Demo Microsoft SC-900 Exam Questions

Term	Concept Description	Why it is Correct / Incorrect
a trust relationship	Correct Selection: Federation allows an organization to trust identity assertions (tokens) issued by an external organization's identity provider.	This mechanism establishes a formal trust relationship that permits single sign-on (SSO) and safe resource sharing across distinct corporate boundaries without managing external credentials locally.
multi-factor authentication (MFA)	Incorrect Selection: MFA is a security verification method requiring multiple forms of identification.	While federation policies can pass or request MFA claims, federation itself is not an MFA method.
user account synchronization	Incorrect Selection: This involves copying and updating identity database objects from one directory system to another.	Federation specifically avoids account duplication by letting users log in using their home directory credentials directly.
a VPN connection	Incorrect Selection: A Virtual Private Network provides security at the network layer.	Federation operates entirely at the identity and application layers rather than establishing hardware or network-level tunnels.

In Microsoft identity and access scenarios, federation is explicitly defined as a mechanism to create trust between autonomous organizations so that identities authenticated in one can be accepted by another. Microsoft describes this as: “Federation is a collection of domains that have established trust.” In a federation, “this trust relationship lets each organization accept the other’s user authentication” and enables access to resources without the need to duplicate user accounts or require separate credentials. Within Azure AD/Microsoft Entra and AD FS guidance, Microsoft further explains that federation enables “claims-based access across security boundaries” and “allows users to access applications in a partner organization using their existing credentials.” These statements underline that the purpose of federation is to establish a trust relationship across identity providers or directories, not to provide multi-factor authentication, synchronize accounts, or build network tunnels. MFA is an authentication strength that can be applied on top of federated sign-in, user accountsynchronization is handled by services like Microsoft Entra Connect (Azure AD Connect), and VPNs provide network connectivity, not identity trust. Therefore, the completion that aligns with Microsoft SCI documentation is that federation establishes a trust relationship between organizations.

Portal / Option	Purpose and Role	Why it is Correct / Incorrect
Microsoft Endpoint Manager admin center.	Correct Selection: This portal is the unified administrative console designed for managing endpoints, including device enrollment, configuration profiles, compliance policies, and application deployments through Microsoft Intune.	Microsoft Endpoint Manager brings together Intune cloud management and Configuration Manager infrastructure into a single console.
Azure Active Directory admin center.	Incorrect Selection: This center focuses primarily on user identity, groups, licenses, domain management, and access control settings.	While Intune relies on Azure Active Directory for user and group definitions, it is not used to manage Intune device policies directly.
Microsoft 365 compliance center.	Incorrect Selection: This specialized administrative hub is dedicated to data protection, risk management, data retention, information governance, and auditing.	It does not contain tools or interfaces for general endpoint and mobile device configuration.
Microsoft 365 security center.	Incorrect Selection: This workspace is designed for tracking and managing security alerts, identity protection, threat detection, and response capabilities across the tenant.	It lacks capabilities related to device provisioning and software management.

In Microsoft’s Security, Compliance, and Identity learning content and product documentation, Intune administration is performed in the dedicated Intune portal that, for exam and study-guide purposes, is referred to as the Microsoft Endpoint Manager admin center. Microsoft explains that “Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM)” and that “administrators manage Intune in the Intune (Endpoint Manager) admin center, where you configure device enrollment, compliance, apps, and endpoint security.” The admin experience consolidates device, app, and policy management, including device compliance policies, configuration profiles, app protection policies, software update rings, and endpoint security baselines, all from this portal. By contrast, the Azure Active Directory admin center (Microsoft Entra admin center) is designed for identity and access tasks (users, groups, roles, Conditional Access), not full device/app management. The Microsoft 365 compliance center is focused on data governance and risk (DLP, information protection, eDiscovery, audit), while the Microsoft 365 security center/Defender portal isforsecurity operations and threat protection. Therefore, when the sentence states, “You can manage Microsoft Intune by using the…,” the correct completion—aligned with Microsoft SCI study materials—is Microsoft Endpoint Manager admin center, the portal intentionally built for Intune device and app lifecycle management.

eDiscovery In Microsoft Purview, eDiscovery is the purpose-built compliance solution for legal and investigative workflows. Microsoft’s SCI materials describe eDiscovery as the tool that enables organizations to identify, preserve/hold, collect, review, and export potentially relevant content across Microsoft 365 services. Official guidance explains that eDiscovery (Standard) “provides search, hold, and export capabilities” for content in Exchange, SharePoint, OneDrive, Teams, and more. Another description states that eDiscovery (Premium) helps you “identify, preserve, collect, review, analyze, and export content” for legal matters and internal investigations. These capabilities are designed to support the eDiscovery lifecycle by allowing admins and case managers to: create cases, define custodians and non-custodial data sources, run targeted searches, apply legal holds to prevent data alteration or deletion, perform review and analytics, and export responsive data packages for counsel or regulators. By contrast, Data Loss Prevention (DLP) protects sensitive information from accidental or inappropriate sharing; Customer Lockbox governs Microsoft engineer access to your data for support; and resource locks protect Azure resources from accidental deletion or modification. Therefore, the Microsoft SCI control that is explicitly used to identify, hold, and export electronic information for an investigation is Microsoft Purview eDiscovery.