Microsoft SC-900 Microsoft Security Compliance and Identity Fundamentals Exam Practice Test

Microsoft’s identity guidance classifies social identity services (e.g., GitHub, Google, Facebook) as cloud-based identity providers that can be used for external identities with Microsoft Entra ID. In this model, GitHub functions as an IdP using OAuth/OpenID Connect to authenticate users and issue tokens that applications or Entra ID can accept. Federation in Microsoft terms is the trust relationship that allows SSO across organizational boundaries and with multiple identity providers, such as Active Directory Federation Services (AD FS), SAML, or OpenID Connect providers, so users can authenticate once and access multiple apps without repeated sign-ins.

Crucially, SCI materials distinguish roles: an identity provider primarily handles authentication (proving who the user is and issuing claims/tokens). Authorization—deciding what the user can do—is enforced by the application or resource (often using roles/claims from the IdP). Auditing spans multiple planes: the IdP provides sign-in and audit logs, while applications and other services maintain their own activity logs. Therefore, it is incorrect to say a central IdP “manages all modern authentication services” including authorization and auditing; those responsibilities are shared across the identity platform and the relying applications/resources.

Sensitive Information Types (SITs) support regular expressions (regex), which allow for custom pattern matching to detect sensitive content like credit card numbers, social security numbers, or custom identifiers. Regex is fundamental to the detection logic within SITs.

SCI Extract: "Sensitive information types use pattern matching techniques, including regular expressions, keyword matches, and checksums to identify sensitive data."

In Microsoft identity terminology, authentication is the step that proves who the user is when they attempt to sign in. Microsoft Learn defines it plainly: “Authentication is the process of proving the identity of a user, device, or service.” By contrast, “Authorization is the process of determining what a user, device, or service can do.” During sign-in to Microsoft Entra ID (formerly Azure AD), “the identity provider validates credentials and, upon successful authentication, issues tokens that applications use to grant access.” Microsoft further explains the available methods: “Microsoft Entra ID supports multiple authentication methods, including passwords, multi-factor authentication, FIDO2 security keys, certificate-based authentication, and federated authentication.”

Auditing and administration are not the mechanisms that verify identity at sign-in. Auditing “records security-relevant events for investigation and compliance,” while administration “refers to configuring and managing identities, access policies, and settings.” Therefore, in the sentence “When users sign in, _____ verifies their credentials to prove their identity,” the correct completion is authentication, because it is the control that validates the user’s credentials and establishes identity before any authorization decisions are made.

Microsoft defines Microsoft Entra ID Governance as the capability to manage “the identity lifecycle, access lifecycle, and privileged access” so organizations can ensure “the right people have the right access to the right resources at the right time.” The product family explicitly lists the following core features: “Lifecycle workflows, Entitlement management, Access reviews, and Privileged Identity Management (PIM).” Microsoft further explains that PIM helps you “manage, control, and monitor access within your organization,” enabling just-in-time elevation, approval workflows, MFA/justification on activation, and detailed auditing for privileged roles. By contrast, the other options are separate Microsoft Entra offerings outside ID Governance: Verifiable credentials (Microsoft Entra Verified ID) issues and validates digital credentials; Permissions Management (Microsoft Entra Permissions Management) provides CIEM for multi-cloud permissions; and Identity Protection offers risk-based detection and policies for sign-ins and users. Therefore, among the choices, the feature that is included in Microsoft Entra ID Governance is Privileged Identity Management (PIM), which is specifically called out by Microsoft as a pillar of ID Governance and is used to govern privileged access with policy-based controls, time-bound assignments, approvals, and comprehensive auditability.

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

Microsoft states that Identity Protection is used to “detect potential vulnerabilities affecting your organization’s identities, configure automated responses, and investigate suspicious actions related to your organization’s identities.” It evaluates user risk and sign-in risk using detections such as “leaked credentials, anonymous IP address, unfamiliar sign-in properties, [and] impossible travel.” These built-in detections confirm that the service can detect whether valid user credentials have been found in public or criminal datasets—commonly referred to as leaked credentials—thereby reducing identity compromise risk.

Identity Protection includes policy controls that “automate the response to detected risks,” specifically the User risk policy and Sign-in risk policy. Microsoft describes that these policies can “require password change when user risk is detected” and “require multi-factor authentication when sign-in risk is detected.” Therefore, Identity Protection can invoke MFA based on risk as part of Conditional Access–backed risk policies.

However, Identity Protection does not perform group lifecycle management. Microsoft positions group membership automation under Azure AD dynamic groups/Identity Governance, not Identity Protection. Consequently, adding users to groups based on risk level is not a function of Identity Protection, which focuses on detection, risk evaluation, and policy-driven remediation (e.g., MFA or password reset), not group assignment.

 Compliance Manager tracks only customer-managed controls. No

 Compliance Manager provides predefined templates for creating assessments. Yes

 Compliance Manager can help you assess whether data adheres to specific data protection standards. No

Microsoft Purview Compliance Manager is described as a feature that “helps you manage your organization’s compliance requirements” by giving you assessments, improvement actions, and a compliance score that “measures your progress in completing recommended actions” aligned to regulations and standards. The service does not track only customer-managed controls; Microsoft’s documentation clarifies that Compliance Manager includes “Microsoft-managed controls and customer-managed controls,” and it tracks both within each assessment to show overall posture. It also provides prebuilt (predefined) assessment templates for common regulations and industry standards so organizations can “create assessments from templates” such as GDPR, ISO/IEC 27001, and the Data Protection Baseline.

Importantly, Compliance Manager evaluates control implementation and improvement actions mapped to requirements; it does not scan or classify individual data to determine whether specific data items “adhere” to a standard. Instead, it helps you assess organizational compliance posture by tracking the status of controls, assigning actions, and recording evidence. Thus:

“Tracks only customer-managed controls” → No (it tracks Microsoft-managed and customer-managed).

“Provides predefined templates for creating assessments” → Yes (prebuilt templates are a core feature).

“Helps you assess whether data adheres to specific data protection standards” → No (it measures control/compliance posture, not data-level adherence).

Box 1: No

Compliance Manager tracks Microsoft managed controls, customer-managed controls, and shared controls. Box 2: Yes

Box 3: Yes

Explanation

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list.

