Free SC-900 Practice Exam – 2025 Updated

Study Smarter for the SC-900 Exam with Our Free and Reliable SC-900 Exam Questions – Updated for 2025.

At Cert Empire, we are focused on delivering the most accurate and up-to-date exam questions for students preparing for the Microsoft SC-900 Exam. To make preparation easier, we've made parts of our SC-900 exam resources free for everyone. You can practice as much as you like with our Free SC-900 Practice Test.

Question 1

What can you use to deploy Azure resources across multiple subscriptions in a consistent manner?
Options
A: Microsoft Sentinel
B: Microsoft Defender for Cloud
C: Azure Policy
D: Azure Blueprints
Correct Answer:
Azure Blueprints
Explanation
Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as role assignments, policy assignments, and Azure Resource Manager (ARM) templates. This service is specifically designed to help organizations set up governed and consistent environments at scale. A single blueprint can be versioned and assigned to multiple subscriptions, ensuring that each environment is provisioned with the same set of resources, configurations, and policies, thereby achieving consistency across the organization.
Why Incorrect Options are Wrong

A. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution, used for threat detection and response, not resource deployment.

B. Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides security recommendations and threat protection, not resource deployment.

C. Azure Policy is used to enforce organizational standards and assess compliance. While it can trigger deployments for non-compliant resources, its primary purpose is governance, not the orchestrated deployment of a complete environment.

References

1. Microsoft Learn: "Overview of Azure Blueprints". Microsoft Docs. "Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. [...] With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved."

2. Microsoft Learn: "What is Azure Policy?". Microsoft Docs. "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements." (This highlights its role in enforcement, not initial orchestrated deployment).

3. Microsoft Learn: "What is Microsoft Sentinel?". Microsoft Docs. "Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) [and] Security orchestration, automation, and response (SOAR)."

4. Microsoft Learn: "What is Microsoft Defender for Cloud?". Microsoft Docs. "Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats."

Question 2

Which Microsoft Defender for Cloud metric displays the overall security health of an Azure subscription?
Options
A: resource health
B: secure score
C: the status of recommendations
D: completed controls
Correct Answer:
secure score
Explanation
Microsoft Defender for Cloud's secure score is a numerical value that represents the overall security posture of a subscription. It aggregates findings from security recommendations into a single score, providing an at-a-glance view of the current security situation. A higher score indicates a lower identified risk level. This metric is calculated based on the ratio of healthy resources to the total resources, as evaluated against the enabled security recommendations.
Why Incorrect Options are Wrong

A. resource health: Azure Resource Health is a service that reports on the availability and operational health of Azure resources, not their security posture as defined by Defender for Cloud.

C. the status of recommendations: The status of individual recommendations (e.g., healthy, unhealthy) provides the detailed data that is used to calculate the secure score, but it is not the single, aggregated metric for overall health.

D. completed controls: Security controls are logical groups of related recommendations. While completing controls improves the secure score, the number of completed controls is a component, not the final overall metric itself.

References

1. Microsoft Learn. "Secure score in Microsoft Defender for Cloud." Microsoft Docs. Accessed May 20, 2024. In the "Introduction to secure score" section, it states, "Microsoft Defender for Cloud's secure score is a numerical value that represents your security posture."

2. Microsoft Learn. "Security controls and their recommendations." Microsoft Docs. Accessed May 20, 2024. This document explains that "Recommendations are grouped into security controls," clarifying that controls are a component of the overall score calculation.

3. Microsoft Learn. "Overview of Azure Resource Health." Microsoft Docs. Accessed May 20, 2024. The "What is Resource Health?" section clarifies its purpose: "Azure Resource Health helps you diagnose and get support for service problems that affect your Azure resources," distinguishing it from security posture management.

Question 3

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) can be used on which operating systems?
Options
A: Windows 10 and newer only
B: Windows 10 and newer and Android only
C: Windows 10 and newer and macOS only
D: Windows 10 and newer, Android, and macOS
Correct Answer:
Windows 10 and newer and macOS only
Explanation
Microsoft 365 Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items on endpoint devices. According to official Microsoft documentation, Endpoint DLP is supported on devices running Windows 10 (build 1809 or later), Windows 11, and macOS (Catalina 10.15 or later). Devices must be onboarded into the Microsoft Purview compliance portal to be managed by Endpoint DLP policies. While Microsoft provides DLP capabilities for mobile devices, it is through different mechanisms like App Protection Policies in Intune, not Endpoint DLP.
Why Incorrect Options are Wrong

A. This is incorrect because Endpoint DLP also supports macOS, not just Windows operating systems.

B. This is incorrect because Endpoint DLP does not support Android. It supports macOS instead.

D. This is incorrect because Android is not a supported operating system for Endpoint DLP.

References

1. Microsoft. (2024). Get started with Endpoint data loss prevention. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started#prerequisites. (Refer to the "Prerequisites" section, which lists supported operating systems as "Windows 10, Windows 11, and macOS Catalina 10.15 and higher").

2. Microsoft. (2024). Learn about Microsoft Purview Data Loss Prevention. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp#dlp-on-endpoints. (Refer to the "DLP on endpoints" section, which states, "You can apply DLP policies to Windows 10/11 and macOS devices").

Question 4

What is a function of Conditional Access session controls?
Options
A: prompting multi-factor authentication (MFA)
B: enable limited experiences, such as blocking download of sensitive information
C: enforcing device compliance
D: enforcing client app compliance
Correct Answer:
enable limited experiences, such as blocking download of sensitive information
Explanation
Conditional Access session controls are applied after a user has been granted access to an application. Their function is to enforce restrictions within the user's session. For example, by integrating with Microsoft Defender for Cloud Apps, session controls can enable limited experiences, such as monitoring user activity in real-time, blocking the download of sensitive documents, or requiring a document to be labeled before download. This allows organizations to permit access while still controlling what happens to their data after sign-in.
Why Incorrect Options are Wrong

A. Prompting for multi-factor authentication (MFA) is a grant control, a condition required to gain access, not a control applied within the session.

C. Enforcing device compliance is a grant control. It checks if the device meets organizational policy requirements before allowing access.

D. Enforcing client app compliance (requiring an approved client app) is a grant control, ensuring the user connects from a managed application.

References

1. Microsoft Learn. (2023). Conditional Access: Session. "Within a Conditional Access policy, administrators can make use of session controls to enable limited experiences within a cloud application." The document lists "Use Conditional Access App Control" which enables features like "Block download (preview)".

2. Microsoft Learn. (2023). Conditional Access: Grant. This document explicitly lists "Require multifactor authentication," "Require device to be marked as compliant," and "Require approved client app" as Grant controls, which are evaluated to determine if a user can be granted access.

Question 5

HOTSPOT. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

YES

NO

NO

Explanation

Device identity can be stored in Azure AD.

  • Yes. Azure Active Directory (Azure AD) is an identity provider that stores and manages various identity objects, including users, groups, applications, and devices. Registering a device with Azure AD creates a device identity, which is used to authenticate the device and apply security policies.

A single system-assigned managed identity can be used by multiple Azure resources.

  • No. A system-assigned managed identity is created as part of an Azure resource and is tied directly to its lifecycle. It can only be used by the specific resource for which it was enabled and cannot be shared. If the parent resource is deleted, the system-assigned identity is automatically deleted as well.

If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically.

  • No. A user-assigned managed identity is a standalone Azure resource with a lifecycle independent of any resource it is assigned to. Deleting a resource that uses a user-assigned identity does not delete the identity itself. It must be deleted separately. This design allows a single user-assigned identity to be assigned to multiple resources.

References

Microsoft Documentation. (2023). What is a device identity? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/devices/overview.

Reference: The "Introduction" section explicitly states, "A device identity is an object in Azure Active Directory (Azure AD)."

Microsoft Documentation. (2023). What are managed identities for Azure resources? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview.

Reference: Under the "Managed identity types" section, it clarifies: "System-assigned: ...This identity's lifecycle is directly tied to the Azure resource. If the resource is deleted, Azure automatically cleans up the identity for you." and "User-assigned: ...The identity's lifecycle is managed separately from the lifecycle of the Azure resources that use it."

Microsoft Documentation. (2023). Managed identities for Azure resources frequently asked questions (FAQ). Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-faq.

Reference: The FAQ section confirms, "The system-assigned managed identity is deleted when the resource is deleted." In contrast, it explains that a user-assigned identity is an independent resource, implying its separate lifecycle management.

Question 6

What are two reasons to deploy multiple virtual networks instead of using just one virtual network? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Options
A: to separate the resources for budgeting
B: to meet Governance policies
C: to isolate the resources
D: to connect multiple types of resources
Correct Answer:
to meet Governance policies, to isolate the resources
Explanation
Deploying multiple Azure Virtual Networks (VNets) is a fundamental strategy for network segmentation and security. The primary reason is to create isolated environments for different workloads. For instance, a company might use separate VNets for its production, development, and testing environments. This isolation prevents resources in one network from communicating with resources in another by default, limiting the potential impact of a security breach. This practice is also a core component of meeting governance and compliance requirements. Many security policies and regulatory standards mandate the separation of duties and environments, which is directly achieved by using multiple, isolated VNets to enforce network boundaries and control traffic flow between them.
Why Incorrect Options are Wrong

A. to separate the resources for budgeting

Budgeting and cost management in Azure are typically handled at the subscription or resource group level, or through resource tagging, not by creating separate VNets.

D. to connect multiple types of resources

A single virtual network is designed to connect various types of Azure resources (like VMs, databases, and App Services) that need to communicate with each other.

References

1. Microsoft Learn, "What is Azure Virtual Network?" - Under the "Why use an Azure virtual network?" section, the concept of isolation is highlighted as a key benefit. The document states, "Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure... VNet provides an isolated environment for your virtual machines and other resources."

2. Microsoft Cloud Adoption Framework for Azure, "Security - Network segmentation strategies" - This document explicitly links network segmentation using multiple VNets to governance and isolation. It states, "Network segmentation is a central part of enterprise security governance... By isolating workloads into their own virtual networks, you can limit the effect of a security compromise to that network."

3. Microsoft Learn, "Azure landing zones - Network topology and connectivity" - This official guidance on enterprise-scale architecture describes the hub-spoke model, which uses multiple VNets (spokes) to isolate individual workloads. This design is a direct implementation of governance policies for network security and management.

Question 7

Which pillar of identity relates to tracking the resources accessed by a user?
Options
A: auditing
B: authorization
C: authentication
D: administration
Correct Answer:
auditing
Explanation
Auditing is the identity pillar concerned with tracking and logging user and system activities. It answers the questions of who did what, from where, and when. This process involves collecting data on which resources were accessed by a user, providing a trail for security analysis, compliance verification, and incident investigation. The core function of auditing is to create a record of actions, which directly aligns with tracking resource access.
Why Incorrect Options are Wrong

B. authorization: This pillar determines what an authenticated user is permitted to do or access. It is about granting permissions, not tracking the subsequent access.

C. authentication: This is the process of verifying a user's identity by validating their credentials. It answers "who are you?" but does not track actions after verification.

D. administration: This pillar involves the management of identities, including their creation, modification, and deletion, as well as the assignment of roles and policies.

References

1. Microsoft Learn, "Describe the concepts of identity - SC-900," Module 1, Unit 3. The documentation outlines the four pillars of identity. It defines Auditing as the process of tracking who accesses which resources and when.

2. Microsoft Learn, "Describe authentication and authorization." This document distinguishes between Authentication (AuthN), which is the process of proving you are who you say you are, and Authorization (AuthZ), which is the act of granting an authenticated party permission to do something. This clarifies that neither is about tracking access.

3. Microsoft Learn, "Microsoft Entra audit logs." This resource states, "Microsoft Entra audit logs provide records of system activities for compliance. To access the audit log, select Audit logs in the Monitoring section of Microsoft Entra ID. An audit log has a default list view that shows... the activity." This directly supports the definition of auditing as tracking activity.

Question 8

HOTSPOT. Select the answer that correctly completes the sentence.

Correct Answer:

AUTHENTICATION

Explanation

Authentication is the security process that verifies a user's identity by validating the credentials they provide, such as a username and password, a biometric scan, or a security token. This process confirms that the user is who they claim to be. In contrast, authorization occurs after successful authentication and determines what resources or actions the verified user is permitted to access. Auditing is the process of reviewing logs of user activities, and administration involves the overall management of the system. Therefore, verifying credentials to prove identity is the specific function of authentication.

