Microsoft Security SC-900 Exam Questions 2025


Our SC-900 Exam Questions deliver accurate, current practice for the Microsoft Security, Compliance, and Identity Fundamentals certification. Developed and verified by security professionals, these questions include precise answers and straightforward explanations that cover key security, compliance, and identity concepts. Strengthen your understanding using our free samples and interactive simulator with Cert Empire.


Exam Questions

Question 1

What can you use to deploy Azure resources across multiple subscriptions in a consistent manner?
Options
A: Microsoft Sentinel
B: Microsoft Defender for Cloud
C: Azure Policy
D: Azure Blueprints
Correct Answer:
Azure Blueprints
Explanation
Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as role assignments, policy assignments, and Azure Resource Manager (ARM) templates. This service is specifically designed to help organizations set up governed and consistent environments at scale. A single blueprint can be versioned and assigned to multiple subscriptions, ensuring that each environment is provisioned with the same set of resources, configurations, and policies, thereby achieving consistency across the organization.
Why Incorrect Options are Wrong

A. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution, used for threat detection and response, not resource deployment.

B. Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides security recommendations and threat protection, not resource deployment.

C. Azure Policy is used to enforce organizational standards and assess compliance. While it can trigger deployments for non-compliant resources, its primary purpose is governance, not the orchestrated deployment of a complete environment.

References

1. Microsoft Learn: "Overview of Azure Blueprints". Microsoft Docs. "Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. [...] With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved."

2. Microsoft Learn: "What is Azure Policy?". Microsoft Docs. "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements." (This highlights its role in enforcement, not initial orchestrated deployment).

3. Microsoft Learn: "What is Microsoft Sentinel?". Microsoft Docs. "Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) [and] Security orchestration, automation, and response (SOAR)."

4. Microsoft Learn: "What is Microsoft Defender for Cloud?". Microsoft Docs. "Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats."

Question 2

Which Microsoft Defender for Cloud metric displays the overall security health of an Azure subscription?
Options
A: resource health
B: secure score
C: the status of recommendations
D: completed controls
Correct Answer:
secure score
Explanation
Microsoft Defender for Cloud's secure score is a numerical value that represents the overall security posture of a subscription. It aggregates findings from security recommendations into a single score, providing an at-a-glance view of the current security situation. A higher score indicates a lower identified risk level. This metric is calculated based on the ratio of healthy resources to the total resources, as evaluated against the enabled security recommendations.
Why Incorrect Options are Wrong

A. resource health: Azure Resource Health is a service that reports on the availability and operational health of Azure resources, not their security posture as defined by Defender for Cloud.

C. the status of recommendations: The status of individual recommendations (e.g., healthy, unhealthy) provides the detailed data that is used to calculate the secure score, but it is not the single, aggregated metric for overall health.

D. completed controls: Security controls are logical groups of related recommendations. While completing controls improves the secure score, the number of completed controls is a component, not the final overall metric itself.

References

1. Microsoft Learn. "Secure score in Microsoft Defender for Cloud." Microsoft Docs. Accessed May 20, 2024. In the "Introduction to secure score" section, it states, "Microsoft Defender for Cloud's secure score is a numerical value that represents your security posture."

2. Microsoft Learn. "Security controls and their recommendations." Microsoft Docs. Accessed May 20, 2024. This document explains that "Recommendations are grouped into security controls," clarifying that controls are a component of the overall score calculation.

3. Microsoft Learn. "Overview of Azure Resource Health." Microsoft Docs. Accessed May 20, 2024. The "What is Resource Health?" section clarifies its purpose: "Azure Resource Health helps you diagnose and get support for service problems that affect your Azure resources," distinguishing it from security posture management.

Question 3

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) can be used on which operating systems?
Options
A: Windows 10 and newer only
B: Windows 10 and newer and Android only
C: Windows 10 and newer and macOS only
D: Windows 10 and newer, Android, and macOS
Correct Answer:
Windows 10 and newer and macOS only
Explanation
Microsoft 365 Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items on endpoint devices. According to official Microsoft documentation, Endpoint DLP is supported on devices running Windows 10 (build 1809 or later), Windows 11, and macOS (Catalina 10.15 or later). Devices must be onboarded into the Microsoft Purview compliance portal to be managed by Endpoint DLP policies. While Microsoft provides DLP capabilities for mobile devices, it is through different mechanisms like App Protection Policies in Intune, not Endpoint DLP.
Why Incorrect Options are Wrong

A. This is incorrect because Endpoint DLP also supports macOS, not just Windows operating systems.

B. This is incorrect because Endpoint DLP does not support Android. It supports macOS instead.

D. This is incorrect because Android is not a supported operating system for Endpoint DLP.

References

1. Microsoft. (2024). Get started with Endpoint data loss prevention. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started#prerequisites. (Refer to the "Prerequisites" section, which lists supported operating systems as "Windows 10, Windows 11, and macOS Catalina 10.15 and higher").

