Practice Free SC-900 Microsoft Security Compliance and Identity Fundamentals Exam Questions Answers With Explanation

In Microsoft Entra ID (formerly Azure AD), Managed Identities for Azure resources are the built-in way for an Azure resource to authenticate to other Azure services without storing credentials. Microsoft’s documentation states: “Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory.” It further distinguishes the two types and clarifies the one used here: “A system-assigned managed identity is enabled directly on an Azure service instance. When enabled, Azure creates an identity for the instance in Azure AD.” Microsoft also emphasizes the lifecycle binding: “This identity is tied to the lifecycle of that service instance and is deleted when the resource is deleted.” Once enabled, the resource can call Azure services by requesting tokens: “You can use this identity to obtain Azure AD tokens for authentication to services that support Azure AD authentication.”

Because the prompt explicitly says “system-assigned”, the correct completion is managed identity. The other options do not match Microsoft’s definition: a user identity refers to a human user; a service principal is the underlying object applications use but isn’t what Azure terms “system-assigned”; and an Azure AD–joined device pertains to device registration, not resource-to-service authentication. Therefore, the sentence correctly reads: “An Azure resource can use a system-assigned managed identity to access Azure services.”

In Microsoft’s Security, Compliance, and Identity learning content for Microsoft Defender for Cloud, the service is described as providing ongoing posture management and threat protection. The official description states that Defender for Cloud “continuously assesses your resources to identify security misconfigurations and weaknesses” and “continuously discovers and evaluates resources” across your subscriptions. The recommendations and secure-score updates are produced as the platform “continuously analyzes your environment using security policies and analytics,” surfacing issues the moment they’re detected and mapping them to remediation guidance. This continuous assessment model underpins Defender for Cloud’s cloud security posture management (CSPM) capability and ensures that newly created or modified resources are evaluated without waiting for a scheduled job. By design, there is no fixed interval (such as hourly, every 15 minutes, or daily) required to trigger assessments—policy-driven evaluation and data collection run as changes occur and signals are received. Therefore, the sentence “Microsoft Defender for Cloud assesses Azure resources ____ for security issues” is correctly completed with continuously, reflecting Microsoft’s emphasis on persistent, real-time security posture evaluation rather than periodic scans.

eDiscovery

In Microsoft Purview, eDiscovery is the purpose-built compliance solution for legal and investigative workflows. Microsoft’s SCI materials describe eDiscovery as the tool that enables organizations to identify, preserve/hold, collect, review, and export potentially relevant content across Microsoft 365 services. Official guidance explains that eDiscovery (Standard) “provides search, hold, and export capabilities” for content in Exchange, SharePoint, OneDrive, Teams, and more. Another description states that eDiscovery (Premium) helps you “identify, preserve, collect, review, analyze, and export content” for legal matters and internal investigations. These capabilities are designed to support the eDiscovery lifecycle by allowing admins and case managers to: create cases, define custodians and non-custodial data sources, run targeted searches, apply legal holds to prevent data alteration or deletion, perform review and analytics, and export responsive data packages for counsel or regulators.

By contrast, Data Loss Prevention (DLP) protects sensitive information from accidental or inappropriate sharing; Customer Lockbox governs Microsoft engineer access to your data for support; and resource locks protect Azure resources from accidental deletion or modification. Therefore, the Microsoft SCI control that is explicitly used to identify, hold, and export electronic information for an investigation is Microsoft Purview eDiscovery.

In the Microsoft 365 security center/Microsoft 365 Defender portal, the Reports area is designed to provide organization-wide visibility into security posture and activity over time. Microsoft describes the Reports experience as enabling you to “view security trends and track the protection status across identities, endpoints, email & collaboration, and cloud apps.” Within Reports, the Identity section aggregates signals from Microsoft Entra ID protection and related identity defenses so security teams can monitor trends such as risky sign-ins, user risk, MFA adoption/registration, and other identity protection metrics. These curated, read-only dashboards are aimed at measuring protection status and changes over time, helping you validate the impact of controls and prioritize remediation.

By contrast, Attack simulator is used to run user training simulations (e.g., phishing) and is not intended for posture trend reporting. Hunting (Advanced hunting) lets analysts query raw telemetry for investigations, not to provide summarized trend dashboards. Incidents correlates alerts into incident records for triage and response, rather than showing long-term trends and protection status views. Therefore, to view security trends and track the protection status of identities, the correct place is Reports in the Microsoft 365 security center/Microsoft 365 Defender portal.

In Microsoft’s Security, Compliance, and Identity guidance, the Microsoft Service Trust Portal (STP) is identified as the public destination where Microsoft publishes independent audit reports, compliance certifications, assessment reports, and trust-related documentation for Microsoft cloud services. The documentation explains that the STP provides customers with access to materials such as SOC 1/SOC 2 reports, ISO/IEC certifications, audit summaries, and compliance guides, enabling organizations to evaluate Microsoft’s controls and map them to their own regulatory requirements. The STP is expressly positioned for transparency and due diligence, allowing customers and auditors to review Microsoft’s compliance posture and understand how Microsoft manages security, privacy, and compliance across its cloud platforms.

By contrast, the Microsoft Purview compliance portal is a tenant-admin portal used to configure and manage compliance solutions (e.g., DLP, Information Protection, eDiscovery, Insider Risk, Compliance Manager) within your organization—not a public repository of Microsoft’s audit artifacts. The Microsoft Purview governance portal focuses on data governance and cataloging scenarios. The Azure EA portal is used for Enterprise Agreement billing and usage management. Therefore, the public site for publishing audit reports and other compliance-related information for Microsoft cloud services is the Microsoft Service Trust Portal.

Microsoft states that Security defaults are baseline protections in Azure Active Directory (now Microsoft Entra ID) that “make it easier to help protect your organization from identity-related attacks.” One of the core behaviors is that security defaults “require all users to register for Azure AD Multi-Factor Authentication,” and enforce “multi-factor authentication for all users,” with special emphasis that “administrators are required to do multi-factor authentication.” Security defaults also “block legacy authentication” and add protections for privileged operations, but the universal control that applies to every user is MFA. Importantly, enabling security defaults does not turn on paid capabilities such as Azure AD Identity Protection or Privileged Identity Management (PIM); those are separate, premium features. The baseline is intentionally simple and tenant-wide: require MFA registration, challenge with MFA when risk or sensitive operations are detected, and reduce exposure by disabling legacy protocols. Therefore, when you enable security defaults, multi-factor authentication (MFA) will be enabled for all Azure AD users, aligning with Microsoft’s guidance that security defaults “help protect all organizations by requiring MFA and disabling legacy authentication.”

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security, etc.

In Microsoft’s SCI guidance, encryption at rest is defined as protecting data when it is stored on a disk or other persistent media. Microsoft describes it as controls that “help safeguard your data to meet your organizational security and compliance commitments by encrypting data when it is persisted,” distinguishing it from protections for data in transit. Within Azure and Microsoft 365, examples include Azure Disk Encryption for IaaS VMs (using BitLocker for Windows and DM-Crypt for Linux), server-side encryption for storage accounts, and Transparent Data Encryption for databases. A virtual machine’s OS and data disks encrypted with BitLocker or DM-Crypt are canonical cases of at-rest encryption because the encryption keys protect the physical media; the data becomes unreadable if the disks are accessed outside the authorized context. By contrast, site-to-site VPN, HTTPS web sessions, and encrypted email protect data in transit—they secure network communications but do not encrypt the data where it is stored. Therefore, among the options provided, encrypting a virtual machine disk is the correct example of encryption at rest in Microsoft’s security model.

Endpoint data loss prevention (Endpoint DLP), a feature in Microsoft Purview, supports Windows 10 and 11 and now also supports macOS for core DLP capabilities. It allows organizations to monitor and restrict actions like copying sensitive files to USBs, printing, or uploading to unapproved cloud services.

SCI Extract: " Endpoint DLP extends Microsoft Purview Data Loss Prevention to Windows 10, Windows 11, and macOS devices, allowing for monitoring and control of sensitive data usage at the endpoint. "

Other platforms like Linux, iOS, and Android are not currently supported for Endpoint DLP

Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft’s security guidance, defense in depth is described as employing “a series of mechanisms across multiple layers” to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By “placing multiple layers of defense throughout a network infrastructure,” an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft’s defense in depth methodology.

In Microsoft’s Security, Compliance, and Identity guidance, Data Loss Prevention (DLP) is configured from the compliance portal (formerly called the Microsoft 365 Compliance Center, now Microsoft Purview compliance portal). Microsoft’s documentation states that DLP is administered from the compliance experience: “Use data loss prevention (DLP) policies in the Microsoft Purview compliance portal to help identify, monitor, and automatically protect sensitive items” across Microsoft 365 workloads. It further specifies where you create policies: “To create a DLP policy, go to the Microsoft Purview compliance portal > Data loss prevention > Policies and choose Create policy.” The portal provides policy templates, locations, and rules that “help prevent the inadvertent sharing of sensitive information” and enable “policy tips and automatic remediation actions” (such as restricting access, auditing, or blocking).

By contrast, the Microsoft 365 admin center is for tenant administration and licensing, not DLP policy authoring. The Microsoft Endpoint Manager admin center (Intune) manages device and app protection policies, not Microsoft 365 DLP policies. The Microsoft 365 Defender portal surfaces security alerts and investigations but does not host the creation workflow for DLP policies. Therefore, when the requirement is to create a DLP policy, Microsoft directs administrators to the Microsoft 365 Compliance center (Microsoft Purview compliance portal) where the DLP solutions and policy creation wizard reside.

Conditional Access session controls enable user app access and sessions to be monitored and controlled in real time based on access and session policies.

Based on this definition, the best answer for your question is B. enable limited experiences, such as blocking download of sensitive information.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

Microsoft 365 Insider Risk Management follows a clear operational flow: Triage ? Investigate ? Action. Microsoft’s guidance explains that the Alerts dashboard is used first to review and filter alerts, prioritize by severity, and decide what needs deeper review—this is the Triage stage. The documentation describes triage activities as reviewing alert details, applying filters, and determining whether an alert should be escalated for investigation.

When an alert warrants deeper inquiry, analysts move to Investigate, where they create cases, add relevant alerts and users, and examine activity timelines and related signals. Microsoft states that cases are the vehicle for structured investigations, allowing analysts to group evidence and manage workflow from the Case dashboard.

After investigation, organizations proceed to Action, where insider risk controls allow response steps such as sending user policy reminders, escalating to HR or legal, or taking other governance actions. Microsoft describes that actions can include notifying the user with a policy reminder to reduce future risk or applying stronger controls, all of which are part of the response phase.

Accordingly, the correct matches are: Triage ? Review and filter alerts, Investigate ? Create cases in the Case dashboard, and Action ? Send a reminder of corporate policies to users.

Microsoft documents for Defender for Endpoint (MDE) describe it as an enterprise endpoint security platform that supports Windows 10/11, Windows Server, Linux, macOS, and mobile platforms (Android and iOS/iPadOS). The platform provides threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation and remediation across those supported operating systems. Because MDE supports Windows client operating systems and servers, it can also be used on Azure virtual machines that run supported Windows versions; onboarding methods include local scripts, Microsoft Endpoint Manager, or cloud integrations, allowing VM endpoints to receive the same protection and EDR capabilities as physical devices.

By contrast, malware scanning in SharePoint Online, OneDrive, and Microsoft Teams is provided by Microsoft Defender for Office 365 (Safe Attachments for SharePoint, OneDrive, and Teams)—a different service within the Microsoft 365 Defender family. This service analyzes files as they are uploaded or shared to detect and block malicious content in collaboration workloads, which is outside the scope of MDE’s endpoint-focused protections. Therefore: Android protection (Yes), Azure VMs running Windows 10 (Yes), and SharePoint Online anti-virus protection by MDE (No, handled by Defender for Office 365).

In Microsoft’s Security, Compliance, and Identity guidance, Azure AD Privileged Identity Management (PIM) is the service used to manage, control, and monitor access to important resources in Azure and Microsoft 365. The documentation explains that PIM enables “just-in-time” and “time-bound” activation of privileged roles, requiring users to elevate only when needed and for a limited duration. PIM policies can require approval before a role is activated, enforce multifactor authentication, capture business justification, send notifications, and maintain detailed auditing and access review records. These controls are designed to reduce the risk associated with standing administrative privileges by ensuring that elevation is temporary, approved, and tracked.

By contrast, Windows Hello for Business provides strong, device-bound authentication; Azure AD Identity Protection focuses on detecting and remediating risky sign-ins and users; and Azure AD Access Reviews periodically reattest existing assignments but do not provide the on-demand, approval-based, time-limited activation of roles. Therefore, when the requirement is approval-based, time-bound role activation, Microsoft’s prescribed capability is Azure AD PIM, which delivers just-in-time elevation with approvers, duration limits, and audit/logging to support least privilege and Zero Trust operational practices.

In Microsoft Purview, eDiscovery (Standard) (formerly Core eDiscovery) provides case management, holds, searches, and export. Microsoft describes that eDiscovery (Standard) lets investigators “search across Microsoft 365 data sources and export the results,” including options to export native files, email to PST, and CSV reports for further review. It uses the same Content search engine and supports selecting locations such as **Exchange Online mailboxes, Microsoft 365 Groups, Teams, SharePoint sites, OneDrive accounts, and Exchange public folders,” enabling organization-wide discovery that includes public folders.

Integration for end-to-end legal review from Microsoft Purview Insider Risk Management is specifically aligned to eDiscovery (Premium) (formerly Advanced eDiscovery). Insider Risk cases provide actions like “Send to eDiscovery (Premium)” to create a review set and apply advanced processing, analytics, and review workflows. Those advanced integrations (review sets, analytics, legal hold communications) are not features of eDiscovery (Standard). Therefore: exporting results (Yes), Insider Risk integration (No, as it targets eDiscovery Premium), and searching Exchange Online public folders (Yes) are the correct evaluations based on the Microsoft Security, Compliance, and Identity study materials for Purview eDiscovery capabilities.

The Content Search tool in the Security & Compliance Center can be used to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business.

The first step is to starting using the Content Search tool to choose content locations to search and configure a keyword query to search for specific items.

Microsoft explains that Conditional Access (CA) evaluates signals and then enforces access decisions using grant and session controls: “Conditional Access policies are enforced after first-factor authentication is completed” and are used to “make access control decisions.” CA policies target users and groups—including administrators—unless explicitly excluded. Microsoft guidance recommends excluding only break-glass accounts: “Customers with Azure AD roles such as Global administrator should have at least one emergency access account excluded from policies.” This means admins are not exempt by default; they are in scope unless you configure exclusions.

CA does not manage directory role assignments; that is handled by role assignment and Privileged Identity Management (PIM). CA’s grant controls focus on access conditions: “Grant access… Require multi-factor authentication” and Microsoft lists a common baseline: “Require multi-factor authentication for all users.” Therefore, CA can require MFA to access cloud apps, but it cannot add users to Azure AD roles.

These statements from Microsoft’s SCI materials confirm the outcomes: Admins are not inherently exempt (No), CA cannot assign roles (No), and CA can force MFA for app access (Yes).

In Microsoft 365, Data Loss Prevention (DLP) policies are designed to “help you identify, monitor, and automatically protect sensitive information” across services such as Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams. Microsoft’s guidance explains that DLP uses sensitive information types—including built-in classifiers like Credit Card Number—to detect when content matches a defined pattern and then enforce protective actions. With DLP, you can create rules that trigger when email messages contain customer lists with credit card numbers, and choose actions to block the message, restrict access, or notify and educate users via policy tips and incident reports. Microsoft further notes that DLP “prevents the accidental sharing of sensitive information,” can require user justification to override, and supports granular conditions (e.g., number of matches, recipients internal vs. external) to ensure that only risky transmissions are stopped. By applying a DLP policy to Exchange with the Credit Card Number sensitive info type, an organization can block or quarantine outbound mail that includes those numbers, thereby reducing regulatory and data-exposure risk. Other options listed—retention policies, conditional access, and information barriers—serve different purposes (data lifecycle, access/authentication conditions, and restricting communication between groups) and do not inspect message contents for sensitive data. Hence, DLP policies are the correct control to restrict sending emails that contain customer lists and associated credit card numbers.

Microsoft defines Information Barriers (IB) as policies that “restrict communication and collaboration between specific users or groups” to meet regulatory or conflict-of-interest requirements. In Microsoft 365, IB enforcement is provided across collaboration workloads—most notably Microsoft Teams and, with IB v2, SharePoint and OneDrive—so that users placed in segments that shouldn’t interact are prevented from chatting, meeting, or sharing files with one another. The service “controls who can communicate and collaborate with whom” and applies those controls to Teams chats/channels and SharePoint/OneDrive sites and files so that segment boundaries are honored when users attempt to share or access content.

By contrast, Exchange Online email is not a supported enforcement surface for Information Barriers; IB does not block or route mail. Email restrictions are handled with other capabilities (for example, mail flow rules), not IB. Therefore, in alignment with Microsoft’s SCI guidance: IB does work with Microsoft Teams and with Microsoft SharePoint/OneDrive, but it does not provide policy enforcement for Exchange email.

Microsoft Entra Conditional Access evaluates signals to make real-time access decisions. Microsoft describes it as bringing “signals together to make decisions and enforce organizational policies,” where administrators choose controls such as Block access, Require multi-factor authentication, Require device to be marked as compliant, or Require hybrid Azure AD joined device. Because MFA is only one of several grant controls, it is incorrect that policies always enforce MFA; they can also simply block, allow, or require other conditions.

Location is a first-class condition. Microsoft states you can define named locations (by countries/regions or IP ranges) and then use them in policy conditions to block or grant access. A common scenario is “Block access from specific locations” or require additional controls when a sign-in originates from an untrusted network. Therefore, Conditional Access can block access to an application based on user location.

Finally, Conditional Access targets users, groups, workload identities, and cloud apps regardless of device join state. Device-related conditions and filters are optional; policies are not limited to “Azure AD-joined devices.” Controls like Require device to be marked as compliant or Require Hybrid Azure AD joined device are only enforced if configured. Hence, Conditional Access does not only affect users on Azure AD-joined devices.

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

Azure Firewall is a managed, cloud-based network security service designed to secure traffic inside and across Azure Virtual Networks. Microsoft describes Azure Firewall as a stateful firewall that “protects Azure Virtual Network resources” by enforcing network and application rules, central logging, and threat intelligence–based filtering. Because it is deployed into a VNet/subnet (often as the hub in a hub-and-spoke), it directly governs East/West and North/South flows to workloads such as Azure virtual machines and platform services reachable through the VNet, using DNAT/SNAT and rule collections. Microsoft guidance highlights capabilities to “centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks,” and to filter traffic for peered VNets, branch connections (VPN/ExpressRoute), and internet traffic. These capabilities explicitly map to protecting Azure virtual networks and the VMs and subnets inside them. In contrast, Azure AD users, Exchange Online inboxes, and SharePoint Online sites are SaaS/identity resources protected by Microsoft Entra controls, Exchange/SharePoint security, and Purview/Defender for Office 365—not by a VNet firewall. Therefore, the Azure Firewall–protectable resource types among the options are Azure virtual machines and Azure virtual networks.

In Microsoft Entra Conditional Access, policy evaluation occurs after the user successfully completes first-factor authentication (for example, username + password or Windows Hello for Business key). Microsoft Learn explains that Conditional Access “is the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies” and that it’s applied “after the first-factor authentication is completed.” Once primary authentication succeeds, Conditional Access evaluates signals like user, device state, location, risk (from Identity Protection), and application, and then enforces controls such as requiring MFA, blocking access, or applying session controls.

This design ensures Conditional Access does not replace primary authentication and is not enforced before or during the initial credential verification. Instead, it adds a second policy decision point that can demand stronger proof (e.g., MFA), restrict access paths, or limit sessions. Therefore, “after” is correct, while “before,” “during,” or “instead of” first-factor authentication are incorrect because Conditional Access relies on the initial sign-in to collect the necessary signals and then applies the configured access decisions and protections.

Microsoft Purview Information Protection (in the Microsoft 365 compliance center) enables you to discover, classify, label, and protect sensitive information across emails, documents, and other data stores. Labels and policies can enforce encryption, access restrictions, and visual markings, helping prevent unauthorized disclosure of sensitive data—inside or outside your organization.

Microsoft’s SCI guidance defines the supported passwordless methods in Entra ID (Azure AD). The documentation states: “Microsoft recommends three passwordless authentication options: Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app (phone sign-in).” Windows Hello for Business “replaces passwords with strong two-factor authentication on Windows devices,” allowing users to sign in with a gesture (biometric or PIN) that does not require a password during interactive sign-in. Likewise, “FIDO2 security keys enable users to sign in using an external security key,” providing a standards-based passwordless credential that can work across supported browsers and devices.

By contrast, OATH software tokens (for example, time-based one-time passcodes in an authenticator app) are documented as multifactor verification methods: “OATH software tokens generate time-based codes used for MFA.” These OTP codes serve as a second factor and are not a passwordless primary sign-in method; users typically still enter a password and then the OTP. Therefore: software tokens ? No (not passwordless), Windows Hello ? Yes, FIDO2 security keys ? Yes. This mapping aligns directly with Microsoft’s Entra ID passwordless authentication guidance and the delineation between passwordless sign-in and MFA second-factor methods.

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization’s progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft’s official documentation on Compliance Manager, the Compliance score “helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards.” Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score “assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities.”

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.

Conditional access policies always enforce MFA = NoMicrosoft Entra Conditional Access policies are flexible and do not always require MFA. MFA is one possible control, but policies can enforce other access controls such as requiring a compliant device, blocking access entirely, requiring Terms of Use acceptance, or enforcing session controls.

SCI Extract: “Conditional Access is the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. These policies can require MFA, but it is not mandatory for all policies.”

Block access based on location = YesConditional Access supports location-based conditions using named locations (such as country or IP ranges). Policies can block or allow access based on where the user is signing in from.

SCI Extract: “Administrators can use Conditional Access policies to block or grant access based on user location, using named locations to define trusted or risky areas.”

Only affects Entra joined devices = NoConditional Access applies to all users and devices, including:

Entra-joined,

Hybrid Entra-joined,

Registered devices (via Microsoft Intune or Azure AD),

And even unmanaged (BYOD) devices depending on configuration.

SCI Extract: “Conditional Access policies apply to all users and devices based on selected conditions, not only Microsoft Entra joined devices.”

Security defaults make it easy to protect your organization with the following preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.

Requiring administrators to do multi-factor authentication.

Blocking legacy authentication protocols.

Requiring users to do multi-factor authentication when necessary.

Protecting privileged activities like access to the Azure portal.

In Microsoft Defender for Cloud, the metric that represents the overall security health of your Azure subscription is secure score. Microsoft’s documentation explains: “Secure score provides an aggregated view of your security posture across your subscriptions and resources. It’s based on security recommendations; addressing those recommendations improves your score.” Defender for Cloud calculates secure score by assessing controls and recommendations mapped to standards, then weighting them by risk and importance: “Each recommendation contributes to the secure score. Completing remediation steps increases the score and reduces risk.” This single percentage view lets security teams quickly gauge how well current configurations and protections align with Microsoft’s security best practices and regulatory mappings. Other elements surfaced in Defender for Cloud—like “resource health,” “status of recommendations,” or “completed controls”—are components and statuses that feed into or relate to the scoring model, but the overall subscription security health indicator presented and tracked over time is secure score.

In Microsoft’s Security, Compliance, and Identity (SCI) learning content, Multi-Factor Authentication (MFA) is defined as requiring more than one verification method during sign-in. Microsoft states: “Multi-factor authentication (MFA) requires two or more verification methods” and Azure AD (Microsoft Entra ID) MFA “works by requiring two or more of the following: something you know (password), something you have (trusted device or token), something you are (biometrics).” The SCI fundamentals also explain that MFA strengthens authentication beyond a single password by combining distinct factor types, noting that “strong authentication uses at least two different factors to verify identity.”

When you enable Azure AD MFA, a user must successfully present two factors from those categories to complete the authentication—commonly a password (something you know) plus a second factor such as Microsoft Authenticator approval, a FIDO2 security key, SMS/voice code, or Windows Hello (something you have/are). This is the core of Azure AD’s risk-based and conditional access controls, which can require MFA based on conditions or risk signals. Therefore, the number of factors required after enabling Azure AD MFA is two, aligning with Microsoft’s definition and implementation of multi-factor authentication in Entra ID.

Explanation

In Microsoft’s hybrid identity guidance, Azure AD Connect is the supported tool to bridge on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD). Microsoft Learn describes it plainly: “Azure AD Connect is Microsoft’s tool for connecting on-premises directories to Azure AD.” It “synchronizes user, group, and device objects” so cloud identities stay aligned with on-premises accounts and attributes. Azure AD Connect also supports multiple sign-in methods: “password hash synchronization, pass-through authentication, and federation integration.” In other words, you can sync identities and choose how users authenticate to Microsoft Entra ID (Azure AD).

By contrast, Active Directory Federation Services (AD FS) is a federation service used for claims-based authentication; it does not perform directory synchronization. Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR and is unrelated to identity sync. Privileged Identity Management (PIM) is an identity governance feature for just-in-time privileged access; it does not synchronize identities. Therefore, in a hybrid identity model where the requirement is to sync identities between AD DS and Azure AD, the correct Microsoft-endorsed solution is Azure AD Connect, which “keeps identities in sync between on-premises directories and Azure AD.”

Microsoft’s shared-responsibility model states that the cloud provider secures the cloud, while the customer secures what they put in the cloud. The Azure Security documentation explains: “Regardless of the type of deployment, you always retain responsibility for your data, endpoints, accounts, and access management.” This applies to IaaS, PaaS, and SaaS, so statement 3 is Yes because the organization is always accountable for the security of information and data.

For SaaS, Microsoft describes that customers “don’t manage or control the underlying cloud infrastructure—including network, servers, operating systems, or even individual application capabilities” and that the provider handles service maintenance and updates. In SaaS, tasks like patching or applying service packs to the application code are owned by the service provider, while the customer focuses on data, identity, and access. Therefore, statement 1 is No.

For IaaS, Microsoft notes the provider manages the physical estate: “Microsoft is responsible for the physical hosts, network, and datacenter facilities,” while the customer configures and secures the guest OS, applications, and network controls within their subscription. Thus, managing the physical network is the cloud provider’s duty, making statement 2 Yes.

These SCI principles are foundational to Microsoft Learn/Docs guidance on Azure’s shared responsibility: provider—“security OF the cloud”; customer—“security IN the cloud,” with data protection always remaining the customer’s responsibility.

Microsoft defines hybrid identity as enabling a common identity across on-premises and cloud by integrating your directory services. Microsoft Learn states: “Hybrid identity is achieved by integrating your on-premises Active Directory with Azure Active Directory.” This integration is delivered through the synchronization and optional federation capabilities that connect AD DS to Azure AD so users can access both on-premises and cloud resources with one identity.

To implement this integration, Microsoft’s tooling is explicit: “Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.” Azure AD Connect (now Microsoft Entra Connect) synchronizes users, groups, and optionally passwords or hashes to Azure AD, providing the foundation for hybrid scenarios such as single sign-on and seamless sign-in.

Regarding tenants, Microsoft’s identity platform clarifies that “A Microsoft 365 organization is associated with a single Azure AD tenant.” Therefore, a hybrid identity deployment does not require two Microsoft 365 tenants; it typically links a single Azure AD (Microsoft Entra ID) tenant with one or more on-premises AD DS forests. In summary, Azure AD Connect enables hybrid identity, hybrid identity is the synchronization/integration of AD DS with Azure AD, and it does not necessitate multiple Microsoft 365 tenants.

In Microsoft Sentinel, automation is delivered through playbooks, which are built on Azure Logic Apps. Microsoft’s Sentinel documentation explains that playbooks “help automate and orchestrate your response to threats” and can be triggered by analytics alerts or incidents to run predefined actions. Typical automated tasks include “enriching alerts with data, blocking IP addresses, disabling users, or creating tickets,” allowing security teams to standardize and speed up their response and remediation processes. Sentinel also uses automation rules to decide when a playbook should run (for example, on incident creation or update), enabling consistent handling of common SOC tasks.

By contrast, the other options are not intended for automation: deep investigation tools are used to investigate incidents and entities; hunting search-and-query tools (built on KQL) are for proactive threat hunting rather than automating responses; and workbooks provide dashboards and visualizations for monitoring and reporting. Therefore, when the requirement is to automate common tasks—such as triggering actions across Microsoft 365 Defender, Azure, or third-party systems—the correct Sentinel capability is playbooks powered by Logic Apps. This aligns with the SCI guidance that emphasizes using Sentinel playbooks to “automate common workflows and response actions” and reduce manual effort while improving consistency and speed in security operations.

