Microsoft SC-900 Security Fundamentals Practice Test

Try 12 Microsoft Security, Compliance, and Identity Fundamentals (SC-900) sample questions and practice-test preview prompts on Microsoft Entra, Defender, Purview, governance, security, compliance, and identity fundamentals.

SC-900 is a Microsoft Security route for candidates building Microsoft security, compliance, and identity fundamentals.

IT Mastery coverage for SC-900 is under review. Use this page to try 12 original sample questions, review the route fit, likely assessed areas, and related live practice pages.

Practice option: Sample questions available

SC-900: Microsoft Security, Compliance, and Identity Fundamentals practice update

Start with the 12 sample questions on this page. Dedicated practice for SC-900: Microsoft Security, Compliance, and Identity Fundamentals is not currently included as a full web-app practice page; enter your email to get updates when full practice becomes available or expands for this exam.

We only publish independently written practice questions, not real, leaked, copied, or recalled exam questions.

Route snapshot

  • Issuer: Microsoft
  • Family: Microsoft Security
  • Exam code: SC-900
  • Route name: Microsoft Security, Compliance, and Identity Fundamentals
  • Current IT Mastery status: Sample questions

What to review first

| Area | Practical focus |
| --- | --- |
| Security role fit | Separate fundamentals, architect, analyst, identity, information protection, cloud AI security, and business security needs. |
| Microsoft security stack | Review Entra, Defender, Purview, Azure security, Microsoft 365 security, and governance boundaries. |
| Risk and control judgment | Practice matching controls to identity, data, infrastructure, application, and AI workload risks. |

| If you need practice now | Start here |
| --- | --- |
| Security+ SY0-701 | Best live baseline cybersecurity route. |
| AZ-104 Azure Administrator | Useful Azure operations base for security candidates. |
| ISC2 CC | Adjacent entry cybersecurity route. |

Practice options

  • IT Mastery coverage for this exam: under review
  • Best use right now: try the 12 sample questions, confirm that SC-900 is your target exam, then use the closest live Azure, Microsoft, security, data, DevOps, or IT fundamentals pages while coverage expands
  • Update form: use the Notify me form near the top of this page if SC-900 is your actual target exam
  • Quick review: open the SC-900 cheat sheet before the sample questions if you need a compact security, compliance, and identity checklist.

Sample Exam Questions

Try these 12 original sample questions for Microsoft SC-900. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: security fundamentals

A manager asks why identity is central to Microsoft security. Which answer is strongest?

  • A. Identity controls who can access resources and is a core enforcement point for Zero Trust.
  • B. Identity matters only for email branding.
  • C. Identity replaces all network and data controls.
  • D. Identity is unrelated to cloud security.

Best answer: A

Explanation: SC-900 is fundamentals-level, so it rewards recognizing identity as a core security boundary without overstating it as the only control.

What this tests: Microsoft security and identity fundamentals.


Question 2

Topic: Zero Trust

Which statement best describes Zero Trust?

  • A. Trust every device inside the office network.
  • B. Verify explicitly, use least privilege, and assume breach rather than trusting by network location.
  • C. Disable MFA to improve productivity.
  • D. Give users permanent administrator access.

Best answer: B

Explanation: Zero Trust combines explicit verification, least privilege, and breach-aware design. It is not a single product or a perimeter-only model.

What this tests: Zero Trust principles.


Question 3

Topic: Microsoft Entra

A company wants single sign-on and conditional access for cloud apps. Which Microsoft platform is most relevant?

  • A. Azure Cost Management only.
  • B. Microsoft Planner only.
  • C. Microsoft Entra ID.
  • D. A local spreadsheet of users.

Best answer: C

Explanation: Microsoft Entra ID provides identity, authentication, conditional access, and SSO capabilities for Microsoft cloud environments.

What this tests: Recognizing Microsoft identity services.


Question 4

Topic: Microsoft Defender

A security team wants endpoint threat detection and response across user devices. Which product family is most relevant?

  • A. Microsoft Forms.
  • B. Azure DNS only.
  • C. A storage lifecycle policy.
  • D. Microsoft Defender.

Best answer: D

Explanation: Microsoft Defender includes endpoint and XDR capabilities. SC-900 candidates should know broad product-family fit.

What this tests: Matching security needs to Microsoft security product families.


Question 5

Topic: Microsoft Purview

A compliance team needs data classification, sensitivity labels, and retention controls. Which Microsoft family is most relevant?

  • A. Microsoft Purview.
  • B. Azure Virtual Desktop only.
  • C. GitHub Actions only.
  • D. Azure Bastion only.

Best answer: A

Explanation: Purview is the Microsoft compliance, information protection, data governance, and risk-management family.

What this tests: Recognizing compliance and information-protection tooling.


Question 6

Topic: MFA

A user password is stolen. Which control most directly reduces the chance that the stolen password alone grants access?

  • A. A shorter username.
  • B. Multi-factor authentication.
  • C. A larger mailbox.
  • D. A public IP address.

Best answer: B

Explanation: MFA requires another proof beyond the password. It is a common baseline control in identity security.

What this tests: Understanding authentication controls.


Question 7

Topic: shared responsibility

In cloud security, what does shared responsibility mean?

  • A. The provider owns every security decision.
  • B. The customer owns nothing after moving to cloud.
  • C. The cloud provider and customer each own different security responsibilities depending on the service model.
  • D. Only auditors own cloud security.

Best answer: C

Explanation: Shared responsibility clarifies who manages physical, platform, identity, data, and configuration controls.

What this tests: Cloud shared-responsibility concepts.


Question 8

Topic: least privilege

A user needs to read compliance reports but not change policies. What is the best access principle?

  • A. Make the user a global administrator.
  • B. Share the compliance administrator password.
  • C. Disable audit logging.
  • D. Grant only the permissions needed for the reporting task.

Best answer: D

Explanation: Least privilege limits access to what is needed. This reduces accidental and malicious risk.

What this tests: Applying least privilege.


Question 9

Topic: SIEM basics

A team wants to collect security events, correlate detections, and investigate incidents. Which tool category fits?

  • A. SIEM and security operations tooling such as Microsoft Sentinel.
  • B. A presentation template.
  • C. A billing export only.
  • D. A desktop wallpaper service.

Best answer: A

Explanation: Sentinel is Microsoft’s cloud-native SIEM/SOAR option. The fundamentals route expects category recognition.

What this tests: Understanding security operations tooling.


Question 10

Topic: compliance

A regulation requires proof of access reviews and audit records. What should the organization maintain?

  • A. Only informal chat messages.
  • B. Auditable controls, review evidence, and reporting aligned to the requirement.
  • C. No records to reduce storage.
  • D. A public link to all data.

Best answer: B

Explanation: Compliance depends on implemented controls and evidence. The answer should preserve auditability.

What this tests: Connecting compliance requirements to evidence.


Question 11

Topic: data protection

A file contains confidential customer information. What should be considered first?

  • A. Publishing the file publicly.
  • B. Removing all labels.
  • C. Classification, access controls, encryption, retention, and sharing restrictions.
  • D. Ignoring data location and ownership.

Best answer: C

Explanation: Data protection is layered. Classification helps drive access, encryption, sharing, and lifecycle decisions.

What this tests: Data-security fundamentals.


Question 12

Topic: route fit

A candidate is new to Microsoft security and wants fundamentals before analyst or architect paths. Which route is the closest fit?

  • A. SC-100 only.
  • B. AZ-120 only.
  • C. MB-330 only.
  • D. SC-900.

Best answer: D

Explanation: SC-900 is the fundamentals route for security, compliance, and identity. Advanced routes assume more role-specific knowledge.

What this tests: Choosing the correct Microsoft security route.


SC-900 fundamentals map

Use this map to connect the sample questions to the decision pattern Microsoft usually tests for this security route.

    flowchart LR
      S1["Security concept"] --> S2
      S2["Identity and access control"] --> S3
      S3["Microsoft security tools"] --> S4
      S4["Compliance and data protection"] --> S5
      S5["Shared responsibility"] --> S6
      S6["Choose next security route"]

Quick Cheat Sheet

| Cue | What to remember |
| --- | --- |
| Identity basics | Understand authentication, authorization, MFA, Conditional Access, and least privilege. |
| Security tools | Recognize the roles of Entra, Defender, Sentinel, and Purview at a high level. |
| Compliance | Know why labels, DLP, retention, audit, and eDiscovery matter. |
| Cloud model | Separate customer responsibilities from provider responsibilities. |
| Next route | Use SC-900 as a base before SC-200, SC-300, SC-401, SC-100, or SC-500. |

Mini Glossary

  • Authentication: Verifying who a user or workload is.
  • Authorization: Deciding what an authenticated identity is allowed to do.
  • Compliance: Meeting regulatory, contractual, or internal policy obligations.
  • Microsoft Entra ID: Microsoft cloud identity and access platform.
  • Microsoft Purview: Microsoft product family for data governance, compliance, and information protection.

Microsoft SC-900 practice update

Use this page to review SC-900 sample questions and use the Notify me form for updates. The related pages below help you compare adjacent IT Mastery Microsoft security practice options before choosing what to study next.

Revised on Monday, May 25, 2026