Microsoft SC-900 Actual Free Exam Questions & Community Discussion

  • Exam Code/Number: SC-900
  • Exam Name/Title: Microsoft Security Compliance and Identity Fundamentals
  • Certification Provider: Microsoft
  • Corresponding Certification: Microsoft Certified
  • Exam Questions: 217
  • Updated On: Jun 02, 2026
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

In Microsoft Purview Information Protection, sensitivity labels are the core mechanism to classify and protect content. The Microsoft SCI learning content explains that a sensitivity label can "apply protection such as encryption and rights restrictions to files and emails," allowing you to define who can access the content and what they can do (view, edit, print, forward). When you configure a label with Encrypt settings, the service uses Azure Rights Management to enforce protection persistently, so the encryption travels with the file wherever it goes.
Labels can also apply content marking. The official guidance states that labels can "add visual markings (headers and footers) to Office files and email to make the sensitivity of content obvious." This is commonly used to stamp messages and documents with text such as Confidential or Internal. SCI materials further clarify that labels can apply watermarks to Office documents (Word, Excel, PowerPoint) as part of content marking, but watermarks are not applied to email messages; only headers and footers are supported for email.
Putting it together: encryption (Yes) and headers/footers on documents (Yes) are supported label actions.
Watermarks are supported for documents but not for email, so "Sensitivity labels can apply watermarks to emails" is No.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:
Assessments
In Microsoft Purview Compliance Manager, assessments are the core components used to track compliance with groupings of controls from specific regulations, standards, or requirements.
According to official Microsoft Security, Compliance, and Identity (SCI) learning content, particularly within the SC-400 and SC-900 certification tracks, the role of assessments is explicitly defined as:
"Assessments in Compliance Manager help you track, implement, and improve compliance with requirements from standards and regulations. Each assessment maps to a specific regulation or control framework, such as ISO 27001, NIST, GDPR, or HIPAA, and includes a set of controls and recommended improvement actions." Further extracted content from SCI documentation confirms:
"An assessment is used to measure your compliance posture against a particular regulation or standard. It includes control mappings and provides insight into what's in place and what still needs to be addressed to meet the compliance goals." The other options in the dropdown - Templates, Improvement actions, and Solutions - serve different functions:
Templates provide a blueprint for creating assessments.
Improvement actions are actionable steps generated within assessments.
Solutions in Microsoft Purview refer to bundled capabilities like Insider Risk Management, Information Protection, etc.
Therefore, to track compliance with groupings of controls from a specific regulation or requirement, the correct and Microsoft-verified term is "Assessments."
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft's SCI learning content, the core objective of protecting information is framed by the CIA triad.
Microsoft explains that "confidentiality, integrity, and availability are foundational security principles." Within this model, integrity is described as the assurance that information remains trustworthy and unchanged from its intended state. The SCI materials state that integrity means "preventing unauthorized modification and ensuring the accuracy and completeness of data." When a requirement says, "ensuring that the data you retrieve is the same as the data you stored," it directly maps to this integrity principle: verifying that data hasn't been altered, corrupted, or tampered with during storage or transmission.
Microsoft's guidance further highlights that integrity is supported by controls that "detect or prevent unauthorized changes," including cryptographic hashes, checksums, and digital signatures that can "provide proof that content hasn't been modified." By contrast, confidentiality focuses on restricting access (for example, through least privilege and encryption), and availability focuses on "reliable and timely access to information and systems." Because the scenario emphasizes that the retrieved data is identical to the stored data, it is not about access or uptime but about preserving correctness and detecting alteration, which is precisely the integrity objective in Microsoft's Security, Compliance, and Identity guidance.
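The following is an added example written for this page (not code from the exam material or from Microsoft) showing the two integrity controls the explanation names, a plain hash and a keyed check, against a store-then-retrieve flow. The storage records, the sample data and the "attacker" helpers are all constructed for the demonstration; the point it makes beyond the paragraph is that an unkeyed hash only detects accidental corruption, because an attacker who can rewrite the stored data can also rewrite the hash, whereas an HMAC with a key the storage layer never sees detects that forgery too.

```python
import hashlib
import hmac
import secrets

# Constructed example: "store" returns a record holding the data plus an
# integrity value; "verify" recomputes that value on retrieval and compares it
# in constant time (hmac.compare_digest) so the check itself does not leak timing.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_with_hash(data: bytes) -> dict:
    """Unkeyed integrity check: data stored next to its SHA-256 digest."""
    return {"data": data, "digest": sha256_hex(data)}


def verify_hash(record: dict) -> bool:
    return hmac.compare_digest(sha256_hex(record["data"]), record["digest"])


def store_with_hmac(data: bytes, key: bytes) -> dict:
    """Keyed integrity check: data stored next to an HMAC-SHA256 tag.
    The key stays with the verifier, never with the storage."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


def verify_hmac(record: dict, key: bytes) -> bool:
    expected = hmac.new(key, record["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def forge_hash_record(new_data: bytes) -> dict:
    """Attacker with write access to storage: replaces the data AND refreshes the digest."""
    return {"data": new_data, "digest": sha256_hex(new_data)}


def forge_hmac_record(record: dict, new_data: bytes) -> dict:
    """Same attacker against the keyed store: can replace the data but has no key to
    produce a matching tag, so the old tag is all they can leave behind."""
    return {"data": new_data, "tag": record["tag"]}


def demo() -> dict:
    """Run both schemes through corruption and forgery; True means 'detected'."""
    original = b"quarterly-results: revenue=1000"
    altered = b"quarterly-results: revenue=9999"
    key = secrets.token_bytes(32)  # constructed verifier secret

    h = store_with_hash(original)
    m = store_with_hmac(original, key)
    return {
        "hash_ok_untouched": verify_hash(h),
        "hmac_ok_untouched": verify_hmac(m, key),
        # Accidental corruption (data changed, integrity value not): both detect it.
        "hash_detects_corruption": not verify_hash({**h, "data": altered}),
        "hmac_detects_corruption": not verify_hmac({**m, "data": altered}, key),
        # Deliberate tampering by someone who controls the storage:
        # the unkeyed hash is silently recomputed, the HMAC cannot be.
        "hash_detects_forgery": not verify_hash(forge_hash_record(altered)),
        "hmac_detects_forgery": not verify_hmac(forge_hmac_record(m, altered), key),
    }


if __name__ == "__main__":
    for check, detected in demo().items():
        print(f"{check}: {detected}")
```

A digital signature (the third control the text lists) gives the same forgery resistance as the HMAC with the added property that anyone holding the public key can verify, which matters when the party retrieving the data is not the party that stored it.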
Which type of identity is created when you register an application with Azure Active Directory (Azure AD)?
Correct Answer: A
What can you use to provide a user with a two-hour window to complete an administrative task in Azure?
Correct Answer: A
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

Microsoft Azure Sentinel (now Microsoft Sentinel) is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/overview
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft's SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that "helps you manage your organization's compliance requirements," providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins "use the Microsoft 365 Compliance Center to access Compliance Manager," where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft defines Information Barriers (IB) as policies that "restrict communication and collaboration between specific users or groups" to meet regulatory or conflict-of-interest requirements. In Microsoft 365, IB enforcement is provided across collaboration workloads (most notably Microsoft Teams and, with IB v2, SharePoint and OneDrive), so that users placed in segments that shouldn't interact are prevented from chatting, meeting, or sharing files with one another. The service "controls who can communicate and collaborate with whom" and applies those controls to Teams chats/channels and SharePoint/OneDrive sites and files so that segment boundaries are honored when users attempt to share or access content.
By contrast, Exchange Online email is not a supported enforcement surface for Information Barriers; IB does not block or route mail. Email restrictions are handled with other capabilities (for example, mail flow rules), not IB. Therefore, in alignment with Microsoft's SCI guidance: IB does work with Microsoft Teams and with Microsoft SharePoint/OneDrive, but it does not provide policy enforcement for Exchange email.
What is a use case for implementing information barrier policies in Microsoft 365?
Correct Answer: C
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft Entra Access Reviews are designed to help organizations regularly validate and right-size access.
Microsoft's documentation explains that access reviews can target group memberships, enterprise app assignments, Azure AD roles, and Azure resource roles (via Privileged Identity Management), allowing reviewers to assess whether users, service principals, or groups should retain access to Azure resources, confirming the first statement. Access Reviews support automation: you can configure a review to "Auto-apply results", so when the review ends, users who were denied or not reviewed are automatically removed from the group, application assignment, or role, validating the second statement. Finally, Access Reviews are a Premium P2 capability (now Microsoft Entra ID P2) alongside PIM and advanced identity governance.
They are not included in all service plans; tenants require the appropriate P2 licenses for reviewers and users in scope; therefore the third statement is No.
Select the answer that correctly completes the sentence.
Correct Answer:

Explanation:

In Microsoft's Security, Compliance, and Identity materials, Azure AD B2B collaboration is the feature designed for working with external organizations. Microsoft describes it as follows: "Azure AD B2B collaboration allows you to securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Guest users sign in with their own work, school, or social identities, and appear as guest users in your directory." This directly matches the sentence in the prompt: enabling collaboration with suppliers, partners, and vendors while ensuring that external users appear as guest users in the tenant.
By contrast, Active Directory Domain Services (AD DS) is an on-premises directory service for Windows domain-joined resources and does not provide cloud guest user collaboration. Active Directory forest trusts establish trust relationships between AD DS forests for resource access, not modern cloud guest access using Conditional Access, MFA, or entitlement processes. Azure AD B2C is for consumer/retail scenarios where you build customer-facing apps, managing their identities in a separate customer directory; it is not intended for partner collaboration within your enterprise tenant. Therefore, the capability that fits the statement (external partner collaboration with users appearing as guest accounts) is Azure AD B2B.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft explains that Conditional Access (CA) evaluates signals and then enforces access decisions using grant and session controls: "Conditional Access policies are enforced after first-factor authentication is completed" and are used to "make access control decisions." CA policies target users and groups (including administrators) unless explicitly excluded. Microsoft guidance recommends excluding only break-glass accounts: "Customers with Azure AD roles such as Global administrator should have at least one emergency access account excluded from policies." This means admins are not exempt by default; they are in scope unless you configure exclusions.
CA does not manage directory role assignments; that is handled by role assignment and Privileged Identity Management (PIM). CA's grant controls focus on access conditions: "Grant access... Require multi-factor authentication" and Microsoft lists a common baseline: "Require multi-factor authentication for all users." Therefore, CA can require MFA to access cloud apps, but it cannot add users to Azure AD roles.
These statements from Microsoft's SCI materials confirm the outcomes: admins are not inherently exempt (No), CA cannot assign roles (No), and CA can force MFA for app access (Yes).
You need to identify which cloud service models place the most responsibility on the customer in a shared responsibility model.
In which order should you list the service models from the most customer responsibility (on the top) to the least customer responsibility (on the bottom)? To answer, move all models from the list of models to the answer area and arrange them in the correct order.
Correct Answer:

Explanation:

Microsoft's shared responsibility guidance explains that the customer's responsibility decreases as you move from on-premises to SaaS. In an on-premises datacenter, "you own the whole stack: applications, data, runtime, middleware, OS, virtualization, servers, storage, and networking." With IaaS, the cloud provider operates the physical datacenter and virtualization, while "you're responsible for configuring and managing the guest OS, network controls, identity, applications, and data." With PaaS, the provider operates more of the stack so that "the cloud provider manages the platform (OS, middleware, and runtime) and you focus on your applications and data." Finally, with SaaS, responsibility is minimized for customers because "the service provider manages the application and underlying infrastructure; customers primarily manage identity, data, and access/usage." These Microsoft Learn statements map directly to the requested order, from most customer responsibility (on-premises) to least (SaaS), with IaaS and PaaS in between, reflecting the progressive shift of operational and security controls from the customer to the cloud provider as the service model moves up the stack.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Microsoft 365 Advanced Audit is a capability of the Microsoft Purview audit solution that enhances auditing by adding additional high-value audit events, extended retention (up to one year by default, longer with add-ons), and intelligent insights. Microsoft documentation explains that Advanced Audit provides Exchange-specific events such as "MailItemsAccessed" and "SearchQueryInitiated", which log when users access mailbox items and when they initiate a search in Exchange (including Outlook on the web). These records include who performed the action, when it occurred, the client/app used, and other metadata that helps investigations and forensics.
Advanced Audit is not a billing tool; billing information is handled separately in Microsoft 365 admin/billing portals and isn't part of the audit schema. Likewise, audit logs do not expose message content; they capture activity metadata (actor, operation, workload, timestamp, and parameters) rather than the actual body of emails or file contents. The purpose is to improve auditability and investigation without revealing user content. Therefore, statements about viewing billing details or email contents are No, while identifying mailbox search actions (e.g., a user using the Outlook on the web search bar) is Yes, because Advanced Audit includes the SearchQueryInitiated (Exchange) event that records such activity.
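As an added example (not from the exam material or Microsoft), here is the kind of triage an investigator runs over these events once they have been exported from the unified audit log. The records below are constructed for the example: the field names (Operation, Workload, UserId, CreationTime, ClientInfoString, MailAccessType, Folders/FolderItems/InternetMessageId) follow the Exchange audit schema as documented, but the values are invented, and real MailItemsAccessed records can be aggregated (one record covering several accesses), which this sample does not model. Note that nothing in a record is a message body; what the analyst gets is who, when, from which client, and which item identifiers.

```python
import json
from collections import defaultdict

# Constructed sample audit records (values invented). Operation names
# SearchQueryInitiatedExchange and MailItemsAccessed are the Exchange events the
# explanation above describes; FileAccessed is a SharePoint record included to
# show that the Exchange-only filter ignores other workloads.
SAMPLE_AUDIT_JSON = """[
{"CreationTime":"2024-05-01T08:01:10","Operation":"SearchQueryInitiatedExchange","Workload":"Exchange",
 "UserId":"dana@contoso.example","ClientInfoString":"Client=OWA;Action=ViaProxy"},
{"CreationTime":"2024-05-01T08:01:45","Operation":"MailItemsAccessed","Workload":"Exchange",
 "UserId":"dana@contoso.example","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind",
 "Folders":[{"Path":"Inbox","FolderItems":[{"InternetMessageId":"<a1@contoso.example>"}]}]},
{"CreationTime":"2024-05-01T23:12:00","Operation":"MailItemsAccessed","Workload":"Exchange",
 "UserId":"dana@contoso.example","ClientInfoString":"Client=REST;;","MailAccessType":"Sync",
 "Folders":[{"Path":"Inbox","FolderItems":[{"InternetMessageId":"<a2@contoso.example>"},
                                           {"InternetMessageId":"<a3@contoso.example>"}]}]},
{"CreationTime":"2024-05-01T09:00:00","Operation":"FileAccessed","Workload":"SharePoint",
 "UserId":"eli@contoso.example","ClientInfoString":"Client=Browser"},
{"CreationTime":"2024-05-01T10:30:00","Operation":"SearchQueryInitiatedExchange","Workload":"Exchange",
 "UserId":"eli@contoso.example","ClientInfoString":"Client=OWA;Action=ViaProxy"}
]"""


def load_records(raw: str) -> list:
    return json.loads(raw)


def exchange_activity(records: list) -> dict:
    """Per-user summary of Exchange search and mailbox-read events.
    Only metadata is available in the records, so only metadata is summarised:
    counts of searches, item-level reads (Bind), whole-folder downloads (Sync),
    number of item identifiers touched, and the set of client strings seen."""
    out = defaultdict(lambda: {"searches": 0, "binds": 0, "syncs": 0,
                               "items": 0, "clients": set()})
    for r in records:
        if r.get("Workload") != "Exchange":
            continue
        u = out[r["UserId"]]
        u["clients"].add(r.get("ClientInfoString", ""))
        if r["Operation"] == "SearchQueryInitiatedExchange":
            u["searches"] += 1
        elif r["Operation"] == "MailItemsAccessed":
            u["syncs" if r.get("MailAccessType") == "Sync" else "binds"] += 1
            u["items"] += sum(len(f.get("FolderItems", []))
                              for f in r.get("Folders", []))
    return dict(out)


def sync_from_unexpected_client(records: list, expected_prefixes: list) -> list:
    """Flag Sync-type mailbox accesses whose ClientInfoString does not start with
    an expected client prefix. A Sync from an unfamiliar client is a common
    indicator of bulk mailbox download during a compromise investigation."""
    hits = []
    for r in records:
        if r.get("Operation") == "MailItemsAccessed" and r.get("MailAccessType") == "Sync":
            client = r.get("ClientInfoString", "")
            if not any(client.startswith(p) for p in expected_prefixes):
                hits.append((r["UserId"], r["CreationTime"], client))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_JSON)
    for user, summary in exchange_activity(recs).items():
        print(user, {k: (sorted(v) if isinstance(v, set) else v) for k, v in summary.items()})
    print("suspicious syncs:", sync_from_unexpected_client(recs, ["Client=OWA", "Client=Outlook"]))
```

The expected-client prefixes passed to sync_from_unexpected_client are an assumption for the example; in practice they come from the clients your tenant is known to use.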
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

Conditional Access policies always enforce MFA = No
Microsoft Entra Conditional Access policies are flexible and do not always require MFA. MFA is one possible control, but a policy can instead require a compliant device, block access entirely, require Terms of Use acceptance, or enforce session controls.
SCI Extract: "Conditional Access is the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. These policies can require MFA, but it is not mandatory for all policies."
Block access based on location = Yes
Conditional Access supports location-based conditions using named locations (such as countries/regions or IP ranges). Policies can block or allow access based on where the user is signing in from.
SCI Extract: "Administrators can use Conditional Access policies to block or grant access based on user location, using named locations to define trusted or risky areas."
Only affects Entra joined devices = No
Conditional Access applies to all users and devices that match the policy's conditions, including:
Entra-joined devices,
Hybrid Entra-joined devices,
Entra-registered devices (for example, enrolled through Microsoft Intune),
and even unmanaged (BYOD) devices, depending on configuration.
SCI Extract: "Conditional Access policies apply to all users and devices based on selected conditions, not only Microsoft Entra joined devices."
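The following added example (written for this page, not Microsoft's code or the exam material) models the Conditional Access evaluation the two Conditional Access explanations above describe: administrators are in scope unless excluded, only the emergency-access account is excluded, a named location can block access outright, one policy requires a compliant device without ever mentioning MFA, and a report-only policy is evaluated but not enforced. The policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.locations, grantControls.builtInControls, and the state values enabled / enabledForReportingButNotEnforced), but the evaluator itself is a simplification written for this example, and user, application and location names are used where Graph uses object IDs.

```python
from dataclasses import dataclass, field
from typing import Optional

BREAK_GLASS = "breakglass@contoso.example"   # constructed emergency-access account
TRUSTED_LOCATIONS = {"Corp HQ"}              # constructed trusted named location


@dataclass
class SignIn:
    """What the evaluator knows about one authentication attempt (constructed)."""
    user: str
    roles: set = field(default_factory=set)
    app: str = "Office 365"
    location: Optional[str] = None      # named location, None = not in any
    device_compliant: bool = False
    mfa_completed: bool = False


# Constructed policies shaped like Graph conditionalAccessPolicy objects.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block access from blocked countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["Blocked countries"], "excludeLocations": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Finance app: compliant device when off the trusted network", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Finance app"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Block everything (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _users_match(cond: dict, s: SignIn) -> bool:
    users = cond.get("users", {})
    if s.user in users.get("excludeUsers", []) or s.roles & set(users.get("excludeRoles", [])):
        return False
    inc = users.get("includeUsers", [])
    return "All" in inc or s.user in inc or bool(s.roles & set(users.get("includeRoles", [])))


def _apps_match(cond: dict, s: SignIn) -> bool:
    apps = cond.get("applications", {})
    if s.app in apps.get("excludeApplications", []):
        return False
    return "All" in apps.get("includeApplications", []) or s.app in apps.get("includeApplications", [])


def _locations_match(cond: dict, s: SignIn, trusted: set) -> bool:
    loc = cond.get("locations")
    if loc is None:                      # location condition not configured: any location
        return True
    inc, exc = loc.get("includeLocations", []), loc.get("excludeLocations", [])
    is_trusted = s.location in trusted
    if s.location in exc or ("AllTrusted" in exc and is_trusted):
        return False
    return "All" in inc or s.location in inc or ("AllTrusted" in inc and is_trusted)


def required_controls(policies: list, s: SignIn, trusted: set = TRUSTED_LOCATIONS) -> tuple:
    """Return ("block", {"block"}) if any enforced, applicable policy blocks, else
    ("grant", set_of_controls) with the union of grant controls the sign-in must satisfy."""
    needed = set()
    for p in policies:
        if p.get("state") != "enabled":  # disabled and report-only policies never enforce
            continue
        c = p["conditions"]
        if not (_users_match(c, s) and _apps_match(c, s) and _locations_match(c, s, trusted)):
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:          # block always wins over any grant control
            return ("block", {"block"})
        needed |= controls
    return ("grant", needed)


def decide(policies: list, s: SignIn) -> str:
    """Apply the required controls to what the sign-in actually presented."""
    outcome, controls = required_controls(policies, s)
    if outcome == "block":
        return "blocked"
    if "mfa" in controls and not s.mfa_completed:
        return "mfa-required"
    if "compliantDevice" in controls and not s.device_compliant:
        return "compliant-device-required"
    return "allowed"
```

Two things the run makes visible that the prose only states: the Global Administrator sign-in gets exactly the same MFA requirement as everyone else, and the break-glass account gets no controls at all, which is why Microsoft's guidance limits exclusions to that account and why a blanket "exclude admins" exclusion would be a misconfiguration.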