Microsoft also pledges transparency about data practices: “We are transparent about data collection and use.” These two commitments are among the core privacy principles articulated across Microsoft 365 privacy and Microsoft Purview documentation, which emphasize customer choice, clear explanations of data processing, and admin capabilities to access, export, and delete data. Additional Microsoft privacy principles often listed alongside these include security of your data, strong legal protections, no content-based targeting, and benefits to you, but the key point for this question is that Control and Transparency are explicitly called out as privacy principles.

By contrast, shared responsibility is not a privacy principle; it is a cloud security model used in Azure/Microsoft cloud guidance. That model explains that security is a shared responsibility between Microsoft (for the cloud infrastructure) and the customer (for their data, identities, endpoints, and configurations). It describes how duties are divided for protecting services and workloads, not a privacy promise to end users. Therefore, the correct selections are Yes for Control and Transparency, and No for Shared responsibility.

Explanation

In Microsoft’s hybrid identity guidance, Azure AD Connect is the supported tool to bridge on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD). Microsoft Learn describes it plainly: “Azure AD Connect is Microsoft’s tool for connecting on-premises directories to Azure AD.” It “synchronizes user, group, and device objects” so cloud identities stay aligned with on-premises accounts and attributes. Azure AD Connect also supports multiple sign-in methods: “password hash synchronization, pass-through authentication, and federation integration.” In other words, you can sync identities and choose how users authenticate to Microsoft Entra ID (Azure AD).

By contrast, Active Directory Federation Services (AD FS) is a federation service used for claims-based authentication; it does not perform directory synchronization. Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR and is unrelated to identity sync. Privileged Identity Management (PIM) is an identity governance feature for just-in-time privileged access; it does not synchronize identities. Therefore, in a hybrid identity model where the requirement is to sync identities between AD DS and Azure AD, the correct Microsoft-endorsed solution is Azure AD Connect, which “keeps identities in sync between on-premises directories and Azure AD.”

Microsoft’s shared responsibility guidance explains that the customer’s responsibility decreases as you move from on-premises to SaaS. In an on-premises datacenter, “you own the whole stack—applications, data, runtime, middleware, OS, virtualization, servers, storage, and networking.” With IaaS, the cloud provider operates the physical datacenter and virtualization, while “you’re responsible for configuring and managing the guest OS, network controls, identity, applications, and data.” With PaaS, the provider operates more of the stack so that “the cloud provider manages the platform (OS, middleware, and runtime) and you focus on your applications and data.” Finally, with SaaS, responsibility is minimized for customers because “the service provider manages the application and underlying infrastructure; customers primarily manage identity, data, and access/usage.”

These Microsoft Learn statements map directly to the requested order—from most customer responsibility (on-premises) to least (SaaS)—with IaaS and PaaS in between, reflecting the progressive shift of operational and security controls from the customer to the cloud provider as the service model moves up the stack.

access and application control

In Microsoft Defender for Cloud, the capabilities grouped as access and application control are designed to harden Azure virtual machines by limiting both what can access a VM and what can run on it. Microsoft’s documentation explains that Adaptive application controls “help you control which applications can run on your VMs by allowing only known-safe applications,” which directly helps block malware and other unwanted applications. In the same family, Just-in-time (JIT) VM access “reduces exposure to attacks by locking down inbound traffic to your VMs and opening only the required ports, for approved users, for a limited time,” thereby reducing the network attack surface. These capabilities are surfaced in Defender for Cloud recommendations and policies to enforce least privilege at the network edge and on the endpoint execution layer.

By contrast, Cloud Security Posture Management (CSPM) provides continuous assessment and secure-score-driven recommendations but isn’t the control that actively blocks applications or time-bounds inbound access. Container security targets container images and runtimes, and vulnerability assessment identifies software vulnerabilities but doesn’t enforce allow-listing or time-bound access. Therefore, the correct completion is access and application control, which encompasses Adaptive application controls and JIT VM access to protect VMs from unwanted apps and minimize exposed network surface.

Azure Blueprints allow cloud architects and central IT to define a repeatable set of Azure resources and governance artifacts—including Azure Policy assignments, role assignments (RBAC), resource groups, and ARM/Bicep templates—and then deploy them consistently across subscriptions. Microsoft’s guidance describes Blueprints as a way to “orchestrate the deployment of various resource templates and other artifacts” to establish standards, patterns, and compliance for environments at scale. This is distinct from Azure Policy, which evaluates and enforces configuration but does not package multi-artifact environments; Microsoft Sentinel and Defender are security analytics/protection services rather than provisioning frameworks. Thus, for consistent provisioning across multiple subscriptions, the prescribed solution is Azure Blueprints.

