SC-900 - Microsoft Security, Compliance, and Identity Fundamentals Identity Protection and Governance Questions and Answers

Question 1

An organization is using Microsoft Entra ID Protection and has configured risk policies. A user's sign-in attempt is flagged with a high 'sign-in risk', but their overall 'user risk' level remains low. Which of the following events would MOST likely trigger a high sign-in risk without immediately elevating the user risk?

Accepted Answer

A sign-in is attempted from an IP address associated with a TOR browser.

Answer

A sign-in risk evaluates the probability that a specific authentication request is not authorized, focusing on the context of that single sign-in. Using a TOR browser or anonymous IP address is a classic real-time indicator of a high-risk sign-in. In contrast, user risk is a calculation of the overall probability that an identity is compromised, based on a cumulative history of risky behaviors. While a sign-in from a new country ('atypical travel') or leaked credentials would contribute to risk, a sign-in from an anonymous IP is a strong, immediate indicator of a high-risk *sign-in event* itself, which may not instantly raise the overall user risk to high.

Question 2

A company wants to streamline access requests for a new marketing project. They need to bundle access to a specific SharePoint site, a Microsoft Team, and a SaaS application into a single requestable unit. They also want managers to approve these requests and for the access to automatically expire after 90 days. Which Microsoft Entra ID Governance feature is designed for this specific purpose?

Accepted Answer

Entitlement Management

Answer

Entitlement management is the Microsoft Entra ID Governance feature that allows organizations to manage the identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration. It uses 'access packages' to bundle resources like groups, applications, and SharePoint sites, and defines policies for how users can request access, who must approve it, and for how long the access is granted.

Question 3

An administrator is tasked with configuring Microsoft Entra Privileged Identity Management (PIM) for the Global Administrator role. The goal is to ensure that when a user activates this role, they must provide a business justification and also complete a multi-factor authentication (MFA) challenge. Where in the Microsoft Entra admin center would the administrator configure these activation requirements?

Accepted Answer

In the PIM role settings for the Global Administrator role

Answer

Microsoft Entra Privileged Identity Management (PIM) allows for specific activation requirements to be configured for each role. Within the PIM settings for a specific role, such as Global Administrator, an administrator can define settings that include requiring MFA, justification, or approval for activation. These settings are distinct from Conditional Access policies or general authentication method policies.

Question 4

An IT manager wants to ensure that access to a critical financial application is reviewed every quarter. They want the direct manager of each user to be responsible for approving or denying their subordinate's continued access. Which Microsoft Entra feature should be used to automate this periodic certification process?

Accepted Answer

Access Reviews

Answer

Microsoft Entra access reviews are designed to help organizations manage resource access lifecycles by scheduling regular reviews of who has access to specific resources, such as applications and groups. They can be configured to run on a schedule (e.g., quarterly) and can assign the review task to specific people, such as managers, to attest to their direct reports' need for continued access.

Question 5

An administrator is creating several new Conditional Access policies and wants to understand their combined impact on a specific user's sign-in to Microsoft Teams from an unmanaged device. Which tool should the administrator use to simulate this scenario without affecting any users?

Accepted Answer

The What If tool

Answer

The Conditional Access What If tool is specifically designed to help administrators understand the impact of their Conditional Access policies. It allows them to simulate a sign-in event by specifying a user, application, and various conditions (like device state or location) to see which policies would apply and what the outcome would be, without actually enforcing the policies or affecting users.

(SC-900) Microsoft Security, Compliance, and Identity Fundamentals Exam Practice Test

(SC-900) Microsoft Security, Compliance, and Identity Fundamentals Exam Practice Test

SC-900 - Microsoft Security, Compliance, and Identity Fundamentals Identity Protection and Governance Questions and Answers