SC 900 - Exam Questions - Eng

Microsoft

(SC-900)

Microsoft Security, Compliance, and Identity Fundamentals

Total: 186 Questions


Link: https://certyiq.com/papers?provider=microsoft&exam=sc-900
Question: 1 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

1) No - https://azure.microsoft.com/en-us/pricing/details/active-directory/: Azure Active Directory comes in
four editions—Free, Office 365 apps, Premium P1, and Premium P2.

2) Yes - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
You can do all of your administrative tasks using the Azure Active Directory (Azure AD)
portal, including creating a new tenant for your organization.

3) No - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis Azure
Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.

Question: 2 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:
Explanation:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/

"The Cloud Adoption Framework is a collection of documentation, implementation guidance, best practices,
and tools that are proven guidance from Microsoft designed to accelerate your cloud adoption journey."

Reference:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/get-started/

Question: 3 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

The correct answer MUST be eDiscovery. Customer Lockbox for Microsoft Azure provides an interface for
customers to review and approve or reject customer data access requests.

Customer Lockbox doesn't identify, hold, or export electronic data.

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview

Question: 4 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

The answer is: Microsoft Endpoint Manager

"Endpoint Manager combines services you may know and already be using, including Microsoft Intune,
Configuration Manager, Desktop Analytics, co-management, and Windows Autopilot. These services are part
of the Microsoft 365 stack to help secure access, protect data, respond to risk, and manage risk."

Source - https://docs.microsoft.com/en-us/mem/endpoint-manager-overview

Question: 5 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

"Federation enables the access of services across organizational or domain boundaries by establishing trust
relationships between the respective domain’s identity provider."

https://learn.microsoft.com/en-us/training/modules/describe-identity-principles-concepts/6-describe-concept-federation

Federation is a collection of domains that have established trust.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Question: 6 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:
Box 1: Yes -
System updates reduce security vulnerabilities, and provide a more stable environment for end users. Not
applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks.

Box 2: Yes -

Box 3: Yes -
If you only use a password to authenticate a user, it leaves an attack vector open. With MFA enabled, your
accounts are more secure.

Reference:
https://docs.microsoft.com/en-us/azure/security-center/secure-score-security-controls

Question: 7 CertyIQ
Which score measures an organization's progress in completing actions that help reduce risks associated with data
protection and regulatory standards?

A. Microsoft Secure Score
B. Productivity Score
C. Secure score in Azure Security Center
D. Compliance score

Answer: D

Explanation:

Answer is: Compliance score D

"Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps
you manage your organization’s compliance requirements with greater ease and convenience. Compliance
Manager can help you throughout your compliance journey, from taking inventory of your data protection
risks to managing the complexities of implementing controls, staying current with regulations and
certifications, and reporting to auditors."

Source - https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide
Question: 8 CertyIQ
What do you use to provide real-time integration between Azure Sentinel and another security source?

A. Azure AD Connect
B. a Log Analytics workspace
C. Azure Information Protection
D. a connector

Answer: D

Explanation:
To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a
number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365
sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App
Security, etc.

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview

Question: 9 CertyIQ
Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standards,
such as International Organization for Standardization (ISO)?

A. the Microsoft Endpoint Manager admin center
B. Azure Cost Management + Billing
C. Microsoft Service Trust Portal
D. the Azure Active Directory admin center

Answer: C

Explanation:
The Microsoft Service Trust Portal contains details about Microsoft's implementation of controls and
processes that protect our cloud services and the customer data therein.

Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide

Question: 10 CertyIQ
In the shared responsibility model for an Azure deployment, what is Microsoft solely responsible for managing?

A. the management of mobile devices
B. the permissions for the user data stored in Azure
C. the creation and management of user accounts
D. the management of the physical hardware
Answer: D

Question: 11 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Yes -

Box 2: Yes -

Box 3: No -
The Zero Trust model does not assume that everything behind the corporate firewall is safe; the Zero Trust
model assumes breach and verifies each request as though it originated from an uncontrolled network.

Reference:
https://docs.microsoft.com/en-us/security/zero-trust/

Question: 12 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

The six privacy principles are:

Control: We will put you in control of your privacy with easy-to-use tools and clear choices.

Transparency: We will be transparent about data collection and use so you can make informed decisions.

Security: We will protect the data you entrust to us through strong security and encryption.

Strong legal protections: We will respect your local privacy laws and fight for legal protection of your privacy
as a fundamental human right.

No content-based targeting: We will not use your email, chat, files or other personal content to target ads to
you.

Benefits to you: When we do collect data, we will use it to benefit you and to make your experiences better.

Reference:

https://privacy.microsoft.com/en-US/

Question: 13 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

The question says “to viewers that have the appropriate key”, so the keyword is the word “KEY”.

Encryption is a means of securing digital data using one or more mathematical techniques, along with a
password or "key" used to decrypt the information.

Decryption is a process that transforms encrypted information into its original format. To do this, parties to a
private conversation use an encryption scheme, called an algorithm, and the keys to encrypt and decrypt
messages.

Question: 14 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:

Box 1: Yes -

A certificate is required that provides a private and a public key.

Box 2: Yes -

The public key is used to validate the private key that is associated with a digital signature.

Box 3: No -

As the private key is only used (and owned) by the signer to sign the document, and the associated public key
is used to verify the authenticity.

Reference:

https://support.microsoft.com/en-us/office/obtain-a-digital-certificate-and-create-a-digital-signature-e3d9d813-3305-4164-a820-2e063d86e512
https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/fin-ops/organization-administration/electronic-signature-overview

Question: 15 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:
Explanation:

Authentication is who you say you are.

Authorization is what permissions you have.

Question: 16 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

Correct - from: https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization >
"...authorization (providing access to secure data)..."

Reference:

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

Question: 17 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

"Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External
Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you
can securely share your company's applications and services with guest users from any other organization,
while maintaining control over your own corporate data."

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

Question: 18 CertyIQ
In the Microsoft Cloud Adoption Framework for Azure, which two phases are addressed before the Ready phase?
Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Plan
B. Manage
C. Adopt
D. Govern
E. Define Strategy

Answer: AE

Explanation:

Plan and Define Strategy

Reference:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/overview

Question: 19 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

It’s NYY.

Question 2 says: Managing the physical network. That is the responsibility of Microsoft.

https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

If it had said “network controls” then it would have been NO, as this is the responsibility of the
customer.

Assume we take these services: SaaS, IaaS or

1: In SaaS - system updates - Cloud Provider

2: We take IaaS: Physical Network - Cloud Provider

3: We take cloud services which provide IaaS, SaaS, PaaS from the provider; we give data and information -
organization

Question: 20 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Question: 21 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

"Security baselines for Azure help you strengthen security through improved tooling, tracking, and security
features. They also provide you a consistent experience when securing your environment."

Reference:

https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cloud-services-security-baseline

Question: 22 CertyIQ
What is an example of encryption at rest?

A. encrypting communications by using a site-to-site VPN
B. encrypting a virtual machine disk
C. accessing a website by using an encrypted HTTPS connection
D. sending an encrypted email

Answer: B
Explanation:

Encryption at rest for PaaS customers

Platform as a Service (PaaS) customer's data typically resides in a storage service such as Blob Storage but
may also be cached or stored in the application execution environment, such as a virtual machine. To see the
encryption at rest options available to you, examine the Data encryption models: supporting services table for
the storage and application platforms that you use.

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

Question: 23 CertyIQ
Which three statements accurately describe the guiding principles of Zero Trust? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

A. Define the perimeter by physical locations.
B. Use identity as the primary security boundary.
C. Always verify the permissions of a user explicitly.
D. Always assume that the user system can be breached.
E. Use the network as the primary security boundary.

Answer: BCD

Explanation:

Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and
implementing the following set of security principles:

Verify explicitly

Use least privilege access

Assume breach

Reference:

https://docs.microsoft.com/en-us/security/zero-trust/

Question: 24 CertyIQ
HOTSPOT -
Which service should you use to view your Azure secure score? To answer, select the appropriate service in the
answer area.
Hot Area:
Answer:

Explanation:

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud.

