Microsoft Updated SC-900 Exam Questions and Answers by maira

Assessments

In Microsoft Purview Compliance Manager, assessments are the core components used to track compliance with groupings of controls from specific regulations, standards, or requirements.

According to official Microsoft Security, Compliance, and Identity (SCI) learning content, particularly within the SC-400 and SC-900 certification tracks, the role of assessments is explicitly defined as:

“Assessments in Compliance Manager help you track, implement, and improve compliance with requirements from standards and regulations. Each assessment maps to a specific regulation or control framework, such as ISO 27001, NIST, GDPR, or HIPAA, and includes a set of controls and recommended improvement actions.”

Further extracted content from SCI documentation confirms:

“An assessment is used to measure your compliance posture against a particular regulation or standard. It includes control mappings and provides insight into what’s in place and what still needs to be addressed to meet the compliance goals.”

The other options in the dropdown — Templates, Improvement actions, and Solutions — serve different functions:

Templates provide a blueprint for creating assessments.

Improvement actions are actionable steps generated within assessments.

Solutions in Microsoft Purview refer to bundled capabilities like Insider Risk Management, Information Protection, etc.

Therefore, to track compliance with groupings of controls from a specific regulation or requirement, the correct and Microsoft-verified term is " Assessments. "

In Microsoft Entra ID (Azure AD), Conditional Access is the policy engine that evaluates signals about the user, device, app, and session to determine whether to grant access and under what conditions. Microsoft’s guidance explains that Conditional Access is “the tool used by Azure AD to bring signals together, make decisions, and enforce organizational policies.” In device-centric scenarios, Conditional Access integrates with Microsoft Intune device compliance so you can enforce controls such as “Require device to be marked as compliant” or “Require approved client app” before granting access to corporate resources like Microsoft 365 and Azure apps. This allows organizations to block or limit access from unmanaged or noncompliant devices, and to allow access only from devices that meet your compliance policies (encryption, OS version, jailbreak/root status, etc.).

By contrast, Network Security Groups (NSGs) filter traffic at the virtual network/subnet/NIC level and are not identity-aware; Privileged Identity Management (PIM) governs just-in-time elevation and access reviews for privileged roles; and resource locks prevent accidental deletion or modification of Azure resources. Therefore, the Azure AD feature specifically designed to restrict access by Intune-managed device state and enforce device-based access conditions to corporate resources is Conditional Access.

In Microsoft’s identity platform, Active Directory Domain Services (AD DS) is the on-premises directory that maintains directory objects such as users, groups, and computers. Microsoft documentation describes AD DS as a service that “stores information about objects on the network and makes this information easy for administrators and users to find and use.” It further explains that AD DS contains objects like “users, groups, computers, and other resources,” and that administrators use tools such as Active Directory Users and Computers to create and manage these objects. A key object type is the computer account; Microsoft states that “a computer that’s joined to a domain has a corresponding computer account object in Active Directory” and that these accounts are created and managed within AD DS to enable secure authentication and authorization for domain-joined devices.

By contrast, mobile devices are typically enrolled and managed through Microsoft Intune/Endpoint Manager and Azure AD device objects, not created in AD DS. Likewise, SaaS applications that require modern authentication integrate with Microsoft Entra ID (Azure AD) using OpenID Connect/OAuth 2.0—not with AD DS. Line-of-business apps that rely on modern authentication are also registered in Entra ID, while AD DS supports traditional Kerberos/NTLM for domain resources. Therefore, among the options provided, the object you can create in AD DS is computer accounts.

The Microsoft Service Trust Portal contains details about Microsoft ' s implementation of controls and processes that protect our cloud services and the customer data therein.