Microsoft SC-900 Exam (page: 6)
Microsoft Security, Compliance, and Identity Fundamentals
Updated on: 28-Jul-2025

Viewing Page 6 of 30

You plan to move resources to the cloud.
You are evaluating the use of Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS) cloud models.
You plan to manage only the data, user accounts, and user devices for a cloud-based app. Which cloud model will you use?

  1. SaaS
  2. PaaS
  3. IaaS

Answer(s): A

Explanation:

Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365).
SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization, and your users connect to it over the Internet, usually with a web browser. All of the underlying infrastructure, middleware, app software, and app data are located in the service provider’s data center. The service provider manages the hardware and software, and with the appropriate service agreement, will ensure the availability and the security of the app and your data as well.
SaaS allows your organization to get quickly up and running with an app at minimal upfront cost.
Note: Advantages of SaaS
* Gain access to sophisticated applications. To provide SaaS apps to users, you don’t need to purchase, install, update, or maintain any hardware, middleware, or software. SaaS makes even sophisticated enterprise applications, such as ERP and CRM, affordable for organizations that lack the resources to buy, deploy, and manage the required infrastructure and software themselves.
* Pay only for what you use. You also save money because the SaaS service automatically scales up and down according to the level of usage.
* Use free client software. Users can run most SaaS apps directly from their web browser without needing to download and install any software, although some apps require plugins. This means that you don’t need to purchase and install special software for your users.
* Mobilize your workforce easily. SaaS makes it easy to “mobilize” your workforce because users can access SaaS apps and data from any Internet-connected computer or mobile device. You don’t need to worry about developing apps to run on different types of computers and devices because the service provider has already done so. In addition, you don’t need to bring special expertise onboard to manage the security issues inherent in mobile computing. A carefully chosen service provider will ensure the security of your data, regardless of the type of device consuming it.
* Access app data from anywhere. With data stored in the cloud, users can access their information from any Internet-connected computer or mobile device. And when app data is stored in the cloud, no data is lost if a user’s computer or device fails.


Reference:

https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-saas



HOTSPOT (Drag and Drop is not supported)
Select the answer that correctly completes the sentence.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box: is tied to the lifecycle of the resource that uses it
Managed identity types
There are two types of managed identities:
System-assigned. Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:
A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. You authorize the managed identity to have access to one or more services.
Etc.
User-assigned.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview



HOTSPOT (Drag and Drop is not supported)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Device identity can be stored in Microsoft Entra ID.
A device identity is an object in Microsoft Entra ID. This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.
Box 2: No
System-assigned. Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:
A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. You authorize the managed identity to have access to one or more services.
The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.
Box 3: No
User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure resources. When you enable a user-assigned managed identity:
A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.
User-assigned identities can be used by multiple resources.
You authorize the managed identity to have access to one or more services.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/devices/overview
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview



Which score measures an organization’s progress in completing actions that help reduce risks associated with data protection and regulatory standards?

  1. Adoption Score
  2. Microsoft Secure Score
  3. Secure score in Microsoft Defender for Cloud
  4. Compliance score

Answer(s): D

Explanation:

The Compliance Manager dashboard displays your overall compliance score. This score measures your progress in completing recommended improvement actions within controls. Your score can help you understand your current compliance posture. It can also help you prioritize actions based on their potential to reduce risk.
A score value is assigned at these levels:
* Improvement action: Each action has a different impact on your score depending on the potential risk involved. See Action types and points below for details.
* Assessment: This score is calculated using improvement action scores. Each Microsoft action and each improvement action managed by your organization is counted once, regardless of how often it's referenced in a control.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide



HOTSPOT (Drag and Drop is not supported)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Yes
GitHub is a cloud-based identity provider.
To use GitHub or GitHub Enterprise as an identity provider, you must register an application to use.
Configuring a GitHub or GitHub Enterprise identity provider
Configure the github identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server. OAuth facilitates a token exchange flow between OpenShift Container Platform and GitHub or GitHub Enterprise.
You can use the GitHub integration to connect to either GitHub or GitHub Enterprise. For GitHub Enterprise integrations, you must provide the hostname of your instance and can optionally provide a ca certificate bundle to use in requests to the server.
Box 2: Yes
Federation provides single sign-on (SSO) with multiple service providers.
What provides SSO capabilities across multiple identity providers?
Federation - When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
Box 3: No
An identity provider creates, maintains, and manages identity information while providing authentication services to applications.
Auditing is not provided.


Reference:

https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-github-identity-provider.html
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/identity-providers



DRAG DROP (Drag and Drop is not supported)
You need to identify which cloud service models place the most responsibility on the customer in a shared responsibility model.
In which order should you list the service models from the most customer responsibility to the least? To answer, move all models from the list of models to the answer area and arrange them in the correct order.
Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Division of responsibility
In an on-premises datacenter, you own the whole stack. As you move to the cloud, some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.


Reference:

https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility



HOTSPOT (Drag and Drop is not supported)
Select the answer that correctly completes the sentence.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box: A user-assigned managed identity
Managed identities for Azure resources is a Microsoft Entra ID feature that you can use free of charge. Using managed identities is the recommended way for applications hosted in Azure to authenticate to Azure resources and services.
User-assigned managed identity
User-assigned managed identities are created as standalone Azure resources. They're independent of any app or service instance. When a user-assigned managed identity is provisioned, Azure creates a service principal just as it does for a system-assigned managed identity.
However, a user-assigned managed identity isn't tied to a specific resource, so you can assign it to more than one application. For example:
If your web app is deployed on 10 front-end VMs, you can create a user-assigned managed identity for the app, grant the managed identity the necessary rights, and then associate it with all 10 VMs.
If you used system-assigned managed identity, you'd need 10 identities, and you'd have to manage access for each one.
Incorrect:
* System-assigned managed identity
You can enable system-assigned managed identities directly on an Azure service instance, such as a VM. When you enable managed identities, Azure creates a service principal through Azure Resource Manager. A system-assigned managed identity has its lifecycle linked to the resource instance where it was created. For example:
If you have two VMs and you want to use system-assigned managed identities, you need to enable managed identities on each VM.
If the resource is deleted, so is the managed identity. A resource can have only one system-assigned managed identity.
* a service principal
When to use service principals
We've now explored the manual processes to create Microsoft Entra applications, associate service principals, and grant access to resources. You use these manual processes in only two scenarios:
Your application or service is running on-premises.
The resources or applications that you need to access don't support managed identities.
The most secure and convenient way to handle authentication within Azure is to use managed identities.


Reference:

https://learn.microsoft.com/en-us/training/modules/authenticate-apps-with-managed-identities/3-managed-identities



Which Microsoft portal provides information about how Microsoft cloud services comply with regulatory standards, such as those of the International Organization for Standardization (ISO)?

  1. the Microsoft 365 admin center
  2. Azure Cost Management + Billing
  3. Microsoft Service Trust Portal
  4. the Microsoft Purview compliance portal

Answer(s): C

Explanation:

The Microsoft Service Trust Portal contains details about Microsoft's implementation of controls and processes that protect our cloud services and the customer data therein.
Incorrect:
* Azure Cost Management + Billing
* the Microsoft 365 admin center
* the Microsoft Endpoint Manager admin center
* the Microsoft Entra admin center
* the Microsoft Purview compliance portal


Reference:

https://learn.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal






Share your comments for Microsoft SC-900 exam with other users:

Greg 11/16/2023 6:59:00 AM

hope for the best
UNITED STATES


zazza 6/16/2023 9:08:00 AM

question 21 answer is alerts
ITALY


Synt 5/23/2023 9:33:00 PM

need to view
UNITED STATES


zazza 6/16/2023 10:47:00 AM

question 44 answer is user risk
ITALY