100% Free Microsoft SC-200 Practice Test Questions

Question 1

Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?

A : a fraud alert

B : a user risk policy

C : a named location

D : a sign-in user policy

Answer: C

Question 2

You have a third-party security information and event management (SIEM) solution.

You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time.

What should you do to route events to the SIEM solution?

A : Create an Azure Sentinel workspace that has a Security Events connector.

B : Configure the Diagnostics settings in Azure AD to stream to an event hub.

C : Create an Azure Sentinel workspace that has an Azure Active Directory connector.

D : Configure the Diagnostics settings in Azure AD to archive to a storage account.

Answer: B

Question 3

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.You initiate a live response session on each device. You need to collect a Defender for Endpoint investigation package from each device.On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?

A : Device1 and Device2 only

B : Device1, Device2, and Device3 only

C : Device3 and Device4 only

D : Device1, Devke2, Device3, and Device4

Answer: B

Question 4

You have the following advanced hunting query in Microsoft 365 Defender.

Other-Image-2e3b9f357-3e81-40fe-b409-d17265778393

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A : Create a detection rule.

B : Create a suppression rule.

C : Add | order by Timestamp to the query.

D : Replace DeviceProcessEvents with DeviceNetworkEvents.

E : Add DeviceId and ReportId to the output of the query.

Answer: A

Question 5

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.You initiate a live response session on each device. You need to collect a Defender for Endpoint investigation package from each device.On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?

A : Device1 and Device2 only

B : Device1, Device2, and Device3 only

C : Device3 and Device4 only

D : Device1, Devke2, Device3, and Device4

Answer: B

Free Practice Microsoft SC-200 Exam Questions 2025