SC-900 Microsoft Security Compliance and Identity Fundamentals Question and Answers

Microsoft states that Azure Bastion is a fully managed PaaS service that provides “secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL” and “eliminates the need to expose public IP addresses on your VMs.” With Bastion, users open the VM blade in the Azure portal and launch an in-browser RDP or SSH session; no separate RDP or SSH client is required because the session is proxied through Bastion using HTTPS/TLS. The platform is designed to be agentless and browser-based, providing connectivity without VPN or jump hosts and enforcing least-exposure by keeping management ports off the internet. While traditional tools such as Remote Desktop Connection or an SSH client are common for direct access, Bastion’s prescribed access method in Microsoft guidance is to initiate the session from the Azure portal. PowerShell remoting is unrelated to Bastion’s web-based brokering. Therefore, to connect to an Azure virtual machine by using Azure Bastion, you use the Azure portal.

Microsoft’s Identity Protection provides risk-based detections and automated policies—not group management. Microsoft Learn explains that Identity Protection “uses detections to identify potential vulnerabilities affecting your organization’s identities” and exposes user risk and sign-in risk for policy decisions. It does not support adding users to groups by “risk level”; group membership is handled by static or dynamic rules based on directory attributes, while risk is a transient signal surfaced to policies.

Identity Protection includes specific detections such as “Leaked credentials”, where Microsoft’s threat intelligence finds credentials “on the dark web or other dumps,” and flags the affected account as risky. This directly confirms the ability to detect whether credentials have been exposed publicly.

For enforcement, Identity Protection policies and Conditional Access can require stronger authentication when risk is present. The documentation states that you can configure policies to “require multi-factor authentication for sign-ins assessed as risky” and use Conditional Access conditions like User risk or Sign-in risk with the grant control Require multi-factor authentication. Thus, Identity Protection signals can invoke MFA based on risk, but they do not place users into groups.

In Microsoft Entra ID Protection, risk-based Conditional Access policies use signals such as User risk and Sign-in risk to evaluate potential threats during authentication and identity usage. These are core to adaptive access and identity protection features taught in Microsoft’s SC-300 and SC-900 learning paths.

User risk:

Defined by Microsoft as: “The probability that a specific identity or account is compromised.”

User risk is assessed based on activities and behaviors that indicate the account may have been compromised—such as leaked credentials or atypical user activity over time.

Sign-in risk:

Defined as: “The probability that the authentication request is not performed by the legitimate identity owner.”

Sign-in risk is calculated at the time of authentication based on indicators such as unfamiliar locations, anonymous IP addresses, impossible travel, or malware-linked sign-ins.

These signals help automate access decisions, such as requiring MFA or blocking access, based on real-time risk assessments.

In the Microsoft 365 Defender (Microsoft Defender XDR) portal, the Reports area is the feature designed to surface security trends and provide protection status views across workloads, including identities. Microsoft guidance explains that the Reports workspace offers curated dashboards and exportable reports for specific domains (for example, Identities, Email & collaboration, Endpoints), so security teams can review trend lines, coverage/health, and status without running queries. For identities specifically (backed by Microsoft Defender for Identity), the reports include overview dashboards and scheduled/on-demand reports that show items such as identity security posture, open health issues, alert volumes over time, and sensor/coverage status. This aligns with SCI learning paths that distinguish portal areas by purpose: Secure score is a measurement of overall posture and recommended actions, Incidents is for triage and response to individual cases, and Hunting is for ad-hoc, query-driven investigations. When the task is to “view security trends and track the protection status of identities,” Microsoft directs administrators to the Reports > Identities experience in the Defender portal, which provides the built-in, continuously updated visualizations and summaries required for ongoing monitoring.

In Microsoft’s official guidance, the Microsoft Cloud Adoption Framework for Azure (CAF) is described as the end-to-end approach that “provides best practices, documentation, and tools” to help organizations create and implement business and technology strategies for cloud adoption. The framework aggregates field experience from “Microsoft employees, partners, and customers” and offers prescriptive guidance across strategy, planning, readiness, governance, security, and management to ensure a secure and compliant Azure landing zone. Within SCI-aligned materials, CAF is highlighted as the authoritative body of guidance that helps organizations reduce risk by aligning cloud architecture, identity, security, and compliance controls with Zero Trust principles and regulatory needs. It enables teams to map security baselines, identity governance (e.g., using Microsoft Entra and Conditional Access), and compliance controls (e.g., data protection and regulatory mappings) into deployment blueprints and policy-driven guardrails.

By contrast, Azure Blueprints package artifacts (policies, RBAC, templates) for consistent deployments; Azure Policy enforces and audits configuration through policy definitions; and resource locks prevent accidental modification or deletion. While these are important technical controls, the statement in the question explicitly refers to a body of best practices and guidance that assists an Azure deployment end to end—this is precisely the role of the Microsoft Cloud Adoption Framework for Azure.

Microsoft defines Microsoft Entra ID (formerly Azure Active Directory) as “a cloud-based identity and access management (IAM) service” that “helps your employees sign in and access resources.” In SCI learning paths, Entra ID is positioned as the tenant’s identity provider (IdP) that authenticates users and issues tokens for applications using standards such as OpenID Connect, OAuth 2.0, and SAML, which applications then use to authorize access based on roles/claims. Microsoft further explains that Entra ID provides single sign-on, Conditional Access, MFA, and token-based authorization—all core IdP capabilities that govern who can access what across Microsoft 365, Azure, and thousands of SaaS apps.

By contrast, an extended detection and response (XDR) system refers to Microsoft Defender XDR, which focuses on incident detection, correlation, and response—not identity provisioning or token issuance. A security information and event management (SIEM) system refers to Microsoft Sentinel, which aggregates and analyzes logs and alerts—not primary authentication. An Azure management group is a governance scope used to organize subscriptions and apply policy/RBAC at scale; it is not an authentication/authorization service. Therefore, within Microsoft’s SCI scope, Microsoft Entra ID is an identity provider used to perform authentication (verifying identity and issuing tokens) and to enable authorization in applications and resources that consume those tokens.

