Azure, Cloud Computing, Cyber Security

8 Mins Read

Top 25 Sample Questions for Microsoft Security, Compliance, and Identity Fundamentals SC-900 Certification Exam

Voiced by Amazon Polly

Security is one of the most in-demand skills in the current age. There are about 3.5 million+ available jobs in the security domain but organizations are unable to find the correct resources for their requirement. Microsoft is one of the leading providers of security solutions in the current era. It provides solutions to protect and manage identities, protection from threats, and also methods to be compliant with a lot of different regulations. Microsoft also has 4 certifications that help us prove our expertise in those solutions.

The certifications are:

SC-900: Microsoft Security, Compliance, and Identity Fundamentals

SC-200: Microsoft Security Operations Analyst

SC-300: Microsoft Identity and Access Administrator

SC-400: Microsoft Information Protection Administrator

In this article, we will try to discuss 25 sample questions for the SC-900 certification exam.

If you are just starting your journey as a beginner, here is a Study Guide for SC-900 Microsoft Security, and Compliance Fundamentals Certification Exam. 


  1. There are two steps involved in creating a digital signature from a message. What are they?

Select one or more:

  1. hash value
  2. signer’s private key
  3. the hash value is signed using the signer’s private key.
  4. digital signature


  1. The Zero Trust model has three principles that guide and underpin how security is implemented. Which are these three principles?

Select one:

  1. verify explicitly, least privilege access, and assume breach.
  2. least privilege access, verify implicitly and assume breach.
  3. verify implicitly, verify explicitly, and assume breach.
  4. verify implicitly, verify explicitly, and least privilege access.


  1. A defense-in-depth strategy uses series of mechanisms to slow the advance of an attack. Which security strategy is used by Defense-in-depth rather than relying on a single perimeter?

Select one:

  1. application layer approach
  2. network security
  3. layered approach
  4. data layer security


  1. Your organization wants to ensure that the stored sensitive data of employees is encrypted. Which security mechanism should you use?

Select one:

  1. Hashing
  2. Digital signing
  3. Encryption at rest.
  4. Encryption in transit


  1. The user wants to see information, tools, and other resources about Microsoft security, privacy, and compliance practices.

What should I use:

  1. Compliance Manager
  2. Service trust portal
  3. Compliance trust portal.
  4. Service manager


  1. An employee of your organization informs that he has received a mail which tells that your organization wants you to change your password for security purposes. But the mail is redirecting to some random website to change username password. Which type of attack it is?

Select one:

  1. Password-based attacks
  2. Spear phishing
  3. Phishing
  4. Spam


  1. Your organization wants to use modern authentication which allows the user to log in once and ensure that the credentials can be used to access multiple applications or resources. Which capability of an identity provider will help you achieve the goal?

Select one:

  1. Passwords always expire after 72 days.
  2. directory services
  3. a central identity provider can be used.
  4. single sign-on (SSO)


  1. How many types of risks are there and what are they?

Select one:

  1. two, identity risk and physical risk
  2. three, sign-in risk, user risk, and ethical risk
  3. two, user risk and sign-in risk.
  4. four, sign-in risk, user risk, identity risk, and ethical risk


  1. Your organization has an Azure AD free edition subscription. You are concerned if the free license has any object limit. Does the free license have any limit?

Select one:

  1. Yes
  2. No


  1. What is included in the free edition subscription of Azure AD?

Select one or more:

  1. Intune and Privileged Identity Management
  2. Office 365 and Azure, Dynamics 365
  3. Privileged Identity Management
  4. Intune and Power Platform


  1. An organization has developed an application and wants to give the capability to its users to sign in using Facebook, Google and Twitter credentials. You need to recommend an authentication solution to the team. Which one of the below options would be best suited?

Select one:

  1. Azure AD B2C
  2. Service principal
  3. Legacy authentication
  4. Assigned identities


  1. Your company has Microsoft 365 cloud identities for all users in the company.

What type of identity model is being used here?

Select one:

  1. Cloud only
  2. Cloud and Hybrid
  3. Hybrid-only
  4. On-premises only


  1. You want to get alerts for Data exfiltration, honeytokens, and other attacks such as account enumeration, remote code execution, etc. Which one of the following tools will you use to get alerts of these attacks on your on-prem AD?

Select one:

  1. Defender for Endpoint
  2. Defender for Office365
  3. Defender for Identity
  4. Defender for AD


  1. You have a hybrid infrastructure in place for your organization. What type of identity solution is your organization using if your organization has hashes of the password stored in the cloud?

Select one:

  1. Pass-through authentication.
  2. Password hash synchronization
  3. Federation authentication
  4. None of the above


  1. Recently your IT team has been under great pressure because of the numerous numbers of requests they have been receiving from the team for password resets. You find that this can also lead to bigger security risks for the organization. What should you recommend being implemented here?

Select one:

  1. Self- Service password reset.
  2. FIDO2
  3. Bitlocker encryption
  4. None of the above


  1. You forgot your password in the organization. Now you want to do a self-service password reset. How will you reset the password?

Select one or more:

  1. Enabled for SSPR by an administrator
  2. Account unlock – when a user can’t sign in because their account is locked out and want to unlock their account.
  3. Password reset – when a user knows their password but wants to change it to something new.
  4. Assigned an Azure AD license


  1. Which feature is more secure than a password?

Select one:

  1. Hybrid security
  2. Windows Hello
  3. OAUTH
  4. Security questions


  1. Your organization wants you to implement conditional access for the organization. You must grant and deny access for selected users. What must do you do to implement conditional access?

Select one:

  1. Check that all users have multi-factor authentication enabled.
  2. Remove all Global Admin roles assigned to users.
  3. Replace Global Admin roles with specific Azure AD roles.
  4. Create policies that enforce organizational rules.


  1. Your organization named Contoso has most of its data stored in the Azure Cloud. The security admin wants to have encryption for the data. Which one of the below services would help you in storing your application secrets?

Select one:

  1. Azure BitLocker
  2. Azure Key Vault
  3. Data encryption
  4. Key management system


  1. You are the security admin of an organization. You get to know about the Microsoft Secure score which gives you the current security posture of your organization in terms of a score. You check the score and find that the current score is well below the industry standards. What should you do?

Select one:

  1. Close recommendations
  2. Remove recommendations.
  3. Directly resolve recommendations.
  4. Take action on the improvement actions open.


  1. Your organization has a certain business requirement where it needs to continuously monitor the security status of its network. What Security Center tool would you recommend?

Select one:

  1. Continuous assessment.
  2. Network map.
  3. Network assessment
  4. Microsoft Defender


  1. You have a user named UserA who has been assigned to complete certain tasks in the compliance center. Which one of the below permissions the user would need to access that portal?

Select one:

  1. Compliance Administrator role
  2. Helpdesk Administrator role
  3. User Administrator role
  4. None of the above


  1. You are exploring the compliance manager in the compliance center portal. In the assessments option, you see three controls, namely, your controls shared controls, and Microsoft managed controls. What is the meaning of shared control?

Select one:

  1. Controls that both external regulators and Microsoft share responsibility for implementing.
  2. Controls that both your organization and external regulators share responsibility for implementing.
  3. Controls that both your organization and Microsoft share responsibility for implementing.
  4. Both controls are managed by the customer
  1. Due to certain compliance regulations, your organization needs to keep the data of the clients for 7 years stored on a specific site. You have been asked to find a solution to this issue. What should you recommend?

Select one:

  1. Sensitivity labels
  2. Retention policies
  3. Content Explorer
  4. Alert policies


  1. Due to certain compliance regulations, your organization needs to keep the data of the clients for 5 years stored in a specific one drive site and delete it automatically. You plan to use retention labels. Will the goal be accomplished?

Select one:

  1. Yes
  2. No

Customized Cloud Solutions to Drive your Business Success

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Correct Answers:

  1. Answer: A, & C
    Explanation: First, a hash value is created from the message. In the second step, the hash value is signed, using the signer’s private key. 
  2. Answer: A
    Explanation: The Zero Trust model has three principles that guide and underpin how security is implemented. These are: verify explicitly, least privilege access, and assume breach.
  3. Answer: C
    Explanation: Defense in depth uses a layered approach to security, rather than relying on a single perimeter. A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack.
  4. Answer: C
    Explanation: Data at rest is the data that’s stored on a physical device, such as a server. It may be stored in a database or a storage account but, regardless of where it’s stored, encryption of data at rest ensures the data is unreadable without the keys and secrets needed to decrypt it.
  5. Answer: B
    Explanation: The Service Trust Portal provides information, tools, and other resources about Microsoft security, privacy, and compliance practices.
  6. Answer: C
    Explanation: A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity and password.
  7. Answer: D
    Explanation: With SSO, the user logs in once, and that credential is used to access multiple applications or resources.,to%20every%20application%20they%20use.&text=You%20can%20find%20your%20apps,how%20it’s%20implemented%20in%20Azure.
  8. Answer: C
    Explanation: There are two types of risk: user risk and sign-in risk. User risk represents the probability that a given identity or account is compromised. Sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.,user’s%20identity%20has%20been%20compromised.
  9. Answer: AExplanation: The free version of Azure AD has an object limit of 500000 object limits.
  10. Answer: B, & D
    Explanation: The free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform.
  11. Answer: A
    Explanation: Azure AD B2C authentication feature allows users to be able to sign in with their Facebook, Google, or Twitter credentials.
  12. Answer: A
    Explanation: A cloud-only identity uses user accounts that exist only in Azure AD. Cloud-only identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.,exist%20only%20in%20Azure%20AD.&text=Both%20on%2Dpremises%20and%20remote,stored%20user%20accounts%20and%20passwords.
  13. Answer: C
    Explanation: Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
  14. Answer: B
    Explanation: Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
  15. Answer: A
    Explanation: With SSPR (Self-service password reset) users would have the ability to reset their account passwords without getting in touch with the IT team by using methods such as phone numbers, security questions, etc.
  16. Answer: A & D
    Explanation: To use the self-service password reset, users must be: 1) Assigned an Azure AD license. 2) Enabled for SSPR by an administrator. 3) Registered, with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.
  17. Answer: B
    Explanation: Windows Hello for Business is more secure because it uses PINs and biometric data to authenticate users.
  18. Answer: D Explanation: Conditional access is implemented using policies that enforce organizational rules.
  19. Answer: B
    Explanation: Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. 
  20. Answer: D
    Explanation: You’re given points for Addressing the improvement action with a third-party application or software or alternate mitigation.
  21. Answer: B
    Explanation: The network map provides a map of the topology of your network workloads, which lets you block unwanted connections. The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources.
  22. Answer: A
    Explanation: To grant permissions to a user to perform a compliance task, add them to the appropriate Security & Compliance Center role group.
  23. Answer: C
    Explanation: An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment help you meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, helps to bring your Microsoft 365 settings in line with ISO 27001 requirements.
  24. Answer: B
    Explanation: To assign your retention settings to content, use retention policies and retention labels with label policies. You can use just one of these methods or combine them. Use a retention policy to assign the same retention settings for content at a site or mailbox level and use a retention label to assign retention settings at an item level (folder, document, email).
  25. Answer: A
    Explanation: You can create and configure a retention policy that automatically deletes content five years after it’s last modified and apply the policy to all OneDrive accounts.,publish%20to%20all%20OneDrive%20accounts.


These are some of the sample questions which you can expect in the SC-900 Microsoft Security, Compliance, and Identity Fundamentals. If you have just started your journey in Microsoft Security, this would be a good starting point. You can attend training by CloudThat to expedite the learning process.

SC-900 Training course Microsoft Security Compliance and Identity Fundamentals. 

In any case, you will need to tap into a question bank to practice more before you appear for the certification exam. Review through CloudThat’s TestPrep for thorough preparation.

Feel free to drop any questions in the comment box, I would love to address them and support your career growth. I hope you enjoyed the article. Best of luck!

Stay tuned for more sample questions on Microsoft Security.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More


CloudThat is a leading provider of cloud training and consulting services, empowering individuals and organizations to leverage the full potential of cloud computing. With a commitment to delivering cutting-edge expertise, CloudThat equips professionals with the skills needed to thrive in the digital era.



  1. Yanish

    Jun 20, 2022


    Hi Nako, your observation is correct that the labels must be published. But as retention labels are a partially correct answer that is why the answer is yes.

  2. Nako Ming

    Jun 19, 2022


    Question 25 is wrong, it should be no, as RETENTION LABELS on their own will not work, you need a policy.

    • Yanish

      Jun 20, 2022


      Hi Nako, your observation is correct that the labels must be published. But as retention labels are a partially correct answer that is why the answer is yes.

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!