SC-100 domain - 27% of the exam

Design Security Operations, Identity, and Compliance Capabilities

Design Security Operations, Identity, and Compliance Capabilities is 27% of the Microsoft Cybersecurity Architect (SC-100) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Design Security Operations, Identity, and Compliance Capabilities | Difficulty: hard

A bank wants its session controls to react when a user's access is revoked or their token is flagged as risky mid-session, rather than waiting up to an hour for the existing access token to expire. The design must apply to Exchange Online and SharePoint Online access from Microsoft Entra ID. Which capability should the architect specify to meet this near-real-time enforcement requirement?

  • A. Enable continuous access evaluation so that supported services receive revocation and critical-event signals and reject the existing token within minutes of the change. (Correct)
  • B. Tighten the Conditional Access sign-in frequency to a short interval so that users are forced to re-authenticate against the latest policy at frequent points during the day.
  • C. Configure Microsoft Entra ID Protection risk policies so that a user flagged as high risk is blocked the next time they attempt to authenticate to a protected application.
  • D. Shorten the configurable access token lifetime through a token lifetime policy so that issued tokens stop working far sooner than the default window allows.
Continuous access evaluation enforces revocation and critical events in near real time, which fixed token lifetimes and sign-in frequency cannot. Continuous access evaluation lets Microsoft Entra ID push critical events such as account disablement, password change, and elevated user risk directly to supporting resource providers, which then reject an already issued access token within minutes instead of honouring it until expiry. This closes the window that any fixed token lifetime or re-authentication interval leaves open.

Why A is correct: Continuous access evaluation establishes a near-real-time channel between Microsoft Entra ID and supported resources such as Exchange Online and SharePoint Online, so revocation or a risky-user event invalidates the live token almost immediately rather than at expiry.

Why B is wrong: Reducing sign-in frequency does reapply policy more often and feels responsive, but it still only acts at the next scheduled prompt rather than the moment of revocation, so it cannot deliver the near-real-time enforcement the requirement demands.

Why C is wrong: Risk policies score the identity and gate the next authentication, which is tempting because risk is involved, but they evaluate at sign-in and do not terminate an access token that has already been issued, so the active session continues.

Why D is wrong: A shorter token lifetime narrows the exposure window and looks like a direct fix, but it still leaves a fixed gap between revocation and expiry and Microsoft now steers customers to continuous evaluation instead, so it does not meet the requirement.
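As an added illustration (not part of the Examworthy question and not Microsoft's own code), the Python below shows what sits underneath the answer: when a CAE-enforcing resource such as Exchange Online rejects an already issued token, it returns a 401 whose WWW-Authenticate header carries error="insufficient_claims" and a base64-encoded claims challenge. A CAE-capable client decodes that challenge and forwards it, together with the xms_cc client-capability claim ("cp1"), in the claims parameter of its next token request, which is how the session is re-evaluated within minutes rather than at token expiry. The header value is constructed here in the documented shape; the function names and the handling of a plain expired-token 401 are my assumptions, and MSAL performs these steps automatically in real clients.

```python
import base64
import json
import re

CAE_ERROR = "insufficient_claims"
# Claim a CAE-capable client sends on every token request so that Entra ID issues
# CAE-aware tokens. "cp1" is the documented client-capability value.
CLIENT_CAPABILITIES = {"access_token": {"xms_cc": {"values": ["cp1"]}}}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def build_sample_challenge(nbf_epoch: int) -> str:
    """Construct a sample WWW-Authenticate value in the documented claims-challenge
    shape. This mimics what a CAE-enforcing resource returns after a revocation or
    critical event has invalidated the presented token (constructed sample)."""
    claims = {"access_token": {"nbf": {"essential": True, "value": str(nbf_epoch)}}}
    encoded = base64.b64encode(json.dumps(claims).encode()).decode()
    return (
        'Bearer realm="", '
        'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        f'error="{CAE_ERROR}", claims="{encoded}"'
    )


def parse_www_authenticate(header: str) -> dict:
    """Split a Bearer challenge into its key="value" parameters."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(header))


def _b64decode_lenient(value: str) -> bytes:
    # Challenge values may arrive with base64 padding stripped; restore it first.
    value = value.strip()
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def extract_claims_challenge(header: str):
    """Return the decoded claims challenge if the 401 is a CAE challenge, else None.
    A plain expired-token 401 (error="invalid_token") is not a CAE event."""
    params = parse_www_authenticate(header)
    if params.get("error") != CAE_ERROR or "claims" not in params:
        return None
    try:
        return json.loads(_b64decode_lenient(params["claims"]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed claims challenge") from exc


def merge_claims(challenge: dict, capabilities: dict = CLIENT_CAPABILITIES) -> dict:
    """Combine the resource's challenge with the client-capability claim into the
    single 'claims' parameter sent to Entra ID when asking for a fresh token."""
    merged = json.loads(json.dumps(capabilities))  # deep copy, leave the constant alone
    for token_type, claims in challenge.items():
        merged.setdefault(token_type, {}).update(claims)
    return merged


def next_token_request_claims(header: str):
    """Given a 401 response header, decide what the client must do next: return the
    claims dict to send on the new token request, or None if this was not a CAE
    challenge (an ordinary expiry is handled by a normal refresh instead)."""
    challenge = extract_claims_challenge(header)
    if challenge is None:
        return None
    return merge_claims(challenge)


if __name__ == "__main__":
    sample = build_sample_challenge(1604106651)
    print(sample)
    print(json.dumps(next_token_request_claims(sample), indent=2))
```

The important design point for a reviewer is the branch in extract_claims_challenge: only a challenge carrying insufficient_claims is a CAE signal, so telemetry that counts these responses separately from ordinary invalid_token expiries gives a direct measure of how often revocation and critical events are being enforced mid-session.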


Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.