Microsoft SC-900 Certification Exam

360 Questions and Answers

SC-900 Microsoft Security, Compliance, and Identity Fundamentals Practice Exam

The SC-900 Microsoft Security, Compliance, and Identity Fundamentals Exam is an essential certification for anyone looking to validate their foundational knowledge of Microsoft security, compliance, and identity solutions. This certification is designed for professionals who want to demonstrate their understanding of the core principles that help protect organizations’ data and digital environments using Microsoft technologies.

What is the SC-900 Certification Exam?

The SC-900 exam tests your grasp of basic security, compliance, and identity concepts as they apply within Microsoft cloud services. It is ideal for beginners or individuals involved in sales, marketing, or technical roles who require a broad understanding of Microsoft’s security ecosystem. Unlike more advanced certifications, SC-900 focuses on the fundamentals, making it accessible even if you don’t have deep technical experience.

By passing this exam, candidates showcase their ability to describe Microsoft’s security, compliance, and identity solutions, including how they support organizational security posture and regulatory compliance.

What Will You Learn?

Preparing for the SC-900 exam helps you gain comprehensive insights into important concepts such as:

  • Core security principles in Microsoft Azure and Microsoft 365

  • Identity and access management (IAM) using Azure Active Directory (Azure AD)

  • Compliance management and data protection using Microsoft Purview

  • Microsoft Defender solutions for threat protection and endpoint security

  • Risk management strategies, including Conditional Access and Multi-Factor Authentication (MFA)

This foundational knowledge equips you with the confidence to contribute to your organization’s security strategy or take a first step toward more advanced Microsoft security certifications.

Key Topics Covered

The SC-900 exam covers a wide range of relevant topics, including:

  • Security, compliance, and identity concepts: Understand basic terminology and principles related to cybersecurity, compliance frameworks, and identity management.

  • Microsoft identity and access management solutions: Learn how Azure AD manages users, groups, and roles, and how Conditional Access enforces policies based on risk.

  • Microsoft security solutions: Explore Microsoft Defender’s role in threat detection and response, including email and endpoint protection.

  • Microsoft compliance solutions: Gain knowledge of Microsoft Purview tools that assist in data classification, retention, and regulatory compliance.

  • Risk management: Study how Microsoft’s security tools help identify and mitigate risks, including identity protection and insider risk management.

Why Choose Exam Sage for Your SC-900 Exam Preparation?

Exam Sage offers a comprehensive, up-to-date practice exam specifically tailored to the SC-900 certification. Our questions are carefully crafted by experts to reflect the latest exam objectives and real-world scenarios. By practicing with Exam Sage, you gain:

  • Detailed explanations: Understand the reasoning behind each answer to deepen your learning.

  • Realistic practice environment: Simulate the actual exam experience with timed tests and varied question formats.

  • Continuous updates: Stay current with evolving exam content as Microsoft updates its certification standards.

  • Convenient access: Study anytime, anywhere with our user-friendly platform.

Passing the SC-900 exam with Exam Sage’s preparation materials can accelerate your career by proving your foundational security and compliance knowledge with Microsoft technologies.

Sample Questions and Answers

1. What is the primary purpose of Microsoft Defender for Endpoint?

A) Manage user identities across the organization
B) Provide cloud-based threat protection for email
C) Detect, investigate, and respond to advanced threats on endpoints
D) Manage compliance policies for data retention

Answer: C) Detect, investigate, and respond to advanced threats on endpoints

Explanation: Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on endpoints such as desktops, laptops, and servers.


2. Which Microsoft service is primarily responsible for managing identities and access to cloud applications?

A) Azure Active Directory
B) Microsoft Information Protection
C) Microsoft Intune
D) Azure Sentinel

Answer: A) Azure Active Directory

Explanation: Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources securely.


3. What does the Zero Trust security model assume?

A) Trust all internal users by default
B) Assume breach and verify explicitly
C) Only external users pose a threat
D) Network perimeter is the only defense

Answer: B) Assume breach and verify explicitly

Explanation: The Zero Trust model assumes no implicit trust in any user or device, regardless of location, and requires continuous verification of identity and device compliance before granting access.


4. Which compliance framework does Microsoft align with to help customers comply with global standards?

A) HIPAA
B) GDPR
C) ISO/IEC 27001
D) All of the above

Answer: D) All of the above

Explanation: Microsoft aligns with multiple compliance frameworks, including HIPAA, GDPR, and ISO/IEC 27001, to help customers meet regulatory requirements across industries and regions.


5. What feature does Microsoft Information Protection use to classify and protect data?

A) Machine learning classification
B) Encryption key management only
C) Firewall rules
D) User password policies

Answer: A) Machine learning classification

Explanation: Microsoft Information Protection uses machine learning and predefined policies to classify, label, and protect sensitive data automatically.


6. What is the role of Microsoft Defender for Identity?

A) Protect cloud applications from external attacks
B) Detect identity-related threats and compromised credentials on-premises
C) Manage endpoint configurations
D) Automate compliance reporting

Answer: B) Detect identity-related threats and compromised credentials on-premises

Explanation: Microsoft Defender for Identity helps detect advanced identity threats and malicious activities within an on-premises Active Directory environment.


7. What type of authentication does Azure AD support to enhance security?

A) Password-only authentication
B) Multi-Factor Authentication (MFA)
C) Single password for all services
D) No authentication required

Answer: B) Multi-Factor Authentication (MFA)

Explanation: Azure AD supports Multi-Factor Authentication, which requires users to verify their identity through multiple methods to enhance security.


8. What is the Microsoft Compliance Manager?

A) A tool to monitor endpoint security
B) A service to help organizations manage regulatory compliance activities
C) A firewall management tool
D) A device management solution

Answer: B) A service to help organizations manage regulatory compliance activities

Explanation: Microsoft Compliance Manager is a workflow-based risk assessment tool that helps organizations track compliance with regulations and standards.


9. Which of the following is a key principle of identity and access management (IAM)?

A) Grant all users admin access by default
B) Use least privilege access
C) Allow anonymous access to all resources
D) Disable authentication mechanisms

Answer: B) Use least privilege access

Explanation: IAM principles include providing users with the minimum access necessary to perform their jobs to reduce the risk of unauthorized access.


10. Which Microsoft tool provides a centralized dashboard for threat detection and response across Microsoft 365?

A) Azure Security Center
B) Microsoft Defender Security Center
C) Azure Sentinel
D) Microsoft Intune

Answer: B) Microsoft Defender Security Center

Explanation: Microsoft Defender Security Center provides a centralized view to detect, investigate, and respond to threats across Microsoft 365 services.


11. What is Conditional Access in Azure AD?

A) Automatic software updates for devices
B) A tool to configure security policies based on user, device, and location
C) A firewall rule set
D) A password recovery tool

Answer: B) A tool to configure security policies based on user, device, and location

Explanation: Conditional Access allows organizations to enforce access controls based on conditions such as user risk, device compliance, and network location.


12. What does Data Loss Prevention (DLP) help to prevent?

A) Unauthorized access to user accounts
B) Data breaches by blocking sensitive data sharing
C) Network outages
D) Software installation

Answer: B) Data breaches by blocking sensitive data sharing

Explanation: DLP policies help detect and prevent unintentional or malicious sharing of sensitive information outside the organization.


13. Which compliance score indicates an organization is fully compliant in Microsoft Compliance Manager?

A) 100%
B) 0%
C) 50%
D) 75%

Answer: A) 100%

Explanation: A compliance score of 100% indicates all controls and actions required for a specific regulation are fully implemented.


14. What kind of threats does Microsoft Defender for Office 365 protect against?

A) Email phishing and malware
B) Network intrusion only
C) Physical theft
D) Software bugs

Answer: A) Email phishing and malware

Explanation: Microsoft Defender for Office 365 helps protect organizations from phishing attacks, malicious links, and malware in email and collaboration tools.


15. What is the function of Privileged Identity Management (PIM) in Azure AD?

A) Automate user password resets
B) Provide just-in-time privileged access with time-bound permissions
C) Monitor endpoint health
D) Encrypt data at rest

Answer: B) Provide just-in-time privileged access with time-bound permissions

Explanation: PIM helps secure privileged accounts by providing time-limited access to admins and reducing the risk of standing admin privileges.


16. What is a key feature of Azure Sentinel?

A) Endpoint antivirus protection
B) Cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR)
C) Email filtering
D) Data classification

Answer: B) Cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR)

Explanation: Azure Sentinel is a cloud-native SIEM and SOAR tool that collects security data across the enterprise to detect and respond to threats.


17. What is Microsoft Intune primarily used for?

A) Managing mobile devices and applications
B) Identity management
C) Compliance reporting
D) Email filtering

Answer: A) Managing mobile devices and applications

Explanation: Microsoft Intune is a cloud-based service for managing mobile devices, apps, and enforcing device compliance policies.


18. What does Microsoft Secure Score measure?

A) The health of your network devices
B) The security posture of your Microsoft 365 environment
C) The number of users in Azure AD
D) The speed of your internet connection

Answer: B) The security posture of your Microsoft 365 environment

Explanation: Microsoft Secure Score evaluates your security configuration and suggests improvements to reduce risk.


19. Which of the following is NOT a type of sensitivity label in Microsoft Information Protection?

A) Confidential
B) Public
C) Encrypted
D) Spam

Answer: D) Spam

Explanation: Spam is not a sensitivity label; labels classify data as Confidential, Public, Internal, etc., often with encryption applied.


20. What is the benefit of using Multi-Factor Authentication (MFA)?

A) Speeds up user logins
B) Requires users to provide two or more verification methods to reduce unauthorized access
C) Removes the need for passwords
D) Prevents all malware infections

Answer: B) Requires users to provide two or more verification methods to reduce unauthorized access

Explanation: MFA increases security by requiring additional verification beyond just a password.


21. What is an identity protection risk detected by Azure AD Identity Protection?

A) A device with outdated software
B) Suspicious sign-in behavior, like impossible travel
C) Network congestion
D) Low battery on user device

Answer: B) Suspicious sign-in behavior, like impossible travel

Explanation: Azure AD Identity Protection identifies risks such as suspicious sign-in patterns that indicate compromised credentials.


22. What is the purpose of a retention label in Microsoft 365 compliance?

A) To classify data for deletion or preservation according to policy
B) To encrypt files
C) To manage user permissions
D) To filter spam emails

Answer: A) To classify data for deletion or preservation according to policy

Explanation: Retention labels help organizations meet compliance by managing data lifecycle and ensuring important data is retained or deleted properly.


23. Which Microsoft compliance solution helps organizations meet GDPR requirements?

A) Azure Firewall
B) Microsoft Compliance Manager
C) Microsoft Teams
D) Windows Defender

Answer: B) Microsoft Compliance Manager

Explanation: Compliance Manager helps organizations assess their GDPR compliance status and manage improvement actions.


24. What is a security baseline?

A) A pre-configured group of security settings recommended by Microsoft
B) A software update package
C) A hardware device used for authentication
D) An antivirus software

Answer: A) A pre-configured group of security settings recommended by Microsoft

Explanation: Security baselines provide organizations with recommended security settings to apply to devices and applications.


25. What type of access control does Azure AD implement by default?

A) Role-based access control (RBAC)
B) Mandatory access control (MAC)
C) Discretionary access control (DAC)
D) No access control

Answer: A) Role-based access control (RBAC)

Explanation: Azure AD uses RBAC to assign permissions based on roles to users and groups.


26. What does Microsoft Purview Information Protection help protect?

A) User credentials
B) Sensitive data across cloud and on-premises environments
C) Firewall rules
D) Network traffic

Answer: B) Sensitive data across cloud and on-premises environments

Explanation: Microsoft Purview Information Protection classifies and protects sensitive data wherever it lives or travels.


27. Which service is designed to help detect insider threats in Microsoft 365?

A) Microsoft Defender for Identity
B) Azure Sentinel
C) Microsoft Defender for Cloud Apps (formerly MCAS)
D) Azure AD Connect

Answer: C) Microsoft Defender for Cloud Apps (formerly MCAS)

Explanation: Defender for Cloud Apps helps detect unusual user activity and potential insider threats across cloud services.


28. What is the primary function of Microsoft Azure AD Connect?

A) Synchronize on-premises Active Directory with Azure AD
B) Manage device encryption
C) Block phishing emails
D) Enforce compliance policies

Answer: A) Synchronize on-premises Active Directory with Azure AD

Explanation: Azure AD Connect syncs identities and credentials from on-premises AD to Azure AD for hybrid identity management.


29. What is the function of Microsoft Endpoint Manager?

A) Manage and secure all endpoints, including PCs and mobile devices
B) Encrypt email messages
C) Provide antivirus protection for servers
D) Analyze security logs

Answer: A) Manage and secure all endpoints, including PCs and mobile devices

Explanation: Endpoint Manager includes Intune and Configuration Manager to manage device security and compliance.


30. Which Microsoft service provides audit and activity logs for security investigations?

A) Azure Sentinel
B) Microsoft Defender for Office 365
C) Microsoft 365 Compliance Center
D) Azure Firewall

Answer: C) Microsoft 365 Compliance Center

Explanation: The Compliance Center provides audit logs and reports to investigate user and admin activities related to security and compliance.


31. Which of the following best describes the purpose of Microsoft Defender for Cloud?

A) To secure Azure resources by providing threat protection and compliance monitoring
B) To provide identity and access management
C) To encrypt files stored in OneDrive
D) To filter spam in Outlook

Answer: A) To secure Azure resources by providing threat protection and compliance monitoring

Explanation: Microsoft Defender for Cloud helps secure Azure and hybrid environments by providing threat detection, vulnerability assessments, and compliance management.


32. What capability does Azure AD Identity Protection offer?

A) Managing group policies on Windows devices
B) Detecting and mitigating identity-based risks such as compromised accounts
C) Encrypting data at rest in Azure Storage
D) Automating software updates for devices

Answer: B) Detecting and mitigating identity-based risks such as compromised accounts

Explanation: Azure AD Identity Protection uses signals and machine learning to detect suspicious activities and allows administrators to configure risk-based policies.


33. What is the primary benefit of Microsoft Information Protection’s sensitivity labels?

A) Blocking external emails automatically
B) Classifying and protecting data based on sensitivity
C) Controlling user access to the network
D) Enhancing device performance

Answer: B) Classifying and protecting data based on sensitivity

Explanation: Sensitivity labels help organizations apply classification and protection such as encryption or access restrictions on documents and emails.


34. What does the term “compliance score” in Microsoft Compliance Manager represent?

A) Number of security incidents detected
B) The percentage of compliance controls an organization has implemented
C) The average number of audit logs generated daily
D) Total number of user accounts

Answer: B) The percentage of compliance controls an organization has implemented

Explanation: Compliance score measures how well an organization has implemented recommended compliance controls based on assessments.


35. Which service in Microsoft 365 helps you create and enforce Data Loss Prevention (DLP) policies?

A) Microsoft Defender for Endpoint
B) Microsoft Purview Compliance Portal
C) Azure Security Center
D) Microsoft Intune

Answer: B) Microsoft Purview Compliance Portal

Explanation: The Compliance Portal allows admins to create DLP policies to protect sensitive data from being accidentally or intentionally leaked.


36. What is the primary function of Microsoft Azure AD B2C?

A) Managing internal employee identities
B) Managing external customer identities and access
C) Encrypting data in transit
D) Monitoring cloud application usage

Answer: B) Managing external customer identities and access

Explanation: Azure AD B2C provides identity and access management for consumer-facing applications.


37. Which of the following is NOT a core pillar of Microsoft’s Zero Trust model?

A) Verify explicitly
B) Assume breach
C) Trust but verify
D) Least privilege access

Answer: C) Trust but verify

Explanation: The Zero Trust model assumes no trust and requires continuous verification, eliminating the “trust but verify” approach.


