sc-900 exam questions
Which feature in Microsoft Defender for Cloud Apps is used to retrieve data from activity logs?
App connectors - Connectors retrieve data from apps and their activity logs. Policies detect risky behavior, violations, and suspicious data points. The Cloud apps catalog is used to sanction or unsanction apps. Cloud Discovery is used to identify cloud environments and apps used by an organization.
Which three actions should be performed to enable self-service password reset (SSPR) for a user? Each correct answer presents part of the solution.
Assign an Azure AD license, Enable SSPR for the user, Register an authentication method, To use SSPR, users must be assigned an Azure AD license that is enabled for SSPR by an administrator and registered with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.
Which feature is only available in Microsoft Defender for Office 365 Plan 2?
Attack Simulator - Attack Simulator is only available in Microsoft Defender for Office 365 Plan 2.
In Microsoft Purview, what can be used to investigate possible security or compliance breaches and identify their scope based on records?
Audit (Premium) - Audit (Premium) can be used to investigate possible security or compliance breaches and identify their scope based on records. Content search is used to search documents. eDiscovery (Standard) allows you to create cases and assign managers, not auditing. eDiscovery (Premium) allows you to assign custodians.
Which identity provider allows you to use software as a service (SaaS) and platform as a service (PaaS) in Azure with the least administrative effort?
Azure AD - Azure AD can be used without the need for AD servers. Active Directory requires virtual machines or physical servers running Active Directory. Google and Facebook identity requires federation.
Which service enables Azure AD to authenticate external users by using their social identifies such as Google or Apple IDs?
Azure AD B2C customer identity access management (CIAM) - Azure AD B2C allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on (SSO) to applications. AD DS cannot be configured to allow external users to authenticate with their social identities. ADWS is a Windows service that provides a web service interface to AD DS and Active Directory Lightweight Directory Services (AD LDS) directory service. Azure AD B2B allows you to share apps and services with a guest user.
An organization is migration to the Microsoft cloud. The plan is to use a hybrid identity model. What can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD?
Azure AD Connect is designed to meet and accomplish hybrid identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not an identity product. PIM is used for managing and monitoring access to important resources.
Which service can help mitigate the impact of compromised user accounts?
Azure AD Identity Protection - Azure Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. Microsoft Defender can only protect the end-point, and it cannot help mitigate this specific task. While Conditional Access can be useful to improve the security of the organization, it cannot help mitigate this specific task. Azure AD Identity Protection is a service that enables you to manage, control, and monitor access to important resources in an organization.
What can you use to prevent users from using an organization's name or the names of the organization's products as passwords in Azure AD?
Azure AD Password Protection
A malicious user is attempting to access many user accounts by using commonly used passwords. The user repeats the action every 20 minutes to avoid triggering an account lockout. Which Azure AD feature can protect organizations from such attacks?
Azure AD Password Protection - Azure AD Password Protection helps you defend against password spray attacks. Conditional Access brings signals together to make decisions and enforce organizational policies, but it cannot stop password attacks by itself. SSPR allows users to change or reset their password, without administrator or help-desk involvement, but it cannot prevent password attacks. Windows Hello for Business replaces passwords with strong two-factor authentication on devices.
What can you use to prevent users from using an organization's name or the names of the organization's products as passwords in Azure AD?
Azure AD Password Protection - The global banned password list does not cover your own organization and product names. Azure AD Password Protection provides protection from password spray. MFA does not manage password entries.
You need to allow external users to use either Microsoft accounts or Google accounts to access an application hosted in Azure. What is the minimum edition of Azure AD that you can use?
Azure AD Premium P1 - Both Azure AD Premium P1 and P2 allow external users, but Azure AD Premium P1 is the minimum edition that allows this. Free and Office 365 apps do not provide external access.
What is the minimum edition of Azure AD needed to use Azure AD Privilege Identity Management (PIM)?
Azure AD Premium P2
Which functionality is provided by Azure AD?
Azure AD provides SSO. Azure AD provides federation. Azure AD is one perimeter of defense in depth. Azure AD does not provide file services. Azure AD does not provide the encryption of data in transit.
What can you use to connect to Azure virtual machines remotely over RDP and SSH from the Azure portal?
Azure Bastion - Bastion is a service that lets you connect to virtual machines by using a browser and the Azure portal. The Bastion service is a fully platform-managed platform as a service (PaaS) service that you provision on a virtual network.
