Free Practice Questions for Microsoft SC-900 Exam

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

In Microsoft Entra Conditional Access, policy evaluation occurs after the user successfully completes first-factor authentication (for example, username + password or Windows Hello for Business key). Microsoft Learn explains that Conditional Access “is the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies” and that it’s applied “after the first-factor authentication is completed.” Once primary authentication succeeds, Conditional Access evaluates signals like user, device state, location, risk (from Identity Protection), and application, and then enforces controls such as requiring MFA, blocking access, or applying session controls.

This design ensures Conditional Access does not replace primary authentication and is not enforced before or during the initial credential verification. Instead, it adds a second policy decision point that can demand stronger proof (e.g., MFA), restrict access paths, or limit sessions. Therefore, “after” is correct, while “before,” “during,” or “instead of” first-factor authentication are incorrect because Conditional Access relies on the initial sign-in to collect the necessary signals and then applies the configured access decisions and protections.

In Microsoft’s Security, Compliance, and Identity guidance, Data Loss Prevention (DLP) is configured from the compliance portal (formerly called the Microsoft 365 Compliance Center, now Microsoft Purview compliance portal). Microsoft’s documentation states that DLP is administered from the compliance experience: “Use data loss prevention (DLP) policies in the Microsoft Purview compliance portal to help identify, monitor, and automatically protect sensitive items” across Microsoft 365 workloads. It further specifies where you create policies: “To create a DLP policy, go to the Microsoft Purview compliance portal > Data loss prevention > Policies and choose Create policy.” The portal provides policy templates, locations, and rules that “help prevent the inadvertent sharing of sensitive information” and enable “policy tips and automatic remediation actions” (such as restricting access, auditing, or blocking).

By contrast, the Microsoft 365 admin center is for tenant administration and licensing, not DLP policy authoring. The Microsoft Endpoint Manager admin center (Intune) manages device and app protection policies, not Microsoft 365 DLP policies. The Microsoft 365 Defender portal surfaces security alerts and investigations but does not host the creation workflow for DLP policies. Therefore, when the requirement is to create a DLP policy, Microsoft directs administrators to the Microsoft 365 Compliance center (Microsoft Purview compliance portal) where the DLP solutions and policy creation wizard reside.