Microsoft SC-900 Deutsch Actual Free Exam Questions & Community Discussion

Explanation:

Microsoft Learn explains that Azure Active Directory (now Microsoft Entra ID) is a Microsoft-managed identity and access management service delivered from the cloud. It does not require you to provision or host infrastructure such as virtual machines; the directory is operated as a service by Microsoft, and tenants are created and administered within Microsoft's cloud environment. The official learning paths further clarify that administration is performed through the Azure portal (the Entra/Microsoft Entra admin center and Azure portal blades), PowerShell, and Graph-so managing a tenant in the Azure portal is fully supported.
Regarding licensing, Microsoft's SCI study materials detail that Azure AD/Entra ID is offered in multiple editions (Free, Microsoft 365 apps edition, Premium P1, and Premium P2). Each edition unlocks different capabilities: for example, features like Conditional Access are in Premium tiers; Identity Protection and Privileged Identity Management (PIM) are P2 capabilities. Because capabilities vary by tier, the statement that all license editions include the same features is incorrect.
Putting this together: feature parity across editions is not the case (No); tenant management in the Azure portal is supported (Yes); and you do not need to deploy Azure VMs to host an Azure AD/Entra ID tenant (No).

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Explanation:

Microsoft defines hybrid identity as enabling a common identity across on-premises and cloud by integrating your directory services. Microsoft Learn states: "Hybrid identity is achieved by integrating your on-premises Active Directory with Azure Active Directory." This integration is delivered through the synchronization and optional federation capabilities that connect AD DS to Azure AD so users can access both on-premises and cloud resources with one identity.
To implement this integration, Microsoft's tooling is explicit: "Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals." Azure AD Connect (now Microsoft Entra Connect) synchronizes users, groups, and optionally passwords or hashes to Azure AD, providing the foundation for hybrid scenarios such as single sign-on and seamless sign-in.
Regarding tenants, Microsoft's identity platform clarifies that "A Microsoft 365 organization is associated with a single Azure AD tenant." Therefore, a hybrid identity deployment does not require two Microsoft 365 tenants; it typically links a single Azure AD (Microsoft Entra ID) tenant with one or more on-premises AD DS forests. In summary, Azure AD Connect enables hybrid identity, hybrid identity is the synchronization
/integration of AD DS with Azure AD, and it does not necessitate multiple Microsoft 365 tenants.

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Explanation:

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.
By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos
/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.

Explanation:

In Microsoft's Security, Compliance, and Identity guidance, encryption is described as the control that
"converts data into a form that cannot be understood by anyone who does not possess the appropriate decryption key." In the Microsoft Purview Information Protection (sensitivity labels with encryption) documentation, Microsoft explains that when encryption is applied to a file, "only authorized users and services that present the correct keys and usage rights can open and use the content," and that access is enforced even if the file is moved outside the organization. Azure Rights Management (part of Microsoft Purview) further states that encryption "protects data at rest and in transit by using keys so that only permitted identities can decrypt and use the information." This aligns precisely with the sentence: encrypting a file makes the data readable and usable to viewers that have the appropriate key (and unreadable to those who do not). By contrast, archiving organizes or preserves data for long-term storage; compressing reduces file size without controlling access; and deduplicating removes redundant copies to save space. None of these provide the key-based, identity-bound access control described in Microsoft SCI materials. Therefore, the correct completion is Encrypting.

Explanation:
Microsoft's security and compliance learning content explains that digital signatures are built on public key (asymmetric) cryptography. In this model, each identity has a key pair: a private key that is kept secret and a public key that can be shared. The signing operation is performed with the private key to produce a signature bound to the content and the signer's identity. Verification is then performed by anyone who has access to the corresponding public key, which mathematically validates the signature and confirms both integrity (the content wasn't altered) and authenticity (it was signed by the holder of the private key). SCI materials (covering Microsoft Purview Information Protection, Azure Key Vault/PKI concepts, and identity fundamentals) emphasize that the private key must never be disclosed or required for verification; only the public key is used to validate signatures and certificates. This is the same principle used across Microsoft 365 for certificate-based trust, code signing, and document signing: sign with the private key; verify with the public key. Therefore, statements one and two are true, and the statement claiming verification requires the private key is false.

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Explanation:
Security defaults require an Azure Active Directory (Azure AD) Premium license. No Security defaults can be enabled for a single Azure Active Directory (Azure AD) user. No When Security defaults are enabled, all administrators must use multi-factor authentication (MFA). Yes Microsoft explains that Security defaults are baseline identity protections that are "available to all tenants at no additional cost" and are intended to "help protect your organization from common identity-related attacks." They are a tenant-wide setting: Microsoft states that security defaults are "either on or off for the entire tenant" and "can't be customized or targeted to specific users or groups." If you require per-user or granular targeting, Microsoft directs customers to use Conditional Access policies instead.
A core behavior of security defaults is enforcing MFA: "All users are required to register for Azure AD Multi- Factor Authentication," and "administrators are required to perform MFA." In addition, security defaults
"block legacy authentication" and apply other baseline requirements, but they do not enable premium features such as Azure AD Identity Protection or PIM. Summarizing the implications for the statements: no premium license is required; you cannot enable security defaults for just one user because the control is global; and when enabled, administrators must use MFA, with Microsoft recommending exclusion only for a break-glass account if necessary.

Explanation:

In Microsoft's Security, Compliance, and Identity guidance, multi-factor authentication (MFA) is based on combining independent categories of credentials to verify a user. Microsoft describes the three factor types as:
something you know (knowledge), something you have (possession), and something you are (inherence). A password is explicitly categorized as "something you know," because it relies on a secret the user memorizes and types during sign-in. MFA improves security by requiring two or more of these distinct factors-e.g., a password (know) plus a phone approval or hardware token (have), or a biometric like Windows Hello (are).
Using factors from different categories mitigates common attacks such as password spray, credential stuffing, and phishing, because compromising one factor (for example, the password) does not grant access without the second, unrelated factor. Microsoft recommends enabling MFA broadly and pairing passwords with stronger possession or inherence methods to achieve a measurable reduction in account compromise risk. Therefore, in the MFA model used by Microsoft Entra ID (Azure AD), a password is considered something you know.

Explanation:
In Microsoft identity terminology, authentication is the step that proves who the user is when they attempt to sign in. Microsoft Learn defines it plainly: "Authentication is the process of proving the identity of a user, device, or service." By contrast, "Authorization is the process of determining what a user, device, or service can do." During sign-in to Microsoft Entra ID (formerly Azure AD), "the identity provider validates credentials and, upon successful authentication, issues tokens that applications use to grant access." Microsoft further explains the available methods: "Microsoft Entra ID supports multiple authentication methods, including passwords, multi-factor authentication, FIDO2 security keys, certificate-based authentication, and federated authentication." Auditing and administration are not the mechanisms that verify identity at sign-in. Auditing "records security- relevant events for investigation and compliance," while administration "refers to configuring and managing identities, access policies, and settings." Therefore, in the sentence "When users sign in, _____ verifies their credentials to prove their identity," the correct completion is authentication, because it is the control that validates the user's credentials and establishes identity before any authorization decisions are made.