Microsoft 365 Administrator MS-102 (MS-102) — Questions 676-750

975 questions total · 13 pages · All types, answers revealed


Page 10 of 13

676
MCQmedium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?

A.EmailEvents
B.EmailUrlInfo
C.EmailAttachmentInfo
D.DeviceEvents
AnswerB

EmailUrlInfo records every URL found in a message (Url, UrlDomain, UrlLocation), keyed by NetworkMessageId; of the four options it is the only table that tells you which links a message contained.

Why this answer

Among the four options, EmailUrlInfo is the table that records the URLs present in an email (Url, UrlDomain, UrlLocation), keyed by NetworkMessageId so it can be joined to EmailEvents for sender, recipient and delivery action. Note that EmailUrlInfo does not record clicks: Safe Links click telemetry (the URL, the account, whether the click was allowed or blocked, and whether the user clicked through a warning) lives in the UrlClickEvents table, which also carries NetworkMessageId. In practice the detection is EmailEvents joined to EmailUrlInfo to find delivered messages containing the malicious domain, then joined to UrlClickEvents to find who actually clicked.

Exam trap

The trap here is picking EmailEvents because it is the "main" email table. EmailEvents holds one row per message and recipient with delivery metadata and a UrlCount, but not the URLs themselves; the URL content is in EmailUrlInfo, and click data is in UrlClickEvents.

How to eliminate wrong answers

Option A is wrong because EmailEvents captures metadata about email delivery (sender, recipient, delivery action, threat verdicts, a count of URLs) but not the URLs contained in the message or any click activity. Option C is wrong because EmailAttachmentInfo tracks file attachments in emails, not URLs or link clicks. Option D is wrong because DeviceEvents logs miscellaneous endpoint events (ASR and AMSI events, driver loads and the like) and does not contain email URL click data.
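The query below is an added example written for this page, not code from the exam or from Microsoft: it shows the three-table join the explanation describes, in Defender XDR advanced hunting KQL. The domain watchlist is a constructed placeholder; table and column names are the advanced hunting schema.

```kql
// Added example, not from the exam page: users who clicked a link, in a delivered
// message, whose domain is on a watchlist. The watchlist is a constructed placeholder;
// table and column names are the Defender XDR advanced hunting schema.
let BadDomains = dynamic(["login-micros0ft.example", "invoice-pay.example"]);
let Lookback = 7d;
EmailEvents
| where Timestamp > ago(Lookback)
| where DeliveryAction == "Delivered"          // skip mail already blocked or junked
| project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveredAt = Timestamp
// EmailUrlInfo: which URLs the message contained (no click information here)
| join kind=inner (
    EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where UrlDomain in~ (BadDomains)
    | project NetworkMessageId, Url, UrlDomain
  ) on NetworkMessageId
// UrlClickEvents: Safe Links click telemetry, including whether the click was allowed
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(Lookback)
    | project NetworkMessageId, Url, Timestamp, ReportId, AccountUpn, ActionType, IsClickedThrough
  ) on NetworkMessageId, Url
| project Timestamp, ReportId, AccountUpn, RecipientEmailAddress, SenderFromAddress, Subject,
          UrlDomain, Url, ActionType, IsClickedThrough, DeliveredAt
| order by Timestamp desc
```

Two things to keep in mind when turning this into a custom detection rule: Timestamp and ReportId come from UrlClickEvents (with AccountUpn as the entity), and clicks are only recorded for links that Safe Links protected, so ActionType == "ClickAllowed" is the case that needs a response, while "ClickBlocked" means the control worked.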

677
MCQeasy

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

A.Attack surface reduction rules
B.Network protection
C.Exploit protection
D.Controlled folder access
AnswerA

ASR rules are the Defender for Endpoint control that blocks untrusted executables from launching, including binaries dropped into temporary folders.

Why this answer

Attack surface reduction (ASR) rules are a Microsoft Defender for Endpoint capability (they require Microsoft Defender Antivirus as the active antivirus) that block risky executable behaviour. The rule that fits this requirement is 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID 01443614-cd74-433a-b99e-2ecdc07bfc25): it stops executable files (.exe, .dll, .scr) that are not widely seen, not old enough, or not on a trusted list, which is exactly the profile of a binary just dropped into the Windows Temp folder. (The GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 sometimes cited for this scenario is the LSASS credential-stealing rule, not an execution-from-Temp rule.) Note that ASR rules are not scoped to a folder path; the rule applies wherever the file launches. If the requirement is literally "nothing may execute from this path", that is an AppLocker or Windows Defender Application Control path rule, which is why ASR is the answer only among the Defender for Endpoint features offered here.

Exam trap

The trap here is that candidates often confuse Controlled folder access (which protects files from modification) with execution control, or they mistakenly think Network protection can block local file execution because it sounds like a broad security measure.

How to eliminate wrong answers

Option B (Network protection) is wrong because it prevents users from accessing malicious websites or IP addresses, not from running local executable files from a folder. Option C (Exploit protection) is wrong because it applies mitigations to system processes and applications to prevent exploitation of vulnerabilities, such as heap spray or code injection, not to block execution from a specific folder path. Option D (Controlled folder access) is wrong because it protects folders from unauthorized changes by untrusted applications, such as ransomware encryption, but does not block the execution of executables from the Temp folder.

678
MCQhard

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A user reports that their device is running slowly and exhibiting unusual network traffic. You investigate in Microsoft Defender XDR and see a high number of alerts for the device. You need to determine if the device is compromised and, if so, initiate an automated investigation. What should you do first?

A.Isolate the device from the network immediately
B.Initiate a Live Response session to gather forensic data
C.Use the Microsoft Defender XDR portal to trigger an automated investigation on the device
D.Run a full antivirus scan from Microsoft Defender Antivirus
AnswerC

Automated investigation and response (AIR) is the Defender for Endpoint Plan 2 feature that collects evidence on a device and proposes or takes remediation.

Why this answer

Option C is correct because starting an automated investigation from the device or alert page in the Microsoft Defender XDR portal is the step the question asks for: AIR (available with Defender for Endpoint Plan 2) examines the alerts on the device, collects evidence and either remediates automatically or queues pending actions for approval, depending on the device group's automation level. Option B is wrong because a Live Response session is manual, analyst-driven collection, not an automated investigation. Option D is wrong because a full antivirus scan is a single remediation action and does not investigate the alerts.

Option A is wrong because isolating the device is a manual containment action; it is not wrong to do in an emergency, but it is not how you start an automated investigation, and it disrupts the user before compromise has been established.

679
MCQhard

Refer to the exhibit. You run the KQL query and see that a device named 'WORKSTATION42' has made 1500 connections to a public IP address 203.0.113.55 in the last day. You suspect the device may be compromised. What should you do next to gain the most context?

A.Isolate the device immediately using Microsoft Defender for Endpoint
B.Expand the query to join with DeviceProcessEvents to see which process initiated the connections
C.Add the IP address to the Tenant Allow/Block List to block it
D.Create a Safe Links policy to block the IP address
AnswerB

Provides context on the process causing the traffic.

Why this answer

Option B is correct because the process that initiated the connections is the context that separates a beacon from a browser: DeviceNetworkEvents already carries InitiatingProcessFileName, InitiatingProcessCommandLine and InitiatingProcessSHA256 for every connection, and a join to DeviceProcessEvents adds the parent chain and creation time of that process. Option A is wrong because isolating the device first interrupts the user and your own investigation before you know what the traffic is; isolation is the containment step you take once the process turns out to be malicious. Option D is wrong because Safe Links protects links in email, Teams and Office documents, not device network traffic.

Option C is wrong because the Tenant Allow/Block List governs mail flow in Exchange Online Protection; it has no effect on outbound connections from an endpoint. The endpoint-side control for an IP is a custom network indicator in Defender for Endpoint, and even that is reactive until you know which process to look at.
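As an added example (not from the exam page, not Microsoft's code), this advanced hunting query does the pivot Option B describes for the device and IP in the question. DeviceNetworkEvents already names the initiating process, so the first step needs no join; the left-outer join to DeviceFileEvents adds where the binary came from when the sensor recorded a download origin. The device name prefix and IP are the question's values; everything else is the advanced hunting schema.

```kql
// Added example, not from the exam page. Which process on WORKSTATION42 made the
// connections to 203.0.113.55, and where did that binary come from?
let SuspectIp = "203.0.113.55";
let SuspectDevice = "WORKSTATION42";        // DeviceName is usually an FQDN, hence startswith
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where DeviceName startswith SuspectDevice and RemoteIP == SuspectIp
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Ports = make_set(RemotePort, 10), Outcomes = make_set(ActionType, 5)
          by DeviceId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
             InitiatingProcessSHA256, InitiatingProcessAccountName, InitiatingProcessParentFileName
// Origin of the connecting binary: the FileCreated event for the same hash on the same device
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(30d)
    | where DeviceName startswith SuspectDevice and ActionType == "FileCreated" and isnotempty(SHA256)
    | project DeviceId, SHA256, WrittenAt = Timestamp, WrittenBy = InitiatingProcessFileName, FileOriginUrl, FileOriginIP
    | summarize arg_max(WrittenAt, WrittenBy, FileOriginUrl, FileOriginIP) by DeviceId, SHA256
  ) on DeviceId, $left.InitiatingProcessSHA256 == $right.SHA256
| project FirstSeen, LastSeen, Connections, Ports, Outcomes,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessSHA256,
          WrittenAt, WrittenBy, FileOriginUrl, FileOriginIP
| order by Connections desc
```

Fifteen hundred connections from one process at a steady interval reads like a beacon; if the process is a browser or svchost.exe, it is a conduit and the parent process and command line are the next pivot. A run of "ConnectionFailed" outcomes to a single port is itself a signal that the remote side has gone away or been taken down.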

680
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads more than 100 files from SharePoint Online within 10 minutes. What should you configure?

A.Create an activity policy
B.Create an app discovery policy
C.Create a session policy
D.Create an OAuth app policy
AnswerA

Activity policies can detect anomalous download activity.

Why this answer

Option A is correct because an activity policy in Defender for Cloud Apps can be set to act on repeated activity, for example more than 100 "Download file" activities by the same user within 10 minutes, filtered to the Microsoft SharePoint Online app (the Microsoft 365 app connector must be connected for those activities to reach Defender for Cloud Apps). Option B is wrong because app discovery policies alert on newly discovered or risky apps in Cloud Discovery traffic logs. Option C is wrong because session policies control what a user can do inside a proxied session (block a download, apply a label), not alert on volume.

Option D is wrong because OAuth app policies govern permissions granted to third-party apps, not user file activity. Anomaly detection policies such as "Unusual file download" also fire on download bursts, but their baselines are learned and their thresholds are not set by the administrator, so they do not satisfy an exact 100-in-10-minutes requirement.
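The exam answer is the activity policy in the Defender for Cloud Apps portal; as an added example (not from the page, not Microsoft's code) the same threshold can be expressed over the CloudAppEvents table in advanced hunting, which is useful for validating the policy's hits or hunting back over the 30-day retention window. The application name is the value the Microsoft 365 connector uses for SharePoint; confirm it in your tenant with `CloudAppEvents | distinct Application`.

```kql
// Added example, not from the exam page: "more than 100 SharePoint downloads by one
// user within 10 minutes" over CloudAppEvents. bin() uses fixed 10-minute buckets,
// so a burst that straddles a bucket boundary can be under-counted; the activity
// policy's repeated-activity counter is a rolling window and does not have that gap.
let Threshold = 100;
let Window = 10m;
CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft SharePoint Online"
| where ActionType == "FileDownloaded"
| summarize Downloads = count(),
            Sites = dcount(tostring(RawEventData.SiteUrl)),
            FirstDownload = min(Timestamp), LastDownload = max(Timestamp),
            SourceIPs = make_set(IPAddress, 5)
          by AccountObjectId, AccountDisplayName, IsExternalUser, bin(Timestamp, Window)
| where Downloads > Threshold
| project Window = Timestamp, AccountDisplayName, AccountObjectId, IsExternalUser,
          Downloads, Sites, SourceIPs, FirstDownload, LastDownload
| order by Downloads desc
```

Downloads spread across many sites from an IP the user has never used before is the pattern that distinguishes exfiltration from a sync client re-downloading one library; the Sites and SourceIPs columns are there to make that distinction visible in the result.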

681
Multi-Selectmedium

Your organization needs to implement a Conditional Access policy that blocks access from countries where the company has no business operations. Which condition should you configure?

Select 1 answer
A.Device platforms
B.Locations
C.User risk
D.Client apps
E.Sign-in risk
AnswersB

Named locations can be defined by country or region and targeted in the Locations condition.

Why this answer

Option B (Locations) is correct because you define a named location by country or region and then target it in the Locations condition with a Block grant. Two workable shapes: a named location listing the blocked countries (tick "Include unknown countries/regions" so sign-ins whose country cannot be determined are covered), or a policy that includes All locations and excludes a named location listing the countries where you do operate. Countries are derived from the sign-in IP (or from GPS, if you choose that option), so a VPN exit in an allowed country bypasses the control; exclude your break-glass accounts from the policy before enabling it. Option E (Sign-in risk) is incorrect because it does not filter by country. Option A (Device platforms) is incorrect because it matches the operating system, not the location.

Option D (Client apps) is incorrect because it distinguishes browser, mobile and legacy clients. Option C (User risk) is incorrect because it reflects Identity Protection's assessment of the account, not where the sign-in comes from.

682
MCQhard

A security administrator wants to block executable files from running from writable system directories such as %TEMP% and %APPDATA% on Windows devices. Which attack surface reduction (ASR) rule should be enabled?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
B.Block Office communication application from creating child processes.
C.Block credential stealing from the Windows local security authority subsystem (lsass.exe).
D.Block executable content from email client and webmail.
AnswerA

This rule blocks untrusted executables wherever they launch; the user-writable directories named in the question are where such files usually land.

Why this answer

The ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) blocks executable files (.exe, .dll, .scr) from launching unless they are widely seen by Microsoft's cloud, older than a set age, or on a trusted list; it depends on cloud-delivered protection being enabled. The rule is not path-scoped, but a freshly dropped binary in %TEMP% or %APPDATA% is exactly the low-prevalence, new file it is built to stop, which makes it the answer to the administrator's requirement. Run it in audit mode first, then add the legitimate installers or agents it flags to the trusted list (Allow file indicators or per-rule exclusions) before switching to block.

Exam trap

The trap here is that candidates often confuse the 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' rule with the 'Block executable content from email client and webmail' rule, mistakenly thinking the latter covers all executable execution from writable directories when it only applies to email/webmail sources.

How to eliminate wrong answers

Option B is wrong because 'Block Office communication application from creating child processes' stops Outlook from spawning child processes (a script-delivery vector), not executables launching from writable directories. Option C is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' specifically protects LSASS from credential dumping via tools like Mimikatz, not from executables running in %TEMP% or %APPDATA%. Option D is wrong because 'Block executable content from email client and webmail' prevents executable attachments from being launched from Outlook and from webmail (e.g., Outlook.com, Gmail), which is a different entry point than local writable system directories.
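The audit-then-block sequence recommended for this rule, and for the Temp-folder scenario in question 677, is easier with a query that shows what the rule is hitting. This is an added example (not from the page, not Microsoft's code) over the DeviceEvents table, where ASR events land. The two ActionType names are the ones the ASR rule reference lists for rule 01443614; if your tenant shows different names, list them with `DeviceEvents | where ActionType startswith "Asr" | distinct ActionType` and substitute.

```kql
// Added example, not from the exam page: what rule 01443614-cd74-433a-b99e-2ecdc07bfc25
// is stopping (block mode) or would stop (audit mode), grouped by binary and path.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in ("AsrUntrustedExecutableAudited", "AsrUntrustedExecutableBlocked")
| extend Mode = iff(ActionType endswith "Audited", "audit", "block")
// The question's %TEMP% / %APPDATA% / Windows\Temp locations, flagged for triage
| extend UserWritablePath = FolderPath contains @"\AppData\Local\Temp\"
                         or FolderPath contains @"\AppData\Roaming\"
                         or FolderPath contains @"\Windows\Temp\"
| summarize Events = count(), Devices = dcount(DeviceId), Users = dcount(InitiatingProcessAccountName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by Mode, UserWritablePath, FolderPath, FileName, SHA256
| order by Devices desc, Events desc
```

A hash that appears on many devices under many users in audit mode is almost always a legitimate installer or agent, and it is what the rule's trusted list (an Allow file indicator in Defender XDR, or a per-rule exclusion) is for; a hash seen once, on one device, in a user's Temp folder is the case the rule exists to block.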

683
Multi-Selecteasy

A company is deploying Microsoft Defender for Office 365 to protect against advanced threats. Which two features are available only in Defender for Office 365 Plan 2 and not in Plan 1? (Choose two.)

Select 2 answers
A.Automated Investigation & Response
B.Anti-phishing
C.Safe Attachments
D.Safe Links
E.Threat Explorer
AnswersA, E

AIR is Plan 2 only.

Why this answer

Options A and E are correct. Threat Explorer and Automated Investigation & Response (AIR) are only available in Plan 2 (Plan 1 has the lighter Real-time detections view instead of Explorer). Option C is wrong because Safe Attachments is available in both plans.

Option B is wrong because anti-phishing policies (impersonation protection) are available in both plans. Option D is wrong because Safe Links is available in both plans.

684
MCQmedium

Your company has a Microsoft 365 E5 subscription. You need to prevent users from sharing files containing credit card numbers with external users. What should you configure?

A.A retention policy for SharePoint sites.
B.An information barrier policy.
C.A sensitivity label with encryption.
D.A DLP policy that blocks sharing of content with sensitive info type.
AnswerD

DLP policies can block sharing based on sensitive info types.

Why this answer

Data Loss Prevention (DLP) policies detect sensitive information types such as Credit Card Number and can block the action. Option D is correct: a DLP policy scoped to SharePoint and OneDrive with the conditions "content contains Credit Card Number" and "content is shared with people outside my organization", and a Block action (optionally with a justified override), does exactly this. Option A is wrong because retention policies manage lifecycle, not sharing.

Option C is wrong because a sensitivity label with encryption limits who can open a labelled file but does not detect credit card numbers or stop the sharing action, and it only applies where the label has been applied. Option B is wrong because information barriers restrict communication between defined groups inside the organization, not data sharing with external users.

685
Multi-Selecteasy

Your organization uses Microsoft Defender XDR. You need to configure automated actions for high-confidence phishing emails. Which TWO actions can be automatically taken by Microsoft Defender for Office 365?

Select 2 answers
A.Add a header to the email indicating it is phishing
B.Permanently delete the email from the user's mailbox
C.Soft delete the email from the user's mailbox
D.Move the email to quarantine
E.Forward the email to the security team
AnswersC, D

Soft delete removes the message from the mailbox while leaving it recoverable; hard delete is a separate, manual admin action.

Why this answer

Option D (Move to quarantine) and Option C (Soft delete) are actions the service takes automatically on high-confidence phishing: quarantine is the action for the high-confidence phishing verdict in the anti-spam policy (and zero-hour auto purge quarantines such messages when they are identified after delivery), and soft delete is the remediation that automated investigation and response (AIR) proposes or applies for malicious messages found in mailboxes. Option B (Permanently delete) is not a default automated action; hard delete is a manual action an admin takes from Threat Explorer or the action center. Option E (Forward to the security team) is not an automated action.

Option A (Add a header) is an anti-spam policy action for the spam and bulk verdicts, not for high-confidence phishing, and it is not a remediation.

686
MCQhard

A security analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a suspicious PowerShell process (e.g., using -EncodedCommand) is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP address occurs. Which two advanced hunting tables must be joined?

A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceEvents and DeviceFileCertificateInfo
C.IdentityLogonEvents and CloudAppEvents
D.EmailEvents and EmailAttachmentInfo
AnswerA

DeviceProcessEvents logs process creation events (e.g., PowerShell), and DeviceNetworkEvents logs network connections. Joining these on DeviceId within a time range identifies the described pattern.

Why this answer

The custom detection rule requires correlating a suspicious PowerShell process event with a subsequent outbound network connection to a malicious IP within a 5-minute window. DeviceProcessEvents contains process creation data (e.g., command line, process name) for detecting encoded PowerShell commands, while DeviceNetworkEvents logs network connections (destination IP, port, protocol). Joining these two tables on DeviceId and a time range allows the rule to identify the sequence of a process event followed by a network event from the same device.

Exam trap

The trap here is that candidates may confuse DeviceEvents (a catch-all table for events such as ASR and AMSI detections and driver loads; registry changes have their own DeviceRegistryEvents table) with DeviceProcessEvents, or mistakenly think cloud or email tables are relevant to endpoint-based process and network correlation.

How to eliminate wrong answers

Option B is wrong because DeviceEvents holds miscellaneous endpoint events (driver loads, ASR and AMSI events) and DeviceFileCertificateInfo holds certificate details for signed files; neither correlates process execution with network connections. Option C is wrong because IdentityLogonEvents and CloudAppEvents track user authentication and cloud application activity, not device-level process or network events. Option D is wrong because EmailEvents and EmailAttachmentInfo are focused on email delivery and attachment metadata, which are irrelevant to detecting PowerShell process behavior and outbound network connections on endpoints.

687
Multi-Selectmedium

Your organization is using Microsoft 365 Business Premium. You need to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with their work account. Which TWO configurations are required?

Select 2 answers
A.Enable MDM automatic enrollment in Microsoft Entra ID
B.Create a device compliance policy in Intune
C.Set device enrollment restrictions to allow all platforms
D.Assign device categories to users
E.Configure Intune auto-enrollment via Group Policy or Microsoft Entra ID
AnswersA, E

The MDM user scope in Entra ID is what triggers enrollment at sign-in; the device side must also be set to enroll.

Why this answer

Option A is correct because the MDM user scope in Microsoft Entra ID (Mobility (MDM and WAM) > Microsoft Intune) is what makes a device enroll in Intune when a user in scope joins it or signs in: the device discovers the Intune MDM enrollment URL and enrolls with the user's Entra ID token. Option E is correct because the device-side trigger must also be in place: Entra joined devices enroll automatically at join when the user is in the MDM user scope, while hybrid-joined (domain-joined) devices additionally need the Group Policy setting 'Enable automatic MDM enrollment using default Azure AD credentials'. Business Premium includes Intune, so licensing is covered.

Exam trap

The trap here is reading Option E as a duplicate of Option A: A is the tenant-side scope and E is the device-side trigger, and both must be present. Options B, C and D are things you may configure afterwards, but none of them starts enrollment: a compliance policy evaluates a device once it is enrolled, enrollment restrictions allow all platforms by default, and device categories are optional metadata.

688
MCQeasy

You are the Microsoft 365 administrator for Contoso, a company with 5,000 users. The company recently acquired a subsidiary, Fabrikam, which has 2,000 users currently using on-premises Exchange and Active Directory. The goal is to migrate Fabrikam users to Microsoft 365 and merge their identities into the existing Contoso tenant. The migration must minimize user password changes and preserve existing email addresses. You need to plan the identity migration. What should you do first?

A.Create a new Microsoft 365 tenant for Fabrikam and then perform a cross-tenant migration.
B.Extend the existing Contoso Active Directory to include Fabrikam objects and use a single Azure AD Connect instance.
C.Create a new Active Directory forest for Fabrikam and configure Azure AD Connect to sync to the existing Contoso tenant.
D.Export Fabrikam users to a CSV and use PowerShell to bulk create users in Microsoft Entra ID.
AnswerC

A new forest avoids naming conflicts and allows separate sync, preserving email addresses and passwords.

Why this answer

Option C is correct because keeping Fabrikam in its own forest (the existing Fabrikam forest, or a new one built for the migration as the option states) and adding that forest to the Contoso tenant's Microsoft Entra Connect installation merges the identities without disrupting the Contoso directory. A tenant has one active Entra Connect server, and that server can sync multiple forests, so Fabrikam's forest is added there rather than given a second sync server. Verifying the Fabrikam mail domains in the Contoso tenant preserves existing email addresses (the users' UPN suffixes and proxy addresses must use those verified domains), and password hash synchronization carries their current passwords across, so no password change is needed. It also avoids the complexity of extending the existing Contoso forest, which could cause namespace conflicts or schema issues.

Exam trap

The trap here is that candidates often assume extending the existing Active Directory forest (Option B) is simpler, but they overlook the identity conflicts and the fact that Entra Connect natively handles multiple forests from one server, making a separate forest the correct first step to isolate and preserve Fabrikam's identity namespace.

How to eliminate wrong answers

Option A is wrong because creating a new Microsoft 365 tenant for Fabrikam would result in a separate identity system, requiring cross-tenant migration and potentially breaking email continuity; it does not merge identities into the existing Contoso tenant as required. Option B is wrong because extending the existing Contoso Active Directory to include Fabrikam objects would require a single forest with multiple domains or OUs, which can cause UPN and SMTP address conflicts, and it does not allow preserving Fabrikam's existing email addresses without complex attribute manipulation. Option D is wrong because exporting Fabrikam users to a CSV and using PowerShell to bulk create users in Microsoft Entra ID would create new cloud-only identities, forcing all Fabrikam users to change passwords and losing their existing on-premises password hashes and email addresses.

689
MCQmedium

You manage a Microsoft Defender for Endpoint environment. A device onboarded to Defender for Endpoint is not reporting alerts. You run the Microsoft Defender for Endpoint client analyzer and see that the service is running. Which log should you review to troubleshoot the issue?

A.Network Protection logs in %ProgramData%\Microsoft\Windows Defender\NIS
B.Microsoft 365 Defender portal audit log
C.Microsoft Defender for Endpoint sensor logs located in %ProgramData%\Microsoft\Windows Defender Advanced Threat Protection\Datamart
D.Windows Event Log (Applications and Services Logs/Microsoft/Windows/Defender)
AnswerC

Sensor logs contain diagnostic info for troubleshooting communication issues.

Why this answer

Option C is correct because the sensor's own logs record its communication with the cloud service (onboarding, telemetry upload, command channel), which is what fails when an onboarded device with a running service produces no alerts. In practice look at the sensor's event channel as well (Applications and Services Logs > Microsoft > Windows > SENSE > Operational) and at the client analyzer's results; the common causes are a proxy or firewall blocking the service URLs, or a device onboarded with a package from a different tenant. Option D is wrong because the channel it names is the Defender Antivirus log, not the SENSE sensor's. Option B is wrong because the portal's audit log is cloud-side and records admin actions, not sensor connectivity.

Option A is wrong because Network Protection logs concern network filtering, not sensor communication.

690
MCQmedium

A company uses Azure AD Conditional Access to enforce MFA for all cloud apps. They have some users who are physically located in countries that are considered high-risk by the security team. The team wants to require device compliance (as defined by Intune) for sign-ins from those specific countries, while still requiring MFA from all other locations. How should the administrator configure the Conditional Access policy?

A.Create two Conditional Access policies: one for the high-risk countries requiring MFA and device compliance, and another for all other locations requiring only MFA
B.Create a single Conditional Access policy that includes both conditions (locations) and grant controls (MFA and device compliance) with an 'OR' operator
C.Use Azure AD Identity Protection to automatically evaluate location risk, and let Conditional Access apply the same policy to all users
D.Configure a single Conditional Access policy with multiple location conditions and multiple grant controls using an 'AND' operator
AnswerA

Correct. Separate policies allow different grant controls for different location conditions.

Why this answer

Option A is correct because Conditional Access policies are evaluated independently, and each policy can target specific conditions with distinct grant controls. By creating two separate policies, one for high-risk countries requiring both MFA and device compliance, and another for all other locations requiring only MFA, the administrator can enforce the exact requirements per location group. The second policy can simply target All locations: policies are additive, so a user in a high-risk country must satisfy both, which is the intended result. This approach avoids conflicts and ensures that users in high-risk countries are subject to stricter controls while others are not.

Exam trap

The trap here is that candidates often think a single policy can combine multiple location conditions with an 'AND' operator, but Conditional Access treats multiple locations within one policy as an 'OR' condition, making it impossible to enforce different grant controls for different location groups in one policy.

How to eliminate wrong answers

Option B is wrong because, although a policy can be set to "Require one of the selected controls", that would accept MFA alone for the high-risk countries; and a single policy has one set of grant controls, so it cannot require device compliance for one location and not for another. Option C is wrong because Azure AD Identity Protection evaluates sign-in risk (e.g., anonymous IP, leaked credentials), not geographic location risk; it cannot be used to enforce device compliance based on country. Option D is wrong because a single policy with multiple location conditions using an 'AND' operator would require a user to be in all specified locations simultaneously, which is impossible; Conditional Access evaluates location conditions with 'OR' logic within a single policy, not 'AND'.

691
MCQmedium

You need to ensure that guest users who are invited to your Microsoft Entra ID tenant can access resources without needing to accept an invitation. What should you configure?

A.Configure the 'External collaboration settings' to allow invitations to specific domains only.
B.Set the 'Guest invite settings' to 'Anyone in the organization can invite guest users'.
C.Set the 'Guest invite settings' to 'Only users assigned to specific admin roles can invite'.
D.Enable 'Email one-time passcode for guests' and set 'Allow invitations to be sent to any user' to Yes.
AnswerD

Email one-time passcode and open invitations let a guest redeem and get in at first sign-in, without an invitation email or a separate acceptance step.

Why this answer

Option D is correct because, with email one-time passcode enabled and 'Allow invitations to be sent to any user' set to Yes, a guest without a Microsoft or Entra account authenticates with a code sent to their mailbox and the redemption (consent) happens in that same first sign-in; combined with sharing the resource link directly (just-in-time redemption), there is no invitation email to open and no separate acceptance step. Note that B2B collaboration never skips redemption entirely; these settings make it transparent rather than remove it. Email one-time passcode is on by default in current tenants, so the practical check is that nobody has turned it off and that the external collaboration settings permit the invitation.

Exam trap

The trap here is that candidates often confuse settings that control who can invite guests (Options B and C) with settings that control the guest acceptance process, leading them to overlook the email one-time passcode feature that directly addresses the requirement to bypass acceptance.

How to eliminate wrong answers

Option A is wrong because configuring 'External collaboration settings' to allow invitations to specific domains only restricts which domains can be invited, but does not eliminate the need for guests to accept the invitation. Option B is wrong because setting 'Guest invite settings' to 'Anyone in the organization can invite guest users' controls who can send invitations, not whether guests must accept them. Option C is wrong because setting 'Guest invite settings' to 'Only users assigned to specific admin roles can invite' restricts invitation permissions to admins, but still requires guests to accept the invitation.

692
MCQhard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices where PowerShell or cmd.exe with encoded commands executed more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised due to excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?

A.Increase the Count threshold to 10.
B.Add a filter to exclude processes signed by a trusted certificate or running under specific service accounts.
C.Remove cmd.exe from the FileName filter.
D.Change the time range to 1 day instead of 7 days.
AnswerB

Excluding known trusted processes reduces false positives.

Why this answer

Option B is correct because a filter that excludes approved automation (known service accounts, known parent processes such as a management agent, or the hash of the approved script) removes the recurring legitimate source while leaving everything else in scope. One caveat when implementing it: powershell.exe is always Microsoft-signed, so "signed by a trusted certificate" has to be applied to the script or to the parent process, not to powershell.exe itself. Option D is wrong because shortening the range to 1 day changes how much you see, not which events are legitimate. Option C is wrong because dropping cmd.exe would miss encoded commands wrapped in cmd /c.

Option A is wrong because raising the threshold to 10 still counts the legitimate script if it runs often, and lets an attacker stay under the bar.
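The query in the exhibit is not reproduced on this page, so the following is an added example (not the page's query, not Microsoft's code) of the refined version Option B describes. The service accounts, parent processes and script hash in the allowlists are constructed placeholders; the advanced hunting table and column names are real.

```kql
// Added example, not from the exam page: encoded-command hunting with the exclusions
// from Option B. The allowlists are placeholders. powershell.exe is always
// Microsoft-signed, so the allowlist keys on who ran it, what launched it and what it
// ran, not on the signer of powershell.exe.
let KnownAutomationAccounts = dynamic(["svc-patching", "svc-monitoring"]);
let KnownAutomationParents = dynamic(["MonitoringHost.exe", "ccmexec.exe"]);
let KnownEncodedBlobHashes = dynamic([
    "8e5f2c1f0d9a3b6c4e7a1d2f5b8c9e0a1b2c3d4e5f60718293a4b5c6d7e8f901"   // sha256 of an approved blob (placeholder)
]);
let Threshold = 5;
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// -e, -ec, -en, -enc or -EncodedCommand, followed by a base64 blob; cmd.exe matches
// when it wraps "powershell -enc ..." in its own command line
| extend EncodedBlob = extract(@"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
| extend BlobHash = hash_sha256(EncodedBlob)
// Exclusions: approved automation identities, known management agents, approved payloads
| where AccountName !in~ (KnownAutomationAccounts)
| where InitiatingProcessFileName !in~ (KnownAutomationParents)
| where BlobHash !in (KnownEncodedBlobHashes)
| summarize Count = count(), DistinctBlobs = dcount(BlobHash),
            Users = make_set(AccountName, 5), Parents = make_set(InitiatingProcessFileName, 5),
            Sample = take_any(ProcessCommandLine), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by DeviceId, DeviceName
| where Count > Threshold
| order by DistinctBlobs desc, Count desc
```

Hashing the encoded blob gives a stable key for the allowlist without decoding it, and DistinctBlobs is the more useful signal than Count: a scheduled script repeats one hash, while an interactive attacker produces a new blob on every command.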

693
Multi-Selectmedium

A security analyst is investigating a potential lateral movement attack. They need to identify which processes were created on a compromised device and then which network connections were made by those processes. Which two advanced hunting tables should the analyst join in a KQL query?

Select 1 answer
A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceEvents and DeviceFileEvents
C.IdentityLogonEvents and DeviceProcessEvents
D.EmailEvents and DeviceNetworkEvents
AnswerA

DeviceProcessEvents logs process creations; DeviceNetworkEvents logs network connections. Joining them identifies processes that made connections.

Why this answer

Option A is correct because the analyst needs to correlate process creation events (DeviceProcessEvents) with network connections initiated by those processes (DeviceNetworkEvents); each option is a pair of tables, so this is a single answer. Join on DeviceId plus the process identity: DeviceProcessEvents.ProcessId and ProcessCreationTime against DeviceNetworkEvents.InitiatingProcessId and InitiatingProcessCreationTime (the creation time matters because Windows reuses PIDs). That traces which processes on the compromised device made outbound connections, including lateral movement indicators such as SMB (445), RDP (3389) or WinRM (5985/5986) to other internal hosts. Option C is wrong because IdentityLogonEvents records authentications seen by Defender for Identity, useful for the logon side of lateral movement but with no process-to-connection mapping.

Exam trap

The trap here is that candidates often confuse DeviceEvents (which includes generic security events like process creation alerts) with DeviceProcessEvents (the dedicated table for process creation data), leading them to pick Option B, but DeviceEvents lacks the detailed process-to-network mapping fields needed for this investigation.
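For the pattern in question 686 (encoded PowerShell, then a connection to a known-bad IP within 5 minutes) and the process-to-connection join in this question, here is one added example (not from the exam page, not Microsoft's code). The IP watchlist is a constructed placeholder. The output keeps Timestamp, ReportId and DeviceId, which a custom detection rule requires.

```kql
// Added example, not from the exam page: encoded PowerShell on a device, then within
// 5 minutes an outbound connection from that device to an IP on a watchlist.
let BadIps = dynamic(["203.0.113.55", "198.51.100.23"]);     // constructed placeholders
let Window = 5m;
let EncodedPs = DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine matches regex @"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    | project DeviceId, PsStart = Timestamp, PsPid = ProcessId, PsCreated = ProcessCreationTime,
              PsCommandLine = ProcessCommandLine, PsAccount = AccountName, PsParent = InitiatingProcessFileName;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIP in (BadIps)
| where ActionType in ("ConnectionRequest", "ConnectionSuccess", "ConnectionFailed", "ConnectionFound")
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort, ActionType,
          InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| join kind=inner EncodedPs on DeviceId
| where Timestamp between (PsStart .. (PsStart + Window))
// A PID is reused after a process exits, so match on creation time as well as PID
| extend SameProcess = InitiatingProcessId == PsPid and InitiatingProcessCreationTime == PsCreated
| project Timestamp, ReportId, DeviceId, DeviceName, PsAccount, RemoteIP, RemotePort, ActionType,
          SameProcess, ConnectingProcess = InitiatingProcessFileName, PsStart, PsParent, PsCommandLine
| order by Timestamp desc
```

The join on DeviceId alone pairs every watchlisted connection with every encoded command on the device inside the window, which is what the question asks for; SameProcess == true is the high-confidence subset where the PowerShell process itself made the connection. Saved as a custom detection, the rule can be set to isolate the device or collect an investigation package automatically.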

694
MCQhard

Your organization uses Microsoft Purview Information Protection. You need to ensure that when a user applies a sensitivity label to a document in SharePoint, the label is automatically applied to the document when it is downloaded. What should you configure?

A.Use a Data Loss Prevention (DLP) policy to enforce labeling.
B.Create a Conditional Access policy requiring label application.
C.Configure a sensitivity label with client-side labeling.
D.Create an auto-labeling policy in Microsoft Purview.
AnswerD

Auto-labeling can automatically apply labels to documents.

Why this answer

Auto-labeling policies in Purview apply labels to files at rest in SharePoint, OneDrive and Exchange based on the sensitive information they contain, and a label applied to an Office file is stored in the file itself, so it travels with the download. Option D is correct. Option C is wrong because client-side labeling applies only when the user, or the Office client's auto-labeling while the file is being edited, sets the label.

Option B is wrong because Conditional Access controls access, not labels. Option A is wrong because DLP policies act on sensitive or labelled content but do not apply labels.

695
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate a report of all external users who have shared sensitive files from SharePoint Online. Which feature should you use?

A.OAuth app policies
B.Activity log
C.App permissions report
D.Cloud Discovery
AnswerB

Activity log can filter by external users and file actions.

Why this answer

Option B is correct because the Activity log can be filtered by user type (external), app (Microsoft SharePoint Online) and activity type (sharing), and the filtered result can be exported as a report. Option D is wrong because Cloud Discovery is used for shadow IT, not user activity. Option C is wrong because the App permissions report shows consent grants to apps, not user file sharing.

Option A is wrong because OAuth app policies govern app permissions, not user activity.

696
MCQeasy

You are implementing Microsoft Entra Verified ID. Which technology does it use to create decentralized digital identities?

A.Decentralized Identifiers (DIDs)
B.OpenID Connect
C.OAuth 2.0
D.Security Assertion Markup Language (SAML)
AnswerA

DIDs are the foundation of Verified ID.

Why this answer

Microsoft Entra Verified ID uses Decentralized Identifiers (DIDs) as the core technology to create decentralized digital identities. DIDs are globally unique identifiers that are cryptographically verifiable and do not rely on a centralized registry, enabling self-sovereign identity scenarios where users control their own identity data.

Exam trap

The trap here is that candidates confuse authentication/authorization protocols (OpenID Connect, OAuth 2.0, SAML) with the underlying decentralized identity infrastructure (DIDs), mistakenly thinking these protocols are used to create the identity itself rather than to secure access to it.

How to eliminate wrong answers

Option B is wrong because OpenID Connect is an authentication protocol built on top of OAuth 2.0, used for verifying user identity via ID tokens, not for creating decentralized identifiers. Option C is wrong because OAuth 2.0 is an authorization framework that issues access tokens, not a technology for generating decentralized digital identities. Option D is wrong because SAML is an XML-based federated identity standard for single sign-on (SSO) that relies on a centralized identity provider, not a decentralized identity model.

697
Multi-Selecthard

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different sources. Which THREE actions should you take during the investigation?

Select 3 answers
A.Review the incident timeline to understand the sequence of events.
B.Delete all emails related to the incident from all mailboxes.
C.Use advanced hunting to query for related activities across devices and identities.
D.Isolate affected devices from the network using Microsoft Defender for Endpoint.
E.Reset the passwords of all user accounts involved.
AnswersA, C, D

The incident timeline provides a chronological view of alerts and activities.

Why this answer

Options A, C, and D are correct because during investigation, you should analyze alerts, gather evidence, and isolate affected devices. Option B is wrong because immediately deleting all related emails may destroy evidence. Option E is wrong because resetting passwords should be done after analysis.

698
Multi-Selecthard

Your organization is deploying Microsoft 365 Copilot for 200 users. You need to ensure that Copilot can access user data from Microsoft Graph to provide personalized responses. Which THREE permissions must be granted?

Select 3 answers
A. Chat.ReadWrite (Microsoft Graph)
B. Calendars.ReadWrite (Microsoft Graph)
C. Files.ReadWrite.All (Microsoft Graph)
D. User.Read.All (Microsoft Graph)
E. Mail.Send (Microsoft Graph)
Answers: A, B, C

Allows Copilot to read and write chat messages.

Why this answer

Option A is correct because Chat.ReadWrite is required for Microsoft 365 Copilot to access and process user chat data from Microsoft Graph, enabling personalized responses based on chat history and context. This permission allows Copilot to read and write chat messages, which is essential for generating context-aware replies.

Exam trap

The trap here is that candidates often assume broad permissions like User.Read.All are needed for personalization, but Microsoft 365 Copilot requires only specific data scopes (chat, calendar, files) and not directory-level read access.

699
MCQ · medium

A security administrator wants to monitor and control user downloads from a third-party SaaS application (e.g., Box) in real time. The administrator needs to apply session-level policies to block downloads based on risk. Which Microsoft 365 Defender feature should be used?

A. Cloud Discovery
B. Conditional Access App Control
C. App Connectors
D. Anomaly Detection Policies
Answer: B

Conditional Access App Control (session control) allows real-time monitoring and restriction of user actions in cloud apps, such as blocking downloads from specific sessions.

Why this answer

Conditional Access App Control (CAAC) is the correct feature because it enables real-time session-level monitoring and control of user activities within third-party SaaS applications like Box. By integrating with Microsoft Defender for Cloud Apps, CAAC can apply policies to block downloads based on risk signals such as user location, device compliance, or anomalous behavior, all within the user's active session.

Exam trap

The trap here is that candidates often confuse App Connectors (API-based control) with Conditional Access App Control (proxy-based session control), mistakenly thinking API integration can enforce real-time download blocks when it only provides retrospective or policy-based actions on stored data.

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is a tool for identifying shadow IT and assessing cloud app usage from traffic logs, not for applying real-time session-level download controls. Option C is wrong because App Connectors provide API-based visibility and control for data at rest (e.g., file scanning) but cannot enforce session-level policies in real time. Option D is wrong because Anomaly Detection Policies identify suspicious activities after they occur (e.g., impossible travel) and trigger alerts, not block downloads in real time within a session.

700
Multi-Select · medium

Your organization is planning to migrate from on-premises Exchange to Exchange Online. You need to choose a migration strategy. Which TWO statements about migration methods are correct?

Select 2 answers
A. A hybrid migration requires that you do not synchronize on-premises Active Directory with Microsoft Entra ID.
B. A minimal hybrid deployment allows you to manage mailboxes in both on-premises and Exchange Online.
C. A staged migration can be used to migrate mailboxes from Exchange 2019 to Exchange Online.
D. A cutover migration is suitable for organizations with fewer than 2000 mailboxes.
E. An IMAP migration migrates email, contacts, and calendar data.
Answers: B, D

Minimal hybrid provides coexistence and migration capabilities.

Why this answer

Options B and D are correct. Option B: Minimal hybrid is a valid migration approach. Option D: Cutover migration is for fewer than 2000 mailboxes.

Option C is wrong because staged migration is not supported for Exchange 2019. Option E is wrong because IMAP migration does not migrate calendar data. Option A is wrong because hybrid migration requires AD synchronization.

701
MCQ · hard

You are configuring Microsoft Defender for Office 365 to protect against business email compromise (BEC) attacks. Which policy setting should you enable to analyze email sender behavior and detect impersonation attempts?

A. Safe Attachments policy - Dynamic Delivery
B. Anti-phishing policy - Impersonation protection
C. Safe Links policy - URL scan
D. Anti-malware policy - Malware filter
Answer: B

Impersonation protection detects impersonation of users, domains, or brands.

Why this answer

Option B is correct because Anti-phishing policies in Defender for Office 365 include impersonation protection that analyzes sender behavior to detect impersonation attempts. Option D (Anti-malware) deals with malware. Option A (Safe Attachments) deals with attachments.

Option C (Safe Links) deals with URLs.

702
MCQ · hard

A company uses Microsoft Entra ID Governance to automate the lifecycle of user access. They want to automatically remove a user's group membership for a critical application 30 days after the user's employment end date is captured from the HR system. Which feature should be configured to meet this requirement?

A. Access Reviews
B. Entitlement management
C. Lifecycle Workflows
D. Privileged Identity Management
Answer: C

Lifecycle Workflows can be triggered by HR events (e.g., termination) and execute tasks like removing group memberships automatically.

Why this answer

Lifecycle Workflows (LCW) in Microsoft Entra ID Governance are specifically designed to automate joiner, mover, and leaver processes triggered by HR data. A 'leaver' workflow can be configured to remove group memberships a defined number of days after the employee's employment end date is captured from the HR system, meeting the 30-day requirement precisely.

Exam trap

The trap here is confusing Lifecycle Workflows (which handle HR-triggered automated actions with delays) with Entitlement management (which manages access packages and requests but lacks native HR event-driven scheduling).

How to eliminate wrong answers

Option A is wrong because Access Reviews are periodic attestation processes that require manual or scheduled approval to confirm access, not automated time-based removal triggered by an HR event. Option B is wrong because Entitlement management manages access packages and requests but does not natively support a delay-based removal triggered by an HR employment end date; it relies on access reviews or expiration policies that are not tied to HR lifecycle events. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval for privileged roles, not automated removal of standard group memberships based on an HR-driven schedule.

703
MCQ · easy

You need to provide external partners with access to specific SharePoint Online sites without creating user objects in your Microsoft Entra ID. What should you use?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra B2C
C. Application Proxy
D. Microsoft Entra Connect
Answer: A

B2B collaboration allows external users to access apps and sites via guest accounts.

Why this answer

Microsoft Entra B2B collaboration allows you to share SharePoint Online sites with external partners without creating user objects in your Microsoft Entra ID. Instead, B2B collaboration creates lightweight guest user objects that represent external identities, enabling access via their own organizational or social credentials. This is the correct approach because it provides the necessary access while minimizing identity management overhead.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, mistakenly thinking B2C is for business partners when it is actually designed for consumer-facing applications.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2C is a customer-facing identity management service designed for consumer applications, not for granting external partners access to SharePoint Online sites. Option C is wrong because Application Proxy is used to publish on-premises web applications to external users, not to manage external access to SharePoint Online. Option D is wrong because Microsoft Entra Connect is a tool for synchronizing on-premises Active Directory with Microsoft Entra ID, not for providing external partner access.

704
MCQ · hard

Your organization is a financial services company with 5,000 users. You use Microsoft Defender XDR, including Defender for Endpoint Plan 2, Defender for Identity, Defender for Office 365 Plan 2, and Defender for Cloud Apps. You have recently deployed Microsoft Copilot for Security to assist your security operations center (SOC) analysts. A high-severity incident is generated: 'A user named jdoe accessed a malicious IP address from their device, and then logged into Azure Portal from an anonymous IP address. Defender for Identity detected a suspicious Kerberos ticket request from the same user's domain controller.' The SOC analysts are overwhelmed with alerts and need to quickly understand the full scope of the incident, including related alerts, impacted assets, and recommended actions. They also want to use natural language to ask questions about the incident. What should you do to enable the analysts to efficiently investigate this incident?

A. Train the analysts to use Advanced Hunting to query across all data sources and build custom KQL queries to correlate the alerts.
B. Create custom detection rules in Microsoft Defender XDR to generate more specific alerts for similar activity.
C. Use Microsoft Copilot for Security integrated with Microsoft Defender XDR to get a natural language summary of the incident, ask follow-up questions, and receive recommended actions.
D. Configure automated investigation and remediation to automatically contain the threat and then review the results.
Answer: C

Copilot for Security provides natural language incident analysis.

Why this answer

Option C is correct because Copilot for Security is designed to summarize incidents, provide insights, and answer natural language questions, which directly addresses the analysts' needs. Option A is wrong because advanced hunting requires KQL knowledge and is not natural language. Option D is wrong because automated investigation runs but does not provide natural language interaction.

Option B is wrong because custom detection rules add more alerts; they do not help investigate existing ones.

705
Multi-Select · medium

A compliance officer needs to automatically detect and apply a sensitivity label to documents in SharePoint Online that contain personally identifiable information (PII) such as social security numbers. The label should be applied automatically, and users must be able to override the label with a justification. Which two Microsoft Purview components must be configured to achieve this?

Select 2 answers
A. sensitive info type (SIT) and an auto-labeling policy
B. sensitivity label with auto-labeling for SharePoint and a policy tip
C. data loss prevention (DLP) policy and a retention label
D. default sensitivity label and a compliance tag
Answers: A, B

SIT detects the PII pattern; auto-labeling policy applies the sensitivity label automatically without user intervention.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels to documents in SharePoint Online based on sensitive info types (SITs), such as social security numbers. The auto-labeling policy supports user override with justification when configured with the 'Mandatory labeling with justification' setting, meeting the compliance officer's requirements.

Exam trap

The trap here is that candidates confuse the label's auto-labeling configuration (which only applies to Office apps) with the auto-labeling policy (which scans SharePoint and OneDrive), and they overlook that policy tips are a DLP feature, not a sensitivity label override mechanism.

706
Multi-Select · hard

Which THREE components are required to implement auto-labeling for sensitivity labels in Microsoft 365?

Select 3 answers
A. A sensitivity label configured for auto-labeling.
B. A DLP policy for the same sensitive info type.
C. A sensitive info type or trainable classifier.
D. An auto-labeling policy that specifies the label and locations.
E. An information barrier policy.
Answers: A, C, D

The label must exist and be enabled for auto-labeling.

Why this answer

Auto-labeling requires a sensitivity label configured for auto-labeling, a policy that specifies the label and locations, and a sensitive info type or trainable classifier to trigger labeling. Option A is correct because the label must be created first. Option D is correct because the auto-labeling policy defines when and where to apply the label.

Option C is correct because the policy uses sensitive info types or trainable classifiers to detect content. Option B is wrong because DLP policies are separate. Option E is wrong because information barriers are not required.

707
MCQ · medium

Your organization uses Microsoft Purview Data Lifecycle Management. You need to review the disposition of content that has reached the end of its retention period. What should you configure?

A. Create a DLP policy to notify administrators.
B. Place the content on an eDiscovery hold.
C. Enable disposition review in the retention policy or label.
D. Create a retention label with a retention period.
Answer: C

Disposition review provides a review workflow.

Why this answer

Option C is correct because a disposition review allows managers to review content before permanent deletion. Option D is wrong because retention labels do not require a review unless disposition review is configured. Option B is wrong because eDiscovery holds preserve content.

Option A is wrong because DLP policies do not manage disposition.

708
MCQ · easy

Your organization, Wingtip Toys, has a Microsoft 365 E3 tenant. You are implementing Microsoft Entra ID Governance. You need to create an access review for all guest users who have access to the company's HR application. The review must be performed by the application owner, and any denied access should be automatically removed after the review completes. You also need to ensure that if the reviewer does not respond, their access is automatically revoked. You have the following options: A. Create an access review with scope: All guest users, reviewers: Application owner, auto-apply results: Yes, action to apply if reviewers don't respond: Remove access. B. Create an access review with scope: All users, reviewers: Resource owners, auto-apply results: No, action to apply if reviewers don't respond: Keep access. C. Create an access review with scope: Group members, reviewers: Group owner, auto-apply results: Yes, action to apply if reviewers don't respond: Keep access. D. Create an access review with scope: All guest users, reviewers: Resource owner, auto-apply results: No, action to apply if reviewers don't respond: Remove access. Which option should you choose?

A. Access review with guest users, application owner, auto-apply, remove access if no response
B. Access review with all users, resource owners, no auto-apply, keep access if no response
C. Access review with guest users, resource owner, no auto-apply, remove access if no response
D. Access review with group members, group owner, auto-apply, keep access if no response
Answer: A

Meets all requirements.

Why this answer

Option A is correct because it matches all requirements: guest users, application owner as reviewer, auto-apply, and remove access if no response. Option B is wrong because it includes all users and no auto-apply. Option D is wrong because it uses a group instead of the application.

Option C is wrong because auto-apply is disabled.

709
MCQ · hard

Your organization has Microsoft 365 E5 licenses and uses Microsoft Defender for Office 365. You need to ensure that users are warned before clicking on malicious URLs in email messages, even if the URL is clicked after the email is delivered. Which policy should you configure?

A. Anti-malware policy
B. Safe Attachments policy
C. Safe Links policy
D. Anti-phishing policy
Answer: C

Safe Links provides time-of-click protection for URLs in email.

Why this answer

Option C is correct because Safe Links protection for email messages provides time-of-click protection, warning users when they click on malicious URLs after delivery. Option D (anti-phishing) does not provide URL click protection. Option A (anti-malware) deals with attachments.

Option B (Safe Attachments) deals with attachments, not URLs.

710
MCQ · hard

You are the compliance administrator for Contoso Ltd., a multinational corporation with 10,000 users. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Purview. The legal department requires that all email communications related to ongoing litigation be preserved for the duration of the case. You have identified the custodians and relevant keywords. You need to ensure that all relevant emails are preserved, regardless of whether users delete them. Additionally, you need to allow authorized reviewers to search and export the preserved emails without affecting the original data. Finally, you must ensure that the preservation is lifted automatically when the case is closed. What should you do?

A. Create an eDiscovery (Premium) case, add custodians, place them on hold, and use the case to search and export. Close the case to release the hold.
B. Configure a DLP policy to protect sensitive data and preserve the emails.
C. Create a retention label with a preservation action and publish it to the entire organization.
D. Place an in-place hold on all mailboxes using the Exchange admin center.
Answer: A

eDiscovery (Premium) supports case-based holds and exports.

Why this answer

Option A is correct because eDiscovery (Premium) provides case-based preservation (legal hold) that can be lifted when the case is closed. Option C is incorrect because retention labels require manual application or auto-labeling, which may not capture all relevant emails. Option B is incorrect because DLP does not preserve data.

Option D is incorrect because litigation hold in Exchange is per-mailbox and not case-based.

711
MCQ · easy

Refer to the exhibit. You search the unified audit log and find an entry where the SecureScore changed from 75 to 80. Which Microsoft Purview feature is most likely responsible for this change?

A. A sensitivity label was applied to a document.
B. A retention policy was modified.
C. A DLP policy was created.
D. An improvement action was implemented in Compliance Manager.
Answer: D

Compliance Manager actions update the secure score.

Why this answer

Option D is correct because Compliance Manager calculates and updates the secure score based on improvement actions. Option A is wrong because the secure score is not directly updated by applying sensitivity labels. Option C is wrong because DLP policies do not directly change the secure score.

Option B is wrong because retention policies affect compliance but not the secure score directly.

712
MCQ · easy

Your organization uses Microsoft Defender for Office 365. You need to ensure that malicious links in email messages are blocked at the time of click by checking the link reputation in real time. What should you enable?

A. Anti-spam policy.
B. Safe Attachments policy.
C. Safe Links policy.
D. Anti-phishing policy.
Answer: C

Safe Links provides time-of-click protection by checking link reputation.

Why this answer

Option C is correct because Safe Links in Defender for Office 365 rewrites URLs and checks them against a dynamic list of known malicious links at click time. Option B is wrong because Safe Attachments scans email attachments, not links. Option D is wrong because anti-phishing policies protect against phishing attempts but do not provide real-time link checking.

Option A is wrong because anti-spam policies filter spam, not malicious links.

713
MCQ · medium

Your organization uses Microsoft 365 E5 licenses. You need to ensure that all external sharing links for SharePoint Online expire after 30 days by default. You configure this in the SharePoint admin center. However, users report that links created before the change still do not have an expiration. What should you do?

A. Use the Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount parameter.
B. Reconfigure the setting in SharePoint admin center and save again.
C. Run Set-SPOTenant -DefaultSharingLinkExpirationInDays 30.
D. Create a data loss prevention (DLP) policy in Microsoft Purview to block unexpired links.
Answer: A

This parameter forces existing anonymous links to expire after the default number of days.

Why this answer

Option A is correct because the `Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount` parameter, when set to `$true`, forces all external sharing links to require the invited account to match the accepting account, which effectively invalidates any pre-existing links that do not meet this condition. This is the only way to enforce expiration on links created before the policy change, as the SharePoint admin center setting for default link expiration only applies to newly created links, not existing ones.

Exam trap

The trap here is that candidates assume the `-DefaultSharingLinkExpirationInDays` parameter applies retroactively to existing links, when in fact it only affects links created after the setting is applied, leading them to choose Option C instead of the correct retroactive enforcement via `RequireAcceptingAccountMatchInvitedAccount`.

How to eliminate wrong answers

Option B is wrong because simply reconfiguring and saving the same setting in the SharePoint admin center will not retroactively apply the expiration to links created before the change; the setting only affects new links. Option C is wrong because `Set-SPOTenant -DefaultSharingLinkExpirationInDays 30` sets the default expiration for new sharing links but does not expire existing links; it is the same setting available in the admin center, not a retroactive fix. Option D is wrong because a data loss prevention (DLP) policy in Microsoft Purview can block sharing of sensitive content but cannot enforce expiration dates on existing sharing links; DLP policies are for content protection, not link lifecycle management.

714
MCQ · hard

Your company, Fabrikam Inc., uses Microsoft Entra ID with hybrid identity. You have an on-premises Active Directory and use Microsoft Entra Connect Sync to synchronize users. You need to configure Microsoft Entra ID Protection to detect leaked credentials and risky sign-ins. Additionally, you must ensure that when a user is detected as high risk, their access is automatically blocked and they are required to change their password. You also need to enable password writeback so that password changes are written back to on-premises AD. You have the following options: A. Enable Identity Protection, configure user risk policy to require password change, and enable password writeback in Microsoft Entra Connect. B. Enable Identity Protection, configure sign-in risk policy to block access, and enable password hash sync. C. Configure Conditional Access policy to require MFA for all users, and enable seamless SSO. D. Deploy Microsoft Defender for Identity and configure automatic remediation. Which option should you choose?

A. Enable Identity Protection, configure user risk policy to require password change, enable password writeback
B. Enable Identity Protection, configure sign-in risk policy to block access, enable password hash sync
C. Deploy Microsoft Defender for Identity, configure automatic remediation
D. Configure Conditional Access policy to require MFA, enable seamless SSO
Answer: A

Meets all requirements.

Why this answer

Option A is correct because it directly addresses all requirements: enabling Identity Protection allows detection of leaked credentials and risky sign-ins; configuring the user risk policy to require a password change automatically blocks high-risk users until they change their password; and enabling password writeback in Microsoft Entra Connect ensures that password changes performed in the cloud are written back to on-premises Active Directory, maintaining hybrid identity synchronization.

Exam trap

The trap here is that candidates often confuse sign-in risk policies (which block access) with user risk policies (which can require a password change), and they may overlook that password writeback must be explicitly enabled in Microsoft Entra Connect, not just password hash sync.

How to eliminate wrong answers

Option B is wrong because configuring a sign-in risk policy to block access does not require the user to change their password—it only blocks the sign-in attempt, and enabling password hash sync alone does not enable password writeback, which is necessary for on-premises password changes. Option C is wrong because deploying Microsoft Defender for Identity focuses on detecting on-premises attacks and does not natively provide user risk policies for leaked credentials or automatic password change enforcement in Entra ID Protection. Option D is wrong because configuring a Conditional Access policy to require MFA does not detect leaked credentials or risky sign-ins, and enabling seamless SSO does not provide password writeback or automatic blocking with password change for high-risk users.

715
MCQ · medium

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is not receiving security updates. You need to ensure that the device is properly onboarded to Defender for Endpoint. Which log should you check first?

A. Event Viewer Application logs
B. System logs
C. Microsoft Defender for Endpoint client logs
D. Windows Update logs
Answer: C

Client logs provide detailed information about onboarding and updates.

Why this answer

Option C is correct because the Microsoft Defender for Endpoint client logs (e.g., C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.log) provide detailed information about onboarding and update issues. Option A (Event Viewer Application logs) may show some errors but not in as much detail. Option D (Windows Update logs) is for Windows Update, not Defender updates.

Option B (System logs) is for system events.

716
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from SharePoint Online to an unmanaged device. You need to automatically block the download and alert the security team. What should you configure?

A. Session policy
B. Access policy
C. File policy
D. Anomaly detection policy
Answer: A

Session policies can control and block specific actions like downloads.

Why this answer

Option A is correct because a session policy can control access and block downloads in real time. Option D is wrong because an anomaly detection policy only alerts; it does not block. Option B is wrong because an access policy can block access entirely, but not specifically block downloads.

Option C is wrong because a file policy monitors file activities but does not block downloads in real time.

717
MCQ · hard

You are a Microsoft 365 administrator for a medium-sized company with 500 users. The company uses Microsoft 365 E3 licenses. Recently, the company acquired a small subsidiary with 50 users who already have their own Microsoft 365 tenant with E3 licenses. You need to migrate the subsidiary's users to the main tenant while minimizing downtime and ensuring that users retain their existing email and OneDrive data. You plan to use cross-tenant migration. However, after setting up the migration, you notice that the subsidiary's users cannot access the main tenant's SharePoint Online sites. They receive an access denied error. You verify that the users have been added to the main tenant's Azure AD and are assigned licenses. What should you do to resolve the issue?

A. Re-run the cross-tenant migration and select the option to convert users to mail-in-contact.
B. In the SharePoint admin center, add the subsidiary's domain as an allowed domain for sharing.
C. Assign the users a new license from the main tenant's subscription.
D. Configure cross-tenant access settings in Azure AD to allow the subsidiary's tenant to access the main tenant's resources.
Answer: D

Cross-tenant access policies control how external users access resources.

Why this answer

Option D is correct because cross-tenant migration in Microsoft 365 requires explicit cross-tenant access settings in Azure AD to allow users from the subsidiary's tenant to access resources in the main tenant, such as SharePoint Online. Without configuring these settings, the subsidiary's users will receive access denied errors even after being added to the main tenant's Azure AD and assigned licenses, as SharePoint enforces tenant-level access policies.

Exam trap

The trap here is that candidates often confuse cross-tenant migration with simple user addition and assume that assigning a license or adjusting sharing settings resolves access, when in fact Azure AD cross-tenant access settings are mandatory for SharePoint Online resource access after migration.

How to eliminate wrong answers

Option A is wrong because re-running the migration with the 'convert users to mail-in-contact' option would remove the users from Azure AD and break their ability to access any resources, including SharePoint, and is not a valid step for resolving access issues. Option B is wrong because adding the subsidiary's domain as an allowed domain for sharing in the SharePoint admin center only controls external sharing policies, not cross-tenant authentication or authorization for migrated users. Option C is wrong because the users already have licenses assigned from the main tenant's subscription, and assigning a new license does not address the underlying cross-tenant access control issue.

718
MCQ · hard

Refer to the exhibit. You are a compliance administrator. You need to ensure that documents in the Project X site are retained for 365 days after the last modification and then deleted. The current configuration is shown. What is the outcome?

A. The label is applied only to new items, not existing.
B. The label is not applied automatically; users must apply it manually.
C. The label is applied automatically to all items in the site, retaining them for 365 days from last modification.
D. The label is applied, but the retention period starts from the creation date.
Answer: C

The policy auto-applies the label.

Why this answer

The retention label is configured with RetentionType set to 'ModificationAgeInDays', which means the retention period starts from the item's last modification date. However, the policy applies the label to the site via an adaptive scope. The label will automatically apply to all items in the site and retain them for 365 days from the last modification, then delete.

Option C is correct because the label applies automatically via the policy. Option A is wrong because the policy applies the label to all items in the site, not only new ones. Option D is wrong because the retention is based on modification age, not creation.

Option B is wrong because the label is applied automatically.

719
MCQ · medium

A company is using Microsoft Defender for Identity (MDI) and wants to receive alerts when a user account is involved in a suspicious network connection. The security team has enabled MDI alerts but is not receiving any alerts for a specific account that is showing anomalous behavior. What should the team check first?

A. Verify that the MDI sensor is running correctly on the domain controller.
B. Check that the user has an appropriate Microsoft 365 license.
C. Confirm that the user's Active Directory attributes are synced to Azure AD.
D. Ensure the user's email address is configured in the MDI alert settings.
Answer: D

Alerts are sent to the user's email; if missing, no alert.

Why this answer

Option D is correct because MDI needs to be configured with the user's email address for alerts to be sent. If the email is missing or incorrect, alerts will not be delivered. Option A is wrong because the sensor status would affect all accounts, not just one.

Option B is wrong because licensing is per user. Option C is wrong because directory data is not required for alerts.

720
MCQmedium

An administrator who is not a Global Administrator needs to manage just-in-time privileged access to Azure resources using Microsoft Entra Privileged Identity Management (PIM). Which built-in role must be assigned to the administrator to allow PIM management for Azure resources?

A.Privileged Role Administrator
B.User Administrator
C.Security Administrator
D.Application Administrator
AnswerA

Privileged Role Administrators can configure PIM settings, approve activations, and manage assignments for Azure resources.

Why this answer

The Privileged Role Administrator role is the only built-in role that grants permissions to manage all aspects of Privileged Identity Management (PIM) for Azure resources, including configuring just-in-time access, managing role assignments, and approving activation requests. This role is specifically designed for administrators who need to oversee PIM without requiring Global Administrator privileges, as it provides full control over PIM policies and role settings across Azure AD and Azure resources.

Exam trap

The trap here is that candidates often confuse the Privileged Role Administrator role with the Global Administrator role, assuming only Global Admins can manage PIM, but Microsoft specifically designed the Privileged Role Administrator to delegate PIM management without granting full tenant-wide administrative control.

How to eliminate wrong answers

Option B (User Administrator) is wrong because it can manage user accounts and groups but lacks permissions to configure PIM role settings, activation policies, or approve requests for Azure resource roles. Option C (Security Administrator) is wrong because it focuses on security features like conditional access and identity protection, not on managing PIM role assignments or just-in-time access policies. Option D (Application Administrator) is wrong because it is limited to managing enterprise applications and app registrations, with no ability to manage PIM role configurations or privileged access workflows.

721
MCQhard

Your company is migrating from on-premises Exchange to Exchange Online. You have configured a hybrid deployment. During testing, you notice that free/busy information is not being shared between on-premises and cloud users. All other hybrid features work. What is the most likely cause?

A.The organization relationship between the on-premises and cloud tenants is missing or misconfigured.
B.Azure AD Connect has not been configured with the correct synchronization scope.
C.The on-premises firewall is blocking traffic to the Exchange Online endpoints.
D.OAuth authentication is not configured between on-premises and Exchange Online.
AnswerA

The organization relationship is required for free/busy sharing in hybrid.

Why this answer

The organization relationship defines the trust and sharing settings between on-premises Exchange and Exchange Online tenants, specifically for free/busy information. Since all other hybrid features (e.g., mail flow, mailbox moves) work, the issue is isolated to the organization relationship, which must be configured on both sides to enable cross-premises calendar availability queries.

Exam trap

The trap here is that candidates assume OAuth is required for all hybrid features, but Microsoft specifically decouples free/busy sharing from OAuth in hybrid scenarios, making the organization relationship the primary culprit when only calendar availability fails.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect synchronization scope controls identity and attribute sync (e.g., users, groups), not free/busy sharing; incorrect scope would cause missing or mismatched user objects, not a failure of free/busy queries specifically. Option C is wrong because firewall blocks would affect all hybrid traffic (e.g., SMTP, Autodiscover, EWS), not just free/busy; since other features work, a firewall issue is unlikely. Option D is wrong because OAuth authentication is required for modern hybrid features like archive access and eDiscovery, but free/busy sharing can function with legacy organization relationship settings using the AvailabilityAddressSpace or IntraOrganizationConnector; OAuth is not strictly necessary for basic free/busy.

722
MCQeasy

An admin needs to provide a vendor with temporary access to a SharePoint site. What should the admin create?

A.Guest user in Azure AD
B.Anonymous sharing link
C.Security group
D.New user in your domain
AnswerA

Allows external access with B2B collaboration.

Why this answer

A is correct because creating a guest user in Azure AD is the proper method to grant external users access to SharePoint Online resources with controlled permissions. Guest users are invited via Azure AD B2B collaboration, which allows the admin to assign specific SharePoint site permissions while maintaining oversight and the ability to revoke access. This approach ensures the vendor has a distinct identity for auditing and conditional access policies.

Exam trap

The trap here is that candidates often confuse anonymous sharing links (which are easy to create) with proper external user management, overlooking the need for identity-based access control and auditability required for vendor access.

How to eliminate wrong answers

Option B is wrong because an anonymous sharing link provides unrestricted access to anyone with the link, bypassing authentication and auditing, which violates the requirement for temporary, controlled vendor access. Option C is wrong because a security group is used to manage permissions for existing users within the organization, not to invite external vendors; it cannot create an external identity. Option D is wrong because creating a new user in your domain would require the vendor to have a mailbox and identity within your on-premises or cloud directory, which is unnecessary and introduces administrative overhead for temporary access.

723
Multi-Selectmedium

Which THREE features are part of Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A.Microsoft Purview
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
E.Microsoft Defender for Identity
AnswersB, C, E

Defender for Endpoint is a core component.

Why this answer

Defender XDR (formerly Microsoft 365 Defender) integrates signals from Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Defender for Office 365. Options B, C, and E are correct. Option D is wrong because Microsoft Sentinel is a separate SIEM.

Option A is wrong because Microsoft Purview is a separate compliance solution.

724
Multi-Selecthard

Your organization uses Microsoft Purview Data Lifecycle Management to manage data retention. You need to retain all documents in a SharePoint site for 5 years and then allow users to delete them manually. Which THREE settings must be configured?

Select 3 answers
A.Specify the SharePoint site as the location.
B.Set the retention period to 5 years and then start a retention period (no action).
C.Apply a default retention label to the document library.
D.Enable the option 'If you want to allow users to delete content within the retention period, select No for the item'.
E.Set the retention period to 5 years and then delete automatically.
AnswersA, B, D

Location is required to target the policy.

Why this answer

Options A, B, and D are correct because the policy must target the site, retain content for 5 years, and then allow manual deletion. Option E is wrong because auto-delete would remove content automatically rather than allow manual deletion. Option C is wrong because a label is not required for a site-level policy.

725
MCQeasy

An administrator needs to add a custom domain 'contoso.org' to their Microsoft 365 tenant. They have already purchased the domain and have access to the DNS registrar. What is the first step the administrator should perform in the Microsoft 365 admin center?

A.Add a TXT record in the public DNS zone
B.Add the domain in the Microsoft 365 admin center
C.Configure email routing (MX record)
D.Create user accounts with the new domain
AnswerB

The domain must be added to the tenant first. Then the admin center provides the verification DNS records.

Why this answer

The first step to add a custom domain to a Microsoft 365 tenant is to initiate the domain addition process in the Microsoft 365 admin center. This triggers Microsoft to generate the unique verification TXT record that must be published in the public DNS zone. Without first adding the domain in the admin center, the administrator would not know the specific verification string required for the TXT record.

Exam trap

The trap here is that candidates often confuse the sequence of steps and think that adding a DNS record (like TXT or MX) is the first action, when in reality the domain must first be registered in the admin center to obtain the required verification token.

How to eliminate wrong answers

Option A is wrong because adding a TXT record in the public DNS zone is the second step, performed after the domain has been added in the admin center to obtain the unique verification value. Option C is wrong because configuring email routing (MX record) is a later step that occurs after domain verification is complete and the domain is set as the primary email domain. Option D is wrong because creating user accounts with the new domain requires the domain to first be verified and added to the tenant; otherwise, the domain is not recognized by Azure AD.

726
Multi-Selectmedium

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. You need to ensure that password synchronization is enabled. Which TWO components are required for password synchronization to work?

Select 2 answers
A.Azure AD Connect with password hash synchronization selected.
B.Active Directory Federation Services (AD FS).
C.Password Writeback enabled.
D.Microsoft Identity Manager (MIM).
E.Microsoft Entra ID service to process synchronization.
AnswersA, E

Azure AD Connect must have password hash synchronization enabled.

Why this answer

Option A is correct because Azure AD Connect with password hash synchronization (PHS) selected is the component that hashes the on-premises Active Directory password and synchronizes it to Microsoft Entra ID. Option E is correct because the Microsoft Entra ID service must process the incoming password hashes and store them in the cloud directory, enabling authentication against Entra ID. Without both the local sync engine (Azure AD Connect) and the cloud-side service, password synchronization cannot function.

Exam trap

The trap here is that candidates often confuse Password Writeback (a separate feature for cloud-to-on-premises password changes) as a prerequisite for password synchronization, when in fact it is an optional add-on that is not required for the one-way sync of password hashes from on-premises to the cloud.

727
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to configure a rule that automatically isolates a device from the network when a specific threat is detected, but only if the device is in a specific device group. Which approach should you use?

A.Indicator of compromise (IoC)
B.Automation rule
C.Custom detection rule
D.Group policy in Intune
AnswerB

Automation rules allow conditions and actions like isolation.

Why this answer

Option B is correct because automation rules allow you to specify conditions, including device group, and actions like isolation. Option C is wrong because a custom detection rule creates custom alerts but does not automate isolation. Option A is wrong because an indicator of compromise (IoC) blocks files and processes; it does not isolate devices.

Option D is wrong because group policy is not part of Defender for Endpoint automation.

728
MCQhard

Your company recently deployed Microsoft 365 Copilot. Users report that Copilot occasionally generates responses based on sensitive internal documents that should not be shared broadly. What should you configure to restrict Copilot's access?

A.Create Data Loss Prevention (DLP) policies to block sharing.
B.Remove the sensitive documents from SharePoint Online.
C.Apply sensitivity labels to the documents and configure label scopes to exclude Copilot.
D.Configure Microsoft Search to exclude the sensitive documents.
AnswerC

Sensitivity labels can be scoped to prevent Copilot from using labeled content.

Why this answer

Option C is correct because sensitivity labels can be configured with a label scope that excludes Copilot from accessing the labeled content. By applying a 'Confidential' sensitivity label with the 'Copilot' scope deselected, you instruct Microsoft 365 Copilot to ignore those documents during response generation, preventing it from surfacing sensitive internal information.

Exam trap

The trap here is that candidates confuse DLP policies (which block sharing) with Copilot access controls, or assume that removing documents or excluding them from search is sufficient, when in fact sensitivity labels with the Copilot scope are the precise mechanism to control Copilot’s data access.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies block sharing of sensitive data (e.g., via email or external sharing) but do not restrict Copilot’s internal access to documents for response generation. Option B is wrong because removing sensitive documents from SharePoint Online is a blunt, disruptive approach that breaks user access and collaboration, whereas the requirement is to restrict Copilot’s access while preserving normal user access. Option D is wrong because Microsoft Search exclusion controls search results for users but does not affect Copilot’s ability to index and retrieve content for response generation; Copilot uses its own semantic index, not the search index.

729
MCQmedium

A company is planning to deploy Microsoft Defender for Endpoint to its Windows 10 devices. The devices are managed by Microsoft Intune. The security team wants to ensure that the MDE sensor is installed automatically on new devices that are enrolled in Intune. Which method should the team use?

A.Manually install MDE on each device.
B.Use Group Policy to deploy the MDE installation package.
C.Deploy MDE using Microsoft Configuration Manager.
D.Create an Endpoint security policy in Intune to deploy MDE.
AnswerD

Intune can deploy MDE via Endpoint security policies.

Why this answer

Option D is correct because Intune can push the MDE sensor as a 'Microsoft Defender for Endpoint' profile under Endpoint security. Option B is wrong because Group Policy is not used in a cloud-only Intune environment. Option C is wrong because Configuration Manager is on-premises and not needed.

Option A is wrong because manual installation is not automatic.

730
MCQeasy

A company has an existing Microsoft 365 tenant with the verified custom domain 'contoso.com'. The administrator now wants to add a second custom domain, 'contoso-europe.com', to the same tenant. What is the first step the administrator should take?

A.Add the domain in the Microsoft 365 admin center.
B.Add a TXT verification record in the public DNS zone for 'contoso-europe.com'.
C.Add an MX record pointing to Exchange Online in the public DNS zone for 'contoso-europe.com'.
D.Contact Microsoft support to enable the domain addition feature.
AnswerA

The domain must first be added to the Microsoft 365 tenant to begin the verification process.

Why this answer

The first step to add a second custom domain to an existing Microsoft 365 tenant is to initiate the domain addition process in the Microsoft 365 admin center. This triggers the system to generate the unique TXT verification record that must be added to the public DNS zone to prove ownership of the domain. Without first adding the domain in the admin center, the administrator would not know the specific verification value required for the DNS record.

Exam trap

The trap here is that candidates often assume the first step is to create a DNS record (like TXT or MX) directly, but the correct sequence requires initiating the domain addition in the admin center first to obtain the necessary verification value.

How to eliminate wrong answers

Option B is wrong because adding a TXT verification record in the public DNS zone is the second step, not the first; the administrator must first add the domain in the admin center to obtain the unique verification string. Option C is wrong because adding an MX record pointing to Exchange Online is a post-verification step used to route email, and it is not required for domain ownership verification. Option D is wrong because Microsoft 365 allows domain addition without contacting support; the feature is enabled by default for all tenants with verified custom domains.

731
MCQmedium

A compliance officer needs to ensure that all documents in a SharePoint Online site library are declared as permanent records, preventing any edits or deletions. Which Microsoft Purview solution should be used?

A.Retention label with 'Regulatory record'
B.Retention policy
C.Sensitivity label
D.eDiscovery hold
AnswerA

A retention label with 'Regulatory record' option permanently marks content as a record, blocking changes and deletion.

Why this answer

A retention label with the 'Regulatory record' option is the correct solution because it marks the content as a permanent record, preventing any edits or deletions by any user, including administrators. This is the only Purview feature that enforces immutable, unmodifiable records in SharePoint Online, meeting the compliance officer's requirement for permanent records.

Exam trap

The trap here is that candidates often confuse retention policies (which only control deletion) with retention labels that have the 'Regulatory record' option, mistakenly thinking a simple retention policy can prevent edits, but only the regulatory record label enforces full immutability.

How to eliminate wrong answers

Option B is wrong because a retention policy can prevent deletion but does not prevent edits to documents; it only enforces retention and deletion rules, not immutability. Option C is wrong because sensitivity labels control access and encryption (e.g., classification and protection), not the ability to edit or delete documents as permanent records. Option D is wrong because an eDiscovery hold preserves content for legal purposes but does not prevent edits; it only prevents deletion and allows modifications, which does not satisfy the requirement for permanent records.

732
MCQmedium

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically require a password change for users with medium sign-in risk, but only when the sign-in originates from outside the corporate network. Users with high sign-in risk should be blocked entirely. A group of break-glass accounts must be excluded from all policies. Which feature should the administrator implement?

A.Conditional Access policies with sign-in risk and location conditions
B.Identity Protection risk policies
C.Privileged Identity Management (PIM)
D.Azure AD Identity Governance
AnswerA

Conditional Access can use sign-in risk as a condition and apply actions like require password change or block access, combined with location conditions.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID allow combining sign-in risk conditions with location conditions (e.g., including 'Any location' and excluding 'All trusted locations') to target only sign-ins from outside the corporate network. The policy can be configured to require a password change for medium risk and block access for high risk, while excluding break-glass accounts via the 'Exclude' tab using a dedicated group.

Exam trap

The trap here is that candidates confuse Identity Protection risk policies (which lack location scoping) with Conditional Access policies (which support both risk and location conditions), leading them to select Option B despite its inability to meet the location requirement.

How to eliminate wrong answers

Option B is wrong because Identity Protection risk policies (user risk and sign-in risk policies) operate at the tenant level and cannot be scoped to location conditions like 'outside corporate network'; they apply globally to all sign-ins. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time role activation and approval workflows, not sign-in risk-based access controls or password change requirements. Option D is wrong because Azure AD Identity Governance focuses on access reviews, entitlement management, and lifecycle workflows, not real-time sign-in risk enforcement or location-based conditional access.

733
MCQhard

A company uses dynamic groups based on department attribute. A user moved from Sales to Marketing but the group membership did not update after 48 hours. What should the admin do first?

A.Delete and recreate the group
B.Run a PowerShell script to update membership
C.Wait another 24 hours
D.Manually refresh the dynamic group in Azure AD
AnswerD

Manual refresh forces recalculation.

Why this answer

Option D is correct because Azure AD dynamic group membership evaluation is not instantaneous; it occurs on a periodic schedule. When a user's attribute changes, the admin can manually trigger a refresh by selecting 'Refresh' on the dynamic group's overview page in the Azure portal, which forces an immediate evaluation of the membership rules. This is the first troubleshooting step before waiting longer or using other methods.

Exam trap

The trap here is that candidates assume dynamic group membership updates are instantaneous or that PowerShell can force a refresh, when in fact the only supported manual trigger is through the Azure portal or Graph API, and waiting is not the first recommended action.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the group would cause loss of group settings, assigned licenses, and policies, and is an unnecessary destructive action when a manual refresh can resolve the delay. Option B is wrong because there is no native PowerShell cmdlet to force a dynamic group membership refresh; the only supported method is through the Azure portal or Microsoft Graph API. Option C is wrong because waiting another 24 hours is not a proactive troubleshooting step; the admin should first attempt a manual refresh to expedite the evaluation.

734
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Purview Data Loss Prevention (DLP) policies?

Select 2 answers
A.Set retention periods for documents containing credit card numbers.
B.Show a policy tip to users when they attempt to share sensitive data.
C.Block users from sharing sensitive information via email.
D.Add a watermark to sensitive documents.
E.Automatically encrypt sensitive files when shared.
AnswersB, C

Policy tips are a DLP feature.

Why this answer

DLP policies can block sharing of sensitive information and notify users with policy tips. Option C is correct because DLP can block sharing via email. Option B is correct because policy tips educate users at the moment they attempt to share sensitive data.

Option E is wrong because DLP does not apply encryption. Option A is wrong because DLP does not manage retention. Option D is wrong because DLP does not add watermarks.

735
MCQmedium

An organization uses Microsoft Entra ID P2 licenses. They want to implement a policy that forces users to perform multi-factor authentication (MFA) only when they sign in from an untrusted location. The trusted locations include the corporate office IP range. Which type of policy should they create?

A.Identity Protection user risk policy
B.Conditional Access policy
C.MFA registration policy
D.Authentication methods policy
AnswerB

Conditional Access policies can include location conditions to require MFA only from untrusted locations.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to enforce MFA based on conditions like location. By configuring a policy that targets all users and cloud apps, with a condition excluding trusted IP ranges (corporate office), MFA is only triggered when sign-ins originate from untrusted locations. This is the precise mechanism for location-based MFA enforcement.

Exam trap

The trap here is confusing the purpose of Identity Protection policies (risk-based) with Conditional Access policies (condition-based), leading candidates to select A when the question explicitly requires location-based enforcement.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy evaluates user risk level (e.g., leaked credentials) and can force MFA or password change, but it does not filter by location or trusted IP ranges. Option C is wrong because MFA registration policy only enforces that users register for MFA, not when MFA is prompted based on location. Option D is wrong because Authentication methods policy defines which MFA methods are available (e.g., phone, app) but does not control the conditions under which MFA is required.

736
Multi-Selectmedium

You are configuring Microsoft Defender for Office 365. Which TWO actions should you take to protect users from phishing attacks that use impersonation?

Select 2 answers
A.Create a data loss prevention (DLP) policy to prevent sharing of credentials.
B.Configure anti-spam policies to increase the spam confidence level.
C.Configure anti-phishing policies to protect users from impersonation of custom domains.
D.Configure anti-phishing policies to protect users from impersonation of internal users.
E.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
AnswersC, D

Anti-phishing policies can also protect against impersonation of your organization's domains.

Why this answer

Options C and D are correct because anti-phishing policies can protect against impersonation of both users and domains. Option E is wrong because Safe Attachments is for file scanning. Option B is wrong because anti-spam policies address spam, not impersonation.

Option A is wrong because DLP protects sensitive data; it does not protect against phishing.

737
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device with a high-risk vulnerability is detected, it is automatically isolated from the network. What should you configure?

A.Run an advanced hunting query to identify high-risk devices.
B.Create an automation rule in Microsoft Defender XDR.
C.Create a device group and assign a device configuration policy.
D.Enable vulnerability management in Microsoft Defender for Endpoint.
AnswerB

Automation rules can trigger automatic isolation based on vulnerability data.

Why this answer

Option B is correct because an automation rule in Microsoft Defender XDR can automatically isolate a device when a vulnerability is detected. Option C is wrong because device groups control policy assignment, not automation. Option D is wrong because vulnerability management shows findings but does not automate isolation.

Option A is wrong because an advanced hunting query only identifies devices; it does not trigger actions.

738
MCQmedium

Your company uses Microsoft Defender for Endpoint and Microsoft Intune. You have a group of remote users who connect to the corporate network via VPN. Recently, several of these devices were compromised due to unpatched vulnerabilities. You need to ensure that devices that are missing critical security updates are automatically blocked from accessing corporate resources. The solution must integrate with Microsoft Defender for Endpoint's threat and vulnerability management (TVM) data. What should you configure?

A.Configure the VPN server to only allow devices that have the latest updates installed.
B.Create a Microsoft Defender for Endpoint device group and set the remediation level to 'block' for devices with critical vulnerabilities.
C.Configure a device compliance policy in Intune that requires all critical updates to be installed, and assign it to the VPN users group.
D.Create a conditional access policy in Microsoft Entra ID that uses 'Require device to be marked as compliant' and integrate Defender for Endpoint's risk level to block devices with high risk.
AnswerD

Conditional access can block access based on device compliance, which can be determined by Defender for Endpoint's risk assessment.

Why this answer

Option D is correct because Conditional Access with device compliance policies can use Defender for Endpoint's risk level to block non-compliant devices. Option C is wrong because Intune compliance policies alone can mark devices as non-compliant, but the question requires using TVM data; Conditional Access can consume the risk level from Defender for Endpoint. Option A is wrong because VPN configuration does not integrate with TVM data for automatic blocking.

Option B is wrong because requiring all devices to be fully patched is not automatically enforceable without compliance policies.

739
MCQmedium

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are a security administrator. The security team wants to receive email notifications for high-severity incidents only. You need to configure the notification settings. What should you do?

A.In the Microsoft Defender XDR portal, go to Settings > Microsoft 365 Defender > Email notifications, and create a notification for high-severity incidents.
B.Create an incident response rule that sends an email when a high-severity incident is created.
C.Use the Microsoft Purview compliance portal to create an alert policy.
D.Configure a service health notification in the Microsoft 365 admin center.
AnswerA

Email notifications can be configured for a specific severity.

Why this answer

Option A is correct because the notification settings in Microsoft Defender XDR allow you to create email notifications for specific severity levels. Option B is wrong because incident rules do not send email notifications. Option D is wrong because that setting is for service health notifications, not security incidents.

Option C is wrong because alert policies in the compliance portal are not for incident notifications.

740
Matchingmedium

Match each Microsoft 365 role to its administrative scope.

Matches

Full access to all admin features

Resets passwords for non-admins

Manages Exchange Online

Manages users and groups

Manages security policies

Why these pairings

These roles are part of Azure AD role-based access control.

741
MCQmedium

Your organization has a Microsoft 365 E5 tenant with 10,000 users. You need to ensure that when a user is detected as high-risk by Microsoft Entra ID Protection, the user is automatically blocked from accessing sensitive SharePoint sites. The solution should minimize administrative overhead. What should you do?

A.Create a Conditional Access policy targeting high-risk users, apply to SharePoint, and set 'Block access' or 'Use app enforced restrictions'.
B.Create a session policy in Microsoft Defender for Cloud Apps to block high-risk users from accessing SharePoint.
C.Configure a user risk policy in Microsoft Entra ID Protection to block sign-ins for high-risk users.
D.Deploy Microsoft Sentinel and create a custom analytics rule to trigger an automated response via Logic App.
AnswerA

Conditional Access can use user risk as a condition and restrict access to selected cloud apps like SharePoint.

Why this answer

Option A is correct because a Conditional Access (CA) policy can directly target 'High risk' users (via Microsoft Entra ID Protection risk detection) and apply to SharePoint. By setting the grant control to 'Block access' or 'Use app enforced restrictions', you automatically block or restrict access to sensitive SharePoint sites without manual intervention, minimizing administrative overhead. This integrates natively with Microsoft 365 and requires no additional services or custom scripting.

Exam trap

The trap here is that candidates often confuse a user risk policy in Entra ID Protection (which blocks all sign-ins globally) with a Conditional Access policy (which can target specific applications like SharePoint), leading them to choose Option C instead of A.

How to eliminate wrong answers

Option B is wrong because a session policy in Microsoft Defender for Cloud Apps (MCAS) can only monitor or control access in real time after the user is already authenticated; it does not natively block access based on Entra ID Protection risk level without additional configuration, and it introduces extra overhead. Option C is wrong because a user risk policy in Microsoft Entra ID Protection blocks sign-ins globally (i.e., prevents authentication entirely), which is too broad and would block the user from all applications, not just sensitive SharePoint sites. Option D is wrong because deploying Microsoft Sentinel and creating a custom analytics rule with a Logic App is overly complex and introduces significant administrative overhead, violating the 'minimize administrative overhead' requirement; the native CA policy is simpler and more efficient.

742
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Purview eDiscovery (Premium)? (Choose two.)

Select 2 answers
A.Place a legal hold on custodians' mailboxes and sites.
B.Export search results to a local computer for review.
C.Create and apply retention labels to documents.
D.Automatically delete emails older than a specified date.
E.Configure sensitivity labels to encrypt documents.
AnswersA, B

eDiscovery (Premium) supports legal hold.

Why this answer

Options A and B are correct because eDiscovery (Premium) allows you to hold content in place (legal hold) and export search results for review. Option D is incorrect because eDiscovery does not automatically delete content; that is retention. Option C is incorrect because eDiscovery does not create retention labels. Option E is incorrect because eDiscovery does not manage sensitivity labels.

743
MCQhard

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You discover that a user's credentials were compromised and used to access sensitive data in SharePoint Online from an unusual location. You need to automatically suspend the user and prevent further access to cloud apps. What should you configure?

A.An anti-phishing policy in Defender for Office 365
B.A Safe Attachments policy in Defender for Office 365
C.A Safe Links policy in Defender for Office 365
D.A session policy in Defender for Cloud Apps
AnswerD

Session policies can block or suspend user access to cloud apps based on risk.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps offers session policies that can be set to block access or suspend users based on risk. Specifically, you can create a policy to automatically suspend the user when anomalous activity is detected. Option B is wrong because Safe Attachments is for email attachments. Option A is wrong because anti-phishing policies are for email. Option C is wrong because Safe Links is for URL protection in email and Office documents.

744
Multi-Selectmedium

You are a Microsoft 365 Administrator for a company that is implementing a hybrid identity solution with Active Directory Federation Services (AD FS) for single sign-on (SSO). The company has recently acquired a subsidiary with its own on-premises Active Directory domain. You need to ensure that the identity lifecycle for users from the subsidiary is managed effectively through Microsoft Entra ID (formerly Azure AD) and that licensing is assigned efficiently. Which three of the following actions should you take? (Choose three.)

Select 3 answers
A.Configure Microsoft Entra Connect to synchronize identities from the subsidiary’s Active Directory domain, and use group-based licensing to automatically assign Microsoft 365 licenses to synced users based on their department attribute.
B.Create a new Microsoft Entra tenant for the subsidiary and configure cross-tenant synchronization to bring users into the main tenant.
C.Use Microsoft Entra Connect to implement a filtered synchronization scope so that only users from the subsidiary’s sales department are synchronized initially.
D.Configure Microsoft Entra cloud sync for the subsidiary domain to synchronize users, then assign licenses manually through PowerShell scripts to avoid any inheritance issues.
E.Enable Microsoft Entra ID Governance’s Entitlement Management to create access packages that include Microsoft 365 licenses and automatically assign them to users based on their membership in dynamic groups.
F.Configure password hash synchronization (PHS) for the subsidiary domain because AD FS cannot coexist with directory synchronization on separate domains.
AnswersA, C, E

Why this answer

Option A is correct because Microsoft Entra Connect can synchronize identities from multiple on-premises AD forests into a single Microsoft Entra tenant, and group-based licensing allows automatic assignment of Microsoft 365 licenses based on directory attributes like department, ensuring efficient lifecycle management. Option C is correct because filtered synchronization scope (e.g., using OU or attribute filtering) lets you initially synchronize only a subset of users (like sales) to control the rollout and test the hybrid identity configuration. Option E is correct because Microsoft Entra ID Governance’s Entitlement Management can create access packages that include licenses and assign them via dynamic group membership, providing automated, policy-driven license assignment that integrates with identity lifecycle.

Exam trap

The trap here is that candidates often assume a separate tenant is required for an acquired subsidiary (Option B) or that cloud sync is equivalent to Entra Connect for AD FS scenarios (Option D), when in fact multi-forest sync with a single tenant and group-based licensing is the recommended approach for hybrid identity lifecycle management.

745
Multi-Selectmedium

A security administrator is configuring Microsoft Defender for Cloud Apps to protect against data exfiltration from SaaS apps. The administrator wants to create a policy that alerts when a user attempts to download more than 50 files from SharePoint Online within 5 minutes. Which two components must be configured to achieve this? (Choose two.)

Select 2 answers
A.File policy
B.Session policy
C.Activity policy
D.Conditional Access App Control
E.App connector for SharePoint Online
AnswersC, E

Activity policies can detect anomalous download activity.

Why this answer

Options C and E are correct. An activity policy is needed to define the threshold (50 files in 5 minutes). The app connector for SharePoint Online must be enabled to allow Defender for Cloud Apps to monitor SharePoint activity. Option B is wrong because a session policy is used for real-time control, not for alerting. Option D is wrong because Conditional Access App Control is for controlling access, not alerting. Option A is wrong because a file policy is for file sharing, not downloads.

746
MCQeasy

Contoso uses Microsoft Entra ID P2. Users report that password reset self-service does not work. You verify that the users have the required license. What should you check next?

A.Ensure the users are in a group scoped for SSPR
B.Check that the users have registered for SSPR
C.Confirm the users have Microsoft Entra ID P1 licenses
D.Verify SSPR is enabled in Microsoft Entra ID
AnswerD

SSPR must be explicitly enabled.

Why this answer

The users already have the required Microsoft Entra ID P2 license, which includes SSPR functionality. However, SSPR must be explicitly enabled at the tenant level in Microsoft Entra ID under 'Password reset' settings before users can use the self-service password reset feature. Without this tenant-wide enablement, even licensed users cannot reset their passwords.

Exam trap

The trap here is that candidates often assume that having the correct license (P2) automatically enables SSPR, but Microsoft requires an explicit tenant-level toggle to activate the feature, and the question's phrasing 'does not work' points to the most fundamental missing configuration.

How to eliminate wrong answers

Option A is wrong because SSPR can be enabled for 'All users' or 'Selected' groups; scoping to a specific group is not required for SSPR to work—it is a configuration choice, not a prerequisite. Option B is wrong because user registration for SSPR is a step that occurs after SSPR is enabled; if SSPR is not enabled, users cannot register. Option C is wrong because the question states users already have the required license (Microsoft Entra ID P2), which includes all P1 features; checking for P1 licenses is redundant and irrelevant.

747
MCQmedium

The exhibit shows a DLP policy configuration. A user reports that they cannot share a document containing a credit card number from OneDrive for Business. However, the document was shared successfully last week. What is the most likely reason for the change?

A.The DLP policy was recently deployed or updated.
B.The DLP policy requires administrator override for sharing.
C.The DLP policy is applied only to SharePoint Online, not OneDrive.
D.The DLP policy does not include Microsoft Teams.
AnswerA

The policy with block action was likely applied after the previous successful share.

Why this answer

The most likely reason is that the DLP policy was recently deployed or updated. DLP policies in Microsoft 365 are evaluated in near real-time, and a newly deployed or modified policy will immediately enforce its rules on content sharing. Since the document was shared successfully last week, the policy change is the most plausible cause for the sudden block.

Exam trap

The trap here is that candidates may assume DLP policies are static and only apply to new content, but Microsoft 365 DLP policies are dynamic and can affect existing shares when deployed or updated.

How to eliminate wrong answers

Option B is wrong because DLP policies do not require an administrator override for sharing; they either block or allow sharing based on policy rules, and an override is an optional feature that must be explicitly configured. Option C is wrong because DLP policies in Microsoft 365 can be applied to both SharePoint Online and OneDrive for Business, and the exhibit shows a policy that includes OneDrive. Option D is wrong because the question is about sharing from OneDrive for Business, not Microsoft Teams, and the policy's inclusion of Teams is irrelevant to the reported issue.

748
MCQeasy

Your organization uses Microsoft Purview Communication Compliance to detect inappropriate messages in Microsoft Teams. You need to configure a policy that monitors for potential harassment based on a built-in classifier. The policy should alert designated reviewers when a match is found. What is the minimum configuration required?

A.Create a communication compliance policy, select the built-in harassment classifier, specify the users to monitor, and assign reviewers.
B.Create a retention policy for Teams messages, then create a communication compliance policy with the harassment classifier.
C.Create a DLP policy that blocks harassment, then configure communication compliance to review DLP alerts.
D.Apply a sensitivity label to all Teams messages, then create a communication compliance policy that scans for the label.
AnswerA

This is the minimum configuration needed.

Why this answer

Option A is correct because a communication compliance policy requires selecting a classifier (e.g., the built-in harassment classifier), choosing the scanning direction (inbound/outbound/internal), and selecting the users to monitor and the reviewers. Option B is wrong because a retention policy is not required; communication compliance works independently. Option D is wrong because a sensitivity label is not required for monitoring. Option C is wrong because a DLP policy is a separate feature.

749
Multi-Selecthard

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?

Select 2 answers
A.EmailEvents and EmailUrlInfo
B.EmailEvents and DeviceNetworkEvents
C.EmailUrlInfo and DeviceNetworkEvents
D.EmailAttachmentInfo and DeviceProcessEvents
AnswersB, C

This combination lacks the URL click info from EmailUrlInfo that indicates the user clicked the link.

Why this answer

Option C is correct because detecting a user clicking a link to a known malicious domain from their device requires joining the email URL information (EmailUrlInfo) with the device-level network event (DeviceNetworkEvents). EmailUrlInfo contains the URLs from emails, and DeviceNetworkEvents records outbound network connections from devices, including the destination domain. Joining these tables on the URL or domain allows you to correlate the email link with the subsequent device click event.

Exam trap

The trap here is that candidates often assume EmailEvents contains all necessary email data, but the click event requires device-level network logs, and the specific URL must be matched via EmailUrlInfo, not just the email metadata.

750
MCQmedium

Your organization uses Microsoft Purview eDiscovery (Premium) for a legal investigation. You need to collect data from Microsoft Teams chat messages and channel conversations. The case manager wants to search for specific keywords and exclude irrelevant content. What should you do?

A.Use Content Search (Standard) with keyword queries.
B.Create a DLP policy to capture matching content.
C.Use Communication Compliance to review messages.
D.Create a collection in eDiscovery (Premium) with a KQL query to search Teams data.
AnswerD

eDiscovery Premium supports Teams data and advanced queries.

Why this answer

Option D is correct because eDiscovery (Premium) allows searching Teams chats and channels with keyword queries and conditions. Option B is wrong because DLP is for preventing data loss, not discovery. Option A is wrong because Content Search (Standard) is less powerful and may not support advanced filtering. Option C is wrong because Communication Compliance is for monitoring, not discovery.
