CS-900 Microsoft Security Fundamentals

Question 1

Describe the shared responsibility model

Answer 1

Identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer. The responsibilities vary depending on where the workload is hosted. It makes responsibilities clear.

Question 2

Defense in Depth

Answer 2

Layered approach to security, rather than relying on a single perimeter. A defense in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker getting unauthorized access to data.

Question 3

Zero Trust Model

Answer 3

Assumes everything is on an open and untrusted network, even resources behind the firewalls of the corporate network. The Zero Trust model operates on the principle of “trust no one, verify everything.”

Question 4

Encryption

Answer 4

Is the process of making data unreadable and unusable to unauthorized viewers. To use or read encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryptions: symmetric and asymmetric.

Question 5

Hashing

Answer 5

Uses an algorithm to convert text to a unique fixed-length value called a hash. Each time the same text is hashed using the same algorithm, the same hash value is produced.

Question 6

Salted

Answer 6

Refers to adding a fixed-length random value to the input of hash functions to create unique hashes for same input.

Question 7

Data Compliance

Answer 7

Regulations to help protect and govern the use of data. From personal and financial information to data protection and
privacy, organizations can be accountable for meeting dozens of regulations to be compliant

Question 8

Data residency

Answer 8

Governs the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally. These regulations can differ significantly depending on jurisdiction.

Question 9

Data sovereignty

Answer 9

The concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it’s physically collected, held, or processed. Can be subject to laws from different countries/regions if processing, storage or collection are done in different locations

Question 10

Data privacy

Answer 10

Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations

Question 11

Personal Data or PII

Answer 11

Any data that is directly linked or indirectly linkable back to a person

Question 12

Azure Policy

Answer 12

Enforce standards and assess compliance across your organization no matter who you are, evaluates all
resources in Azure and Arc enabled resources

Question 13

Azure Role Based Access Control (RBAC)

Answer 13

Manages who has access to Azure resources, what they can do with those resources,
and what areas they can access

Question 14

Data Catalog

Answer 14

Find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels, and more

Question 15

Data Estate Insights

Answer 15

Gives a bird’s eye view and at a glance understanding of what data is actively scanned, where sensitive data is, and how it moves

Question 16

Data Map

Answer 16

Scanning registered data sources is able to capture metadata about enterprise data, to identify and classify sensitive data

Question 17

Authentication (AuthN)

Answer 17

Process of proving that a person is who they claim to be.

Question 18

Authorization (AuthZ)

Answer 18

What that person can see and touch and where they can go (Permissions).

Question 19

Identity

Answer 19

Set of things that define or characterize someone or something. (Username and password)

Question 20

4 Pillars:

Answer 20

Administration – creation and management/governance of identities for users, devices, and services
Authentication – sufficient proof that you are who you claim to be
Authorization – level of access granted to entity
Auditing – tracking of who does what, when, where, and how (in-depth reporting)

Question 21

Identity Provider

Answer 21

Creates, maintains, and manages while providing authentication, authorization, and auditing

Question 22

Active Directory

Answer 22

Stores info about members of the domain including devices and users, verifies their credentials and defines their access rights

Question 23

Federation

Answer 23

Enables the access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity provider.

Question 24

Azure AD Free

Answer 24

You can administer users, create groups, sync with on premise AD, create basic reports, config self service passwords, and enable single sign on

Question 25

Office 365 Apps – Everything from free plus self-service password reset, device writeback (2-way access with on prem).

Answer 25

Everything from free plus self-service password reset, device writeback (2-way access with on premise).

Question 26

Azure AD Premium 1

Answer 26

Everything from Free and Office 365 plus advanced admin, dynamic groups, self-service group management, Microsoft IAM, and cloud write back.

Question 27

Azure Ad Premium 2

Answer 27

All of the above plus Azure ID protection (risked based conditional access to apps), Privileged ID Management (discover, restrict, and monitor) admins and their access

Question 28

Users

Answer 28

Representations of something that is managed in Azure (employees, guests).

Question 29

Service Principal

Answer 29

Identity for an application, register with Azure AD, enables AuthN and AuthZ

Question 30

Managed Identities

Answer 30

Type of service principal that are automatically managed in Azure AD. Eliminate the need for developers to manage credentials

Question 31

System Assigned Identity

Answer 31

When you enable managed identity on a service instance. Tied to lifecycle and is deleted when resource is deleted.

Question 32

User Assigned Identity– manage as a stand alone can be assigned to 1 or more instances of a service.

Answer 32

Manage as a stand alone can be assigned to 1 or more instances of a service.