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

documents: =

Microsoft Entra ID Protection evaluates risk during authentication, not only after the user is authenticated. The service provides “real-time” assessment as part of the sign-in flow and also processes “offline” detections, enabling Conditional Access to act before a session is granted. In Microsoft’s terminology, “sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner,” while “user risk represents the probability that a given identity or account is compromised.” These risks are surfaced as risk detections and can be used to trigger MFA, block access, or require secure password reset. Each detection and calculated risk is classified by Microsoft Entra ID Protection with “Low, Medium, or High” levels so administrators can triage and automate policy responses appropriately. Because detections are calculated in real time as part of the sign-in evaluation (and also through subsequent analysis), it is incorrect to say they are generated once the user is authenticated. The accurate view is that Identity Protection continuously analyzes telemetry and produces detections and risk levels that may be acted upon before, during, and after sign-in, with user risk expressing the likelihood that the identity itself is compromised and sign-in risk expressing the likelihood that a particular authentication attempt is not legitimate.

Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure resources

In Microsoft Purview Information Protection, pre-trained (Microsoft-provided) trainable classifiers are designed to automatically recognize specific categories of content by learning from examples rather than relying only on patterns or keywords. Microsoft’s guidance explains that trainable classifiers “look for data by learning from examples,” and that Microsoft supplies a catalog of “pre-trained classifiers that you can use immediately in your tenant.” The documentation explicitly lists content types these classifiers can recognize, including “Resumes,” along with other categories such as Source code, Threat and harassment, and more. Because they’re already trained by Microsoft, you can use them “to identify and classify items across SharePoint, OneDrive, and Exchange,” and then take actions such as auto-labeling or enforcing DLP policies based on the classifier match.

By contrast, Content explorer is a reporting tool that lets you view where sensitive info types/labels were found; it doesn’t identify resumes on its own. Activity explorer shows events like DLP policy matches over time. eDiscovery is used for legal hold, search, and review, not for semantic content identification. Therefore, to identify documents that are employee resumes, the correct Microsoft compliance feature is the pre-trained (Microsoft-provided) trainable classifier for Resumes.

In Microsoft 365, the unified audit log retention depends on the audit tier included with the subscription. Current SCI/Compliance documentation states that Audit (Standard)—which is available with Microsoft 365 E3—retains audit records for 180 days. The docs describe that organizations with E3 receive “up to 180 days of audit log retention” for user and admin activities captured in the unified audit pipeline. Longer retention (for example 365 days and beyond with customizable policies) is part of Audit (Premium) features generally associated with E5/E5 Compliance. Because the scenario specifies a Microsoft 365 E3 subscription using the unified audit log and Basic/Standard Audit, the retention period for audit records is 180 days.

Microsoft documents describe Microsoft Entra Privileged Identity Management (PIM) as the service that delivers approval-based, time-limited elevation to privileged roles. Official guidance states: “Privileged Identity Management (PIM) enables you to manage, control, and monitor access to important resources in Microsoft Entra ID, Azure, and Microsoft 365.” PIM specifically supports just-in-time and time-bound activations: “PIM provides just-in-time privileged access to Microsoft Entra roles and Azure resources” and “allows you to make access time-bound by setting start and end dates.” It also supports approval workflows: “You can require approval to activate privileged roles, and designate approvers to receive and approve requests.” Additional controls include “require multi-factor authentication to activate, provide a justification, and ticket number,” and auditing: “PIM records all activations and changes for review and alerting.”

By contrast, Microsoft Entra ID Protection focuses on risk detections and automated remediation, not role elevation workflows. Conditional Access enforces access policies at sign-in and session but does not provide approval-based role activation. Access Reviews help you “review and attest to continued access” but do not supply just-in-time elevation. Therefore, the Microsoft Purview/Entra feature that implements approval-based, time-bound role activation is Microsoft Entra Privileged Identity Management (PIM).

In Microsoft’s Security, Compliance, and Identity materials, Azure AD B2B collaboration is the feature designed for working with external organizations. Microsoft describes it as follows: “Azure AD B2B collaboration allows you to securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data. Guest users sign in with their own work, school, or social identities, and appear as guest users in your directory.” This directly matches the sentence in the prompt—enabling collaboration with suppliers, partners, and vendors while ensuring that external users appear as guest users in the tenant.

By contrast, Active Directory Domain Services (AD DS) is an on-premises directory service for Windows domain joined resources and does not provide cloud guest user collaboration. Active Directory forest trusts establish trust relationships between AD DS forests for resource access, not modern cloud guest access using Conditional Access, MFA, or entitlement processes. Azure AD B2C is for consumer/retail scenarios where you build customer-facing apps, managing their identities in a separate customer directory; it is not intended for partner collaboration within your enterprise tenant. Therefore, the capability that fits the statement—external partner collaboration with users appearing as guest accounts—is Azure AD B2B.

Microsoft describes Azure Policy as the built-in governance service that lets you “create, assign, and manage policies” to enforce organizational standards and “assess compliance at scale.” It continuously evaluates existing resources for compliance and can take effect-enforcement actions such as deny, append, or modify during create/update operations. Azure Policy “helps you audit and enforce your standards” across subscriptions and resource groups, and its compliance dashboard shows overall and per-policy compliance states for all resources. By contrast, Azure Blueprints focuses on orchestrating deployments of artifacts (such as policy assignments, role assignments, and templates) for new environments; Microsoft guidance positions Policy as the engine that evaluates and enforces those standards on existing resources. Sentinel is a SIEM/SOAR for security analytics, and Anomaly Detector is a Cognitive Service—not a governance/compliance enforcement tool. Therefore, to assess compliance and enforce standards for existing Azure resources, the prescribed control plane is Azure Policy with its evaluation cycle, initiative (policy set) support, and remediation tasks.

In the Microsoft 365 security center (now Microsoft 365 Defender), incidents are used to triage and investigate threats across the tenant. Microsoft’s security documentation explains that “an incident is a collection of related alerts” that are automatically correlated to give analysts a single, end-to-end view of an attack. Within each incident, the portal surfaces impacted assets such as devices, users, mailboxes, and applications, enabling responders to quickly identify which endpoints are affected by a given alert and to take response actions (isolate device, collect investigation package, run AV scan, etc.). This design allows security teams to move beyond individual alerts and instead work a consolidated investigation that lists affected devices in the incident’s Evidence & Response/Assets sections, complete with alert timelines and device details.

