Pass the Microsoft Microsoft Certified: Security Compliance and Identity Fundamentals SC-900 Questions and answers with CertsForce

access

In Microsoft Entra ID (formerly Azure AD), dynamic groups are a key feature used to automate the access lifecycle for users and devices. SCI learning material on identity governance explains that organizations can automate the access lifecycle process through technologies such as dynamic groups, alongside automated user provisioning. These resources describe the access lifecycle as managing a user’s access to resources from the moment they join the organization, through role or department changes, until they leave. Dynamic groups help with this by using attribute-based rules (for example, department, job title, location, or device platform) to automatically add or remove identities from groups as their attributes change.

Because group membership typically controls access to applications, SharePoint sites, Teams, and licenses, this automatic membership update keeps access aligned with the user’s current role without manual intervention. When a user changes departments, the dynamic rules reevaluate and move them into the appropriate groups, granting new access and removing old access as required. This is exactly what Microsoft refers to as automating the access lifecycle.

The other options do not match the terminology used in SCI content: “object lifecycle” is not the term used in Entra identity governance, and “privileged access” lifecycle is handled specifically by Privileged Identity Management (PIM), not by dynamic groups. Therefore, the sentence is correctly completed with access.

In Microsoft Entra ID (formerly Azure AD), self-service password reset (SSPR) is the feature that explicitly supports email as an authentication method when users need to verify their identity to reset or unlock their password.

According to Microsoft’s identity and access documentation and the SCI learning content, SSPR lets administrators choose which verification methods are available to users, such as mobile phone, office phone, mobile app, security questions, and email. When email is enabled, a verification code can be sent to a registered alternate email address. The user proves their identity by entering this code, which is treated as an authentication step in the SSPR process.

By contrast:

Microsoft Entra Multi-Factor Authentication (MFA) does not support email as an MFA method; it focuses on methods like authenticator apps, phone calls, and text messages.

Microsoft Entra ID Protection detects and responds to risky sign-ins and users but does not provide email-based authentication.

Microsoft Entra Password Protection deals with banned and compromised passwords, not with email verification.

Therefore, the only option in the list that uses email as a supported authentication method is self-service password reset (SSPR).

Explanation

In Microsoft’s hybrid identity guidance, Azure AD Connect is the supported tool to bridge on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD). Microsoft Learn describes it plainly: “Azure AD Connect is Microsoft’s tool for connecting on-premises directories to Azure AD.” It “synchronizes user, group, and device objects” so cloud identities stay aligned with on-premises accounts and attributes. Azure AD Connect also supports multiple sign-in methods: “password hash synchronization, pass-through authentication, and federation integration.” In other words, you can sync identities and choose how users authenticate to Microsoft Entra ID (Azure AD).

By contrast, Active Directory Federation Services (AD FS) is a federation service used for claims-based authentication; it does not perform directory synchronization. Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR and is unrelated to identity sync. Privileged Identity Management (PIM) is an identity governance feature for just-in-time privileged access; it does not synchronize identities. Therefore, in a hybrid identity model where the requirement is to sync identities between AD DS and Azure AD, the correct Microsoft-endorsed solution is Azure AD Connect, which “keeps identities in sync between on-premises directories and Azure AD.”

Microsoft’s Security, Compliance, and Identity materials describe Azure Policy as the governance service that lets you “create, assign, and manage policies” so resources “stay compliant with your corporate standards and service level agreements.” Policies are enforced through effects such as Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, and Modify, which enable organizations to block non-compliant creations, append required settings, or deploy configuration automatically at the time of creation. The documentation further explains that Azure Policy “supports remediation of existing resources” by running remediation tasks for policies that use DeployIfNotExists or Modify, allowing Azure Policy to automatically bring resources into compliance without manual intervention.

Evaluation is continuous, not only at create or update time. Azure Policy “evaluates resources at deployment and regularly re-evaluates compliance,” and admins can also trigger on-demand scans. This means compliance state is updated both when a resource is created/changed and during periodic background assessments, ensuring drift is detected and corrected. Together, these capabilities allow Azure Policy to enforce standards for new resources, auto-remediate existing ones, and provide ongoing compliance posture—which is why the first two statements are Yes, while the claim that evaluation occurs only on create/modify is No.

Security defaults make it easy to protect your organization with the following preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.

Requiring administrators to do multi-factor authentication.

Blocking legacy authentication protocols.

Requiring users to do multi-factor authentication when necessary.

Protecting privileged activities like access to the Azure portal.

In Microsoft Purview (Microsoft 365 compliance), a retention policy applied to a SharePoint site keeps content for the specified period (e.g., 1 year) even if users delete it. Items are retained and recoverable until the retention period expires, meeting your preservation requirement.

Microsoft’s SCI guidance defines the supported passwordless methods in Entra ID (Azure AD). The documentation states: “Microsoft recommends three passwordless authentication options: Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app (phone sign-in).” Windows Hello for Business “replaces passwords with strong two-factor authentication on Windows devices,” allowing users to sign in with a gesture (biometric or PIN) that does not require a password during interactive sign-in. Likewise, “FIDO2 security keys enable users to sign in using an external security key,” providing a standards-based passwordless credential that can work across supported browsers and devices.

By contrast, OATH software tokens (for example, time-based one-time passcodes in an authenticator app) are documented as multifactor verification methods: “OATH software tokens generate time-based codes used for MFA.” These OTP codes serve as a second factor and are not a passwordless primary sign-in method; users typically still enter a password and then the OTP. Therefore: software tokens → No (not passwordless), Windows Hello → Yes, FIDO2 security keys → Yes. This mapping aligns directly with Microsoft’s Entra ID passwordless authentication guidance and the delineation between passwordless sign-in and MFA second-factor methods.

Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft’s security guidance, defense in depth is described as employing “a series of mechanisms across multiple layers” to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By “placing multiple layers of defense throughout a network infrastructure,” an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft’s defense in depth methodology.

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft’s SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that “helps you manage your organization’s compliance requirements,” providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins “use the Microsoft 365 Compliance Center to access Compliance Manager,” where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.

multi-factor authentication (MFA)

In Microsoft Entra ID (formerly Azure AD), Security defaults are a baseline of recommended identity protections that, when turned on, automatically apply tenant-wide. Microsoft’s guidance explains that security defaults “help protect your organization with preconfigured security settings” and specifically require that “all users register for Azure AD Multi-Factor Authentication.” When enabled, the defaults enforce MFA challenges for users and admins during risky or sensitive operations, and they block legacy authentication protocols that can’t satisfy modern MFA requirements. Microsoft further notes that security defaults “provide basic identity security mechanisms… such as requiring multi-factor authentication for all users and administrators.” These controls are designed to raise the overall security posture without custom policy design, which is ideal for small and medium organizations or any tenant that hasn’t yet implemented Conditional Access. Therefore, when you enable security defaults, MFA is enabled for all Azure AD users, driving strong authentication as the default and reducing account-takeover risk stemming from password-only sign-ins.