Question 33

Azure AD Registered Devices

Answer 33

Provides users with support for bring your own device (BYOD) or mobile device.

Question 34

Azure AD Joined

Answer 34

Device joined to Azure AD through an organizational account, which is then used to sign into the device. Azure AD joined devices are generally owned by the organization

Question 35

Hybrid Azure AD Joined

Answer 35

Existing on-premises Active Directory implementations can benefit from the functionality provided by Azure AD. The devices are joined to your on-premises Active Directory and Azure AD requiring organizational account to sign into the device

Question 36

External Identities

Answer 36

Set of capabilities that enable organizations to allow access to external users, such as customers or partners

Question 37

B2B

Answer 37

Allows you to share your organization’s applications and services with guest users from other organizations, while maintaining control over your own data

Question 38

B2C

Answer 38

Customer identity access management (CIAM) solution. allows external users to sign in with their preferred social, enterprise, or local account identities

Question 39

Hybrid Identity

Answer 39

Identity solutions span on-premises and cloud-based capabilities and create a common user identity for authentication and authorization to all resources, regardless of location

Question 40

Azure AD Password hash synchronization

Answer 40

Simplest way to enable authentication for on-premises directory objects in Azure AD

Question 41

Azure AD pass through authentication

Answer 41

Allows users to sign into both on-premises and cloud-based applications using the same passwords

Question 42

Federated authentication

Answer 42

Azure AD hands off the authentication process to a separate trusted authentication system, to validate the user’s password

Question 43

Windows Hello

Answer 43

Replaces passwords with strong two-factor authentication on devices. Key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics)

Question 44

Fido2

Answer 44

Open standard for password less authentication uses an external security key, or a platform key built into a device

Question 45

Azure AD Password Protection

Answer 45

Detects, and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization

Question 46

Protecting against password spray

Answer 46

Password spray attacks submit only a few of the known weakest passwords against each of the accounts in an enterprise

Question 47

Hybrid security

Answer 47

Component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD

Question 48

Conditional Access

Answer 48

Policies that provides an extra layer of security before allowing authenticated users to access data or other assets.

Question 49

Conditional Access Signals

Answer 49

User or group membership, Named Location, Device, Application, Real time sign in risk detection, Cloud apps or actions, User risk

Question 50

Access Controls

Answer 50

Decisions to grant access, block access, that require extra verification (MFA, Device or App is Compliant, etc.)

Question 51

Sessions controls

Answer 51

Enable limited experiences within specific cloud apps. (Blocking copy, paste, cut, print, etc.…)

Question 52

Built-in-Roles

Answer 52

Pre-Configured and can not be altered in anyway (Global Admin, User Admin, Billing Admin)

Question 53

Custom Roles

Answer 53

Allows you to choose permissions from a list of available permissions in the system

Question 54

Scope

Answer 54

Set of Azure AD resources the role member has access to.

Question 55

Azure AD Specific

Answer 55

Grant permissions to manage resources with Azure only

Question 56

Azure AD Service Specific

Answer 56

For major Microsoft 365 services Azure has built in roles that grant permissions to manage those services

Question 57

Azure AD Cross Service

Answer 57

Roles that span across services like security admin and compliance admin

Question 58

Azure AD Cross Service

Answer 58

Roles that span across services like security admin and compliance admin

Question 59

Azure AD RBAC

Answer 59

Control access to Azure AD resources like groups, users, and apps

Question 60

Azure RBAC

Answer 60

Control access to Azure resource like virtual machines or storage

Question 61

Identity Governance

Answer 61

Gives the ability to control the identity lifecycle, access lifecycle, and secure privileged access for admins

Question 62

Identity Lifecycle

Answer 62

No access (Pre-Employment), Join (Hired), Move (Role change), Leave (retirement). Updating access to what a user needs access to at each point in the journey

Question 63

Privileged access Lifecycle

Answer 63

Monitoring of admin access to reduce risk of misuse

Question 64

Entitlement Management

Answer 64

Enables managing identity and access at scale by automating access request workflows, access assignments, reviews, and expirations

Question 65

Challenges when managing employee access to resources

Answer 65

Access for external users
Internal users do not know what access they need
Getting approval for access
Holding access for longer than needed

Question 66

Capabilities to address these challenges

Answer 66

Delegate to non admins

users can be invited into directory and removed automatically

Question 67

Access Reviews

Answer 67

Enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment

Question 68

Terms of use

Answer 68

Are presented to users prior to access, relevant disclaimers

Question 69

Conditional Access

Answer 69

Requires users to accept terms of use prior to gaining access

Question 70

Privileged Identity Management (PIM)

Answer 70

Enables you to manage, control, and monitor access to important resources

Question 71

Security information and event management (SIEM)

Answer 71

Identity protection tool like Microsoft Sentinel

Question 72

Sign-in Risks Detected by Azure AD

Answer 72

Anonymous IP address
Atypical travel
Malware linked IP address
Unfamiliar sign-in properties
Password spray 
Azure AD threat intelligence

Question 73

User Risks Detected by Azure AD

Answer 73

Leaked credentials

Azure AD threat intelligence

Question 74

Azure Identity Protection reports

Answer 74

risky user, risky sign ins, risk detections

Question 75

Distributed Denial of Service (DDoS)

Answer 75

Purpose is to overwhelm the resources of your apps and services making them slow and unresponsive

Question 76

Volumetric attacks

Answer 76

Flood the network with seemingly legitimate traffic, overwhelming the available bandwidth.

Question 77

Protocol attacks

Answer 77

Render a target inaccessible by exhausting server resources with false protocol requests that exploit weaknesses in layer 3 (network) and layer 4 (transport) protocols.

Question 78

Resource (application) layer attacks

Answer 78

Target web application packets, to disrupt the transmission of data between hosts.

Question 79

Azure DDoS Protection

Answer 79

Designed to protect apps and servers by analyzing network traffic and discarding anything that looks like a DDoS attack
Always on

Question 80

Azure Firewall

Answer 80

Managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers

Question 81

Azure Firewall Features

Answer 81

Built-in high availability and availability zones
Network and application-level filtering
Outbound SNAT and inbound DNAT to communicate with internet resources
Multiple public IP addresses
Threat intelligence
Integration with Azure Monitor

Question 82

Web Application Firewall (WAF)

Answer 82

Centralized protection of your web applications from common exploits and vulnerabilities

Question 83

Azure Virtual Network (VNet)

Answer 83

Fundamental building block for your organization’s private network in Azure.

Question 84

Network security groups (NSGs)

Answer 84

Allow you to filter network traffic to and from Azure resources in an Azure virtual network

Question 85

Inbound & Outbound Security

Answer 85

Evaluated by priority using five information points: source, source port, destination, destination port, and protocol to either allow or deny the traffic
Can not be removed but can be overwritten by new rules with higher priority

Question 86

NSG Rule Properties

Answer 86

unique name that describes its purpose
priority order, with lower numbers processed before higher numbers.
Source or destination
Protocol
Direction, in or out
Port range
Action

Question 87

Azure Bastion

Answer 87

Service you deploy that lets you connect to a virtual machine using your browser and the Azure portal

Question 88

Just in Time Access (JIT)

Answer 88

Allows lock down of the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed
Microsoft Defender for servers to be enabled

Question 89

Bastion Features

Answer 89

DP and SSH directly in Azure portal
Remote session over TLS and firewall traversal for RDP/SSH:
No Public IP required on the Azure VM
No hassle of managing NSGs
Protection against port scanning
Hardening in one place to protect against zero-day exploits

Question 90

Azure Storage Service Encryption

Answer 90

Protects data at rest by automatically encrypting it and decrypts the data before retrieval

Question 91

Azure Disk Encryption

Answer 91

Encrypt Windows and Linux IaaS virtual machine disks (bitlocker)

Question 92

Transparent Data Encryption (TDE)

Answer 92

Real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application

Question 93

Azure Key Vault

Answer 93

Centralized cloud service for storing your application secrets

Question 94

Cloud security posture management (CSPM)

Answer 94

New class of tools designed to assess system automatically and alert IT if vulnerability is found

Question 95

Microsoft Defender for Cloud

Answer 95

Tool for threat protection and security posture management by protecting workloads running in
Azure, hybrid, and other cloud platforms by continuously assessing, securing, and defending

Question 96

Cloud workload Protection (CWP)

Answer 96

Detect and resolve threats to resources, workloads, and services

Question 97

Defender for Cloud Free

Answer 97

Provides the secure score and its related features: security policy, continuous security assessment, and actionable security recommendations

Question 98

Defender for Cloud Enhanced Security

Answer 98

Extends the capabilities of the free mode to workloads running in Azure, hybrid, and other cloud platforms, providing unified security management and threat protection across your workloads

Question 99

Defender Enhanced Security Features:

Answer 99

Comprehensive endpoint detection and response.
Vulnerability scanning for virtual machines, container registries, and SQL resources
Multi-cloud security
Hybrid security
Threat protection alerts
Track compliance with a range of standards
Access and application controls

Question 100

Azure Security Benchmark (ASB) - provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure (Very similar to the CCM)

Answer 100

Provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure (Very similar to the CCM)

Question 101

Security Baselines for Azure

Answer 101

Provide organizations a consistent experience when securing their environment through improved tooling, tracking, and security features

Question 102

Security information event management (SIEM)

Answer 102

Tool to collect data from across the whole estate, including infrastructure, software, and resources and analyzes, looks for correlations or anomalies, and generates alerts and incidents

Question 103

Security orchestration automated response (SOAR)

Answer 103

Takes the alerts and triggers action driven automated workflows and process to run security and mitigate issues

Question 104

Sentinel

Answer 104

Single solution for alert detection, threat visibility, proactive hunting, and threat response.

