Microsoft - SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Sample Questions
Question: 146
Measured Skill: Describe the capabilities of Microsoft security solutions (30-35%)
Which type of alert can you manage from the Microsoft 365 Defender portal?| A | Microsoft Defender for Storage |
| B | Microsoft Defender for SQL |
| C | Microsoft Defender for Endpoint |
| D | Microsoft Defender for IoT |
Correct answer: CExplanation:
The Alerts queue in Microsoft 365 Defender shows the current set of alerts. You get to the alerts queue from Incidents & alerts > Alerts on the quick launch of the Microsoft 365 Defender portal.
Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear here.
By default, the alerts queue in the Microsoft 365 Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
Reference: Investigate alerts in Microsoft 365 Defender
Question: 147
Measured Skill: Describe the capabilities of Microsoft compliance solutions (25-30%)
You are evaluating the compliance score in Compliance Manager.
Match the compliance score action subcategories to the appropriate actions.
(To answer, drag the appropriate action subcategory from the column on the left to its action on the right. Each action subcategory may be used once, more than once, or not at all. NOTE: Each correct match is worth one point.)
| A | Encrypt data at rest: Corrective
Perform a system access audit: Detective
Make configuration changes in response to a security incident: Preventative |
| B | Encrypt data at rest: Corrective
Perform a system access audit: Preventative
Make configuration changes in response to a security incident: Detective |
| C | Encrypt data at rest: Detective
Perform a system access audit: Corrective
Make configuration changes in response to a security incident: Preventative |
| D | Encrypt data at rest: Detective
Perform a system access audit: Preventative
Make configuration changes in response to a security incident: Corrective |
| E | Encrypt data at rest: Preventative
Perform a system access audit: Corrective
Make configuration changes in response to a security incident: Detective |
| F | Encrypt data at rest: Preventative
Perform a system access audit: Detective
Make configuration changes in response to a security incident: Corrective |
Correct answer: FExplanation:
Compliance Manager automatically identifies settings in your Microsoft 365 environment that help determine when certain configurations meet improvement action implementation requirements. Compliance Manager detects signals from other compliance solutions you may have deployed, including data lifecycle management, information protection, communication compliance, and insider risk management, and also leverages Microsoft Secure Score monitoring of complementary improvement actions.
Your action status is updated on your dashboard within 24 hours of a change being made. Once you follow a recommendation to implement a control, you’ll typically see the control status updated the next day.
For example, if you turn on multi-factor authentication (MFA) in the Azure AD portal, Compliance Manager detects the setting and reflects it in the control access solution details. Conversely, if you didn’t turn on MFA, Compliance Manager flags that as a recommended action for you to take.
Actions are assigned a score value based on whether they’re mandatory or discretionary, and whether they’re preventative, detective, or corrective.
Mandatory and discretionary actions
Mandatory actions can't be bypassed, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow these requirements to access the system.
Discretionary actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when they leave it is a discretionary action because it relies on the user.
Preventative, detective, and corrective actions
Preventative actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.
Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or that can be used to detect intrusions or breaches. Examples include system access auditing and privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.
Corrective actions try to keep the adverse effects of a security incident to a minimum, take corrective action to reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.
Each action has an assigned value in Compliance Manager based on the risk it represents:
Reference: Compliance score calculation
Question: 148
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: Yes
Windows Hello for Business can use a PIN code as an authentication method: Yes
Windows Hello for Business authentication information syncs across all the devices registered by a user: Yes |
| B | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: Yes
Windows Hello for Business can use a PIN code as an authentication method: Yes
Windows Hello for Business authentication information syncs across all the devices registered by a user: No |
| C | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: Yes
Windows Hello for Business can use a PIN code as an authentication method: No
Windows Hello for Business authentication information syncs across all the devices registered by a user: Yes |
| D | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: No
Windows Hello for Business can use a PIN code as an authentication method: Yes
Windows Hello for Business authentication information syncs across all the devices registered by a user: No |
| E | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: No
Windows Hello for Business can use a PIN code as an authentication method: Yes
Windows Hello for Business authentication information syncs across all the devices registered by a user: Yes |
| F | Windows Hello for Business can use the Microsoft Authenticator app as an authentication method: No
Windows Hello for Business can use a PIN code as an authentication method: No
Windows Hello for Business authentication information syncs across all the devices registered by a user: No |
Correct answer: DExplanation:
The Microsoft Authenticator app helps you sign in to your accounts when you're using two-step verification. Two-step verification helps you to use your accounts more securely because passwords can be forgotten, stolen, or compromised. Two-step verification uses a second step like your phone to make it harder for other people to break in to your account. You can use the Authenticator app in multiple ways:
Two-step verification: The standard verification method, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code.
Phone sign-in. A version of two-factor verification that lets you sign in without requiring a password, using your username and your mobile device with your fingerprint, face, or PIN.
Code generation. As a code generator for any other accounts that support authenticator apps.
Authenticator works with any account that uses two-factor verification and supports the time-based one-time password (TOTP) standards.
Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Windows Hello lets users authenticate to:
- A Microsoft account.
- An Active Directory account.
- A Microsoft Azure Active Directory (Azure AD) account.
- Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication.
After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
References:
Download and install the Microsoft Authenticator app
Windows Hello for Business Overview
Why a PIN is better than an online password
Question: 149
Measured Skill: Describe the capabilities of Microsoft identity and access management solutions (25-30%)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: Yes
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: Yes
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: Yes |
| B | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: Yes
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: Yes
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: No |
| C | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: Yes
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: No
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: Yes |
| D | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: No
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: Yes
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: Yes |
| E | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: No
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: No
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: Yes |
| F | Azure Active Directory (Azure AD) Identity Protection generates risk detections once...: No
Azure Active Directory (Azure AD) Identity Protection assigns a risk level of Low,...: No
A user risk in Azure Active Directory (Azure AD) Identity Protection represents the...: No |
Correct answer: AExplanation:
Identity Protection generates risk detections only when the correct credentials are used. If incorrect credentials are used on a sign-in, it does not represent risk of credential compromise.
Identity Protection categorizes risk into three tiers: low, medium, and high. When configuring Identity protection policies, you can also configure it to trigger upon No risk level. No Risk means there's no active indication that the user's identity has been compromised. Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself.
Reference: What is risk?
Question: 150
Measured Skill: Describe the capabilities of Microsoft security solutions (30-35%)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | Each network security group (NSG) rule must have a unique name: Yes
Network security group (NSG) default rules can be deleted: Yes
Network security group (NSG) rules can be configured to check TCP,...: Yes |
| B | Each network security group (NSG) rule must have a unique name: Yes
Network security group (NSG) default rules can be deleted: Yes
Network security group (NSG) rules can be configured to check TCP,...: No |
| C | Each network security group (NSG) rule must have a unique name: Yes
Network security group (NSG) default rules can be deleted: No
Network security group (NSG) rules can be configured to check TCP,...: Yes |
| D | Each network security group (NSG) rule must have a unique name: No
Network security group (NSG) default rules can be deleted: Yes
Network security group (NSG) rules can be configured to check TCP,...: No |
| E | Each network security group (NSG) rule must have a unique name: No
Network security group (NSG) default rules can be deleted: No
Network security group (NSG) rules can be configured to check TCP,...: Yes |
| F | Each network security group (NSG) rule must have a unique name: No
Network security group (NSG) default rules can be deleted: No
Network security group (NSG) rules can be configured to check TCP,...: No |
Correct answer: CExplanation:
You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Security rules are evaluated and applied based on the five-tuple (source, source port, destination, destination port, and protocol) information. You can't create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
You can't remove the default rules, but you can override them by creating rules with higher priorities.
Reference: Network security groups