Microsoft’s security and compliance learning content explains that digital signatures are built on public key (asymmetric) cryptography. In this model, each identity has a key pair: a private key that is kept secret and a public key that can be shared. The signing operation is performed with the private key to produce a signature bound to the content and the signer’s identity. Verification is then performed by anyone who has access to the corresponding public key, which mathematically validates the signature and confirms both integrity (the content wasn’t altered) and authenticity (it was signed by the holder of the private key). SCI materials (covering Microsoft Purview Information Protection, Azure Key Vault/PKI concepts, and identity fundamentals) emphasize that the private key must never be disclosed or required for verification; only the public key is used to validate signatures and certificates. This is the same principle used across Microsoft 365 for certificate-based trust, code signing, and document signing: sign with the private key; verify with the public key. Therefore, statements one and two are true, and the statement claiming verification requires the private key is false.

In Microsoft 365, the unified audit log retention depends on the audit tier included with the subscription. Current SCI/Compliance documentation states that Audit (Standard)—which is available with Microsoft 365 E3—retains audit records for 180 days. The docs describe that organizations with E3 receive “up to 180 days of audit log retention” for user and admin activities captured in the unified audit pipeline. Longer retention (for example 365 days and beyond with customizable policies) is part of Audit (Premium) features generally associated with E5/E5 Compliance. Because the scenario specifies a Microsoft 365 E3 subscription using the unified audit log and Basic/Standard Audit, the retention period for audit records is 180 days.

access and application control

In Microsoft Defender for Cloud, the capabilities grouped as access and application control are designed to harden Azure virtual machines by limiting both what can access a VM and what can run on it. Microsoft’s documentation explains that Adaptive application controls “help you control which applications can run on your VMs by allowing only known-safe applications,” which directly helps block malware and other unwanted applications. In the same family, Just-in-time (JIT) VM access “reduces exposure to attacks by locking down inbound traffic to your VMs and opening only the required ports, for approved users, for a limited time,” thereby reducing the network attack surface. These capabilities are surfaced in Defender for Cloud recommendations and policies to enforce least privilege at the network edge and on the endpoint execution layer.

By contrast, Cloud Security Posture Management (CSPM) provides continuous assessment and secure-score-driven recommendations but isn’t the control that actively blocks applications or time-bounds inbound access. Container security targets container images and runtimes, and vulnerability assessment identifies software vulnerabilities but doesn’t enforce allow-listing or time-bound access. Therefore, the correct completion is access and application control, which encompasses Adaptive application controls and JIT VM access to protect VMs from unwanted apps and minimize exposed network surface.

In Microsoft 365 Defender (Microsoft 365 security center), Incidents are designed to consolidate and correlate security signals so analysts can see the full scope of an attack. Microsoft’s documentation explains that an incident is “a collection of related alerts that, when viewed together, provide a richer context for the attack and its impact.” The service “automatically groups alerts that are likely to be associated with the same threat activity,” which allows security teams to investigate a single incident rather than many fragmented alerts. Microsoft further notes that incidents “aggregate alerts, affected assets (users, devices, mailboxes), evidences, and entities into one view,” helping analysts triage, investigate, and remediate more efficiently.

This is distinct from other areas in the portal: Reports provide trend and posture reporting; Hunting offers proactive, query-based threat hunting across raw data; and Attack simulator (in Defender for Office 365) is used to run training and awareness simulations (e.g., phishing), not to aggregate real alerts. Therefore, when you need to “view an aggregation of alerts that relate to the same attack” in the Microsoft 365 security center, the correct place is Incidents, which presents the correlated attack story and enables end-to-end response and remediation from a single, consolidated record.

The Content Search tool in the Security & Compliance Center can be used to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business.

The first step is to starting using the Content Search tool to choose content locations to search and configure a keyword query to search for specific items.

Azure DDoS Protection Standard is a platform-native service designed to mitigate distributed denial of service attacks against Azure-hosted workloads that expose public IP addresses. Microsoft’s guidance explains that DDoS Protection Standard is “enabled on a virtual network” and, once enabled, “automatically protects resources within the virtual network with public IP addresses” (for example, Application Gateway, Azure Load Balancer, and virtual machines). The service is “tuned to the traffic patterns of the protected resources” and provides adaptive real-time mitigation with telemetry and attack analytics.

Critically, the scope of enablement is at the virtual network (VNet) level, not at the resource group level, and it does not apply to Azure Active Directory (Microsoft Entra ID) users or applications, which are identity services rather than network resources. Microsoft’s materials emphasize that by associating a DDoS protection plan to a VNet, you “protect all public IPs assigned to resources in that VNet”, giving layered protection alongside Azure’s always-on basic protections.

Therefore, the only option that correctly completes the sentence is virtual networks, because Azure DDoS Protection Standard is configured on, and provides coverage for, resources inside a VNet that have public endpoints—exactly matching Microsoft’s SCI/Azure security documentation.

Microsoft Secure Score for Devices

Artikel

12.05.2022

3 Minuten Lesedauer

Applies to:

Microsoft Defender for Endpoint Plan 2

Microsoft Defender Vulnerability Management

Microsoft 365 Defender

Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

To sign up for the Defender Vulnerability Management public preview or if you have any questions, contact us (mdvmtrial@microsoft.com).

Already have Microsoft Defender for Endpoint P2? Sign up for a free trial of the Defender Vulnerability Management Add-on.

Configuration score is now part of vulnerability management as Microsoft Secure Score for Devices.

Your score for devices is visible in the Defender Vulnerability Management dashboard of the Microsoft 365 Defender portal. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:

Application

Operating system

Network

Accounts

Security controls

Select a category to go to the Security recommendations page and view the relevant recommendations.

Turn on the Microsoft Secure Score connector

Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.

Changes might take up to a few hours to reflect in the dashboard.

In the navigation pane, go to Settings > Endpoints > General > Advanced features

Scroll down to Microsoft Secure Score and toggle the setting to On.

Select Save preferences.

How it works

Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.

The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously:

Compare collected configurations to the collected benchmarks to discover misconfigured assets

Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)

Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)

Collect and monitor changes of security control configuration state from all assets

In Microsoft’s Security, Compliance, and Identity guidance, multi-factor authentication (MFA) is based on combining independent categories of credentials to verify a user. Microsoft describes the three factor types as: something you know (knowledge), something you have (possession), and something you are (inherence). A password is explicitly categorized as “something you know,” because it relies on a secret the user memorizes and types during sign-in. MFA improves security by requiring two or more of these distinct factors—e.g., a password (know) plus a phone approval or hardware token (have), or a biometric like Windows Hello (are). Using factors from different categories mitigates common attacks such as password spray, credential stuffing, and phishing, because compromising one factor (for example, the password) does not grant access without the second, unrelated factor. Microsoft recommends enabling MFA broadly and pairing passwords with stronger possession or inherence methods to achieve a measurable reduction in account compromise risk. Therefore, in the MFA model used by Microsoft Entra ID (Azure AD), a password is considered something you know.