38. What is the key purpose of Conditional Access policies in Azure AD?

A) To provide access to users based on conditions such as location, device state, or user risk
B) To back up user data to the cloud
C) To update device firmware remotely
D) To block access to specific websites

Answer: A) To provide access to users based on conditions such as location, device state, or user risk

Explanation: Conditional Access enforces access controls based on real-time signals to improve security.


39. How does Microsoft Intune contribute to endpoint security?

A) By providing antivirus scanning for mobile devices
B) By managing device compliance and configuration policies remotely
C) By encrypting network traffic
D) By filtering email attachments

Answer: B) By managing device compliance and configuration policies remotely

Explanation: Intune enables admins to enforce policies, deploy software, and monitor compliance on managed devices.


40. What is Microsoft Cloud App Security (MCAS) primarily used for?

A) Monitoring and controlling cloud app usage across an organization
B) Managing device encryption keys
C) Filtering inbound emails
D) Managing user identities

Answer: A) Monitoring and controlling cloud app usage across an organization

Explanation: MCAS provides visibility and control over cloud apps, helping detect shadow IT and potential risks.


41. Which Microsoft 365 service provides audit logs and investigation tools for compliance?

A) Microsoft Defender for Endpoint
B) Microsoft 365 Compliance Center
C) Azure AD Connect
D) Azure Sentinel

Answer: B) Microsoft 365 Compliance Center

Explanation: The Compliance Center offers audit logs, content searches, and investigation tools for compliance management.


42. Which of the following best describes Role-Based Access Control (RBAC) in Azure AD?

A) Assigning permissions based on a user’s job role
B) Assigning random permissions to users
C) Providing unrestricted access to all users
D) Automatically creating user accounts

Answer: A) Assigning permissions based on a user’s job role

Explanation: RBAC simplifies management by assigning users permissions based on their role within an organization.


43. What does Microsoft Secure Score help organizations do?

A) Evaluate and improve their security posture in Microsoft 365
B) Measure network bandwidth usage
C) Encrypt emails automatically
D) Manage mobile devices

Answer: A) Evaluate and improve their security posture in Microsoft 365

Explanation: Secure Score provides actionable recommendations to improve security.


44. Which Microsoft service automates threat detection using Artificial Intelligence?

A) Azure Sentinel
B) Microsoft Intune
C) Microsoft Teams
D) Azure Firewall

Answer: A) Azure Sentinel

Explanation: Azure Sentinel uses AI and automation to detect, investigate, and respond to security threats.


45. What kind of attacks does Microsoft Defender for Endpoint help protect against?

A) Phishing emails only
B) Malware, ransomware, and advanced persistent threats on endpoints
C) Network traffic sniffing
D) Social engineering

Answer: B) Malware, ransomware, and advanced persistent threats on endpoints

Explanation: Defender for Endpoint provides comprehensive threat detection and response capabilities on devices.


46. What is the purpose of Microsoft Information Protection (MIP)?

A) Manage firewall rules
B) Classify, label, and protect sensitive data
C) Manage network bandwidth
D) Backup user devices

Answer: B) Classify, label, and protect sensitive data

Explanation: MIP helps secure sensitive data by applying classification and protection policies.


47. What does the “Assume Breach” principle in Zero Trust mean?

A) Assume every user is trustworthy
B) Assume attackers may already be inside the network and design security accordingly
C) Only focus on perimeter security
D) Ignore internal threats

Answer: B) Assume attackers may already be inside the network and design security accordingly

Explanation: It guides organizations to implement layered defenses anticipating that breaches can happen anywhere.


48. What is the difference between a sensitivity label and a retention label?

A) Sensitivity labels protect data; retention labels govern data lifecycle
B) Sensitivity labels delete data; retention labels encrypt data
C) Both labels have the same function
D) Retention labels protect data; sensitivity labels govern lifecycle

Answer: A) Sensitivity labels protect data; retention labels govern data lifecycle

Explanation: Sensitivity labels apply protection (like encryption), while retention labels define how long data is kept or deleted.


49. Which Microsoft tool helps you automate the response to security alerts?

A) Azure Sentinel SOAR capabilities
B) Microsoft Intune
C) Azure AD Connect
D) Microsoft Compliance Manager

Answer: A) Azure Sentinel SOAR capabilities

Explanation: Security Orchestration Automated Response (SOAR) in Sentinel automates and orchestrates responses to threats.


50. Which of the following helps organizations comply with data residency requirements?

A) Azure region selection and data residency policies
B) Azure AD B2C
C) Microsoft Intune compliance policies
D) Microsoft Defender for Endpoint

Answer: A) Azure region selection and data residency policies

Explanation: Organizations can select Azure regions to ensure data is stored within specific geographic locations to meet legal requirements.


51. Which feature of Azure AD helps reduce risk by requiring approval for privileged access?

A) Azure AD Privileged Identity Management (PIM)
B) Conditional Access
C) Azure AD B2B
D) MFA

Answer: A) Azure AD Privileged Identity Management (PIM)

Explanation: PIM requires just-in-time access with approval workflows for admin roles.


52. What is the main function of Microsoft Defender for Office 365?

A) Protect endpoints from malware
B) Provide threat protection for email and collaboration tools
C) Manage mobile devices
D) Classify sensitive data

Answer: B) Provide threat protection for email and collaboration tools

Explanation: Defender for Office 365 protects against phishing, malware, and unsafe attachments in emails and Teams.


53. What is an example of a data compliance control?

A) Encryption of data at rest and in transit
B) User password length requirements
C) Endpoint antivirus software
D) Network traffic filtering

Answer: A) Encryption of data at rest and in transit

Explanation: Compliance controls often include encryption to protect sensitive data according to regulations.


54. What does Microsoft 365 Defender unify?

A) Security across email, endpoints, identities, and apps
B) Device management tools
C) Office productivity applications
D) Cloud storage services

Answer: A) Security across email, endpoints, identities, and apps

Explanation: It provides integrated threat protection across Microsoft 365 environments.


55. How does Microsoft Defender for Cloud Apps (MCAS) help protect SaaS applications?

A) By monitoring usage patterns and enforcing policies on cloud apps
B) Encrypting SaaS data at rest
C) Managing user identities
D) Updating app software

Answer: A) By monitoring usage patterns and enforcing policies on cloud apps

Explanation: MCAS provides visibility and control over sanctioned and unsanctioned cloud apps.


56. What is the purpose of a “security alert” in Microsoft Defender?

A) Notify admins of potential security threats
B) Automatically block user access
C) Delete suspicious files
D) Update antivirus signatures

Answer: A) Notify admins of potential security threats

Explanation: Alerts help security teams respond quickly to threats and vulnerabilities.


57. Which of the following best describes Microsoft Compliance Manager?

A) A tool to assess and manage compliance risks and controls
B) A firewall configuration tool
C) A cloud-based backup solution
D) An endpoint antivirus program

Answer: A) A tool to assess and manage compliance risks and controls

Explanation: Compliance Manager helps track, assess, and improve compliance with regulations.


58. What does Azure AD Connect enable?

A) Synchronization of on-premises AD identities with Azure AD
B) Cloud-based antivirus protection
C) Automated compliance reporting
D) Email filtering

Answer: A) Synchronization of on-premises AD identities with Azure AD

Explanation: Azure AD Connect bridges on-premises and cloud identity environments.


59. How does Microsoft Defender for Endpoint help in threat investigation?

A) By providing detailed telemetry and forensic data on endpoint activity
B) By blocking all external devices
C) By scanning emails only
D) By resetting user passwords automatically

Answer: A) By providing detailed telemetry and forensic data on endpoint activity

Explanation: This allows security teams to understand attack vectors and respond effectively.


60. What is the main goal of Microsoft’s Secure Score?

A) To help organizations measure and improve their security posture with actionable insights
B) To score user productivity
C) To rate internet speed
D) To measure device health

Answer: A) To help organizations measure and improve their security posture with actionable insights

Explanation: Secure Score quantifies security and suggests improvements.