YES YES YES

Microsoft Entra Conditional Access is explicitly described by Microsoft as a system of policies that act as if-then statements: if a user wants to access a resource, then certain controls must be satisfied. These are called Conditional Access policies, and they combine assignments and access controls to enforce organizational requirements.

Among the configurable conditions in a policy is Device platforms. The documentation explains that Conditional Access identifies the device platform (Android, iOS, Windows, macOS, Linux) from the user agent and notes that this condition is typically used with grant controls such as block access or in combination with other controls. This allows administrators to block or allow access based specifically on the operating system of the user’s device.

For scoping, the Users and groups assignment lets you include or exclude groups instead of individual users. Microsoft’s Entra groups overview states that you can create a Conditional Access policy that applies to a group, and that Entra supports both security groups and Microsoft 365 groups, while another architecture article notes that either a security group or a Microsoft 365 Group can be used in Conditional Access policies.

 Enabling multi-factor authentication (MFA) increases the Microsoft Secure Score. Yes

 A higher Microsoft Secure Score means a lower identified risk level in the Microsoft 365 tenant. Yes

 Microsoft Secure Score measures progress in completing actions based on controls that include key regulations and standards for data protection and governance. No

Microsoft Secure Score is a measurement of an organization’s security posture in Microsoft 365. The SCI materials explain that Secure Score is calculated from improvement actions such as requiring multi-factor authentication for users, especially administrators. When you configure and enforce MFA, you complete one of these recommended actions, and Secure Score awards points, so enabling MFA directly increases Microsoft Secure Score.

The documentation further states that Secure Score reflects how many recommended security controls you have implemented. A higher score indicates that more recommended controls are in place, which reduces exposure to common threats and therefore represents a lower residual risk level in the tenant. While it is not an absolute guarantee of security, it is an indicator that risk has been reduced compared to a lower score.

The third statement, however, describes the purpose of Microsoft Purview Compliance Manager and its compliance score, which tracks progress against controls mapped to regulations and standards for data protection and governance. Secure Score does not measure alignment with regulatory frameworks; it is focused on technical security configurations and behaviors in Microsoft 365. Therefore, that statement is No.

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) extends DLP controls directly to supported desktops. Microsoft states: “Endpoint DLP extends the activity monitoring and protection capabilities of DLP to Windows 10 (and later) devices.” The platform coverage is explicitly broadened to Apple desktops: “Endpoint DLP for macOS enables the same set of DLP capabilities on macOS devices (supported versions) so you can monitor and protect sensitive items across Windows and Mac endpoints.” At the same time, Microsoft clarifies the mobile scope: “Endpoint DLP is supported on Windows and macOS devices.” This means Android is not a supported operating system for Endpoint DLP (mobile data protection on Android uses different controls such as app protection policies via Microsoft Intune and conditional access). Therefore, the correct pairing of operating systems for Endpoint DLP support is Windows 10 and newer, and macOS—not Android. This aligns with Microsoft’s Endpoint DLP platform support guidance and the intended desktop-focused endpoint protections for activities such as file copy, print, upload, and removable media interactions.

In Microsoft Purview, eDiscovery (Standard) (formerly Core eDiscovery) provides case management, holds, searches, and export. Microsoft describes that eDiscovery (Standard) lets investigators “search across Microsoft 365 data sources and export the results,” including options to export native files, email to PST, and CSV reports for further review. It uses the same Content search engine and supports selecting locations such as **Exchange Online mailboxes, Microsoft 365 Groups, Teams, SharePoint sites, OneDrive accounts, and Exchange public folders,” enabling organization-wide discovery that includes public folders.

Integration for end-to-end legal review from Microsoft Purview Insider Risk Management is specifically aligned to eDiscovery (Premium) (formerly Advanced eDiscovery). Insider Risk cases provide actions like “Send to eDiscovery (Premium)” to create a review set and apply advanced processing, analytics, and review workflows. Those advanced integrations (review sets, analytics, legal hold communications) are not features of eDiscovery (Standard). Therefore: exporting results (Yes), Insider Risk integration (No, as it targets eDiscovery Premium), and searching Exchange Online public folders (Yes) are the correct evaluations based on the Microsoft Security, Compliance, and Identity study materials for Purview eDiscovery capabilities.

In Microsoft cloud identity, access to Azure resources follows the classical order of authenticate, then authorize. Microsoft Learn defines the two steps clearly: “Authentication is the process of establishing the identity of a person or service,” while “Authorization is the process of determining what a person or service can do.” In an Azure sign-in, Microsoft Entra ID (formerly Azure AD) first validates the user’s credentials (password, MFA, Conditional Access, device compliance, risk evaluation). Upon success, a security token is issued that proves the user’s identity. Only after this identity is established does Azure proceed to authorization, where the Azure Resource Manager evaluates role-based access control (RBAC) assignments to decide what actions are allowed. SCI guidance emphasizes this sequence for Zero Trust: “Verify explicitly” (authenticate with strong signals) and then “use least privilege access” (authorize by RBAC or Privileged Identity Management). Therefore, when users sign in to the Azure portal, the first step is authentication—verifying who they are. The subsequent step is authorization, which determines what resources and operations they can access based on roles, scope, and policy. This ordering underpins secure identity and access management across Microsoft 365 and Azure.

Microsoft’s identity platform (Microsoft Entra ID, formerly Azure AD) supports built-in and custom directory roles. The official guidance states that you can “create your own custom roles to grant permissions for management of Microsoft Entra resources,” and those roles consist of specific role permissions that you select to tailor least-privilege administration. The documentation also lists Global administrator (formerly Company Administrator) as a built-in role that “has access to all administrative features” and can delegate role assignments, reset passwords for all users, and manage identity settings across the tenant. Regarding assignments, Microsoft is explicit that role assignment is many-to-many: administrators can “assign one or more roles to a user,” and the user’s effective permissions are the union of the privileges from all assigned roles. Consequently, (1) creating custom roles is supported (Yes), (2) Global administrator is indeed a defined Azure AD/Microsoft Entra role (Yes), and (3) a user being limited to only one role is incorrect (No) because multiple role assignments to the same user are permitted and commonly used to implement least privilege and separation of duties.

Box 1: Yes

Azure AD supports custom roles.

Box 2: Yes

Global Administrator has access to all administrative features in Azure Active Directory. Box 3: No

In Microsoft identity and access management terminology, federation refers to the establishment of a trust relationship between identity providers, which enables single sign-on (SSO) across different organizations or platforms.