Microsoft’s Azure networking services have distinct roles that map directly to the statements in the prompt. Azure Firewall is a stateful, cloud-native network security service that explicitly supports Source NAT (SNAT) and Destination NAT (DNAT) to control and translate traffic flows. In Microsoft’s description, Azure Firewall “provides network address translation (SNAT/DNAT) and filtering for inbound and outbound traffic,” making it the correct match for NAT services.

Azure Bastion is designed to deliver “secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal over TLS” without exposing a public IP on the VM. This aligns precisely with secure Remote Desktop connectivity to Azure virtual machines.

Network security groups (NSGs) are Azure’s built-in mechanism for traffic filtering. Microsoft explains that an NSG “contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources” and that rules can be applied to subnets or to individual network interfaces (NICs) on a virtual network. Therefore, NSGs are the right choice for traffic filtering applied to specific network interfaces.

Together, these mappings reflect Azure’s layered network security model: NSGs for rule-based filtering at NIC/subnet, Azure Firewall for centralized stateful inspection and NAT, and Azure Bastion for secure, browser-based RDP/SSH access.

Microsoft Entra Conditional Access evaluates signals to make real-time access decisions. Microsoft describes it as bringing “signals together to make decisions and enforce organizational policies,” where administrators choose controls such as Block access, Require multi-factor authentication, Require device to be marked as compliant, or Require hybrid Azure AD joined device. Because MFA is only one of several grant controls, it is incorrect that policies always enforce MFA; they can also simply block, allow, or require other conditions.

Location is a first-class condition. Microsoft states you can define named locations (by countries/regions or IP ranges) and then use them in policy conditions to block or grant access. A common scenario is “Block access from specific locations” or require additional controls when a sign-in originates from an untrusted network. Therefore, Conditional Access can block access to an application based on user location.

Finally, Conditional Access targets users, groups, workload identities, and cloud apps regardless of device join state. Device-related conditions and filters are optional; policies are not limited to “Azure AD-joined devices.” Controls like Require device to be marked as compliant or Require Hybrid Azure AD joined device are only enforced if configured. Hence, Conditional Access does not only affect users on Azure AD-joined devices.

Box 1: Yes

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more

Box 2: Yes

Cloud security posture management (CSPM) is available for free to all Azure users.

Box 3: Yes

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

Microsoft’s SCI/Learn content describes Azure AD (now Microsoft Entra ID) as a cloud service, not something you install on-premises. The docs state Azure AD is a “cloud-based identity and access management service” that “helps your employees sign in and access resources.” This clarifies the third statement (IAM service) as Yes, and the first statement (on-premises deployment) as No, because the native on-prem directory is Windows Server Active Directory, whereas Azure AD runs in Microsoft’s cloud and can be synchronized with on-prem AD via tools like Azure AD Connect.

Microsoft also explains licensing/availability: the service comes in several editions, and the free/Office 365 tier is included with many suites. The documentation explicitly notes that Azure AD is “included with subscriptions such as Microsoft 365” (formerly Office 365) and provides tenant-wide identity for those services. Therefore, stating that Azure AD is provided as part of a Microsoft 365 subscription is Yes.

In summary: Azure AD/Entra ID is a cloud identity and access management platform; it’s not deployed on-premises, and Microsoft 365 subscriptions include an Azure AD tenant/edition to manage users, groups, apps, and access policies.

In Microsoft’s SCI learning content, the core objective of protecting information is framed by the CIA triad. Microsoft explains that “confidentiality, integrity, and availability are foundational security principles.” Within this model, integrity is described as the assurance that information remains trustworthy and unchanged from its intended state. The SCI materials state that integrity means “preventing unauthorized modification and ensuring the accuracy and completeness of data.” When a requirement says, “ensuring that the data you retrieve is the same as the data you stored,” it directly maps to this integrity principle—verifying that data hasn’t been altered, corrupted, or tampered with during storage or transmission.

Microsoft’s guidance further highlights that integrity is supported by controls that “detect or prevent unauthorized changes,” including cryptographic hashes, checksums, and digital signatures that can “provide proof that content hasn’t been modified.” By contrast, confidentiality focuses on restricting access (for example, through least privilege and encryption), and availability focuses on “reliable and timely access to information and systems.” Because the scenario emphasizes that the retrieved data is identical to the stored data, it is not about access or uptime but about preserving correctness and detecting alteration—which is precisely the integrity objective in Microsoft’s Security, Compliance, and Identity guidance.

Azure Blueprints allow cloud architects and central IT to define a repeatable set of Azure resources and governance artifacts—including Azure Policy assignments, role assignments (RBAC), resource groups, and ARM/Bicep templates—and then deploy them consistently across subscriptions. Microsoft’s guidance describes Blueprints as a way to “orchestrate the deployment of various resource templates and other artifacts” to establish standards, patterns, and compliance for environments at scale. This is distinct from Azure Policy, which evaluates and enforces configuration but does not package multi-artifact environments; Microsoft Sentinel and Defender are security analytics/protection services rather than provisioning frameworks. Thus, for consistent provisioning across multiple subscriptions, the prescribed solution is Azure Blueprints.

In Microsoft 365 compliance, sensitivity labels (Microsoft Purview Information Protection) are the feature designed to classify and automatically protect data. Microsoft states that sensitivity labels “let you classify and protect your organization’s data” and that a label “can apply protection settings such as encryption” to files and emails. Labels can be deployed so that protection is applied without user action: Microsoft explains that labels “can be applied automatically, recommended, or by users,” and that administrators can “auto-apply a sensitivity label to content in SharePoint, OneDrive, and Exchange based on conditions such as sensitive info types, keywords, or trainable classifiers.” When a label with protection is applied, “encryption settings travel with the content” and enforce usage rights like who can open, print, or forward, even outside the organization.

By contrast, Content Search and eDiscovery are discovery/investigative tools and do not enforce protection. Retention policies manage how long content is kept or deleted, but they don’t encrypt content. Therefore, the Microsoft 365 compliance capability that encrypts content automatically based on specific conditions is sensitivity labels with auto-labeling policies in Microsoft Purview.