Question 105

End-to-end functionality of Microsoft Sentinel

Answer 105

Collect
Detect
Investigate
Respond

Question 106

Capacity Reservations

Answer 106

You’re billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel

Question 107

Pay-As-You-Go

Answer 107

You’re billed per gigabyte (GB) for the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.

Question 108

365 Defender

Answer 108

Enterprise defense suite that protects against sophisticated cyberattacks that can natively coordinate the detection, prevention, investigation, and response to threats across endpoints, identities, email, and applications

Question 109

Defender for Office 365

Answer 109

Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools

Question 110

Defender for Office 365 Keys areas of cover

Answer 110

Threat protection policies
Reports
Threat investigation and response capabilities
Automated investigation and response capabilities

Question 111

Defender for Endpoint

Answer 111

Is a platform designed to help enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats. This technology built into Windows 10 and MSFT cloud services.

Question 112

Defender for Endpoint includes

Answer 112

Threat and vulnerability management
Attack surface reduction
Next generation protection
Endpoint detection and response
Automated investigation and remediation 
Microsoft Threat Experts
Management and APIs

Question 113

Defender for cloud

Answer 113

Comprehensive cross-SaaS solution that operates as an intermediary or CASB between a cloud user and the cloud provider

Question 114

Cloud Access Security Broker (CASB) - a gatekeeper to broker real-time access between your enterprise users and the cloud resources they use at all times and on any device

Answer 114

Gatekeeper to broker real-time access between your enterprise users and the cloud resources they use at all times and on any device

Question 115

Defender for cloud Four Pillars

Answer 115

Visibility
Threat Protection
Data Security
Compliance

Question 116

Defender for cloud Framework

Answer 116

Discover and control the use of Shadow IT
Protect against cyberthreats and anomalies
Protect your sensitive information anywhere in the cloud
Assess your cloud apps’ compliance

Question 117

Defender for Cloud Features and Functionality

Answer 117

Cloud Discovery 
Sanction and un-sanctioning apps 
App Connectors 
Conditional Access 
Policies

Question 118

Defender for Identity

Answer 118

Uses on premises Active Directory Data to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions

Question 119

Defender Portal

Answer 119

Natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks

Must be assigned the appropriate role to access the Portal

Question 120

Hunting

Answer 120

Query-based threat-hunting tool that lets security professionals explore up to 30 days of raw data

Question 121

Threat Analytics

Answer 121

Threat intelligence solution from expert Microsoft security researchers

Question 122

Secure Score

Answer 122

Represents a company security posture

Question 123

Learning Hub

Answer 123

Official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at docs.microsoft.com

Question 124

Reports

Answer 124

General security report, and branch into specific reports about endpoints, email & collaboration

Question 125

Service Trust Portal

Answer 125

Provides information, tools, and other resources about Microsoft security, privacy, and compliance practices

Question 126

Trust Portal Provides Access to

Answer 126

Compliance Manager
Trust Documents
Industries & Regions
Trust Center
Resources
My Library
More - Global admin only

Question 127

Privacy Principles

Answer 127

Control
Transparency
Security
Strong Legal Protection
No Content Based Targeting
Benefits to You

Question 128

Priva

Answer 128

Microsoft’s way of assisting customers with privacy. Using a privacy by default stance

Question 129

Purview Compliance Portal

Answer 129

Tools and data that are needed to help understand and manage an organization’s compliance needs
Requires Global Admin, Compliance Admin, or Compliance data admin to access

Question 130

Compliance Manager

Answer 130

Feature of Purview to help with compliance requirements by inventorying risks, managing controls, staying current with regulations and certs

Question 131

Compliance Manager Key Elements

Answer 131

Controls - requirement of a regulation, standard, or policy defining how to assess and manage
Assessments - grouping of controls from a specific regulation, standard, or policy
Templates - help admins to quickly create assessments, can be modified for specific needs
Improvement Actions - centralize compliance activities, recommended guidance to align with data protection regulations and standards

