Microsoft SC-900 Microsoft Security, Compliance, and Identity Fundamentals Exam Dumps and Practice Test Questions Set 13 Q181-195


Question 181

A company wants to classify and protect sensitive documents containing financial and personal information across Microsoft 365. Which solution should be implemented?

A) Microsoft Purview Information Protection
B) Microsoft Entra Conditional Access
C) Microsoft Defender for Endpoint
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Purview Information Protection

Explanation

Microsoft Purview Information Protection is the correct solution because it enables organizations to classify, label, and protect sensitive information based on content, context, and location. It supports automated, recommended, or manual labeling and applies encryption, rights management, and access controls to protect data from unauthorized access or sharing. Sensitive documents such as financial statements, personal data, or proprietary reports can be automatically detected and protected using built-in or custom sensitivity labels.

Conditional Access enforces authentication and access policies rather than data classification or protection. While it can control who can access applications or resources, it does not apply encryption, labeling, or rights management to documents.

Defender for Endpoint focuses on endpoint protection and threat detection. It monitors devices for malware, ransomware, and suspicious activity, but does not provide content classification or document-level protection.

Intune Compliance Policies ensure that devices meet security standards before accessing resources. Although device compliance can indirectly help secure sensitive data, Intune does not classify or label documents.

By using Microsoft Purview Information Protection, organizations can maintain regulatory compliance, prevent accidental data leaks, and ensure that sensitive information is encrypted and shared only with authorized users. Integration with Microsoft 365 apps like Word, Excel, and Outlook ensures seamless protection across collaboration tools, providing both security and productivity.

Question 182

A company needs to monitor user activities and detect abnormal sign-in patterns in Azure Active Directory. Which solution should be used?

A) Microsoft Defender for Identity
B) Microsoft Entra Conditional Access
C) Microsoft Purview Information Protection
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Defender for Identity

Explanation

Microsoft Defender for Identity is correct because it provides advanced monitoring and detection of identity-based threats in both on-premises Active Directory and Azure Active Directory. It analyzes user behavior, authentication patterns, and access requests to detect anomalies, including unusual sign-ins, lateral movements, and suspicious activities that could indicate account compromise. Alerts can be sent in real-time for proactive threat mitigation.

Conditional Access enforces access control policies, including MFA, based on risk conditions but does not continuously monitor user behavior or detect threats post-authentication.

Purview Information Protection is used for classifying and protecting sensitive data, not for monitoring sign-in patterns or detecting identity threats.

Intune Compliance Policies focus on device compliance and security before granting access to resources. While they ensure secure devices, they do not detect abnormal user sign-in patterns or compromised accounts.

Defender for Identity enables organizations to identify compromised accounts early, investigate suspicious activities, and integrate with other Microsoft security solutions like Sentinel to provide a comprehensive threat response strategy. This proactive monitoring is crucial for maintaining security and compliance across hybrid environments.

Question 183

A company wants to restrict access to cloud apps based on user location and device compliance. Which solution is most appropriate?

A) Microsoft Entra Conditional Access
B) Microsoft Purview Information Protection
C) Microsoft Defender for Endpoint
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Entra Conditional Access

Explanation

Microsoft Entra Conditional Access is the correct choice because it enables policy-based access control based on multiple conditions, including user location, device compliance, application sensitivity, and sign-in risk. Administrators can require MFA or block access if conditions are not met, supporting a Zero Trust security approach.

Purview Information Protection focuses on protecting sensitive data but does not manage authentication or access based on location or device compliance.

Defender for Endpoint provides threat protection for devices, but cannot enforce conditional access to cloud apps.

Intune Compliance Policies ensure device compliance, which can be used as a condition in Conditional Access, but by themselves they do not enforce access restrictions to cloud applications based on multiple criteria.

Conditional Access allows organizations to secure cloud applications effectively, ensuring only authorized and compliant users can access sensitive apps, mitigating the risk of unauthorized access and maintaining regulatory compliance.

Question 184

A company needs to ensure that only compliant and secure devices can access Microsoft 365 resources. Which solution should be implemented?

A) Microsoft Intune Compliance Policies
B) Microsoft Entra Conditional Access
C) Microsoft Defender for Identity
D) Microsoft Purview Information Protection

Correct Answer: A) Microsoft Intune Compliance Policies

Explanation

Microsoft Intune Compliance Policies is the correct solution because it evaluates and enforces device security and compliance requirements. Policies can require encryption, password protection, OS version updates, and antivirus installation. Devices that do not meet compliance standards can be blocked from accessing Microsoft 365 resources, ensuring that sensitive data is protected from insecure endpoints.

Conditional Access enforces access based on conditions, often leveraging device compliance from Intune, but it does not define what constitutes a compliant device.

Defender for Identity monitors identity threats but does not enforce device security compliance.

Purview Information Protection protects data through labeling and encryption, but it does not control access based on device compliance.

Intune ensures a secure and managed device posture, reducing the attack surface for corporate data while integrating seamlessly with Conditional Access to enforce policies at the point of access. This combination strengthens overall security.

Question 185

A company wants to analyze security alerts, correlate events, and generate actionable insights across Microsoft 365 and Azure. Which solution should be used?

A) Microsoft Sentinel
B) Microsoft Entra Conditional Access
C) Microsoft Purview Information Protection
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Sentinel

Explanation

Microsoft Sentinel is the ideal solution because it provides a comprehensive, cloud-native Security Information and Event Management system, designed to centralize security monitoring and streamline incident response across an organization. Unlike traditional SIEM solutions that may require complex on-premises infrastructure, Sentinel leverages the cloud to collect and analyze security data from multiple sources, including Microsoft 365, Azure, and third-party systems. By consolidating data from across the enterprise, Sentinel offers a holistic view of security events and potential threats, ensuring that organizations can detect, investigate, and respond to risks more efficiently.

A key strength of Microsoft Sentinel lies in its ability to process and correlate vast amounts of telemetry in real time. Through the use of artificial intelligence, machine learning, and advanced analytics, Sentinel identifies anomalies that may indicate malicious activity, such as unusual sign-in patterns, abnormal data access, or suspicious system behavior. By correlating events from different sources, it can detect complex attack patterns that would be difficult or impossible to identify through manual monitoring. This correlation enables security teams to prioritize alerts based on severity and potential impact, reducing the noise from low-priority events and allowing analysts to focus on the most critical threats.

Sentinel also provides a range of tools for automation and orchestration. Security teams can create automated workflows that respond to specific alerts, such as isolating compromised devices, blocking malicious accounts, or triggering notifications for further investigation. These automated responses accelerate mitigation efforts and reduce the window of opportunity for attackers. Dashboards and reporting features give teams clear visibility into security trends, ongoing incidents, and compliance status, helping organizations maintain a proactive security posture while meeting regulatory requirements.

When compared to other solutions, the advantages of Sentinel become clear. Conditional Access is designed to enforce access policies based on device compliance, user location, risk assessment, and authentication context. While it effectively controls who can access resources and under what conditions, it does not provide centralized analysis of security events, alert correlation, or automated incident response capabilities. Similarly, Purview Information Protection focuses on the classification, labeling, and protection of sensitive data. Although it ensures that documents and emails are handled securely, it does not analyze security incidents, detect attacks, or provide actionable insights for threat response. Intune Compliance Policies enforce device health and configuration standards, helping to maintain secure endpoints, but they do not offer centralized monitoring, event correlation, or advanced analytics for security incidents.

By combining centralized log collection, real-time analytics, AI-driven threat detection, and automated response, Microsoft Sentinel empowers organizations to take a proactive approach to security. Analysts can identify trends, investigate incidents in depth, and remediate threats rapidly, reducing the likelihood of breaches and minimizing operational impact. Sentinel’s integration with Microsoft 365, Azure, and other platforms allows organizations to unify their security operations, improve visibility across hybrid and cloud environments, and maintain compliance with internal policies and regulatory standards. Overall, Sentinel enhances an organization’s security posture by enabling faster detection, smarter response, and more efficient management of security events.

Question 186

A company wants to enforce multi-factor authentication (MFA) for all users accessing Azure and Microsoft 365 resources to reduce the risk of compromised accounts. Which solution should be implemented?

A) Microsoft Entra Conditional Access
B) Microsoft Purview Information Protection
C) Microsoft Intune Compliance Policies
D) Microsoft Defender for Endpoint

Correct Answer: A) Microsoft Entra Conditional Access

Explanation

Microsoft Entra Conditional Access is the appropriate solution because it provides a structured, policy-driven method for enforcing multi-factor authentication across Microsoft 365, Azure services, and other connected applications. It allows administrators to create rules that determine exactly when users must provide an additional authentication factor, such as a text message, biometric verification, a phone call, or an authenticator app prompt. This type of layered verification dramatically reduces the risk posed by stolen or leaked passwords, which remain one of the most common entry points for attackers. By requiring more than one form of proof, Conditional Access ensures that even if an attacker gains access to a user’s password, they cannot easily take over the account.

One of the major strengths of Conditional Access is its flexibility. Administrators can design policies that adapt to different circumstances, combining various signals to determine the appropriate enforcement action. These signals may include user location, device platform, session risk, sign-in behavior, or the sensitivity of the resource being accessed. For example, a user logging in from an unfamiliar location or a risky network could be challenged with MFA, while a user accessing from a trusted device and location may be allowed to sign in without friction. This dynamic evaluation aligns with the Zero Trust security model, where every access request is continuously verified rather than automatically trusted.

Conditional Access also integrates closely with device compliance programs. Although Intune Compliance Policies ensure devices meet security standards such as encryption, OS version requirements, or threat protection status, they do not independently enforce MFA. Instead, Conditional Access is the component that uses these compliance signals as part of its decision-making. If a device is found to be non-compliant, Conditional Access can require MFA, block access entirely, or direct the user through remediation steps, ensuring that only secure devices and legitimate users access organizational data.

Purview Information Protection plays a different role in the Microsoft ecosystem. Its primary purpose is to classify and protect sensitive data through labeling, encryption, and rights management. While it is crucial for safeguarding documents and emails, it has no involvement in authentication workflows. Purview does not challenge users during sign-in or influence the methods users must use to prove their identity.

Similarly, Microsoft Defender for Endpoint enhances security from the perspective of threat detection and device-level protection. It monitors endpoints for malware, ransomware, suspicious behaviors, and active exploits. Although it significantly contributes to endpoint security, it does not control how users authenticate to cloud services and cannot enforce MFA.

By leveraging Conditional Access to mandate MFA, organizations strengthen their identity security posture and reduce exposure to attacks such as credential stuffing, phishing, and brute-force attempts. The solution also supports regulatory compliance by ensuring strong authentication for sensitive or high-risk applications. Because it integrates seamlessly across Microsoft cloud platforms, organizations can deploy consistent and centralized policies that govern authentication for all users and devices. This comprehensive approach plays a key role in reducing risk, safeguarding user accounts, and ensuring secure access across the organization.

Question 187

A company needs to detect and respond to phishing attacks targeting Microsoft 365 users. Which solution should be deployed?

A) Microsoft Defender for Office 365
B) Microsoft Entra Conditional Access
C) Microsoft Purview Information Protection
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Defender for Office 365

Explanation

Microsoft Defender for Office 365 is the most suitable solution because it is specifically designed to protect users and organizations from email-based attacks such as phishing, malicious links, and harmful attachments. Email continues to be one of the most common entry points for attackers, and this service provides multiple layers of defense to stop threats before they reach users. Defender for Office 365 evaluates incoming messages in real time, scanning for suspicious URLs, embedded scripts, abnormal sender behavior, spoofed domains, and files that may contain malware or exploits. Its Safe Links feature rewrites and analyzes URLs at the time of click, ensuring that even if a link becomes malicious after delivery, users remain protected. Safe Attachments performs a similar role, opening files within a secure environment to detect previously unseen or zero-day threats before they reach the mailbox.

In addition to prevention, the solution includes robust investigation and response capabilities. Security teams can use automated investigation tools to analyze potential incidents quickly, identify affected accounts, and remediate threats. This includes actions such as revoking malicious emails across all mailboxes, disabling compromised accounts, or alerting administrators to abnormal activity. Automated workflows reduce the time required to contain a threat, minimizing organizational impact. The platform also includes tools for tracking phishing campaigns, identifying targeted users, and providing detailed reporting to help administrators strengthen their defenses.

By comparison, Conditional Access focuses on controlling access to applications based on specific conditions such as device compliance, user risk, location, or authentication strength. While it plays an important role in protecting organizational resources, it does not scan emails, detect phishing campaigns, or analyze content for malicious intent. Its purpose is policy enforcement, not email threat mitigation.

Purview Information Protection aims to classify, label, and safeguard sensitive information based on data type or user-defined rules. It is essential for controlling how confidential information is shared or stored, but it does not scan email content for malicious attachments or detect phishing attempts. Its focus is on data governance and protection rather than detecting and responding to email-borne threats.

Intune Compliance Policies ensure that devices meet organizational security requirements, such as having encryption enabled, being malware-free, or having the latest updates installed. This helps reduce device-level risks but does nothing to stop phishing messages from being delivered to users or to protect against malicious content that arrives through email.

Microsoft Defender for Office 365 stands out because it actively detects, analyzes, and blocks email-borne threats. It integrates with Microsoft Sentinel to provide deeper analytics, extended detection, and improved threat investigation. It also supports user education through attack simulation training, helping employees recognize risky behavior and avoid falling victim to phishing attempts. With its layered protection, automated response features, and strong investigative capabilities, Defender for Office 365 significantly strengthens an organization’s overall security posture.

Question 188

A company wants to classify and label sensitive data in emails and documents to comply with GDPR regulations. Which solution should be implemented?

A) Microsoft Purview Information Protection
B) Microsoft Entra Conditional Access
C) Microsoft Defender for Endpoint
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Purview Information Protection

Explanation

Microsoft Purview Information Protection is correct because it enables automated or manual classification, labeling, and protection of sensitive data. It can detect personally identifiable information (PII), financial records, and other regulated data, applying sensitivity labels and encryption to ensure compliance with GDPR. Labels can automatically restrict access, prevent forwarding, and monitor usage.

Conditional Access controls authentication and access but does not classify or protect content.

Defender for Endpoint protects devices against threats but does not handle document-level classification or GDPR compliance.

Intune Compliance Policies enforce device security, not data protection or labeling.

Purview Information Protection ensures organizations can safeguard sensitive data, meet regulatory requirements, and maintain control over how information is shared, reducing compliance risk while maintaining user productivity.

Question 189

A company wants to monitor suspicious sign-in attempts and identify compromised user accounts in real-time. Which solution should be used?

A) Microsoft Defender for Identity
B) Microsoft Purview Information Protection
C) Microsoft Intune Compliance Policies
D) Microsoft Entra Conditional Access

Correct Answer: A) Microsoft Defender for Identity

Explanation

Microsoft Defender for Identity is the appropriate solution in this scenario because it is designed specifically to detect identity-centered threats by analyzing patterns of user behavior, authentication attempts, and directory activity. It continuously monitors how users interact with resources, looking for deviations from established behavioral baselines. This includes tracking unusual sign-ins, suspicious authentication sequences, unexpected privilege escalations, and potential lateral movement attempts within the environment. When any activity appears abnormal or aligns with known attack techniques, the system generates alerts that security teams can investigate immediately. By focusing on identity signals, Defender for Identity helps organizations uncover compromised accounts before attackers can progress deeper into the network.

The strength of Defender for Identity comes from its ability to gather and correlate signals from both on-premises Active Directory and cloud-based Azure Active Directory. This hybrid visibility is crucial because attackers often target identity infrastructures that span across environments. Defender for Identity watches for credential theft, attempts to use outdated protocols, repeated authentication failures, and behaviors that resemble reconnaissance activities used during the early stages of an attack. Through these insights, organizations receive a comprehensive view of potential identity misuse, allowing them to detect breaches earlier and respond more effectively.

In contrast, Purview Information Protection serves an entirely different purpose. Its function is to classify and protect sensitive data based on content and context, applying labels, encryption, and usage restrictions. While this is valuable for safeguarding documents and preventing accidental data exposure, Purview does not monitor user sign-ins or detect identity anomalies. It focuses on data protection rather than identity threat detection, making it unsuitable for identifying suspicious login activities or compromised accounts.

Intune Compliance Policies also do not address the challenge described in the scenario. Intune ensures that devices meet organizational standards, such as having up-to-date operating systems, required security configurations, and approved applications. While these policies contribute to a secure environment, they provide no capability to detect account compromise or analyze malicious user behavior. Compliance policies relate solely to device health, not identity threats.

Conditional Access adds another layer of protection by enforcing access requirements based on risk levels, device status, location, and user conditions. Although Conditional Access can block or challenge sign-ins based on predefined rules, it does not provide deep anomaly detection or threat hunting capabilities. It reacts to conditions rather than discovering threats, and it does not perform the behavioral analysis offered by Defender for Identity.

The advantage of Microsoft Defender for Identity lies in its proactive posture. It empowers security teams to respond quickly to unusual or malicious identity activity by providing early warnings and detailed attack insights. By integrating seamlessly with Microsoft Sentinel, organizations can combine Defender for Identity alerts with broader SIEM data, enabling more advanced investigation, automated response workflows, and unified threat analysis. Through this combination of behavioral analytics, continuous monitoring, and centralized visibility, Defender for Identity significantly strengthens an organization’s ability to prevent and contain identity-based attacks.

Question 190

A company needs to ensure secure access to Microsoft 365 apps based on device compliance and user risk. Which solution is most appropriate?

A) Microsoft Entra Conditional Access
B) Microsoft Purview Information Protection
C) Microsoft Defender for Endpoint
D) Microsoft Intune Compliance Policies

Correct Answer: A) Microsoft Entra Conditional Access

Explanation

Microsoft Entra Conditional Access plays a central role in modern identity-based security because it evaluates a wide range of contextual signals before allowing, denying, or adjusting access to Microsoft 365 applications and other connected resources. Rather than relying solely on traditional authentication methods, it assesses multiple risk indicators that reflect the real-time security posture of the user and the device. These indicators include factors such as user risk level, sign-in risk derived from behavioral analytics, the geographic location of the authentication attempt, the network type, device compliance status, and the sensitivity of the application being accessed. By combining these signals, Conditional Access constructs a dynamic access decision that aligns with organizational security requirements and reduces the chance of unauthorized entry.

The platform operates as a core component of Microsoft’s Zero Trust architecture, an approach built on the principle that no user or device should be implicitly trusted, even if it is operating inside the organization’s network perimeter. Traditional security models often relied on perimeter-based trust, where internal traffic was treated as safe by default. However, with the rise of cloud services, hybrid work, personal devices, and widely distributed users, this model is insufficient. Conditional Access shifts security toward continual validation, ensuring that every authentication request is thoroughly inspected. Access is granted only after confirming that the identity is legitimate, the device meets compliance expectations, and the context of the request does not introduce unusual or suspicious indicators.

Within this model, Conditional Access policies can enforce requirements such as multi-factor authentication to establish a stronger proof of identity. If the system detects that a user is signing in from an unfamiliar location, a risk-prone network, or a device that lacks necessary compliance status, it can automatically prompt the user for additional authentication methods. These measures may include verification codes, biometric checks, or authenticator app confirmations. If the risk scenario is deemed severe enough, the policy can block access entirely until security concerns are addressed. By automating these decisions and tying them to contextual conditions, organizations reduce the burden on security teams and streamline protection mechanisms across the environment.

Question 191

Which technology allows a Cisco SD-WAN router to steer traffic dynamically based on real-time transport-level performance such as latency, jitter, and packet loss?

A. OSPF Path Cost
B. Application-Aware Routing
C. Policy-Based Routing
D. IP SLA Static Tracking

Correct Answer: B

Explanation:

A discusses a classic interior gateway attribute that influences path computation strictly by numerical cost. It does not evaluate live performance metrics such as jitter or loss, making it unsuitable for real-time application steering in SD-WAN environments.

B represents a core capability within Cisco SD-WAN that monitors transport-level characteristics like delay, loss, and jitter. It uses this information to evaluate data-plane tunnels and select the best-performing WAN path dynamically. It integrates application recognition, monitoring, and policy enforcement to adjust forwarding decisions based on defined SLA profiles. It adapts automatically as underlying conditions fluctuate, enabling high-quality service for voice, video, and mission-critical workloads. This is the only technology listed that incorporates continuous real-time measurement across WAN transport options.

C refers to traditional control-plane redirection based on matching traffic attributes and applying a fixed next hop. It does not evaluate real-time WAN link performance and cannot adjust forwarding automatically when latency or loss changes. It is static and cannot guarantee SLA-driven application performance.

D provides measurement capabilities for reachability and latency but is not tied to any automatic forwarding or dynamic SD-WAN decision-making. Although it can track certain parameters, it cannot independently steer traffic across multiple WAN circuits based on SLA conditions. It is not application-aware and does not integrate with SD-WAN fabric routing.

The accurate technology for dynamic, application-integrated WAN path selection is B, which uniquely provides continuous performance monitoring, automated steering, and SLA-based decision frameworks.

Question 192

Which BGP feature is used in Enterprise networks to prevent flapping external prefixes from causing constant route updates in the control plane?

A. BGP Confederations
B. BGP Next-Hop Tracking
C. BGP Route Dampening
D. BGP Local Preference

Correct Answer: C

Explanation:

A reorganizes a large autonomous system into sub-AS structures to reduce internal complexity. It does not suppress unstable prefixes or mitigate excessive updates caused by external route flaps, so it does not solve the flapping problem directly.

B focuses on reacting quickly when next-hop reachability changes, optimizing convergence rather than preventing excessive churn. It does not track instability from external routes and cannot slow down repeated updates from flapping peers.

C provides a mechanism for penalizing routes that exhibit instability. When a prefix flaps repeatedly, penalties accumulate until they exceed a suppress threshold. At that point, the prefix is suppressed, meaning it is not advertised until the penalty decays below the reuse threshold. This dampening protects neighbors and internal devices from continuous updates. It significantly reduces control-plane churn and prevents route instability from spreading through the network. This directly matches the problem described in the question.

D influences exit-routing selection by adjusting values used to select outbound paths. It does not perform any form of update suppression or stability evaluation, so it cannot mitigate frequent update announcements triggered by unstable prefixes.

Thus C is correct because it is explicitly designed to prevent the propagation of excessive updates associated with route flapping.

Question 193

In a wireless deployment, which feature allows multiple APs to conduct real-time spectrum analysis to detect non-Wi-Fi interference sources?

A. Rx-SOP
B. CleanAir
C. DFS
D. Client Load-Balancing

Correct Answer: B

Explanation:

Option A refers to adjusting the receiver sensitivity thresholds on an access point, a technique often used to influence how far the AP can hear client transmissions. By raising these thresholds, the AP becomes less responsive to weaker signals, which can help increase spatial reuse within dense wireless environments. This adjustment reduces contention by preventing APs from responding to distant or marginal clients. While this capability has value for improving overall Wi-Fi performance in certain scenarios, it does not provide any insight into non-Wi-Fi sources of interference. It also does not perform collaborative spectrum analysis across multiple access points, nor does it classify or identify interferers operating outside the 802.11 standard. Its scope is purely related to Wi-Fi signal interpretation and threshold tuning, not comprehensive RF intelligence.

Option B describes a Cisco feature built specifically for advanced spectrum intelligence. Unlike simple Wi-Fi signal interpretation, this capability relies on dedicated hardware integrated into supported access points. The specialized chipsets continuously monitor the RF environment, capturing energy patterns and waveform signatures that originate from a wide variety of non-802.11 devices. These may include technologies such as Bluetooth, microwave ovens, wireless video cameras, cordless phones, Zigbee devices, and numerous other sources of interference that can degrade Wi-Fi performance without being part of the Wi-Fi protocol itself. Because this solution is hardware-driven, it can analyze raw RF energy rather than relying on Wi-Fi frames, enabling real-time and highly accurate identification of interferer types.

Furthermore, multiple access points can feed their spectrum data into a centralized controller or management system. By aggregating input from several APs, the system can build a broader and more accurate picture of the interference landscape. This multi-AP collaboration allows network operators to view patterns, detect persistent or transient interferers, determine their approximate location, and receive suggestions for mitigation. These insights are particularly valuable in dense or complex wireless environments where external devices can cause unpredictable performance issues. This aligns precisely with the feature described in the original question, which focuses on multi-AP spectrum analysis specifically targeting non-Wi-Fi interference sources.

Option C deals with radar detection mechanisms associated with Dynamic Frequency Selection within the 5 GHz band. While this function is essential for regulatory compliance, particularly in regions where certain 5 GHz frequencies overlap with weather or military radar, its capabilities are limited to identifying radar signatures. It does not analyze general RF interference, nor does it provide classification of diverse non-Wi-Fi devices. Additionally, it does not perform multi-AP spectrum correlation or deliver broad-spectrum intelligence.

Option D involves load balancing strategies designed to distribute clients more evenly across available access points. This feature helps improve overall performance by steering clients toward less congested APs, but it has no spectrum analysis capability and does not detect or classify any interference sources.

Given these distinctions, option B is clearly the feature that matches the described requirement for comprehensive, hardware-based, multi-AP spectrum intelligence focused on identifying non-802.11 interferers.

Question 194

Which feature of Cisco TrustSec assigns security attributes directly to traffic, enabling scalable policy enforcement across the network?

A. VRF-Lite
B. SGT (Security Group Tags)
C. IPsec Tunnels
D. 802.1X

Correct Answer: B

Explanation:

A divides routing tables for segmentation but does not embed identity or role information into packets. It provides separation but does not allow a distributed security policy tied to user or device attributes.

B provides tag-based classification where identity and role information are encoded directly into packets through inline or hardware tagging. Devices can enforce policies based on these tags rather than relying on IP addresses or topological context. This allows scalable, consistent segmentation and security management across complex enterprise environments. It is central to Cisco TrustSec architecture and matches the description exactly.

C provides encryption, integrity, and confidentiality but does not embed identity-based attributes for distributed policy enforcement.

D authenticates clients and provides identity onboarding, but does not propagate tag-based attributes throughout the network automatically.

Therefore, B is the correct feature enabling identity-based, scalable policy enforcement.

Question 195

Which SD-Access control-plane component maintains fabric endpoint-to-edge node mappings? 

A. LISP Map-Server/Map-Resolver
B. DNA Center PnP Agent
C. ISE pxGrid
D. WLC Mobility Agent

Correct Answer: A

Explanation:

In a Software-Defined Access (SD-Access) environment, the control plane is one of the most important architectural components because it determines how endpoints are located, identified, and reached throughout the fabric. Among the options provided in the scenario, option A represents the component that performs the crucial role of maintaining the mapping between endpoint identifiers and their corresponding locations within the SD-Access fabric. This mapping responsibility is not minor; it is foundational to how the fabric forwards traffic, enforces segmentation, supports mobility, and ensures efficient routing between users and applications.

The core idea behind SD-Access is to build a network environment where policy, segmentation, and identity follow the user, device, or workload regardless of where it moves within the infrastructure. This can only work if the fabric has an authoritative, always-updated reference for where each endpoint actually resides. To accomplish this, SD-Access uses a control-plane node running the Locator/ID Separation Protocol (LISP). This particular component stores endpoint identifier-to-location mappings. Whenever an endpoint joins the network, authenticates, or moves, the fabric edge node where that endpoint connects registers the identity and its corresponding location information with the control-plane node. The control-plane node then records this association in its mapping database so that every fabric node can look up the current position of any identity whenever needed.

By contrast, the other options in the question serve very different purposes and do not provide the mapping capabilities required for SD-Access forwarding operations. Option B refers to the component used for provisioning network devices, onboarding them into the SD-Access environment, pushing template configurations, and enabling automation workflows. While provisioning systems are extremely useful for network deployment and management, they are not involved in storing endpoint identifier-to-location information. Their function is focused on automating configuration and deployment, not facilitating control-plane operations.

Option C relates to sharing identity context across the fabric. This means that it knows who the user is, what type of device is connected, and what security or policy posture is associated with that identity. Although identity sharing is an important part of the SD-Access architecture, and it works closely with policy enforcement components, it does not maintain the actual location-based mapping needed for forwarding decisions. Knowing who a user is does not automatically reveal where that user is physically or logically located within the fabric. Identity services can authenticate endpoints and provide group-based policies, but they do not track mobility or fabric routing details.

Option D focuses on handling wireless mobility events. This includes tasks such as tracking when a wireless client roams between access points, updating session information, and ensuring seamless connectivity as the user moves. While this component plays an important role in providing a smooth wireless experience, it is not the entity that performs the SD-Access control-plane mapping function. Wireless mobility controllers operate at a more traditional mobility layer; they deal with client associations and movement between access points, but do not maintain the identity-to-location database required by the SD-Access fabric for routing decisions.

Only option A precisely aligns with the control-plane responsibilities defined in SD-Access. It is the mechanism that allows the fabric to understand where endpoints exist and how to reach them efficiently. Without this function, the entire fabric would be unable to forward traffic properly because no node would have a reliable method of determining where a given identity resides.

To understand why option A is correct, it is helpful to explore the architectural differences between traditional networks and fabric-based networks like SD-Access. In conventional networks, routing protocols store network prefixes and exchange route information in a distributed manner. Endpoints rely on IP addressing and subnet structures, and routing is based on learning about subnets rather than individual users or devices. Mobility, segmentation, and identity enforcement are often bolted on as additional layers, which creates operational complexity. Each device in the path must participate in learning and forwarding decisions, resulting in multiple control-plane exchanges across the network.

In SD-Access, the intent is to decouple identity from location. Instead of relying solely on distributed routing protocols to track how to reach an IP prefix, the fabric tracks the exact location of each endpoint, no matter where it currently sits. This is where the control-plane node becomes critical. It acts as a centralized database that replaces much of the traditional distributed control-plane activity. As soon as an endpoint appears on a fabric edge switch, the edge switch notifies the control-plane node and provides the identity and location. From that moment, any other fabric node that needs to forward traffic can simply ask the control-plane node where that identity lives.

Another advantage of the mapping system in option A is mobility handling. When an endpoint moves from one part of the fabric to another, the edge node it connects to updates the control-plane node. The control-plane node overwrites the previous mapping entry with the new one, ensuring that all future queries return the most current location. This mobility awareness operates seamlessly whether the endpoint is wired, wireless, or roaming across different parts of the enterprise. Without this mechanism, mobility would require complex recalculations or widespread route propagation, which is inefficient and slow.

The efficiency of this mapping system also enhances security. Since the control plane maintains a database of identities and locations, it becomes much easier to apply role-based or group-based access control. Policies follow the user instead of the IP address or physical port. When an endpoint moves, the policy stays intact because it is tied to the identity, not the location. The fabric only needs to know the new position of that identity, which the control-plane node provides instantly. This alignment of identity, policy, and location is at the heart of SD-Access security architecture.

In addition, because the control-plane node tracks identity-to-location information for the entire fabric, troubleshooting and analytics become far more streamlined. Network operators can quickly determine where an endpoint is connected, what policies are being applied, and how traffic is being forwarded. The centralized mapping reduces ambiguity and eliminates the guesswork typical in large, distributed networks where devices may appear on different switches without clear documentation.

To contrast this again with the other options, provisioning systems such as those in option B deal solely with automating initial configurations and updates. They simplify large-scale deployments but have no role in fabric forwarding. Identity systems in option C help authenticate and classify endpoints, but do not maintain the location of those endpoints. Wireless mobility controllers in option D track client movement across access points but do not store or manage the identity-to-location mappings that the SD-Access fabric requires.

Every component in SD-Access plays a specific role, but only the element described in option A fulfills the control-plane mapping function. Without this mapping, fabric operations would break down, identity-based policies could not be enforced effectively, and mobility would require cumbersome mechanisms. The mapping database is what ties the entire SD-Access framework together and ensures that endpoints can be found instantly whenever data needs to reach them.

For all these reasons, option A is undeniably the correct choice. It matches the precise requirement stated in the question and provides the core function that enables SD-Access to operate as a scalable, policy-driven, identity-centric, and mobility-friendly architecture.
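The register, lookup, and overwrite-on-move behaviour described above, combined with the tag-based policy from Question 194, can be modelled in a few lines. This is an added example, not Cisco code: the class, function names, endpoint names, edge names, and group names are all constructed, and real fabrics use IP or MAC addresses as endpoint identifiers and numeric tags.

```python
# Simplified, constructed model; not Cisco code.
class ControlPlaneNode:
    """Mapping database: endpoint identifier (EID) -> fabric edge node."""

    def __init__(self):
        self._db = {}        # eid -> edge node that last registered it
        self.history = []    # (eid, previous_edge, new_edge) for troubleshooting

    def map_register(self, eid, edge):
        """An edge node reports an endpoint that attached or roamed to it."""
        self.history.append((eid, self._db.get(eid), edge))
        self._db[eid] = edge  # the newest registration overwrites the old entry

    def map_request(self, eid):
        """Any fabric node asks where an endpoint currently lives."""
        return self._db.get(eid)  # None: nothing registered for this EID


# Constructed sample data: group tags bound to identity, not to location.
SGT = {"alice-laptop": "Employees", "bob-laptop": "Contractors",
       "fin-db": "FinanceServers"}
# (source group, destination group) -> permitted; anything absent is denied.
POLICY = {("Employees", "FinanceServers"): True,
          ("Contractors", "FinanceServers"): False}


def forward(cp, src, dst):
    """Resolve the destination's edge node, then enforce the group policy."""
    edge = cp.map_request(dst)
    if edge is None:
        return ("drop", "unknown destination")
    if not POLICY.get((SGT.get(src), SGT.get(dst)), False):
        return ("drop", "policy")
    return ("deliver", edge)


def demo():
    cp = ControlPlaneNode()
    for eid, edge in [("alice-laptop", "edge-1"), ("bob-laptop", "edge-1"),
                      ("fin-db", "edge-3")]:
        cp.map_register(eid, edge)
    before = forward(cp, "alice-laptop", "fin-db")
    cp.map_register("fin-db", "edge-7")        # destination moves
    cp.map_register("alice-laptop", "edge-4")  # source roams
    after = forward(cp, "alice-laptop", "fin-db")
    denied = forward(cp, "bob-laptop", "fin-db")
    return before, after, denied, cp.history[-1]
```

After both endpoints move, the lookup returns the new edge node while the permit and deny decisions are unchanged, because the policy is keyed on group membership rather than on location.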