Microsoft - SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Sample Questions
Question: 199
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | Device identity can be stored in Azure AD: Yes
A single system-assigned managed identity can be used by multiple Azure resources: Yes
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: Yes |
| B | Device identity can be stored in Azure AD: Yes
A single system-assigned managed identity can be used by multiple Azure resources: No
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: No |
| C | Device identity can be stored in Azure AD: Yes
A single system-assigned managed identity can be used by multiple Azure resources: No
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: Yes |
| D | Device identity can be stored in Azure AD: No
A single system-assigned managed identity can be used by multiple Azure resources: Yes
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: No |
| E | Device identity can be stored in Azure AD: No
A single system-assigned managed identity can be used by multiple Azure resources: No
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: Yes |
| F | Device identity can be stored in Azure AD: No
A single system-assigned managed identity can be used by multiple Azure resources: No
If you delete an Azure resource that has a user-assigned managed identity, the managed identity is deleted automatically: No |
Correct answer: BExplanation:
A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.
There are three ways to get a device identity:
- Azure AD registration
- Azure AD join
- Hybrid Azure AD join
You can think of a device identity as a computer account.
The following table shows the differences between system-assigned and user-assigned managed identities:
References:
What is a device identity?
What are managed identities for Azure resources?
Question: 200
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | GitHub is a cloud-based identity provider: Yes
Federation provides single sign-on (SSO) with multiple service providers: Yes
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: Yes |
| B | GitHub is a cloud-based identity provider: Yes
Federation provides single sign-on (SSO) with multiple service providers: Yes
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: No |
| C | GitHub is a cloud-based identity provider: No
Federation provides single sign-on (SSO) with multiple service providers: Yes
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: No |
| D | GitHub is a cloud-based identity provider: No
Federation provides single sign-on (SSO) with multiple service providers: Yes
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: Yes |
| E | GitHub is a cloud-based identity provider: No
Federation provides single sign-on (SSO) with multiple service providers: No
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: Yes |
| F | GitHub is a cloud-based identity provider: No
Federation provides single sign-on (SSO) with multiple service providers: No
A central identity provider manages all modern authentication services, such as authentication, authorization, and auditing: No |
Correct answer: DExplanation:
GitHub is a platform and cloud-based service for software development and version control using Git, allowing developers to store and manage their code. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous integration, and wikis for every project. Headquartered in California, it has been a subsidiary of Microsoft since 2018.
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services. With modern authentication, all services, including all authentication services, are supplied by a central identity provider. Information that's used to authenticate the user with the server is stored and managed centrally by the identity provider. With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks. Microsoft Azure Active Directory is an example of a cloud-based identity provider. Other examples include Twitter, Google, Amazon, LinkedIn, and GitHub.
References:
Wikipedia: GitHub
What is federation with Azure AD?
Identity provider
Question: 201
Measured Skill: Describe the concepts of security, compliance, and identity (5-10%)
You need to identify which cloud service models place the most responsibility on the customer in a shared responsibility model.
In which order should you list the service models from the most customer responsibility to the least?
(To answer, move all models from the list of models to the answer area and arrange them in the correct order.)
| A | 1: On-premises datacenter
2: Software-as-a-Service (SaaS)
3: Infrastructure-as-a-Service (IaaS)
4: Platform-as-a-Service (PaaS) |
| B | 1: On-premises datacenter
2: Infrastructure-as-a-Service (IaaS)
3: Platform-as-a-Service (PaaS)
4: Software-as-a-Service (SaaS) |
| C | 1: On-premises datacenter
2: Infrastructure-as-a-Service (IaaS)
3: Software-as-a-Service (SaaS)
4: Platform-as-a-Service (PaaS) |
| D | 1: On-premises datacenter
2: Platform-as-a-Service (PaaS)
3: Infrastructure-as-a-Service (IaaS)
4: Software-as-a-Service (SaaS) |
Correct answer: BExplanation:
Software as a Service (SaaS) is a software licensing and delivery model in which software is licensed to a user. The software, or application is accessed via the internet and a web browser. You do not need to install and maintain the software locally. You can start configuring and using it right away.
Infrastructure as a service (IaaS) is a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. IaaS lets you bypass the cost and complexity of buying and managing physical servers and datacenter infrastructure. Each resource is offered as a separate service component, and you only pay for a particular resource for as long as you need it. A cloud computing service provider like Azure manages the infrastructure, while you purchase, install, configure, and manage your own software—including operating systems, middleware, and applications.
Like IaaS, PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more. Azure Backup is an example of a PaaS solution.
References:
What is PaaS?
What is IaaS?
What is SaaS?
Understand the hosting models
Question: 202
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)
Select the answer that correctly completes the sentence.
| A | You can assign a management group to an Azure AD role. |
| B | You can assign a resource group to an Azure AD role. |
| C | You can assign a security principal to an Azure AD role. |
| D | You can assign an administrative unit to an Azure AD role. |
Correct answer: CExplanation:
When you register a new application in Azure AD, a service principal is automatically created for the app registration. The service principal is the app's identity in the Azure AD tenant. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to sign in with a user identity.
Important: Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you.
Reference: Create an Azure Active Directory application and service principal that can access resources
Question: 203
Measured Skill: Describe the capabilities of Microsoft security solutions (30-35%)
Select the answer that correctly completes the sentence.
| A | Azure Application Insights provides baseline recommendations and guidance for protecting Azure services. |
| B | Azure Network Watcher provides baseline recommendations and guidance for protecting Azure services. |
| C | Log Analytics workspace provides baseline recommendations and guidance for protecting Azure services. |
| D | Microsoft cloud security benchmark provides baseline recommendations and guidance for protecting Azure services. |
Correct answer: DExplanation:
New services and features are released daily in Azure and cloud service providers platforms, developers are rapidly publishing new cloud applications built on these services, and attackers are constantly seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers also move fast. How do you keep up and make sure that your cloud deployments are secure? How are security practices for cloud systems different from on-premises systems and different between cloud service providers? How do you monitor your workload for consistency across multiple cloud platforms?
Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. A comprehensive security best practice framework from cloud service providers can give you a starting point for selecting specific security configuration settings in your cloud environment, across multiple service providers and allow you to monitor these configurations using a single pane of glass.
The Microsoft cloud security benchmark (MCSB) includes a collection of high-impact security recommendations you can use to help secure your cloud services in a single or multi-cloud environment. MCSB recommendations include two key aspects:
-
Security controls: These recommendations are generally applicable across your cloud workloads. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark.
-
Service baselines: These apply the controls to individual cloud services to provide recommendations on that specific service’s security configuration. We currently have service baselines available only for Azure.
Reference: Introduction to the Microsoft cloud security benchmark