Microsoft 365 Administrator MS-102 (MS-102) — Questions 175

975 questions total · 13 pages · All types, answers revealed

Page 1 of 13

1
MCQ · easy

An administrator adds the custom domain 'contoso.com' to a new Microsoft 365 tenant and needs to verify domain ownership. Which type of DNS record must be added to the public DNS zone to complete verification?

A. MX record
B. TXT record
C. CNAME record
D. record
Answer: B

A TXT record with a unique verification string from Microsoft is the standard method to prove domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record with a specific verification string provided by the Microsoft 365 admin center to the public DNS zone. The TXT record is used because it can store arbitrary text data, which the Microsoft 365 domain verification service queries to confirm that you control the domain. This is the standard method defined in RFC 1035 for domain ownership verification.

Exam trap

The trap here is that candidates often confuse the TXT record used for domain verification with other DNS records like MX or CNAME, which are used for different purposes (mail routing or service aliasing) in Microsoft 365 configuration, but only the TXT record is required for the initial ownership proof.

How to eliminate wrong answers

Option A is wrong because an MX record is used for mail routing (specifying mail exchange servers), not for domain ownership verification; it does not carry the required verification token. Option C is wrong because a CNAME record is used to alias one domain name to another (canonical name mapping), and while it can be used for some Microsoft 365 services like autodiscover, it is not the record type used for initial domain ownership verification. Option D is wrong because 'record' is an incomplete and non-specific DNS record type; the actual required record is a TXT record, and a generic 'record' does not exist in DNS standards.

2
MCQ · medium

A company uses Azure AD Identity Protection. The security administrator wants to block user sign-ins when the sign-in risk level is detected as 'High' for a custom SaaS application. Which Conditional Access policy configuration should the administrator use?

A. Create a Conditional Access policy with a grant control to require MFA when sign-in risk is high
B. Create a Conditional Access policy set to block access when sign-in risk is high
C. Configure a session control in Conditional Access to sign out users when risk is high
D. Enable Identity Protection risk policy to automatically block users
Answer: B

This directly blocks sign-ins with high risk, as required.

Why this answer

Option B is correct because the requirement is to block sign-ins when the sign-in risk level is 'High' for a custom SaaS application. In Microsoft Entra ID (formerly Azure AD), a Conditional Access policy can be configured with a 'Block access' grant control, which directly denies authentication when the specified condition (sign-in risk level equals High) is met. This is the most straightforward and secure approach to prevent access without relying on additional authentication factors or session controls.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies with Conditional Access policies, or mistakenly think that requiring MFA is equivalent to blocking access when the requirement explicitly states 'block user sign-ins.'

How to eliminate wrong answers

Option A is wrong because requiring MFA when sign-in risk is high does not block access; it allows access after successful MFA, which does not meet the requirement to block sign-ins. Option C is wrong because session controls, such as 'Sign out users when risk is high,' apply after authentication has already occurred and do not prevent the initial sign-in; they manage active sessions but do not block the authentication request itself. Option D is wrong because Identity Protection risk policies (user risk or sign-in risk policies) are separate from Conditional Access and can automatically block users, but the question specifically asks for a Conditional Access policy configuration, making this option incorrect in context.

3
Multi-Select · hard

You are deploying Microsoft Entra ID Governance. Which THREE capabilities should you include to meet compliance requirements for access recertification and lifecycle management?

Select 3 answers
A. Identity Protection
B. Access Reviews
C. B2B Collaboration
D. Lifecycle Workflows
E. Entitlement Management
Answers: B, D, E

Access Reviews allow periodic recertification of access.

Why this answer

Access Reviews (B) are a core capability of Microsoft Entra ID Governance that directly enables compliance-driven access recertification. They allow administrators to create recurring reviews of group memberships, application assignments, and privileged roles, ensuring that only authorized users retain access. This satisfies regulatory requirements like SOX, GDPR, or HIPAA by providing attestation workflows and audit trails.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access with governance recertification, or assume B2B Collaboration covers lifecycle management, when in fact only Access Reviews, Lifecycle Workflows, and Entitlement Management directly address compliance-driven access recertification and lifecycle automation.

4
MCQ · easy

A compliance officer needs to ensure that all documents in a SharePoint Online library are automatically labeled with a 'Confidential' sensitivity label if they contain at least one of a predefined list of sensitive information types such as credit card numbers or social security numbers. Users should be able to override the label with a business justification. Which Microsoft Purview feature should the officer configure?

A. Auto-labeling policy for SharePoint Online
B. Data Loss Prevention (DLP) policy
C. Retention label policy
D. Sensitivity label with manual classification
Answer: A

Auto-labeling policies automatically apply sensitivity labels based on conditions like sensitive info types, and allow override with justification.

Why this answer

Auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels to documents in SharePoint Online based on the detection of sensitive information types (e.g., credit card numbers, SSNs). This policy supports user override with a business justification, meeting the compliance officer's requirement exactly. Manual classification (Option D) would not automate the labeling, and DLP policies (Option B) focus on preventing data loss, not applying sensitivity labels.

Exam trap

Microsoft often tests the distinction between auto-labeling policies (which apply sensitivity labels automatically) and DLP policies (which enforce actions like blocking or alerting), causing candidates to confuse the two because both can detect sensitive information types.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) policies are designed to detect and block the sharing of sensitive data, not to automatically apply sensitivity labels to documents; they can trigger alerts or block actions but do not label content. Option C is wrong because retention label policies manage how long content is kept or deleted, not sensitivity classification; they are unrelated to labeling based on sensitive information types. Option D is wrong because a sensitivity label with manual classification requires users to manually apply the label, which does not satisfy the requirement for automatic labeling based on content detection.

5
MCQ · hard

An organization uses Microsoft Entra ID with Pass-through Authentication (PTA) and Seamless Single Sign-On (SSO). They notice that password changes in on-premises Active Directory are not reflecting immediately in Microsoft Entra ID for some users. What is the most likely cause?

A. The PTA agents are overloaded
B. The user's password change has not replicated to all domain controllers
C. The Seamless SSO feature is disabled
D. Microsoft Entra ID has a password hash sync delay
Answer: B

Replication latency between on-premises domain controllers can cause the PTA agent to query a DC that hasn't received the updated password yet.

Why this answer

In a Pass-through Authentication environment, password changes are processed by on-premises Active Directory. The password change must replicate to all domain controllers before Microsoft Entra ID can authenticate the new password via the PTA agent. If replication is incomplete, the PTA agent may contact a domain controller that still has the old password, causing the delay.

Exam trap

The trap here is that candidates often assume PTA agents instantly reflect on-premises changes, overlooking the critical dependency on Active Directory replication latency across domain controllers.

How to eliminate wrong answers

Option A is wrong because PTA agents are stateless and forward authentication requests to on-premises AD; overloaded agents would cause authentication failures or timeouts, not a delay in reflecting password changes. Option C is wrong because Seamless SSO is a Kerberos-based feature that provides silent sign-on for domain-joined devices; disabling it does not affect how password changes are propagated to Microsoft Entra ID. Option D is wrong because password hash sync is not used in a PTA-only deployment; the delay described is not due to hash sync, as PTA relies on real-time validation against on-premises AD.

6
Multi-Select · easy

Your organization uses Microsoft Defender for Office 365. You need to create a Safe Attachments policy that will block all attachments with a specific file type. Which TWO elements must you configure? (Choose two.)

Select 2 answers
A. Enable the redirect option to send the attachment to a security mailbox.
B. Set the action to 'Block' for the file type.
C. Add the file type to the policy's file type list.
D. Specify the recipient domain in the policy condition.
E. Select the user or group to apply the policy to.
Answers: B, C

Block action prevents delivery.

Why this answer

B and C are correct. The 'Block' action is necessary to block the attachment, and adding the file type to the policy's file type list targets the specific type.

A is wrong because the redirect option delivers the attachment to a different location rather than blocking it. D is wrong because the policy applies to mailboxes, not individual users. E is wrong because the policy applies to a domain, not recipients.

7
Multi-Select · hard

Which THREE components are required to implement Microsoft Purview Data Lifecycle Management for Microsoft 365? (Choose three.)

Select 3 answers
A. Retention labels
B. Retention policies
C. Sensitivity labels
D. Data loss prevention policies
E. File plan
Answers: A, B, E

Retention labels define retention settings for items.

Why this answer

Options A, B, and E are correct because retention labels, retention policies, and the file plan are core components. Option C is incorrect because sensitivity labels are part of Information Protection, not Data Lifecycle Management. Option D is incorrect because DLP is a separate solution.

8
MCQ · hard

A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. EmailEvents
D. IdentityLogonEvents
Answer: A

This table contains detailed network connection logs, including destination IP, port, and protocol, which is exactly what is needed.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures network connection events, including outbound TCP connections to IP addresses and ports. This table contains fields like RemoteIP, RemotePort, and Protocol, making it ideal for detecting connections to known malicious IPs on non-standard ports such as 4444.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with network events because processes often initiate network connections, but DeviceProcessEvents does not contain network-level details like remote IP or port, leading to an incorrect choice.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation and execution events, not network connections; it lacks network-specific fields like RemoteIP or RemotePort. Option C is wrong because EmailEvents tracks email-related activities (delivery, phishing, etc.) and has no network connection data. Option D is wrong because IdentityLogonEvents records authentication and logon events for user identities, not device-level network traffic.

9
MCQ · medium

Your company is implementing a Zero Trust security model. You need to ensure that all user access requests to corporate resources are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID feature should you use?

A. Continuous Access Evaluation (CAE)
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Verified ID
Answer: A

CAE evaluates access in real-time and can revoke tokens when conditions change.

Why this answer

Continuous Access Evaluation (CAE) is the correct choice because it enforces real-time token validation and policy enforcement for every access request, not just at initial authentication. CAE works by having critical events (e.g., user disablement, IP address change, or risk elevation) trigger a revocation message to the resource provider, which then immediately blocks access—even if the token is still valid. This aligns directly with the Zero Trust principle of 'verify explicitly and continuously' rather than relying on a one-time sign-in.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access policies with continuous enforcement, but Identity Protection only triggers a block at sign-in or via a conditional access policy check, not mid-session for every subsequent request.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Protection) is wrong because it focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not provide continuous, real-time access enforcement for every resource request—it is a risk-detection and remediation tool, not a session-level enforcement mechanism. Option C (Microsoft Entra Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not continuous verification of all user access requests; it addresses privilege escalation, not ongoing access validation. Option D (Microsoft Entra Verified ID) is wrong because it is a decentralized identity solution for verifying credentials (e.g., employment or education claims) via verifiable credentials, not a mechanism for continuously evaluating access tokens or enforcing policy at runtime.

10
MCQ · easy

A company wants to ensure that all new users register for multi-factor authentication (MFA) within 14 days of account creation. Which Microsoft Entra ID feature should be used?

A. MFA registration campaign
B. Conditional Access policy
C. Identity Protection
D. Access Reviews
Answer: A

MFA registration campaign allows admins to require users to register for MFA within a set timeframe.

Why this answer

The MFA registration campaign in Microsoft Entra ID is specifically designed to enforce user registration for MFA within a defined time frame, such as 14 days. It targets new users and sends them reminders to register, blocking access until registration is completed, which directly meets the company's requirement.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which enforce MFA at sign-in) with the registration campaign (which enforces the initial setup), leading them to select Conditional Access as the solution for a time-bound registration requirement.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce MFA during sign-in but do not natively enforce a registration deadline for new users; they require MFA to be already registered. Option C is wrong because Identity Protection detects risks and can trigger MFA, but it does not manage the initial registration process or enforce a time-bound registration campaign. Option D is wrong because Access Reviews are used to audit and recertify existing access assignments, not to enforce new user MFA registration within a specific period.

11
MCQ · medium

A company has a Microsoft 365 tenant with the domain contoso.com. They acquire a subsidiary with the domain fabrikam.com and want to add it as an additional domain to the same tenant. The domain is already purchased and DNS management is available. What is the first step the administrator should take in the Microsoft 365 admin center?

A. Add the domain and verify ownership by adding a TXT record
B. Create a new tenant for fabrikam.com
C. Set up email forwarding from contoso.com to fabrikam.com
D. Convert fabrikam.com to a federated domain
Answer: A

Domain verification via TXT record is always the first step when adding a custom domain.

Why this answer

To add an existing domain like fabrikam.com to a Microsoft 365 tenant, the first step is to add the domain in the Microsoft 365 admin center and then verify ownership by adding a TXT record to the domain's DNS zone. This verification proves the administrator controls the domain, which is a prerequisite for using it with Microsoft 365 services such as Exchange Online or SharePoint.

Exam trap

The trap here is that candidates may confuse the order of operations and attempt to configure advanced features like federation or email routing before completing the mandatory domain verification step, which is always the first action required when adding a new domain to a tenant.

How to eliminate wrong answers

Option B is wrong because creating a new tenant for fabrikam.com would isolate the subsidiary's users and resources from the existing contoso.com tenant, defeating the purpose of consolidating domains under one tenant. Option C is wrong because email forwarding from contoso.com to fabrikam.com is a post-verification routing configuration, not a domain addition step, and it does not establish domain ownership. Option D is wrong because converting fabrikam.com to a federated domain requires the domain to first be added and verified in the tenant; federation is an advanced authentication configuration that cannot be performed as the initial step.

12
MCQ · easy

A compliance officer needs to prevent users from sharing emails that contain credit card numbers with external recipients. When a user attempts to send such an email, it should be blocked immediately, and a policy tip should notify the user. Which Microsoft Purview solution should the officer configure?

A. A Data Loss Prevention (DLP) policy
B. A sensitivity label
C. A retention label
D. An information barrier policy
Answer: A

DLP policies can inspect email content for sensitive info and block delivery while showing a policy tip to the user.

Why this answer

A Data Loss Prevention (DLP) policy is the correct solution because it is specifically designed to detect sensitive information, such as credit card numbers, in transit (e.g., email) and enforce actions like blocking the message and displaying a policy tip to the user. DLP policies use sensitive information types (e.g., Credit Card Number) and rules to inspect content in Exchange Online, SharePoint, OneDrive, and Teams, allowing real-time blocking with user notification. This directly meets the compliance officer's requirement to prevent external sharing and provide immediate feedback.

Exam trap

Microsoft often tests the distinction between DLP policies and sensitivity labels. Candidates mistakenly think a sensitivity label alone can block email transmission, but a label needs a DLP policy to enforce actions such as blocking, whereas a DLP policy can act on content independently of any label.

How to eliminate wrong answers

Option B (sensitivity label) is wrong because sensitivity labels classify and protect data at rest (e.g., encryption, visual markings) but do not natively block email transmission based on content inspection or provide policy tips in real-time; they require additional DLP policies to enforce actions on labeled content. Option C (retention label) is wrong because retention labels manage data lifecycle (retention and deletion) and have no capability to inspect email content for sensitive data or block messages. Option D (information barrier policy) is wrong because information barriers restrict communication between specific user groups (e.g., to prevent conflicts of interest) and do not scan for sensitive data like credit card numbers or block external sharing.

13
MCQ · medium

A company is deploying Microsoft 365 and wants to ensure that users in the finance department have access to only the apps they need. You need to recommend a licensing strategy that minimizes administrative overhead while enforcing access restrictions. What should you do?

A. Create a security group with explicit membership and assign licenses to the group.
B. Create a dynamic Azure AD group based on department attribute and assign licenses using group-based licensing.
C. Assign licenses to users one by one in the Microsoft 365 admin center.
D. Use PowerShell to assign licenses based on user department attribute.
Answer: B

This automates license assignment and removal when users change departments.

Why this answer

Option B is correct because using a dynamic Azure AD group based on the department attribute automates membership updates as users change departments, and group-based licensing assigns the appropriate licenses to all members without manual intervention. This minimizes administrative overhead by eliminating the need to manually add or remove users from the group or assign licenses individually, while enforcing access restrictions by ensuring only finance users receive the licensed apps.

Exam trap

The trap here is that candidates often choose Option A (security group with explicit membership) because they think it provides more control, but they overlook the administrative overhead of manual membership management and the fact that group-based licensing works with any Azure AD group type, including security groups, as long as the group is used for license assignment.

How to eliminate wrong answers

Option A is wrong because a security group with explicit membership requires manual updates when users join or leave the finance department, increasing administrative overhead and risking stale memberships. Option C is wrong because assigning licenses one by one in the Microsoft 365 admin center is highly manual and does not scale, nor does it enforce dynamic access restrictions based on department changes. Option D is wrong because using PowerShell to assign licenses based on department attribute requires scripting, scheduled runs, and error handling, which adds complexity and overhead compared to the built-in dynamic group and group-based licensing feature.

14
Multi-Select · medium

Contoso wants to require multi-factor authentication (MFA) for all users when accessing cloud applications from any network except the corporate headquarters (trusted IP range). They plan to use Azure AD Conditional Access. Which two components must be configured to achieve this requirement? (Select all that apply.)

Select 2 answers
A. A Conditional Access policy targeting all users and cloud apps, with conditions for locations
B. A named location defining the corporate headquarters' trusted IP ranges
C. An Identity Protection user risk policy
D. An MFA registration policy requiring users to register for MFA
Answers: A, B

This policy enforces MFA based on location conditions, which is necessary.

Why this answer

Option A is correct because a Conditional Access policy must be created to enforce MFA based on location conditions. The policy targets all users and cloud apps, and uses the 'locations' condition to exclude the trusted IP range (corporate headquarters) while requiring MFA for all other locations. This ensures MFA is triggered only when access originates from outside the trusted network.

Exam trap

The trap here is that candidates often confuse the MFA registration policy (which only ensures users have registered MFA methods) with the Conditional Access policy that actually enforces MFA based on location conditions, leading them to incorrectly select Option D as a required component.

15
MCQ · easy

A user reports that they cannot access a legitimate external website because Microsoft Defender for Endpoint is blocking it. The website is required for business. What should you do to allow access while maintaining security?

A. Exclude the device from the policy
B. Disable network protection for the device
C. Add the URL to the custom indicators allow list
D. Add the user to a custom group with lower security
Answer: C

Custom indicators allow specific URLs while keeping protections.

Why this answer

Option C is correct because adding the URL to the custom indicators allow list permits the site while keeping all other protections in place. Option A is wrong because excluding the device from the policy weakens security. Option B is wrong because disabling network protection removes all URL filtering. Option D is wrong because allowing the site per user is not granular.

16
MCQ · medium

A compliance officer needs to ensure that all documents in a Microsoft Teams channel are automatically retained for 3 years after creation and then permanently deleted. The retention policy should apply only to the specific channel, not the entire team. Which approach should the officer use?

A. Create a retention policy in Microsoft Purview and select the location 'Teams channel messages', then specify the channel name
B. Create a retention policy in Microsoft Purview and select the location 'Teams chats' for the entire team
C. Publish a retention label to the channel and configure auto-application rules based on creation date
D. Use Exchange Online PowerShell to create a retention policy for the channel mailbox
Answer: A

Correct. The retention policy can target a specific channel by using the 'Teams channel messages' location and specifying the channel name in the scope.

Why this answer

Option A is correct because Microsoft Purview retention policies can be scoped to specific Teams channel messages by selecting the 'Teams channel messages' location and specifying the channel name. This ensures that only messages in that channel are retained for 3 years and then permanently deleted, without affecting the rest of the team or other content types.

Exam trap

The trap here is that candidates often confuse 'Teams channel messages' with 'Teams chats' or assume that a retention label can automatically enforce deletion for all channel content without understanding that labels require explicit application or complex auto-application rules that may not cover all messages.

How to eliminate wrong answers

Option B is wrong because selecting 'Teams chats' applies the policy to 1:1 and group chats, not to channel messages; it also cannot be scoped to a single channel. Option C is wrong because retention labels are designed for user-applied or auto-classification scenarios, not for automatic retention and deletion of all channel messages based solely on creation date; they require manual application or complex auto-application rules that do not guarantee coverage of all existing and future messages. Option D is wrong because Exchange Online PowerShell can manage mailbox-level retention policies, but Teams channel messages are stored in a dedicated group mailbox and cannot be targeted to a specific channel using Exchange retention policies; the correct method is through Purview's Teams channel messages location.

17
MCQ · medium

A security administrator wants to prevent attackers from stealing credentials by blocking access to the Local Security Authority Subsystem Service (LSASS) from untrusted processes. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

A. Block credential stealing from the Windows local security authority subsystem (lsass.exe).
B. Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
C. Block Office applications from creating child processes.
D. Block persistence through Windows Management Instrumentation (WMI) event subscription.
Answer: A

This rule blocks untrusted processes from accessing LSASS, directly preventing credential theft techniques.

Why this answer

The ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) directly prevents untrusted processes from accessing LSASS memory, which is a common technique used by attackers to dump credentials via tools like Mimikatz. This rule blocks attempts to open lsass.exe with specific access rights (e.g., PROCESS_VM_READ) from non-trusted processes, thereby protecting credential material stored in LSASS.

Exam trap

The trap here is that candidates often confuse the 'Block credential stealing from LSASS' rule with other ASR rules that address different attack vectors, such as blocking executable files or Office child processes, because they all fall under the same 'Attack Surface Reduction' umbrella but target distinct behaviors.

How to eliminate wrong answers

Option B is wrong because it addresses executable file execution based on prevalence, age, or trusted list criteria, which is a different ASR rule (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) focused on preventing untrusted or unknown executables from running, not specifically protecting LSASS from credential theft. Option C is wrong because it blocks Office applications from creating child processes (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a), which prevents malware from using Office apps as a launch point but does not directly protect LSASS from credential access. Option D is wrong because it blocks persistence through WMI event subscription (GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b), which prevents attackers from establishing persistence via WMI, but does not address the immediate credential theft from LSASS.

18
Multi-Select · hard

Which THREE are features of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A. Password protection
B. Entitlement management
C. Conditional access policies
D. Access reviews
E. Privileged Identity Management (PIM)
Answers: B, D, E

Entitlement management is governance.

