SC-900 Exam Dumps - Microsoft Security Compliance and Identity Fundamentals

In Microsoft’s SCI materials, the Solutions catalog is described as part of the Microsoft Purview experience: “The Microsoft Purview compliance portal is the home for solutions to manage your organization’s data security and compliance needs.” Within this portal, Microsoft states that “the Solutions catalog provides a single place to discover, learn about, and set up Microsoft Purview solutions.” The catalog organizes capabilities across compliance domains, for example “Information Protection, Data Lifecycle Management, Data Loss Prevention, Insider Risk Management, eDiscovery, Audit, and Compliance Manager,” and from the catalog “administrators can open setup guides and configuration wizards for each solution.” This positioning makes the Purview compliance portal the correct portal when you are asked where the solution catalog lives.

By comparison, the Microsoft 365 admin center focuses on tenant administration and licensing, the Microsoft 365 Defender portal consolidates threat protection and security operations, and the Microsoft 365 Apps admin center targets Office app management and servicing. None of these are identified as the home of the Purview Solutions catalog. Therefore, the portal that contains the solution catalog is the Microsoft Purview compliance portal.

In Microsoft identity terminology, authentication is the step that proves who the user is when they attempt to sign in. Microsoft Learn defines it plainly: “Authentication is the process of proving the identity of a user, device, or service.” By contrast, “Authorization is the process of determining what a user, device, or service can do.” During sign-in to Microsoft Entra ID (formerly Azure AD), “the identity provider validates credentials and, upon successful authentication, issues tokens that applications use to grant access.” Microsoft further explains the available methods: “Microsoft Entra ID supports multiple authentication methods, including passwords, multi-factor authentication, FIDO2 security keys, certificate-based authentication, and federated authentication.”

Auditing and administration are not the mechanisms that verify identity at sign-in. Auditing “records security-relevant events for investigation and compliance,” while administration “refers to configuring and managing identities, access policies, and settings.” Therefore, in the sentence “When users sign in, _____ verifies their credentials to prove their identity,” the correct completion is authentication, because it is the control that validates the user’s credentials and establishes identity before any authorization decisions are made.

In Microsoft Defender for Cloud, the metric that represents the overall security health of your Azure subscription is secure score. Microsoft’s documentation explains: “Secure score provides an aggregated view of your security posture across your subscriptions and resources. It’s based on security recommendations; addressing those recommendations improves your score.” Defender for Cloud calculates secure score by assessing controls and recommendations mapped to standards, then weighting them by risk and importance: “Each recommendation contributes to the secure score. Completing remediation steps increases the score and reduces risk.” This single percentage view lets security teams quickly gauge how well current configurations and protections align with Microsoft’s security best practices and regulatory mappings. Other elements surfaced in Defender for Cloud—like “resource health,” “status of recommendations,” or “completed controls”—are components and statuses that feed into or relate to the scoring model, but the overall subscription security health indicator presented and tracked over time is secure score.

According to Microsoft’s Security, Compliance, and Identity (SCI) documentation and learning paths (specifically SC-900, SC-300, and Azure AD Identity Protection modules):

“Conditional Access policies in Azure AD are the primary method for enforcing access controls based on specific conditions such as user, group, location, device compliance, and application.”

In this case, the organization can configure a Conditional Access policy that targets a specific Azure AD group and requires MFA as a condition before access is granted. The typical policy setup includes:

Assignments: Target users or groups (e.g., “Finance Department Users”).

Cloud apps or actions: Specify which applications or services are protected (e.g., Microsoft 365).

Access controls: Set the control to “Require multi-factor authentication.”

Microsoft’s SCI training materials further state:

“Conditional Access enables administrators to enforce MFA for specific users, groups, or scenarios. It provides flexibility to protect access without enabling MFA globally for all users.”

Other options explained:

Azure Policy (A) applies to Azure resources, not user authentication.

Communication compliance policy (B) monitors message content for compliance violations.

User risk policy (D) is part of Azure AD Identity Protection, enforcing MFA based on detected user risk levels, not group membership.

Therefore, the verified and correct answer is: ✅ C. a Conditional Access policy.

 An external email address can be used to authenticate self-service password reset (SSPR). → Yes

 A notification to the Microsoft Authenticator app can be used to authenticate self-service password reset (SSPR). → Yes

 To perform self-service password reset (SSPR), a user must already be signed in and authenticated to Azure AD. → No

For Microsoft Entra self-service password reset (SSPR), users must register one or more authentication methods that can later be used when they forget their password or are locked out. Microsoft’s end-user guidance states that an email address option lets users configure “an alternate email address that can be used without requiring your forgotten or missing password,” and that this method is available only for password reset. In practice, this alternate address is typically a personal or external email (for example, Gmail), so using an external email to authenticate SSPR is valid.

SSPR can also use the Microsoft Authenticator app as an authentication method. Microsoft documents that Authenticator push notifications, including number matching, are supported for several scenarios, explicitly listing self-service password reset (SSPR) among them. This means a push notification to the app on the user’s device can be used to verify identity during SSPR.

Finally, SSPR is designed for situations where the user cannot sign in. Official SSPR process descriptions explain that users start from the “Can’t access your account?” or password-reset page, provide their username, and then use their registered methods to prove identity. They do not need to be already authenticated to Azure AD; SSPR exists precisely to recover access when sign-in fails.

Microsoft’s SCI learning content describes the Microsoft 365 Defender portal as a unified security operations experience that surfaces security posture and active threats on a card-based dashboard. In the overview of the portal, Microsoft explains that the home page “presents key security information in dashboard cards,” and that among these cards are summaries that highlight risky entities such as “Users at risk” and “Devices at risk.” These cards provide quick, actionable visibility for analysts by aggregating detections and exposure data across Microsoft Defender services (for identities and endpoints). The guidance emphasizes that the portal “correlates signals across identities, endpoints, email, and applications” and that security teams can use the dashboard cards to pivot directly into incidents and investigations from “Users at risk” or “Devices at risk” to take containment or remediation actions.

By contrast, Compliance Score is part of Microsoft Purview Compliance Manager, not the Microsoft 365 Defender portal; Service Health and User Management are functions of the Microsoft 365 admin center. Therefore, the cards you’ll find on the Microsoft 365 Defender portal that match the choices provided are Users at risk and Devices at risk.

Microsoft Defender for Endpoint includes Automated investigation and remediation (AIR) and Attack surface reduction (ASR) as core capabilities. Microsoft’s guidance states that AIR “uses inspection algorithms and playbooks to examine alerts, determine if they are malicious, and then take remediation actions such as stopping processes, quarantining files, and rolling back changes.” It is designed to “reduce the volume of alerts that require analyst attention and to remediate threats at machine speed across your estate,” helping security teams contain and fix issues without manual intervention.

Defender for Endpoint also provides attack surface reduction features to proactively limit exposure. The Microsoft learn materials describe that ASR “helps organizations minimize areas that attackers can exploit,” and includes “attack surface reduction rules, network protection, web protection, application control (Windows Defender Application Control), and controlled folder access.” These controls “block or constrain risky behaviors and common attacker techniques,” thereby preventing many initial compromise and lateral-movement attempts before they generate incidents.

By contrast, transport encryption is a general platform/security baseline capability rather than a specific Defender for Endpoint feature, and shadow IT detection is addressed through Microsoft Defender for Cloud Apps (App discovery), which can use Defender for Endpoint network signals but is not itself a native MDE capability. Therefore, the two correct capabilities of Microsoft Defender for Endpoint are Automated investigation and remediation and Attack surface reduction.

Box 1: Yes

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more

Box 2: Yes

Cloud security posture management (CSPM) is available for free to all Azure users.

Box 3: Yes

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they ' re in Azure or not - as well as on premises.