2. Microsoft. (2024). Learn about Microsoft Purview Data Loss Prevention. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp#dlp-on-endpoints. (Refer to the "DLP on endpoints" section, which states, "You can apply DLP policies to Windows 10/11 and macOS devices").

Question 4

What is a function of Conditional Access session controls?
Options
A: prompting multi-factor authentication (MFA)
B: enable limited experiences, such as blocking download of sensitive information
C: enforcing device compliance
D: enforcing client app compliance
Correct Answer:
enable limited experiences, such as blocking download of sensitive information
Explanation
Conditional Access session controls are applied after a user has been granted access to an application. Their function is to enforce restrictions within the user's session. For example, by integrating with Microsoft Defender for Cloud Apps, session controls can enable limited experiences, such as monitoring user activity in real-time, blocking the download of sensitive documents, or requiring a document to be labeled before download. This allows organizations to permit access while still controlling what happens to their data after sign-in.
Why Incorrect Options are Wrong

A. Prompting for multi-factor authentication (MFA) is a grant control, a condition required to gain access, not a control applied within the session.

C. Enforcing device compliance is a grant control. It checks if the device meets organizational policy requirements before allowing access.

D. Enforcing client app compliance (requiring an approved client app) is a grant control, ensuring the user connects from a managed application.

References

1. Microsoft Learn. (2023). Conditional Access: Session. "Within a Conditional Access policy, administrators can make use of session controls to enable limited experiences within a cloud application." The document lists "Use Conditional Access App Control" which enables features like "Block download (preview)".

2. Microsoft Learn. (2023). Conditional Access: Grant. This document explicitly lists "Require multifactor authentication," "Require device to be marked as compliant," and "Require approved client app" as Grant controls, which are evaluated to determine if a user can be granted access.

Question 5

HOTSPOT: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

YES

NO

NO

Explanation

Device identity can be stored in Azure AD.

  • Yes. Azure Active Directory (Azure AD) is an identity provider that stores and manages various identity objects, including users, groups, applications, and devices. Registering a device with Azure AD creates a device identity, which is used to authenticate the device and apply security policies.

A single system-assigned managed identity can be used by multiple Azure resources.

  • No. A system-assigned managed identity is created as part of an Azure resource and is tied directly to its lifecycle. It can only be used by the specific resource for which it was enabled and cannot be shared. If the parent resource is deleted, the system-assigned identity is automatically deleted as well.

If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically.

  • No. A user-assigned managed identity is a standalone Azure resource with a lifecycle independent of any resource it is assigned to. Deleting a resource that uses a user-assigned identity does not delete the identity itself. It must be deleted separately. This design allows a single user-assigned identity to be assigned to multiple resources.

References

Microsoft Documentation. (2023). What is a device identity? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/devices/overview.

Reference: The "Introduction" section explicitly states, "A device identity is an object in Azure Active Directory (Azure AD)."

Microsoft Documentation. (2023). What are managed identities for Azure resources? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview.

Reference: Under the "Managed identity types" section, it clarifies: "System-assigned: ...This identity's lifecycle is directly tied to the Azure resource. If the resource is deleted, Azure automatically cleans up the identity for you." and "User-assigned: ...The identity's lifecycle is managed separately from the lifecycle of the Azure resources that use it."

Microsoft Documentation. (2023). Managed identities for Azure resources frequently asked questions (FAQ). Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-faq.

Reference: The FAQ section confirms, "The system-assigned managed identity is deleted when the resource is deleted." In contrast, it explains that a user-assigned identity is an independent resource, implying its separate lifecycle management.

Question 6

What are two reasons to deploy multiple virtual networks instead of using just one virtual network? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Options
A: to separate the resources for budgeting
B: to meet Governance policies
C: to isolate the resources
D: to connect multiple types of resources
Correct Answer:
to meet Governance policies, to isolate the resources
Explanation
Deploying multiple Azure Virtual Networks (VNets) is a fundamental strategy for network segmentation and security. The primary reason is to create isolated environments for different workloads. For instance, a company might use separate VNets for its production, development, and testing environments. This isolation prevents resources in one network from communicating with resources in another by default, limiting the potential impact of a security breach. This practice is also a core component of meeting governance and compliance requirements. Many security policies and regulatory standards mandate the separation of duties and environments, which is directly achieved by using multiple, isolated VNets to enforce network boundaries and control traffic flow between them.
Why Incorrect Options are Wrong

A. to separate the resources for budgeting

Budgeting and cost management in Azure are typically handled at the subscription or resource group level, or by tagging resources, not by creating separate VNets.

D. to connect multiple types of resources

A single virtual network is designed to connect various types of Azure resources (like VMs, databases, and App Services) that need to communicate with each other.


References

1. Microsoft Learn, "What is Azure Virtual Network?" - Under the "Why use an Azure virtual network?" section, the concept of isolation is highlighted as a key benefit. The document states, "Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure... VNet provides an isolated environment for your virtual machines and other resources."

2. Microsoft Cloud Adoption Framework for Azure, "Security - Network segmentation strategies" - This document explicitly links network segmentation using multiple VNets to governance and isolation. It states, "Network segmentation is a central part of enterprise security governance... By isolating workloads into their own virtual networks, you can limit the effect of a security compromise to that network."

3. Microsoft Learn, "Azure landing zones - Network topology and connectivity" - This official guidance on enterprise-scale architecture describes the hub-spoke model, which uses multiple VNets (spokes) to isolate individual workloads. This design is a direct implementation of governance policies for network security and management.

Question 7

Which pillar of identity relates to tracking the resources accessed by a user?
Options
A: auditing
B: authorization
C: authentication
D: administration
Correct Answer:
auditing
Explanation
Auditing is the identity pillar concerned with tracking and logging user and system activities. It answers the questions of who did what, from where, and when. This process involves collecting data on which resources were accessed by a user, providing a trail for security analysis, compliance verification, and incident investigation. The core function of auditing is to create a record of actions, which directly aligns with tracking resource access.
Why Incorrect Options are Wrong

B. authorization: This pillar determines what an authenticated user is permitted to do or access. It is about granting permissions, not tracking the subsequent access.

C. authentication: This is the process of verifying a user's identity by validating their credentials. It answers "who are you?" but does not track actions after verification.

D. administration: This pillar involves the management of identities, including their creation, modification, and deletion, as well as the assignment of roles and policies.

References

1. Microsoft Learn, "Describe the concepts of identity - SC-900," Module 1, Unit 3. The documentation outlines the four pillars of identity. It defines Auditing as the process of tracking who accesses which resources and when.

2. Microsoft Learn, "Describe authentication and authorization." This document distinguishes between Authentication (AuthN), which is the process of proving you are who you say you are, and Authorization (AuthZ), which is the act of granting an authenticated party permission to do something. This clarifies that neither is about tracking access.

3. Microsoft Learn, "Microsoft Entra audit logs." This resource states, "Microsoft Entra audit logs provide records of system activities for compliance. To access the audit log, select Audit logs in the Monitoring section of Microsoft Entra ID. An audit log has a default list view that shows... the activity." This directly supports the definition of auditing as tracking activity.

Question 8

HOTSPOT: Select the answer that correctly completes the sentence.

Correct Answer:

AUTHENTICATION

Explanation

Authentication is the security process that verifies a user's identity by validating the credentials they provide, such as a username and password, a biometric scan, or a security token. This process confirms that the user is who they claim to be. In contrast, authorization occurs after successful authentication and determines what resources or actions the verified user is permitted to access. Auditing is the process of reviewing logs of user activities, and administration involves the overall management of the system. Therefore, verifying credentials to prove identity is the specific function of authentication.

References

Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 18(9), 61. (Reprint from Proceedings of the IEEE, 63(9), 1278-1308). In Section I.A.3, the authors distinguish between authentication ("verifying the identity of a user") and authorization ("the question of which user is authorized to do what").

