Free Microsoft Security SC-900 Actual Exam Questions - Question 8 Discussion
HOTSPOT For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. 
I’m thinking A is a No too because Zero Trust doesn’t trust users or devices just because they’re inside the network perimeter. For D, it feels like a Yes since continuous monitoring and validation is a must in Zero Trust to catch any suspicious activity early. C seems off since Zero Trust goes beyond just location or device risk, it’s about verifying every access request regardless. B definitely stands out as Yes since least privilege is all about limiting access, which is central to Zero Trust.
I’d say for A, it’s more of a No since Zero Trust assumes breach and never fully trusts any user or device by default. B should be Yes because least privilege access is a core principle in Zero Trust. For C, I’d go with Yes because location can be a factor but not the only one in conditional access. D definitely feels right as Yes since ongoing verification is key in Zero Trust. The framework is all about never assuming trust, so continuous checks are essential.
For D, I think it should be Yes because zero trust usually requires continuous monitoring and validation of user access, not just a one-time check. B seems tricky since zero trust isn’t just about starting with minimal settings but about ongoing verification and adapting based on risk. So, B is likely No. A and C are more straightforward if you consider the principles behind zero trust and risk-based access controls. This question really depends on how strictly they define those concepts in the exam context.
I’d say A is definitely Yes since zero trust revolves around verifying every request, no exceptions. B feels off because zero trust isn’t about default settings being minimal but about continuously checking permissions and behavior. For C, I agree with No since risk-based access covers multiple factors, not just location, so it’s too narrow. D also should be No because SaaS applications can absolutely fit into zero trust if managed right—they’re not excluded just by being SaaS. So the main thing is continuous verification and least privilege, not just defaults or app type.
I’m with the take that A is definitely Yes since verifying every access request is core to zero trust. For B, the idea of using minimum default settings feels off because zero trust is more about continuous verification and least privilege rather than just a default config. C also feels like No since conditional access covers way more than just location—it’s about multiple signals. D seems like a No too because being SaaS alone doesn’t exclude zero trust, it’s how it’s managed that matters. So overall, only A fits the true statement best here.
I agree with rejecting B since zero trust is about the principle of least privilege, not just minimum default settings. Also, for D, being SaaS doesn’t exclude zero trust, so No fits better there.
D looks off to me because just because an app is SaaS doesn’t mean it can’t be part of zero trust; it depends on configuration, not the app type itself.
For C, I’d say No because risk-based conditional access isn’t always about user location; it includes device health and other factors too. So it’s more than just that one aspect.
A seems right since zero trust always verifies every access request.
B is a trap here, it says "minimum", but it's really about default settings.