Microsoft Security, Compliance, and Identity Fundamentals · Domain 1 · 13% of exam

Describe the concepts of security, compliance, and identity

Drill 20 practice questions focused entirely on Describe the concepts of security, compliance, and identity for the Microsoft SC-900 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company runs all of its user accounts and computers on servers located in its own data center. The IT team uses a Windows Server role that stores account information and lets employees sign in to domain-joined desktops on the corporate network. The company has not extended any of this to cloud services. Which technology are they using?

Reviewed for accuracy · Report an issue
Question 2 of 20

A user at Contoso enters their username and password to sign in to a company portal. After signing in successfully, the system checks whether the user is permitted to open the HR salary reports. Which security concept is being applied when the system determines what the user is allowed to access after sign-in?

Reviewed for accuracy · Report an issue
Question 3 of 20

A compliance auditor asks a company that runs all of its workloads in Microsoft Azure who is responsible for the physical security of the datacenters, including guards, fencing, and hardware disposal. Under the shared responsibility model, which party holds this responsibility regardless of whether the workload is IaaS, PaaS, or SaaS?

Reviewed for accuracy · Report an issue
Question 4 of 20

A security architect at a manufacturing company is designing protections for a critical web application. She wants to ensure that if an attacker bypasses one control, other independent controls will still protect the data. She implements a perimeter firewall, network segmentation, multi-factor authentication, endpoint protection, and data encryption at rest. Which security concept is she applying?

Reviewed for accuracy · Report an issue
Question 5 of 20

A development team at Contoso needs to store user passwords in a database. Security requires that even database administrators cannot reverse the stored values back to the original passwords, but the system must still be able to verify a password a user enters at sign-in. Which technique should the team apply to the stored password values?

Reviewed for accuracy · Report an issue
Question 6 of 20

Contoso and Fabrikam are separate companies, each with its own identity system. Contoso needs to allow Fabrikam's employees to sign in to a shared web application using their existing Fabrikam credentials, without Contoso creating or managing accounts for those users. Which identity concept enables this cross-organization trust?

Reviewed for accuracy · Report an issue
Question 7 of 20

A company's leadership wants to formalize how they identify potential threats to the business, define internal policies that dictate how employees handle data, and ensure the organization meets regulatory requirements such as GDPR. The security team maps these three efforts to a well-known framework. Which set of concepts does this framework represent?

Reviewed for accuracy · Report an issue
Question 8 of 20

A retail company has moved most of its business applications to various SaaS providers. Employees now work from home offices, coffee shops, and client sites using laptops, personal phones, and tablets. The security team notes that the old approach of protecting a corporate network boundary no longer covers where users and data actually reside. Which security concept best explains why the team should now treat user and service identities as the main control point for securing access?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company wants employees to sign in once and then access dozens of cloud applications without re-entering credentials for each one. The IT team needs a central service that authenticates users and issues tokens that the applications trust. Which component provides this capability?

Reviewed for accuracy · Report an issue
Question 10 of 20

Contoso is moving its workloads to Microsoft Azure. The IT team plans to deploy several virtual machines (IaaS) to host a custom line-of-business application. Under the cloud shared responsibility model, which task remains the responsibility of Contoso rather than Microsoft?

Reviewed for accuracy · Report an issue
Question 11 of 20

Contoso is deploying a custom web application to Azure App Service, a Platform as a Service (PaaS) offering. During a security review, the team wants to clarify which responsibilities belong to Contoso versus Microsoft under the shared responsibility model. Which task remains Contoso's responsibility in this PaaS scenario?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your company adopts a Software-as-a-Service (SaaS) application to manage customer records. During a security review, a manager asks who is responsible for classifying and protecting the customer data stored in the application. According to the cloud shared responsibility model, who holds this responsibility?

Reviewed for accuracy · Report an issue
Question 13 of 20

A company is implementing the Zero Trust model. The security team wants to gain visibility into how their SaaS and on-premises applications are being used, control access to them based on real-time analytics, and monitor for abnormal behavior across all apps in use. Which Zero Trust pillar does this effort primarily address?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security architect at Contoso is redesigning the network so that even traffic originating from inside the corporate LAN is treated as untrusted, network segments are isolated to limit lateral movement, and all sessions are logged and analyzed for anomalies. Which guiding principle of the Zero Trust model is the architect primarily applying?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services company is adopting the Zero Trust model. Their security team wants to ensure that sensitive files remain protected even if they are copied to an unmanaged personal device or shared externally by accident. They plan to apply classification labels and encryption that travel with the files regardless of where they are stored. Which pillar of the Zero Trust model does this initiative primarily address?

Reviewed for accuracy · Report an issue
Question 16 of 20

Contoso is adopting a Zero Trust strategy. The security team wants to ensure that only company-managed laptops and phones that meet health requirements—such as having disk encryption enabled and current antivirus definitions—are allowed to access corporate resources. Which pillar of the Zero Trust model directly addresses this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company is redesigning its security strategy around the Zero Trust model. The security architect wants to focus on one Zero Trust pillar that ensures every user account is strongly verified with multi-factor authentication and evaluated for risk before being granted access to any resource. Which Zero Trust pillar addresses this requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company is redesigning access controls under a Zero Trust strategy. Their security architect wants to ensure that when users are granted access, they receive only the minimum permissions required to complete their current task, and that broad standing administrative access is eliminated in favor of time-limited, task-specific access. Which Zero Trust guiding principle does this approach directly implement?

Reviewed for accuracy · Report an issue
Question 19 of 20

A security architect is designing a network for a company adopting the Zero Trust model. Instead of relying on a single trusted internal network zone, they want to divide the network into many small isolated segments so that if one workload is compromised, an attacker cannot freely move laterally to reach other systems. Which Zero Trust practice does this design represent?

Reviewed for accuracy · Report an issue
Question 20 of 20

Contoso is adopting a Zero Trust security strategy. A security architect wants to ensure that every access request is fully authenticated, authorized, and evaluated against multiple data points—such as user identity, device health, location, and the sensitivity of the resource—before access is granted, regardless of whether the request originates from inside or outside the corporate network. Which Zero Trust guiding principle does this approach represent?

Reviewed for accuracy · Report an issue

More SC-900 practice

Keep going with the other Microsoft Security, Compliance, and Identity Fundamentals domains, or take a full timed mock exam.

← Back to SC-900 overview