Pass the Microsoft Microsoft Certified: Security Compliance and Identity Fundamentals SC-900 Questions and answers with CertsForce

Box 1: Yes

The MailItemsAccessed event is a mailbox auditing action and is triggered when mail data is accessed by mail protocols and mail clients.

Box 2: No

Basic Audit retains audit records for 90 days.

Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which the activity occurred) for one year.

Box 3: yes

Advanced Audit in Microsoft 365 provides high-bandwidth access to the Office 365 Management Activity API.

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.

By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.

 An external email address can be used to authenticate self-service password reset (SSPR). → Yes

 A notification to the Microsoft Authenticator app can be used to authenticate self-service password reset (SSPR). → Yes

 To perform self-service password reset (SSPR), a user must already be signed in and authenticated to Azure AD. → No

For Microsoft Entra self-service password reset (SSPR), users must register one or more authentication methods that can later be used when they forget their password or are locked out. Microsoft’s end-user guidance states that an email address option lets users configure “an alternate email address that can be used without requiring your forgotten or missing password,” and that this method is available only for password reset. In practice, this alternate address is typically a personal or external email (for example, Gmail), so using an external email to authenticate SSPR is valid.

SSPR can also use the Microsoft Authenticator app as an authentication method. Microsoft documents that Authenticator push notifications, including number matching, are supported for several scenarios, explicitly listing self-service password reset (SSPR) among them. This means a push notification to the app on the user’s device can be used to verify identity during SSPR.

Finally, SSPR is designed for situations where the user cannot sign in. Official SSPR process descriptions explain that users start from the “Can’t access your account?” or password-reset page, provide their username, and then use their registered methods to prove identity. They do not need to be already authenticated to Azure AD; SSPR exists precisely to recover access when sign-in fails.