199+ Free Azure SC-900 Practice Questions

Pass your Microsoft Security, Compliance, and Identity Fundamentals (SC-900) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~75-85% Pass Rate
199+ Questions
100% Free
2026 Statistics

Key Facts: Azure SC-900 Exam

  • Exam Questions: 40-60 (Microsoft)
  • Passing Score: 700/1000 (Microsoft, scaled)
  • Exam Duration: 65 min (Microsoft)
  • Exam Fee: $99 (Microsoft)
  • Security Solutions: 35-40% (largest domain)
  • Expiration: Never (does not expire)

The Azure SC-900 exam has 40-60 questions in 65 minutes with a passing score of 700/1000. Key domains: Microsoft Security Solutions (35-40%), Microsoft Entra (25-30%), Microsoft Compliance Solutions (20-25%), and Security/Compliance/Identity Concepts (10-15%). No prerequisites required. Certification does not expire. Exam fee is $99. Available in-person or online proctored.

Sample Azure SC-900 Practice Questions

Try these sample questions to test your Azure SC-900 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 199+ question experience with AI tutoring.

1. What is the primary purpose of the shared responsibility model in cloud computing?
A. To assign all security responsibilities to the cloud provider
B. To clarify which security tasks are handled by the cloud provider and which are handled by the customer
C. To ensure customers are fully responsible for all security aspects
D. To eliminate the need for customer security teams
Explanation: The shared responsibility model clarifies security responsibilities between the cloud provider and the customer. The provider is responsible for securing the cloud infrastructure (physical security, network, hypervisors), while the customer is responsible for securing what they put in the cloud (data, applications, identities, access management). This model varies by service type: IaaS places more responsibility on the customer, while SaaS places more on the provider.

2. Which security principle involves implementing multiple layers of defense to protect resources?
A. Zero Trust
B. Defense in depth
C. Least privilege
D. Separation of duties
Explanation: Defense in depth is a security strategy that employs multiple layers of security controls to protect resources. If one layer fails, subsequent layers provide protection. Azure implements defense in depth across seven layers: physical security, identity and access, perimeter, network, compute, application, and data. Each layer has specific security controls, creating a comprehensive security posture.

3. What is the core principle of the Zero Trust security model?
A. Trust but verify
B. Never trust, always verify
C. Trust internal networks, verify external networks
D. Verify once, trust always
Explanation: The Zero Trust model operates on the principle of "never trust, always verify." It assumes breach and verifies each request as though it originated from an uncontrolled network. Zero Trust requires strict identity verification for every person and device trying to access resources, regardless of whether they are inside or outside the network perimeter. Microsoft implements Zero Trust through strong identity verification, device compliance validation, and least privilege access.

4. Which Azure service is used to store and manage cryptographic keys, certificates, and secrets?
A. Azure Security Center
B. Azure Key Vault
C. Azure Active Directory
D. Azure Policy
Explanation: Azure Key Vault is a cloud service for securely storing and managing cryptographic keys, certificates, and secrets (such as passwords, API keys, and connection strings). It provides centralized storage with FIPS 140-2 Level 2 validated hardware security modules (HSMs), access monitoring, and simplified certificate management. Key Vault helps prevent accidental credential exposure in code and configuration files.

5. What is the primary difference between authentication and authorization?
A. They are the same thing
B. Authentication verifies identity; authorization determines what actions are permitted
C. Authentication determines permissions; authorization verifies identity
D. Authentication is for users; authorization is for devices only
Explanation: Authentication verifies who you are (proving identity through credentials like passwords, biometrics, or tokens), while authorization determines what you are allowed to do (access rights and permissions). Authentication always precedes authorization - you must first prove who you are before the system can determine what resources you can access.

6. In the context of encryption, what is the main difference between symmetric and asymmetric encryption?
A. Symmetric uses one key; asymmetric uses a key pair
B. Symmetric is faster but less secure; asymmetric is slower but more secure
C. Symmetric is used for data at rest; asymmetric is used for data in transit
D. Both A and B are correct
Explanation: Symmetric encryption uses a single shared key for both encryption and decryption, making it faster but requiring secure key distribution. Asymmetric encryption uses a key pair (public and private), where data encrypted with the public key can only be decrypted with the private key. Asymmetric encryption is computationally intensive but solves the key distribution problem. In practice, hybrid approaches often use asymmetric encryption to exchange symmetric keys, then use symmetric encryption for bulk data.

7. What is hashing used for in security?
A. To encrypt data for storage
B. To verify data integrity and store passwords securely
C. To compress data for faster transmission
D. To authenticate users in real-time
Explanation: Hashing is a one-way function that converts data into a fixed-size string of characters (hash value). It is primarily used for verifying data integrity (detecting tampering) and securely storing passwords (storing the hash rather than the plain text). Unlike encryption, hashing cannot be reversed - you cannot recover the original data from its hash. Common hash algorithms include SHA-256 and bcrypt for passwords.