References

Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 18(9), 61. (Reprint from Proceedings of the IEEE, 63(9), 1278-1308). In Section I.A.3, the authors distinguish between authentication ("verifying the identity of a user") and authorization ("the question of which user is authorized to do what").

DOI: https://doi.org/10.1145/361011.361062

National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines. (NIST Special Publication 800-63-3). In Section 4.1, "Authentication," the document states: "Authentication is the process of verifying the identity of a subject (e.g., user, process, or device) as a prerequisite to allowing access to resources in an information system."

DOI: https://doi.org/10.6028/NIST.SP.800-63-3

Abowd, G. D., & Mynatt, E. D. (2000). Charting past, present, and future research in ubiquitous computing. ACM Transactions on Computer-Human Interaction (TOCHI), 7(1), 29-58. The paper discusses security fundamentals, defining authentication as the challenge of "determining and verifying the identity of a person or entity."

DOI: https://doi.org/10.1145/344949.344988

Question 9

What can be created in Active Directory Domain Services (AD DS)?
Options
A: line-of-business (LOB) applications that require modern authentication
B: mobile devices
C: computer accounts
D: software as a service (SaaS) applications that require modern authentication
Correct Answer:
computer accounts
Explanation
Active Directory Domain Services (AD DS) is a directory service for on-premises Windows domain networks. A primary function of AD DS is to store information about network objects and make this information available to users and administrators. One of the fundamental object types that can be created and managed within AD DS is a computer account. When a computer joins a domain, a computer account object is created in the directory. This object is used to authenticate and authorize the computer on the network and to apply configuration settings through Group Policy.
Why Incorrect Options are Wrong

A. line-of-business (LOB) applications that require modern authentication: Modern authentication (e.g., OAuth 2.0, OpenID Connect) is a feature of cloud identity providers like Microsoft Entra ID, not traditional on-premises AD DS.

B. mobile devices: Mobile devices are typically managed through Mobile Device Management (MDM) solutions, such as Microsoft Intune, rather than being created as native objects directly within AD DS.

D. software as a service (SaaS) applications that require modern authentication: Integrating SaaS applications for single sign-on using modern authentication is a core capability of Microsoft Entra ID, not on-premises AD DS.

References

1. Microsoft Learn. (2023). Active Directory Domain Services Overview. "AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications... Data stored in AD DS includes information about user accounts... groups, computers, printers, and other network resources."

Section: What Is Active Directory Domain Services?

2. Microsoft Learn. (2023). Computer Objects. "Computer objects in Active Directory are used to uniquely identify and manage computers that are members of a domain... When you join a computer to a domain, a computer account is created in Active Directory."

Section: Computer Objects in Active Directory.

3. Microsoft Learn. (2024). Compare Active Directory to Microsoft Entra ID. "Active Directory Domain Services... Core services: Domain join for Windows PCs... Microsoft Entra ID... Core services: Authentication for web and mobile apps, including Microsoft 365."

Section: Compare features and services.

4. Microsoft Learn. (2024). What is application management with Microsoft Entra ID?. "Microsoft Entra ID is an identity and access management (IAM) system. It provides a single place to manage users and applications... You can manage access to thousands of SaaS applications..."

Section: What are the benefits of application management?

Question 10

HOTSPOT. Select the answer that correctly completes the sentence.

Correct Answer:

MICROSOFT DEFENDER FOR CLOUD

Explanation

Microsoft Defender for Cloud is a comprehensive solution that provides unified security management and advanced threat protection across hybrid cloud workloads. It fulfills two primary objectives: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). The CWP capabilities are specifically designed to protect various resources such as servers, containers, storage, databases, and other workloads in Azure and on-premises environments from evolving threats by using advanced analytics and threat intelligence.

  • Azure Monitor is a service for collecting, analyzing, and acting on telemetry data for performance and availability, not primarily for workload threat protection.
  • Microsoft cloud security benchmark is a framework of security recommendations, not a service that provides active protection.
  • Microsoft Secure Score is a feature within Defender for Cloud that measures security posture; it doesn't provide the protection itself.

References

Microsoft Learn. "What is Microsoft Defender for Cloud?" Microsoft Docs. "Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWP) solution that finds weak spots across your cloud configuration... and can protect workloads across multicloud and hybrid environments from evolving threats."

Microsoft Learn. "Introduction to cloud workload protection in Microsoft Defender for Cloud." Microsoft Docs. "Defender for Cloud's integrated cloud workload protection platform (CWPP), brings advanced, intelligent protection of your Azure and hybrid resources and workloads."

Microsoft Learn. "Azure Monitor overview." Microsoft Docs. "Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments."

Question 11

HOTSPOT. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

YES

YES

NO

Explanation

Azure Active Directory (Azure AD) Self-Service Password Reset (SSPR) allows users to reset their passwords without administrator intervention by verifying their identity using pre-registered authentication methods. An alternate email address and a notification to the Microsoft Authenticator app are both officially supported methods for this verification process.

The fundamental purpose of SSPR is to provide a recovery mechanism for users who are unable to sign in, typically because they have forgotten their password. Therefore, the process is initiated from the sign-in screen before the user is authenticated, making the third statement false.

References

Microsoft Learn | Azure Active Directory Documentation: In the article "Authentication methods for Azure AD self-service password reset," the list of available methods explicitly includes Email and Mobile app notification.

Source: Microsoft. (2023, September 15). Authentication methods for Azure AD self-service password reset. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-authentication-methods (Section: "Authentication methods").

Microsoft Learn | Azure Active Directory Documentation: The "How it works: Azure AD self-service password reset" article details the user workflow, which begins when a user selects a "Can't access your account" link on the sign-in page. This confirms the user is not authenticated when initiating SSPR.

Source: Microsoft. (2023, September 15). How it works: Azure AD self-service password reset. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-does-the-password-reset-process-work (Section: "How does the password reset process work?").

Question 12

HOTSPOT. Select the answer that correctly completes the sentence.

Correct Answer:

MULTI-FACTOR AUTHENTICATION (MFA)

Explanation

When you enable security defaults in Azure Active Directory (Azure AD), a baseline set of identity security policies is enforced across your organization. The most significant of these policies is the requirement for all users to register for multi-factor authentication (MFA). Security defaults also require administrators to perform MFA, block legacy authentication protocols, and prompt users for MFA when a risky sign-in is detected. Azure AD Privileged Identity Management (PIM) and Azure AD Identity Protection are more advanced features that require Azure AD Premium licenses and are not enabled by the basic security defaults.

References

Microsoft Entra documentation: "What are security defaults?".

Reference: In the section "What do security defaults provide?", the first policy listed is "Requiring all users to register for Azure AD Multi-Factor Authentication." This confirms that MFA registration is a universal requirement for all users when security defaults are enabled. The document further clarifies that MFA will be required for administrators and for users during risky sign-ins.

Microsoft Entra documentation: "Azure AD Multi-Factor Authentication versions and consumption plans".

Reference: This document contrasts the MFA capabilities provided by different licenses. It specifies that "Security defaults" are available for the "Microsoft Entra ID Free" tier and provide MFA enforcement. In contrast, features like "Identity Protection" and "Privileged Identity Management (PIM)" are listed under the "Microsoft Entra ID P2" tier, confirming they are separate, premium offerings.

Question 13

HOTSPOT. Select the answer that correctly completes the sentence.

Correct Answer:

AZURE MONITOR WORKBOOK TEMPLATES

Explanation

Microsoft Sentinel utilizes Azure Monitor workbook templates to provide rich, interactive dashboards and visualizations. These workbooks are specifically designed to offer security analysts immediate insights into the data collected from various sources. They allow for the creation of charts, graphs, and tables that help in monitoring security events, hunting for threats, and understanding an organization's security posture at a glance. Playbooks, built on Azure Logic Apps, are used for automating responses to alerts, while Azure Resource Graph Explorer is for querying Azure resource metadata, not analyzing security log data for insights.

References

Microsoft Learn | Visualize and monitor your data with Microsoft Sentinel workbooks: "After you've connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks... Microsoft Sentinel allows you to create custom workbooks from your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source."

Microsoft Learn | Automate threat response with playbooks in Microsoft Sentinel: "A playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A playbook can help automate and orchestrate your response..." (This distinguishes playbooks as an automation/response tool, not an insight/visualization tool).

Microsoft Learn | What is Azure Resource Graph?: "Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration... Use the Azure Resource Graph Explorer to query your Azure resource types and properties." (This confirms its purpose is for querying resource metadata, not security data insights).

Question 14

HOTSPOT. Select the answer that correctly completes the sentence.

Correct Answer:

MICROSOFT PURVIEW COMPLIANCE PORTAL

Explanation

Insider risk management is a compliance solution within the Microsoft Purview suite designed to help organizations detect, investigate, and act on malicious and inadvertent risks from within the organization. The configuration of policies, review of alerts, and overall management of this feature is performed exclusively within the Microsoft Purview compliance portal. This portal centralizes data governance and compliance tools. The Microsoft 365 admin center is for general tenant management, while the Microsoft 365 Defender and Defender for Cloud Apps portals are focused on security threat protection and cloud app security, respectively, not compliance-centric insider risk policy configuration.

References

Microsoft. (2024). Get started with insider risk management. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/insider-risk-management-get-started.

Reference Point: In the section "Step 1 (required): Enable permissions for insider risk management," the first instruction states, "Go to the Microsoft Purview compliance portal..." confirming this as the starting point for configuration.

Microsoft. (2024). Learn about the Microsoft Purview compliance portal. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/microsoft-purview-compliance-portal-overview.

Reference Point: The article includes a table titled "Solutions in the compliance portal," which explicitly lists Insider risk management as a solution available and managed within this portal.

Microsoft. (2024). Microsoft 365 admin centers. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/admin/manage/admin-centers?view=o365-worldwide.

Reference Point: This document distinguishes between the portals, defining the Microsoft Purview compliance portal for "data protection and compliance" and the Microsoft 365 Defender portal for "security management," thereby differentiating their primary functions and confirming Purview as the correct location for a compliance tool.

Question 15

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

CUSTOMIZE NAVIGATION

Explanation

In the Microsoft Purview compliance portal, the Customize navigation feature allows administrators to modify the left navigation pane. This functionality enables the hiding of features or solutions that an organization does not use, thereby simplifying the interface for users. Administrators can create custom navigation experiences and assign them to specific administrative roles, ensuring that users only see the tools relevant to their responsibilities. This helps streamline workflows and reduces clutter within the portal.

References

Microsoft Learn. (2024). Customize the navigation pane in the Microsoft Purview portal. Microsoft Docs. Retrieved from the section "Customize the navigation pane," which states, "The global admin for your organization can customize the navigation pane in the Microsoft Purview portal for your organization."

Microsoft Learn. (2024). Microsoft Purview compliance portal overview. Microsoft Docs. Retrieved from the section "Access the Microsoft Purview compliance portal," which describes the portal's layout and mentions the ability for customization to tailor the user experience.

Question 16

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

INTEGRITY

Explanation

Integrity is the security principle that ensures data remains accurate, consistent, and trustworthy over its entire lifecycle. It guarantees that the data has not been subject to unauthorized modification, alteration, or destruction. The scenario described—retrieving the exact same data that was originally stored—is the fundamental definition of maintaining data integrity. In contrast, confidentiality prevents unauthorized disclosure, availability ensures data is accessible when needed, and transparency is not a core pillar of the foundational CIA security triad.

References

National Institute of Standards and Technology (NIST). (2021). Glossary of Terms. Computer Security Resource Center.

Reference: Under the term "Integrity," the definition is provided as: "The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and in transit."

Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 17(7), 38-49.

DOI: https://doi.org/10.1145/361011.361062

Reference: Section 1.A.2, "Integrity (preventing unauthorized modification of information)," clearly distinguishes integrity as the mechanism for ensuring information is not improperly altered.

Kaushik, S. (2012). Security, Privacy and Trust in Cloud Systems. IEEE.

DOI: https://doi.org/10.1109/MCE.2012.2223594

Reference: Section "Security," Paragraph 1, defines the three security goals: "Confidentiality, Integrity, and Availability (CIA). Integrity is the assurance that information is trustworthy and accurate."

Question 17

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

CONTINUALLY

Explanation

Microsoft Purview Compliance Manager is designed to provide an ongoing, up-to-date view of an organization's compliance posture. It achieves this through the continuous assessment of technical controls mapped to various regulations and standards. The system automatically monitors Microsoft 365 services and updates the status of these controls as settings change. This provides a dynamic compliance score, reflecting the current state rather than a static, point-in-time evaluation like a monthly or quarterly audit.

References

Microsoft Learn. "Microsoft Purview Compliance Manager." Microsoft Docs. Accessed October 13, 2025.

Reference: In the "How Compliance Manager works" section, the documentation states, "Compliance Manager helps you simplify compliance and reduce risk by providing... Continuous assessment of your compliance posture against regulations and standards." This confirms that the process is ongoing.

Microsoft Learn. "Understand your compliance score in Compliance Manager." Microsoft Docs. Accessed October 13, 2025.

Reference: Under the "How the compliance score is calculated" section, it explains that the score is based on improvement actions. For technical actions managed by Microsoft, it notes, "We test the controls and record the results of that testing...Compliance Manager detects your system settings and continuously and automatically updates the technical action status."

Question 18

DRAG DROP You are evaluating the compliance score in Microsoft Purview Compliance Manager. Match the compliance score action subcategories to the appropriate actions. To answer, drag the appropriate action subcategory from the column on the left to its action on the right. Each action subcategory may be used once, more than once, or not at all. NOTE: Each correct match is worth one point.

Show Answer
Correct Answer:

PREVENTATIVE: ENCRYPT DATA AT REST.

DETECTIVE: PERFORM A SYSTEM ACCESS AUDIT.

CORRECTIVE: MAKE CONFIGURATION CHANGES IN RESPONSE TO A SECURITY INCIDENT.

Explanation

The classification of security actions depends on their purpose and timing relative to a security incident.

  • Preventative controls are proactive measures designed to stop security incidents from happening. Encrypting data at rest is a preventative action because it protects data from being compromised if an attacker gains unauthorized access to the physical storage, thus preventing a data breach.
  • Detective controls are implemented to identify and report that an incident has occurred or is in progress. Performing a system access audit involves reviewing logs and records to discover unauthorized activities or policy violations that have already taken place, which is a classic detective function.
  • Corrective controls are reactive measures used to fix issues, mitigate damage, and restore systems after a security incident has been detected. Making configuration changes in response to a security incident is a corrective action aimed at closing the vulnerability that was exploited and bringing the system back to a secure state.

References

Microsoft. (2024). Improvement actions in Microsoft Purview Compliance Manager. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/compliance-manager-improvement-actions.

This official Microsoft documentation explains that improvement actions in Compliance Manager are categorized by their function. It defines preventative, detective, and corrective actions, aligning with the logic used in the solution. For example, it states, "A preventative action addresses specific risks... A detective action helps you detect potential risks... A corrective action helps you fix a potential risk."

National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53, Revision 5). Section 2.3, "Control Structure."

While NIST doesn't use these exact terms as primary categories, the functions are embedded in their control families. For instance, the Audit and Accountability (AU) control family serves a detective function, the Access Control (AC) family serves a preventative function, and the Incident Response (IR) family includes corrective actions.

Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278–1308. https://doi.org/10.1109/PROC.1975.9939.

This foundational academic paper outlines design principles for secure systems. The principles it discusses, such as "least privilege" and "complete mediation," are inherently preventative. The need for mechanisms to review actions after the fact relates to detective controls, forming the bedrock of modern security control classification.

Question 19

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

NO

YES

YES

Explanation

Statement 1: No. Communication compliance policies are not configured in the main Microsoft 365 admin center. Instead, they are managed within the specialized Microsoft Purview compliance portal. While this portal is part of the broader Microsoft 365 ecosystem, the admin center is used for more general tenant administration, not for specific compliance workloads like this one.

Statement 2: Yes. Microsoft SharePoint Online is a supported location for communication compliance. When users share files in Microsoft Teams channels or chats, those files are stored in either SharePoint Online or OneDrive for Business. Communication compliance policies scan these cloud attachments as part of the messages, making SharePoint support an integral part of the service's functionality.

Statement 3: Yes. A core feature of communication compliance is the ability to remediate issues. After a policy detects a potential violation and an alert is generated, reviewers can take several remediation actions. These actions include removing the message from Microsoft Teams, notifying the user via an automatically generated email, or escalating the issue for further investigation. This allows organizations to actively address and resolve compliance risks.

References

Microsoft Learn. (2024). Configure communication compliance. "You'll configure policies and review alerts in the Microsoft Purview compliance portal."

Microsoft Learn. (2024). Learn about communication compliance. "Communication compliance supports capturing and analyzing messages and attachments from the following Microsoft 365 services: Microsoft Teams, Exchange Online, Yammer, Viva Engage." The document further clarifies that files shared in Teams are stored in SharePoint Online and are scanned as attachments.

Microsoft Learn. (2024). Remediate communication compliance alerts. This document details the remediation actions available for alerts, stating, "For messages with detected issues, you can take remediation actions such as removing a message from Microsoft Teams or sending a user a notification to take corrective action."

Question 20

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

TEMPLATES

Explanation

In compliance management frameworks, such as Microsoft Purview Compliance Manager, templates are pre-defined frameworks containing the necessary groupings of controls that correspond to the requirements of a specific regulation, standard, or policy (e.g., GDPR, ISO 27001, NIST). An organization selects a relevant template to create an assessment. This assessment then uses the controls defined in the template to measure, manage, and track the organization's compliance status against that specific regulation. Therefore, templates are the foundational component used to track compliance with specific control groupings.

References

Microsoft. (2024). Understand assessment templates in Microsoft Purview Compliance Manager. Microsoft Learn. Retrieved from learn.microsoft.com. In the "How templates are structured" section, it states, "A template is a framework of controls for a specific regulation, standard, or policy."

Microsoft. (2024). Create an assessment in Microsoft Purview Compliance Manager. Microsoft Learn. Retrieved from learn.microsoft.com. The instructions under the "Select a template" section demonstrate that the process of tracking compliance begins by choosing a template corresponding to a specific regulation or standard.

Question 21

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

NO

YES

NO

Explanation

Windows Hello for Business and Microsoft Authenticator: Windows Hello for Business relies on authentication gestures performed directly on the device, such as a PIN or biometrics (fingerprint, facial recognition). The Microsoft Authenticator app is a separate authentication method used for multi-factor authentication (MFA) and passwordless sign-in, but it is not an integrated gesture within the Windows Hello for Business framework itself.

PIN as an Authentication Method: A PIN is a fundamental authentication gesture for Windows Hello for Business. It is often configured during enrollment and can be used as the primary method or as a fallback if biometric authentication fails or is unavailable.

Device-Specific Credentials: A core security feature of Windows Hello for Business is that its credentials are asymmetric key pairs that are bound to a specific device and protected by its Trusted Platform Module (TPM). The private key never leaves the device. Therefore, this information does not sync across a user's other devices. Each device has its own unique and separate Windows Hello for Business credential.

References

Microsoft Corporation. (2024). How Windows Hello for Business works: Authentication. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.

Supporting evidence: This document outlines the authentication process, stating, "The user provides a gesture to unlock the device. The gesture can be a PIN or biometric gesture...". It does not list the Microsoft Authenticator app as a gesture.

Microsoft Corporation. (2023). Why a PIN is better than a password. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.

Supporting evidence: This source clarifies, "The Windows Hello for Business PIN is tied to the device on which it was set up. The PIN is not transmitted to the server and is not shared between devices." This confirms that credentials do not sync.

Question 22

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

YES

NO

YES

Explanation

Yes. A hybrid identity model begins with creating a user object in the on-premises Active Directory (AD). This identity is then synchronized to Azure Active Directory (Azure AD) using a tool like Azure AD Connect, effectively making it a hybrid identity that exists in both directories.

No. The standard synchronization flow with Azure AD Connect is one-way for user objects: from on-premises AD to Azure AD. While features like password writeback exist, creating a new user account directly in Azure AD does not automatically synchronize it back to the on-premises directory.

Yes. A hybrid model offers multiple authentication options. Authentication can be handled directly by Azure AD through Password Hash Synchronization (PHS). Alternatively, it can be delegated to an on-premises identity provider, either through Pass-through Authentication (PTA), which validates against on-premises AD, or through Federation (like AD FS), which uses a separate trusted identity provider.

References

Microsoft Entra Documentation (formerly Azure AD): What is hybrid identity with Microsoft Entra ID? This document states, "With hybrid identity, the users are created in on-premises Active Directory and then synchronized to Microsoft Entra ID." This confirms the first statement.

Microsoft Entra Documentation: Microsoft Entra Connect Sync: Understand and customize synchronization. This documentation outlines the synchronization architecture, clarifying that the primary data flow for directory objects is from on-premises to the cloud. It details that "writeback" features are for specific attributes (like passwords or devices), not for entire user objects created in the cloud. This supports the reasoning for the second statement being false.

Microsoft Entra Documentation: What is federation with Microsoft Entra ID? and Microsoft Entra Pass-through Authentication. These resources explain that federation delegates authentication to a separate trusted identity provider (like on-premises AD FS) and that Pass-through Authentication validates credentials directly against the on-premises Active Directory, confirming that authentication can be handled by another provider besides Azure AD itself.

Question 23

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

PLAYBOOKS

Explanation

In Microsoft Sentinel, playbooks are the primary mechanism for automating and orchestrating threat responses. A playbook is a collection of procedures, built on Azure Logic Apps, that can be run automatically when an alert is triggered. These automated workflows can perform a wide range of actions, such as creating a ticket in a service management system, sending notifications to a security team via email or Microsoft Teams, blocking a malicious IP address in a firewall, or isolating a compromised machine. This capability is central to a Security Orchestration, Automation, and Response (SOAR) strategy, allowing security operations centers (SOCs) to handle routine tasks efficiently and respond to threats more quickly.

References

Microsoft. (2024). Automate threat response with playbooks in Microsoft Sentinel. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks.

Reference Point: In the "What is a playbook?" section, the documentation states, "A playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A playbook can help automate and orchestrate your threat response..."

Microsoft. (2023). Work with playbooks in Microsoft Sentinel. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/sentinel/tutorial-use-playbooks.

Reference Point: The introduction clearly defines playbooks as the feature for "automated threat response" and "Security Orchestration, Automation, and Response (SOAR)."

Microsoft. (2023). Visualize and monitor your data. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data.

Reference Point: This document clarifies the role of workbooks, stating, "Microsoft Sentinel workbooks provide a flexible canvas for data analysis and the creation of rich visual reports," distinguishing them from automation tasks.

Question 24

You have an Azure subscription that contains multiple resources. You need to assess compliance and enforce standards for the existing resources. What should you use?
Options
A: the Anomaly Detector service
B: Microsoft Sentinel
C: Azure Blueprints
D: Azure Policy
Show Answer
Correct Answer:
Azure Policy
Explanation
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce rules and effects over your resources to ensure they stay compliant with corporate standards and service level agreements. Azure Policy continuously evaluates existing and new resources for non-compliance with assigned policies. It can generate compliance reports and can also automatically remediate non-compliant resources, directly addressing the need to both assess compliance and enforce standards.
Why Incorrect Options are Wrong

A. the Anomaly Detector service: This is a cognitive service for detecting unusual patterns in time-series data. It is not used for managing or enforcing compliance of Azure resources.

B. Microsoft Sentinel: This is a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution used for threat detection and response, not for enforcing resource configuration standards.

C. Azure Blueprints: This service is used to orchestrate the deployment of new, standardized Azure environments. While it can assign policies, its primary purpose is deployment, not the ongoing assessment of existing resources.

References

1. Microsoft Learn: "What is Azure Policy?". Microsoft Docs. "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies."

2. Microsoft Learn: "SC-900: Describe the capabilities of Microsoft security solutions - Describe Azure Policy". Microsoft Docs. "Azure Policy helps you manage and prevent IT issues with policy definitions that enforce rules and effects for your resources. When you use Azure Policy, resources stay compliant with your corporate standards and service-level agreements."

3. Microsoft Learn: "What is Azure Blueprints?". Microsoft Docs. "Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources..." This highlights its role in defining and deploying new environments.

