SC-200 Exam Questions 2026 – Real Practice Test with Verified Answers

Latest SC-200 Exam Practice Questions

The practice questions for the SC-200 exam were last updated on 2026-05-29.

Question#1

Your company uses Azure Security Center and Azure Defender.
The security operations team at the company informs you that it does NOT receive email notifications for security alerts.
What should you configure in Security Center to enable the email notifications?

A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender

Explanation:
In Microsoft Defender for Cloud (previously Azure Security Center and Azure Defender), email notifications for security alerts are configured under the “Pricing & settings” section of the workspace or subscription settings. According to Microsoft documentation, each subscription connected to Defender for Cloud has a “Pricing & settings” page where administrators manage Defender plan activation, data collection settings, and email notifications for security alerts.
To enable the SOC team to receive alert notifications, navigate to Microsoft Defender for Cloud → Environment settings → [Select Subscription] → Pricing & settings → Email notifications. There, you can specify:
• The email addresses (up to 200) that will receive alerts.
• Whether to send notifications for high-severity alerts only or for all alerts.
• Whether to send to subscription owners, contributors, or specific email addresses.
This configuration ensures that alert emails are sent automatically whenever Defender for Cloud generates a new security alert, so the security operations team stays informed without manual monitoring.
The other options are incorrect because:
• Security solutions is for integrating third-party or partner security products.
• Security policy defines compliance and assessment standards.
• Security alerts shows existing alerts but does not control notification settings.
• Azure Defender is the protection plan; it does not control notification preferences.
Therefore, the correct answer is C. Pricing & settings.
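The same email-notification settings described above can be deployed as code instead of through the portal, which is how a SOC would normally keep them consistent across subscriptions. The following Bicep template is an added example, not from this page or from Microsoft's documentation; the recipient address and the severity threshold are placeholder values, and it assumes the `Microsoft.Security/securityContacts` resource type (named `default`, deployed at subscription scope) with the `2020-01-01-preview` API version.

```bicep
// Added example: Defender for Cloud email notifications for security alerts,
// equivalent to Pricing & settings -> Email notifications in the portal.
// Deploy with: az deployment sub create --location <region> --template-file main.bicep
targetScope = 'subscription'

// Placeholder recipients; multiple addresses are separated by semicolons.
param socMailbox string = 'soc@example.com'

// Send mail only for alerts at or above this severity ('High', 'Medium' or 'Low').
@allowed([
  'High'
  'Medium'
  'Low'
])
param minimalSeverity string = 'High'

resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  // The security contact resource for a subscription must be named 'default'.
  name: 'default'
  properties: {
    emails: socMailbox
    // Turn on alert mail and set the severity threshold; the portal exposes the
    // same choice as "high-severity alerts only" versus "all alerts".
    alertNotifications: {
      state: 'On'
      minimalSeverity: minimalSeverity
    }
    // Also notify everyone holding the Owner role on the subscription, so alert
    // mail does not depend on a single mailbox staying valid.
    notificationsByRole: {
      state: 'On'
      roles: [
        'Owner'
      ]
    }
  }
}
```

After deployment, confirm the change in the portal under Email notifications, or query the resource with `az rest` against the same resource path; a subscription with `alertNotifications.state` set to `Off` is the usual cause of the symptom in the question.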

Question#2

HOTSPOT
You have an on-premises datacenter that contains a custom web app named App1. App1 uses Active Directory Domain Services (AD DS) authentication and is accessible by using Microsoft Entra application proxy.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You receive an alert that a user downloaded highly confidential documents.
You need to remediate the risk associated with the alert by requiring multi-factor authentication (MFA) when users use App1 to initiate the download of documents that have a Highly Confidential sensitivity label applied.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
In this scenario, App1 is a custom web app published through Microsoft Entra Application Proxy and authenticated using Active Directory Domain Services (AD DS). Because it’s integrated with Microsoft Entra ID (formerly Azure AD) for access control, the most appropriate and supported way to require MFA for users accessing the application is through Conditional Access.
Microsoft Entra Conditional Access policies evaluate user sign-in conditions such as risk level, device compliance, location, and sensitivity of data before granting access. Specifically, Microsoft’s documentation states:
“Conditional Access policies allow administrators to require multi-factor authentication, block access, or enforce specific controls such as app protection or session policies for cloud and on-premises applications integrated with Microsoft Entra ID.”
Therefore, to make MFA mandatory for users accessing App1, a Conditional Access policy must be created targeting that application.
For the second part, to implement a session policy that controls or monitors user behavior (such as downloading highly confidential documents), the correct choice is Microsoft Defender for Cloud Apps (MDA). Microsoft’s official guidance says:
“Session policies in Microsoft Defender for Cloud Apps provide real-time session controls that enable administrators to monitor and restrict user activity in cloud apps, including download, cut/copy, and upload actions based on sensitivity labels or user risk.”
These session policies integrate with Conditional Access via the “Use Conditional Access App Control” session control, which routes the user’s session through Defender for Cloud Apps so the policy is enforced in real time.
Hence, the correct verified configuration is:
• Require MFA: Conditional Access
• Implement session policy: Microsoft Defender for Cloud Apps

Question#3

You have a Microsoft 365 E5 subscription that contains a user named User1. The subscription uses Microsoft 365 Copilot for Security. Copilot for Security uses the Sentinel plugin. User1 is assigned the Copilot Contributor role.
During an investigation, User1 submits a prompt and receives a notification that Copilot for Security cannot respond to requests because the security compute unit (SCU) usage is nearing the provisioned capacity limit.
You need to ensure that User1 can use Copilot for Security to generate a successful response.
What should User1 do?

A. Open a second Copilot for Security session and submit the prompt.
B. Wait one hour and resubmit the prompt.
C. Run the Microsoft Sentinel Optimization Workbook.
D. Update the provisioned SCUs.

Explanation:
Microsoft 365 Copilot for Security uses Security Compute Units (SCUs) to determine the processing capacity available for AI-driven operations. Each SCU represents a fixed amount of compute for handling Copilot for Security prompts and plugin interactions (such as Sentinel).
When a notification states that “SCU usage is nearing the provisioned capacity limit,” the organization’s current SCU allocation is insufficient for ongoing demand. To restore full response functionality, the tenant admin (or another authorized role) must increase the number of provisioned SCUs.
Microsoft documentation states:
“If Copilot for Security indicates that requests cannot be processed due to SCU capacity, increase your provisioned SCUs in the Microsoft 365 admin center or Azure portal to meet demand.”
The other options do not resolve the issue:
• Opening a second session does not add capacity.
• Waiting does not guarantee SCU availability.
• The Optimization Workbook relates to Sentinel performance, not Copilot SCU allocation.
Therefore, the correct answer is D. Update the provisioned SCUs.

Question#4

You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?

A. Create a Microsoft incident creation rule
B. Share the incident URL
C. Create a scheduled query rule
D. Assign the incident

Explanation:
In Microsoft Sentinel, when you need to escalate or transfer responsibility for an incident (which can include many alerts), the proper method is to assign the incident to another user or group. Assigning updates the incident’s Owner field and notifies the designated analyst or administrator responsible for further investigation.
• Sharing the incident URL (B) only provides a link; it does not change ownership or trigger a notification.
• Creating a scheduled query rule (C) or a Microsoft incident creation rule (A) defines detection logic, not an escalation workflow.
Therefore, the correct answer is D. Assign the incident.

Question#5

You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to configure Defender for Cloud to mitigate the following risks:
• Vulnerabilities within the application source code
• Exploitation toolkits in declarative templates
• Operations from malicious IP addresses
• Exposed secrets
Which two Defender for Cloud services should you use? Each correct answer presents part of the solution. NOTE: Each correct answer is worth one point.

A. Microsoft Defender for APIs
B. Microsoft Defender for Resource Manager
C. Microsoft Defender for App Service
D. Microsoft Defender for DevOps
E. Microsoft Defender for Servers

Explanation:
Microsoft Defender for Cloud provides multiple specialized Defender plans that protect different layers of your environment.
Microsoft Defender for DevOps identifies vulnerabilities in source code, exposed secrets, and insecure dependencies by integrating with CI/CD systems such as GitHub and Azure DevOps. It scans repositories for known vulnerabilities (CVEs), weak configurations, and exposed credentials before code is deployed. This directly addresses the risks:
• Vulnerabilities within application source code
• Exposed secrets
Microsoft Defender for Resource Manager protects the Azure control plane and monitors management operations to detect threats such as deployment of malicious templates, exploitation toolkits in Infrastructure as Code (IaC), and operations from malicious IP addresses. It raises alerts when suspicious control-plane actions occur, for example unexpected activity via ARM or Terraform. This covers:
• Exploitation toolkits in declarative templates
• Operations from malicious IP addresses
Together, these two Defender plans (Defender for DevOps and Defender for Resource Manager) mitigate all four risks listed in the question.
Correct answers:
B. Microsoft Defender for Resource Manager and
D. Microsoft Defender for DevOps

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Microsoft, Microsoft Certified: Security Operations Analyst Associate, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.
