Microsoft Security, Compliance, and Identity Fundamentals (SC-900 Deutsch Version) - SC-900 Deutsch Exam Practice Test
Which two types of resources can be protected by using Azure Firewall? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer: A,D
Select the answer that correctly completes the sentence.


Correct Answer:

Explanation:

Biometrics templates are stored locally on a device. Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
Which two tasks can you implement by using data loss prevention (DLP) policies in Microsoft 365? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct Answer: B,C
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each selection is worth one point.

Correct Answer:

Explanation:
An external email address can be used to authenticate self-service password reset (SSPR): Yes
A notification to the Microsoft Authenticator app can be used to authenticate self-service password reset (SSPR): Yes
To perform self-service password reset (SSPR), a user must already be signed in and authenticated to Azure AD: No
For Microsoft Entra self-service password reset (SSPR), users must register one or more authentication methods that can later be used when they forget their password or are locked out. Microsoft's end-user guidance states that an email address option lets users configure "an alternate email address that can be used without requiring your forgotten or missing password," and that this method is available only for password reset. In practice, this alternate address is typically a personal or external email (for example, Gmail), so using an external email to authenticate SSPR is valid.
SSPR can also use the Microsoft Authenticator app as an authentication method. Microsoft documents that Authenticator push notifications, including number matching, are supported for several scenarios, explicitly listing self-service password reset (SSPR) among them. This means a push notification to the app on the user's device can be used to verify identity during SSPR.
Finally, SSPR is designed for situations where the user cannot sign in. Official SSPR process descriptions explain that users start from the "Can't access your account?" or password-reset page, provide their username, and then use their registered methods to prove identity. They do not need to be already authenticated to Azure AD; SSPR exists precisely to recover access when sign-in fails.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Microsoft explains that Conditional Access (CA) evaluates signals and then enforces access decisions using grant and session controls: "Conditional Access policies are enforced after first-factor authentication is completed" and are used to "make access control decisions." CA policies target users and groups, including administrators, unless explicitly excluded. Microsoft guidance recommends excluding only break-glass accounts: "Customers with Azure AD roles such as Global administrator should have at least one emergency access account excluded from policies." This means admins are not exempt by default; they are in scope unless you configure exclusions.
CA does not manage directory role assignments; that is handled by role assignment and Privileged Identity Management (PIM). CA's grant controls focus on access conditions: "Grant access... Require multi-factor authentication" and Microsoft lists a common baseline: "Require multi-factor authentication for all users." Therefore, CA can require MFA to access cloud apps, but it cannot add users to Azure AD roles.
These statements from Microsoft's SCI materials confirm the outcomes: Admins are not inherently exempt (No), CA cannot assign roles (No), and CA can force MFA for app access (Yes).
Which Azure Active Directory (Azure AD) feature can you use to provide just-in-time (JIT) access to manage Azure resources?
Correct Answer: C
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Microsoft's SCI/Learn content describes Azure AD (now Microsoft Entra ID) as a cloud service, not something you install on-premises. The docs state Azure AD is a "cloud-based identity and access management service" that "helps your employees sign in and access resources." This clarifies the third statement (IAM service) as Yes, and the first statement (on-premises deployment) as No, because the native on-prem directory is Windows Server Active Directory, whereas Azure AD runs in Microsoft's cloud and can be synchronized with on-prem AD via tools like Azure AD Connect.
Microsoft also explains licensing/availability: the service comes in several editions, and the free/Office 365 tier is included with many suites. The documentation explicitly notes that Azure AD is "included with subscriptions such as Microsoft 365" (formerly Office 365) and provides tenant-wide identity for those services. Therefore, stating that Azure AD is provided as part of a Microsoft 365 subscription is Yes.
In summary: Azure AD/Entra ID is a cloud identity and access management platform; it's not deployed on-premises, and Microsoft 365 subscriptions include an Azure AD tenant/edition to manage users, groups, apps, and access policies.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Conditional access policies always enforce MFA = No
Microsoft Entra Conditional Access policies are flexible and do not always require MFA. MFA is one possible control, but policies can enforce other access controls such as requiring a compliant device, blocking access entirely, requiring Terms of Use acceptance, or enforcing session controls.
SCI Extract: "Conditional Access is the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. These policies can require MFA, but it is not mandatory for all policies."
Block access based on location = Yes
Conditional Access supports location-based conditions using named locations (such as country or IP ranges). Policies can block or allow access based on where the user is signing in from.
SCI Extract: "Administrators can use Conditional Access policies to block or grant access based on user location, using named locations to define trusted or risky areas."
Only affects Entra joined devices = No
Conditional Access applies to all users and devices, including:
Entra-joined,
Hybrid Entra-joined,
Registered devices (via Microsoft Intune or Azure AD),
And even unmanaged (BYOD) devices depending on configuration.
SCI Extract: "Conditional Access policies apply to all users and devices based on selected conditions, not only Microsoft Entra joined devices."
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview