Microsoft Certified: Security Compliance and Identity Fundamentals SC-900 Updated Exam

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Microsoft describes Azure Policy as the built-in governance service that lets you “create, assign, and manage policies” to enforce organizational standards and “assess compliance at scale.” It continuously evaluates existing resources for compliance and can take effect-enforcement actions such as deny, append, or modify during create/update operations. Azure Policy “helps you audit and enforce your standards” across subscriptions and resource groups, and its compliance dashboard shows overall and per-policy compliance states for all resources. By contrast, Azure Blueprints focuses on orchestrating deployments of artifacts (such as policy assignments, role assignments, and templates) for new environments; Microsoft guidance positions Policy as the engine that evaluates and enforces those standards on existing resources. Sentinel is a SIEM/SOAR for security analytics, and Anomaly Detector is a Cognitive Service—not a governance/compliance enforcement tool. Therefore, to assess compliance and enforce standards for existing Azure resources, the prescribed control plane is Azure Policy with its evaluation cycle, initiative (policy set) support, and remediation tasks.

In Microsoft’s shared responsibility model, responsibilities vary by service type. For IaaS (for example, Azure Virtual Machines), Microsoft states that it is responsible for protecting and maintaining the cloud infrastructure that runs customer workloads, while customers secure what they deploy in that infrastructure. Microsoft’s guidance explains that Microsoft “operates and secures the datacenters, physical hosts, networking, and the virtualization fabric,” and handles the underlying platform maintenance, including “hardware and firmware” that support those hosts. Conversely, customers are responsible for what runs inside their VM: “the guest operating system (including updates and security configuration), applications, identity, and data.”

Applied to the options in this question:

Updating the operating system and updating installed applications are customer tasks because they are inside the guest VM.

Configuring permissions for shared folders is also a customer responsibility because it’s an OS/application configuration within the guest.

Updating the firmware of the disk controller belongs to Microsoft, because firmware and hardware on the physical hosts (including storage controllers) are part of the infrastructure of the cloud that Microsoft manages and secures.

This aligns with SCI study materials that summarize: Microsoft secures “the security of the cloud” (physical datacenter, hosts, network, and hypervisor/firmware), while customers secure “security in the cloud” (guest OS, apps, and data).