Free and Premium Microsoft SC-900 Dumps Questions Answers

Microsoft Entra Conditional Access evaluates signals to make real-time access decisions. Microsoft describes it as bringing “signals together to make decisions and enforce organizational policies,” where administrators choose controls such as Block access, Require multi-factor authentication, Require device to be marked as compliant, or Require hybrid Azure AD joined device. Because MFA is only one of several grant controls, it is incorrect that policies always enforce MFA; they can also simply block, allow, or require other conditions.

Location is a first-class condition. Microsoft states you can define named locations (by countries/regions or IP ranges) and then use them in policy conditions to block or grant access. A common scenario is “Block access from specific locations” or require additional controls when a sign-in originates from an untrusted network. Therefore, Conditional Access can block access to an application based on user location.

Finally, Conditional Access targets users, groups, workload identities, and cloud apps regardless of device join state. Device-related conditions and filters are optional; policies are not limited to “Azure AD-joined devices.” Controls like Require device to be marked as compliant or Require Hybrid Azure AD joined device are only enforced if configured. Hence, Conditional Access does not only affect users on Azure AD-joined devices.

In Microsoft Entra ID Protection, risk-based Conditional Access policies use signals such as User risk and Sign-in risk to evaluate potential threats during authentication and identity usage. These are core to adaptive access and identity protection features taught in Microsoft’s SC-300 and SC-900 learning paths.

User risk:

Defined by Microsoft as: “The probability that a specific identity or account is compromised.”

User risk is assessed based on activities and behaviors that indicate the account may have been compromised—such as leaked credentials or atypical user activity over time.

Sign-in risk:

Defined as: “The probability that the authentication request is not performed by the legitimate identity owner.”

Sign-in risk is calculated at the time of authentication based on indicators such as unfamiliar locations, anonymous IP addresses, impossible travel, or malware-linked sign-ins.

These signals help automate access decisions, such as requiring MFA or blocking access, based on real-time risk assessments.

Microsoft Purview Compliance Manager organizes improvement actions into control action subcategories that mirror core security control types used throughout Microsoft Learn’s SCI content: preventative, detective, and corrective. In the SC-900 security fundamentals guidance, Microsoft describes these control types as follows: “Preventive controls are intended to deter or stop an attack from occurring (for example, encryption and access controls). Detective controls are used to discover and detect attacks that are in progress or have occurred (for example, logging, auditing, and monitoring). Corrective controls are used to limit the damage caused by an incident and to return systems to normal operations (for example, configuration changes, incident response, and recovery activities).”

Applying those definitions to Compliance Manager actions: Encrypt data at rest is a preventative control because it deters exposure by protecting data before an event. Perform a system access audit is a detective action because auditing and reviewing access logs are used to discover and detect misuse or anomalies. Make configuration changes in response to a security incident is a corrective action because it remediates and restores the environment after detection, aligning with Compliance Manager’s corrective action guidance. These mappings reflect how Compliance Manager measures completion of improvement actions that reduce compliance risk through the right mix of preventative, detective, and corrective controls.

In Microsoft guidance, network segmentation and isolation are core security principles. Azure virtual networks (VNets) are “a fundamental building block… that enable isolation and segmentation of resources,” and multiple VNets are commonly used to separate environments, business units, or security boundaries. This aligns with Zero Trust and SCI guidance that recommends isolating workloads to reduce blast radius and to apply least privilege and policy-based controls per boundary. Microsoft also emphasizes governance alignment, stating that enterprises should structure Azure resources so that policies, RBAC, and compliance requirements can be applied at appropriate scopes (management group, subscription, resource group, or network boundary). Deploying multiple VNets supports these goals by enabling per-environment policy assignment (for example, dev/test vs. production), differentiated security controls (such as NSGs, ASGs, and firewalls), and independent address spaces to prevent overlap across organizations or regions. Options A and D are not primary drivers: budgeting is handled at subscription/resource group scopes rather than VNet count, and a single VNet can already host and connect many resource types; creating multiple VNets is therefore primarily about governance and isolation that reduce risk and enforce organizational policies.

Microsoft’s privacy commitments are framed as principles that include Control, Transparency, Security, Strong legal protections, No content-based targeting, and Benefits to you. Under these commitments, Microsoft emphasizes compliance with regional and sectoral laws: it provides “strong legal protections” for data and commits to handling data “in accordance with applicable laws,” including respecting local privacy and data-protection requirements and supporting cross-border transfers only as permitted by law. The principles also state Microsoft does not use customer content for advertising, and it enables customers to manage their own privacy settings and choices. Therefore:

A is false (Microsoft does collect data but minimizes and protects it).

B is false (Microsoft states no content-based targeting for customer email/chat).

C is false (Microsoft provides settings; customers control them).

D aligns with Microsoft’s principle to respect and comply with applicable local privacy laws.

Conditional Access session controls enable user app access and sessions to be monitored and controlled in real time based on access and session policies.

Based on this definition, the best answer for your question is B. enable limited experiences, such as blocking download of sensitive information.

YES YES YES

Microsoft Entra Conditional Access is explicitly described by Microsoft as a system of policies that act as if-then statements: if a user wants to access a resource, then certain controls must be satisfied. These are called Conditional Access policies, and they combine assignments and access controls to enforce organizational requirements.

Among the configurable conditions in a policy is Device platforms. The documentation explains that Conditional Access identifies the device platform (Android, iOS, Windows, macOS, Linux) from the user agent and notes that this condition is typically used with grant controls such as block access or in combination with other controls. This allows administrators to block or allow access based specifically on the operating system of the user’s device.

For scoping, the Users and groups assignment lets you include or exclude groups instead of individual users. Microsoft’s Entra groups overview states that you can create a Conditional Access policy that applies to a group, and that Entra supports both security groups and Microsoft 365 groups, while another architecture article notes that either a security group or a Microsoft 365 Group can be used in Conditional Access policies.

In Microsoft’s Security, Compliance, and Identity materials, Azure AD B2B collaboration is the feature designed for working with external organizations. Microsoft describes it as follows: “Azure AD B2B collaboration allows you to securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data. Guest users sign in with their own work, school, or social identities, and appear as guest users in your directory.” This directly matches the sentence in the prompt—enabling collaboration with suppliers, partners, and vendors while ensuring that external users appear as guest users in the tenant.

