Free Microsoft SC-900 Practice Test Questions MCQs

Stop wondering if you're ready. Our Microsoft SC-900 practice test is designed to identify your exact knowledge gaps. Validate your skills with Microsoft Security Compliance and Identity Fundamentals questions that mirror the real exam's format and difficulty. Build a personalized study plan based on your performance on the free SC-900 exam questions (MCQs), focusing your effort where it matters most.

Targeted practice like this helps candidates feel significantly more prepared for Microsoft Security Compliance and Identity Fundamentals exam day.

Updated on: 3-Mar-2026
85 Questions
Microsoft Security Compliance and Identity Fundamentals

Page 1 out of 9 Pages

Select the answer that correctly completes the sentence.




Explanation:
In Microsoft 365 Defender (Security Center), you can use incidents to identify devices, users, and entities affected by alerts.
An incident in Microsoft 365 Defender automatically groups related alerts together that are likely part of the same attack or campaign. This allows security analysts to see all impacted assets — including devices, users, mailboxes, and applications — in a single view for investigation and response.
Classifications – refer to data labeling (like confidential, internal, public), not alerts or device tracking.
Policies – define security or compliance rules but don’t show affected devices for alerts.
Secure score – measures your organization’s security posture, not incident details.

Reference:
Microsoft Learn: Investigate incidents in Microsoft 365 Defender
Microsoft 365 Defender overview

In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)?

A. Active Directory Federation Services (AD FS)

B. Azure Sentinel

C. Azure AD Connect

D. Azure AD Privileged Identity Management (PIM)

Answer: C. Azure AD Connect

Explanation:
In a hybrid identity model, organizations use both on-premises Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD).
To ensure that user identities are synchronized between these environments, Azure AD Connect is the tool designed for this purpose.

Azure AD Connect:
Synchronizes on-premises users, groups, and passwords to Azure AD.
Enables Single Sign-On (SSO) so users can access both cloud and on-prem resources with one identity.
Can also support password hash synchronization, pass-through authentication, or federation depending on your configuration.

Why other options are incorrect:
A. Active Directory Federation Services (AD FS):
Used for authentication (federation), not for syncing identities. It can work with Azure AD Connect but doesn’t perform the synchronization itself.
B. Azure Sentinel:
A cloud-native SIEM (Security Information and Event Management) solution, used for security monitoring and analytics, not identity synchronization.
D. Azure AD Privileged Identity Management (PIM):
Used to manage, monitor, and control privileged access in Azure AD, not for syncing user accounts or passwords.

Reference:
Microsoft Learn: What is Azure AD Connect?
Microsoft Identity platform overview

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.




Explanation:
1. Azure Defender can detect vulnerabilities and threats for Azure Storage. ✅ Yes
Azure Defender for Storage (now part of Microsoft Defender for Cloud) provides threat protection for Azure Blob Storage.
It detects unusual and potentially harmful attempts to access or exploit storage accounts, including malware uploads and data exfiltration.
Reference:
Microsoft Defender for Storage

2. Cloud Security Posture Management (CSPM) is available for all Azure subscriptions. ❌ No
CSPM features in Microsoft Defender for Cloud are only available in subscriptions onboarded to Defender for Cloud.
Some CSPM capabilities require enabling Defender plans or using Azure Policy initiatives, which are not automatically included in all subscriptions.
Reference:
Defender for Cloud CSPM capabilities

3. Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises. ✅ Yes
Azure Security Center (now part of Microsoft Defender for Cloud) supports hybrid environments.
It can assess workloads in Azure, on-premises, and even in other clouds via Azure Arc integration.
Reference:
Hybrid security with Defender for Cloud

What can you use to provision Azure resources across multiple subscriptions in a consistent manner?

A. Azure Defender

B. Azure Blueprints

C. Azure Sentinel

D. Azure Policy

Answer: B. Azure Blueprints

Explanation:
Azure Blueprints is specifically designed for this purpose. It allows you to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. You can package together key artifacts like:

Role Assignments
Policy Assignments
Azure Resource Manager (ARM) Templates
Resource Groups

Once defined, a blueprint can be applied to multiple subscriptions in a consistent manner. This ensures that every subscription you create is set up according to the same governance, security, and compliance rules from the very start.

