SC-900 Cheat Sheet 2026
The 30 highest-yield SC-900 facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
45 questions
45 min time limit
70% to pass
- Microsoft Defender for Cloud can protect resources in which of the following environments? → Azure, AWS, Google Cloud, and on-premises
- What type of security solution is Microsoft Defender for Cloud Apps primarily classified as? → Cloud Access Security Broker (CASB)
- What Microsoft 365 Defender capability does Microsoft Defender for Cloud Apps contribute to when integrated into the unified security operations platform? → Cross-domain threat signals for extended detection and response (XDR)
- Which of the following is NOT one of the four pillars of the Cloud Access Security Broker (CASB) framework that Defender for Cloud Apps provides? → Network Segmentation
- What term describes the use of unauthorized or unapproved cloud applications within an organization that Defender for Cloud Apps helps identify? → Shadow IT
- How does the 'History' tab and benchmark comparison feature in Secure Score help security administrators? → By tracking score changes over time and comparing against similar organizations.
- What is the primary goal of Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint? → To prevent malware from running by blocking common malicious behaviors.
- Which of the following can be accomplished with the use of the Azure Privileged Identity Management Service? → Provide just-in-time access to resources roles in Azure
- What is the primary goal of a Microsoft Purview Data Loss Prevention (DLP) policy? → To prevent the unintentional sharing of sensitive information
- Which Microsoft Defender for Endpoint capability is designed to discover, prioritize, and remediate software vulnerabilities and misconfigurations on devices? → Threat & Vulnerability Management
- When an Insider Risk Management policy generates a high-severity alert, what is the typical next step in the built-in workflow? → The alert is triaged, and an investigator can create a case for deeper analysis.
- Which of the following best describes a 'control' in the context of Microsoft Purview Compliance Manager? → A requirement of a regulation or standard.
- Where are the protection settings, such as encryption and access rights, for a sensitivity label defined? → In the Microsoft Purview compliance portal
- What does a 'File Policy' in Microsoft Defender for Cloud Apps allow an organization to do? → Scan files stored in connected cloud apps and apply governance actions based on content
- In the context of Microsoft Secure Score, what is an 'improvement action'? → A recommended configuration task that will improve the security score when completed.
- Which Microsoft Defender for Cloud Apps capability allows administrators to set policies that trigger alerts when unusual user behavior is detected? → Anomaly Detection Policies
- A security analyst wants to proactively search for new and unknown threats in their organization's data. Which Microsoft Sentinel feature should they use? → Hunting
- What is the function of assessment templates in Compliance Manager? → To provide frameworks for assessing compliance against specific regulations.
- What does Conditional Access App Control in Microsoft Defender for Cloud Apps enable? → Real-time session monitoring and control of user activity in cloud apps
- What is the primary function of Cloud Security Posture Management (CSPM) within Microsoft Defender for Cloud? → To identify and remediate security misconfigurations across cloud resources.
- An organization wants to ensure that all documents containing a passport number are automatically labeled as 'Highly Confidential'. What feature enables this? → Automatic sensitivity labeling policies
- Which Defender for Cloud Apps capability helps detect when a user account may have been compromised by analyzing impossible travel scenarios? → Anomaly Detection — Impossible Travel
- How does Microsoft Sentinel collect log data from various sources like Azure services, Microsoft 365, and on-premises systems? → By configuring data connectors
- Which feature of Microsoft Defender for Cloud Apps helps organizations discover unsanctioned cloud applications being used by employees? → Cloud Discovery
- Which of the following provides: "an end to end workflow to preserve, collect, analyze, review and export content in MS365"? → Advanced eDiscovery
- Match Microsoft 365 insider risk management workflow step to the appropriate task. "Create cases in the Case dashboard" → Investigate
- What is the purpose of the secure score in Microsoft Defender for Cloud? → To measure and track the security posture of your cloud environment.
- In the context of Microsoft Defender for Cloud Apps, what does 'sanctioning' a cloud application mean? → Officially approving an app for use within the organization
- Microsoft Secure Score provides a holistic view by providing recommendations across which set of categories? → Identity, Devices, and Apps.
- What can you use to scan email attachments and forward the attachments to recipients only if the attachments are free from malware? → Microsoft Defender for Office 365
Turn these facts into recall: