Microsoft 365 Administrator MS-102 (MS-102) — Questions 826-900

975 questions total · 13 pages · All types, answers revealed


Page 12 of 13

826
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Line-of-Business (LOB) app to a group of devices. The app is not in the Microsoft Store. What is the recommended method to deploy the app?

A.Add the app as a Microsoft Store app (business) in Intune.
B.Use Group Policy to deploy the app via a network share.
C.Publish the app to the Microsoft Store for Business and assign it.
D.Upload the app package to Intune as a Line-of-Business app and assign it to the device group.
Answer: D

Correct: This is the standard method for deploying LOB apps via Intune.

Why this answer

Option D is correct because Intune natively supports deploying custom Line-of-Business (LOB) apps by uploading the installer package (.msi, .appx/.appxbundle or .msix/.msixbundle; a .exe installer is instead wrapped with the Win32 Content Prep Tool and added as a Win32 app) directly in the Intune admin center and assigning it to a device group. This is the recommended approach for apps that are not in the Microsoft Store, because Intune's mobile device management (MDM) channel delivers the app to Windows 10 devices without external infrastructure such as Group Policy or the Microsoft Store for Business. Two practical checks: the package is uploaded once and served from Intune's content storage, and an .appx/.msix package must be signed with a certificate the target devices trust or installation fails silently from the user's point of view.

Exam trap

The trap here is that candidates may confuse the Microsoft Store for Business (now Microsoft Store) as a viable publishing platform for custom LOB apps, not realizing that the store only accepts apps that meet Microsoft's submission requirements and is not designed for internal, proprietary applications.

How to eliminate wrong answers

Option A is wrong because adding the app as a Microsoft Store app (business) in Intune is intended for apps that are already available in the Microsoft Store for Business, not for custom LOB apps that are not in the store. Option B is wrong because Group Policy deployment via a network share is a traditional on-premises method that does not integrate with Intune's cloud-based MDM, and it requires devices to be domain-joined and connected to the corporate network, which is not recommended for modern, cloud-managed environments. Option C is wrong because publishing a custom LOB app to the Microsoft Store for Business is not supported; the store only accepts apps that meet specific submission criteria and are not intended for internal, proprietary line-of-business applications.

827
MCQ · medium

A junior administrator needs permission to view sign-in logs, audit logs, and security recommendations in the Microsoft Entra admin center, but must not be able to reset passwords, modify settings, or manage roles. Which built-in Microsoft Entra role should the administrator assign?

A.Global Reader
B.Security Reader
C.Reports Reader
D.Security Administrator
Answer: B

Security Reader provides read-only access to security features, including sign-in logs, audit logs, and security recommendations. It does not allow any modification, meeting the requirement.

Why this answer

The Security Reader role grants read-only access to security-related data, including sign-in logs, audit logs, and security recommendations, without permitting any write operations such as password resets, setting modifications, or role management. This aligns precisely with the junior administrator's required permissions.

Exam trap

The trap here is that candidates confuse Security Reader with Security Administrator, assuming that viewing security recommendations needs write permission, or they pick Reports Reader, which does cover sign-in and audit logs but not the security recommendations (Identity Secure Score, Identity Protection reports) that the task also requires.

How to eliminate wrong answers

Option A is wrong because Global Reader has read-only access to everything in Microsoft Entra ID and Microsoft 365, including settings and configuration, which is far broader than the stated need and exposes configuration data the junior administrator does not require. Option C is wrong because Reports Reader can read the sign-in and audit logs and usage reports, but not the security recommendations (Identity Secure Score and Identity Protection reports) the scenario asks for; it is not a legacy role, it is simply narrower than Security Reader. Option D is wrong because Security Administrator carries write permissions over security configuration (Conditional Access, Identity Protection policies and similar), which exceeds the read-only restriction. Note that even Security Administrator cannot reset passwords or manage role membership, so the reason to reject it is its write access to security settings, not password resets.
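As an added example (not part of the question bank), the least-privilege assignment described above done with Microsoft Graph PowerShell, followed by the check a reviewer would want: that the junior administrator holds Security Reader and nothing else. The user principal name is a placeholder; it assumes the Microsoft.Graph modules are installed and the caller holds Privileged Role Administrator.

```powershell
# Added example, not from the question bank: assign Security Reader and verify no other directory role is held.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$userUpn = 'jr.admin@contoso.com'   # placeholder
$user    = Get-MgUser -UserId $userUpn

# Resolve the built-in role by display name rather than hard-coding its template GUID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

# "/" is tenant-wide scope. This creates an active assignment; for a junior admin an eligible PIM
# assignment (New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest) is the better default.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/'

# Verification: list every directory role the user now holds and flag anything beyond Security Reader.
function Get-UnexpectedDirectoryRoles {
    param([Parameter(Mandatory)][string] $PrincipalId, [string] $Expected = 'Security Reader')
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -ExpandProperty roleDefinition |
        Where-Object { $_.RoleDefinition.DisplayName -ne $Expected } |
        Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
}

$extra = Get-UnexpectedDirectoryRoles -PrincipalId $user.Id
if ($extra) { $extra | ForEach-Object { Write-Warning "$userUpn also holds '$($_.Role)' at scope $($_.DirectoryScopeId)" } }
else        { Write-Host "OK: $userUpn holds only Security Reader" }
```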

828
Multi-Select · easy

Your company is implementing Microsoft Purview Data Loss Prevention (DLP) to protect credit card numbers in emails. Which THREE actions can a DLP policy take when a match is found?

Select 3 answers
A.Delete the email from the recipient's inbox.
B.Encrypt the email automatically.
C.Allow the user to override the block with a business justification.
D.Send a notification to the user with a policy tip.
E.Block the email from being sent.
Answers: C, D, E

Override with justification is configurable per rule.

Why this answer

Options C, D and E are correct: a DLP rule for the Exchange location can block the message from being sent, show the user a policy tip and send a notification, and allow the user to override the block with a business justification (or a false-positive report) when the rule is configured to permit overrides. Option A is wrong because DLP acts on mail in transit; it does not delete a message that has already landed in a recipient's inbox. Option B is wrong in the sense the question intends: encryption is not one of the three actions the exam expects. Be aware, though, that current Purview DLP rules for Exchange do offer "Encrypt email messages" under "Restrict access or encrypt the content in Microsoft 365 locations", so in a live tenant option B is achievable; the exam's answer key is C, D and E.

829
MCQ · hard

An administrator deployed the above Intune device configuration policy for Microsoft Defender for Endpoint on Windows 10 devices. Users report that some potentially unwanted applications (PUA) are still being installed. What is the most likely cause?

A.The cloud timeout value is too low, causing PUA detection to fail.
B.The PUAProtection setting is in AuditMode and not blocking PUAs.
C.Cloud-delivered protection is set to High level, which does not affect PUAs.
D.Real-time monitoring is disabled.
Answer: B

AuditMode only logs PUA detections; it does not block them.

Why this answer

The policy shown sets PUAProtection to AuditMode, which detects and logs potentially unwanted applications but lets them install. To block them, the setting must be Enabled (Block; Defender CSP value 1). Option B is correct.

Option A is wrong because the cloud timeout only extends how long the client waits for a cloud verdict; it does not switch PUA detection on or off. Option C is wrong because the High cloud-delivered protection level strengthens cloud blocking and does not cause PUA to be allowed. Option D is wrong because real-time monitoring is enabled in the policy shown.
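Since the exhibit is not reproduced here, the following added example (not from the question bank) shows how to confirm from the device side what the Intune profile actually applied: the effective Defender preferences, the PUA detections that audit mode still records, and the value mapping the Defender CSP uses. Run it in an elevated session on a managed Windows device; the Defender PowerShell module ships with Windows.

```powershell
# Added example, not from the question bank: read the effective Defender AV preferences and PUA history.
$pref = Get-MpPreference

# PUAProtection is an integer: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (detect and log only).
# The Defender CSP node ./Device/Vendor/MSFT/Policy/Config/Defender/PUAProtection uses the same values.
$puaLabel = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode (log only)' }

[pscustomobject]@{
    PUAProtection        = $puaLabel[[int]$pref.PUAProtection]
    RealTimeMonitoring   = -not $pref.DisableRealtimeMonitoring
    CloudProtection      = $pref.MAPSReporting         # 0 = off, 1 = basic, 2 = advanced
    CloudBlockLevel      = $pref.CloudBlockLevel       # 0 = default, 2 = high, 4 = high+, 6 = zero tolerance
    CloudExtendedTimeout = $pref.CloudExtendedTimeout  # extra seconds for cloud checks; unrelated to PUA
}

# PUA detections made in audit mode still appear in the threat history (threat names start with "PUA:"),
# which is how the "PUAs are still being installed" report can be confirmed on the device.
Get-MpThreat | Where-Object ThreatName -like 'PUA:*' |
    Select-Object ThreatName, SeverityID, @{ n = 'Resources'; e = { $_.Resources -join '; ' } }

# Local change for testing only: an Intune-managed device is re-evaluated against its profile, so the
# durable fix is to set PUAProtection to 1 (Block) in the Intune antivirus/configuration policy itself.
if ([int]$pref.PUAProtection -eq 2) {
    Set-MpPreference -PUAProtection Enabled
}
```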

830
MCQ · hard

Your organization uses Microsoft Entra ID Governance. You need to implement an access review for all users who have access to a critical application. The review must be recurring every quarter and require reviewers to provide a justification for their decisions. Which access review settings should you configure?

A.Frequency: Quarterly, Justification required: No
B.Frequency: Quarterly, Justification required: Yes
C.Frequency: Annually, Justification required: Yes
D.Frequency: Monthly, Justification required: Yes
Answer: B

Matches both requirements.

Why this answer

Option B is correct because a quarterly recurrence with justification required satisfies both requirements. Option A is wrong because it does not require reviewers to justify their decisions. Option C is wrong because the recurrence is annual, not quarterly.

Option D is wrong because the recurrence is monthly, not quarterly.

831
MCQ · medium

A legal department needs to preserve all communications related to an ongoing lawsuit. They identify specific users and require that their mailbox items and OneDrive files are not altered or deleted. Which Microsoft Purview feature should be used?

A.Litigation Hold
B.Retention Policy
C.Data Loss Prevention (DLP)
D.eDiscovery
Answer: A

Litigation Hold preserves the custodian's mailbox content in place: originals and pre-edit versions are kept in the Recoverable Items folder even if the user deletes or modifies them.

Why this answer

Litigation Hold is the exam's expected answer because it preserves a specific user's mailbox items in their current state: deleted items and earlier versions of edited items are retained in the Recoverable Items folder, out of the user's reach, for as long as the hold is in place (indefinitely unless a duration is set). It applies per mailbox rather than across the organization, which matches the 'specific users' in the scenario. A practitioner caveat: Litigation Hold is a mailbox property (Set-Mailbox -LitigationHoldEnabled $true) and does not cover OneDrive; to preserve the same custodians' OneDrive files you place their personal sites on a hold from an eDiscovery case.

Exam trap

The trap here is that candidates confuse retention policies with litigation holds. A retention policy also preserves copies of content, but it is built around a retention period and can delete content when that period ends; a litigation hold preserves indefinitely until an administrator removes it.

How to eliminate wrong answers

Option B (Retention Policy) is wrong because retention policies manage the data lifecycle: they retain copies for a defined period and can then delete the content, whereas a legal hold needs open-ended preservation. Option C (Data Loss Prevention) is wrong because DLP detects and restricts the sharing of sensitive data; it does not preserve data against alteration or deletion. Option D (eDiscovery) is wrong in the exam's framing because eDiscovery is the search, hold and export workflow for investigations rather than a mailbox preservation setting in itself; note that an eDiscovery case hold is a separate mechanism from Litigation Hold, not something built on it, and it is the hold that would cover the OneDrive files.
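As an added example (not from the question bank), the preservation described above carried out end to end: Litigation Hold on the named mailboxes with Exchange Online PowerShell, then an eDiscovery case hold for the same custodians' OneDrive sites, because Litigation Hold alone does not reach OneDrive. Case name, user principal names and OneDrive URLs are placeholders; it assumes the ExchangeOnlineManagement module and eDiscovery Manager permissions.

```powershell
# Added example, not from the question bank: mailbox Litigation Hold plus an eDiscovery case hold for OneDrive.
Connect-ExchangeOnline
Connect-IPPSSession   # Security & Compliance PowerShell, for the case-hold cmdlets

$custodians = 'alice@contoso.com', 'bob@contoso.com'   # placeholders

foreach ($upn in $custodians) {
    # Omitting -LitigationHoldDuration makes the hold indefinite, which is what an open lawsuit needs.
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldOwner 'legal@contoso.com'
}

# Verify rather than assume; the property can take up to an hour to take effect.
$custodians | ForEach-Object { Get-Mailbox -Identity $_ } |
    Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# OneDrive is preserved through an eDiscovery (Standard) case. The locations are the custodians'
# personal site URLs (placeholders in the tenant's -my.sharepoint.com namespace).
$case = New-ComplianceCase -Name 'Fabrikam v. Contoso'
$oneDriveUrls = 'https://contoso-my.sharepoint.com/personal/alice_contoso_com',
                'https://contoso-my.sharepoint.com/personal/bob_contoso_com'

$policy = New-CaseHoldPolicy -Name 'Fabrikam v. Contoso - custodian hold' -Case $case.Identity `
              -ExchangeLocation $custodians -SharePointLocation $oneDriveUrls -Enabled $true
# A hold policy needs a rule; with no ContentMatchQuery everything in the listed locations is held.
New-CaseHoldRule -Name 'Fabrikam v. Contoso - hold all' -Policy $policy.Identity

Get-CaseHoldPolicy -Identity $policy.Identity -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```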

832
Multi-Select · medium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?

Select 2 answers
A.EmailEvents and DeviceNetworkEvents
B.EmailEvents and DeviceProcessEvents
C.EmailPostDeliveryEvents and DeviceNetworkEvents
D.EmailAttachmentInfo and DeviceRegistryEvents
Answers: A, C

EmailEvents records the delivery (RecipientEmailAddress, RecipientObjectId, DeliveryAction, DeliveryLocation, Timestamp) and DeviceNetworkEvents records the connection (DeviceName, RemoteIP, InitiatingProcessAccountObjectId, Timestamp). EmailEvents carries no device identifier, so the two tables are joined on the user (RecipientObjectId to InitiatingProcessAccountObjectId, or the matching UPN columns) and constrained to a time window after delivery.

Why this answer

Option A is correct because the rule needs both the phishing email delivery event and the later network connection to a malicious IP. EmailEvents records the delivery outcome (DeliveryAction 'Delivered' with DeliveryLocation 'Inbox/folder') together with the threat verdict, and DeviceNetworkEvents records outbound connections from onboarded Windows devices, including the RemoteIP. Joining the two on the user identity (RecipientObjectId against InitiatingProcessAccountObjectId) and keeping only connections made within a window after delivery correlates the receipt of the email with the connection.

Exam trap

The trap here is that candidates confuse EmailPostDeliveryEvents (post-delivery actions) with EmailEvents (initial delivery), or assume DeviceProcessEvents can capture network connections when it only records process creation.
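The advanced hunting query behind the detection, as an added example that is not part of the question bank, submitted through the Microsoft Graph hunting API so the results can be inspected before the custom detection rule is created. The malicious IP list (TEST-NET-3 addresses) and the one-hour window are constructed placeholders; in production the IPs would come from a threat-intel feed or watchlist. It assumes the Microsoft.Graph.Authentication module and the ThreatHunting.Read.All permission.

```powershell
# Added example, not from the question bank: phish delivered to inbox followed by a connection to a known-bad IP.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

$kql = @'
let maliciousIps = dynamic(["203.0.113.10", "203.0.113.11"]);   // constructed IOC list (TEST-NET-3)
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
| project EmailTime = Timestamp, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, SenderFromAddress, Subject
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemoteIP in (maliciousIps)
    | project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl,
              InitiatingProcessFileName, InitiatingProcessAccountObjectId
  ) on $left.RecipientObjectId == $right.InitiatingProcessAccountObjectId
// EmailEvents has no DeviceId: the user is the join key and the time window orders the two events.
| where Timestamp between (EmailTime .. (EmailTime + 1h))
// A custom detection must return Timestamp, ReportId and an entity column such as DeviceId.
| project Timestamp, ReportId, DeviceId, DeviceName, RecipientEmailAddress, SenderFromAddress, Subject,
          NetworkMessageId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, EmailTime
'@

$resp = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
            -ContentType 'application/json' -Body @{ Query = $kql }

# Each result row is a hash table keyed by the projected column names.
$resp.results | ForEach-Object {
    '{0}  {1} on {2} -> {3}:{4} via {5}, {6} after phish "{7}"' -f $_.Timestamp, $_.RecipientEmailAddress,
        $_.DeviceName, $_.RemoteIP, $_.RemotePort, $_.InitiatingProcessFileName, $_.EmailTime, $_.Subject
}
```

The single-quoted here-string keeps `$left` and `$right` literal, which matters because PowerShell would otherwise expand them. Once the query returns the expected rows, the same KQL is pasted into Defender XDR under Hunting > Custom detection rules, where the Timestamp, ReportId and DeviceId columns let the rule generate alerts with the device as the impacted entity.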

833
MCQ · medium

A company uses password hash synchronization with Microsoft Entra Connect. The security team wants to enable self-service password reset (SSPR) so that users can reset their own passwords, and the password changes must be written back to the on-premises Active Directory. Which additional configuration is required to achieve password writeback?

A.Configure SSPR to use federation with on-premises AD FS
B.Enable password hash synchronization in Microsoft Entra Connect
C.Install Microsoft Entra Connect with password writeback enabled
D.Set the SSPR property 'Password writeback' to 'Yes' in the Microsoft Entra admin center
Answer: C

Password writeback must be enabled in Microsoft Entra Connect itself (re-run the wizard and select the optional feature, or reconfigure it), in addition to turning on writeback in the SSPR settings.

Why this answer

Password writeback is a Microsoft Entra Connect feature. The server is already installed for password hash synchronization, so the required change is to enable the 'Password writeback' optional feature in Entra Connect (re-run the configuration wizard). That in turn requires the AD DS Connector account to hold reset-password and write permissions on lockoutTime and pwdLastSet for the synced users, and outbound HTTPS connectivity from the server to the service. Option C is correct because it names the component that actually performs the write to on-premises Active Directory.

Exam trap

The trap here is that candidates often confuse configuring the SSPR policy setting (Option D) with the actual installation requirement, assuming the admin center toggle alone enables writeback without realizing the Entra Connect component must be installed first.

How to eliminate wrong answers

Option A is wrong because federation with AD FS is not required; SSPR writeback works with password hash synchronization. Option B is wrong because password hash synchronization is already in place and is a one-way feed of hashes to the cloud; writeback is a separate feature. Option D is wrong as the single answer because the admin-center toggle (Password reset > On-premises integration > Write back passwords to your on-premises directory) only tells the service to attempt writeback; without the feature enabled in Entra Connect there is nothing on-premises to receive the write. In practice both the toggle and the Entra Connect feature are turned on.
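As an added example (not from the question bank), the server-side work above done on an existing Microsoft Entra Connect server: check whether writeback is enabled for the Entra ID connector, enable it, grant the AD DS Connector account the rights writeback needs, and look at the writeback event log. The connector account name and domain are placeholders, the module path is the default install location, and the event source name is taken from the writeback troubleshooting guidance and marked as an assumption. Run it as a member of the local ADSyncAdmins group.

```powershell
# Added example, not from the question bank: enable and verify password writeback on an existing Entra Connect server.
Import-Module ADSync
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# The Entra ID connector is named "<tenant>.onmicrosoft.com - AAD".
$aadConnector = (Get-ADSyncConnector | Where-Object Name -like '* - AAD').Name

# Server-side state: the same switch the wizard exposes as the "Password writeback" optional feature.
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector -Enable $true
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector   # confirm it now reports enabled

# On-premises rights: reset password, change password, and write to lockoutTime and pwdLastSet on the
# synced user objects. The AdSyncConfig helper grants exactly that set. MSOL_xxxxxxxx is the account
# name pattern express setup creates; the value below is a placeholder.
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'MSOL_0123abcd' -ADConnectorAccountDomain 'corp.contoso.com'

# Remaining step, in the Entra admin center: Password reset > On-premises integration > turn on
# "Write back passwords to your on-premises directory". Writeback attempts are then logged on this
# server in the Application log (provider name assumed from the troubleshooting documentation).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```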

834
MCQ · medium

A company with Azure AD Premium P2 licenses wants to enforce that all activations of the Global Administrator role require approval from a designated security group. The activation must also require a business justification and expire after 4 hours. Which Azure AD feature should the administrator configure?

A.Azure AD Identity Protection
B.Azure AD Privileged Identity Management (PIM)
C.Azure AD Conditional Access
D.Azure AD Multi-Factor Authentication
Answer: B

PIM provides just-in-time privileged access with approval, justification, and expiration settings.

Why this answer

Azure AD Privileged Identity Management (PIM) provides time-bound and approval-based role activation. It allows you to require approval from a designated security group, mandate a business justification, and set a maximum activation duration (e.g., 4 hours) for privileged roles like Global Administrator. This directly matches all the requirements in the question.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls sign-in conditions) with PIM (which controls role activation), leading them to select Option C because they think 'approval' is a conditional access policy, but PIM is the only feature that manages role activation workflows and expiration.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection is a risk-based tool that detects and responds to identity threats (e.g., leaked credentials, sign-in risks) but does not manage role activation, approval workflows, or activation duration. Option C is wrong because Azure AD Conditional Access enforces access policies based on conditions like location or device state, but it cannot control role activation approval or expiration; it applies to sign-in events, not role elevation. Option D is wrong because Azure AD Multi-Factor Authentication adds an extra verification step during authentication but does not provide approval workflows, business justification prompts, or time-bound role activation.

835
Drag & Drop · medium

Drag and drop the steps to configure role-based access control (RBAC) in Microsoft 365 Defender in the correct order.


Why this order

In Microsoft Defender XDR unified RBAC, a custom role is created (or an existing one edited) in the Defender portal under Permissions and roles, the permissions it carries are selected, and the role is then assigned to Microsoft Entra users or groups together with the data sources (workloads) the assignment covers. Permissions are defined before the role is assigned, so the order is: create or edit the role, choose its permissions, then assign it to users or groups.

836
Multi-Select · medium

You are a Microsoft 365 administrator responsible for managing security and threats by using Microsoft Defender XDR. Which four of the following are core components or capabilities of Microsoft Defender XDR? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
E.Microsoft Intune
F.Microsoft 365 Defender portal Threat Analytics
Answers: A, B, C, D

Why this answer

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively integrates signals from four core Microsoft Defender components: Defender for Endpoint (endpoint detection and response), Defender for Office 365 (email and collaboration security), Defender for Identity (on-premises Active Directory identity threat detection), and Defender for Cloud Apps (SaaS application access and shadow IT control). These four are the foundational pillars that feed into the Microsoft 365 Defender portal, enabling cross-domain correlation and automated incident response.

Exam trap

The trap here is that candidates often confuse Microsoft Intune (a management tool) or Threat Analytics (a reporting feature) as core components of Defender XDR, when in fact the exam expects the four specific Defender-branded products that natively integrate to form the XDR solution.

837
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. A security administrator needs to grant a user temporary elevation to the Global Administrator role for a specific task. The elevation should require approval from a designated group and be time-limited. Which Microsoft Entra feature should be configured?

A.Conditional Access
B.Privileged Identity Management
C.Identity Protection
D.Access Reviews
Answer: B

PIM enables just-in-time privileged access with approval and time limits.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time (JIT) privileged access with time-bound activation, approval workflows, and audit logging. This directly meets the requirement for temporary elevation to Global Administrator with approval from a designated group and a time limit.

Exam trap

The trap here is that candidates confuse Privileged Identity Management with Conditional Access, thinking Conditional Access can enforce time-limited role elevation, but Conditional Access only controls authentication conditions, not role activation or approval workflows.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like user location or device state at sign-in, but it does not provide time-limited role elevation with approval workflows. Option C is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, impossible travel), not on managing privileged role assignments or approvals. Option D is wrong because Access Reviews are used to periodically review and certify existing group memberships or role assignments, not to grant temporary, on-demand elevation with approval.

838
Multi-Select · easy

Your organization needs to manage guest access to Microsoft Teams. Which TWO methods can you use to control guest access?

Select 2 answers
A.Use sensitivity labels to restrict guest access.
B.Configure SharePoint Online external sharing settings.
C.Enable guest access in the Teams admin center.
D.Set conditional access policies for guest users.
E.Configure external collaboration settings in Microsoft Entra ID.
Answers: C, E

Guest access is gated at two layers: the Teams guest access switch and the tenant-level external collaboration (guest invite) settings in Microsoft Entra ID.

Why this answer

Option C is correct because the guest access toggle in the Teams admin center (Users > Guest access) must be on for guests to be added to teams; with it off, guest access is blocked at the Teams layer regardless of other settings. Option E is correct because the Microsoft Entra external collaboration settings decide who may invite guests, what guests can see once in the directory and which domains are allowed; a guest that Entra ID will not admit never reaches a team. Both layers must permit the guest.

Exam trap

The trap here is that candidates often confuse the separate layers of control—Teams-specific settings (admin center) versus tenant-wide identity settings (Entra ID)—and may think that only one of these two correct options is needed, or that SharePoint settings (Option B) are sufficient for Teams guest access.
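The two-layer check described above, as an added example that is not part of the question bank: it reads the Teams guest access switch and the Microsoft Entra external collaboration settings and warns about the combinations that silently block guests. It assumes the MicrosoftTeams and Microsoft.Graph modules and a caller with Teams Administrator and Policy.Read.All.

```powershell
# Added example, not from the question bank: both gates a guest must pass before they can be added to a team.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes 'Policy.Read.All'

function Test-TeamsGuestAccessGates {
    # Teams admin center > Users > Guest access is the AllowGuestUser switch on the Teams client configuration.
    $teams = Get-CsTeamsClientConfiguration -Identity Global
    # Entra admin center > External Identities > External collaboration settings is the authorization policy.
    $authz = Get-MgPolicyAuthorizationPolicy

    # Documented role template IDs behind "Guest user access restrictions".
    $guestRole = @{
        'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'same access as members'
        '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'limited access (default)'
        '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'restricted access'
    }

    $result = [pscustomobject]@{
        TeamsGuestAccessEnabled = [bool]$teams.AllowGuestUser
        # everyone / adminsAndGuestInviters / adminsGuestInvitersAndAllMembers / none
        WhoCanInvite            = $authz.AllowInvitesFrom
        GuestRestriction        = $guestRole[[string]$authz.GuestUserRoleId]
    }

    if (-not $result.TeamsGuestAccessEnabled) {
        Write-Warning 'Teams guest access is off: guests cannot be added to any team, whatever Entra ID allows.'
    }
    if ($result.WhoCanInvite -eq 'none') {
        Write-Warning 'Entra ID blocks all guest invitations: the Teams switch alone will not admit guests.'
    }
    $result
}

Test-TeamsGuestAccessGates
```

A third layer, cross-tenant access settings (B2B collaboration inbound), can further restrict which external tenants' users are admitted; the default policy allows B2B collaboration, so it only matters if it has been tightened.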

839
MCQ · easy

You need to prevent users from registering security information for Microsoft Entra self-service password reset (SSPR) if they are not in a specific group. What should you configure?

A.Microsoft Entra Identity Protection user risk policy
B.Combined registration for SSPR and Microsoft Entra multifactor authentication
C.SSPR scope setting to require group membership
D.Conditional Access policy to block registration for non-group members
Answer: C

SSPR can be scoped to a selected group; only members of that group can register for and use SSPR.

Why this answer

Option C is correct because the 'Self service password reset enabled' setting can be set to Selected and pointed at a group, so only its members are prompted to register and can reset their password. Option B is wrong because combined registration merges SSPR and MFA registration into one experience; it does not restrict who may register. Option D is wrong because a Conditional Access policy targeting the 'Register security information' user action can block or add conditions to registration, but it is not how SSPR eligibility is scoped.

Option A is wrong because an Identity Protection user risk policy responds to risky users and has nothing to do with registration.

840
MCQ · medium

A company uses Microsoft Entra ID P2 licenses and wants to enforce multi-factor authentication (MFA) for all users when accessing corporate applications. However, a small group of break-glass accounts must be excluded from MFA requirements to ensure emergency access. The administrator creates a Conditional Access policy targeting all users. Which configuration should be applied to achieve the exclusion?

A.Set 'Grant' control to 'Require multi-factor authentication' and include all users including break-glass accounts.
B.Under 'Assignments' > 'Users and groups', select 'Exclude' and choose the security group containing break-glass accounts.
C.Under 'Session' controls, configure 'Sign-in frequency' with a value of 0 to disable MFA for break-glass accounts.
D.Create a separate policy for break-glass accounts that does not impose MFA and assign it a lower priority.
Answer: B

Excluding the break-glass group from the policy ensures they are not subject to MFA, preserving emergency access.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID allow administrators to exclude specific users or groups from policy enforcement. By excluding the security group containing break-glass accounts under 'Assignments' > 'Users and groups', the MFA requirement is applied to all other users while ensuring emergency access accounts remain unblocked. This is the standard and recommended approach for handling break-glass accounts in a Conditional Access policy targeting all users.

Exam trap

The trap here is that candidates may confuse session controls (like sign-in frequency) with grant controls (like MFA requirement), or incorrectly assume that a lower-priority policy can override a higher-priority policy that includes the same users, when in fact exclusion is the only reliable method to bypass a policy targeting all users.

How to eliminate wrong answers

Option A is wrong because including the break-glass accounts would force them to satisfy MFA, which defeats the purpose of accounts that must still work when MFA or the Authenticator service is unavailable. Option C is wrong because the 'Sign-in frequency' session control governs how often users re-authenticate, not whether MFA is required; 0 is not a valid value and would not exempt anyone in any case. Option D is wrong because Conditional Access has no policy priority: every policy that applies to a sign-in is evaluated and all of them must be satisfied, so a second, more permissive policy cannot override the first. Explicit exclusion from the policy is the only way to exempt the break-glass group.

841
MCQ · easy

An administrator adds the custom domain 'fabrikam.com' to a new Microsoft 365 tenant. After adding the domain, the status shows 'Pending verification'. Which type of DNS record must be added to the public DNS zone to complete domain ownership verification?

A.MX record
B.TXT record
C.CNAME record
D.SPF record
Answer: B

A TXT record with the verification string is added to the domain's DNS zone to confirm ownership.

Why this answer

To verify domain ownership in Microsoft 365 you add a TXT record at the domain apex whose value is the token shown in the Microsoft 365 admin center (in the form MS=msXXXXXXXX). This proves control because only someone who can edit the zone can publish it. MX, CNAME and SPF records serve mail routing and service configuration, not ownership proof. One caveat: if the DNS host cannot publish TXT records, the admin center also offers an MX-record alternative that carries the same token, but TXT is the default method and the expected answer.

Exam trap

The trap here is that candidates confuse the verification TXT record with other TXT-based records like SPF or DKIM, or assume any DNS record type can be used for verification, but Microsoft specifically requires a TXT record with a unique token for domain ownership proof.

How to eliminate wrong answers

Option A is wrong because MX records are used to specify mail exchange servers for email routing, not for domain ownership verification. Option C is wrong because CNAME records alias one domain name to another and are not used for verification; they are typically used for service-specific configurations like autodiscover. Option D is wrong because SPF records are a type of TXT record used to authorize sending servers for email authentication, but the verification process requires a specific TXT record with a unique token, not an SPF record.
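As an added example (not from the question bank), a check that the verification record is visible from a public resolver and that it is not being confused with the SPF record that lives at the same name, which is the trap the question is about. The domain and token are placeholders in the format the admin center issues; Resolve-DnsName ships with Windows.

```powershell
# Added example, not from the question bank: confirm the Microsoft 365 verification TXT record has propagated.
function Test-M365DomainVerificationRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedToken,   # e.g. 'MS=ms12345678' from the admin center
        [string] $DnsServer = '8.8.8.8'                    # a public resolver, not a cached internal one
    )
    # TXT records longer than 255 bytes are split into several strings; join them back before comparing.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }

    [pscustomobject]@{
        Domain            = $Domain
        VerificationFound = [bool]($txt -contains $ExpectedToken)
        SpfRecords        = @($txt | Where-Object { $_ -like 'v=spf1*' })   # a different record at the same name
        OtherTxt          = @($txt | Where-Object { $_ -notlike 'v=spf1*' -and $_ -ne $ExpectedToken })
        Resolver          = $DnsServer
    }
}

Test-M365DomainVerificationRecord -Domain 'fabrikam.com' -ExpectedToken 'MS=ms12345678'
```

If VerificationFound is false from the public resolver but the record shows in the registrar's console, the zone's TTL or the host's propagation delay is the usual reason; querying the domain's own authoritative name server (from `Resolve-DnsName fabrikam.com -Type NS`) tells the two cases apart.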

842
MCQ · medium

You are reviewing a Conditional Access policy in JSON format. The policy is applied to all users accessing Office 365 from trusted locations. What is the intended behavior of this policy?

A.Users are blocked if they are not using a compliant device
B.Users must provide MFA and use a compliant device
C.Users only need to provide MFA regardless of device
D.Users must provide MFA or use a compliant device
Answer: D

The OR operator means at least one condition must be met.

Why this answer

The policy grants access when users are in a trusted location and either provide MFA or use a compliant device. The 'OR' condition between MFA and device compliance means that satisfying either requirement is sufficient, not both. This is the standard behavior when multiple controls are assigned with 'Require one of the selected controls' in Conditional Access.

Exam trap

The trap here is that candidates assume multiple grant controls always combine with AND logic. The operator is an explicit part of the policy (in the Graph representation, grantControls.operator is 'OR' for 'Require one of the selected controls' and 'AND' for 'Require all the selected controls'), so read it from the policy rather than assuming either default.

How to eliminate wrong answers

Option A is wrong because the policy does not block users; it grants access with conditions, and trusted location users are not blocked if they fail device compliance as long as they provide MFA. Option B is wrong because the policy does not require both MFA and a compliant device; it uses an OR condition, so only one is needed. Option C is wrong because the policy does not grant access with MFA alone regardless of device; it also allows access with a compliant device without MFA, so device compliance is a separate path.
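The policy this question describes, and the break-glass exclusion from question 840, as one added example that is not part of the question bank: it builds the policy body in the shape the Graph API stores (the same JSON the exhibit would show), creates it in report-only mode, and then audits every non-disabled policy that targets all users for a missing break-glass exclusion. The group ID and named-location ID are placeholders; it assumes the Microsoft.Graph modules and Conditional Access Administrator.

```powershell
# Added example, not from the question bank: Conditional Access policy body, creation, and break-glass audit.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder security group
$trustedLocationId = '00000000-0000-0000-0000-000000000002'   # placeholder named location

$body = @{
    displayName = 'CA100: MFA or compliant device for Office 365 from trusted locations'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; 'enabled' after sign-in log review
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('Office365') }   # the Office 365 app group
        locations    = @{ includeLocations = @($trustedLocationId) }
    }
    grantControls = @{
        # 'OR' = "Require one of the selected controls"; 'AND' = "Require all the selected controls".
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice')
    }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created '$($new.DisplayName)' with operator $($new.GrantControls.Operator)"

# Audit: any enabled or report-only policy aimed at all users that does not exclude the break-glass group
# would lock those accounts out the day a control (MFA, device compliance) becomes unavailable.
function Get-PoliciesMissingBreakGlassExclusion {
    param([Parameter(Mandatory)][string] $GroupId)
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -ne 'disabled' -and $_.Conditions.Users.IncludeUsers -contains 'All' } |
        Where-Object { $_.Conditions.Users.ExcludeGroups -notcontains $GroupId } |
        Select-Object DisplayName, State,
            @{ n = 'Operator'; e = { $_.GrantControls.Operator } },
            @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
}

Get-PoliciesMissingBreakGlassExclusion -GroupId $breakGlassGroupId
```

With operator 'OR' a user on a compliant device passes without an MFA prompt, which is the behaviour question 842 asks about; changing the operator to 'AND' is the only edit needed to require both.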

843
MCQ · medium

A compliance officer needs to retain all email messages in a user's Exchange Online mailbox for 7 years after the message is sent or received, and then automatically delete them. The retention must be enforced regardless of user actions. Which Microsoft Purview solution should be used?

A.Litigation hold
B.Retention policy with Exchange location
C.Classification policy
D.In-place eDiscovery hold
Answer: B

A retention policy can retain and then delete content after a specified period.

Why this answer

A retention policy with the Exchange location in Microsoft Purview allows you to define a retention period (e.g., 7 years) and then automatically delete messages after that period. It enforces the retention regardless of user actions because it operates at the service level, not relying on user cooperation. This meets the compliance officer's requirement for mandatory, time-based retention and deletion.

Exam trap

The trap here is that candidates often confuse Litigation hold (which preserves indefinitely) with a retention policy (which can both preserve and delete after a set time), leading them to select Litigation hold for time-based deletion scenarios.

How to eliminate wrong answers

Option A is wrong because Litigation hold preserves all mailbox content indefinitely until the hold is removed, but it does not automatically delete messages after a specific period; it is designed for legal preservation, not time-based retention with deletion. Option C is wrong because Classification policy (e.g., sensitivity labels) applies metadata and protection actions but does not enforce time-based retention or automatic deletion of email messages. Option D is wrong because In-place eDiscovery hold is a deprecated feature that preserves content for eDiscovery purposes without automatic deletion; it also does not support time-based retention policies.
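The retain-then-delete policy described above, as an added example that is not part of the question bank, created with Security & Compliance PowerShell and then checked for distribution status. The policy name is a placeholder; it assumes the ExchangeOnlineManagement module and Compliance Administrator.

```powershell
# Added example, not from the question bank: 7-year retain-then-delete for all Exchange mailboxes.
Connect-IPPSSession

$policyName = 'Exchange 7-year retain then delete'   # placeholder
New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All -Enabled $true

# 7 years = 2555 days, the value the Purview portal uses. KeepAndDelete retains the item (a copy survives in
# Recoverable Items even if the user deletes it) and deletes it when the period ends; CreationAgeInDays
# counts from when the message was sent or received.
New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays

# A policy still "Pending" is not enforcing anything yet; check distribution, not just existence.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
```

A mailbox that also carries a Litigation Hold or eDiscovery hold keeps its content past the 7 years; holds always win over a deletion action, which is the operational difference behind the Litigation hold versus retention policy distinction in this question.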

844
MCQ · medium

You are examining the default cross-tenant access policy for your Microsoft Entra ID tenant. Based on the exhibit, which statement is true?

A.Your users can use their Microsoft Authenticator app to sign in to partner tenants.
B.B2B direct connect is enabled for all external organizations.
C.External users must always reauthenticate even if their home tenant requires MFA.
D.Compliant device claims from external tenants are trusted.
Answer: C

IsMfaAccepted is $false in the default inbound trust settings, so MFA claims from external tenants are not trusted and guests are prompted for MFA in your tenant.

Why this answer

The default cross-tenant access policy shown does not trust MFA claims from external tenants (inboundTrust.isMfaAccepted is $false), so an external user who completed MFA in their home tenant must satisfy MFA again whenever your Conditional Access policies require it. Option A is wrong because trust settings are inbound: whether partner tenants accept your users' MFA depends on the partner's inbound trust configuration, not on anything in your tenant's defaults. Option B is wrong because B2B direct connect is blocked by default for all external organizations; the exhibit does not show it allowed.

Option D is wrong because IsCompliantDeviceAccepted is also $false in the defaults, so compliant device claims from external tenants are not trusted.
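Reading the same defaults through the Graph API, as an added example that is not part of the question bank, and then trusting MFA from one named partner tenant instead of loosening the defaults for everyone. The partner tenant ID is a placeholder; it assumes the Microsoft.Graph.Authentication module and the Policy.ReadWrite.CrossTenantAccess permission. Raw Graph calls are used so the property names match the JSON the exhibit is based on.

```powershell
# Added example, not from the question bank: default inbound trust settings and a per-partner override.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.CrossTenantAccess'
$base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'

$defaults = Invoke-MgGraphRequest -Method GET -Uri "$base/default"
[pscustomobject]@{
    IsMfaAccepted                       = $defaults.inboundTrust.isMfaAccepted                       # $false by default
    IsCompliantDeviceAccepted           = $defaults.inboundTrust.isCompliantDeviceAccepted           # $false by default
    IsHybridAzureADJoinedDeviceAccepted = $defaults.inboundTrust.isHybridAzureADJoinedDeviceAccepted # $false by default
    B2BDirectConnectInboundUsers        = $defaults.b2bDirectConnectInbound.usersAndGroups.accessType   # 'blocked' by default
    B2BDirectConnectOutboundUsers       = $defaults.b2bDirectConnectOutbound.usersAndGroups.accessType  # 'blocked' by default
}

# Partner-specific configuration: accept MFA claims only from this tenant. Device claims stay untrusted
# because you cannot inspect the partner's compliance policy, only its assertion that the device passed it.
$partnerTenantId = '00000000-0000-0000-0000-0000000000aa'   # placeholder
Invoke-MgGraphRequest -Method POST -Uri "$base/partners" -ContentType 'application/json' -Body @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# Verify the partner entry; anything left unset on the partner object falls back to the defaults above.
(Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId").inboundTrust
```

Trusting a partner's MFA means accepting their registration and method policy as your own for those users; keeping the trust per partner, rather than in the default policy, keeps that decision explicit and reviewable.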

845
MCQ · medium

An organization wants to delegate user creation to help desk staff without granting global admin rights. Which role should be assigned?

A.Global Administrator
B.Helpdesk Administrator
C.License Administrator
D.User Administrator
Answer: D

Can create users and manage licenses.

Why this answer

The User Administrator role is the correct choice because it grants the specific permissions needed to create and manage users and groups, including resetting passwords, without the broad privileges of Global Administrator. This role aligns with the principle of least privilege for help desk staff who need to perform user creation tasks.

Exam trap

The trap here is that candidates often confuse Helpdesk Administrator with User Administrator because both can reset passwords, but only User Administrator can create users, which is the specific task required in the question.

How to eliminate wrong answers

Option A is wrong because Global Administrator has unrestricted access to all Azure AD and Microsoft 365 settings, which is excessive and violates security best practices for delegating user creation. Option B is wrong because Helpdesk Administrator can reset passwords and manage service requests but cannot create users or modify user attributes beyond password resets. Option C is wrong because License Administrator can only assign and manage licenses for users and groups, not create new user accounts.

846
Matching · medium

Match each Microsoft 365 migration tool to its use case.


Migrate mailboxes from on-premises to Exchange Online

Migrate files from on-premises to SharePoint and OneDrive

Sync on-premises identities to Azure AD

Orchestrate large-scale migrations

Migrate data from Google Workspace

Why these pairings

These tools are used to migrate data and identities to Microsoft 365.

847
MCQ · medium

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator needs to ensure that users are required to register at least two authentication methods before they can use SSPR. Which configuration setting should the administrator modify?

A.Set the 'Number of methods required to reset' to 2 in the SSPR authentication methods settings.
B.Enable combined registration for SSPR and Microsoft Entra ID Multi-Factor Authentication.
C.Configure a Conditional Access policy requiring MFA registration for SSPR.
D.Set the 'Number of questions required to register' to 2 in the security questions settings.
Answer: A

This setting directly enforces that users must register at least two methods to use SSPR.

Why this answer

Option A is correct because 'Number of methods required to reset' (1 or 2) is the setting that drives both sides: a user must supply that many methods during a reset, and the registration experience therefore requires them to register at least that many of the enabled methods (for example, the Authenticator app and an authentication phone) before SSPR will work for them.

Exam trap

The trap here is confusing the 'Number of methods required to reset' (which controls the reset process) with the 'Number of methods required to register' (which controls initial registration), leading candidates to mistakenly choose options that affect registration but not the reset requirement.

How to eliminate wrong answers

Option B is wrong because enabling combined registration for SSPR and Microsoft Entra ID Multi-Factor Authentication simplifies the registration process but does not enforce a minimum number of methods for SSPR usage. Option C is wrong because a Conditional Access policy requiring MFA registration for SSPR can mandate MFA registration but does not control the number of authentication methods needed for SSPR reset. Option D is wrong because the 'Number of questions required to register' setting applies only to security questions, which are a specific authentication method, and does not enforce the overall number of methods required for reset; also, security questions are not a recommended method for SSPR.

848
MCQeasy

An organization has just purchased Microsoft 365 Business Standard licenses. The administrator adds a new user through the admin center. By default, does the new user receive a welcome email with sign-in instructions?

A.Yes, always, regardless of how the user is created.
B.Yes, if the administrator does not clear the 'Send welcome email' checkbox during user creation.
C.No, the administrator must manually send the welcome email using a script.
D.No, welcome emails are only sent when using the 'Add multiple users' option.
AnswerB

The admin center has a checkbox labeled 'Send welcome email in email' that is checked by default. Unchecking it will suppress the email.

Why this answer

When an administrator adds a new user through the Microsoft 365 admin center, the default behavior is to send a welcome email containing the user's sign-in name and temporary password. The administrator can opt out by clearing the 'Send welcome email in email' checkbox during the creation process. Therefore, the user receives the email unless the administrator explicitly deselects that option.

Exam trap

The trap here is that candidates may assume the welcome email is always sent or never sent, overlooking the specific checkbox control that allows the administrator to suppress the email during user creation.

How to eliminate wrong answers

Option A is wrong because the welcome email is not always sent; it depends on the checkbox state during user creation, and if the user is created via other methods (e.g., PowerShell, bulk CSV import), the email may not be sent by default. Option C is wrong because the administrator does not need to manually send the email using a script; the admin center provides a built-in checkbox to control sending, and the email is sent automatically unless the checkbox is cleared. Option D is wrong because the welcome email is sent for single user creation as well, not only when using the 'Add multiple users' option; the checkbox exists in both single and bulk creation flows.

849
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that all email messages containing encrypted attachments are automatically scanned for malware before delivery. What should you configure?

A.Safe Attachments policy with Dynamic Delivery enabled
B.Safe Links policy with URL scanning
C.Anti-malware policy
D.Anti-spam policy
AnswerA

Dynamic Delivery allows scanning encrypted attachments.

Why this answer

Option A is correct because a Safe Attachments policy with Dynamic Delivery can be configured to scan encrypted attachments. Option B is wrong because Safe Links is for links, not attachments. Option C is wrong because it is the general anti-malware policy. Option D is wrong because it is the anti-spam policy.

850
MCQmedium

Your organization uses Microsoft Defender for Office 365. Users report that legitimate emails from a specific partner domain are being moved to Junk Email folder. You verify that the partner's SPF, DKIM, and DMARC records are correctly configured. Which two actions should you take to resolve this issue?

A.Modify the Anti-Spam policy to increase the spam threshold.
B.Review the Anti-Phishing policy's spoof intelligence settings.
C.Configure the Outbound spam filter policy.
D.Disable the Spam filter for the affected users.
E.Add the partner domain to the Tenant Allow/Block List as an allowed domain.
AnswerB, E

Spoof intelligence may be incorrectly marking the partner domain as spoofed.

Why this answer

Option E is correct because you can create an Allow entry in the Tenant Allow/Block List to explicitly allow emails from the partner domain. Option B is correct because reviewing the anti-phishing policy's spoof intelligence settings can help identify whether the system is misclassifying the domain as spoofed. Option A is wrong because the Anti-Spam policy is not the cause; the issue is likely in the anti-phishing or spoof settings. Option D is wrong because disabling spam filtering is too aggressive and not recommended. Option C is wrong because the issue is with inbound filtering, not outbound.

851
MCQhard

You have a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover unsanctioned cloud apps used by users. What should you configure?

A.Conditional Access App Control
B.Microsoft Purview Data Loss Prevention
C.Microsoft Defender for Endpoint App Control
D.Microsoft Defender for Cloud Apps Cloud Discovery
AnswerD

Cloud Discovery identifies unsanctioned apps from traffic logs.

Why this answer

Microsoft Defender for Cloud Apps Cloud Discovery is the correct feature for identifying unsanctioned cloud apps used in your environment. It analyzes traffic logs from your network or endpoints to discover all cloud app usage, categorizes them by risk, and allows you to sanction or unsanction them. This directly fulfills the requirement to discover unsanctioned cloud apps.

Exam trap

The trap here is that candidates confuse Conditional Access App Control (a policy enforcement mechanism for sanctioned apps) with Cloud Discovery (the actual discovery and risk assessment feature), leading them to select Option A instead of the correct answer.

How to eliminate wrong answers

Option A is wrong because Conditional Access App Control is a session-level policy enforcement feature that works with sanctioned apps to control access and data exfiltration, not a discovery tool for finding unsanctioned apps. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent sensitive data from being shared or leaked, not to discover or inventory cloud app usage. Option C is wrong because Microsoft Defender for Endpoint App Control (Windows Defender Application Control) is a host-based security feature that controls which executables can run on Windows devices, not a cloud app discovery mechanism.

852
Multi-Selecthard

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user signs in from an unknown IP address and then downloads a large number of files. Which THREE components should you configure?

Select 3 answers
A.IP address range category
B.Scope (users and groups)
C.Anomaly detection policy template
D.Session policy
E.Alert settings
AnswersB, C, E

Specifies which users to monitor.

Why this answer

Options B, C, and E are correct because an anomaly detection policy requires a policy template, a scope (users and groups), and alert settings. Option A is wrong because the IP address range category is defined in the policy template itself, not configured separately. Option D is wrong because a session policy is used for real-time session control, not detection.

853
MCQmedium

The exhibit shows a KQL query used in Microsoft 365 Defender. The query returns no results for admin@contoso.com. What is the most likely reason?

A.The user does not have the Global Administrator role.
B.The KQL query syntax is invalid.
C.The role name in the query is misspelled.
D.Microsoft Defender for Identity is not enabled for the tenant.
AnswerD

The IdentityInfo table relies on Defender for Identity data.

Why this answer

The KQL query uses the `IdentityLogonEvents` table, which is populated by Microsoft Defender for Identity (MDI). If MDI is not enabled for the tenant, this table contains no data, so the query returns no results regardless of the user's role or query syntax. The query itself is syntactically correct and the role name 'GlobalAdministrator' is valid, but without MDI being provisioned, the table is empty.

Exam trap

The trap here is that candidates often assume a query returning no results must have a syntax error or a misspelled value, when in fact the underlying data source (Defender for Identity) may not be provisioned, causing the table to be empty.

How to eliminate wrong answers

Option A is wrong because the query filters on the `AccountUpn` field, not on administrative roles; even if the user lacks the Global Administrator role, the query would still return logon events for that user if MDI were enabled. Option B is wrong because the KQL syntax is valid: it correctly uses the `where` operator with a string comparison and a logical `and` to filter on `ActionType`. Option C is wrong because 'GlobalAdministrator' is the correct role name as stored in the `AccountSid` or related fields in Defender for Identity; a misspelling would cause a syntax error or no match, but the query returns no results for a valid user, indicating the data source itself is missing.

854
MCQhard

A user with an E5 license is unable to use Azure Information Protection (AIP). The admin confirms the license is assigned. What is the most likely cause?

A.AIP requires an additional subscription
B.AIP client is not installed
C.AIP service plan is disabled in the license
D.User account is blocked
AnswerC

Service plans can be toggled per user.

Why this answer

Even with an E5 license assigned, the Azure Information Protection (AIP) service plan must be explicitly enabled for the user. By default, some service plans within an E5 license may be disabled, and the AIP service plan (commonly labeled as 'Azure Information Protection' or 'Information Protection for Office 365') must be toggled on in the user's license settings in the Microsoft 365 admin center. Without this, the user cannot activate AIP features regardless of license assignment.

Exam trap

The trap here is that candidates assume an E5 license automatically grants full access to all included features, but Microsoft requires each service plan to be individually enabled, and the exam tests this granular licensing behavior.

How to eliminate wrong answers

Option A is wrong because E5 already includes AIP; no additional subscription is needed. Option B is wrong because the AIP client is only required for on-premises labeling or unified labeling client scenarios, but the core AIP service (e.g., protection, labeling in Office apps) works via the cloud service plan. Option D is wrong because a blocked user account would prevent all access, not just AIP, and the question states the user is unable to use AIP specifically, not that they are blocked from all services.

855
MCQhard

You are the identity architect for Contoso, a multinational company with 50,000 employees. Contoso uses Microsoft Entra ID with hybrid identity (PHS) and Microsoft Entra ID Protection. The company is deploying Microsoft Copilot for Microsoft 365 and wants to ensure that access to Copilot is controlled based on user risk, device compliance, and location. Additionally, the security team requires that all Copilot interactions are logged and auditable. You need to design a solution that meets these requirements with minimal administrative overhead.

Current environment:
- All users are synced from on-premises AD using Microsoft Entra Connect.
- Devices are either Microsoft Entra hybrid joined or Microsoft Entra registered.
- Microsoft Entra ID Protection is enabled with user risk and sign-in risk policies.
- Microsoft Intune is used for device compliance policies.
- All users have Microsoft 365 E5 licenses.

Requirements:
- Access to Copilot must be blocked for users with high user risk.
- Access from untrusted locations must require MFA.
- Only compliant devices can access Copilot.
- All Copilot interactions must be captured in Microsoft Purview Audit (Standard).

What should you do?

A.Use Microsoft Defender for Cloud Apps to create session policies for Copilot, and integrate with Entra ID Protection.
B.Create a Conditional Access policy targeting 'Microsoft Copilot' app. Configure conditions: user risk High to block, locations (untrusted) to require MFA, and device compliance to require compliant device. Ensure Purview Audit is enabled for Copilot.
C.Deploy Microsoft Intune app protection policies for Copilot, and use device compliance policies to block non-compliant devices.
D.Use Microsoft Entra ID Protection to block high-risk users, and configure Intune compliance policies to require MFA from untrusted locations.
AnswerB

Conditional Access provides unified access control for all requirements; Copilot interactions are audited by default in Purview.

Why this answer

Option B is correct because a Conditional Access policy can enforce user risk, location, and device compliance conditions for Copilot as a cloud app, and Copilot interactions are automatically audited in Purview Audit. Option D is wrong because Entra ID Protection does not control device compliance. Option C is wrong because Intune policies do not enforce risk-based access. Option A is wrong because Defender for Cloud Apps session policies would add administrative overhead and do not directly address all of the requirements.

856
MCQeasy

Refer to the exhibit. You deploy this configuration profile to Windows devices. What is the most likely outcome?

A.Automated investigation will be triggered for alerts with severity Medium and above, and email notifications will be sent to admin@contoso.com.
B.Automated investigation will be triggered only for alerts with severity High, and email notifications will be sent to all admins.
C.Automated investigation will be disabled, and email notifications will be sent to admin@contoso.com.
D.Automated investigation will be triggered for all alerts regardless of severity, and no email notifications will be sent.
AnswerA

The configuration enables automated investigation for Medium severity and above, and enables email notifications.

Why this answer

Option A is correct because the configuration enables automated investigation and sets the minimum alert severity to Medium, meaning automated investigation will trigger for alerts of severity Medium or higher, and email notifications are enabled. Option B is wrong because it limits automated investigation to High severity only. Option C is wrong because the configuration enables automated investigation, not disables it. Option D is wrong because it says automated investigation runs for all alerts regardless of severity and that no email notifications are sent, neither of which matches the configuration.

857
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud Apps. You want to control the use of personal cloud storage apps. Which TWO actions should you take?

Select 2 answers
A.Create a DLP policy to prevent sharing of sensitive data to personal cloud storage apps.
B.Create a conditional access policy to require managed apps for cloud storage.
C.Block all personal cloud storage apps using Defender for Cloud Apps.
D.Create a session policy to monitor and control downloads to personal cloud storage apps.
E.Use app governance to monitor and control app permissions.
AnswersD, E

Session policies can monitor and restrict activities within cloud apps in real time.

Why this answer

Options D and E are correct because you can use session policies to monitor and control downloads to personal cloud storage apps, and app governance to monitor and control app permissions. Option C is wrong because blocking all personal storage apps might be too restrictive and not granular. Option A is wrong because DLP policies do not control app usage. Option B is wrong because a conditional access policy can require app protection but does not directly control cloud app usage.

858
Multi-Selecthard

Your organization uses Microsoft Entra ID and has strict security requirements. You need to implement a Zero Trust security model. Which THREE of the following are foundational principles of Zero Trust that should be implemented?

Select 3 answers
A.Assume trust based on location
B.Segment access
C.Use least privilege access
D.Assume breach
E.Verify explicitly
AnswersC, D, E

Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA).

Why this answer

Option C is correct because least privilege access is a foundational principle of Zero Trust, ensuring users and devices are granted only the minimum permissions necessary to perform their tasks. In Microsoft Entra ID, this is implemented through features like Privileged Identity Management (PIM) and conditional access policies that restrict access based on role and context, reducing the attack surface.

Exam trap

Microsoft often tests the distinction between security best practices (like segmentation) and the specific foundational principles of Zero Trust, causing candidates to select 'Segment access' because it sounds correct, but it is not one of the three core pillars defined by Microsoft.

859
MCQmedium

A security administrator needs to implement a just-in-time (JIT) privileged access solution for the Global Administrator role. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should be configured?

A.Conditional Access
B.Privileged Identity Management (PIM)
C.Azure AD Roles (default role settings)
D.Identity Protection
AnswerB

PIM enables time-bound role activation with approval, justification, and automatic deactivation.

Why this answer

Privileged Identity Management (PIM) is the Microsoft Entra feature specifically designed for just-in-time (JIT) privileged access. It allows you to configure role activation with approval workflows, require a business justification, set a maximum activation duration (e.g., 4 hours), and designate specific approvers. This directly matches all requirements in the question.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps) with PIM (which controls privileged role activation), or they assume default role settings can enforce JIT activation without realizing that PIM is the only feature that provides time-bound, approval-based role elevation.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like user location or device state, but it does not provide JIT role activation, approval workflows, or time-bound role elevation. Option C is wrong because Azure AD Roles (default role settings) only define static role assignments and permissions; they lack the ability to require activation requests, business justification, or approval from a separate group. Option D is wrong because Identity Protection focuses on detecting and remediating identity risks (e.g., leaked credentials, anomalous sign-ins) and does not manage privileged role activation or approval processes.

860
MCQmedium

A Global Administrator signs in to the Microsoft 365 admin center but is not prompted for MFA. The policy in the exhibit is the only Conditional Access policy. What is the most likely reason?

A.The Microsoft 365 admin center is not included in the policy.
B.The administrator is connecting from a trusted IP address that is excluded from MFA.
C.The policy does not include the Global Administrator role.
D.The policy is in 'report-only' mode.
AnswerB

If the admin is on a trusted network, MFA might be bypassed if the policy has location exclusions.

Why this answer

The policy targets 'All' cloud apps, so sign-ins to the Microsoft 365 admin center (a browser app) are covered. However, if the administrator has configured trusted IPs or a location-based exclusion, MFA is skipped for sign-ins from those locations. Option B is the most likely reason.

Option A is incorrect because the admin center is included via 'All' applications. Option C is incorrect because the policy includes Global Administrator. Option D is incorrect because the policy is enabled, not in report-only mode.

861
MCQmedium

A compliance officer wants to automatically apply a 'Confidential' sensitivity label to documents in SharePoint Online that contain credit card numbers. The label should be applied when the documents are created or modified. Which Microsoft Purview feature should be configured?

A.Create an auto-labeling policy for sensitivity labels
B.Create a retention label policy
C.Create a Data Loss Prevention (DLP) policy
D.Configure a default sensitivity label
AnswerA

Auto-labeling policies scan content for sensitive data and automatically apply sensitivity labels, meeting the requirement.

Why this answer

Auto-labeling policies for sensitivity labels in Microsoft Purview can automatically apply a sensitivity label to documents in SharePoint Online based on sensitive information types, such as credit card numbers. This policy scans documents when they are created or modified and applies the label without user intervention, meeting the compliance officer's requirement.

Exam trap

The trap here is that candidates often confuse a DLP policy's ability to detect sensitive data with the ability to automatically apply a sensitivity label, but DLP policies only trigger alerts or block actions, not label documents.

How to eliminate wrong answers

Option B is wrong because retention label policies are designed to manage data retention and deletion, not to apply sensitivity labels for classification or protection. Option C is wrong because a Data Loss Prevention (DLP) policy can detect and block sharing of sensitive data but cannot automatically apply a sensitivity label to documents. Option D is wrong because configuring a default sensitivity label applies the label to new documents automatically but does not scan for specific content like credit card numbers, nor does it trigger on modification.

862
MCQmedium

A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?

A.Azure AD Connect
B.Exchange Hybrid Configuration Wizard
C.Microsoft 365 Admin Center
D.Exchange Admin Center
AnswerB

This wizard guides through the steps to establish a hybrid relationship between on-premises Exchange and Exchange Online, including mail flow and free/busy sharing.

Why this answer

The Exchange Hybrid Configuration Wizard (HCW) is the correct tool because it automates the configuration of coexistence features between on-premises Exchange and Exchange Online, including mail flow routing, free/busy sharing, and OAuth authentication. It generates the necessary connectors and settings to support a hybrid deployment, ensuring seamless mail flow during migration.

Exam trap

The trap here is that candidates often confuse Azure AD Connect's directory synchronization role with hybrid mail flow configuration, assuming it handles all hybrid setup, when in fact it only syncs objects and does not configure Exchange-specific routing or coexistence.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect synchronizes directory objects (users, groups) but does not configure mail flow or hybrid coexistence settings between Exchange environments. Option C is wrong because the Microsoft 365 Admin Center provides high-level tenant management and licensing but lacks the granular Exchange-specific hybrid configuration capabilities. Option D is wrong because the Exchange Admin Center (EAC) in Exchange Online or on-premises can manage individual connectors and settings but does not provide the guided, automated workflow of the HCW for establishing a full hybrid deployment.

863
MCQhard

Your organization uses Microsoft Purview Data Lifecycle Management and has a retention policy that retains all SharePoint documents for three years. However, for a specific research project, you need to retain documents for five years after the project ends. Some documents are already marked with a different retention label. What should you do?

A.Modify the existing retention policy to exclude the research project site.
B.Apply a retention label with a five-year retention period to the research documents.
C.Remove the existing retention labels from the research documents and rely on the policy.
D.Create a new retention policy that applies to the research project site and set the retention period to five years.
AnswerB

Item-level retention labels override policy-level retention.

Why this answer

Option B is correct because a retention label applied at the item level takes precedence over a broader retention policy. Option D is incorrect because a new policy would not override an existing label unless the label is removed. Option A is incorrect because you cannot exclude specific documents from a policy; you must use labels. Option C is incorrect because labels have precedence over policies, so removing them and relying on the three-year policy would not achieve the five-year retention.

864
MCQeasy

A new administrator needs to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The Sales department is identified by the 'department' attribute in Azure AD. Which licensing method should the administrator use to minimize manual effort?

A.Manual license assignment per user
B.Group-based licensing using a dynamic group
C.PowerShell script to assign licenses
D.Bulk license assignment via CSV file
AnswerB

Dynamic groups automatically update membership based on attributes, and group-based licensing assigns licenses to all members.

Why this answer

Group-based licensing using a dynamic group is the correct method because it automatically assigns Microsoft 365 E5 licenses to all users in the Sales department based on the 'department' attribute in Azure AD. Dynamic groups evaluate membership rules in real time, so when a user's department attribute is set to 'Sales', the license is assigned without manual intervention. This minimizes administrative effort by eliminating the need for per-user or batch operations.

Exam trap

The trap here is that candidates often choose PowerShell scripting (Option C) thinking it is the most automated method, but they overlook that group-based licensing provides true zero-touch, attribute-driven automation without requiring custom code or scheduled tasks.

How to eliminate wrong answers

Option A is wrong because manual license assignment per user requires an administrator to individually assign licenses to each Sales department user, which is labor-intensive and does not scale. Option C is wrong because a PowerShell script, while automatable, still requires manual execution or scheduling and does not provide real-time, attribute-based automatic assignment like group-based licensing does. Option D is wrong because bulk license assignment via CSV file is a one-time operation that does not automatically handle new users or attribute changes, requiring repeated manual exports and imports.

865
MCQeasy

You need to configure Microsoft Defender for Cloud Apps to detect anomalous user behavior such as impossible travel. Which type of policy should you create?

A.Access policy
B.Session policy
C.Anomaly detection policy
D.File policy
AnswerC

Anomaly detection policies use machine learning to detect unusual behavior like impossible travel.

Why this answer

Option C is correct because an anomaly detection policy detects impossible travel, unusual activity, and similar behaviors. Option D is wrong because file policies handle data protection. Option B is wrong because session policies control real-time access. Option A is wrong because access policies control access conditions.

866
MCQeasy

A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

A.Microsoft 365 Defender portal
B.Microsoft Sentinel
C.Microsoft Defender for Cloud
D.Microsoft 365 compliance center
AnswerA

This portal provides a unified incident management view across Microsoft Defender XDR products, correlating alerts from multiple domains.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) is the correct choice because it provides a unified incident management console that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. This allows the security administrator to investigate and respond to a complex incident spanning endpoints, email, and identities from a single pane of glass, leveraging automated investigation and response (AIR) capabilities.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the Microsoft 365 Defender portal (an XDR console), assuming that any security investigation must go through a SIEM, but the question specifically asks for the single console that natively correlates alerts from endpoints, email, and identities without additional data ingestion setup.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs from multiple sources, but it is not the single console designed for native XDR incident correlation across Microsoft 365 Defender workloads; it requires additional configuration and data connectors to unify alerts from endpoints, email, and identities. Option C is wrong because Microsoft Defender for Cloud is focused on securing cloud workloads (IaaS, PaaS, and data services) and does not natively integrate email and identity alerts from Microsoft 365 Defender. Option D is wrong because the Microsoft 365 compliance center is designed for data governance, eDiscovery, and compliance management, not for real-time security incident investigation and response.

867
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their Google Workspace credentials without creating external identities. What should you configure?

A.Enable Microsoft Entra Verified ID for Google Workspace users
B.Configure Google as a social identity provider in Microsoft Entra External ID
C.Configure Microsoft Entra B2B collaboration with Google Workspace
D.Configure SAML/WS-Fed identity provider federation with Google Workspace
AnswerD

Microsoft Entra ID supports direct federation with Google Workspace as a SAML/WS-Fed identity provider.

Why this answer

Option D is correct because configuring SAML/WS-Fed identity provider federation with Google Workspace allows users to sign in using their Google Workspace credentials directly, without creating external identities. This federation establishes a trust relationship between Microsoft Entra ID and Google Workspace as an identity provider, enabling seamless authentication for users who already have Google accounts.

Exam trap

The trap here is that candidates often confuse social identity provider configuration (Option B) with enterprise federation, but social IdPs are designed for consumer scenarios and create external identities, whereas SAML/WS-Fed federation preserves the user's existing identity without creating new objects in the directory.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Verified ID is a decentralized identity solution using verifiable credentials, not designed for federating with Google Workspace for sign-in. Option B is wrong because configuring Google as a social identity provider in Microsoft Entra External ID is intended for consumer-facing applications and creates external identities, not for enterprise users with existing Google Workspace accounts. Option C is wrong because Microsoft Entra B2B collaboration creates external guest user objects in the directory, which contradicts the requirement to avoid creating external identities.

868
MCQeasy

A compliance officer wants to prevent users from sending emails that contain personally identifiable information (PII), such as social security numbers, to external recipients. If a user attempts to send such an email from Outlook, the email should be blocked and a policy tip explaining the block should be displayed. Which Microsoft Purview solution should the officer configure?

A.Microsoft Purview Data Loss Prevention (DLP) policy
B.Microsoft Purview Information Protection sensitivity label
C.Microsoft Purview Records Management retention label
D.Microsoft Purview eDiscovery case
AnswerA

DLP policies can identify sensitive info types (e.g., SSN) in email, block the message, and display a policy tip in Outlook. This matches the requirement perfectly.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies are specifically designed to detect and block sensitive information, such as PII (e.g., social security numbers), in transit. When a DLP rule matches, it can block the email and display a policy tip in Outlook, informing the user why the message was blocked. This meets the compliance officer's requirement to prevent external sending of PII with real-time user notification.

Exam trap

The trap here is that candidates confuse sensitivity labels (which apply protection at rest) with DLP policies (which enforce actions on data in motion), leading them to choose Option B because they associate labels with 'protecting' PII, but labels do not block outbound email or trigger policy tips.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data at rest (e.g., encryption, visual markings) but do not natively block outbound email based on content inspection or display policy tips in Outlook. Option C is wrong because retention labels manage data lifecycle (retention and deletion) and are not designed to inspect or block email content in transit. Option D is wrong because eDiscovery cases are used for legal hold, search, and export of content, not for real-time prevention of email sending or policy tip enforcement.

869
MCQhard

You are a Microsoft 365 administrator. Users report that they cannot create Microsoft Teams meetings using the Teams desktop client. They receive an error: 'Meeting creation is disabled by your IT administrator.' You need to enable meeting creation. You check the Teams admin center and find that meeting policies are set to 'Off' for 'Allow private meeting scheduling'. However, after changing it to 'On', users still get the error. What is the most likely cause?

A.The user does not have an OAuth 2.0 token.
B.The global meeting policy is overriding the user-level policy.
C.The user's mailbox is still on-premises and not migrated to Exchange Online.
D.The user does not have a Microsoft Teams license assigned.
AnswerC

Teams meeting scheduling relies on an Exchange Online mailbox; if the mailbox is still on-premises, the Teams meeting policy cannot be enforced.

Why this answer

The error persists because the user's mailbox is still on-premises and not migrated to Exchange Online. Microsoft Teams relies on Exchange Online for scheduling features, including private meeting creation. Even with the meeting policy set to 'On', if the mailbox is on-premises, the Teams client cannot communicate with Exchange Online to create the meeting, resulting in the error.

Exam trap

The trap here is that candidates often assume changing the meeting policy in the Teams admin center is sufficient, overlooking the critical dependency on Exchange Online for Teams calendar features, which is a common misconfiguration in hybrid environments.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 tokens are used for authentication and authorization, not for enabling or disabling meeting creation; the error is policy-related, not token-related. Option B is wrong because the global meeting policy only applies if no user-level policy is assigned; if a user-level policy is explicitly set to 'On', it should override the global policy, so this would not cause the error. Option D is wrong because if the user lacked a Teams license, they would not be able to access the Teams desktop client at all, or would see a different error about licensing, not a specific meeting creation disabled error.

870
MCQeasy

Your company is deploying Microsoft 365 for a new subsidiary with 500 users. You need to configure the initial tenant with a custom domain (contoso.com) and verify ownership. What is the first step you must perform?

A.Delegate the contoso.com zone to Microsoft 365 DNS servers.
B.Create user accounts with the custom domain before verification.
C.Add a TXT record provided by Microsoft 365 to the contoso.com DNS zone.
D.Set contoso.com as the default domain in the Microsoft 365 admin center.
AnswerC

Verification requires adding a DNS record provided by the domain setup wizard.

Why this answer

To verify ownership of a custom domain in Microsoft 365, you must prove you control the domain's DNS zone. Microsoft provides a unique TXT record value that you add to the public DNS zone of contoso.com. Once the TXT record propagates, Microsoft queries it and confirms ownership, allowing you to proceed with domain configuration.

Exam trap

The trap here is that candidates may confuse the order of operations, thinking they can set the domain as default or create users first, but Microsoft 365 strictly requires domain ownership verification before any domain-based configuration can proceed.

How to eliminate wrong answers

Option A is wrong because delegating the entire contoso.com zone to Microsoft 365 DNS servers is not the first step; delegation is optional and only performed after domain verification if you want Microsoft to manage your DNS records. Option B is wrong because you cannot create user accounts with a custom domain before the domain is verified; Microsoft 365 will reject the domain until ownership is proven. Option D is wrong because setting contoso.com as the default domain requires the domain to already be verified; attempting to set it before verification will fail.

871
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint Online within 10 minutes. This activity should be considered anomalous. Which type of policy should you create?

A.Cloud Discovery policy
B.Activity policy
C.Session policy
D.App discovery policy
AnswerB

Activity policies can detect anomalous activities like multiple file downloads.

Why this answer

Option B is correct because Activity policies in Defender for Cloud Apps can detect anomalous activities based on thresholds, such as multiple file downloads within a short time window. Option A is wrong because Cloud Discovery policies are for discovering cloud app usage. Option C is wrong because Session policies control sessions in real time rather than alerting on activity that has already occurred. Option D is wrong because App discovery policies are used to discover shadow IT.

872
MCQmedium

An administrator runs the Azure CLI command shown in the exhibit. What is the result of this command?

A.A new application registration is created with requested permissions to Graph
B.An existing application registration is updated
C.The application is configured with single-tenant sign-in audience
D.An admin consent is granted for the Microsoft Graph permissions
AnswerA

The command creates a new app with required resource accesses to Graph.

Why this answer

The Azure CLI command `az ad app create --display-name 'MyApp' --required-resource-accesses '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4923c","type":"Scope"}]}]'` creates a new application registration in Microsoft Entra ID. The `--required-resource-accesses` parameter specifies the Microsoft Graph (resourceAppId `00000003-0000-0000-c000-000000000000`) and the permission with ID `e1fe6dd8-ba31-4d61-89e7-88639da4923c` (which corresponds to the `User.Read` delegated permission). This registers the app with requested permissions to Microsoft Graph, but does not grant admin consent or configure sign-in audience.

Exam trap

The trap here is that candidates confuse requesting permissions (which happens during app registration) with granting admin consent (a separate administrative action), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because the `az ad app create` command always creates a new application registration; it does not update an existing one (use `az ad app update` for updates). Option C is wrong because the command does not include any parameter to set the sign-in audience (e.g., `--sign-in-audience`); by default, the audience is set to `AzureADMyOrg` (single-tenant), but the command itself does not configure it—the default applies. Option D is wrong because the command only requests permissions; admin consent requires a separate step, such as using `az ad app permission admin-consent` or the Microsoft Entra admin center.

873
MCQeasy

A company wants to prevent their Microsoft 365 tenant from allowing external users to be invited by default. Only specific administrators should be able to invite guests. Which setting should be changed?

A.External Identities – External collaboration settings
B.Conditional Access policy to block external users
C.Tenant restrictions
D.B2B direct connect
AnswerA

This setting controls who can invite guest users; it can be changed to restrict invitations to administrators.

Why this answer

The correct setting is under External Identities – External collaboration settings, specifically the 'Guest invite settings' option. By default, this is set to 'Anyone in the organization can invite guest users including guests and non-admins'. Changing it to 'Only users assigned to specific admin roles can invite guest users' restricts guest invitations to designated administrators, meeting the requirement to prevent default external user invitations.

Exam trap

The trap here is that candidates often confuse 'blocking external users' via Conditional Access (Option B) with controlling the invitation process, but Conditional Access only applies after the user is already in the directory, not to the invitation permission itself.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access conditions (like location or device compliance) after a user is already in the tenant, not the ability to invite external users. Option C is wrong because Tenant restrictions control inbound/outbound access to external tenants via HTTP headers, not the invitation process within the same tenant. Option D is wrong because B2B direct connect is a feature for Teams Connect shared channels that allows external users to access resources without being invited as guests; it does not control guest invitation settings.

874
MCQmedium

Your organization has a Microsoft 365 tenant with 5,000 users. You need to plan for tenant migration from an on-premises Exchange environment. You have a limited maintenance window and want to minimize user impact. Which approach should you recommend?

A.Perform a staged migration.
B.Perform an IMAP migration.
C.Perform a cutover migration.
D.Use a hybrid configuration.
AnswerA

Staged migration allows batch migration with minimal user impact and is suitable for organizations with up to 5,000 users.

Why this answer

A staged migration is the best choice because it allows you to move mailboxes in batches over a limited maintenance window, minimizing user impact by keeping the majority of users on-premises until their specific batch is migrated. This approach supports up to 2,000 mailboxes per batch and requires a cutover period of only a few hours per batch, making it ideal for an organization with 5,000 users where a single cutover window is not feasible.

Exam trap

The trap here is that candidates often confuse 'cutover migration' with 'staged migration' because both involve a final cutover step, but cutover requires all mailboxes to be migrated at once, while staged allows batching to fit a limited maintenance window.

How to eliminate wrong answers

Option B is wrong because an IMAP migration only migrates email data (not calendar, contacts, or tasks) and requires users to reconfigure their Outlook profiles, causing significant user impact and no support for a limited maintenance window. Option C is wrong because a cutover migration requires migrating all 5,000 mailboxes in a single synchronization window (typically up to 72 hours) and a final cutover period, which exceeds a limited maintenance window and causes downtime for all users simultaneously. Option D is wrong because a hybrid configuration is not a migration method but a long-term coexistence architecture that requires ongoing directory synchronization and Exchange Hybrid Server setup, which is overkill for a simple migration and does not directly address the limited maintenance window requirement.

875
Drag & Dropmedium

Drag and drop the steps to configure Data Loss Prevention (DLP) policies in Microsoft Purview in the correct order.

Why this order

DLP policies are created in Purview, conditions and actions defined, and then deployed after testing.

876
MCQhard

Your company, Alpine Ski House, uses Microsoft Entra ID P2. You have the following requirements: 1) Users in the Finance department must be required to use MFA when accessing the financial application, but only if they are not on the corporate network. 2) All users must be automatically blocked if Identity Protection detects their account as compromised (high user risk). 3) You need to ensure that the password change process after a high-risk detection does not allow users to reuse the last 5 passwords. 4) The solution must minimize false positives and allow users to self-remediate if they believe a risk detection is incorrect. Which configuration should you implement?

A.Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a sign-in risk policy to block high-risk users, and configure password protection to enforce password history
B.Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to block high-risk users with user feedback enabled, and configure password protection to enforce the last 5 password history
C.Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to block high-risk users, and enable user feedback for risk detections
D.Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to require password change, and configure password protection to enforce password history
AnswerB

All requirements are met: MFA for Finance, block high-risk, user feedback, password history.

Why this answer

Option B is correct because it combines a conditional access policy for Finance MFA, a user risk policy with block and user feedback, and custom password protection to enforce the last 5 password history. Option A is wrong because a sign-in risk policy evaluates sign-in risk, not user risk. Option C is wrong because it lacks password history enforcement. Option D is wrong because it does not include user feedback for false positives.

877
MCQmedium

A compliance officer needs to prevent users from sending emails that contain sensitive information, such as social security numbers, to external recipients. If a user attempts to send such an email, the action should be blocked and a policy tip should be displayed to the user. Which Microsoft Purview solution should the officer configure?

A.Data Loss Prevention (DLP) policy
B.sensitivity label with encryption
C.Information Rights Management (IRM)
D.retention label with deletion
AnswerA

DLP policies can be configured to identify sensitive data (e.g., social security numbers) in Exchange Online email, block the message, and display a policy tip to the sender, educating them about the policy.

Why this answer

A Data Loss Prevention (DLP) policy in Microsoft Purview is designed to inspect email content for sensitive information (e.g., social security numbers) and can block the message while displaying a policy tip to the user. This matches the requirement exactly, as DLP policies enforce actions on data in transit (email) with user notifications.

Exam trap

The trap here is that candidates confuse sensitivity labels (which protect data at rest) with DLP (which protects data in motion), leading them to choose Option B because they think encryption prevents sending, but encryption does not block the email or show a policy tip at the point of sending.

How to eliminate wrong answers

Option B (sensitivity label with encryption) is wrong because sensitivity labels primarily classify and protect data at rest (e.g., files in SharePoint) and can apply encryption, but they do not natively block outbound email in real-time or display policy tips during send. Option C (Information Rights Management) is wrong because IRM protects content after delivery by restricting actions like forwarding or printing, but it does not inspect or block emails before they are sent based on sensitive data patterns. Option D (retention label with deletion) is wrong because retention labels manage data lifecycle (e.g., how long to keep or when to delete) and have no capability to scan outbound email content or block transmission.

878
Multi-Selecthard

A Microsoft Purview auto-labeling policy for sensitivity labels is matching too many SharePoint documents after simulation. Which two changes would most directly reduce false positives before enabling automatic labeling? (Choose two.)

Select 2 answers
A.Increase the confidence level or instance-count requirement for the sensitive information type
B.Add supporting keyword or contextual conditions to the auto-labeling rule
C.Turn on automatic labeling immediately and wait for users to report problems
D.Replace the sensitivity label with a retention label
AnswersA, B

Higher confidence or occurrence thresholds reduce accidental matches from isolated or ambiguous patterns.

Why this answer

Increasing the confidence level or instance-count requirement for the sensitive information type (SIT) directly reduces false positives by raising the threshold for what qualifies as a match. A higher confidence level means the classification engine requires stronger evidence (e.g., more keywords or a closer proximity to a pattern), while a higher instance count requires the sensitive data to appear multiple times in the document. Both adjustments make the auto-labeling rule more selective, ensuring only documents with a high likelihood of containing the specified sensitive content are labeled.

Exam trap

The trap here is that candidates may think immediate enforcement (Option C) is the fastest way to fix false positives, but Microsoft explicitly recommends using simulation mode to tune rules before enabling automatic labeling, and waiting for user reports is not a valid tuning strategy.

879
MCQhard

Contoso is a multinational company with 50,000 users. They have a Microsoft 365 E5 subscription and use Microsoft Entra ID for identity. They recently deployed Microsoft Copilot for Microsoft 365 to 10,000 users. The security team wants to ensure that Copilot responses do not expose sensitive information. They also need to monitor Copilot usage for unusual activity. The company uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to configure the environment to meet these requirements. Which action should you take?

A.Create a Microsoft Purview DLP policy that includes Copilot as a location.
B.Configure a Conditional Access policy to restrict Copilot to managed devices.
C.Enable session monitoring in Microsoft Defender for Cloud Apps for Copilot.
D.Create sensitivity labels and auto-labeling policies for Copilot.
AnswerA

Correct: DLP policies can monitor and block sensitive data in Copilot interactions.

Why this answer

Option A is correct because Microsoft Purview Data Loss Prevention (DLP) policies can include Microsoft Copilot for Microsoft 365 as a location, allowing the security team to detect and prevent sensitive information from being exposed in Copilot responses. This directly addresses the requirement to ensure Copilot responses do not expose sensitive data by scanning and blocking content based on sensitivity labels or sensitive info types.

Exam trap

The trap here is that candidates often confuse monitoring (Defender for Cloud Apps session monitoring) with prevention (DLP), or assume that sensitivity labels alone can block sensitive data in Copilot responses without a DLP policy explicitly targeting Copilot as a location.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies restrict access based on device compliance or location, but they do not prevent sensitive information from appearing in Copilot responses; they only control who can access Copilot, not what data is exposed. Option C is wrong because session monitoring in Microsoft Defender for Cloud Apps provides visibility into user sessions and can detect anomalous behavior, but it does not proactively block sensitive data in Copilot responses; it is more about monitoring usage for unusual activity, which is a separate requirement. Option D is wrong because creating sensitivity labels and auto-labeling policies for Copilot helps classify and protect data, but without a DLP policy that includes Copilot as a location, the labels alone do not enforce blocking or warning actions when sensitive data is shared via Copilot responses.

880
MCQeasy

You need to configure self-service password reset (SSPR) for users in Microsoft Entra ID. Which license is required?

A.Microsoft 365 F3
B.Microsoft 365 E3
C.Microsoft Entra ID P1
D.Microsoft Entra ID Free
AnswerC

P1 includes SSPR.

Why this answer

Option C is correct because SSPR for cloud users requires Microsoft Entra ID P1 or P2. Option D is wrong because Microsoft Entra ID Free does not include SSPR. Option B is wrong because E3 includes P1. Option A is wrong because F3 includes P1.

881
MCQmedium

A company adds and verifies the custom domain 'contoso.com' in their Microsoft 365 tenant. However, emails sent to new users at user@contoso.com bounce back. The existing MX record for contoso.com points to the on-premises mail server. What is the most likely cause of the bounce?

A.The domain verification failed and needs to be repeated
B.The MX record must be updated to point to Exchange Online
C.Users must be added to the domain in the admin center
D.The SPF record is missing or misconfigured
AnswerB

The MX record determines where incoming emails are sent. It must point to Exchange Online for delivery to Microsoft 365 mailboxes.

Why this answer

B is correct because the MX record for contoso.com still points to the on-premises mail server. When a user is created in Exchange Online with the domain contoso.com, inbound email is routed according to the MX record. Since the MX record directs mail to the on-premises server, which does not have a mailbox for the new user, the message bounces.

To deliver mail to Exchange Online, the MX record must be updated to point to Exchange Online (e.g., contoso-com.mail.protection.outlook.com).

Exam trap

The trap here is that candidates often confuse domain verification (a one-time DNS check) with ongoing mail routing (MX record), leading them to think verification failure is the cause, when in fact the MX record is the direct culprit.

How to eliminate wrong answers

Option A is wrong because domain verification is a one-time DNS TXT record check; once verified, it remains valid and does not cause email bounces for new users. Option C is wrong because users are already added to the domain in the admin center (the question states 'adds and verifies the custom domain'), and adding users does not affect mail routing. Option D is wrong because a missing or misconfigured SPF record can cause email to be rejected or marked as spam, but it does not cause a bounce due to the MX record pointing to the wrong server; the immediate cause is the MX record destination.

882
MCQhard

You are a security administrator for a large enterprise with 10,000 users. The company uses Microsoft 365 E5 licenses, which include Microsoft Defender XDR. The company has recently experienced a series of ransomware attacks where attackers gained initial access through phishing emails, then moved laterally using compromised credentials, and finally deployed ransomware on file servers. The CISO wants to implement a comprehensive defense strategy that reduces the attack surface and automates response. The requirements are: 1) Prevent phishing emails from reaching users, especially those targeting executives. 2) Detect and block lateral movement using compromised credentials. 3) Automatically contain compromised devices during an incident. 4) Provide a unified incident view across email, endpoints, and identities. You need to recommend a solution that meets all requirements with minimal manual effort. What should you do?

A.Configure Microsoft Defender XDR by enabling Defender for Office 365 with anti-phish and impersonation protection, Defender for Identity, and Defender for Endpoint with automated investigation and response.
B.Use Microsoft Purview to classify and protect sensitive data, and configure data loss prevention policies to block ransomware.
C.Deploy Microsoft Sentinel and create analytics rules to detect phishing, lateral movement, and ransomware. Configure automated playbooks to contain devices.
D.Upgrade to Microsoft Entra ID P2 and enable Identity Protection for risky sign-ins and user risk. Use Conditional Access to block access from compromised devices.
AnswerA

Defender XDR meets all requirements: anti-phish, lateral movement detection, automatic containment, unified incident view.

Why this answer

Option A is correct because Microsoft Defender XDR integrates Defender for Office 365 (for anti-phish with impersonation protection), Defender for Identity (for detecting lateral movement), Defender for Endpoint (for automatic containment), and provides a unified incident view. Option B is wrong because Microsoft Purview is for compliance, not security. Option C is wrong because Microsoft Sentinel alone does not include all the required protections. Option D is wrong because Microsoft Entra ID P2 lacks endpoint and email protection.

883
MCQmedium

Refer to the exhibit. You manage an application registration in Microsoft Entra ID. The JSON shows the current state of the app's password credentials. The application is used by a daemon to acquire tokens. The certificate used for authentication expires on 2025-12-31. The application is currently using a client secret. The security policy requires rotating secrets every 6 months. What is the best course of action?

A.Switch the daemon to use certificate-based authentication and remove the secret
B.Do nothing; the secret does not expire until 2025-12-31
C.Create a new client secret, update the daemon to use the new secret, then delete the old secret
D.Extend the endDateTime of the existing secret to 2026-12-31
AnswerC

This rotates the secret properly.

Why this answer

Option C is correct because the security policy requires rotating secrets every 6 months, and the current secret's endDateTime is set to 2025-12-31, which exceeds that interval. Creating a new client secret, updating the daemon to use it, and then deleting the old secret ensures compliance with the rotation policy while maintaining uninterrupted token acquisition. This approach follows the least-privilege and secret rotation best practices for application credentials in Microsoft Entra ID.

Exam trap

Microsoft often tests the distinction between secret expiration and rotation policy, where candidates mistakenly think that a long expiration date satisfies security requirements, but rotation policies mandate periodic replacement regardless of the original expiration date.

How to eliminate wrong answers

Option A is wrong because the daemon is currently using a client secret, and switching to certificate-based authentication is not required by the policy; the policy only mandates rotating secrets every 6 months, not changing authentication methods. Option B is wrong because doing nothing violates the security policy that requires rotating secrets every 6 months, even though the current secret does not expire until 2025-12-31. Option D is wrong because extending the endDateTime of the existing secret does not rotate it; it merely prolongs the life of the same secret, which fails to meet the rotation requirement and increases security risk.

884
MCQmedium

Refer to the exhibit. What is the effect of this session policy?

A.Allows viewing but blocks downloading files on managed devices
B.Blocks all access to SharePoint and OneDrive from unmanaged native clients only
C.Blocks upload of files to SharePoint Online and OneDrive from unmanaged devices
D.Blocks download of files from SharePoint Online and OneDrive on unmanaged devices
AnswerD

The policy blocks download actions.

Why this answer

Option D is correct because the policy blocks download actions for SharePoint Online and OneDrive for Business when accessed from browsers or native clients on unmanaged devices. Option C is wrong because the policy blocks download, not upload. Option B is wrong because the policy applies to both browsers and native clients, not native clients only. Option A is wrong because the policy blocks downloads, not viewing, and targets unmanaged rather than managed devices.

885
Multi-Selecteasy

Which TWO tools can be used to manage Microsoft 365 tenant settings and configurations?

Select 2 answers
A.Microsoft 365 admin center
B.Exchange admin center (EAC)
C.SharePoint admin center
D.Microsoft 365 PowerShell
E.Microsoft Intune admin center
AnswersA, D

The admin center manages tenant-wide settings.

Why this answer

The Microsoft 365 admin center is the primary web-based portal for managing tenant-wide settings such as user licensing, domain management, service health, and security policies. It provides a unified dashboard for configuring core tenant configurations without requiring role-specific consoles.

Exam trap

The trap here is that candidates often confuse role-specific admin centers (like EAC or SharePoint admin center) with the tenant-wide Microsoft 365 admin center, assuming any admin center can manage all tenant settings, whereas each is scoped to its own service.

886
MCQmedium

A compliance administrator needs to preserve all communications in a user's mailbox and OneDrive for an ongoing litigation. The user must continue working normally, but their data should not be altered or deleted. Which Microsoft Purview feature should be applied?

A.eDiscovery Hold
B.Litigation Hold
C.Retention policy
D.Data Loss Prevention (DLP) policy
AnswerB

Litigation Hold preserves all mailbox and OneDrive content for a user, while allowing normal operations.

Why this answer

Litigation Hold is the correct feature because it preserves all mailbox and OneDrive content in its original state, including deleted and modified items, while allowing the user to continue working normally. Unlike eDiscovery Hold, which is applied to specific search results, Litigation Hold is placed directly on the user's mailbox and OneDrive to prevent any data from being altered or deleted during ongoing litigation.

Exam trap

The trap here is that candidates often confuse Litigation Hold with eDiscovery Hold, mistakenly thinking that eDiscovery Hold is the primary tool for preserving all user data, when in fact Litigation Hold is the direct hold applied to a user's entire mailbox and OneDrive for legal preservation.

How to eliminate wrong answers

Option A is wrong because eDiscovery Hold is used to preserve content that matches a specific search query within an eDiscovery case, not to preserve all communications in a user's mailbox and OneDrive for litigation. Option C is wrong because a retention policy is designed to retain or delete content based on a schedule, but it does not prevent users from modifying or deleting data while the policy is active. Option D is wrong because a Data Loss Prevention (DLP) policy monitors and protects sensitive data from being shared or leaked, but it does not preserve or hold data for legal purposes.

887
MCQeasy

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for SaaS applications. Which Microsoft 365 security solution provides this capability?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerB

Automatic attack disruption is part of Defender for Cloud Apps.

Why this answer

Option B is correct because automatic attack disruption is a feature of Microsoft Defender for Cloud Apps that can stop attacks in SaaS applications. Option D is wrong because Microsoft Defender for Endpoint focuses on endpoints. Option C is wrong because Microsoft Defender for Office 365 focuses on email and collaboration.

Option A is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory.

888
Multi-Selecthard

You are configuring Microsoft Defender for Identity. Which THREE capabilities does it provide?

Select 3 answers
A.Scanning of email attachments for malware.
B.Detection of compromised accounts through behavioral analytics.
C.Detection of reconnaissance activities such as LDAP enumeration.
D.Creation of data loss prevention (DLP) policies.
E.Detection of lateral movement between domain-joined machines.
AnswersB, C, E

Defender for Identity uses behavioral analytics to identify compromised accounts.

Why this answer

Options B, C, and E are correct because Defender for Identity provides detection of compromised accounts, reconnaissance activities, and lateral movement. Option A is wrong because email attachment scanning is done by Defender for Office 365. Option D is wrong because DLP policies are created in Microsoft Purview.

889
Multi-Selecteasy

Which TWO features are part of Microsoft Purview Communication Compliance?

Select 2 answers
A.Restricting communication between specific groups.
B.Applying retention labels to communications.
C.Policy tips to notify users of policy violations.
D.Detection of inappropriate or offensive language in emails.
E.Automatic encryption of sensitive communications.
AnswersC, D

Policy tips can be configured in Communication Compliance.

Why this answer

Communication Compliance includes detection of inappropriate language and policy tips for violations. Option D is correct because it can detect offensive language. Option C is correct because it can provide policy tips.

Option E is wrong because encryption is not a Communication Compliance feature. Option B is wrong because retention labels are a separate feature. Option A is wrong because restricting communication between groups is handled by information barriers, a separate feature.

890
Multi-Selectmedium

Which TWO of the following are required to configure Microsoft Entra ID self-service password reset (SSPR) for cloud-only users? (Choose two.)

Select 2 answers
A.Microsoft Entra ID P1 or P2 license.
B.Azure AD Connect synchronization.
C.Users must be assigned a license.
D.A paid Microsoft 365 license.
E.Users must register for MFA.
AnswersC, D

Users need a license to use SSPR.

Why this answer

Option C is correct because each user must be assigned a Microsoft Entra ID license (such as P1 or P2) to be eligible for SSPR. Without a license assignment, the user cannot use the SSPR feature, even if the tenant has the required licenses available. Option D is correct because a paid Microsoft 365 license (e.g., Microsoft 365 Business Premium, E3, or E5) includes the necessary Microsoft Entra ID P1 or P2 functionality, which is required for SSPR.

Cloud-only users do not require Azure AD Connect or MFA registration for basic SSPR, though MFA is recommended for stronger security.

Exam trap

The trap here is that candidates often confuse 'having a license in the tenant' (Option A) with 'assigning the license to each user' (Option C), and they may incorrectly think MFA registration (Option E) is mandatory for SSPR, when it is only required if the administrator enforces it via policy.

891
Multi-Selecteasy

Your company uses Microsoft Entra ID for identity management. You are planning to implement Conditional Access policies. Which TWO components are required to create a Conditional Access policy?

Select 2 answers
A.MFA registration status
B.Identity Protection risk policies
C.Azure AD roles
D.Assignments (users, groups, cloud apps, conditions)
E.Access controls (grant or block, session controls)
AnswersD, E

Defines who and what the policy applies to.

Why this answer

A Conditional Access policy requires assignments (users/groups, cloud apps, conditions) and access controls (grant or block, session controls). Option D (assignments) and Option E (access controls) are the two main components. Option B (Identity Protection risk policies) is a separate service, not a required component.

Option C (Azure AD roles) is not part of policy creation. Option A (MFA registration status) is a prerequisite but not a component of the policy.

892
Matchingmedium

Match each Microsoft 365 networking port to its protocol.

Concepts

HTTPS

SMTP

SMTP (submission)

IMAP

IMAP over SSL

Why these pairings

These ports are commonly used for Microsoft 365 connectivity.

893
MCQeasy

A company has recently signed up for Microsoft 365 Business Premium. They want to change the default domain from onmicrosoft.com to a custom domain they own. Which step must be completed first before the custom domain can be used for user email addresses?

A.Add the custom domain in the Microsoft 365 admin center
B.Verify domain ownership by adding a TXT record to the domain's DNS
C.Create user accounts with the new domain as their primary email
D.Configure email exchange records (MX)
AnswerA

Adding the domain is the first step; verification follows.

Why this answer

Before a custom domain can be used for user email addresses in Microsoft 365, the domain must first be added to the tenant in the Microsoft 365 admin center. This step creates a domain object in Azure AD that allows Microsoft to associate the domain with your tenant and prepare for ownership verification. Without adding the domain first, subsequent steps like DNS verification or user creation cannot proceed because the system has no record of the domain.

Exam trap

The trap here is that candidates often confuse the order of operations, assuming DNS verification (Option B) is the first step, but Microsoft 365 requires the domain to be added to the tenant as a prerequisite before any DNS records can be validated.

How to eliminate wrong answers

Option B is wrong because verifying domain ownership by adding a TXT record is a required step, but it must occur after the domain is added in the admin center; you cannot verify a domain that hasn't been registered in the tenant. Option C is wrong because creating user accounts with the new domain as their primary email is a later step that requires the domain to be both added and verified first. Option D is wrong because configuring MX records is part of the final DNS configuration for mail routing, which depends on the domain being verified and the tenant ready to accept mail.

894
MCQmedium

You manage Microsoft Defender for Endpoint. A device is showing as 'Inactive' in the device inventory. The device is turned on and connected to the network. What is the most likely cause?

A.The device is turned off
B.A firewall is blocking communication with the Microsoft Defender for Endpoint cloud service
C.The Microsoft Defender for Endpoint sensor is not reporting
D.The onboarding script was not run successfully
AnswerC

If the sensor stops reporting, the device shows as inactive.

Why this answer

Option C is correct because the sensor needs to communicate regularly; if it does not, the device shows as inactive. Option A is wrong because the device is on. Option B is wrong because although a firewall might block traffic, the sensor communication uses HTTPS and is usually allowed.

Option D is wrong because the onboarding script is only for initial setup.

895
MCQmedium

Your organization has a Microsoft Purview data classification policy that automatically applies a 'General' label to all documents. However, users are complaining that the label is not being applied to documents stored in SharePoint Online. You confirm that the policy is configured correctly and the license is assigned. What is the most likely cause?

A.The sensitivity label is not published to the users.
B.The auto-labeling policy is disabled.
C.The sensitivity label requires encryption and the users don't have the encryption key.
D.The auto-labeling policy is not configured to scan SharePoint Online.
AnswerD

Auto-labeling policies must include the locations to scan; SharePoint must be selected.

Why this answer

Option D is correct because auto-labeling requires the scanner to crawl the content; if scanning is not enabled for SharePoint Online, labels won't be applied. Option A is wrong because the label is already published. Option C is wrong because sensitivity labels do not require encryption.

Option B is wrong because the policy is enabled.

896
Multi-Selectmedium

You are a Microsoft 365 administrator for a multinational organization. You are implementing Microsoft Defender XDR to provide centralized threat management across multiple domains. Which three of the following capabilities are core components of Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Entra ID Governance
E.Microsoft Purview Information Protection
F.Microsoft Intune Device Enrollment

Why this answer

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively integrates signals from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. These three components are the core pillars that provide endpoint detection and response (EDR), email and collaboration protection, and identity threat detection, respectively, enabling automated incident correlation and remediation across the kill chain.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection or Microsoft Intune with security detection components, but they are governance/compliance and management tools, respectively, not part of the Defender XDR suite.

897
MCQmedium

You are investigating a phishing campaign targeting your organization. In Microsoft Defender XDR, you run a KQL query in Advanced Hunting to find all email messages that contain a specific phishing URL. Which table should you query?

A.EmailUrlInfo
B.EmailAttachmentInfo
C.UrlClickEvents
D.EmailEvents
AnswerA

EmailUrlInfo contains URL information from email messages.

Why this answer

Option A is correct because the EmailUrlInfo table contains URL information from email messages, including URLs that can be used to identify phishing links. Option D (EmailEvents) contains email delivery events but not URL details. Option B (EmailAttachmentInfo) contains attachment information.

Option C (UrlClickEvents) contains click events, not email-level URL information.

898
MCQmedium

Your organization uses Microsoft Entra Conditional Access. You need to block access from countries where your company does not operate. The list of blocked countries changes frequently. What is the most efficient way to manage this?

A.Enable Microsoft Entra multifactor authentication for all users from blocked countries
B.Create a Conditional Access policy that blocks all locations except the allowed countries
C.Use IP ranges in Conditional Access to block specific country IPs
D.Create Named Locations for blocked countries and use them in Conditional Access
AnswerD

Named Locations can be easily updated with new countries.

Why this answer

Named Locations in Microsoft Entra Conditional Access allow you to define countries by IP ranges and then use those locations in a policy to block access. This is the most efficient approach because you can update the list of blocked countries in the Named Locations configuration without modifying the Conditional Access policy itself, which is ideal when the list changes frequently.

Exam trap

The trap here is that candidates often think using IP ranges directly in the policy (Option C) is more precise, but they overlook the administrative overhead of maintaining those ranges manually, whereas Named Locations with country selection provide a simpler and more scalable solution for frequently changing country lists.

How to eliminate wrong answers

Option A is wrong because enabling MFA for users from blocked countries does not block access; it only adds an authentication challenge, which is not a block action and does not meet the requirement to prevent access. Option B is wrong because creating a policy that blocks all locations except allowed countries is inefficient when the list of blocked countries changes frequently, as you would need to constantly update the allowed list, and it is easier to manage a list of blocked countries directly. Option C is wrong because using IP ranges in Conditional Access to block specific country IPs is impractical and inefficient; you would need to manually gather and maintain a list of all IP ranges for each blocked country, which is error-prone and does not leverage the built-in country-based location detection that Named Locations provide.

899
MCQhard

Your company has implemented Microsoft Entra ID tenant restrictions to prevent data exfiltration. You need to ensure that external users from a partner organization can access a SharePoint Online site without being blocked by tenant restrictions. What should you do?

A.Add the partner tenant ID to the AllowedTenants list in the tenant restrictions policy.
B.Create a Conditional Access policy to exclude partner users from tenant restriction evaluation.
C.Configure Azure AD B2B collaboration and invite partner users as guests.
D.Configure cross-tenant access settings in Microsoft Entra ID to allow partner tenant.
AnswerA

Adding the partner tenant ID to the AllowedTenants list allows users from that tenant to access resources without being blocked.

Why this answer

Tenant restrictions use the X-MS-Cloud-Extension header to allow or block access. To allow partner users, you need to add their tenant ID to the 'AllowedTenants' list in the tenant restrictions policy. Option A is the correct approach.

Option C (Azure AD B2B) is about inviting external users but does not bypass tenant restrictions. Option D (cross-tenant access settings) is for inbound/outbound access but not for tenant restrictions. Option B (Conditional Access) can be used to control access but does not override tenant restrictions.

900
Multi-Selecthard

A company wants to enable self-service password reset (SSPR) for all users. Which two configurations are mandatory to allow users to reset their own passwords? (Choose two.)

Select 2 answers
A.Enable SSPR for 'All' users.
B.Select at least one authentication method (e.g., mobile phone or email).
C.Configure a custom helpdesk URL.
D.Enforce registration after 30 days.
AnswersA, B

SSPR must be enabled; without this, no users can reset passwords.

Why this answer

Option A is correct because enabling SSPR for 'All' users is a mandatory configuration that ensures every user in the tenant is licensed and permitted to use self-service password reset. Without this setting, SSPR would not be activated for the intended user population, even if authentication methods are configured.

Exam trap

The trap here is that candidates often confuse optional configurations (like custom helpdesk URL or registration enforcement) with mandatory prerequisites, leading them to select those instead of the required scope and authentication method settings.
