SC-900 試験問題を無料オンラインアクセス

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

正解：

Explanation:

Microsoft's identity platform (Microsoft Entra ID, formerly Azure AD) supports built-in and custom directory roles. The official guidance states that you can "create your own custom roles to grant permissions for management of Microsoft Entra resources," and those roles consist of specific role permissions that you select to tailor least-privilege administration. The documentation also lists Global administrator (formerly Company Administrator) as a built-in role that "has access to all administrative features" and can delegate role assignments, reset passwords for all users, and manage identity settings across the tenant. Regarding assignments, Microsoft is explicit that role assignment is many-to-many: administrators can "assign one or more roles to a user," and the user's effective permissions are the union of the privileges from all assigned roles. Consequently, (1) creating custom roles is supported (Yes), (2) Global administrator is indeed a defined Azure AD/Microsoft Entra role (Yes), and (3) a user being limited to only one role is incorrect (No) because multiple role assignments to the same user are permitted and commonly used to implement least privilege and separation of duties.
Box 1: Yes
Azure AD supports custom roles.
Box 2: Yes
Global Administrator has access to all administrative features in Azure Active Directory. Box 3: No Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles https://docs.microsoft.
com/en-us/azure/active-directory/roles/permissions-reference

Select the answer that correctly completes the sentence.

正解：

Explanation:

In Microsoft Entra Conditional Access, policy evaluation occurs after the user successfully completes first- factor authentication (for example, username + password or Windows Hello for Business key). Microsoft Learn explains that Conditional Access "is the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies" and that it's applied "after the first-factor authentication is completed." Once primary authentication succeeds, Conditional Access evaluates signals like user, device state, location, risk (from Identity Protection), and application, and then enforces controls such as requiring MFA, blocking access, or applying session controls.
This design ensures Conditional Access does not replace primary authentication and is not enforced before or during the initial credential verification. Instead, it adds a second policy decision point that can demand stronger proof (e.g., MFA), restrict access paths, or limit sessions. Therefore, "after" is correct, while
"before," "during," or "instead of" first-factor authentication are incorrect because Conditional Access relies on the initial sign-in to collect the necessary signals and then applies the configured access decisions and protections.

What Microsoft Purview feature can use machine learning algorithms to detect and automatically protect sensitive items?

• A.eDiscovery
• B.Communication compliance
• C.Information risks
• D.Data loss prevention

Which three tasks can be performed by using Azure Active Directory (Azure AD) Identity Protection? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A.Investigate risks that relate to user authentication.
• B.Create and automatically assign sensitivity labels to data.
• C.Automate the detection and remediation of identity based-risks.
• D.Export risk detection to third-party utilities.
• E.Configure external access for partner organizations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

正解：

Explanation:

Microsoft describes Windows Hello for Business (WHfB) as replacing passwords with a device-bound credential: "Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or a PIN." WHfB authenticators are biometric gesture or PIN unlocking an asymmetric key stored on the device (typically in the TPM). Microsoft clarifies that the PIN is not a password and is "local to the device" and used to unlock the user's private key. Consequently, Yes-a PIN is a supported WHfB sign-in gesture.
Conversely, the Microsoft Authenticator app is a separate Azure AD (Microsoft Entra ID) authentication method (push notifications, TOTP, passwordless phone sign-in). It is not the WHfB credential; WHfB relies on keys/certificates on the device, not on the Authenticator app.
Finally, WHfB credentials are per-device: Microsoft states the credential is "tied to a device" and the private key never leaves the device, which means it does not roam/sync across a user's different devices. Each device enrolls and provisions its own WHfB key and gesture. These statements from Microsoft SCI documentation lead to the outcomes: No / Yes / No.