Reinforce MS-900 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For MS-900 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the MS-900 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your MS-900 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real MS-900 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass MS-900.
Sample cards from the MS-900 flashcard bank. Read the question, think of the answer, then read the explanation below.
A marketing team needs to collaboratively create and edit documents in real time, share files securely, and track version history. Which Microsoft 365 service should they primarily use?
SharePoint Online
SharePoint Online is the correct choice because it is designed for team collaboration with real-time co-authoring, granular permission-based file sharing, and built-in version history that tracks every change. Unlike OneDrive, which is optimized for individual file storage and sharing, SharePoint provides a centralized team site where multiple users can simultaneously edit documents and manage versions at the site or library level.
Your organization has 500 users with Microsoft 365 E3 licenses. You want to add security features such as Microsoft Defender for Office 365 (Plan 1) and Microsoft Purview Information Protection. Which licensing approach should you recommend?
Upgrade all users to Microsoft 365 E5
Microsoft 365 E5 includes both Defender for Office 365 (Plan 1) and Purview Information Protection (formerly Azure Information Protection P2) natively, whereas E3 requires separate add-ons. Upgrading all users to E5 is the simplest and most cost-effective licensing approach when both security features are needed for all 500 users, as it avoids the complexity and potential per-user cost of stacking multiple add-on SKUs.
A company is evaluating moving its on-premises infrastructure to a cloud environment. They want a service that provides virtual machines, storage, and networking capabilities while retaining full control over the operating system and applications. Which cloud service model best meets this requirement?
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) provides virtualized computing resources, including virtual machines, storage, and networking, over the internet. The customer retains full administrative control over the operating system, applications, and middleware, while the cloud provider manages the underlying physical hardware. This matches the requirement for full OS and application control.
An organization is concerned about data leakage from sensitive emails. They want to enforce encryption on emails containing financial information automatically. Which Microsoft 365 solution should they configure?
Microsoft Purview Message Encryption
Microsoft Purview Message Encryption (Option B) is the correct solution because it enables organizations to send and receive encrypted email messages, and it can be configured with mail flow rules to automatically encrypt emails containing sensitive financial information. This service leverages Azure Rights Management (Azure RMS) to provide persistent protection that follows the email, ensuring only authorized recipients can decrypt and read the content.
A non-profit organization with 250 employees is considering Microsoft 365. They want the most cost-effective plan that includes business-class email, web and mobile versions of Office apps, and 1 TB of cloud storage per user. Which subscription should they choose?
Microsoft 365 Business Basic
Microsoft 365 Business Basic is the most cost-effective plan that includes business-class email (Exchange Online), web and mobile versions of Office apps, and 1 TB of OneDrive cloud storage per user. It meets all stated requirements without the higher cost of desktop app licenses or advanced security features found in other plans.
Your company uses Microsoft 365 and wants to ensure that when employees share sensitive documents externally, access is automatically revoked after 30 days. Which solution should you use?
Microsoft Entra ID Conditional Access
Microsoft Entra ID (formerly Azure AD) Conditional Access policies can enforce time-based access restrictions for external sharing, such as requiring access to be revoked after 30 days. Option A (Microsoft Intune) is used for mobile device and application management, not for setting access durations. Option B (Microsoft Defender for Cloud Apps) offers cloud app security and session controls but does not directly provide automatic revocation after a fixed period. Option D (Microsoft Information Protection) focuses on classifying and protecting sensitive data with labels, not access expiration.
A company is deploying Microsoft 365 Copilot and wants to ensure that only users with the appropriate sensitivity labels can access Copilot-generated content. What should the administrator configure to enforce this requirement?
Enable auto-labeling for sensitivity labels in Microsoft Purview Information Protection
Option D is correct. Auto-labeling for sensitivity labels in Microsoft Purview Information Protection can automatically apply sensitivity labels based on content classification, and Copilot-generated content will respect these labels, ensuring only authorized users can access it. Option A is wrong because retention labels manage data retention, not access control. Option B is wrong because Conditional Access policies control access to apps and resources but do not automatically label content. Option C is wrong because DLP policies prevent data sharing but do not enforce sensitivity labeling on content.
A compliance-aware administrator is selecting the right Microsoft 365 capability to use Microsoft 365 and another public cloud provider for different workloads. Cloud concept or benefit best matches this requirement?
Multi-cloud
Multi-cloud is the correct answer because the requirement explicitly involves using Microsoft 365 alongside another public cloud provider for different workloads. Multi-cloud refers to the strategy of leveraging services from multiple cloud providers (e.g., Microsoft Azure and AWS) to avoid vendor lock-in, optimize costs, or meet compliance needs. This directly matches the scenario of using Microsoft 365 and another public cloud provider together.
A company currently has Microsoft 365 E3 licenses for all users. They need to retain all Exchange Online mailbox data for 10 years and place legal holds for litigation. Which add-on license provides these retention and eDiscovery capabilities?