Reference:

https://docs.microsoft.com/en-us/azure/security-center/secure-score-access-and-track

Question: 25 CertyIQ
DRAG DROP -
You are evaluating the compliance score in Compliance Manager.
Match the compliance score action subcategories to the appropriate actions.
To answer, drag the appropriate action subcategory from the column on the left to its action on the right. Each
action subcategory may be used once, more than once, or not at all.
NOTE: Each correct match is worth one point.
Select and Place:

Answer:

Explanation:
Box 1: Preventative -
Preventative actions address specific risks. For example, protecting information at rest using encryption is a
preventative action against attacks and breaches.
Separation of duties is a preventative action to manage conflict of interest and guard against fraud.

Box 2: Detective -
Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or
that can be used to detect intrusions or breaches.
Examples include system access auditing and privileged administrative actions. Regulatory compliance audits
are a type of detective action used to find process issues.

Box 3: Corrective -
Corrective actions try to keep the adverse effects of a security incident to a minimum, take corrective action
to reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective
action to limit damage and restore systems to an operational state after a breach.

Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation

Question: 26 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

Compliance Centre is now known as Microsoft Purview.

Sign in to Compliance Manager -

1. Go to the Microsoft Purview compliance portal and sign in with your Microsoft 365 global administrator
account.

2. Select Compliance Manager on the left navigation pane. You'll arrive at your Compliance Manager
dashboard.

The direct link to access Compliance Manager is https://compliance.microsoft.com/compliancemanager

Note: Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area
have been rebranded.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-setup

Question: 27 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:

Box 1: Yes -

Microsoft Secure Score has updated improvement actions to support security defaults in Azure Active
Directory, which make it easier to help protect your organization with pre-configured security settings for
common attacks.

If you turn on security defaults, you'll be awarded full points for the following improvement actions:

Ensure all users can complete multi-factor authentication for secure access (9 points)

Require MFA for administrative roles (10 points)

Enable policy to block legacy authentication (7 points)

Box 2: Yes -

Each improvement action is worth 10 points or less, and most are scored in a binary fashion. If you implement
the improvement action, like create a new policy or turn on a specific setting, you get 100% of the points. For
other improvement actions, points are given as a percentage of the total configuration.

Note: Following the Secure Score recommendations can protect your organization from threats. From a
centralized dashboard in the Microsoft 365 Defender portal, organizations can monitor and work on the
security of their Microsoft 365 identities, apps, and devices.

Box 3: No -

"Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This
baseline is a set of controls that includes key regulations and standards for data protection and general data
governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and
Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as
from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection
Regulation of the European Union)." source: https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score

Question: 28 CertyIQ
What can you use to provide a user with a two-hour window to complete an administrative task in Azure?

A. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
B. Azure Multi-Factor Authentication (MFA)
C. Azure Active Directory (Azure AD) Identity Protection
D. conditional access policies

Answer: A

Explanation:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks
of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of
the key features of Privileged Identity Management:

Provide just-in-time privileged access to Azure AD and Azure resources

Assign time-bound access to resources using start and end dates

Require approval to activate privileged roles

Enforce multi-factor authentication to activate any role

Use justification to understand why users activate

Get notifications when privileged roles are activated

Conduct access reviews to ensure users still need roles

Download audit history for internal or external audit

Prevents removal of the last active Global Administrator role assignment

Question: 29 CertyIQ
In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD DS)
and Azure Active Directory (Azure AD)?

A. Active Directory Federation Services (AD FS)


B. Microsoft Sentinel
C. Azure AD Connect
D. Azure AD Privileged Identity Management (PIM)

Answer: C

Explanation:

Azure AD Connect Sync Server.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
Question: 30 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Yes -
Azure AD supports custom roles.

Box 2: Yes -
Global Administrator has access to all administrative features in Azure Active Directory.

Box 3: No -

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Question: 31 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:
Box 1: No -
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.

Box 2: Yes -
Microsoft 365 uses Azure Active Directory (Azure AD). Azure Active Directory (Azure AD) is included with your
Microsoft 365 subscription.

Box 3: Yes -
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.

Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide

Question: 32 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:
Biometrics templates are stored locally on a device.

Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

Question: 33 CertyIQ
What is the purpose of Azure Active Directory (Azure AD) Password Protection?