Microsoft Purview Data Loss Prevention (DLP) is designed to “detect and protect sensitive items” across Microsoft 365 locations, endpoints, and cloud apps. Microsoft explains that Purview DLP policies use sensitive information types, exact data match (EDM), and machine learning–based trainable classifiers to identify content, and then automatically apply protective actions such as blocking or restricting sharing, notifying users with policy tips, auditing, or auto-quarantining/justifying activities. This fulfills the description “use machine learning algorithms to detect and automatically protect sensitive items.” While eDiscovery focuses on legal hold and content discovery, and Communication compliance monitors communications for policy violations (ethics/regulatory scenarios), they are not positioned to broadly and automatically protect sensitive data across services. “Information risks” is not a distinct Purview solution category. Therefore, the Purview capability that leverages machine learning classifiers and automatically enforces protections on sensitive data is Data loss prevention (DLP).

Assessments

In Microsoft Purview Compliance Manager, assessments are the core components used to track compliance with groupings of controls from specific regulations, standards, or requirements.

According to official Microsoft Security, Compliance, and Identity (SCI) learning content, particularly within the SC-400 and SC-900 certification tracks, the role of assessments is explicitly defined as:

“Assessments in Compliance Manager help you track, implement, and improve compliance with requirements from standards and regulations. Each assessment maps to a specific regulation or control framework, such as ISO 27001, NIST, GDPR, or HIPAA, and includes a set of controls and recommended improvement actions.”

Further extracted content from SCI documentation confirms:

“An assessment is used to measure your compliance posture against a particular regulation or standard. It includes control mappings and provides insight into what’s in place and what still needs to be addressed to meet the compliance goals.”

The other options in the dropdown — Templates, Improvement actions, and Solutions — serve different functions:

Templates provide a blueprint for creating assessments.

Improvement actions are actionable steps generated within assessments.

Solutions in Microsoft Purview refer to bundled capabilities like Insider Risk Management, Information Protection, etc.

Therefore, to track compliance with groupings of controls from a specific regulation or requirement, the correct and Microsoft-verified term is "Assessments."

Azure Blueprints lets you define a repeatable set of artifacts—like ARM/Bicep templates, role assignments, and Azure Policy—that you can assign to multiple subscriptions to deploy resources and guardrails consistently.

Explanation

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list.

Microsoft describes hybrid identity as integrating on-premises Active Directory with Microsoft Entra ID (Azure AD) so that “your on-premises identities are synchronized to Azure AD” for a single identity across cloud and on-prem apps. In this model, directory objects (users, groups, and selected attributes) flow from on-premises AD to Azure AD using Azure AD Connect or Cloud Sync; this is the canonical direction for provisioning in hybrid environments. Microsoft further explains that while certain writeback features (such as password writeback, device or group writeback scenarios) are supported, cloud-created users do not automatically sync down to on-premises AD; account provisioning remains authoritative on-prem unless you deploy specific, limited writeback features—there is no default “user account creation from Azure AD to AD DS.” For authentication, Microsoft states that hybrid identity supports cloud authentication (Password Hash Synchronization or Pass-through Authentication) where Azure AD performs the sign-in, or federation with another identity provider (e.g., AD FS or a third-party IdP) where that provider validates credentials and issues tokens to Azure AD. These statements align with Microsoft’s SCI guidance on hybrid identity: on-prem to cloud sync is standard; automatic reverse user sync is not; and authentication can be handled by Azure AD or a federated IdP depending on the chosen sign-in method.

Microsoft’s privacy commitments are framed as principles that include Control, Transparency, Security, Strong legal protections, No content-based targeting, and Benefits to you. Under these commitments, Microsoft emphasizes compliance with regional and sectoral laws: it provides “strong legal protections” for data and commits to handling data “in accordance with applicable laws,” including respecting local privacy and data-protection requirements and supporting cross-border transfers only as permitted by law. The principles also state Microsoft does not use customer content for advertising, and it enables customers to manage their own privacy settings and choices. Therefore:

A is false (Microsoft does collect data but minimizes and protects it).

B is false (Microsoft states no content-based targeting for customer email/chat).

C is false (Microsoft provides settings; customers control them).

D aligns with Microsoft’s principle to respect and comply with applicable local privacy laws.

In Microsoft identity and access scenarios, federation is explicitly defined as a mechanism to create trust between autonomous organizations so that identities authenticated in one can be accepted by another. Microsoft describes this as: “Federation is a collection of domains that have established trust.” In a federation, “this trust relationship lets each organization accept the other’s user authentication” and enables access to resources without the need to duplicate user accounts or require separate credentials. Within Azure AD/Microsoft Entra and AD FS guidance, Microsoft further explains that federation enables “claims-based access across security boundaries” and “allows users to access applications in a partner organization using their existing credentials.” These statements underline that the purpose of federation is to establish a trust relationship across identity providers or directories, not to provide multi-factor authentication, synchronize accounts, or build network tunnels. MFA is an authentication strength that can be applied on top of federated sign-in, user account synchronization is handled by services like Microsoft Entra Connect (Azure AD Connect), and VPNs provide network connectivity, not identity trust. Therefore, the completion that aligns with Microsoft SCI documentation is that federation establishes a trust relationship between organizations.

In Microsoft Purview Information Protection, sensitivity labels are the core mechanism to classify and protect content. The Microsoft SCI learning content explains that a sensitivity label can “apply protection such as encryption and rights restrictions to files and emails,” allowing you to define who can access the content and what they can do (view, edit, print, forward). When you configure a label with Encrypt settings, the service uses Azure Rights Management to enforce protection persistently, so the encryption travels with the file wherever it goes.

Labels can also apply content marking. The official guidance states that labels can “add visual markings—headers and footers—to Office files and email to make the sensitivity of content obvious.” This is commonly used to stamp messages and documents with text such as Confidential or Internal. SCI materials further clarify that labels can apply watermarks to Office documents (Word, Excel, PowerPoint) as part of content marking, but watermarks are not applied to email messages; only headers and footers are supported for email.

Putting it together: encryption (Yes) and headers/footers on documents (Yes) are supported label actions. Watermarks are supported for documents but not for email, so “Sensitivity labels can apply watermarks to emails” is No.

When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.

Microsoft Defender for Endpoint includes Automated investigation and remediation (AIR) and Attack surface reduction (ASR) as core capabilities. Microsoft’s guidance states that AIR “uses inspection algorithms and playbooks to examine alerts, determine if they are malicious, and then take remediation actions such as stopping processes, quarantining files, and rolling back changes.” It is designed to “reduce the volume of alerts that require analyst attention and to remediate threats at machine speed across your estate,” helping security teams contain and fix issues without manual intervention.

