Microsoft 365 Administrator MS-102 (MS-102) — Questions 751–825

975 questions total · 13 pages · All types, answers revealed

Page 11 of 13
751 (MCQ, hard)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically blocks downloads of files containing sensitive information from SharePoint Online to unmanaged devices. What type of policy should you create?

A. Session policy
B. Microsoft Purview Data Loss Prevention policy
C. Activity policy
D. File policy
Answer: A

Correct: Session policies can block downloads based on content inspection.

Why this answer

Session policies in Defender for Cloud Apps can monitor and control user sessions in real time, including blocking downloads based on content inspection. Option D is wrong because file policies are for alerts and governance actions on files at rest. Option C is wrong because activity policies trigger on events but do not control sessions.

Option B is wrong because Microsoft Purview DLP is a broader tool, not a specific Defender for Cloud Apps policy type for this scenario.

752 (MCQ, medium)

You are configuring a network security policy in Microsoft Defender for Cloud Apps. The exhibit shows a policy to block traffic from known Tor exit nodes. However, the policy is not blocking traffic from IP 185.220.101.5. What is the most likely reason?

A. The action is set to Alert only, not block.
B. The IP address is not in the specified subnet.
C. The protocol condition is too restrictive.
D. The source address condition is missing a wildcard.
E. Another policy with a higher priority is allowing the traffic.
Answer: E

A policy with a lower priority number (higher priority) may be allowing the traffic.

Why this answer

Option E is correct because the policy order must be set to a higher priority (lower number) for it to be evaluated first; another policy with a higher priority is allowing the traffic. Option A is wrong because the action is AlertAndBlock. Option B is wrong because the IP is within the range.

Option C is wrong because the protocol is Any. Option D is wrong because the source address condition is correct.

753 (MCQ, easy)

Your company is using Microsoft 365 Business Premium. You want to ensure that all company-owned Windows 10 devices are automatically upgraded to Windows 11 when it becomes available through Windows Update. What should you configure?

A. Create a Windows 10 update ring policy in Intune that deploys quality updates.
B. Create a feature update policy for Windows 10 devices in Intune, targeting the Windows 11 version.
C. Create a device compliance policy in Intune that requires Windows 11.
D. Configure a Windows 11 readiness assessment in Microsoft Intune.
Answer: B

Feature update policies allow you to deploy OS feature upgrades.

Why this answer

A feature update policy in Intune is specifically designed to upgrade Windows devices from one version to another, such as from Windows 10 to Windows 11. By targeting the Windows 11 version in this policy, you ensure that eligible Windows 10 devices automatically receive the upgrade when it becomes available via Windows Update. This is the correct mechanism for controlling OS version upgrades in a Microsoft 365 Business Premium environment.

Exam trap

The trap here is that candidates often confuse update ring policies (which handle quality updates and deferral settings) with feature update policies (which are required for OS version upgrades), leading them to select option A instead of B.

How to eliminate wrong answers

Option A is wrong because a Windows 10 update ring policy for quality updates only manages monthly cumulative and security patches, not feature upgrades like moving from Windows 10 to Windows 11. Option C is wrong because a device compliance policy enforces security and configuration requirements on devices that are already enrolled, but it cannot trigger an OS upgrade; it only reports non-compliance if the OS version does not match the policy. Option D is wrong because a Windows 11 readiness assessment in Intune only evaluates hardware compatibility and provides a report, but it does not configure or deploy the actual upgrade to devices.

754 (MCQ, medium)

Your organization uses Microsoft Entra ID and has enabled Microsoft Entra Domain Services (Azure AD DS). You need to ensure that legacy applications that require NTLM authentication can still authenticate against the managed domain. What should you configure?

A. Configure Kerberos delegation
B. Disable NTLM v1 authentication on the managed domain
C. Enable NTLM v1 authentication on the managed domain
D. Enable password hash synchronization for the managed domain
Answer: C

This allows legacy apps to use NTLM.

Why this answer

Legacy applications that require NTLM authentication must have NTLM v1 enabled on the managed domain because Azure AD DS, by default, disables NTLM v1 for security reasons. Enabling NTLM v1 allows these older applications to authenticate against the managed domain using the NTLM protocol, which is necessary when Kerberos is not supported.

Exam trap

The trap here is that candidates often confuse enabling NTLM v1 with disabling it for security, or think that password hash synchronization alone enables NTLM authentication, but the key is that NTLM v1 must be explicitly enabled on the managed domain for legacy apps that require it.

How to eliminate wrong answers

Option A is wrong because Kerberos delegation is used for constrained or unconstrained delegation of Kerberos authentication, not for enabling NTLM authentication for legacy apps. Option B is wrong because disabling NTLM v1 would prevent legacy applications that require NTLM from authenticating, which is the opposite of what is needed. Option D is wrong because password hash synchronization is already required for Azure AD DS to function and does not control which authentication protocols are enabled on the managed domain.

755 (MCQ, medium)

An administrator needs to delegate the ability to view sign-in logs, audit logs, and security recommendations to a junior admin without granting any other administrative permissions. The junior admin should not be able to reset passwords or modify settings. Which built-in Microsoft Entra role should the administrator assign?

A. Global Reader
B. Security Reader
C. Reports Reader
D. Security Administrator
Answer: B

Security Reader provides targeted read-only access to security features, including Azure AD sign-in logs, audit logs, and Microsoft 365 Defender recommendations. It is designed for monitoring without additional permissions.

Why this answer

The Security Reader role in Microsoft Entra ID is specifically designed to grant read-only access to security-related data, including sign-in logs, audit logs, and security recommendations, without allowing any write operations such as password resets or configuration changes. This makes it the correct choice for delegating visibility into security monitoring without administrative control.

Exam trap

The trap here is that candidates often confuse 'Reports Reader' (a non-existent role in Entra ID) with the actual Security Reader role, or they assume Global Reader includes all read permissions, forgetting that security-specific logs require a dedicated role.

How to eliminate wrong answers

Option A (Global Reader) is wrong because while it provides read-only access to many settings, it does not grant access to sign-in logs or audit logs by default; those require the Security Reader or a more privileged role. Option C (Reports Reader) is wrong because this role does not exist in Microsoft Entra ID; the closest is 'Reports Reader' in Exchange Online, which is unrelated to Entra ID sign-in or audit logs. Option D (Security Administrator) is wrong because it includes write permissions, such as the ability to modify security policies and reset passwords, which violates the requirement to only view logs and recommendations.

756 (MCQ, medium)

An organization is involved in a legal case and needs to preserve all emails in a user's mailbox, including future emails, without deleting or modifying them. The user must continue to work normally. Which Microsoft Purview feature should be applied to the user's mailbox?

A. Litigation Hold
B. Retention policy
C. Sensitivity label
D. Data Loss Prevention (DLP)
Answer: A

Correct. Litigation Hold preserves all mailbox content for legal purposes without interrupting user productivity.

Why this answer

Litigation Hold (option A) is the correct feature because it preserves all mailbox content, including future emails, in its original state without allowing deletion or modification by users or automated processes. Unlike a retention policy, Litigation Hold places the entire mailbox on indefinite hold, ensuring that any item changed or deleted by the user is retained in the Recoverable Items folder, while the user continues to work normally. This meets the legal preservation requirement without disrupting daily operations.

Exam trap

Microsoft often tests the distinction between Litigation Hold and Retention Policy, where candidates mistakenly choose Retention Policy because they think it 'retains' data, but they miss that Retention Policy can delete data after a period, whereas Litigation Hold preserves everything indefinitely without deletion.

How to eliminate wrong answers

Option B (Retention policy) is wrong because retention policies are designed to manage data lifecycle by deleting or retaining items based on age or rules, not to preserve all content indefinitely for legal hold; they can delete items after a specified period, which violates the preservation requirement. Option C (Sensitivity label) is wrong because sensitivity labels classify and protect data based on sensitivity (e.g., encryption or marking), but they do not prevent deletion or modification of emails, nor do they preserve mailbox content for legal purposes. Option D (Data Loss Prevention (DLP)) is wrong because DLP policies detect and prevent accidental sharing of sensitive information (e.g., credit card numbers) but do not impose holds or preserve mailbox items; they focus on data exfiltration prevention, not legal preservation.

757 (Multi-Select, hard)

Which THREE actions can be taken by a Microsoft Purview Data Loss Prevention (DLP) policy in Exchange Online?

Select 3 answers
A. Block the email from being sent
B. Allow the sender to override the block
C. Block all emails from the sender
D. Notify the sender with a policy tip
E. Encrypt the email message
Answers: A, D, E

DLP can block the email.

Why this answer

DLP policies in Exchange Online can block sending, encrypt the message, and notify the sender with a policy tip. Justifying override is not an action; it's a user response. Blocking all emails is not granular; DLP actions are rule-based.

758 (Multi-Select, hard)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A security incident involves a user who accessed a malicious link from an email and then uploaded sensitive data to an external cloud app. Which THREE Microsoft Defender XDR components would provide relevant alerts and insights for this incident?

Select 3 answers
A. Microsoft Defender for Office 365
B. Microsoft Defender XDR incident correlation
C. Microsoft Sentinel
D. Microsoft Defender for Identity
E. Microsoft Defender for Cloud Apps
Answers: A, B, E

Provides email security alerts.

Why this answer

Correct: A, B, and E. Defender for Office 365 alerts on malicious links in email; Defender for Cloud Apps alerts on data upload to external apps; Microsoft Defender XDR correlates them into a single incident. Option D is wrong because Defender for Identity focuses on identity-related threats, not email or cloud app data upload.

Option C is wrong because Microsoft Sentinel is a SIEM, not a component of Defender XDR.

759 (MCQ, medium)

A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?

A. Exchange Online Protection (EOP)
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: A

EOP includes connection filtering and IP allow/block lists to block malicious senders at the mail transport level.

Why this answer

Exchange Online Protection (EOP) is the cloud-based email filtering service that protects Exchange Online mailboxes from spam, malware, and malicious IP addresses. It includes connection filtering, which can automatically block messages from specified IP addresses by using the default connection filter policy or custom IP Allow/Block lists. This makes EOP the correct component for blocking malicious IPs from sending email to Exchange Online.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Endpoint (which handles device-level threats) with email security, or assume that Defender for Cloud Apps (a CASB) can filter inbound email, when in fact only EOP provides the connection filtering and IP block list functionality for Exchange Online mail flow.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not email traffic filtering or IP-based blocking for Exchange Online. Option C (Microsoft Defender for Identity) is wrong because it monitors on-premises Active Directory for identity-based threats (e.g., lateral movement, privilege escalation), not inbound email from IP addresses. Option D (Microsoft Defender for Cloud Apps) is wrong because it provides cloud access security broker (CASB) capabilities for SaaS applications, including shadow IT discovery and app permissions, but does not directly block IP addresses from sending email to Exchange Online.

760 (MCQ, hard)

You are reviewing a Conditional Access session control configuration in Microsoft Entra ID. Based on the exhibit, what is the expected behavior when a user signs in?

A. The user is blocked from accessing the application unless they have a compliant device.
B. The user is prompted to reauthenticate every hour.
C. The user must reauthenticate every time they access the application, and session monitoring is enabled.
D. The session is not monitored because cloud app security is null.
Answer: C

Sign-in frequency 'EveryTime' forces reauthentication, and cloud app security is enabled in monitor-only mode.

Why this answer

The sign-in frequency is set to 'EveryTime', so the user must reauthenticate every time. Cloud app security is set to monitor only, so session monitoring is enabled but not enforced. Option A is wrong because the user is not blocked.

Option B is wrong because the frequency is every time, not every hour. Option D is wrong because cloud app security is explicitly enabled.

761 (MCQ, medium)

Your organization uses Microsoft 365 Defender for Office 365. You need to ensure that phishing emails reported by users are automatically submitted for analysis in Microsoft Defender XDR. What should you configure?

A. Modify the anti-phishing policy to include user-reported submissions.
B. Use the Attack simulation training to collect user reports.
C. Enable Safe Attachments policy to automatically submit reported messages.
D. Configure the User-reported messages settings in the Microsoft 365 Defender portal.
Answer: D

This setting controls how user-reported messages are submitted for analysis.

Why this answer

The User-reported messages settings in the Microsoft 365 Defender portal allow you to configure how user-reported phishing emails are handled. By enabling automatic submission to Microsoft for analysis, you ensure that reported messages are sent directly to the Microsoft security team for threat intelligence and policy tuning. This is the correct setting because it specifically controls the submission behavior for user-reported messages in Defender for Office 365.

Exam trap

The trap here is that candidates often confuse the anti-phishing policy (which handles detection settings) with the User-reported messages settings (which handles submission of user-reported emails), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because the anti-phishing policy controls protection settings like spoof intelligence and impersonation detection, not the submission of user-reported messages for analysis. Option B is wrong because Attack simulation training is used to create and manage simulated phishing campaigns, not to automatically submit real user-reported emails to Microsoft. Option C is wrong because Safe Attachments policy handles the scanning of email attachments in a sandbox environment, not the submission of user-reported messages for analysis.

762 (MCQ, easy)

Your company has a Microsoft 365 E5 tenant. You need to ensure that all external emails are marked with a warning banner at the top of the email body. What should you configure?

A. A Safe Attachments policy in Microsoft Defender for Office 365.
B. External email tagging in the Microsoft 365 Defender portal.
C. A DLP policy with a sensitive information type.
D. A mail flow rule (transport rule) to add a disclaimer.
Answer: D

Transport rules can append a warning banner to external emails.

Why this answer

Option D is correct because a mail flow rule (transport rule) in Exchange Online can be configured to prepend a disclaimer (warning banner) to the body of all external emails. This is the only mechanism that directly modifies the email body content for inbound or outbound messages based on sender/recipient criteria, such as when the sender is external to the organization.

Exam trap

The trap here is that candidates confuse 'external email tagging' (which adds a header or subject prefix) with adding a visible banner inside the email body, leading them to choose Option B instead of the correct mail flow rule.

How to eliminate wrong answers

Option A is wrong because Safe Attachments policies in Microsoft Defender for Office 365 are designed to detect and block malicious attachments, not to add visual warning banners to email bodies. Option B is wrong because External email tagging in the Microsoft 365 Defender portal adds an external tag to the email subject line or as a header, not a banner within the email body. Option C is wrong because a DLP policy with a sensitive information type is used to detect and protect sensitive data (e.g., credit card numbers) and can apply actions like blocking or notifying, but it cannot add a custom warning banner to the top of the email body.

763 (MCQ, hard)

Your company is planning to adopt Microsoft Copilot for Microsoft 365. The security team is concerned about data leakage. What must you implement to ensure that Copilot respects your organization's sensitivity labels and data classification?

A. Use Microsoft Defender for Cloud Apps to control Copilot
B. Configure Data Loss Prevention (DLP) policies
C. Deploy Microsoft Purview Information Protection with sensitivity labels
D. Enable Customer Lockbox
Answer: C

Copilot respects sensitivity labels to prevent data leakage.

Why this answer

Microsoft Purview Information Protection with sensitivity labels is the correct answer because Copilot for Microsoft 365 uses these labels to enforce data governance at the content level. When a sensitivity label is applied to a document or email, Copilot respects that label's encryption, marking, and access restrictions, preventing the model from generating responses that leak classified data. This is the foundational mechanism for ensuring Copilot adheres to your organization's data classification policies.

Exam trap

The trap here is that candidates often confuse DLP policies (which monitor and block data in transit or at rest) with sensitivity labels (which define and enforce data classification at the content level), leading them to choose DLP as the solution for controlling Copilot's behavior.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that provides visibility and control over cloud app usage, but it does not directly enforce sensitivity labels within Copilot's processing pipeline. Option B is wrong because Data Loss Prevention (DLP) policies detect and prevent sharing of sensitive data after it is created, but they do not control how Copilot accesses or uses labeled content at the time of generation. Option D is wrong because Customer Lockbox provides a control mechanism for Microsoft support personnel to access your data, but it has no role in governing how Copilot respects sensitivity labels or classification.

764 (MCQ, easy)

Your organization is deploying Microsoft 365 for a multinational company. You need to ensure users in different regions authenticate against the nearest Microsoft Entra ID endpoint for performance. What should you configure?

A. Add the appropriate regional subdomain (e.g., us.contoso.com) as a custom domain.
B. No additional configuration is required; Microsoft Entra ID automatically routes to the nearest endpoint.
C. Create a conditional access policy to route authentication to the nearest region.
D. Configure a traffic manager profile in Azure to route authentication requests.
Answer: B

Microsoft Entra ID uses global load balancing to direct users to the closest endpoint.

Why this answer

Microsoft Entra ID (formerly Azure AD) uses a global anycast network to automatically route authentication requests to the nearest available endpoint based on DNS resolution and network latency. No additional configuration is required because Entra ID's infrastructure is designed to provide optimal performance globally without manual traffic management.

Exam trap

The trap here is that candidates often overthink performance optimization and assume manual configuration (like custom domains or traffic managers) is needed, when Microsoft Entra ID's built-in anycast routing automatically handles regional proximity without any tenant-side setup.

How to eliminate wrong answers

Option A is wrong because adding a regional subdomain as a custom domain does not affect authentication routing; custom domains are used for user principal name (UPN) suffixes and email addresses, not for directing traffic to regional endpoints. Option C is wrong because Conditional Access policies control access based on conditions like location or device state, not the physical routing of authentication traffic to a nearest region. Option D is wrong because Azure Traffic Manager is used for load-balancing traffic to custom endpoints (e.g., web apps), but Microsoft Entra ID's authentication endpoints are managed by Microsoft and cannot be redirected via a Traffic Manager profile.

765 (MCQ, medium)

An organization has registered the domain contoso.com and added it to their Microsoft 365 tenant. What is the next step to use this domain for user email addresses?

A. Add a DNS TXT record provided by Microsoft to the domain registrar
B. Create user accounts with the new domain
C. Configure Exchange Online connectors
D. Set up MX records for email routing
Answer: A

Domain verification requires adding a specific TXT record to prove ownership of the domain.

Why this answer

After adding a custom domain to Microsoft 365, the domain's ownership must be verified by adding a specific DNS TXT record provided by Microsoft at the domain registrar. This verification proves you control the domain and is a prerequisite before you can assign user email addresses or configure other DNS records like MX. Without this step, Microsoft 365 will not trust the domain for email routing.

Exam trap

The trap here is that candidates often confuse domain verification (TXT record) with mail routing (MX record) and assume MX records are the immediate next step, but Microsoft 365 requires ownership proof before any DNS-based services can be configured.

How to eliminate wrong answers

Option B is wrong because creating user accounts with the new domain before verification will fail; Microsoft 365 rejects unverified domains for user creation. Option C is wrong because configuring Exchange Online connectors is an advanced step for hybrid or third-party mail flow, not the immediate next step after adding a domain. Option D is wrong because setting up MX records for email routing is done after domain verification, as MX records are used to direct incoming mail and require a verified domain to function correctly.

766 (MCQ, easy)

An administrator needs to configure the default anti-spam policy for all users in the Microsoft 365 Defender portal. Where should the administrator navigate to find these settings?

A. Email & collaboration > Policies & rules > Threat policies > Anti-spam
B. Email & collaboration > Policies & rules > Threat policies > Anti-phishing
C. Email & collaboration > Policies & rules > Threat policies > Anti-malware
D. Email & collaboration > Policies & rules > Threat policies > Safe Attachments
Answer: A

This is the correct location to manage anti-spam policies.

Why this answer

The default anti-spam policy is configured under Email & collaboration > Policies & rules > Threat policies > Anti-spam in the Microsoft 365 Defender portal. This is the correct location because anti-spam settings, including the default policy that applies to all users, are managed specifically within the Anti-spam section of Threat policies. The other options address different threat protection areas (anti-phishing, anti-malware, Safe Attachments) that do not contain spam filtering configurations.

Exam trap

The trap here is that candidates often confuse the Anti-spam policy with Anti-phishing or Anti-malware policies because all are under Threat policies, but each addresses a distinct security layer, and the question specifically asks for spam configuration.

How to eliminate wrong answers

Option B is wrong because Anti-phishing policies handle protection against phishing attacks, not spam filtering, and include settings like impersonation protection and spoof intelligence. Option C is wrong because Anti-malware policies manage malware detection and quarantine actions for malicious files, not spam classification. Option D is wrong because Safe Attachments policies are part of Microsoft Defender for Office 365 and focus on scanning email attachments in a sandbox environment, not on spam filtering.

767 (Multi-Select, medium)

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure an automated investigation and response (AIR) policy to automatically remediate threats on devices. Which two actions can be taken automatically without requiring administrator approval? (Choose two.)

Select 2 answers
A. Quarantine file
B. Block URL
C. Run antivirus scan
D. Isolate device
E. Collect investigation package
Answers: A, D

Quarantine file can be automated in AIR.

Why this answer

Options A and D are correct because 'Quarantine file' and 'Isolate device' are both remediation actions that can be set to run automatically depending on the automation level. Option C is wrong because 'Run antivirus scan' is typically an investigation action, not a remediation action. Option E is wrong because 'Collect investigation package' is an investigation action.

Option B is wrong because 'Block URL' is a remediation action but often requires approval.

768 (MCQ, hard)

A tenant administrator runs the above PowerShell command to create a Conditional Access policy. Users on iOS and Android devices report that they are still prompted for MFA, but the policy is intended to exclude those platforms. What is the issue?

A. The policy does not apply to iOS and Android because they are not listed in IncludeApplications.
B. The policy creation failed due to invalid syntax.
C. The policy requires MFA for all apps, overriding the platform exclusion.
D. The ExcludePlatforms parameter is placed incorrectly in the JSON body; it should be under conditions.platforms.excludePlatforms.
Answer: D

The correct structure requires the excludePlatforms under conditions.

Why this answer

The exhibit places 'ExcludePlatforms' at the top level of the request body. When creating a policy with the New-MgIdentityConditionalAccessPolicy cmdlet, the platform exclusion must be expressed in the body as 'conditions' > 'platforms' > 'excludePlatforms'; a top-level 'ExcludePlatforms' property is not part of that structure and is ignored.

Therefore, the policy applies to all platforms, including iOS and Android, and Option D is correct. Option B is wrong because the policy is successfully created.

Option C is wrong because MFA is enforced as intended for the other platforms. Option A is wrong because the policy does apply to iOS and Android.

769 (MCQ, medium)

You are the Microsoft 365 administrator for a multinational company. The company has deployed Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. Recently, the security team detected that a user's credentials were compromised and used to access SharePoint Online from an unusual location. You need to investigate the incident and determine the full scope of the breach. The solution must use Microsoft 365 Defender to correlate events. What should you do first?

A. Use the Microsoft Purview compliance portal to search for the user's activity in audit logs.
B. Use advanced hunting in Microsoft 365 Defender portal to query for events related to the user across workloads.
C. Use Microsoft Defender for Cloud Apps to investigate the user's activity log.
D. Use Microsoft Sentinel to query the user's events from the workspace.
Answer: B

Advanced hunting allows correlation of events from Defender for Office 365, Defender for Cloud Apps, and Microsoft Entra ID.

Why this answer

Option B is correct because advanced hunting in the Microsoft 365 Defender portal allows you to query raw, cross-workload telemetry (e.g., from Identity, Exchange Online, SharePoint Online, and Defender for Cloud Apps) in a single Kusto Query Language (KQL) query. This is the most efficient first step to correlate events such as sign-ins, mailbox access, file downloads, and app sessions related to the compromised user, enabling you to determine the full scope of the breach across all Microsoft 365 services.

Exam trap

The trap here is that candidates often default to the audit log (Option A) because it is familiar from compliance scenarios, but the question explicitly requires correlation across workloads using Microsoft 365 Defender, which is only possible with advanced hunting's cross-table queries.

How to eliminate wrong answers

Option A is wrong because the Microsoft Purview compliance portal audit log search provides a limited, filtered view of audit records and does not natively correlate events across workloads like Identity, Defender for Cloud Apps, or advanced threat signals; it also lacks the raw telemetry and cross-query capabilities of advanced hunting. Option C is wrong because Microsoft Defender for Cloud Apps activity logs are scoped to cloud app sessions and do not include identity, mailbox, or endpoint events from other Defender workloads, making it insufficient for a full cross-workload investigation. Option D is wrong because Microsoft Sentinel is a separate SIEM that requires additional licensing, configuration, and data ingestion from Microsoft 365 Defender; it is not the first tool to use when the goal is to correlate events within the Microsoft 365 Defender portal itself.

770 (MCQ, easy)

Your organization uses Microsoft Entra ID and wants to allow users to reset their own passwords using self-service password reset (SSPR). What is the minimum licensing required?

A. Microsoft Entra ID P2
B. Microsoft 365 Business Basic
C. Microsoft Entra ID Free
D. Microsoft Entra ID P1
Answer: B

Any paid Microsoft 365 license includes Azure AD Free, which provides SSPR for cloud users.

Why this answer

Microsoft Entra ID Free includes self-service password reset (SSPR) for cloud-only users. Since the question does not specify hybrid or on-premises requirements, the minimum licensing needed is the free tier. Microsoft 365 Business Basic includes Entra ID Free, making it a valid minimum licensing option that provides SSPR for cloud users.

Exam trap

The trap here is that candidates assume SSPR always requires a premium license (P1 or P2) because they think of hybrid scenarios or advanced features, but the free tier fully supports SSPR for cloud-only users.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID P2 includes additional features like Identity Protection and Privileged Identity Management, but SSPR for cloud users is already available in the free tier, so P2 is not the minimum. Option C is wrong because Microsoft Entra ID Free is a licensing tier, not a product name that includes a Microsoft 365 subscription; the question asks for licensing, and while Entra ID Free provides SSPR, it is not a standalone license for users—users need a subscription like Microsoft 365 Business Basic that includes Entra ID Free. Option D is wrong because Microsoft Entra ID P1 adds features like Conditional Access and dynamic groups, but SSPR for cloud users does not require P1; the free tier suffices.

771
Multi-Selecthard

Your company uses Microsoft Defender for Endpoint and wants to perform a live response on a device. Which THREE prerequisites must be met?

Select 3 answers
A.The user must be assigned a role that includes live response permissions
B.The device must be running a supported operating system (e.g., Windows 10 or newer)
C.The device must be managed by Microsoft Intune
D.The device must have Microsoft Defender Antivirus as the primary antivirus solution
E.The device must be onboarded to Microsoft Defender for Endpoint
AnswersA, B, E

Permissions are required to initiate live response sessions.

Why this answer

Option A is correct because live response in Microsoft Defender for Endpoint requires the user to be assigned a role that includes specific live response permissions, such as 'Live response' or 'Live response advanced' under the Microsoft 365 Defender role-based access control (RBAC). Without these permissions, the user cannot initiate a live response session, regardless of other configurations.

Exam trap

The trap here is that candidates often assume Intune management is required for live response, but Microsoft only requires the device to be onboarded to Defender for Endpoint and running a supported OS, with the user having the correct RBAC permissions.

772
Multi-Selecteasy

Which TWO of the following are features of Microsoft Entra ID Identity Protection? (Choose two.)

Select 2 answers
A.Sign-in risk policy that can block risky sign-ins.
B.Risk detections such as leaked credentials and anonymous IP address.
C.Conditional Access policies integration.
D.User risk policy that can block sign-ins or require password change.
E.Advanced Threat Protection (ATP) for identities.
AnswersA, D

Sign-in risk policies are part of Identity Protection.

Why this answer

Option A is correct because Microsoft Entra ID Identity Protection includes a sign-in risk policy that can automatically block risky sign-ins based on real-time risk levels (e.g., high, medium, low). This policy evaluates sign-in risk detections and enforces actions such as blocking access or requiring multi-factor authentication (MFA) without manual intervention.

Exam trap

The trap here is that candidates confuse the risk detection types (like leaked credentials) with the policy features that act on those detections, leading them to select Option B as a feature instead of recognizing that the actual features are the sign-in risk policy and user risk policy (Options A and D).

773
MCQmedium

A compliance officer needs to prevent users from accidentally sharing documents containing credit card numbers with external users via email. The block should occur at the time the user attempts to send the email. Which Microsoft Purview feature should be configured?

A.Communication compliance
B.Data Loss Prevention (DLP)
C.Records management
D.Insider risk management
AnswerB

DLP policies can be configured to detect sensitive info types in email and block the message from being sent, with options to allow override.

Why this answer

Data Loss Prevention (DLP) is the correct feature because it is specifically designed to inspect email content in transit for sensitive data patterns, such as credit card numbers, and enforce policy actions like blocking the message at the transport layer. In Microsoft Purview, DLP policies can be configured to scan Exchange Online messages in real time using sensitive information types (e.g., Credit Card Number) and apply a block action with an optional policy tip to the user before the email leaves the outbound queue.

Exam trap

The trap here is that candidates often confuse Communication compliance (which also monitors email) with DLP, but Communication compliance is a reactive auditing tool for policy violations, not a proactive, inline blocking mechanism for sensitive data.

How to eliminate wrong answers

Option A is wrong because Communication compliance is designed to detect and remediate inappropriate or policy-violating communications (e.g., harassment, insider trading) after they are sent, not to block outbound emails containing sensitive data in real time. Option C is wrong because Records management focuses on classifying, retaining, and disposing of records based on regulatory requirements, not on inspecting or blocking email content during transmission. Option D is wrong because Insider risk management uses analytics to identify risky user activities (e.g., data exfiltration patterns) over time, but it does not provide inline blocking of email messages at the moment of sending.

774
MCQeasy

An administrator wants to restrict which users in the organization can create Microsoft 365 groups. The requirement is that only members of the IT department (identified by the department attribute in Azure AD) should be able to create groups. Which configuration should the administrator use?

A.Azure AD > Groups > Group settings > Group creation settings.
B.Azure AD Identity Governance > Access reviews.
C.Azure AD > Groups > Naming policy.
D.Microsoft 365 admin center > Groups > Add group.
AnswerA

This setting allows you to restrict group creation to specific security groups.

Why this answer

Option A is correct because the Azure AD 'Group settings' blade includes a 'Group creation settings' option that allows administrators to restrict group creation to specific security groups. By configuring this setting, the administrator can limit group creation to only members of the IT department, identified by the department attribute in Azure AD, by placing those users into a designated security group.

Exam trap

The trap here is that candidates often confuse the 'Naming policy' (which controls group names) with the 'Group creation settings' (which controls who can create groups), or they mistakenly think that Access Reviews can enforce creation restrictions when it only reviews existing access.

How to eliminate wrong answers

Option B is wrong because Azure AD Identity Governance > Access reviews is used for periodic review and certification of access to groups, applications, and roles, not for controlling who can create groups. Option C is wrong because Azure AD > Groups > Naming policy enforces naming conventions and blocked words for groups, but does not restrict which users can create groups. Option D is wrong because the Microsoft 365 admin center > Groups > Add group is a manual creation interface for administrators and does not provide a tenant-wide policy to restrict group creation to specific users or departments.

775
MCQeasy

You are planning a Microsoft 365 tenant migration from an on-premises Exchange environment. You need to minimize the impact on end users during the migration. Which migration approach should you use?

A.Perform a staged migration to move mailboxes in batches.
B.Deploy a hybrid Exchange configuration.
C.Perform a cutover migration to move all mailboxes at once.
D.Use an IMAP migration to migrate only email data.
AnswerA

Staged migration moves users in batches, minimizing impact.

Why this answer

A staged migration allows you to move mailboxes in batches, which minimizes end-user disruption by spreading the migration workload over time and enabling you to test and validate each batch before proceeding. This approach is ideal for organizations with many mailboxes that need to maintain continuity, as users in later batches remain fully functional in the on-premises environment until their turn.

Exam trap

The trap here is that candidates often mistake a 'hybrid configuration' for a migration method rather than a coexistence state, or they assume 'cutover' is faster and thus less impactful, when in reality it causes the most disruption because every mailbox moves at once.

How to eliminate wrong answers

Option B is wrong because deploying a hybrid Exchange configuration is not a migration method itself; it establishes coexistence between on-premises and Exchange Online, which can be used with other migration types but adds complexity and is unnecessary if the goal is simply to minimize user impact during a full migration. Option C is wrong because a cutover migration moves all mailboxes at once, which causes a hard cutover with potential downtime and user disruption, making it unsuitable for minimizing impact. Option D is wrong because an IMAP migration only migrates email data (not calendar, contacts, or tasks) and does not support mailbox batching, leading to a less seamless user experience and missing critical mailbox items.

776
MCQhard

Your company uses Microsoft Entra ID with hybrid joined devices. You need to enforce multi-factor authentication (MFA) for all cloud app access but want to exclude specific locations (trusted IPs). What is the most efficient way to implement this?

A.Use Microsoft Intune to enforce MFA for all corporate devices
B.Enable per-user MFA and exclude trusted IPs in the MFA service settings
C.Configure a user risk policy in Microsoft Entra ID Protection to require MFA when risk is medium or higher
D.Create a Conditional Access policy targeting all cloud apps, requiring MFA, with a condition to exclude trusted IPs
AnswerD

Conditional Access allows granular control including location exclusions.

Why this answer

Conditional Access is the correct approach to enforce MFA with location exclusions. Option A is wrong because Microsoft Intune is not a valid MFA enforcement method. Option B is wrong because per-user MFA does not support location exclusions. Option C is incorrect because Microsoft Entra ID Protection is for risk-based policies, not trusted IPs.

777
Multi-Selecteasy

Your company is planning to use Microsoft 365 Copilot for Microsoft 365. Which THREE prerequisites are required for Copilot to function? (Choose three.)

Select 3 answers
A.Microsoft Entra ID (formerly Azure AD)
B.Microsoft Sentinel for security monitoring
C.Microsoft Intune for mobile device management
D.A Copilot for Microsoft 365 license assigned to each user
E.An active Microsoft 365 subscription (E3, E5, Business Premium, etc.)
AnswersA, D, E

Entra ID provides identity and authentication.

Why this answer

Microsoft Entra ID (formerly Azure AD) is required because Copilot for Microsoft 365 relies on Entra ID for authentication, identity management, and policy enforcement. Without Entra ID, Copilot cannot verify user identities, apply conditional access policies, or access Microsoft Graph to retrieve user and organizational data.

Exam trap

The trap here is that candidates confuse optional security or management services (Sentinel, Intune) with mandatory infrastructure (Entra ID), leading them to select non-essential components as prerequisites.

778
MCQmedium

A compliance officer needs to prevent users from sharing documents labeled 'Confidential' via email with external recipients. If a user attempts to send such an email, the action should be blocked and a policy tip displayed. Which Microsoft Purview feature should be configured?

A.Retention labels
B.Data Loss Prevention (DLP) policy
C.Sensitivity labels
D.Information barriers
AnswerB

DLP policies can include rules to detect sensitivity labels and block or warn on email sharing with external users.

Why this answer

A Data Loss Prevention (DLP) policy is the correct Microsoft Purview feature because it is specifically designed to inspect email content and attachments for sensitive information, such as documents labeled 'Confidential', and enforce actions like blocking the email and displaying a policy tip to the user. DLP policies can be configured with conditions that detect sensitivity labels and apply protective actions, including blocking external sharing and notifying users via policy tips.

Exam trap

Microsoft often tests the misconception that sensitivity labels alone can enforce blocking actions, but in reality, sensitivity labels only apply classification and protection (e.g., encryption) and must be combined with a DLP policy to inspect and block outbound email based on those labels.

How to eliminate wrong answers

Option A is wrong because retention labels are used to manage data lifecycle (retain or delete content) and do not have the capability to block email transmission or display policy tips. Option C is wrong because sensitivity labels classify and protect data (e.g., encryption, marking) but do not directly enforce real-time blocking of email sharing with external recipients; DLP policies are required to inspect and block outbound email based on those labels. Option D is wrong because information barriers restrict communication and collaboration between specific groups of users within an organization, not between internal and external recipients, and cannot block email based on document labels or display policy tips.

779
Multi-Selectmedium

You are a Microsoft 365 administrator. You need to ensure that users can reset their own passwords without contacting the help desk. Which TWO components must be configured?

Select 2 answers
A.Configure Microsoft Entra ID Protection user risk policy
B.Microsoft Entra ID P1 or P2 licenses assigned to users
C.Azure AD Connect with password hash synchronization
D.Enable SSPR in the Microsoft Entra admin center
E.Enable password writeback in Azure AD Connect
AnswersB, D

SSPR requires P1 or P2 licensing.

Why this answer

Options B and D are correct. SSPR requires Microsoft Entra ID P1 or P2 licensing, and the SSPR feature must be enabled. Option C is wrong because Azure AD Connect syncs identities but is not required for SSPR.

Option A is wrong because a Microsoft Entra ID Protection user risk policy is not mandatory for SSPR, though it can be configured. Option E is wrong because password writeback is for syncing password changes back to on-premises and is not required for cloud-only users.

780
MCQeasy

Your organization uses Microsoft Entra ID and requires that all guest users must have a mobile phone number registered for authentication. You need to enforce this requirement. What should you configure?

A.Create a Terms of Use policy that guests must accept.
B.Configure a Conditional Access policy requiring multifactor authentication for guest users.
C.Configure the Authentication methods policy to require mobile phone registration for guests.
D.Create an access review for guest users in Identity Governance.
AnswerC

Authentication methods policy can require specific methods to be registered.

Why this answer

Option C is correct because the Authentication methods policy in Microsoft Entra ID allows you to define which authentication methods are available to users, including guest users. By configuring this policy to require mobile phone registration, you enforce that all guest users must register a mobile phone number for authentication, directly addressing the requirement.

Exam trap

The trap here is that candidates confuse requiring multifactor authentication (MFA) with requiring a specific authentication method (mobile phone), but MFA can be satisfied by other methods like email OTP or authenticator app, whereas the Authentication methods policy directly mandates registration of a mobile phone number.

How to eliminate wrong answers

Option A is wrong because a Terms of Use policy requires users to accept terms but does not enforce registration of a mobile phone number for authentication. Option B is wrong because a Conditional Access policy requiring multifactor authentication (MFA) for guest users enforces MFA at sign-in but does not specifically require the registration of a mobile phone number; MFA can be satisfied by other methods like email OTP or authenticator app. Option D is wrong because an access review in Identity Governance is used to review and attest to guest user access rights periodically, not to enforce authentication method registration.

781
MCQeasy

A user is unable to sign in to Microsoft Teams because the account is locked. The administrator needs to unlock the account without resetting the password. What should the administrator do?

A.Disable and re-enable the user
B.Reassign the user's license
C.Reset the user's password
D.Enable the user's account in Microsoft Entra ID
AnswerD

Unlocking the account re-enables sign-in.

Why this answer

When a user account is locked due to failed sign-in attempts, the administrator can unlock it by enabling the account in Microsoft Entra ID (formerly Azure AD) without resetting the password. This action clears the lockout state while preserving the existing password, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates confuse account lockout with account disablement, assuming that toggling the account status (disable/re-enable) will unlock it, when in fact only the 'Enable account' action in Entra ID clears the lockout state without affecting the password.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling the user does not clear the account lockout state; it only toggles the account's enabled status, which may not reset the lockout counter. Option B is wrong because reassigning the user's license does not affect the lockout state; it only changes licensing entitlements and does not unlock the account. Option C is wrong because resetting the user's password is unnecessary and goes against the requirement to unlock the account without changing the password; it forces a password change when only unlocking is needed.

782
Matchingmedium

Match each Microsoft 365 service to its primary purpose.


Concepts
Matches

Email and calendar

Document management and collaboration

Chat, meetings, and collaboration

Personal cloud storage

Enterprise social networking

Why these pairings

These are core Microsoft 365 workloads.

783
MCQmedium

Your organization uses Microsoft Entra ID and has an application that requires the 'User.Read.All' permission. You need to grant this permission to the application but ensure that only an administrator can consent, not users. What should you do?

A.Grant admin consent for the application from the Enterprise applications blade.
B.Enable user consent for this application in the enterprise application settings.
C.Configure the user consent settings to allow user consent for low-risk permissions.
D.Set the 'Consent and permissions' settings to block user consent.
AnswerA

Admin consent grants the permission without user interaction.

Why this answer

Option A is correct because granting admin consent from the Enterprise applications blade explicitly authorizes the application to access the 'User.Read.All' permission without requiring individual user consent. This is the only way to satisfy the requirement that only an administrator can consent, as admin consent bypasses user consent policies entirely and applies tenant-wide.

Exam trap

The trap here is that candidates often confuse blocking user consent (Option D) with granting admin consent, thinking that blocking users automatically grants the permission, but blocking only prevents consent without actually authorizing the application.

How to eliminate wrong answers

Option B is wrong because enabling user consent for this application would allow any user to consent to the 'User.Read.All' permission, which directly contradicts the requirement that only an administrator can consent. Option C is wrong because configuring user consent for low-risk permissions does not apply to 'User.Read.All', which is a high-risk permission (it allows reading all user profiles); users would still be blocked from consenting, but the requirement is to grant the permission, not just block users. Option D is wrong because blocking user consent entirely prevents users from consenting but does not grant the required permission to the application; admin consent must still be explicitly performed.

784
MCQhard

You are a security administrator. You need to configure a Microsoft Defender for Endpoint policy that prevents users from running executables from the Temp folder. Which Attack Surface Reduction (ASR) rule should you enable?

A.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
B.Block Office communication application from creating child processes
C.Block process injections originating from Windows executable files
D.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
AnswerD

This rule blocks executables in Temp folder.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' covers Temp folder executables. Option A is wrong because it blocks credential theft from lsass.exe. Option B is wrong because it blocks Office communication applications from creating child processes (macro-driven launches).

Option C is wrong because it blocks process injection.

785
MCQhard

A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?

A.Set the automation level for device isolation to 'Full - automatically remediate threats' in the Advanced Features settings.
B.Create a custom detection rule that triggers on high-severity alerts and uses an automated action.
C.Configure the device isolation action to require approval in the automation level settings.
D.Enable automatic remediation only for medium severity and above.
AnswerA

The automation level controls whether AIR actions like device isolation are executed automatically. 'Full - automatically remediate' allows automatic isolation without manual approval.

Why this answer

Option A is correct because the automation level for device isolation in Microsoft 365 Defender's Advanced Features settings controls whether the AIR playbook executes actions automatically. Setting it to 'Full - automatically remediate threats' ensures that when a high-severity alert triggers the playbook, device isolation is performed without requiring manual approval, meeting the requirement for fully automated response.

Exam trap

The trap here is that candidates often confuse custom detection rules (Option B) with built-in AIR automation levels, or mistakenly think that enabling automatic remediation for a severity range (Option D) automatically applies to all actions, when in fact each action type must be individually configured for full automation.

How to eliminate wrong answers

Option B is wrong because custom detection rules are used for creating custom alerts based on advanced hunting queries, not for configuring the automation level of built-in AIR playbook actions like device isolation. Option C is wrong because configuring device isolation to require approval would prevent automatic execution, contradicting the requirement to run without manual approval. Option D is wrong because enabling automatic remediation only for medium severity and above does not guarantee that high-severity alerts will trigger automatic device isolation; the automation level must be explicitly set to 'Full' for the specific action.

786
Multi-Selectmedium

Which TWO permissions are required for a custom role to manage Conditional Access policies in Microsoft Entra ID?

Select 2 answers
A.microsoft.directory/conditionalAccessPolicies/allProperties/read
B.microsoft.directory/conditionalAccessPolicies/read
C.microsoft.directory/conditionalAccessPolicies/delete
D.microsoft.directory/conditionalAccessPolicies/update
E.microsoft.directory/conditionalAccessPolicies/create
AnswersB, D

Read is required to view policies.

Why this answer

To manage Conditional Access policies in Microsoft Entra ID, a custom role requires both the read and update permissions. The 'read' permission (option B) is necessary to view existing policies, while the 'update' permission (option D) is required to modify or configure policy settings. Without both, the role cannot effectively manage policies, as management implies the ability to change them.

Exam trap

The trap here is that candidates often assume 'create' or 'delete' permissions are needed for management, but Microsoft defines 'manage' as the combination of read and update, not full CRUD access.

787
Multi-Selecthard

A company uses Microsoft Entra ID with conditional access policies. They need to ensure that all external users who are invited via B2B collaboration must perform multi-factor authentication (MFA) when accessing the corporate SharePoint Online site. Which two configurations are required? (Choose two.)

Select 2 answers
A.Create a conditional access policy targeting all guest users, requiring MFA, and scope to SharePoint Online.
B.Enable cross-tenant access settings for the partner tenant to trust MFA claims.
C.Configure the SharePoint Online external sharing settings to require MFA for guest users.
D.Set the guest user access level in the SharePoint admin center to require MFA.
AnswersA, B

This is the primary policy to enforce MFA for guests on the SharePoint app.

Why this answer

Option A is correct because a conditional access policy in Microsoft Entra ID can be configured to target 'Guest or external users' (the 'All guest users' scope) and require multi-factor authentication (MFA) when accessing SharePoint Online. This directly enforces MFA for B2B collaboration users accessing the corporate SharePoint site, as the policy is evaluated at the resource tenant (the tenant hosting SharePoint).

Exam trap

The trap here is that candidates often confuse SharePoint's external sharing settings (which control sharing permissions) with Entra ID conditional access policies (which control authentication requirements), leading them to select Option C or D instead of recognizing that MFA enforcement must be configured at the identity layer via conditional access.

788
Multi-Selectmedium

A compliance officer needs to ensure that all documents uploaded to SharePoint Online that contain passport numbers are automatically labeled with a 'Highly Confidential' sensitivity label. Which two Microsoft Purview features must be configured together to achieve this? (Choose two.)

Select 2 answers
A.Auto-labeling policy for SharePoint Online
B.Data Loss Prevention (DLP) policy
C.Retention label policy
D.Sensitive info type (passport number)
AnswersA, D

Auto-labeling policies automatically apply sensitivity labels to content matching conditions like sensitive info types.

Why this answer

Option A is correct because an auto-labeling policy in Microsoft Purview can automatically apply a sensitivity label to documents containing sensitive information, such as passport numbers, when they are uploaded to SharePoint Online. This policy uses conditions based on sensitive info types to trigger the labeling action without user intervention.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling policies, but DLP does not apply sensitivity labels—it only monitors and blocks data sharing, while auto-labeling is the correct feature for automatic label assignment.

789
MCQhard

Your organization uses Microsoft Purview Information Protection with sensitivity labels. Users complain that when they apply the 'Confidential' label to a document, the footer and header are not applied automatically. The label is configured to have a footer reading 'Confidential' and a header reading 'Sensitive'. What is the most likely cause?

A.The label is configured with encryption, which prevents markings.
B.The label is not published to the users.
C.The sensitivity bar is disabled in the applications.
D.The Microsoft 365 Apps for enterprise client is not configured to apply markings.
AnswerD

Client settings control whether markings are applied.

Why this answer

Option D is correct because automatic marking requires the client to be configured to apply headers and footers. Option A is wrong because encryption does not affect markings. Option B is wrong because users can already select and apply the label, so it is published; the label configuration itself does not depend on client configuration.

Option C is wrong because the sensitivity bar is for selecting labels, not for applying markings.

790
MCQeasy

A company wants to use Azure AD Identity Protection features such as user risk policies and sign-in risk policies to automatically respond to risky behavior. Which Azure AD license is required to enable these capabilities?

A.Azure AD Free
B.Azure AD Premium P1
C.Azure AD Premium P2
D.Microsoft 365 E3
AnswerC

Azure AD Premium P2 is the correct license. It includes all P1 features plus Identity Protection, Privileged Identity Management, and risk-based access policies.

Why this answer

Azure AD Identity Protection features like user risk policies and sign-in risk policies require Azure AD Premium P2. This is because P2 includes Identity Protection, which provides risk-based conditional access policies that automatically respond to detected risks. Azure AD Premium P1 supports Conditional Access but lacks the risk detection and automated remediation capabilities of Identity Protection.

Exam trap

The trap here is that candidates often confuse Azure AD Premium P1 with P2, assuming Conditional Access alone enables risk policies, but P1 lacks the risk detection engine (Identity Protection) required for automated risk-based responses.

How to eliminate wrong answers

Option A is wrong because Azure AD Free provides no Conditional Access or Identity Protection capabilities, only basic directory services. Option B is wrong because Azure AD Premium P1 includes Conditional Access but not Identity Protection; it cannot evaluate user or sign-in risk levels or enforce risk-based policies. Option D is wrong because Microsoft 365 E3 includes Azure AD Premium P1, not P2, and therefore lacks Identity Protection features such as risk policies.

791
MCQmedium

Your organization uses Microsoft Entra ID. You need to ensure that users can only access company resources from trusted networks. Which Conditional Access condition should you configure?

A.Sign-in risk
B.Device platforms
C.Client apps
D.Locations
AnswerD

Locations include trusted IP ranges.

Why this answer

Option D is correct because the locations condition allows targeting trusted networks. Option A is wrong because sign-in risk targets risky sign-ins. Option B is wrong because device platforms target OS types.

Option C is wrong because client apps target app types.

792
MCQeasy

A company has purchased 1000 Microsoft 365 E5 licenses and wants to automatically assign licenses to users based on their department attribute, which is synchronized from on-premises Active Directory. The department attribute is stored in Azure AD. Which automated method should the administrator use to achieve this?

A.Group-based licensing with dynamic groups
B.A scheduled PowerShell script that runs daily
C.Manual license assignment via the Microsoft 365 admin center
D.Bulk assign licenses using the admin center import feature
AnswerA

Correct. Dynamic groups automatically include users based on rules (e.g., department equals 'Sales'), and licenses assigned to the group are automatically applied.

Why this answer

Group-based licensing with dynamic groups is the correct method because it allows automatic license assignment based on user attributes like department, which is synchronized from on-premises Active Directory via Azure AD Connect. Dynamic groups evaluate membership rules in Azure AD, and when a user's department attribute matches the rule, the group-based licensing policy automatically assigns or removes the Microsoft 365 E5 license without manual intervention.

Exam trap

The trap here is that candidates often choose a scheduled PowerShell script (Option B) thinking it is more flexible or reliable, but they overlook that group-based licensing is the native, fully automated, and supported method for attribute-driven license assignment in Azure AD.

How to eliminate wrong answers

Option B is wrong because a scheduled script that runs daily leaves up to a day between a department change and the license change, needs its own identity, secrets and maintenance, and recreates something the directory already does natively; group-based licensing re-evaluates as attributes change and also removes the license when the user leaves the group. Option C is wrong because manual assignment in the Microsoft 365 admin center is not automated and does not scale to 1000 users whose department can change. Option D is wrong because bulk assignment from a CSV is a one-time, static action that does not react to later attribute changes. Two prerequisites the item leaves implicit: dynamic groups and group-based licensing both require Microsoft Entra ID P1 (included in Microsoft 365 E5), and every member needs a usageLocation or the assignment fails for that user.

793
MCQeasy

A user reports they cannot access a SharePoint Online site. They receive an error stating that their account is disabled. You check Microsoft Entra ID and see the user's account is enabled. What is the most likely cause?

A.The user has been configured to require multi-factor authentication
B.The user has been removed from all groups
C.The user is synced from on-premises Active Directory and the on-premises account is disabled
D.The user has been converted to a guest user
AnswerC

A disabled on-premises account will be synced as disabled in the cloud, but the cloud account status might not update immediately.

Why this answer

The most likely cause is that the account is synchronized from on-premises Active Directory and was disabled there. With pass-through authentication or federation, the password is validated by on-premises Active Directory, which rejects a disabled account at sign-in no matter what the cloud object shows. With password hash synchronization, Microsoft Entra Connect copies the on-premises enabled/disabled state into the cloud accountEnabled property on its next sync cycle (every 30 minutes by default), so an administrator who checks between the on-premises change and that sync still sees the cloud account as enabled. Either way the cloud value is a copy, not the source; the fix is on-premises, followed by a sync.

Exam trap

The trap here is treating the cloud accountEnabled property as the only source of truth. For a synced user the on-premises account is authoritative: the cloud value lags by one sync cycle, and with pass-through authentication or federation the on-premises domain controller makes the enabled/disabled decision at sign-in time.

How to eliminate wrong answers

Option A is wrong because requiring multi-factor authentication does not disable an account; it only adds an additional authentication step, and the error message specifically states the account is disabled, not that MFA is needed. Option B is wrong because being removed from all groups does not disable the user account; the user can still access SharePoint Online sites that allow all authenticated users or have direct permissions, and the error would typically be 'access denied' rather than 'account disabled'. Option D is wrong because converting a user to a guest user changes their user type but does not disable their account; guest users can still access resources they are invited to, and the error would not state the account is disabled.

794
Multi-Selectmedium

A compliance administrator needs to automatically apply a retention label to documents in a SharePoint Online site that contain the keyword 'Project Alpha'. The label should retain the documents for 5 years and then delete them. Which two Microsoft Purview features must be configured to achieve this? (Choose two.)

Select 2 answers
A.Trainable classifiers
B.Auto-labeling policy for SharePoint Online
C.Document Fingerprinting
D.Sensitive info type with a keyword dictionary (e.g., 'Project Alpha')
AnswersB, D

Auto-labeling policies can apply retention labels based on conditions, including sensitive info types.

Why this answer

An auto-apply retention label policy for SharePoint Online (option B) applies the label to documents that match a condition without any user action. The custom sensitive information type built from a keyword dictionary (option D) supplies that condition by matching the phrase 'Project Alpha'. Two practitioner notes: auto-apply policies also accept a plain keyword query (KQL) condition, so a sensitive information type is one way to express the match rather than the only one, and auto-application runs in the background and can take up to seven days to reach existing content, so run the policy in simulation mode or against a pilot site before relying on it.

Exam trap

The trap here is that candidates often confuse trainable classifiers with keyword-based sensitive info types, assuming machine learning is needed for any content detection, when in fact a simple keyword dictionary is sufficient and more appropriate for fixed terms.

795
Multi-Selecthard

A security team is investigating a potential ransomware outbreak using Microsoft Defender XDR. They have identified a suspicious PowerShell command that was executed on several devices. The team wants to use Advanced Hunting to find all other activities associated with the same command. Which three columns should they include in their KQL query to effectively correlate the activities? (Choose three.)

Select 3 answers
A.SHA256
B.ProcessId
C.AccountUpn
D.Timestamp
E.DeviceId
AnswersA, B, E

SHA256 identifies the file.

Why this answer

Options A, B and E are correct. DeviceId identifies the device, ProcessId identifies the process on that device, and SHA256 identifies the executable image; together they let you pivot from the process that ran the command to its child processes, network connections, file writes and registry changes across every affected device. Two practical caveats: a ProcessId is only meaningful together with DeviceId and ProcessCreationTime, because process IDs are reused across devices and after reboots, and SHA256 identifies powershell.exe itself, which is the same binary everywhere, so you also filter on ProcessCommandLine (or InitiatingProcessCommandLine in the child tables) to pick out the specific command.

Option C is wrong because AccountUpn identifies who ran the command, not the activity; the same user may be legitimately active elsewhere. Option D is wrong because Timestamp is not an identifier; it bounds the search window but does not correlate events.

796
Multi-Selectmedium

You are implementing Microsoft Entra ID governance for a large enterprise. Which three of the following can be used to enforce access recertification and lifecycle management for users and groups? (Choose three.)

Select 3 answers
A.Microsoft Entra ID Governance access reviews
B.Microsoft Entra ID Identity Governance entitlement management
C.Microsoft Entra ID Identity Governance lifecycle workflows
D.Microsoft Entra ID Privileged Identity Management (PIM) activation settings
E.Microsoft Entra ID Conditional Access policies
F.Microsoft Entra ID multi-factor authentication (MFA) registration campaign
AnswersA, B, C

Access reviews, entitlement management and lifecycle workflows are the Entra ID Governance features that recertify and manage access over time.

Why this answer

Microsoft Entra ID Governance access reviews are correct because they enable administrators to create recurring reviews for group memberships, application access, and role assignments, ensuring that only authorized users retain access. Entitlement management is correct as it automates the lifecycle of access packages, including expiration and recertification policies for groups and applications. Lifecycle workflows are correct because they automate user lifecycle events (e.g., onboarding, offboarding, group membership changes) based on triggers like time-based conditions, enforcing recertification and lifecycle management.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with general identity governance, but PIM focuses on privileged role activation, not broad user/group lifecycle management or recertification.

797
MCQhard

Refer to the exhibit. You are a Microsoft Purview administrator. The exhibit shows the configuration of a sensitivity label. Users report that when they create a document containing a credit card number, the label is automatically applied, but the document is not encrypted. What is the most likely cause?

A.Auto-labeling does not apply encryption; encryption is only applied when the label is applied manually or via a client-side policy.
B.Auto-labeling is not enabled for the label.
C.The Rights Management template ID is missing or invalid.
D.The encryption setting is not enabled in the label configuration.
AnswerA

Auto-labeling in the cloud does not encrypt; encryption requires manual or client-side application.

Why this answer

Option A is correct as the item is framed: the label was applied by a service-side auto-labeling policy, and the page's position is that this path does not encrypt; encryption is applied when the user selects the label or when a client-side auto-labeling policy applies it in the Office apps. Option D is wrong because the exhibit shows the encryption setting enabled in the label. Option C is wrong because the Rights Management template ID is specified.

Option B is wrong because auto-labeling is enabled, which is why the label appears at all. Check the policy type before accepting this explanation in practice: current service-side auto-labeling policies for SharePoint, OneDrive and Exchange can apply labels that encrypt, with exceptions such as labels that let users assign their own permissions and labels that use Double Key Encryption, so a label that is applied but leaves the document unencrypted usually points at one of those exceptions rather than at auto-labeling as such.

798
Multi-Selecthard

Which THREE are valid Microsoft Entra ID license plans that include Identity Protection?

Select 3 answers
A.Microsoft Entra ID P1
B.Microsoft 365 E3
C.Microsoft 365 E5 Security
D.Microsoft 365 E5
E.Microsoft Entra ID P2
AnswersC, D, E

E5 Security add-on includes P2 and Identity Protection.

Why this answer

Microsoft Entra ID Protection is a premium feature that requires Microsoft Entra ID P2, bought either on its own (option E) or inside a suite that bundles it. Option D (Microsoft 365 E5) includes P2. Option C (Microsoft 365 E5 Security) is correct because this add-on also includes Microsoft Entra ID P2, which provides the full Identity Protection feature set: risk detections, user and sign-in risk policies, and risk-based Conditional Access.

Exam trap

The trap here is that candidates often assume Microsoft 365 E3 includes all security features of E5, but E3 only provides Entra ID P1, which lacks Identity Protection's risk detection and remediation capabilities.

799
MCQeasy

An administrator runs the PowerShell command shown in the exhibit. What is the immediate effect on the user?

A.The user is disabled after 90 days of inactivity.
B.The user is blocked from signing in immediately.
C.The user is deleted after 90 days of inactivity.
D.The user's password is reset.
AnswerB

Setting accountEnabled to false (the admin center's Block sign-in toggle) blocks sign-in immediately.

Why this answer

The exhibit's command sets the user's accountEnabled property to false, which is exactly what the admin center's 'Block sign-in' toggle does. In the legacy MSOnline module that is `Set-MsolUser -UserPrincipalName user@domain.com -BlockCredential $true`; the Microsoft Graph PowerShell equivalent is `Update-MgUser -UserId user@domain.com -AccountEnabled:$false`. From that moment Microsoft Entra ID refuses to issue new tokens to the user; the password is unchanged and the object is not deleted. Tokens already issued stay valid until they expire, so pair the change with `Revoke-MgUserSignInSession` when the block has to take effect for active sessions as well.

Exam trap

The trap here is the word 'disabled' in option A: blocking sign-in and disabling the account are the same property (accountEnabled = false), but the command does it immediately, with no inactivity timer and no deletion.

How to eliminate wrong answers

Option A is wrong because nothing in the command is time-based; Microsoft Entra ID has no built-in 'disable after N days of inactivity' switch, and anything like it would be a scheduled script keyed on the user's signInActivity data or an Identity Governance lifecycle workflow. Option C is wrong because deletion requires `Remove-MgUser` (or `Remove-MsolUser`), which the command does not call. Option D is wrong because the command does not touch the password; a reset would be `Update-MgUser -PasswordProfile` or the admin portal.
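Added example, not part of the exam page: blocking a user's sign-in with Microsoft Graph PowerShell together with the two checks that questions 793 and 799 turn on (is the account synced from on-premises, and have existing sessions actually been cut). It assumes the Microsoft.Graph modules are installed and the signed-in administrator holds User.ReadWrite.All and User.RevokeSessions.All; user@contoso.com is a placeholder.

```powershell
# Added example (not from the exam page). Assumes Microsoft.Graph PowerShell and
# an admin with User.ReadWrite.All and User.RevokeSessions.All.
# user@contoso.com is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All","User.RevokeSessions.All"

$upn  = "user@contoso.com"
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,
    OnPremisesSyncEnabled,OnPremisesLastSyncDateTime

# Question 793: for a synced user, on-premises AD is authoritative for the
# enabled state. Entra Connect copies it to the cloud on the next sync cycle
# (30 minutes by default), and with PTA or federation the DC decides at sign-in.
# Disable the on-premises account too, or the cloud state is only half the story.
if ($user.OnPremisesSyncEnabled) {
    Write-Warning ("{0} is synced from on-premises AD (last sync {1}); disable the AD account as well." -f
        $upn, $user.OnPremisesLastSyncDateTime)
}

# Question 799: 'Block sign-in' in the admin center and
# Set-MsolUser -BlockCredential $true are the same operation, accountEnabled = false.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Disabling stops new token issuance only. Access tokens already in hand stay
# valid until they expire (about an hour), so also invalidate refresh tokens.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Verify both effects.
$after = Get-MgUser -UserId $user.Id -Property UserPrincipalName,AccountEnabled,SignInSessionsValidFromDateTime
"{0}: accountEnabled={1}, sessions valid from {2}" -f $after.UserPrincipalName,
    $after.AccountEnabled, $after.SignInSessionsValidFromDateTime
```

SignInSessionsValidFromDateTime moving to the current time is the confirmation that refresh tokens issued before the block are now useless; accountEnabled alone does not tell you that.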

800
MCQeasy

A company has just signed up for Microsoft 365 Business Standard without adding a custom domain. An administrator needs to create the first user accounts. What will be the default email address format for these new users?

A.username@contoso.com
B.username@onmicrosoft.com
C.username@<tenantname>.onmicrosoft.com
D.username@microsoftonline.com
AnswerC

By default, new users get email addresses using the initial domain, which is tenantname.onmicrosoft.com.

Why this answer

When a Microsoft 365 tenant is created without adding a custom domain, the default domain is the `<tenantname>.onmicrosoft.com` domain. New user accounts are automatically assigned an email address in the format `username@<tenantname>.onmicrosoft.com`, as this is the initial domain provisioned for the tenant. Option C correctly reflects this default behavior.

Exam trap

The trap here is that candidates often confuse the default `onmicrosoft.com` domain with the generic `microsoftonline.com` domain used for Azure AD authentication, or assume a custom domain like `contoso.com` is automatically assigned, leading them to select A or D instead of recognizing the tenant-specific subdomain format.

How to eliminate wrong answers

Option A is wrong because `contoso.com` is a custom domain that must be explicitly added and verified in the tenant; it is not the default when no custom domain is configured. Option B is wrong because bare `onmicrosoft.com` is only the parent under which Microsoft creates every tenant's initial domain; addresses are always under the tenant-specific `<tenantname>.onmicrosoft.com`, never under `onmicrosoft.com` itself. Option D is wrong because `microsoftonline.com` is the domain of the authentication endpoints (for example login.microsoftonline.com), not a domain for user mailboxes.

801
MCQhard

You are a Microsoft 365 administrator. Your tenant has a Microsoft Entra ID P2 license. You need to create a dynamic group for all users whose department is 'Engineering' and who are located in the United States. Which rule syntax should you use?

A.user.department -eq "Engineering" and user.country -eq "US"
B.user.department -eq "Engineering" And user.country -eq "United States"
C.user.department -eq "Engineering" and user.country -eq "United States"
D.user.department -eq "Engineering" AND user.country -eq "United States"
AnswerC

Correct per the item: lowercase logical operator and the country value as it is stored in the directory.

Why this answer

Option C is correct as the item intends: the rule combines two property tests with a lowercase logical operator and compares user.country with the value as stored in the directory, which is the country name ('United States') when it was entered through the admin center, not the ISO code. Note that the real dynamic membership syntax writes logical operators with a leading hyphen, for example `(user.department -eq "Engineering") -and (user.country -eq "United States")`; all four options drop that hyphen, so the item is testing the operator form and the country value, not a rule to paste into the portal verbatim.

Exam trap

The trap here is the two-letter code: 'US' is what usageLocation holds (the ISO code that license assignment requires), while user.country normally holds the country name. Candidates who mix up the two attributes, or who write the operator in capitals, end up with a rule that does not produce the intended membership.

How to eliminate wrong answers

Option A is wrong because it compares user.country with 'US'; the ISO code belongs to usageLocation, whereas user.country holds the full name 'United States' when populated through the admin center. Options B and D are wrong because they write the logical operator as 'And' and 'AND'; the item expects the lowercase form, which is also how the Entra rule builder emits it (as `-and`).

802
MCQhard

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify when a user clicks a malicious URL in a phishing email and subsequently visits the malicious site from their corporate device. The analyst plans to use advanced hunting with Kusto Query Language (KQL). Which two tables must be joined to capture both the URL click event and the network connection to the malicious site?

A.EmailEvents and DeviceNetworkEvents
B.EmailUrlInfo and DeviceNetworkEvents
C.EmailAttachmentInfo and DeviceProcessEvents
D.EmailEvents and DeviceFileEvents
AnswerB

EmailEvents describes delivery, not URLs; of the offered pairs, EmailUrlInfo with DeviceNetworkEvents is the only one that ties a URL from the phishing message to a device's network connection.

Why this answer

Option B is the intended answer because EmailUrlInfo carries the URLs extracted from messages (keyed by NetworkMessageId) and DeviceNetworkEvents logs the connections corporate devices make, so joining on the URL (in practice the host of the URL against RemoteUrl) links the phishing message to the device that reached the site. Be aware that EmailUrlInfo records which URLs were present in a mail, not that anyone clicked them; click telemetry from Safe Links lives in the UrlClickEvents table, which is what you join to DeviceNetworkEvents in a production detection. Option A is wrong because EmailEvents holds message-level delivery and verdict data with no URL detail. Options C and D are wrong because attachments, process creation and file activity are the wrong telemetry for a URL click followed by a web connection.

Exam trap

The trap here is that candidates reach for EmailEvents, the message-level table, when the URL detail is in EmailUrlInfo (and the click itself in UrlClickEvents); the email tables answer 'what was delivered', and only the device tables answer 'what the endpoint then did'.
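Added example, not part of the exam page: the two advanced hunting correlations behind questions 795 and 802, run through the Microsoft Graph hunting API from PowerShell. It assumes the Microsoft.Graph modules and the ThreatHunting.Read.All permission, and that Defender for Endpoint (device tables) and Defender for Office 365 Plan 2 (UrlClickEvents) feed the tenant; the seven-day window and the `-EncodedCommand` marker used to pick out the suspicious PowerShell command are assumptions.

```powershell
# Added example (not from the exam page). Assumes Microsoft.Graph PowerShell with
# ThreatHunting.Read.All. The 7-day window and the command marker are assumptions.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Kql)
    $resp = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body @{ Query = $Kql }
    return $resp.results
}

# Question 795: pivot from the suspicious PowerShell process to everything it did.
# ProcessId is reused across devices and after reboots, so the join key is
# DeviceId + ProcessId + ProcessCreationTime. SHA256 only names powershell.exe.
$marker = "-EncodedCommand"   # assumed: the string that picks out the command
$deviceQuery = @"
let suspicious = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe" and ProcessCommandLine has "$marker"
| project DeviceId, ProcessId, ProcessCreationTime,
          SuspectSHA256 = SHA256, SuspectCommandLine = ProcessCommandLine, SuspectUpn = AccountUpn;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents
| where Timestamp > ago(7d)
| join kind=inner suspicious on DeviceId,
    `$left.InitiatingProcessId == `$right.ProcessId,
    `$left.InitiatingProcessCreationTime == `$right.ProcessCreationTime
| project Timestamp, DeviceId, ActionType, FileName, RemoteUrl, RemoteIP, RegistryKey,
          ChildCommandLine = ProcessCommandLine, SuspectUpn, SuspectCommandLine
| order by Timestamp asc
"@

# Question 802: tie a Safe Links click to the device that then reached the site.
# UrlClickEvents holds clicks; EmailUrlInfo only lists URLs present in a message.
# DeviceNetworkEvents.RemoteUrl is often just a host, so compare on host.
$clickQuery = @"
UrlClickEvents
| where Timestamp > ago(7d) and ThreatTypes has "Phish"
| extend UrlHost = tostring(parse_url(Url).Host)
| project ClickTime = Timestamp, AccountUpn, Url, UrlHost, ActionType
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d) and isnotempty(RemoteUrl)
    | extend RemoteHost = iff(RemoteUrl startswith "http", tostring(parse_url(RemoteUrl).Host), RemoteUrl)
    | project ConnTime = Timestamp, DeviceName, RemoteHost, RemoteIP, InitiatingProcessFileName
  ) on `$left.UrlHost == `$right.RemoteHost
| where ConnTime between (ClickTime .. (ClickTime + 10m))
| project ClickTime, ConnTime, AccountUpn, DeviceName, Url, ActionType, InitiatingProcessFileName
"@

$deviceHits = @(Invoke-HuntingQuery -Kql $deviceQuery)
$clickHits  = @(Invoke-HuntingQuery -Kql $clickQuery)
"{0} follow-on events from the PowerShell process; {1} click-to-connection pairs" -f $deviceHits.Count, $clickHits.Count
$clickHits | Select-Object ClickTime, ConnTime, AccountUpn, DeviceName, Url, ActionType | Format-Table -AutoSize
```

A ClickBlocked row that still has a matching connection a few seconds later is the interesting case: the user got to the site by some path Safe Links did not wrap, which is exactly what the device side of the join exists to show.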

803
MCQhard

Your organization has deployed Microsoft Defender for Cloud Apps. You want to detect anomalous behavior such as impossible travel for users accessing cloud apps. You need to configure the appropriate policy. Which policy type should you create?

A.App discovery policy
B.Activity policy
C.Session policy
D.File policy
AnswerB

Activity policies can detect anomalous activities such as impossible travel.

Why this answer

Option B is correct because impossible travel is one of the built-in anomaly detection policies, which Defender for Cloud Apps groups with activity-based policies; you tune its sensitivity and scope rather than write it from scratch. Option D is wrong because file policies inspect files and their sharing. Option A is wrong because app discovery policies find shadow IT from traffic logs.

Option C is wrong because session policies control access in real time through the reverse proxy; they enforce, they do not hunt for anomalies.

804
MCQhard

Refer to the exhibit. You are configuring Microsoft Purview Records Management. You have a document that is classified under 'Finance' department and 'Invoices' category. Which retention label will be applied if both labels are auto-applied based on the same condition?

A.Both labels will be applied, causing a conflict.
B.HR Retention
C.Finance Retention
D.No label will be applied because of the conflict.
AnswerC

The label with the longest retention period is applied when multiple match.

Why this answer

Option C is correct because an item can carry only one retention label; when more than one auto-apply policy matches, the label with the longest retention period wins. 'Finance Retention' retains for 7 years and 'HR Retention' for 5, so Finance Retention is applied. Option B is wrong because HR Retention has the shorter period. Option A is wrong because two retention labels are never applied to the same item.

Option D is wrong because there is no conflict state that leaves the item unlabeled; the longest-retention rule resolves it.

805
MCQmedium

A company uses Azure AD Identity Protection. The security team wants to automatically block users from signing in when the user risk level is 'High'. Which policy should they configure?

A.Conditional Access policy with user risk condition
B.Sign-in risk policy
C.User risk policy
D.MFA registration policy
AnswerC

The User risk policy in Identity Protection can block sign-in when user risk is high.

Why this answer

The User risk policy in Azure AD Identity Protection is specifically designed to automatically block sign-ins when the user risk level is 'High'. This policy evaluates the probability that a user's identity has been compromised based on signals like leaked credentials or anomalous behavior, and can enforce actions such as blocking access or requiring password change. Option C is correct because it directly targets user risk, not sign-in risk or other conditions.

Exam trap

The trap here is that candidates confuse the User risk policy with the Sign-in risk policy, or go straight to a Conditional Access policy with a user risk condition. Either will block, and Microsoft now recommends the Conditional Access route over the dedicated Identity Protection risk policies, but the exam expects the policy that lives inside Identity Protection as the direct answer.

How to eliminate wrong answers

Option A is wrong only in the exam's framing: a Conditional Access policy with a user risk condition also blocks, and it is the recommended way to build risk policies today because it can be tested in report-only mode and scoped to exclude break-glass accounts; the question, however, asks which Identity Protection policy to configure. Option B is wrong because the Sign-in risk policy evaluates individual sign-ins (anonymous IP, atypical travel), not the aggregate user risk level. Option D is wrong because the MFA registration policy enforces registration for Microsoft Entra multifactor authentication; it blocks nothing.

806
MCQmedium

A company wants to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The department is identified by the department attribute in Microsoft Entra ID. The administrator needs to configure a method where licenses are assigned based on group membership, and the group membership is automatically updated based on user attributes. Which licensing approach should the administrator use?

A.Per-user licensing with a PowerShell script.
B.Group-based licensing with a dynamic group that uses the department attribute.
C.Subscription-based licensing via the Microsoft 365 admin center.
D.Group-based licensing with an assigned group that must be manually updated.
AnswerB

Group-based licensing assigns licenses to all members of a group. A dynamic group automatically updates membership based on user attributes like department, fulfilling the automated requirement.

Why this answer

Option B is correct because group-based licensing in Microsoft Entra ID allows automatic license assignment based on group membership, and a dynamic group can automatically update its membership using the department attribute rule (e.g., `user.department -eq "Sales"`). This meets the requirement for both automated license assignment and attribute-driven membership updates without manual intervention.

Exam trap

The trap here is that candidates may confuse group-based licensing with assigned groups (Option D) and overlook the dynamic group requirement, assuming any group-based licensing approach automatically updates membership, when in fact only dynamic groups provide attribute-driven automatic membership updates.

How to eliminate wrong answers

Option A is wrong because per-user licensing with a PowerShell script requires manual execution or scheduled automation, and does not provide real-time, attribute-driven automatic membership updates; it also lacks the native integration of group-based licensing. Option C is wrong because subscription-based licensing via the Microsoft 365 admin center refers to managing subscription quantities, not assigning licenses to individual users based on attributes or group membership. Option D is wrong because group-based licensing with an assigned group requires manual updates to group membership, which contradicts the requirement for automatic membership updates based on the department attribute.
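Added example, not part of the exam page: the dynamic group plus group-based licensing setup that questions 792, 801 and 806 describe, done with Microsoft Graph PowerShell. It assumes the Microsoft.Graph modules are installed and the signed-in account holds Group.ReadWrite.All, Directory.ReadWrite.All and Organization.Read.All; the group name, the department value 'Sales' and the use of the SPE_E5 SKU are choices made for the illustration.

```powershell
# Added example (not from the exam page). Assumes Microsoft.Graph PowerShell and
# Group.ReadWrite.All, Directory.ReadWrite.All, Organization.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Directory.ReadWrite.All","Organization.Read.All"

# Rule syntax as the product writes it: property, operator, quoted value, and
# logical operators with a leading hyphen (-and / -or / -not). Restricting to
# enabled accounts keeps licenses off leavers whose object still exists.
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "LIC-M365-E5-Sales" `
    -MailEnabled:$false -MailNickname "lic-m365-e5-sales" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Resolve the SKU to license; SPE_E5 is the part number for Microsoft 365 E5.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "SPE_E5"

# Attach the license to the group: members receive it, leavers lose it.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Membership is evaluated asynchronously, so run this check after the group has
# populated. Group-based licensing needs usageLocation on every member, and a
# failed assignment is reported per user in licenseAssignmentStates.
$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,UsageLocation,LicenseAssignmentStates
    if (-not $u.UsageLocation) {
        Write-Warning "$($u.UserPrincipalName): no usageLocation, the license cannot be assigned"
    }
    $bad = $u.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup -eq $group.Id -and $_.State -ne "Active" }
    foreach ($b in $bad) {
        Write-Warning "$($u.UserPrincipalName): state $($b.State), error $($b.Error)"
    }
}
```

Note that usageLocation is the two-letter ISO code that licensing needs, while the country attribute that dynamic rules usually compare holds the display name; the two are different properties, which is the distinction question 801 turns on.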

807
MCQmedium

Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires compliant devices for access to corporate resources. You need to ensure that iOS devices are compliant before accessing Exchange Online. Which Microsoft Intune policy should you configure?

A.Device configuration policy
B.Device compliance policy
C.App protection policy
D.Enrollment restrictions
AnswerB

Compliance policies define requirements like encryption, jailbreak detection.

Why this answer

Option B is correct because device compliance policies define the requirements a device must meet (encryption, OS version, jailbreak or root detection, passcode) and report the result to Microsoft Entra ID, which is the signal the Conditional Access grant 'Require device to be marked as compliant' evaluates. Option A is wrong because configuration policies push settings; they do not produce a compliance state. Option C is wrong because app protection policies manage data inside apps and satisfy a different grant ('Require app protection policy').

Option D is wrong because enrollment restrictions decide which devices may enroll, not whether an enrolled device is compliant.

808
Multi-Selecthard

You are implementing Microsoft Defender for Office 365. You need to configure anti-phishing policies to protect against user impersonation. Which THREE settings should you configure?

Select 3 answers
A.Enable impersonation protection for domains you own.
B.Enable mailbox intelligence to detect impersonation based on user behavior.
C.Set the bulk email threshold.
D.Enable impersonation protection for users who are defined as protected users.
E.Configure spoof intelligence to allow or block senders.
AnswersA, B, D

Protects against impersonation of your own domains.

Why this answer

Option A is correct because impersonation protection for domains you own (and for up to 50 custom domains) catches lookalike and near-identical domains in the sender address. Option D is correct because protected users (up to 350 per policy, typically executives and finance staff) catches display-name and address impersonation of specific people. Option B is correct because mailbox intelligence learns each user's normal correspondents and flags a sender who resembles one of them; the switch that lets it act is 'Enable intelligence for impersonation protection', which is off until you turn it on. All three live in the anti-phishing policy of Defender for Office 365 (Plans 1 and 2); the Exchange Online Protection anti-phishing policy has spoof settings only.

Exam trap

The trap here is that candidates confuse anti-phishing settings with anti-spam or spoof intelligence settings, mistakenly selecting bulk email threshold or spoof intelligence when the question explicitly targets user impersonation protection.

809
MCQeasy

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can access internal applications using single sign-on (SSO) without storing passwords in the cloud. Which authentication method should you implement?

A.Federation with AD FS
B.Windows Hello for Business
C.Password hash synchronization
D.Pass-through authentication
AnswerB

Windows Hello for Business uses asymmetric keys, eliminating passwords.

Why this answer

Windows Hello for Business is correct because it enables passwordless single sign-on (SSO) to internal applications using biometric or PIN credentials, with the private key stored on the user's device rather than in the cloud. This meets the requirement of no passwords stored in the cloud while still providing seamless SSO access.

Exam trap

The trap here is reading 'without storing passwords in the cloud' as 'no password anywhere'. Federation and pass-through authentication both keep the password on-premises and also satisfy that wording, but they are still password-based methods; the item wants the passwordless option, Windows Hello for Business, whose private key never leaves the device's TPM.

How to eliminate wrong answers

Option A is wrong because, although AD FS keeps passwords on-premises, it remains a password-based sign-in and adds a federation farm to run and patch; the item is looking for the method that removes the password from the flow. Option C is wrong because password hash synchronization stores a hash of the password hash in Microsoft Entra ID, which is exactly what the requirement excludes. Option D is wrong because pass-through authentication validates the password against on-premises Active Directory; nothing is stored in the cloud, but the user still types a password that is encrypted and queued in the cloud for the agent to validate, so it is neither passwordless nor free of cloud handling of the credential.

810
MCQmedium

Your organization uses Microsoft Defender for Office 365. You receive a report that users are receiving spoofed email messages that appear to come from your own domain. The spoofed messages are not being filtered. You need to ensure that spoofed messages from your domain are blocked. What should you do?

A.Add your domain to the allowed domains list in the anti-spam policy
B.Configure spoof intelligence settings to block the spoofed domain
C.Configure DKIM signing for your domain
D.Configure DMARC policy to reject messages that fail SPF or DKIM
AnswerB

Spoof intelligence allows blocking spoofed senders.

Why this answer

Option B is correct because spoof intelligence in the anti-phishing policy shows you senders that are spoofing your domain (the spoof intelligence insight) and lets you block them through the Tenant Allow/Block List, which stops the traffic in your tenant immediately. Option C is wrong because DKIM signing proves your mail is yours; by itself it does not cause spoofed mail to be rejected. Option D is wrong only in the exam's framing: a DMARC record with p=reject is how you get every receiving system, not just your own tenant, to reject mail that fails SPF and DKIM alignment, so in practice you publish SPF, DKIM and DMARC and use spoof intelligence for the residual cases; the item asks for the Defender for Office 365 control.

Option A is wrong because adding your own domain to an allowed domains list would bypass filtering and make the spoofing worse.
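Added example, not part of the exam page: a DNS-side check of the controls question 810 compares (SPF, DKIM and DMARC for a domain you own), so you can tell whether spoofed mail would be rejected by receivers in general or only by your tenant's spoof intelligence. It uses Resolve-DnsName from the Windows DnsClient module; contoso.com is a placeholder, and selector1/selector2 are the selector names Exchange Online uses for DKIM.

```powershell
# Added example (not from the exam page). Uses Resolve-DnsName (DnsClient module,
# Windows). contoso.com is a placeholder domain.
function Get-MailAuthStatus {
    param([Parameter(Mandatory)][string]$Domain)

    # TXT records come back in chunks; join them and drop non-TXT answers.
    $txt = {
        param($name)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
    }

    $spf   = & $txt $Domain           | Where-Object { $_ -like 'v=spf1*' }  | Select-Object -First 1
    $dmarc = & $txt "_dmarc.$Domain"  | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1

    # Exchange Online DKIM: selector1/selector2 CNAMEs pointing at *.onmicrosoft.com.
    $dkim = foreach ($s in 'selector1', 'selector2') {
        $c = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $s; Target = $c.NameHost }
    }

    # The last SPF mechanism says what happens to unknown senders:
    # -all hard fail, ~all soft fail, ?all neutral, +all allows anyone.
    $spfAll = if ($spf) { ($spf -split '\s+')[-1] } else { 'missing' }

    # p= is the policy receivers apply on your behalf; sp= covers subdomains and
    # defaults to p=. Anchor on ';' so 'sp=' is not mistaken for 'p='.
    $p  = if ($dmarc -match '(?:^|;)\s*p=(\w+)')  { $Matches[1] } else { 'missing' }
    $sp = if ($dmarc -match '(?:^|;)\s*sp=(\w+)') { $Matches[1] } else { $p }

    [pscustomobject]@{
        Domain               = $Domain
        SpfPresent           = [bool]$spf
        SpfAll               = $spfAll
        DkimSelectorsFound   = @($dkim | Where-Object Target).Count
        DmarcPolicy          = $p
        DmarcSubdomainPolicy = $sp
        # p=none is monitoring only: nobody rejects anything on its strength.
        ReceiversEnforce     = ($p -in 'quarantine', 'reject')
    }
}

Get-MailAuthStatus -Domain 'contoso.com' | Format-List
```

If ReceiversEnforce is false, spoof intelligence is the only thing stopping a spoof of your domain, and only for mail delivered into your own tenant; external recipients get no protection until DMARC moves to quarantine or reject.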

811
Multi-Selecteasy

You are implementing Microsoft Purview Data Lifecycle Management. You need to retain all emails for a minimum of 5 years but automatically delete them after 7 years. Which TWO actions should you configure?

Select 2 answers
A.Use Messaging Records Management (MRM) retention policies.
B.Create a retention policy with 'Delete items after 7 years'.
C.Create a retention tag for emails with 'Keep for 5 years'.
D.Configure a sensitivity label for the emails.
E.Place the mailbox on litigation hold.
AnswersB, C

Correct: This deletes emails after 7 years.

Why this answer

A retention label configured to retain items for 5 years (option C, which the item calls a retention tag using the older Exchange MRM term) prevents deletion before 5 years, and a retention policy that deletes items after 7 years (option B) removes them at 7; because retention wins over deletion, the two together give a minimum of 5 and a maximum of 7 years. Option E is wrong because litigation hold preserves everything indefinitely and blocks deletion. Option D is wrong because sensitivity labels classify and protect content; they do not control retention.

Option A is wrong because Messaging Records Management is the legacy Exchange mechanism; it still exists in Exchange Online, but Microsoft directs new retention configuration to Purview data lifecycle management, which is what the question specifies.

812
MCQeasy

Your company, Northwind Traders, uses Microsoft Entra ID P1. You need to allow employees to reset their own passwords without help desk intervention. The company policy requires that password resets be secured with two verification methods. Additionally, users must not be able to reuse the last 10 passwords. The solution must minimize administrative effort. What should you configure?

A.Enable Microsoft Entra self-service password reset (SSPR) and configure the number of methods required to reset to 2, and set password history to enforce last 10 passwords
B.Enable Privileged Identity Management (PIM) for all users
C.Enable Microsoft Entra password protection and configure password history in the on-premises policy
D.Configure a conditional access policy to require MFA during password change
AnswerA

SSPR provides self-service reset with configurable verification and history.

Why this answer

Option A is correct because SSPR gives users self-service reset with a configurable number of verification methods (two, here). Option C is wrong because Microsoft Entra password protection bans weak passwords but offers no self-service reset. Option B is wrong because PIM governs privileged role activation.

Option D is wrong because Conditional Access can require MFA to reach the reset page but implements neither reset nor history. One caveat for practice: a 'remember the last 10 passwords' history is an on-premises Active Directory policy (Enforce password history); cloud-only Microsoft Entra accounts only prevent reuse of the immediately previous password, so in a hybrid tenant that requirement is met by the on-premises policy with SSPR password writeback enabled.

813
MCQhard

An administrator creates a Conditional Access policy as shown in the exhibit. A user reports that they can still access Exchange Online using Outlook (modern authentication). Why does the policy not block the user?

A.The policy is not assigned to any users or groups.
B.The grant control is set to 'Require multi-factor authentication' instead of 'Block'.
C.The client app type for modern authentication is not specified in the policy.
D.Exchange ActiveSync is not included in the policy.
AnswerC

Modern authentication client app type (e.g., 'browser' or 'mobileAppsAndDesktopClients') is not included; only legacy protocols are blocked.

Why this answer

Option C is correct because the client apps condition is what decides which protocols a Conditional Access policy applies to. The condition has two groups: modern authentication clients (Browser, and Mobile apps and desktop clients) and legacy authentication clients (Exchange ActiveSync clients, and Other clients). The policy in the exhibit selects only the legacy group, so Outlook signing in with modern authentication (OAuth 2.0) is outside the policy's scope and is never blocked.

Exam trap

The trap here is assuming that a client apps condition set to 'Exchange ActiveSync clients' and 'Other clients' covers Outlook. It covers only legacy protocols; to reach Outlook with modern authentication the policy must also select 'Mobile apps and desktop clients' (or leave the client apps condition unconfigured, which applies the policy to all client types).

How to eliminate wrong answers

Option A is wrong because the exhibit shows the policy assigned to 'All users', so assignment is not the issue. Option B is wrong because the grant control is 'Block', not 'Require multi-factor authentication'. Option D is wrong because Exchange ActiveSync clients are already selected in the exhibit; that selection affects only the legacy ActiveSync protocol and does nothing for modern authentication clients.
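Added example, not part of the exam page: a risk-based Conditional Access policy built with Microsoft Graph PowerShell, which is the alternative question 805 mentions and the kind of policy question 813 dissects (note the clientAppTypes setting). It assumes the Microsoft.Graph modules and Policy.ReadWrite.ConditionalAccess; the break-glass group ID is a placeholder you must replace.

```powershell
# Added example (not from the exam page). Assumes Microsoft.Graph PowerShell and
# Policy.ReadWrite.ConditionalAccess. Replace the break-glass group ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    displayName = "CA-Risk-BlockHighUserRisk"
    # Start in report-only and read the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        # Question 805: the user risk condition is the Conditional Access form of
        # the Identity Protection user risk policy.
        userRiskLevels = @("high")
        # Question 813: clientAppTypes decides which protocols the policy touches.
        # "all" covers browser, mobile/desktop (modern auth) and legacy clients; a
        # policy listing only exchangeActiveSync and other never applies to Outlook
        # using modern authentication.
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Review every policy that uses a risk condition and how it scopes client apps,
# which is where the 813-style gap shows up.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.UserRiskLevels -or $_.Conditions.SignInRiskLevels } |
    Select-Object DisplayName, State,
        @{ n = 'UserRisk';   e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } },
        @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } },
        @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize
```

Flip state to "enabled" only after the report-only results show the expected population and the break-glass accounts are excluded; a block on high user risk with no exclusion can lock administrators out of their own tenant.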

814
Multi-Selectmedium

Your organization uses Microsoft Purview Records Management. You need to declare a document as a regulatory record. Which TWO conditions must be met?

Select 2 answers
A.The document must have a retention label that is configured to mark items as a regulatory record.
B.The document must be placed on an eDiscovery hold.
C.The document must be stored in a location that supports regulatory records (e.g., SharePoint Online).
D.The retention period must be set to indefinite.
E.The document must be encrypted with Microsoft Purview Message Encryption.
AnswersA, C

Regulatory record marking is a label property.

Why this answer

Options A and D are correct because regulatory records require a retention label with regulatory record marking and the location must be in SharePoint or OneDrive with appropriate configuration. Option B is wrong because regulatory records do not require encryption. Option C is wrong because the retention period must be locked, but that is part of the label configuration.

Option E is wrong because eDiscovery hold is separate.

815
MCQmedium

A security administrator wants to configure Automated Investigation and Response (AIR) in Microsoft 365 Defender to automatically isolate a device when a high-severity alert for malware is detected. Which step is required?

A.Create an automation rule in Microsoft Sentinel.
B.Create a custom detection rule in advanced hunting.
C.Configure the device to be part of a device group and enable automation level.
D.Enable auto-removal of malware from devices.
AnswerC

Device groups are the mechanism to define automation levels (e.g., full automation) that allow automatic isolation.

Why this answer

To enable Automated Investigation and Response (AIR) in Microsoft Defender for Endpoint, the device must be added to a device group, and the automation level for that group must be set to 'Full – remediate threats automatically' or a similar level. This configuration allows Defender to automatically isolate a device when a high-severity malware alert is triggered, as part of the built-in AIR playbooks.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel automation rules (which are for cross-source orchestration) with the device group automation settings in Microsoft Defender for Endpoint, leading them to pick Option A instead of the correct device group configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel automation rules are used for orchestration and response across multiple data sources, not for configuring device-level automated isolation in Microsoft Defender for Endpoint. Option B is wrong because custom detection rules in advanced hunting are for creating custom alerts based on KQL queries, not for enabling automated response actions like device isolation. Option D is wrong because 'auto-removal of malware' is not a configurable setting in Defender for Endpoint; remediation actions are controlled via automation levels and device groups, not a separate toggle.

816
MCQhard

A company uses Microsoft Purview Information Protection to classify and protect sensitive data. They have configured auto-labeling policies for Microsoft 365 apps. However, users report that some documents containing credit card numbers are not being labeled automatically. You verify that the sensitive info type for credit cards is correctly defined. What is the most likely cause?

A.The auto-labeling policy only applies to Word, Excel, and PowerPoint files.
B.The documents are stored in on-premises file shares, not in SharePoint or OneDrive.
C.The sensitivity label used for auto-labeling is not published to users.
D.The DLP policy for credit cards is blocking the auto-labeling process.
AnswerB

Auto-labeling policies only apply to content in Microsoft 365 cloud locations.

Why this answer

Option B is correct because auto-labeling policies can only label documents that are stored in Microsoft 365 (SharePoint Online, OneDrive for Business) or Exchange Online, not on-premises file shares. Option A is incorrect because auto-labeling is not limited to Word, Excel, PowerPoint; it also works for other formats. Option C is incorrect because sensitivity labels can be configured for auto-labeling.

Option D is incorrect because the DLP policy does not affect auto-labeling.

817
MCQhard

You are reviewing directory settings for Microsoft 365 Groups. Based on the exhibit, which statement is true?

A.Only users in a specific security group can create Microsoft 365 Groups
B.A naming policy is enforced for new groups
C.Groups must have a classification label
D.All users in the tenant can create Microsoft 365 Groups
AnswerD

EnableGroupCreation is true, so all users can create groups.

Why this answer

The exhibit shows that under 'Group creation settings,' the option 'Set which users can create Microsoft 365 Groups' is configured to 'Everyone.' This means all users in the tenant are permitted to create groups, regardless of membership in any security group. Therefore, option D is correct because the setting explicitly allows all users to create Microsoft 365 Groups.

Exam trap

The trap here is that candidates often assume a naming policy or classification label is always enforced for Microsoft 365 Groups, but the exhibit clearly shows no such configuration, and the question tests the ability to read the actual directory settings rather than relying on default assumptions.

How to eliminate wrong answers

Option A is wrong because the exhibit shows 'Everyone' is selected, not a specific security group; if a security group were required, the setting would show 'Selected security group' with a group specified. Option B is wrong because the exhibit does not display any naming policy configuration; a naming policy would be visible under 'Naming policy' settings, which are not shown or enabled here. Option C is wrong because the exhibit does not indicate that a classification label is required; classification labels are optional and must be explicitly configured in the 'Classification' settings, which are absent from the exhibit.

818
MCQhard

Contoso uses Microsoft 365 E5 and has enabled Microsoft Defender for Office 365. Users report that legitimate external emails are being quarantined. You need to reduce false positives without reducing protection. What should you do?

A.Disable third-party email filtering integration.
B.Reduce the Spam Confidence Level (SCL) threshold in anti-spam policies.
C.Allow all emails from the sender's domain in the Tenant Allow/Block List.
D.Configure Advanced Delivery for trusted senders from the external domain.
AnswerD

Advanced Delivery allows specific trusted senders to bypass filtering, reducing false positives without compromising overall protection.

Why this answer

Option D is correct because configuring User Mailbox Advanced Delivery allows trusted senders to bypass filtering only for specific domains, reducing false positives while maintaining general protection. Option A is wrong because allowing all senders from the same domain weakens security. Option B is wrong because reducing the spam confidence level threshold increases false negatives.

Option C is wrong because disabling third-party email filtering removes necessary protection.

819
MCQeasy

Your organization has a Microsoft 365 E5 tenant. You need to set up a shared mailbox for the IT help desk (helpdesk@contoso.com). The help desk team needs to monitor the mailbox and respond to emails. What is the recommended way to grant access to the shared mailbox?

A.Assign an Exchange Online license to each help desk user and grant them Full Access via PowerShell.
B.Create a security group and add it to the shared mailbox permissions.
C.Add the help desk users as members of the shared mailbox from the Exchange admin center.
D.Create a distribution group containing the help desk users and grant the group access to the mailbox.
AnswerC

Members automatically get Full Access and Send As permissions.

Why this answer

Option C is correct because the recommended method to grant access to a shared mailbox in Exchange Online is to add users as members directly from the Exchange admin center (EAC). This automatically assigns the necessary Full Access and Send As permissions without requiring licenses for each user, as shared mailboxes can be accessed by licensed users without needing a separate license for the mailbox itself.

Exam trap

The trap here is that candidates often confuse distribution groups with security groups or assume that licensing is required for each user accessing a shared mailbox, leading them to select PowerShell or group-based options instead of the straightforward member addition in the Exchange admin center.

How to eliminate wrong answers

Option A is wrong because assigning an Exchange Online license to each help desk user is unnecessary and costly; shared mailboxes do not require licenses for users to access them, and granting Full Access via PowerShell is not the recommended approach when the EAC provides a simpler method. Option B is wrong because security groups cannot be directly added to shared mailbox permissions in Exchange Online; shared mailbox permissions must be granted to individual user accounts or mail-enabled security groups, but the latter is not a standard supported method for shared mailboxes. Option D is wrong because distribution groups are designed for email distribution, not for granting access permissions to a mailbox; they cannot be assigned Full Access or Send As permissions to a shared mailbox.

820
Multi-Selecteasy

Your organization uses Microsoft Defender for Endpoint (Plan 2). You need to configure a custom detection rule that alerts when a specific process attempts to access the internet. Which TWO components are required to create this custom detection?

Select 2 answers
A.Attack surface reduction rule
B.Response action in the detection rule
C.Microsoft Sentinel automation rule
D.Indicator of compromise (IOC)
E.Advanced Hunting query
AnswersB, E

Response actions trigger alerts.

Why this answer

Correct: B and D. Custom detections use Advanced Hunting queries (KQL) to define detection logic. Alerts can trigger automated actions via response actions.

Option A is wrong because attack surface reduction rules are predefined. Option C is wrong because indicators of compromise are for threat intelligence. Option E is wrong because automation rules in Microsoft Sentinel are separate.

821
MCQhard

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

A.Create a Conditional Access policy that requires MFA and select FIDO2 as the authentication strength in the grant controls
B.Create a Conditional Access policy that requires MFA and set the grant control to require a specific device platform
C.Configure an authentication strength policy that requires FIDO2 and assign it to a Conditional Access policy
D.Configure an authentication methods policy that allows only FIDO2 security keys
AnswerC

Authentication strengths define acceptable methods; they are then referenced in Conditional Access grant controls to enforce the required method.

Why this answer

Option C is correct because in Microsoft Entra ID, authentication strengths allow you to define a specific set of authentication methods (e.g., FIDO2 security keys) and then assign that strength to a Conditional Access policy. This ensures that only FIDO2 security keys are accepted for MFA when accessing the Azure portal, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse the direct selection of an authentication method in Conditional Access grant controls with the correct two-step process of first defining an authentication strength policy and then assigning it to a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because selecting FIDO2 as the authentication strength in the grant controls of a Conditional Access policy is not a valid configuration; authentication strengths are defined separately and then referenced by the policy, not selected directly in grant controls. Option B is wrong because requiring a specific device platform (e.g., Windows) does not enforce the use of FIDO2 security keys; it only restricts the device type, not the authentication method. Option D is wrong because configuring an authentication methods policy to allow only FIDO2 security keys would block all other methods globally, but it does not integrate with Conditional Access to target specific apps like the Azure portal; it applies to all sign-ins, which is too broad and not the intended enforcement mechanism.

822
Multi-Selectmedium

Your organization uses Microsoft Entra ID. You need to enable users to reset their own passwords without administrator intervention. Which TWO components must be configured?

Select 2 answers
A.Microsoft Entra self-service password reset (SSPR)
B.Microsoft Entra Identity Protection
C.Conditional Access policies
D.Microsoft Entra Privileged Identity Management
E.Authentication methods registration
AnswersA, E

SSPR must be enabled to allow self-service password reset.

Why this answer

Microsoft Entra self-service password reset (SSPR) is the core feature that allows users to reset their own passwords without administrator intervention. It must be enabled and configured at the tenant level, and it relies on users having registered authentication methods to verify their identity during the reset process.

Exam trap

The trap here is that candidates often confuse optional security features like Identity Protection or Conditional Access as prerequisites for SSPR, when in fact only SSPR enablement and authentication method registration are strictly required.

823
MCQeasy

A compliance officer needs to ensure that any email sent from the organization that contains personally identifiable information (PII) such as social security numbers is automatically encrypted when the recipient is outside the organization. Which Microsoft Purview solution should the officer configure?

A.Sensitivity labels with auto-labeling
B.Data Loss Prevention (DLP) policy with encryption action
C.Office 365 Message Encryption (OME) configuration
D.Retention policy and labels
AnswerB

DLP policies can monitor email for sensitive data and, when detected, automatically apply encryption via Office 365 Message Encryption and notify the user.

Why this answer

Option B is correct because a Data Loss Prevention (DLP) policy in Microsoft Purview can be configured with an 'Encrypt email messages' action that automatically applies Office 365 Message Encryption (OME) to emails containing sensitive information types (e.g., Social Security Number) when sent to external recipients. This meets the compliance requirement for automatic encryption based on content detection, without requiring user intervention or manual label application.

Exam trap

The trap here is that candidates confuse the underlying encryption technology (OME) with the policy that triggers it, leading them to select OME configuration (Option C) instead of the DLP policy that actually detects PII and enforces the encryption action.

How to eliminate wrong answers

Option A is wrong because sensitivity labels with auto-labeling can apply classification and protection, but they are designed for persistent labeling across documents and emails, not specifically to trigger encryption based on PII detection at the point of sending; auto-labeling for emails requires Exchange mail flow rules or DLP policies to enforce encryption. Option C is wrong because Office 365 Message Encryption (OME) is the underlying encryption technology, not a policy or configuration that automatically detects PII and triggers encryption; OME must be invoked by a DLP policy or mail flow rule. Option D is wrong because retention policies and labels manage data lifecycle and deletion, not real-time content inspection or encryption of outbound emails.

824
MCQhard

A security administrator wants to prevent malware from using Office macros to spawn malicious processes. Specifically, they want to block Excel, Word, and PowerPoint from creating child processes. Which Microsoft Defender for Endpoint capability should be configured?

A.Threat & Vulnerability Management
B.Attack Surface Reduction (ASR) rules
C.Web Protection
D.Network Protection
AnswerB

ASR rules are designed to block specific common attack techniques like Office apps spawning child processes.

Why this answer

Attack Surface Reduction (ASR) rules are a Microsoft Defender for Endpoint capability specifically designed to block common malware behaviors, such as Office applications (Excel, Word, PowerPoint) from creating child processes. This rule (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869) prevents macros from spawning cmd.exe, powershell.exe, or other executables, directly addressing the administrator's requirement.

Exam trap

The trap here is that candidates often confuse Attack Surface Reduction rules with other Defender for Endpoint capabilities like Network Protection or Web Protection, mistakenly thinking that blocking network traffic is equivalent to blocking local process creation, when ASR rules are the only option that directly controls child process spawning from Office apps.

How to eliminate wrong answers

Option A is wrong because Threat & Vulnerability Management (TVM) identifies, prioritizes, and remediates vulnerabilities in software and configurations, but it does not enforce runtime behavioral blocks like preventing child process creation. Option C is wrong because Web Protection blocks access to malicious URLs, IPs, and web content, but it does not control local process spawning from Office macros. Option D is wrong because Network Protection blocks outbound connections to malicious domains or IPs at the network layer, but it does not prevent local child process creation from Office applications.

825
Multi-Selectmedium

Which TWO roles can manage user licenses without being able to create users?

Select 2 answers
A.License Administrator
B.Billing Administrator
C.Global Administrator
D.User Administrator
E.Helpdesk Administrator
AnswersA, B

Can assign/remove licenses.

Why this answer

The License Administrator role in Microsoft 365 is specifically designed to allow users to manage licenses assigned to users and groups without having permissions to create new user accounts. This role grants access to the Microsoft 365 admin center's Billing > Licenses section and the Azure AD Licenses blade, enabling license assignment, removal, and consumption monitoring, but it explicitly excludes user creation or deletion capabilities.

Exam trap

The trap here is that candidates often confuse the License Administrator with the User Administrator, assuming that license management inherently includes user creation, but Microsoft explicitly separates these permissions to enforce least-privilege access.
