Free Microsoft SC-900 Practice Test Questions MCQs

Stop wondering if you're ready. Our Microsoft SC-900 practice test is designed to identify your exact knowledge gaps. Validate your skills with Microsoft Security Compliance and Identity Fundamentals questions that mirror the real exam's format and difficulty. Build a personalized study plan based on your free SC-900 exam questions mcqs performance, focusing your effort where it matters most.

Targeted practice like this helps candidates feel significantly more prepared for Microsoft Security Compliance and Identity Fundamentals exam day.

2850+ already prepared
Updated On : 7-Apr-2026
85 Questions
Microsoft Security Compliance and Identity Fundamentals
4.9/5.0

Page 1 out of 9 Pages

Select the answer that correctly completes the sentence 




Explanation:
In the Microsoft 365 Defender (Security Center), you can use incidents to identify devices, users, and entities affected by alerts.
An incident in Microsoft 365 Defender automatically groups related alerts together that are likely part of the same attack or campaign. This allows security analysts to see all impacted assets — including devices, users, mailboxes, and applications — in a single view for investigation and response.
Classifications – refer to data labeling (like confidential, internal, public), not alerts or device tracking.
Policies – define security or compliance rules but don’t show affected devices for alerts.
Secure score – measures your organization’s security posture, not incident details.

Reference:
Microsoft Learn: Investigate incidents in Microsoft 365 Defender
Microsoft 365 Defender overview

In a hybrid identity model, what can you use to sync identities between Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD)?

A. Active Directory Federation Services (AD FS)

B. Azure Sentinel

C. Azure AD Connect

D. Azure Ad Privileged Identity Management (PIM)

C.   Azure AD Connect

Explanation:
In a hybrid identity model, organizations use both on-premises Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD).
To ensure that user identities are synchronized between these environments, Azure AD Connect is the tool designed for this purpose.

Azure AD Connect:
Synchronizes on-premises users, groups, and passwords to Azure AD.
Enables Single Sign-On (SSO) so users can access both cloud and on-prem resources with one identity.
Can also support password hash synchronization, pass-through authentication, or federation depending on your configuration.

Why other options are incorrect:
A. Active Directory Federation Services (AD FS):
Used for authentication (federation), not for syncing identities. It can work with Azure AD Connect but doesn’t perform the synchronization itself.
B. Azure Sentinel:
A cloud-native SIEM (Security Information and Event Management) solution, used for security monitoring and analytics, not identity synchronization.
D. Azure AD Privileged Identity Management (PIM):
Used to manage, monitor, and control privileged access in Azure AD, not for syncing user accounts or passwords.

Reference:
Microsoft Learn: What is Azure AD Connect?
Microsoft Identity platform overview

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.




Explanation:
1. Azure Defender can detect vulnerabilities and threats for Azure Storage. ✅ Yes
Azure Defender for Storage (now part of Microsoft Defender for Cloud) provides threat protection for Azure Blob Storage.
It detects unusual and potentially harmful attempts to access or exploit storage accounts, including malware uploads and data exfiltration.
Reference:
Microsoft Defender for Storage

2. Cloud Security Posture Management (CSPM) is available for all Azure subscriptions. ❌ No
CSPM features in Microsoft Defender for Cloud are only available in subscriptions onboarded to Defender for Cloud.
Some CSPM capabilities require enabling Defender plans or using Azure Policy initiatives, which are not automatically included in all subscriptions.
Reference:
Defender for Cloud CSPM capabilities

3. Azure Security Center can evaluate the security of workloads deployed to Azure or on-premises. ✅ Yes
Azure Security Center (now part of Microsoft Defender for Cloud) supports hybrid environments.
It can assess workloads in Azure, on-premises, and even in other clouds via Azure Arc integration.
Reference:
Hybrid security with Defender for Cloud

What can you use to provision Azure resources across multiple subscriptions in a consistent manner?

A. Azure Defender

B. Azure Blueprints

C. Azure Sentinel

D. Azure Policy

B.   Azure Blueprints

Explanation:
Azure Blueprints is specifically designed for this purpose. It allows you to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. You can package together key artifacts like:

Role Assignments
Policy Assignments
Azure Resource Manager (ARM) Templates
Resource Groups

Once defined, a blueprint can be applied to multiple subscriptions in a consistent manner. This ensures that every subscription you create is set up according to the same governance, security, and compliance rules from the very start.

Why the other options are incorrect:
A. Azure Defender:
This is a cloud workload protection platform (CWPP) for advanced threat protection across Azure, hybrid, and multi-cloud environments. It is a security tool, not a resource provisioning and governance tool.
C. Azure Sentinel:
This is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It is used for security analytics and alerting, not for deploying resources.
D. Azure Policy:
While Azure Policy is a core component of governance and is often used within an Azure Blueprint, its primary function is to enforce organizational standards and assess compliance at scale. It focuses on creating, assigning, and managing policy definitions that enforce rules for resource properties. It does not, by itself, provision a full set of resources like virtual networks or storage accounts across subscriptions.

Reference:
Microsoft Learn: What is Azure Blueprints? - "Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements."

What can you use to provide threat detection for Azure SQL Managed Instance?

A. Microsoft Secure Score

B. application security groups

C. Azure Defender

D. Azure Bastion

C.   Azure Defender

Explanation:
Azure Defender, integrated into Microsoft Defender for Cloud, provides advanced threat protection for Azure SQL Managed Instance. It offers real-time threat detection by monitoring database activities for suspicious patterns, such as SQL injection attempts, unusual access locations, or anomalous data extraction. Azure Defender uses machine learning and behavioral analytics to identify threats, generating actionable alerts with remediation steps. These alerts can be viewed in the Azure portal or sent via email, enabling quick response to potential security incidents. For Azure SQL Managed Instance, enabling Azure Defender at the subscription level ensures comprehensive coverage for all databases, enhancing security with features like vulnerability assessments and threat intelligence.

Why other options are incorrect:
A. Microsoft Secure Score:
This tool assesses an organization’s security posture by providing a numerical score based on implemented security controls and recommendations. It focuses on improving overall security hygiene across Azure resources but does not offer real-time threat detection or monitoring for specific services like Azure SQL Managed Instance. It’s more about proactive security improvement than reactive threat detection.
B. Application Security Groups (ASGs):
ASGs are used to simplify network security management by grouping virtual machines and applying network security group (NSG) rules to control traffic. They operate at the network layer and are not designed to monitor or detect threats within database services like Azure SQL Managed Instance, making them irrelevant for this use case.
D. Azure Bastion:
This service provides secure RDP and SSH connectivity to Azure virtual machines through a browser or the Azure portal, eliminating the need for public IP addresses. It focuses on secure access to VMs, not on monitoring or protecting database services like Azure SQL Managed Instance from threats.

Reference:
Microsoft Learn - Configure Advanced Threat Protection for Azure SQL Managed Instance
Microsoft Learn - Microsoft Defender for Cloud Overview

Select the answer that correctly completes the sentence.



Explanation:
The key phrase in the question is "readable and usable to viewers that have the appropriate key." This directly points to the process of encryption and decryption.
Encrypting is the process of converting data (plaintext) into an encoded version (ciphertext) that cannot be easily understood by unauthorized entities. The process of reversing this, known as decryption, requires a specific secret key. Only someone with the correct key can decrypt the data, making it readable and usable again.

Why the other options are incorrect:
Archiving:
This is the process of moving data that is no longer actively used to a separate storage device for long-term retention. It does not require a key to access the data.
Compressing:
This is the process of reducing the size of a file by encoding its information more efficiently. The goal is to save storage space or bandwidth. A compressed file can be decompressed back to its original form using a standard algorithm, without the need for a cryptographic key.
Deduplicating:
This is a data compression technique for eliminating duplicate copies of repeating data. It is used to improve storage utilization. Like compression, it does not involve keys for access; it's a backend storage efficiency process.

Reference:
Microsoft Learn: What is encryption? - "Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read or use the encrypted data, it must be decrypted, which requires the use of a secret key."

Which Microsoft portal provides information about how Microsoft manages privacy, compliance, and security?

A. Microsoft Service Trust Portal

B. Compliance Manager

C. Microsoft 365 compliance center

D. Microsoft Support

A.   Microsoft Service Trust Portal

Explanation:
The Microsoft Service Trust Portal (STP) is the central hub for customers to access Microsoft's comprehensive documentation, reports, and guides regarding how Microsoft cloud services manage and protect data. It is specifically designed to provide transparency on our security, privacy, compliance, and risk management practices.

The types of resources available on the Service Trust Portal include:
Audit Reports:
Such as SOC 1, SOC 2, and ISO certifications.
Compliance Offerings:
Detailed information on regulations like GDPR, HIPAA, and FedRAMP.
Privacy Information:
Documentation on how Microsoft handles and protects data.
Security Implementation Guides:
Best practices and technical details on Microsoft's security controls.

Why the other options are incorrect:
B. Compliance Manager:
This is a tool within the Microsoft Purview compliance portal that helps your organization manage its own compliance activities. It provides a compliance score and helps you implement controls for your specific regulatory requirements. It is not the public-facing portal for Microsoft's own policies and practices.
C. Microsoft 365 compliance center:
Now part of the Microsoft Purview compliance portal, this is a workspace for your organization's compliance administrators to use Microsoft's compliance tools. It is focused on your data and your compliance, not on providing information about Microsoft's internal controls.
D. Microsoft Support:
This portal is for opening and managing technical support tickets for Microsoft products and services. It is not the repository for public compliance, security, and privacy documentation.

Reference:
Microsoft Learn: Describe the Service Trust Portal - "The Service Trust Portal (STP) hosts the Compliance Manager service and also provides access to Microsoft's audit reports, compliance offerings, and other documentation... that describe how Microsoft cloud services protect data, how they manage data privacy and security controls, and how they comply with regulatory standards."

What can you use to scan email attachments and forward the attachments to recipients only if the attachments are free from malware?

A. Microsoft Defender for Office 365

B. Microsoft Defender Antivirus

C. Microsoft Defender for Identity

D. Microsoft Defender for Endpoint

A.   Microsoft Defender for Office 365

Explanation:
Microsoft Defender for Office 365 is a cloud-based email filtering service that protects organizations against malicious threats posed by email messages, links (URLs), and collaboration tools. Its core functions include:

Safe Attachments:
This feature specifically scans email attachments for malware, ransomware, and other malicious software in a secure, virtual environment. Emails with attachments are held until the scan is complete. They are only delivered to the recipient's inbox if the attachment is determined to be safe.
Safe Links:
This feature scans URLs in emails and Office documents at the time of click to provide protection against malicious websites.
This capability to intercept, scan in a sandbox, and release only clean emails is a defining feature of Defender for Office 365.

Why the other options are incorrect:
B. Microsoft Defender Antivirus:
This is the built-in anti-malware component for Windows operating systems. It scans files on a local device or server but does not intercept and scan email attachments in transit before they reach the user's mailbox.
C. Microsoft Defender for Identity:
This is a cloud-based security solution that uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at an organization. It focuses on user behavioral analytics, not email attachment scanning.
D. Microsoft Defender for Endpoint:
This is an enterprise endpoint security platform designed to help prevent, detect, investigate, and respond to advanced threats on network devices (like PCs, Macs, and servers). While it includes antivirus capabilities (and often integrates with Defender Antivirus), its primary role is not to scan and filter email attachments before they enter the mail flow.

Reference:
Microsoft Learn: Microsoft Defender for Office 365 - "Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools... [including] Safe Attachments for email, which provides zero-day protection to scan for unknown malware in email attachments."

Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standard, such as International Organization for Standardization (ISO)?

A. the Microsoft Endpoint Manager admin center

B. Azure Cost Management + Billing

C. Microsoft Service Trust Portal

D. the Azure Active Directory admin center

C.   Microsoft Service Trust Portal

Explanation:
The Microsoft Service Trust Portal (STP) is the official, dedicated platform for customers to access comprehensive documentation, audit reports, and compliance guides related to Microsoft's cloud services. It is specifically designed to provide transparency into Microsoft's security, privacy, and compliance practices, including adherence to standards like those from the International Organization for Standardization (ISO).

On the Service Trust Portal, you can find:
Audit Reports:
Independent third-party audit reports for standards like ISO 27001, ISO 27018, SOC 1, SOC 2, and more.
Compliance Guides:
Detailed information on how Microsoft cloud services can help you comply with various global, regional, and industry-specific regulations.
Trust Documents:
White papers, FAQs, and other resources detailing Microsoft's security and data protection controls.

Why the other options are incorrect:
A. The Microsoft Endpoint Manager admin center:
This is a tool for IT administrators to manage and secure devices (PCs, mobile devices) and applications within an organization. It is unrelated to providing public documentation on Microsoft's corporate-level compliance with regulatory standards.
B. Azure Cost Management + Billing:
This portal is used for monitoring, allocating, and optimizing cloud spending and managing billing accounts. It has no function related to compliance documentation.
D. The Azure Active Directory admin center:
This is a management portal for configuring and managing identity and access services, such as users, groups, and application registrations. While crucial for implementing your own security controls, it does not host Microsoft's compliance reports for its cloud infrastructure.

Reference:
Microsoft Learn:
Describe the Service Trust Portal - "The Service Trust Portal (STP) hosts the Compliance Manager service and also provides access to Microsoft's audit reports, compliance offerings, and other documentation... that describe how Microsoft cloud services protect data, how they manage data privacy and security controls, and how they comply with regulatory standards."

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.


Explanations:

1. Statement: You can create one Azure Bastion per virtual network.
Answer: No
Explanation: This statement is false. You can deploy multiple Azure Bastion hosts within a single virtual network. This is a common design for scaling to accommodate a large number of concurrent connections or for deploying Bastion hosts in different Azure availability zones for high availability. The limitation is one Bastion host per subnet, not per virtual network.

2. Statement: Azure Bastion provides secure user connections by using RDP.
Answer: No
Explanation:
This statement is misleading and therefore considered false in this context. While the underlying protocol used for Windows VMs is indeed RDP, the key security value of Azure Bastion is that users do not connect directly via RDP. Instead, they connect through the Azure portal (over TLS/SSL) using their browser, and the Bastion service brokers the RDP/SSH session to the VM internally. From a user's perspective, they are not "using RDP"; they are using a secure, browser-based session. The direct RDP/SSH ports are not exposed to the public internet.

3. Statement: Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal.
Answer: Yes
Explanation:
This statement is entirely accurate and describes the core functionality of the service. Users connect to the Azure portal over a secure HTTPS (TLS) connection. From there, they can select a VM and click "Connect" to establish a seamless, remote session (RDP for Windows, SSH for Linux) that is brokered by the Azure Bastion service, without exposing the VM to the public internet.

Reference:
Microsoft Learn:
What is Azure Bastion? - "Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software."

Page 1 out of 9 Pages
Next
123

Microsoft Security Compliance and Identity Fundamentals Practice Exam Questions

These SC-900 practice questions with explanations help learners build a strong foundation in Microsoft security and compliance concepts. Topics include identity management, security solutions, compliance tools, and zero trust principles. Each explanation clearly breaks down the reasoning behind the correct answer, helping candidates understand fundamental concepts. This approach promotes better retention and practical understanding. By practicing regularly, candidates can identify knowledge gaps, strengthen their fundamentals, and confidently prepare for the certification exam.

SC-900: Your Fast Track to Security & Identity Fundamentals


The SC-900 is the essential starting point for the Microsoft security and identity learning path. This is a fundamentals exam—your goal is to understand core concepts, not deep technical configuration. The path to passing is efficient and concept-focused.

Master the Three Pillars:


Identity & Access (40%): Grasp the core concepts of Microsoft Entra ID (Azure AD), including authentication (MFA, SSPR), authorization (RBAC), and identity protection. Understand the principles of Zero Trust and identity as the new security perimeter.

Security (40%): Learn the purpose and capabilities of the Microsoft Security ecosystem, including Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel. Know what each tool protects and its primary use case (e.g., Defender for Office 365 secures email and collaboration).

Compliance (20%): Understand how Microsoft Purview helps organizations meet regulatory and privacy standards. Focus on the capabilities of solutions like Compliance Manager, Information Protection, and Insider Risk Management.

Your Efficient 2-Week Strategy:


Week 1: Conceptual Learning. Complete the free Microsoft Learn SC-900 learning path. Watch the associated videos. Focus on building a strong mental map of how the concepts and services relate to each other. This is a theory-heavy exam.

Week 2: Active Recall & Validation. Use a platform like MSMCQ.com to test your understanding. Free Microsoft Security Compliance and Identity Fundamentals exam questions are ideal for reinforcing definitions, comparing service capabilities, and solidifying the "what, why, and when" of each offering. Review all answer explanations, especially for any questions you get wrong.

Key to Success: Think in Categories. The SC-900 tests your ability to categorize and differentiate. For example:

Is this a preventative, detective, or responsive control?
Does this scenario describe a compliance need or a security need?
Which Microsoft cloud service category (Purview, Defender, Entra) addresses this requirement?

Final Tip: You do not need hands-on lab experience for this exam. Your success is based on absorbing the core concepts and practicing with targeted Microsoft Security Compliance and Identity Fundamentals questions to ensure you can apply them to simple scenarios. A focused study of the Learn content, reinforced with SC-900 practice tests, will make passing straightforward.

Our Happy Customers


Foundational security concepts were easy to understand with MSmcqs.com while preparing for Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900). The practice questions were clear and beginner-friendly.
Aisha Khan | Dubai