8. Which component of GRC (Governance, Risk, and Compliance) focuses on ensuring organizational activities align with business goals and policies?
A. Risk
B. Compliance
C. Governance
D. Security operations
Explanation: Governance in GRC focuses on establishing and maintaining the organizational structure, policies, and processes to ensure that IT and business activities align with organizational goals. It includes defining roles and responsibilities, decision-making frameworks, and oversight mechanisms. Risk management identifies and mitigates threats, while Compliance ensures adherence to regulatory requirements and standards.

9. What is Microsoft Entra ID (formerly Azure AD)?
A. A database service for storing user information
B. Microsoft's cloud-based identity and access management service
C. A virtual network service for Azure
D. A backup and disaster recovery solution
Explanation: Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. It provides authentication, authorization, and user management for Microsoft 365, Azure, and SaaS applications. Entra ID enables single sign-on (SSO), multifactor authentication (MFA), conditional access, and identity protection. It supports various identity types including cloud-only, synchronized from on-premises AD, and guest users.

10. Which Entra ID identity type represents users who are managed entirely in the cloud?
A. Synchronized identities
B. Cloud-only identities
C. Federated identities
D. Guest identities
Explanation: Cloud-only identities are user accounts created and managed entirely within Microsoft Entra ID, with no connection to on-premises Active Directory. These accounts exist only in the cloud and are authenticated by Entra ID. In contrast, synchronized identities are replicated from on-premises AD using Microsoft Entra Connect, and federated identities authenticate through an external identity provider.

About the Azure SC-900 Exam

The Microsoft SC-900 exam validates foundational knowledge of security, compliance, and identity concepts across cloud-based and related Microsoft services including Microsoft Entra, Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Purview.

  • Questions: 50 scored questions
  • Time Limit: 65 minutes
  • Passing Score: 700/1000 (scaled)
  • Exam Fee: $99 (Microsoft / Pearson VUE)

Azure SC-900 Exam Content Outline

  • Security, Compliance, and Identity Concepts (10-15%): Zero Trust principles, shared responsibility model, defense in depth, encryption concepts, identity as security perimeter
  • Microsoft Entra (25-30%): Entra ID features (SSO, MFA, Conditional Access), hybrid identity, identity protection, governance (PIM, access reviews)
  • Microsoft Security Solutions (35-40%): Defender XDR (Endpoint, Identity, Office 365, Cloud Apps), Microsoft Sentinel (SIEM, SOAR), Azure network security
  • Microsoft Compliance Solutions (20-25%): Microsoft Purview (sensitivity labels, DLP, records management), Compliance Manager, Insider Risk Management, eDiscovery

How to Pass the Azure SC-900 Exam

What You Need to Know

  • Passing score: 700/1000 (scaled)
  • Exam length: 50 questions
  • Time limit: 65 minutes
  • Exam fee: $99

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Azure SC-900 Study Tips from Top Performers

1. Focus on Microsoft Security Solutions (35-40%) — know Defender XDR, Sentinel, and Azure network security
2. Master Microsoft Entra concepts — SSO, MFA, Conditional Access, PIM, and access reviews
3. Understand Zero Trust principles: verify explicitly, use least privilege, assume breach
4. Know Microsoft Purview capabilities — sensitivity labels, DLP, retention policies, and eDiscovery
5. Use the free Microsoft Learn paths — they align directly with exam objectives
6. This is a concepts exam — focus on "what does it do" rather than "how to configure it"

Frequently Asked Questions

What is the Azure SC-900 exam?

The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam validates foundational knowledge of security, compliance, and identity across Microsoft cloud services. It covers Zero Trust, Microsoft Entra ID, Defender XDR, Sentinel, and Purview compliance tools.

How many questions are on the SC-900 exam?

The SC-900 exam has 40-60 multiple-choice questions in 65 minutes. The passing score is 700 out of 1000 (scaled). Questions test conceptual understanding rather than hands-on configuration skills.

Are there prerequisites for the SC-900 exam?

No prerequisites are required. Anyone can take the SC-900 exam. AZ-900 (Azure Fundamentals) is recommended but not required. The certification does not expire, making it a permanent addition to your credentials.

What is the largest domain on the SC-900 exam?

Microsoft Security Solutions is the largest domain at 35-40%. It covers Microsoft Defender XDR suite (Endpoint, Identity, Office 365, Cloud Apps), Microsoft Sentinel (SIEM/SOAR), Azure network security (Firewall, NSGs, DDoS), and Defender for Cloud.

How should I prepare for the SC-900 exam?

Plan for 20-30 hours of study over 2-4 weeks. Use the free Microsoft Learn paths as your primary study material. Focus heavily on Microsoft Security Solutions (35-40%) and Microsoft Entra (25-30%). Complete 200+ practice questions and aim for 80%+ before scheduling.