A. to control how often users must change their passwords
B. to identify devices to which users can sign in without using multi-factor authentication (MFA)
C. to encrypt a password by using globally recognized encryption standards
D. to prevent users from using specific words in their passwords

Answer: D

Explanation:
Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also
block additional weak terms that are specific to your organization.
With Azure AD Password Protection, default global banned password lists are automatically applied to all
users in an Azure AD tenant. To support your own business and security needs, you can define entries in a
custom banned password list.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

Question: 34 CertyIQ
Which Azure Active Directory (Azure AD) feature can you use to evaluate group membership and automatically
remove users that no longer require membership in a group?

A. access reviews
B. managed identities
C. conditional access policies
D. Azure AD Identity Protection
Answer: A

Explanation:

There is no capability to AUTOMATICALLY remove user access rights. The whole point of (manual user-driven)
access reviews is that in some cases automation isn't possible. (See the link already provided here:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview)

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group
memberships, access to enterprise applications, and role assignments.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Question: 35 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional
form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

Question: 36 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Yes -

Box 2: No -
Conditional Access policies are enforced after first-factor authentication is completed.

Box 3: Yes -

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Question: 37 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active
Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious
insider actions directed at your organization.

Reference:

https://docs.microsoft.com/en-us/defender-for-identity/what-is

Question: 38 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:
Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active
Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious
insider actions directed at your organization.

Reference:
https://docs.microsoft.com/en-us/defender-for-identity/what-is
Question: 39 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:
Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service.

Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide

Question: 40 CertyIQ
Which Azure Active Directory (Azure AD) feature can you use to provide just-in-time (JIT) access to manage Azure
resources?

A. conditional access policies
B. Azure AD Identity Protection
C. Azure AD Privileged Identity Management (PIM)
D. authentication method policies

Answer: C

Explanation:
Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure
resources.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Question: 41 CertyIQ
Which three authentication methods can be used by Azure Multi-Factor Authentication (MFA)? Each correct
answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. text message (SMS)
B. Microsoft Authenticator app
C. email verification
D. phone call
E. security question

Answer: ABD

Explanation:

Available verification methods

When users sign in to an application or service and receive an MFA prompt, they can choose from one of their
registered forms of additional verification. Users can access My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app

Windows Hello for Business

FIDO2 security key

OATH hardware token (preview)

OATH software token

SMS

Voice call

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

Question: 42 CertyIQ
Which Microsoft 365 feature can you use to restrict communication and the sharing of information between
members of two departments at your organization?

A. sensitivity label policies
B. Customer Lockbox
C. information barriers
D. Privileged Access Management (PAM)

Answer: C

Explanation:
INFORMATION BARRIERS are a Microsoft 365 feature which you can use to restrict communication and the
sharing of information between members of two departments at your organization.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers

Question: 43 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Question: 44 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:
Box 1: Yes -
Conditional access policies can be applied to all users

Box 2: No -
Conditional access policies are applied after first-factor authentication is completed.

Box 3: Yes -
Users with devices of specific platforms or marked with a specific state can be used when enforcing
Conditional Access policies.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Question: 45 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:

When you register an application through the Azure portal, an application object and service principal are
automatically created in your home directory or tenant.

A service principal is a security identity used to represent an application in Azure Active Directory (AAD). It is
used to authenticate the application to access resources, and also to assign permissions to those resources.

A service principal is like a user identity (login and password or certificate) for an application.
An application object, on the other hand, is a representation of an application in Azure Active Directory. It
contains information about the application, such as its name and URL, as well as its associated service
principal.

In summary, a service principal is a security identity used to authenticate an application, while an application
object is a representation of the application in Azure Active Directory that contains information about the
application and its associated service principal.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Question: 46 CertyIQ
Which three authentication methods does Windows Hello for Business support? Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.

A. fingerprint
B. facial recognition
C. PIN
D. email verification
E. security question

Answer: ABC

Explanation:

Windows Hello in Windows 10 enables users to sign in to their device using a PIN.
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking
a device. With Windows Hello, authentication happens when the employee provides his or her unique
biometric identifier while accessing the device-specific Windows Hello credentials.

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise

Reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication

Question: 47 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Security defaults make it easier to help protect your organization from these attacks with preconfigured
security settings:

- Requiring all users to register for Azure AD Multi-Factor Authentication.

