Preparing for the SC-900 Security, Compliance, and Identity Fundamentals exam? Testing yourself with realistic practice questions is the best way to identify knowledge gaps and build confidence before exam day.
These 25 questions aren't basic definitions; they are scenario-based questions that mirror the actual exam format. Each question includes detailed explanations for all answer options, helping you understand not just what's correct, but why the other options are wrong.
What You'll Get:
- 25 practice questions across all SC-900 exam domains
- Detailed explanations for correct and incorrect answers
- Real exam format with scenario-based questions
- Coverage of Zero Trust, Azure AD, the Defender suite, and Compliance Manager
Created by Microsoft certified security professionals with hands-on experience, these questions reflect current exam objectives and the question patterns you'll encounter on test day.
How to Use These Practice Questions
Getting the Most Value
Don't casually browse. Treat this as a mini practice exam for maximum learning:
1. Take it as a timed test: give yourself 25 minutes for all 25 questions
2. Don't peek at answers: complete all questions before checking results
3. Review ALL explanations, even for correct answers: you might have guessed
4. Identify weak areas: note which domains need more study focus
Practice Test Instructions
- Each question has ONE correct answer
- Read scenarios carefully before selecting your answer
- Track your answers (write them down)
- Scroll to the answer key after finishing
- Target completion time: 25 minutes
Security, Compliance & Identity Concepts
Questions 1-4
Zero Trust Principles
Your organization is implementing a Zero Trust security model. The security team needs to ensure that every access request is fully authenticated and authorized regardless of where it originates, inside or outside the corporate network. They also want to minimize the impact of a potential breach.
Which Zero Trust principle addresses limiting the impact of a breach?
Defense in Depth
Your company is designing a security strategy for their Azure infrastructure. They want to implement multiple layers of protection so that if one security control fails, others will still provide protection.
Which security principle are they implementing?
Shared Responsibility Model
Your organization is moving workloads to Azure using Platform as a Service (PaaS). The security team needs to understand who is responsible for securing the operating system.
In a PaaS model, who is responsible for operating system security?
Encryption Concepts
Your company stores sensitive customer data in Azure Storage. The compliance team requires that data must be protected both when stored on disk and when being transmitted over the network.
Which two types of encryption should be implemented? (Choose two)
Identity & Access Management Solutions
Questions 5-11
Azure Active Directory
Your company wants to implement a cloud-based identity and access management solution for managing user access to Microsoft 365, Azure, and other cloud applications. Which Microsoft service should they use?
Select the correct answer:
Multi-Factor Authentication
The IT team wants to add an extra layer of security beyond passwords for user sign-ins. They want users to verify their identity using something they have (like a phone) in addition to something they know (password).
What should they implement?
Conditional Access
Your security team wants to automatically require MFA when users sign in from untrusted locations or devices, but allow passwordless sign-in from company devices. Which Azure AD feature enables this?
Select the correct answer:
Azure AD Identity Protection
Your organization wants to automatically detect and respond to identity-based risks like compromised credentials, impossible travel, and suspicious sign-in patterns. Which Azure AD feature provides this?
Select the correct answer:
Single Sign-On (SSO)
Employees complain about having to sign in separately to Microsoft 365, Salesforce, and other cloud apps. What capability allows users to sign in once and access all authorized applications?
Select the correct answer:
Role-Based Access Control (RBAC)
Your company needs to grant specific Azure permissions to users based on their job roles. For example, developers should be able to manage virtual machines but not modify billing. What access control model should you use?
Select the correct answer:
Privileged Identity Management (PIM)
Your security team wants to provide just-in-time administrative access that expires after a set time period, rather than permanent admin rights. Which Azure AD feature enables this?
Select the correct answer:
Microsoft Security Solutions
Questions 12-19
Microsoft Defender for Cloud
Your organization uses Azure and needs a solution that provides security recommendations, detects vulnerabilities, and continuously monitors the security posture of their cloud resources. Which service should they use?
Select the correct answer:
Microsoft Sentinel
The security team needs a cloud-native SIEM (Security Information and Event Management) solution that can collect security data from across the organization, detect threats using AI, and automate incident response.