4. Microsoft Learn: "What is Microsoft Sentinel?". Microsoft Docs. "Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution." This defines its purpose as a security operations tool.

Question 25

Which statement represents a Microsoft privacy principle?
Options
A: Microsoft does not collect any customer data.
B: Microsoft uses hosted customer email and chat data for targeted advertising.
C: Microsoft manages privacy settings for its customers.
D: Microsoft respects the local privacy laws that are applicable to its customers.
Show Answer
Correct Answer:
Microsoft respects the local privacy laws that are applicable to its customers.
Explanation
Microsoft's privacy principles are founded on six key commitments: Control, Transparency, Security, Strong legal protections, No content-based targeting, and Benefits to you. The principle of "Strong legal protections" explicitly states that Microsoft will respect the local privacy laws applicable to its customers. This commitment ensures that Microsoft's data handling practices comply with global and regional regulations, such as the General Data Protection Regulation (GDPR) in Europe, thereby safeguarding customer data rights in accordance with local legal frameworks.
Why Incorrect Options are Wrong

A. Microsoft collects customer data to operate its services, provide support, and improve its products, as detailed in the Microsoft Privacy Statement.

B. Microsoft's "No content-based targeting" principle explicitly states it does not use email, chat, files, or other personal content to target ads.

C. Microsoft's principle of "Control" asserts that customers are in control of their own privacy with easy-to-use tools and clear choices, not that Microsoft manages settings for them.

References

1. Microsoft Trust Center, "Our privacy principles." Under the section "Strong legal protections," it states, "We will respect the local privacy laws that apply to you and will fight for the protection of your privacy as a fundamental human right." This directly supports option D.

2. Microsoft Trust Center, "Our privacy principles." The "Control" principle states, "You are in control of your data... We give you control of your data so you can make choices that are right for you." This contradicts option C.

3. Microsoft Learn, "SC-900: Describe the privacy principles of Microsoft," Unit 3. This module details the six privacy principles. The section on "Strong legal protections" reinforces that Microsoft respects local privacy laws. The section on "No content-based targeting" directly refutes option B.

4. Microsoft Privacy Statement, "Personal data we collect." This section details the various types of data Microsoft collects to provide and improve its services, which shows that option A is incorrect.

Question 26

Which security feature is available in the free mode of Microsoft Defender for Cloud?
Options
A: vulnerability scanning of virtual machines
B: secure score
C: just-in-time (JIT) VM access to Azure virtual machines
D: threat protection alerts
Show Answer
Correct Answer:
secure score
Explanation
Microsoft Defender for Cloud is offered in two modes: a free foundational Cloud Security Posture Management (CSPM) and enhanced security plans with workload protections (paid). The free foundational CSPM is enabled by default on all Azure subscriptions and provides essential security posture management capabilities. The most prominent of these is the secure score, which continuously assesses your cloud resources against security best practices and provides a numerical score and actionable recommendations to improve your security posture. The other features listed are part of the paid, enhanced security plans.
Why Incorrect Options are Wrong

A. vulnerability scanning of virtual machines: This is an advanced protection feature included in the paid Microsoft Defender for Servers plan, not the free foundational tier.

C. just-in-time (JIT) VM access to Azure virtual machines: JIT VM access is a workload protection feature that requires the paid Microsoft Defender for Servers plan to be enabled.

D. threat protection alerts: Real-time security alerts that detect and respond to threats are a core benefit of the paid enhanced security plans, not the free CSPM offering.


References

1. Microsoft Learn. "Overview of Microsoft Defender for Cloud." Microsoft Docs, Microsoft, Accessed May 20, 2024. In the section "Defender for Cloud free vs enhanced security features," the documentation explicitly lists "Secure score with recommendations" as a free feature, while threat alerts, JIT VM access, and vulnerability assessments are listed under the enhanced (paid) plans.

2. Microsoft Learn. "Secure score in Microsoft Defender for Cloud." Microsoft Docs, Microsoft, Accessed May 20, 2024. This document describes the secure score as a foundational capability: "Microsoft Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score..." This continuous assessment is part of the free offering.

3. Microsoft Learn. "Understanding just-in-time (JIT) VM access." Microsoft Docs, Microsoft, Accessed May 20, 2024. Under the "Availability" section, it states, "To use JIT, you must have Microsoft Defender for Servers Plan 2 enabled on the subscription," confirming it is a paid feature.

4. Microsoft Learn. "Vulnerability assessment with Microsoft Defender Vulnerability Management." Microsoft Docs, Microsoft, Accessed May 20, 2024. The "Prerequisites" section clearly states, "To deploy the Defender Vulnerability Management scanner, you need Microsoft Defender for Servers Plan 2," indicating it is part of a paid plan.

Question 27

HOTSPOT Select the answer that correctly completes the sentence.

Show Answer
Correct Answer:

AUTHORIZATION

Explanation

Authorization is the process of determining the level of access or the specific permissions a user has to resources after their identity has been successfully verified. Authentication precedes authorization and is the process of confirming a user's identity (i.e., proving they are who they say they are). The question specifically asks what controls their level of access, which is the explicit function of authorization.

For example, when you log into your online bank account, you first authenticate with your username and password. Once authenticated, the system uses authorization rules to determine what you can do—view your balance, transfer funds, or pay bills.

References

Microsoft Documentation: In the context of Azure Active Directory, Microsoft defines the two concepts: "Authentication (AuthN) is the process of proving you are who you say you are... Authorization (AuthZ) is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with it."

Source: Microsoft Entra Documentation, "Authentication vs. authorization."

MIT OpenCourseWare: In the course materials for "6.858 Computer Systems Security," access control is discussed as the mechanism for enforcing policies. The lecture notes explain that after authentication, the system must decide whether to grant access based on an authorization policy.

Source: MIT OpenCourseWare, 6.858 Computer Systems Security, Fall 2014, Lecture 5: "Controlling Information Flow," Section 2.

IEEE Xplore Digital Library: A survey on access control states, "Authorization is the process to determine if a user has the right to perform an action on a resource." This directly aligns with controlling a user's level of access.

Source: Alshehri, S., & Sandhu, R. (2020). "A Survey of Access Control Models for IoT: A Centralized and Distributed Approach." IEEE Access, 8, 203874-203893. DOI: 10.1109/ACCESS.2020.3036496 (Section II.A).

Question 28

What can you use to ensure that all the users in a specific group must use multi-factor authentication (MFA) to sign in to Azure AD?
Options
A: Azure Policy
B: a communication compliance policy
C: a Conditional Access policy
D: a user risk policy
Show Answer
Correct Answer:
a Conditional Access policy
Explanation
Conditional Access policies in Azure Active Directory (Azure AD) are the primary tool for enforcing organizational access rules. They function as if-then statements. An administrator can define a policy where the "if" condition targets a specific group of users, and the "then" action, or access control, is to grant access but require multi-factor authentication (MFA). This directly fulfills the requirement of ensuring all users in a designated group must use MFA to sign in.
Why Incorrect Options are Wrong

A. Azure Policy: This service enforces rules and compliance for Azure resources (like virtual machines or storage), not for user sign-in and identity access control.

B. a communication compliance policy: This is a Microsoft Purview feature used to monitor and manage risks in user communications (e.g., email, Teams messages), not for authentication.

D. a user risk policy: This is a specific type of policy within Azure AD Identity Protection that enforces controls based on a calculated user risk level, not simply on group membership.


References

1. Microsoft Learn. "What is Conditional Access in Azure Active Directory?". Microsoft Entra documentation. This document states, "Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action... Common signals... include... User or group membership... Common decisions... include... Require multi-factor authentication." This directly supports using Conditional Access to require MFA for a specific group.

2. Microsoft Learn. "Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication". Microsoft Entra documentation. This tutorial provides a step-by-step guide on creating a Conditional Access policy. Step 4, "Create a Conditional Access policy," explicitly shows how to select a specific user group under "Assignments" and then select "Require multi-factor authentication" under "Access controls."

3. Microsoft Learn. "What is Azure Policy?". Azure Governance documentation. This source clarifies that Azure Policy "evaluates resources in Azure by comparing the properties of those resources to business rules." This confirms its focus is on resource governance, not identity access.

4. Microsoft Learn. "Configure and enable risk policies". Microsoft Entra documentation. This document explains, "The user risk policy detects the probability that a user account is compromised and allows administrators to configure an automated response... such as... requiring a secure password change or requiring multi-factor authentication." This shows that user risk policies are triggered by risk, not just group membership.

Question 29

HOTSPOT. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

NO

YES

YES

Explanation

Statement 1: No. Azure AD Identity Protection can generate risk detections both offline and in real-time. Offline detections, such as Leaked credentials, occur when user credentials are found on the dark web, independent of any active authentication attempt by the user. Real-time detections occur during the sign-in process. Because detections can be generated without a user authenticating, the statement is false.

Statement 2: Yes. Azure AD Identity Protection categorizes the severity of each detected risk event. It assigns a calculated risk level of Low, Medium, or High. This allows administrators to configure risk-based policies that respond differently depending on the severity of the threat. For example, a high-risk sign-in can be blocked, while a medium-risk sign-in might be prompted for multi-factor authentication.

Statement 3: Yes. This statement accurately defines user risk. Azure AD Identity Protection calculates user risk as the probability (indicated as Low, Medium, or High) that an identity has been compromised. This calculation is based on an aggregation of all active risk detections and historical sign-in patterns associated with that specific user account.

References

1. Microsoft Learn. "What is risk?". Microsoft Entra documentation. This document provides the official definitions for risk types and levels in Azure AD Identity Protection.

It explicitly states, "At a basic level, Identity Protection analyzes signals from each sign-in..." for real-time detections, but also covers offline detections such as "Leaked credentials". This confirms that not all detections are generated upon authentication.

It confirms that risk levels are assigned: "Identity Protection categorizes risk into three tiers: low, medium, and high."

It defines user risk: "User risk is a calculation of the probability that an identity has been compromised."

2. Microsoft Learn. "Risk detection and remediation". Microsoft Entra documentation. This page details the different types of risk detections.

Under the section "Risk detection types," it lists detections that are calculated "Offline" (e.g., Leaked credentials, Azure AD threat intelligence) and those calculated in "Real-time" during sign-in. This distinction supports the "No" answer for the first statement.

Question 30

HOTSPOT. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Show Answer
Correct Answer:

YES

NO

YES

Explanation

Azure AD Connect can be used to implement hybrid identity. This statement is Yes. Azure AD Connect is the primary Microsoft tool designed to meet and accomplish hybrid identity goals. It facilitates the synchronization of on-premises Active Directory objects (like users and groups) to cloud-based Azure Active Directory, creating a common identity for users across both environments.

Hybrid identity requires the implementation of two Microsoft 365 tenants. This statement is No. A standard hybrid identity implementation connects an on-premises Active Directory forest to a single Azure AD tenant. While more complex multi-tenant configurations are possible, they are not a fundamental requirement for establishing a hybrid identity.

Authentication of hybrid identities requires the synchronization of Active Directory Domain Services (AD DS) and Azure AD. This statement is Yes. For any hybrid authentication method to function (such as Password Hash Synchronization or Pass-through Authentication), the user's identity object must first be synchronized from the on-premises AD DS to Azure AD. This synchronization creates the user principal in the cloud, which is the target for all cloud authentication requests.

References

1. Microsoft Learn. (2023). "What is Azure AD Connect?". Microsoft Entra documentation. Retrieved October 14, 2025. In the "What is Azure AD Connect?" section, it states, "Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals... It provides the following features: Password hash synchronization... Pass-through authentication... Federation integration... Synchronization... Health Monitoring."

2. Microsoft Learn. (2023). "What is hybrid identity with Azure Active Directory?". Microsoft Entra documentation. Retrieved October 14, 2025. The document explains, "Hybrid identity is creating a common user identity for authentication and authorization to all resources, regardless of location." It details how on-premises AD is connected to a single Azure AD tenant.

3. Microsoft Learn. (2024). "Azure AD Connect: Design concepts - User sign-in". Microsoft Entra documentation. Retrieved October 14, 2025. This document outlines the three methods for user sign-in in a hybrid model. It implicitly confirms that synchronization is a prerequisite for all methods, stating, "With Azure AD Connect, you can synchronize your on-premises Active Directory with Azure AD."