Which Azure service provides centralized protection of web apps from common exploits and vulnerabilities?
Azure Web Application Firewall (WAF) - Azure WAF provides centralized protection of web app from common exploits and vulnerabilities. Key Vault is a centralized cloud service for storing application secrets. Defender for Cloud is an Endpoint protection solution and cannot help mitigate the attacks.
In Microsoft Purview, what can you use to scan for offensive language across an organization?
Communication compliance - Communication compliance allows you to detect and remediate inappropriate language. Information barriers can be used to disable certain interactions, but not based on language. Activity explorer can be used to view activities in Compliance Manager. Policy compliance lets you see which policies are in or out of compliance.
Which three roles have permission to sign in to the Microsoft Purview compliance portal? Each correct answer presents a complete solution.
Compliance Data Administrator, Compliance Administrator, Global Administrator - The compliance portal is available to customers with a Microsoft 365 SKU and one of the following roles: Global Administrator, Compliance Administrator, Compliance Data Administrator.
What can be used to enforce multi-factor authentication (MFA) when users access an application registered in Azure AD?
Conditional Access - Conditional Access can be used to enforce MFA based on a condition (accessing an app). Password hash synchronization enables password sync with Active Directory. RBAC provides authorization, not authentication. NSGs provide rules for network access.
For which two services can you extend Microsoft Defender for Cloud by obtaining Defender plans? Each correct answer presents a complete solution.
Defender for Cloud has the following Defender plans: Microsoft Defender for Servers Microsoft Defender for Storage Microsoft Defender for SQL Microsoft Defender for Containers Microsoft Defender for App Service Microsoft Defender for Key Vault Microsoft Defender for Resource Manager Microsoft Defender for DNS Microsoft Defender for open-source relational database Microsoft Defender for Azure Cosmos DB
Which two types communications can Microsoft Purview communication compliance monitor? Each correct answer present part of the solution.
Emails in Microsoft Exchange Online, Messages in Microsoft Teams - Communication compliance helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages. Communication compliance enables reviewers to investigate scanned emails, and messages across Microsoft Teams, Exchange Online, and Yammer.
What is a characteristic of federation?
Federation enables access to services across organizations - Federation enables access to services across organizations. Identity providers can be on-premises, trust is not always bidirectional, and users do not need to maintain different usernames in other domains.
In Microsoft Purview, what can you use to detect potential leaks of sensitive data and theft of intellectual property?
Insider risk management - Insider risk management is a solution that helps minimize the risks associated with sensitive data leaks, data spillage, confidentiality violations, intellectual property theft, fraud, insider trading, and regulatory compliance violations.
Which Microsoft solution allows you to meet compliance standards for General Data Protection Regulation (GDPR) and Payment Card Industry (PCI)?
Microsoft Defender for Cloud Apps - Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It allows you to meet the compliance standards for GDPR and PCI.
What can be used to set up a unified data governance service that enables end-to-end data lineage?
Microsoft Purview - Microsoft Purview is a unified data governance service that helps you manage and govern on-premises, multi-cloud, and software-as-a-service (SaaS) data. It can be used to set up a unified data governance service, enabling end-to-end data lineage.
What can you use to prevent the inadvertent disclosure of sensitive information shared in Microsoft Teams?
Microsoft Purview data loss prevention (DLP) policies - DLP is a way to protect sensitive information and prevent its inadvertent disclosure.
What can you use to aggregate security alerts into incidents and to create automated responses to security alerts?
Microsoft Sentinel - Aggregating security alerts into incidents and creating automated responses to security alerts can be completed by using Microsoft Sentinel. Microsoft for Cloud and Microsoft 365 Defender cannot help you manage cyber incidents unless it is connected to Microsoft Sentinel. Intune cannot help you manage cyber incidents.
For which two services does Microsoft Secure Score provide recommendations? Each correct answer presents a complete solution.
Microsoft Teams, Azure AD, - Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure AD, Microsoft Defender for Endpoint, Defender for Identity, Defender Cloud Apps, and Teams.
Which type of Compliance Manager controls are used for Microsoft cloud services?
Microsoft-managed controls - Microsoft-managed controls are used to control Microsoft cloud services.
What are the three types of controls used in Microsoft Purview Compliance Manager? Each correct answer presents part of the solution.
