Microsoft Updated SC-900 Exam Questions and Answers by chase

Microsoft’s Security, Compliance, and Identity materials describe Azure Policy as the governance service that lets you “create, assign, and manage policies” so resources “stay compliant with your corporate standards and service level agreements.” Policies are enforced through effects such as Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, and Modify, which enable organizations to block non-compliant creations, append required settings, or deploy configuration automatically at the time of creation. The documentation further explains that Azure Policy “supports remediation of existing resources” by running remediation tasks for policies that use DeployIfNotExists or Modify, allowing Azure Policy to automatically bring resources into compliance without manual intervention.

Evaluation is continuous, not only at create or update time. Azure Policy “evaluates resources at deployment and regularly re-evaluates compliance,” and admins can also trigger on-demand scans. This means compliance state is updated both when a resource is created/changed and during periodic background assessments, ensuring drift is detected and corrected. Together, these capabilities allow Azure Policy to enforce standards for new resources, auto-remediate existing ones, and provide ongoing compliance posture—which is why the first two statements are Yes, while the claim that evaluation occurs only on create/modify is No.

Azure Bastion is a managed PaaS service that provides secure and seamless RDP/SSH connectivity to your Azure virtual machines directly from the Azure portal over TLS/HTTPS. SCI and Azure security documentation summarize it as eliminating public IP exposure on VMs by using a fully managed bastion host deployed inside your virtual network. Users connect through their browser and the service brokers the RDP or SSH session, which “protects your VMs from exposing RDP/SSH to the Internet.” Bastion does not provide access to Azure Files, SQL Managed Instance, or App Service; it is specifically built to secure management access to VMs without requiring a VPN or public endpoints. Therefore, the resource type Azure Bastion securely connects to is Azure virtual machines.

Compliance score

In Microsoft Purview Compliance Manager, the Compliance score is the metric that measures an organization’s progress in completing improvement actions that help reduce compliance and data-protection risk. Microsoft describes this score as a quantifiable indicator of your compliance posture across regulatory standards and data-protection baselines. Each recommended improvement action in Compliance Manager is assigned points; completing, testing, and attesting to those actions increases your score. Points are weighted by risk, so implementing controls with greater impact on reducing risk contributes more to the overall score. Microsoft also clarifies that the Compliance score is an operational progress indicator, not a certification or a legal determination of compliance, but it enables organizations to track, prioritize, and demonstrate the implementation of controls across frameworks such as GDPR, ISO/IEC 27001, NIST 800-53, and Microsoft Data Protection Baselines.

By contrast, Microsoft Purview compliance portal reports provide reporting and insights (for example, DLP, Insider Risk, Audit) but do not calculate a unified risk-reduction progress metric. The Trust Center is Microsoft’s public site for transparency about security, privacy, and compliance commitments, and Trust Documents (auditor reports, certifications, and white papers) supply evidence and reference materials. Neither of these provide an in-product, points-based measure of progress—Compliance score does.

Microsoft’s shared-responsibility model states that the cloud provider secures the cloud, while the customer secures what they put in the cloud. The Azure Security documentation explains: “Regardless of the type of deployment, you always retain responsibility for your data, endpoints, accounts, and access management.” This applies to IaaS, PaaS, and SaaS, so statement 3 is Yes because the organization is always accountable for the security of information and data.

For SaaS, Microsoft describes that customers “don’t manage or control the underlying cloud infrastructure—including network, servers, operating systems, or even individual application capabilities” and that the provider handles service maintenance and updates. In SaaS, tasks like patching or applying service packs to the application code are owned by the service provider, while the customer focuses on data, identity, and access. Therefore, statement 1 is No.

For IaaS, Microsoft notes the provider manages the physical estate: “Microsoft is responsible for the physical hosts, network, and datacenter facilities,” while the customer configures and secures the guest OS, applications, and network controls within their subscription. Thus, managing the physical network is the cloud provider’s duty, making statement 2 Yes.

These SCI principles are foundational to Microsoft Learn/Docs guidance on Azure’s shared responsibility: provider—“security OF the cloud”; customer—“security IN the cloud,” with data protection always remaining the customer’s responsibility.