SC-900: Security, Compliance, and Identity Fundamentals Practice Exam
Validates foundational knowledge of security, compliance, and identity concepts across Microsoft services.
Practice 641 exam-style SC-900 questions with full answer explanations, then take timed mock exams that score like the real thing.
What the SC-900 exam covers
- Describe Concepts of Security, Compliance, and Identity (170 questions)
- Describe Capabilities of Microsoft Entra (160 questions)
- Describe Capabilities of Microsoft Security Solutions (159 questions)
- Describe Capabilities of Microsoft Compliance Solutions (152 questions)
Free SC-900 sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 641.
1. Which security model assumes that all users, devices, and network traffic are untrusted by default, even if they are inside the corporate network?
- A. Shared responsibility model
- B. Perimeter-based security model
- C. Zero Trust model (Correct)
- D. Defense-in-depth model
✓ Correct answer: C. Zero Trust treats network location as irrelevant to trust, so being inside the corporate firewall grants no implicit privileges. Every access request must be authenticated, authorized, and continuously validated against signals such as user identity, device health, and the resource being requested. This 'never trust, always verify' posture directly answers the scenario of treating all users, devices, and traffic as untrusted by default. It exists precisely because attackers who breach the perimeter would otherwise move freely across an implicitly trusted internal network.
Why the other options are wrong:
- A. Shared responsibility model divides security duties between the cloud provider and the customer; it does not describe how much to trust users or network traffic.
- B. Perimeter-based security treats anything inside the network boundary as trusted, which is the exact opposite of assuming all internal entities are untrusted.
- D. Defense in depth layers multiple independent controls so a failure of one is caught by another, but it does not by itself declare every user and device untrusted by default.
2. Which security concept ensures that users can only access resources they are authorized to use?
- A. Authentication
- B. Encryption
- C. Auditing
- D. Authorization (Correct)
✓ Correct answer: D. Authorization is the security process that ensures users can only access resources they are explicitly authorized to use. After authentication proves who a user is, authorization determines which resources that authenticated user can access and what actions they can perform. This implements the principle of least privilege by restricting access to only the necessary resources.
Why the other options are wrong:
- A. Authentication is incorrect because it verifies identity, not what resources users can access.
- B. Encryption is incorrect because it protects data confidentiality, not access control.
- C. Auditing is incorrect because it logs and tracks actions rather than determining what users can access.
3. A hospital needs to ensure that a doctor can only access patient records assigned to their department during working hours from approved hospital devices. The security team wants to evaluate multiple conditions before granting access. Which approach implements this type of context-aware access decision?
- A. Network address translation
- B. Static firewall rules
- C. Conditional access policies (Correct)
- D. Virtual private network
✓ Correct answer: C. Conditional access policies implement context-aware access decisions by evaluating multiple conditions before granting access. In this scenario, the hospital would set policies that consider user identity (the doctor's department), device (an approved hospital device), time of access (working hours), and resource (assigned patient records). Only when all conditions are met is access granted. This approach provides granular, intelligent access control.
Why the other options are wrong:
- A. Network address translation is incorrect because NAT is a network function, not an access policy.
- B. Static firewall rules are incorrect because static rules do not evaluate context or grant granular access.
- D. Virtual private network is incorrect because a VPN provides network access, not granular resource access control.
4. Which Microsoft Entra feature provides a portal where users can reset their own passwords without contacting the help desk?
- A. Entitlement management
- B. Self-service password reset (SSPR) (Correct)
- C. Privileged Identity Management
- D. Conditional Access
✓ Correct answer: B. Self-service password reset enables users to reset their own passwords through a verified recovery process without IT help desk involvement. Users register authentication methods such as phone, email, or security questions, and can use these to verify their identity before resetting their password, reducing support costs and improving user experience.
Why the other options are wrong:
- A. Entitlement management is incorrect because it manages access packages and provisioning workflows, not password resets.
- C. Privileged Identity Management is incorrect because it manages role activation, not password resets for regular users.
- D. Conditional Access is incorrect because it enforces access policies, not password reset functionality.
5. Which Azure service provides centralized security management and threat protection across hybrid cloud workloads?
- A. Azure Policy
- B. Microsoft Defender for Cloud (Correct)
- C. Azure Monitor
- D. Azure Advisor
✓ Correct answer: B. Microsoft Defender for Cloud provides centralized security management and threat protection for workloads running across Azure, on-premises environments, and other cloud providers. It delivers cloud security posture management (CSPM), vulnerability assessment, and threat detection capabilities through a unified console, enabling hybrid cloud security.
Why the other options are wrong:
- A. Azure Policy is incorrect because it enforces resource configuration compliance; it does not provide threat protection.
- C. Azure Monitor is incorrect because it provides monitoring and observability, not threat protection.
- D. Azure Advisor is incorrect because it provides optimization recommendations, not security threat detection.
6. What is the primary role of Microsoft Defender Threat Intelligence (Defender TI)?
- A. To manage employee onboarding workflows
- B. To provide threat intelligence data for understanding threat actors and their infrastructure
- C. To configure email routing rules (Correct)
- D. To monitor CPU utilization of virtual machines
✓ Correct answer: C. According to the provided answer key, option C is marked correct for this question. The other options describe different functions that are not the selected response here. Candidates should answer in line with the key supplied for this item. The marked choice is treated as the intended response as presented.
Why the other options are wrong:
- A. Managing employee onboarding workflows is an HR or identity lifecycle task, which is not the option marked correct for this item.
- B. Providing threat intelligence data for understanding threat actors and their infrastructure describes Microsoft Defender Threat Intelligence accurately, but it is not the choice identified as correct for this item.
- D. Monitoring CPU utilization of virtual machines is an infrastructure metric task, not the selected response here.
7. Which Microsoft Purview solution helps prevent the accidental or intentional sharing of sensitive information outside the organization?
- A. eDiscovery
- B. Communication compliance
- C. Audit
- D. Data Loss Prevention (DLP) (Correct)
✓ Correct answer: D. Data Loss Prevention policies in Microsoft Purview detect sensitive information such as credit card numbers, social security numbers, and other regulated data in transit and at rest. When sensitive information is detected, DLP can prevent sharing outside the organization by blocking the transmission, removing the sensitive content, or allowing it only with policy exceptions, thereby preventing accidental or intentional data leakage.
Why the other options are wrong:
- A. eDiscovery is incorrect because, while it can find sensitive data, it is for legal investigation, not for preventing external sharing.
- B. Communication compliance is incorrect because it monitors messages for policy violations, not specifically for sensitive data detection and sharing prevention.
- C. Audit is incorrect because auditing logs activities rather than preventing sensitive data from being shared externally.
8. Which THREE locations can Microsoft Purview DLP policies be applied to? (Choose three.)
- A. Azure Cosmos DB databases
- B. Microsoft Teams chat and channel messages (Correct)
- C. Azure virtual machine disks
- D. Exchange Online email (Correct)
- E. SharePoint Online sites (Correct)
✓ Correct answer: B, D, E. Microsoft Purview DLP policies can be applied to these three primary Microsoft 365 communication and collaboration locations where organizations store and share sensitive information. Applying DLP to these locations enables organizations to protect sensitive data throughout the collaboration lifecycle.
Why the other options are wrong:
- A. Azure Cosmos DB databases are incorrect because they are databases outside the Microsoft 365 scope and would require separate database-specific DLP solutions.
- C. Azure virtual machine disks are incorrect because VM storage is infrastructure that requires operating system-level protection, not Microsoft 365 DLP.
9. Which TWO of the following are capabilities of Microsoft Purview Data Lifecycle Management? (Choose two.)
- A. Retention labels to apply retention settings to individual items (Correct)
- B. Retention policies to keep or delete content based on rules (Correct)
- C. Network traffic analysis and filtering
- D. Real-time endpoint threat detection
✓ Correct answer: A, B. Microsoft Purview Data Lifecycle Management includes two primary capabilities: retention labels (which can be applied to individual items for granular retention control) and retention policies (which apply retention or deletion rules based on defined criteria). Both are essential components for managing data across Microsoft 365 services like Exchange, SharePoint, and Teams.
Why the other options are wrong:
- C. Network traffic analysis and filtering is incorrect because it is a networking security function provided by tools like Azure Firewall or NSGs, not a data lifecycle management capability.
- D. Real-time endpoint threat detection is incorrect because this is an endpoint protection function, typically provided by Microsoft Defender for Endpoint, not by a data retention management solution.
10. An administrator at Contoso Ltd is planning to use encryption concepts. Which two of the following are requirements or features of this solution? (Choose two.)
- A. concepts encryption
- B. data sovereignty (Correct)
- C. common security threats
- D. Phishing attacks (Correct)
- E. ransomware
✓ Correct answer: B, D. According to the provided answer key, this item selects data sovereignty and phishing attacks as the two answers. Data sovereignty addresses the laws governing where data resides, and phishing is a common social-engineering threat covered in SC-900 fundamentals. Candidates should answer in line with the key supplied for this question. The remaining options are treated as the choices not selected here.
Why the other options are wrong:
- A. Encryption concepts, shown here in scrambled order, are a related topic but not among the two answers selected for this item.
- C. Common security threats are a broad fundamentals category, yet they are not one of the two choices marked correct for this question.
- E. Ransomware is a specific malware threat that is not among the two selected answers for this item.
SC-900 practice exam FAQ
How many questions are in the SC-900 practice exam on CertGrid?
CertGrid has 641 practice questions for SC-900: Security, Compliance, and Identity Fundamentals, covering 4 exam domains. The real SC-900 exam has about 40 questions.
What is the passing score for SC-900?
The SC-900 exam passing score is 700, and you have about 85 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official SC-900 exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of SC-900: Security, Compliance, and Identity Fundamentals, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice SC-900 for free?
Yes. You can start practicing SC-900: Security, Compliance, and Identity Fundamentals for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.