Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SC-100 Design security operations, identity, and compliance capabilities — All Questions With Answers

Complete SC-100 Design security operations, identity, and compliance capabilities question bank — all 0 questions with answers and detailed explanations.

231 questions
Question 1 (easy, multiple choice)

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?

Question 2 (medium, multiple choice)

A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?

Question 3 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?

Question 4 (easy, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

Question 5 (medium, multiple choice)

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?

Question 6 (hard, multiple choice)

Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?

Question 7 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in emails. What should you configure?

Question 8 (medium, multiple choice)

Your organization uses Microsoft Entra ID and needs to ensure that external partners can access only specific applications for 30 days. What should you configure?

Question 9 (hard, multiple choice)

Your organization uses Microsoft Defender XDR for detection and response. You need to create a custom detection rule that alerts when a user performs more than 10 failed sign-ins from different countries within 5 minutes. Which component should you use?

Question 10 (medium, multi select)

Your organization uses Microsoft Purview to classify sensitive data. You need to automatically apply a sensitivity label to documents that contain personally identifiable information (PII). Which TWO components should you configure?

Question 11 (hard, multi select)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a unified security operations platform. Which THREE capabilities should you enable?

Question 12 (hard, multi select)

Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?

Question 13 (easy, multiple choice)

Your organization is implementing a zero-trust security model and needs to ensure that all access to cloud resources is verified in real-time. You plan to use Microsoft Entra ID Conditional Access. Which policy component enforces real-time verification of user identity and device compliance before granting access?

Question 14 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to manage security posture across hybrid workloads. You need to ensure that critical vulnerabilities found on Azure VMs are automatically remediated without manual intervention. Which feature should you enable?

Question 15 (hard, multiple choice)

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. The security team needs a solution that automatically investigates low-fidelity alerts and creates incidents only when confirmed malicious. Which Microsoft Sentinel feature should you configure?

Question 16 (medium, multiple choice)

Your company is deploying Microsoft Intune for mobile device management. You need to ensure that corporate data on personally owned devices is protected without affecting the user's personal data. Which Intune feature should you use?

Question 17 (hard, multiple choice)

Your organization is implementing a data loss prevention (DLP) strategy using Microsoft Purview. The compliance team needs to automatically classify and label sensitive data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Purview feature should you use?

Question 18 (easy, multiple choice)

Your organization uses Microsoft Defender XDR to detect and respond to threats. The SOC team wants to automatically isolate a device when a high-severity incident is confirmed. Which automation feature should you configure?

Question 19 (medium, multiple choice)

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises credentials while gradually moving to cloud-only authentication. Which authentication method should you implement first?

Question 20 (hard, multiple choice)

Your organization uses Microsoft Sentinel as a SIEM. The security team wants to use Microsoft Copilot for Security to assist in incident investigation. You need to ensure that Copilot can access Sentinel data while meeting compliance requirements. Which integration should you configure?

Question 21 (easy, multiple choice)

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. You plan to use Microsoft Entra ID Conditional Access. Which grant control should you configure?

Question 22 (medium, multi select)

Your organization is implementing a privileged access strategy using Microsoft Entra ID. You need to provide just-in-time (JIT) access to Azure resources for administrators. Which TWO features should you use?

Question 23 (hard, multi select)

Your organization is using Microsoft Sentinel to detect advanced threats. You need to ensure that alerts from Microsoft Defender XDR are automatically synchronized with Sentinel and that incidents are created. Which THREE components are required?

Question 24 (easy, multi select)

Your organization uses Microsoft Purview Information Protection to label sensitive emails. You need to ensure that labels are applied automatically based on content. Which THREE methods can you use?

Question 25 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to access email using Outlook (modern auth). What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      },
      "clientAppTypes": ["exchangeActiveSync", "otherClients"]
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 26 (medium, multiple choice)

Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?

Exhibit

```kusto
SecurityEvent
| where EventID == 4625
| summarize FailureCount = count() by Account, IPAddress
| where FailureCount > 10
| project Account, IPAddress, FailureCount
```
Question 27 (easy, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. The security team requires that only HTTPS traffic is allowed and that TLS 1.2 is enforced. Does this template meet the requirements?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-02-01",
      "name": "[parameters('storageName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny"
        }
      }
    }
  ]
}
```
Question 28 (easy, multiple choice)

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). The security team receives an alert for a user who has failed authentication 10 times in 5 minutes. What should you configure to reduce false positives while ensuring legitimate brute-force attacks are still detected?

Question 29 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to assess the security posture of their hybrid environment. They need to ensure that all Azure subscriptions are evaluated against the same set of regulatory compliance standards. What should they configure?

Question 30 (hard, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that corporate data on personally owned devices is removed when a user leaves the company, but personal data remains intact. What should you use?

Question 31 (medium, multiple choice)

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from sharing credit card numbers in email but allow sharing via encrypted email. What should they configure?

Question 32 (easy, multiple choice)

Your organization has Microsoft Entra ID (Azure AD) and uses Privileged Identity Management (PIM). You need to ensure that when a user activates a privileged role, they must provide a reason and a ticket number. What should you configure?

Question 33 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?

Exhibit

```json
{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": []
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 34 (medium, multiple choice)

Refer to the exhibit. You are analyzing a Microsoft Sentinel analytics rule. What does this rule detect?

Exhibit

```json
{
  "properties": {
    "displayName": "Microsoft Sentinel Analytics Rule",
    "query": "SecurityEvent\n| where EventID == 4625\n| summarize Count = count() by Account, bin(TimeGenerated, 5m)\n| where Count > 10",
    "frequency": "PT5M",
    "period": "PT10M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0
  }
}
```
Question 35 (easy, multiple choice)

Refer to the exhibit. You are configuring a Microsoft Purview sensitivity label. When a user applies this label to an email, what happens?

Exhibit

```json
{
  "properties": {
    "displayName": "Sensitivity label: Confidential",
    "encryption": {
      "encryptionEnabled": true,
      "protectWithDoNotForward": true
    }
  }
}
```
Question 36 (hard, multiple choice)

Your organization uses Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. You need to create a custom detection rule that triggers when a user receives a phishing email and then attempts to log in from a new location. Which approach should you use?

Question 37 (medium, multi select)

Which TWO actions should you take to implement a zero-trust identity strategy in Microsoft Entra ID?

Question 38 (hard, multi select)

Which THREE capabilities does Microsoft Purview provide for compliance management?

Question 39 (easy, multi select)

Which TWO configurations are required to enable Microsoft Defender for Cloud Apps to monitor cloud app usage?

Question 40 (hard, multiple choice)

Your organization uses Microsoft Sentinel as a SIEM. You need to reduce the cost of data ingestion while ensuring that security-relevant events are retained. You have identified that Windows Event ID 4624 (successful logon) produces a high volume of logs. What should you do?

Question 41 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with a TPM (Trusted Platform Module) version 2.0 can access corporate resources. What should you configure?

Question 42 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud to manage the security posture of Azure resources. You need to receive alerts when a virtual machine is deployed without just-in-time (JIT) access enabled. What should you do?

Question 43 (easy, multiple choice)

A company uses Microsoft Sentinel for security operations. The security team wants to automatically create an incident in Microsoft Sentinel when Microsoft Defender for Cloud detects a high-severity vulnerability on a virtual machine. What should the security team configure?

Question 44 (medium, multiple choice)

A global organization uses Microsoft Entra ID with Conditional Access policies. They want to enforce multifactor authentication (MFA) for all users accessing sensitive apps from outside the corporate network, but allow access without MFA from trusted IPs. What should they configure?

Question 45 (hard, multiple choice)

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. The query returns a list of users and IP addresses with failed sign-ins due to 'User Account Disabled' (ResultType 50057). The analyst wants to create a scheduled analytics rule that generates an incident when a user exceeds 5 such failures from the same IP in an hour. Which setting is missing from the query to meet the requirement?

Exhibit

KQL query:
```kusto
let threshold = 5;
SigninLogs
| where TimeGenerated >= ago(1h)
| where ResultType == "50057"
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > threshold
```
Question 46 (easy, multiple choice)

A company uses Microsoft Purview to enforce Data Loss Prevention (DLP) policies. They want to prevent users from sharing credit card numbers via email. Which action should they configure in the DLP policy?

Question 47 (medium, multiple choice)

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices compliant with security baselines can access corporate email via Microsoft Outlook. The solution should use existing Microsoft 365 security features. What should they implement?

Question 48 (hard, multiple choice)

Refer to the exhibit. An organization uses Microsoft Entra ID Governance. This access review policy is intended to review guest users created after January 1, 2025. The reviewers are users with job title 'Manager'. However, the review is not starting automatically. What is the most likely cause?

Exhibit

JSON policy snippet:
```json
{
  "policyType": "AccessReview",
  "displayName": "Review guest access",
  "scope": {
    "@odata.type": "#microsoft.graph.accessReviewScope",
    "query": "/users?$filter=userType eq 'Guest' and createdDateTime ge 2025-01-01",
    "queryType": "MicrosoftGraph"
  },
  "reviewers": [
    {
      "query": "/users?$filter=jobTitle eq 'Manager'",
      "queryType": "MicrosoftGraph"
    }
  ],
  "settings": {
    "mailNotificationsEnabled": true,
    "reminderNotificationsEnabled": true,
    "autoReviewEnabled": false,
    "autoApplyReviewEnabled": false,
    "instanceDurationInDays": 30
  }
}
```
Question 49 (easy, multiple choice)

A company wants to monitor and respond to threats across their entire digital estate, including on-premises servers, cloud workloads, and identities. Which Microsoft solution should they use as a central security information and event management (SIEM) and extended detection and response (XDR) platform?

Question 50 (medium, multiple choice)

A company uses Microsoft Defender for Cloud Apps to discover and control cloud apps. They want to receive alerts when a user accesses a sanctioned app from an unusual location. Which feature should they configure?

Question 51 (hard, multiple choice)

Refer to the exhibit. An administrator runs this Microsoft Graph PowerShell command to retrieve an access review policy. The review is set to run quarterly but no recurrence is shown in the output. The review has not started. What is the most likely cause?

Exhibit

PowerShell script output:
```powershell
Get-MgPolicyAccessReview -Filter "displayName eq 'Quarterly Access Review'" | Select-Object -Property Id, DisplayName, Scope, Reviewers, Settings

Id          : 12345678-1234-1234-1234-123456789abc
DisplayName : Quarterly Access Review
Scope       : @{query=/groups; queryType=MicrosoftGraph}
Reviewers   : {@{query=/users/abc123; queryType=MicrosoftGraph}}
Settings    : @{instanceDurationInDays=30; recurrence=; autoReviewEnabled=False; autoApplyReviewEnabled=False}
```
Question 52 (easy, multi select)

A company wants to implement a Zero Trust security model. Which TWO principles are fundamental to Zero Trust? (Choose two.)

Question 53 (medium, multi select)

An organization uses Microsoft Purview to classify and protect sensitive data. Which THREE capabilities can be used to discover sensitive data? (Choose three.)

Question 54 (hard, multi select)

A security operations center (SOC) uses Microsoft Sentinel. They want to automate incident response for common alerts. Which THREE components are required to build an automated response? (Choose three.)

Question 55 (easy, multi select)

A company needs to ensure that only authorized users can access sensitive data in Microsoft SharePoint Online. Which TWO controls can be used? (Choose two.)

Question 56 (medium, multi select)

An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)

Question 57 (hard, multi select)

A company wants to implement hybrid identity with Microsoft Entra ID. Which TWO components are required for password hash synchronization? (Choose two.)

Question 58 (easy, multiple choice)

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents without human intervention. Which feature should you configure?

Question 59 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud Apps and wants to prevent users from uploading sensitive files to personal cloud storage apps. What should you configure?

Question 60 (hard, multiple choice)

Your organization uses Microsoft Purview and needs to automatically apply a retention label to all documents containing personally identifiable information (PII) in SharePoint Online. What should you configure?

Question 61 (easy, multiple choice)

You need to design a solution to synchronize on-premises Active Directory users to Microsoft Entra ID for hybrid identity. Which tool should you use?

Question 62 (medium, multiple choice)

Your organization uses Microsoft Sentinel and wants to correlate security events from multiple sources to detect multi-stage attacks. What should you create?

Question 63 (hard, multiple choice)

Your organization uses Microsoft Intune to manage devices and wants to ensure that only compliant devices can access corporate email. Which conditional access policy setting should you configure?

Question 64 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365 and wants to block malicious links in email messages in real time. Which policy should you configure?

Question 65 (medium, multiple choice)

Your organization uses Microsoft Purview and needs to prevent users from copying sensitive data to USB drives. Which solution should you implement?

Question 66 (hard, multiple choice)

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue by grouping related alerts into incidents. Which configuration should you use?

Question 67 (medium, multiple choice)

Refer to the exhibit. You create this conditional access policy in Microsoft Entra ID. What is the result?

Exhibit

```json
{
  "properties": {
    "displayName": "Block risky sign-ins",
    "conditions": {
      "userRiskLevels": ["medium","high"],
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
}
```
Question 68 (hard, multiple choice)

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the primary purpose?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where Severity == "High"
| summarize AlertCount = count() by AlertName, CompromisedEntity
| where AlertCount > 5
| project AlertName, CompromisedEntity, AlertCount
```
Question 69 (easy, multiple choice)

Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?

Exhibit

```json
{
  "properties": {
    "displayName": "Mark email as spam",
    "conditions": {
      "subjectContains": ["FREE"]
    },
    "actions": {
      "markAsSpam": true
    }
  }
}
```
Question 70 (medium, multi select)

Which TWO of the following are valid methods to protect privileged accounts in Microsoft Entra ID?

Question 71 (hard, multi select)

Which THREE of the following are capabilities of Microsoft Purview Information Protection?

Question 72 (easy, multi select)

Which TWO of the following are components of Microsoft Defender XDR (Extended Detection and Response)?

Question 73 (medium, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that an attacker cannot disable data collection by deleting the diagnostic settings on the Sentinel workspace. What should you configure?

Question 74 (hard, multiple choice)

Your company uses Microsoft Defender for Cloud Apps (MDA). You need to create a policy that automatically suspends a user's access to a cloud app if the user is confirmed as compromised by Microsoft Entra ID Protection. Which policy type should you use?

Question 75 (easy, multiple choice)

You are designing a compliance solution for your organization that must enforce retention policies for documents stored in SharePoint Online. Which Microsoft Purview solution should you use?

Question 76 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. The policy is not blocking any sign-ins even though there are high-risk users. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": [],
      "applications": {
        "includeApplications": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"],
      "operator": "OR"
    }
  }
}
```
Question 77 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?

Question 78 • easy • multiple choice

Your company needs to automatically classify and label sensitive documents in Microsoft 365 based on their content. Which Microsoft Purview solution should you implement?

Question 79 • medium • multiple choice

Refer to the exhibit. You are troubleshooting a KQL query in Microsoft Sentinel that is supposed to return alerts for ransomware detections in the last day. The query returns no results, but you know there were ransomware alerts. What is the most likely cause?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where AlertName == "Malware detected"
| where TimeGenerated > ago(1d)
| extend ThreatFamily = tostring(parse_json(ExtendedProperties).ThreatFamily)
| where ThreatFamily == "Ransomware"
| project TimeGenerated, AlertName, Computer, ThreatFamily
```
Question 80 • hard • multiple choice

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust architecture. You need to ensure that all access requests to internal applications are verified continuously, not just at the initial sign-in. What should you configure?

Question 81 • easy • multiple choice

You need to audit user activities in Microsoft 365, including who accessed a specific file in SharePoint Online. Which Microsoft Purview solution should you use?

Question 82 • medium • multi-select

Which TWO actions should you take to meet a compliance requirement that all emails containing credit card numbers must be encrypted before delivery?

Question 83 • hard • multi-select

Which TWO components are required to enable Microsoft Sentinel to ingest data from Amazon Web Services (AWS) CloudTrail?

Question 84 • medium • multi-select

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps (MDA) when integrated with Microsoft Defender XDR?

Question 85 • hard • multi-select

Which THREE conditions can trigger a Microsoft Entra ID Protection user risk policy to require a password change?

Question 86 • medium • multiple choice

Refer to the exhibit. You run the PowerShell command in Microsoft Entra ID to find compliance roles. You need to assign the Compliance Administrator role to a user. What is the correct parameter to use in the Add-AzureADMSRoleAssignment cmdlet?

Exhibit

Refer to the exhibit.
```powershell
Get-AzureADMSRoleDefinition | Where-Object {$_.DisplayName -like "*Compliance*"} | Select-Object DisplayName, Id

DisplayName                        Id
---------------------------------- ------------------------------------
Compliance Administrator           173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c
Compliance Data Administrator      e9b6a4e1-1c1e-4b1e-9c1e-1e2f1c1e2f1c
```
Question 87 • hard • multiple choice

Refer to the exhibit. You are deploying this Bicep template to enable Microsoft Defender for Cloud's VM protection. After deployment, you notice that Agentless VM scanning is not enabled for existing VMs. What is the most likely reason?

Exhibit

Refer to the exhibit.
```bicep
resource defenderForCloudSettings 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    extensions: [
      {
        name: 'AgentlessVmScanning'
        isEnabled: true
      }
    ]
  }
}
```
Question 88 • easy • multiple choice

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incident investigations are automatically captured for compliance reporting. Which feature should you enable?

Question 89 • medium • multiple choice

A company is implementing a zero-trust security model. They need to enforce conditional access policies that require device compliance from Microsoft Intune. However, some users report being blocked when using personal devices that are not enrolled. What is the best approach to allow access while maintaining security?

Question 90 • hard • multiple choice

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to design a role activation policy that requires approval from a security group for global administrator roles, but allows self-activation for other roles. What is the correct configuration?

Question 91 • easy • multiple choice

Your organization needs to monitor and respond to threats across email, endpoints, and identities. Which Microsoft solution provides a unified incident response experience?

Question 92 • medium • multiple choice

A company uses Microsoft Purview to classify data and enforce retention policies. They need to automatically apply a retention label to all documents containing credit card numbers. Which approach should they use?

Question 93 • hard • multiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that automatically creates an incident in Sentinel when a high-severity alert is generated in Defender for Cloud. What should you configure?

Question 94 • easy • multiple choice

Your organization wants to enforce that all users authenticate using Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary?

Question 95 • medium • multiple choice

A company uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. Which policy type should they implement?

Question 96 • hard • multiple choice

Your organization uses Microsoft Entra ID with external identities. You need to design a solution that allows partners to self-service sign up using their existing Azure AD or Microsoft account credentials, while preventing them from accessing other resources. What should you use?

Question 97 • medium • multi-select

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. Which TWO features can be used to simulate phishing attacks and train users?

Question 98 • hard • multi-select

Your organization uses Microsoft Sentinel and wants to improve threat hunting efficiency. Which THREE actions should you take?

Question 99 • easy • multi-select

Your organization needs to comply with regulatory requirements for data retention and deletion. Which TWO Microsoft Purview features should you use?

Question 100 • medium • multiple choice

The exhibit shows a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| summarize AlertCount = count() by AlertName, bin(TimeGenerated, 1d)
| order by AlertCount desc
```
Question 101 • hard • multiple choice

The exhibit shows a conditional access policy in Microsoft Entra ID. What will be the effect of this policy?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block all apps except Microsoft 365",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"],
        "excludeApplications": ["Office365"]
      },
      "users": {
        "includeUsers": ["All"]
      },
      "clientAppTypes": ["All"]
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 102 • easy • multiple choice

The exhibit shows a conditional access policy from Microsoft Entra ID Identity Protection. When will this policy require MFA?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "policyType": "IdentityProtection",
    "displayName": "MFA for risky sign-ins",
    "conditions": {
      "userRiskLevels": ["medium", "high"],
      "signInRiskLevels": ["high"]
    },
    "grantControls": {
      "builtInControls": ["mfa"]
    }
  }
}
```
Question 103 • medium • multiple choice

A company uses Microsoft Sentinel for security operations. The SOC team needs to automatically respond to a specific type of incident involving a known malicious IP address. They want to create an automated response that blocks the IP at the firewall and creates a Teams notification. Which feature should they use?

Question 104 • hard • multiple choice

A global enterprise uses Microsoft Entra ID with Privileged Identity Management (PIM) and Conditional Access. They need to ensure that all privileged role activations require an approval workflow, and that the approval process is documented for compliance. What configuration should they implement?

Question 105 • easy • multiple choice

A company uses Microsoft Defender for Cloud Apps to discover and control Shadow IT. They want to block the use of a newly discovered unsanctioned app. What should they do?

Question 106 • medium • multiple choice

A company uses Microsoft Defender XDR and wants to ensure that all devices are reporting to the service. They notice that some devices are not appearing in the device inventory. Which log source should they check first to troubleshoot?

Question 107 • hard • multiple choice

An organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot. Which DLP rule condition should they configure?

Question 108 • easy • multiple choice

A company uses Microsoft Sentinel and wants to use a built-in connector to ingest logs from Amazon Web Services (AWS). Which connector should they use?

Question 109 • hard • multiple choice

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is enabled but users who are detected as high risk are still able to sign in. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "state": "enabled",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": ["high"],
      "applications": {
        "includeApplications": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 110 • medium • multiple choice

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

```kusto
SecurityEvent
| where EventID == 4625
| where Account !contains "$"
| summarize FailedLogins = count() by Account, IPAddress, bin(TimeGenerated, 1h)
| where FailedLogins > 10
```
Question 111 • easy • multiple choice

A company uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. They want to integrate MDI alerts into Microsoft Sentinel. Which data connector should they use?

Question 112 • medium • multi-select

A company uses Microsoft Purview to classify and label sensitive data. They want to automatically apply a sensitivity label to documents containing a specific custom sensitive information type. Which TWO components are required for this?

Question 113 • hard • multi-select

A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?

Question 114 • easy • multi-select

A company uses Microsoft Sentinel as its SIEM. They want to minimize storage costs for verbose logs that are rarely accessed but must be retained for one year for compliance. Which TWO actions should they take?

Question 115 • medium • multi-select

A company uses Microsoft Purview Data Lifecycle Management. They need to retain financial records for 7 years and then delete them. Which TWO actions should they configure?

Question 116 • hard • multi-select

A company uses Microsoft Defender for Cloud to secure multicloud environments. They want to assess compliance with SOC 2. Which THREE steps should they take?

Question 117 • medium • multiple choice

A company uses Microsoft Intune and wants to ensure that devices are compliant before accessing corporate resources. They create a Conditional Access policy that requires devices to be marked as compliant. However, some users report that they are blocked even though their device shows as compliant in Intune. What is the most likely cause?

Question 118 • medium • multiple choice

Your company uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed ransomware incident by isolating affected devices and blocking malicious IPs. What should you use?

Question 119 • easy • multiple choice

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?

Question 120 • hard • multiple choice

Your organization is implementing a zero-trust security model. You need to design a solution that continuously verifies user identity, device compliance, and access context before granting access to corporate resources. The solution should also support risk-based policies. Which Microsoft security capability should be at the core of this design?

Question 121 • medium • multiple choice

Your organization uses Microsoft Purview to govern sensitive data. You need to design a solution that automatically detects and protects credit card numbers in emails and documents stored in Microsoft 365. The solution should also provide data loss prevention (DLP) policy tips to users when they try to share such data externally. What should you configure?

Question 122 • hard • multiple choice

Your company is deploying a new line-of-business application in Azure that must comply with PCI DSS. The application uses Azure SQL Database. You need to design a solution to encrypt sensitive data at rest and in transit, and to audit access to sensitive columns. Which combination of Microsoft security capabilities should you recommend?

Question 123 • easy • multiple choice

Your organization wants to use Microsoft Defender XDR to automatically investigate and respond to alerts. You need to ensure that the solution can autonomously remediate confirmed threats on endpoints, such as quarantining files and isolating devices. What should you enable?

Question 124 • hard • multiple choice

Your organization uses Microsoft Sentinel as its SIEM. You receive a large number of low-severity alerts from various sources, overwhelming the security operations team. You need to design a solution to reduce alert fatigue while ensuring that critical incidents are not missed. The solution should also automatically collect feedback from analysts when they close an incident. What should you implement?

Question 125 • medium • multiple choice

Your company uses Microsoft Intune to manage corporate devices. You need to design a compliance policy that requires devices to have a minimum OS version, be encrypted, and not be jailbroken or rooted. Additionally, you want to automatically block non-compliant devices from accessing corporate email. What should you configure?

Question 126 • easy • multiple choice

Your organization is required to retain all Microsoft Teams chat messages for 7 years due to regulatory compliance. You need to design a solution that automatically retains these messages and, if needed, allows eDiscovery searches of them. What should you configure?

Question 127 • medium • multi-select

Your organization is designing a privileged access strategy using Microsoft Entra ID. Which TWO configurations should be part of the design to protect privileged accounts?

Question 128 • hard • multi-select

Your company is deploying Microsoft Defender XDR. You need to design a solution that uses advanced hunting to proactively search for threats. Which THREE data sources should be included in the advanced hunting schema to enable comprehensive threat hunting across endpoints, identities, and cloud apps?

Question 129 • easy • multi-select

Your organization needs to comply with GDPR. You need to design a data protection strategy using Microsoft Purview. Which THREE capabilities should you include?

Question 130 • hard • multiple choice

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud automation resource. You want the automation to trigger a playbook in Microsoft Sentinel when a high-severity security assessment is found. Based on the exhibit, what is the missing configuration?

Exhibit

```json
{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2021-01-01-preview",
  "properties": {
    "description": "Automation to isolate compromised devices",
    "sources": [
      {
        "eventSource": "Assessments",
        "ruleSets": [
          {
            "rules": [
              {
                "propertyJPath": "properties.metadata.severity",
                "operator": "Equals",
                "expectedValue": "High"
              }
            ]
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "EventHub",
        "actionConfiguration": {
          "eventHubResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.EventHub/namespaces/.../eventhubs/...",
          "connectionString": "..."
        }
      }
    ]
  }
}
```
Question 131 • medium • multiple choice

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR advanced hunting. The query is intended to identify the top 10 devices by the number of executable process creations in the last 7 days. However, the results are showing only a few entries with low counts. What is the most likely issue?

Exhibit

KQL query:
```kusto
let TimeRange = 7d;
DeviceEvents
| where Timestamp > ago(TimeRange)
| where ActionType == "ProcessCreate"
| where FileName endswith ".exe"
| summarize Count = count() by bin(Timestamp, 1h), DeviceName
| order by Count desc
| take 10
```
Question 132 • easy • multiple choice

Refer to the exhibit. You are reviewing an Azure Policy definition for GDPR compliance. The policy is intended to audit storage accounts that do not have encryption enabled. However, the policy is not evaluating correctly. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "GDPR Compliance Policy",
    "description": "Ensure resources meet GDPR requirements",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Storage/storageAccounts/...",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/encryption",
            "exists": "true"
          }
        }
      }
    }
  }
}
```
Question 133 • medium • multiple choice

Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?

Question 134 • hard • multiple choice

A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?

Question 135 • easy • multiple choice

Your organization uses Microsoft Intune for mobile device management. Employees report they cannot access corporate email on their personal iOS devices. The helpdesk confirms devices are enrolled and compliant. What should you check first?

Question 136 • hard • multiple choice

A multinational company uses Microsoft Purview for data governance. They need to automatically classify sensitive data in Microsoft 365 and apply retention labels. The solution must use pattern-based detection for credit card numbers and support custom keywords. What should they configure?

Question 137 • easy • multiple choice

You need to design a security operations strategy for a hybrid environment using Microsoft Sentinel. Your environment includes on-premises servers and Azure VMs. Which data connector should you use to collect security events from both sources?

Question 138 • medium • multiple choice

Your organization uses Microsoft Defender for Endpoint (MDE) and wants to implement automated investigation and response (AIR) for ransomware. You need to ensure that when a suspicious file is detected, the investigation is automatically started and the file is contained. What should you configure?

Question 139 • hard • multiple choice

A company uses Microsoft Entra ID with P2 licenses and wants to implement a zero-trust identity security model. They need to require multi-factor authentication (MFA) for all external users accessing internal applications. The solution should not require external users to have Entra ID licenses. What should you configure?

Question 140 • easy • multiple choice

You are designing an incident response plan for a company using Microsoft Defender XDR. The team needs to automatically notify the SOC via email when an incident of high severity is created. What should you use?

Question 141 • medium • multiple choice

Your organization uses Microsoft Purview Information Protection to label sensitive documents. You need to ensure that documents containing personally identifiable information (PII) are automatically labeled when saved in SharePoint Online. What should you configure?

Question 142 • medium • multi-select

Which TWO actions should you take to implement a least-privilege identity security model using Microsoft Entra ID? (Choose two.)

Question 143 • hard • multi-select

Your company uses Microsoft Sentinel to manage security incidents. You need to design a solution that automatically triages low-severity incidents and enriches them with threat intelligence. Which THREE capabilities would you include? (Choose three.)

Question 144 • easy • multi-select

Which THREE are valid methods to secure privileged access in Microsoft Entra ID? (Choose three.)

Question 145 • medium • multi-select

You need to design a compliance solution using Microsoft Purview that automatically detects and protects credit card numbers in emails and documents. Which TWO features should you include? (Choose two.)

Question 146 • hard • multi-select

A company wants to automate incident response in Microsoft 365 Defender. Which THREE actions can be automated using automated investigation and response (AIR) capabilities? (Choose three.)

Question 147 • hard • multiple choice

You are analyzing a custom detection rule in Microsoft 365 Defender. Based on the exhibit, what is a potential operational issue with this rule?

Exhibit

Refer to the exhibit.

```json
{
    "alertRuleTemplate": "Suspicious process execution",
    "displayName": "Custom Rule - Suspicious PowerShell",
    "description": "Detects suspicious PowerShell commands",
    "query": "DeviceProcessEvents | where FileName in~ ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('-EncodedCommand', '-e ', 'Invoke-Expression')",
    "severity": "High",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5
}
```
Question 148 • easy • multiple choice

Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?

Question 149 • medium • multiple choice

A company is implementing Microsoft Purview Compliance Manager to manage compliance activities. They need to assign a specific control action to a compliance officer. Which role should be assigned to the user in Purview Compliance Manager?

Question 150 • hard • multi-select

Your organization uses Microsoft Intune for mobile device management. You need to configure a compliance policy for iOS devices that requires the device to be jailbreak-detected and have a minimum OS version. Which two settings should you configure in the compliance policy? (Choose two.)

Question 151 • medium • multiple choice

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for ransomware attacks. Which action should you take?

Question 152 • easy • multiple choice

You are designing identity security for a hybrid organization using Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. What is the recommended approach?

Question 153 • medium • multiple choice

Your organization uses Microsoft Purview to protect sensitive data. You need to create a sensitivity label that automatically encrypts documents containing credit card numbers when they are shared externally. Which configuration should you use?

Question 154 • hard • multiple choice

Your organization has Microsoft Sentinel. You need to create an analytics rule that detects when a user account is created outside of business hours (9 AM to 5 PM, Monday-Friday). Which KQL query should you use as the rule query?

Question 155 • easy • multiple choice

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should you use?

Question 156 (medium, multi select)

Your organization is deploying Microsoft Defender for Cloud Apps. Which THREE capabilities are included in Defender for Cloud Apps? (Select three.)

Question 157 (hard, multi select)

Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)

Question 158 (easy, multi select)

Your organization is implementing Microsoft Entra ID governance. Which TWO features are part of Microsoft Entra ID Governance? (Select two.)

Question 159 (medium, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that incident investigations automatically enrich alerts with relevant user and device information from Microsoft Defender XDR and Microsoft Entra ID. What should you configure?

Question 160 (easy, multiple choice)

Your company uses Microsoft Purview to protect sensitive data. You need to automatically apply a retention label to documents containing credit card numbers detected in SharePoint Online. What should you configure?

Question 161 (hard, multiple choice)

You are designing a security operations solution for a multinational organization using Microsoft Sentinel. The organization has multiple Azure subscriptions, each with its own Log Analytics workspace. You need to centralize incident management while minimizing data egress costs. What should you recommend?

Question 162 (medium, multiple choice)

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users can access corporate email on their personal iOS devices only if the device is enrolled in Intune and compliant with security policies. What should you configure?

Question 163 (easy, multiple choice)

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use the same passwords for both on-premises and cloud resources without having to change them. What should you implement?

Question 164 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block data exfiltration from sanctioned cloud apps to personal devices. What should you configure?

Question 165 (medium, multiple choice)

Your organization uses Microsoft Purview to manage data governance. You need to create a unified data catalog that automatically classifies and labels data across Azure SQL Database, Amazon S3, and on-premises SQL Server. What should you configure?

Question 166 (easy, multiple choice)

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the Azure portal. What is the simplest way to configure this?

Question 167 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to automatically create incidents in Sentinel for high-severity alerts from Defender XDR. You also want to suppress low-severity alerts to reduce noise. What should you configure?

Question 168 (medium, multi select)

Your organization uses Microsoft 365 and wants to protect against phishing attacks. Which TWO configurations should you recommend?

Question 169 (hard, multi select)

Your organization is implementing Microsoft Entra ID governance. Which THREE capabilities should you include to manage the identity lifecycle and access reviews?

Question 170 (medium, multi select)

Your organization uses Microsoft Purview to comply with regulatory requirements. Which TWO features should you use to manage data retention and deletion?

Question 171 (medium, multiple choice)

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. What does this policy accomplish?

Exhibit

{
  "properties": {
    "displayName": "Block high-risk sign-ins",
    "state": "enabled",
    "conditions": {
      "signInRiskLevels": ["high"],
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"],
      "operator": "OR"
    }
  }
}

Question 172 (hard, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

Exhibit

SecurityAlert
| where AlertName == "Mimikatz detected"
| extend CompromisedEntity = tostring(CompromisedEntity)
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(7d)
    | project AccountUPN, AccountName
) on $left.CompromisedEntity == $right.AccountUPN
| project AlertName, AccountName, TimeGenerated

Question 173 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Microsoft Purview Data Map resource pattern for scanning. What is this pattern intended to do?

Exhibit

resource-graph {
  pattern: "*.onmicrosoft.com"
  locations: ["Global", "USGov"]
  sensitivity-labels: ["Confidential", "Highly Confidential"]
}

Question 174 (medium, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents related to a specific critical asset are automatically assigned to the senior SOC analyst. The assignment should occur as soon as the incident is created. What should you configure?

Question 175 (hard, multiple choice)

Your company uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to generate a report that shows the percentage of controls that are not yet implemented for the PCI DSS standard. What should you do?

Question 176 (easy, multiple choice)

You are designing a security operations strategy for a multinational organization. The SOC team needs to correlate alerts from multiple sources including Microsoft Defender for Cloud, Microsoft Sentinel, and third-party firewalls. Which solution should you use as the primary platform for correlation?

Question 177 (medium, multiple choice)

Your organization uses Microsoft Entra ID. You need to ensure that when a user's risk level is assessed as high by Identity Protection, the user is automatically blocked from signing in. The block should apply immediately. What should you configure?

Question 178 (hard, multiple choice)

Refer to the exhibit. You have deployed the automation shown in the exhibit in Microsoft Defender for Cloud. The automation triggers a Logic App when a high-severity alert is generated. Users report that the Logic App is not being triggered for some high-severity alerts. What is the most likely cause?

Exhibit

{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2023-01-01-preview",
  "properties": {
    "description": "Automation for high severity incidents",
    "actions": [
      {
        "type": "LogicApp",
        "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/CloseIncident"
      }
    ],
    "sources": [
      {
        "eventSource": "Alerts"
      }
    ],
    "triggers": [
      {
        "name": "HighSeverity",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ]
  }
}

Question 179 (easy, multiple choice)

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email. What should you configure?

Question 180 (medium, multiple choice)

Your company uses Microsoft 365 Copilot for Security. You need to ensure that only users in the 'SecurityAnalysts' group can access the Copilot for Security portal. All other users should not see the portal in their Microsoft 365 app launcher. What should you configure?

Question 181 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You need to create an analytics rule that generates an incident when a user is reported as compromised by Microsoft Defender for Identity. The rule should use the most efficient method to get this data. What should you use as the data source?

Question 182 (easy, multiple choice)

Your company uses Microsoft Purview Data Loss Prevention (DLP). You need to ensure that credit card numbers are not shared externally via email. What should you configure?

Question 183 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to identify users who are downloading large amounts of data from a sanctioned cloud app in a short period. What should you configure?

Question 184 (medium, multi select)

Which TWO actions should you take to implement a Zero Trust security strategy for identity and access? (Choose two.)

Question 185 (hard, multi select)

Which THREE capabilities are part of Microsoft Purview's insider risk management solution? (Choose three.)

Question 186 (medium, multi select)

Which THREE are valid sources for ingesting data into Microsoft Sentinel? (Choose three.)

Question 187 (hard, multiple choice)

You are a security architect for a global financial services company. The company is adopting Microsoft Sentinel as its primary SIEM and Microsoft Defender XDR for endpoint, email, and identity protection. The company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. The SOC team needs to be able to investigate incidents that involve lateral movement between on-premises and cloud resources. Additionally, the company must comply with GDPR, requiring that personal data be protected and that data residency requirements are met: all security logs for EU users must remain within the EU. The company already has a Microsoft Sentinel workspace in the West Europe region. You need to design a solution that meets these requirements while minimizing administrative overhead. What should you do?

Question 188 (medium, multiple choice)

Your organization uses Microsoft Intune for mobile device management and Microsoft Entra ID for identity. You are designing a solution to ensure that only devices that are compliant with security policies can access corporate resources. The requirements are: 1) Devices must have a minimum OS version. 2) Devices must have encryption enabled. 3) Devices must not be jailbroken or rooted. 4) Access to corporate apps must be blocked if the device is non-compliant. 5) The solution should automatically remediate non-compliant devices when possible. You need to recommend the minimum configuration. What should you do?

Question 189 (easy, multiple choice)

Your company uses Microsoft 365 E5 licenses and has deployed Microsoft Defender for Office 365. The security team wants to be alerted when a user reports a phishing email using the built-in report message button in Outlook. The alert should be sent to the security team's email address. You need to configure this in the Microsoft 365 Defender portal. What should you do?

Question 190 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?

Question 191 (hard, multi select)

Your organization uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to design a solution that automatically applies a 'Confidential' sensitivity label to documents that contain credit card numbers and are shared externally. The solution should also generate an alert when this occurs. Which two configurations should you implement? (Choose TWO.)

Question 192 (hard, multiple choice)

Your organization uses Microsoft Sentinel. You need to design a solution to detect and automatically respond to a potential brute-force attack against an on-premises application that is published via Azure AD Application Proxy. The solution should block the attacker's IP address in Azure AD Conditional Access for one hour after detecting more than 10 failed login attempts within 5 minutes. What should you implement?

Question 193 (easy, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to design a compliance policy that requires devices to have a minimum OS version and be encrypted. Which policy type should you use?

Question 194 (medium, multiple choice)

Refer to the exhibit. You receive an alert from Microsoft Defender for Cloud Apps. You need to investigate this alert in Microsoft Sentinel. Which Microsoft Sentinel feature should you use to visualize the relationship between the user account and the IP address?

Exhibit

{
  "alert": {
    "title": "Suspicious sign-in activity",
    "severity": "Medium",
    "description": "User 'jdoe@contoso.com' signed in from an anonymous IP address (111.222.333.444) using a new browser.",
    "source": "Microsoft Defender for Cloud Apps",
    "entities": [
      {"type": "account", "name": "jdoe@contoso.com"},
      {"type": "ip", "address": "111.222.333.444"}
    ]
  }
}

Question 195 (hard, multiple choice)

Your organization plans to use Microsoft Sentinel and Microsoft Defender XDR to manage security incidents. You need to design a solution that ensures all Defender for Cloud Apps alerts are automatically synchronized to Microsoft Sentinel as incidents with the least administrative effort. What should you configure?

Question 196 (medium, multiple choice)

Your organization uses Microsoft Purview to manage data governance. You need to design a solution that allows data owners to classify sensitive data in their Microsoft SharePoint Online sites and generate a data catalog. Which Purview tool should you use?

Question 197 (easy, multiple choice)

Your organization needs to meet regulatory requirements that mandate keeping security audit logs for at least seven years. Which Microsoft Sentinel feature should you configure to comply with this requirement?

Question 198 (hard, multi select)

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows corporate users to access a sensitive internal application only from managed devices that are compliant with company security policies. The solution should block access from personal devices. Which two components should you use? (Choose TWO.)

Question 199 (medium, multiple choice)

Your organization uses Microsoft Purview. You need to design a solution that automatically detects and classifies sensitive data such as passport numbers stored in Microsoft OneDrive. The solution should apply a 'Highly Confidential' sensitivity label without user intervention. What should you configure?

Question 200 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to a detected ransomware incident by isolating the affected device in Microsoft Defender for Endpoint. Which tool should you use to create the automated response?

Question 201 (medium, multiple choice)

Your organization uses Microsoft Entra ID. You need to design a solution that requires users to perform multifactor authentication when accessing a critical application from an untrusted network. The solution should not require additional licensing beyond Microsoft Entra ID P1. What should you use?

Question 202 (hard, multi select)

Your organization uses Microsoft Purview and Microsoft Sentinel. You need to design a solution that alerts the security team when a user tries to share a file labeled 'Highly Confidential' with an external email address. The alert should include the file name, user, and external recipient. Which two components should you use? (Choose TWO.)

Question 203 (medium, multiple choice)

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that automatically remediates non-compliant devices by running a remediation script. Which Intune component should you use?

Question 204 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that collects security events from Azure virtual machines and sends them to Microsoft Sentinel. The solution must minimize cost and management overhead. Which data connector should you use?

Question 205 (medium, multi select)

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows only hybrid Azure AD joined devices to access a sensitive application. The solution must also require that the device is compliant with company policies. Which two components should you configure? (Choose TWO.)

Question 206 (hard, multi select)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that investigates and responds to a ransomware incident. Which three actions should you take? (Choose THREE.)

Question 207 (easy, multi select)

Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)

Question 208 (hard, multiple choice)

You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?

Question 209 (medium, multiple choice)

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that ensures all Windows 10 devices are running the latest security updates and have real-time protection enabled. If a device is non-compliant, it should be blocked from accessing corporate resources. You have already created a Conditional Access policy that requires compliant devices. You need to configure the compliance requirements and automatic remediation. What should you do?

Question 210 (easy, multiple choice)

Your organization uses Microsoft Purview to manage data governance. The compliance team needs to be able to search for and investigate whether any sensitive data (e.g., credit card numbers) is stored in Microsoft Teams messages. They also need to place a legal hold on specific users' Teams messages for eDiscovery. You need to design the solution. What should you configure?

Question 211 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. You need to design a solution that centralizes security alerts and automates remediation across all clouds. Which security operations capability should you prioritize?

Question 212 (hard, multiple choice)

Your organization is planning to use Microsoft Entra ID for identity management. You need to design a solution that enforces conditional access policies for sensitive applications while minimizing user friction. The solution must support offline access for mobile devices and require step-up authentication only when accessing high-risk data. What should you recommend?

Question 213 (easy, multiple choice)

Your organization has a Microsoft 365 E5 subscription and wants to detect insider data exfiltration attempts. You need to design a solution that can identify users copying sensitive data to personal cloud storage services. Which Microsoft Purview capability should you use?

Question 214 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy appears to block all legacy authentication. However, some users report that they can still access Exchange Online using Outlook 2010 (which uses basic authentication). What is the most likely reason the policy is not blocking these connections?

Exhibit

{
  "properties": {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "otherClients"],
      "signInRiskLevels": [],
      "userRiskLevels": []
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}

Question 215 (hard, multiple choice)

Your organization uses Microsoft Sentinel as a SIEM. You need to design a solution to detect advanced persistent threats (APTs) by correlating data from multiple sources, including network logs, endpoint data, and threat intelligence feeds. The solution must use machine learning to identify anomalies and reduce false positives. Which analytics rule type should you configure?

Question 216 (medium, multi select)

Your organization is implementing Microsoft Entra ID Governance. You need to design a solution that automates user access reviews for cloud applications. Which TWO capabilities should you include?

Question 217 (hard, multi select)

Your organization uses Microsoft 365 and wants to implement a data loss prevention (DLP) strategy. You need to ensure that sensitive data is protected both at rest and in transit, and that incidents are automatically reported to the security team. Which THREE actions should you take?

Question 218 (easy, multi select)

Your organization needs to meet compliance requirements for GDPR. You need to design a solution that uses Microsoft Purview to classify and protect personal data. Which TWO capabilities should you include?

Question 219 (medium, multi select)

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to design a solution that automates incident response for critical security alerts. Which THREE components should you include?

Question 220 (hard, multi select)

Your organization is designing a Zero Trust architecture using Microsoft 365 security features. You need to ensure that all access requests are verified and least-privilege principles are applied. Which TWO capabilities should you implement?

Question 221 (hard, multiple choice)

You are a security architect for a global financial services company that uses Microsoft 365 E5 and Azure. The company has 50,000 users across 10 regions. The security team needs to detect and respond to identity-based threats in real-time, automate remediation for compromised accounts, and meet regulatory requirements for audit logging. The following requirements must be met: (1) Detect risky sign-ins and user anomalies, (2) Automatically block sign-ins when risk level is high, (3) Provide a centralized dashboard for security analysts to investigate incidents, (4) Retain logs for at least one year for compliance, (5) Minimize false positives by using machine learning. You have the following services available: Microsoft Entra ID P2, Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Purview, and Microsoft Intune. Which combination of services should you use to meet all requirements?

Question 222 (medium, multiple choice)

Your organization is a large healthcare provider that uses Microsoft 365 and Azure. You need to design a compliance solution that meets HIPAA requirements. The solution must automatically classify and protect electronic protected health information (ePHI) in Exchange Online, SharePoint Online, and OneDrive for Business. It must also provide reports on data access and sharing activities for auditors. The following requirements must be met: (1) Detect ePHI using built-in sensitive info types, (2) Apply encryption automatically to emails containing ePHI, (3) Prevent unauthorized sharing of ePHI in SharePoint, (4) Generate activity reports for auditors, (5) Use machine learning to improve classification accuracy. Which Microsoft Purview capabilities should you use?

Question 223 (easy, multiple choice)

Your organization is a small business with 200 users using Microsoft 365 Business Premium. You need to secure user identities against common attacks like phishing and password spray. The solution must be easy to deploy and manage with minimal overhead. Requirements: (1) Enable multi-factor authentication (MFA) for all users, (2) Block legacy authentication protocols, (3) Detect and block risky sign-ins, (4) Provide security recommendations to users, (5) Integrate with Microsoft Defender for Office 365 for email protection. Which Microsoft security service should you primarily use?

Question 224 (hard, multiple choice)

Your organization is a multi-national corporation that uses Microsoft 365 E5 and Azure. You need to design a security operations center (SOC) to detect and respond to threats across identities, endpoints, and cloud apps. The SOC team will use a single pane of glass for incident management. Requirements: (1) Centralize alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, (2) Automate incident response playbooks, (3) Use advanced hunting across all data sources, (4) Integrate with external threat intelligence feeds, (5) Provide role-based access control for SOC analysts. Which Microsoft solution should you implement?

Question 225 (medium, multiple choice)

Your organization uses Microsoft Entra ID for identity management and wants to implement a least-privilege access model for administrators. You need to reduce standing privileges and ensure that admin roles are activated only when needed with approval workflow. Requirements: (1) Require approval for activation of Global Administrator role, (2) Set activation duration to 4 hours maximum, (3) Require Azure MFA for activation, (4) Receive notifications when roles are activated, (5) Audit all activations for compliance. Which Microsoft Entra ID capability should you use?

Question 226 (easy, multiple choice)
Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents are automatically assigned to the appropriate analyst team based on the type of threat. What should you configure?

Question 227 (medium, multiple choice)
Your company uses Microsoft Entra ID. You need to implement a policy that requires all guest users to complete a terms-of-use acceptance before accessing applications. Which two components must be configured?

Question 228 (hard, multiple choice)
Your organization uses Microsoft Defender for Cloud to secure multi-cloud resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources without manual intervention. What should you configure?

Question 229 (medium, multiple choice)
Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled but users report they can still sign in from high-risk sessions. What is the most likely reason?

Exhibit

{
  "properties": {
    "displayName": "Block high-risk sign-ins for external users",
    "state": "enabled",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": ["high"],
      "clientAppTypes": ["all"],
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": [],
        "includeRoles": [],
        "excludeRoles": [],
        "includeGuestsOrExternalUsers": ["All"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
}

Question 230 (hard, multiple choice)
Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has deployed Microsoft Sentinel in Azure. The security operations center (SOC) receives thousands of alerts daily from Microsoft Defender for Cloud, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. The SOC team is overwhelmed and needs to prioritize incidents effectively. You need to design a solution that uses Microsoft Sentinel to automatically classify incidents as true positive, false positive, or benign positive based on threat intelligence and analytics. Additionally, the solution should automatically close low-confidence false positive incidents after 24 hours if no analyst interaction occurs. You must minimize manual effort and ensure that critical incidents are escalated immediately. What should you do?

Question 231 (medium, multiple choice)
Your organization, Fabrikam Inc., uses Microsoft Intune for device management and Microsoft Entra ID for identity. You need to design a solution to ensure that only compliant and healthy devices can access corporate resources. The solution must require that devices are either enrolled in Intune and compliant, or joined to Azure AD with a health attestation. Additionally, you need to block access from devices that are rooted or jailbroken. You have the following requirements: 1) Enforce conditional access policies to check device compliance and health. 2) Use Microsoft Defender for Endpoint integration for device health signals. 3) Provide a fallback option for unmanaged devices to access only web apps via browser with app protection policies. Which combination of actions should you take?
