SC-900: Microsoft Security, Compliance, and Identity Fundamentals Sample Questions

Last Updated: 1/19/2022

User Guide

These sample questions are intended to provide an overview of the style, wording, and difficulty of the questions that you are likely to experience on this exam. These questions are not the same as what you will see on the exam nor is this document illustrative of the length of the exam or its complexity (e.g., you may see additional question types, multiple case studies, and possibly labs). These questions are examples only to provide insight into what to expect on the exam and help you determine if additional preparation is required.

In the first section, you will find the questions without answers so that you can test your knowledge. In the second section, the answer, a rationale, and a URL that links to additional information are provided immediately below each question.

Questions

Question # 1 (Multiple Choice)

The zero-trust model operates on the principle of “trust no one, verify everything.” You need to implement the zero-trust model in your organization.

Which two options are the guiding principles of a zero-trust model?

A. Verify explicitly
B. Assume breach
C. Role based access
D. Perimeter security

Question # 2 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ is the new security perimeter.

A. Firewall
B. Identity
C. Network
D. Azure Active Directory

Question # 3 (Matching)

Match the Azure Active Directory (Azure AD) device identity on the left to the correct description on the right.

Azure AD device identity
A. Azure AD registered devices
B. Azure AD joined devices
C. Hybrid Azure AD joined devices

Descriptions
1. These devices are typically owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.
2. These devices are typically personally owned, rather than by the organization. They are signed in with a personal Microsoft account or another local account.
3. These devices exist only in the cloud and are typically owned by an organization. They are signed in with an organization Azure AD account.

Question # 4 (Multiple Choice)

You need to look for a hybrid identity solution between Azure Active Directory (Azure AD) and your on-premises Active Directory. It needs to provide a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers.

Which authentication method should you use?

A. Password Hash synchronization
B. Pass-through authentication
C. Federated authentication
D. Directory synchronization

Question # 5 (Multiple Choice)

How many authentication factors must be presented by a user after you enable multi-factor authentication (MFA)?

A. two
B. three
C. four
D. five

Question # 6 (Multiple Choice)

Sign-in risk is a signal used by Conditional Access policies to decide whether to grant or deny access.

What is a sign-in risk?

A. The probability that the device is owned by the identity owner.
B. The probability that the authentication request is not authorized by the identity owner.
C. The probability that the user is authorized to view data from a particular application.
D. The probability that a given identity or account is compromised.

Question # 7 (Multiple Choice)

Which two Azure Active Directory features can be implemented for end users to see the relevant legal disclaimers or the compliance requirement statement being displayed?

A. Terms of use
B. Conditional Access Policy
C. Privileged Identity Management
D. Identity Protection

Question # 8 (Multiple Choice)

You want to restrict and audit an administrator’s access in Azure Active Directory (Azure AD).

Which feature can you use to provide just-in-time and audit administrator access to Azure resources?

A. Azure AD Conditional Access policies
B. Azure AD Privileged Identity Management (PIM)
C. Azure role-based access control (Azure RBAC)
D. Azure AD Identity Protection

Question # 9 (Multiple Choice)

Which is the most cost-effective Azure service that can be used to filter the traffic to Azure Virtual Machines?

A. Bastion
B. Firewall
C. Network Security Groups
D. DDoS Protection

Question # 10 (Sentence Completion)

Select the answer that correctly completes the sentence.

You can use ______________ to provide a secure Remote Desktop Protocol (RDP) connection into an Azure virtual machine by using a web browser and the Azure portal.

A. Azure Bastion
B. Azure Front Door
C. Azure Load Balancer
D. Application Security Group

Question # 11 (Multiple Choice)

You need to strengthen your cloud security posture and have a secure score in comparison to industry standards. You also need to view reports of various security configurations done in the environment.

Which tool helps you complete these tasks?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Azure Firewall
D. Microsoft Defender for Identity

Question # 12 (Sentence Completion)

Select the answer that correctly completes the sentence.

______________________ is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat protection.

A. Azure Advisor
B. Azure Bastion
C. Azure Monitor
D. Microsoft Sentinel

Question # 13 (Multiple Choice)

Which Microsoft 365 Defender service safeguards your organization against threats posed by malicious email messages and links (URLs)?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Identity
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps

Question # 14 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ is one of the tools in the Microsoft 365 Defender portal and is a representation of a company's security posture.

A. Insider Risk Management
B. Secure Score
C. Information Governance
D. App Governance

Question # 15 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ includes Microsoft Secure Score for Devices.

A. Microsoft Defender for Cloud
B. Microsoft Defender for Identity
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Office 365

Question # 16 (Multiple Choice)

What is the preferred way to add Microsoft compliance documents and resources that are relevant to your organization in the Service Trust Portal?

A. Save the documents to your My Library.
B. Print each document so you can easily refer to them.
C. Download each document.
D. Go to the resources section.

Question # 17 (Multiple Choice)

Your organization uses Microsoft Teams to collaborate on all projects. The compliance administrator wants to prevent users from accidentally sharing sensitive information in a Microsoft Teams chat session.

Which capability can address this requirement?

A. Data loss prevention policies
B. Records Management
C. Retention policies
D. Azure Information Protection

Question # 18 (Multiple Choice)

Which Microsoft 365 feature can you use to prevent employees in the HR department from communicating with employees in the Finance department?

A. Administrative units
B. Management groups
C. Data loss prevention
D. Information barriers

Question # 19 (Multiple Choice)

A company has a Microsoft 365 subscription. The company documents are stored on SharePoint sites.

You need to encrypt the documents that contain credit card numbers.

What should you use to encrypt the documents?

A. Information barriers
B. Sensitivity label policies
C. Retention label policies
D. Data loss prevention policies

Question # 20 (Matching)

Match the Azure service on the left to the correct description on the right.

Azure service
A. Azure Blueprints
B. Azure Policy
C. Azure Role-based access control

Descriptions
1. manages who has access to Azure resources, what they can do with those resources, and what areas they can access
2. enforces standards and assesses compliance across your organization
3. rapidly provisions and runs new environments with the knowledge that they are in line with the organization’s compliance requirements

Questions and Answers

Question # 1 (Multiple Choice)

The zero-trust model operates on the principle of “trust no one, verify everything.” You need to implement the zero-trust model in your organization.

Which two options are the guiding principles of a zero-trust model?

A. Verify explicitly
B. Assume breach
C. Role based access
D. Perimeter security

Item Description
Answer: A, B
Objective: 1.1 Describe security and compliance concepts
Rationale: The Zero Trust model has three principles which guide and underpin how security is implemented. These are: verify explicitly, least privilege access, and assume breach.
• Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.
• Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk based adaptive policies, and data protection to protect both data and productivity.
• Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
URL: https://learn.microsoft.com/training/modules/describe-security-concepts-methodologies/2-describe-zero-trust-methodology?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.wwl.describe-concepts-of-security-compliance-identity

Question # 2 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ is the new security perimeter.

A. Firewall
B. Identity
C. Network
D. Azure Active Directory

Item Description
Answer: B
Objective: 1.2 Define identity concepts
Rationale: A traditional perimeter-based security model is no longer enough for most organizations. Identity has become the new security perimeter that enables organizations to secure their assets. An identity is how someone or something can be verified and authenticated to be who they say they are. An identity may be associated with a user, an application, a device, or something else.
URL: https://learn.microsoft.com/training/modules/describe-identity-principles-concepts/3-define-identity-primary-security-perimeter

Question # 3 (Matching)

Match the Azure Active Directory (Azure AD) device identity on the left to the correct description on the right.

Azure AD device identity
A. Azure AD registered devices
B. Azure AD joined devices
C. Hybrid Azure AD joined devices

Descriptions
1. These devices are typically owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.
2. These devices are typically personally owned, rather than by the organization. They are signed in with a personal Microsoft account or another local account.
3. These devices exist only in the cloud and are typically owned by an organization. They are signed in with an organization Azure AD account.

Item Description
Answer: A2, B3, C1
Objective: 2.1 Describe the basic identity services and identity types of Azure AD
Rationale: Azure AD registered devices can be Windows 10, iOS, Android, or macOS devices. Devices that are Azure AD registered are typically owned personally, rather than by the organization. They are signed in with a personal Microsoft account or another local account.
Azure AD joined devices exist only in the cloud. Azure AD joined devices are owned by an organization and signed in with an organization Azure AD account. Users sign into their devices with their Azure AD or synced Active Directory work or school accounts. You can configure Azure AD joined devices for all Windows 10 devices (except Windows 10 Home).
Hybrid Azure AD joined devices can be Windows 7, 8.1, or 10 or Windows Server 2008 or newer. Devices that are hybrid Azure AD joined are owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.
URL: https://learn.microsoft.com/training/modules/explore-basic-services-identity-types/4-describe-identity-types?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.wwl.describe-capabilities-of-microsoft-identity-access-management-solutions

Question # 4 (Multiple Choice)

You need to look for a hybrid identity solution between Azure Active Directory (Azure AD) and your on-premises Active Directory. It needs to provide a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers.

Which authentication method should you use?

A. Password Hash synchronization
B. Pass-through authentication
C. Federated authentication
D. Directory synchronization

Item Description
Answer: B
Objective: 2.1 Describe the basic identity services and identity types of Azure AD
Rationale: Pass-through authentication (PTA) provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with an on-premises Active Directory, which ensures that the password validation does not happen in the cloud.
URL: https://learn.microsoft.com/training/modules/explore-basic-services-identity-types/6-describe-concept-of-hybrid-identities

Question # 5 (Multiple Choice)

How many authentication factors must be presented by a user after you enable Multi-Factor Authentication (MFA) in Azure Active Directory?

A. two
B. three
C. four
D. five

Item Description
Answer: A
Objective: 2.2 Describe the authentication capabilities of Azure AD
Rationale: Azure Active Directory Multi-Factor Authentication works by requiring:
• Something you know – typically a password or PIN and
• Something you have – such as a trusted device that's not easily duplicated, like a phone or hardware key or
• Something you are – biometrics like a fingerprint or face scan.
MFA requires that a user presents at least two authentication factors.
URL: https://learn.microsoft.com/training/modules/explore-authentication-capabilities/2-describe-multi-factor-authentication

Question # 6 (Multiple Choice)

Sign-in risk is a signal used by Conditional Access policies to decide whether to grant or deny access.

What is a sign-in risk?

A. The probability that the device is owned by the identity owner.
B. The probability that the authentication request is not authorized by the identity owner.
C. The probability that the user is authorized to view data from a particular application.
D. The probability that a given identity or account is compromised.

Item Description
Answer: B
Objective: 2.3 Describe the access management capabilities of Azure AD
Rationale: Sign-in risk is the real-time calculation that a given authentication request was made by the specific user’s identity.
Real-time sign-in risk detection: Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multifactor authentication to reduce their risk level, or block them from access until an administrator takes manual action.
Sign-in risk is independent of device and access rights, and only works on signals like: Anonymous IP address, Atypical travel, Anomalous Token, Token Issuer Anomaly, Malware linked IP address, Suspicious browser, Unfamiliar sign-in properties, Admin confirmed user compromised, Malicious IP address, Suspicious inbox manipulation rules, Password spray, Impossible travel, New country, Activity from anonymous IP address, Suspicious inbox forwarding, Azure AD threat intelligence.
URL: https://learn.microsoft.com/training/modules/explore-access-management-capabilities/2-describe-conditional-access-its-benefits
https://learn.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-risks

Question # 7 (Multiple Choice)

Which two Azure Active Directory features can be implemented for end users to see the relevant legal disclaimers or the compliance requirement statement being displayed?

A. Terms of use
B. Conditional Access Policy
C. Privileged Identity Management
D. Identity Protection

Item Description
Answer: A, B
Objective: 2.4 Describe the identity protection and governance capabilities of Azure AD
Rationale: Conditional Access policies are used to require that a terms of use statement be displayed and to ensure that the user has agreed to those terms before accessing an application. Admins can then view who has agreed to terms of use, and who has declined.
Azure AD terms of use allow information to be presented to users before they access data or an application. Terms of use ensure users read relevant disclaimers for legal or compliance requirements.
URL: https://learn.microsoft.com/training/modules/describe-identity-protection-governance-capabilities/3-describe-what-entitlement-management-access-reviews

Question # 8 (Multiple Choice)

You want to restrict and audit an administrator’s access in Azure Active Directory (Azure AD).

Which Azure feature can you use to provide just-in-time and audit administrator access to Azure resources?

A. Azure AD Conditional Access policies
B. Azure AD Privileged Identity Management (PIM)
C. Azure role-based access control (Azure RBAC)
D. Azure AD Identity Protection

Item Description
Answer: B
Objective: 2.4 Describe the identity protection and governance capabilities of Azure AD
Rationale: Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.
URL: https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure

Question # 9 (Multiple Choice)

Which is the most cost-effective Azure service that can be used to filter the traffic to Azure Virtual Machines?

A. Bastion
B. Firewall
C. Network Security Groups
D. DDoS Protection

Item Description
Answer: C
Objective: 3.1 Describe basic security capabilities in Azure
Rationale: Network Security Group: Network security groups (NSGs) let you allow or deny network traffic to and from Azure resources that exist in your Azure virtual network, for example, a virtual machine. When you create an NSG, it can be associated with multiple subnets or network interfaces in your VNet. An NSG consists of rules that define how the traffic is filtered.
URL: https://learn.microsoft.com/training/modules/describe-basic-security-capabilities-azure/2-describe-azure-network-security-groups

Question # 10 (Sentence Completion)

Select the answer that correctly completes the sentence.

You can use ______________ to provide a secure Remote Desktop Protocol (RDP) connection into an Azure virtual machine by using a web browser and the Azure portal.

A. Azure Bastion
B. Azure Front Door
C. Azure Load Balancer
D. Application Security Group

Item Description
Answer: A
Objective: 3.1 Describe basic security capabilities in Azure
Rationale: Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal.
This article shows you how to securely and seamlessly SSH to your Linux VMs in an Azure virtual network. You can connect to a VM directly from the Azure portal. When using Azure Bastion, VMs don’t require a client, agent, or additional software.
URL: https://learn.microsoft.com/azure/bastion/bastion-connect-vm-ssh
Azure Bastion - https://learn.microsoft.com/training/modules/describe-basic-security-capabilities-azure/5-describe-what-azure-bastion?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.wwl.describe-capabilities-of-microsoft-security-solutions

Question # 11 (Multiple Choice)

You need to strengthen your cloud security posture and have a secure score in comparison to industry standards. You also need to view reports of various security configurations done in the environment.

Which tool helps you complete these tasks?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Azure Firewall
D. Microsoft Defender for Identity

Item Description
Answer: B
Objective: 3.2 Describe security management capabilities in Azure
Rationale: Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.
Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyberattacks, and streamline security management. Because it's natively integrated, deployment of Defender for Cloud is easy, providing you with simple auto provisioning to secure your resources by default.
URL: https://learn.microsoft.com/azure/security-center/security-center-introduction
Microsoft Defender for Cloud - https://learn.microsoft.com/training/modules/describe-security-management-capabilities-of-azure/3-describe-defender-cloud
Microsoft Sentinel - https://learn.microsoft.com/training/modules/describe-security-capabilities-of-azure-sentinel/

Question # 12 (Sentence Completion)

Select the answer that correctly completes the sentence.

______________________ is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat protection.

A. Azure Advisor
B. Azure Bastion
C. Azure Monitor
D. Microsoft Sentinel

Item Description
Answer: D
Objective: 3.3 Describe security capabilities of Microsoft Sentinel
Rationale: Azure Sentinel – Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
URL: https://learn.microsoft.com/azure/sentinel/overview
Microsoft Sentinel - https://learn.microsoft.com/training/modules/describe-security-capabilities-of-azure-sentinel/

Question # 13 (Multiple Choice)

Which Microsoft 365 Defender service safeguards your organization against threats posed by malicious email messages and links (URLs)?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Identity
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps

Item Description
Answer: A
Objective: 3.4 Describe threat protection with Microsoft 365 Defender
Rationale: Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
• Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
• Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.
• Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
• Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
URL: https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide&preserve-view=true
MS Learn - https://learn.microsoft.com/training/modules/describe-threat-protection-with-microsoft-365-defender/4-describe-defender-office

Question # 14 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ is one of the tools in the Microsoft 365 Defender portal and is a representation of a company's security posture.

A. Insider Risk Management
B. Secure Score
C. Information Governance
D. App Governance

Item Description
Answer: B
Objective: 3.4 Describe threat protection with Microsoft 365 Defender
Rationale: Microsoft Secure Score, one of the tools in the Microsoft 365 Defender portal, is a representation of a company's security posture. The higher the score, the better your protection. Secure Score helps organizations:
• Report on the current state of their security posture.
• Improve their security posture by providing discoverability, visibility, guidance, and control.
• Compare benchmarks and establish key performance indicators (KPIs).
URL: https://learn.microsoft.com/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide&preserve-view=true
Microsoft Sentinel - https://learn.microsoft.com/training/modules/describe-security-capabilities-of-azure-sentinel/

Question # 15 (Sentence Completion)

Select the answer that correctly completes the sentence.

_______________ includes Microsoft Secure Score for Devices.

A. Microsoft Defender for Cloud
B. Microsoft Defender for Identity
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Office 365

Item Description
Answer: C
Objective: 3.4 Describe threat protection with Microsoft 365 Defender
Rationale: Microsoft Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve overall security.
URL: https://learn.microsoft.com/training/modules/describe-threat-protection-with-microsoft-365-defender/5-describe-defender-endpoint

Question # 16 (Multiple Choice)

What is the preferred way to add Microsoft compliance documents and resources that are relevant to your organization in the Service Trust Portal?

A. Save the documents to your My Library.
B. Print each document so you can easily refer to them.
C. Download each document.
D. Go to the resources section.

Item Description
Answer: A
Objective: 4.1 Describe the compliance management capabilities of Microsoft
Rationale: Saving the documents to My Library allows you to add documents and resources that are relevant to your organization, so that everything is in one place. You can also opt to have email notifications sent when a document is updated, and choose how frequently you receive notifications.
URL: Service Trust Portal (microsoft.com)
MS Learn link - https://learn.microsoft.com/training/modules/describe-compliance-management-capabilities-microsoft/2a-describe-offerings-of-service-trust-portal

Question # 17 (Multiple Choice)

Your organization uses Microsoft Teams to collaborate on all projects. The compliance administrator wants to prevent users from accidentally sharing sensitive information in a Microsoft Teams chat session.

Which capability can address this requirement?

A. Data loss prevention policies
B. Records Management
C. Retention policies
D. Azure Information Protection

Item Description
Answer: A
Objective: 4.3 Describe information protection and governance capabilities of Microsoft 365
Rationale: With data loss prevention policies, administrators can now define policies that can prevent users from sharing sensitive information in a Microsoft Teams chat session or Teams channel, whether this information is in a message, or in a file.
Records Management, Retention policies, and Azure Information Protection (AIP) will not let you do this.
URL: https://learn.microsoft.com/training/modules/describe-information-protection-governance-capabilities-microsoft-365/5-describe-data-loss-prevention

Question # 18 (Multiple Choice)

Which Microsoft 365 feature can you use to prevent employees in the HR department from communicating with employees in the Finance department?

A. Administrative units
B. Management groups
C. Data loss prevention
D. Information barriers

Item Description
Answer: D
Objective: 4.4 Describe insider risk capabilities in Microsoft 365
Rationale: Information barriers are policies that administrators can configure to prevent individuals or groups from communicating with each other. When information barrier policies are in place, people who shouldn't communicate with other specific users can't find, select, chat, or call those users. With information barriers, checks are in place to prevent unauthorized communication.
URL: https://learn.microsoft.com/training/modules/describe-insider-risk-capabilities-microsoft-365/4-describe-information-barriers

Question # 19 (Multiple Choice)

A company has a Microsoft 365 subscription. The company documents are stored on SharePoint sites.

You need to encrypt the documents that contain credit card numbers.

What should you use to encrypt the documents?

A. Information barriers
B. Sensitivity label policies
C. Retention label policies
D. Data loss prevention policies

Item Description
Answer: B
Objective: 4.4 Describe insider risk capabilities in Microsoft 365
Rationale: Sensitivity labels can be used to:
• Encrypt email and documents.
• Mark the content when Office apps are used.
• Apply the label automatically in Office apps or recommend a label.
• Protect content in containers such as sites and groups when this capability is enabled.
URL: https://learn.microsoft.com/training/modules/describe-information-protection-governance-capabilities-microsoft-365/4-describe-sensitivity-labels-policies

Question # 20 (Matching)

Match the Azure service on the left to the correct description on the right.

Azure service
A. Azure Blueprints
B. Azure Policy
C. Azure Role-based access control

Descriptions
1. manages who has access to Azure resources, what they can do with those resources, and what areas they can access
2. enforces standards and assesses compliance across your organization
3. rapidly provisions and runs new environments with the knowledge that they are in line with the organization’s compliance requirements

Item Description
Answer: A3, B2, C1
Objective: 4.5 Describe resource governance capabilities in Azure
Rationale: Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they're in line with the organization’s compliance requirements. Teams can also provide Azure resources across several subscriptions simultaneously, meaning they can achieve shorter development times and quicker delivery.
Azure Policy is designed to help enforce standards and assess compliance across your organization. Through its compliance dashboard, you can access an aggregated view to help evaluate the overall state of the environment. You can drill down to a per-resource, or per-policy level granularity. You can also use capabilities like bulk remediation for existing resources and automatic remediation for new resources, to resolve issues rapidly and effectively.
Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, then you would use Azure RBAC.
URL: https://learn.microsoft.com/azure/governance/policy/concepts/effects
https://learn.microsoft.com/azure/governance/blueprints/overview
https://learn.microsoft.com/azure/role-based-access-control/overview