Why the other options are incorrect:
A. Azure Defender:
This is a cloud workload protection platform (CWPP) for advanced threat protection across Azure, hybrid, and multi-cloud environments. It is a security tool, not a resource provisioning and governance tool.
C. Azure Sentinel:
This is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It is used for security analytics and alerting, not for deploying resources.
D. Azure Policy:
While Azure Policy is a core component of governance and is often used within an Azure Blueprint, its primary function is to enforce organizational standards and assess compliance at scale. It focuses on creating, assigning, and managing policy definitions that enforce rules for resource properties. It does not, by itself, provision a full set of resources like virtual networks or storage accounts across subscriptions.

Reference:
Microsoft Learn: What is Azure Blueprints? - "Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements."

What can you use to provide threat detection for Azure SQL Managed Instance?

A. Microsoft Secure Score

B. application security groups

C. Azure Defender

D. Azure Bastion

Answer: C. Azure Defender

Explanation:
Azure Defender, integrated into Microsoft Defender for Cloud, provides advanced threat protection for Azure SQL Managed Instance. It offers real-time threat detection by monitoring database activities for suspicious patterns, such as SQL injection attempts, unusual access locations, or anomalous data extraction. Azure Defender uses machine learning and behavioral analytics to identify threats, generating actionable alerts with remediation steps. These alerts can be viewed in the Azure portal or sent via email, enabling quick response to potential security incidents. For Azure SQL Managed Instance, enabling Azure Defender at the subscription level ensures comprehensive coverage for all databases, enhancing security with features like vulnerability assessments and threat intelligence.

Why other options are incorrect:
A. Microsoft Secure Score:
This tool assesses an organization’s security posture by providing a numerical score based on implemented security controls and recommendations. It focuses on improving overall security hygiene across Azure resources but does not offer real-time threat detection or monitoring for specific services like Azure SQL Managed Instance. It’s more about proactive security improvement than reactive threat detection.
B. Application Security Groups (ASGs):
ASGs are used to simplify network security management by grouping virtual machines and applying network security group (NSG) rules to control traffic. They operate at the network layer and are not designed to monitor or detect threats within database services like Azure SQL Managed Instance, making them irrelevant for this use case.
D. Azure Bastion:
This service provides secure RDP and SSH connectivity to Azure virtual machines through a browser or the Azure portal, eliminating the need for public IP addresses. It focuses on secure access to VMs, not on monitoring or protecting database services like Azure SQL Managed Instance from threats.

Reference:
Microsoft Learn - Configure Advanced Threat Protection for Azure SQL Managed Instance
Microsoft Learn - Microsoft Defender for Cloud Overview

Select the answer that correctly completes the sentence.



Explanation:
The key phrase in the question is "readable and usable to viewers that have the appropriate key." This directly points to the process of encryption and decryption.
Encrypting is the process of converting data (plaintext) into an encoded version (ciphertext) that cannot be easily understood by unauthorized entities. The process of reversing this, known as decryption, requires a specific secret key. Only someone with the correct key can decrypt the data, making it readable and usable again.

Why the other options are incorrect:
Archiving:
This is the process of moving data that is no longer actively used to a separate storage device for long-term retention. It does not require a key to access the data.
Compressing:
This is the process of reducing the size of a file by encoding its information more efficiently. The goal is to save storage space or bandwidth. A compressed file can be decompressed back to its original form using a standard algorithm, without the need for a cryptographic key.
Deduplicating:
This is a data compression technique for eliminating duplicate copies of repeating data. It is used to improve storage utilization. Like compression, it does not involve keys for access; it's a backend storage efficiency process.

Reference:
Microsoft Learn: What is encryption? - "Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read or use the encrypted data, it must be decrypted, which requires the use of a secret key."

Which Microsoft portal provides information about how Microsoft manages privacy, compliance, and security?

A. Microsoft Service Trust Portal

B. Compliance Manager

C. Microsoft 365 compliance center

D. Microsoft Support

Answer: A. Microsoft Service Trust Portal

Explanation:
The Microsoft Service Trust Portal (STP) is the central hub for customers to access Microsoft's comprehensive documentation, reports, and guides regarding how Microsoft cloud services manage and protect data. It is specifically designed to provide transparency on Microsoft's security, privacy, compliance, and risk management practices.

The types of resources available on the Service Trust Portal include:
Audit Reports:
Such as SOC 1, SOC 2, and ISO certifications.
Compliance Offerings:
Detailed information on regulations like GDPR, HIPAA, and FedRAMP.
Privacy Information:
Documentation on how Microsoft handles and protects data.
Security Implementation Guides:
Best practices and technical details on Microsoft's security controls.

Why the other options are incorrect:
B. Compliance Manager:
This is a tool within the Microsoft Purview compliance portal that helps your organization manage its own compliance activities. It provides a compliance score and helps you implement controls for your specific regulatory requirements. It is not the public-facing portal for Microsoft's own policies and practices.
C. Microsoft 365 compliance center:
Now part of the Microsoft Purview compliance portal, this is a workspace for your organization's compliance administrators to use Microsoft's compliance tools. It is focused on your data and your compliance, not on providing information about Microsoft's internal controls.
D. Microsoft Support:
This portal is for opening and managing technical support tickets for Microsoft products and services. It is not the repository for public compliance, security, and privacy documentation.

Reference:
Microsoft Learn: Describe the Service Trust Portal - "The Service Trust Portal (STP) hosts the Compliance Manager service and also provides access to Microsoft's audit reports, compliance offerings, and other documentation... that describe how Microsoft cloud services protect data, how they manage data privacy and security controls, and how they comply with regulatory standards."

What can you use to scan email attachments and forward the attachments to recipients only if the attachments are free from malware?

A. Microsoft Defender for Office 365

B. Microsoft Defender Antivirus

C. Microsoft Defender for Identity

D. Microsoft Defender for Endpoint

Answer: A. Microsoft Defender for Office 365

Explanation:
Microsoft Defender for Office 365 is a cloud-based email filtering service that protects organizations against malicious threats posed by email messages, links (URLs), and collaboration tools. Its core functions include:

Safe Attachments:
This feature specifically scans email attachments for malware, ransomware, and other malicious software in a secure, virtual environment. Emails with attachments are held until the scan is complete. They are only delivered to the recipient's inbox if the attachment is determined to be safe.
Safe Links:
This feature scans URLs in emails and Office documents at the time of click to provide protection against malicious websites.

This capability to intercept, scan in a sandbox, and release only clean emails is a defining feature of Defender for Office 365.

Why the other options are incorrect:
B. Microsoft Defender Antivirus:
This is the built-in anti-malware component for Windows operating systems. It scans files on a local device or server but does not intercept and scan email attachments in transit before they reach the user's mailbox.
C. Microsoft Defender for Identity:
This is a cloud-based security solution that uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at an organization. It focuses on user behavioral analytics, not email attachment scanning.
D. Microsoft Defender for Endpoint:
This is an enterprise endpoint security platform designed to help prevent, detect, investigate, and respond to advanced threats on network devices (like PCs, Macs, and servers). While it includes antivirus capabilities (and often integrates with Defender Antivirus), its primary role is not to scan and filter email attachments before they enter the mail flow.

Reference:
Microsoft Learn: Microsoft Defender for Office 365 - "Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools... [including] Safe Attachments for email, which provides zero-day protection to scan for unknown malware in email attachments."

Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standards, such as International Organization for Standardization (ISO)?

A. the Microsoft Endpoint Manager admin center

B. Azure Cost Management + Billing

C. Microsoft Service Trust Portal

D. the Azure Active Directory admin center

Answer: C. Microsoft Service Trust Portal

Explanation:
The Microsoft Service Trust Portal (STP) is the official, dedicated platform for customers to access comprehensive documentation, audit reports, and compliance guides related to Microsoft's cloud services. It is specifically designed to provide transparency into Microsoft's security, privacy, and compliance practices, including adherence to standards like those from the International Organization for Standardization (ISO).

On the Service Trust Portal, you can find:
Audit Reports:
Independent third-party audit reports for standards like ISO 27001, ISO 27018, SOC 1, SOC 2, and more.
Compliance Guides:
Detailed information on how Microsoft cloud services can help you comply with various global, regional, and industry-specific regulations.
Trust Documents:
White papers, FAQs, and other resources detailing Microsoft's security and data protection controls.

