Microsoft Security, Compliance, and Identity Fundamentals (SC-900 Deutsch Version) - SC-900 Deutsch Exam Practice Test

Explanation:

Microsoft describes hybrid identity as integrating on-premises Active Directory with Microsoft Entra ID (Azure AD) so that "your on-premises identities are synchronized to Azure AD" for a single identity across cloud and on-prem apps. In this model, directory objects (users, groups, and selected attributes) flow from on- premises AD to Azure AD using Azure AD Connect or Cloud Sync; this is the canonical direction for provisioning in hybrid environments. Microsoft further explains that while certain writeback features (such as password writeback, device or group writeback scenarios) are supported, cloud-created users do not automatically sync down to on-premises AD; account provisioning remains authoritative on-prem unless you deploy specific, limited writeback features-there is no default "user account creation from Azure AD to AD DS." For authentication, Microsoft states that hybrid identity supports cloud authentication (Password Hash Synchronization or Pass-through Authentication) where Azure AD performs the sign-in, or federation with another identity provider (e.g., AD FS or a third-party IdP) where that provider validates credentials and issues tokens to Azure AD. These statements align with Microsoft's SCI guidance on hybrid identity: on-prem to cloud sync is standard; automatic reverse user sync is not; and authentication can be handled by Azure AD or a federated IdP depending on the chosen sign-in method.

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation:

Microsoft states that Identity Protection is used to "detect potential vulnerabilities affecting your organization' s identities, configure automated responses, and investigate suspicious actions related to your organization's identities." It evaluates user risk and sign-in risk using detections such as "leaked credentials, anonymous IP address, unfamiliar sign-in properties, [and] impossible travel." These built-in detections confirm that the service can detect whether valid user credentials have been found in public or criminal datasets-commonly referred to as leaked credentials-thereby reducing identity compromise risk.
Identity Protection includes policy controls that "automate the response to detected risks," specifically the User risk policy and Sign-in risk policy. Microsoft describes that these policies can "require password change when user risk is detected" and "require multi-factor authentication when sign-in risk is detected." Therefore, Identity Protection can invoke MFA based on risk as part of Conditional Access-backed risk policies.
However, Identity Protection does not perform group lifecycle management. Microsoft positions group membership automation under Azure AD dynamic groups/Identity Governance, not Identity Protection.
Consequently, adding users to groups based on risk level is not a function of Identity Protection, which focuses on detection, risk evaluation, and policy-driven remediation (e.g., MFA or password reset), not group assignment.

Explanation:

In Microsoft identity and access management terminology, federation refers to the establishment of a trust relationship between identity providers, which enables single sign-on (SSO) across different organizations or platforms.
According to the Microsoft Security, Compliance, and Identity (SCI) learning path, particularly in the SC-900 and SC-300 certifications, the following definition is provided:
"Federation is a means of establishing trust between two identity systems. This trust allows users from one domain to access resources in another domain without needing to authenticate again, typically using SAML, WS-Federation, or OAuth protocols." This concept is essential in cross-organization SSO scenarios, such as enabling users from one enterprise (or identity provider) to authenticate with services hosted in another, using existing credentials.
SCI documentation further states:
"Single sign-on (SSO) between multiple identity providers is enabled through federation protocols, which delegate authentication and allow token-based identity propagation across systems." The other options are not accurate in this context:
Integration is a vague term and not specific to SSO configuration.
Password hash synchronization and pass-through authentication are Azure AD authentication methods used for hybrid identity with on-premises AD, not for federating with external identity providers.
# Therefore, SSO configured between multiple identity providers is best classified as an example of federation.

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Explanation:

In Microsoft's Security, Compliance, and Identity guidance, multi-factor authentication (MFA) is based on combining independent categories of credentials to verify a user. Microsoft describes the three factor types as:
something you know (knowledge), something you have (possession), and something you are (inherence). A password is explicitly categorized as "something you know," because it relies on a secret the user memorizes and types during sign-in. MFA improves security by requiring two or more of these distinct factors-e.g., a password (know) plus a phone approval or hardware token (have), or a biometric like Windows Hello (are).
Using factors from different categories mitigates common attacks such as password spray, credential stuffing, and phishing, because compromising one factor (for example, the password) does not grant access without the second, unrelated factor. Microsoft recommends enabling MFA broadly and pairing passwords with stronger possession or inherence methods to achieve a measurable reduction in account compromise risk. Therefore, in the MFA model used by Microsoft Entra ID (Azure AD), a password is considered something you know.

Explanation:

Microsoft Purview Compliance Manager is designed to give organizations a continuous view of their compliance posture. In Microsoft's Security, Compliance, and Identity guidance, Compliance Manager is described as a capability that assesses your compliance posture against regulatory standards and data protection baselines and updates the compliance score as you implement or fail controls. The platform aggregates signals from assessments, controls, and improvement actions, then recalculates your compliance score as evidence is collected and actions are marked complete or tested. Because these evaluations are tied to live improvement actions and mapped controls (such as access, data protection, and governance controls), your organization's status isn't limited to a fixed reporting cycle; rather, it reflects ongoing progress and gaps across supported regulations and standards.
SCI study materials also emphasize that the score is not a one-time audit: it's a running indicator of risk reduction and control implementation. As you address recommendations, add or update evidence, or connect automated tests where available, the score and related dashboards refresh to show the latest compliance state.
This makes Compliance Manager suitable for continuous assessment, enabling organizations to monitor posture, prioritize work, and demonstrate incremental improvements over time-hence, it assesses compliance data continually for an organization.