Microsoft-managed controls, shared controls, and customer-managed controls - Compliance Manager uses Microsoft-managed controls, shared controls, as well as customer controls. It does not use third-party controls or government controls.
Which authentication method can use a time-based, one-time password?
OATH hardware tokens use time-based, one-time passwords. Strong passwords are not one-time passwords. Password hash synchronization syncs hashes across Active Directory and Azure AD. Windows Hello uses a camera or passcode for authentication.
Which two authentication methods are available in Azure AD during sign in? Each correct answer presents a complete solution.
Passwords are the most common form of authentication and are supported in Azure AD. Text messaging can be used as a primary form of authentication. The Google Authenticator app can be used as a primary form of authentication to sign into any Azure AD account. Calling the Microsoft Helpdesk is not a valid authentication method in Azure AD. Security questions are not used during sign in.
Which statement describes network security groups (NSG)?
Provide network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. NSGs provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
Which Azure AD feature helps reduce help desk calls and the loss of productivity when a user cannot sign in to their device or an application?
SSPR is a feature of Azure AD that allows users to change or reset their password without administrator or help desk involvement. Without enabling SSPR, Identity protection cannot provide the requested solution. Conditional Access brings signals together, to make decisions, and enforce organizational policies but not SSPR. Azure AD Password Protection reduces the risk when users set weak passwords.
[Answer choice] can be used to apply guidance from the Azure Security Benchmark to services such as Azure AD.
Security baselines - Security baselines for Azure apply guidance from the Azure Security Benchmark to the specific service for which it is defined and provide organizations with a consistent experience when securing their environment.
What are two characteristics of an identity as the primary security perimeter model? Each correct answer presents a complete solution.
Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network, Bring your own device (BYOD) can be used to complete corporate tasks - SaaS applications for business-critical workloads can be hosted outside of the corporate network and BYOD can be used to complete corporate tasks in the identity as the primary security perimeter model. The other options represent the traditional perimeter-based security model.
What is the least privileged Azure AD role that can be used to create and manage users and groups?
User Administrator - User Administrator can manage both users and groups. Global Administrator can also manage users and groups, but the role has far too many privileges.
In Microsoft Purview insider risk management, what should you create for alerts that require further investigation?
a case - Insider risk management is a solution that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities. It enables you to protect against sensitive data leaks, confidentiality violations, and intellectual property theft. Alerts must be triaged, and alerts that require further investigation must be added to a case. Each case is associated to one user and may contain several alerts.
In Microsoft Purview, what can you use to label items as regulatory records, maintain proof of item deletion, and export information about disposed items?
a retention label and a retention label policy - These are features of records management. Sensitivity labels allow us to label items. Azure Policy cannot be used to handle documents. DLP does not handle the disposition of items.
In Microsoft Purview, what should you create to automatically encrypt documents marked by users as sensitive?
a sensitivity label and a sensitivity label policy - A sensitivity label and a sensitivity label policy are needed to publish a label for users to use. The other options are for data loss prevention (DLP), not sensitivity labeling. DLP policies cannot encrypt data.
Which two characteristics are part of a security orchestration automated response (SOAR) solution? Each correct answer presents a complete solution.
action-driven workflows, issue mitigation, Action-driven workflows and issue mitigation are done by SOAR systems.
In Microsoft Sentinel, an incident is a group of related [answer choice].
alerts - Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve.
What does the compliance score in Compliance Manager measure?
an organization's progress toward implementing controls - The compliance score in Compliance Manager measures an organization's progress toward implementing controls.
Which three components are protected by using Microsoft Defender? Each correct answer provides a complete solution.
applications, endpoints, identity - Microsoft 365 Defender suite protects identities with Microsoft Defender for Identity and Azure AD Identity Protection, endpoints with Microsoft Defender for Endpoint, applications with Microsoft Defender for Cloud Apps, and email and collaboration with Microsoft Defender for Office 365.
Which feature is only available in the Premium edition of eDiscovery for Microsoft Purview?
assigning custodians - Assigning custodians is only available in Premium
Which encryption method uses a public key and private key pair?
asymmetric encryption - Asymmetric encryption uses a public key and private key pair. Either the public or private key can encrypt data, but either on their own cannot be used to decrypt encrypted data.
Which Microsoft Defender for Endpoint feature regulates access to malicious IP addresses, domains, and URLs?
attack surface reduction (ASR) - ASR handles access to malicious endpoints. AIR uses playbooks to analyze alerts and take action. Microsoft threat experts handle the SOCs of Microsoft. Threat and vulnerability management scans for vulnerabilities and misconfiguration.
Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?
authorization - Authorization is responsible for determining which level of access authenticated users have. Administration is responsible for managing user accounts. Authentication is responsible for identifying who a user is. Auditing is responsible for keeping track of how authentication, authorization, administration, and access to resources occurs.
Microsoft Purview information protection and data lifecycle management work together to [answer choice] data.
classify, protect, and govern - Information protection and data lifecycle management work together to classify, protect, and govern data. You cannot share data via Microsoft Purview.
What are two characteristics of a security information and event management (SIEM) solution? Each correct answer presents a complete solution.
collection of data from IT estate, correlation of data - The collection of data from IT estate and the correlation of data are part of a SIEM system.
The Microsoft approach to privacy is built on [answer choice].
control, transparency, security, strong legal protections, no content-based targeting, and benefits to you.
What feature can you use to assign users with access to resources based on the city attribute of the user?
dynamic groups - Dynamic groups have their membership determined automatically based on use attributes, such as city. No roles in Azure AD have dynamic membership. PIM allows you to force authentication based on rights.
Which components can be protected by using Microsoft 365 Defender?
endpoints, identities, email, and applications - Endpoints, identities, email, and applications are protected by using Microsoft 365 Defender. Microsoft 365 Defender cannot protect physical devices.
What should you use for storing passwords in a protected format?
hashing - Hashing is the best option for password encryption. Asymmetric and symmetric encryption permits decryption, which you do not want for passwords.
Which type of policy can you use to prevent user from sharing files with users in other departments?
information barrier policy - DLP policies can prevent data loss, but only based on sensitivity labels, not based on which application (Teams) is used. Retention policies are used to specify how long files are kept. Azure policies are used to govern Azure resources, not files. Information barrier policies can be used to prevent users from sharing files and communicating in Teams.
What is a user risk in Azure AD Identity Protection?
leaked credentials - Leaked credentials is a user risk. Atypical travel, anonymous IP address, and password spray are sign-in risks.
What is a capability of Active Directory Domain Services (AD DS)?
manages on-premises systems by using a single identity per user - AD DS allows you to manage multiple on-premises infrastructure components and systems by using a single identity per user. AD DS does not support mobile devices, SaaS applications, or LOB apps that require modern authentication methods.
Which Azure AD feature allows you to authenticate users by using an on-premises Active Directory domain without needing to connect to on-premises domain controllers?
password hash synchronization - Password hash synchronization syncs passwords (hash of hash) between Active Directory and Azure AD. Pass-through authentication requires authentication on-premises. Federated authentication requires authentication on-premises. PIM is used for authentication when elevating rights.
What are types of distributed denial-of-service (DDoS) attacks?
resource layer attacks, protocol attacks, and volumetric attacks - Resource layer attacks, protocol attacks, and volumetric attacks are the most common DDoS attacks. Password sprays and MITM attacks are not DDoS attacks.
What should you use in Azure AD to provide users with the ability to perform administrative tasks?
roles - Roles in Azure AD have permission to perform certain administrative tasks. You assign these roles to users.
Which Microsoft privacy principle defines the use and management of encryption keys?
security - The security principle defines the use of encryption and key management. The control principle states that customers are in control of their data. The strong legal protection principle states that any request from legal authorities for access to customer data must go to the customer, not Microsoft. The transparency principle describes how Microsoft informs all parties of how data is used and accessed.
Which two authentication methods are available for self-service password reset (SSPR) in Azure AD? Each correct answer presents a complete solution.
security questions, email - Email and security questions are two authentication methods that are available for SSPR in Azure AD.
In Microsoft Purview, what can you use to identify invoice numbers in data from your organization?
sensitive info types - Invoice numbers use the same format/pattern, for example two letters, followed by six numbers. The patterns are regular expressions, which can be used as sensitive info types (also keywords, keyword dictionaries and functions can be used as sensitive info types). Content explorer is a feature to explore content in Microsoft 365 to find sensitive content. Exact data match (EDM) is used to find exact strings, such as social security numbers, in content stored in Microsoft 365. Sensitive info type identifies any string that matches a pattern, EDM identifies only a limited number of strings, which are explicitly specified. Trainable classifiers use machine learning to learn patterns. You first need to train a model by using a large amount of data and then provide feedback to the classifier. You can then publish and a classifier.
Which functionality is provided by Azure AD?
single sign on (SSO) for users - Azure AD provides SSO. Azure AD provides federation. Azure AD is one perimeter of defense in depth. Azure AD does not provide file services. Azure AD does not provide the encryption of data in transit.
What are three things that a user can use for Azure AD Multi-Factor Authentication (MFA)? Each correct answer presents a complete solution.
something the claimant knows, something the claimant has, something the claimant is. - Azure AD MFA works by requiring something you know (such as a password), and something you have (such as a phone), or something you are (biometrics).
Where can you access and review sensitive files from a snapshot of the scanned items?
the Microsoft Purview compliance portal - Scanned source content that is stored in different locations, such as Exchange, SharePoint, and OneDrive can be accessed and reviewed by using the Compliance Manager.
What can you use to monitor communications that contain sensitive information and minimize the exposed risk?
the Microsoft Purview compliance portal - The Microsoft Purview compliance portal helps admins manage an organization's compliance requirements with greater ease and convenience and can help reduce data risks. The Service Trust Portal only provides compliance practices via Compliance Manager. Defender for Cloud is a cloud workload protection solution. Intune helps organizations let their users use devices and applications.
Where can you find information, tools, and other resources about Microsoft security, privacy, and compliance practices?
the Microsoft Service Trust Portal - The Service Trust Portal is where you can find information, tools, and resources on security and privacy. The Azure portal is used to manage Azure resources. The Microsoft 365 Defender portal is where you manage Microsoft Defender.
Which condition can you use in a Conditional Access policy to evaluate the likelihood that a user account was compromised?
user risk - User risk can evaluate the likelihood that a user account was compromised. Sign-in risk can identify whether the sign-in attempt is considered risky, such as attempts to sign-in from compromised IP networks. Device state verifies the device platform. Locations are associated to specific IP networks.
What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?
user risk - User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability. Admins can set up this signal without interrupting user sign-ins.
What is a feature of single sign-on (SSO)?
uses one credential to access multiple applications or resources - SSO allows a user to sign in with a single credential and have access to multiple applications and resources. It does not ensure that a user will not have to sign in again. It leverages a centralized identity provider. It has nothing to do with password resets.
Based on a Microsoft Azure Security Score recommendation, an administrator decides to improve identity security within an organization. What provides the greatest protection to user identities?
using the Microsoft Authenticator app - The Microsoft Authenticator app (phone sign in) is the strongest authentication method. Enforcing a password change or enforcing a complex password will not provide the greatest protection alone. Using soft tokens does not offer as strong a protection as Microsoft Authenticator.
What is a guiding principle of the Zero Trust model?
verify explicitly - The Zero Trust model has three guiding principles which are verify explicitly, least privilege access, and assume breach.
What can you use in Azure to implement network segmentation based on departments?
virtual networks - The main reasons for network segmentation are the ability to group related assets that are a part of (or support) workload operations, the isolation of resources, and to use governance policies set by an organization. Virtual networks provide you with the ability to segment networks in Azure. Virtual private networks can be used to connect networks together but are not needed to connect Azure virtual networks.
To implement network segmentation in Azure, you must create [answer choice].
virtual networks - Virtual networks are the core component for network segmentation. Firewalls can be used to control access between networks. Bastion hosts provide RDP and SSH access to virtual machines through a web portal. Security groups group users together to simplify assigning access to resources.
What are the four pillars of a Cloud Access Security Broker (CASB)?
visibility, compliance, data security, and threat protection - Visibility, compliance, data security, and threat protection are the four pillars of a CASB.
Which two features are part of Microsoft Defender for Clouds enhanced security? Each correct answer presents a complete solution.
vulnerability scanning for SQL resources, endpoint detection and response (EDR) - EDR and vulnerability scanning for SQL is part of Defender for Cloud enhanced security. SIEM coloration is part of Microsoft Sentinel and Security Benchmark Recommendation is part of Azure Security Benchmark.
What can you use in Microsoft Sentinel to create visual reports?
workbooks - You can monitor data by using Microsoft Sentinel integration with Azure Monitor workbooks. Microsoft Sentinel uses analytics to correlate alerts into incidents. Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. Hunting is a search-and-query tool, based on the MITRE framework.