Microsoft SC-900 Exam Questions Instant Access

Question 1

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains multiple subnets and virtual machines.

You deploy an Azure Firewall named FW1 to VNet1.

You need to ensure that FW1 can analyze and filter all the internet traffic to and from VNet1. The solution must minimize costs.

What should you do?

ACreate and associate route tables.

BConfigure network peerings.

CCreate service endpoints.

DImplement Azure Route Server.

Answer : A

Question 2

Which service includes Microsoft Secure Score for Devices?

AMicrosoft Defender for Endpoint

BMicrosoft Defender for loT

CMicrosoft Defender for Identity

DMicrosoft Defender for Office 365

Answer : A

Question 3

Which security feature is available in the free mode of Microsoft Defender for Cloud?

Avulnerability scanning of virtual machines

Bsecure score

Cjust-in-time (JIT) VM access to Azure virtual machines

Dthreat protection alerts

Answer : B

In Microsoft Defender for Cloud, the Free plan provides continuous security assessment and visibility into your posture via Secure Score and security recommendations. Microsoft explains that the free tier offers ''foundational CSPM capabilities,'' including recommendations and a security score (Secure score) to help you prioritize hardening tasks. Advanced features---such as vulnerability scanning for VMs (Qualys-based), Just-In-Time (JIT) VM access, and threat protection alerts---require the enhanced/paid Defender plans (for example, Defender for Servers). Consequently, among the listed options, only Secure score is available in the free mode. This score aggregates the effect of recommendations across subscriptions and resources so you can track and improve security posture without enabling any of the paid Defender plans.

Question 4

What is a feature of Microsoft Defender for Cloud Apps?

Acloud security posture management (CSPM)

Bautomated investigation and response (AIR)

CSaaS security posture management (SSPM)

Dcloud workload protection platform (CWPP)

Answer : C

Question 5

Which feature provides the extended detection and response (XDR) capability of Azure Sentinel?

Aintegration with the Microsoft 365 compliance center

Bsupport for threat hunting

Cintegration with Microsoft 365 Defender

Dsupport for Azure Monitor Workbooks

Answer : C

Microsoft positions Microsoft Sentinel as a cloud-native SIEM and SOAR that ''collects data at cloud scale'' and ''detects, investigates, and responds to threats.'' The extended detection and response (XDR) layer in Microsoft's security stack is delivered by Microsoft 365 Defender, which ''correlates signals across endpoints, identities, email, and apps to automatically detect, investigate, and remediate attacks.'' Sentinel's XDR capability is realized through its integration with Microsoft 365 Defender, enabling incident synchronization, alert enrichment, and bi-directional actions. Documentation explains that this integration ''brings Microsoft 365 Defender incidents into Microsoft Sentinel,'' unifying SIEM/SOAR analytics with the cross-domain XDR detections from Defender. Features such as automatic incident grouping, advanced hunting, and entity behavior flow from Microsoft 365 Defender to Sentinel, giving analysts an end-to-end XDR view. By contrast, threat hunting and workbooks are valuable Sentinel features, and compliance center is unrelated to XDR. The specific capability that provides Sentinel's XDR experience is its integration with Microsoft 365 Defender.

Question 6

Which Azure Active Directory (Azure AD) feature can you use to restrict Microsoft Intune-managed devices from accessing corporate resources?

Anetwork security groups (NSGs)

BAzure AD Privileged Identity Management (PIM)

Cconditional access policies

Dresource locks

Answer : C

In Microsoft Entra ID (Azure AD), Conditional Access is the policy engine that evaluates signals about the user, device, app, and session to determine whether to grant access and under what conditions. Microsoft's guidance explains that Conditional Access is ''the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies.'' In device-centric scenarios, Conditional Access integrates with Microsoft Intune device compliance so you can enforce controls such as ''Require device to be marked as compliant'' or ''Require approved client app'' before granting access to corporate resources like Microsoft 365 and Azure apps. This allows organizations to block or limit access from unmanaged or noncompliant devices, and to allow access only from devices that meet your compliance policies (encryption, OS version, jailbreak/root status, etc.).

By contrast, Network Security Groups (NSGs) filter traffic at the virtual network/subnet/NIC level and are not identity-aware; Privileged Identity Management (PIM) governs just-in-time elevation and access reviews for privileged roles; and resource locks prevent accidental deletion or modification of Azure resources. Therefore, the Azure AD feature specifically designed to restrict access by Intune-managed device state and enforce device-based access conditions to corporate resources is Conditional Access.

Question 7

Which type of identity is created when you register an application with Active Directory (Azure AD)?

Aa user account

Ba user-assigned managed identity

Ca system-assigned managed identity

Da service principal

Answer : D

When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Microsoft Security, Compliance, and Identity Fundamentals SC-900 Exam Questions