Microsoft SC-900 Exam Dumps & Practice Test Questions

Question 1:

When Windows Hello for Business is used for authentication, where is the user's biometric information—such as facial recognition or fingerprint data—stored?

A. Saved on a detachable hardware component
B. Retained solely on the local user machine
C. Synced to Azure Active Directory (Azure AD)
D. Shared across all user-assigned systems

Correct Answer:  B

Explanation:

Windows Hello for Business is a modern, secure authentication solution developed by Microsoft that replaces traditional passwords with two-factor authentication, which often includes a biometric component (e.g., facial recognition or fingerprint scanning) paired with a device-bound private key. One of the fundamental principles guiding the design of Windows Hello for Business is user privacy and device-centric security, which significantly impacts how and where biometric data is stored.

The correct answer is B: biometric data used by Windows Hello for Business stays on the local machine. The biometric sample (face or fingerprint) is converted into a template that is stored, encrypted, only on the device where it was enrolled; on hardware that supports Enhanced Sign-in Security, the sensor data and template are further isolated using virtualization-based security. The TPM plays a different role: it protects the Windows Hello private key, which is generated on the device and is non-exportable. Neither the template nor the private key is transmitted across the network or synced to the cloud.

This design prevents the centralized compromise that a shared biometric store would invite: if templates were synced to a service such as Azure AD, one breach could expose biometrics that, unlike passwords, cannot be rotated. Microsoft's documented position is that biometric templates never leave the device. What Azure AD or Active Directory holds is only the public half of the device's key pair. At sign-in the biometric gesture unlocks the private key locally, the private key signs a nonce issued by the identity provider, and the identity provider verifies the signature with the registered public key; the biometric itself is never part of the exchange.

Now let’s examine the other options:

A is incorrect. Biometric data is not stored on detachable hardware. In fact, storing sensitive identity information on removable media would pose a significant security risk. Windows Hello for Business depends on non-exportable keys, which are bound to the device itself, not portable storage.

C is incorrect. While Windows Hello for Business registers a public key with Azure AD or on-premises Active Directory, biometric data itself is not synced. Only cryptographic data required for authentication (e.g., the public key) is sent to Azure AD, never the user’s actual biometric information.

D is incorrect. Biometric data is not shared across systems. Because the template and the key pair are bound to the physical device, a user who signs in on several devices enrols biometrics, and registers a separate key, on each of them. The biometric profile is neither portable nor synchronized, so compromise of one device's template reveals nothing usable on another.

To summarize: Windows Hello for Business is engineered with a privacy-first approach. It uses biometric authentication stored locally on a secure device component, never transmitted or stored externally. This ensures both security and compliance with modern data protection standards, making B the correct answer.

Question 2:

What is the main reason for deploying Azure AD Password Protection in a business environment?

A. To manage how often password changes are enforced
B. To monitor and handle devices that bypass MFA requirements
C. To secure user passwords through standard encryption protocols
D. To block users from selecting passwords that are weak or commonly used

Correct Answer:  D

Explanation:

Azure AD Password Protection is a security feature offered by Microsoft as part of the Azure Active Directory suite. Its core objective is to enhance password security across an organization by preventing users from creating passwords that are considered weak, common, or easily guessable. It addresses one of the most persistent vulnerabilities in enterprise environments: poor password hygiene.

The correct answer is D because Azure AD Password Protection is designed to block users from selecting insecure passwords, including:

  • Known commonly used passwords (e.g., "Password123", "Welcome1")

  • Variants of the user’s account name or other predictable inputs

  • Passwords that attackers often use in brute-force and credential-stuffing attacks

Microsoft maintains a global banned password list, which is frequently updated using telemetry and data from actual attacks across millions of accounts. Additionally, organizations can define a custom banned password list, tailoring password policies to their own business-specific terms, geographic language patterns, or security posture.

Here’s how it works in practice: when a user sets or resets a password, whether in Azure AD or in on-premises Active Directory (where the Azure AD Password Protection proxy service and the domain controller agent bring the same lists on-premises), the candidate password is evaluated against the banned lists. The check is not a plain string comparison. The password is first normalized (lower-cased, with common substitutions such as @ for a, 0 for o, 1 for l and $ for s reversed), then scanned for banned terms using matching that tolerates an edit distance of one, and finally scored: each banned term found counts as one point and each remaining character counts as one point, and a password scoring fewer than five points is rejected with a prompt to choose something stronger. For the on-premises deployment, run the domain controller agent in audit mode first so the event logs show which password changes would have been refused before enforcement is switched on.

Now let’s consider why the other options are incorrect:

A is incorrect because managing the frequency of password changes (e.g., requiring password changes every 90 days) is a separate policy setting in Azure AD or Group Policy, not the primary function of Azure AD Password Protection. In fact, modern guidance advises reducing forced password changes and instead focusing on stronger, less guessable passwords.

B is incorrect because device monitoring or MFA enforcement is handled by other components of Azure AD, such as Conditional Access policies or Identity Protection. Password Protection does not monitor devices or manage MFA settings.

C is incorrect because Azure AD never stores passwords in reversible form; it keeps hashes, and it does so whether or not Password Protection is enabled. Password Protection governs which passwords a user may choose, not how they are stored or encrypted.

To summarize: Azure AD Password Protection is a proactive defense mechanism that blocks weak, common, or easily guessed passwords, thus significantly reducing the risk of account compromise due to poor password choices. It promotes better password practices by enforcing robust criteria for user-created passwords, making D the correct answer.

Question 3:

As an administrator in an Azure AD environment, you want to regularly assess user memberships in security groups to ensure they still need access. What Azure AD feature allows for these scheduled reviews and can revoke access if it's no longer required?

A. Review-based Access Control
B. System-assigned Managed Identity
C. Dynamic Conditional Access Policies
D. Identity Governance Access Reviews

Correct Answer:  D

Explanation:

In Azure AD, Identity Governance Access Reviews is a key feature designed specifically to enable administrators to regularly assess user access to resources like security groups, applications, and roles. It automates the process of reviewing access and helps ensure that users retain access only to the resources they need, aligning with the principle of least privilege. If a user no longer requires access, the review process can automatically revoke their permissions, reducing the security risks associated with unnecessary or excessive access.

The Identity Governance Access Reviews feature works by enabling periodic reviews, during which administrators, resource owners, managers, or the users themselves are asked to certify whether individuals still require access to particular resources. If the reviewer decides that access is no longer necessary, it is removed; a review can also be configured to apply its results automatically, so users who are denied or whose reviewer never responds lose the membership without a separate cleanup step. Reviews can be one-time or recur on a schedule such as weekly, monthly, quarterly, or yearly. The feature requires Azure AD Premium P2 licensing.

In summary, D is correct because Identity Governance Access Reviews allows administrators to perform regular and automated reviews of user access, ensuring that users' permissions are current and removing access when it's no longer needed.

Let’s evaluate why the other options are incorrect:

A is incorrect. Review-based Access Control is not a specific Azure AD feature. The term could refer to the broader concept of reviewing and controlling access, but it does not point to a specific Azure AD feature like Access Reviews.

B is incorrect. System-assigned Managed Identity refers to an identity automatically created and managed by Azure AD for Azure resources like virtual machines, web apps, or Azure functions. It’s primarily used to authenticate applications and services, not for conducting user access reviews.

C is incorrect. Dynamic Conditional Access Policies are used to enforce real-time security policies based on conditions like user location, device state, or risk level (for example, requiring multi-factor authentication for specific users or conditions). While useful for controlling access, Conditional Access policies are not designed for scheduling or automating periodic reviews of user access memberships.

In conclusion, Identity Governance Access Reviews is the best feature for periodically reviewing and managing user access in Azure AD, making D the correct answer. This feature helps organizations maintain security and compliance by ensuring that users have appropriate access rights and that unnecessary or outdated permissions are promptly revoked.

Question 4:

Fill in the blank:
_________ adds an extra layer of user validation by requiring something like a one-time passcode delivered via phone to verify identity.

A. Multi-step authentication (MFA)
B. Seamless pass-through authentication
C. Password synchronization with cloud
D. Unified single sign-on experience

Correct Answer:  A

Explanation:

The correct option is the one labelled Multi-step authentication (MFA); the standard name, and the one the SC-900 objectives use, is multi-factor authentication. MFA adds a layer of verification beyond the username and password by requiring two or more proofs of identity drawn from different categories: something the user knows (a password or PIN), something the user has (a phone, a hardware token, or a registered device), or something the user is (a fingerprint or facial scan). Two proofs from the same category, such as two passwords, do not count as MFA.

In this specific context, the "one-time passcode delivered via phone" is a common second factor. After entering a password (the first factor), the user receives or generates a one-time passcode (the second factor) by text message, voice call, or an authenticator app such as Microsoft Authenticator. Even the weakest form defeats an attacker who holds only the password. A code delivered by SMS or voice call is the weakest of these options, because it can be intercepted through SIM swapping or relayed by a real-time phishing page; an authenticator app with number matching, or a phishing-resistant method such as a FIDO2 security key or Windows Hello for Business, is preferred where available.

Let’s look at why the other options are incorrect:

B is incorrect. The option runs together two Azure AD Connect sign-in features: Pass-through Authentication, in which an on-premises agent validates the user's password directly against Active Directory so no password hash is held in the cloud, and Seamless single sign-on, which signs users in automatically from domain-joined corporate devices without re-typing credentials. Both decide how, or whether, the password is checked; neither adds a second factor.

C is incorrect. Password hash synchronization copies a hash of the on-premises password hash (never the password itself) into Azure AD so users can sign in to the cloud with the same password they use on-premises. It keeps credentials consistent across environments; it does not add a verification step.

D is incorrect. Unified single sign-on (SSO) allows users to authenticate once and then gain access to multiple applications without needing to log in again for each one. While this improves convenience and user experience, it does not introduce additional layers of validation (like MFA) beyond the initial login process.

In conclusion, multi-step authentication (MFA) adds the required extra layer of security by requesting a one-time passcode or other verification methods, making A the correct answer.

Question 5:

Your organization is looking for a Microsoft cloud-based tool that connects with on-prem Active Directory to track advanced threats like abnormal user behavior and internal attacks. Which Defender solution should you choose?

A. Microsoft Defender for Cloud Applications
B. Microsoft Defender for Devices
C. Microsoft Defender for Identity Services
D. Microsoft Defender for Email and Collaboration

Correct Answer:  C

Explanation:

The correct choice is the option labelled Microsoft Defender for Identity Services; the product's actual name is Microsoft Defender for Identity (formerly Azure Advanced Threat Protection).

Microsoft Defender for Identity is a cloud-based security solution that protects on-premises Active Directory, including AD FS and AD CS servers. It works by installing a sensor directly on domain controllers; the sensor parses authentication traffic and Windows events locally and forwards the relevant signals to the cloud service, which builds a behavioural profile of each user and device. Deviations from that profile are surfaced as alerts grouped along the attack chain: reconnaissance, compromised credentials, lateral movement, and domain dominance. This is how it catches signs of internal attack or account takeover such as unusual authentication patterns, pass-the-ticket style activity, or one account suddenly reaching many hosts.

It leverages machine learning and behavioral analytics to identify suspicious activities and alerts administrators to possible security risks. This makes it an ideal choice for organizations that want to monitor and respond to threats related to their on-premises Active Directory infrastructure.
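One of the behaviours the paragraphs above describe, a single account fanning out to many hosts in a short time, as an added example that is not Defender for Identity's detector (its models are proprietary): a plain heuristic run over constructed Windows network-logon events. The event format, the accounts and hosts, the ten-minute window and the five-host threshold are all assumptions for the demo.

```python
# Added example, not Defender for Identity's detection logic: a lateral-movement
# fan-out heuristic over constructed Windows Security events (4624, logon type 3,
# as a domain controller or file server would record them). The event format,
# accounts, hosts, window and threshold are assumptions for the demo.

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe reaches five servers in under three minutes from one
# workstation; asmith touches two servers half an hour apart.
SAMPLE_EVENTS = """\
2024-05-02T09:01:10Z EventID=4624 LogonType=3 Account=CONTOSO\\asmith Source=10.0.0.21 Target=FS01
2024-05-02T09:02:40Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=FS01
2024-05-02T09:03:05Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=SQL01
2024-05-02T09:03:30Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=APP01
2024-05-02T09:04:12Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=DC01
2024-05-02T09:04:50Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=PRINT01
2024-05-02T09:30:00Z EventID=4624 LogonType=3 Account=CONTOSO\\asmith Source=10.0.0.21 Target=SQL01
2024-05-02T10:15:00Z EventID=4624 LogonType=3 Account=CONTOSO\\jdoe Source=10.0.0.12 Target=FS02
"""

LINE = re.compile(r"(?P<ts>\S+) EventID=4624 LogonType=3 Account=(?P<acct>\S+) "
                  r"Source=(?P<src>\S+) Target=(?P<dst>\S+)")


def parse(text):
    """Yield (timestamp, account, source, target) for each network logon line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["acct"], m["src"], m["dst"]


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Alert when one account reaches at least `threshold` distinct hosts within `window`."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst in events:
        by_account[acct].append((ts, dst))
    alerts = []
    for acct, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct targets reached in the window that opens at this logon.
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append((acct, start, sorted(targets)))
                break                         # one alert per account is enough here
    return alerts


if __name__ == "__main__":
    for acct, start, targets in fan_out_alerts(parse(SAMPLE_EVENTS)):
        print(f"{start:%H:%M:%S} {acct} reached {len(targets)} hosts: {', '.join(targets)}")
```

A production detector would baseline each account's normal hosts and exempt service accounts that legitimately touch many machines; the point of the example is the shape of the signal, many distinct targets from one identity in a short window, which is what a directory-focused sensor can see and an endpoint agent on any single host cannot.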

Let’s go over the other options to see why they are not the correct choice:

A is incorrect. Microsoft Defender for Cloud Apps (the option's "Cloud Applications" wording is not the product name) is a cloud access security broker: it discovers and governs SaaS usage such as Microsoft 365, Salesforce, and other third-party cloud apps. It does not deploy sensors on domain controllers or analyze on-premises Active Directory authentication.

B is incorrect. The product the option points at is Microsoft Defender for Endpoint; there is no product called Defender for Devices. It secures workstations, servers, and mobile devices against malware and post-exploitation activity. While it can contribute identity-related signals from an endpoint, it does not parse domain controller traffic or model directory-wide authentication behaviour, which is what the question asks for.

D is incorrect. The closest real product is Microsoft Defender for Office 365, which protects email and collaboration tools (Exchange Online, Microsoft Teams, SharePoint) against phishing, malicious attachments and links, and spam. It is not designed to track user behaviour in Active Directory or to detect internal attacks against the directory.

In conclusion, Microsoft Defender for Identity Services is the most appropriate solution for organizations that need to track abnormal user behavior, detect internal attacks, and integrate with on-premises Active Directory. This makes C the correct answer.

Question 6:

While setting up security controls in Microsoft Azure, you need to identify the component that validates user identities and grants resource access permissions. What is Azure AD best defined as?

A. A cross-platform threat response platform
B. A cloud-based identity service provider
C. A top-level organizational unit
D. A security event analytics solution

Correct Answer:  B

Explanation:

The correct answer is B: Azure Active Directory (Azure AD, now branded Microsoft Entra ID) is best defined as a cloud-based identity provider. It handles identity and access management for users, devices, and applications, validating identities when they sign in to cloud resources (Microsoft 365, Azure services, and federated third-party applications) and issuing the tokens that carry the permissions and roles those resources enforce.

In more detail, Azure AD manages the authentication (who the user is) and authorization (what the user can access) processes for both cloud and on-premises resources. It also integrates with multi-factor authentication (MFA), conditional access policies, and identity protection to ensure that access control is both secure and efficient.

Here’s a breakdown of why the other options are incorrect:

A is incorrect. A cross-platform threat response platform is a general term for solutions designed to detect and respond to security threats across different platforms, but it doesn't describe Azure AD’s core function. Azure AD focuses on identity management, not threat response.

C is incorrect. While a top-level organizational unit could refer to an entity in Active Directory (AD) that represents a hierarchical structure for managing resources, Azure AD is not defined as an organizational unit. It is a service for managing identity and access, not a unit of the directory structure itself.

D is incorrect. A security event analytics solution describes tools such as Microsoft Sentinel (formerly Azure Sentinel) or Microsoft Defender for Identity, which ingest and analyze security events to detect threats. Azure AD does include security features such as Identity Protection, but its primary function is identity management and access control.

To summarize, Azure AD is a cloud-based identity service provider that validates user identities and controls access to resources in the cloud and on-premises, making B the correct answer.

Question 7:

What is the role of Conditional Access policies in Microsoft Azure?

A. To automatically assign users to administrative roles
B. To enforce access rules based on user conditions like location or device
C. To back up user credentials to the cloud
D. To replace MFA requirements with password-only authentication

Correct Answer:  B

Explanation:

The correct answer is B — Conditional Access policies in Microsoft Azure are designed to enforce access rules based on specific conditions such as user location, device state, or risk level. These policies help to ensure that access to resources is granted only under certain conditions that align with an organization’s security requirements.

For example, Conditional Access policies can be configured to:

  • Block access to corporate resources from untrusted locations or devices

  • Require multi-factor authentication (MFA) when a user is logging in from a new or unknown device

  • Grant access only if a device is compliant with organizational security policies (e.g., device encryption, a specific OS version)

  • Apply risk-based policies to enforce additional security measures when high-risk user activity is detected

These policies give granular control over how and when users can access critical resources by basing the decision on the context of the request rather than on the credential alone. Two operational cautions apply: create new policies in report-only mode first, so the sign-in logs show what would have been blocked before anyone is locked out, and exclude at least one emergency-access (break-glass) account from every policy so a misconfigured rule cannot lock administrators out of the tenant.
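How several policies combine for a single sign-in, as an added example that is not the Azure AD engine: a small evaluator in which every policy whose assignments and conditions match applies, a block in any of them wins, and otherwise the grant controls of all applicable policies must be satisfied together. The policies, the users and groups, the IP ranges, the named location and the break-glass account are constructed for the demo.

```python
# Added example, not the Azure AD Conditional Access engine: a small evaluator
# that shows how policy decisions combine. Every policy whose assignments and
# conditions match the sign-in applies; a block in any of them wins; otherwise
# the grant controls of all applicable policies must be satisfied together.
# Policies, users, IP ranges, the named location and the emergency-access
# account are constructed for the demo.

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed named location: the corporate egress range (documentation prefix).
NAMED_LOCATIONS = {"Corp HQ": [ip_network("203.0.113.0/24")]}
BREAK_GLASS = "breakglass@contoso.example"   # emergency-access account (assumed)


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    ip: str
    device_compliant: bool
    sign_in_risk: str = "none"          # none | low | medium | high

    def locations(self) -> set:
        addr = ip_address(self.ip)
        return {name for name, nets in NAMED_LOCATIONS.items()
                if any(addr in net for net in nets)}


@dataclass
class Policy:
    name: str
    include_groups: set = field(default_factory=set)     # empty = all users
    exclude_users: set = field(default_factory=set)
    apps: set = field(default_factory=set)               # empty = all cloud apps
    exclude_locations: set = field(default_factory=set)
    risk_levels: set = field(default_factory=set)        # empty = any risk
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False

    def applies(self, s: SignIn) -> bool:
        """Assignments and conditions must all match for the policy to apply."""
        if s.user in self.exclude_users:
            return False
        if self.include_groups and not (self.include_groups & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.exclude_locations & s.locations():
            return False
        if self.risk_levels and s.sign_in_risk not in self.risk_levels:
            return False
        return True


POLICIES = [
    Policy("Require MFA outside trusted locations",
           exclude_users={BREAK_GLASS}, exclude_locations={"Corp HQ"},
           require_mfa=True),
    Policy("Require compliant device for Exchange Online",
           exclude_users={BREAK_GLASS}, apps={"Exchange Online"},
           require_compliant_device=True),
    Policy("Block high-risk sign-ins",
           exclude_users={BREAK_GLASS}, risk_levels={"high"}, block=True),
]


def evaluate(policies, s: SignIn):
    """Return ("block", [policy names]) or ("grant", {controls to satisfy})."""
    applicable = [p for p in policies if p.applies(s)]
    blocking = [p.name for p in applicable if p.block]
    if blocking:
        return "block", blocking
    controls = set()
    unmet = []
    for p in applicable:
        if p.require_mfa:
            controls.add("mfa")
        if p.require_compliant_device:
            if s.device_compliant:
                controls.add("compliant_device")
            else:
                unmet.append(p.name)    # cannot be satisfied interactively
    if unmet:
        return "block", unmet
    return "grant", controls


if __name__ == "__main__":
    s = SignIn("alice@contoso.example", {"Staff"}, "Exchange Online",
               "198.51.100.7", device_compliant=True, sign_in_risk="low")
    print(evaluate(POLICIES, s))
```

Note that the break-glass account is excluded from every policy, including the block policy; that is the configuration the caution above is about, and the evaluator shows why it matters: a high-risk flag on that account still results in a grant with no controls, so an administrator can get in to repair a bad policy.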

Let’s examine why the other options are incorrect:

A is incorrect. Conditional Access policies do not assign roles. Administrative roles are granted through Azure AD role assignments (and, for just-in-time elevation, Privileged Identity Management), and access to Azure resources through Azure role-based access control (RBAC). Conditional Access only decides whether a given sign-in is allowed and under which controls, based on conditions such as location or device state.

C is incorrect. Conditional Access does not involve backing up user credentials to the cloud. Credential management and storage are handled by Azure AD and other security features, but Conditional Access focuses on access control based on specific conditions rather than on backup operations.

D is incorrect. Conditional Access policies do not replace MFA. In fact, Conditional Access is often used to enforce MFA as part of access control measures. It does not allow for password-only authentication in scenarios where more stringent controls are required. Conditional Access helps to ensure that MFA is enforced under certain conditions, such as risky sign-ins or accessing sensitive data.

To summarize, Conditional Access policies provide a mechanism for defining and enforcing access controls based on dynamic conditions (e.g., location, device compliance), making B the correct answer. These policies are a key part of Microsoft’s zero-trust security model and help ensure that users and devices meet security requirements before being granted access to resources.

Question 8:

Which feature of Azure AD allows users to reset their own passwords without contacting IT support?

A. Password Vault
B. Self-Service Password Reset (SSPR)
C. Directory Sync Service
D. Credential Management Center

Correct Answer:  B

Explanation:

The correct answer is B — Self-Service Password Reset (SSPR) is a feature of Azure AD that enables users to reset their own passwords without needing to contact IT support. This feature is designed to improve user productivity and reduce the workload on IT teams by providing users with the ability to securely reset their passwords through a self-service portal.

SSPR can be configured to require one or two registered authentication methods, such as a code sent to a mobile phone or email, a notification in the Microsoft Authenticator app, or answers to security questions, before a reset is allowed, so that the person requesting the reset is shown to be the account holder. Once verified, users set a new password and regain access without intervention from IT staff.

Here’s a breakdown of why the other options are incorrect:

A is incorrect. Password Vault is not a feature of Azure AD. While a password vault may refer to a tool used for securely storing and managing passwords, it is not related to self-service password resets in Azure AD. SSPR is the actual tool designed for this purpose.

C is incorrect. Directory synchronization (Azure AD Connect) replicates on-premises Active Directory identities into Azure AD and is essential in hybrid environments, but it does not provide the reset experience. Its only part in SSPR is the optional password writeback feature, which pushes a password reset performed in the cloud back to the on-premises domain controller so hybrid users end up with a single, current password.

D is incorrect. Credential Management Center is not a feature of Azure AD. The term could refer to a general concept or tool within an operating system for managing credentials, but it does not relate to Azure AD or self-service password resets.

To summarize, Self-Service Password Reset (SSPR) is the correct feature that allows users to reset their own passwords in Azure AD, reducing the need to contact IT support. This makes B the correct answer.

Question 9:

Which security tool in Microsoft Defender focuses primarily on endpoint protection including malware detection and device control?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Apps

Correct Answer:  B

Explanation:

The correct answer is B — Microsoft Defender for Endpoint. This is a security solution designed to provide endpoint protection, which includes malware detection, device control, threat detection, and response capabilities for devices such as desktops, laptops, and mobile devices.

Microsoft Defender for Endpoint secures endpoints by combining next-generation antivirus, behavioral analysis, real-time protection, and threat intelligence to identify, block, and remediate threats, and by recording endpoint telemetry for investigation and automated response. Its device control capability lets administrators restrict removable storage, USB and printer use, and its attack surface reduction rules block common malware behaviours such as Office applications spawning child processes.

Here’s why the other options are incorrect:

A is incorrect. Microsoft Defender for Cloud (formerly Azure Security Center) is a cloud security solution primarily focused on securing cloud resources like virtual machines, databases, and networking components in Azure. It helps monitor cloud workloads but does not directly focus on endpoint protection for devices like laptops or desktops.

C is incorrect. Microsoft Defender for Identity is a security solution that focuses on protecting and securing Active Directory environments by detecting and investigating identity-based threats, such as unauthorized access or privilege escalation attempts. While it helps protect identity and access, it does not focus on endpoint protection or malware detection.

D is incorrect. Microsoft Defender for Apps is not a product name; the closest real product is Microsoft Defender for Cloud Apps, a cloud access security broker that discovers and governs SaaS usage (for example, Microsoft 365 and other cloud applications) and applies session controls to them. It does not provide endpoint protection.

To summarize, Microsoft Defender for Endpoint is the best solution for providing endpoint protection, including malware detection and device control, making B the correct answer. This tool is essential for securing devices within an organization by preventing, detecting, and responding to threats.

Question 10:

What does Identity Protection in Azure AD primarily help organizations do?

A. Encrypt confidential documents in OneDrive
B. Detect, analyze, and respond to suspicious login attempts
C. Restrict access to applications based on region
D. Block legacy authentication protocols

Correct Answer:  B

Explanation:

The correct answer is B — Identity Protection in Azure AD primarily helps organizations detect, analyze, and respond to suspicious login attempts. This feature is a key component of Azure Active Directory's security capabilities and is designed to enhance the organization’s ability to protect user identities by detecting risky sign-ins and potential security threats.

Identity Protection uses machine learning, behavioral analytics, and Microsoft's threat intelligence to score each sign-in, and each user, with a risk level. Its detections include atypical travel (two sign-ins from locations too far apart to reach in the elapsed time), sign-ins from anonymous IP addresses or from addresses linked to malware, unfamiliar sign-in properties such as a new device or browser, password spray attempts against many accounts, and credentials found in public leaks.

When such anomalies are detected, Azure AD Identity Protection can take predefined actions such as:

  • Multi-factor authentication (MFA) enforcement

  • Blocking access to the application

  • Notifying administrators about suspicious activities

  • Risk-based conditional access policies to safeguard the organization

This lets administrators mitigate identity compromise as it happens rather than after the fact. Risk-based Conditional Access and the risky users and risky sign-ins reports require Azure AD Premium P2 licensing.
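Two of the detections described above, atypical travel and an unfamiliar country, as an added example that is not Microsoft's detector: it runs over constructed sign-in log entries, derives a risk level, and maps that level to the policy action. The IP-to-location table, the per-user country baseline, and the 1,000 km/h plausibility threshold are assumptions for the demo.

```python
# Added example, not Identity Protection's detectors or thresholds: two sign-in
# risk checks (atypical travel, unfamiliar country) over constructed sign-in
# entries. The IP-to-location table, the country baseline and the speed
# threshold are assumptions for the demo.

from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed geolocation table; a real pipeline would use a GeoIP database.
GEO = {
    "203.0.113.5":  ("US", 47.61, -122.33),   # Seattle
    "198.51.100.9": ("US", 40.71, -74.01),    # New York
    "192.0.2.77":   ("RU", 55.76, 37.62),     # Moscow
}
MAX_PLAUSIBLE_KMH = 1000          # assumption: roughly airliner speed

# Assumed baseline: countries each user has signed in from before.
BASELINE_COUNTRIES = {
    "alice@contoso.example": {"US"},
    "bob@contoso.example": {"US"},
}

# Constructed sign-ins: (user, UTC time, source IP). Alice appears in Moscow
# 45 minutes after Seattle; Bob flies New York to Seattle over 12 hours.
SIGN_INS = [
    ("alice@contoso.example", "2024-05-02T08:00:00Z", "203.0.113.5"),
    ("alice@contoso.example", "2024-05-02T08:45:00Z", "192.0.2.77"),
    ("bob@contoso.example",   "2024-05-02T09:00:00Z", "198.51.100.9"),
    ("bob@contoso.example",   "2024-05-02T21:00:00Z", "203.0.113.5"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def assess(sign_ins, baseline):
    """Return (user, time, risk level, reasons) for each sign-in, in time order."""
    last = {}                      # user -> (time, lat, lon) of previous sign-in
    results = []
    for user, ts, ip in sorted(sign_ins, key=lambda r: r[1]):
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        country, lat, lon = GEO[ip]
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append("unfamiliar_country")
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("atypical_travel")
        last[user] = (t, lat, lon)
        if "atypical_travel" in reasons:
            level = "high"
        elif reasons:
            level = "medium"
        else:
            level = "none"
        results.append((user, ts, level, reasons))
    return results


def policy_action(level):
    """What a risk-based Conditional Access policy would do at each level."""
    return {"none": "allow", "low": "allow",
            "medium": "require_mfa", "high": "block"}[level]


if __name__ == "__main__":
    for user, ts, level, reasons in assess(SIGN_INS, BASELINE_COUNTRIES):
        print(f"{ts} {user:24} {level:6} {policy_action(level):12} {reasons}")
```

Bob's 3,900 km in twelve hours is ordinary travel and raises nothing; Alice's 8,400 km in forty-five minutes is not physically possible, so the second sign-in is scored high and blocked even though the password was correct, which is the situation Identity Protection exists to catch.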

Let’s break down why the other options are incorrect:

A is incorrect. Encrypting confidential documents in OneDrive is a task that would be managed through Microsoft 365 compliance solutions, such as Information Protection, rather than through Identity Protection in Azure AD. While Identity Protection handles sign-in security, document encryption falls under data governance and compliance features.

C is incorrect. Restricting access to applications based on region could be part of a Conditional Access policy, but it is not the primary function of Identity Protection. Conditional Access controls access based on conditions like user location, but Identity Protection specifically focuses on detecting and responding to suspicious activities related to user identities.

D is incorrect. Blocking legacy authentication protocols is a separate security task within Azure AD, typically managed through Conditional Access policies. While this action enhances security by preventing outdated and less secure authentication methods, it is not directly related to Identity Protection.

In summary, Identity Protection in Azure AD focuses on detecting and responding to suspicious login attempts and identifying potential risks to user accounts. This makes B the correct answer.