Security defaults make it easy to protect your organization with the following preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.

Requiring administrators to do multi-factor authentication.

Blocking legacy authentication protocols.

Requiring users to do multi-factor authentication when necessary.

Protecting privileged activities like access to the Azure portal.

When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.

Microsoft 365 Advanced Audit is a capability of the Microsoft Purview audit solution that enhances auditing by adding additional high-value audit events, extended retention (up to one year by default, longer with add-ons), and intelligent insights. Microsoft documentation explains that Advanced Audit provides Exchange-specific events such as “MailItemsAccessed” and “SearchQueryInitiated”, which log when users access mailbox items and when they initiate a search in Exchange (including Outlook on the web). These records include who performed the action, when it occurred, the client/app used, and other metadata that helps investigations and forensics.

Advanced Audit is not a billing tool; billing information is handled separately in Microsoft 365 admin/billing portals and isn’t part of the audit schema. Likewise, audit logs do not expose message content; they capture activity metadata (actor, operation, workload, timestamp, and parameters) rather than the actual body of emails or file contents. The purpose is to improve auditability and investigation without revealing user content. Therefore, statements about viewing billing details or email contents are No, while identifying mailbox search actions (e.g., a user using the Outlook on the web search bar) is Yes, because Advanced Audit includes the SearchQueryInitiated (Exchange) event that records such activity.

Within Microsoft Purview, Insider Risk Management is the solution that is explicitly designed to detect activities such as IP theft and data leakage. Microsoft describes it as a compliance solution that correlates many user and system signals to identify potentially malicious or inadvertent insider risks, including leaks of sensitive data and data spillage.

Organizations create Insider Risk Management policies that watch for risky behaviors such as unusual file downloads, copying data to removable media, or sharing sensitive information to external locations. When configured with templates like Data leaks, these policies can use high-severity alerts from Data Loss Prevention (DLP) policies as triggers, so that suspected data-leak events automatically generate alerts and cases for investigation. This workflow lets investigators quickly triage, investigate, and remediate possible data-exfiltration incidents.

The other options serve different purposes. Compliance Manager evaluates and tracks compliance posture against regulations and internal controls, rather than monitoring user behavior for leaks. Communication compliance focuses on inappropriate or non-compliant messages (such as harassment or improper sharing in chats and email). eDiscovery is used to find and preserve existing content for legal or investigative cases, not for proactive detection of leakage as it occurs.

Therefore, the Microsoft Purview solution used to identify data leakage is Insider Risk Management.

Microsoft’s Azure networking services have distinct roles that map directly to the statements in the prompt. Azure Firewall is a stateful, cloud-native network security service that explicitly supports Source NAT (SNAT) and Destination NAT (DNAT) to control and translate traffic flows. In Microsoft’s description, Azure Firewall “provides network address translation (SNAT/DNAT) and filtering for inbound and outbound traffic,” making it the correct match for NAT services.

Azure Bastion is designed to deliver “secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal over TLS” without exposing a public IP on the VM. This aligns precisely with secure Remote Desktop connectivity to Azure virtual machines.

Network security groups (NSGs) are Azure’s built-in mechanism for traffic filtering. Microsoft explains that an NSG “contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources” and that rules can be applied to subnets or to individual network interfaces (NICs) on a virtual network. Therefore, NSGs are the right choice for traffic filtering applied to specific network interfaces.

Together, these mappings reflect Azure’s layered network security model: NSGs for rule-based filtering at NIC/subnet, Azure Firewall for centralized stateful inspection and NAT, and Azure Bastion for secure, browser-based RDP/SSH access.

Onboarding Microsoft Sentinel starts by enabling Sentinel on an existing Log Analytics workspace and then connecting data sources so analytics can operate on ingested security data. Microsoft’s Sentinel onboarding guidance emphasizes that after you add Sentinel to a workspace, you must “connect Microsoft services, non-Microsoft solutions, and custom sources” using built-in data connectors. Microsoft also states that “you need data in your workspace before you can use Microsoft Sentinel’s analytics, hunting, and investigation capabilities.” Features such as custom analytics rules, hunting queries, and incident correlation depend on ingested telemetry from sources like Microsoft Entra ID sign-in logs, Microsoft 365, Defender products, firewalls, and other appliances. Because the question already gives you a Log Analytics workspace (the prerequisite for enabling Sentinel), the first action in the onboarding workflow that unlocks Sentinel’s value is to connect your security sources. Only after data is flowing should you proceed to create analytics rules, hunting queries, and incident processes. Therefore, the correct first step to onboard Microsoft Sentinel is connect to your security sources.