Why this answer

Options B, D, and E are correct. Option C is wrong because conditional access is a separate feature. Option A is wrong because password protection is part of Identity Protection.

19
MCQ · easy

You are troubleshooting a user who cannot sign in to Microsoft Teams. Sign-in logs show error code 53003 with additional details 'Blocked by Conditional Access'. The user is a member of a group that is excluded from the Conditional Access policy. What is the most likely cause?

A. The Conditional Access policy is in Report-only mode.
B. The user's group membership has not yet been updated in the token.
C. The user's device is not compliant.
D. The user is a member of an included group via nested group membership.
Answer: D

Nested groups can cause policy application despite exclusion.

Why this answer

The error indicates a Conditional Access block. If the user is excluded, either the policy was recently changed and has not yet propagated, or the user is also a member of an included group. The most common cause is that the user is a member of an included group indirectly via a nested group, and Conditional Access policies evaluate transitive membership. So even if the user is directly excluded, if they are in an included group via nesting, the policy applies.

20
Multi-Select (medium)

Your organization uses Microsoft Defender for Endpoint. You need to configure advanced hunting to query device information. Which TWO tables contain device-related data?

Select 2 answers
A. AlertInfo
B. EmailEvents
C. IdentityLogonEvents
D. DeviceInfo
E. DeviceTvmInfoGathering
Answers: D, E

Contains device information like OS, device name.

Why this answer

Options D and E are correct because DeviceInfo and DeviceTvmInfoGathering are tables in advanced hunting that contain device information. Option A is wrong because AlertInfo contains alert metadata, not device info. Option B is wrong because EmailEvents contains email data.

Option C is wrong because IdentityLogonEvents contains authentication events.

21
Multi-Select (medium)

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to ensure that sensitive data such as credit card numbers cannot be shared externally via email. Which THREE components should you configure?

Select 3 answers
A. Define sensitive information types for credit card numbers
B. Enable Microsoft Purview Insider Risk Management
C. Configure DLP rule actions to block external sharing
D. Configure a retention policy for email
E. Create a DLP policy in Microsoft Purview
Answers: A, C, E

Sensitive info types are used to detect credit card numbers.

Why this answer

A is correct because sensitive information types (SITs) are predefined or custom patterns that detect specific data like credit card numbers (e.g., regex matching major credit card formats). Defining the SIT for credit card numbers allows the DLP policy to identify this sensitive content in emails, which is the first step before any action can be taken.

Exam trap

The trap here is that candidates may confuse Insider Risk Management (a behavior-based tool) with DLP (a content-based policy), or think a retention policy is needed to block sharing, when in fact DLP policies alone handle detection and enforcement via SITs and rule actions.

22
MCQ (easy)

A company has purchased Microsoft 365 Business Premium and added a custom domain 'contoso.com' to the tenant. They want all new users to have email addresses like user@contoso.com instead of the default onmicrosoft.com domain. What should the administrator do in the Microsoft 365 admin center?

A. Set the custom domain as the default domain in the Domains settings.
B. Add a DNS TXT record for the custom domain.
C. Change the primary domain in the tenant's organization profile.
D. Update the MX record for the custom domain to point to Exchange Online.
Answer: A

Setting a custom domain as default assigns that domain to new user email addresses automatically.

Why this answer

Setting the custom domain as the default domain in the Domains settings ensures that any new user created in the Microsoft 365 admin center automatically receives an email address ending with @contoso.com instead of the default @<tenant>.onmicrosoft.com. This is the correct administrative action because the default domain setting controls the domain suffix applied to new user principal names (UPNs) and email addresses during user creation.

Exam trap

The trap here is that candidates confuse the default domain for new users with domain verification (TXT records) or mail routing (MX records), leading them to select options that are necessary for domain setup but not for controlling the email address assigned to new users.

How to eliminate wrong answers

Option B is wrong because adding a DNS TXT record is used for domain ownership verification, not for setting the default email domain for new users. Option C is wrong because changing the primary domain in the tenant's organization profile affects the initial onmicrosoft.com domain used for the tenant itself, not the default domain for new user email addresses. Option D is wrong because updating the MX record controls mail routing for the domain, not the default domain assigned to new users' email addresses.

23
Multi-Select (medium)

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a process spawned by Microsoft Word (winword.exe) makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?

Select 2 answers
A. DeviceProcessEvents and DeviceNetworkEvents
B. DeviceProcessEvents and DeviceEvents
C. DeviceNetworkEvents and IdentityLogonEvents
D. DeviceProcessEvents and DeviceFileEvents
Answers: A, B

DeviceProcessEvents provides process creation details, and DeviceNetworkEvents provides network connection details. Joining them correlates a process to its network connections.

Why this answer

To detect a process spawned by winword.exe making an outbound connection to a known malicious IP, you need to first identify the process creation event (parent-child relationship) in DeviceProcessEvents, then correlate it with the network connection event in DeviceNetworkEvents. Joining these two tables on DeviceId and a timestamp window allows you to link the specific process (winword.exe) to its outbound network activity.

Exam trap

The trap here is that candidates mistakenly think DeviceEvents (which includes security alerts) can substitute for network connection data, but DeviceNetworkEvents is the only table that records actual outbound IP addresses and ports.

24
MCQ (medium)

A company with 200 on-premises Exchange mailboxes plans to migrate to Exchange Online. They want to use a Microsoft-provided tool that supports granular control over mailbox migrations, allows batch migrations, and provides detailed reporting. Which migration method should the administrator choose?

A. Azure AD Connect
B. Exchange Admin Center (EAC) migration dashboard
C. Third-party migration tool (e.g., BitTitan MigrationWiz)
D. IMAP migration
Answer: B

The EAC migration dashboard supports several migration types (cutover, staged, hybrid) and provides batch management, status reports, and error logs. It is the recommended Microsoft tool for migrating on-premises mailboxes to Exchange Online.

Why this answer

The Exchange Admin Center (EAC) migration dashboard is the correct choice because it is a Microsoft-provided tool that supports granular control over mailbox migrations (e.g., selecting specific users, setting migration endpoints, and configuring throttling), allows batch migrations with the ability to start, stop, and monitor multiple batches simultaneously, and provides detailed reporting on migration status, errors, and sync progress. This method is specifically designed for migrating on-premises Exchange mailboxes to Exchange Online in a controlled, staged manner, making it ideal for the scenario described.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (identity sync) with a migration tool, or they assume any Microsoft tool (like IMAP migration) is sufficient, but the question specifically requires granular control, batch support, and detailed reporting, which only the EAC migration dashboard provides for on-premises Exchange to Exchange Online migrations.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect is a directory synchronization tool that syncs on-premises Active Directory objects to Azure AD, but it does not perform mailbox migration, provide granular control over mailbox moves, or offer batch migration reporting; it handles identity only. Option C is wrong because while third-party tools like BitTitan MigrationWiz can offer granular control and reporting, the question explicitly asks for a 'Microsoft-provided tool,' so a third-party solution does not meet that requirement. Option D is wrong because IMAP migration only migrates email data (folders, messages) from an IMAP-enabled source, not full mailbox items like calendar, contacts, or tasks, and it lacks granular control over individual mailboxes, batch management, and detailed reporting; it is a basic cutover method, not suitable for a controlled, staged migration from on-premises Exchange.

25
MCQ (hard)

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

A. Kusto Query Language (KQL)
B. PowerShell
C. Splunk SPL
D. SQL
Answer: A

KQL is the query language used in Microsoft Defender XDR advanced hunting to create custom detection rules.

Why this answer

Microsoft Defender XDR uses Kusto Query Language (KQL) for advanced hunting queries, including custom detection rules. KQL allows querying the DeviceProcessEvents and DeviceNetworkEvents tables to correlate process launches with network connections, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse the query language used in Microsoft Defender XDR with other common tools like PowerShell or SQL, but Microsoft specifically designed KQL for its security analytics and it is the only language supported for custom detections in this context.

How to eliminate wrong answers

Option B is wrong because PowerShell is a scripting language used for automation and configuration, not for querying Microsoft Defender XDR's underlying data schema; advanced hunting queries require KQL, not PowerShell cmdlets. Option C is wrong because Splunk SPL (Search Processing Language) is proprietary to Splunk and cannot be used in Microsoft Defender XDR, which has its own query engine. Option D is wrong because SQL is a relational database query language not supported by Microsoft Defender XDR's advanced hunting; the platform uses KQL, which is based on a tabular data stream model, not SQL.

26
MCQ (easy)

You need to ensure that all documents in a SharePoint Online site are automatically labeled with a 'Confidential' sensitivity label. Which Microsoft Purview feature should you use?

A. Microsoft Purview auto-labeling policy
B. Microsoft Purview Data Loss Prevention policy
C. Microsoft Purview retention policy
D. Microsoft Purview manual labeling
Answer: A

Auto-labeling automatically applies labels based on conditions.

Why this answer

Option A is correct because auto-labeling policies can automatically apply sensitivity labels to documents in SharePoint. Option B is wrong because DLP policies don't apply labels. Option D is wrong because manual labeling requires user action.

Option C is wrong because retention policies don't apply sensitivity labels.

27
MCQ (medium)

An administrator has configured group-based licensing in Azure AD. After adding users to the group, some users do not receive licenses. The users are in the group and have an assigned usage location. What is a possible reason?

A. The group is a mail-enabled security group, which is not supported for group-based licensing
B. The license product name in the group setting does not match the available licenses in the tenant
C. The users have conflicting license assignments from another source
D. The users have not accepted the Microsoft Online Service Terms
Answer: C

Conflicting license assignments (e.g., direct assignment or another group) can cause group-based licensing to skip those users. The licensing status in Azure AD will show an error.

Why this answer

Option C is correct because group-based licensing in Azure AD can fail when a user already has a license assigned from another source, such as direct assignment or another group. Azure AD's group-based licensing processes assignments in a deterministic order, and if a conflict arises (e.g., different service plans or SKUs), the system may skip the user and log an error in the audit logs. This is a common scenario when users are migrated from direct licensing to group-based licensing without removing the existing assignments.

Exam trap

The trap here is that candidates often assume group-based licensing always works if the user is in the group and has a usage location, overlooking the common real-world scenario where pre-existing direct license assignments cause silent failures that require manual conflict resolution.

How to eliminate wrong answers

Option A is wrong because mail-enabled security groups are fully supported for group-based licensing in Azure AD, as long as the group is a security group (mail-enabled or not). Option B is wrong because if the license product name in the group setting does not match an available license in the tenant, the group-based licensing assignment would fail for all users, not just some, and the administrator would receive a clear error during configuration. Option D is wrong because Microsoft Online Service Terms acceptance is a tenant-wide prerequisite that must be completed before any licensing can be applied; if it were not accepted, no users in the tenant would receive licenses at all, not just some users in a group.

28
MCQ (medium)

Refer to the exhibit. You need to ensure that users accessing Exchange Online from unmanaged devices are blocked. What should you modify in the policy?

A. Remove the MFA control
B. Add the 'approvedClientApp' grant control with OR
C. Add a session control for app protection policies
D. Change the operator from OR to AND
Answer: D

AND requires both MFA and compliant device, blocking unmanaged devices.

Why this answer

The exhibit shows a conditional access policy with two grant controls: 'Require multi-factor authentication' and 'Require device to be marked as compliant', connected by OR. With OR, users can satisfy either control, so unmanaged devices can still authenticate via MFA alone. Changing the operator to AND forces both MFA and device compliance, blocking access from unmanaged devices that cannot be compliant.

Exam trap

The trap here is that candidates overlook the OR operator and assume both controls are already required, not realizing that OR creates an alternative path that allows unmanaged devices to authenticate with just MFA.

How to eliminate wrong answers

Option A is wrong because removing the MFA control would leave only the device compliance requirement, which still blocks unmanaged devices but weakens security by removing MFA for managed devices. Option B is wrong because adding 'approvedClientApp' with OR would introduce another alternative path, making it even easier for unmanaged devices to bypass the block. Option C is wrong because session controls for app protection policies apply after access is granted (to restrict data exfiltration), not to block initial access from unmanaged devices.

29
MCQ (easy)

You need to allow external users from a specific partner organization to access a SharePoint Online site using their own Microsoft Entra ID credentials. Which feature should you configure?

A. Direct Federation
B. Self-service password reset
C. Microsoft Entra B2C
D. Microsoft Entra B2B collaboration
Answer: D

B2B allows external users to access apps with their own credentials.

Why this answer

Option D is correct because B2B collaboration allows external users to sign in with their own identities. Option C is wrong because B2C is for customer-facing apps. Option A is wrong because federation is for identity provider integration, not direct access.

Option B is wrong because self-service password reset is for internal users.

30
MCQ (hard)

You are troubleshooting an issue where users from a partner organization cannot access a shared app in your Microsoft Entra ID tenant. The partner uses Microsoft Entra ID with a custom domain. You have configured cross-tenant access settings. Which setting is most likely misconfigured?

A. Outbound cross-tenant access settings for the partner's tenant ID
B. The app's user assignment and provisioning configuration
C. Default inbound cross-tenant access settings for the partner's tenant ID
D. The partner's inbound cross-tenant access settings for your tenant
Answer: C

Inbound settings determine if external users can access your apps.

Why this answer

The default inbound cross-tenant access settings control how external users from other tenants access your tenant's resources. Since the partner cannot access the shared app, the most likely misconfiguration is that the default inbound settings for the partner's tenant ID are set to block access, or the partner's tenant ID is not explicitly allowed in the inbound settings. This overrides any app-level permissions, as cross-tenant access settings act as a gate before user assignment is evaluated.

Exam trap

The trap here is that candidates often focus on app-level configuration (user assignment or provisioning) or confuse inbound/outbound directions, overlooking that cross-tenant access settings act as a mandatory first gate that must explicitly allow the partner's tenant ID before any app access can occur.

How to eliminate wrong answers

Option A is wrong because outbound cross-tenant access settings control how your users access resources in the partner's tenant, not how partner users access your app. Option B is wrong because user assignment and provisioning configuration are app-level settings that only apply after cross-tenant access is allowed; if inbound access is blocked, the app settings are irrelevant. Option D is wrong because the partner's inbound cross-tenant access settings control access to their own resources, not to your tenant's app; you configure settings for your tenant, not the partner's.

31
MCQ (easy)

You are a security administrator. You need to configure Microsoft Defender for Cloud Apps to detect anomalous user activities such as impossible travel. Which feature should you enable?

A. App Discovery
B. Cloud Discovery
C. Anomaly Detection policies
D. Conditional Access App Control
Answer: C

Anomaly Detection policies detect unusual user activities.

Why this answer

Option C is correct because Anomaly Detection policies in Microsoft Defender for Cloud Apps detect unusual behavior like impossible travel, mass download, etc. Option A (App Discovery) finds shadow IT apps. Option D (Conditional Access App Control) provides real-time session controls.

Option B (Cloud Discovery) identifies cloud app usage.

32
MCQ (easy)

An administrator wants to add a custom domain 'fabrikam.com' to a new Microsoft 365 tenant. What is the first step the administrator should perform?

A. Add the domain in the Microsoft 365 admin center.
B. Create an SPF record for the domain.
C. Create an MX record pointing to Exchange Online.
D. Assign Microsoft 365 licenses to users with @fabrikam.com addresses.
Answer: A

Adding the domain initiates the verification process and is required before any other DNS or licensing steps.

Why this answer

The first step to add a custom domain to a Microsoft 365 tenant is to add the domain in the Microsoft 365 admin center. This initiates the domain verification process, where Microsoft provides a TXT record or MX record that the administrator must add to the domain's DNS hosting provider to prove ownership. Without completing this verification step, no other domain-related configurations (such as SPF, MX records, or user licensing) can proceed.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking that DNS records like SPF or MX must be configured before the domain is added, when in fact the domain must first be verified via a TXT record in the admin center before any other DNS changes can be applied.

How to eliminate wrong answers

Option B is wrong because creating an SPF record is a post-verification step that helps prevent email spoofing, but it is not required to initially add or verify the domain. Option C is wrong because creating an MX record pointing to Exchange Online is only possible after the domain has been verified and added to the tenant; attempting to set it beforehand would fail as the domain is not yet recognized by Microsoft 365. Option D is wrong because assigning Microsoft 365 licenses to users with @fabrikam.com addresses requires the domain to first be verified and added to the tenant; otherwise, the domain is not available for user creation.

33
MCQ (easy)

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

A. Automated investigation and response (AIR)
B. Advanced hunting
C. Threat analytics
D. Attack surface reduction rules
Answer: A

AIR uses automation to investigate alerts and take predefined remediation actions, such as isolating devices or deleting malicious emails.

Why this answer

Automated investigation and response (AIR) is the Microsoft Defender XDR capability that automatically investigates alerts and takes remediation actions across endpoints, email, and identities without manual intervention. It uses playbooks and machine learning to triage incidents, determine scope, and apply actions like isolating devices or deleting malicious emails.

Exam trap

The trap here is that candidates confuse 'automated investigation and response' with 'advanced hunting' because both involve security analysis, but only AIR provides the automated remediation workflow without manual querying.

How to eliminate wrong answers

Option B is wrong because advanced hunting is a query-based tool for manually searching raw telemetry data using Kusto Query Language (KQL), not an automated response mechanism. Option C is wrong because threat analytics provides threat intelligence reports and vulnerability assessments but does not perform automated investigation or response actions. Option D is wrong because attack surface reduction rules are endpoint-specific configurations that block common attack techniques (e.g., Office macro execution), but they do not automate the investigation and response lifecycle across multiple domains.

34
MCQ (hard)

You are configuring Microsoft Defender for Office 365 anti-phish policy. You want to protect against user impersonation attacks. The CEO and CFO are frequent targets. What should you configure in the anti-phish policy?

A. Configure spoof intelligence
B. Add the CEO and CFO's domains to domain impersonation
C. Enable user impersonation protection and add the CEO and CFO as protected users
D. Enable mailbox intelligence
Answer: C

User impersonation protection specifically protects selected users.

Why this answer

Option C is correct because user impersonation protection allows you to define specific users to protect. Option B is wrong because domain impersonation protects against domain spoofing. Option D is wrong because mailbox intelligence is for general impersonation detection.

Option A is wrong because spoof intelligence is for domain spoofing.

35
MCQ (medium)

A company uses Password Hash Synchronization (PHS) to synchronize identities to Microsoft Entra ID. They want to enable users to access Microsoft 365 applications from their domain-joined work devices without being prompted to re-enter their credentials. Which feature should they enable in addition to PHS?

A. Seamless Single Sign-On
B. Pass-through Authentication
C. Azure AD Connect Health
D. Conditional Access
Answer: A

Seamless SSO enables silent sign-in for domain-joined devices when combined with PHS or PTA.

Why this answer

Seamless Single Sign-On (SSO) is the correct feature to enable alongside Password Hash Synchronization (PHS) because it allows users on domain-joined devices to automatically authenticate to Microsoft 365 applications without being prompted for credentials. It works by integrating with Kerberos authentication, using a computer account in the on-premises Active Directory to issue a Kerberos ticket that Microsoft Entra ID can validate, eliminating the need for re-authentication.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication (PTA) with Seamless SSO, thinking PTA alone provides the same credential-free experience, but PTA only handles password validation without the automatic ticket-based sign-on that Seamless SSO provides.

How to eliminate wrong answers

Option B (Pass-through Authentication) is wrong because it validates passwords directly against on-premises Active Directory without using password hashes, and while it can also be combined with Seamless SSO, the question specifically asks for a feature to add to PHS to avoid credential prompts, not a replacement for PHS. Option C (Azure AD Connect Health) is wrong because it is a monitoring and diagnostics tool for the synchronization infrastructure, not an authentication feature that provides single sign-on. Option D (Conditional Access) is wrong because it is a policy-based access control mechanism that enforces conditions like device compliance or location, but it does not eliminate the need for users to re-enter credentials; it only controls access after authentication.

36
MCQ (medium)

A user reports that they are unable to access a file in SharePoint Online. You check the audit log and see that the file was quarantined by Microsoft Defender for Office 365. What is the most likely reason?

A. The file was overwritten by a previous version.
B. The file was detected as malware by Safe Attachments.
C. The file has a retention policy that moved it to the Preservation Hold library.
D. The file was labeled as highly confidential by Microsoft Purview Information Protection.
E. The file contains sensitive information and triggered a Data Loss Prevention (DLP) policy.
Answer: B

Safe Attachments quarantines malicious files.

Why this answer

Option B is correct because Defender for Office 365 can quarantine files that are detected as malicious by Safe Attachments. Option E is wrong because DLP policies block sharing, but do not quarantine files. Option C is wrong because retention policies do not quarantine.

Option A is wrong because versioning does not cause quarantine. Option D is wrong because sensitivity labels classify, not quarantine.

37
MCQ (medium)

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to create a policy that blocks users from pasting credit card numbers into web forms in Microsoft Edge. Which type of DLP policy should they configure?

A. Endpoint DLP
B. Exchange DLP
C. SharePoint DLP
D. Teams DLP
Answer: A

Endpoint DLP monitors devices and can block clipboard paste actions on web forms in Edge.

Why this answer

Endpoint DLP is correct because it monitors and controls activities on Windows 10/11 and macOS endpoints, including the ability to block pasting sensitive data like credit card numbers into web forms in Microsoft Edge. This policy extends DLP protection to unmanaged browsers and specific user actions, such as paste, clipboard, and print, which are not covered by cloud-based DLP policies.

Exam trap

The trap here is that candidates often assume all DLP policies are cloud-based and overlook that only Endpoint DLP can enforce restrictions on local user actions like pasting into web forms, confusing it with Exchange or SharePoint DLP which only inspect data at rest or in transit within Microsoft 365 services.

How to eliminate wrong answers

Option B (Exchange DLP) is wrong because it only applies to email messages in transit or at rest in Exchange Online, not to web form pasting in Edge. Option C (SharePoint DLP) is wrong because it protects documents stored in SharePoint Online and OneDrive for Business, not user actions in a browser. Option D (Teams DLP) is wrong because it covers messages and files in Microsoft Teams chats and channels, not web form interactions in Edge.

38
Multi-Select (easy)

Which TWO actions can you perform in the Microsoft Defender XDR portal to investigate a security incident?

Select 2 answers
A. View the incident timeline
B. Run advanced hunting queries
C. Create mail flow rules
D. Reset user passwords
E. Review impacted assets
Answers: A, E

The incident timeline shows the sequence of alerts and events.

Why this answer

Options A and E are correct. Viewing the incident timeline shows the sequence of events, and reviewing impacted assets shows affected devices and users. Option D is wrong because you cannot reset passwords directly in Defender XDR.

Option B is wrong because advanced hunting is a separate feature. Option C is wrong because creating mail flow rules is in Exchange admin center.

39
MCQ (hard)

You are configuring Microsoft Purview Information Protection for your tenant. You need to ensure that documents containing credit card numbers are automatically labeled as 'Highly Confidential' and encrypted. Which two components must you configure?

A. A data loss prevention (DLP) policy.
B. A sensitive info type for credit card numbers.
C. An auto-labeling policy for sensitivity labels.
D. A retention label.
Answer: B, C

A sensitive info type is required to detect the sensitive data.

Why this answer

Sensitive info types detect credit card numbers, and auto-labeling policies apply the label and encryption automatically. Option A is wrong because DLP policies alert but don't label. Option D is wrong because retention labels are for retention, not classification; applying the label and encryption requires a published sensitivity label, not a retention label.

40
MCQ (easy)

You run the above KQL query in Microsoft Defender XDR Advanced Hunting. The query returns no results. What is the most likely reason?

A. The EmailDirection filter should be 'Outbound'.
B. No inbound emails were blocked in the last 30 days.
C. The time range should be 7 days instead of 30 days.
D. The column name SenderDomain does not exist in EmailEvents.
Answer: D

The correct column is 'SenderMailFromDomain'.

Why this answer

Option D is correct because 'SenderDomain' is not a column in EmailEvents; the correct column is 'SenderMailFromDomain', so a query referencing 'SenderDomain' fails to return results. Option B (no inbound emails blocked) is possible but less likely if the environment has filtering. Option C (time range too short) is not the issue.

Option A (filtering for outbound only) is not the cause, since inbound results would still appear if any existed.

41
MCQ (easy)

Your organization uses Microsoft Defender for Endpoint (MDE). You need to configure an automated investigation and response (AIR) capability that will automatically remediate a confirmed malware infection on endpoints. Which action should you enable?

A. Run antivirus scan
B. Notify users via email
C. Automatically resolve alerts
D. Isolate device
Answer: C

Enables automatic remediation actions.

Why this answer

Option C is correct because 'Automatically resolve alerts' enables automatic remediation actions like quarantining files or killing processes. Option D is wrong because it only isolates the device, not remediates malware. Option B is wrong because it only sends an email, not remediates.

Option A is wrong because it is a response action, not automated investigation.

42
MCQ (easy)

A company needs to automatically retain all emails sent to or from external partners for 7 years. They also need to ensure that after 7 years, the emails are permanently deleted. What should you configure in Microsoft Purview?

A. Create a retention label with a retention period of 7 years and publish it to all users.
B. Create a retention policy for Exchange email with a retention period of 7 years, followed by deletion.
C. Create an eDiscovery hold for all external partner communications.
D. Create a data loss prevention (DLP) policy to block deletion of emails after 7 years.
Answer: B

Combines retain and delete automatically.

Why this answer

Option B is correct because a retention policy with both retain and delete actions meets the requirement. Option A is wrong because a retention label requires manual or auto-classification. Option D is wrong because a DLP policy is for preventing data loss, not retention.

Option C is wrong because an eDiscovery hold preserves content indefinitely.

43
MCQ (medium)

A company wants to display a custom help desk phone number and email on the Microsoft 365 sign-in page so that users can contact support easily. Which area of the Microsoft 365 admin center should the administrator use to configure this?

A. Settings > Org settings > Security & privacy
B. Settings > Org settings > Organization profile
C. Billing > Licenses
D. Health > Service Health
Answer: B

Organization profile contains custom branding settings for the sign-in page, including help desk contact info.

Why this answer

Option B is correct because the custom help desk contact information (phone number and email) for the Microsoft 365 sign-in page is configured under Settings > Org settings > Organization profile, specifically in the 'Custom branding' section. This setting allows administrators to add custom support contact details that appear on the sign-in page, enhancing user self-service and support accessibility.

Exam trap

The trap here is that candidates often confuse the 'Security & privacy' settings (Option A) with branding customization, mistakenly thinking that support contact details are a security-related configuration rather than a branding and user experience setting.

How to eliminate wrong answers

Option A is wrong because Settings > Org settings > Security & privacy is used for configuring security policies, data loss prevention, and privacy-related settings, not for customizing the sign-in page branding or support contact information. Option C is wrong because Billing > Licenses is used to manage user licenses, subscriptions, and billing details, not for tenant-wide branding or support contact configuration. Option D is wrong because Health > Service Health provides real-time service status and incident information, but does not allow customization of the sign-in page or support contact details.

44
MCQmedium

A user reports that they cannot access Microsoft Teams from their mobile device. Other Microsoft 365 services work fine. You verify that the device is compliant with Intune policies. What is the most likely cause?

A.The user's authentication method is not registered for Microsoft Entra ID
B.The Microsoft Teams service is degraded
C.A Conditional Access policy requires an approved client app for Teams
D.The device is not enrolled in Microsoft Intune
AnswerC

If the Teams app is not approved or protected, access is blocked.

Why this answer

Option C is correct because a Conditional Access policy requiring an approved client app for Microsoft Teams would block access from a mobile device even if the device is Intune-compliant, as the policy specifically checks for the use of an approved app (e.g., the official Microsoft Teams app) rather than just device compliance. Since the user can access other Microsoft 365 services, the issue is isolated to Teams, and the device compliance status rules out broader device-level blocks.

Exam trap

The trap here is that candidates assume device compliance alone guarantees access, overlooking that Conditional Access policies can impose app-level requirements that are separate from device health checks.

How to eliminate wrong answers

Option A is wrong because authentication method registration for Microsoft Entra ID affects sign-in capabilities across all services, not just Teams, and the user can access other Microsoft 365 services, indicating authentication is functional. Option B is wrong because a degraded Microsoft Teams service would impact all users and devices, not just a single user on a mobile device, and the user can access other services, ruling out a widespread service issue. Option D is wrong because the device is explicitly stated to be compliant with Intune policies, which implies it is enrolled in Microsoft Intune; non-enrollment would prevent compliance evaluation entirely.

45
MCQmedium

Your organization uses Microsoft Defender for Identity. You need to configure a honeytoken account to detect attackers trying to use the account. In which location should you place the honeytoken account?

A.A domain user account with no privileges
B.A service account with high privileges
C.A non-existent account alias in AD
D.A guest account
AnswerA

Honeytoken accounts should be real user accounts with no privileges.

Why this answer

Option A is correct because honeytoken accounts should be real user accounts with no privileges and no recent activity to attract attackers. Option B is wrong because service accounts may have elevated privileges and trigger false positives. Option D is wrong because guest accounts are often used and may cause false alerts.

Option C is wrong because the account must exist in Active Directory to be monitored.

46
MCQmedium

A company uses Microsoft Defender for Office 365. Users report that phishing emails with malicious links are occasionally delivered to their inboxes. The security team wants to ensure that suspicious URLs are detonated in a sandbox before delivery for all recipients. What should the security team configure?

A.Configure a Safe Links policy with 'Use Safe Attachments to scan content' enabled.
B.Enable the 'Block URLs' option in the anti-phishing policy.
C.Configure a Safe Attachments policy for email messages.
D.Enable 'Safe Links for Microsoft Teams' in the global settings.
AnswerA

This triggers sandbox detonation of URLs before delivery.

Why this answer

Safe Links for email messages normally checks URLs at time of click. To have URLs detonated in a sandbox before delivery, configure a Safe Links policy with 'Do not track user clicks' and 'Do not allow users to click through to original URL' set, ensure 'Scan URLs in email messages' is enabled, and select 'Use Safe Attachments to scan content'; that last setting is what triggers sandbox detonation of URLs in email.

Option A is correct because Safe Links with sandbox detonation (Safe Attachments scanning) is the recommended approach. Option C is wrong because Safe Attachments for email scans attachments, not URLs. Option B is wrong because the anti-phishing policy does not detonate URLs.

Option D is wrong because it only scans at click time.

47
MCQhard

A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?

A.Network Protection
B.Attack Surface Reduction rules
C.Session control in Defender for Cloud Apps
D.Windows Firewall with Advanced Security
AnswerA

Network Protection prevents outbound connections to malicious endpoints, providing network-layer blocking managed via Defender for Endpoint.

Why this answer

Network Protection in Microsoft Defender for Endpoint blocks outbound connections to command-and-control (C2) servers at the network layer by inspecting traffic using the Windows Filtering Platform (WFP). It is centrally managed via Microsoft 365 Defender policies and does not require per-device firewall rule configuration, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates confuse 'network layer blocking' with Windows Firewall, but the question specifically requires a solution centrally managed via Microsoft 365 Defender, which Network Protection fulfills through the Defender for Endpoint security configuration.

How to eliminate wrong answers

Option B is wrong because Attack Surface Reduction (ASR) rules focus on blocking file-based and script-based attack techniques (e.g., Office macro execution, credential theft from LSASS), not network-layer outbound connections to C2 servers. Option C is wrong because Session control in Defender for Cloud Apps operates at the application layer (HTTP/S) via reverse proxy, not the network layer, and is designed for controlling access to cloud apps, not blocking C2 traffic from a compromised device. Option D is wrong because Windows Firewall with Advanced Security can block outbound connections but is not centrally managed via Microsoft 365 Defender; it requires Group Policy or PowerShell for centralized management, and it lacks the threat intelligence integration that Network Protection provides for dynamic C2 blocking.

48
MCQmedium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to ensure that when a user reports a phishing email via the Microsoft Report Message add-in, the URL in the email is automatically blocked on all endpoints. What should you configure?

A.Configure Safe Links policies to block the URL.
B.Configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender.
C.Configure anti-phishing policies in Defender for Office 365.
D.Configure the Tenant Allow/Block List for URLs in the Microsoft 365 Defender portal.
AnswerD

When a user reports a phishing email, the URL is automatically added to the tenant block list, which Defender for Endpoint uses to block the URL on all endpoints.

Why this answer

Option D is correct because Defender for Office 365 can automatically add URLs reported as phishing to the tenant's block list, which Defender for Endpoint respects. Option A is wrong because Safe Links applies protection to email but does not automatically block on endpoints. Option C is wrong because it is part of Defender for Office 365 but does not block on endpoints.

Option B is wrong because it is for endpoint detection and response, not automatic blocking based on user reports.

49
Multi-Selecteasy

You are configuring Microsoft 365 tenant-to-tenant migration. Which THREE tasks must be completed before migrating users?

Select 3 answers
A.Change MX records to point to the target tenant
B.Obtain tenant consent for data migration (e.g., via admin consent)
C.Delete source tenant user mailboxes
D.Verify domain ownership in the target tenant
E.Set up directory synchronization between tenants (if needed)
AnswersB, D, E

Required for accessing source data.

Why this answer

Options B, D, and E are correct. You need to verify the target domain, ensure directory synchronization is set up, and obtain consent for data migration. Option A is wrong because MX record changes happen after migration.

Option C is wrong because you should not delete existing mailboxes until after migration.

50
Multi-Selecteasy

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Which TWO authentication methods are considered passwordless by Microsoft? (Choose two.)

Select 2 answers
A.Windows Hello for Business
B.Microsoft Authenticator with notification
C.Password Hash Synchronization
D.FIDO2 security keys
E.SMS-based one-time passcode
AnswersA, D

Windows Hello uses biometrics or PIN, passwordless.

Why this answer

Windows Hello for Business is a passwordless authentication method that uses biometric or PIN-based credentials tied to a user's device, leveraging asymmetric key pairs to authenticate against Microsoft Entra ID without transmitting a password. It satisfies Microsoft's definition of passwordless because the private key never leaves the device, and authentication is performed via a cryptographic challenge-response protocol.

Exam trap

The trap here is that Microsoft Authenticator with notification is often marketed as 'passwordless' in casual contexts, but Microsoft's official documentation strictly classifies it as a multi-factor authentication method, not a passwordless one, because it still requires a password as the first factor.

51
Multi-Selecteasy

You are a security analyst. You need to investigate a potential malware outbreak on a device using Microsoft Defender XDR. Which three data sources can you include in an advanced hunting query to gather relevant information? (Choose three.)

Select 3 answers
A.CloudAppEvents
B.DeviceFileEvents
C.EmailAttachmentInfo
D.DeviceNetworkEvents
E.DeviceProcessEvents
AnswersB, D, E

Contains file creation and modification events.

Why this answer

Options B, D, and E are correct because DeviceFileEvents, DeviceNetworkEvents, and DeviceProcessEvents are all standard tables in advanced hunting for file, network, and process activities. Option C is wrong because EmailAttachmentInfo is for email, not device. Option A is wrong because CloudAppEvents is for cloud apps.

52
MCQmedium

You are a Microsoft 365 administrator. A user reports that they received a Microsoft Teams message from an external user containing a link to a malicious website. The user clicked the link but did not enter any credentials. You need to prevent similar incidents in the future. What should you configure?

A.Configure a Teams messaging policy to block all messages from external users.
B.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
C.Enable Safe Links for Microsoft Teams in Defender for Office 365.
D.Configure an anti-phishing policy to protect against impersonation in Teams.
AnswerC

Safe Links for Teams rewrites and checks URLs at the time of click, blocking malicious links.

Why this answer

Option C is correct because enabling Safe Links for Microsoft Teams in Defender for Office 365 provides time-of-click protection for links shared in Teams. Option A is wrong because blocking all external messages would hinder collaboration. Option B is wrong because Safe Attachments scans files, not links.

Option D is wrong because anti-phishing policies for Teams are not available in the same way; Safe Links is the appropriate protection.

53
MCQhard

The exhibit shows the output of a PowerShell command for a user. The user reports that they cannot access Microsoft Teams, although they have an E3 license (ENTERPRISEPACK). What is the most likely cause?

A.The Teams service plan is disabled in the user's license.
B.The user's license is suspended.
C.The user's license has expired.
D.The user does not have a license assigned.
AnswerA

The license may have Teams service plan turned off.

Why this answer

The PowerShell output shows the user has an E3 license (ENTERPRISEPACK) assigned, but the Teams service plan is disabled. Even with an active E3 license, if the Teams service plan is explicitly turned off in the license assignment, the user cannot access Microsoft Teams. This is a common configuration where an admin disables specific service plans to control feature access.

Exam trap

The trap here is that candidates assume an assigned E3 license grants access to all included services by default, overlooking that individual service plans can be disabled within the license, which is a common configuration tested in MS-102.

How to eliminate wrong answers

Option B is wrong because a suspended license would typically show a status of 'Suspended' or 'Disabled' in the output, and the user would lose access to all licensed services, not just Teams. Option C is wrong because an expired license would also affect all services under that license, and the output would likely show an expiration date or a 'Disabled' status; the E3 license shown is still active. Option D is wrong because the output clearly shows the user has an ENTERPRISEPACK license assigned, so they do have a license.

54
MCQmedium

You need to ensure that all users in your Microsoft 365 tenant are automatically enrolled in Microsoft Intune when they sign up for Microsoft 365. You want to use the default enrollment policy. What should you do?

A.Set the MDM authority to Microsoft Intune and configure automatic MDM enrollment via Azure AD.
B.Create a conditional access policy that requires device compliance and block access if not enrolled.
C.Configure a PowerShell script to run daily that adds all users to Intune.
D.Ensure that the Microsoft Intune license is assigned to each user and enable the 'Enroll automatically' setting in the Microsoft 365 admin center.
AnswerA

This enables automatic device enrollment when users sign in.

Why this answer

Option A is correct because setting the MDM authority to Microsoft Intune and configuring automatic MDM enrollment via Azure AD enables the default enrollment policy. This ensures that when users sign up for Microsoft 365, they are automatically enrolled in Intune without manual intervention, leveraging Azure AD's built-in MDM enrollment integration.

Exam trap

The trap here is that candidates often confuse the 'Enroll automatically' concept with a setting in the Microsoft 365 admin center, when in reality it is configured through Azure AD's MDM enrollment settings, not a simple toggle in the admin center.

How to eliminate wrong answers

Option B is wrong because a conditional access policy that requires device compliance and blocks access if not enrolled does not automatically enroll users; it only enforces compliance after enrollment, leaving users to manually enroll or be blocked. Option C is wrong because running a PowerShell script daily to add users to Intune is not a supported or reliable method for automatic enrollment; Intune enrollment is managed via Azure AD policies, not direct user addition scripts. Option D is wrong because while assigning Intune licenses is necessary, the 'Enroll automatically' setting does not exist in the Microsoft 365 admin center; automatic enrollment is configured via Azure AD's MDM enrollment settings, not through a separate admin center toggle.

55
MCQeasy

You are a Microsoft 365 administrator. Users report that they cannot access Microsoft Teams. You check the Microsoft 365 admin center and see that the service health for Microsoft Teams shows a 'Service degradation' incident. What is the most appropriate initial action?

A.Contact the Microsoft regional escalation engineer immediately.
B.Open a support request with Microsoft to report the outage.
C.Review the incident details in the service health dashboard for an estimated resolution time and workaround.
D.Restart the Microsoft Teams service on all client machines.
AnswerC

The dashboard provides updates and guidance for ongoing incidents.

Why this answer

Option C is correct because the most appropriate initial action when a service degradation incident is already visible in the Microsoft 365 admin center is to review the incident details in the service health dashboard. This provides the estimated resolution time, current status, and any available workarounds published by Microsoft, allowing you to inform users and mitigate impact without immediately escalating or opening a support request.

Exam trap

The trap here is that candidates assume a service degradation requires immediate escalation or a support ticket, but the correct first step is to check the service health dashboard for existing incident details and workarounds before taking any further action.

How to eliminate wrong answers

Option A is wrong because contacting a Microsoft regional escalation engineer is a premature escalation step; this should only be done after reviewing the incident details and if the issue is critical and not being addressed. Option B is wrong because opening a support request to report the outage is redundant when Microsoft has already acknowledged the incident in the service health dashboard; support requests are for issues not yet recognized or requiring tenant-specific troubleshooting. Option D is wrong because restarting the Microsoft Teams service on client machines is a client-side action that cannot resolve a service-wide degradation incident that originates from Microsoft's infrastructure.

56
MCQeasy

An administrator is setting up a new Microsoft 365 tenant and has added the custom domain 'contoso.com'. The domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete domain ownership verification?

A.MX record
B.TXT record
C.CNAME record
D.SPF record
AnswerB

A TXT record containing the unique verification token provided by Microsoft proves domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing the unique verification string provided by the Microsoft 365 admin center to the public DNS zone. The TXT record proves you control the domain by allowing Microsoft to query the DNS and match the value. This is the standard method defined by RFC 1035 for domain validation.

Exam trap

The trap here is that candidates often confuse the TXT record used for domain verification with the SPF record, which is also a TXT record but serves a completely different purpose, leading them to select SPF instead of the generic TXT record option.

How to eliminate wrong answers

Option A is wrong because an MX record specifies the mail exchange server for the domain and is not used for domain ownership verification; it would be added later for mail routing. Option C is wrong because a CNAME record maps an alias to a canonical name and is not used for verification; it is typically used for services like autodiscover. Option D is wrong because an SPF record is a TXT record that specifies authorized mail servers to prevent spoofing, but it is not the specific record type used for domain verification; the verification requires a unique TXT record with a specific value, not an SPF policy.

57
MCQeasy

An administrator is planning to migrate from on-premises Exchange to Exchange Online. The current on-premises environment is Exchange 2016. The company has a hybrid deployment with Azure AD Connect. They want to use the cutover migration method. What is a prerequisite for starting a cutover migration?

A.The on-premises Exchange server must be reachable from the Microsoft 365 migration service via a public endpoint
B.The on-premises Exchange server must have the MRS Proxy service installed and running
C.TLS certificate must be bound to the on-premises Exchange server for migration authentication
D.The administrator executing the migration must have on-premises Exchange Organization Management role
AnswerA

Correct. The migration service needs to connect to the on-premises Exchange server to pull mailbox data over a secure connection.

Why this answer

For a cutover migration from on-premises Exchange 2016 to Exchange Online, the Microsoft 365 migration service must be able to connect to the on-premises Exchange server via a public endpoint. This is because cutover migration uses IMAP or Exchange Web Services (EWS) over HTTPS, requiring the on-premises server to be accessible from the internet without a VPN or private connection. Without this public endpoint, the migration service cannot discover mailboxes or synchronize data.

Exam trap

The trap here is that candidates often confuse cutover migration prerequisites with those of a hybrid deployment, incorrectly assuming MRS Proxy or Organization Management role are required, when cutover migration only needs basic EWS/IMAP accessibility and recipient management permissions.

How to eliminate wrong answers

Option B is wrong because the MRS Proxy service is required for hybrid migrations (specifically for moves using the Migration API), not for cutover migrations, which rely on direct EWS or IMAP connectivity. Option C is wrong because while TLS is used for encryption, there is no requirement to bind a specific TLS certificate to the Exchange server for migration authentication; the server's existing certificate (e.g., from a public CA) suffices. Option D is wrong because the administrator executing the cutover migration only needs the Exchange Recipient Management role (or equivalent) in on-premises, not the Organization Management role, which is a higher-privilege role.

58
Multi-Selecteasy

Your organization is deploying Microsoft 365 Copilot. You need to ensure that data security is maintained. Which THREE actions should you take?

Select 3 answers
A.Disable Microsoft 365 Copilot for all users.
B.Block all external sharing for SharePoint and OneDrive.
C.Enable audit logging in Microsoft 365.
D.Configure data loss prevention (DLP) policies.
E.Create sensitivity labels to classify and protect data.
AnswersC, D, E

Audit logging helps monitor Copilot interactions and detect anomalies.

Why this answer

Option C is correct because enabling audit logging in Microsoft 365 is essential for tracking user interactions with Microsoft 365 Copilot, including prompts, responses, and data access events. This provides a forensic trail to detect unauthorized data exposure or misuse, which is a foundational requirement for maintaining data security in AI-powered workloads.

Exam trap

The trap here is that candidates often assume blocking external sharing (Option B) is a primary security control for Copilot, when in fact Copilot's data security risks are more about internal data leakage through AI processing, which requires audit logging, DLP, and sensitivity labels to mitigate.

59
MCQhard

A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.DeviceEvents
D.DeviceRegistryEvents
AnswerA

This table records network connections with fields for remote IP and initiating process details.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures network connection events, including the initiating process filename (InitiatingProcessFileName) and the remote IP address (RemoteIP). This table is designed for hunting network-related activities, such as connections to known malicious IPs, within Microsoft Defender XDR's advanced hunting schema.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process creation) with network connection data, mistakenly thinking that process events include network details, but DeviceProcessEvents lacks the RemoteIP field entirely.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it focuses on process creation events (e.g., file execution, command-line arguments) and does not include network-specific fields like RemoteIP or remote port. Option C (DeviceEvents) is wrong because it aggregates various system-level events (e.g., file creation, registry modifications) but lacks the dedicated network connection fields required to identify the initiating process filename and remote IP address. Option D (DeviceRegistryEvents) is wrong because it only captures registry modification events (e.g., key changes, value writes) and has no relevance to network connections or IP addresses.

60
Multi-Selecthard

Which THREE factors are considered when Microsoft Entra ID evaluates a conditional access policy?

Select 3 answers
A.User or group membership
B.Mailbox size
C.User's department attribute in Microsoft Entra ID
D.Location (IP range or country)
E.Device platform (e.g., Windows, iOS)
AnswersA, D, E

Policies can be targeted to specific users or groups.

Why this answer

Microsoft Entra ID evaluates conditional access policies based on signals from the user, device, and location. User or group membership (Option A) is a primary signal because policies are typically assigned to specific users or groups to control access. Location (Option D) is evaluated using IP ranges or country codes to enforce restrictions like blocking access from untrusted networks.

Device platform (Option E) allows policies to target specific operating systems (e.g., Windows, iOS) to enforce compliance requirements like requiring Intune enrollment.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID attributes (like department) with actual conditional access conditions, but Microsoft only supports specific signals (user/group, location, device platform, risk, client apps, and sign-in risk) and not arbitrary directory attributes.

61
MCQeasy

Your company uses Microsoft Entra ID and wants to use Microsoft's recommendation to protect against password spray attacks. Which feature should you enable?

A.Smart Lockout
B.Identity Protection
C.Password Hash Synchronization
D.Multifactor Authentication
AnswerA

Smart Lockout locks accounts after repeated failed attempts.

Why this answer

Smart Lockout is Microsoft's recommended feature to protect against password spray attacks because it intelligently locks out bad actors after a threshold of failed attempts while allowing legitimate users to continue. It uses adaptive logic to distinguish between real users and attackers by considering the sign-in pattern and IP address, making it the correct choice for this specific threat.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risky sign-ins) with the direct mitigation feature Smart Lockout, or they assume MFA alone is sufficient to stop password spray attacks, when in fact Smart Lockout is the specific Microsoft-recommended control for this attack vector.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is a broader risk-detection and remediation service that identifies compromised identities and risky sign-ins, but it does not directly lock out attackers during a password spray attack; it relies on policies like Conditional Access to act on risks. Option C (Password Hash Synchronization) is wrong because it is a synchronization mechanism for password hashes from on-premises AD to Entra ID, not a security feature that mitigates password spray attacks. Option D (Multifactor Authentication) is wrong because while MFA adds a second layer of verification, it does not prevent the initial password spray attempts from being made, and Microsoft recommends Smart Lockout as the primary defense against this brute-force pattern.

62
MCQeasy

You are configuring policies in Microsoft Defender for Office 365. You need to ensure that users cannot click through to a malicious website that is hosted on a newly registered domain. Which policy setting should you enable?

A.Anti-phishing
B.Safe Links
C.Anti-spam
D.Safe Attachments
AnswerB

Safe Links scans and blocks malicious URLs at click time.

Why this answer

Option B is correct because Safe Links checks URLs at time of click and can block newly registered domains if configured. Option D is wrong because Safe Attachments deals with attachments. Option A is wrong because anti-phishing policies protect against phishing but not specifically against malicious URLs in emails.

Option C is wrong because anti-spam policies filter spam, not malicious URLs.

63
Multi-Selectmedium

An administrator needs to open a Microsoft 365 support request because all users are experiencing intermittent service outages for Exchange Online. Before contacting support, which two pieces of information should the administrator have ready to ensure efficient troubleshooting? (Choose two.)

Select 2 answers
A.Tenant ID (or Microsoft 365 tenant domain name)
B.Number of affected users
C.Detailed description of the problem and troubleshooting steps attempted
D.Network bandwidth graph from the past 24 hours
AnswersA, C

Support needs to identify the specific tenant to check service configuration and health.

Why this answer

The Tenant ID (or Microsoft 365 tenant domain name) is required by Microsoft Support to uniquely identify your tenant in their systems, enabling them to pull up your service configuration, subscription details, and relevant health data. This identifier is essential for routing the support request to the correct engineering team and for correlating the issue with backend telemetry.

Exam trap

The trap here is that candidates often confuse 'nice-to-have' diagnostic data (like the number of affected users or network graphs) with the mandatory identification and problem description that Microsoft Support requires to initiate a case.

64
Multi-Selectmedium

Your company uses Microsoft Entra ID with hybrid identity. You need to ensure that when a user is disabled in on-premises Active Directory, the corresponding cloud user is also disabled. Which TWO configurations are required?

Select 2 answers
A.Password writeback
B.Privileged Identity Management
C.Group writeback
D.Microsoft Entra Connect with directory synchronization
E.Disable the on-premises user account
AnswersD, E

Entra Connect synchronizes user attributes including account status.

Why this answer

Directory synchronization (Microsoft Entra Connect) propagates changes, and disabling the on-premises user will sync to the cloud. Option A is wrong because password writeback is for password changes. Option B is wrong because PIM is for privileged access.

Option C is wrong because group writeback is for writing cloud groups back to on-premises. Microsoft Entra Cloud Sync is an alternative to Connect, but Connect is typically used.

65
MCQeasy

Your organization has a Microsoft 365 E5 subscription. You want to enable Microsoft Defender for Office 365 to protect against malicious attachments in email. Which policy should you configure?

A.Anti-phishing policy
B.Anti-malware policy
C.Safe Attachments policy
D.Safe Links policy
AnswerC

Safe Attachments scans email attachments for malicious content.

Why this answer

Safe Attachments policy is the correct choice because Microsoft Defender for Office 365's Safe Attachments feature specifically protects against malicious attachments in email by detonating them in a virtual sandbox environment before delivery. This policy allows you to configure actions for detected malware, such as blocking, replacing, or dynamically delivering attachments based on threat analysis.

Exam trap

The trap here is that candidates often confuse the basic Anti-malware policy (which uses signature-based detection) with the advanced Safe Attachments policy (which uses sandbox detonation), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policy protects against phishing attempts by analyzing sender reputation, impersonation, and spoofing, not by scanning attachments for malware. Option B is wrong because Anti-malware policy provides basic malware protection using the built-in malware engine but does not include the advanced sandboxing and detonation capabilities of Safe Attachments. Option D is wrong because Safe Links policy protects users from malicious URLs in email and Office documents by checking links at time of click, not by scanning attachments.

66
Multi-Selecteasy

Which TWO Microsoft Purview solutions are primarily used for data classification?

Select 2 answers
A.Data Loss Prevention
B.Auto-labeling
C.Communication Compliance
D.Data Lifecycle Management
E.Sensitivity labels
AnswersB, E

Auto-labeling automatically classifies content.

Why this answer

Auto-labeling applies labels based on sensitive info types. Sensitivity labels are the classification labels themselves. DLP is for protection.

Data Lifecycle Management is for retention. Communication Compliance is for monitoring.

67
MCQhard

You run the above KQL query in Microsoft Defender for Endpoint advanced hunting. What is the purpose of this query?

A.To identify the top 10 devices with the most suspicious process injection alerts
B.To correlate device alerts with user activities
C.To list all devices with high severity alerts
D.To find the top 10 devices with the most alerts of any type
AnswerA

It filters for that alert title and returns top 10.

Why this answer

Option A is correct. The query filters on the process injection alert title, summarizes by DeviceName, counts alerts, and then returns the top 10. Option C is wrong because the query does not filter by severity.

Option B is wrong because the query does not correlate device alerts with user activity. Option D is wrong because the query is restricted to a single alert title, not alerts of any type.

68
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for role activation. They want to require that any activation of the Security Administrator role be approved by a designated group of approvers called 'Security Approvers'. Activations must include a ticket number and expire after 8 hours. Which PIM configuration should the administrator modify?

A.Role settings for Security Administrator
B.Role assignments for Security Administrator
C.Access reviews for Security Administrator
D.Alerts for Security Administrator
AnswerA

Role settings configure activation rules such as whether approval is required, justification, and max duration.

Why this answer

Option A is correct because Azure AD PIM role settings for a specific role, such as Security Administrator, control activation requirements including approval workflow, justification (ticket number), and maximum activation duration. By modifying the role settings, the administrator can require approval from the 'Security Approvers' group, mandate a ticket number, and set an 8-hour expiration.

Exam trap

The trap here is confusing role settings (which control activation policies) with role assignments (which control who can activate), leading candidates to mistakenly choose Option B when the question asks about activation requirements rather than eligibility.

How to eliminate wrong answers

Option B is wrong because role assignments define who is eligible or active for the role, not the activation policies like approval or duration. Option C is wrong because access reviews are periodic attestations of existing assignments, not a mechanism to configure activation requirements. Option D is wrong because alerts in PIM notify about suspicious activities or configuration changes, but do not control activation settings.

69
MCQhard

Your company is deploying Microsoft Copilot for Microsoft 365. You need to ensure that only users who have completed a specific training course can use Copilot. What should you configure?

A.Use Terms of Use to require acceptance of training policy
B.Configure Authentication strengths to require training certificate
C.Create a Conditional Access policy that requires a custom attribute indicating training completion
D.Assign Copilot licenses only to users who completed training
AnswerC

Conditional Access can use custom security attributes to require a condition.

Why this answer

Option C is correct because a Conditional Access policy can evaluate a custom security attribute assigned to a user or group to enforce access controls. By requiring a custom attribute that indicates training completion, you can block or grant access to Copilot for Microsoft 365 based on that attribute. This approach integrates directly with Microsoft Entra ID's policy engine, allowing granular, attribute-based access control without relying on license assignment or user acceptance.

Exam trap

The trap here is that candidates often confuse license-based assignment (Option D) with attribute-based access control, assuming that simply not assigning a license is sufficient, but Microsoft Copilot for Microsoft 365 can still be accessed via trial or free features if not blocked by a Conditional Access policy; the exam tests your understanding that Conditional Access policies are the correct mechanism for enforcing granular, attribute-driven access restrictions.

How to eliminate wrong answers

Option A is wrong because Terms of Use (ToU) only require a user to accept a policy statement; they do not verify or enforce completion of a specific training course, nor can they evaluate dynamic attributes like training status. Option B is wrong because Authentication strengths control which authentication methods (e.g., FIDO2, certificate-based auth) are allowed during sign-in, not whether a user has completed training; a training certificate is not a standard authentication method and cannot be evaluated by Conditional Access as a condition. Option D is wrong because assigning Copilot licenses only to users who completed training is a manual, administrative approach that does not enforce ongoing compliance; a user could complete training, receive a license, and then later lose the training status without automatic revocation, and it does not integrate with Entra ID's policy engine for real-time enforcement.

70
MCQhard

You are deploying Microsoft 365 for a new subsidiary. The subsidiary has a single domain subsidiary.com. You need to configure a hybrid identity solution with Microsoft Entra ID. The on-premises Active Directory has a single domain and all user accounts are synchronized using Microsoft Entra Connect. You want to ensure that users can sign in to Microsoft 365 using their on-premises credentials without exposing the password hash to Microsoft. What should you do?

A.Configure password hash synchronization.
B.Create cloud-only user accounts and disable on-premises authentication.
C.Implement Active Directory Federation Services (AD FS) with Microsoft Entra ID.
D.Enable pass-through authentication (PTA) with Microsoft Entra Connect.
AnswerD

PTA validates passwords on-premises without storing hashes in the cloud.

Why this answer

Option D is correct because pass-through authentication (PTA) allows users to sign in to Microsoft 365 using their on-premises credentials without storing password hashes in Microsoft Entra ID. PTA validates passwords directly against on-premises Active Directory via an agent, ensuring no password hash is exposed to Microsoft, which meets the stated requirement.

Exam trap

The trap here is that candidates often confuse pass-through authentication with password hash synchronization, assuming both expose credentials, but PTA avoids any hash storage while still enabling cloud authentication.

How to eliminate wrong answers

Option A is wrong because password hash synchronization stores a hash of the on-premises password in Microsoft Entra ID, which directly exposes the password hash to Microsoft, violating the requirement. Option B is wrong because creating cloud-only user accounts and disabling on-premises authentication would break the hybrid identity requirement, as users would no longer use their on-premises credentials for sign-in. Option C is wrong because while AD FS also avoids storing password hashes in the cloud, it introduces additional infrastructure complexity and is not the simplest solution; PTA is the recommended choice for this specific scenario where password hash exposure must be avoided without deploying federation servers.

71
MCQmedium

A compliance officer needs to automatically retain emails that contain personally identifiable information (PII) for 10 years and then permanently delete them. Which Microsoft Purview feature should be configured?

A.Auto-apply retention labels based on sensitive information types
B.Data Lifecycle Management retention policy
C.Data classification
D.eDiscovery
AnswerA

Retention labels can be auto-applied to emails containing PII, triggering a 10-year retention and subsequent deletion.

Why this answer

Auto-apply retention labels based on sensitive information types allow you to automatically classify and retain emails containing PII for a specified period (10 years) and then permanently delete them. This feature uses sensitive information types (e.g., Social Security Number, Credit Card Number) to detect PII and applies a retention label that enforces the retention and deletion actions at the item level, which is required for targeted compliance scenarios.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management retention policies (which apply broadly to all content in a location) with auto-apply retention labels (which apply only to content matching specific sensitive information types), leading them to incorrectly select option B.

How to eliminate wrong answers

Option B is wrong because Data Lifecycle Management retention policy applies to all content in a location (e.g., entire mailbox or site) and cannot automatically target only emails containing specific sensitive information like PII; it lacks the auto-classification capability based on content inspection. Option C is wrong because Data classification is a discovery and labeling tool that identifies and categorizes data but does not itself enforce retention or deletion actions; it requires a retention label or policy to act on the classification. Option D is wrong because eDiscovery is used for searching and exporting content for legal or investigative purposes, not for automated retention and deletion based on content type.

72
MCQmedium

A compliance officer needs to prevent users from sending emails that contain credit card numbers to external recipients. When a user attempts to send such an email, the action should be blocked and a policy tip should be displayed in Outlook telling them why the email was blocked. Which Microsoft Purview solution should be configured?

A.Data Loss Prevention (DLP) policy
B.Retention label policy
C.Microsoft Purview Information Protection sensitivity label
D.Compliance Manager
AnswerA

DLP policies can identify, monitor, and protect sensitive data across Exchange Online, SharePoint, and OneDrive. They support policy tips and blocking actions.

Why this answer

A Data Loss Prevention (DLP) policy in Microsoft Purview is designed to detect and block sensitive information, such as credit card numbers, from being sent to external recipients. When configured with a 'Block' action and a policy tip, it prevents the email from being sent and displays a customizable notification in Outlook explaining the reason. This directly meets the compliance officer's requirement to block the email and show a policy tip.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify and protect data) with DLP policies (which enforce actions like blocking based on content inspection), leading them to choose Option C because they think labeling alone can block emails.

How to eliminate wrong answers

Option B is wrong because a Retention label policy is used to retain or delete data based on compliance requirements, not to block the transmission of sensitive content in emails. Option C is wrong because a Microsoft Purview Information Protection sensitivity label applies classification and protection (e.g., encryption) to content, but it does not natively block outbound emails containing credit card numbers or display policy tips in Outlook. Option D is wrong because Compliance Manager is a risk assessment and compliance management tool that provides recommendations and tracks compliance posture, not a policy that enforces real-time blocking of sensitive data in email.

73
MCQeasy

An administrator needs to delegate the ability to manage user licenses and assign roles to a junior admin, but without granting them access to the Microsoft 365 admin center's other settings. Which role should the junior admin be assigned?

A.User Administrator
B.License Administrator
C.Global Administrator
D.Helpdesk Administrator
AnswerB

License Administrator can assign and remove licenses, manage license-based groups, and assign other administrative roles (with restrictions).

Why this answer

The License Administrator role is the correct choice because it specifically grants the ability to assign and remove licenses for users, as well as set their usage location, without providing access to other Microsoft 365 admin center settings like user creation, role assignment, or security features. This role is designed for delegated license management while maintaining least privilege.

Exam trap

The trap here is that candidates often confuse the License Administrator role with the User Administrator role, mistakenly believing that User Administrator is required for license management, but the License Administrator role is the precise least-privilege role for this task.

How to eliminate wrong answers

Option A is wrong because the User Administrator role can create and manage user accounts, reset passwords, and assign licenses, but it also grants broader user management capabilities, including the ability to create and delete users, which exceeds the requirement to only manage licenses and assign roles. Option C is wrong because the Global Administrator role provides unrestricted access to all Microsoft 365 admin center settings, including security, compliance, and billing, which violates the requirement to limit access to other settings. Option D is wrong because the Helpdesk Administrator role is focused on password resets and service request management, and it does not include the ability to assign licenses or manage user roles.

74
MCQeasy

A compliance officer needs to ensure that all emails sent to a specific distribution group are automatically retained for 3 years and then deleted. Which Microsoft Purview feature should be used?

A.Data Lifecycle Management (retention policy)
B.Information Protection (sensitivity labels)
C.Data Loss Prevention (DLP policy)
D.eDiscovery (content search)
AnswerA

Retention policies can target Exchange Online mailboxes and apply a retention period followed by deletion.

Why this answer

Option A is correct because Data Lifecycle Management (retention policies) in Microsoft Purview is specifically designed to enforce retention and deletion rules for content across Exchange Online, SharePoint, OneDrive, and Teams. For emails sent to a distribution group, you can create a retention policy that applies to all messages in the group's mailbox, retaining them for exactly 3 years and then permanently deleting them, using the 'Retain for 3 years, then delete' action.

Exam trap

The trap here is that candidates often confuse retention policies (Data Lifecycle Management) with DLP policies, thinking DLP can enforce retention, but DLP only prevents data loss, not schedules deletion.

How to eliminate wrong answers

Option B is wrong because Information Protection (sensitivity labels) classify and protect data based on sensitivity (e.g., encryption, markings), not enforce time-based retention or deletion of emails. Option C is wrong because Data Loss Prevention (DLP policy) monitors and prevents unauthorized sharing of sensitive data (e.g., credit card numbers) but does not manage retention schedules or automatic deletion. Option D is wrong because eDiscovery (content search) is used to search and export content for legal or investigative purposes, not to automatically retain or delete emails on a fixed schedule.

75
MCQhard

You are the Microsoft 365 administrator for Contoso Ltd., a company with 500 users. The company uses a hybrid identity with Azure AD Connect. You have a dynamic group named 'SalesGroup' that includes all users with department attribute equal to 'Sales'. Recently, the HR system updated the department for 20 users from 'Sales' to 'Marketing'. The Azure AD Connect sync completed successfully, and the attribute changes are reflected in Azure AD. However, after 48 hours, these users are still members of 'SalesGroup'. You need to ensure that the group membership accurately reflects the department attribute within the next hour. The solution must use minimal administrative effort. What should you do?

A.Remove the users from the group manually
B.Delete and recreate the dynamic group with the same rule
C.Trigger a manual evaluation of the dynamic group in Azure AD
D.Wait another 24 hours for the next automatic evaluation
AnswerC

Forces immediate membership update.

Why this answer

Option C is correct because Azure AD dynamic groups are not automatically re-evaluated immediately after a sync; they rely on a periodic background evaluation process that can take up to 24 hours. By triggering a manual evaluation in the Azure AD admin center or via PowerShell (using the `Invoke-MgGraphRequest` or `Update-MgGroup` cmdlet), you force an immediate recalculation of group membership based on the current attribute values, ensuring the 20 users are removed from SalesGroup within the hour with minimal administrative effort.

Exam trap

The trap here is that candidates assume dynamic groups are evaluated immediately after an attribute sync, but Microsoft deliberately tests the understanding that dynamic group membership evaluation is asynchronous and can take up to 24 hours unless manually triggered.

How to eliminate wrong answers

Option A is wrong because manually removing users defeats the purpose of a dynamic group and requires ongoing administrative effort, which contradicts the 'minimal administrative effort' requirement and does not fix the underlying evaluation delay. Option B is wrong because deleting and recreating the dynamic group would cause temporary loss of the group object, potentially breaking assigned permissions or licenses, and still requires waiting for the new group to be evaluated; it is an unnecessary and disruptive workaround. Option D is wrong because waiting another 24 hours does not meet the requirement to resolve the issue within the next hour, and the automatic evaluation could take up to 24 hours from the last evaluation, not from the sync completion.
