Microsoft Security, Compliance, and Identity Fundamentals · Domain 2 · 27% of exam

Describe the capabilities of Microsoft Entra

Drill 20 practice questions focused entirely on Describe the capabilities of Microsoft Entra for the Microsoft SC-900 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A compliance officer at Contoso needs to ensure that members of a sensitive project group are periodically re-evaluated so that people who no longer need access are removed. The officer wants group owners to attest to each member's continued need for access on a recurring basis. Which Microsoft Entra capability should be used?

Reviewed for accuracy · Report an issue
Question 2 of 20

A security administrator notices that several sign-ins to Microsoft 365 are occurring through older email clients that do not support modern authentication, and these clients cannot enforce multi-factor authentication. The administrator wants to automatically block these legacy authentication attempts across the organization based on signals like the client app being used. Which Microsoft Entra capability should the administrator configure?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company wants to eliminate passwords for employees signing in to Microsoft Entra ID. They need a phishing-resistant authentication method that uses a physical hardware security key employees plug into their laptops, with no password entered at any point. Which authentication method should they deploy?

Reviewed for accuracy · Report an issue
Question 4 of 20

A company wants to allow employees to access Microsoft 365 from any location, but if a user signs in from an untrusted network, they must complete multi-factor authentication before access is granted. Which Conditional Access configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

A company wants to reduce multifactor authentication prompts for employees who sign in from inside the corporate headquarters. Administrators plan to define the office's public IP address range so that Conditional Access policies can treat sign-ins from that range differently from sign-ins elsewhere. Which Microsoft Entra Conditional Access feature should they configure to represent the corporate office by its IP range?

Reviewed for accuracy · Report an issue
Question 6 of 20

A company wants to test a new Conditional Access policy that would require access to a sensitive finance application only from compliant devices. The security team is concerned about accidentally locking users out before they can verify the policy behaves as expected. Which Conditional Access policy state should they use to evaluate the impact without enforcing the controls?

Reviewed for accuracy · Report an issue
Question 7 of 20

A security administrator wants to require multi-factor authentication only when users sign in from outside the corporate network, while allowing seamless access from trusted office locations. Which Microsoft Entra capability lets the administrator enforce this based on signals such as user location?

Reviewed for accuracy · Report an issue
Question 8 of 20

A financial services company allows employees to access a sensitive payroll web application from personal, unmanaged devices. Security requires that users be forced to re-authenticate every 4 hours during their session with this app, rather than remaining signed in for the default period. Which Conditional Access session control should the administrator configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company must ensure that all external partners accessing a shared SharePoint site formally accept a legal disclaimer before they can open any files. Compliance requires proof that each user acknowledged the terms, and re-acceptance must be enforced annually. Which Conditional Access grant control should the administrator configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 10 of 20

Contoso runs Active Directory Domain Services on-premises and has recently adopted Microsoft 365. The IT team wants on-premises user accounts to automatically appear in Microsoft Entra ID so employees can sign in to cloud apps with the same credentials, without deploying heavy infrastructure. Which approach establishes this hybrid identity?

Reviewed for accuracy · Report an issue
Question 11 of 20

Contoso runs an on-premises Active Directory Domain Services environment and has just adopted Microsoft 365. The IT team wants employees to use the same username and password for both on-premises resources and cloud apps, and they want on-premises identities automatically synchronized to Microsoft Entra ID. Which solution should they deploy to achieve this hybrid identity synchronization?

Reviewed for accuracy · Report an issue
Question 12 of 20

A company wants group membership to update automatically whenever an employee's department attribute changes in Microsoft Entra ID, so users are added or removed from department-based groups without any manual administrator action. Which type of group should the administrator create?

Reviewed for accuracy · Report an issue
Question 13 of 20

Contoso runs a manufacturing plant and wants floor workers who have no email address and no company credentials to sign in to a shift-scheduling app using their existing Google or Facebook accounts. The company does not want to create traditional employee accounts or invite them as business guests. Which Microsoft Entra identity capability should Contoso use?

Reviewed for accuracy · Report an issue
Question 14 of 20

Contoso runs Active Directory on-premises and wants employees to sign in to Microsoft 365 cloud apps using the same username and password they already use for their domain accounts. The IT team wants the simplest option that keeps authentication working even if the on-premises servers become temporarily unavailable. Which approach should they implement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A company frequently onboards external contractors who need temporary access to a specific set of applications, SharePoint sites, and groups. The IT team wants to bundle these resources together so contractors can request access themselves, have the request approved by a manager, and have access automatically expire after 90 days without manual cleanup. Which Microsoft Entra ID Governance feature should they use?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company has accumulated hundreds of external guest accounts in Microsoft Entra ID over the past two years. Management wants an automated, recurring process where resource owners periodically confirm whether each guest still needs access, with the system automatically removing guests that are not approved. Which Microsoft Entra capability should the company use?

Reviewed for accuracy · Report an issue
Question 17 of 20

A large enterprise wants to automate onboarding tasks so that when a new employee record appears in the HR system and syncs to Microsoft Entra ID, the account is automatically enabled, assigned to the correct groups, and receives a welcome email on their start date. They also want offboarding tasks to run automatically on the employee's last day. Which Microsoft Entra ID Governance capability should they use?

Reviewed for accuracy · Report an issue
Question 18 of 20

A cloud administrator at Contoso is documenting the different identity types in their Microsoft Entra ID tenant. They need to identify which identity type represents a physical person who signs in interactively to access company resources such as email and SharePoint. Which identity type should the administrator document for these interactive human sign-ins?

Reviewed for accuracy · Report an issue
Question 19 of 20

Contoso wants to enable Privileged Identity Management (PIM) and Microsoft Entra ID Protection risk-based policies for its administrators. Which Microsoft Entra ID edition must the company assign to the affected users to use these features?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security analyst at Contoso wants to understand how Microsoft Entra ID Protection evaluates threats. They notice that a single user account triggered alerts based on anonymous IP address usage, an unfamiliar sign-in location, and a leaked-credentials indicator found on the dark web. What does Microsoft Entra ID Protection produce by aggregating and analyzing these individual signals?

Reviewed for accuracy · Report an issue

More SC-900 practice

Keep going with the other Microsoft Security, Compliance, and Identity Fundamentals domains, or take a full timed mock exam.

← Back to SC-900 overview