According to the Microsoft Security, Compliance, and Identity (SCI) learning path, particularly in the SC-900 and SC-300 certifications, the following definition is provided:

“Federation is a means of establishing trust between two identity systems. This trust allows users from one domain to access resources in another domain without needing to authenticate again, typically using SAML, WS-Federation, or OAuth protocols.”

This concept is essential in cross-organization SSO scenarios, such as enabling users from one enterprise (or identity provider) to authenticate with services hosted in another, using existing credentials.

SCI documentation further states:

“Single sign-on (SSO) between multiple identity providers is enabled through federation protocols, which delegate authentication and allow token-based identity propagation across systems.”

The other options are not accurate in this context:

Integration is a vague term and not specific to SSO configuration.

Password hash synchronization and pass-through authentication are Azure AD authentication methods used for hybrid identity with on-premises AD, not for federating with external identity providers.

✅ Therefore, SSO configured between multiple identity providers is best classified as an example of federation.

Microsoft 365 Insider Risk Management follows a clear operational flow: Triage → Investigate → Action. Microsoft’s guidance explains that the Alerts dashboard is used first to review and filter alerts, prioritize by severity, and decide what needs deeper review—this is the Triage stage. The documentation describes triage activities as reviewing alert details, applying filters, and determining whether an alert should be escalated for investigation.

When an alert warrants deeper inquiry, analysts move to Investigate, where they create cases, add relevant alerts and users, and examine activity timelines and related signals. Microsoft states that cases are the vehicle for structured investigations, allowing analysts to group evidence and manage workflow from the Case dashboard.

After investigation, organizations proceed to Action, where insider risk controls allow response steps such as sending user policy reminders, escalating to HR or legal, or taking other governance actions. Microsoft describes that actions can include notifying the user with a policy reminder to reduce future risk or applying stronger controls, all of which are part of the response phase.

Accordingly, the correct matches are: Triage → Review and filter alerts, Investigate → Create cases in the Case dashboard, and Action → Send a reminder of corporate policies to users.

In the Microsoft Cloud Adoption Framework (CAF) for Azure, the methodology is organized into sequential stages that guide an organization from initial intent through operations. Microsoft describes the flow as: “Strategy → Plan → Ready → Adopt → Govern → Manage.” The guidance explains that before building landing zones or preparing environments (Ready), organizations should complete the Strategy and Plan work. Microsoft states that the framework “helps you create and align your business strategy, define business outcomes, and justify cloud adoption” in the Strategy stage; then, in Plan, you “translate that strategy into an actionable adoption plan, rationalize portfolios, and prepare a cloud adoption backlog.” Only after these two stages does the Ready phase occur, where you “prepare your cloud environment (landing zone) to host the workloads.”

Additionally, CAF emphasizes that Govern and Manage are ongoing disciplines that operate alongside and after adoption rather than preceding Ready: “Govern and Manage provide iterative guardrails and operational baselines that evolve as you adopt more workloads.” Therefore, the two phases addressed before the Ready phase are Define Strategy and Plan, aligning with Microsoft’s prescribed order and intent of the Cloud Adoption Framework methodology.

Microsoft 365 Advanced Audit is a capability of the Microsoft Purview audit solution that enhances auditing by adding additional high-value audit events, extended retention (up to one year by default, longer with add-ons), and intelligent insights. Microsoft documentation explains that Advanced Audit provides Exchange-specific events such as “MailItemsAccessed” and “SearchQueryInitiated”, which log when users access mailbox items and when they initiate a search in Exchange (including Outlook on the web). These records include who performed the action, when it occurred, the client/app used, and other metadata that helps investigations and forensics.

Advanced Audit is not a billing tool; billing information is handled separately in Microsoft 365 admin/billing portals and isn’t part of the audit schema. Likewise, audit logs do not expose message content; they capture activity metadata (actor, operation, workload, timestamp, and parameters) rather than the actual body of emails or file contents. The purpose is to improve auditability and investigation without revealing user content. Therefore, statements about viewing billing details or email contents are No, while identifying mailbox search actions (e.g., a user using the Outlook on the web search bar) is Yes, because Advanced Audit includes the SearchQueryInitiated (Exchange) event that records such activity.

In the Microsoft 365 security center (now Microsoft 365 Defender), incidents are used to triage and investigate threats across the tenant. Microsoft’s security documentation explains that “an incident is a collection of related alerts” that are automatically correlated to give analysts a single, end-to-end view of an attack. Within each incident, the portal surfaces impacted assets such as devices, users, mailboxes, and applications, enabling responders to quickly identify which endpoints are affected by a given alert and to take response actions (isolate device, collect investigation package, run AV scan, etc.). This design allows security teams to move beyond individual alerts and instead work a consolidated investigation that lists affected devices in the incident’s Evidence & Response/Assets sections, complete with alert timelines and device details.

By comparison, Secure Score measures the organization’s security posture and recommendations; policies are configuration/enforcement objects (e.g., Defender or compliance policies) and are not the investigative view for alerts; classifications relate to information protection labeling rather than alert investigation. Therefore, to identify devices that are affected by an alert, you use the Incidents experience in Microsoft 365 Defender, where correlated alerts show the devices involved alongside the entities and evidence connected to the threat.

Microsoft Entra Conditional Access evaluates signals to make real-time access decisions. Microsoft describes it as bringing “signals together to make decisions and enforce organizational policies,” where administrators choose controls such as Block access, Require multi-factor authentication, Require device to be marked as compliant, or Require hybrid Azure AD joined device. Because MFA is only one of several grant controls, it is incorrect that policies always enforce MFA; they can also simply block, allow, or require other conditions.

Location is a first-class condition. Microsoft states you can define named locations (by countries/regions or IP ranges) and then use them in policy conditions to block or grant access. A common scenario is “Block access from specific locations” or require additional controls when a sign-in originates from an untrusted network. Therefore, Conditional Access can block access to an application based on user location.

Finally, Conditional Access targets users, groups, workload identities, and cloud apps regardless of device join state. Device-related conditions and filters are optional; policies are not limited to “Azure AD-joined devices.” Controls like Require device to be marked as compliant or Require Hybrid Azure AD joined device are only enforced if configured. Hence, Conditional Access does not only affect users on Azure AD-joined devices.

Microsoft Purview Compliance Manager organizes improvement actions into control action subcategories that mirror core security control types used throughout Microsoft Learn’s SCI content: preventative, detective, and corrective. In the SC-900 security fundamentals guidance, Microsoft describes these control types as follows: “Preventive controls are intended to deter or stop an attack from occurring (for example, encryption and access controls). Detective controls are used to discover and detect attacks that are in progress or have occurred (for example, logging, auditing, and monitoring). Corrective controls are used to limit the damage caused by an incident and to return systems to normal operations (for example, configuration changes, incident response, and recovery activities).”

Applying those definitions to Compliance Manager actions: Encrypt data at rest is a preventative control because it deters exposure by protecting data before an event. Perform a system access audit is a detective action because auditing and reviewing access logs are used to discover and detect misuse or anomalies. Make configuration changes in response to a security incident is a corrective action because it remediates and restores the environment after detection, aligning with Compliance Manager’s corrective action guidance. These mappings reflect how Compliance Manager measures completion of improvement actions that reduce compliance risk through the right mix of preventative, detective, and corrective controls.

Microsoft Purview Data Loss Prevention (DLP) defines supported service locations for policy enforcement. The Microsoft Learn/SCI materials state that DLP policies “help protect sensitive information across Microsoft 365 services” and can be scoped to common workloads. In the DLP overview, Microsoft explicitly lists the core cloud locations: “You can create DLP policies that protect content in Exchange Online, SharePoint Online, and OneDrive for Business.” The Teams workload is also included: “DLP can monitor and take protective actions on Microsoft Teams chat and channel messages.” These statements confirm that applying a DLP policy to Exchange Online email (A), OneDrive accounts (B), and Teams chat and channel messages (D) is supported.

By contrast, Exchange Online public folders (C) are not listed among supported DLP locations in the SCI documentation, and Viva Engage (formerly Yammer) (E) is not a standard Microsoft Purview DLP location in the core list above (Viva Engage has separate governance and communication compliance controls). Therefore, from the supported locations enumerated in Microsoft’s DLP guidance, the correct answers are Exchange Online email, OneDrive accounts, and Teams chat and channel messages.

When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.

Microsoft’s Conditional Access (part of Microsoft Entra ID) evaluates multiple signals to make access decisions. The official description lists typical signals such as “user or group membership, IP location information, device state, application, and real-time risk.” The device state element explicitly refers to conditions like “compliant or hybrid Azure AD joined devices,” allowing policies that grant or block access—or require extra controls—based on whether a device meets compliance/registration requirements.

Regarding evaluation timing, Microsoft’s guidance states that Conditional Access “policies are enforced after the first-factor authentication is completed.” This means the engine needs the user’s primary sign-in context (who the user is and how they authenticated) to evaluate the conditions and then decide whether to allow, block, or require additional controls. Therefore, the statement that policies apply before first factor is not correct.

Finally, Conditional Access includes grant controls such as “Require multi-factor authentication,” and policies can be scoped to specific cloud apps or actions. As a result, you can target a particular application and require MFA when a user attempts to access it, satisfying application-specific risk mitigation while preserving user productivity.

In Microsoft’s Security, Compliance, and Identity guidance, the Microsoft Service Trust Portal (STP) is identified as the public destination where Microsoft publishes independent audit reports, compliance certifications, assessment reports, and trust-related documentation for Microsoft cloud services. The documentation explains that the STP provides customers with access to materials such as SOC 1/SOC 2 reports, ISO/IEC certifications, audit summaries, and compliance guides, enabling organizations to evaluate Microsoft’s controls and map them to their own regulatory requirements. The STP is expressly positioned for transparency and due diligence, allowing customers and auditors to review Microsoft’s compliance posture and understand how Microsoft manages security, privacy, and compliance across its cloud platforms.

By contrast, the Microsoft Purview compliance portal is a tenant-admin portal used to configure and manage compliance solutions (e.g., DLP, Information Protection, eDiscovery, Insider Risk, Compliance Manager) within your organization—not a public repository of Microsoft’s audit artifacts. The Microsoft Purview governance portal focuses on data governance and cataloging scenarios. The Azure EA portal is used for Enterprise Agreement billing and usage management. Therefore, the public site for publishing audit reports and other compliance-related information for Microsoft cloud services is the Microsoft Service Trust Portal.

Azure DDoS Protection Standard is a platform-native service designed to mitigate distributed denial of service attacks against Azure-hosted workloads that expose public IP addresses. Microsoft’s guidance explains that DDoS Protection Standard is “enabled on a virtual network” and, once enabled, “automatically protects resources within the virtual network with public IP addresses” (for example, Application Gateway, Azure Load Balancer, and virtual machines). The service is “tuned to the traffic patterns of the protected resources” and provides adaptive real-time mitigation with telemetry and attack analytics.

Critically, the scope of enablement is at the virtual network (VNet) level, not at the resource group level, and it does not apply to Azure Active Directory (Microsoft Entra ID) users or applications, which are identity services rather than network resources. Microsoft’s materials emphasize that by associating a DDoS protection plan to a VNet, you “protect all public IPs assigned to resources in that VNet”, giving layered protection alongside Azure’s always-on basic protections.

Therefore, the only option that correctly completes the sentence is virtual networks, because Azure DDoS Protection Standard is configured on, and provides coverage for, resources inside a VNet that have public endpoints—exactly matching Microsoft’s SCI/Azure security documentation.

In Microsoft Entra ID (formerly Azure AD), Managed Identities for Azure resources are the built-in way for an Azure resource to authenticate to other Azure services without storing credentials. Microsoft’s documentation states: “Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory.” It further distinguishes the two types and clarifies the one used here: “A system-assigned managed identity is enabled directly on an Azure service instance. When enabled, Azure creates an identity for the instance in Azure AD.” Microsoft also emphasizes the lifecycle binding: “This identity is tied to the lifecycle of that service instance and is deleted when the resource is deleted.” Once enabled, the resource can call Azure services by requesting tokens: “You can use this identity to obtain Azure AD tokens for authentication to services that support Azure AD authentication.”

Because the prompt explicitly says “system-assigned”, the correct completion is managed identity. The other options do not match Microsoft’s definition: a user identity refers to a human user; a service principal is the underlying object applications use but isn’t what Azure terms “system-assigned”; and an Azure AD–joined device pertains to device registration, not resource-to-service authentication. Therefore, the sentence correctly reads: “An Azure resource can use a system-assigned managed identity to access Azure services.”