By comparison, Secure Score measures the organization’s security posture and recommendations; policies are configuration/enforcement objects (e.g., Defender or compliance policies) and are not the investigative view for alerts; classifications relate to information protection labeling rather than alert investigation. Therefore, to identify devices that are affected by an alert, you use the Incidents experience in Microsoft 365 Defender, where correlated alerts show the devices involved alongside the entities and evidence connected to the threat.

Microsoft’s identity guidance classifies social identity services (e.g., GitHub, Google, Facebook) as cloud-based identity providers that can be used for external identities with Microsoft Entra ID. In this model, GitHub functions as an IdP using OAuth/OpenID Connect to authenticate users and issue tokens that applications or Entra ID can accept. Federation in Microsoft terms is the trust relationship that allows SSO across organizational boundaries and with multiple identity providers, such as Active Directory Federation Services (AD FS), SAML, or OpenID Connect providers, so users can authenticate once and access multiple apps without repeated sign-ins.

Crucially, SCI materials distinguish roles: an identity provider primarily handles authentication (proving who the user is and issuing claims/tokens). Authorization—deciding what the user can do—is enforced by the application or resource (often using roles/claims from the IdP). Auditing spans multiple planes: the IdP provides sign-in and audit logs, while applications and other services maintain their own activity logs. Therefore, it is incorrect to say a central IdP “manages all modern authentication services” including authorization and auditing; those responsibilities are shared across the identity platform and the relying applications/resources.

? Azure DDoS Protection Standard protects against man-in-the-middle (MITM) attacks. = No

? Azure DDoS Protection Standard is enabled by default in an Azure subscription. = No

? Azure DDoS Protection Standard protects against protocol attacks. = Yes

Microsoft’s security guidance for Azure states that DDoS Protection is designed to defend internet-facing resources from distributed denial-of-service events at the network and transport layers (L3/L4). The documentation explains that DDoS Protection Standard provides “adaptive, real-time tuning and automatic attack mitigation for volumetric and protocol attacks (for example, SYN/ACK floods, UDP amplification, and other L3/L4 patterns).” It further clarifies that DDoS Protection is not intended to address attacks like man-in-the-middle (MITM), which are interception/alteration threats rather than traffic-exhaustion scenarios.

Regarding enablement, Microsoft notes that Azure DDoS Protection Standard is not enabled by default. The platform provides “basic DDoS protection for all Azure public IP addresses,” but the Standard plan must be explicitly enabled on a virtual network and then applied to public IP resources in that VNet to gain its enhanced telemetry, mitigation policies, and cost-protection benefits.

Putting this together: (1) MITM is out of scope for DDoS Protection Standard ? No; (2) Standard is opt-in, not automatic ? No; (3) Protection against protocol attacks is a primary capability of the Standard plan ? Yes.

Azure Blueprints allow cloud architects and central IT to define a repeatable set of Azure resources and governance artifacts—including Azure Policy assignments, role assignments (RBAC), resource groups, and ARM/Bicep templates—and then deploy them consistently across subscriptions. Microsoft’s guidance describes Blueprints as a way to “orchestrate the deployment of various resource templates and other artifacts” to establish standards, patterns, and compliance for environments at scale. This is distinct from Azure Policy, which evaluates and enforces configuration but does not package multi-artifact environments; Microsoft Sentinel and Defender are security analytics/protection services rather than provisioning frameworks. Thus, for consistent provisioning across multiple subscriptions, the prescribed solution is Azure Blueprints.

No

No

Yes

Microsoft states that Communication Compliance is administered in Microsoft Purview, not the Microsoft 365 admin center. The Learn article shows configuration and policy templates “in the Microsoft Purview portal” and directs admins to “configure Communication Compliance” there, confirming the management plane is the Purview compliance portal, not the M365 admin center.

Regarding supported locations, Microsoft lists the communication channels that policies can inspect: “Microsoft Teams… Exchange Online… Viva Engage… [and] Third-party sources.” SharePoint Online is not listed among supported channels, so SharePoint content isn’t monitored by Communication Compliance policies.

Finally, Communication Compliance includes built-in workflows to address findings. The Learn page explicitly provides a Remediate step: “Remediate Communication Compliance issues you investigate by using the following options:” such as “Notify the user” and “Escalate to another reviewer.” These actions demonstrate that the solution does more than detect; it supports remediation within the Purview portal workflow.

Exact extracts (selected):

“You can choose from the following policy templates in the Microsoft Purview portal.”

“Communication Compliance policies check… Microsoft Teams… Exchange Online… Viva Engage… Third-party sources.”

“Remediate Communication Compliance issues you investigate by using the following options: Notify the user… Escalate to another reviewer.”

Microsoft Secure Score in the Microsoft 365 Defender portal aggregates improvement actions across Microsoft security workloads, including Microsoft Defender for Cloud Apps (formerly Cloud App Security). Microsoft states that “Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score, for any supported and connected app.” This means Secure Score can surface and recommend actions tied to Cloud App Security/Defender for Cloud Apps, validating statement 1 as Yes. Microsoft Learn

Secure Score also includes peer comparison so organizations can benchmark their progress. The Microsoft documentation explicitly notes: “Compare your score to organizations like yours. There are two places to see how your score compares to organizations that are similar to yours.” This capability appears on the Overview experience in the Defender portal, confirming statement 2 as Yes. Microsoft Learn

Finally, Secure Score recognizes mitigations implemented outside Microsoft tooling. In the official guidance for improvement actions, Microsoft explains the status options “Resolved through third party and Resolved through alternate mitigation,” adding: “You’ll gain the points that the action is worth, so your score better reflects your overall security posture.” Therefore, if you address an improvement action via a third-party product, Secure Score awards the associated points—making statement 3 Yes.

Box 1: Yes

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more

Box 2: Yes

Cloud security posture management (CSPM) is available for free to all Azure users.

Box 3: Yes

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they ' re in Azure or not - as well as on premises.

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Watch the video below to learn how Compliance Manager can help simplify how your organization manages compliance:

Compliance Manager helps simplify compliance and reduce risk by providing:

Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs (available assessments depend on your licensing agreement; learn more).

Workflow capabilities to help you efficiently complete your risk assessments through a single tool.

Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.

A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

multi-factor authentication (MFA)

In Microsoft Entra ID (formerly Azure AD), Security defaults are a baseline of recommended identity protections that, when turned on, automatically apply tenant-wide. Microsoft’s guidance explains that security defaults “help protect your organization with preconfigured security settings” and specifically require that “all users register for Azure AD Multi-Factor Authentication.” When enabled, the defaults enforce MFA challenges for users and admins during risky or sensitive operations, and they block legacy authentication protocols that can’t satisfy modern MFA requirements. Microsoft further notes that security defaults “provide basic identity security mechanisms… such as requiring multi-factor authentication for all users and administrators.” These controls are designed to raise the overall security posture without custom policy design, which is ideal for small and medium organizations or any tenant that hasn’t yet implemented Conditional Access. Therefore, when you enable security defaults, MFA is enabled for all Azure AD users, driving strong authentication as the default and reducing account-takeover risk stemming from password-only sign-ins.

Microsoft Defender for Office 365 includes Safe Attachments, a protection that “checks attachments in a secure, virtual environment to detect malicious behavior.” In Microsoft’s guidance, Safe Attachments is described as part of the anti-malware pipeline that “routes messages with attachments to a detonation chamber; if no suspicious activity is detected, the message is released to the recipient, and if malicious behavior is found, the attachment is blocked or removed.” Administrators can choose Block, Replace, Dynamic Delivery, or Monitor actions. The Dynamic Delivery option specifically supports the use case in the question: the email body is delivered while the attachment is scanned, and “the attachment is automatically reattached and forwarded to the recipient only when it is determined to be safe.” This capability is unique to Defender for Office 365’s Safe Attachments, not to be confused with endpoint antivirus or identity tools. Defender Antivirus protects Windows devices, Defender for Identity secures on-premises identities, and Defender for Endpoint focuses on endpoint detection and response. Therefore, the Microsoft service you use to scan email attachments and forward them only when clean is Microsoft Defender for Office 365 (Safe Attachments).

Microsoft Entra Conditional Access (CA) evaluates signals from the user, device, location, and risk to make access decisions. The platform explicitly notes that CA decisions occur after primary sign-in: “Conditional Access policies are enforced after the first-factor authentication has been completed.” This means a user must successfully present their initial credentials (e.g., password, Windows Hello, FIDO2) before the CA engine evaluates policy logic. Therefore, the statement that CA is evaluated before a user is authenticated is not correct.

Regarding scoping, CA can target ordinary and privileged identities. The assignment options allow administrators to aim policies at users, groups, and directory roles: “You can include or exclude users and groups… [and] include or exclude specific Azure AD directory roles from a Conditional Access policy.” Because Global Administrator is a directory role, policies can be applied to those accounts (with Microsoft’s best-practice guidance to maintain at least one excluded break-glass account to prevent lockout).

For signals/conditions, CA supports device platform filtering. The documented device platform condition states: “This condition is based on the operating system platform of the device… iOS, Android, Windows, macOS (and others).” Administrators commonly use this to require different controls (like MFA or compliant device) based on Android or iOS.

Putting these together:

CA can apply to Global Administrators (Yes).

CA is evaluated after first-factor authentication (No to “before”).

Device platform (e.g., Android/iOS) is a valid CA signal (Yes).

Microsoft defines Microsoft Entra ID Governance as the capability to manage “the identity lifecycle, access lifecycle, and privileged access” so organizations can ensure “the right people have the right access to the right resources at the right time.” The product family explicitly lists the following core features: “Lifecycle workflows, Entitlement management, Access reviews, and Privileged Identity Management (PIM).” Microsoft further explains that PIM helps you “manage, control, and monitor access within your organization,” enabling just-in-time elevation, approval workflows, MFA/justification on activation, and detailed auditing for privileged roles. By contrast, the other options are separate Microsoft Entra offerings outside ID Governance: Verifiable credentials (Microsoft Entra Verified ID) issues and validates digital credentials; Permissions Management (Microsoft Entra Permissions Management) provides CIEM for multi-cloud permissions; and Identity Protection offers risk-based detection and policies for sign-ins and users. Therefore, among the choices, the feature that is included in Microsoft Entra ID Governance is Privileged Identity Management (PIM), which is specifically called out by Microsoft as a pillar of ID Governance and is used to govern privileged access with policy-based controls, time-bound assignments, approvals, and comprehensive auditability.

In Microsoft Purview (Microsoft 365 compliance), a retention policy applied to a SharePoint site keeps content for the specified period (e.g., 1 year) even if users delete it. Items are retained and recoverable until the retention period expires, meeting your preservation requirement.

Microsoft’s sensitivity labels (Microsoft Purview Information Protection) support user-driven labeling: “Users can manually apply sensitivity labels to files and emails” and organizations can also configure automatic or recommended labeling. This confirms that end users are permitted to choose a label themselves when policy allows. Microsoft also clarifies the cardinality for items: “A document or email can have only a single sensitivity label applied to it at a time.” Therefore, applying multiple sensitivity labels to the same file is not supported (labels are mutually exclusive on a given item). In addition to classification, labels can enforce protection and visual markings: “When you configure a sensitivity label, you can add protection settings such as encryption and content marking (headers, footers, and watermarks).” Word, Excel, and PowerPoint honor these content markings, so a label can automatically stamp a watermark on a Word document while embedding the label metadata for persistent protection. Together, these authoritative statements from Microsoft’s SCI documentation establish the correct responses: Yes (manual application), No (only one label per file), and Yes (labels can apply watermarks).