Free SC-900 Questions for Microsoft Security Compliance and Identity Fundamentals SC-900 Exam as PDF & Practice Test Engine

  • Exam Code/Number: SC-900
  • Exam Name/Title: Microsoft Security Compliance and Identity Fundamentals
  • Certification Provider: Microsoft
  • Corresponding Certification: Microsoft Certified
  • Exam Questions: 217
  • Updated On: Jun 10, 2026
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft Purview Compliance Manager, the built-in Compliance score and assessments are designed for ongoing, risk-based monitoring of your organization's compliance posture. Microsoft's SCI materials describe Compliance Manager as a solution that "helps you track, improve, and demonstrate your compliance posture" by mapping regulations and standards to improvement actions and assessments. The experience is not a one-time or periodic snapshot; it is intended to be continuous. As you implement controls, provide evidence, or when automated tests record results, "your score is updated as you complete actions," reflecting current progress toward data protection and regulatory requirements.
Assessments in Compliance Manager persist over time and are maintained through continuous evaluation: actions can be automatically tested when supported (for example, configuration-based controls in Microsoft 365) or manually assessed on an ongoing basis by compliance teams. This design enables organizations to prioritize and remediate issues as they arise, rather than waiting for monthly or quarterly reviews. Because of this continuous scoring and reassessment model, Compliance Manager assesses compliance data continually for an organization, providing near real-time insight into control effectiveness and residual risk across standards such as GDPR, ISO 27001, and NIST frameworks.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft's security portfolio, Microsoft Defender for Cloud is the service that provides cloud workload protection for Azure and hybrid cloud resources. Microsoft describes it as a "cloud-native application protection platform (CNAPP) that helps strengthen the security posture of your cloud resources and protect workloads across multicloud and hybrid environments." The service delivers Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) by continuously assessing configurations and protecting workloads such as virtual machines, containers, databases, and storage. Documentation further states that Defender for Cloud "provides threat protection for workloads running in Azure, on-premises, and in other clouds," giving a single pane to harden resources, detect active threats, and remediate.
By contrast, Azure Monitor focuses on telemetry and observability; the Microsoft cloud security benchmark is a set of prescriptive best practices; and Microsoft Secure Score is an aggregate metric reflecting security posture. None of those deliver the workload protection and active defense capabilities (e.g., recommendations, hardening, and threat detection for servers, containers, and PaaS services) that Defender for Cloud offers.
Therefore, the sentence correctly completes as: Microsoft Defender for Cloud provides cloud workload protection for Azure and hybrid cloud resources.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra Conditional Access (CA) evaluates signals from the user, device, location, and risk to make access decisions. The platform explicitly notes that CA decisions occur after primary sign-in: "Conditional Access policies are enforced after the first-factor authentication has been completed." This means a user must successfully present their initial credentials (e.g., password, Windows Hello, FIDO2) before the CA engine evaluates policy logic. Therefore, the statement that CA is evaluated before a user is authenticated is not correct.
Regarding scoping, CA can target ordinary and privileged identities. The assignment options allow administrators to aim policies at users, groups, and directory roles: "You can include or exclude users and groups... [and] include or exclude specific Azure AD directory roles from a Conditional Access policy." Because Global Administrator is a directory role, policies can be applied to those accounts (with Microsoft's best-practice guidance to maintain at least one excluded break-glass account to prevent lockout).
For signals/conditions, CA supports device platform filtering. The documented device platform condition states: "This condition is based on the operating system platform of the device... iOS, Android, Windows, macOS (and others)." Administrators commonly use this to require different controls (like MFA or compliant device) based on Android or iOS.
Putting these together:
CA can apply to Global Administrators (Yes).
CA is evaluated after first-factor authentication (No to "before").
Device platform (e.g., Android/iOS) is a valid CA signal (Yes).
Which portal contains the solution catalog?
Correct Answer: C
What can you use to ensure that all the users in a specific group must use multi-factor authentication (MFA) to sign in to Azure AD?
Correct Answer: D
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In the Microsoft Purview compliance portal, administrators can tailor the user experience to match the roles and responsibilities of users in the organization. One key feature provided to enable this customization is the "Customize navigation" option.
According to Microsoft's Security, Compliance, and Identity (SCI) learning paths and SC-series certification materials (especially SC-400 and SC-900), the Customize navigation option in the Microsoft Purview compliance portal is used to add, remove, or rearrange features in the navigation pane. This is especially useful for compliance or security administrators who want to streamline the portal for ease of use or hide sections that are not relevant to their work.
The SCI documentation states:
"The Microsoft Purview compliance portal provides a Customize navigation option that allows admins to personalize the left-hand navigation pane. This feature supports removing unused features or rearranging the order in which services appear, improving navigation efficiency and reducing clutter." This setting does not change permissions or access to features but purely controls the visibility and layout for users. The other listed options like Compliance Manager, Policies, and Settings are functional sections of the portal, but only "Customize navigation" is explicitly designed to manage the visual layout and visibility of the features shown in the portal's navigation pane.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra ID Protection is designed to detect and respond to identity compromise by calculating user risk and sign-in risk and surfacing risk detections such as "leaked credentials," "anonymous IP address," "impossible travel," and related signals. Microsoft explains that Identity Protection "uses adaptive machine learning and threat intelligence to detect risky users and risky sign-ins and assigns each a risk level of Low, Medium, or High." These detections include "Leaked credentials (found on public or dark-web lists)", confirming that Identity Protection can detect when user credentials have been exposed.
ID Protection is integrated with Conditional Access to take policy-driven actions: "Risk-based Conditional Access policies let you require multi-factor authentication (MFA), block access, or require password change when a user or sign-in risk level is met." The built-in policies include User risk policy and Sign-in risk policy, which can automatically enforce MFA or password reset when the configured risk threshold is reached.
However, Identity Protection does not manage Azure AD group membership. There is no capability to add users to groups based on risk level; group membership changes are outside the scope of Identity Protection's controls. Instead, remediation is applied through Conditional Access or password reset policies driven by the calculated risk.
Therefore: adding users to groups based on risk (No); detecting leaked credentials (Yes); invoking MFA based on risk via Conditional Access (Yes).
Which three authentication methods does Windows Hello for Business support? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer: A,B,C
In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)?
Correct Answer: D
What are customers responsible for when evaluating security in a software as a service (SaaS) cloud services model?
Correct Answer: A
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft's Security, Compliance, and Identity guidance, encryption is described as the control that "converts data into a form that cannot be understood by anyone who does not possess the appropriate decryption key." In the Microsoft Purview Information Protection (sensitivity labels with encryption) documentation, Microsoft explains that when encryption is applied to a file, "only authorized users and services that present the correct keys and usage rights can open and use the content," and that access is enforced even if the file is moved outside the organization. Azure Rights Management (part of Microsoft Purview) further states that encryption "protects data at rest and in transit by using keys so that only permitted identities can decrypt and use the information." This aligns precisely with the sentence: encrypting a file makes the data readable and usable to viewers that have the appropriate key (and unreadable to those who do not). By contrast, archiving organizes or preserves data for long-term storage; compressing reduces file size without controlling access; and deduplicating removes redundant copies to save space. None of these provide the key-based, identity-bound access control described in Microsoft SCI materials. Therefore, the correct completion is Encrypting.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks