Microsoft 365 Administrator MS-102 (MS-102) — Questions 901-975

975 questions total · 13 pages · All types, answers revealed


Page 13 of 13

901
MCQ · medium

A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?

A. Attack surface reduction (ASR) rules
B. Custom detection rules (advanced hunting)
C. Network protection
D. Web protection (web threat protection)
Answer: C

Network protection uses the Windows Defender Firewall to block outbound connections to malicious IPs and domains, as defined by Microsoft threat intelligence.

Why this answer

Option C, Network protection, is correct because it is a Microsoft Defender for Endpoint feature that blocks outbound connections to malicious IP addresses and domains at the network layer, using the Windows Filtering Platform (WFP) to enforce policies without requiring a user-installed client. This ensures the block applies system-wide, even if the device is compromised, as it operates before the TCP/IP stack processes the connection.

Exam trap

The trap here is that candidates often confuse Network protection with Web protection, mistakenly thinking Web protection can block IP-based outbound connections, when in fact Web protection only filters HTTP/HTTPS traffic based on URL reputation and does not operate at the network layer for arbitrary IP addresses.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction (ASR) rules are designed to block specific behaviors (e.g., script execution, Office macro abuse) at the endpoint, not to block outbound network connections to a specific IP address. Option B is wrong because Custom detection rules (advanced hunting) only create alerts based on queries against telemetry data; they do not actively block network traffic. Option D is wrong because Web protection (web threat protection) focuses on blocking malicious URLs and web content based on reputation, not on blocking outbound connections to a known malicious IP address at the network layer.

902
MCQ · hard

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You are implementing Privileged Identity Management (PIM) to manage access to Azure AD roles. You need to ensure that when a user activates a privileged role, the activation request must be approved by their manager and must include a ticket number. What should you configure?

A. Create an access review for the role
B. Modify the role settings in PIM to require approval and justification with ticket number
C. Configure an access package in Entitlement Management
D. Use Conditional Access policy with session controls
Answer: B

PIM role settings allow approval requirement and ticket info.

Why this answer

Option B is correct because PIM role settings allow you to configure activation requirements, including requiring approval and mandating a justification field. By enabling 'Require approval to activate' and configuring the approver as the user's manager, and by setting 'Require ticket information on activation', you enforce that every activation request includes a ticket number and is routed to the manager for approval.

Exam trap

The trap here is that candidates confuse Entitlement Management access packages (which also support approval workflows) with PIM role settings, but only PIM role settings allow you to require a ticket number and specify the manager as the approver for Azure AD role activation.

How to eliminate wrong answers

Option A is wrong because access reviews are used for periodic recertification of role assignments, not for controlling the activation process itself. Option C is wrong because Entitlement Management access packages manage resource access through catalogs and policies, but they do not enforce manager approval and ticket number requirements for Azure AD role activation—that is a PIM role settings feature. Option D is wrong because Conditional Access policies control authentication and session behavior, not the approval workflow or justification requirements for PIM role activation.

903
MCQ · medium

Refer to the exhibit. You run the PowerShell commands shown. The output displays 10 mailboxes with various RecipientTypeDetails, including UserMailbox, SharedMailbox, and RoomMailbox. You need to ensure that only user mailboxes are returned. What should you modify?

A. Use the -Properties parameter to specify additional attributes
B. Change RecipientTypeDetails to RecipientType in the Select-Object
C. Add the parameter -Filter "RecipientTypeDetails -eq 'UserMailbox'"
D. Remove the -ShowProgress parameter
Answer: C

This filters the results to user mailboxes only.

Why this answer

The correct answer is C because the Get-Mailbox cmdlet returns all mailbox types by default. To filter only user mailboxes, you must use the -Filter parameter with the condition 'RecipientTypeDetails -eq 'UserMailbox''. This ensures that only mailboxes with RecipientTypeDetails set to UserMailbox are returned, excluding shared, room, and other mailbox types.

Exam trap

The trap here is that candidates often assume RecipientTypeDetails is a property that can be filtered by simply selecting it in Select-Object, but Select-Object only controls output columns, not which objects are retrieved; filtering must be done at the query level with -Filter.

How to eliminate wrong answers

Option A is wrong because the -Properties parameter is used to specify additional attributes to return in the output, not to filter results; it does not limit which mailboxes are retrieved. Option B is wrong because RecipientType is a broader classification that does not differentiate between user, shared, or room mailboxes; changing to RecipientType would not filter to only user mailboxes. Option D is wrong because the -ShowProgress parameter controls whether progress is displayed during command execution and has no effect on the filtering of mailbox types.

904
MCQ · hard

Your company is required to retain all emails sent to and from executives for 7 years due to regulatory compliance. You need to implement this with minimal administrative overhead. What should you use?

A. Create a Microsoft Purview retention policy for the executive mailboxes
B. Configure Exchange journaling to export to an external system
C. Place each executive mailbox on Litigation Hold
D. Enable the archive mailbox for each executive
Answer: A

Retention policies automatically retain emails for the specified duration with minimal overhead.

Why this answer

Microsoft Purview retention policies and retention labels can automatically retain emails for a specified period. Option C (Litigation Hold) is a manual process for specific users. Option B (Journaling) exports emails to an external system, adding complexity.

Option D (Archive mailbox) provides storage but not automatic retention enforcement. A retention policy or label is the most efficient way.

905
MCQ · easy

You need to implement a solution that allows users to classify documents containing personal data as 'Highly Confidential' and automatically encrypt them when shared via email. What should you configure?

A. A sensitivity label with auto-labeling and encryption.
B. A retention label with a disposition action.
C. An information barrier policy.
D. A DLP policy with an action to block sharing.
Answer: A

Sensitivity labels can apply encryption automatically.

Why this answer

Sensitivity labels can apply encryption automatically when content is shared. Option A is correct. Option D is wrong because DLP policies block or monitor, not encrypt.

Option B is wrong because retention labels manage lifecycle. Option C is wrong because information barriers restrict communication.

906
MCQ · hard

Refer to the exhibit. You are reviewing the service principal for Microsoft Graph in your tenant. The passwordCredentials array is empty. What does this indicate?

A. The service principal is using federated credentials.
B. The service principal uses certificate-based authentication.
C. The Microsoft Graph application is disabled.
D. No client secret is configured for the service principal.
Answer: D

An empty passwordCredentials array means no secrets are set.

Why this answer

The passwordCredentials array being empty indicates that no client secret (password) has been configured for the service principal. Client secrets are one method of authentication for service principals, and their absence means that this particular authentication method is not set up. This does not imply the service principal is disabled or that other authentication methods like certificates or federated credentials are in use.

Exam trap

Microsoft often tests the misconception that an empty passwordCredentials array means the service principal is disabled or that no authentication is possible, when in fact other authentication methods like certificates or federated credentials may still be configured.

How to eliminate wrong answers

Option A is wrong because federated credentials are stored in the federatedIdentityCredentials array, not in passwordCredentials; an empty passwordCredentials array does not indicate federated credentials are being used. Option B is wrong because certificate-based authentication is indicated by the keyCredentials array, not passwordCredentials; an empty passwordCredentials array does not imply certificates are configured. Option C is wrong because the Microsoft Graph application being disabled is a separate property (accountEnabled) and is not indicated by the passwordCredentials array being empty.

907
MCQ · hard

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You have configured Microsoft Entra Identity Governance. You need to create an access review for all guest users in the tenant to ensure their access is still required. The review should be recurring every 90 days and should auto-remove guests if they are not approved. What should you configure?

A. Configure a Conditional Access policy to block guests after 90 days
B. Create an access review for all guest users with a recurrence of 90 days and auto-apply results
C. Configure PIM settings for guest users
D. Create an access package in entitlement management for guest users
Answer: B

Access reviews support recurring reviews and auto-removal.

Why this answer

Option B is correct because creating an access review for all guest users with a recurrence of 90 days and auto-apply results directly meets the requirement: it reviews guest access every 90 days and automatically removes guests who are not approved. Access reviews in Microsoft Entra ID Governance allow you to scope reviews to guest users, set recurrence, and enable auto-apply to enforce removal without manual intervention.

Exam trap

The trap here is that candidates confuse Conditional Access policies (which block access but do not remove accounts) with access reviews (which can automatically remove guest accounts), or they mistakenly think PIM or access packages can perform tenant-wide recurring guest reviews with auto-removal.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy controls access conditions (e.g., blocking sign-ins after 90 days) but does not perform recurring reviews or automatically remove guest accounts; it only blocks authentication, leaving the guest object and its assignments intact. Option C is wrong because PIM (Privileged Identity Management) settings manage just-in-time privileged role activation and approval, not recurring access reviews for all guest users or auto-removal of unapproved guests. Option D is wrong because creating an access package in entitlement management manages resource access through requests and approvals, but it does not provide a recurring review cycle with auto-removal for all guest users; access packages are for specific resource catalogs, not tenant-wide guest review.

908
MCQ · easy

An organization uses Microsoft Entra ID. They want to ensure that users cannot install browser extensions from the Microsoft Edge Add-ons store on managed devices. Which Microsoft Entra ID feature should they use to enforce this policy?

A. Conditional Access policy
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID device management with MDM/MAM policies
D. Privileged Identity Management
Answer: C

Device management policies via MDM (e.g., Intune) can enforce settings such as blocking browser extensions on managed devices.

Why this answer

Microsoft Entra ID device management with MDM/MAM policies (Option C) is correct because browser extension restrictions for Microsoft Edge on managed devices are enforced through device compliance or app protection policies configured in Microsoft Intune, which is the core MDM/MAM service integrated with Entra ID. These policies can block installation from the Edge Add-ons store by using the 'Allow extensions from other stores' setting or by creating a custom OMA-URI policy to restrict extension installation. Conditional Access policies (Option A) control access based on signals like device compliance but cannot directly enforce device-level settings like browser extension installation.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with device management policies, assuming that access controls can enforce device settings, when in fact Conditional Access only gates access based on existing device state and cannot push configuration changes.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies evaluate access conditions (e.g., user, location, device state) and apply access controls (e.g., block, require MFA), but they do not enforce device configuration settings like blocking browser extensions; that requires MDM/MAM policies. Option B is wrong because Microsoft Entra ID Identity Protection focuses on detecting and responding to identity risks (e.g., leaked credentials, anomalous sign-ins) and automating risk-based remediation, not managing device-level software installation policies. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews in Entra ID, not device configuration or application control policies.

909
MCQ · medium

A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?

A. DeviceNetworkEvents | where RemoteIP == 'malicious IP' and Timestamp > ago(7d) | project DeviceName, InitiatingProcessFileName, Timestamp
B. DeviceProcessEvents | where ProcessId in (select ProcessId from DeviceNetworkEvents where RemoteIP == 'malicious IP' and Timestamp > ago(7d)) | project DeviceName, ProcessFileName, Timestamp
C. DeviceNetworkEvents | where Timestamp > ago(7d) | join DeviceProcessEvents on ProcessId | where RemoteIP == 'malicious IP' | project DeviceName, ProcessFileName, Timestamp
D. IdentityLogonEvents | where IPAddress == 'malicious IP' | project DeviceName, Timestamp
Answer: A

Correct. This query directly retrieves the required fields from DeviceNetworkEvents, which already contains the initiating process name.

Why this answer

Option A is correct because DeviceNetworkEvents contains network connection data including the remote IP and the initiating process details. Filtering by RemoteIP and Timestamp directly retrieves the required information without unnecessary joins or subqueries, making it the most efficient query for identifying the process that initiated the connection to a known malicious C2 server.

Exam trap

The trap here is that candidates may choose Option C thinking a join is necessary to get process details, but DeviceNetworkEvents already includes the initiating process name, making the join redundant and inefficient.

How to eliminate wrong answers

Option B is wrong because it uses a subquery on DeviceNetworkEvents to get ProcessIds, but DeviceProcessEvents does not contain network connection data; it focuses on process creation events, so it cannot directly identify processes that initiated network connections. Option C is wrong because it performs a join on ProcessId after filtering by Timestamp, which is inefficient and may return incorrect results if ProcessId is not unique across tables; it also filters RemoteIP after the join, processing more data than necessary. Option D is wrong because IdentityLogonEvents tracks authentication events, not network connections, and IPAddress in this table refers to the logon source IP, not the destination IP of a C2 server.

910
Multi-Select · medium

A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?

Select 2 answers
A. Cloud Discovery
B. Conditional Access App Control
C. App governance
D. Session control policies
Answers: B, D

This component enables the reverse proxy for real-time session control.

Why this answer

Conditional Access App Control (B) is the reverse proxy component in Microsoft Defender for Cloud Apps that enforces real-time session-level monitoring and control of cloud app access. Session control policies (D) are the specific policy objects that define the actions (e.g., block download, block access) applied through that reverse proxy. Together, they enable blocking unsanctioned cloud apps in real time by intercepting user traffic via the reverse proxy architecture.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which only detects unsanctioned apps via log analysis) with the real-time blocking capability, or they assume App governance provides reverse proxy controls when it actually focuses on OAuth app permissions and lifecycle management.

911
Multi-Select · medium

Your organization uses Microsoft Defender XDR. You need to configure automatic response actions for a high-severity incident. Which TWO options are available in the Microsoft Defender XDR automated investigation and response capabilities?

Select 2 answers
A. Create a mailbox rule to delete suspicious emails
B. Isolate a device from the network
C. Collect an investigation package from a device
D. Delegate mailbox permissions
E. Reset user passwords
Answers: B, C

Device isolation is a supported action.

Why this answer

Correct: B and C. Automated investigation can initiate device isolation and collect investigation packages. Option D is wrong because mailbox delegation is not automated.

Option E is wrong because resetting passwords is not an automated response action. Option A is wrong because creating a mailbox rule is not an automated action.

912
MCQ · medium

The security team wants to require approval for any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM). The approvers must be members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify?

A. Role settings for Global Administrator: require approval, set maximum activation duration to 4 hours, and require justification
B. Role settings for Global Administrator: require MFA, set maximum activation duration to 4 hours, and require justification
C. In the eligible assignments for Global Administrator, add 'GA-Approvers' as approvers
D. Both A and C
Answer: D

Option A enables approval, duration, and justification; option C adds the approver group. Both are required.

Why this answer

Option D is correct because configuring PIM role settings for Global Administrator requires both enabling approval (with the 'GA-Approvers' group as designated approvers) and setting the activation parameters (maximum duration of 4 hours and justification requirement). Option A alone only sets the role settings but does not specify which group serves as approvers; Option C alone adds the approvers group but does not configure the activation duration or justification. Both A and C together fulfill the full requirement.

Exam trap

The trap here is that candidates often confuse role settings (which control activation policies like duration and approval) with eligible assignments (which define who can activate), leading them to select only Option A or only Option C, missing that both must be configured together to meet the full requirement.

How to eliminate wrong answers

Option A is wrong because while it correctly sets require approval, maximum activation duration to 4 hours, and require justification, it does not specify the 'GA-Approvers' group as the approvers—the approvers must be defined separately in the role settings. Option B is wrong because it requires MFA instead of approval, which does not meet the requirement for approval-based activation. Option C is wrong because adding 'GA-Approvers' as approvers in eligible assignments does not configure the activation duration or justification; those parameters are set in the role settings, not in assignments.

913
Multi-Select · medium

Administrators want to enforce multi-factor authentication (MFA) for all users when accessing cloud applications from untrusted networks. They plan to use Azure AD Conditional Access with named locations. Which two components must be configured to meet this requirement? (Select two.)

Select 2 answers
A. location policy
B. named location for the corporate network
C. Conditional Access policy targeting all cloud apps
D. Conditional Access policy targeting MFA registration
Answers: B, C

Named locations define trusted IP ranges that the Conditional Access policy can use to distinguish trusted from untrusted networks.

Why this answer

Option B is correct because named locations in Azure AD Conditional Access allow administrators to define trusted network boundaries, such as the corporate network's public IP range. By marking this named location as a trusted location, the Conditional Access policy can then require MFA when users access cloud applications from any network that is not the corporate network, effectively enforcing MFA from untrusted networks.

Exam trap

The trap here is that candidates often confuse 'named location' with 'location policy' (Option A) or mistakenly think that targeting MFA registration (Option D) is sufficient to enforce MFA during access, when in fact registration policies only handle the enrollment flow, not the authentication challenge at sign-in.

914
MCQ · easy

After adding a custom domain name to a Microsoft 365 tenant, what is the first step the administrator must complete before users can sign in using the custom domain?

A. Add the domain as an accepted domain in Exchange Online
B. Set the custom domain as the default domain for new users
C. Verify domain ownership by adding a DNS TXT record
D. Create user accounts with usernames ending with the custom domain
Answer: C

Microsoft requires a TXT record verification to prove control over the domain. This is the first mandatory step. After verification, other configurations like email setup become possible.

Why this answer

Before a custom domain can be used for user sign-ins or email routing in Microsoft 365, the administrator must prove ownership of the domain. This is done by adding a specific DNS TXT record provided by the Microsoft 365 domain setup wizard. Until the TXT record is verified, the domain remains unverified and cannot be used for any Microsoft 365 services.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking they can add the domain to Exchange Online or create users first, but Microsoft 365 strictly enforces domain verification as the prerequisite for all subsequent domain-related configurations.

How to eliminate wrong answers

Option A is wrong because adding the domain as an accepted domain in Exchange Online is a later step that requires the domain to already be verified; you cannot add an unverified domain as an accepted domain. Option B is wrong because setting the custom domain as the default domain for new users also requires the domain to be verified first; the system will not allow an unverified domain to be set as default. Option D is wrong because creating user accounts with usernames ending with the custom domain is only possible after the domain is verified; the Microsoft 365 authentication system will reject unverified domains during user creation.

915
MCQ · medium

Your organization has a hybrid identity deployment with Microsoft Entra Connect. You have synchronized all on-premises Active Directory users to Microsoft Entra ID. You need to enable Microsoft Entra ID Password Protection to automatically block weak passwords. You have installed the Password Protection proxy on a server and registered it. You also need to enforce the password protection policy for on-premises users. What additional step is required?

A. Install the Password Protection DC agent on each domain controller.
B. Install the Password Protection proxy on all domain controllers.
C. Enable the password filter in the Microsoft Entra Connect configuration.
D. Configure a Group Policy to require password complexity.
Answer: A

The DC agent enforces the policy on-premises.

Why this answer

The Password Protection DC agent is required on each domain controller to intercept and validate password changes against the Microsoft Entra ID Password Protection policy. Without this agent, the proxy server alone cannot enforce the policy for on-premises users, as the DC agent is the component that applies the password filter during password change operations.

Exam trap

The trap here is that candidates often assume the proxy server alone enforces the policy, but the proxy only facilitates communication, while the DC agent is the enforcement point on each domain controller.

How to eliminate wrong answers

Option B is wrong because the Password Protection proxy is not installed on domain controllers; it is installed on a separate server to communicate with Microsoft Entra ID, while the DC agent is installed on domain controllers to enforce the policy. Option C is wrong because Microsoft Entra Connect does not include a password filter for on-premises password protection; the password filter is part of the DC agent, not the Connect configuration. Option D is wrong because configuring a Group Policy for password complexity does not enable Microsoft Entra ID Password Protection; it only enforces local Windows password policies, which are separate from the cloud-based weak password detection.

916
MCQ · medium

You are configuring Microsoft Defender for Cloud Apps to detect anomalous behavior. You need to set up a policy that triggers an alert when a user downloads more than 100 files from SharePoint Online in 10 minutes. Which policy template should you use?

A. Activity from anonymous IP addresses
B. Impossible travel
C. Malware detection
D. Ransomware detection
E. Unusual file sharing by user
Answer: A

This template can be configured for high download rates.

Why this answer

Option A is correct because the 'Activity from anonymous IP addresses' template is used to detect unusual download volumes. Option B is wrong because 'Impossible travel' is for geographic anomalies. Option E is wrong because 'Unusual file sharing' is for sharing to external users.

Option C is wrong because 'Malware detection' is for malware. Option D is wrong because 'Ransomware detection' is for ransomware.

917
MCQ · hard

Your organization has Microsoft Defender for Endpoint deployed. You are investigating a potential ransomware incident. The device timeline shows a series of events: a user downloaded a malicious attachment from an email, which then executed a script that encrypted files and attempted to propagate to other devices via SMB. You need to configure a custom detection rule to alert on similar behavior in the future. Which KQL query should you use as a basis?

A. DeviceFileEvents | where FileName endswith '.encrypted'
B. DeviceLogonEvents | where LogonType == 3
C. DeviceRegistryEvents | where RegistryKey contains 'Run'
D. DeviceProcessEvents | join DeviceNetworkEvents on DeviceId
Answer: D

Combines process creation and network events to detect script execution followed by SMB propagation.

Why this answer

Option D is correct because DeviceProcessEvents can capture process creation events (script execution) and DeviceNetworkEvents can capture SMB outbound connections, allowing correlation of initial script execution with later network propagation. Option A is wrong because DeviceFileEvents captures file modifications but not process or network events. Option C is wrong because DeviceRegistryEvents captures registry changes.

Option B is wrong because DeviceLogonEvents captures logon activity.

918
MCQ · medium

You are a security administrator. You need to configure a policy that automatically blocks sign-ins from anonymous IP addresses for all users in your Microsoft 365 tenant. Which policy should you configure in Microsoft Entra ID?

A. Password protection policy
B. Conditional Access policy with user risk condition
C. Conditional Access policy with sign-in risk condition
D. Identity Protection user risk policy
Answer: C

Sign-in risk includes anonymous IP address detection.

Why this answer

Option C is correct because Conditional Access policies can block anonymous IP sign-ins. Option D is wrong because Identity Protection detects but doesn't block. Option A is wrong because password protection doesn't control sign-in.

Option B is wrong because it's for user risk.

919
MCQ · medium

Your organization uses Microsoft 365 and wants to ensure that only compliant devices can access Exchange Online. You have Microsoft Intune for device management. What should you configure?

A. Configure devices to be Azure AD Joined
B. Create a Conditional Access policy with 'Require device to be marked as compliant'
C. Create an app protection policy in Intune
D. Create a device compliance policy in Intune
Answer: B

This enforces that only compliant devices can access Exchange Online.

Why this answer

To enforce that only compliant devices can access Exchange Online, you need a Conditional Access policy that includes the 'Require device to be marked as compliant' grant control. This policy evaluates the device compliance status reported by Intune and blocks or grants access accordingly. Without this Conditional Access policy, even compliant devices are not forced to meet compliance requirements before accessing Exchange Online.

Exam trap

The trap here is that candidates often confuse creating a device compliance policy (which only defines rules) with the Conditional Access policy that actually enforces those rules, leading them to select Option D instead of B.

How to eliminate wrong answers

Option A is wrong because Azure AD Join alone does not enforce compliance; it only registers the device in Azure AD, and without a Conditional Access policy, any joined device can access Exchange Online regardless of compliance. Option C is wrong because an app protection policy (MAM) manages data protection at the app level without requiring device enrollment or compliance, and it does not block access from non-compliant devices. Option D is wrong because a device compliance policy defines the compliance rules (e.g., encryption, OS version) but does not enforce access control; it is the Conditional Access policy that uses the compliance status to grant or deny access.

920
MCQ · hard

Your organization uses Microsoft Entra ID Governance. You need to automate the removal of access when an employee leaves the company. The identity lifecycle should trigger access reviews and automatic deprovisioning. What should you configure?

A. Microsoft Entra Entitlement Management
B. Microsoft Entra Lifecycle Workflows
C. Microsoft Entra Access Reviews
D. Microsoft Entra Privileged Identity Management
Answer: B

Lifecycle Workflows automate the entire lifecycle, including deprovisioning.

Why this answer

Option B is correct because Lifecycle Workflows automate joiner, mover, and leaver processes, including deprovisioning. Option A is wrong because Entitlement Management manages access packages. Option C is wrong because Access Reviews are manual unless automated by Lifecycle Workflows. Option D is wrong because PIM is for privileged roles.

921
MCQmedium

A security administrator needs to configure a policy that automatically blocks high-confidence phishing emails in Microsoft Defender for Office 365. The policy should be applied to all users in the finance department. The administrator wants to ensure that if an email is determined to be high-confidence phishing, it is quarantined and the user is not notified. Which type of policy should the administrator configure?

A.Anti-phishing policy
B.Safe Attachments policy
C.Anti-spam policy
D.Safe Links policy
AnswerA

Anti-phishing policies can quarantine high-confidence phishing emails.

Why this answer

Option A is correct because Anti-phishing policies in Defender for Office 365 can be configured to take action on high-confidence phishing emails, such as quarantining them. Option B is wrong because Safe Attachments policies handle malicious attachments. Option C is wrong because Anti-spam policies handle spam, not high-confidence phishing. Option D is wrong because Safe Links policies protect against malicious URLs, not the overall email classification.

922
MCQmedium

A company wants to allow users to log in to Microsoft 365 using their existing on-premises Active Directory credentials and ensure that password changes are reflected immediately in the cloud. Which authentication method should be implemented?

A.Password Hash Synchronization (PHS)
B.Pass-through Authentication (PTA)
C.Federation with AD FS
D.Azure AD Seamless SSO
AnswerC

AD FS federates authentication so that Microsoft 365 trusts the on-premises system; any password change in on-prem AD is immediately reflected.

Why this answer

Federation with AD FS is correct because it allows users to authenticate directly against on-premises Active Directory, and password changes made on-premises are immediately reflected in the cloud since authentication never passes the password hash to Azure AD. This meets the requirement for instant password change propagation without any synchronization delay.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication (PTA) with federation, assuming PTA also provides instant password change reflection, but PTA still requires password hash synchronization for cloud services like Azure AD Password Protection, and on-premises password changes are not instantly reflected in Azure AD without additional sync.

How to eliminate wrong answers

Option A is wrong because Password Hash Synchronization (PHS) synchronizes password hashes on a schedule (typically every 2 minutes), so password changes are not reflected immediately in the cloud. Option B is wrong because Pass-through Authentication (PTA) validates passwords on-premises but still relies on password writeback for cloud password changes, and on-premises password changes are not instantly reflected in Azure AD without additional synchronization. Option D is wrong because Azure AD Seamless SSO is not an authentication method itself; it is a feature that works on top of PHS or PTA to provide single sign-on, and it does not handle password change propagation.

923
Multi-Selecteasy

Which TWO are valid methods to add users to a Microsoft 365 tenant?

Select 2 answers
A.Create users by adding a DNS record.
B.Add users in the Azure portal.
C.Create users in the Exchange admin center.
D.Add users individually in the Microsoft 365 admin center.
E.Synchronize users from on-premises Active Directory using Microsoft Entra ID Connect.
AnswersD, E

Admins can add users manually in the admin center.

Why this answer

Option D is correct because the Microsoft 365 admin center provides a native web interface to add users individually, which is the most straightforward method for small-scale user provisioning. Option E is correct because synchronizing users from on-premises Active Directory using Microsoft Entra ID Connect (formerly Azure AD Connect) is the standard hybrid identity method for large-scale user management, ensuring directory objects are replicated to Azure AD.

Exam trap

The trap here is that candidates may confuse the Azure portal (which can create Azure AD users) with the Microsoft 365 admin center, or think the Exchange admin center can create users, when in fact it only manages mailbox-enabled users that already exist in Azure AD.

924
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Microsoft 365 resources. What should you configure?

A.Configure an app protection policy in Intune.
B.Create a device compliance policy in Intune.
C.Configure a Windows Hello for Business policy in Intune.
D.Create a conditional access policy in Microsoft Entra ID requiring compliant devices.
AnswerD

Conditional access policies enforce access control based on device compliance.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID (formerly Azure AD) are the mechanism that enforces access controls based on signals such as device compliance. By creating a policy that requires compliant devices, you ensure that only devices meeting your compliance standards can access Microsoft 365 resources. This works in conjunction with Intune compliance policies, but the enforcement point is the Conditional Access policy.

Exam trap

The trap here is that candidates often confuse the role of Intune compliance policies (which only define and report compliance) with Conditional Access policies (which enforce access decisions), leading them to select Option B instead of D.

How to eliminate wrong answers

Option A is wrong because app protection policies (MAM) manage data protection at the application level without requiring device enrollment or compliance; they do not block access to Microsoft 365 resources based on device compliance. Option B is wrong because a device compliance policy in Intune defines the compliance requirements (e.g., encryption, OS version) but does not itself enforce access restrictions; it only marks the device as compliant or non-compliant. Option C is wrong because Windows Hello for Business policy configures biometric or PIN-based authentication on devices, but it does not control access to Microsoft 365 resources based on device compliance.

925
MCQmedium

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Teams. You need to prevent external users from being added to sensitive teams that contain financial data. What should you configure?

A.A sensitivity label for containers that blocks guest access.
B.Azure AD Conditional Access policy for guest users.
C.An information barrier policy between finance and external.
D.A DLP policy for Teams chat and channel messages.
AnswerA

Sensitivity labels can control guest access to teams and groups.

Why this answer

Option A is correct because sensitivity labels for containers can restrict guest access to teams and groups. Option B is wrong because Azure AD Conditional Access controls sign-in, not team membership. Option C is wrong because information barriers restrict communication, not guest access. Option D is wrong because DLP policies monitor content, not guest access.

926
MCQhard

A compliance officer needs to automatically identify and label content that is conceptually similar to existing sensitive documents, such as internal strategy memos or proprietary technical specifications, without relying on explicit keywords or recognized sensitive information types. Which Microsoft Purview solution should the officer use to achieve this?

A.Trainable classifier
B.Sensitive information type
C.An auto-labeling policy with a retention label
D.Data Loss Prevention (DLP) policy that blocks sharing
AnswerA

Trainable classifiers are designed to identify content based on examples and can learn to recognize documents that are conceptually similar, such as internal memos or proprietary specs, without needing exact keywords or predefined sensitive info types.

Why this answer

A trainable classifier uses machine learning to identify content based on patterns and context learned from sample documents, making it ideal for recognizing conceptually similar content without relying on explicit keywords or predefined sensitive information types. This allows the compliance officer to automatically label internal strategy memos or proprietary technical specifications that share conceptual similarity with existing sensitive documents.

Exam trap

The trap here is that candidates often confuse trainable classifiers with sensitive information types, assuming that keyword or regex-based patterns are sufficient for conceptual similarity, when in fact trainable classifiers are the only Microsoft Purview solution that uses machine learning to identify content based on learned patterns rather than explicit rules.

How to eliminate wrong answers

Option B is wrong because sensitive information types rely on predefined patterns (e.g., regex, keywords, checksums) and cannot identify conceptually similar content without explicit keywords or recognized types. Option C is wrong because an auto-labeling policy with a retention label applies labels based on conditions like sensitive info types or trainable classifiers, but the retention label itself does not perform conceptual identification; the labeling policy would still require a trainable classifier to trigger. Option D is wrong because a Data Loss Prevention (DLP) policy that blocks sharing can use classifiers or sensitive info types to enforce actions, but it is a protective control, not a labeling solution for automatic identification and labeling of conceptually similar content.

927
MCQhard

You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malicious link in an email and clicked it. The link led to a credential phishing page. You need to identify which user accounts might have been compromised. Which Microsoft 365 Defender feature should you use?

A.Live Response
B.Investigation package
C.File investigation
D.Action center
AnswerB

The investigation package includes details on compromised accounts.

Why this answer

Option B is correct because the investigation package contains evidence for compromised accounts. Option A is wrong because Live Response is for device investigation. Option C is wrong because file investigation is for investigating individual files. Option D is wrong because the Action center is for automated actions.

928
MCQeasy

Refer to the exhibit. You have a Conditional Access policy configured as shown. What is the effect of this policy?

A.It requires multi-factor authentication for trusted IPs.
B.It blocks access from all locations.
C.It blocks access from untrusted IP addresses.
D.It blocks access from trusted IP addresses.
AnswerD

The policy includes the 'All trusted locations' condition and applies a block control.

Why this answer

The policy is configured to 'Block access' for 'All users' and 'All cloud apps' when the location condition is set to 'Trusted IPs'. This means that when a user attempts to access from an IP address defined as trusted in the organization's named locations, access is explicitly blocked. The effect is that trusted IP addresses are blocked, not untrusted ones.

Exam trap

The trap here is that candidates mistakenly think 'Block access' combined with 'Trusted IPs' blocks untrusted IPs, when in fact the policy explicitly blocks the trusted IPs, leaving untrusted IPs unaffected by this policy.

How to eliminate wrong answers

Option A is wrong because the policy is set to 'Block access', not 'Grant access requiring multi-factor authentication', so it does not enforce MFA for any location. Option B is wrong because the policy only applies to the 'Trusted IPs' location condition, not to 'All locations' or 'Any location', so it does not block access from all locations. Option C is wrong because the policy targets 'Trusted IPs', not 'Untrusted IPs'; untrusted IPs are not affected by this policy and would fall through to other policies or default behavior.

929
MCQeasy

You need to monitor which users have accessed a specific document stored in SharePoint Online over the last 90 days. What should you use?

A.Data Loss Prevention reports.
B.eDiscovery (Premium) case.
C.Content search in Microsoft Purview.
D.Audit log search in Microsoft Purview.
AnswerD

Audit logs track file access events.

Why this answer

The audit log in Microsoft Purview records user activities, including file access. Option D is correct. Option A is wrong because DLP reports show policy matches, not access. Option B is wrong because eDiscovery cases are for legal holds and reviews. Option C is wrong because content search searches for content, not access.

930
MCQmedium

Your organization uses Microsoft Entra ID P2. You want to automatically remediate high-risk users by requiring them to change their password. However, you also want to allow users to self-remediate if they believe the risk detection is false positive. What should you implement?

A.User risk policy with 'Require password change' and enable user feedback
B.Sign-in risk policy with 'Require password change'
C.User risk policy with 'Block access' and enable user feedback
D.Sign-in risk policy with 'Require multifactor authentication'
AnswerA

Password change remediates high risk, and user feedback allows dismissing false positives.

Why this answer

Option A is correct because a user risk policy with 'Require password change' can include user feedback options, such as 'Dismiss risk', for false positives. Option B is wrong because a sign-in risk policy addresses sign-in risk, not user risk. Option C is wrong because blocking access does not allow self-remediation. Option D is wrong because MFA does not change the password.

931
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to collect investigation packages from multiple devices for forensic analysis. What is the most efficient method?

A.Use the central investigations feature to collect packages from multiple devices.
B.Use the Microsoft 365 Defender portal's forensic collection tool.
C.Initiate a Live Response session on each device.
D.Run a manual collection from each device's page.
AnswerA

Central investigations allow bulk collection.

Why this answer

Option A is correct because the central investigations feature allows you to collect packages from multiple devices in one action. Option B is wrong because the Microsoft 365 Defender portal does not have a dedicated forensic collection tool. Option C is wrong because a Live Response session is manual and handles one device at a time. Option D is wrong because a device's page only handles that one device.

932
MCQeasy

Your organization uses Microsoft Entra ID. You need to ensure that users cannot reuse their last 5 passwords when changing passwords. What should you configure?

A.Password protection policy - enforce password history.
B.Multi-factor authentication settings.
C.Account lockout threshold.
D.Smart lockout settings.
AnswerA

Password protection policy includes password history settings.

Why this answer

The password history policy in Microsoft Entra ID (formerly Azure AD) enforces the number of unique passwords a user must use before they can reuse an old password. By setting the password history value to 5, users cannot reuse any of their last 5 passwords when changing their password. This directly meets the requirement to prevent reuse of the last 5 passwords.

Exam trap

The trap here is that candidates often confuse password history (which prevents reuse) with password expiration or complexity settings, or they mistakenly think smart lockout or MFA can enforce password reuse rules.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication settings control additional verification methods (e.g., phone call, app notification) and do not manage password reuse history. Option C is wrong because account lockout threshold defines the number of failed sign-in attempts before an account is locked, not password reuse restrictions. Option D is wrong because smart lockout settings help block brute-force attacks by locking accounts after repeated failed attempts from unfamiliar locations, but they do not enforce password history or reuse rules.

933
Multi-Selectmedium

You are a Microsoft 365 Administrator for a multinational organization that is deploying a new Microsoft 365 tenant. The organization has strict compliance and security requirements. Which four of the following actions should you take to properly deploy and manage the tenant? Choose all that apply. (There are four correct answers.)

Select 4 answers
A.Configure password hash synchronization (PHS) from the on-premises Active Directory to Microsoft Entra ID to enable Hybrid Identity.
B.Create and assign custom administrative roles using Role-Based Access Control (RBAC) to delegate specific management tasks without granting global admin privileges.
C.Enable Microsoft Defender for Office 365 and configure Safe Attachments and Safe Links policies to protect against advanced threats in email and collaboration tools.
D.Configure a Microsoft 365 usage location for each user before assigning licenses to comply with regional licensing and data residency requirements.
E.Use the Microsoft 365 admin center to directly edit and manage all user objects in the on-premises Active Directory to ensure synchronization consistency.
F.Disable multi-factor authentication (MFA) for all users during the initial deployment to simplify onboarding, and enable it after 30 days.

Why this answer

Configuring password hash synchronization (PHS) from on-premises Active Directory to Microsoft Entra ID is a foundational step for hybrid identity. It synchronizes user password hashes, enabling users to use the same credentials for cloud and on-premises resources, and is required for features like Identity Protection and leaked credential detection.

Exam trap

The trap here is that candidates may think disabling MFA temporarily is acceptable for deployment simplicity, but Microsoft explicitly requires MFA to be enabled from day one for all users, especially privileged roles, and the exam tests this security-first mindset.

934
MCQhard

You are a Microsoft 365 administrator for Contoso Corporation, a multinational company with 20,000 users. The company uses Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. The security team wants to implement a zero-trust access model. Requirements: 1. All access to corporate resources must require multifactor authentication (MFA) and device compliance. 2. Users must register for MFA before accessing any app. 3. Legacy authentication protocols must be blocked for all users. 4. External collaboration must be governed by identity governance. 5. Sensitive data in SharePoint Online must be protected by DLP. 6. All administrative actions must be audited. You need to design the configuration. Which combination of actions should you take?

A.Enable Security defaults, configure SharePoint DLP, and use Microsoft Purview Audit for admin actions
B.Create a Conditional Access policy requiring MFA, block legacy auth, and use Microsoft Defender for Cloud Apps to monitor admin actions
C.Use Microsoft Intune compliance policies, enable MFA per-user, and deploy Microsoft Sentinel for auditing
D.Create Conditional Access policies requiring MFA and compliant devices, block legacy auth, enforce MFA registration via Identity Protection, set up Microsoft Entra ID Governance for external users, configure Purview DLP for SharePoint, and enable Purview Audit
AnswerD

This combination meets all requirements.

Why this answer

Option D is correct. Conditional Access policies requiring MFA and compliant devices, blocking legacy auth, and using Entra ID Identity Protection to enforce MFA registration meet requirements 1, 2 and 3. Microsoft Entra ID Governance (Entitlement Management) handles external collaboration (requirement 4). Microsoft Purview DLP protects SharePoint (requirement 5). Microsoft Purview Audit (Standard or Premium) audits admin actions (requirement 6).

Option A is wrong because Security defaults are less granular and may not block legacy auth for all users. Option B is wrong because it does not require device compliance, enforce MFA registration, govern external collaboration, or protect SharePoint with DLP. Option C is wrong because Intune compliance policies alone do not enforce MFA, and Microsoft Sentinel is a SIEM, not the primary audit log for admin actions (Purview Audit is correct).

935
MCQeasy

Your organization uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) for email and collaboration content. Which policy type should you configure in the Microsoft 365 Defender portal?

A.Attack simulation training
B.Safe attachments policies
C.Quarantine policies
D.Automated investigation and response
AnswerD

This policy enables AIR for email and collaboration.

Why this answer

Option D is correct because AIR for email is configured via the 'Automated investigation and response' policy within Email & collaboration policies. Option A is wrong because attack simulation training is for phishing simulations. Option B is wrong because Safe Attachments policies are part of anti-malware settings. Option C is wrong because quarantine policies manage quarantined messages.

936
MCQeasy

A company wants to reduce help desk calls by allowing users to reset their own passwords securely. Users should be able to reset their passwords using a mobile phone number or email as verification. Which Microsoft Entra ID feature should be enabled?

A.Conditional Access
B.Self-Service Password Reset (SSPR)
C.Password Protection
D.Identity Protection
AnswerB

SSPR enables users to reset their own passwords using configured authentication methods.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature specifically designed to allow users to reset their own passwords without help desk intervention. It supports verification methods such as mobile phone number (via SMS or phone call) and email, meeting the company's requirement for secure, user-driven password resets.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with SSPR (which handles the authentication recovery process), leading them to select Conditional Access when the question explicitly asks about password reset functionality.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals like user, device, or location; it does not provide password reset functionality. Option C is wrong because Password Protection is a feature that blocks weak or compromised passwords by enforcing custom banned password lists and global banned lists, but it does not enable users to reset their own passwords. Option D is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-in behaviors and user risks (e.g., leaked credentials), but it does not offer self-service password reset capabilities.

937
MCQhard

Your organization uses Microsoft Entra ID P2 and has enabled Microsoft Entra ID Protection. You need to generate a weekly report of users who are at risk due to anomalous sign-in activity and send it to the security team. What is the most efficient way to achieve this?

A.Use the Microsoft Entra admin center to export the risky sign-ins report every week
B.Configure a Microsoft Sentinel analytics rule to generate incidents for risky sign-ins
C.Create a custom workbook in Microsoft Entra ID and schedule it to run weekly
D.Write a PowerShell script that uses the Microsoft Graph API to retrieve risky sign-ins and send an email weekly
AnswerC

Workbooks in Microsoft Entra ID can be scheduled and shared with the security team.

Why this answer

Option C is correct because Microsoft Entra ID custom workbooks can be configured with a scheduled refresh, allowing you to automatically generate and deliver a weekly report of risky sign-ins without manual intervention or additional infrastructure. This leverages the built-in reporting and scheduling capabilities of Entra ID, making it the most efficient solution for a recurring report.

Exam trap

The trap here is that candidates often assume that any automated task requires PowerShell or external tools, overlooking the built-in scheduling capabilities of Entra ID workbooks, which are specifically designed for recurring report generation without additional scripting.

How to eliminate wrong answers

Option A is wrong because manually exporting the risky sign-ins report every week is not efficient; it requires human intervention and does not automate the delivery to the security team. Option B is wrong because Microsoft Sentinel analytics rules are designed for security incident detection and response, not for generating scheduled reports; using Sentinel for this purpose introduces unnecessary complexity and cost. Option D is wrong because writing a PowerShell script with Microsoft Graph API to retrieve risky sign-ins and send an email weekly is less efficient than using a built-in scheduled workbook, as it requires custom development, maintenance, and handling of authentication and scheduling logic.

938
MCQhard

You run the KQL query in Microsoft Defender XDR. The query returns a list of users who logged into Exchange Online more than 10 times in the last day from a single IP address. However, you notice that some IP addresses are internal corporate IPs. What should you add to the query to focus on suspicious logons from external IPs?

A.Add a line: | where IPAddress !startswith "10."
B.Add a line: | where Application == "Outlook Web App"
C.Add a line: | summarize by Application
D.Add a line: | where TotalLogons > 50
E.Add a line: | sort by TotalLogons desc
AnswerA

This filters out internal IPs in the 10.0.0.0/8 range.

Why this answer

Option A is correct because the query should filter out the internal IP range so that only logons from external addresses remain. Option B is wrong because filtering by Application would not exclude internal IPs. Option C is wrong because summarizing by Application is unnecessary. Option D is wrong because the TotalLogons > 10 filter already exists. Option E is wrong because sorting does not exclude internal IPs.

939
MCQhard

A company has a Microsoft 365 E5 tenant with 10,000 users. You need to delegate the ability to manage Microsoft Entra ID roles to a group of support engineers. The solution must follow the principle of least privilege and allow engineers to assign only specific roles to users. What should you do?

A.Assign the engineers the Privileged Role Administrator role
B.Add the engineers to the Global Administrator role in Microsoft Entra ID
C.Create a group in Microsoft Entra ID and assign it the User Administrator role, then use PIM to elevate
D.Create a custom role in Microsoft Entra ID with permissions to assign specific roles, and use PIM to enable just-in-time access
AnswerD

Custom roles with PIM provide least-privilege delegation.

Why this answer

Option D is correct because it follows the principle of least privilege by creating a custom role that grants only the specific permissions needed to assign designated roles, and using Privileged Identity Management (PIM) for just-in-time (JIT) access ensures engineers are elevated only when required. This approach avoids granting standing administrative privileges and allows granular control over which roles can be assigned, meeting the requirement to delegate role management without over-provisioning.

Exam trap

The trap here is that candidates often confuse the Privileged Role Administrator role (which can assign any role) with a custom role that limits assignments to specific roles, or mistakenly think that adding engineers to a built-in role like User Administrator with PIM elevation is sufficient, when in fact PIM does not change the underlying permissions of the role itself.

How to eliminate wrong answers

Option A is wrong because the Privileged Role Administrator role grants full control over all role assignments in Microsoft Entra ID, including the ability to assign any role (including Global Administrator), which violates the principle of least privilege by providing excessive permissions. Option B is wrong because the Global Administrator role has unrestricted access to all tenant settings and resources, far exceeding the need to manage only specific role assignments, and is a classic over-privileged assignment. Option C is wrong because the User Administrator role only allows management of users and groups, not the assignment of Microsoft Entra ID roles to users; it does not include permissions to delegate role management, and using PIM with this role does not grant the ability to assign other roles.

940
Multi-Selectmedium

A compliance administrator wants to automatically apply a 'Confidential' sensitivity label to documents that contain tax identification numbers. Which two configurations are required? (Choose two.)

Select 2 answers
A.Define a sensitive information type for tax IDs
B.Create a sensitivity label with the desired protection settings
C.Configure a data loss prevention (DLP) rule
D.Create an auto-labeling policy
AnswersA, D

Sensitive information types define patterns (e.g., regex) to detect specific data like tax IDs.

Why this answer

Option A is correct because a sensitive information type (SIT) defines the pattern to detect tax identification numbers (e.g., using regex or keyword lists) in content. Option D is correct because an auto-labeling policy automatically applies the sensitivity label to documents when the SIT is matched, without requiring user intervention. Together, they enable automatic classification based on content inspection.

Exam trap

The trap here is that candidates often confuse DLP rules with auto-labeling policies, but DLP rules enforce actions like blocking or alerting on sensitive data, while auto-labeling policies specifically apply sensitivity labels based on content matching.

941
MCQmedium

Your organization uses Microsoft Purview to classify and protect data. You need to create a custom sensitive info type that detects employee IDs formatted as 'EMP-XXXXX' where X is a digit. Which approach should you use?

A.Create a custom sensitive info type using a regular expression.
B.Use a keyword dictionary for the pattern.
C.Use exact data match (EDM) based classification.
D.Use the built-in 'Employee ID' sensitive info type.
AnswerA

Custom sensitive info types can use regex patterns to detect specific formats.

Why this answer

Option A is correct because you can create a custom sensitive info type using a regular expression pattern. Option B is wrong because a keyword dictionary can be used as an additional element, but the pattern is best defined by regex. Option C is wrong because exact data match requires a source of truth, not a pattern. Option D is wrong because the built-in type may not match the 'EMP-XXXXX' format exactly.

942
MCQhard

Your organization has Microsoft Defender for Cloud Apps (MCAS) deployed. You need to create a policy that automatically blocks downloads of files classified as 'Highly Confidential' from SharePoint Online to unmanaged devices. Which policy type should you use?

A.Access policy
B.Activity policy
C.App discovery policy
D.Session policy
AnswerD

A session policy uses reverse proxy to control user actions in real time.

Why this answer

Option D is correct because a session policy uses a reverse proxy to monitor and control user actions in real time, which allows downloads to be blocked based on device state. Option A is wrong because an access policy controls sign-in conditions, not file downloads. Option B is wrong because an activity policy monitors activities but does not block them in real time.

Option C is wrong because an app discovery policy identifies shadow IT; it does not control file downloads.

943
Drag & Dropmedium

Drag and drop the steps to configure a compliance retention policy in Microsoft Purview in the correct order.

Why this order

Retention policies are created in Purview, locations selected, retention settings defined, and then published.

944
MCQmedium

Refer to the exhibit. An administrator runs the KQL query in Microsoft Defender for Endpoint. The result set is empty. What is the most likely reason?

A.The device is not onboarded to Microsoft Defender for Endpoint.
B.The query is case-sensitive and the account name is 'Admin' with a capital A.
C.No logon events with the account name 'admin' exist in the past 7 days.
D.There are no logon events in the last 7 days.
AnswerC

The query filters on AccountName == "admin"; if no events match, the result set is empty.

Why this answer

The KQL query filters for logon events where the AccountName equals 'admin' (lowercase). If no such events occurred in the last 7 days, the result set will be empty. This is the most likely reason because the query explicitly restricts the time range and account name, and an empty result does not indicate a broader issue with onboarding or case sensitivity.

Exam trap

The trap here is that candidates may assume an empty result set always indicates a configuration or onboarding problem, rather than recognizing that the query's specific filter (account name and time range) simply returned no matching data.

How to eliminate wrong answers

Option A is wrong because if the device were not onboarded to Microsoft Defender for Endpoint, the query would return an error or no data at all, but the question states the result set is empty, which is consistent with a valid query returning zero matching records. Option B is wrong because KQL is case-sensitive by default, but the query uses 'admin' (lowercase) and the exhibit shows the account name is 'admin' (lowercase), so case sensitivity is not the issue; the query would match 'admin' exactly. Option D is wrong because the query specifically filters for the account name 'admin', so even if there are other logon events in the last 7 days, they would not appear unless they match the account name; an empty result does not imply no logon events at all.

945
MCQeasy

A company wants to allow users to reset their own passwords without administrator intervention. They need to configure Self-Service Password Reset (SSPR) for all cloud-only users. Which Azure AD license is required for all users to enable SSPR?

A.Azure AD Free
B.Azure AD Premium P1
C.Microsoft 365 Business Basic
D.Azure AD Premium P2
AnswerB

Azure AD Premium P1 is the minimum license required to enable SSPR for cloud-only users.

Why this answer

Azure AD Premium P1 includes the Self-Service Password Reset (SSPR) capability for cloud-only users. Azure AD Free only supports SSPR for cloud users if the tenant has at least one Azure AD Premium P1 license assigned, but the feature itself is a Premium P1 benefit. Microsoft 365 Business Basic does not include SSPR; it provides basic identity features without password reset self-service.

Azure AD Premium P2 includes all P1 features plus Identity Protection and Privileged Identity Management, but SSPR does not require P2.

Exam trap

The trap here is that candidates often assume Azure AD Free includes SSPR because Microsoft offers a 'free' tier, but SSPR is a Premium P1 feature, and the free tier only allows basic directory services without self-service password reset capabilities.

How to eliminate wrong answers

Option A is wrong because Azure AD Free does not include SSPR for users; it only allows basic directory features and requires at least one Premium P1 license to enable SSPR. Option C is wrong because Microsoft 365 Business Basic does not include Azure AD Premium features; it provides only basic identity management without self-service password reset. Option D is wrong because Azure AD Premium P2 includes SSPR but is not required; Premium P1 is the minimum license needed for SSPR, making P2 an unnecessary over-licensing for this scenario.

946
MCQmedium

A legal hold is required for all emails in a user's mailbox related to a litigation case. The administrator needs to ensure that the mailbox content is preserved even if the user tries to delete emails. Which Microsoft Purview feature should be used?

A.Litigation Hold
B.eDiscovery (Standard) case hold
C.Retention policy
D.In-Place Hold
AnswerA

Litigation Hold preserves all mailbox items until the hold is removed, even if the user deletes them. It is suitable for legal holds.

Why this answer

Litigation Hold is the correct choice because it is a Microsoft Purview feature specifically designed to preserve all mailbox content, including deleted items and original versions of modified items, for legal or compliance purposes. When enabled, it places the user's entire mailbox on hold, preventing permanent deletion by the user or automated processes, and ensures that all data related to a litigation case is retained indefinitely until the hold is removed.

Exam trap

The trap here is that candidates often confuse Litigation Hold with eDiscovery case holds or retention policies, but Litigation Hold is the simplest and most direct feature for preserving an entire mailbox indefinitely for legal purposes, without needing to create a case or define retention rules.

How to eliminate wrong answers

Option B (eDiscovery (Standard) case hold) is wrong because it is used to preserve content for a specific eDiscovery case, but it requires creating an eDiscovery case and associating a hold with that case, which is more complex and not the simplest direct method for a single user's mailbox in a litigation scenario. Option C (Retention policy) is wrong because retention policies are designed for managing data lifecycle based on age or other criteria, not for indefinite preservation in response to a legal hold, and they can allow deletion after a specified period. Option D (In-Place Hold) is wrong because In-Place Hold is a legacy Exchange Online feature that has been deprecated in favor of Litigation Hold and eDiscovery holds; it is no longer available in modern Microsoft Purview deployments.

947
MCQmedium

A user is leaving the organization, and a litigation hold must be placed on their Exchange Online mailbox to preserve all existing and future data indefinitely. The user's mailbox will continue to be monitored for any attempts to delete data. Which Microsoft Purview feature should the compliance officer use?

A.Litigation Hold
B.eDiscovery hold (Core or Advanced)
C.retention policy with 'Preserved forever' state
D.In-Place Hold (Exchange Online)
AnswerA

Litigation Hold places a hold on the entire mailbox, preserving all content until the hold is explicitly released. Even after the user is deleted, the mailbox remains preserved.

Why this answer

Litigation Hold is the correct feature because it is specifically designed to preserve all mailbox content indefinitely, including future data, and prevents any deletion or modification of items by users or automated processes. It also allows the compliance officer to monitor the mailbox for deletion attempts, as the hold is placed directly on the mailbox via the Exchange Admin Center or PowerShell, ensuring immutable retention.

Exam trap

The trap here is that candidates often confuse Litigation Hold with eDiscovery holds or retention policies, but Litigation Hold is the only feature that provides indefinite, mailbox-specific preservation with built-in monitoring for deletion attempts, as it is a direct hold on the mailbox rather than a policy-based retention.

How to eliminate wrong answers

Option B is wrong because eDiscovery holds (Core or Advanced) are intended for preserving data related to specific legal cases or investigations, not for indefinite preservation of all mailbox data for a departing user; they require a defined search query and are not designed for indefinite monitoring. Option C is wrong because a retention policy with 'Preserved forever' state applies to all content across the organization or specific locations, but it does not provide the same mailbox-level monitoring for deletion attempts as Litigation Hold, and it may not prevent users from deleting items if the policy is not configured correctly. Option D is wrong because In-Place Hold is a legacy feature from on-premises Exchange that has been deprecated in Exchange Online; it is not available in the cloud and cannot be used for modern compliance requirements.

948
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate which user account is potentially compromised. Which tool should you use to correlate the alert with user activity?

A.Microsoft Defender XDR portal
B.Microsoft Intune admin center
C.Microsoft Purview compliance portal
D.Microsoft Entra admin center
AnswerA

The Microsoft Defender XDR portal provides a unified incident view across Defender products.

Why this answer

Option A is correct because the Microsoft Defender XDR portal provides a unified incident view that correlates alerts from Defender for Identity with user and device information. Option C is wrong because the Microsoft Purview compliance portal is for compliance, not security investigation. Option B is wrong because the Intune admin center manages endpoints, not identity alerts.

Option D is wrong because the Microsoft Entra admin center is for identity management and governance, not security incident correlation.

949
MCQmedium

A security administrator wants to block users from uploading files to personal cloud storage apps (e.g., Dropbox) from managed Windows devices, while allowing access from compliant mobile devices. Which Microsoft 365 Defender feature should be used?

A.Microsoft Defender for Endpoint Attack Surface Reduction rules
B.Microsoft Defender for Cloud Apps session policy
C.Microsoft Defender for Office 365 Safe Attachments
D.Microsoft Defender for Identity
AnswerB

Session policies allow granular control of user sessions in SaaS apps, including blocking file uploads based on device compliance.

Why this answer

Microsoft Defender for Cloud Apps session policies use reverse proxy architecture to monitor and control user activities in real time. By configuring a session policy with the 'Block' action for the 'Upload file' activity on managed Windows devices, the administrator can prevent file uploads to personal cloud storage apps like Dropbox. Conditional Access App Control enforces this policy based on device compliance, allowing compliant mobile devices to bypass the block.

Exam trap

The trap here is that candidates confuse host-level ASR rules (Option A) with cloud-level session policies, failing to recognize that ASR rules cannot enforce conditional access based on device compliance or control uploads to specific cloud apps.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction rules are host-level controls that block specific behaviors (e.g., Office apps creating child processes) but cannot differentiate between managed and unmanaged devices or enforce conditional access based on device compliance for cloud app uploads. Option C is wrong because Safe Attachments is a feature of Defender for Office 365 that scans email attachments for malware in a sandbox environment; it does not control user uploads to third-party cloud storage apps. Option D is wrong because Defender for Identity monitors on-premises Active Directory for identity-based threats (e.g., Kerberoasting, pass-the-hash) and has no capability to block file uploads to cloud apps.

950
MCQmedium

Refer to the exhibit. You have created a conditional access policy as shown. Users report that they can still access cloud apps from non-compliant devices. What is the most likely reason?

A.The policy does not exclude specific users
B.The policy does not include all cloud apps
C.The grant control operator is set to "OR" with only one control, which requires no controls to be satisfied
D.The policy uses session controls instead of grant controls
AnswerC

With OR and one control, the policy is satisfied even if the device is not compliant.

Why this answer

Option C is correct because the conditional access policy's grant control is set to 'OR' with only a single control selected (e.g., 'Require device to be marked as compliant'). When the operator is 'OR' and only one control is listed, the policy effectively requires that control to be satisfied. However, if the control is not enforced due to a misconfiguration or the device not being evaluated (e.g., the device platform is not specified), the 'OR' operator with a single control can be interpreted as granting access if any control is met; since only one exists, it still must be met.

The most likely reason users can still access cloud apps from non-compliant devices is that the policy's grant control operator is set to 'OR' with only one control, which means the policy does not actually block access if the control is not satisfied; instead, it allows access because the 'OR' condition is technically satisfied by the absence of a second control to fail against. In practice, this configuration is a common misconfiguration that results in the policy being ineffective.

Exam trap

The trap here is that candidates assume a single grant control with 'OR' operator works the same as 'AND' operator, but Microsoft's logic treats 'OR' with one control as a pass-through if the control is not enforced, leading to unintended access.

How to eliminate wrong answers

Option A is wrong because excluding specific users is not required for a conditional access policy to block non-compliant devices; the policy can target all users and still enforce compliance. Option B is wrong because the policy does not need to include all cloud apps to block non-compliant devices; it can target specific apps and still enforce the grant control. Option D is wrong because session controls (e.g., 'Use app enforced restrictions') are used for session-level restrictions, not for blocking access based on device compliance; the issue here is with grant controls, not session controls.

951
MCQeasy

An administrator needs to configure email notifications for Exchange Online service health incidents to be sent to a specific IT support mailbox. Where should the administrator configure these notifications in the Microsoft 365 admin center?

A.Health > Service health > Customize notifications
B.Organization profile > Notifications > Service health
C.Mail flow connectors
D.Settings > Service settings
AnswerA

Navigate to Health > Service health, then select 'Customize notifications' to set up specific email recipients for Exchange Online alerts.

Why this answer

Option A is correct because the 'Customize notifications' link under Health > Service health in the Microsoft 365 admin center is the dedicated interface for configuring email notifications for service health incidents, including Exchange Online. This allows administrators to specify which email addresses (such as an IT support mailbox) receive alerts for service incidents, advisories, and other health events, with granular control over which services and severity levels trigger notifications.

Exam trap

The trap here is that candidates confuse the 'Notifications' section under Organization profile (which handles admin email notifications for password resets or license assignments) with the service health notification settings, leading them to select Option B instead of navigating to the correct Health > Service health path.

How to eliminate wrong answers

Option B is wrong because 'Organization profile > Notifications > Service health' is not a valid path in the Microsoft 365 admin center; the actual notification settings for service health are located under Health > Service health, not under Organization profile. Option C is wrong because 'Mail flow connectors' are used to configure email routing between Exchange Online and on-premises or third-party email systems, not for setting up service health notifications. Option D is wrong because 'Settings > Service settings' is a generic path that does not exist in the current Microsoft 365 admin center UI; service health notifications are managed under the Health section, not under Settings.

952
MCQmedium

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing a critical cloud application. However, they have a group of service accounts that cannot perform MFA and must be excluded. What is the recommended approach?

A.Create a Conditional Access policy that targets the application, requires MFA, and excludes the service account group
B.Enable per-user MFA for all users, then disable it for each service account
C.Enable Security Defaults
D.Use Identity Protection risk policies
AnswerA

This provides granular control and allows exclusion of service accounts.

Why this answer

Conditional Access policies allow granular control by targeting specific cloud applications and requiring MFA, while excluding groups like service accounts that cannot perform MFA. This approach is the recommended method because it avoids the limitations of per-user MFA (which is deprecated) and Security Defaults (which cannot exclude specific accounts).

Exam trap

The trap here is that candidates may confuse per-user MFA (legacy) with Conditional Access MFA, or assume Security Defaults can be customized with exclusions, when in fact it is a fixed baseline policy.

How to eliminate wrong answers

Option B is wrong because per-user MFA is a legacy, less flexible method that Microsoft recommends against; it cannot be scoped to specific applications and requires manual disabling for each service account, which is error-prone. Option C is wrong because Security Defaults enforces MFA for all users and cannot exclude any accounts, including service accounts, making it unsuitable when exclusions are required. Option D is wrong because Identity Protection risk policies focus on user risk and sign-in risk, not on enforcing MFA for a specific application; they are designed for adaptive access based on risk, not for blanket MFA requirements with exclusions.

953
MCQmedium

Your company uses Microsoft Purview to manage data classification. A user reports that a sensitive document is being blocked from external sharing even though the applied sensitivity label allows external sharing. The document is stored in SharePoint Online. What should you check first?

A.Verify that the sensitivity label is published to the user.
B.Check the DLP policies in Microsoft Purview compliance portal for any rules that block external sharing.
C.Confirm that the document is not under a retention policy.
D.Review the SharePoint external sharing settings for the site collection.
AnswerB

DLP policies can block external sharing even if the label allows it.

Why this answer

The issue is that external sharing is blocked despite a permissive label. This is often caused by a restrictive data loss prevention (DLP) policy overriding the label. Checking DLP policies is the first step.

Option A is wrong because sensitivity labels define encryption and marking, not sharing permissions directly. Option D is wrong because SharePoint sharing settings are tenant-wide and affect all content. Option C is wrong because retention policies do not control sharing.

954
MCQeasy

A company purchases Microsoft 365 E5 licenses for 500 users. The administrator wants to automatically assign licenses to new users based on their group membership. Which method should the administrator use?

A.Run a PowerShell script to assign licenses individually
B.Configure group-based licensing in Microsoft Entra ID
C.Manually assign licenses in the Microsoft 365 admin center for each user
D.Use a volume licensing product key to activate licenses
AnswerB

Group-based licensing assigns licenses automatically to members of a group, including new members.

Why this answer

Group-based licensing in Microsoft Entra ID (formerly Azure AD) allows automatic assignment and removal of licenses based on group membership. When a user is added to a licensed group, the license is automatically assigned; when removed, the license is revoked. This eliminates manual effort and ensures consistent licensing for all 500 users.

Exam trap

The trap here is that candidates often confuse group-based licensing with manual or scripted methods, assuming that PowerShell or the admin center are the only ways to assign licenses, but Microsoft Entra ID's group-based licensing is the correct automated solution for this scenario.

How to eliminate wrong answers

Option A is wrong because running a PowerShell script to assign licenses individually is a manual, scripted approach that does not scale well for 500 users and lacks the automatic, membership-driven assignment required. Option C is wrong because manually assigning licenses in the Microsoft 365 admin center for each user is time-consuming and error-prone, not leveraging automation. Option D is wrong because volume licensing product keys are used for on-premises or subscription activation, not for assigning Microsoft 365 E5 licenses to users in a cloud tenant.

955
MCQhard

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

A.Attack simulation training
B.Threat Explorer
C.User reported settings in the Microsoft 365 Defender portal
D.Safe Links
AnswerC

These settings can be configured to route reported messages for automated investigation and automatically block senders detected as malicious.

Why this answer

User reported settings in the Microsoft 365 Defender portal allow administrators to configure how user-reported messages are handled. When enabled, users can report suspicious emails directly from Outlook, and these reports can automatically trigger an investigation and block the sender via automated investigation and response (AIR) policies. This directly addresses the requirement to have user-reported emails initiate security actions.

Exam trap

The trap here is that candidates often confuse user reporting features with attack simulation training or threat hunting tools, not realizing that the specific setting to enable automated investigation and blocking from user reports is found in the User reported settings within the Microsoft 365 Defender portal.

How to eliminate wrong answers

Option A is wrong because Attack simulation training is a tool for creating and launching simulated phishing campaigns to train users, not for handling real user-reported emails or triggering automated investigations. Option B is wrong because Threat Explorer is a real-time reporting and investigation tool for analyzing threats, but it does not provide a mechanism for users to report emails or automatically block senders based on user reports. Option D is wrong because Safe Links is a time-of-click protection feature that scans URLs in emails and Office documents, but it does not enable user reporting or automated investigation workflows.

956
Multi-Selecthard

Your organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. You need to block users from sharing credit card numbers via email. Which THREE components are required to implement this policy?

Select 3 answers
A.The built-in 'Credit Card Number' sensitive info type.
B.A sensitivity label that identifies credit card information.
C.Microsoft Defender for Cloud Apps.
D.Microsoft Entra ID P2 licenses.
E.A DLP policy configured in the Microsoft Purview compliance portal.
AnswersA, B, E

DLP policies use sensitive info types to detect patterns like credit card numbers.

Why this answer

The built-in 'Credit Card Number' sensitive info type is required because Microsoft Purview DLP policies rely on predefined or custom sensitive information types to detect specific data patterns, such as credit card numbers, using regular expressions and checksums. Without this type, the DLP policy would not know what content to scan for in emails.

Exam trap

The trap here is that candidates often confuse the requirement for a sensitivity label (which is optional for DLP and used for classification, not detection) with the mandatory sensitive info type, or they assume Defender for Cloud Apps is needed for email DLP, when it is only for cloud app shadow IT scenarios.

957
MCQmedium

Your organization is a multinational company with 10,000 users. You use Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Recently, a sophisticated phishing campaign targeted your executives. The campaign used personalized emails with malicious links that bypassed Safe Links protection. Several executives clicked the links and entered their credentials on a fake login page. The attackers then used those credentials to access the executives' mailboxes and exfiltrate sensitive data. You need to implement a solution that prevents similar attacks in the future by automatically blocking access to newly discovered phishing sites and providing real-time protection when users click unknown URLs. The solution should also allow you to simulate phishing campaigns to train users. What should you do?

A.Create a Safe Links policy that blocks all URLs from domains not in the allowed list.
B.Deploy Safe Attachments policies with dynamic delivery and enable 'Automatic forwarding of attachments' for unknown files.
C.Add the known phishing domain to the Tenant Allow/Block List and block it.
D.Configure Attack Simulation Training in Microsoft 365 Defender, create a simulated phishing campaign targeting executives, and use the training to educate users on reporting phishing. Additionally, ensure Safe Links policy uses the 'Do not allow users to click through to the original URL' option and enable 'URL detonation' for unknown URLs.
AnswerD

Attack Simulation Training combined with Safe Links detonation provides proactive protection and user education.

Why this answer

Option D is correct because Attack Simulation Training allows you to create and run simulated phishing campaigns to educate users, and it integrates with Defender for Office 365 to improve detection. Option B is wrong because Safe Attachments handles attachments, not URLs. Option A is wrong because Safe Links already failed to protect; the issue is that the phishing site was new.

Option C is wrong because the Tenant Allow/Block List is reactive, not proactive.

958
MCQeasy

Refer to the exhibit. You run this PowerShell command in your Microsoft 365 tenant. What is the purpose of the command?

A.To list all users with sign-in blocked
B.To list all unlicensed users with a specific usage location
C.To list all unlicensed users in the tenant
D.To list all users who have a license assigned
AnswerC

The filter selects users without a license.

Why this answer

The PowerShell command `Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual` retrieves all users in the Microsoft 365 tenant who have no licenses assigned. The `assignedLicenses/$count eq 0` filter checks that the count of assigned licenses is zero, and `-ConsistencyLevel eventual` is required for advanced queries on directory objects. This directly corresponds to listing all unlicensed users in the tenant.

Exam trap

The trap here is that candidates may confuse the `assignedLicenses/$count eq 0` filter with a filter for unlicensed users in a specific location or with sign-in status, but the command lacks any additional filters for usage location or account status.

How to eliminate wrong answers

Option A is wrong because the command does not filter by `accountEnabled` or `SignInActivity`, which are required to identify users with sign-in blocked. Option B is wrong because the command does not include any filter for `usageLocation`; it only checks for unlicensed users without specifying a location. Option D is wrong because the command explicitly filters for users where `assignedLicenses/$count eq 0`, meaning it returns users without licenses, not those with licenses assigned.

959
Multi-Selectmedium

Which TWO actions can an admin take to reduce the number of passwords in use for end users?

Select 2 answers
A.Enforce complex password policies
B.Enable Windows Hello for Business
C.Configure self-service password reset
D.Implement password hash sync
E.Deploy Microsoft Authenticator for passwordless sign-in
AnswersB, E

Both options enable passwordless sign-in.

Why this answer

Windows Hello for Business replaces traditional password authentication with strong two-factor authentication tied to a user's device, using biometrics or a PIN. This directly reduces the reliance on passwords for end users by enabling passwordless sign-in to Windows devices and integrated applications.

Exam trap

The trap here is that candidates often confuse password reduction with password management improvements, such as SSPR or password policies, which do not actually decrease the number of passwords users must remember.

960
MCQhard

You are reviewing a Conditional Access policy in Microsoft Entra ID. The exhibit shows the policy configuration. You need to allow users to access Office 365 applications from personal devices that are not enrolled in Microsoft Intune. However, the policy currently blocks access because it requires a compliant device. Users are prompted for MFA but then blocked due to device compliance. What should you modify in the policy?

A.Add a session control for sign-in frequency.
B.Remove "compliantDevice" from the builtInControls grant control list.
C.Remove the cloudAppSecurity session control.
D.Change cloudAppSecurityType to "blockDownloads".
AnswerB

Removing the compliant device requirement allows access from any device.

Why this answer

Option B is correct because the policy requires both MFA and a compliant device (grantControls). To allow access from non-compliant devices, remove the compliantDevice requirement and require only MFA. Alternatively, you could add an exclusion for personal devices, but modifying the grant controls is the straightforward fix.

Option D is wrong because changing session controls does not affect grant requirements. Option C is wrong because cloud app security is a session control, not a grant control. Option A is wrong because sign-in frequency is a session control.

961
MCQmedium

You are a Microsoft 365 administrator. A user reports that they cannot send emails to a specific external domain. You check the Exchange Admin Center and see that the domain is not blocked. What should you check next?

A.Verify that the user has a full mailbox and is not over the send limit.
B.Review the outbound spam filter policy.
C.Check the mail flow rules (transport rules) in Exchange Online.
D.Check the spam filter policy to see if the domain is on the blocked sender list.
AnswerC

A mail flow rule could be blocking messages to that domain.

Why this answer

Mail flow rules (transport rules) in Exchange Online can block or redirect messages based on conditions like sender, recipient domain, or message content, even if the domain is not listed in any block list. Since the domain is not blocked in the spam filter or outbound policies, a transport rule is the most likely cause of the issue, as it can silently reject or quarantine messages without appearing in the standard block lists.

Exam trap

The trap here is that candidates often assume domain blocking only occurs in the spam filter or outbound policies, overlooking that transport rules can enforce granular domain-based restrictions that are invisible in those sections.

How to eliminate wrong answers

Option A is wrong because send limits (e.g., 10,000 recipients per day) apply to all external domains equally, not to a specific domain, and the user would typically receive a non-delivery report (NDR) if over the limit. Option B is wrong because the outbound spam filter policy controls bulk email thresholds and sending limits for outbound spam, not the ability to send to a specific domain. Option D is wrong because the spam filter policy's blocked sender list applies to inbound messages (from external senders to your users), not outbound messages sent by your users to external domains.

962
MCQ (easy)

Your organization requires that all administrators use phishing-resistant authentication methods. Which Microsoft Entra ID authentication method meets this requirement?

A. SMS-based verification
B. Microsoft Authenticator push notification
C. Temporary Access Pass
D. FIDO2 security key
Answer: D

FIDO2 is phishing-resistant by design.

Why this answer

FIDO2 security keys are phishing-resistant because they use public key cryptography bound to the origin, so the credential cannot be phished. Option A is wrong because SMS is vulnerable to phishing. Option B is wrong because push notifications can be phished.

Option C is wrong because a Temporary Access Pass is not a primary authentication method.

963
MCQ (easy)

Your company uses Microsoft 365 Business Premium. You need to ensure that all company-owned Windows 10 devices are automatically enrolled in Microsoft Intune when users sign in with their work account. The devices are Azure AD joined. You have configured automatic enrollment in Intune. However, some devices are not enrolling. You need to troubleshoot the issue. What should you check first?

A. Ensure that devices are Azure AD joined and not domain joined.
B. Check the Windows 10 version; version 1607 or later is required.
C. Verify that each user has an appropriate Microsoft Intune license assigned.
D. Check that the MDM authority is set to Microsoft Intune in Microsoft Entra ID.
Answer: C

Without a license, devices cannot enroll in Intune even if automatic enrollment is configured.

Why this answer

Option C is correct because automatic enrollment in Microsoft Intune requires each user to have an appropriate Intune license (e.g., Microsoft 365 Business Premium includes Intune). Without a license, the device will not be able to enroll even if all other prerequisites are met. The license is checked during the enrollment process, and if missing, enrollment fails silently.

Exam trap

The trap here is that candidates often assume device-level prerequisites (like Azure AD join or OS version) are the most common cause, but Microsoft Intune enrollment is user-license-driven, and missing licenses are a frequent real-world issue that is easy to overlook.

How to eliminate wrong answers

Option A is wrong because the question states the devices are already Azure AD joined, so this is not a missing prerequisite; checking this again would not resolve the issue. Option B is wrong because Windows 10 version 1607 or later is a requirement, but the question does not indicate that devices are running an older version; this is a secondary check, not the first step. Option D is wrong because the MDM authority is automatically set to Microsoft Intune when you configure automatic enrollment in the Microsoft Entra admin center; if it were not set, no devices would enroll, but the question states that some devices are enrolling, so this is not the immediate issue.

964
MCQ (hard)

Your company is migrating from an on-premises file server to SharePoint Online. You need to ensure that files containing personally identifiable information (PII) are automatically detected and classified with a sensitivity label. What should you use?

A. A retention label auto-applied by a trainable classifier.
B. Microsoft Information Protection scanner.
C. A DLP policy to block sharing of PII.
D. Auto-labeling for sensitivity labels in Microsoft 365.
Answer: D

Auto-labeling can scan SharePoint sites and apply labels automatically.

Why this answer

Auto-labeling for sensitivity labels can scan files at rest in SharePoint and apply labels based on sensitive information types, so Option D is correct. Option B is wrong because the Microsoft Information Protection scanner is for on-premises file servers, not SharePoint.

Option C is wrong because DLP policies do not apply labels. Option A is wrong because retention labels are for lifecycle management, not classification.

965
Multi-Select (hard)

An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)

Select 2 answers
A. Device platform
B. User risk
C. Authentication strength
D. Application ID
Answers: A, B

Device platform is a standard condition in Conditional Access that allows policies to be scoped based on the user's device operating system.

Why this answer

Device platform is a valid condition in Microsoft Entra Conditional Access policies, allowing administrators to target specific operating systems such as Windows, macOS, iOS, or Android. This enables granular control over access based on the device type, which is essential for enforcing security requirements like requiring compliant devices on certain platforms.

Exam trap

The trap here is that candidates confuse 'conditions' (which evaluate the request context) with 'grant controls' (which enforce actions like requiring MFA or authentication strength), leading them to select Authentication strength as a condition instead of a control.

966
MCQ (medium)

An organization uses a third-party SaaS application that supports SAML-based single sign-on. The application is not in the Azure AD gallery. What is the first step to configure SSO?

A. Create a new enterprise application from the 'Non-gallery application' option in Azure AD
B. Configure Azure AD Connect to sync on-premises users
C. Add the application in the Microsoft 365 admin center under 'Integrated apps'
D. Create a custom role in Azure AD for the application
Answer: A

This is the standard first step for integrating a custom SAML application that is not pre-listed in the gallery.

Why this answer

The correct first step is to create a new enterprise application from the 'Non-gallery application' option in Azure AD. This allows you to configure SAML-based SSO for any third-party application that supports SAML 2.0, even if it is not listed in the Azure AD gallery. The non-gallery application template provides the necessary endpoints and metadata to establish trust between Azure AD and the SaaS application.

Exam trap

The trap here is that candidates often confuse the 'Integrated apps' section in the Microsoft 365 admin center with Azure AD enterprise applications, but the former is for managing add-ins and the latter is the correct location for SAML SSO configuration.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect is used to synchronize on-premises Active Directory users to Azure AD, not to configure SSO for a third-party SaaS application. Option C is wrong because the Microsoft 365 admin center 'Integrated apps' section is for managing Microsoft 365 add-ins and integrations, not for configuring SAML-based SSO with external applications. Option D is wrong because custom roles in Azure AD are for managing administrative permissions, not for configuring application SSO.

967
Multi-Select (hard)

A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)

Select 2 answers
A. Cloud Discovery
B. App Connectors
C. Conditional Access App Control
D. API connectors
Answers: A, C

Cloud Discovery identifies cloud apps being used in the organization.

Why this answer

Cloud Discovery (A) is correct because it analyzes traffic logs from your network to identify all cloud apps in use, providing visibility into sanctioned and unsanctioned apps. Conditional Access App Control (C) is correct because it enforces real-time access controls via a reverse proxy, allowing you to block unsanctioned apps as users attempt to access them.

Exam trap

The trap here is confusing App Connectors/API connectors (which provide API-based control for specific apps) with the reverse proxy and discovery capabilities of Cloud Discovery and Conditional Access App Control, leading candidates to select options that manage existing apps rather than discover and block unsanctioned ones.

968
MCQ (hard)

An administrator is creating a Microsoft Purview auto-labeling policy for documents containing personally identifiable information. Before turning the policy on automatically, what should the administrator do to reduce false positives?

A. Run the auto-labeling policy in simulation mode and review matches
B. Publish the label directly to all users and enable automatic application immediately
C. Create an eDiscovery hold for the SharePoint locations
D. Configure a retention policy before creating the sensitivity label
Answer: A

Simulation mode validates the detection logic and helps tune the policy before enforcement.

Why this answer

Running the auto-labeling policy in simulation mode allows the administrator to review which documents would be matched by the policy without actually applying labels. This enables analysis of the detection results to identify and reduce false positives before enabling automatic application, ensuring the policy accurately targets only documents containing the specified PII.

Exam trap

The trap here is that candidates may confuse simulation mode with other compliance features like eDiscovery or retention, or assume that immediate application is safe because the policy uses predefined PII types, but Microsoft explicitly recommends simulation mode to validate and reduce false positives before enabling automatic labeling.

How to eliminate wrong answers

Option B is wrong because publishing the label to all users and enabling automatic application immediately skips the validation step, leading to potential false positives and incorrect labeling across the tenant. Option C is wrong because an eDiscovery hold is used to preserve content for legal or investigative purposes, not to test or refine auto-labeling policy accuracy. Option D is wrong because configuring a retention policy before creating the sensitivity label does not address false positives; retention policies manage data lifecycle, not classification accuracy.

969
MCQ (hard)

Your organization has a Microsoft 365 E5 tenant. You want to ensure that all users are automatically signed in to Microsoft 365 apps using single sign-on (SSO) when they are on the corporate network. You have Azure AD joined the devices. What additional configuration is required?

A. Enable Azure AD Seamless Single Sign-On.
B. No additional configuration is required; Azure AD joined devices provide SSO automatically.
C. Configure Azure AD Application Proxy for each app.
D. Deploy a trusted certificate for the corporate network.
Answer: B

The PRT on Azure AD joined devices provides automatic SSO.

Why this answer

Azure AD joined devices are already registered with Azure AD and use the Primary Refresh Token (PRT) to enable seamless SSO for Microsoft 365 apps without any additional configuration. When a user signs into a Windows 10/11 device that is Azure AD joined, the PRT is obtained during the initial authentication and is automatically used for browser and app sign-ins on the corporate network. Therefore, no extra steps like enabling Seamless SSO or deploying certificates are needed.

Exam trap

The trap here is that candidates often confuse Azure AD Seamless SSO (which is for non-Azure AD joined devices) with the built-in SSO capability of Azure AD joined devices, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because Azure AD Seamless Single Sign-On is a separate feature for non-Azure AD joined devices (e.g., domain-joined or non-joined devices) that relies on Kerberos delegation; it is unnecessary when devices are already Azure AD joined, as the PRT handles SSO natively. Option C is wrong because Azure AD Application Proxy is designed for publishing on-premises apps externally, not for enabling SSO on the corporate network for Microsoft 365 apps. Option D is wrong because deploying a trusted certificate is not required for SSO on Azure AD joined devices; the PRT-based SSO uses Azure AD's token infrastructure and does not depend on a locally trusted certificate for authentication.

970
MCQ (hard)

An organization needs to restrict access to Microsoft 365 admin center to only specific users. Which approach should be used?

A. Enable MFA for all admins
B. Create a Conditional Access policy targeting the Microsoft Admin Portals cloud app
C. Assign Global Admin role only to required users
D. Use Privileged Identity Management
Answer: B

A Conditional Access policy can block access to the admin portals for specified users.

Why this answer

Option B is correct because a Conditional Access policy targeting the 'Microsoft Admin Portals' cloud app allows granular control over which users can access the Microsoft 365 admin center. This policy can enforce conditions such as user/group membership, device compliance, or location to restrict access, ensuring only specific authorized users can reach the admin portals.

Exam trap

The trap here is that candidates often confuse role-based access control (assigning Global Admin) with access control to the admin center itself, assuming limiting role assignments is sufficient, but Conditional Access policies are required to explicitly block or allow access to the admin portals regardless of role membership.

How to eliminate wrong answers

Option A is wrong because enabling MFA for all admins enhances authentication security but does not restrict which users can access the admin center; any user with admin roles can still sign in after MFA. Option C is wrong because assigning the Global Admin role only to required users limits administrative privileges but does not prevent those users from accessing the admin center; the goal is to restrict access to the admin center itself, not just the role assignment. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows, but it does not directly block access to the admin center; users with eligible roles can still activate and access it unless combined with a Conditional Access policy.

971
Multi-Select (hard)

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block the use of a newly discovered cloud app that is classified as 'high risk' by the Cloud App Catalog. Which THREE actions should you take? (Choose three.)

Select 3 answers
A. Create a session policy to block downloads or uploads for the app.
B. Create an access policy to block access for the app.
C. Sanction the app in the Cloud App Catalog.
D. Create an app discovery policy for the app.
E. Unsanction the app in the Cloud App Catalog.
Answers: A, B, C

Session policies can control actions in real-time.

Why this answer

A, B, and C are correct. Sanctioning the app is required before policies can be applied to it. A session policy can block uploads and downloads, and an access policy can block access.

E is wrong because unsanctioning the app alone does not block it; policies must be enforced. D is wrong because an app discovery policy only identifies apps; it does not block them.

972
MCQ (medium)

An administrator wants to prevent users from inviting guest users from the domain 'contoso.com' to the tenant. The administrator needs to block all invitations for that specific domain while allowing invitations from all other external domains. Which setting in Microsoft Entra ID should be configured?

A. Cross-tenant access settings
B. External collaboration settings
C. User settings
D. Domain federation
Answer: B

External collaboration settings allow you to block invitations to specific domains by adding them to the blocked domains list.

Why this answer

External collaboration settings in Microsoft Entra ID (formerly Azure AD) allow administrators to configure domain-based restrictions for B2B collaboration invitations. By adding 'contoso.com' to the 'Deny list' under 'Cross-tenant access settings' or specifically within the 'External collaboration settings' blade, invitations to that domain are blocked while all other external domains remain allowed. This setting directly controls the guest invitation behavior at the domain level.

Exam trap

The trap here is that candidates often confuse 'Cross-tenant access settings' (which manage tenant-to-tenant trust and access) with 'External collaboration settings' (which control domain-level invitation restrictions), leading them to select Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Cross-tenant access settings control inbound and outbound access for specific tenants, not domain-based invitation blocking for all external domains; they are used for granular trust and access policies between tenants. Option C is wrong because User settings in Entra ID manage user permissions like self-service group creation or sign-in restrictions, not domain-level guest invitation blocking. Option D is wrong because Domain federation configures trust relationships for authentication (e.g., SAML/WS-Fed) with external identity providers, not invitation restrictions for specific domains.

973
Multi-Select (hard)

A security analyst is investigating a potential attack where a user received a malicious email with an HTML attachment. The HTML file, when opened, fetched a JavaScript payload from a remote server that then dropped a binary on the user's machine and executed it. The analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when an email contains an HTML attachment with an external link, and that attachment is opened, causing a process creation. Which two tables should the analyst join in the KQL query to correlate the email attachment with the resulting process?

Select 2 answers
A. EmailAttachmentInfo and DeviceProcessEvents
B. EmailEvents and DeviceProcessEvents
C. EmailAttachmentInfo and DeviceFileEvents
D. EmailUrlInfo and DeviceProcessEvents
Answers: A, B

Correct. Join these tables on the SHA256 hash of the attachment to link the email attachment to a specific process that was created after the attachment was opened.

Why this answer

Option A is correct because the analyst needs to correlate the email attachment (identified by its SHA256 hash in EmailAttachmentInfo) with the process creation event (DeviceProcessEvents) that occurs when the HTML attachment is opened and executes a binary. Joining these two tables on the SHA256 hash of the attachment allows the query to trace from the malicious email attachment directly to the resulting process on the same device, fulfilling the detection requirement.

Exam trap

The trap here is that candidates often confuse EmailEvents (email metadata) with EmailAttachmentInfo (attachment details), or mistakenly think DeviceFileEvents (file events) can substitute for DeviceProcessEvents (process creation), when only the hash-based join between EmailAttachmentInfo and DeviceProcessEvents directly links the attachment to its execution.

974
MCQ (hard)

Refer to the exhibit. You have two DLP compliance rules as shown. A user sends an email containing both PII and credit card numbers. Which rule will be applied?

A. Block PII rule only
B. Block Credit Cards rule only
C. Neither rule will apply because they conflict.
D. Both rules will be evaluated, and the most restrictive action will be applied.
Answer: D

DLP evaluates all matching rules and applies the most restrictive action. Since both block, the block action is applied.

Why this answer

Option D is correct because DLP evaluates all matching rules and applies the most restrictive action. Both rules have BlockAccess, so both would block; in practice the system applies the highest-priority rule (lowest number) or the most restrictive action, and here the rule with priority 1 (Block Credit Cards) takes precedence.

Either way, both rules are evaluated and the most restrictive action is applied; since both block, the message is blocked. Among the given options, D correctly states this.

975
MCQ (medium)

A company wants to allow users to reset their own forgotten passwords using a mobile app notification as the verification method. Which Microsoft Entra feature should be enabled and configured?

A. Azure AD Password Protection
B. Self-service password reset
C. Privileged Identity Management
D. Identity Protection
Answer: B

Correct. SSPR can be configured to allow mobile app notification as a verification method for password resets.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature that allows users to reset their own forgotten passwords. To use a mobile app notification as the verification method, the administrator must enable SSPR and configure the 'Mobile app notification' authentication method under the 'Authentication methods' policy. This satisfies the requirement for a password reset triggered by a mobile app notification.

Exam trap

The trap here is that candidates often confuse Identity Protection (which can trigger a password reset based on risk) with the actual self-service password reset feature, forgetting that Identity Protection only initiates the reset process but does not provide the user-facing portal or verification methods for forgotten passwords.

How to eliminate wrong answers

Option A is wrong because Azure AD Password Protection is a feature that detects and blocks weak passwords and password spray attacks, not a mechanism for users to reset their own passwords. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation, not self-service password reset for end users. Option D is wrong because Identity Protection uses risk-based policies to detect and respond to identity threats, such as risky sign-ins or leaked credentials, but does not enable users to reset their own passwords.