The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

Microsoft describes Windows Hello for Business (WHfB) as replacing passwords with a device-bound credential: “Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or a PIN.” WHfB authenticators are biometric gesture or PIN unlocking an asymmetric key stored on the device (typically in the TPM). Microsoft clarifies that the PIN is not a password and is “local to the device” and used to unlock the user’s private key. Consequently, Yes—a PIN is a supported WHfB sign-in gesture.

Conversely, the Microsoft Authenticator app is a separate Azure AD (Microsoft Entra ID) authentication method (push notifications, TOTP, passwordless phone sign-in). It is not the WHfB credential; WHfB relies on keys/certificates on the device, not on the Authenticator app.

Finally, WHfB credentials are per-device: Microsoft states the credential is “tied to a device” and the private key never leaves the device, which means it does not roam/sync across a user’s different devices. Each device enrolls and provisions its own WHfB key and gesture. These statements from Microsoft SCI documentation lead to the outcomes: No / Yes / No.

Microsoft documents Information Barriers (IB) as a Microsoft Purview capability that “restricts communication and collaboration between specific groups of users” across Microsoft 365. The service coverage explicitly includes “Microsoft Teams, SharePoint, OneDrive, and Exchange Online.” In Exchange Online, IB policies “block communication” between segmented users, which includes sending or receiving email and related collaboration, thereby meeting the statement about restricting communication in Exchange.

With IB v2, Microsoft states that policies also apply to SharePoint and OneDrive so that users in different segments are “prevented from accessing sites and content” not permitted by policy. This means a SharePoint Online site can be segmented so that members outside the allowed segments are denied access, satisfying the second statement.

For Microsoft Teams, IB policies “restrict collaboration scenarios such as chats, channel conversations, and file sharing” when participants are in segments that shouldn’t interact. Because Teams file sharing is backed by SharePoint/OneDrive, IB v2 enforcement “prevents sharing and accessing files across restricted segments.” In effect, a user cannot share a file with another user in Teams if an IB policy disallows interaction between their segments.

These behaviors align with SCI guidance that IB policies are designed to reduce conflict-of-interest risk by controlling who can communicate, collaborate, or access content across Microsoft 365 workloads.

Microsoft’s Identity Protection provides risk-based detections and automated policies—not group management. Microsoft Learn explains that Identity Protection “uses detections to identify potential vulnerabilities affecting your organization’s identities” and exposes user risk and sign-in risk for policy decisions. It does not support adding users to groups by “risk level”; group membership is handled by static or dynamic rules based on directory attributes, while risk is a transient signal surfaced to policies.

Identity Protection includes specific detections such as “Leaked credentials”, where Microsoft’s threat intelligence finds credentials “on the dark web or other dumps,” and flags the affected account as risky. This directly confirms the ability to detect whether credentials have been exposed publicly.

For enforcement, Identity Protection policies and Conditional Access can require stronger authentication when risk is present. The documentation states that you can configure policies to “require multi-factor authentication for sign-ins assessed as risky” and use Conditional Access conditions like User risk or Sign-in risk with the grant control Require multi-factor authentication. Thus, Identity Protection signals can invoke MFA based on risk, but they do not place users into groups.

In Microsoft Purview Compliance Manager, improvement actions are categorized by control type to reflect how they reduce risk and contribute to your compliance score. Microsoft’s SCI guidance explains that preventative controls are safeguards that “prevent a security or compliance incident from occurring by enforcing protections in advance (for example, enforcing encryption of data at rest and in transit, access restrictions, and configuration baselines).” This directly aligns with the task “Use encryption to protect data at rest”, which is a classic prevention mechanism intended to stop unauthorized disclosure before it can happen.

The guidance also states that detective controls are measures that “identify, log, and surface anomalous or non-compliant activities so they can be investigated and addressed (for example, continuous monitoring, alerting, audit logging, and analytics).” This maps to “Actively monitor systems to identify irregularities that might represent risks”, because the goal is to detect suspicious behavior or drift as it occurs.

By comparison, corrective controls are used to “remediate issues and restore a desired state after a problem is discovered (for example, patching, incident response, or configuration correction).” No corrective action is described in the two listed tasks, so Corrective is not selected. This mapping reflects how Compliance Manager classifies actions that contribute points to the compliance score based on their risk-reducing impact.

In the Microsoft 365 Defender (Microsoft Defender XDR) portal, the Reports area is the feature designed to surface security trends and provide protection status views across workloads, including identities. Microsoft guidance explains that the Reports workspace offers curated dashboards and exportable reports for specific domains (for example, Identities, Email & collaboration, Endpoints), so security teams can review trend lines, coverage/health, and status without running queries. For identities specifically (backed by Microsoft Defender for Identity), the reports include overview dashboards and scheduled/on-demand reports that show items such as identity security posture, open health issues, alert volumes over time, and sensor/coverage status. This aligns with SCI learning paths that distinguish portal areas by purpose: Secure score is a measurement of overall posture and recommended actions, Incidents is for triage and response to individual cases, and Hunting is for ad-hoc, query-driven investigations. When the task is to “view security trends and track the protection status of identities,” Microsoft directs administrators to the Reports > Identities experience in the Defender portal, which provides the built-in, continuously updated visualizations and summaries required for ongoing monitoring.

Azure Active Directory (Azure AD) is a cloud-based user identity and authentication service. Reference:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide

Microsoft Purview Information Protection (in the Microsoft 365 compliance center) enables you to discover, classify, label, and protect sensitive information across emails, documents, and other data stores. Labels and policies can enforce encryption, access restrictions, and visual markings, helping prevent unauthorized disclosure of sensitive data—inside or outside your organization.

In Microsoft Entra ID (formerly Azure AD), self-service password reset (SSPR) is the feature that explicitly supports email as an authentication method when users need to verify their identity to reset or unlock their password.

According to Microsoft’s identity and access documentation and the SCI learning content, SSPR lets administrators choose which verification methods are available to users, such as mobile phone, office phone, mobile app, security questions, and email. When email is enabled, a verification code can be sent to a registered alternate email address. The user proves their identity by entering this code, which is treated as an authentication step in the SSPR process.

By contrast:

Microsoft Entra Multi-Factor Authentication (MFA) does not support email as an MFA method; it focuses on methods like authenticator apps, phone calls, and text messages.