DOI: https://doi.org/10.1145/361011.361062

National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines. (NIST Special Publication 800-63-3). In Section 4.1, "Authentication," the document states: "Authentication is the process of verifying the identity of a subject (e.g., user, process, or device) as a prerequisite to allowing access to resources in an information system."

DOI: https://doi.org/10.6028/NIST.SP.800-63-3

Abowd, G. D., & Mynatt, E. D. (2000). Charting past, present, and future research in ubiquitous computing. ACM Transactions on Computer-Human Interaction (TOCHI), 7(1), 29-58. The paper discusses security fundamentals, defining authentication as the challenge of "determining and verifying the identity of a person or entity."

DOI: https://doi.org/10.1145/344949.344988

Question 9

What can be created in Active Directory Domain Services (AD DS)?
Options
A: line-of-business (LOB) applications that require modern authentication
B: mobile devices
C: computer accounts
D: software as a service (SaaS) applications that require modern authentication
Correct Answer:
computer accounts
Explanation
Active Directory Domain Services (AD DS) is a directory service for on-premises Windows domain networks. A primary function of AD DS is to store information about network objects and make this information available to users and administrators. One of the fundamental object types that can be created and managed within AD DS is a computer account. When a computer joins a domain, a computer account object is created in the directory. This object is used to authenticate and authorize the computer on the network and to apply configuration settings through Group Policy.
Why Incorrect Options are Wrong

A. line-of-business (LOB) applications that require modern authentication: Modern authentication (e.g., OAuth 2.0, OpenID Connect) is a feature of cloud identity providers like Microsoft Entra ID, not traditional on-premises AD DS.

B. mobile devices: Mobile devices are typically managed through Mobile Device Management (MDM) solutions, such as Microsoft Intune, rather than being created as native objects directly within AD DS.

D. software as a service (SaaS) applications that require modern authentication: Integrating SaaS applications for single sign-on using modern authentication is a core capability of Microsoft Entra ID, not on-premises AD DS.

References

1. Microsoft Learn. (2023). Active Directory Domain Services Overview. "AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications... Data stored in AD DS includes information about user accounts... groups, computers, printers, and other network resources."

Section: What Is Active Directory Domain Services?

2. Microsoft Learn. (2023). Computer Objects. "Computer objects in Active Directory are used to uniquely identify and manage computers that are members of a domain... When you join a computer to a domain, a computer account is created in Active Directory."

Section: Computer Objects in Active Directory.

3. Microsoft Learn. (2024). Compare Active Directory to Microsoft Entra ID. "Active Directory Domain Services... Core services: Domain join for Windows PCs... Microsoft Entra ID... Core services: Authentication for web and mobile apps, including Microsoft 365."

Section: Compare features and services.

4. Microsoft Learn. (2024). What is application management with Microsoft Entra ID?. "Microsoft Entra ID is an identity and access management (IAM) system. It provides a single place to manage users and applications... You can manage access to thousands of SaaS applications..."

Section: What are the benefits of application management?

Question 10

HOTSPOT: Select the answer that correctly completes the sentence.

Correct Answer:

MICROSOFT DEFENDER FOR CLOUD

Explanation

Microsoft Defender for Cloud is a comprehensive solution that provides unified security management and advanced threat protection across hybrid cloud workloads. It fulfills two primary objectives: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). The CWP capabilities are specifically designed to protect various resources such as servers, containers, storage, databases, and other workloads in Azure and on-premises environments from evolving threats by using advanced analytics and threat intelligence.

  • Azure Monitor is a service for collecting, analyzing, and acting on telemetry data for performance and availability, not primarily for workload threat protection.
  • Microsoft cloud security benchmark is a framework of security recommendations, not a service that provides active protection.
  • Microsoft Secure Score is a feature within Defender for Cloud that measures security posture; it doesn't provide the protection itself.

References

Microsoft Learn. "What is Microsoft Defender for Cloud?" Microsoft Docs. "Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWP) solution that finds weak spots across your cloud configuration... and can protect workloads across multicloud and hybrid environments from evolving threats."

Microsoft Learn. "Introduction to cloud workload protection in Microsoft Defender for Cloud." Microsoft Docs. "Defender for Cloud's integrated cloud workload protection platform (CWPP), brings advanced, intelligent protection of your Azure and hybrid resources and workloads."

Microsoft Learn. "Azure Monitor overview." Microsoft Docs. "Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments."
