Microsoft Security, Compliance, and Identity Fundamentals SC-900 Exam Questions

Page: 1 / 14
Total 211 questions
Question 1

Which three authentication methods does Windows Hello for Business support? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.



Answer : A, B, C


Microsoft's Windows Hello for Business replaces passwords with strong, two-factor authentication that is tied to the device and unlocked with a user gesture. The Microsoft Learn description states that Windows Hello for Business "replaces passwords with strong authentication" and that "users sign in using a gesture, such as a PIN, facial recognition, or fingerprint." It further clarifies that the credential is protected by the device's secure hardware and that the gesture (PIN or biometric) unlocks the private key used to authenticate. The guidance explains that "biometrics (face or fingerprint) or a PIN" are supported as the user's sign-in method, and that the PIN "is unique to the device" and does not roam, reducing attack surface.

By contrast, email verification and security questions are not authentication gestures for Windows Hello for Business. They are not listed as supported methods for unlocking the Hello for Business key or completing interactive sign-in to Windows. Therefore, the three supported Windows Hello for Business authentication methods from the options provided are fingerprint, facial recognition, and PIN. This aligns with Microsoft's documented model where the user enrolls a biometric (face or fingerprint) or creates a PIN, and subsequently uses that gesture to unlock the hardware-bound credential for secure sign-in and access to resources.


Question 2

In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)?



Answer : C

Explanation

In Microsoft's hybrid identity guidance, Azure AD Connect is the supported tool to bridge on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD). Microsoft Learn describes it plainly: "Azure AD Connect is Microsoft's tool for connecting on-premises directories to Azure AD." It "synchronizes user, group, and device objects" so cloud identities stay aligned with on-premises accounts and attributes. Azure AD Connect also supports multiple sign-in methods: "password hash synchronization, pass-through authentication, and federation integration." In other words, you can sync identities and choose how users authenticate to Microsoft Entra ID (Azure AD).

By contrast, Active Directory Federation Services (AD FS) is a federation service used for claims-based authentication; it does not perform directory synchronization. Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR and is unrelated to identity sync. Privileged Identity Management (PIM) is an identity governance feature for just-in-time privileged access; it does not synchronize identities. Therefore, in a hybrid identity model where the requirement is to sync identities between AD DS and Azure AD, the correct Microsoft-endorsed solution is Azure AD Connect, which "keeps identities in sync between on-premises directories and Azure AD."


Question 3

Which two types of resources can be protected by using Azure Firewall? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.



Answer : A, D

Azure Firewall is a managed, cloud-based network security service designed to secure traffic inside and across Azure Virtual Networks. Microsoft describes Azure Firewall as a stateful firewall that "protects Azure Virtual Network resources" by enforcing network and application rules, central logging, and threat intelligence-based filtering. Because it is deployed into a VNet/subnet (often as the hub in a hub-and-spoke), it directly governs East/West and North/South flows to workloads such as Azure virtual machines and platform services reachable through the VNet, using DNAT/SNAT and rule collections. Microsoft guidance highlights capabilities to "centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks," and to filter traffic for peered VNets, branch connections (VPN/ExpressRoute), and internet traffic. These capabilities explicitly map to protecting Azure virtual networks and the VMs and subnets inside them. In contrast, Azure AD users, Exchange Online inboxes, and SharePoint Online sites are SaaS/identity resources protected by Microsoft Entra controls, Exchange/SharePoint security, and Purview/Defender for Office 365, not by a VNet firewall. Therefore, the Azure Firewall-protectable resource types among the options are Azure virtual machines and Azure virtual networks.


Question 4

You plan to implement a security strategy and place multiple layers of defense throughout a network infrastructure.

Which security methodology does this represent?



Answer : C

Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft's security guidance, defense in depth is described as employing "a series of mechanisms across multiple layers" to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By "placing multiple layers of defense throughout a network infrastructure," an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft's defense in depth methodology.


Question 5

Which score measures an organization's progress in completing actions that help reduce risks associated with data protection and regulatory standards?



Answer : D

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization's progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft's official documentation on Compliance Manager, the Compliance score "helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards." Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score "assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities."

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.


https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide

Question 6

What can you use to protect against malicious links sent in email messages, chat messages, and channels?



Answer : D

Microsoft Defender for Office 365 is the Microsoft 365 solution designed to protect users from threats delivered through email and collaboration workloads. SCI training material explains that Defender for Office 365 protects Exchange Online, Microsoft Teams, SharePoint Online, and OneDrive for Business by detecting and blocking malware, phishing, and other advanced attacks that use messages and shared content as the delivery channel.

A key capability is Safe Links, which specifically protects against malicious URLs. When a user receives an email, Teams chat message, or channel post that contains a hyperlink, Safe Links scans and rewrites that URL. At the moment the user clicks, the link is checked again; if it is identified as malicious or leads to a known phishing or malware-hosting site, access is blocked and a warning page is shown. This time-of-click protection is emphasized in Microsoft's security documentation as a primary defense against weaponized links in email and collaborative communications.

By comparison, Microsoft Defender for Identity focuses on detecting identity-related threats in on-premises Active Directory, Defender for Endpoint protects devices and endpoints, and Defender for Cloud Apps secures SaaS applications and shadow IT. None of these are the primary solution for blocking malicious links in email, chats, and channels. Therefore, the correct choice is Microsoft Defender for Office 365.


Question 7

What are two reasons to deploy multiple virtual networks instead of using just one virtual network? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.



Answer : B, C

In Microsoft guidance, network segmentation and isolation are core security principles. Azure virtual networks (VNets) are "a fundamental building block... that enable isolation and segmentation of resources," and multiple VNets are commonly used to separate environments, business units, or security boundaries. This aligns with Zero Trust and SCI guidance that recommends isolating workloads to reduce blast radius and to apply least privilege and policy-based controls per boundary. Microsoft also emphasizes governance alignment, stating that enterprises should structure Azure resources so that policies, RBAC, and compliance requirements can be applied at appropriate scopes (management group, subscription, resource group, or network boundary). Deploying multiple VNets supports these goals by enabling per-environment policy assignment (for example, dev/test vs. production), differentiated security controls (such as NSGs, ASGs, and firewalls), and independent address spaces to prevent overlap across organizations or regions. Options A and D are not primary drivers: budgeting is handled at subscription/resource group scopes rather than VNet count, and a single VNet can already host and connect many resource types; creating multiple VNets is therefore primarily about governance and isolation that reduce risk and enforce organizational policies.