Microsoft Entra ID Protection detects and responds to risky sign-ins and users but does not provide email-based authentication.

Microsoft Entra Password Protection deals with banned and compromised passwords, not with email verification.

Therefore, the only option in the list that uses email as a supported authentication method is self-service password reset (SSPR).

Microsoft Entra ID Identity Protection is a risk-based conditional access capability that “automates the detection and remediation of identity-based risks” and enables admins to investigate risky users and sign-ins. SCI guidance explains that Identity Protection evaluates signals such as user risk and sign-in risk, raises risk detections, and can automatically remediate by enforcing actions like password reset or blocking access via risk-based policies. The portal provides rich investigation experiences for risky users, risky sign-ins, and risk detections, allowing security teams to review evidence and confirm/dismiss risks. In addition, identity risk data can be exported through Azure Monitor/diagnostic settings and integrated with SIEM/SOAR tools, enabling “export of risk detections and security alerts to third-party solutions” for correlation and response. Tasks such as configuring external access for partner organizations are handled by B2B collaboration features, and creating/assigning sensitivity labels belongs to Microsoft Purview Information Protection—not Identity Protection. Therefore, the tasks Identity Protection supports are: export risk detection (B), automate detection and remediation of identity-based risks (C), and investigate risks related to user authentication (D).

In Microsoft Sentinel, playbooks are the feature that integrates with Azure Logic Apps to automate response. Microsoft’s documentation describes them as “collections of procedures that can be run from Microsoft Sentinel in response to an alert” and clarifies that “playbooks are built on Azure Logic Apps” providing a workflow engine and a gallery of connectors to other Microsoft and third-party services. Playbooks can be triggered automatically from analytics rules or manually from incidents and alerts, enabling orchestration such as assigning owners, creating tickets, disabling accounts, blocking IPs, or posting to collaboration channels. The platform emphasizes that the Logic Apps foundation gives security teams a visual designer, managed connectors, and run history to track execution and outcomes. In short, Sentinel uses playbooks to “automate and orchestrate responses to alerts and incidents”, reducing mean-time-to-respond and standardizing actions across your SOC. Other Sentinel components serve different purposes: analytic rules detect threats, hunting queries aid proactive investigation, and workbooks provide dashboards and visualizations. Therefore, the correct completion is: Microsoft Sentinel playbooks use Azure Logic Apps to automate and orchestrate responses to alerts.

No

No

Yes

Microsoft states that Communication Compliance is administered in Microsoft Purview, not the Microsoft 365 admin center. The Learn article shows configuration and policy templates “in the Microsoft Purview portal” and directs admins to “configure Communication Compliance” there, confirming the management plane is the Purview compliance portal, not the M365 admin center.

Regarding supported locations, Microsoft lists the communication channels that policies can inspect: “Microsoft Teams… Exchange Online… Viva Engage… [and] Third-party sources.” SharePoint Online is not listed among supported channels, so SharePoint content isn’t monitored by Communication Compliance policies.

Finally, Communication Compliance includes built-in workflows to address findings. The Learn page explicitly provides a Remediate step: “Remediate Communication Compliance issues you investigate by using the following options:” such as “Notify the user” and “Escalate to another reviewer.” These actions demonstrate that the solution does more than detect; it supports remediation within the Purview portal workflow.

Exact extracts (selected):

“You can choose from the following policy templates in the Microsoft Purview portal.”

“Communication Compliance policies check… Microsoft Teams… Exchange Online… Viva Engage… Third-party sources.”

“Remediate Communication Compliance issues you investigate by using the following options: Notify the user… Escalate to another reviewer.”

Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure resources

Microsoft documents for Defender for Endpoint (MDE) describe it as an enterprise endpoint security platform that supports Windows 10/11, Windows Server, Linux, macOS, and mobile platforms (Android and iOS/iPadOS). The platform provides threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation and remediation across those supported operating systems. Because MDE supports Windows client operating systems and servers, it can also be used on Azure virtual machines that run supported Windows versions; onboarding methods include local scripts, Microsoft Endpoint Manager, or cloud integrations, allowing VM endpoints to receive the same protection and EDR capabilities as physical devices.

By contrast, malware scanning in SharePoint Online, OneDrive, and Microsoft Teams is provided by Microsoft Defender for Office 365 (Safe Attachments for SharePoint, OneDrive, and Teams)—a different service within the Microsoft 365 Defender family. This service analyzes files as they are uploaded or shared to detect and block malicious content in collaboration workloads, which is outside the scope of MDE’s endpoint-focused protections. Therefore: Android protection (Yes), Azure VMs running Windows 10 (Yes), and SharePoint Online anti-virus protection by MDE (No, handled by Defender for Office 365).

Microsoft’s SCI learning content describes the Microsoft 365 Defender portal as a unified security operations experience that surfaces security posture and active threats on a card-based dashboard. In the overview of the portal, Microsoft explains that the home page “presents key security information in dashboard cards,” and that among these cards are summaries that highlight risky entities such as “Users at risk” and “Devices at risk.” These cards provide quick, actionable visibility for analysts by aggregating detections and exposure data across Microsoft Defender services (for identities and endpoints). The guidance emphasizes that the portal “correlates signals across identities, endpoints, email, and applications” and that security teams can use the dashboard cards to pivot directly into incidents and investigations from “Users at risk” or “Devices at risk” to take containment or remediation actions.

By contrast, Compliance Score is part of Microsoft Purview Compliance Manager, not the Microsoft 365 Defender portal; Service Health and User Management are functions of the Microsoft 365 admin center. Therefore, the cards you’ll find on the Microsoft 365 Defender portal that match the choices provided are Users at risk and Devices at risk.

In Microsoft’s SCI materials, the Solutions catalog is described as part of the Microsoft Purview experience: “The Microsoft Purview compliance portal is the home for solutions to manage your organization’s data security and compliance needs.” Within this portal, Microsoft states that “the Solutions catalog provides a single place to discover, learn about, and set up Microsoft Purview solutions.” The catalog organizes capabilities across compliance domains, for example “Information Protection, Data Lifecycle Management, Data Loss Prevention, Insider Risk Management, eDiscovery, Audit, and Compliance Manager,” and from the catalog “administrators can open setup guides and configuration wizards for each solution.” This positioning makes the Purview compliance portal the correct portal when you are asked where the solution catalog lives.

By comparison, the Microsoft 365 admin center focuses on tenant administration and licensing, the Microsoft 365 Defender portal consolidates threat protection and security operations, and the Microsoft 365 Apps admin center targets Office app management and servicing. None of these are identified as the home of the Purview Solutions catalog. Therefore, the portal that contains the solution catalog is the Microsoft Purview compliance portal.

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft’s SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that “helps you manage your organization’s compliance requirements,” providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins “use the Microsoft 365 Compliance Center to access Compliance Manager,” where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.

In Microsoft’s shared responsibility model, responsibilities vary by service type. For IaaS (for example, Azure Virtual Machines), Microsoft states that it is responsible for protecting and maintaining the cloud infrastructure that runs customer workloads, while customers secure what they deploy in that infrastructure. Microsoft’s guidance explains that Microsoft “operates and secures the datacenters, physical hosts, networking, and the virtualization fabric,” and handles the underlying platform maintenance, including “hardware and firmware” that support those hosts. Conversely, customers are responsible for what runs inside their VM: “the guest operating system (including updates and security configuration), applications, identity, and data.”

Applied to the options in this question:

Updating the operating system and updating installed applications are customer tasks because they are inside the guest VM.

Configuring permissions for shared folders is also a customer responsibility because it’s an OS/application configuration within the guest.

Updating the firmware of the disk controller belongs to Microsoft, because firmware and hardware on the physical hosts (including storage controllers) are part of the infrastructure of the cloud that Microsoft manages and secures.

This aligns with SCI study materials that summarize: Microsoft secures “the security of the cloud” (physical datacenter, hosts, network, and hypervisor/firmware), while customers secure “security in the cloud” (guest OS, apps, and data).

The Compliance score in Microsoft Purview Compliance Manager is a measurement tool that evaluates an organization’s progress toward meeting data protection and regulatory compliance requirements. It is specifically designed to help organizations reduce risks related to data governance, privacy, and compliance with various standards such as GDPR, ISO 27001, NIST 800-53, and Microsoft Data Protection Baselines.

According to Microsoft’s official documentation on Compliance Manager, the Compliance score “helps organizations track, improve, and demonstrate their compliance posture by providing a quantifiable measure of compliance with regulations and standards.” Each action within Compliance Manager contributes a certain number of points to the overall score. These points are weighted based on risk, meaning that actions with a greater impact on reducing compliance risk contribute more significantly to the total score.

The score is not an absolute measure of legal compliance but rather an indicator of progress toward implementing recommended controls and risk-reducing actions. Microsoft emphasizes that Compliance score “assists organizations in identifying areas of improvement, prioritizing compliance tasks, and maintaining an auditable record of their compliance activities.”

By contrast, Microsoft Secure Score measures security posture related to identity, device, and application protection, while Productivity Score evaluates collaboration and technology experience. Thus, the metric that specifically assesses data protection and regulatory compliance progress is the Compliance score in Microsoft Purview Compliance Manager.

multi-factor authentication (MFA)

In Microsoft Entra ID (formerly Azure AD), Security defaults are a baseline of recommended identity protections that, when turned on, automatically apply tenant-wide. Microsoft’s guidance explains that security defaults “help protect your organization with preconfigured security settings” and specifically require that “all users register for Azure AD Multi-Factor Authentication.” When enabled, the defaults enforce MFA challenges for users and admins during risky or sensitive operations, and they block legacy authentication protocols that can’t satisfy modern MFA requirements. Microsoft further notes that security defaults “provide basic identity security mechanisms… such as requiring multi-factor authentication for all users and administrators.” These controls are designed to raise the overall security posture without custom policy design, which is ideal for small and medium organizations or any tenant that hasn’t yet implemented Conditional Access. Therefore, when you enable security defaults, MFA is enabled for all Azure AD users, driving strong authentication as the default and reducing account-takeover risk stemming from password-only sign-ins.

Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) extends DLP controls to endpoints. Microsoft documentation describes Endpoint DLP as applying protections on “Windows 10/11 devices” (and, in current guidance, also macOS). The feature monitors and restricts actions like copying to USB, printing, or uploading to the web when sensitive items are involved. Importantly, Microsoft does not document Endpoint DLP support for iOS or Android; those platforms are governed through app protection policies in Intune and Microsoft Defender for Endpoint mobile capabilities, not Endpoint DLP. Given the answer choices provided, the only correct option that aligns with Microsoft’s Endpoint DLP platform support and excludes unsupported mobile OSs is Windows 10 only (noting that Microsoft also supports Windows 11 and macOS today, which are absent from the choices). Therefore, among the listed options, Windows 10 only is the correct selection because Endpoint DLP does not run on iOS or Android.

Microsoft documents describe Azure Bastion as a managed PaaS jump-host that’s deployed inside a virtual network to provide secure remote access: “Azure Bastion is deployed in your virtual network and provides seamless RDP and SSH connectivity to your virtual machines directly in the Azure portal over SSL.” The platform design is per-VNet, with the limit stated as: “One Bastion host can be deployed per virtual network,” ensuring a single managed entry point for that network. Connectivity is delivered using the native protocols while avoiding public exposure: “Bastion enables RDP and SSH sessions… without requiring a public IP on your virtual machines, using TLS (port 443).” Access is brokered through the web experience: “You connect to the VM directly from the Azure portal using your browser,” which provides an HTML5 client for RDP/SSH. These statements collectively validate that (1) deployment is one Bastion per VNet, (2) it provides secure user connections by using RDP (and SSH), and (3) it provides a secure connection to an Azure VM via the Azure portal, aligning with Zero Trust principles by eliminating inbound RDP/SSH exposure on public IPs.

In Microsoft’s SCI guidance, encryption at rest is defined as protecting data when it is stored on a disk or other persistent media. Microsoft describes it as controls that “help safeguard your data to meet your organizational security and compliance commitments by encrypting data when it is persisted,” distinguishing it from protections for data in transit. Within Azure and Microsoft 365, examples include Azure Disk Encryption for IaaS VMs (using BitLocker for Windows and DM-Crypt for Linux), server-side encryption for storage accounts, and Transparent Data Encryption for databases. A virtual machine’s OS and data disks encrypted with BitLocker or DM-Crypt are canonical cases of at-rest encryption because the encryption keys protect the physical media; the data becomes unreadable if the disks are accessed outside the authorized context. By contrast, site-to-site VPN, HTTPS web sessions, and encrypted email protect data in transit—they secure network communications but do not encrypt the data where it is stored. Therefore, among the options provided, encrypting a virtual machine disk is the correct example of encryption at rest in Microsoft’s security model.