Defender for Endpoint also provides attack surface reduction features to proactively limit exposure. The Microsoft learn materials describe that ASR “helps organizations minimize areas that attackers can exploit,” and includes “attack surface reduction rules, network protection, web protection, application control (Windows Defender Application Control), and controlled folder access.” These controls “block or constrain risky behaviors and common attacker techniques,” thereby preventing many initial compromise and lateral-movement attempts before they generate incidents.

By contrast, transport encryption is a general platform/security baseline capability rather than a specific Defender for Endpoint feature, and shadow IT detection is addressed through Microsoft Defender for Cloud Apps (App discovery), which can use Defender for Endpoint network signals but is not itself a native MDE capability. Therefore, the two correct capabilities of Microsoft Defender for Endpoint are Automated investigation and remediation and Attack surface reduction.

In Microsoft identity terminology, authentication is the step that proves who the user is when they attempt to sign in. Microsoft Learn defines it plainly: “Authentication is the process of proving the identity of a user, device, or service.” By contrast, “Authorization is the process of determining what a user, device, or service can do.” During sign-in to Microsoft Entra ID (formerly Azure AD), “the identity provider validates credentials and, upon successful authentication, issues tokens that applications use to grant access.” Microsoft further explains the available methods: “Microsoft Entra ID supports multiple authentication methods, including passwords, multi-factor authentication, FIDO2 security keys, certificate-based authentication, and federated authentication.”

Auditing and administration are not the mechanisms that verify identity at sign-in. Auditing “records security-relevant events for investigation and compliance,” while administration “refers to configuring and managing identities, access policies, and settings.” Therefore, in the sentence “When users sign in, _____ verifies their credentials to prove their identity,” the correct completion is authentication, because it is the control that validates the user’s credentials and establishes identity before any authorization decisions are made.

In Microsoft Defender for Cloud (formerly Azure Security Center), Secure score is defined as “a measurement of an organization’s security posture; the higher the score, the lower the identified risk.” Microsoft states that Defender for Cloud provides security recommendations that “help you harden your resources and increase your secure score.” Among these recommendations is “Apply system updates” for virtual machines—Microsoft describes it as ensuring that “machines should have the latest security updates installed”, and completing this action adds points to your secure score because it remediates a vulnerability class (missing patches).

Defender for Cloud also supports wide scope evaluation: you can “view and manage the secure score across subscriptions and management groups,” allowing organizations with multiple Azure subscriptions to see an aggregated and per-scope score and track improvement actions consistently.

Identity protections are part of Defender for Cloud’s recommendations as well. Under the Azure Security Benchmark controls, Defender for Cloud includes the recommendation that “MFA should be enabled on accounts with owner permissions on your subscription.” Implementing this MFA control earns secure-score points because it mitigates high-impact identity risks.

Therefore, applying system updates (Yes), evaluating across multiple subscriptions (Yes), and enabling MFA (Yes) all increase or contribute to an organization’s secure score in Azure Security Center/Defender for Cloud.

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based directory and identity platform. In Microsoft’s SCI materials, Entra ID is described as “Microsoft’s cloud-based identity and access management service that helps your employees sign in and access resources,” underscoring that it’s not deployed on-premises; instead, organizations can synchronize or federate with on-premises Active Directory using tools like Entra Connect. The same documentation explains that Entra ID is included with Microsoft 365 subscriptions, providing tenant identity services for apps such as Exchange Online, SharePoint Online, and Teams. Core capabilities listed include authentication, single sign-on (SSO), Conditional Access, device registration, and application access management, all of which classify Entra ID as an identity and access management (IAM) service. Thus: (1) on-premises deployment — No (it’s cloud-native), (2) provided with Microsoft 365 — Yes (a directory is created for each tenant), and (3) IAM service — Yes (it delivers identity, access, and governance controls used across Microsoft cloud services).

Microsoft defines hybrid identity as enabling a common identity across on-premises and cloud by integrating your directory services. Microsoft Learn states: “Hybrid identity is achieved by integrating your on-premises Active Directory with Azure Active Directory.” This integration is delivered through the synchronization and optional federation capabilities that connect AD DS to Azure AD so users can access both on-premises and cloud resources with one identity.

To implement this integration, Microsoft’s tooling is explicit: “Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.” Azure AD Connect (now Microsoft Entra Connect) synchronizes users, groups, and optionally passwords or hashes to Azure AD, providing the foundation for hybrid scenarios such as single sign-on and seamless sign-in.

Regarding tenants, Microsoft’s identity platform clarifies that “A Microsoft 365 organization is associated with a single Azure AD tenant.” Therefore, a hybrid identity deployment does not require two Microsoft 365 tenants; it typically links a single Azure AD (Microsoft Entra ID) tenant with one or more on-premises AD DS forests. In summary, Azure AD Connect enables hybrid identity, hybrid identity is the synchronization/integration of AD DS with Azure AD, and it does not necessitate multiple Microsoft 365 tenants.

In Microsoft’s hybrid identity model, organizations keep their authoritative identities in Active Directory Domain Services (AD DS) and surface those identities in Microsoft Entra ID (Azure AD). Microsoft guidance explains that hybrid identity is implemented by synchronizing on-premises directory objects (users, groups, and selected attributes) into Azure AD using Azure AD Connect or Cloud Sync. Azure AD Connect is explicitly documented as the Microsoft tool that establishes and maintains synchronization between AD DS and Azure AD and is therefore used to implement hybrid identity—hence statement 1 is Yes. Hybrid identity does not require two Microsoft 365 tenants; the standard design is one Azure AD tenant connected to one or more on-premises AD forests, so statement 2 is No. For users to authenticate to Microsoft cloud resources with their on-premises identity, Azure AD must have a corresponding cloud identity object, which is achieved by directory synchronization; sign-in can then be handled by cloud authentication (Password Hash Synchronization or Pass-through Authentication) or by federation (e.g., AD FS). Because these sign-in options depend on synchronized identities being present in Azure AD, statement 3 is Yes. This aligns with SCI guidance that hybrid identity = synchronized identities + a chosen authentication method (PHS/PTA or federation).

