Microsoft 365 Administrator MS-102 (MS-102) — Questions 76-150

975 questions total · 13 pages · All types, answers revealed

Page 2 of 13
76
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. The security team wants to require multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'BreakGlass' must be excluded from MFA requirements. Additionally, the company wants to block legacy authentication protocols. Which approach should the administrator use?

A. Create one Conditional Access policy for MFA (targeting all users, excluding BreakGlass, with location condition) and another policy to block legacy authentication (targeting all users, with client apps condition)
B. Create a single Conditional Access policy that grants access only if MFA is performed and block legacy client apps in the same policy
C. Enable Security defaults in Entra ID
D. Use baseline Conditional Access policies
Answer: A

Correct. Separate policies allow independent management and clear condition targeting.

Why this answer

Option A is correct because it separates the MFA requirement and legacy authentication block into two distinct Conditional Access policies, which is the recommended approach for granular control. The MFA policy targets all users except the BreakGlass group and uses the location condition to require MFA only from untrusted networks. The second policy blocks legacy authentication by targeting all users with the client apps condition set to 'Exchange ActiveSync clients' and 'Other clients', effectively preventing protocols like POP3, IMAP, and SMTP from bypassing modern authentication.

Exam trap

The trap here is that candidates often think a single Conditional Access policy can logically combine a block and a grant control, but Microsoft's policy engine evaluates all conditions and controls together, so a block control overrides any grant control, making it impossible to require MFA while also blocking legacy clients in the same policy without unintended consequences.

How to eliminate wrong answers

Option B is wrong because combining the MFA grant control and the block legacy client apps control in a single policy would cause the policy to evaluate both conditions simultaneously; if a user accesses from a trusted location but uses a legacy client, the policy would still block access, but the MFA requirement would not apply as expected, leading to inconsistent behavior. Option C is wrong because Security defaults enforces MFA for all users, including the BreakGlass group, and does not allow exclusion of specific groups or granular location-based conditions; it also blocks legacy authentication but lacks the flexibility to exclude break-glass accounts. Option D is wrong because baseline Conditional Access policies are deprecated and do not support the exclusion of a BreakGlass group or the precise location-based MFA requirement; they are rigid and cannot be customized to meet the specified requirements.

77
MCQ · medium

A company wants to ensure that all new users created in Microsoft 365 are automatically assigned a specific set of licenses based on their department. The company has 200 users across Sales, Marketing, and IT departments. Each department uses different Microsoft 365 license plans. Which approach should the administrator use?

A. Create a PowerShell script that runs on a schedule to assign licenses based on department attribute.
B. Use group-based licensing and assign each department's users to a security group with the appropriate license.
C. Use Azure AD Dynamic Groups to automatically add users to groups based on department, and then assign licenses to those groups.
D. Manually assign licenses to each user after creation.
Answer: C

Dynamic groups combined with group-based licensing provide fully automatic license assignment based on user attributes.

Why this answer

Option C is correct because Azure AD Dynamic Groups can automatically add users to groups based on their department attribute (e.g., using a rule like `user.department -eq "Sales"`), and group-based licensing can then assign the appropriate Microsoft 365 license plan to each dynamic group. This ensures that any new user created with the correct department attribute is automatically added to the corresponding group and receives the license without manual intervention or scheduled scripts.

Exam trap

The trap here is that candidates often confuse 'group-based licensing' (which requires groups to be populated) with 'dynamic groups' (which automate group membership), leading them to choose Option B because they think group-based licensing alone is sufficient, but without dynamic groups, the groups must be manually maintained.

How to eliminate wrong answers

Option A is wrong because a scheduled PowerShell script introduces latency (users may not get licenses until the script runs), requires maintenance, and is less reliable than Azure AD's native automatic licensing engine. Option B is wrong because it suggests manually assigning users to security groups, which does not automate the process for new users; group-based licensing requires the groups to be populated automatically (via dynamic groups) to achieve the stated goal. Option D is wrong because manual assignment is not scalable for 200 users and does not meet the requirement of automatic license assignment for new users.

78
MCQ · medium

A security analyst has identified a new malware sample with a specific SHA256 hash. The analyst needs to immediately block this file from executing on any managed endpoint across the organization, including prevention of future execution. Which Microsoft Defender for Endpoint capability should the analyst use?

A. Attack surface reduction (ASR) rules
B. Indicators (IoCs) for file hashes
C. Custom detection rules via advanced hunting
D. Microsoft Defender Vulnerability Management
Answer: B

Indicators for file hashes with action 'Block and Remediate' block execution of the specific file across all endpoints and remove it if found.

Why this answer

Option B is correct because Indicators of Compromise (IoCs) for file hashes in Microsoft Defender for Endpoint allow an analyst to create a block indicator for a specific SHA256 hash. This action immediately prevents the file from executing on any managed endpoint and persists across reboots, effectively blocking future execution attempts. Unlike other capabilities, IoCs provide a direct, hash-based block that is enforced by the Microsoft Defender Antivirus engine at the point of execution.

Exam trap

The trap here is that candidates often confuse ASR rules (which block behaviors) with IoC-based blocking (which blocks specific file hashes), or they assume custom detection rules can directly block execution when they only generate alerts or run limited response actions.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are behavior-based policies that reduce the attack surface by blocking common malware behaviors (e.g., Office apps creating child processes), not by blocking specific file hashes. Option C is wrong because Custom detection rules via advanced hunting are used to create custom alerts based on query results, but they do not directly block file execution; they only trigger alerts or run response actions that may not be immediate or persistent. Option D is wrong because Microsoft Defender Vulnerability Management focuses on identifying, assessing, and remediating vulnerabilities (e.g., missing patches), not on blocking specific malware file hashes.

79
Multi-Select · hard

Your company uses Microsoft Entra ID P2. You need to configure Identity Protection to automatically remediate high-risk users. Which THREE actions can you configure?

Select 3 answers
A. Require password change
B. Send email to user
C. Block sign-in
D. Require re-registration of MFA
E. Require multifactor authentication
Answers: A, C, E

Standard remediation for compromised users.

Why this answer

Option A (Require password change) is correct for high-risk users. Option C (Block sign-in) is correct as a remediation. Option E (Require multifactor authentication) is correct.

Option D (Require re-registration of MFA) is for MFA registration, not remediation. Option B (Send email to user) is a notification, not remediation.

80
MCQ · medium

You are reviewing a Microsoft Defender for Cloud Apps policy JSON. What does this policy do?

A. Blocks sign-ins from a specific IP address range
B. Blocks sign-ins from anonymous proxy IP addresses
C. Alerts when a sign-in occurs from an anonymous proxy
D. Blocks sign-ins from risky sessions based on user behavior
Answer: B

The filter specifies IP category as AnonymousProxy.

Why this answer

Option B is correct. The policy blocks sign-ins from anonymous proxy IP addresses. Option A is wrong because the filter is on IP address category, not location.

Option C is wrong because the action is Block, not alert. Option D is wrong because it blocks sign-ins, not sessions.

81
MCQ · medium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You need to configure a conditional access policy that blocks access from devices that are not compliant with your organization's device compliance policies, as defined by Microsoft Intune. Which assignment should you configure in the policy?

A. Grant > Require hybrid Azure AD joined device
B. Grant > Require multifactor authentication
C. Grant > Require device to be marked as compliant
D. Grant > Require approved client app
Answer: C

This enforces Intune device compliance.

Why this answer

Option C is correct because the 'Require device to be marked as compliant' grant control in a Conditional Access policy enforces access decisions based on the compliance status reported by Microsoft Intune. When a device is marked as non-compliant by Intune (e.g., missing required updates or having an unapproved app), the policy blocks access. This directly meets the requirement to block devices that do not meet the organization's device compliance policies.

Exam trap

The trap here is that candidates often confuse 'device compliance' with 'hybrid Azure AD join' or 'MFA', assuming any of those controls enforce device health, but only the 'Require device to be marked as compliant' grant directly uses Intune's compliance evaluation.

How to eliminate wrong answers

Option A is wrong because 'Require hybrid Azure AD joined device' controls access based on domain join status, not Intune compliance; a hybrid joined device could still be non-compliant with Intune policies. Option B is wrong because 'Require multifactor authentication' addresses identity verification, not device health or compliance; a non-compliant device can still satisfy MFA. Option D is wrong because 'Require approved client app' restricts access to specific applications (e.g., Outlook mobile) but does not evaluate the device's compliance with Intune policies.

82
MCQ · hard

The security team at Contoso wants to require that any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM) must be approved by members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to achieve this?

A. The role settings for Global Administrator, on the Activation tab
B. The role settings for Global Administrator, on the Assignment tab
C. The role settings for Global Administrator, on the Notification tab
D. The role settings for Global Administrator, on the Alert tab
Answer: A

Activation settings control approval, justification, and duration for role activations.

Why this answer

Option A is correct because the Activation tab in the role settings for Global Administrator allows you to configure approval requirements, justification, and maximum activation duration. By setting 'Require approval to activate' to 'Enabled' and specifying the 'GA-Approvers' group as the approver, requiring a business justification, and setting the activation maximum duration to 4 hours, you meet all the stated requirements.

Exam trap

The trap here is that candidates often confuse the Assignment tab (which deals with role eligibility duration and permanent assignment) with the Activation tab (which controls the activation process including approval, justification, and maximum activation time).

How to eliminate wrong answers

Option B is wrong because the Assignment tab controls settings for eligible and active assignments (such as assignment duration and whether permanent assignment is allowed), not the activation process. Option C is wrong because the Notification tab configures email alerts for role activations, assignments, or alerts, but does not control approval, justification, or duration settings. Option D is wrong because the Alert tab manages security alerts and risk-based policies, not the activation approval workflow or duration.

83
MCQ · medium

A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?

A. Cloud Discovery
B. App Connectors
C. Conditional Access App Control
D. Activity policies
Answer: C

Conditional Access App Control uses a reverse proxy to monitor and control sessions in real time, enabling block actions.

Why this answer

Conditional Access App Control (CAAC) is the correct component because it enables real-time session-level monitoring and control of user activities in SaaS apps like Salesforce. By integrating with Azure AD Conditional Access, CAAC can enforce policies to block downloads of sensitive files to unmanaged devices at the moment of access, using reverse proxy architecture to inspect and intervene in the traffic.

Exam trap

The trap here is that candidates often confuse App Connectors (API-based governance) with Conditional Access App Control (proxy-based real-time control), assuming both can block downloads in real time, but only the reverse proxy can intercept and block actions during the session.

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is used to identify shadow IT and analyze traffic logs to discover cloud apps in use, not to enforce real-time blocking policies on managed SaaS apps. Option B is wrong because App Connectors are used for API-based integration to scan and govern data at rest (e.g., applying DLP labels or quarantine), not for real-time session control of downloads. Option D is wrong because Activity policies are reactive, rule-based alerts triggered after an activity occurs (e.g., multiple failed logins), and cannot block actions in real time during the session.

84
MCQ · hard

Refer to the exhibit. You run this PowerShell script to disable high-risk users. However, some high-risk users remain enabled. What is the most likely reason?

A. The Set-AzureADUser cmdlet fails for disabled users
B. The script does not have permission to read risky users
C. High-risk users are protected by a Conditional Access policy
D. The Get-AzureADIdentityRiskyUser cmdlet does not support the -Filter parameter
Answer: D

The correct syntax is `Get-AzureADIdentityRiskyUser -Filter "riskLevel eq 'high'"` but the script filters by userPrincipalName first, then checks riskLevel, which might not work as expected because the filter might be invalid.

Why this answer

The Get-AzureADIdentityRiskyUser cmdlet does not support the -Filter parameter. This means the script's attempt to filter for high-risk users using -Filter "riskLevel eq high" will fail, returning no users or an error, so the subsequent Set-AzureADUser cmdlet never runs against the intended high-risk users, leaving them enabled.

Exam trap

Microsoft often tests the misconception that all Get-* cmdlets in Azure AD support the -Filter parameter, when in reality some cmdlets like Get-AzureADIdentityRiskyUser have limited or no filter support, leading candidates to overlook the need for client-side filtering.

How to eliminate wrong answers

Option A is wrong because Set-AzureADUser does not fail for disabled users; it can modify disabled users, and the issue is that the cmdlet never receives the target users. Option B is wrong because, although the script needs permission to read risky users (e.g., IdentityRiskyUser.Read.All), a missing permission would produce an access denied error rather than a silent failure to return users; the core problem is the unsupported filter. Option C is wrong because Conditional Access policies do not protect users from being modified by administrative scripts; they enforce access controls during sign-in, not against PowerShell cmdlets.

85
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You need to configure automated remediation for a confirmed phishing email that was delivered to a user's inbox. The remediation should also block the sender's domain across the tenant. Which action should you include in the automation playbook?

A. Create an attack simulation training campaign for the affected user
B. Create a data loss prevention policy to classify the email as malicious
C. Create a playbook in Microsoft Defender XDR that triggers automated actions
D. Configure a Safe Links policy to block the URL at click time
Answer: C

Playbooks can automate remediation actions like soft-delete and domain block.

Why this answer

Option C is correct because a playbook in Microsoft Defender XDR can trigger automatic remediation actions such as soft-deleting emails and blocking sender domains. Option A is wrong because attack simulation is for testing, not remediation. Option D is wrong because Safe Links policies protect links; they do not remediate delivered emails.

Option B is wrong because data loss prevention policies focus on data classification, not email remediation.

86
MCQ · medium

A company uses Microsoft Entra ID and has enabled self-service password reset (SSPR). Users are required to register for SSPR. Management wants to ensure that users from the HR department, who handle sensitive data, must use two methods for authentication during SSPR, while other users can use one method. What is the best way to achieve this?

A. Create a separate SSPR policy for the HR department using PowerShell
B. Use Microsoft Entra ID Governance to create an access package that requires two methods
C. Assign the HR users to a group and configure the SSPR policy for that group in the Entra admin center
D. This is not possible because SSPR authentication method requirements are tenant-wide
Answer: D

SSPR settings are global; you cannot enforce different numbers of methods per group. To achieve this, you would need separate tenants or use Conditional Access for MFA.

Why this answer

SSPR authentication method requirements in Microsoft Entra ID are configured at the tenant level, not per user or group. This means you cannot specify that one group of users must use two methods while others use one; the number of methods required applies uniformly to all users enabled for SSPR. Therefore, option D is correct because the requirement cannot be differentiated by department or group.

Exam trap

The trap here is that candidates assume group-based targeting for SSPR extends to authentication method requirements, when in reality group targeting only controls which users are enabled for SSPR, not the number of methods required, which is a tenant-wide setting.

How to eliminate wrong answers

Option A is wrong because PowerShell can be used to configure SSPR settings, but it cannot override the tenant-wide nature of authentication method requirements; any policy created would still apply to all users. Option B is wrong because Microsoft Entra ID Governance access packages manage resource access and entitlements, not SSPR authentication method requirements, which are a separate feature. Option C is wrong because while you can target SSPR to a group, the number of methods required is a tenant-wide setting and cannot be configured per group in the Entra admin center.

87
MCQ · easy

A user reports that they cannot access their Microsoft 365 mailbox from the Outlook desktop client, but they can access it via Outlook on the web. Other users in the same tenant are not experiencing issues. What is the most likely cause?

A. There is a service incident affecting only the Outlook desktop client.
B. The user's Outlook profile is corrupted or needs to be re-created.
C. The user's account has been disabled.
D. The user's Microsoft 365 license has expired.
Answer: B

Correct: A corrupted profile can prevent desktop client access while OWA works fine.

Why this answer

If a user can access via OWA but not Outlook desktop, it usually indicates an authentication or client configuration issue rather than a service outage. A disabled account would affect both clients. A service incident would affect many users.

License issues would also affect OWA. The most likely cause is that the user's Outlook profile is corrupted or the authentication token has expired.

88
MCQ · easy

You are a Microsoft 365 administrator for a small business with 50 users. The company is using Microsoft 365 Business Basic. You need to configure email for the custom domain contoso.com. You have added the domain in the Microsoft 365 admin center and verified ownership. Users currently have onmicrosoft.com email addresses. You need to change the primary email address for all users to their custom domain (e.g., user@contoso.com). What should you do?

A. Remove the onmicrosoft.com domain from the tenant.
B. Convert all mailboxes to shared mailboxes and reassign licenses.
C. Change the primary email address for each user to user@contoso.com in the admin center.
D. Configure the MX record for contoso.com to point to Exchange Online.
Answer: C

After domain verification, you can update user email addresses.

Why this answer

Option C is correct because in Microsoft 365, after adding and verifying a custom domain, you must manually update each user's primary email address (User Principal Name and primary SMTP address) from the default onmicrosoft.com domain to the custom domain. This is done in the Microsoft 365 admin center under Users > Active Users, by editing the username and email fields. Simply adding the domain does not automatically change existing user addresses.

Exam trap

The trap here is that candidates assume adding and verifying a custom domain automatically updates existing user email addresses, when in fact it only makes the domain available for use, requiring manual or scripted updates per user.

How to eliminate wrong answers

Option A is wrong because removing the onmicrosoft.com domain is not possible—it is a reserved default domain that cannot be deleted, and doing so would break authentication and routing for users still using it. Option B is wrong because converting mailboxes to shared mailboxes and reassigning licenses does not change the primary email address; shared mailboxes have their own SMTP addresses and are not a mechanism for domain migration. Option D is wrong because configuring the MX record for contoso.com to point to Exchange Online is a DNS step for mail routing, but it does not change the primary email address of existing users; that requires explicit user attribute updates.

89
MCQ · hard

Your company has a Microsoft 365 tenant with Microsoft Entra ID. You are configuring Conditional Access policies to enforce multifactor authentication (MFA) for all users. However, you want to exclude break-glass emergency access accounts from MFA. What is the recommended best practice for managing these emergency access accounts?

A. Disable sign-in for the emergency access accounts until needed
B. Make the emergency access accounts cloud-only and enforce MFA
C. Configure the emergency access accounts with a long, complex password and exclude them from MFA policies
D. Assign FIDO2 security keys to the emergency access accounts
Answer: C

This ensures access during emergencies without MFA.

Why this answer

Option C is correct because Microsoft recommends that emergency access accounts be configured with a long, complex password and excluded from MFA policies to ensure access during outages. Option D is wrong because FIDO2 keys are not recommended for emergency accounts. Option B is wrong because, although emergency access accounts should be cloud-only, enforcing MFA on them defeats the requirement to exclude them from MFA.

Option A is wrong because disabling sign-in for emergency accounts would prevent their use.

90
MCQ · medium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate the alert. Which log should you analyze in Microsoft Defender for Identity?

A. Lateral movement paths
B. Entity profile
C. Network activities
D. Security alerts
Answer: C

Network activities include Kerberos requests and other protocol activities.

Why this answer

Option C is correct because Kerberos ticket requests are captured as network activities. Option A is wrong because lateral movement paths show potential attack paths. Option B is wrong because entity profiles show user or machine details.

Option D is wrong because security alerts are the alerts themselves, not the underlying data.

91
MCQ · medium

An administrator wants to receive real-time notifications for service incidents in Microsoft 365. The notifications must be sent to a Microsoft Teams channel instead of email. Which configuration should the administrator set up?

A. Configure a webhook connector in Microsoft Teams to subscribe to the Office 365 Service Communications API.
B. Configure an email notification rule in the Microsoft 365 admin center and forward it to a Teams email address.
C. Use Power Automate to check service health and post to Teams every 5 minutes.
D. Configure a message center alert to email and then use a third-party integration to post to Teams.
Answer: A

The Office 365 Service Communications API webhook allows Teams to receive service health notifications. Setting up the connector is the standard method.

Why this answer

Option A is correct because the Office 365 Service Communications API provides real-time webhook-based notifications for service incidents. By configuring a webhook connector in Microsoft Teams, the administrator can subscribe to this API and receive incident alerts directly in a Teams channel without polling or email forwarding.

Exam trap

The trap here is that candidates may assume Power Automate or email forwarding is sufficient for real-time needs, but the exam specifically tests the understanding that webhook subscriptions to the Service Communications API are the only method that guarantees real-time, push-based notifications to a Teams channel.

How to eliminate wrong answers

Option B is wrong because forwarding an email notification to a Teams email address does not provide real-time delivery; Teams email integration is asynchronous and subject to delays, and the admin center email rules do not support direct Teams channel posting. Option C is wrong because Power Automate polling every 5 minutes introduces latency and is not real-time; the requirement specifies real-time notifications, which the Service Communications API webhook delivers instantly. Option D is wrong because it adds unnecessary complexity and delay by relying on email as an intermediary and a third-party integration, whereas a native webhook connector directly subscribes to the API for immediate delivery.

92
MCQ · easy

You need to ensure that all Microsoft 365 users in your organization have a consistent password policy that requires passwords to be at least 12 characters and include complexity requirements. What should you configure?

A. Device compliance policy in Microsoft Intune
B. Outlook on the web mailbox policy
C. Password policy in Microsoft Entra ID
D. Data loss prevention policy in Microsoft Purview
Answer: C

Entra ID holds the password policy for cloud users.

Why this answer

Microsoft Entra ID (formerly Azure AD) is the identity service that enforces tenant-wide password policies for cloud-only user accounts. Configuring the password policy in Entra ID allows you to set minimum length (e.g., 12 characters) and complexity requirements (e.g., must include uppercase, lowercase, digits, and special characters) that apply to all Microsoft 365 users. This is the correct location because Entra ID is the authoritative source for authentication policies in a Microsoft 365 tenant.

Exam trap

The trap here is that candidates often confuse device-level password policies (Intune compliance) with user-level password policies (Entra ID), leading them to choose Option A when the question specifically asks for a consistent password policy for all Microsoft 365 users, not just for managed devices.

How to eliminate wrong answers

Option A is wrong because Device compliance policy in Microsoft Intune controls device-level settings (e.g., encryption, jailbreak detection) and can enforce password length on the device itself, but it does not set the cloud-based password policy for user accounts in Microsoft 365. Option B is wrong because Outlook on the web mailbox policy manages mailbox features and settings (e.g., message format, retention) and has no influence on password length or complexity requirements. Option D is wrong because Data loss prevention policy in Microsoft Purview is designed to protect sensitive data from being shared or leaked (e.g., credit card numbers, PII) and does not manage user authentication or password policies.

93
MCQ · hard

Your company uses Microsoft Entra ID and has a hybrid identity with PHS. You need to ensure that when an on-premises user account is disabled, the corresponding cloud user is also blocked from signing in within 5 minutes. What should you configure?

A. Deploy Azure AD Connect cloud sync
B. Enable password writeback
C. Configure Azure AD Connect to sync the 'userAccountControl' attribute
D. Configure Microsoft Entra Connect Sync to use filtered synchronization
Answer: A

Cloud sync can sync changes more frequently, down to 1 minute, meeting the 5-minute requirement.

Why this answer

Option A is correct because Azure AD Connect cloud sync can synchronize directory changes far more frequently than the 30-minute default cycle of Microsoft Entra Connect Sync, so a disabled on-premises account is blocked in the cloud within the 5-minute window.

Option C is wrong because, although syncing the 'userAccountControl' attribute (which carries the ACCOUNTDISABLE flag) does disable the corresponding cloud account, the Connect Sync cycle runs every 30 minutes by default, which does not meet the 5-minute requirement. Option B is wrong because password writeback handles password changes, not account disable state. Option D is wrong because filtered synchronization controls which objects are synchronized, not how quickly changes are applied.

94
MCQ · easy

A company recently acquired another company and needs to allow users from the acquired tenant to access its SharePoint Online sites as guest users, but only if those users already have accounts in the acquired Azure AD tenant. Which Microsoft 365 feature should be configured?

A.Cross-tenant access settings for B2B collaboration
B.B2B direct connect
C.Multi-Geo
D.Tenant Restrictions
AnswerA

Cross-tenant access settings for B2B collaboration allow you to control which external tenants can be used for guest access and fine-tune authentication.

Why this answer

Cross-tenant access settings for B2B collaboration allow you to configure inbound and outbound access between two Azure AD tenants. By enabling B2B collaboration with the acquired tenant and setting the appropriate cross-tenant access policies, you can invite users who already have accounts in that tenant as guest users to access SharePoint Online sites. This ensures that only authenticated users from the acquired tenant are granted access, meeting the requirement.

Exam trap

The trap here is that candidates confuse B2B direct connect with B2B collaboration, assuming both provide guest access to SharePoint, but B2B direct connect is limited to Teams shared channels and does not support SharePoint guest invitations.

How to eliminate wrong answers

Option B (B2B direct connect) is wrong because it is designed for Teams Connect shared channels, not for granting guest access to SharePoint Online sites, and it does not support inviting users as guests with Azure AD accounts. Option C (Multi-Geo) is wrong because it addresses data residency and geographic location of tenant data, not cross-tenant user access or guest invitations. Option D (Tenant Restrictions) is wrong because it controls access to SaaS apps based on tenant ID via HTTP headers, but it does not enable inviting external users from another tenant as guests.

95
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device is onboarded, it automatically receives all current threat intelligence signatures. What should you verify is configured?

A.The device is configured to receive updates from Microsoft Update.
B.Network protection is enabled in the attack surface reduction rules.
C.Sample submission is enabled in the advanced features.
D.Cloud-delivered protection is enabled in the Microsoft 365 Defender portal.
AnswerD

Cloud-delivered protection provides real-time signature updates from Microsoft.

Why this answer

Option D is correct because cloud-delivered protection ensures devices receive the latest signatures from Microsoft. Option C is wrong because sample submission is for advanced analysis, not signature updates. Option A is wrong because receiving updates from Microsoft Update is not specifically how signature updates are delivered.

Option B is wrong because network protection is a feature, not signature delivery.

96
Multi-Selectmedium

Which TWO Microsoft Defender XDR components provide protection for email and collaboration tools? (Choose two.)

Select 2 answers
A.Microsoft Defender for Identity
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud
D.Microsoft Defender for Cloud Apps
E.Microsoft Defender for Endpoint
AnswersB, D

Protects email and collaboration tools.

Why this answer

Options B and D are correct. Microsoft Defender for Office 365 protects email and collaboration tools like SharePoint, OneDrive, and Teams. Microsoft Defender for Cloud Apps provides visibility and control over cloud apps including email and collaboration platforms.

Option E (Defender for Endpoint) protects endpoints. Option A (Defender for Identity) protects on-premises Active Directory. Option C (Defender for Cloud) protects cloud workloads.

97
MCQhard

Your organization, Contoso, uses Microsoft Purview Data Lifecycle Management to manage data retention. You have a retention policy that deletes emails in Exchange Online after 3 years. The legal department has started a litigation hold for a specific user, requiring that all the user's emails be preserved indefinitely. You need to ensure that the litigation hold takes precedence over the retention policy, and that no emails are deleted. What should you do?

A.Place the user's mailbox on litigation hold in the Exchange admin center.
B.Apply a retention label to all emails in the user's mailbox that prevents deletion.
C.Apply a preservation hold to the user's mailbox using Microsoft Purview Data Lifecycle Management.
D.Modify the retention policy to exclude the user's mailbox from the deletion action.
AnswerA

Litigation hold preserves all mailbox content, overriding deletion policies.

Why this answer

Option A is correct because placing a user on litigation hold in Exchange Online preserves all mailbox content, including items subject to deletion policies; retention policies do not delete items under hold. Option C is wrong because preservation lock is for SharePoint/OneDrive, not for litigation hold. Option D is wrong because changing the retention policy would affect all users.

Option B is wrong because a retention label does not override litigation hold; the hold already preserves.

98
MCQmedium

Your organization has Microsoft Defender for Office 365. Users report that legitimate emails from a partner domain are being quarantined. You need to ensure these emails are delivered while maintaining security. What should you do?

A.Add the partner domain to the Allow list in the Tenant Allow/Block List.
B.Disable spam filtering for the partner domain.
C.Lower the spam confidence level (SCL) threshold for the organization.
D.Create a mail flow rule to bypass spam filtering for the partner domain.
AnswerA

This allows the domain while maintaining filtering for other domains; however, the root cause should be addressed.

Why this answer

Option A is correct because adding the partner domain to the Allow list in the Tenant Allow/Block List allows the emails but should be used only temporarily; the long-term best practice is to fix the sender's email authentication. Option B is wrong because disabling filtering is not recommended. Option C is wrong because it affects all external emails.

Option D is wrong because creating a transport rule bypasses security checks and is not best practice.

99
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to stream advanced hunting data from Defender XDR to Sentinel to run analytics rules. What should you configure?

A.Configure Diagnostic settings in Microsoft Defender XDR to send logs to Log Analytics.
B.Install the Microsoft Defender XDR data connector in Microsoft Sentinel.
C.Use the Microsoft 365 Defender connector in Sentinel.
D.Configure the Threat Intelligence – TAXII connector in Sentinel.
AnswerB

The connector streams advanced hunting data directly into Sentinel.

Why this answer

Option B is correct because the Microsoft Defender XDR data connector in Sentinel streams advanced hunting data. Option A is wrong because the Diagnostic settings in Defender XDR export to Log Analytics, but the direct connector is simpler. Option C is wrong because the Microsoft 365 Defender connector is for Office 365 data.

Option D is wrong because the Threat Intelligence connector ingests threat intel, not telemetry.

100
MCQeasy

A company uses Microsoft Entra ID for identity management. The security team wants to ensure that users cannot register applications in the tenant to prevent potential data leakage. Which setting should be configured?

A.Set the 'Admin consent requests' setting to 'Allow'
B.Enable the 'Admin consent workflow'
C.Set 'Users can register applications' to 'No' in User settings
D.Set 'Users can consent to apps accessing company data' to 'No'
AnswerC

This prevents users from registering applications.

Why this answer

Option C is correct because setting 'Users can register applications' to 'No' in the Microsoft Entra ID User settings explicitly prevents non-admin users from creating application registrations in the tenant. This directly addresses the security team's goal of blocking users from registering apps, which could otherwise expose tenant data through misconfigured or malicious applications.

Exam trap

The trap here is that candidates often confuse 'users registering applications' with 'users consenting to applications,' leading them to select Option D, which only controls consent, not the creation of the app registration itself.

How to eliminate wrong answers

Option A is wrong because 'Admin consent requests' setting controls whether users can request admin consent for applications, not whether users can register applications themselves. Option B is wrong because enabling the 'Admin consent workflow' allows users to request admin approval for app permissions, but does not block user-initiated app registration. Option D is wrong because setting 'Users can consent to apps accessing company data' to 'No' prevents users from granting permissions to apps, but does not prevent users from registering new applications in the tenant.

101
MCQeasy

A user account was accidentally deleted 10 days ago. The administrator needs to restore the user's mailbox and OneDrive for Business content. Which method should the administrator use?

A.Recreate the user account with the same name, and the data will be automatically restored.
B.Restore the user from the 'Deleted users' page in the Microsoft 365 admin center.
C.Use the Exchange admin center to recover the mailbox only.
D.Submit a support request to Microsoft to recover the deleted data.
AnswerB

This is the correct method to restore a deleted user and their data within the 30-day soft-delete period.

Why this answer

Option B is correct because Microsoft 365 retains deleted user objects, including their Exchange Online mailbox and OneDrive for Business data, for 30 days in the 'Deleted users' list. Restoring the user from this page within the retention period automatically recovers the associated mailbox and OneDrive content without requiring separate tools or support requests.

Exam trap

The trap here is that candidates often confuse the 30-day soft-delete retention with the ability to simply recreate the user account, or they assume that separate admin centers are required for mailbox and OneDrive recovery, when in fact the unified 'Deleted users' restore handles both.

