Preview real exam-style questions before you buy—see exactly what you're getting.
Free sample questions with detailed explanations • No signup required.
SC-900 Microsoft Security, Compliance, and Identity Fundamentals Practice Exam
Get cloud-security confident with the Microsoft SC-900: Security, Compliance, and Identity Fundamentals Practice Exam. Designed for beginners and professionals who need a crisp, business-focused grounding in security, identity, and compliance concepts, this practice pack mirrors the structure and tone of the official SC-900 exam while keeping explanations clear and practical. Questions cover core topics—from identity and access management to compliance frameworks and basic threat protection—paired with concise, human-friendly answers that explain not just the “what” but the “why” behind each choice. Whether you’re preparing for certification, supporting cloud adoption in your organization, or building foundational knowledge for a security career, this resource helps you identify gaps, rehearse scenario-based decision making, and gain the vocabulary and conceptual clarity hiring managers and teams expect.
What is the Microsoft SC-900 exam?
The Microsoft SC-900 certification validates a candidate’s fundamental understanding of security, compliance, and identity (SCI) concepts and how they map to Microsoft cloud services. It’s an entry-level credential intended for business stakeholders, administrators, sales engineers, and technical professionals who need to speak knowledgeably about security and compliance in Azure and Microsoft 365 environments without requiring deep hands-on engineering experience.
The exam focuses on three pillars: identity and access management (how organizations authenticate and authorize users), platform protection and threat detection (basic principles of defending cloud workloads and data), and compliance, governance, and privacy (how organizations meet regulatory obligations and manage risk). Preparation emphasizes concept clarity—zero trust principles, role of identity providers, basics of encryption and data protection, and common compliance controls—plus how Microsoft solutions (e.g., Azure AD, Microsoft Defender, and Microsoft Purview) implement these ideas. Mastering SC-900 helps you contribute to security discussions, evaluate vendor features, and understand the foundational controls every cloud project should consider.
Topics covered in this practice exam
This practice exam targets the high-value areas you’ll encounter on the SC-900 and in practical cloud security conversations:
- Identity & Access Management (IAM): Authentication vs authorization, single sign-on (SSO), multi-factor authentication (MFA), conditional access, identity lifecycle, and role-based access control (RBAC).
- Zero Trust Fundamentals: Principles of “verify explicitly,” “least privilege,” and “assume breach,” and how these guide policy and architecture.
- Platform & Workload Protection: Basic threat detection, endpoint and cloud workload protection concepts, identity protection, and secure configuration.
- Security Operations Basics: Alerting, incident response fundamentals, security monitoring, and the role of SIEM and XDR in detection and investigation.
- Data Protection & Encryption: Data classification, encryption at rest and in transit, information protection labels, and data loss prevention (DLP) concepts.
- Compliance & Governance: Compliance frameworks, risk assessment basics, retention policies, audits, and privacy principles (data subject rights and GDPR concepts at a high level).
- Microsoft Security & Compliance Tools (Conceptual): High-level mapping of Microsoft solutions—identity (Azure AD), threat protection (Microsoft Defender family), compliance and data governance (Microsoft Purview), and management tools—framed as conceptual use cases rather than deep product how-to.
- Business Use Cases & Decision Making: How to recommend controls, balance usability and security, and communicate risks to stakeholders.
Each question includes a clear explanation, practical guidance for spotting distractors, and small mnemonic tips to remember key ideas.
Who should take this practice exam?
- Non-technical and technical professionals preparing for the Microsoft SC-900 certification.
- Business leaders, project managers, and compliance officers who need a working vocabulary for security discussions.
- Sales engineers, consultants, and pre-sales staff who evaluate cloud security features for customers.
- IT generalists and early-career security practitioners beginning to specialize in cloud security or identity management.
Who will find it useful?
- Candidates aiming to pass SC-900 with confidence and apply fundamentals in real workplace scenarios.
- Teams implementing cloud adoption who want cross-functional members to share basic security and compliance knowledge.
- Trainers and bootcamps seeking exam-style questions and clear, concept-first explanations.
- Anyone transitioning into security-adjacent roles who needs to understand governance and identity basics quickly.
Study tips — get the most out of this practice exam
- Focus on concepts, not product minutiae: SC-900 rewards understanding of principles (e.g., zero trust, least privilege) and how they translate into controls.
- Make concept cards: Create one-line definitions for IAM, MFA, RBAC, DLP, SIEM, and zero trust—review them daily.
- Use scenario practice: After each question, describe aloud how you’d explain the recommended control to a non-technical manager.
- Map problems to controls: Practice linking common business risks (data exfiltration, credential theft) to basic preventive or detective controls.
- Simulate exam conditions: Time yourself and practice with mixed questions to build speed and reduce exam anxiety.
- Learn common distractors: Practice questions often include plausible but incorrect options—train yourself to spot overbroad or technically inconsistent answers.
- Reinforce with light hands-on exposure: If possible, explore basic Azure AD settings or trial dashboards to see concepts in context—practical familiarity shortens study time.
The Microsoft SC-900 Practice Exam bridges exam readiness and practical understanding. It builds a solid conceptual foundation you can use to explain risks, evaluate cloud features, and collaborate with security teams. Clear explanations and scenario-based questions make abstract ideas tangible and prepare you to pass the SC-900 while becoming a credible participant in security and compliance conversations within your organization. Download the practice pack, set a study schedule, and start turning fundamentals into confidence.
Sample Questions and Answers
1. What is the primary purpose of Microsoft Defender for Endpoint?
A) Manage user identities across the organization
B) Provide cloud-based threat protection for email
C) Detect, investigate, and respond to advanced threats on endpoints
D) Manage compliance policies for data retention
Answer: C) Detect, investigate, and respond to advanced threats on endpoints
Explanation: Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on endpoints such as desktops, laptops, and servers.
2. Which Microsoft service is primarily responsible for managing identities and access to cloud applications?
A) Azure Active Directory
B) Microsoft Information Protection
C) Microsoft Intune
D) Azure Sentinel
Answer: A) Azure Active Directory
Explanation: Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources securely.
3. What does the Zero Trust security model assume?
A) Trust all internal users by default
B) Assume breach and verify explicitly
C) Only external users pose a threat
D) Network perimeter is the only defense
Answer: B) Assume breach and verify explicitly
Explanation: The Zero Trust model assumes no implicit trust in any user or device, regardless of location, and requires continuous verification of identity and device compliance before granting access.
4. Which compliance framework does Microsoft align with to help customers comply with global standards?
A) HIPAA
B) GDPR
C) ISO/IEC 27001
D) All of the above
Answer: D) All of the above
Explanation: Microsoft aligns with multiple compliance frameworks, including HIPAA, GDPR, and ISO/IEC 27001, to help customers meet regulatory requirements across industries and regions.
5. What feature does Microsoft Information Protection use to classify and protect data?
A) Machine learning classification
B) Encryption keys management only
C) Firewall rules
D) User password policies
Answer: A) Machine learning classification
Explanation: Microsoft Information Protection uses machine learning and predefined policies to classify, label, and protect sensitive data automatically.
6. What is the role of Microsoft Defender for Identity?
A) Protect cloud applications from external attacks
B) Detect identity-related threats and compromised credentials on-premises
C) Manage endpoint configurations
D) Automate compliance reporting
Answer: B) Detect identity-related threats and compromised credentials on-premises
Explanation: Microsoft Defender for Identity helps detect advanced identity threats and malicious activities within an on-premises Active Directory environment.
7. What type of authentication does Azure AD support to enhance security?
A) Password-only authentication
B) Multi-Factor Authentication (MFA)
C) Single password for all services
D) No authentication required
Answer: B) Multi-Factor Authentication (MFA)
Explanation: Azure AD supports Multi-Factor Authentication, which requires users to verify their identity through multiple methods to enhance security.
