Microsoft Security Compliance and Identity Fundamentals Online Practice
Last updated: June 4, 2026
Through these online practice questions, you can gauge how well you know the Microsoft SC-900 exam material and then decide whether to register for the exam.
To pass the exam 100% and cut exam preparation time by 35%, choose the SC-900 dumps (latest real exam questions), which include the 198 latest exam questions and answers.
Answer:
Explanation:
Microsoft Purview Information Protection (in the Microsoft 365 compliance center) enables you to discover, classify, label, and protect sensitive information across emails, documents, and other data stores. Labels and policies can enforce encryption, access restrictions, and visual markings, helping prevent unauthorized disclosure of sensitive data, whether inside or outside your organization.
Answer:
Explanation:
The Service Trust Portal is Microsoft’s public-facing portal that centralizes how Microsoft manages privacy, compliance, and security for its cloud services. It provides independent audit reports, compliance guides, data protection resources, and details on Microsoft’s internal controls and practices. It’s the authoritative place to learn how Microsoft meets global, regional, and industry standards.
Answer:
Explanation:
In the Core eDiscovery (Microsoft Purview) workflow, you first create a case, add case members, and then (typically) apply eDiscovery holds to relevant locations to preserve potentially responsive content before you run searches. While a hold isn’t strictly required to execute a search, Microsoft’s documented workflow shows holds occur prior to creating and running content searches so that items aren’t altered or deleted during the investigation. After holds, you create searches, review, and export.

Answer:
Explanation:
In Microsoft’s Security, Compliance, and Identity materials, Customer Lockbox is described as the feature that controls any Microsoft engineer access to your tenant content during support operations. Microsoft states that Customer Lockbox “ensures that Microsoft cannot access your content to perform a service operation without your explicit approval.” It is specifically applicable to Microsoft 365 workloads that store customer data, including “Exchange Online, SharePoint Online, and OneDrive for Business.” When a support case requires elevated access, “a lockbox request is created and routed to the customer for approval or rejection,” and access is only granted if the organization’s authorized admin approves the request within the defined window. The request contains who is requesting access, the reason, the scope, and the duration, and all actions are audited for compliance reporting. This capability aligns with Microsoft’s zero standing access principles by making engineer access time-bound, least-privileged, and customer-approved. By contrast, Information barriers segregate communications between groups, Privileged Access Management (PAM) governs privileged tasks inside Microsoft 365, and Sensitivity labels classify and protect data. Therefore, the feature that “can be used to provide Microsoft Support Engineers with access to an organization’s data stored in Microsoft Exchange Online, SharePoint Online, and OneDrive for Business” is Customer Lockbox.
Answer:
Explanation:
In Microsoft 365, Data Loss Prevention (DLP) policies are designed to “help you identify, monitor, and automatically protect sensitive information” across services such as Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams. Microsoft’s guidance explains that DLP uses sensitive information types (including built-in classifiers like Credit Card Number) to detect when content matches a defined pattern and then enforce protective actions. With DLP, you can create rules that trigger when email messages contain customer lists with credit card numbers, and choose actions to block the message, restrict access, or notify and educate users via policy tips and incident reports. Microsoft further notes that DLP “prevents the accidental sharing of sensitive information,” can require user justification to override, and supports granular conditions (e.g., number of matches, recipients internal vs. external) to ensure that only risky transmissions are stopped. By applying a DLP policy to Exchange with the Credit Card Number sensitive info type, an organization can block or quarantine outbound mail that includes those numbers, thereby reducing regulatory and data-exposure risk. The other options listed (retention policies, conditional access, and information barriers) serve different purposes (data lifecycle, access/authentication conditions, and restricting communication between groups) and do not inspect message contents for sensitive data. Hence, DLP policies are the correct control to restrict sending emails that contain customer lists and associated credit card numbers.

Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center?view=o365-worldwide
MIP capabilities are included with Microsoft 365 Compliance and give you the tools to know your data, protect your data, and prevent data loss.
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection?view=o365-worldwide
Answer:
Explanation:
In Microsoft Entra ID (Azure AD), Conditional Access is the policy engine that evaluates signals about the user, device, app, and session to determine whether to grant access and under what conditions. Microsoft’s guidance explains that Conditional Access is “the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies.” In device-centric scenarios, Conditional Access integrates with Microsoft Intune device compliance so you can enforce controls such as “Require device to be marked as compliant” or “Require approved client app” before granting access to corporate resources like Microsoft 365 and Azure apps. This allows organizations to block or limit access from unmanaged or noncompliant devices, and to allow access only from devices that meet your compliance policies (encryption, OS version, jailbreak/root status, etc.).
By contrast, Network Security Groups (NSGs) filter traffic at the virtual network/subnet/NIC level and are not identity-aware; Privileged Identity Management (PIM) governs just-in-time elevation and access reviews for privileged roles; and resource locks prevent accidental deletion or modification of Azure resources. Therefore, the Azure AD feature specifically designed to restrict access by Intune-managed device state and enforce device-based access conditions to corporate resources is Conditional Access.

Answer:
Explanation:
Microsoft Secure Score in the Microsoft 365 Defender portal aggregates improvement actions across Microsoft security workloads, including Microsoft Defender for Cloud Apps (formerly Cloud App Security). Microsoft states that “Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score, for any supported and connected app.” This means Secure Score can surface and recommend actions tied to Cloud App Security/Defender for Cloud Apps, validating statement 1 as Yes. Secure Score also includes peer comparison so organizations can benchmark their progress. The Microsoft documentation explicitly notes: “Compare your score to organizations like yours. There are two places to see how your score compares to organizations that are similar to yours.” This capability appears on the Overview experience in the Defender portal, confirming statement 2 as Yes. Finally, Secure Score recognizes mitigations implemented outside Microsoft tooling. In the official guidance for improvement actions, Microsoft explains the status options “Resolved through third party and Resolved through alternate mitigation,” adding: “You’ll gain the points that the action is worth, so your score better reflects your overall security posture.” Therefore, if you address an improvement action via a third-party product, Secure Score awards the associated points, making statement 3 Yes.
Answer:
Explanation:
For Azure data services such as Azure SQL Managed Instance, Microsoft provides threat detection and protection through Microsoft Defender for Cloud (via Microsoft Defender for SQL). Microsoft documentation states that Defender for Cloud “provides advanced threat protection for your SQL resources,” including Azure SQL Database and Azure SQL Managed Instance, by “continuously monitoring for anomalous activities and potential SQL injection, brute force, and exploitation attempts.” When enabled, the plan “generates security alerts when suspicious activities are detected,” and these alerts can be surfaced in Defender for Cloud, forwarded to Microsoft Sentinel, or integrated with workflows for response. Microsoft Secure Score is a security posture metric, application security groups are for network segmentation in Azure, and Azure Bastion provides secure RDP/SSH over TLS; none of these deliver database-specific threat detection. Therefore, to provide threat detection for Azure SQL Managed Instance, you use Microsoft Defender for Cloud (Defender for SQL).
Answer:
Explanation:
Microsoft positions Microsoft Sentinel as a cloud-native SIEM and SOAR that “collects data at cloud scale” and “detects, investigates, and responds to threats.” The extended detection and response (XDR) layer in Microsoft’s security stack is delivered by Microsoft 365 Defender, which “correlates signals across endpoints, identities, email, and apps to automatically detect, investigate, and remediate attacks.” Sentinel’s XDR capability is realized through its integration with Microsoft 365 Defender, enabling incident synchronization, alert enrichment, and bi-directional actions. Documentation explains that this integration “brings Microsoft 365 Defender incidents into Microsoft Sentinel,” unifying SIEM/SOAR analytics with the cross-domain XDR detections from Defender. Features such as automatic incident grouping, advanced hunting, and entity behavior flow from Microsoft 365 Defender to Sentinel, giving analysts an end-to-end XDR view. By contrast, threat hunting and workbooks are valuable Sentinel features, and compliance center is unrelated to XDR. The specific capability that provides Sentinel’s XDR experience is its integration with Microsoft 365 Defender.
Answer:
Explanation:
Microsoft Defender for Office 365 includes Safe Attachments, a protection that “checks attachments in a secure, virtual environment to detect malicious behavior.” In Microsoft’s guidance, Safe Attachments is described as part of the anti-malware pipeline that “routes messages with attachments to a detonation chamber; if no suspicious activity is detected, the message is released to the recipient, and if malicious behavior is found, the attachment is blocked or removed.” Administrators can choose Block, Replace, Dynamic Delivery, or Monitor actions. The Dynamic Delivery option specifically supports the use case in the question: the email body is delivered while the attachment is scanned, and “the attachment is automatically reattached and forwarded to the recipient only when it is determined to be safe.” This capability is unique to Defender for Office 365’s Safe Attachments, not to be confused with endpoint antivirus or identity tools. Defender Antivirus protects Windows devices, Defender for Identity secures on-premises identities, and Defender for Endpoint focuses on endpoint detection and response. Therefore, the Microsoft service you use to scan email attachments and forward them only when clean is Microsoft Defender for Office 365 (Safe Attachments).

Answer:
Explanation:
Microsoft documents for Defender for Endpoint (MDE) describe it as an enterprise endpoint security platform that supports Windows 10/11, Windows Server, Linux, macOS, and mobile platforms (Android and iOS/iPadOS). The platform provides threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation and remediation across those supported operating systems. Because MDE supports Windows client operating systems and servers, it can also be used on Azure virtual machines that run supported Windows versions; onboarding methods include local scripts, Microsoft Endpoint Manager, or cloud integrations, allowing VM endpoints to receive the same protection and EDR capabilities as physical devices.
By contrast, malware scanning in SharePoint Online, OneDrive, and Microsoft Teams is provided by Microsoft Defender for Office 365 (Safe Attachments for SharePoint, OneDrive, and Teams), a different service within the Microsoft 365 Defender family. This service analyzes files as they are uploaded or shared to detect and block malicious content in collaboration workloads, which is outside the scope of MDE’s endpoint-focused protections. Therefore: Android protection (Yes), Azure VMs running Windows 10 (Yes), and SharePoint Online anti-virus protection by MDE (No, handled by Defender for Office 365).
Answer:
Explanation:
Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft’s security guidance, defense in depth is described as employing “a series of mechanisms across multiple layers” to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By “placing multiple layers of defense throughout a network infrastructure,” an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft’s defense in depth methodology.
Answer:
Explanation:
Azure Firewall is a managed, cloud-based network security service designed to secure traffic inside and across Azure Virtual Networks. Microsoft describes Azure Firewall as a stateful firewall that “protects Azure Virtual Network resources” by enforcing network and application rules, central logging, and threat intelligence-based filtering. Because it is deployed into a VNet/subnet (often as the hub in a hub-and-spoke topology), it directly governs East/West and North/South flows to workloads such as Azure virtual machines and platform services reachable through the VNet, using DNAT/SNAT and rule collections. Microsoft guidance highlights capabilities to “centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks,” and to filter traffic for peered VNets, branch connections (VPN/ExpressRoute), and internet traffic. These capabilities explicitly map to protecting Azure virtual networks and the VMs and subnets inside them. In contrast, Azure AD users, Exchange Online inboxes, and SharePoint Online sites are SaaS/identity resources protected by Microsoft Entra controls, Exchange/SharePoint security, and Purview/Defender for Office 365, not by a VNet firewall. Therefore, the Azure Firewall-protectable resource types among the options are Azure virtual machines and Azure virtual networks.

Answer:
Explanation:
In Microsoft Sentinel, automation is delivered through playbooks, which are built on Azure Logic Apps. Microsoft’s Sentinel documentation explains that playbooks “help automate and orchestrate your response to threats” and can be triggered by analytics alerts or incidents to run predefined actions. Typical automated tasks include “enriching alerts with data, blocking IP addresses, disabling users, or creating tickets,” allowing security teams to standardize and speed up their response and remediation processes. Sentinel also uses automation rules to decide when a playbook should run (for example, on incident creation or update), enabling consistent handling of common SOC tasks.
By contrast, the other options are not intended for automation: deep investigation tools are used to investigate incidents and entities; hunting search-and-query tools (built on KQL) are for proactive threat hunting rather than automating responses; and workbooks provide dashboards and visualizations for monitoring and reporting. Therefore, when the requirement is to automate common tasks (such as triggering actions across Microsoft 365 Defender, Azure, or third-party systems), the correct Sentinel capability is playbooks powered by Logic Apps. This aligns with the SCI guidance that emphasizes using Sentinel playbooks to “automate common workflows and response actions” and reduce manual effort while improving consistency and speed in security operations.