Microsoft’s SCI guidance defines the supported passwordless methods in Entra ID (Azure AD). The documentation states: “Microsoft recommends three passwordless authentication options: Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app (phone sign-in).” Windows Hello for Business “replaces passwords with strong two-factor authentication on Windows devices,” allowing users to sign in with a gesture (biometric or PIN) that does not require a password during interactive sign-in. Likewise, “FIDO2 security keys enable users to sign in using an external security key,” providing a standards-based passwordless credential that can work across supported browsers and devices.

By contrast, OATH software tokens (for example, time-based one-time passcodes in an authenticator app) are documented as multifactor verification methods: “OATH software tokens generate time-based codes used for MFA.” These OTP codes serve as a second factor and are not a passwordless primary sign-in method; users typically still enter a password and then the OTP. Therefore: software tokens → No (not passwordless), Windows Hello → Yes, FIDO2 security keys → Yes. This mapping aligns directly with Microsoft’s Entra ID passwordless authentication guidance and the delineation between passwordless sign-in and MFA second-factor methods.

Microsoft documents describe Microsoft Entra Privileged Identity Management (PIM) as the service that delivers approval-based, time-limited elevation to privileged roles. Official guidance states: “Privileged Identity Management (PIM) enables you to manage, control, and monitor access to important resources in Microsoft Entra ID, Azure, and Microsoft 365.” PIM specifically supports just-in-time and time-bound activations: “PIM provides just-in-time privileged access to Microsoft Entra roles and Azure resources” and “allows you to make access time-bound by setting start and end dates.” It also supports approval workflows: “You can require approval to activate privileged roles, and designate approvers to receive and approve requests.” Additional controls include “require multi-factor authentication to activate, provide a justification, and ticket number,” and auditing: “PIM records all activations and changes for review and alerting.”

By contrast, Microsoft Entra ID Protection focuses on risk detections and automated remediation, not role elevation workflows. Conditional Access enforces access policies at sign-in and session but does not provide approval-based role activation. Access Reviews help you “review and attest to continued access” but do not supply just-in-time elevation. Therefore, the Microsoft Purview/Entra feature that implements approval-based, time-bound role activation is Microsoft Entra Privileged Identity Management (PIM).

Microsoft Purview Compliance Manager is designed to give organizations a continuous view of their compliance posture. In Microsoft’s Security, Compliance, and Identity guidance, Compliance Manager is described as a capability that assesses your compliance posture against regulatory standards and data protection baselines and updates the compliance score as you implement or fail controls. The platform aggregates signals from assessments, controls, and improvement actions, then recalculates your compliance score as evidence is collected and actions are marked complete or tested. Because these evaluations are tied to live improvement actions and mapped controls (such as access, data protection, and governance controls), your organization’s status isn’t limited to a fixed reporting cycle; rather, it reflects ongoing progress and gaps across supported regulations and standards.

SCI study materials also emphasize that the score is not a one-time audit: it’s a running indicator of risk reduction and control implementation. As you address recommendations, add or update evidence, or connect automated tests where available, the score and related dashboards refresh to show the latest compliance state. This makes Compliance Manager suitable for continuous assessment, enabling organizations to monitor posture, prioritize work, and demonstrate incremental improvements over time—hence, it assesses compliance data continually for an organization.

In Microsoft 365 information protection guidance, Microsoft explains that sensitivity labels are persistent: when a label is applied to a file or email, the label information is stored as metadata so that the protection settings “travel with the content” wherever it’s saved or shared. Labels can apply encryption, content marking (headers, footers, watermarks), and DLP-friendly metadata, but encryption is optional—some labels only classify/mark without encryption. Microsoft also emphasizes that labels are not restricted to predefined categories; administrators can create custom label names, descriptions, and scoped policies to reflect an organization’s taxonomy (for example, Public, Confidential, Highly Confidential, or industry-specific categories). Because the defining property that always applies is that the label remains attached to the content and enforces configured policy across Microsoft 365 services and supported third-party locations, the accurate characteristic is persistent. Options “encrypted” (not always) and “restricted to predefined categories” (incorrect—labels are customizable) do not universally describe sensitivity labels.

In the Microsoft 365 security center/Microsoft 365 Defender portal, the Reports area is designed to provide organization-wide visibility into security posture and activity over time. Microsoft describes the Reports experience as enabling you to “view security trends and track the protection status across identities, endpoints, email & collaboration, and cloud apps.” Within Reports, the Identity section aggregates signals from Microsoft Entra ID protection and related identity defenses so security teams can monitor trends such as risky sign-ins, user risk, MFA adoption/registration, and other identity protection metrics. These curated, read-only dashboards are aimed at measuring protection status and changes over time, helping you validate the impact of controls and prioritize remediation.

By contrast, Attack simulator is used to run user training simulations (e.g., phishing) and is not intended for posture trend reporting. Hunting (Advanced hunting) lets analysts query raw telemetry for investigations, not to provide summarized trend dashboards. Incidents correlates alerts into incident records for triage and response, rather than showing long-term trends and protection status views. Therefore, to view security trends and track the protection status of identities, the correct place is Reports in the Microsoft 365 security center/Microsoft 365 Defender portal.

Microsoft sets out clear privacy principles for Microsoft 365 and Microsoft cloud services. In Microsoft’s privacy commitments, Microsoft states that customers control their data: “You control your data.” Microsoft also pledges transparency about data practices: “We are transparent about data collection and use.” These two commitments are among the core privacy principles articulated across Microsoft 365 privacy and Microsoft Purview documentation, which emphasize customer choice, clear explanations of data processing, and admin capabilities to access, export, and delete data. Additional Microsoft privacy principles often listed alongside these include security of your data, strong legal protections, no content-based targeting, and benefits to you, but the key point for this question is that Control and Transparency are explicitly called out as privacy principles.

By contrast, shared responsibility is not a privacy principle; it is a cloud security model used in Azure/Microsoft cloud guidance. That model explains that security is a shared responsibility between Microsoft (for the cloud infrastructure) and the customer (for their data, identities, endpoints, and configurations). It describes how duties are divided for protecting services and workloads, not a privacy promise to end users. Therefore, the correct selections are Yes for Control and Transparency, and No for Shared responsibility.

Biometrics templates are stored locally on a device. Reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

In Microsoft’s Security, Compliance, and Identity materials, Customer Lockbox is described as the feature that controls any Microsoft engineer access to your tenant content during support operations. Microsoft states that Customer Lockbox “ensures that Microsoft cannot access your content to perform a service operation without your explicit approval.” It is specifically applicable to Microsoft 365 workloads that store customer data, including “Exchange Online, SharePoint Online, and OneDrive for Business.” When a support case requires elevated access, “a lockbox request is created and routed to the customer for approval or rejection,” and access is only granted if the organization’s authorized admin approves the request within the defined window. The request contains who is requesting access, the reason, the scope, and the duration, and all actions are audited for compliance reporting. This capability aligns with Microsoft’s zero standing access principles by making engineer access time-bound, least-privileged, and customer-approved. By contrast, Information barriers segregate communications between groups, Privileged Access Management (PAM) governs privileged tasks inside Microsoft 365, and Sensitivity labels classify and protect data. Therefore, the feature that “can be used to provide Microsoft Support Engineers with access to an organization’s data stored in Microsoft Exchange Online, SharePoint Online, and OneDrive for Business” is Customer Lockbox.

Microsoft Purview Insider Risk Management is designed to identify, investigate, and act on risky activities by internal users—for example data exfiltration, data theft, policy violations, and user sentiments/signals that may indicate insider risk. SCI documentation explains that Insider Risk policies analyze signals such as file downloads, copying to USB, sharing to personal cloud, printing, or anomalous activity following events like performance warnings or resignation notices. Because it focuses on insider behaviors, it is not used to detect external threat vectors like phishing scams; those are addressed by Microsoft Defender for Office 365 and related anti-phishing protections—hence statement 1 is No. The solution is accessed in the Microsoft Purview (formerly Microsoft 365) compliance center under Insider risk management, where admins configure policies, alerts, and workflows—so statement 2 is Yes. Finally, its core purpose includes detecting and investigating potential data leaks by disgruntled or departing employees, using built-in policy templates (e.g., Data theft by departing employee, Data leaks), making statement 3 Yes.

Microsoft’s identity platform (Microsoft Entra ID, formerly Azure AD) supports built-in and custom directory roles. The official guidance states that you can “create your own custom roles to grant permissions for management of Microsoft Entra resources,” and those roles consist of specific role permissions that you select to tailor least-privilege administration. The documentation also lists Global administrator (formerly Company Administrator) as a built-in role that “has access to all administrative features” and can delegate role assignments, reset passwords for all users, and manage identity settings across the tenant. Regarding assignments, Microsoft is explicit that role assignment is many-to-many: administrators can “assign one or more roles to a user,” and the user’s effective permissions are the union of the privileges from all assigned roles. Consequently, (1) creating custom roles is supported (Yes), (2) Global administrator is indeed a defined Azure AD/Microsoft Entra role (Yes), and (3) a user being limited to only one role is incorrect (No) because multiple role assignments to the same user are permitted and commonly used to implement least privilege and separation of duties.

Box 1: Yes

Azure AD supports custom roles.

Box 2: Yes

Global Administrator has access to all administrative features in Azure Active Directory. Box 3: No

In Microsoft Entra ID (formerly Azure AD), Managed Identities for Azure resources are the built-in way for an Azure resource to authenticate to other Azure services without storing credentials. Microsoft’s documentation states: “Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory.” It further distinguishes the two types and clarifies the one used here: “A system-assigned managed identity is enabled directly on an Azure service instance. When enabled, Azure creates an identity for the instance in Azure AD.” Microsoft also emphasizes the lifecycle binding: “This identity is tied to the lifecycle of that service instance and is deleted when the resource is deleted.” Once enabled, the resource can call Azure services by requesting tokens: “You can use this identity to obtain Azure AD tokens for authentication to services that support Azure AD authentication.”

Because the prompt explicitly says “system-assigned”, the correct completion is managed identity. The other options do not match Microsoft’s definition: a user identity refers to a human user; a service principal is the underlying object applications use but isn’t what Azure terms “system-assigned”; and an Azure AD–joined device pertains to device registration, not resource-to-service authentication. Therefore, the sentence correctly reads: “An Azure resource can use a system-assigned managed identity to access Azure services.”

In Microsoft’s Security, Compliance, and Identity guidance, Data Loss Prevention (DLP) is configured from the compliance portal (formerly called the Microsoft 365 Compliance Center, now Microsoft Purview compliance portal). Microsoft’s documentation states that DLP is administered from the compliance experience: “Use data loss prevention (DLP) policies in the Microsoft Purview compliance portal to help identify, monitor, and automatically protect sensitive items” across Microsoft 365 workloads. It further specifies where you create policies: “To create a DLP policy, go to the Microsoft Purview compliance portal > Data loss prevention > Policies and choose Create policy.” The portal provides policy templates, locations, and rules that “help prevent the inadvertent sharing of sensitive information” and enable “policy tips and automatic remediation actions” (such as restricting access, auditing, or blocking).

By contrast, the Microsoft 365 admin center is for tenant administration and licensing, not DLP policy authoring. The Microsoft Endpoint Manager admin center (Intune) manages device and app protection policies, not Microsoft 365 DLP policies. The Microsoft 365 Defender portal surfaces security alerts and investigations but does not host the creation workflow for DLP policies. Therefore, when the requirement is to create a DLP policy, Microsoft directs administrators to the Microsoft 365 Compliance center (Microsoft Purview compliance portal) where the DLP solutions and policy creation wizard reside.

In Microsoft’s Security, Compliance, and Identity guidance, Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) integrates with Azure AD Conditional Access to provide Conditional Access App Control. This capability enables organizations to “monitor and control user sessions in real time” by routing traffic through a reverse proxy once a Conditional Access policy is triggered. With session controls, admins can enforce actions such as block, allow with inspection, apply download restrictions, require label application, or limit access to web apps based on context (user, device state, location, risk). SCI learning paths describe that Defender for Cloud Apps works with Conditional Access policies to provide session-based conditional access that “protects data in real time,” giving granular control after authentication while a session is active.

By comparison, Azure AD Privileged Identity Management (PIM) focuses on just-in-time elevation and governance of privileged roles, not real-time in-app session control. Azure Defender (Defender for Cloud) provides cloud workload protection and posture management, not Conditional Access session enforcement. Azure Sentinel (Microsoft Sentinel) is a SIEM/SOAR platform for analytics, hunting, and automation and does not apply Conditional Access session policies. Therefore, the Microsoft product that uses Conditional Access policies to control sessions in real time is Microsoft Cloud App Security (Defender for Cloud Apps).

