Questions and answers with rationales / graded A+ / 2026 update / 100% correct / instant download
Exam Name: Microsoft Security, Compliance, and Identity Fundamentals
Exam Code: SC-900
Instructions: Choose the best answer for each question. The correct answer is
highlighted in bold, and a rationale is provided below each question.
Section 1: Core Concepts (Security, Compliance, Identity, Zero Trust)
1. An organization wants to move from a traditional network perimeter
security model to one that assumes breach and verifies every request as
though it originates from an uncontrolled network. Which security principle is
the organization adopting?
A) Defense in Depth
B) Zero Trust
C) Shared Responsibility
D) Least Privilege
Correct Answer: B
Rationale: Zero Trust is a security model that assumes breach and verifies every
request as though it originates from an uncontrolled network. It follows the guiding
principle "never trust, always verify," regardless of whether the request comes
from inside or outside the corporate network.
2. According to the shared responsibility model in a Software as a Service
(SaaS) deployment like Microsoft 365, who is responsible for securing the
customer's data and identities?
A) Microsoft only
B) The customer only
C) A third-party auditor
D) Both Microsoft and the customer share equal responsibility
Correct Answer: B
Rationale: In the shared responsibility model, Microsoft is responsible for the
security "of" the cloud (physical hosts, datacenters, network). The customer is
always responsible for what they put "in" the cloud, including their data, identities,
user devices, and accounts.
3. A retail company is subject to GDPR because it stores data of EU citizens.
They must ensure data is only stored in datacenters located in the European
Union. What concept does this requirement describe?
A) Data Sovereignty
B) Data Residency
C) Data Classification
D) Data At Rest
Correct Answer: B
Rationale: Data residency refers to the physical location (geographic boundaries)
where data is stored. While data sovereignty refers to the legal implications (local
laws governing the data), residency is the actual geographic location requirement.
GDPR enforces strict data residency rules for EU citizen data.
4. Which pillar of the Zero Trust model requires verifying explicit conditions
like user role, location, and device health before granting access?
A) Assume Breach
B) Use Least Privilege Access
C) Verify Explicitly
D) Segmentation
Correct Answer: C
Rationale: "Verify Explicitly" means that all access requests are authenticated and
authorized based on all available data points (user identity, location, device health,
workload, classification) before granting the minimal necessary access.
5. What is the primary purpose of "Defense in Depth"?
A) To ensure every user has only the minimum necessary access rights.
B) To use a single, powerful firewall to block all attacks.
C) To apply a series of layered security mechanisms to slow down an attack.
D) To move all data to a single, secure cloud location.
Correct Answer: C
Rationale: The strategy of defense in depth is to use multiple layers of protection
(physical, identity, network, application, data) to create a comprehensive security
posture. If one layer is breached, subsequent layers prevent further damage.
6. A company wants to ensure employees can only access the specific customer
database required for their job, not the entire HR system. Which principle is
the company enforcing?
A) Separation of Duties
B) Zero Trust
C) Authentication
D) Least Privilege
Correct Answer: D
Rationale: The principle of least privilege ensures users are granted only the
minimum access necessary to perform their job functions. This reduces the attack
surface and limits the potential damage from compromised credentials.
7. The human resources department needs to prove that a specific employee
agreement document has not been altered since it was signed three years ago.
Which security mechanism provides this assurance?
A) Data Classification
B) Hashing
C) Tokenization
D) Data Obfuscation
Correct Answer: B
Rationale: Hashing is a one-way function that creates a unique digital fingerprint
of data. If the data changes even slightly, the hash output changes completely.
Comparing hashes verifies the integrity of the data.
8. Which security concept is defined as the process of verifying the identity of
a user or device?
A) Authorization
B) Auditing
C) Authentication
D) Accounting
Correct Answer: C
Rationale: Authentication (AuthN) is the act of proving identity (e.g., "You are
who you say you are," using a password or biometric). Authorization (AuthZ) is
the act of granting permission to access a resource.
9. A government regulation requires that all emails containing personally
identifiable information (PII) be automatically encrypted if sent outside the
organization. This is an example of a requirement driven by which domain?
A) Identity Management
B) Threat Protection
C) Compliance
D) Network Security
Correct Answer: C
Rationale: Compliance refers to the process of adhering to laws, regulations,
standards, and organizational policies. The requirement to encrypt PII based on a
government mandate falls directly under compliance obligations.
10. In the "Assume Breach" principle of Zero Trust, security architects design
systems assuming an attacker is already inside the network. What is the
primary goal of this mindset?
A) To focus only on external threats.
B) To reduce the Mean Time to Repair (MTTR).
C) To prioritize detection and rapid response over simple prevention.
D) To eliminate the need for firewalls.
Correct Answer: C
Rationale: Assuming breach shifts focus from solely preventing perimeter
breaches to quickly detecting and responding to lateral movement and data
exfiltration, acknowledging that prevention controls will eventually fail.
Section 2: Identity & Access Management (Microsoft Entra ID)
11. Which Microsoft service is the cloud-based identity and access
management solution that provides authentication and authorization for
Microsoft 365, Azure, and third-party applications?
A) Microsoft Entra ID
B) Active Directory Domain Services (AD DS)