By contrast, Active Directory Domain Services (AD DS) is an on-premises directory service for Windows domain joined resources and does not provide cloud guest user collaboration. Active Directory forest trusts establish trust relationships between AD DS forests for resource access, not modern cloud guest access using Conditional Access, MFA, or entitlement processes. Azure AD B2C is for consumer/retail scenarios where you build customer-facing apps, managing their identities in a separate customer directory; it is not intended for partner collaboration within your enterprise tenant. Therefore, the capability that fits the statement—external partner collaboration with users appearing as guest accounts—is Azure AD B2B.

In Microsoft’s SCI guidance, encryption at rest is defined as protecting data when it is stored on a disk or other persistent media. Microsoft describes it as controls that “help safeguard your data to meet your organizational security and compliance commitments by encrypting data when it is persisted,” distinguishing it from protections for data in transit. Within Azure and Microsoft 365, examples include Azure Disk Encryption for IaaS VMs (using BitLocker for Windows and DM-Crypt for Linux), server-side encryption for storage accounts, and Transparent Data Encryption for databases. A virtual machine’s OS and data disks encrypted with BitLocker or DM-Crypt are canonical cases of at-rest encryption because the encryption keys protect the physical media; the data becomes unreadable if the disks are accessed outside the authorized context. By contrast, site-to-site VPN, HTTPS web sessions, and encrypted email protect data in transit—they secure network communications but do not encrypt the data where it is stored. Therefore, among the options provided, encrypting a virtual machine disk is the correct example of encryption at rest in Microsoft’s security model.

Microsoft 365 Information Barriers are compliance policies used “to prevent certain segments of users from communicating or collaborating with each other.” In Microsoft’s guidance, IB policies are designed for scenarios like insider trading restrictions, M & A deal rooms, or research–sales separation, where it’s necessary to block chats, calls, and collaboration between defined user segments. The documentation explains that when IB policies are in place, “users in the blocked segments cannot search, discover, or communicate with each other in Microsoft Teams,” and IB v2 extends these controls to additional collaboration workloads such as SharePoint and OneDrive. By contrast, email restrictions in Exchange Online are addressed through mail flow rules or other Exchange features, not information barriers, and restricting unauthenticated access or external sharing is handled by identity access controls and sharing settings, not IB. Therefore, the specific use case is restricting Microsoft Teams chats (and related collaboration) between certain groups within an organization.

In Microsoft Defender for Office 365, Threat Trackers (also known as threat analytics in the security portal) surface curated intelligence on prevailing and emerging cyberthreats, giving security teams insight into current campaigns, affected regions, and recommended actions. Threat Explorer (Explorer/Real-time detections) is the investigation workspace that provides near real-time visibility into detected phishing, malware, and other malicious email content, allowing analysts to identify, filter, and analyze recent threats and take remediation actions (e.g., purge messages). Anti-phishing protection is configured via anti-phishing policies and uses machine learning and impersonation settings (user and domain impersonation) to detect and block impersonation attempts and other phishing techniques in Exchange Online. Together, these capabilities map directly to the statements: Trackers = intelligence on active threats, Explorer = real-time analysis and reporting, and Anti-phishing = detection of impersonation.

In Microsoft 365 Defender (Microsoft 365 security center), Incidents are designed to consolidate and correlate security signals so analysts can see the full scope of an attack. Microsoft’s documentation explains that an incident is “a collection of related alerts that, when viewed together, provide a richer context for the attack and its impact.” The service “automatically groups alerts that are likely to be associated with the same threat activity,” which allows security teams to investigate a single incident rather than many fragmented alerts. Microsoft further notes that incidents “aggregate alerts, affected assets (users, devices, mailboxes), evidences, and entities into one view,” helping analysts triage, investigate, and remediate more efficiently.

This is distinct from other areas in the portal: Reports provide trend and posture reporting; Hunting offers proactive, query-based threat hunting across raw data; and Attack simulator (in Defender for Office 365) is used to run training and awareness simulations (e.g., phishing), not to aggregate real alerts. Therefore, when you need to “view an aggregation of alerts that relate to the same attack” in the Microsoft 365 security center, the correct place is Incidents, which presents the correlated attack story and enables end-to-end response and remediation from a single, consolidated record.

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

In Microsoft’s Security, Compliance, and Identity materials, Customer Lockbox is described as the feature that controls any Microsoft engineer access to your tenant content during support operations. Microsoft states that Customer Lockbox “ensures that Microsoft cannot access your content to perform a service operation without your explicit approval.” It is specifically applicable to Microsoft 365 workloads that store customer data, including “Exchange Online, SharePoint Online, and OneDrive for Business.” When a support case requires elevated access, “a lockbox request is created and routed to the customer for approval or rejection,” and access is only granted if the organization’s authorized admin approves the request within the defined window. The request contains who is requesting access, the reason, the scope, and the duration, and all actions are audited for compliance reporting. This capability aligns with Microsoft’s zero standing access principles by making engineer access time-bound, least-privileged, and customer-approved. By contrast, Information barriers segregate communications between groups, Privileged Access Management (PAM) governs privileged tasks inside Microsoft 365, and Sensitivity labels classify and protect data. Therefore, the feature that “can be used to provide Microsoft Support Engineers with access to an organization’s data stored in Microsoft Exchange Online, SharePoint Online, and OneDrive for Business” is Customer Lockbox.

Yes

NO

NO

YES - As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

NO - The most restrictive lock in the inheritance takes precedence.

NO - If you delete a resource group with a locked resource, the portal UI will give you an error and no resources are deleted.

In Microsoft identity and access management terminology, federation refers to the establishment of a trust relationship between identity providers, which enables single sign-on (SSO) across different organizations or platforms.

According to the Microsoft Security, Compliance, and Identity (SCI) learning path, particularly in the SC-900 and SC-300 certifications, the following definition is provided:

“Federation is a means of establishing trust between two identity systems. This trust allows users from one domain to access resources in another domain without needing to authenticate again, typically using SAML, WS-Federation, or OAuth protocols.”

This concept is essential in cross-organization SSO scenarios, such as enabling users from one enterprise (or identity provider) to authenticate with services hosted in another, using existing credentials.

SCI documentation further states:

“Single sign-on (SSO) between multiple identity providers is enabled through federation protocols, which delegate authentication and allow token-based identity propagation across systems.”

The other options are not accurate in this context:

Integration is a vague term and not specific to SSO configuration.

Password hash synchronization and pass-through authentication are Azure AD authentication methods used for hybrid identity with on-premises AD, not for federating with external identity providers.

✅ Therefore, SSO configured between multiple identity providers is best classified as an example of federation.

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft’s SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that “helps you manage your organization’s compliance requirements,” providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins “use the Microsoft 365 Compliance Center to access Compliance Manager,” where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.

Microsoft’s identity platform (Microsoft Entra ID, formerly Azure AD) supports built-in and custom directory roles. The official guidance states that you can “create your own custom roles to grant permissions for management of Microsoft Entra resources,” and those roles consist of specific role permissions that you select to tailor least-privilege administration. The documentation also lists Global administrator (formerly Company Administrator) as a built-in role that “has access to all administrative features” and can delegate role assignments, reset passwords for all users, and manage identity settings across the tenant. Regarding assignments, Microsoft is explicit that role assignment is many-to-many: administrators can “assign one or more roles to a user,” and the user’s effective permissions are the union of the privileges from all assigned roles. Consequently, (1) creating custom roles is supported (Yes), (2) Global administrator is indeed a defined Azure AD/Microsoft Entra role (Yes), and (3) a user being limited to only one role is incorrect (No) because multiple role assignments to the same user are permitted and commonly used to implement least privilege and separation of duties.

Box 1: Yes

Azure AD supports custom roles.

Box 2: Yes

Global Administrator has access to all administrative features in Azure Active Directory. Box 3: No

Microsoft Purview Information Protection (in the Microsoft 365 compliance center) enables you to discover, classify, label, and protect sensitive information across emails, documents, and other data stores. Labels and policies can enforce encryption, access restrictions, and visual markings, helping prevent unauthorized disclosure of sensitive data—inside or outside your organization.

documents: =

Microsoft’s Windows Hello for Business replaces passwords with strong, two-factor authentication that is tied to the device and unlocked with a user gesture. The Microsoft Learn description states that Windows Hello for Business “replaces passwords with strong authentication” and that “users sign in using a gesture, such as a PIN, facial recognition, or fingerprint.” It further clarifies that the credential is protected by the device’s secure hardware and that the gesture (PIN or biometric) unlocks the private key used to authenticate. The guidance explains that “biometrics (face or fingerprint) or a PIN” are supported as the user’s sign-in method, and that the PIN “is unique to the device” and does not roam, reducing attack surface.

By contrast, email verification and security questions are not authentication gestures for Windows Hello for Business. They are not listed as supported methods for unlocking the Hello for Business key or completing interactive sign-in to Windows. Therefore, the three supported Windows Hello for Business authentication methods from the options provided are fingerprint, facial recognition, and PIN. This aligns with Microsoft’s documented model where the user enrolls a biometric (face or fingerprint) or creates a PIN, and subsequently uses that gesture to unlock the hardware-bound credential for secure sign-in and access to resources.

Microsoft Learn explains that Azure Active Directory (now Microsoft Entra ID) is a Microsoft-managed identity and access management service delivered from the cloud. It does not require you to provision or host infrastructure such as virtual machines; the directory is operated as a service by Microsoft, and tenants are created and administered within Microsoft’s cloud environment. The official learning paths further clarify that administration is performed through the Azure portal (the Entra/Microsoft Entra admin center and Azure portal blades), PowerShell, and Graph—so managing a tenant in the Azure portal is fully supported.

Regarding licensing, Microsoft’s SCI study materials detail that Azure AD/Entra ID is offered in multiple editions (Free, Microsoft 365 apps edition, Premium P1, and Premium P2). Each edition unlocks different capabilities: for example, features like Conditional Access are in Premium tiers; Identity Protection and Privileged Identity Management (PIM) are P2 capabilities. Because capabilities vary by tier, the statement that all license editions include the same features is incorrect.

Putting this together: feature parity across editions is not the case (No); tenant management in the Azure portal is supported (Yes); and you do not need to deploy Azure VMs to host an Azure AD/Entra ID tenant (No).

Endpoint data loss prevention (Endpoint DLP), a feature in Microsoft Purview, supports Windows 10 and 11 and now also supports macOS for core DLP capabilities. It allows organizations to monitor and restrict actions like copying sensitive files to USBs, printing, or uploading to unapproved cloud services.

SCI Extract: " Endpoint DLP extends Microsoft Purview Data Loss Prevention to Windows 10, Windows 11, and macOS devices, allowing for monitoring and control of sensitive data usage at the endpoint. "

Other platforms like Linux, iOS, and Android are not currently supported for Endpoint DLP

A Security Information and Event Management (SIEM) system is designed to collect and aggregate security data from multiple sources—such as servers, devices, applications, and security appliances—across an organization. It then analyzes the data for anomalies, correlations, and patterns that could indicate potential threats or breaches.

From the SCI certification learning paths, especially SC-200 (Microsoft Security Operations Analyst), Microsoft defines SIEM as follows:

“SIEM tools collect and analyze activity from multiple resources across your IT infrastructure. Microsoft Sentinel is Microsoft’s cloud-native SIEM that provides intelligent security analytics and threat intelligence to help detect and respond to security threats.”

A SIEM system:

Ingests large volumes of data (logs, events).

Uses built-in rules, AI, and analytics to identify threats.

Correlates alerts from various sources to form incidents.

Generates alerts and dashboards for security analysts.

Microsoft Sentinel, as Microsoft’s SIEM solution, embodies all of these capabilities.

Other options in the dropdown (incorrect for this context):

SOAR is focused on automating responses after SIEM alerts.

TAXII is a threat intel transport protocol, not a detection system.

ASR (Attack Surface Reduction) refers to endpoint hardening, not centralized event analysis.

✅ Therefore, the correct and Microsoft-verified term is: A security information and event management (SIEM).