Azure Firewall is a managed, cloud-based network security service designed to secure traffic inside and across Azure Virtual Networks. Microsoft describes Azure Firewall as a stateful firewall that “protects Azure Virtual Network resources” by enforcing network and application rules, central logging, and threat intelligence–based filtering. Because it is deployed into a VNet/subnet (often as the hub in a hub-and-spoke), it directly governs East/West and North/South flows to workloads such as Azure virtual machines and platform services reachable through the VNet, using DNAT/SNAT and rule collections. Microsoft guidance highlights capabilities to “centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks,” and to filter traffic for peered VNets, branch connections (VPN/ExpressRoute), and internet traffic. These capabilities explicitly map to protecting Azure virtual networks and the VMs and subnets inside them. In contrast, Azure AD users, Exchange Online inboxes, and SharePoint Online sites are SaaS/identity resources protected by Microsoft Entra controls, Exchange/SharePoint security, and Purview/Defender for Office 365—not by a VNet firewall. Therefore, the Azure Firewall–protectable resource types among the options are Azure virtual machines and Azure virtual networks.

In Microsoft’s cloud security terminology, Cloud Security Posture Management (CSPM) is the solution specifically designed to perform continuous security assessments of cloud resources and generate alerts when misconfigurations or vulnerabilities are detected. In Microsoft Defender for Cloud, the CSPM capabilities continuously analyze Azure, multi-cloud, and hybrid resources against built-in security benchmarks and regulatory standards. The platform evaluates configurations, detects insecure settings, missing protections, and exposure paths, then raises security recommendations and alerts so administrators can remediate issues that increase risk.

Microsoft’s security and SCI learning content describes CSPM as providing “continuous assessment, visibility, and guidance to improve the security posture of your cloud environment,” including automatic alerting when high-risk issues or vulnerabilities are found. These assessments are mapped to standards and best practices, helping organizations reduce risk proactively instead of waiting for an active attack.

By contrast, DevSecOps is a practice or methodology, not a specific product. A Cloud Workload Protection Platform (CWPP) focuses on runtime protection of workloads such as VMs, containers, and PaaS services. A SIEM solution (like Microsoft Sentinel) ingests and correlates logs and alerts from many sources but does not itself perform the core security posture assessments of cloud configurations. Therefore, the SCI domain clearly aligns this function with CSPM.

Microsoft states that Identity Protection is used to “detect potential vulnerabilities affecting your organization’s identities, configure automated responses, and investigate suspicious actions related to your organization’s identities.” It evaluates user risk and sign-in risk using detections such as “leaked credentials, anonymous IP address, unfamiliar sign-in properties, [and] impossible travel.” These built-in detections confirm that the service can detect whether valid user credentials have been found in public or criminal datasets—commonly referred to as leaked credentials—thereby reducing identity compromise risk.

Identity Protection includes policy controls that “automate the response to detected risks,” specifically the User risk policy and Sign-in risk policy. Microsoft describes that these policies can “require password change when user risk is detected” and “require multi-factor authentication when sign-in risk is detected.” Therefore, Identity Protection can invoke MFA based on risk as part of Conditional Access–backed risk policies.

However, Identity Protection does not perform group lifecycle management. Microsoft positions group membership automation under Azure AD dynamic groups/Identity Governance, not Identity Protection. Consequently, adding users to groups based on risk level is not a function of Identity Protection, which focuses on detection, risk evaluation, and policy-driven remediation (e.g., MFA or password reset), not group assignment.

Microsoft’s Conditional Access (part of Microsoft Entra ID) evaluates multiple signals to make access decisions. The official description lists typical signals such as “user or group membership, IP location information, device state, application, and real-time risk.” The device state element explicitly refers to conditions like “compliant or hybrid Azure AD joined devices,” allowing policies that grant or block access—or require extra controls—based on whether a device meets compliance/registration requirements.

Regarding evaluation timing, Microsoft’s guidance states that Conditional Access “policies are enforced after the first-factor authentication is completed.” This means the engine needs the user’s primary sign-in context (who the user is and how they authenticated) to evaluate the conditions and then decide whether to allow, block, or require additional controls. Therefore, the statement that policies apply before first factor is not correct.

Finally, Conditional Access includes grant controls such as “Require multi-factor authentication,” and policies can be scoped to specific cloud apps or actions. As a result, you can target a particular application and require MFA when a user attempts to access it, satisfying application-specific risk mitigation while preserving user productivity.

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security, etc.

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

Microsoft describes Azure Policy as the built-in governance service that lets you “create, assign, and manage policies” to enforce organizational standards and “assess compliance at scale.” It continuously evaluates existing resources for compliance and can take effect-enforcement actions such as deny, append, or modify during create/update operations. Azure Policy “helps you audit and enforce your standards” across subscriptions and resource groups, and its compliance dashboard shows overall and per-policy compliance states for all resources. By contrast, Azure Blueprints focuses on orchestrating deployments of artifacts (such as policy assignments, role assignments, and templates) for new environments; Microsoft guidance positions Policy as the engine that evaluates and enforces those standards on existing resources. Sentinel is a SIEM/SOAR for security analytics, and Anomaly Detector is a Cognitive Service—not a governance/compliance enforcement tool. Therefore, to assess compliance and enforce standards for existing Azure resources, the prescribed control plane is Azure Policy with its evaluation cycle, initiative (policy set) support, and remediation tasks.

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization’s progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft’s official documentation on Compliance Manager, the Compliance score “helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards.” Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score “assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities.”

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.

access

In Microsoft Entra ID (formerly Azure AD), dynamic groups are a key feature used to automate the access lifecycle for users and devices. SCI learning material on identity governance explains that organizations can automate the access lifecycle process through technologies such as dynamic groups, alongside automated user provisioning. These resources describe the access lifecycle as managing a user’s access to resources from the moment they join the organization, through role or department changes, until they leave. Dynamic groups help with this by using attribute-based rules (for example, department, job title, location, or device platform) to automatically add or remove identities from groups as their attributes change.

Because group membership typically controls access to applications, SharePoint sites, Teams, and licenses, this automatic membership update keeps access aligned with the user’s current role without manual intervention. When a user changes departments, the dynamic rules reevaluate and move them into the appropriate groups, granting new access and removing old access as required. This is exactly what Microsoft refers to as automating the access lifecycle.

The other options do not match the terminology used in SCI content: “object lifecycle” is not the term used in Entra identity governance, and “privileged access” lifecycle is handled specifically by Privileged Identity Management (PIM), not by dynamic groups. Therefore, the sentence is correctly completed with access.