Microsoft SC-900 Deutsch Actual Free Exam Questions & Community Discussion

  • Exam Code/Number: SC-900 Deutsch
  • Exam Name/Title: Microsoft Security, Compliance, and Identity Fundamentals (SC-900 Deutsch Version)
  • Certification Provider: Microsoft
  • Corresponding Certification: Microsoft Certified
  • Exam Questions: 217
  • Updated On: Jun 01, 2026
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra ID Protection evaluates risk during authentication, not only after the user is authenticated.
The service provides "real-time" assessment as part of the sign-in flow and also processes "offline" detections, enabling Conditional Access to act before a session is granted. In Microsoft's terminology, "sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner," while "user risk represents the probability that a given identity or account is compromised." These risks are surfaced as risk detections and can be used to trigger MFA, block access, or require secure password reset.
Each detection and calculated risk is classified by Microsoft Entra ID Protection with "Low, Medium, or High" levels so administrators can triage and automate policy responses appropriately. Because detections are calculated in real time as part of the sign-in evaluation (and also through subsequent analysis), it is incorrect to say they are generated once the user is authenticated. The accurate view is that Identity Protection continuously analyzes telemetry and produces detections and risk levels that may be acted upon before, during, and after sign-in, with user risk expressing the likelihood that the identity itself is compromised and sign-in risk expressing the likelihood that a particular authentication attempt is not legitimate.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Azure networking, each Network Security Group (NSG) is created with a built-in set of default security rules. Microsoft's documentation for NSGs explains: "Azure creates several default security rules within each network security group. You can't remove the default security rules, but you can override them by creating rules with a higher priority." The rule processing model is priority-based: "Security rules are processed in priority order, with lower numbers processed before higher numbers. Once a rule matches traffic, processing stops." Because the defaults have relatively low precedence (high priority numbers), an administrator can create an explicit allow or deny rule with a lower priority number to supersede the default behavior.
This is why the correct completion is override rather than copy or delete. You cannot delete the default rules; they remain present to provide baseline behavior (such as denying inbound traffic from the internet by default and allowing virtual network traffic). Instead, you override the defaults by adding your own NSG rules, using lower priority numbers, to achieve the desired access control outcome while preserving Azure's baseline protections and evaluation logic.
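The priority-ordered, first-match evaluation described above, as an added example that is not part of the original page or Microsoft's own code. It is a simplified Python model: sources are service-tag labels rather than address ranges, the custom rule names are made up, and the three default inbound rules use Azure's built-in names and priorities.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # simplified: a service-tag label or "*"
    port: str       # a single port as text, or "*"
    action: str     # "Allow" or "Deny"


# Azure's built-in inbound defaults; they cannot be deleted.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
)


def evaluate(custom_rules, source, port):
    """Return (action, rule name) of the first rule that matches the traffic."""
    for rule in custom_rules:
        # Custom rules may only use priorities 100-4096, so they always
        # sort ahead of the defaults (65000 and above).
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority must be 100-4096")
    ordered = sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority)
    for rule in ordered:
        if rule.source in ("*", source) and rule.port in ("*", str(port)):
            return rule.action, rule.name   # first match wins; processing stops
    raise RuntimeError("unreachable: DenyAllInBound matches all traffic")


# Constructed sample rules (hypothetical names) that override two defaults.
CUSTOM = [
    Rule("AllowHttpsFromInternet", 200, "Internet", "443", "Allow"),
    Rule("DenySshFromVnet", 300, "VirtualNetwork", "22", "Deny"),
]

if __name__ == "__main__":
    flows = (("Internet", 443), ("VirtualNetwork", 22), ("Internet", 22))
    for label, rules in (("defaults only", []), ("with overrides", CUSTOM)):
        for src, port in flows:
            print(f"{label:15} {src:15} {port:4} -> {evaluate(rules, src, port)}")
```

The defaults stay in the rule set in both runs; only the outcome for traffic that a lower-numbered custom rule matches changes.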
How many factors are required for authentication when you enable Azure AD Multi-Factor Authentication (MFA)?
Correct Answer: A
Which two types of devices can be managed by using Endpoint Data Loss Prevention (Endpoint DLP)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer: A,C
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft's hybrid identity guidance explains that Microsoft Entra Connect (formerly Azure AD Connect) is the tool used to synchronize identities from on-premises AD DS to a Microsoft Entra tenant, enabling hybrid identity. Microsoft states that hybrid identity is achieved by connecting your on-premises directory with your cloud directory so users have a single identity to access both environments. This does not require two Microsoft 365 tenants; rather, it requires one Microsoft Entra tenant integrated with your on-premises AD DS.
For each authentication model, whether Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or federation (AD FS), Microsoft specifies that directory synchronization is required so that user objects exist in Entra ID and can authenticate to cloud services while maintaining a consistent identity. Thus, Entra Connect is used to implement the synchronization underpinning hybrid identity; two M365 tenants are unnecessary; and synchronization between AD DS and Entra ID is required for authenticating hybrid identities across Microsoft cloud services.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:
access and application control
In Microsoft Defender for Cloud, the capabilities grouped as access and application control are designed to harden Azure virtual machines by limiting both what can access a VM and what can run on it. Microsoft's documentation explains that Adaptive application controls "help you control which applications can run on your VMs by allowing only known-safe applications," which directly helps block malware and other unwanted applications. In the same family, Just-in-time (JIT) VM access "reduces exposure to attacks by locking down inbound traffic to your VMs and opening only the required ports, for approved users, for a limited time," thereby reducing the network attack surface. These capabilities are surfaced in Defender for Cloud recommendations and policies to enforce least privilege at the network edge and on the endpoint execution layer.
By contrast, Cloud Security Posture Management (CSPM) provides continuous assessment and secure-score-driven recommendations but isn't the control that actively blocks applications or time-bounds inbound access. Container security targets container images and runtimes, and vulnerability assessment identifies software vulnerabilities but doesn't enforce allow-listing or time-bound access. Therefore, the correct completion is access and application control, which encompasses Adaptive application controls and JIT VM access to protect VMs from unwanted apps and minimize exposed network surface.
Select the answer that correctly completes the sentence.
Correct Answer:
What are customers responsible for when evaluating security in a software as a service (SaaS) cloud services model?
Correct Answer: A
What is a feature of Microsoft Defender for Cloud Apps?
Correct Answer: C
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
Microsoft Defender for Cloud can detect vulnerabilities and threats for Azure Storage. Yes
Cloud Security Posture Management (CSPM) is available for all Azure subscriptions. Yes
Microsoft Defender for Cloud can evaluate the security of workloads deployed to Azure or on-premises. Yes
Microsoft Defender for Cloud provides both workload protection and posture management. For Azure Storage, the Defender plan (Microsoft Defender for Storage) offers threat detection such as anomalous access, malware scanning, and sensitive-data threat alerts, while the CSPM guidance in Defender for Cloud flags misconfigurations that create vulnerabilities (for example, public blob access, weak TLS settings). CSPM capabilities (secure score, recommendations, and baseline assessments) are available to all Azure subscriptions (foundational CSPM), giving every tenant visibility into security posture without requiring a premium add-on for basic posture features. Beyond Azure, Defender for Cloud supports hybrid and multicloud: using Azure Arc and the Defender for Servers plan, it can onboard and assess on-premises servers and resources in other clouds, applying recommendations, security assessments, and threat protections across those environments. Collectively, these capabilities confirm that Defender for Cloud can detect storage-related threats and posture weaknesses, CSPM is broadly available to Azure subscriptions, and the service evaluates workloads running in Azure or on-premises.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft 365 Defender, security signals from across Microsoft 365 services are raised as alerts. Microsoft's documentation defines an incident as "a collection of correlated alerts" that represent the end-to-end story of an attack. The incident object aggregates the related signals, entities, and evidence so analysts can triage and remediate holistically rather than handling individual alerts in isolation. Microsoft further explains that incidents "group together related alerts, assets, users, and evidence" to reduce noise and provide context for investigation, and that automated correlation "helps SOCs focus on what matters most" by stitching alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Microsoft Defender for Cloud Apps into one case. Within an incident, analysts see a timeline, impacted assets and users, alert details, and recommended actions, and they can trigger response measures (for example, isolate device, block URL/file, or disable user). This contrasts with events (raw telemetry), vulnerabilities (exposure findings managed by Defender Vulnerability Management), and Microsoft Secure Score improvement actions (posture recommendations). Therefore, in the Microsoft 365 Defender portal, an incident is specifically a collection of correlated alerts, designed to streamline investigation and coordinated remediation across the Microsoft 365 security stack.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra Conditional Access (CA) evaluates signals from the user, device, location, and risk to make access decisions. The platform explicitly notes that CA decisions occur after primary sign-in: "Conditional Access policies are enforced after the first-factor authentication has been completed." This means a user must successfully present their initial credentials (e.g., password, Windows Hello, FIDO2) before the CA engine evaluates policy logic. Therefore, the statement that CA is evaluated before a user is authenticated is not correct.
Regarding scoping, CA can target ordinary and privileged identities. The assignment options allow administrators to aim policies at users, groups, and directory roles: "You can include or exclude users and groups... [and] include or exclude specific Azure AD directory roles from a Conditional Access policy." Because Global Administrator is a directory role, policies can be applied to those accounts (with Microsoft's best-practice guidance to maintain at least one excluded break-glass account to prevent lockout).
For signals/conditions, CA supports device platform filtering. The documented device platform condition states: "This condition is based on the operating system platform of the device... iOS, Android, Windows, macOS (and others)." Administrators commonly use this to require different controls (like MFA or compliant device) based on Android or iOS.
Putting these together:
CA can apply to Global Administrators (Yes).
CA is evaluated after first-factor authentication (No to "before").
Device platform (e.g., Android/iOS) is a valid CA signal (Yes).
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

In Microsoft's hybrid identity model, organizations keep their authoritative identities in Active Directory Domain Services (AD DS) and surface those identities in Microsoft Entra ID (Azure AD). Microsoft guidance explains that hybrid identity is implemented by synchronizing on-premises directory objects (users, groups, and selected attributes) into Azure AD using Azure AD Connect or Cloud Sync. Azure AD Connect is explicitly documented as the Microsoft tool that establishes and maintains synchronization between AD DS and Azure AD and is therefore used to implement hybrid identity; hence statement 1 is Yes. Hybrid identity does not require two Microsoft 365 tenants; the standard design is one Azure AD tenant connected to one or more on-premises AD forests, so statement 2 is No. For users to authenticate to Microsoft cloud resources with their on-premises identity, Azure AD must have a corresponding cloud identity object, which is achieved by directory synchronization; sign-in can then be handled by cloud authentication (Password Hash Synchronization or Pass-through Authentication) or by federation (e.g., AD FS). Because these sign-in options depend on synchronized identities being present in Azure AD, statement 3 is Yes. This aligns with SCI guidance that hybrid identity = synchronized identities + a chosen authentication method (PHS/PTA or federation).