Microsoft Security, Compliance, and Identity Fundamentals (SC-900日本語版) - SC-900日本語 Exam Practice Test

Explanation:

In Microsoft Purview Information Protection, sensitivity labels are the core mechanism to classify and protect content. The Microsoft SCI learning content explains that a sensitivity label can "apply protection such as encryption and rights restrictions to files and emails," allowing you to define who can access the content and what they can do (view, edit, print, forward). When you configure a label with Encrypt settings, the service uses Azure Rights Management to enforce protection persistently, so the encryption travels with the file wherever it goes.
Labels can also apply content marking. The official guidance states that labels can "add visual markings- headers and footers-to Office files and email to make the sensitivity of content obvious." This is commonly used to stamp messages and documents with text such as Confidential or Internal. SCI materials further clarify that labels can apply watermarks to Office documents (Word, Excel, PowerPoint) as part of content marking, but watermarks are not applied to email messages; only headers and footers are supported for email.
Putting it together: encryption (Yes) and headers/footers on documents (Yes) are supported label actions.
Watermarks are supported for documents but not for email, so "Sensitivity labels can apply watermarks to emails" is No.

Explanation:

In Microsoft's Security, Compliance, and Identity portfolio, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integrates directly with Microsoft Entra Conditional Access to provide Conditional Access App Control-Microsoft's real-time session control. Microsoft's documentation describes this capability as enabling organizations to "monitor and control user sessions in real time" and to "protect downloads, restrict uploads, block copy/paste and print, and apply access or session policies" for sanctioned and unsanctioned applications. The enforcement is achieved through a reverse-proxy session that is invoked by Conditional Access policy decisions, allowing continuous inspection and dynamic controls after authentication.
By contrast, other options in the list do not offer real-time session enforcement via Conditional Access. Azure AD Privileged Identity Management (PIM) focuses on just-in-time role activation, approval workflows, and access reviews for privileged accounts-not session control of app usage. Microsoft Defender for Cloud provides cloud security posture management and workload protection across Azure, multicloud, and hybrid resources-again, not Conditional Access-based user session governance. Microsoft Sentinel is a SIEM
/SOAR solution used for ingestion, detection, investigation, and response; it does not apply Conditional Access policies to control user sessions. Therefore, the service that can use Conditional Access policies to control sessions in real time is Microsoft Defender for Cloud Apps through Conditional Access App Control.

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation:

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.
By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos
/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Reference:
In Microsoft SCI terminology, authorization is the stage that answers "what can this authenticated user do?" Microsoft Learn explains that authorization is "the process of determining what a user is allowed to do or access after they have been authenticated" and governs access to specific resources (apps, APIs, data) through policies such as role assignments, permissions, and Conditional Access. By contrast, authentication is "the process of proving identity," for example by entering a password, using MFA, or presenting a certificate- authentication verifies who the user is, not what they can access.
SCI guidance further clarifies adjacent concepts: single sign-on (SSO) streamlines the authentication experience by allowing a user to sign in once and then access multiple applications without repeated prompts; it does not decide the user's rights within those apps. Federation establishes trust between identity providers and service providers to enable cross-domain authentication, but authorization decisions still occur based on the receiving service's policies and the user's claims/roles.
Therefore, when the sentence asks for "the process of identifying whether a signed-in user can access a specific resource," the correct concept is authorization, because it evaluates the user's permissions and enforces access control after successful authentication.

Explanation:

Box 1: Yes
Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more Box 2: Yes Cloud security posture management (CSPM) is available for free to all Azure users.
Box 3: Yes
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they ' re in Azure or not - as well as on premises.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-defender
https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction https://docs.
microsoft.com/en-us/azure/security-center/security-center-introduction

Reference:
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cloud-services-security-baseline

Explanation:

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft's SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that "helps you manage your organization's compliance requirements," providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins "use the Microsoft
365 Compliance Center to access Compliance Manager," where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.

Explanation:

Microsoft documents for Defender for Endpoint (MDE) describe it as an enterprise endpoint security platform that supports Windows 10/11, Windows Server, Linux, macOS, and mobile platforms (Android and iOS
/iPadOS). The platform provides threat and vulnerability management, attack surface reduction, next- generation protection, endpoint detection and response, and automated investigation and remediation across those supported operating systems. Because MDE supports Windows client operating systems and servers, it can also be used on Azure virtual machines that run supported Windows versions; onboarding methods include local scripts, Microsoft Endpoint Manager, or cloud integrations, allowing VM endpoints to receive the same protection and EDR capabilities as physical devices.
By contrast, malware scanning in SharePoint Online, OneDrive, and Microsoft Teams is provided by Microsoft Defender for Office 365 (Safe Attachments for SharePoint, OneDrive, and Teams)-a different service within the Microsoft 365 Defender family. This service analyzes files as they are uploaded or shared to detect and block malicious content in collaboration workloads, which is outside the scope of MDE's endpoint-focused protections. Therefore: Android protection (Yes), Azure VMs running Windows 10 (Yes), and SharePoint Online anti-virus protection by MDE (No, handled by Defender for Office 365).

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).