How to eliminate wrong answers

Option A is wrong because simply recreating a user account with the same name does not automatically restore the original mailbox or OneDrive data; the new account receives a fresh mailbox and OneDrive, and the deleted user's data remains in the recycle bin only if the original object is restored. Option C is wrong because the Exchange admin center can recover a soft-deleted mailbox only if the user object still exists or was recently deleted, but it cannot recover OneDrive for Business content, which requires the full user restoration from the Microsoft 365 admin center. Option D is wrong because Microsoft support is not needed for this scenario; the administrator can self-service restore the user from the 'Deleted users' page within the 30-day retention period without submitting a support request.

102
MCQeasy

Your organization uses Microsoft Defender XDR. You want to create a custom detection rule that triggers an alert when a specific process is created on multiple endpoints. Which advanced hunting table should you use?

A.DeviceNetworkEvents
B.DeviceFileEvents
C.DeviceLogonEvents
D.DeviceRegistryEvents
E.DeviceProcessEvents
AnswerE

This table logs process creation events on endpoints.

Why this answer

Option E is correct because DeviceProcessEvents contains process creation events. Option A is wrong because DeviceNetworkEvents is for network connections. Option B is wrong because DeviceFileEvents is for file operations.

Option C is wrong because DeviceLogonEvents is for logon events. Option D is wrong because DeviceRegistryEvents is for registry changes.

103
MCQeasy

You are planning a migration from on-premises Active Directory to Microsoft Entra ID using cloud sync. You need to synchronize user passwords so that users can authenticate using their existing passwords. Which feature should you enable?

A.Pass-through Authentication
B.Password Hash Synchronization
C.Federation with AD FS
D.Seamless Single Sign-On
AnswerB

PHS syncs password hashes for cloud authentication.

Why this answer

Password Hash Synchronization (PHS) is the correct feature because it synchronizes the hash of a user's on-premises Active Directory password to Microsoft Entra ID, allowing users to authenticate with the same password without any additional on-premises infrastructure. Cloud sync specifically relies on PHS to replicate password hashes from AD to Entra ID, enabling seamless authentication for cloud-based services.

Exam trap

The trap here is that candidates often confuse Pass-Through Authentication with password synchronization, but PTA does not synchronize hashes—it only validates passwords in real time against on-premises AD, which is not the same as synchronizing passwords for cloud sync.

How to eliminate wrong answers

Option A is wrong because Pass-Through Authentication (PTA) validates passwords directly against on-premises AD without synchronizing password hashes, requiring agents and network connectivity, and does not meet the requirement of synchronizing passwords for cloud sync. Option C is wrong because Federation with AD FS relies on a federated trust and on-premises AD FS servers for authentication, not password synchronization, and adds complexity beyond cloud sync's scope. Option D is wrong because Seamless Single Sign-On (SSO) only provides automatic sign-in for domain-joined devices on corporate networks, but does not synchronize password hashes or enable password-based authentication from non-domain-joined devices.

104
MCQmedium

Your organization has a Microsoft 365 tenant configured with a custom domain contoso.com. Users report they cannot receive email from external senders; internal email works fine. You verify the MX record for contoso.com points to the Microsoft 365 mail exchanger. What should you check next?

A.Check the Exchange admin center for connector configuration.
B.Verify that an SPF TXT record exists for contoso.com.
C.Wait 48 hours for DNS propagation.
D.Verify that the MX record has a priority of 0.
AnswerB

External senders often reject mail if SPF is missing or misconfigured.

Why this answer

The most common cause of external email delivery failure after MX record configuration is a missing or incorrect SPF record. SPF is required to prevent spoofing and ensure delivery. Option B (Sender Policy Framework record) is correct.

Option D is wrong because the MX record is already verified. Option C is wrong because DNS propagation typically completes within minutes to hours; waiting longer is not a diagnostic step. Option A is wrong because Exchange admin center settings do not affect inbound mail flow at the DNS level.

105
MCQmedium

A compliance officer needs to prevent users from sharing documents that have been labeled 'Highly Confidential' with external users. When a user attempts to share such a document externally, the action should be blocked and the user should see a policy tip. Which Microsoft Purview solution should the officer configure?

A.Data Loss Prevention (DLP) policy
B.Sensitivity label encryption
C.Retention policy
D.Records management
AnswerA

DLP policies can use sensitivity labels as conditions to block sharing and show policy tips.

Why this answer

A Data Loss Prevention (DLP) policy is the correct solution because it can inspect content and context (including sensitivity labels) to enforce rules that block external sharing of documents labeled 'Highly Confidential' and display a policy tip to the user. DLP policies in Microsoft Purview are specifically designed to prevent accidental or intentional data leakage by monitoring and controlling sharing actions in real time.

Exam trap

The trap here is that candidates often confuse sensitivity label encryption (which protects the file) with DLP (which controls the sharing action), leading them to choose encryption when the requirement explicitly involves blocking the share and showing a policy tip.

How to eliminate wrong answers

Option B is wrong because sensitivity label encryption protects the document at rest and in transit by encrypting it, but it does not block the sharing action itself or show a policy tip; it only controls access after the file is shared. Option C is wrong because a retention policy is used to preserve or delete content after a specified period, not to block real-time sharing actions or display policy tips. Option D is wrong because records management marks content as a record to prevent deletion or modification, but it does not block external sharing or provide policy tips during sharing attempts.

106
MCQhard

You are designing an incident response plan using Microsoft Defender XDR. You want to automate the containment of compromised devices when a high-severity incident is detected. What should you configure?

A.Configure custom detection rules in Microsoft Defender for Endpoint
B.Configure device groups in Microsoft Defender for Endpoint
C.Enable automated investigation and response (AIR) in Microsoft Defender XDR
D.Create a playbook in Microsoft Sentinel
AnswerC

AIR can automatically contain devices based on incident severity.

Why this answer

Option C is correct because automated investigation and response (AIR) in Microsoft Defender XDR can automatically contain devices. Option D is wrong because playbooks in Microsoft Sentinel require manual triggering or separate automation. Option A is wrong because custom detection rules only create alerts.

Option B is wrong because device groups are for management, not automation.

107
MCQhard

A company uses Microsoft Entra ID with group-based licensing. You assign a license to a group, but some members do not receive the license. There are no error messages in the audit logs. What is the most likely cause?

A.Users have the license directly assigned
B.The group has more than 500 members
C.The group is a dynamic group
D.The product license is out of stock
AnswerA

Direct assignments conflict with group assignments.

Why this answer

When a user has a license directly assigned, group-based licensing skips that user because the direct assignment takes precedence. The group licensing engine detects the existing license and does not attempt to reassign it, so no error is logged. This is the most common cause of silent license assignment failures in Microsoft Entra ID.

Exam trap

The trap here is that candidates assume a missing license must be caused by an error or limitation, but Microsoft intentionally designs group-based licensing to silently skip users with direct assignments to avoid duplicate license conflicts.

How to eliminate wrong answers

Option B is wrong because group-based licensing supports groups with up to 500 members per licensing operation, and larger groups are processed in batches without silent failures. Option C is wrong because dynamic groups are fully supported for group-based licensing; the group type does not cause silent license assignment failures. Option D is wrong because Microsoft Entra ID does not have a concept of 'out of stock' for product licenses; license availability is managed at the tenant level and would generate an error if insufficient.

108
Multi-Selectmedium

A compliance officer needs to automatically apply a sensitivity label that encrypts documents in SharePoint Online when they contain credit card numbers. The solution must not require manual user action. Which two Microsoft Purview components must be configured? (Select the option that correctly identifies both required components.)

Select 2 answers
A.Sensitivity labels and auto-labeling policies
B.Data loss prevention (DLP) policies and retention labels
C.Sensitivity labels and retention policies
D.Auto-labeling policies and communication compliance policies
AnswersA, B

Correct. Sensitivity labels define the protection (encryption), and auto-labeling policies automatically apply them when sensitive info types are detected.

Why this answer

Option A is correct because sensitivity labels define the encryption and protection settings for content, while auto-labeling policies automatically apply those labels to documents in SharePoint Online when they match sensitive information types like credit card numbers, without requiring manual user action. Together, they enable automated, policy-based classification and protection based on content inspection.

Exam trap

The trap here is that candidates confuse DLP policies with auto-labeling, assuming DLP can both detect and protect, but DLP does not apply sensitivity labels or encryption—it only blocks or alerts on policy violations.

109
MCQeasy

A company has just purchased Microsoft 365 E3 licenses. They want to configure the default mailbox storage limit for all new users. Which setting should they modify?

A.Exchange admin center -> recipients -> mailboxes -> default mailbox quota
B.Microsoft 365 admin center -> Users -> Active users -> default storage limit
C.Exchange Online PowerShell: Set-OrganizationConfig -DefaultMailboxSize
D.Microsoft 365 admin center -> Org settings -> Mailbox storage
AnswerC

This cmdlet sets the default mailbox size for all new users in the organization.

Why this answer

Option C is correct because the default mailbox storage limit for all new users in Exchange Online is configured via the Set-OrganizationConfig cmdlet with the -DefaultMailboxSize parameter. This setting applies to mailboxes created after the change, overriding the default 50 GB limit for Microsoft 365 E3 licenses. The Exchange admin center and Microsoft 365 admin center do not expose this specific default quota setting for new mailboxes.

Exam trap

The trap here is that candidates assume the default mailbox quota can be set via the Exchange admin center's 'default mailbox quota' option, but that setting applies to mailbox databases in on-premises Exchange, not Exchange Online, where the default is controlled at the organization level via PowerShell.

How to eliminate wrong answers

Option A is wrong because the Exchange admin center -> recipients -> mailboxes allows you to modify quotas for individual existing mailboxes, not set the default quota for all new users. Option B is wrong because the Microsoft 365 admin center -> Users -> Active users does not have a 'default storage limit' setting; storage limits are managed via Exchange Online. Option D is wrong because the Microsoft 365 admin center -> Org settings -> Mailbox storage does not exist; mailbox storage defaults are configured only through Exchange Online PowerShell or the Exchange admin center's default mailbox quota settings (which are per-database, not per-tenant).

110
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically alerts when a user downloads more than 100 files from SharePoint Online in 10 minutes. What type of policy should you create?

A.Session policy
B.App discovery policy
C.Anomaly detection policy
D.OAuth app policy
AnswerC

Anomaly detection policies detect unusual file download activity.

Why this answer

Option C is correct because an anomaly detection policy detects unusual download activity. Option B is wrong because an app discovery policy identifies shadow IT. Option D is wrong because an OAuth app policy governs third-party app permissions.

Option A is wrong because a session policy controls real-time access, not download thresholds.

111
Multi-Selectmedium

Which TWO of the following are valid conditions that can be used in a Microsoft Entra ID conditional access policy? (Choose two.)

Select 2 answers
A.Network location
B.Sign-in risk
C.Application sensitivity label
D.User risk
E.Device manufacturer
AnswersB, D

Valid condition in conditional access.

Why this answer

Sign-in risk (B) and user risk (D) are both valid conditions in Microsoft Entra ID Conditional Access policies. These risk levels are calculated by Microsoft Entra ID Protection using real-time signals such as anonymous IP addresses, atypical travel, or leaked credentials, and can be used to trigger policies like requiring multi-factor authentication or blocking access.

Exam trap

The trap here is that candidates may confuse 'Network location' with the valid 'Locations' condition, or assume that application sensitivity labels (which are part of Microsoft Purview) can be used directly in Conditional Access policies, when in fact they are not a supported condition.

112
MCQmedium

A company wants to implement just-in-time (JIT) privileged access for the Global Administrator role in Microsoft Entra ID. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should the administrator configure?

A.Privileged Identity Management (PIM)
B.Identity Protection
C.Conditional Access
D.Access Reviews
AnswerA

Correct. PIM enables just-in-time activation with approval and time-bound assignments.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access by allowing users to activate roles like Global Administrator with a business justification, requiring approval from a designated group of approvers, and setting a configurable activation duration (e.g., 4 hours). This directly matches the company's requirements for time-bound, approved role activation.

Exam trap

The trap here is that candidates confuse PIM's JIT activation with Conditional Access policies, thinking that Conditional Access can enforce time-based access, but Conditional Access cannot manage role activation, approval workflows, or expiration of privileged roles.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., compromised credentials, anomalous sign-ins) and does not provide JIT role activation or approval workflows. Option C (Conditional Access) is wrong because it enforces access policies based on conditions like location or device state, but it cannot manage role activation, approval, or expiration. Option D (Access Reviews) is wrong because it automates periodic recertification of group memberships or role assignments, not on-demand activation with approval and expiration.

113
MCQeasy

An administrator has created a new user account in Microsoft Entra ID. To ensure the user has a mailbox in Exchange Online, what is the next step?

A.Assign an Exchange Online license to the user
B.Create an Exchange mailbox manually
C.Run the Microsoft 365 Setup wizard
D.Configure DNS records for the domain
AnswerA

A license that includes Exchange Online (e.g., Office 365 E3) triggers mailbox provisioning.

