Microsoft Security, Compliance, and Identity Fundamentals Practice Test (SC-900)

Hashing uses a one-way mathematical function to convert input data into a fixed-length digest. Because the function is non-reversible, the original password cannot be reconstructed from the hash, yet the application can verify a user by hashing the provided password and comparing the digests. Symmetric and asymmetric encryption are reversible by design, so administrators with the appropriate keys could recover the plaintext. TLS protects data only while it is in transit and does not secure how the password is stored.

Microsoft Defender Threat Intelligence (Defender TI) supplies curated, Microsoft-sourced threat intelligence inside the Defender portal. Analysts can query domains, IPs, URLs, or hashes to discover associated indicators of compromise, view threat actor profiles, and examine related vulnerabilities or malware campaigns. Services like Microsoft Defender for Endpoint or Defender for Office 365 protect specific assets, and Microsoft Sentinel is a SIEM/SOAR platform; none of those provide the dedicated, portal-integrated threat intelligence research tools that Defender TI offers.

AD DS stores objects in a hierarchical structure that includes forests, domains, and organizational units (OUs), which administrators use together with Group Policy. Azure AD is a cloud-based, multi-tenant directory that keeps users, groups, and other objects in a flat structure scoped to a single tenant and does not provide OUs or Group Policy. The other options either reverse the protocol support, incorrectly state that Azure AD depends on on-premises domain controllers, or misrepresent which service is multi-tenant.

Microsoft Purview DLP fully supports Exchange Online mailboxes as a policy location. A DLP policy scoped to Exchange email can inspect messages for sensitive data like credit-card numbers and, if configured to block, prevent the message from being sent. Purview DLP does not natively inspect Azure Virtual Network traffic, cannot directly enforce policy on Azure Blob Storage, and does not support GitHub Enterprise repositories, so selecting any of those locations would not satisfy the requirement.

Defender for Identity works by installing sensors on Active Directory domain controllers. These sensors capture and send authentication-related network traffic and security event logs from the on-premises domain controllers to the Defender for Identity cloud service. By focusing on this on-premises Active Directory data, the service can spot techniques such as pass-the-hash, pass-the-ticket, and other lateral-movement behaviors. It does not directly analyze Azure AD sign-ins, Azure Resource Manager changes, or Exchange Online message metadata; those data sources are monitored by other Microsoft security solutions.

A sensitivity label policy can be configured to force users to give a business justification before they remove a label or replace it with one that has a lower classification. This extra step discourages accidental or inappropriate downgrades. Deleting content after a retention period is a function of retention policies, controlling file downloads is handled by conditional access or session policies, and translating label names is done when creating the label itself, not through the publishing policy.

In Microsoft Sentinel, analytics rules are used to implement threat detection logic. You define a Kusto Query Language (KQL) query that looks for indicators of compromise in the data collected by Sentinel. The rule runs on a configurable schedule, evaluates the query results, and automatically creates an incident if the defined threshold or condition is met.

Other options do not provide this functionality:

• Data connectors are used to ingest data from various sources into Sentinel but do not generate alerts by themselves.
• Workbooks offer interactive dashboards for visualizing data and reporting but do not trigger incidents.
• Playbooks (built on Azure Logic Apps) automate responses after an alert or incident has been generated; they do not detect threats on their own.

Microsoft Defender for Identity connects to domain controllers and monitors on-premises Active Directory authentication traffic to spot suspicious activities such as pass-the-hash, brute-force, or lateral-movement attacks. Defender for Endpoint focuses on signals from client and server operating systems, not directly on domain controller traffic. Microsoft Defender for Cloud Apps analyzes SaaS application usage and shadow IT, while Microsoft Sentinel is a separate SIEM/SOAR platform rather than an XDR component. Therefore, only Microsoft Defender for Identity meets the requirement to analyze on-premises AD authentications for credential threats.

Compliance Manager is the Microsoft Purview capability designed to simplify compliance management. It maps Microsoft and customer responsibilities to specific regulatory requirements, suggests improvement actions, and expresses overall progress as a percentage-based compliance score. Features such as Insider Risk Management, Advanced eDiscovery, and the Information protection scanner address other governance or investigative needs but do not calculate compliance scores or track control implementation against regulations.

The scenario describes automated actions that orchestrate and execute a response when a security incident is detected. Those actions-such as running Logic App playbooks to isolate hosts or disable accounts-are part of security orchestration, automation, and response (SOAR). By contrast, SIEM focuses on collecting and analyzing event data, CSPM assesses cloud configuration compliance, and UEBA looks for anomalous user or entity behavior; none of these inherently perform automated remediation steps.

Azure Key Vault is a fully managed cloud service that safeguards cryptographic keys, secrets (such as connection strings or passwords), and certificates. It provides centralized secret management, built-in access control through Azure AD, and full audit logging, all without requiring customers to deploy or maintain hardware. Azure Firewall, Azure DDoS Protection, and Microsoft Defender for Cloud address network filtering, denial-of-service mitigation, and security posture management respectively, but they do not store or manage secrets and keys.

The only framework in the list that is both certifiable and explicitly focused on the requirements for an information security management system (ISMS) is ISO/IEC 27001. Organizations can be audited against ISO/IEC 27001 and, if they meet all requirements, receive formal certification.

The NIST Cybersecurity Framework provides voluntary guidance but is not a certification standard. GDPR is a regulation that sets legal obligations rather than a certifiable framework. The CIS Critical Security Controls are best-practice recommendations and likewise do not provide a certifiable ISMS.

The Microsoft Defender portal is the unified console for Microsoft Defender XDR. It correlates alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and other Defender services into a single incident queue, allowing analysts to investigate and respond from one place. Conditional Access policy management is done in the Entra (Azure AD) portal, Azure Firewall rules are configured in the Azure portal, and license purchasing is handled in the Microsoft 365 admin center, not in the Defender portal.

Azure Bastion is a platform-managed service that is deployed inside an Azure virtual network. It lets administrators connect to virtual machines over RDP or SSH directly from the Azure portal through an HTML5 browser using an outbound TLS (TCP 443) connection. Because connections go through the Bastion host, the target VMs do not need public IP addresses, and users do not have to install or configure any VPN or additional agents.

The other options do not satisfy the stated constraints:

• Azure VPN gateway enables secure connectivity but requires users to set up a VPN client, which the policy forbids.
• Azure Application Gateway is a Layer 7 load balancer (often used with Web Application Firewall) and is not intended for remote desktop or SSH access to VMs.
• Azure Firewall provides network-level traffic filtering and does not offer interactive RDP/SSH session capabilities to VMs without public IPs.

The Microsoft Purview compliance portal unifies Microsoft 365 compliance capabilities. It contains the Information Protection section where administrators define sensitivity labels and the Data classification section that includes Content explorer. Other portals-such as the Microsoft 365 admin center, Microsoft Defender portal, and the Service Trust Portal-do not provide both of these capabilities in one place.

Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It keeps directories of users and groups, authenticates those identities, and issues the authorization tokens that let them access Microsoft 365, Azure resources, and thousands of integrated third-party applications. It is not a general database service, a compute service such as virtual machines, or a network security appliance. Those other services do not provide directory, authentication, or single sign-on capabilities, so they cannot replace Microsoft Entra ID for identity needs.

Workload identities are intended for non-human entities such as applications, services, automation scripts, or containers. They enable software to sign in and obtain tokens without interactive sign-on. Device identities map to individual devices, external (guest) identities correspond to users from another organization, and user identities are for human users, so none of those satisfy the scenario.

Threat and vulnerability management (TVM) in Microsoft Defender for Endpoint continually scans supported Windows client and Windows Server devices for missing patches, insecure configurations, and vulnerable software. It assigns exposure and security scores, ranks weaknesses by exploit likelihood, and provides recommended remediation actions that can be launched through tools such as Microsoft Intune or Microsoft Endpoint Configuration Manager.

Attack surface reduction rules enforce preventive policies like blocking suspicious scripts but do not inventory vulnerabilities. Endpoint detection and response (EDR) focuses on detecting and investigating active threats rather than pre-existing weaknesses. Live response offers a remote shell for manual investigation and remediation and does not calculate exposure scores. Therefore, TVM is the appropriate capability.

Network security groups (NSGs) provide stateful packet filtering based on source and destination IP address, port, and protocol. They can be associated with individual subnets or individual network interfaces, making them ideal for controlling inbound and outbound traffic to specific workloads. Azure DDoS Protection focuses on large-scale volumetric attacks but does not let you author custom port and protocol rules. Azure Firewall offers centralized, stateful filtering at the virtual-network perimeter, not directly on subnets or NICs. Web Application Firewall protects HTTP/S traffic at the application layer but cannot create general network-level allow/deny rules for other protocols.

Microsoft Entra ID Protection includes risk policies that continuously evaluate sign-in and user behavior. A user risk policy can automatically block access or force a password reset when the calculated user risk is high, directly addressing the requirement to detect compromised credentials and require a password change. Privileged Identity Management focuses on just-in-time elevation of privileged roles, not risk-based password resets. Access reviews help verify continued access appropriateness but do not enforce real-time password changes based on risk. Conditional Access enforces access decisions based on conditions such as location or device compliance, yet it relies on signals (including risk) surfaced by ID Protection; it does not itself calculate user risk or mandate password resets. Therefore, configuring Microsoft Entra ID Protection risk policies is the correct choice.