Which Microsoft solution provides these capabilities?
Azure Key Vault
Your development team needs to securely store application secrets, API keys, and encryption keys that their applications need to access. Which Azure service is specifically designed for this purpose?
Select the correct answer:
Microsoft Defender for Endpoint
Your company needs endpoint protection for Windows, macOS, Linux, Android, and iOS devices that can detect malware, ransomware, and advanced threats. Which Microsoft solution provides this?
Select the correct answer:
Microsoft Defender for Office 365
The IT team wants to protect against phishing emails, malicious attachments, and unsafe links in Microsoft 365 email and collaboration tools. Which solution provides this protection?
Select the correct answer:
Microsoft Defender for Cloud Apps
Your security team needs visibility into cloud app usage, the ability to control data sharing, and protection against threats in sanctioned and unsanctioned cloud applications. Which solution provides this?
Select the correct answer:
Azure DDoS Protection
Your company's public-facing web application in Azure needs protection against distributed denial-of-service (DDoS) attacks. Which Azure service provides automatic DDoS protection?
Select the correct answer:
Azure Firewall
Your network team needs a cloud-based network security service that can filter traffic, provide threat intelligence, and centrally create, enforce, and log application and network connectivity policies. What should they use?
Select the correct answer:
Microsoft Compliance Solutions
Questions 20-25
Service Trust Portal
Your compliance officer needs to access audit reports, compliance guides, and security assessments for Microsoft cloud services. Where should they look for this information?
Select the correct answer:
Microsoft Purview
Your organization needs to discover, classify, and protect sensitive data across Microsoft 365, including emails, documents, and Teams conversations. Which solution provides these data governance capabilities?
Select the correct answer:
Compliance Manager
The compliance team wants to assess their organization's compliance posture, get recommendations for improvement, and track progress toward regulatory requirements like GDPR and ISO 27001.
Which tool should they use?
Sensitivity Labels
Your organization wants to classify and protect documents and emails by applying labels like "Confidential" or "Public." These labels should persist with the data and apply encryption. What Microsoft feature provides this?
Select the correct answer:
Data Loss Prevention (DLP)
The compliance team wants to prevent users from accidentally sharing credit card numbers, social security numbers, or other sensitive information via email or Teams. What Microsoft feature should they implement?
Select the correct answer:
Retention Policies
Your legal department requires that all financial emails be kept for 7 years for regulatory compliance, while general emails can be deleted after 1 year. What Microsoft feature manages data lifecycle this way?
Select the correct answer:
Answer Key & Explanations
Scoring Guide
- 20-25 correct: Excellent! You're exam-ready
- 15-19 correct: Good progress. Review weak areas
- 10-14 correct: More study needed. Focus on core concepts
- Below 10: Spend more time with learning materials
Question 1: C - Assume breach
Explanation: "Assume breach" means designing security as if attackers are already in your environment. This principle minimizes blast radius through segmentation, encryption, and analytics.
Why not A? "Verify explicitly" is about authentication and authorization, not limiting breach impact.
Why not B? Least privilege limits access but doesn't specifically address breach containment.
Question 2: B - Defense in depth
Explanation: Defense in depth is the strategy of using multiple layers of security controls. If one layer fails, others continue protecting resources.
Question 3: B - Microsoft is responsible for the operating system
Explanation: In PaaS, Microsoft manages the operating system, runtime, and middleware. Customers are responsible for applications and data.
Question 4: A and B - Encryption at rest and in transit
Explanation: Encryption at rest protects data stored on disk. Encryption in transit protects data being transmitted over networks. Both are needed for comprehensive protection.
Question 5: A - Azure Active Directory (Azure AD)
Explanation: Azure AD is Microsoft's cloud-based identity and access management service. It manages user identities for Microsoft 365, Azure, and third-party cloud apps.
Question 6: B - Multi-Factor Authentication (MFA)
Explanation: MFA requires multiple forms of verification: something you know (password), something you have (phone), and/or something you are (biometrics).
Question 7: B - Conditional Access
Explanation: Conditional Access policies use signals like location, device state, and risk level to automatically enforce access controls like requiring MFA.
Question 8: A - Azure AD Identity Protection
Explanation: Identity Protection uses AI and machine learning to detect risky sign-ins, compromised credentials, and anomalous user behavior, then automatically responds based on risk policies.
Question 9: B - Single Sign-On (SSO)
Explanation: SSO allows users to authenticate once with Azure AD and automatically access all integrated applications without signing in again.
Question 10: B - Role-Based Access Control (RBAC)
Explanation: RBAC assigns permissions based on job roles. Users inherit permissions from their assigned roles rather than receiving individual permissions.
Question 11: C - Privileged Identity Management (PIM)
Explanation: PIM provides just-in-time privileged access with time-bound activation, approval workflows, and audit trails for administrative roles.
Question 12: A - Microsoft Defender for Cloud
Explanation: Defender for Cloud provides security posture management and threat protection for Azure, hybrid, and multi-cloud environments.
Question 13: B - Microsoft Sentinel
Explanation: Sentinel is Microsoft's cloud-native SIEM and SOAR solution. It collects security data, uses AI for threat detection, and automates incident response.
Question 14: B - Azure Key Vault
Explanation: Key Vault securely stores and manages secrets, encryption keys, and certificates. Applications can retrieve secrets programmatically without embedding them in code.
Question 15: A - Microsoft Defender for Endpoint
Explanation: Defender for Endpoint is an enterprise endpoint security platform that detects, investigates, and responds to advanced threats across all major operating systems.
Question 16: B - Microsoft Defender for Office 365
Explanation: Defender for Office 365 protects against phishing, malware, and unsafe attachments and links in email, Teams, SharePoint, and OneDrive.
Question 17: A - Microsoft Defender for Cloud Apps
Explanation: Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, data control, and threat protection across cloud applications.
Question 18: B - Azure DDoS Protection
Explanation: Azure DDoS Protection provides automatic protection against distributed denial-of-service attacks with always-on traffic monitoring.
Question 19: B - Azure Firewall
Explanation: Azure Firewall is a managed, cloud-based network security service that filters traffic using application and network rules with built-in threat intelligence.
Question 20: B - Service Trust Portal
Explanation: The Service Trust Portal provides access to audit reports, compliance documentation, and security assessments for Microsoft cloud services.
Question 21: B - Microsoft Purview
Explanation: Microsoft Purview provides data governance, including data discovery, classification, and protection across Microsoft 365 services.
Question 22: B - Microsoft Compliance Manager
Explanation: Compliance Manager assesses compliance posture, provides improvement actions, and tracks progress toward regulatory standards like GDPR and ISO 27001.
Question 23: B - Sensitivity labels
Explanation: Sensitivity labels classify and protect data by applying persistent labels with optional encryption, content marking, and access restrictions.
Question 24: C - Data Loss Prevention (DLP) policies
Explanation: DLP policies detect and prevent unauthorized sharing of sensitive information like credit card numbers, SSNs, and other protected data types.
Question 25: B - Retention policies and retention labels
Explanation: Retention policies and labels manage the data lifecycle by automatically retaining or deleting content after specified time periods for compliance requirements.
Frequently Asked Questions
What score do I need to pass SC-900?
You need a score of 700 out of 1000 to pass SC-900. This is a scaled score, meaning approximately 70% of questions must be answered correctly.
Are these practice questions similar to the real exam?
Yes. These questions mirror the real exam format with scenario-based questions covering all SC-900 domains: security concepts, identity management, security solutions, and compliance.
How many practice questions do I need before taking SC-900?
We recommend practicing with 300-400 unique questions across all domains. This ensures comprehensive coverage and familiarity with question formats.
What is the hardest part of SC-900?
Most candidates find the Microsoft Defender suite and compliance solutions challenging due to the number of similar-sounding products. Focus on understanding when to use each tool rather than memorizing features.
Can I pass SC-900 without security experience?
Yes. SC-900 is an entry-level certification designed for beginners. With 2-3 weeks of focused study, candidates without security backgrounds regularly pass.