- Requiring administrators to do multi-factor authentication.

- Blocking legacy authentication protocols.

- Requiring users to do multi-factor authentication when necessary.

- Protecting privileged activities like access to the Azure portal.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Question: 48 CertyIQ
You have an Azure subscription.
You need to implement approval-based, time-bound role activation.
What should you use?

A. Windows Hello for Business
B. Azure Active Directory (Azure AD) Identity Protection
C. access reviews in Azure Active Directory (Azure AD)
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

Answer: D

Explanation:

D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is designed specifically for
implementing approval-based, time-bound role activation in an Azure subscription. PIM allows you to manage
and control access to privileged roles in Azure AD, Azure resources, and Azure AD-integrated SaaS apps. It
enables you to elevate access on a just-in-time basis and provides an approval workflow for role activation,
which can be restricted to specific time periods. This makes it an ideal choice for implementing the
requirements specified in the question.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Question: 49 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa

Question: 50 CertyIQ
When security defaults are enabled for an Azure Active Directory (Azure AD) tenant, which two requirements are
enforced? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. All users must authenticate from a registered device.
B. Administrators must always use Azure Multi-Factor Authentication (MFA).
C. Azure Multi-Factor Authentication (MFA) registration is required for all users.
D. All users must authenticate by using passwordless sign-in.
E. All users must authenticate by using Windows Hello.

Answer: BC

Explanation:
Security defaults make it easy to protect your organization with the following preconfigured security settings:
✑ Requiring all users to register for Azure AD Multi-Factor Authentication.
✑ Requiring administrators to do multi-factor authentication.
✑ Blocking legacy authentication protocols.
✑ Requiring users to do multi-factor authentication when necessary.
✑ Protecting privileged activities like access to the Azure portal.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Question: 51 CertyIQ
Which type of identity is created when you register an application with Active Directory (Azure AD)?

A. a user account
B. a user-assigned managed identity
C. a system-assigned managed identity
D. a service principal

Answer: D

Explanation:
When you register an application through the Azure portal, an application object and service principal are
automatically created in your home directory or tenant.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Question: 52 CertyIQ
Which three tasks can be performed by using Azure Active Directory (Azure AD) Identity Protection? Each correct
answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Configure external access for partner organizations.
B. Export risk detection to third-party utilities.
C. Automate the detection and remediation of identity-based risks.
D. Investigate risks that relate to user authentication.
E. Create and automatically assign sensitivity labels to data.

Answer: BCD

Explanation:

BCD

Directly from the SC-900 Fundamentals training slides:

Azure Identity Protection

Enables organizations to accomplish three key tasks:

• Automate the detection and remediation of identity based risks.

• Investigate risks using data in the portal.

• Export risk detection data to third party utilities for further analysis.

Question: 53 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:
Box 1: know -
Multifactor authentication combines two or more independent credentials: what the user knows, such as a
password; what the user has, such as a security token; and what the user is, by using biometric verification
methods.

Reference:
https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA

Question: 54 CertyIQ
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: No -
The Microsoft Authenticator app helps you sign in to your accounts when you're using two-factor verification.
Two-factor verification helps you to use your accounts more securely because passwords can be forgotten,
stolen, or compromised. Two-factor verification uses a second factor like your phone to make it harder for
other people to break in to your account.

Box 2: Yes -
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on
devices. This authentication consists of a new type of user credential that is tied to a device and uses a
biometric or PIN.

Box 3: No -
Windows Hello credentials are based on a certificate or asymmetrical key pair. Windows Hello credentials can
be bound to the device, and the token that is obtained using the credential is also bound to the device.

Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

Question: 55 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:

Answer:

Explanation:
Managed identities provide an identity for applications to use when connecting to resources that support
Azure Active Directory (Azure AD) authentication.
Here are some of the benefits of using managed identities:

- You don't need to manage credentials. Credentials aren't even accessible to you.

- You can use managed identities to authenticate to any resource that supports Azure AD authentication, including your own applications.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Question: 56 CertyIQ
HOTSPOT -
Select the answer that correctly completes the sentence.
Hot Area:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide