Free practice test · no sign-up

SC-900Free Microsoft Security, Compliance & Identity Fundamentals practice test

  • ✓ 10 free questions
  • ✓ Instant answers & explanations
  • ✓ No sign-up, no email

10 real SC-900 practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 74 questions whenever you’re ready. The SC-900 passing score is 700 / 1000.

Question 1 of 10

When an organization runs its workloads on a Software as a Service (SaaS) offering, which responsibility almost always remains with the customer rather than the cloud provider?

Answer key

All 10 SC-900 questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free SC-900 test.

Q1. When an organization runs its workloads on a Software as a Service (SaaS) offering, which responsibility almost always remains with the customer rather than the cloud provider?

Correct answer: C. Managing user accounts, access rights, and the data they put into the service

Under the shared responsibility model, the provider handles the physical infrastructure and the platform, but the customer always keeps responsibility for their own accounts, access management, and data regardless of the service model.

Q2. A company places firewalls, network segmentation, endpoint protection, and data encryption at successive layers so that a single failure does not expose everything. Which security principle does this describe?

Correct answer: A. Defense in depth

Defense in depth layers multiple independent controls so that if one control is bypassed, others still stand between an attacker and the protected asset.

Q3. The Zero Trust guiding principle 'assume breach' most directly encourages an organization to do which of the following?

Correct answer: B. Limit the blast radius by segmenting access and continuously monitoring for anomalies

'Assume breach' means treating every request as if the environment is already compromised, so organizations minimize blast radius through segmentation, least privilege, and continuous verification and monitoring.

Q4. Which statement best captures the Zero Trust principle of 'verify explicitly'?

Correct answer: B. Access decisions should be based on all available signals such as identity, location, device health, and the resource requested

Verify explicitly means authenticating and authorizing every request using multiple data points, including user identity, device state, location, and the sensitivity of the resource, rather than assuming trust.

Q5. In the CIA triad, which element is protected when a system ensures that data has not been tampered with or altered by unauthorized parties?

Correct answer: B. Integrity

Integrity concerns keeping data accurate and unaltered; controls like hashing and digital signatures help detect unauthorized modification.

Q6. Which description correctly distinguishes symmetric encryption from asymmetric encryption?

Correct answer: A. Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses a public/private key pair

Symmetric algorithms rely on a single shared secret key for both operations, whereas asymmetric algorithms use a mathematically related public and private key pair.

Q7. Why is hashing, rather than encryption, commonly used to store password verifiers?

Correct answer: B. Hashing is a one-way function, so the stored value cannot be practically converted back to the original password

A hash function transforms input into a fixed-length value that cannot be feasibly reversed, so systems can verify a password by comparing hashes without ever storing the plaintext.

Q8. A user signs in successfully and is then allowed to open only the files their role permits. Which pair of terms describes 'signing in successfully' and 'being allowed to open only permitted files'?

Correct answer: B. Authentication and authorization

Authentication proves who the user is, and authorization then determines what that authenticated user is permitted to do.

Q9. A trust relationship is configured so that users authenticated by one organization's identity system can access another organization's applications without a separate account. What is this arrangement called?

Correct answer: A. Federation

Federation establishes trust between separate identity domains so an identity verified in one domain can be accepted by resources in another, avoiding duplicate credentials.

Q10. What is the primary purpose of Microsoft Entra ID?

Correct answer: A. To provide a cloud-based identity and access management service for signing in and accessing resources

Microsoft Entra ID is a cloud identity and access management service that authenticates users and controls access to applications and resources.

Exam facts and objectives sourced from the official Microsoft certification page. Last reviewed June 2026.

Ready for the full SC-900 bank? Start free.

74 questions, timed mock exams, and missed-question review — 30 free questions, no card.

Start free trial
SC-900 study guide & details →