Box 1: Yes

The MailItemsAccessed event is a mailbox auditing action and is triggered when mail data is accessed by mail protocols and mail clients.

Box 2: No

Basic Audit retains audit records for 90 days.

Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which the activity occurred) for one year.

Box 3: yes

Advanced Audit in Microsoft 365 provides high-bandwidth access to the Office 365 Management Activity API.

According to Microsoft’s Security, Compliance, and Identity (SCI) documentation and learning paths (specifically SC-900, SC-300, and Azure AD Identity Protection modules):

“Conditional Access policies in Azure AD are the primary method for enforcing access controls based on specific conditions such as user, group, location, device compliance, and application.”

In this case, the organization can configure a Conditional Access policy that targets a specific Azure AD group and requires MFA as a condition before access is granted. The typical policy setup includes:

Assignments: Target users or groups (e.g., “Finance Department Users”).

Cloud apps or actions: Specify which applications or services are protected (e.g., Microsoft 365).

Access controls: Set the control to “Require multi-factor authentication.”

Microsoft’s SCI training materials further state:

“Conditional Access enables administrators to enforce MFA for specific users, groups, or scenarios. It provides flexibility to protect access without enabling MFA globally for all users.”

Other options explained:

Azure Policy (A) applies to Azure resources, not user authentication.

Communication compliance policy (B) monitors message content for compliance violations.

User risk policy (D) is part of Azure AD Identity Protection, enforcing MFA based on detected user risk levels, not group membership.

Therefore, the verified and correct answer is: ? C. a Conditional Access policy.

Microsoft describes hybrid identity as integrating on-premises Active Directory with Microsoft Entra ID (Azure AD) so that “your on-premises identities are synchronized to Azure AD” for a single identity across cloud and on-prem apps. In this model, directory objects (users, groups, and selected attributes) flow from on-premises AD to Azure AD using Azure AD Connect or Cloud Sync; this is the canonical direction for provisioning in hybrid environments. Microsoft further explains that while certain writeback features (such as password writeback, device or group writeback scenarios) are supported, cloud-created users do not automatically sync down to on-premises AD; account provisioning remains authoritative on-prem unless you deploy specific, limited writeback features—there is no default “user account creation from Azure AD to AD DS.” For authentication, Microsoft states that hybrid identity supports cloud authentication (Password Hash Synchronization or Pass-through Authentication) where Azure AD performs the sign-in, or federation with another identity provider (e.g., AD FS or a third-party IdP) where that provider validates credentials and issues tokens to Azure AD. These statements align with Microsoft’s SCI guidance on hybrid identity: on-prem to cloud sync is standard; automatic reverse user sync is not; and authentication can be handled by Azure AD or a federated IdP depending on the chosen sign-in method.

In the Microsoft 365 security center (now Microsoft 365 Defender), incidents are used to triage and investigate threats across the tenant. Microsoft’s security documentation explains that “an incident is a collection of related alerts” that are automatically correlated to give analysts a single, end-to-end view of an attack. Within each incident, the portal surfaces impacted assets such as devices, users, mailboxes, and applications, enabling responders to quickly identify which endpoints are affected by a given alert and to take response actions (isolate device, collect investigation package, run AV scan, etc.). This design allows security teams to move beyond individual alerts and instead work a consolidated investigation that lists affected devices in the incident’s Evidence & Response/Assets sections, complete with alert timelines and device details.

By comparison, Secure Score measures the organization’s security posture and recommendations; policies are configuration/enforcement objects (e.g., Defender or compliance policies) and are not the investigative view for alerts; classifications relate to information protection labeling rather than alert investigation. Therefore, to identify devices that are affected by an alert, you use the Incidents experience in Microsoft 365 Defender, where correlated alerts show the devices involved alongside the entities and evidence connected to the threat.

In Microsoft 365 information protection guidance, Microsoft explains that sensitivity labels are persistent: when a label is applied to a file or email, the label information is stored as metadata so that the protection settings “travel with the content” wherever it’s saved or shared. Labels can apply encryption, content marking (headers, footers, watermarks), and DLP-friendly metadata, but encryption is optional—some labels only classify/mark without encryption. Microsoft also emphasizes that labels are not restricted to predefined categories; administrators can create custom label names, descriptions, and scoped policies to reflect an organization’s taxonomy (for example, Public, Confidential, Highly Confidential, or industry-specific categories). Because the defining property that always applies is that the label remains attached to the content and enforces configured policy across Microsoft 365 services and supported third-party locations, the accurate characteristic is persistent. Options “encrypted” (not always) and “restricted to predefined categories” (incorrect—labels are customizable) do not universally describe sensitivity labels.

Microsoft’s shared-responsibility model states that the cloud provider secures the cloud, while the customer secures what they put in the cloud. The Azure Security documentation explains: “Regardless of the type of deployment, you always retain responsibility for your data, endpoints, accounts, and access management.” This applies to IaaS, PaaS, and SaaS, so statement 3 is Yes because the organization is always accountable for the security of information and data.

For SaaS, Microsoft describes that customers “don’t manage or control the underlying cloud infrastructure—including network, servers, operating systems, or even individual application capabilities” and that the provider handles service maintenance and updates. In SaaS, tasks like patching or applying service packs to the application code are owned by the service provider, while the customer focuses on data, identity, and access. Therefore, statement 1 is No.

For IaaS, Microsoft notes the provider manages the physical estate: “Microsoft is responsible for the physical hosts, network, and datacenter facilities,” while the customer configures and secures the guest OS, applications, and network controls within their subscription. Thus, managing the physical network is the cloud provider’s duty, making statement 2 Yes.

These SCI principles are foundational to Microsoft Learn/Docs guidance on Azure’s shared responsibility: provider—“security OF the cloud”; customer—“security IN the cloud,” with data protection always remaining the customer’s responsibility.

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

Microsoft Secure Score in the Microsoft 365 Defender portal aggregates improvement actions across Microsoft security workloads, including Microsoft Defender for Cloud Apps (formerly Cloud App Security). Microsoft states that “Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score, for any supported and connected app.” This means Secure Score can surface and recommend actions tied to Cloud App Security/Defender for Cloud Apps, validating statement 1 as Yes. Microsoft Learn

Secure Score also includes peer comparison so organizations can benchmark their progress. The Microsoft documentation explicitly notes: “Compare your score to organizations like yours. There are two places to see how your score compares to organizations that are similar to yours.” This capability appears on the Overview experience in the Defender portal, confirming statement 2 as Yes. Microsoft Learn

Finally, Secure Score recognizes mitigations implemented outside Microsoft tooling. In the official guidance for improvement actions, Microsoft explains the status options “Resolved through third party and Resolved through alternate mitigation,” adding: “You’ll gain the points that the action is worth, so your score better reflects your overall security posture.” Therefore, if you address an improvement action via a third-party product, Secure Score awards the associated points—making statement 3 Yes.

Microsoft states that Identity Protection is used to “detect potential vulnerabilities affecting your organization’s identities, configure automated responses, and investigate suspicious actions related to your organization’s identities.” It evaluates user risk and sign-in risk using detections such as “leaked credentials, anonymous IP address, unfamiliar sign-in properties, [and] impossible travel.” These built-in detections confirm that the service can detect whether valid user credentials have been found in public or criminal datasets—commonly referred to as leaked credentials—thereby reducing identity compromise risk.

Identity Protection includes policy controls that “automate the response to detected risks,” specifically the User risk policy and Sign-in risk policy. Microsoft describes that these policies can “require password change when user risk is detected” and “require multi-factor authentication when sign-in risk is detected.” Therefore, Identity Protection can invoke MFA based on risk as part of Conditional Access–backed risk policies.

However, Identity Protection does not perform group lifecycle management. Microsoft positions group membership automation under Azure AD dynamic groups/Identity Governance, not Identity Protection. Consequently, adding users to groups based on risk level is not a function of Identity Protection, which focuses on detection, risk evaluation, and policy-driven remediation (e.g., MFA or password reset), not group assignment.

Azure Blueprints lets you define a repeatable set of artifacts—like ARM/Bicep templates, role assignments, and Azure Policy—that you can assign to multiple subscriptions to deploy resources and guardrails consistently.

Microsoft Purview Information Protection (in the Microsoft 365 compliance center) enables you to discover, classify, label, and protect sensitive information across emails, documents, and other data stores. Labels and policies can enforce encryption, access restrictions, and visual markings, helping prevent unauthorized disclosure of sensitive data—inside or outside your organization.

Microsoft Purview Data Loss Prevention (DLP) is designed to prevent the inadvertent or inappropriate sharing of sensitive data across Microsoft 365 services. Microsoft’s guidance states that DLP “helps you discover, monitor, and protect sensitive items across Microsoft 365,” and that with DLP policies you can “identify, monitor, and automatically protect sensitive items in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.” This directly supports option C, because DLP can detect sensitive info in OneDrive documents and automatically apply protective actions such as blocking external sharing, restricting access, or auditing the event.

