sc-900 exam questions
Which functionality is provided by Azure AD? - ANS-Azure AD provides SSO. Azure AD
provides federation. Azure AD is one perimeter of defense in depth. Azure AD does not
provide file services. Azure AD does not provide the encryption of data in transit.
Which two authentication methods are available in Azure AD during sign in? Each
correct answer presents a complete solution. - ANS-Passwords are the most common
form of authentication and are supported in Azure AD. Text messaging can be used as
a primary form of authentication. The Google Authenticator app can be used as a
primary form of authentication to sign into any Azure AD account. Calling the Microsoft
Helpdesk is not a valid authentication method in Azure AD. Security questions are not
used during sign in.
An organization is migration to the Microsoft cloud. The plan is to use a hybrid identity
model.
What can be used to sync identities between Active Directory Domain Services (AD DS)
and Azure AD? - ANS-Azure AD Connect is designed to meet and accomplish hybrid
identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not
an identity product. PIM is used for managing and monitoring access to important
resources.
Which authentication method can use a time-based, one-time password? - ANS-OATH
hardware tokens use time-based, one-time passwords. Strong passwords are not
one-time passwords. Password hash synchronization syncs hashes across Active
Directory and Azure AD. Windows Hello uses a camera or passcode for authentication.
What can you use to prevent users from using an organization's name or the names of
the organization's products as passwords in Azure AD? - ANS-Azure AD Password
Protection - The global banned password list does not cover your own organization and
product names. Azure AD Password Protection provides protection from password
spray. MFA does not manage password entries.
Based on a Microsoft Azure Security Score recommendation, an administrator decides
to improve identity security within an organization.
What provides the greatest protection to user identities? - ANS-using the Microsoft
Authenticator app - The Microsoft Authenticator app (phone sign in) is the strongest
authentication method. Enforcing a password change or enforcing a complex password
, will not provide the greatest protection alone. Using soft tokens does not offer as strong
a protection as Microsoft Authenticator.
What are three things that a user can use for Azure AD Multi-Factor Authentication
(MFA)? Each correct answer presents a complete solution. - ANS-something the
claimant knows, something the claimant has, something the claimant is. - Azure AD
MFA works by requiring something you know (such as a password), and something you
have (such as a phone), or something you are (biometrics).
Which Azure AD feature helps reduce help desk calls and the loss of productivity when
a user cannot sign in to their device or an application? - ANS-SSPR is a feature of
Azure AD that allows users to change or reset their password without administrator or
help desk involvement. Without enabling SSPR, Identity protection cannot provide the
requested solution. Conditional Access brings signals together, to make decisions, and
enforce organizational policies but not SSPR. Azure AD Password Protection reduces
the risk when users set weak passwords.
Which three actions should be performed to enable self-service password reset (SSPR)
for a user? Each correct answer presents part of the solution. - ANS-Assign an Azure
AD license, Enable SSPR for the user, Register an authentication method, To use
SSPR, users must be assigned an Azure AD license that is enabled for SSPR by an
administrator and registered with the authentication methods they want to use. Two or
more authentication methods are recommended in case one is unavailable.
What should you use in Azure AD to provide users with the ability to perform
administrative tasks? - ANS-roles - Roles in Azure AD have permission to perform
certain administrative tasks. You assign these roles to users.
Which Azure feature provides network-level filtering, application-level filtering, and
outbound SNAT? - ANS-
What are types of distributed denial-of-service (DDoS) attacks? - ANS-resource layer
attacks, protocol attacks, and volumetric attacks - Resource layer attacks, protocol
attacks, and volumetric attacks are the most common DDoS attacks. Password sprays
and MITM attacks are not DDoS attacks.
What can you use in Azure to implement network segmentation based on departments?
- ANS-virtual networks - The main reasons for network segmentation are the ability to
group related assets that are a part of (or support) workload operations, the isolation of
resources, and to use governance policies set by an organization. Virtual networks
Which functionality is provided by Azure AD? - ANS-Azure AD provides SSO. Azure AD
provides federation. Azure AD is one perimeter of defense in depth. Azure AD does not
provide file services. Azure AD does not provide the encryption of data in transit.
Which two authentication methods are available in Azure AD during sign in? Each
correct answer presents a complete solution. - ANS-Passwords are the most common
form of authentication and are supported in Azure AD. Text messaging can be used as
a primary form of authentication. The Google Authenticator app can be used as a
primary form of authentication to sign into any Azure AD account. Calling the Microsoft
Helpdesk is not a valid authentication method in Azure AD. Security questions are not
used during sign in.
An organization is migration to the Microsoft cloud. The plan is to use a hybrid identity
model.
What can be used to sync identities between Active Directory Domain Services (AD DS)
and Azure AD? - ANS-Azure AD Connect is designed to meet and accomplish hybrid
identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not
an identity product. PIM is used for managing and monitoring access to important
resources.
Which authentication method can use a time-based, one-time password? - ANS-OATH
hardware tokens use time-based, one-time passwords. Strong passwords are not
one-time passwords. Password hash synchronization syncs hashes across Active
Directory and Azure AD. Windows Hello uses a camera or passcode for authentication.
What can you use to prevent users from using an organization's name or the names of
the organization's products as passwords in Azure AD? - ANS-Azure AD Password
Protection - The global banned password list does not cover your own organization and
product names. Azure AD Password Protection provides protection from password
spray. MFA does not manage password entries.
Based on a Microsoft Azure Security Score recommendation, an administrator decides
to improve identity security within an organization.
What provides the greatest protection to user identities? - ANS-using the Microsoft
Authenticator app - The Microsoft Authenticator app (phone sign in) is the strongest
authentication method. Enforcing a password change or enforcing a complex password
, will not provide the greatest protection alone. Using soft tokens does not offer as strong
a protection as Microsoft Authenticator.
What are three things that a user can use for Azure AD Multi-Factor Authentication
(MFA)? Each correct answer presents a complete solution. - ANS-something the
claimant knows, something the claimant has, something the claimant is. - Azure AD
MFA works by requiring something you know (such as a password), and something you
have (such as a phone), or something you are (biometrics).
Which Azure AD feature helps reduce help desk calls and the loss of productivity when
a user cannot sign in to their device or an application? - ANS-SSPR is a feature of
Azure AD that allows users to change or reset their password without administrator or
help desk involvement. Without enabling SSPR, Identity protection cannot provide the
requested solution. Conditional Access brings signals together, to make decisions, and
enforce organizational policies but not SSPR. Azure AD Password Protection reduces
the risk when users set weak passwords.
Which three actions should be performed to enable self-service password reset (SSPR)
for a user? Each correct answer presents part of the solution. - ANS-Assign an Azure
AD license, Enable SSPR for the user, Register an authentication method, To use
SSPR, users must be assigned an Azure AD license that is enabled for SSPR by an
administrator and registered with the authentication methods they want to use. Two or
more authentication methods are recommended in case one is unavailable.
What should you use in Azure AD to provide users with the ability to perform
administrative tasks? - ANS-roles - Roles in Azure AD have permission to perform
certain administrative tasks. You assign these roles to users.
Which Azure feature provides network-level filtering, application-level filtering, and
outbound SNAT? - ANS-
What are types of distributed denial-of-service (DDoS) attacks? - ANS-resource layer
attacks, protocol attacks, and volumetric attacks - Resource layer attacks, protocol
attacks, and volumetric attacks are the most common DDoS attacks. Password sprays
and MITM attacks are not DDoS attacks.
What can you use in Azure to implement network segmentation based on departments?
- ANS-virtual networks - The main reasons for network segmentation are the ability to
group related assets that are a part of (or support) workload operations, the isolation of
resources, and to use governance policies set by an organization. Virtual networks