Microsoft Learn explains that Azure Active Directory (now Microsoft Entra ID) is a Microsoft-managed identity and access management service delivered from the cloud. It does not require you to provision or host infrastructure such as virtual machines; the directory is operated as a service by Microsoft, and tenants are created and administered within Microsoft’s cloud environment. The official learning paths further clarify that administration is performed through the Azure portal (the Entra/Microsoft Entra admin center and Azure portal blades), PowerShell, and Graph—so managing a tenant in the Azure portal is fully supported.

Regarding licensing, Microsoft’s SCI study materials detail that Azure AD/Entra ID is offered in multiple editions (Free, Microsoft 365 apps edition, Premium P1, and Premium P2). Each edition unlocks different capabilities: for example, features like Conditional Access are in Premium tiers; Identity Protection and Privileged Identity Management (PIM) are P2 capabilities. Because capabilities vary by tier, the statement that all license editions include the same features is incorrect.

Putting this together: feature parity across editions is not the case (No); tenant management in the Azure portal is supported (Yes); and you do not need to deploy Azure VMs to host an Azure AD/Entra ID tenant (No).

In Microsoft Purview Compliance Manager, the built-in Compliance score and assessments are designed for ongoing, risk-based monitoring of your organization’s compliance posture. Microsoft’s SCI materials describe Compliance Manager as a solution that “helps you track, improve, and demonstrate your compliance posture” by mapping regulations and standards to improvement actions and assessments. The experience is not a one-time or periodic snapshot; it is intended to be continuous. As you implement controls, provide evidence, or when automated tests record results, “your score is updated as you complete actions,” reflecting current progress toward data protection and regulatory requirements.

Assessments in Compliance Manager persist over time and are maintained through continuous evaluation: actions can be automatically tested when supported (for example, configuration-based controls in Microsoft 365) or manually assessed on an ongoing basis by compliance teams. This design enables organizations to prioritize and remediate issues as they arise, rather than waiting for monthly or quarterly reviews. Because of this continuous scoring and reassessment model, Compliance Manager assesses compliance data continually for an organization, providing near real-time insight into control effectiveness and residual risk across standards such as GDPR, ISO 27001, and NIST frameworks.

In Microsoft’s identity platform, Active Directory Domain Services (AD DS) is the on-premises directory that maintains directory objects such as users, groups, and computers. Microsoft documentation describes AD DS as a service that “stores information about objects on the network and makes this information easy for administrators and users to find and use.” It further explains that AD DS contains objects like “users, groups, computers, and other resources,” and that administrators use tools such as Active Directory Users and Computers to create and manage these objects. A key object type is the computer account; Microsoft states that “a computer that’s joined to a domain has a corresponding computer account object in Active Directory” and that these accounts are created and managed within AD DS to enable secure authentication and authorization for domain-joined devices.

By contrast, mobile devices are typically enrolled and managed through Microsoft Intune/Endpoint Manager and Azure AD device objects, not created in AD DS. Likewise, SaaS applications that require modern authentication integrate with Microsoft Entra ID (Azure AD) using OpenID Connect/OAuth 2.0—not with AD DS. Line-of-business apps that rely on modern authentication are also registered in Entra ID, while AD DS supports traditional Kerberos/NTLM for domain resources. Therefore, among the options provided, the object you can create in AD DS is computer accounts.

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.

By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.

Microsoft 365 Information Barriers are compliance policies used “to prevent certain segments of users from communicating or collaborating with each other.” In Microsoft’s guidance, IB policies are designed for scenarios like insider trading restrictions, M&A deal rooms, or research–sales separation, where it’s necessary to block chats, calls, and collaboration between defined user segments. The documentation explains that when IB policies are in place, “users in the blocked segments cannot search, discover, or communicate with each other in Microsoft Teams,” and IB v2 extends these controls to additional collaboration workloads such as SharePoint and OneDrive. By contrast, email restrictions in Exchange Online are addressed through mail flow rules or other Exchange features, not information barriers, and restricting unauthenticated access or external sharing is handled by identity access controls and sharing settings, not IB. Therefore, the specific use case is restricting Microsoft Teams chats (and related collaboration) between certain groups within an organization.

Microsoft’s SCI documentation explains that Information Barriers (part of Microsoft Purview and enforced across Microsoft Teams, SharePoint, OneDrive, and Exchange) are used to “restrict communication and collaboration between specific groups of users to avoid conflicts of interest or to comply with regulatory obligations.” Policies define which segments can communicate and which must be blocked, and they control chat, channel conversations, meetings, file sharing, and e-discovery visibility between the defined segments. Typical scenarios include preventing communication between investment banking and research, or between merger deal teams and the rest of the organization. This is fundamentally different from other features: Sensitivity label policies classify and protect content but do not block who can talk to whom; Customer Lockbox manages Microsoft engineer access to customer data during support; and Privileged Access Management (PAM) limits admin task approvals and elevated operations, not end-user communication. When the requirement is to “restrict communication and the sharing of information between members of two departments,” Microsoft prescribes Information Barriers as the purpose-built capability to enforce those restrictions across collaboration workloads.

In Microsoft’s Security, Compliance, and Identity learning content for Microsoft Defender for Cloud, the service is described as providing ongoing posture management and threat protection. The official description states that Defender for Cloud “continuously assesses your resources to identify security misconfigurations and weaknesses” and “continuously discovers and evaluates resources” across your subscriptions. The recommendations and secure-score updates are produced as the platform “continuously analyzes your environment using security policies and analytics,” surfacing issues the moment they’re detected and mapping them to remediation guidance. This continuous assessment model underpins Defender for Cloud’s cloud security posture management (CSPM) capability and ensures that newly created or modified resources are evaluated without waiting for a scheduled job. By design, there is no fixed interval (such as hourly, every 15 minutes, or daily) required to trigger assessments—policy-driven evaluation and data collection run as changes occur and signals are received. Therefore, the sentence “Microsoft Defender for Cloud assesses Azure resources ____ for security issues” is correctly completed with continuously, reflecting Microsoft’s emphasis on persistent, real-time security posture evaluation rather than periodic scans.