DLP also provides end-user coaching through policy tips: “Policy tips are informative notices that appear when users are working with content that contains sensitive info … to help prevent data loss.” When a user is about to send or share sensitive data in violation of policy, these tips surface in Outlook and Office apps (including when files are stored in SharePoint/OneDrive), aligning with option A.

By contrast, enabling disk encryption (e.g., BitLocker) and applying device security baselines are endpoint/device management tasks handled through Microsoft Intune or Group Policy—not by DLP. Therefore, A and C are the correct tasks you can implement with Microsoft 365 DLP policies.

In Microsoft Entra ID (formerly Azure AD), Managed Identities for Azure resources are the built-in way for an Azure resource to authenticate to other Azure services without storing credentials. Microsoft’s documentation states: “Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory.” It further distinguishes the two types and clarifies the one used here: “A system-assigned managed identity is enabled directly on an Azure service instance. When enabled, Azure creates an identity for the instance in Azure AD.” Microsoft also emphasizes the lifecycle binding: “This identity is tied to the lifecycle of that service instance and is deleted when the resource is deleted.” Once enabled, the resource can call Azure services by requesting tokens: “You can use this identity to obtain Azure AD tokens for authentication to services that support Azure AD authentication.”

Because the prompt explicitly says “system-assigned”, the correct completion is managed identity. The other options do not match Microsoft’s definition: a user identity refers to a human user; a service principal is the underlying object applications use but isn’t what Azure terms “system-assigned”; and an Azure AD–joined device pertains to device registration, not resource-to-service authentication. Therefore, the sentence correctly reads: “An Azure resource can use a system-assigned managed identity to access Azure services.”

access

In Microsoft Entra ID (formerly Azure AD), dynamic groups are a key feature used to automate the access lifecycle for users and devices. SCI learning material on identity governance explains that organizations can automate the access lifecycle process through technologies such as dynamic groups, alongside automated user provisioning. These resources describe the access lifecycle as managing a user’s access to resources from the moment they join the organization, through role or department changes, until they leave. Dynamic groups help with this by using attribute-based rules (for example, department, job title, location, or device platform) to automatically add or remove identities from groups as their attributes change.

Because group membership typically controls access to applications, SharePoint sites, Teams, and licenses, this automatic membership update keeps access aligned with the user’s current role without manual intervention. When a user changes departments, the dynamic rules reevaluate and move them into the appropriate groups, granting new access and removing old access as required. This is exactly what Microsoft refers to as automating the access lifecycle.

The other options do not match the terminology used in SCI content: “object lifecycle” is not the term used in Entra identity governance, and “privileged access” lifecycle is handled specifically by Privileged Identity Management (PIM), not by dynamic groups. Therefore, the sentence is correctly completed with access.

In Microsoft Entra Conditional Access, policy evaluation occurs after the user successfully completes first-factor authentication (for example, username + password or Windows Hello for Business key). Microsoft Learn explains that Conditional Access “is the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies” and that it’s applied “after the first-factor authentication is completed.” Once primary authentication succeeds, Conditional Access evaluates signals like user, device state, location, risk (from Identity Protection), and application, and then enforces controls such as requiring MFA, blocking access, or applying session controls.

This design ensures Conditional Access does not replace primary authentication and is not enforced before or during the initial credential verification. Instead, it adds a second policy decision point that can demand stronger proof (e.g., MFA), restrict access paths, or limit sessions. Therefore, “after” is correct, while “before,” “during,” or “instead of” first-factor authentication are incorrect because Conditional Access relies on the initial sign-in to collect the necessary signals and then applies the configured access decisions and protections.

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security, etc.

Box 1: Yes

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more

Box 2: Yes

Cloud security posture management (CSPM) is available for free to all Azure users.

Box 3: Yes

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

authorization

In the context of Microsoft identity and access management, when users attempt to access an application or a service, authorization is what controls their level of access. This concept is clearly defined in Microsoft’s Security, Compliance, and Identity (SCI) learning paths, particularly in SC-900 and SC-300 certifications.

From Microsoft SCI training materials:

“Authentication is the process of verifying the identity of a user, while authorization is the process of determining what resources a user can access and what actions they are permitted to perform.”

In more detail:

Authentication confirms who you are (e.g., verifying credentials through Azure AD, MFA).

Authorization decides what you can do (e.g., access to files, roles, permissions in an app or service).

SCI documentation explains:

“Once authentication is successful, authorization policies are applied to determine whether the authenticated user is allowed to access the requested resource and at what level.”

This principle is implemented using role-based access control (RBAC) in Microsoft Azure and Microsoft 365 environments. For example, even if a user successfully logs into the Microsoft 365 portal (authentication), their ability to manage Exchange Online settings or view compliance data depends on their assigned roles (authorization).