Latest Microsoft Security, Compliance, and Identity Fundamentals (SC-900 Deutsch Version) - SC-900 Deutsch free exam questions

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:

Microsoft's identity platform (Microsoft Entra ID, formerly Azure AD) supports built-in and custom directory roles. The official guidance states that you can "create your own custom roles to grant permissions for management of Microsoft Entra resources," and those roles consist of specific role permissions that you select to tailor least-privilege administration. The documentation also lists Global administrator (formerly Company Administrator) as a built-in role that "has access to all administrative features" and can delegate role assignments, reset passwords for all users, and manage identity settings across the tenant. Regarding assignments, Microsoft is explicit that role assignment is many-to-many: administrators can "assign one or more roles to a user," and the user's effective permissions are the union of the privileges from all assigned roles. Consequently, (1) creating custom roles is supported (Yes), (2) Global administrator is indeed a defined Azure AD/Microsoft Entra role (Yes), and (3) a user being limited to only one role is incorrect (No) because multiple role assignments to the same user are permitted and commonly used to implement least privilege and separation of duties.
Box 1: Yes
Azure AD supports custom roles.
Box 2: Yes
Global Administrator has access to all administrative features in Azure Active Directory.
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

Microsoft Defender for Identity (formerly Azure ATP) is designed to protect on-premises identity infrastructures by analyzing signals from Active Directory Domain Services (AD DS). In Microsoft's SCI guidance, Defender for Identity is described as a "cloud service that uses sensors installed on your domain controllers to monitor and analyze user activities and information across your on-premises Active Directory." The sensors "collect authentication, replication, and other security-relevant events and network traffic," enabling analytics to detect techniques such as Pass-the-Hash, Pass-the-Ticket, Golden Ticket, reconnaissance, lateral movement, and domain dominance. The product's purpose is to surface advanced threats, compromised identities, and malicious insider actions by continuously profiling and learning from AD DS behavior and security events.
While Defender for Identity integrates with other Microsoft security solutions (for example, Microsoft 365 Defender and Microsoft Defender for Cloud Apps) to enrich investigations, it does not rely on Azure Active Directory (Microsoft Entra ID) signals for its core detections, nor does it collect telemetry from Azure AD Connect itself. Instead, its foundational telemetry source is on-premises AD DS domain controllers via lightweight sensors, which provide the deep authentication and directory-service context required to identify sophisticated identity-based attacks in hybrid environments.
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

In Microsoft's Security, Compliance, and Identity guidance, Microsoft Defender for Identity (formerly Azure ATP) is explicitly described as "a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats." The service deploys lightweight sensors on domain controllers to collect and analyze Active Directory (AD) authentication and activity data.
Using behavioral analytics and built-in detections, it helps security teams surface indicators of compromised identities, lateral movement, pass-the-ticket/NTLM relay, and other identity-driven attack techniques.
Documentation further explains that Defender for Identity "profiles and learns entity behavior," correlates events, and raises security alerts with investigation timelines and evidence to accelerate incident response in hybrid environments.
This precisely matches the sentence in the prompt: the only Microsoft security product whose core purpose is to use on-premises AD signals to identify, detect, and investigate advanced threats is Defender for Identity.
By contrast, Microsoft Defender for Endpoint focuses on endpoint prevention and EDR; Microsoft Defender for Office 365 protects email and collaboration workloads from phishing and malware; and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) operates as a CASB for app discovery, control, and session monitoring. Therefore, aligning with SCI study guides and product descriptions, the correct completion is Microsoft Defender for Identity.
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.
By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

Microsoft Purview Compliance Manager is designed to give organizations a continuous view of their compliance posture. In Microsoft's Security, Compliance, and Identity guidance, Compliance Manager is described as a capability that assesses your compliance posture against regulatory standards and data protection baselines and updates the compliance score as you implement or fail controls. The platform aggregates signals from assessments, controls, and improvement actions, then recalculates your compliance score as evidence is collected and actions are marked complete or tested. Because these evaluations are tied to live improvement actions and mapped controls (such as access, data protection, and governance controls), your organization's status isn't limited to a fixed reporting cycle; rather, it reflects ongoing progress and gaps across supported regulations and standards.
SCI study materials also emphasize that the score is not a one-time audit: it's a running indicator of risk reduction and control implementation. As you address recommendations, add or update evidence, or connect automated tests where available, the score and related dashboards refresh to show the latest compliance state.
This makes Compliance Manager suitable for continuous assessment, enabling organizations to monitor posture, prioritize work, and demonstrate incremental improvements over time; hence, it assesses compliance data continually for an organization.
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

Microsoft's security guidance for hybrid and cloud environments adopts the Zero Trust approach, which explicitly positions identity as the primary boundary for access decisions. Microsoft states that in modern, distributed environments, "the traditional network perimeter is no longer sufficient" and that identity becomes the new security perimeter for protecting access to resources across on-premises and cloud. In Zero Trust, access is granted based on who the user or workload is, the risk of the sign-in, the device health, and the context of the session. Microsoft summarizes this shift as: "Identity is the control plane," emphasizing that authentication, authorization, and continuous evaluation of trust are enforced through identity-centric controls such as Conditional Access, multifactor authentication, Privileged Identity Management, device compliance, and session controls.
While tools like firewalls and services such as Microsoft Defender for Cloud remain important layers in a defense-in-depth strategy, they are not the primary perimeter in a hybrid model. Because users, devices, and applications operate from anywhere, identity is the consistent, verifiable layer through which policy is enforced for both on-premises and cloud resources. Therefore, in an environment that spans on-premises and cloud, Microsoft recommends treating identity as the primary security perimeter, applying continuous verification and least-privilege access through identity-driven policies.
Which service includes Microsoft Secure Score for Devices?

Correct answer: B
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:

Microsoft documents Information Barriers (IB) as a Microsoft Purview capability that "restricts communication and collaboration between specific groups of users" across Microsoft 365. The service coverage explicitly includes "Microsoft Teams, SharePoint, OneDrive, and Exchange Online." In Exchange Online, IB policies "block communication" between segmented users, which includes sending or receiving email and related collaboration, thereby meeting the statement about restricting communication in Exchange.
With IB v2, Microsoft states that policies also apply to SharePoint and OneDrive so that users in different segments are "prevented from accessing sites and content" not permitted by policy. This means a SharePoint Online site can be segmented so that members outside the allowed segments are denied access, satisfying the second statement.
For Microsoft Teams, IB policies "restrict collaboration scenarios such as chats, channel conversations, and file sharing" when participants are in segments that shouldn't interact. Because Teams file sharing is backed by SharePoint/OneDrive, IB v2 enforcement "prevents sharing and accessing files across restricted segments." In effect, a user cannot share a file with another user in Teams if an IB policy disallows interaction between their segments.
These behaviors align with SCI guidance that IB policies are designed to reduce conflict-of-interest risk by controlling who can communicate, collaborate, or access content across Microsoft 365 workloads.
Select the answer that correctly completes the sentence.
Correct answer:

Explanation:

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft's SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that "helps you manage your organization's compliance requirements," providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins "use the Microsoft 365 Compliance Center to access Compliance Manager," where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.