Microsoft describes hybrid identity as integrating on-premises Active Directory with Microsoft Entra ID (Azure AD) so that “your on-premises identities are synchronized to Azure AD” for a single identity across cloud and on-prem apps. In this model, directory objects (users, groups, and selected attributes) flow from on-premises AD to Azure AD using Azure AD Connect or Cloud Sync; this is the canonical direction for provisioning in hybrid environments. Microsoft further explains that while certain writeback features (such as password writeback, device or group writeback scenarios) are supported, cloud-created users do not automatically sync down to on-premises AD; account provisioning remains authoritative on-prem unless you deploy specific, limited writeback features—there is no default “user account creation from Azure AD to AD DS.” For authentication, Microsoft states that hybrid identity supports cloud authentication (Password Hash Synchronization or Pass-through Authentication) where Azure AD performs the sign-in, or federation with another identity provider (e.g., AD FS or a third-party IdP) where that provider validates credentials and issues tokens to Azure AD. These statements align with Microsoft’s SCI guidance on hybrid identity: on-prem to cloud sync is standard; automatic reverse user sync is not; and authentication can be handled by Azure AD or a federated IdP depending on the chosen sign-in method.

In Microsoft Purview Information Protection, sensitivity labels are the core mechanism to classify and protect content. The Microsoft SCI learning content explains that a sensitivity label can “apply protection such as encryption and rights restrictions to files and emails,” allowing you to define who can access the content and what they can do (view, edit, print, forward). When you configure a label with Encrypt settings, the service uses Azure Rights Management to enforce protection persistently, so the encryption travels with the file wherever it goes.

Labels can also apply content marking. The official guidance states that labels can “add visual markings—headers and footers—to Office files and email to make the sensitivity of content obvious.” This is commonly used to stamp messages and documents with text such as Confidential or Internal. SCI materials further clarify that labels can apply watermarks to Office documents (Word, Excel, PowerPoint) as part of content marking, but watermarks are not applied to email messages; only headers and footers are supported for email.

Putting it together: encryption (Yes) and headers/footers on documents (Yes) are supported label actions. Watermarks are supported for documents but not for email, so “Sensitivity labels can apply watermarks to emails” is No.

access and application control

In Microsoft Defender for Cloud, the capabilities grouped as access and application control are designed to harden Azure virtual machines by limiting both what can access a VM and what can run on it. Microsoft’s documentation explains that Adaptive application controls “help you control which applications can run on your VMs by allowing only known-safe applications,” which directly helps block malware and other unwanted applications. In the same family, Just-in-time (JIT) VM access “reduces exposure to attacks by locking down inbound traffic to your VMs and opening only the required ports, for approved users, for a limited time,” thereby reducing the network attack surface. These capabilities are surfaced in Defender for Cloud recommendations and policies to enforce least privilege at the network edge and on the endpoint execution layer.

By contrast, Cloud Security Posture Management (CSPM) provides continuous assessment and secure-score-driven recommendations but isn’t the control that actively blocks applications or time-bounds inbound access. Container security targets container images and runtimes, and vulnerability assessment identifies software vulnerabilities but doesn’t enforce allow-listing or time-bound access. Therefore, the correct completion is access and application control, which encompasses Adaptive application controls and JIT VM access to protect VMs from unwanted apps and minimize exposed network surface.

documents: =

Microsoft Entra ID Protection evaluates risk during authentication, not only after the user is authenticated. The service provides “real-time” assessment as part of the sign-in flow and also processes “offline” detections, enabling Conditional Access to act before a session is granted. In Microsoft’s terminology, “sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner,” while “user risk represents the probability that a given identity or account is compromised.” These risks are surfaced as risk detections and can be used to trigger MFA, block access, or require secure password reset. Each detection and calculated risk is classified by Microsoft Entra ID Protection with “Low, Medium, or High” levels so administrators can triage and automate policy responses appropriately. Because detections are calculated in real time as part of the sign-in evaluation (and also through subsequent analysis), it is incorrect to say they are generated once the user is authenticated. The accurate view is that Identity Protection continuously analyzes telemetry and produces detections and risk levels that may be acted upon before, during, and after sign-in, with user risk expressing the likelihood that the identity itself is compromised and sign-in risk expressing the likelihood that a particular authentication attempt is not legitimate.

In Microsoft’s hybrid identity model, organizations keep their authoritative identities in Active Directory Domain Services (AD DS) and surface those identities in Microsoft Entra ID (Azure AD). Microsoft guidance explains that hybrid identity is implemented by synchronizing on-premises directory objects (users, groups, and selected attributes) into Azure AD using Azure AD Connect or Cloud Sync. Azure AD Connect is explicitly documented as the Microsoft tool that establishes and maintains synchronization between AD DS and Azure AD and is therefore used to implement hybrid identity—hence statement 1 is Yes. Hybrid identity does not require two Microsoft 365 tenants; the standard design is one Azure AD tenant connected to one or more on-premises AD forests, so statement 2 is No. For users to authenticate to Microsoft cloud resources with their on-premises identity, Azure AD must have a corresponding cloud identity object, which is achieved by directory synchronization; sign-in can then be handled by cloud authentication (Password Hash Synchronization or Pass-through Authentication) or by federation (e.g., AD FS). Because these sign-in options depend on synchronized identities being present in Azure AD, statement 3 is Yes. This aligns with SCI guidance that hybrid identity = synchronized identities + a chosen authentication method (PHS/PTA or federation).

Microsoft documents for Defender for Endpoint (MDE) describe it as an enterprise endpoint security platform that supports Windows 10/11, Windows Server, Linux, macOS, and mobile platforms (Android and iOS/iPadOS). The platform provides threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation and remediation across those supported operating systems. Because MDE supports Windows client operating systems and servers, it can also be used on Azure virtual machines that run supported Windows versions; onboarding methods include local scripts, Microsoft Endpoint Manager, or cloud integrations, allowing VM endpoints to receive the same protection and EDR capabilities as physical devices.

By contrast, malware scanning in SharePoint Online, OneDrive, and Microsoft Teams is provided by Microsoft Defender for Office 365 (Safe Attachments for SharePoint, OneDrive, and Teams)—a different service within the Microsoft 365 Defender family. This service analyzes files as they are uploaded or shared to detect and block malicious content in collaboration workloads, which is outside the scope of MDE’s endpoint-focused protections. Therefore: Android protection (Yes), Azure VMs running Windows 10 (Yes), and SharePoint Online anti-virus protection by MDE (No, handled by Defender for Office 365).

Microsoft’s official description of Azure Key Vault in the Security, Compliance, and Identity learning materials states that Key Vault is “a cloud service for securely storing and accessing secrets.” The same guidance clarifies that “a secret is anything you want to tightly control, such as API keys, passwords, or connection strings.” In addition to secrets, Key Vault provides key management: “Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services.” It further explains that organizations can “generate, import, rotate, disable, and delete keys” and use them for operations such as “encrypt and decrypt, sign and verify, wrap and unwrap.” These excerpts confirm that Key Vault’s core capabilities include the secure storage and lifecycle management of secrets and cryptographic keys.

By contrast, the SCI content makes clear that infrastructure features like Azure DDoS Protection and Network Security Groups (NSGs) are networking/security controls delivered by Azure networking services, not Key Vault. Likewise, ARM templates are deployment artifacts stored in repositories such as Azure Repos or GitHub; Key Vault does not store or manage template files. Therefore, the two correct actions you can perform with Azure Key Vault—aligned with Microsoft’s documentation—are to store (and manage) keys and store (and manage) secrets.

Azure Blueprints lets you define a repeatable set of artifacts—like ARM/Bicep templates, role assignments, and Azure Policy—that you can assign to multiple subscriptions to deploy resources and guardrails consistently.

In Microsoft Defender for Cloud, the Free plan provides continuous security assessment and visibility into your posture via Secure Score and security recommendations. Microsoft explains that the free tier offers “foundational CSPM capabilities,” including recommendations and a security score (Secure score) to help you prioritize hardening tasks. Advanced features—such as vulnerability scanning for V Ms (Qualys-based), Just-In-Time (JIT) VM access, and threat protection alerts—require the enhanced/paid Defender plans (for example, Defender for Servers). Consequently, among the listed options, only Secure score is available in the free mode. This score aggregates the effect of recommendations across subscriptions and resources so you can track and improve security posture without enabling any of the paid Defender plans.

In Microsoft Sentinel, playbooks are the feature that integrates with Azure Logic Apps to automate response. Microsoft’s documentation describes them as “collections of procedures that can be run from Microsoft Sentinel in response to an alert” and clarifies that “playbooks are built on Azure Logic Apps” providing a workflow engine and a gallery of connectors to other Microsoft and third-party services. Playbooks can be triggered automatically from analytics rules or manually from incidents and alerts, enabling orchestration such as assigning owners, creating tickets, disabling accounts, blocking IPs, or posting to collaboration channels. The platform emphasizes that the Logic Apps foundation gives security teams a visual designer, managed connectors, and run history to track execution and outcomes. In short, Sentinel uses playbooks to “automate and orchestrate responses to alerts and incidents”, reducing mean-time-to-respond and standardizing actions across your SOC. Other Sentinel components serve different purposes: analytic rules detect threats, hunting queries aid proactive investigation, and workbooks provide dashboards and visualizations. Therefore, the correct completion is: Microsoft Sentinel playbooks use Azure Logic Apps to automate and orchestrate responses to alerts.

Microsoft states that Microsoft Sentinel includes connectors for both Microsoft and non-Microsoft sources. The product overview explains that Sentinel “comes with built-in connectors” for services such as Microsoft 365, Defender, and Azure sources, and also built-in connectors for non-Microsoft solutions like firewalls and other security products. Therefore, the claim that data connectors support only Microsoft services is false.

For visualization and monitoring, the documentation clarifies that “Microsoft Sentinel uses Azure Monitor workbooks to provide rich visualizations of your data.” Workbooks are the native dashboarding framework in Sentinel and can be customized to monitor logs, incidents, and telemetry that Sentinel ingests. Hence, using Azure Monitor Workbooks to monitor data collected by Sentinel is true.

Regarding threat hunting, Microsoft describes the Hunting capability as a proactive feature: “Hunting lets you proactively hunt for security threats,” using Kusto Query Language queries and analytic patterns to find indicators of compromise before alerts are generated. Analysts can run, save, and schedule hunts to uncover suspicious activity that hasn’t yet raised an alert, making the statement about identifying threats before an alert is triggered true.

The Content Search tool in the Security & Compliance Center can be used to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business.

The first step is to starting using the Content Search tool to choose content locations to search and configure a keyword query to search for specific items.

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

In Microsoft Defender for Endpoint, attack surface reduction (ASR) is described as the first defensive layer in the protection stack, and Network protection is a core ASR capability. Microsoft’s documentation states that “Attack surface reduction provides the first line of defense in the stack.” It further explains that these capabilities are designed to reduce opportunities for compromise before malware can run or persistence can be established. Within ASR, Microsoft specifically defines Network protection as a feature that “helps reduce the attack surface of your devices from Internet-based events.” Microsoft also clarifies how it works: “It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.”

Because the question asks for the feature in Defender for Endpoint that delivers the first line of defense by reducing the attack surface, the applicable ASR capability is Network protection. It proactively blocks access to known malicious IPs, domains, and URLs, shrinking the exploitable surface area and thereby reducing risk before an attack can execute. By contrast, automated investigation and automated remediation act after detections to contain and fix issues, and advanced hunting is an analyst-driven, query-based detection and investigation tool—not an attack-surface–reduction control. Hence, Network protection is the correct choice.

Explanation

In Microsoft’s hybrid identity guidance, Azure AD Connect is the supported tool to bridge on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD). Microsoft Learn describes it plainly: “Azure AD Connect is Microsoft’s tool for connecting on-premises directories to Azure AD.” It “synchronizes user, group, and device objects” so cloud identities stay aligned with on-premises accounts and attributes. Azure AD Connect also supports multiple sign-in methods: “password hash synchronization, pass-through authentication, and federation integration.” In other words, you can sync identities and choose how users authenticate to Microsoft Entra ID (Azure AD).

By contrast, Active Directory Federation Services (AD FS) is a federation service used for claims-based authentication; it does not perform directory synchronization. Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR and is unrelated to identity sync. Privileged Identity Management (PIM) is an identity governance feature for just-in-time privileged access; it does not synchronize identities. Therefore, in a hybrid identity model where the requirement is to sync identities between AD DS and Azure AD, the correct Microsoft-endorsed solution is Azure AD Connect, which “keeps identities in sync between on-premises directories and Azure AD.”

Microsoft’s identity model highlights four pillars: administration, authentication, authorization, and auditing. In this model, auditing is the capability that records and reports identity-related activities, providing visibility into “who accessed what, when, from where, and how.” SCI-aligned guidance explains that authentication verifies identity and authorization grants permissions, while auditing tracks and logs the resulting access to resources so organizations can investigate activity, satisfy compliance obligations, and detect anomalies. Microsoft services such as Microsoft Entra ID (sign-in logs and audit logs), Access Reviews, Privileged Identity Management (PIM) reports, and Microsoft Purview Audit are explicitly positioned to capture user access events and administrative changes across cloud apps and services. This evidence enables security operations and compliance teams to monitor access patterns, prove regulatory adherence, and respond to incidents. Therefore, when the question focuses on tracking the resources accessed by a user, the pillar that directly addresses this requirement is auditing, not authentication (identity proof), authorization (permission assignment), or administration (lifecycle and configuration).

Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service. Reference:

Microsoft Purview Data Loss Prevention (DLP) is designed to prevent the inadvertent or inappropriate sharing of sensitive data across Microsoft 365 services. Microsoft’s guidance states that DLP “helps you discover, monitor, and protect sensitive items across Microsoft 365,” and that with DLP policies you can “identify, monitor, and automatically protect sensitive items in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.” This directly supports option C, because DLP can detect sensitive info in OneDrive documents and automatically apply protective actions such as blocking external sharing, restricting access, or auditing the event.

DLP also provides end-user coaching through policy tips: “Policy tips are informative notices that appear when users are working with content that contains sensitive info … to help prevent data loss.” When a user is about to send or share sensitive data in violation of policy, these tips surface in Outlook and Office apps (including when files are stored in SharePoint/OneDrive), aligning with option A.

By contrast, enabling disk encryption (e.g., BitLocker) and applying device security baselines are endpoint/device management tasks handled through Microsoft Intune or Group Policy—not by DLP. Therefore, A and C are the correct tasks you can implement with Microsoft 365 DLP policies.

In Microsoft 365 information protection guidance, Microsoft explains that sensitivity labels are persistent: when a label is applied to a file or email, the label information is stored as metadata so that the protection settings “travel with the content” wherever it’s saved or shared. Labels can apply encryption, content marking (headers, footers, watermarks), and DLP-friendly metadata, but encryption is optional—some labels only classify/mark without encryption. Microsoft also emphasizes that labels are not restricted to predefined categories; administrators can create custom label names, descriptions, and scoped policies to reflect an organization’s taxonomy (for example, Public, Confidential, Highly Confidential, or industry-specific categories). Because the defining property that always applies is that the label remains attached to the content and enforces configured policy across Microsoft 365 services and supported third-party locations, the accurate characteristic is persistent. Options “encrypted” (not always) and “restricted to predefined categories” (incorrect—labels are customizable) do not universally describe sensitivity labels.

Microsoft defines Microsoft Entra ID Governance as the capability to manage “the identity lifecycle, access lifecycle, and privileged access” so organizations can ensure “the right people have the right access to the right resources at the right time.” The product family explicitly lists the following core features: “Lifecycle workflows, Entitlement management, Access reviews, and Privileged Identity Management (PIM).” Microsoft further explains that PIM helps you “manage, control, and monitor access within your organization,” enabling just-in-time elevation, approval workflows, MFA/justification on activation, and detailed auditing for privileged roles. By contrast, the other options are separate Microsoft Entra offerings outside ID Governance: Verifiable credentials (Microsoft Entra Verified ID) issues and validates digital credentials; Permissions Management (Microsoft Entra Permissions Management) provides CIEM for multi-cloud permissions; and Identity Protection offers risk-based detection and policies for sign-ins and users. Therefore, among the choices, the feature that is included in Microsoft Entra ID Governance is Privileged Identity Management (PIM), which is specifically called out by Microsoft as a pillar of ID Governance and is used to govern privileged access with policy-based controls, time-bound assignments, approvals, and comprehensive auditability.

Microsoft’s SCI/Learn content describes Azure AD (now Microsoft Entra ID) as a cloud service, not something you install on-premises. The docs state Azure AD is a “cloud-based identity and access management service” that “helps your employees sign in and access resources.” This clarifies the third statement (IAM service) as Yes, and the first statement (on-premises deployment) as No, because the native on-prem directory is Windows Server Active Directory, whereas Azure AD runs in Microsoft’s cloud and can be synchronized with on-prem AD via tools like Azure AD Connect.

Microsoft also explains licensing/availability: the service comes in several editions, and the free/Office 365 tier is included with many suites. The documentation explicitly notes that Azure AD is “included with subscriptions such as Microsoft 365” (formerly Office 365) and provides tenant-wide identity for those services. Therefore, stating that Azure AD is provided as part of a Microsoft 365 subscription is Yes.

In summary: Azure AD/Entra ID is a cloud identity and access management platform; it’s not deployed on-premises, and Microsoft 365 subscriptions include an Azure AD tenant/edition to manage users, groups, apps, and access policies.

Microsoft’s SCI documentation explains that Information Barriers (part of Microsoft Purview and enforced across Microsoft Teams, SharePoint, OneDrive, and Exchange) are used to “restrict communication and collaboration between specific groups of users to avoid conflicts of interest or to comply with regulatory obligations.” Policies define which segments can communicate and which must be blocked, and they control chat, channel conversations, meetings, file sharing, and e-discovery visibility between the defined segments. Typical scenarios include preventing communication between investment banking and research, or between merger deal teams and the rest of the organization. This is fundamentally different from other features: Sensitivity label policies classify and protect content but do not block who can talk to whom; Customer Lockbox manages Microsoft engineer access to customer data during support; and Privileged Access Management (PAM) limits admin task approvals and elevated operations, not end-user communication. When the requirement is to “restrict communication and the sharing of information between members of two departments,” Microsoft prescribes Information Barriers as the purpose-built capability to enforce those restrictions across collaboration workloads.

In Microsoft Purview, eDiscovery (Standard) (formerly Core eDiscovery) provides case management, holds, searches, and export. Microsoft describes that eDiscovery (Standard) lets investigators “search across Microsoft 365 data sources and export the results,” including options to export native files, email to PST, and CSV reports for further review. It uses the same Content search engine and supports selecting locations such as **Exchange Online mailboxes, Microsoft 365 Groups, Teams, SharePoint sites, OneDrive accounts, and Exchange public folders,” enabling organization-wide discovery that includes public folders.

Integration for end-to-end legal review from Microsoft Purview Insider Risk Management is specifically aligned to eDiscovery (Premium) (formerly Advanced eDiscovery). Insider Risk cases provide actions like “Send to eDiscovery (Premium)” to create a review set and apply advanced processing, analytics, and review workflows. Those advanced integrations (review sets, analytics, legal hold communications) are not features of eDiscovery (Standard). Therefore: exporting results (Yes), Insider Risk integration (No, as it targets eDiscovery Premium), and searching Exchange Online public folders (Yes) are the correct evaluations based on the Microsoft Security, Compliance, and Identity study materials for Purview eDiscovery capabilities.

Sensitivity labels can apply content markings (headers, footers, and watermarks) to documents and emails, and can also enforce encryption and access controls. When configuring a label, you can specify the watermark text, size, and placement so that protected content is visibly marked according to your organization’s policy.

Compliance score

In Microsoft Purview Compliance Manager, the Compliance score is the metric that measures an organization’s progress in completing improvement actions that help reduce compliance and data-protection risk. Microsoft describes this score as a quantifiable indicator of your compliance posture across regulatory standards and data-protection baselines. Each recommended improvement action in Compliance Manager is assigned points; completing, testing, and attesting to those actions increases your score. Points are weighted by risk, so implementing controls with greater impact on reducing risk contributes more to the overall score. Microsoft also clarifies that the Compliance score is an operational progress indicator, not a certification or a legal determination of compliance, but it enables organizations to track, prioritize, and demonstrate the implementation of controls across frameworks such as GDPR, ISO/IEC 27001, NIST 800-53, and Microsoft Data Protection Baselines.

By contrast, Microsoft Purview compliance portal reports provide reporting and insights (for example, DLP, Insider Risk, Audit) but do not calculate a unified risk-reduction progress metric. The Trust Center is Microsoft’s public site for transparency about security, privacy, and compliance commitments, and Trust Documents (auditor reports, certifications, and white papers) supply evidence and reference materials. Neither of these provide an in-product, points-based measure of progress—Compliance score does.

In Microsoft’s Security, Compliance, and Identity guidance, Microsoft Defender for Identity (formerly Azure ATP) is explicitly described as “a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats.” The service deploys lightweight sensors on domain controllers to collect and analyze Active Directory (AD) authentication and activity data. Using behavioral analytics and built-in detections, it helps security teams surface indicators of compromised identities, lateral movement, pass-the-ticket/NTLM relay, and other identity-driven attack techniques. Documentation further explains that Defender for Identity “profiles and learns entity behavior,” correlates events, and raises security alerts with investigation timelines and evidence to accelerate incident response in hybrid environments.

This precisely matches the sentence in the prompt: the only Microsoft security product whose core purpose is to use on-premises AD signals to identify, detect, and investigate advanced threats is Defender for Identity. By contrast, Microsoft Defender for Endpoint focuses on endpoint prevention and EDR; Microsoft Defender for Office 365 protects email and collaboration workloads from phishing and malware; and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) operates as a CASB for app discovery, control, and session monitoring. Therefore, aligning with SCI study guides and product descriptions, the correct completion is Microsoft Defender for Identity.

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization’s progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft’s official documentation on Compliance Manager, the Compliance score “helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards.” Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score “assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities.”

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.

In Microsoft’s Security, Compliance, and Identity portfolio, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integrates directly with Microsoft Entra Conditional Access to provide Conditional Access App Control—Microsoft’s real-time session control. Microsoft’s documentation describes this capability as enabling organizations to “monitor and control user sessions in real time” and to “protect downloads, restrict uploads, block copy/paste and print, and apply access or session policies” for sanctioned and unsanctioned applications. The enforcement is achieved through a reverse-proxy session that is invoked by Conditional Access policy decisions, allowing continuous inspection and dynamic controls after authentication.

By contrast, other options in the list do not offer real-time session enforcement via Conditional Access. Azure AD Privileged Identity Management (PIM) focuses on just-in-time role activation, approval workflows, and access reviews for privileged accounts—not session control of app usage. Microsoft Defender for Cloud provides cloud security posture management and workload protection across Azure, multicloud, and hybrid resources—again, not Conditional Access–based user session governance. Microsoft Sentinel is a SIEM/SOAR solution used for ingestion, detection, investigation, and response; it does not apply Conditional Access policies to control user sessions. Therefore, the service that can use Conditional Access policies to control sessions in real time is Microsoft Defender for Cloud Apps through Conditional Access App Control.

In the Microsoft 365 security center (now Microsoft 365 Defender), incidents are used to triage and investigate threats across the tenant. Microsoft’s security documentation explains that “an incident is a collection of related alerts” that are automatically correlated to give analysts a single, end-to-end view of an attack. Within each incident, the portal surfaces impacted assets such as devices, users, mailboxes, and applications, enabling responders to quickly identify which endpoints are affected by a given alert and to take response actions (isolate device, collect investigation package, run AV scan, etc.). This design allows security teams to move beyond individual alerts and instead work a consolidated investigation that lists affected devices in the incident’s Evidence & Response/Assets sections, complete with alert timelines and device details.

By comparison, Secure Score measures the organization’s security posture and recommendations; policies are configuration/enforcement objects (e.g., Defender or compliance policies) and are not the investigative view for alerts; classifications relate to information protection labeling rather than alert investigation. Therefore, to identify devices that are affected by an alert, you use the Incidents experience in Microsoft 365 Defender, where correlated alerts show the devices involved alongside the entities and evidence connected to the threat.

Microsoft states that Azure Bastion is a fully managed PaaS service that provides “secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL” and “eliminates the need to expose public IP addresses on your VMs.” With Bastion, users open the VM blade in the Azure portal and launch an in-browser RDP or SSH session; no separate RDP or SSH client is required because the session is proxied through Bastion using HTTPS/TLS. The platform is designed to be agentless and browser-based, providing connectivity without VPN or jump hosts and enforcing least-exposure by keeping management ports off the internet. While traditional tools such as Remote Desktop Connection or an SSH client are common for direct access, Bastion’s prescribed access method in Microsoft guidance is to initiate the session from the Azure portal. PowerShell remoting is unrelated to Bastion’s web-based brokering. Therefore, to connect to an Azure virtual machine by using Azure Bastion, you use the Azure portal.

In Microsoft 365, the unified audit log retention depends on the audit tier included with the subscription. Current SCI/Compliance documentation states that Audit (Standard)—which is available with Microsoft 365 E3—retains audit records for 180 days. The docs describe that organizations with E3 receive “up to 180 days of audit log retention” for user and admin activities captured in the unified audit pipeline. Longer retention (for example 365 days and beyond with customizable policies) is part of Audit (Premium) features generally associated with E5/E5 Compliance. Because the scenario specifies a Microsoft 365 E3 subscription using the unified audit log and Basic/Standard Audit, the retention period for audit records is 180 days.

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Microsoft describes Azure Policy as the built-in governance service that lets you “create, assign, and manage policies” to enforce organizational standards and “assess compliance at scale.” It continuously evaluates existing resources for compliance and can take effect-enforcement actions such as deny, append, or modify during create/update operations. Azure Policy “helps you audit and enforce your standards” across subscriptions and resource groups, and its compliance dashboard shows overall and per-policy compliance states for all resources. By contrast, Azure Blueprints focuses on orchestrating deployments of artifacts (such as policy assignments, role assignments, and templates) for new environments; Microsoft guidance positions Policy as the engine that evaluates and enforces those standards on existing resources. Sentinel is a SIEM/SOAR for security analytics, and Anomaly Detector is a Cognitive Service—not a governance/compliance enforcement tool. Therefore, to assess compliance and enforce standards for existing Azure resources, the prescribed control plane is Azure Policy with its evaluation cycle, initiative (policy set) support, and remediation tasks.

In Microsoft’s shared responsibility model, responsibilities vary by service type. For IaaS (for example, Azure Virtual Machines), Microsoft states that it is responsible for protecting and maintaining the cloud infrastructure that runs customer workloads, while customers secure what they deploy in that infrastructure. Microsoft’s guidance explains that Microsoft “operates and secures the datacenters, physical hosts, networking, and the virtualization fabric,” and handles the underlying platform maintenance, including “hardware and firmware” that support those hosts. Conversely, customers are responsible for what runs inside their VM: “the guest operating system (including updates and security configuration), applications, identity, and data.”

Applied to the options in this question:

Updating the operating system and updating installed applications are customer tasks because they are inside the guest VM.

Configuring permissions for shared folders is also a customer responsibility because it’s an OS/application configuration within the guest.

Updating the firmware of the disk controller belongs to Microsoft, because firmware and hardware on the physical hosts (including storage controllers) are part of the infrastructure of the cloud that Microsoft manages and secures.

This aligns with SCI study materials that summarize: Microsoft secures “the security of the cloud” (physical datacenter, hosts, network, and hypervisor/firmware), while customers secure “security in the cloud” (guest OS, apps, and data).

 Azure DDoS Protection Standard protects against man-in-the-middle (MITM) attacks. = No

 Azure DDoS Protection Standard is enabled by default in an Azure subscription. = No

 Azure DDoS Protection Standard protects against protocol attacks. = Yes

Microsoft’s security guidance for Azure states that DDoS Protection is designed to defend internet-facing resources from distributed denial-of-service events at the network and transport layers (L3/L4). The documentation explains that DDoS Protection Standard provides “adaptive, real-time tuning and automatic attack mitigation for volumetric and protocol attacks (for example, SYN/ACK floods, UDP amplification, and other L3/L4 patterns).” It further clarifies that DDoS Protection is not intended to address attacks like man-in-the-middle (MITM), which are interception/alteration threats rather than traffic-exhaustion scenarios.

Regarding enablement, Microsoft notes that Azure DDoS Protection Standard is not enabled by default. The platform provides “basic DDoS protection for all Azure public IP addresses,” but the Standard plan must be explicitly enabled on a virtual network and then applied to public IP resources in that VNet to gain its enhanced telemetry, mitigation policies, and cost-protection benefits.

Putting this together: (1) MITM is out of scope for DDoS Protection Standard → No; (2) Standard is opt-in, not automatic → No; (3) Protection against protocol attacks is a primary capability of the Standard plan → Yes.

Within Microsoft Purview, Insider Risk Management is the solution that is explicitly designed to detect activities such as IP theft and data leakage. Microsoft describes it as a compliance solution that correlates many user and system signals to identify potentially malicious or inadvertent insider risks, including leaks of sensitive data and data spillage.

Organizations create Insider Risk Management policies that watch for risky behaviors such as unusual file downloads, copying data to removable media, or sharing sensitive information to external locations. When configured with templates like Data leaks, these policies can use high-severity alerts from Data Loss Prevention (DLP) policies as triggers, so that suspected data-leak events automatically generate alerts and cases for investigation. This workflow lets investigators quickly triage, investigate, and remediate possible data-exfiltration incidents.

The other options serve different purposes. Compliance Manager evaluates and tracks compliance posture against regulations and internal controls, rather than monitoring user behavior for leaks. Communication compliance focuses on inappropriate or non-compliant messages (such as harassment or improper sharing in chats and email). eDiscovery is used to find and preserve existing content for legal or investigative cases, not for proactive detection of leakage as it occurs.

Therefore, the Microsoft Purview solution used to identify data leakage is Insider Risk Management.

Azure Firewall is a managed, cloud-based network security service designed to secure traffic inside and across Azure Virtual Networks. Microsoft describes Azure Firewall as a stateful firewall that “protects Azure Virtual Network resources” by enforcing network and application rules, central logging, and threat intelligence–based filtering. Because it is deployed into a VNet/subnet (often as the hub in a hub-and-spoke), it directly governs East/West and North/South flows to workloads such as Azure virtual machines and platform services reachable through the VNet, using DNAT/SNAT and rule collections. Microsoft guidance highlights capabilities to “centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks,” and to filter traffic for peered VNets, branch connections (VPN/ExpressRoute), and internet traffic. These capabilities explicitly map to protecting Azure virtual networks and the VMs and subnets inside them. In contrast, Azure AD users, Exchange Online inboxes, and SharePoint Online sites are SaaS/identity resources protected by Microsoft Entra controls, Exchange/SharePoint security, and Purview/Defender for Office 365—not by a VNet firewall. Therefore, the Azure Firewall–protectable resource types among the options are Azure virtual machines and Azure virtual networks.