Why the other options are incorrect:
A. The Microsoft Endpoint Manager admin center:
This is a tool for IT administrators to manage and secure devices (PCs, mobile devices) and applications within an organization. It is unrelated to providing public documentation on Microsoft's corporate-level compliance with regulatory standards.
B. Azure Cost Management + Billing:
This portal is used for monitoring, allocating, and optimizing cloud spending and managing billing accounts. It has no function related to compliance documentation.
D. The Azure Active Directory admin center:
This is a management portal for configuring and managing identity and access services, such as users, groups, and application registrations. While crucial for implementing your own security controls, it does not host Microsoft's compliance reports for its cloud infrastructure.

Reference:
Microsoft Learn: Describe the Service Trust Portal - "The Service Trust Portal (STP) hosts the Compliance Manager service and also provides access to Microsoft's audit reports, compliance offerings, and other documentation... that describe how Microsoft cloud services protect data, how they manage data privacy and security controls, and how they comply with regulatory standards."

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.


Explanations:

1. Statement: You can create one Azure Bastion per virtual network.
Answer: No
Explanation: This statement is false. You can deploy multiple Azure Bastion hosts within a single virtual network. This is a common design for scaling to accommodate a large number of concurrent connections or for deploying Bastion hosts in different Azure availability zones for high availability. The limitation is one Bastion host per subnet, not per virtual network.

2. Statement: Azure Bastion provides secure user connections by using RDP.
Answer: No
Explanation:
This statement is misleading and therefore considered false in this context. While the underlying protocol used for Windows VMs is indeed RDP, the key security value of Azure Bastion is that users do not connect directly via RDP. Instead, they connect through the Azure portal (over TLS/SSL) using their browser, and the Bastion service brokers the RDP/SSH session to the VM internally. From a user's perspective, they are not "using RDP"; they are using a secure, browser-based session. The direct RDP/SSH ports are not exposed to the public internet.

3. Statement: Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal.
Answer: Yes
Explanation:
This statement is entirely accurate and describes the core functionality of the service. Users connect to the Azure portal over a secure HTTPS (TLS) connection. From there, they can select a VM and click "Connect" to establish a seamless, remote session (RDP for Windows, SSH for Linux) that is brokered by the Azure Bastion service, without exposing the VM to the public internet.

Reference:
Microsoft Learn: What is Azure Bastion? - "Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software."


Microsoft Security Compliance and Identity Fundamentals Practice Exam Questions

SC-900: Your Fast Track to Security & Identity Fundamentals


The SC-900 is the essential starting point for the Microsoft security and identity learning path. This is a fundamentals exam—your goal is to understand core concepts, not deep technical configuration. The path to passing is efficient and concept-focused.

Master the Three Pillars:


Identity & Access (40%): Grasp the core concepts of Microsoft Entra ID (Azure AD), including authentication (MFA, SSPR), authorization (RBAC), and identity protection. Understand the principles of Zero Trust and identity as the new security perimeter.

Security (40%): Learn the purpose and capabilities of the Microsoft Security ecosystem, including Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel. Know what each tool protects and its primary use case (e.g., Defender for Office 365 secures email and collaboration).

Compliance (20%): Understand how Microsoft Purview helps organizations meet regulatory and privacy standards. Focus on the capabilities of solutions like Compliance Manager, Information Protection, and Insider Risk Management.

Your Efficient 2-Week Strategy:


Week 1: Conceptual Learning. Complete the free Microsoft Learn SC-900 learning path. Watch the associated videos. Focus on building a strong mental map of how the concepts and services relate to each other. This is a theory-heavy exam.

Week 2: Active Recall & Validation. Use a platform like MSMCQ.com to test your understanding. Free Microsoft Security Compliance and Identity Fundamentals exam questions are ideal for reinforcing definitions, comparing service capabilities, and solidifying the "what, why, and when" of each offering. Review all answer explanations, especially for any questions you get wrong.

Key to Success: Think in Categories. The SC-900 tests your ability to categorize and differentiate. For example:

Is this a preventative, detective, or responsive control?
Does this scenario describe a compliance need or a security need?
Which Microsoft cloud service category (Purview, Defender, Entra) addresses this requirement?

Final Tip: You do not need hands-on lab experience for this exam. Your success is based on absorbing the core concepts and practicing with targeted Microsoft Security Compliance and Identity Fundamentals questions to ensure you can apply them to simple scenarios. A focused study of the Learn content, reinforced with SC-900 practice tests, will make passing straightforward.