8. What is the Microsoft Compliance Manager?
A) A tool to monitor endpoint security
B) A service to help organizations manage regulatory compliance activities
C) A firewall management tool
D) A device management solution
Answer: B) A service to help organizations manage regulatory compliance activities
Explanation: Microsoft Compliance Manager is a workflow-based risk assessment tool that helps organizations track compliance with regulations and standards.
9. Which of the following is a key principle of identity and access management (IAM)?
A) Grant all users admin access by default
B) Use least privilege access
C) Allow anonymous access to all resources
D) Disable authentication mechanisms
Answer: B) Use least privilege access
Explanation: IAM principles include providing users with the minimum access necessary to perform their jobs to reduce the risk of unauthorized access.
10. Which Microsoft tool provides a centralized dashboard for threat detection and response across Microsoft 365?
A) Azure Security Center
B) Microsoft Defender Security Center
C) Azure Sentinel
D) Microsoft Intune
Answer: B) Microsoft Defender Security Center
Explanation: Microsoft Defender Security Center provides a centralized view to detect, investigate, and respond to threats across Microsoft 365 services.
11. What is Conditional Access in Azure AD?
A) Automatic software updates for devices
B) A tool to configure security policies based on user, device, and location
C) A firewall rule set
D) A password recovery tool
Answer: B) A tool to configure security policies based on user, device, and location
Explanation: Conditional Access allows organizations to enforce access controls based on conditions such as user risk, device compliance, and network location.
12. What does Data Loss Prevention (DLP) help to prevent?
A) Unauthorized access to user accounts
B) Data breaches by blocking sensitive data sharing
C) Network outages
D) Software installation
Answer: B) Data breaches by blocking sensitive data sharing
Explanation: DLP policies help detect and prevent unintentional or malicious sharing of sensitive information outside the organization.
13. Which compliance score indicates an organization is fully compliant in Microsoft Compliance Manager?
A) 100%
B) 0%
C) 50%
D) 75%
Answer: A) 100%
Explanation: A compliance score of 100% indicates all controls and actions required for a specific regulation are fully implemented.
14. What kind of threats does Microsoft Defender for Office 365 protect against?
A) Email phishing and malware
B) Network intrusion only
C) Physical theft
D) Software bugs
Answer: A) Email phishing and malware
Explanation: Microsoft Defender for Office 365 helps protect organizations from phishing attacks, malicious links, and malware in email and collaboration tools.
15. What is the function of Privileged Identity Management (PIM) in Azure AD?
A) Automate user password resets
B) Provide just-in-time privileged access with time-bound permissions
C) Monitor endpoint health
D) Encrypt data at rest
Answer: B) Provide just-in-time privileged access with time-bound permissions
Explanation: PIM helps secure privileged accounts by providing time-limited access to admins and reducing the risk of standing admin privileges.
16. What is a key feature of Azure Sentinel?
A) Endpoint antivirus protection
B) Cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR)
C) Email filtering
D) Data classification
Answer: B) Cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR)
Explanation: Azure Sentinel is a cloud-native SIEM and SOAR tool that collects security data across the enterprise to detect and respond to threats.
17. What is Microsoft Intune primarily used for?
A) Managing mobile devices and applications
B) Identity management
C) Compliance reporting
D) Email filtering
Answer: A) Managing mobile devices and applications
Explanation: Microsoft Intune is a cloud-based service for managing mobile devices, apps, and enforcing device compliance policies.
18. What does Microsoft Secure Score measure?
A) The health of your network devices
B) The security posture of your Microsoft 365 environment
C) The number of users in Azure AD
D) The speed of your internet connection
Answer: B) The security posture of your Microsoft 365 environment
Explanation: Microsoft Secure Score evaluates your security configuration and suggests improvements to reduce risk.
19. Which of the following is NOT a type of sensitivity label in Microsoft Information Protection?
A) Confidential
B) Public
C) Encrypted
D) Spam
Answer: D) Spam
Explanation: Spam is not a sensitivity label; labels classify data as Confidential, Public, Internal, etc., often with encryption applied.
20. What is the benefit of using Multi-Factor Authentication (MFA)?
A) Speeds up user logins
B) Requires users to provide two or more verification methods to reduce unauthorized access
C) Removes the need for passwords
D) Prevents all malware infections
Answer: B) Requires users to provide two or more verification methods to reduce unauthorized access
Explanation: MFA increases security by requiring additional verification beyond just a password.
21. What is an identity protection risk detected by Azure AD Identity Protection?
A) A device with outdated software
B) Suspicious sign-in behavior, like impossible travel
C) Network congestion
D) Low battery on user device
Answer: B) Suspicious sign-in behavior, like impossible travel
Explanation: Azure AD Identity Protection identifies risks such as suspicious sign-in patterns that indicate compromised credentials.
22. What is the purpose of a retention label in Microsoft 365 compliance?
A) To classify data for deletion or preservation according to policy
B) To encrypt files
C) To manage user permissions
D) To filter spam emails
Answer: A) To classify data for deletion or preservation according to policy
Explanation: Retention labels help organizations meet compliance by managing data lifecycle and ensuring important data is retained or deleted properly.
23. Which Microsoft compliance solution helps organizations meet GDPR requirements?
A) Azure Firewall
B) Microsoft Compliance Manager
C) Microsoft Teams
D) Windows Defender
Answer: B) Microsoft Compliance Manager
Explanation: Compliance Manager helps organizations assess their GDPR compliance status and manage improvement actions.
24. What is a security baseline?
A) A pre-configured group of security settings recommended by Microsoft
B) A software update package
C) A hardware device used for authentication
D) An antivirus software
Answer: A) A pre-configured group of security settings recommended by Microsoft
Explanation: Security baselines provide organizations with recommended security settings to apply to devices and applications.
25. What type of access control does Azure AD implement by default?
A) Role-based access control (RBAC)
B) Mandatory access control (MAC)
C) Discretionary access control (DAC)
D) No access control
Answer: A) Role-based access control (RBAC)
Explanation: Azure AD uses RBAC to assign permissions based on roles to users and groups.
26. What does Microsoft Purview Information Protection help protect?
A) User credentials
B) Sensitive data across cloud and on-premises environments
C) Firewall rules
D) Network traffic
Answer: B) Sensitive data across cloud and on-premises environments
Explanation: Microsoft Purview Information Protection classifies and protects sensitive data wherever it lives or travels.
27. Which service is designed to help detect insider threats in Microsoft 365?
A) Microsoft Defender for Identity
B) Azure Sentinel
C) Microsoft Defender for Cloud Apps (formerly MCAS)
D) Azure AD Connect
Answer: C) Microsoft Defender for Cloud Apps (formerly MCAS)
Explanation: Defender for Cloud Apps helps detect unusual user activity and potential insider threats across cloud services.
28. What is the primary function of Microsoft Azure AD Connect?
A) Synchronize on-premises Active Directory with Azure AD
B) Manage device encryption
C) Block phishing emails
D) Enforce compliance policies
Answer: A) Synchronize on-premises Active Directory with Azure AD
Explanation: Azure AD Connect syncs identities and credentials from on-premises AD to Azure AD for hybrid identity management.
29. What is the function of Microsoft Endpoint Manager?
A) Manage and secure all endpoints, including PCs and mobile devices
B) Encrypt email messages
C) Provide antivirus protection for servers
D) Analyze security logs
Answer: A) Manage and secure all endpoints, including PCs and mobile devices
Explanation: Endpoint Manager includes Intune and Configuration Manager to manage device security and compliance.
30. Which Microsoft service provides audit and activity logs for security investigations?
A) Azure Sentinel
B) Microsoft Defender for Office 365
C) Microsoft 365 Compliance Center
D) Azure Firewall
Answer: C) Microsoft 365 Compliance Center
Explanation: The Compliance Center provides audit logs and reports to investigate user and admin activities related to security and compliance.

