MS SC 900 Assessment Flashcards

1
Q

What is the minimum edition of Azure AD needed to use Azure AD Privilege Identity Management (PIM)?
Select only one answer.

A. Free
B. Office 365 Apps
C. Azure AD Premium P1
D. Azure AD Premium P2

A

D. Azure AD Premium P2

Explanation:
Azure AD Premium P2 is the only edition that provides PIM support. PIM (just-in-time, time-bound, approval-gated activation of privileged roles) and Identity Protection are P2-only features; Premium P1 adds Conditional Access and group-based licensing over the Free edition but does not include PIM.

2
Q

You need to allow external users to use either Microsoft accounts or Google accounts to access an application hosted in Azure.

What is the minimum edition of Azure AD that you can use?
Select only one answer.

A. Free
B. Office 365 Apps
C. Azure AD Premium P1
D. Azure AD Premium P2

A

A. Free

Explanation:
Azure AD B2B collaboration, part of External Identities, is available in every edition including Free: guests can be invited with a Microsoft account or a Google account and keep authenticating with their own identity provider. External Identities is billed per monthly active user (with a free allowance), not by edition, so Premium P1 or P2 is not required for this scenario; P1 and P2 add features such as Conditional Access and Identity Protection on top of it.

3
Q

An organization is migrating to the Microsoft cloud. The plan is to use a hybrid identity model.

What can be used to sync identities between Active Directory Domain Services (AD DS) and Azure AD?
Select only one answer.

A. Active Directory Federation Services (AD FS)
B. Microsoft Sentinel
C. Azure AD Connect
D. Azure AD Privileged Identity Management (PIM)

A

C. Azure AD Connect

Explanation:
Azure AD Connect (and its lighter successor, Azure AD Connect cloud sync) synchronizes users, groups and, optionally, password hashes from AD DS to Azure AD, which is what a hybrid identity model is built on. AD FS is a federation server: it can be the authentication method in a hybrid deployment (federated sign-in), but it does not synchronize identities, so Azure AD Connect is still required alongside it. Microsoft Sentinel is a SIEM/SOAR product, not an identity product. PIM manages and monitors activation of privileged roles; it does not sync accounts.

4
Q

Which authentication method can use a time-based, one-time password?
Select only one answer.

A. Windows Hello
B. OATH hardware tokens
C. strong passwords
D. password hash synchronization

A

B. OATH hardware tokens

Explanation:
OATH hardware tokens generate time-based one-time passwords (TOTP, RFC 6238): an HMAC over a shared seed and the current 30-second time step, truncated to six or eight digits, so each code is valid only briefly. A strong password is a static secret and can be replayed. Password hash synchronization copies a hash of the on-premises password hash to Azure AD so the same password works in the cloud; it is a sync mechanism, not a credential the user presents. Windows Hello (for Business) unlocks a device-bound key with a biometric or a PIN; it does not produce rotating codes.

5
Q

Which two additional forms of authentication are available in Azure AD for multi-factor authentication (MFA) from any device? Each correct answer presents a complete solution.

A. the Microsoft Authenticator app
B. voice call
C. face recognition
D. fingerprint recognition

A

A. the Microsoft Authenticator app
B. voice call

Explanation:
The Microsoft Authenticator app (push approval or its built-in one-time code) and a voice call to a registered phone number can be used from any device. Face and fingerprint recognition in Azure AD are delivered through Windows Hello for Business, which is bound to a specific Windows device and therefore cannot be used from anywhere else.

6
Q

What are three things that a user can use for Azure AD Multi-Factor Authentication (MFA)? Each correct answer presents a complete solution.

A. something the claimant knows
B. something the claimant has
C. something the claimant is
D. something the claimant can not reuse
E. something the claimant solves

A

A. something the claimant knows
B. something the claimant has
C. something the claimant is

Explanation:
Azure AD MFA requires at least two different factor types: something you know (a password or PIN), something you have (a phone, the Authenticator app, an OATH token or a FIDO2 security key) and something you are (a biometric). "Cannot reuse" describes a property of one-time codes, not a factor category, and "solves" is not a factor at all.

7
Q

Which Azure AD feature helps reduce help desk calls and the loss of productivity when a user cannot sign in to their device or an application?

A. Self-service password reset (SSPR)
B. Identity Protection
C. Conditional Access
D. Azure AD Password Protection

A

A. Self-service password reset (SSPR)

Explanation:
SSPR lets users reset or unlock their own password after proving who they are with their registered authentication methods, so no administrator or help desk ticket is involved. Identity Protection detects risky users and sign-ins; it can force a secure password change on a risky user, but that still depends on the user being registered for SSPR, and it does nothing for an ordinary forgotten password. Conditional Access combines signals to decide whether to grant, block or challenge access; it does not reset passwords. Azure AD Password Protection blocks weak and banned passwords at the moment they are set.

8
Q

Which three actions should be performed to enable self-service password reset (SSPR) for a user? Each correct answer presents part of the solution.
Select all answers that apply.

A. Assign an Azure AD license.
B. Enable SSPR for the user.
C. Register an authentication method.
D. Sign up for a Microsoft account.
E. Create a custom banned password list.

A

A. Assign an Azure AD license.
B. Enable SSPR for the user.
C. Register an authentication method.

Explanation:
To use SSPR, a user must hold an Azure AD license, SSPR must be enabled for that user (directly or through a group) by an administrator, and the user must have registered the authentication methods they will use to prove their identity. Registering two or more methods is recommended so that a reset still works if one method is unavailable. A Microsoft account is a consumer identity and plays no part in tenant SSPR; a custom banned password list belongs to Azure AD Password Protection, not to SSPR.

9
Q

What can be used to enforce multi-factor authentication (MFA) when users access an application registered in Azure AD?
Select only one answer.

A. password hash synchronization
B. Conditional Access
C. role-based access control (RBAC)
D. a network security group (NSG)

A

B. Conditional Access

Explanation:
Conditional Access evaluates conditions such as the target cloud app, the user or group, the device and the sign-in risk, and can require MFA as a grant control before access to that app is allowed. Password hash synchronization only syncs credentials from Active Directory. RBAC provides authorization (what an already-authenticated principal may do), not authentication. An NSG filters network traffic by address, port and protocol and knows nothing about user identity.

10
Q

Which condition can you use in a Conditional Access policy to evaluate the likelihood that a user account was compromised?
Select only one answer.

A. location
B. device State
C. user risk
D. sign-in risk

A

C. user risk

Explanation:
User risk is the probability that the identity itself has been compromised (for example, its credentials appeared in a leak) and is attached to the account rather than to a single sign-in. Sign-in risk is the probability that a particular authentication request is not from the account owner, such as a sign-in from an anonymous IP address or an impossible travel pattern. Device platform and device state conditions evaluate the client device (its operating system, compliance or hybrid join status), and locations match the sign-in against named IP ranges or countries.

11
Q

What should you use in Azure AD to provide users with the ability to perform administrative tasks?
Select only one answer.

A. app registrations
B. external identities
C. groups
D. roles

A

D. roles

Explanation:
Azure AD roles bundle the permissions needed for specific administrative tasks; you assign a role to a user (or, with Premium P1, to a role-assignable group) to grant those permissions. App registrations represent applications, external identities are guest users, and groups on their own carry no administrative permissions.

12
Q

What is the least privileged Azure AD role that can be used to create and manage users and groups?
Select only one answer.

A. Global Administrator
B. Security Administrator
C. User Administrator
D. Teams Administrator

A

C. User Administrator

Explanation:
User Administrator can create and manage users and groups (and reset passwords for non-administrators). Global Administrator can also do this, but it carries far more privilege than the task needs. Security Administrator manages security features but cannot create users, and Teams Administrator manages only Microsoft Teams settings.

13
Q

What can you use to receive alerts for potentially compromised user accounts without blocking the users from signing in?
Select only one answer.

A. real-time sign-in risk detection
B. user risk
C. Application Signal
D. cloud apps or actions

A

B. user risk

Explanation:
User risk represents the probability that an identity or account is compromised, reported as high, medium or low. A user risk policy can be configured to alert and report rather than to block sign-in or require a password change, so admins receive the signal without interrupting users. Sign-in risk detection is evaluated per authentication attempt and is the basis for real-time blocking or MFA challenges; "cloud apps or actions" is a Conditional Access assignment, not a risk signal.

14
Q

What is the difference between Azure AD role-based access control (RBAC) and Azure RBAC?
Select only one answer.

A. Azure AD roles control access to resources such as users, groups, and applications. Azure roles control access to resources, such as virtual machines.
B. Azure AD roles control access to resources, such as virtual machines. Azure roles control access to resources, such as users, groups, and applications.
C. Users with Azure AD roles can make purchases and manage subscriptions. Users with Azure roles have access to all the administrative features in Azure AD.
D. Users with Azure AD roles have access to all the administrative features in Azure AD. Users with Azure roles can make purchases and manage subscriptions.

A

A. Azure AD roles control access to resources such as users, groups, and applications. Azure roles control access to resources, such as virtual machines.

Explanation:
Azure AD built-in and custom roles are a form of RBAC: they control access to Azure AD resources such as users, groups and app registrations. This is referred to as Azure AD RBAC. In the same way, Azure roles (Owner, Contributor, Reader and the resource-specific roles) control access to Azure resources such as virtual machines and storage accounts, scoped to a management group, subscription, resource group or individual resource. This is referred to as Azure RBAC. The concept is the same in both, but the two role systems are separate and what they control is different: a Global Administrator has no permissions on Azure resources unless that access is explicitly elevated or assigned.

15
Q

What is a user risk in Azure AD Identity Protection?
Select only one answer.

A. leaked credentials
B. atypical travel
C. password spray
D. anonymous IP address

A

A. leaked credentials

Explanation:
Leaked credentials is a user risk detection: it indicates that the account's credentials have been exposed, independent of any particular sign-in. Atypical travel, anonymous IP address and password spray are sign-in risk detections, because they are evaluated against individual authentication attempts.

16
Q

Which security model uses a layered approach to security, providing mechanisms to stop a breach at the perimeter of each layer?
Select only one answer.

A. shared responsibility
B. defense in depth
C. Zero Trust
D. Payment Card Industry Data Security Standards (PCI DSS) compliance

A

B. defense in depth

Explanation:
Defense in depth uses a layered approach to security (physical, identity, perimeter, network, compute, application, data), so that a breach of one layer is stopped or slowed by the next. Zero Trust is a set of principles (verify explicitly, least privilege, assume breach), not a layering model. The shared responsibility model defines which security tasks belong to the cloud provider and which to the customer. PCI DSS is a compliance standard, not a security model.

17
Q

Which encryption method uses the same key to encrypt and decrypt data?
Select only one answer.

A. symmetric encryption
B. asymmetric encryption
C. hashing
D. generating a public key

A

A. symmetric encryption

Explanation:
Symmetric encryption uses the same key to encrypt and decrypt the data, so both parties must already share that key. Asymmetric encryption uses a key pair: a public key that anyone can use to encrypt a message for the key's owner, and a private key, kept secret, that alone can decrypt it (the same pair supports digital signatures in the opposite direction). Hashing converts input of any length into a fixed-length value called a hash; it uses no key and cannot be reversed, so it is not encryption. Generating a public key is one step of asymmetric key generation, not an encryption method.
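As an added example (not code from this flashcard deck), the following Python puts the three primitives side by side using only the standard library. The symmetric cipher is a toy keystream built from HMAC-SHA256 in counter mode and the asymmetric part is textbook RSA with tiny primes; both are written so the key relationships are visible and neither is a substitute for a real library cipher such as AES-GCM or RSA-OAEP.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


# --- symmetric: one shared key, used both ways ---------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter)
    blocks. Toy construction for illustration; use AES-GCM in real code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; reuse leaks XOR of plaintexts
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))  # same key regenerates the same stream
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# --- asymmetric: public key encrypts, only the private key decrypts ------
def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from caller-supplied primes. Tiny primes and no padding:
    illustration only, never use for real data."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)  # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


# --- hashing: no key, fixed length, one way ------------------------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = sym_encrypt(key, b"same key both ways")
    print(sym_decrypt(key, blob))

    public, private = rsa_keygen(61, 53, e=17)  # the classic textbook pair
    c = rsa_encrypt(public, 65)
    print(c, rsa_decrypt(private, c), rsa_decrypt(public, c))  # public exponent does not recover 65

    print(sha256_hex(b"abc"), len(sha256_hex(b"abc")))
```

The two points worth noticing when running it: decrypting with the wrong symmetric key, or with the RSA public key instead of the private one, produces garbage rather than an error (a real scheme adds authentication so tampering and wrong keys are detected), and the SHA-256 output is 64 hex characters whether the input is empty or ten thousand bytes.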

18
Q

What is a guiding principle of the Zero Trust model?
Select only one answer.

A. verify explicitly
B. advance user access
C. test for breach
D. trust the local network

A

A. verify explicitly

Explanation:
The Zero Trust model has three guiding principles: verify explicitly (authenticate and authorize on every available signal), use least privilege access, and assume breach. Trusting the local network is exactly the perimeter assumption Zero Trust rejects.

19
Q

Which pillar of an identity infrastructure is responsible for defining the level of access a user has over the resources on a network?
Select only one answer.

A. administration
B. authentication
C. authorization
D. auditing

A

C. authorization

Explanation:
Authorization is responsible for determining which level of access authenticated users have. Administration is responsible for managing user accounts. Authentication is responsible for identifying who a user is. Auditing is responsible for keeping track of how authentication, authorization, administration, and access to resources occurs.

20
Q

What is a benefit of single sign-on (SSO) compared to other authentication methods?
Select only one answer.

A. Users can access resources in their domain.
B. Users can authenticate once and access resources anywhere.
C. Devices can be shared by multiple users.
D. Devices can only be used by a single user.

A

B. Users can authenticate once and access resources anywhere.

Explanation:
With SSO a user authenticates once to an identity provider and then accesses multiple applications and resources without signing in to each one separately. Being able to access resources within a single domain says nothing about how many times the user must authenticate, and device sharing is a device-management question: every user of a shared device still has to authenticate as themselves.

21
Q

What are two characteristics of an identity as the primary security perimeter model? Each correct answer presents a complete solution.
Select all answers that apply.

A. Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network.
B. Only corporate devices can be used to complete corporate tasks.
C. Bring your own device (BYOD) can be used to complete corporate tasks.
D. Software as a service (SaaS) applications for business-critical workloads cannot be hosted outside of a corporate network.

A

A. Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network.
C. Bring your own device (BYOD) can be used to complete corporate tasks.

Explanation:
SaaS applications for business-critical workloads can be hosted outside of the corporate network and BYOD can be used to complete corporate tasks in the identity as the primary security perimeter model. The other options represent the traditional perimeter-based security model.

22
Q

What is a feature of single sign-on (SSO)?
Select only one answer.

A. enables a user to sign in once, and then not have to sign in again
B. leverages individual identity providers
C. uses one credential to access multiple applications or resources
D. eliminates the need for password resets due to a centralized directory

A

C. uses one credential to access multiple applications or resources

Explanation:
SSO allows a user to sign in with a single credential and gain access to multiple applications and resources. It does not guarantee that the user is never asked to sign in again: sessions expire, and Conditional Access can demand re-authentication. It relies on a centralized identity provider rather than a separate identity provider per application, and it has nothing to do with password resets.

23
Q

What are types of distributed denial-of-service (DDoS) attacks?
Select only one answer.

A. password spray, protocol attacks, and man-in-the-middle (MITM) attacks
B. password spray, dictionary attack, and resource layer attacks
C. resource layer attacks, protocol attacks, and volumetric attacks
D. dictionary attacks, man-in-the-middle (MITM) attacks, and volumetric attacks

A

C. resource layer attacks, protocol attacks, and volumetric attacks

Explanation:
Resource (application) layer attacks, protocol attacks and volumetric attacks are the three common DDoS categories: volumetric attacks saturate bandwidth, protocol attacks exhaust state in network devices (for example, SYN floods), and resource layer attacks target the application itself (for example, HTTP floods). Password spray, dictionary attacks and MITM attacks go after credentials or sessions, not availability, so they are not DDoS attacks.

24
Q

Which Azure feature provides network-level filtering, application-level filtering, and outbound SNAT?
Select only one answer.

A. distributed denial-of-service (DDoS) protection
B. Azure Firewall
C. Azure Web Application Firewall (WAF)
D. Azure Bastion hosts

A

B. Azure Firewall

Explanation:
Azure Firewall is a managed, stateful firewall that applies network rules (IP address, port, protocol), application rules (FQDN-based filtering) and threat intelligence, and it performs source NAT for outbound traffic so that all egress appears to come from its public IP address. DDoS protection mitigates volumetric floods but does not filter individual flows. Azure WAF is layer-7 protection for web applications, not a general network filter with SNAT. Azure Bastion is a jump host for RDP and SSH access, not a filter.
25
Q

What Azure feature provides application-level filtering and SSL termination?
Select only one answer.

A. distributed denial-of-service (DDoS) protection
B. Azure Firewall
C. Azure Web Application Firewall (WAF)
D. Azure Bastion hosts

A

C. Azure Web Application Firewall (WAF)

Explanation:
Azure WAF, deployed on Application Gateway or Azure Front Door, filters HTTP(S) requests against managed rule sets such as the OWASP Core Rule Set and terminates TLS so that it can inspect request content. DDoS protection does not filter individual requests. Azure Firewall filters at the network and application (FQDN) level but is not a reverse proxy that terminates TLS for web applications (Azure Firewall Premium can inspect TLS, but it is not a WAF). Bastion provides RDP and SSH access and does no filtering.

26
Q

What can you use to connect to Azure virtual machines remotely over RDP and SSH from the Azure portal?
Select only one answer.

A. Azure Web Application Firewall (WAF)
B. Azure AD Identity Protection
C. Microsoft Defender for Cloud
D. Azure Bastion

A

D. Azure Bastion

Explanation:
Azure Bastion is a managed jump host deployed into the virtual network that brokers RDP and SSH sessions to virtual machines over TLS from the Azure portal (or a native client), so the VMs need neither a public IP address nor inbound RDP/SSH ports exposed to the internet. Azure WAF protects web applications, Identity Protection detects risky identities, and Defender for Cloud reports on posture and workload protection; none of them provides a remote session to a VM.
27
Q

You have the following inbound network security group (NSG) security rules in Azure:

AllowVNetInBound with a priority of 65000

AllowAzureLoadBalancerInBound with a priority of 65001

DenyAllInBound with a priority of 65500

No other inbound rules were defined for the NSG.

In which order will the rules be processed?
Select only one answer.

A. The AllowVNetInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG, is the DenyAllInBound rule.
B. The DenyAllInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG is the AllowVNetInBound rule.
C. The AllowAzureLoadBalancerInBound rule is processed first. The AllowVNetInBound rule is processed second. The last rule that will be processed in the NSG is the DenyAllInBound rule.
D. The DenyAllInBound rule is processed first. The AllowVNetInBound rule is processed second. The last rule that will be processed in the NSG is the AllowAzureLoadBalancerInBound rule.

A

A. The AllowVNetInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG, is the DenyAllInBound rule.

Explanation:
NSG rules are processed in ascending order of priority number: the lowest number is evaluated first, and processing stops at the first rule whose source, destination, port and protocol match, so later rules are never consulted for that flow. The three rules listed are Azure's default inbound rules, placed at the highest numbers so that any custom rule (priority 100 to 4096) is evaluated before them; without a custom allow rule, traffic that is not from the virtual network or the Azure load balancer falls through to DenyAllInBound.

28
Q

Which Azure service provides centralized protection of web apps from common exploits and vulnerabilities?
Select only one answer.

A. Azure Key Vault
B. Azure Web Application Firewall (WAF)
C. Azure AD Identity Protection
D. Microsoft Defender for Cloud

A

B. Azure Web Application Firewall (WAF)

Explanation:
Azure WAF provides centralized protection of web apps from common exploits and vulnerabilities such as SQL injection and cross-site scripting, using managed rule sets. Key Vault is a centralized cloud service for storing secrets, keys and certificates. Identity Protection detects identity risk. Microsoft Defender for Cloud provides security posture management and workload protection across Azure, hybrid and multicloud resources; it can recommend deploying a WAF but does not itself filter web traffic.

29
Q

Which two characteristics are part of a security orchestration automated response (SOAR) solution? Each correct answer presents a complete solution.
Select all answers that apply.

A. collection of data from IT estate
B. correlation of data
C. action-driven workflows
D. issue mitigation

A

C. action-driven workflows
D. issue mitigation

Explanation:
Action-driven workflows (playbooks) and issue mitigation are the job of a SOAR system: it takes an alert or incident and runs an automated response. Collecting data from the IT estate and correlating it into alerts are SIEM functions.

30
Q

Which two types of security systems make up Microsoft Sentinel? Each correct answer presents part of the solution.
Select all answers that apply.

A. data loss prevention (DLP)
B. security information and event management (SIEM)
C. security orchestration automated response (SOAR)
D. endpoint protection platform (EPP)

A

B. security information and event management (SIEM)
C. security orchestration automated response (SOAR)

Explanation:
Microsoft Sentinel combines SIEM (data collection, correlation and analytics) and SOAR (automated response through playbooks) in one cloud-native service. DLP and EPP are separate product categories, covered by Microsoft Purview DLP and Microsoft Defender for Endpoint respectively.

31
Q

What can you use in Microsoft Sentinel to create visual reports?
Select only one answer.

A. workbooks
B. analytics
C. playbooks
D. hunting

A

A. workbooks

Explanation:
You can monitor data by using Microsoft Sentinel's integration with Azure Monitor workbooks, which render interactive visual reports over the workspace data. Analytics rules correlate events into alerts and group related alerts into incidents. Playbooks are Azure Logic Apps workflows that run from Microsoft Sentinel in response to an alert or incident. Hunting provides KQL queries, mapped to MITRE ATT&CK tactics, for proactively searching the data before any alert fires.

32
Q

Select the answer that correctly completes the sentence.

In Microsoft Sentinel, an incident is a group of related [answer choice].
Select only one answer.

A. alerts
B. workbooks
C. security tasks
D. hunting queries

A

A. alerts

Explanation:
In Microsoft Sentinel an incident is a group of related alerts that together represent a possible threat to investigate and act on. Analytics rules generate the alerts and group them into incidents; workbooks are visual reports, and hunting queries are used for proactive searching rather than for grouping.
33
Q

Which feature is only available in Microsoft Defender for Office 365 Plan 2?
Select only one answer.

A. Attack Simulator
B. Safe Links
C. Anti-phishing protection
D. Real-time detections

A

A. Attack Simulator

Explanation:
Attack simulation training (the Attack Simulator) is available only in Microsoft Defender for Office 365 Plan 2, together with Threat Explorer and automated investigation and response. Safe Links, anti-phishing protection and Real-time detections are included in Plan 1, and therefore also in Plan 2.

34
Q

Which feature in Microsoft Defender for Cloud Apps is used to retrieve data from activity logs?
Select only one answer.

A. Cloud Discovery
B. App connectors
C. policies
D. the Cloud apps catalog

A

B. App connectors

Explanation:
App connectors use the cloud app providers' APIs to retrieve activity logs and account information from connected apps. Policies detect risky behavior, violations and suspicious data points. The Cloud app catalog is where apps are sanctioned or unsanctioned. Cloud Discovery analyzes traffic logs to identify which cloud apps an organization is actually using.

35
Q

For which two services does Microsoft Secure Score provide recommendations? Each correct answer presents a complete solution.
Select all answers that apply.

A. Azure AD
B. Microsoft Teams
C. Azure SQL Database
D. Azure Cosmos DB

A

A. Azure AD
B. Microsoft Teams

Explanation:
Microsoft Secure Score in the Microsoft 365 Defender portal provides recommendations for Microsoft 365 (including Exchange Online), Azure AD, Microsoft Defender for Endpoint, Defender for Identity, Defender for Cloud Apps and Microsoft Teams. Recommendations for Azure resources such as Azure SQL Database and Azure Cosmos DB come from the separate secure score in Microsoft Defender for Cloud.