
Microsoft - SC-900: Microsoft Security, Compliance, and Identity Fundamentals

Sample Questions

Question: 61
Measured Skill: Describe the capabilities of Microsoft security solutions (30-35%)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A Network security groups (NSGs) can deny inbound traffic from the internet: Yes
Network security groups (NSGs) can deny outbound traffic to the internet: Yes
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: Yes
B Network security groups (NSGs) can deny inbound traffic from the internet: Yes
Network security groups (NSGs) can deny outbound traffic to the internet: Yes
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: No
C Network security groups (NSGs) can deny inbound traffic from the internet: Yes
Network security groups (NSGs) can deny outbound traffic to the internet: No
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: No
D Network security groups (NSGs) can deny inbound traffic from the internet: No
Network security groups (NSGs) can deny outbound traffic to the internet: Yes
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: No
E Network security groups (NSGs) can deny inbound traffic from the internet: No
Network security groups (NSGs) can deny outbound traffic to the internet: No
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: Yes
F Network security groups (NSGs) can deny inbound traffic from the internet: No
Network security groups (NSGs) can deny outbound traffic to the internet: No
Network security groups (NSGs) can filter traffic based on IP address, protocol, and port: No

Correct answer: A

Explanation:

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

The exhibit below shows the configuration options for an inbound security rule.



Reference: Network security groups



Question: 62
Measured Skill: Describe the capabilities of Microsoft security solutions (30-35%)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A You can create one Azure Bastion per virtual network: Yes
Azure Bastion provides secure user connections by using RDP: Yes
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: Yes
B You can create one Azure Bastion per virtual network: Yes
Azure Bastion provides secure user connections by using RDP: Yes
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: No
C You can create one Azure Bastion per virtual network: Yes
Azure Bastion provides secure user connections by using RDP: No
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: Yes
D You can create one Azure Bastion per virtual network: No
Azure Bastion provides secure user connections by using RDP: Yes
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: No
E You can create one Azure Bastion per virtual network: No
Azure Bastion provides secure user connections by using RDP: Yes
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: Yes
F You can create one Azure Bastion per virtual network: No
Azure Bastion provides secure user connections by using RDP: No
Azure Bastion provides a secure connection to an Azure virtual machine by using the Azure portal: No

Correct answer: A

Explanation:

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

References:

What is Azure Bastion?

Tutorial: Configure Bastion and connect to a Windows VM



Question: 63
Measured Skill: Describe the capabilities of Microsoft compliance solutions (25-30%)

You are considering the use of sensitivity labels in Microsoft 365.

Can sensitivity labels be used to encrypt the contents in documents?

A Yes
B No

Correct answer: A

Explanation:

To get their work done, people in your organization collaborate with others both inside and outside the organization. This means that content no longer stays behind a firewall—it can roam everywhere, across devices, apps, and services. And when it roams, you want it to do so in a secure, protected way that meets your organization's business and compliance policies.

Sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization's data, while making sure that user productivity and the ability to collaborate aren't hindered.

You can use sensitivity labels to:

  • Provide protection settings that include encryption and content markings. For example, apply a "Confidential" label to a document or email, and that label encrypts the content and applies a "Confidential" watermark. Content markings include headers and footers as well as watermarks, and encryption can also restrict what actions authorized people can take on the content.

  • Protect content in Office apps across different platforms and devices. Supported by Word, Excel, PowerPoint, and Outlook on the Office desktop apps and Office on the web. Supported on Windows, macOS, iOS, and Android.

  • Protect content in third-party apps and services by using Microsoft Cloud App Security. With Cloud App Security, you can detect, classify, label, and protect content in third-party apps and services, such as Salesforce, Box, or Dropbox, even if the third-party app or service does not read or support sensitivity labels.

  • Protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites. For example, set privacy settings, external user access and external sharing, and access from unmanaged devices.

  • Extend sensitivity labels to Power BI: When you turn on this capability, you can apply and view labels in Power BI, and protect data when it's saved outside the service.

  • Extend sensitivity labels to assets in Azure Purview: When you turn on this capability, currently in preview, you can apply your sensitivity labels to assets such as SQL columns, files in Azure Blob Storage, and more.

  • Extend sensitivity labels to third-party apps and services. Using the Microsoft Information Protection SDK, third-party apps can read sensitivity labels and apply protection settings.

  • Classify content without using any protection settings. You can also simply assign a label as a result of classifying the content. This provides users with a visual mapping of classification to your organization's label names, and you can use the labels to generate usage reports and see activity data for your sensitive content. Based on this information, you can always choose to apply protection settings later.

In all these cases, sensitivity labels in Microsoft 365 can help you take the right actions on the right content. With sensitivity labels, you can classify data across your organization, and enforce protection settings based on that classification.

Reference: Learn about sensitivity labels



Question: 64
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)

Your company is planning on using Azure Active Directory for the storage of identities. They want to make use of the self-service password reset feature.

Which of the following authentication methods are available for self-service password reset?

(Each correct answer presents a complete solution. Choose three.)

A An email message
B A passport identification number
C A picture message
D A mobile app notification
E A mobile app code

Correct answer: A, D, E

Explanation:

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.

A user can reset or change their password using the SSPR portal. They must first have registered their desired authentication methods. When a user accesses the SSPR portal, the Azure platform considers the following factors:

  • How should the page be localized?
  • Is the user account valid?
  • What organization does the user belong to?
  • Where is the user's password managed?
  • Is the user licensed to use the feature?

When a user is enabled for SSPR, they must register at least one authentication method. Microsoft highly recommends that you choose two or more authentication methods so that your users have more flexibility in case they're unable to access one method when they need it.

The following authentication methods are available for SSPR:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone (available only for tenants with paid subscriptions)
  • Security questions

Users can only reset their password if they have registered an authentication method that the administrator has enabled.

Reference: How it works: Azure AD self-service password reset



Question: 65
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)

Your company wants to start making use of Azure. They are looking at different security aspects when it comes to using Azure.

Which of the following can be used for the following requirement?
  • Enforce Multi-Factor authentication based on the sign-in risk.


A Azure AD Identity Protection
B Azure Conditional Access
C Azure AD Roles
D Azure AD Connect

Correct answer: A

Explanation:

We should use an Azure AD Identity Protection sign-in risk policy to allow access and enforce the use of Multi-Factor authentication for users having a specific sign-in risk.

Reference: What is Identity Protection?





 
 
 

© Copyright 2014 - 2021 by cert2brain.com