Microsoft 365 E5 Compliance
Microsoft 365 E5 Compliance is the correct add-on because it includes advanced eDiscovery (e.g., eDiscovery Premium) and retention capabilities such as Preservation Lock and 10-year retention policies via Microsoft Purview. The base E3 license only provides basic retention and eDiscovery, lacking the extended 10-year retention and litigation hold features required for this scenario.
Your organization has a Microsoft 365 E5 subscription and wants to centrally manage security incidents across identities, endpoints, and cloud apps. Which Microsoft solution provides this capability?
Microsoft Defender XDR
Microsoft Defender XDR (formerly Microsoft 365 Defender) centrally correlates security signals across identities, endpoints, cloud apps, and email to provide a unified incident management experience. Option A (Microsoft Entra ID Protection) focuses only on identity risks. Option B (Microsoft Sentinel) is a SIEM/SOAR solution that ingests logs from many sources but is not the primary tool for cross-domain incident management within Microsoft 365. Option D (Microsoft Defender for Endpoint) is limited to endpoint detection and response. Therefore, option C is the correct answer.
A nonprofit organization with 50 users needs to use Microsoft 365 for email, file storage, and online versions of Office apps. They have a very limited budget. Which Microsoft 365 plan should they consider first?
Microsoft 365 Nonprofit Business Basic
Microsoft 365 Nonprofit Business Basic (Option D) is the correct choice because it provides email (Exchange Online), file storage (OneDrive and SharePoint), and online versions of Office apps (Word, Excel, etc.) at no cost for eligible nonprofit organizations with up to 300 users. This plan is specifically designed for nonprofits with limited budgets, offering the required functionality without the expense of paid plans.
A legal firm must ensure that all documents containing a specific project code are automatically retained for 7 years after the project ends. After the 7-year period, the documents should be permanently deleted. The firm already uses sensitivity labels to classify documents. Which Microsoft Purview solution should they configure?
Microsoft Purview Records Management
Microsoft Purview Records Management is the correct solution because it provides the ability to mark documents as records (or regulatory records) and apply retention labels that enforce a specific retention period—in this case, 7 years after the project ends—followed by automatic deletion. Unlike Data Lifecycle Management, Records Management includes disposition review and the ability to trigger deletion based on an event (e.g., project end date), which aligns with the legal firm's requirement for event-based retention and permanent deletion.
A legal team needs to preserve all data related to a specific user involved in litigation, including Exchange emails, SharePoint documents, OneDrive files, and Teams chats. They require a hold that cannot be removed by the user and must allow for later searching and export. Which Microsoft Purview solution should they use?
eDiscovery (Standard)
eDiscovery (Standard) is the correct solution because it allows legal teams to place a hold on all content relevant to a specific user, including Exchange emails, SharePoint documents, OneDrive files, and Teams chats. This hold is enforced at the service level, preventing the user from deleting or modifying the data, and it preserves the content in its original location for later searching and export via Content Search or eDiscovery export tools.
A company wants to ensure that employees can access corporate email on personal mobile devices without the company being able to wipe the entire device. What should you use?
Microsoft Intune App Protection Policies (APP)
Microsoft Intune App Protection Policies (APP) (option D) protect corporate data at the app level and support selective wipe of only corporate data, without affecting personal data on the device. Option A (MDM) can wipe the entire device, which is not desired. Option B (Conditional Access) controls access but does not provide selective wipe capabilities. Option C (Mobile Application Management - MAM) is essentially the same as APP, making D the correct choice.
An administrator configures the SharePoint Online sharing policy as shown in the exhibit. What is the result of this configuration?
External users and guests from fabrikam.com can access content after accepting an invitation.
Option C is correct. The policy allows external users and guests from fabrikam.com to access content after they accept the sharing invitation. The allowed domain list permits fabrikam.com, and the requirement for invitation acceptance is implied by the non-'Anyone' sharing setting. Option A is wrong because external users must accept an invitation; they are not allowed to access content without accepting. Option B is wrong because external users and guests from fabrikam.com can access, but they must accept an invitation; they are not added manually in this context. Option D is wrong because external sharing is not blocked for all domains except fabrikam.com; rather, sharing is allowed only from fabrikam.com.
Refer to the exhibit. You are reviewing a Microsoft Purview Information Protection policy created by a colleague. The policy is intended to prevent users from sharing files labeled 'Highly Confidential' with external parties. However, users are still able to share these files externally. Which of the following is the most likely reason?
The sensitivity label is not published to the users.
Option A is correct because even if the policy condition checks for the 'Highly Confidential' sensitivity label, the label itself must be published to users for the policy to apply correctly. If the label is not published, users may not have the label available to assign, and the policy may not enforce as intended. Option B is incorrect because the absence of a 'blockAccess' action is not stated; the policy likely already includes a blocking action like 'blockSharing'. Option C is incorrect because setting the action to 'blockAccess' only would not address the root cause—the label being unpublished. Option D is incorrect because checking file extension is not a substitute for sensitivity label; the policy is correctly using label-based conditions.
A healthcare organization must ensure that electronic protected health information (ePHI) in Microsoft 365 is encrypted both at rest and in transit. Which Microsoft 365 feature provides encryption for data in transit?
TLS/SSL encryption
Microsoft 365 uses TLS to encrypt data in transit between clients and Microsoft servers. Option B (TLS/SSL encryption) is correct. Azure Information Protection and Microsoft Purview Information Protection are for data classification and protection policies, not encryption in transit. BitLocker encrypts data at rest.
A company uses Microsoft Purview Communication Compliance to detect inappropriate messages. Which action can an administrator take after reviewing a flagged message?
Resolve the case with a notification to the sender
Option C is correct because Microsoft Purview Communication Compliance provides actions such as 'Resolve with notification' to notify the sender after reviewing a flagged message. Option A is incorrect because retention policies are configured separately and not directly applied from Communication Compliance. Option B is incorrect because while Communication Compliance can feed into DLP policies, it does not create a DLP policy automatically from a single flagged message. Option D is incorrect because message recall is an Exchange Online feature, not a direct action within Communication Compliance.
A non-profit organization with 200 employees needs to equip their staff with Microsoft 365 Business Premium, which includes desktop Office apps, Microsoft Intune, Microsoft Entra ID Premium P1, and Microsoft Defender for Office 365 Plan 1. They are eligible for non-profit pricing. What is the most cost-effective way to obtain these capabilities?
Microsoft 365 Business Premium (non-profit pricing)
Microsoft 365 Business Premium (non-profit pricing) is the most cost-effective option because it bundles all required capabilities—desktop Office apps, Microsoft Intune, Microsoft Entra ID Premium P1, and Microsoft Defender for Office 365 Plan 1—into a single per-user license at a significantly reduced non-profit rate. Purchasing separate add-ons or a higher-tier plan like E3 would incur unnecessary costs without providing additional needed features.
A marketing manager can access the company's cloud resources from her laptop at home, her tablet while traveling, and her smartphone. Which essential characteristic of cloud computing does this describe?
Broad network access
Broad network access means cloud resources can be accessed over standard network protocols (e.g., HTTPS, TLS) from a wide range of client devices, such as laptops, tablets, and smartphones. The scenario explicitly describes access from multiple device types and locations, which is the defining characteristic of broad network access as per NIST SP 800-145.
A security administrator needs to automatically restrict access to documents labeled as 'Highly Confidential' when accessed from devices that are not joined to the domain. The restriction should block editing and printing, and apply encryption. Which combination of Microsoft 365 solutions should the administrator use?
Microsoft Purview Information Protection + Microsoft Entra ID Conditional Access
Option A is correct because Microsoft Purview Information Protection (MIP) allows you to create sensitivity labels that apply encryption, restrict editing, and block printing on documents. Microsoft Entra ID Conditional Access can then enforce that these labels are automatically applied based on device compliance (e.g., devices not joined to the domain). Together, they provide the automated, policy-driven restriction described.
A security administrator needs to audit all activities related to a specific user in Exchange Online, SharePoint Online, and Microsoft Entra ID for the past 90 days. They also need to export the audit log as a CSV file. Which Microsoft Purview solution provides this capability without additional licensing beyond Microsoft 365 E3?
Microsoft Purview Audit (Standard)
Microsoft Purview Audit (Standard) is included with Microsoft 365 E3 and provides the ability to search and export audit logs for user activities across Exchange Online, SharePoint Online, and Microsoft Entra ID for up to 90 days. This meets the administrator's requirement without needing additional licensing.
A compliance administrator needs to block sharing of documents containing credit card numbers. Which Microsoft 365 capability is the best fit?
Data Loss Prevention policies
Data Loss Prevention (DLP) policies in Microsoft 365 are specifically designed to identify, monitor, and automatically protect sensitive information—such as credit card numbers—across Exchange Online, SharePoint, OneDrive, and Teams. By configuring a DLP policy with a built-in sensitive info type for credit card numbers, the administrator can block users from sharing documents containing that data, either by preventing the action or triggering a notification. This directly addresses the compliance requirement to block sharing of documents with credit card numbers.
The MS-900 flashcard bank covers all 5 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Describe Microsoft 365 apps and services
Describe Microsoft 365 pricing, licensing, and support
Describe cloud concepts
Describe security, compliance, privacy, and trust in Microsoft 365
Describe Microsoft 365 pricing and support
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that MS-900 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.MS-900 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective MS-900 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free MS-900 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 985+ original MS-900 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official MS-900 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included