
Microsoft Certification Prep

Study guides, domain breakdowns, and practice questions for the full Microsoft certification portfolio — Microsoft 365, Security, Identity, Data, and AI. Covers role-based credentials from fundamentals through expert, with a focus on the certifications most in demand for enterprise IT and security professionals.

Overview

Microsoft Certification Portfolio

Microsoft organises certifications into four levels (Fundamentals, Associate, Expert, Specialty) across role-based technology tracks. Cloud/Azure certifications (AZ-900, AZ-104, AZ-500) are covered in the Cloud Certifications section. This page focuses on the Microsoft 365, Security, Identity, Data, and AI tracks.

Fundamentals track

Entry Points

MS-900 — Microsoft 365 Fundamentals. SC-900 — Microsoft Security, Compliance, and Identity Fundamentals. DP-900 — Azure Data Fundamentals. AI-900 — Azure AI Fundamentals. These are concept-level exams for non-technical stakeholders and IT newcomers — 45 questions, 60 minutes, no prerequisites.

Associate track

Role-Based Specialist

MD-102 — Microsoft 365 Endpoint Administrator. SC-300 — Microsoft Identity and Access Administrator. SC-400 — Microsoft Information Protection Administrator. PL-300 — Power BI Data Analyst. AI-102 — Azure AI Engineer. DP-203 — Azure Data Engineer (covered in Cloud section).

Expert track

Advanced Credentials

MS-102 — Microsoft 365 Administrator Expert (prerequisite: MD-102 or equivalent). SC-100 — Microsoft Cybersecurity Architect Expert (prerequisite: associate-level security cert). Expert-level exams are scenario-heavy, requiring deep cross-product knowledge and design-level decision-making.

Exam format

What to expect

Microsoft exams include multiple choice, drag-and-drop, case studies (read a scenario description, then answer a series of questions), and active screen / lab tasks (live Azure portal or PowerShell tasks). Technical exams are scored on a scale of 1–1,000 with a passing score of 700. Exams can be taken online (proctored) or at Pearson VUE test centres.

Microsoft 365 Administration

Microsoft 365 Certifications

The Microsoft 365 track is the most in-demand certification path for enterprise IT administrators and helpdesk engineers. It covers the deployment, management, and security of Microsoft 365 services — Exchange Online, SharePoint, Teams, Intune, and the Entra ID (formerly Azure AD) identity platform that underpins all of them.

MS-900 — Microsoft 365 Fundamentals

Domain 1 · 33%

Cloud Concepts

Shared responsibility model, cloud deployment models (public, private, hybrid, multi-cloud), cloud economics (CapEx vs OpEx, consumption-based pricing), and the benefits of cloud services: high availability, scalability, elasticity, agility, disaster recovery.

Domain 2 · 33%

Microsoft 365 Services & Productivity

Core Microsoft 365 applications and services: Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Microsoft 365 Apps (Office), Viva, and Power Platform basics (Power Apps, Power Automate, Power BI overview). Understand licensing models (Microsoft 365 Business Basic/Standard/Premium, E3, E5).

Domain 3 · 33%

Security, Compliance & Privacy

Zero Trust principles in Microsoft 365, Microsoft Defender for Office 365, Microsoft Purview compliance features (Information Protection, Data Loss Prevention, eDiscovery, Insider Risk Management), and Microsoft 365 admin centre navigation fundamentals.

MD-102 — Microsoft 365 Endpoint Administrator (Associate)

MD-102 validates the ability to deploy, configure, and maintain Windows clients and Microsoft 365 endpoints in an enterprise environment. Heavy focus on Microsoft Intune, Windows Autopilot, and co-management with Microsoft Configuration Manager (formerly MECM/SCCM).

Domain 1 · 25%

Deploy Windows Client

Windows 11 deployment strategies: Windows Autopilot (white-glove, user-driven, self-deploying modes), deployment profiles and assignments, Autopilot Reset, and co-management with Configuration Manager. Understand deployment prerequisites: Intune enrolment, TPM, Autopilot hardware hash registration.

Domain 2 · 20%

Manage Identity & Compliance

Configure Entra ID join and hybrid Entra ID join. Implement Conditional Access policies for device compliance. Manage device compliance policies in Intune (Windows, iOS, Android). Configure Microsoft Purview Information Protection labels, DLP policies, and Microsoft 365 retention policies applied to endpoints.

Domain 3 · 30%

Manage, Maintain & Protect Devices

Configure and assign Intune device configuration profiles (device restrictions, Wi-Fi, VPN, email). Deploy applications using Intune (Win32 apps, LOB apps, Microsoft 365 apps). Manage Windows Updates using Windows Update for Business and Intune update rings. Deploy Microsoft Defender for Endpoint via Intune and manage security baselines.

Domain 4 · 25%

Manage Applications

Application lifecycle management in Intune: deployment, targeting, supersedence, and required vs available assignment types. Configure Microsoft 365 Apps using the Office Deployment Tool and customisation XML. Implement Mobile Application Management (MAM) policies for BYOD scenarios without device enrolment.

MS-102 — Microsoft 365 Administrator Expert

The expert-level Microsoft 365 credential. Requires MD-102 (or predecessor exams). MS-102 focuses on tenant-wide administration, security, compliance, and Microsoft 365 service integration at scale.

Domain 1 · 20%

Deploy & Manage Microsoft 365 Tenants

Tenant configuration (custom domains, admin roles, licensing), Microsoft 365 Apps deployment strategy, Microsoft 365 Groups and Teams governance, planning migration from on-premises Exchange and Active Directory, and managing hybrid environments (Entra Connect, Exchange Hybrid).

Domain 2 · 35%

Implement & Manage Security & Threats

Microsoft Defender for Office 365 (Plans 1 & 2: Safe Attachments, Safe Links, anti-phishing policies). Microsoft Defender XDR (Defender for Endpoint integration). Microsoft Secure Score management. Conditional Access policy design including Named Locations, sign-in risk, and MFA registration policies.

Domain 3 · 45%

Manage Compliance

Microsoft Purview compliance portal: Information Protection (sensitivity labels, auto-labelling, label policies), DLP policies (Exchange, SharePoint, Teams, Endpoints), Insider Risk Management, Communication Compliance, eDiscovery (Standard and Premium), Microsoft Purview Audit (Standard and Premium), and retention labels and policies across Microsoft 365 workloads.

SC-series

Microsoft Security & Identity Certifications

The SC-series is the Microsoft security specialist track. SC-900 is the fundamentals entry point; SC-300 and SC-400 are associate-level credentials for identity and information protection specialists; SC-100 is the expert-level cybersecurity architect credential.

SC-900 — Microsoft Security, Compliance & Identity Fundamentals

Domain 1 · 15%

Security, Compliance & Identity Concepts

Zero Trust model (verify explicitly, use least privilege, assume breach), shared responsibility, defence-in-depth, common threat types (social engineering, ransomware, supply chain), and key compliance concepts (data residency, data sovereignty, data privacy).

Domain 2 · 30%

Capabilities of Microsoft Entra

Microsoft Entra ID (identity types, authentication methods, SSPR, MFA), Conditional Access, RBAC, Privileged Identity Management (PIM), Microsoft Entra ID Protection, Microsoft Entra External Identities (B2B, B2C), and Identity Governance (access reviews, entitlement management).

Domain 3 · 35%

Capabilities of Microsoft Security Solutions

Microsoft Defender XDR (Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps). Microsoft Sentinel (SIEM and SOAR). Microsoft Defender for Cloud. Azure Firewall and Azure DDoS Protection overview.

Domain 4 · 20%

Capabilities of Microsoft Compliance Solutions

Microsoft Purview compliance portal capabilities: Information Protection, Insider Risk Management, eDiscovery, Audit, Data Lifecycle Management. Microsoft Priva (privacy risk management). Microsoft Service Trust Portal overview.

SC-300 — Microsoft Identity & Access Administrator (Associate)

Domain 1 · 25%

Implement Identities in Entra ID

Configure and manage Entra ID tenants, user and group provisioning (SCIM, HR-driven), administrative units, custom security attributes, Microsoft Entra Connect (password hash sync, pass-through authentication, federation), and synchronisation rule customisation. Manage external identities (B2B collaboration, B2B direct connect).

Domain 2 · 25%

Implement Authentication & Access Management

Multi-factor authentication registration and enforcement. Passwordless authentication (FIDO2, Windows Hello for Business, Microsoft Authenticator). Conditional Access policy design (sign-in risk, user risk, device compliance, location conditions, session controls). Authentication strength policies and token protection.

Domain 3 · 25%

Implement Access Management for Applications

Enterprise application registration in Entra ID. Single sign-on (SAML, OIDC, password-based SSO, header-based). Application Proxy for on-premises app publishing. App governance, OAuth 2.0 permission management, and consent framework configuration. Manage application roles and service principals.

Domain 4 · 25%

Implement Identity Governance

Entitlement Management (access packages, connected organisations, assignment policies). Access reviews for users, groups, and application assignments. Privileged Identity Management (PIM) for Entra roles and Azure resources — just-in-time activation, approval workflows, and access reviews. Lifecycle Workflows for joiner/mover/leaver automation.

SC-100 — Microsoft Cybersecurity Architect (Expert)

The pinnacle Microsoft security credential. Requires an active associate-level security certification: Security Operations Analyst (SC-200), Identity and Access Administrator (SC-300), or Azure Security Engineer (AZ-500). SC-100 is design and strategy-focused — questions present complex enterprise scenarios and ask for the best architectural decision. No Azure portal tasks; all scenario-based reasoning.

Domain 1 · 20%

Design Zero Trust Strategy & Architecture

Translate business goals into security requirements. Evaluate security posture using Microsoft Secure Score and regulatory frameworks. Design Zero Trust architecture across identities, endpoints, network, data, and applications. Design a Secure Access Service Edge (SASE) strategy using Microsoft security services.

Domain 2 · 20%

Evaluate GRC Strategies

Design regulatory compliance strategies using Microsoft Purview Compliance Manager. Evaluate privacy requirements using Microsoft Priva. Design an Azure Landing Zone and governance strategy (Management Groups, Policy, RBAC). Architect data residency and sovereignty controls across Microsoft 365 and Azure.

Domain 3 · 30%

Design Security Operations, Identity & Compliance Capabilities

Design a Microsoft Sentinel deployment (workspace architecture, data connectors, analytics rules, playbooks). Design a Microsoft Defender XDR strategy. Design Privileged Access workstation (PAW) strategy. Architect identity governance for large hybrid organisations. Design Microsoft Purview Information Protection strategy including auto-labelling and DLP at scale.

Domain 4 · 30%

Design Security for Infrastructure & Applications

Design security for Azure workloads (AKS, App Service, Functions, Azure SQL, Storage). Design multi-cloud and hybrid security posture management using Defender for Cloud. Architect DevSecOps pipeline security (GitHub Advanced Security, Defender for DevOps). Design network security architecture using Azure Firewall, Azure WAF, DDoS protection, and Private Endpoints.

PL and AI series

Data & AI Certifications

The Power Platform and AI tracks address the growing demand for data analysis, business intelligence, and applied AI engineering skills. These certifications are increasingly in-demand as organisations operationalise AI and analytics within Microsoft 365 and Azure environments.

PL-300 — Microsoft Power BI Data Analyst (Associate)

Domain 1 · 25%

Prepare the Data

Connect to data sources (Excel, SQL, SharePoint, web, REST APIs, dataflows). Profiling data for quality (column distribution, quality, profile statistics). Transform and shape data in Power Query (merge, append, pivot, unpivot, split columns, conditional columns). Identify and resolve data quality issues. Configure query load settings and incremental refresh.

Domain 2 · 25%

Model the Data

Design and implement star schema data models (fact tables, dimension tables). Configure table and column properties. Define and manage relationships (cardinality, filter direction, active vs inactive). Implement row-level security (RLS) using DAX roles. Create calculated tables, calculated columns, and measures using DAX. Optimise model performance (aggregations, cardinality reduction, query folding).

Domain 3 · 25%

Visualise & Analyse the Data

Create and configure report visuals (bar/column charts, tables, matrices, maps, decomposition trees, key influencers). Apply conditional formatting. Implement drill-down, drill-through, and cross-filtering. Design accessible reports (alt text, colour contrast, keyboard navigation). Create paginated reports using Power BI Report Builder. Use Q&A natural language features.

Domain 4 · 25%

Deploy & Maintain Assets

Manage workspaces and datasets in Power BI Service. Configure scheduled refresh and gateway connections. Create and manage Apps for distribution. Implement deployment pipelines (Development, Test, Production). Manage dataset access and row-level security deployment. Configure sensitivity labels on Power BI content using Microsoft Purview integration.

AI-102 — Azure AI Engineer Associate

Domain 1 · 15%

Plan and Manage an Azure AI Solution

Select appropriate Azure AI services (Azure AI Services multi-service, single-service endpoints). Configure Azure AI Services authentication (API keys, managed identities). Implement service security (network isolation, private endpoints). Monitor AI service usage and configure diagnostics logging to Azure Monitor and Application Insights.

Domain 2 · 15%

Implement Computer Vision Solutions

Azure AI Vision — image analysis (objects, tags, captions, faces), OCR (Read API for document text extraction), spatial analysis (video analysis, people counting). Azure AI Custom Vision — train and publish image classification and object detection models. Azure AI Face service for face detection, recognition, and verification scenarios.

Domain 3 · 15%

Implement Natural Language Processing Solutions

Azure AI Language — sentiment analysis, key phrase extraction, entity recognition (NER), custom text classification, custom NER, and question answering (QnA). Azure AI Translator for real-time text translation. Azure AI Speech — speech-to-text, text-to-speech, speaker recognition, and custom speech model training.

Domain 4 · 15%

Implement Knowledge Mining & Document Intelligence

Azure AI Search — create search indexes, configure indexers and skillsets (built-in cognitive skills: OCR, entity recognition, sentiment). Implement custom skills using Azure Functions. Azure AI Document Intelligence — prebuilt models (invoice, receipt, ID document), custom extraction models, and composed models for multi-type document processing.

Domain 5 · 40%

Implement Generative AI Solutions

Azure OpenAI Service — deploy GPT-4, DALL-E, and Whisper models in Azure. Implement prompt engineering best practices (system messages, few-shot examples, chain-of-thought). Configure retrieval-augmented generation (RAG) using Azure AI Search as a vector store. Implement Azure AI Foundry (formerly AI Studio) for model lifecycle management. Apply Responsible AI principles and content filters in generative AI deployments.

Mixed track practice

Practice Questions

Questions covering MD-102, SC-900, and SC-300 exam objectives. Microsoft questions are heavily scenario-based — practise identifying the key constraint in each question (cost, compliance requirement, role, or tool) before selecting an answer.

1. (MD-102) A company uses Windows Autopilot to provision new laptops. IT needs to ensure that devices are fully configured with corporate apps, Wi-Fi, and compliance policies before being handed to users, with no IT desk interaction. Which Autopilot deployment mode should be used?

  • A) Autopilot user-driven mode with Entra ID join
  • B) Autopilot self-deploying mode
  • C) Autopilot pre-provisioning (white-glove) mode
  • D) Autopilot Reset mode
Answer: C White-glove (pre-provisioning) mode allows IT or a partner to perform the technician phase in advance — the device completes all app and policy assignments before reaching the user. The user then completes only a short second phase to register their identity. Self-deploying mode (B) requires no user interaction at all, making it suitable for kiosk/shared devices — not typical user laptops, which need user-context app assignments.

2. (SC-300) Users in the Finance department must use MFA only when accessing the SAP Finance application from outside the corporate network. How should you implement this requirement with the least administrative effort?

  • A) Enable MFA for all users in the Microsoft 365 admin centre
  • B) Create a Conditional Access policy targeting the SAP application, with a Named Location condition excluding the corporate network, and Grant requiring MFA
  • C) Configure per-user MFA settings for Finance department members only
  • D) Create a Conditional Access policy requiring MFA for all cloud apps with a Named Location exclusion for the corporate network
Answer: B A Conditional Access policy scoped to the specific SAP application, with a Named Location condition (include all locations, exclude the corporate network's trusted IPs) and a Grant control requiring MFA, meets the requirement exactly. Option A enables MFA for everything — not scoped. Option D also applies to all cloud apps, not just SAP, so users would be challenged for Teams, Outlook and every other app from outside the office. Option C (legacy per-user MFA) cannot be scoped to a single application and creates maintenance overhead.

3. (MS-102 / SC-100) The CISO wants to ensure that sensitive documents labelled "Confidential — Finance" cannot be shared externally via email, even by Finance department members. The solution must work for Microsoft 365 on mobile and desktop. Which Microsoft Purview capability should you configure?

  • A) A Microsoft Purview Data Loss Prevention policy scoped to Exchange, targeting the "Confidential — Finance" sensitivity label with a block external sharing action
  • B) A sensitivity label with encryption that grants Decrypt rights only to internal users
  • C) An Insider Risk Management policy with an exfiltration trigger
  • D) A retention policy that prevents deletion of Finance documents
Answer: A A DLP policy in Microsoft Purview can match on the "Confidential — Finance" sensitivity label applied to an email or its attachments and block delivery to external recipients; Exchange DLP is enforced in mail flow, so it applies whichever client sent the message (desktop, web or mobile). Option B (label encryption) is a complementary control: external recipients cannot authenticate to the rights management service, so they cannot open encrypted content, but the message is still sent and encryption only protects copies that actually carry the label. The DLP policy stops the share itself. Options C and D do not prevent real-time external sharing: Insider Risk Management surfaces risky activity after the fact, and retention controls deletion, not distribution.

4. (SC-900) Which Microsoft Entra feature allows an administrator to require users to re-confirm their access to a group every 90 days and remove access for users who do not respond?

  • A) Privileged Identity Management (PIM)
  • B) Microsoft Entra Access Reviews
  • C) Microsoft Entra ID Protection
  • D) Conditional Access
Answer: B Access Reviews in Microsoft Entra Identity Governance allows periodic reviews of group membership, application access, and privileged roles. Reviews can be configured to auto-remove access for non-responders after the review period. PIM (A) manages privileged role activation — not regular group membership reviews. Entra ID Protection (C) responds to risky sign-ins, not periodic access certification. Conditional Access (D) evaluates access policies at sign-in time.

5. (PL-300) In a Power BI report, you have a measure that calculates the total sales for the selected period. You need to create a measure that always shows total sales for the entire year regardless of any date filters applied by the report user. Which DAX function should you use?

  • A) CALCULATE with REMOVEFILTERS on the date table
  • B) TOTALYTD function
  • C) ALL function applied to the date column
  • D) SAMEPERIODLASTYEAR function
Answer: A CALCULATE([Total Sales], REMOVEFILTERS('Date')) removes every filter on the date table, so the measure returns the grand total regardless of user-selected dates. Option C clears filters from a single column only, so a slicer on another column of the date table (Year, Month) would still filter the measure. ALL('Date') on the whole table behaves the same as REMOVEFILTERS('Date') inside CALCULATE; REMOVEFILTERS is the more explicit modern form. TOTALYTD (B) calculates year-to-date, not the annual total. SAMEPERIODLASTYEAR (D) shifts the period to the prior year.


AZ-500 · Azure Security Engineer Associate

Practice Questions — AZ-500 Azure Security

AZ-500 questions test security architecture decisions in Azure. Nearly all questions are scenario-based — identify the specific tool or service Microsoft expects you to use for each scenario, as multiple products may seem applicable.

1. A security engineer needs to ensure that Azure VMs can access a storage account without exposing data to the public internet. Which feature should be configured?

  • A) Configure firewall rules on the storage account to allow all traffic
  • B) Use a Private Endpoint for the storage account within the VM's VNet
  • C) Enable storage account key access and share the key with the VM
  • D) Use VNet Service Endpoints with access restricted to the VM's subnet
Answer: B A Private Endpoint creates a private IP address within the VNet for the storage account, routing all traffic through the Azure backbone without traversing the public internet. The storage account's public endpoint can then be disabled entirely. Service Endpoints (D) restrict access to the VNet but still use the storage account's public IP as the traffic destination — they do not fully eliminate public internet exposure.

2. A security team needs just-in-time privileged access to Azure VMs for administrators, with all access requests logged and requiring approval. Which Microsoft service provides this?

  • A) Azure Bastion
  • B) Microsoft Entra Privileged Identity Management (PIM)
  • C) Microsoft Defender for Cloud — Just-In-Time VM Access
  • D) Azure Key Vault access policies
Answer: C Microsoft Defender for Cloud's Just-In-Time VM Access locks down inbound management ports (RDP/SSH) by default and opens them only when an administrator requests access for a defined time window — with full logging of who requested access, from which IP, and for how long. Entra PIM (B) provides JIT for Azure RBAC roles and Entra directory roles, not VM-level network port access. Azure Bastion (A) provides browser-based secure RDP/SSH without public IP but doesn't implement JIT port management.

3. An organisation needs to detect unusual sign-in behaviour — such as sign-ins from impossible travel locations or unfamiliar devices — and automatically enforce MFA or block access. Which service should be configured?

  • A) Microsoft Entra ID Protection with risk-based Conditional Access policies
  • B) Microsoft Sentinel with custom analytics rules
  • C) Microsoft Defender for Identity
  • D) Azure Monitor with sign-in log alerts
Answer: A Microsoft Entra ID Protection detects risky sign-ins using machine learning (impossible travel, anonymised IP, atypical location, malware-linked IP) and generates sign-in risk signals. Combining this with risk-based Conditional Access policies enables automatic responses — requiring MFA for medium-risk sign-ins and blocking high-risk sign-ins in real time, without manual analyst intervention. Defender for Identity (C) focuses on on-premises Active Directory threats, not cloud identity risk.

4. A developer accidentally commits an Azure Storage account connection string (including the account key) to a public GitHub repository. What is the IMMEDIATE corrective action?

  • A) Delete the GitHub repository
  • B) Rotate the storage account keys immediately and audit recent access logs
  • C) Enable storage account encryption
  • D) Restrict the storage account firewall to known IP addresses
Answer: B Once credentials are exposed publicly, assume they have been harvested — treat them as fully compromised. Immediately rotate the keys to invalidate the exposed credentials. Then review access logs (Azure Monitor, storage diagnostic logs) to identify any unauthorised access. Deleting the repository (A) does not help — the secret is already indexed by search engines and credential-scraping bots. Long-term fix: use Managed Identity instead of connection strings so no credentials need to be stored.
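The long-term fix in the answer above is to stop secrets reaching the repository at all. The scanner below is an added example, not code from the original page or from Microsoft, that a pre-commit hook could run over a unified diff: it checks only lines a commit adds, recognises Azure Storage account keys by their shape (512-bit values, so 88 base64 characters ending in "==") and SAS `sig=` parameters, reports the new-file line number, and redacts what it prints so the scanner's own output does not re-leak the secret. The diff, account name and key are constructed (the key is base64 of 64 zero bytes); the hypothetical placeholder `AccountKey=<rotate-me-placeholder>` shows that the base64 validation avoids a false positive.

```python
"""Pre-commit style scanner for Azure Storage secrets in added diff lines (constructed example).

Azure Storage account keys are 512-bit values, so inside a connection string they
appear as 88 base64 characters ending in "==". SAS tokens carry a "sig=" parameter.
"""
from __future__ import annotations
import base64
import binascii
import re

ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
SAS_SIG_RE = re.compile(r"[?&;]sig=([A-Za-z0-9%+/=]{20,})")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def looks_like_storage_key(candidate: str) -> bool:
    """Reject regex matches that are not valid base64 of exactly 64 bytes."""
    try:
        return len(base64.b64decode(candidate, validate=True)) == 64
    except binascii.Error:
        return False


def redact(secret: str) -> str:
    """Never echo the secret back: keep a short prefix/suffix for triage only."""
    return secret[:4] + "..." + secret[-2:] + f" ({len(secret)} chars)"


def scan_diff(diff_text: str) -> list[dict]:
    """Scan only lines a commit *adds*; findings carry the line number in the new file."""
    findings, lineno = [], 0
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1)) - 1          # hunk header gives the new-file start line
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue                              # file headers, not content
        if raw.startswith("-"):
            continue                              # removed line: not present in the new file
        lineno += 1                               # context (' ') and added ('+') lines both advance
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for key in ACCOUNT_KEY_RE.findall(line):
            if looks_like_storage_key(key):
                findings.append({"kind": "storage-account-key", "line": lineno, "value": redact(key)})
        for sig in SAS_SIG_RE.findall(line):
            findings.append({"kind": "sas-signature", "line": lineno, "value": redact(sig)})
    return findings


def main(diff_text: str) -> int:
    """Hook entry point: non-zero exit blocks the commit."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"BLOCK: {f['kind']} on new line {f['line']}: {f['value']}")
    return 1 if findings else 0


# Constructed sample: a developer committing appsettings.json with a live connection string.
FAKE_KEY = base64.b64encode(bytes(64)).decode()   # 88 chars; obviously not a real key
SAMPLE_DIFF = f"""diff --git a/config/appsettings.json b/config/appsettings.json
--- a/config/appsettings.json
+++ b/config/appsettings.json
@@ -1,4 +1,6 @@
 {{
-  "Storage": "<set via environment>",
+  "Storage": "DefaultEndpointsProtocol=https;AccountName=contosodata;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net",
+  "ReportsUrl": "https://contosodata.blob.core.windows.net/reports?sv=2022-11-02&sr=c&sig=abcdefghijklmnopqrstuvwxyz0123456789%3D",
+  "Note": "AccountKey=<rotate-me-placeholder>",
   "Logging": "Information"
 }}
"""

if __name__ == "__main__":
    raise SystemExit(main(SAMPLE_DIFF))
```

Wire `main` to `git diff --cached` in a pre-commit hook and the connection string never reaches a remote; if it already has, the rotation and log review in the answer above still apply, because the key in Git history is compromised no matter what the hook says afterwards.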

5. (SC-300) An organisation wants to allow only managed and compliant devices to access Microsoft 365 applications. Which combination of tools achieves this?

  • A) Conditional Access policy requiring device compliance + Microsoft Intune compliance policies
  • B) Microsoft Entra ID password protection only
  • C) Azure AD Application Proxy
  • D) Microsoft Defender for Endpoint
Answer: A The Microsoft recommended Zero Trust pattern for device compliance combines Microsoft Intune (which defines and enforces device compliance policies — OS patching, encryption, AV) with Conditional Access (which checks device compliance status as a condition before granting access to M365). The CA policy grants access only to "compliant" devices as reported by Intune. Non-compliant or unmanaged devices are blocked or redirected to a remediation portal.
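Question 2 of the mixed-track set (MFA for SAP only off-network), question 3 above (risk-based Conditional Access) and question 5 above (compliant devices only) all turn on how Entra combines Conditional Access policies at sign-in: every policy whose assignments match contributes its grant control, and the sign-in must satisfy all of them. The Python model below is an added example, not code from the original page or from Microsoft; the policy objects, the named-location CIDRs (documentation prefixes standing in for corporate egress ranges), the app names and the sign-in events are all constructed to mirror the three questions, and the evaluation rules are a simplification of Entra's (no session controls, authentication strengths or report-only mode).

```python
"""Toy model of Microsoft Entra Conditional Access evaluation (constructed example).

Every policy whose assignments match a sign-in contributes its grant control;
the sign-in must satisfy all of them. Simplified: no session controls,
authentication strengths or report-only mode.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SignIn:
    user: str
    groups: set[str]
    app: str
    ip: str
    sign_in_risk: str = "none"          # none | low | medium | high (ID Protection signal)
    device_compliant: bool = False      # compliance state as reported by Intune
    mfa_done: bool = False              # MFA already satisfied in this session


@dataclass
class Policy:
    name: str
    include_apps: set[str]                                      # {"All"} or app display names
    include_groups: set[str] = field(default_factory=lambda: {"All"})
    include_locations: set[str] = field(default_factory=lambda: {"All"})
    exclude_locations: set[str] = field(default_factory=set)
    sign_in_risk_levels: set[str] = field(default_factory=set)  # empty = condition not configured
    grant: str = "mfa"                                          # mfa | compliantDevice | block


# Named locations (hypothetical corporate egress ranges)
NAMED_LOCATIONS = {"Corporate network": ["203.0.113.0/24", "198.51.100.0/24"]}


def in_location(ip: str, name: str) -> bool:
    if name == "All":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in NAMED_LOCATIONS.get(name, []))


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every configured assignment and condition of the policy matches the sign-in."""
    if "All" not in policy.include_apps and s.app not in policy.include_apps:
        return False
    if "All" not in policy.include_groups and not (s.groups & policy.include_groups):
        return False
    if not any(in_location(s.ip, loc) for loc in policy.include_locations):
        return False
    if any(in_location(s.ip, loc) for loc in policy.exclude_locations):
        return False
    if policy.sign_in_risk_levels and s.sign_in_risk not in policy.sign_in_risk_levels:
        return False
    return True


def evaluate(policies: list[Policy], s: SignIn) -> tuple[str, list[str]]:
    """Return (outcome, names of policies that applied); outcome is allow | mfa | block."""
    required, matched = set(), []
    for p in policies:
        if applies(p, s):
            matched.append(p.name)
            required.add(p.grant)
    if "block" in required:
        return "block", matched
    if "compliantDevice" in required and not s.device_compliant:
        return "block", matched        # non-compliant or unmanaged device is denied
    if "mfa" in required and not s.mfa_done:
        return "mfa", matched          # interactive MFA challenge
    return "allow", matched


# Option B from question 2, plus the risk and device policies from questions 3 and 5
POLICIES = [
    Policy("SAP Finance: MFA off-network", include_apps={"SAP Finance"},
           include_groups={"Finance"}, exclude_locations={"Corporate network"}),
    Policy("Block high-risk sign-ins", include_apps={"All"},
           sign_in_risk_levels={"high"}, grant="block"),
    Policy("Office 365: require compliant device", include_apps={"Office 365"},
           grant="compliantDevice"),
]

# Option D from question 2: every cloud app, not just SAP
OVERBROAD = [Policy("MFA for all apps off-network", include_apps={"All"},
                    exclude_locations={"Corporate network"})]


if __name__ == "__main__":
    cases = [
        SignIn("alice", {"Finance"}, "SAP Finance", "203.0.113.10"),                  # on-network
        SignIn("alice", {"Finance"}, "SAP Finance", "192.0.2.50"),                    # from home
        SignIn("bob", {"Sales"}, "SAP Finance", "192.0.2.50"),                        # not Finance
        SignIn("alice", {"Finance"}, "Office 365", "192.0.2.50"),                     # unmanaged device
        SignIn("alice", {"Finance"}, "Office 365", "192.0.2.50", device_compliant=True),
        SignIn("alice", {"Finance"}, "Office 365", "192.0.2.50", sign_in_risk="high",
               device_compliant=True, mfa_done=True),                                 # ID Protection: high
    ]
    for c in cases:
        print(f"{c.user:6} {c.app:12} {c.ip:14} -> {evaluate(POLICIES, c)[0]:5}"
              f" | option D: {evaluate(OVERBROAD, c)[0]}")
```

Running it shows the key constraint in question 2: the scoped policy leaves a Finance user's Teams session from home alone, while the option-D policy (OVERBROAD) challenges it for MFA, which the requirement never asked for. It also shows that a high-risk sign-in is blocked even when MFA and device compliance are both satisfied, because a block grant from any matching policy wins.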

AI-102 & SC-100

Practice Questions — Azure AI Engineer & Cybersecurity Architect

AI-102 (Azure AI Engineer Associate) validates implementation of Azure AI services (formerly Cognitive Services), Azure OpenAI, and machine learning workloads. SC-100 (Cybersecurity Architect Expert) is Microsoft's apex security credential, requiring strategic design of Zero Trust architectures.

1. (AI-102) An application uses Azure OpenAI to generate responses. The team wants to ground responses in their internal documentation to reduce hallucinations. Which approach is RECOMMENDED?

  • A) Fine-tune the base model on internal documents
  • B) Implement Retrieval-Augmented Generation (RAG) using Azure AI Search (formerly Cognitive Search) as the knowledge base, with vector embeddings to retrieve relevant context that is appended to the user prompt at inference time
  • C) Increase the model's temperature
  • D) Use a larger model variant
Answer: B RAG is the dominant pattern for grounding LLMs in proprietary data: 1) index documents as vector embeddings in Azure AI Search; 2) on user query, embed the query and perform a vector similarity search to retrieve relevant chunks; 3) append retrieved context to the prompt before sending to the model; 4) instruct the model to answer based on the provided context. Advantages over fine-tuning: cheaper, faster to iterate, allows updating knowledge without retraining, and provides citations to source documents. Fine-tuning is appropriate for style/format adaptation, not for adding factual knowledge.
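The four RAG steps in the answer above, as an added example that is not code from the original page or from Microsoft. A bag-of-words cosine score stands in for the Azure OpenAI embedding model and an in-memory dict for the Azure AI Search vector index; the documentation chunks, chunk ids, stopword list and the 0.2 relevance floor are all constructed. The example also handles the failure mode the answer does not spell out: when nothing relevant is retrieved, the prompt says so explicitly rather than padding the context with unrelated chunks, and the system message tells the model to answer "I don't know".

```python
"""Minimal retrieval-augmented generation loop (constructed example).

Chunk, embed, retrieve top-k above a relevance floor, build a grounded prompt
with citations, and instruct the model to refuse when nothing relevant exists.
The embedding and index here are toy stand-ins for Azure OpenAI embeddings and
Azure AI Search; the control flow is the pattern itself.
"""
from __future__ import annotations
import math
import re
from collections import Counter

# Constructed internal documentation, pre-chunked; ids double as citation handles
DOCS = {
    "vpn-policy.md#1": "Remote staff must connect through the corporate VPN before accessing "
                       "the finance share. VPN sessions expire after 12 hours.",
    "vpn-policy.md#2": "Split tunnelling is disabled by policy; all traffic traverses the VPN gateway.",
    "expenses.md#1": "Expense claims above 500 EUR require line-manager approval in the Finance portal.",
    "onboarding.md#1": "New starters receive a YubiKey on day one and must register it for "
                       "passwordless sign-in within a week.",
}
STOPWORDS = {"a", "an", "the", "is", "are", "of", "to", "in", "on", "for", "and", "or",
             "by", "what", "how", "does", "do"}
TOKEN_RE = re.compile(r"[a-z0-9]+")
MIN_SCORE = 0.2   # relevance floor: below this, retrieve nothing rather than pad the prompt
SYSTEM_MESSAGE = (
    "Answer only from the provided context and cite chunk ids in square brackets. "
    "If the context does not contain the answer, reply exactly: I don't know."
)


def embed(text: str) -> dict[str, float]:
    """Unit-length bag-of-words vector (stand-in for a real embedding model)."""
    counts = Counter(t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS)
    norm = math.sqrt(sum(v * v for v in counts.values())) or 1.0
    return {t: v / norm for t, v in counts.items()}


def cosine(a: dict[str, float], b: dict[str, float]) -> float:
    return sum(w * b.get(t, 0.0) for t, w in a.items())


INDEX = {cid: embed(text) for cid, text in DOCS.items()}   # step 1: index the chunks


def retrieve(query: str, k: int = 2) -> list[tuple[str, float]]:
    """Step 2: top-k chunks by similarity, dropping anything under the relevance floor."""
    q = embed(query)
    scored = sorted(((cid, cosine(q, vec)) for cid, vec in INDEX.items()),
                    key=lambda x: x[1], reverse=True)
    return [(cid, round(s, 3)) for cid, s in scored[:k] if s >= MIN_SCORE]


def build_prompt(query: str, hits: list[tuple[str, float]]) -> dict[str, str]:
    """Steps 3 and 4: retrieved chunks go in the user turn, labelled by id for citation."""
    if hits:
        context = "\n".join(f"[{cid}] {DOCS[cid]}" for cid, _ in hits)
    else:
        context = "No relevant context was found."
    return {"system": SYSTEM_MESSAGE,
            "user": f"Context:\n{context}\n\nQuestion: {query}"}


if __name__ == "__main__":
    for q in ("How long do VPN sessions last?",
              "Who approves an expense claim above 500 EUR?",
              "What is the capital of France?"):
        hits = retrieve(q)
        print(q, "->", hits)
        print(build_prompt(q, hits)["user"], end="\n\n")
```

The returned `system` and `user` strings are what would be sent to the chat model; the chunk ids let the application turn any `[id]` in the completion into a link back to the source document, which is the citation advantage the answer above mentions.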

2. (AI-102) An organisation is concerned about responsible AI. Which Azure feature applies content filtering across categories like hate, sexual, violence, and self-harm before responses are returned to users?

  • A) Azure Content Safety (formerly Content Moderator) integrated with Azure OpenAI content filters
  • B) Azure Sentinel
  • C) Azure Front Door WAF
  • D) Microsoft Purview
Answer: A Azure OpenAI applies a content filter on both prompt (input) and completion (output) across four harm categories (hate, sexual, violence, self-harm) with severity levels (safe, low, medium, high). Azure Content Safety extends this with prompt shields against jailbreak attempts, groundedness detection (catching hallucinations against a source document), and protected material detection (copyrighted content). AI-102 candidates must understand responsible AI controls in addition to model capabilities.

3. (SC-100) An enterprise is implementing Zero Trust across cloud and on-premises. Which sequence BEST represents the strategic priority order?

  • A) Identity first (strong authentication, Conditional Access, MFA), then device (compliance, posture), then network (segmentation), then data (classification, encryption, DLP), with continuous verification across all layers
  • B) Network first, then identity
  • C) Data first, then everything else
  • D) Implement all simultaneously without prioritisation
Answer: A Microsoft's Zero Trust model establishes identity as the new perimeter. Sequence rationale: identity is the most-targeted attack vector and provides immediate quick wins (MFA blocks 99%+ of credential attacks). Device posture builds on verified identity. Network segmentation reinforces both. Data protection capstones the strategy. SC-100 emphasises the architect's role in prioritising investments — candidates must justify sequencing decisions based on threat reduction per dollar spent and dependency relationships.

4. (SC-100) An organisation must protect against insider threats and data exfiltration across SaaS applications. Which Microsoft solution provides Cloud Access Security Broker (CASB) capabilities?

  • A) Microsoft Defender for Cloud Apps (formerly MCAS)
  • B) Microsoft Defender for Endpoint
  • C) Microsoft Sentinel
  • D) Microsoft Defender for Identity
Answer: A Defender for Cloud Apps is Microsoft's CASB — providing four pillars: 1) discovery of shadow IT through firewall/proxy log ingestion; 2) data protection through DLP policies enforced via reverse proxy session control; 3) threat protection through anomaly detection; 4) compliance and governance. Integrates with Conditional Access for app session control (block downloads on unmanaged devices, apply watermarks, etc.). Defender for Identity (D) focuses on on-prem AD; Defender for Endpoint (B) protects devices; Sentinel (C) is SIEM/SOAR.

5. (SC-100) Which framework does Microsoft recommend as the foundation for cloud security architecture decisions on Azure?

  • A) Microsoft Cloud Adoption Framework (CAF) + Well-Architected Framework (WAF) Security pillar + Cybersecurity Reference Architecture (MCRA)
  • B) ISO 27001 alone
  • C) NIST SP 800-53 alone
  • D) PCI DSS alone
Answer: A Microsoft's reference architecture for SC-100 is a three-layer approach: CAF (organisational adoption strategy, landing zones, governance), WAF (per-workload design pillars — Reliability, Security, Cost, Operational Excellence, Performance), and MCRA (capability maps showing which Microsoft products address which threats). SC-100 candidates must reference these frameworks when justifying architectural decisions. Compliance frameworks (B/C/D) feed into the design but are not themselves architectural references.

Common questions

Microsoft Certification FAQ

Which Microsoft certification should I get first?

For IT professionals entering the Microsoft ecosystem: AZ-900 (Azure Fundamentals) is optional — many experienced IT professionals skip directly to AZ-104. For security-focused roles: SC-900 is a lightweight entry point followed by SC-300 or AZ-500. For non-technical business stakeholders: MS-900 (Microsoft 365 Fundamentals) is the most accessible. For AI engineers: AZ-900 or AI-900 as a foundation, then AI-102.

How hard is AZ-500 compared to AZ-104?

AZ-500 is significantly harder than AZ-104. AZ-104 covers general Azure administration; AZ-500 goes deep into Microsoft Defender for Cloud, Sentinel, Entra ID Privileged Identity Management, Azure Key Vault, network security, and container security at an advanced level. Most candidates should complete AZ-104 before AZ-500, as it builds the infrastructure knowledge AZ-500 assumes.

Do Microsoft certifications expire?

Yes — most Microsoft certifications expire after 1 year (role-based and specialty certifications). Fundamentals certifications (AZ-900, SC-900, etc.) do not expire. Microsoft offers a free online renewal assessment 6 months before expiry — no exam centre visit required. Renewal assessments are significantly shorter than the original exam and focus on new features added since certification.

Is AI-102 worth getting in 2026?

AI-102 (Designing and Implementing a Microsoft Azure AI Solution) is increasingly in demand as organisations deploy Azure OpenAI Service, Azure AI Foundry, and Azure Machine Learning at scale. It covers computer vision, NLP, speech, document intelligence, and generative AI including RAG (Retrieval-Augmented Generation) architectures. It is highly relevant for developers building enterprise AI applications on the Microsoft stack and is one of the fastest-growing credentials in the Microsoft portfolio.

Interactive · Timed · Fully explained

Interactive Practice Exam — Microsoft Azure Security Engineer (AZ-500)

Fifteen scenario-based AZ-500 practice items mapped to the official study areas (Identity, Networking, Compute/Storage/Database, SecOps). Each answer links to the relevant Microsoft Learn documentation and explains the Zero Trust principle behind the recommendation.


Case study · Apply Zero Trust thinking

Real-World Walkthrough: The Lapsus$ Identity Attacks (2022)

Lapsus$ is the textbook case for the AZ-500 identity domain — a young extortion group that compromised Microsoft, Okta, Nvidia, Samsung, Cisco, and Uber primarily by social engineering and abusing weak MFA. Every breach maps cleanly to Conditional Access, PIM, and Defender for Identity coverage.

Common attack pattern

  • Buy or phish initial credentials (Genesis Market, Russian Market, ICQ deals).
  • Trigger MFA push notifications dozens of times until the victim accepts ("MFA fatigue / push bombing").
  • Once inside, enumerate Microsoft Entra (formerly Azure AD) for privileged accounts; abuse standing role assignments and absent Conditional Access enforcement on management endpoints.
  • Steal source code or customer data, then extort the victim publicly via Telegram.
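A defender-side check for the push-bombing step above, added here as an example that is not part of the original case study: it scans constructed sign-in records (shaped loosely like Entra ID sign-in log entries; the tuple layout and outcome labels are assumptions, not the official schema) for a burst of unapproved MFA pushes from one account and escalates when an approval follows the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (user, UTC timestamp, MFA outcome); the tuple
# layout and outcome labels are assumptions, not the official Entra log schema.
# "denied"/"timeout" = push sent but not approved; "success" = push approved.
SAMPLE_EVENTS = [
    ("alice@example.com", "2022-03-01T02:00:05Z", "denied"),
    ("alice@example.com", "2022-03-01T02:00:40Z", "timeout"),
    ("alice@example.com", "2022-03-01T02:01:10Z", "denied"),
    ("alice@example.com", "2022-03-01T02:01:50Z", "denied"),
    ("alice@example.com", "2022-03-01T02:02:30Z", "timeout"),
    ("alice@example.com", "2022-03-01T02:03:15Z", "success"),  # victim gave in
    ("bob@example.com", "2022-03-01T09:00:00Z", "denied"),      # one-off miss
    ("bob@example.com", "2022-03-01T09:30:00Z", "success"),
]

FAILURE_OUTCOMES = {"denied", "timeout"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Alert on users with >= `threshold` unapproved MFA pushes inside `window`.
    Severity is 'critical' when an approval follows the burst within the window
    (the fatigue-then-accept pattern); otherwise 'high'."""
    by_user = defaultdict(list)
    for user, ts, outcome in events:
        by_user[user].append((_parse(ts), outcome))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        fails = [t for t, o in evs if o in FAILURE_OUTCOMES]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]  # sliding window
            if len(burst) < threshold:
                continue
            approved = any(o == "success" and burst[-1] <= t <= start + window
                           for t, o in evs)
            alerts.append({"user": user, "failures": len(burst),
                           "start": start.isoformat(),
                           "severity": "critical" if approved else "high"})
            break  # one alert per user is enough for this example
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

In a real tenant the same logic would run over exported sign-in logs with the threshold tuned to the organisation's baseline, and a "critical" hit is the cue to revoke the session and reset the factor.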

Map to AZ-500 / Microsoft security stack

Curated resources · Verified links

Helpful Materials — Microsoft Certifications

Hands-on labs

Recommended books

Free practice tests

Quick reference · Microsoft security stack

Microsoft Security Cheatsheet (AZ-500 / SC-200 / SC-100)

Identity (Microsoft Entra)

Defender suite roles

Network security

Data protection

Study tools · Active recall · AZ-900 / AZ-104 / AZ-500

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms


Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.


Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.


Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.


Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.