Question 132

Benefits of Compliance Manager

Answer 132

Translating complicated regulations, standards, company policies, or other control framework
Providing access to a large variety of out-of-the-box assessments and custom assessments
Mapping regulatory controls against recommended improvement actions
Providing step-by-step guidance on how to implement the solutions
Helping admins and users to prioritize actions that will have the highest impact

Question 133

Use and Benefits of Compliance Score

Answer 133

Measures progress in completing recommended improvement actions within controls
Understand current compliance posture
Prioritize actions based on their potential to reduce risk

Question 134

Purview Data Lifecycle Management

Answer 134

Import, store, and classify business-critical data so you can keep what you need and delete what you don’t

Question 135

Know your data

Answer 135

Understand data landscape and identify important data across on-premises, cloud, and hybrid environments

Question 136

Protect your data

Answer 136

Apply flexible protection actions including encryption, access restrictions, and visual markings

Question 137

Prevent data loss

Answer 137

Detect risky behavior and prevent accidental oversharing of sensitive information

Question 138

Govern your data

Answer 138

Automatically keep, delete, and store data and records in a compliant manner

Question 139

Three ways to identify items for classification:

Answer 139

Manually, pattern recognition, machine learning

Question 140

Sensitivity Labels

Answer 140

Add layer of security that is used to determine what can be done with the content

Question 141

Label Policies

Answer 141

Publish labels to be used to groups or users

Question 142

Endpoint data loss Prevention

Answer 142

Extends the activity monitoring and protection to items that are physically stored

Question 143

Data loss prevention in Microsoft Teams

Answer 143

Administrators can define policies that prevent users from sharing sensitive information in a Teams chat session or channel, whether in a message, or a file

Question 144

Retention Label and Policies

Answer 144

Help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted

Question 145

Records Management

Answer 145

solution to manage regulatory, legal, and business-critical records across their corporate data

Question 146

Records Management Features

Answer 146

Labeling content as a record.
Establishing retention and deletion policies within the record label
Triggering event-based retention.
Reviewing and validating disposition.
Proof of records deletion.
Exporting information about disposed items.

Question 147

Insider Risk Management

Answer 147

Helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities.

Question 148

Insider risk management workflow

Answer 148

Identify, investigate, and address internal risks using policy templates, comprehensive activity signaling across Microsoft 365, and a flexible workflow

Question 149

Insider risk management is centered around

Answer 149

Transparency
Configurability
Integrated
Actionable

Question 150

Communication Compliance

Answer 150

Helps minimize communication risks by enabling organizations to detect, capture, and take remediation
actions for inappropriate messages

Question 151

Information Barriers

Answer 151

policies that admins can configure to prevent individuals or groups from communicating with each other
Can only be used as a two-way solution. Cannot block in one direction

Question 152

eDiscovery Solutions in Purview

Answer 152

identifying and delivering electronic information that can be used as evidence in legal cases.

Question 153

Three Levels of eDiscovery Solutions

Answer 153

Content Search - tool to search for content across Microsoft 365 data sources and then export the search results to a local computer
eDiscovery (Standard) – above plus, enabling you to create eDiscovery cases and assign eDiscovery managers to specific cases.
eDiscovery (Premium) – above plus, provides an end-to-end workflow to identify, preserve, collect, review, analyze, and export content that’s responsive to your organization’s internal and external investigations

Question 154

Audit Solutions in Purview

Answer 154

help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations

Question 155

Audit Standard

Answer 155

Ability to log and search for audited activities and power your forensic, IT, compliance, and legal investigations. On by default for all orgs

Question 156

Audit Premium

Answer 156

Builds on standard with audit log retention policies and longer retention of audit records, audit records for high-value crucial events to help investigate possible security or compliance breaches and determine the scope of compromise, more bandwidth to access auditing logs

Question 157

Azure Policy

Answer 157

Enforce standards and assess compliance across your organization no matter who you are, evaluates all resources in Azure and Arc enabled resources

Question 158

Azure Policy Triggers

Answer 158

A resource has been created, deleted, or updated in scope with a policy assignment.
A policy or an initiative is newly assigned to a scope.
A policy or an initiative that’s been assigned to a scope is updated.
The standard compliance evaluation cycle (happens once every 24 hours

Question 159

Azure Blueprints

Answer 159

Way to define a repeatable set of Azure resources, for rapid deployment and provisioning of new environments

Question 160

Microsoft Purview

Answer 160

Unified data governance service that helps organizations manage and govern their on-premises, multi-cloud, and software-as-a-service (SaaS) data. With Microsoft Purview, organization can create a holistic, up-to-date map of the organization’s data landscape with automated data discovery, sensitive data
classification, and end-to-end data lineage.