
Free Microsoft Security SC-900 Actual Exam Questions

The questions for this exam were last updated on January 9, 2026

Dumps Box (DumpsBox) offers up-to-date practice exam questions for the SC-900 certification exam, developed and validated by Microsoft subject domain experts certified in Microsoft Security SC-900. These practice questions are updated regularly: we keep an eye on any recent changes in the SC-900 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has a helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Microsoft Security SC-900 exam questions and pass your exam on the first try.

Question No. 1

HOTSPOT Select the answer that correctly completes the sentence.

Top comments
Imran I.
2026-01-18

I'd pick the option that fits with managing who can do what, probably about permissions rather than just roles. The sentence seems to need a word about controlling access rights.

0
John W.
2026-01-17

From what I can make out, the sentence is about choosing the right term related to identity or access management. If the options are about user roles or permissions, I’d focus on the term that closely relates to controlling access based on attributes or responsibilities rather than just user identity. That usually points to something like “role-based access control” instead of just “authentication” or similar concepts. So, I’d rule out answers that are about verifying identity alone and pick the one that’s about managing access rights dynamically.

0
Question No. 2

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Naveed I.
2026-01-19

Some statements clearly describe Azure AD features, so those get a Yes. Others mention endpoint detection, which only fits Defender, so No there. Mixing identity and endpoint tools can be tricky here.

0
Kevin V.
2026-01-16

This looks like it’s about Microsoft's security solutions, not just Defender. Some options seem to mix endpoint protection with identity management features, so not every statement fits all products.

0
Question No. 3

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Sohail X.
2026-02-20

I’m thinking A might be No because self-service password reset isn’t fully available in the free tier, right? So unless specified, it’s safer to say No here. B is definitely Yes for MFA as a default. For C, I’m also doubting it since not every app connects straight away with Azure AD without some setup. D has to be No because passwordless sign-in requires additional steps to activate, so it can’t be on by default.

0
Farhan W.
2026-02-17

I’d say B is definitely Yes because MFA is a core security default now. For C, I’m skeptical since not every app integrates with Azure AD by default—usually some config’s needed.

0
Question No. 4

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Andrew E.
2026-02-09

I think the first statement is a clear Yes since AES is pretty much standard now. For the second, it doesn’t really hold because less secure ciphers like RC4 have been deprecated, so No makes more sense there. The third one is tricky, but since modern TLS versions prefer GCM modes for performance and security, I’d say Yes fits better. The last definitely feels like a No because weaker MAC algorithms aren’t accepted anymore. So overall, I’d go Yes, No, Yes, No.

0
Ryan U.
2026-01-29

The first statement looks solid since AES is widely supported, but I’m skeptical about the third one being Yes since GCM isn’t always mandatory. The last definitely feels off given current security standards.

0
Question No. 5

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Irfan C.
2026-02-21

Statement 3 looks like it should be Yes since some roles can be assigned at both user and tenant scope, depending on the role type. That flexibility is key here.

0
Irfan C.
2026-02-20

I think statement 1 should be No because global admin roles impact the entire directory, not just individual users. So it’s not really user scope like that.

0
Question No. 6

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Ethan B.
2026-01-19

For the second statement about OAuth 2.0 being an authorization protocol, that’s definitely true—it’s designed for authorization, not authentication. Also, the third statement about SAML using XML makes sense; SAML is XML-based, so that should be Yes. The last statement about SAML being RESTful is false, since SAML relies on XML and SOAP, not REST. So overall, I’d say Yes for the first three and No for the last.

0
James O.
2026-01-18

This one’s tricky since the statements are about identity providers and protocols. The first statement is definitely true - OpenID Connect is built on OAuth 2.0. The last one feels off because SAML isn’t based on REST, so that should be No. For the middle ones, I’d say “Yes” to standards being used by Azure AD for federation, but I’m less sure about WS-Federation’s current role since it’s kind of legacy. Would avoid marking everything as Yes straight away since some could be partial truths or outdated info. Also watch out for confusing OAuth and OpenID - it’s a common trap here.

0
Question No. 7

HOTSPOT Select the answer that correctly completes the sentence.

Top comments
Bilal A.
2026-02-21

I’m going with C as well. Conditional Access is definitely tied to Azure AD Premium, and C highlights that integration best. The others don’t really mention the core feature like this one does. Without tier specifics, it’s a bit of a guess, but C fits the general scenario for Conditional Access use.

0
Bilal A.
2026-02-18

I’d pick C too, it’s the only one matching the conditional access feature here.

0
Question No. 8

HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Top comments
Sam Z.
2026-02-21

I’m thinking A is a No too because Zero Trust doesn’t trust users or devices just because they’re inside the network perimeter. For D, it feels like a Yes since continuous monitoring and validation is a must in Zero Trust to catch any suspicious activity early. C seems off since Zero Trust goes beyond just location or device risk, it’s about verifying every access request regardless. B definitely stands out as Yes since least privilege is all about limiting access, which is central to Zero Trust.

0
Andre U.
2026-02-16

I’d say for A, it’s more of a No since Zero Trust assumes breach and never fully trusts any user or device by default. B should be Yes because least privilege access is a core principle in Zero Trust. For C, I’d go with Yes because location can be a factor but not the only one in conditional access. D definitely feels right as Yes since ongoing verification is key in Zero Trust. The framework is all about never assuming trust, so continuous checks are essential.

0
Question No. 9

HOTSPOT Select the answer that correctly completes the sentence.

Top comments
Arjun S.
2026-01-23

I went with D here. The question is about preventing privilege escalation, and D talks about assigning permissions based on the least privilege principle, which makes sense. B seems more about monitoring rather than prevention.

0
Carlos G.
2026-01-15

B

0
Question No. 10

HOTSPOT Select the answer that correctly completes the sentence.

Top comments
David D.
2026-02-15

I agree B feels right here since it's about putting rules in place before access is allowed. The others seem off because they focus more on user verification or monitoring, not setting access requirements. It’s about controlling entry based on conditions, which is exactly what Conditional Access policies do.

0
David D.
2026-02-14

I picked B as well since it directly relates to setting conditions that must be met before granting access, which fits the sentence about controlling access. The other options mostly cover authentication methods or monitoring, not enforcing conditional policies. So, B feels like the best match here because it’s about applying rules based on user, device, or location.

0
Question No. 11
What are three uses of Microsoft Cloud App Security? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Top comments
Zain N.
2026-02-20

Probably A, C, E—B and D deal more with infrastructure, not app security.

0
Zain N.
2026-02-18

A, C, E—B and D don’t fit the cloud app security profile at all.

0
Question No. 12
What can you use to provision Azure resources across multiple subscriptions in a consistent manner?
Top comments
Osama X.
2026-02-21

B. Azure Blueprints lets you set up environments repeatedly across subscriptions; it's designed for consistent initial provisioning, not continuous policy enforcement like D.

0
Osama X.
2026-02-20

Makes sense to rule out A and C since they’re more security-focused; B fits provisioning best.

0
Question No. 13
Which two types of devices can be managed by using Endpoint data loss prevention (Endpoint DLP)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Top comments
Adeel E.
2026-02-16

It’s A and D, since Endpoint DLP primarily supports Windows and macOS devices.

0
Sohail S.
2026-01-29

A and D definitely. Endpoint DLP is mainly focused on desktops, so Windows 11 and macOS are the solid picks. Linux and mobile OS support isn’t fully baked yet.

0
Question No. 14
To which three locations can a data loss prevention (DLP) policy be applied? Each correct answer presents a complete solution.
NOTE: Each correct answer is worth one point.
Top comments
Sarah S.
2026-02-17

C imo, public folders are still part of Exchange Online, so they should be included for DLP policies alongside emails (A). Teams messages (D) might be partially supported, but I wouldn’t count on full coverage everywhere yet. Viva Engage (E) feels less likely since it’s more community/social than document or email storage. So I’d go with A, B, and C as the main solid choices here.

0
Paul L.
2026-02-14

A/B/C? Exchange Online public folders seem like a standard DLP target alongside emails and OneDrive. Teams and Viva Engage might have more limited or evolving support.

0
Question No. 15
You need to keep a copy of all files in a Microsoft SharePoint site for one year, even if users delete the files from the site. What should you apply to the site?
Top comments
Paul C.
2026-02-13

Makes sense to pick B since retention policies specifically handle preserving files after deletion, unlike the other options. Sticking with B here.

0
Andre X.
2026-02-13

B, because DLP and sensitivity labels don’t preserve deleted files like retention policies do.

0