Why this answer

In Microsoft 365, a user must be assigned an Exchange Online license (part of an E3, E5, or standalone plan) before a mailbox is automatically provisioned in Exchange Online. Without a license, the user object exists in Entra ID but has no mailbox; the license assignment triggers the mailbox creation process within 24 hours.

Exam trap

The trap here is that candidates often think creating the user in Entra ID or configuring DNS automatically provisions a mailbox, but Microsoft 365 requires an explicit license assignment to enable the Exchange Online service plan for that user.

How to eliminate wrong answers

Option B is wrong because Exchange Online does not support manually creating a mailbox; mailboxes are automatically provisioned when a license is assigned, and manual creation is only possible in on-premises Exchange Server. Option C is wrong because the Microsoft 365 Setup wizard is used for initial tenant configuration (e.g., adding a domain or setting up admin accounts), not for provisioning a mailbox for an existing user. Option D is wrong because DNS records (MX, SPF, etc.) are required for mail routing to the tenant, but they do not create a mailbox; the mailbox must exist first via license assignment.

114
Multi-Selectmedium

You are configuring Microsoft Entra ID for your organization. You need to enable passwordless authentication for users. Which TWO authentication methods are passwordless and supported by Microsoft Entra ID?

Select 2 answers
A.SMS-based one-time passcode (OTP)
B.Hardware OATH tokens
C.Microsoft Authenticator app
D.OAuth 2.0 device authorization grant
E.FIDO2 security keys
AnswersC, E

Supports passwordless phone sign-in.

Why this answer

The Microsoft Authenticator app supports passwordless authentication by allowing users to approve sign-in requests via a notification or a number match on their mobile device, eliminating the need for a password. FIDO2 security keys are also a passwordless method, using public-key cryptography to authenticate users without a password, and are fully supported by Microsoft Entra ID for both Azure AD joined and hybrid joined devices.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS OTP or OATH tokens) with passwordless methods, but passwordless requires the primary authentication factor to be something you have or are, not something you know (a password), and both SMS OTP and OATH tokens still require a password as the first factor in most configurations.

115
MCQhard

A compliance officer needs to automatically encrypt and apply a 'Do Not Forward' restriction to all outgoing emails sent by the finance department that contain credit card numbers. The solution must work without requiring users to manually apply labels. Which configuration is required?

A.Create a Data Loss Prevention (DLP) policy with the action 'Encrypt email messages'
B.Create an auto-labeling policy for Microsoft Purview Sensitivity Labels that applies a label with encryption and 'Do Not Forward' configured, scoped to the finance department
C.Create a mail flow rule in Exchange Online to apply Rights Management template 'Do Not Forward'
D.Create a retention label that encrypts the email
AnswerB

Auto-labeling policies can scan emails and automatically apply a sensitivity label that includes encryption and 'Do Not Forward' settings, meeting the requirement without user intervention.

Why this answer

Option B is correct because Microsoft Purview auto-labeling policies can automatically apply a sensitivity label that includes encryption and a 'Do Not Forward' restriction based on conditions such as sensitive information types (e.g., credit card numbers) and user scope (e.g., finance department). This meets the requirement of automatic enforcement without user intervention, as the label is applied at the time of sending via client-side auto-labeling.

Exam trap

The trap here is that candidates often confuse DLP encryption actions with sensitivity label encryption, not realizing that 'Do Not Forward' is a permission setting exclusive to sensitivity labels and cannot be applied by DLP policies or mail flow rules alone.

How to eliminate wrong answers

Option A is wrong because a DLP policy with the 'Encrypt email messages' action applies encryption via Azure Information Protection but does not enforce the 'Do Not Forward' restriction, which is a separate Rights Management permission. Option C is wrong because a mail flow rule in Exchange Online can apply a Rights Management template, but the 'Do Not Forward' template is not a built-in RMS template; it is a custom permission set that must be defined via a sensitivity label, and mail flow rules cannot natively apply the 'Do Not Forward' restriction without a label. Option D is wrong because retention labels are designed for data lifecycle management (retention and deletion), not for applying encryption or 'Do Not Forward' restrictions to emails.

116
MCQhard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They recently deployed Microsoft Copilot for Microsoft 365. Users can now ask Copilot to summarize documents that contain sensitive information. How should the company extend DLP protection to Copilot interactions?

A.Apply a sensitivity label that restricts Copilot access.
B.Implement Information Barriers for Copilot.
C.Enable DLP for Copilot in the DLP policy settings.
D.Configure a Communication Compliance policy to monitor Copilot.
AnswerC

DLP policies can be extended to cover Copilot interactions.

Why this answer

Microsoft Purview DLP can now cover Microsoft Copilot for Microsoft 365 interactions. This is done by enabling DLP for Copilot in the DLP policy settings. Option A is incorrect because sensitivity labels alone don't block Copilot.

Option D is incorrect because Communication Compliance monitors internal communications, not Copilot. Option B is incorrect because Information Barriers are for restricting communication between groups.

117
MCQhard

A company uses Microsoft Entra ID P2 licenses. They want to create a Conditional Access policy that requires MFA for all users, but the policy should only be enforced when the sign-in risk is medium or higher. Additionally, they need to exclude a group named 'Emergency Access' from this policy. Which configuration is correct?

A.Assign policy to 'All users', exclude 'Emergency Access' group, set 'Sign-in risk' condition to 'High and Medium'
B.Assign policy to 'All users', exclude 'Emergency Access' group, set 'User risk' condition to 'High and Medium'
C.Assign policy to 'Emergency Access' group, set 'Device state' condition to 'All device states'
D.Assign policy to 'All users', exclude 'Emergency Access' group, set 'Locations' condition to 'All trusted locations'
AnswerA

Correct. This configuration targets all users except emergency accounts and only applies when sign-in risk is medium or higher.

Why this answer

Option A is correct because it assigns the Conditional Access policy to 'All users' (ensuring universal coverage), excludes the 'Emergency Access' group (to prevent lockout of break-glass accounts), and sets the 'Sign-in risk' condition to 'High and Medium' — which matches the requirement to enforce MFA only when sign-in risk is medium or higher. Sign-in risk is the correct condition for real-time risk during authentication, while user risk tracks historical compromise likelihood.

Exam trap

The trap here is confusing 'Sign-in risk' with 'User risk' — candidates often pick Option B because both terms sound similar, but only sign-in risk applies to the current authentication session and matches the requirement for risk-based MFA enforcement during sign-in.

How to eliminate wrong answers

Option B is wrong because it uses 'User risk' instead of 'Sign-in risk'; user risk reflects the likelihood that an account is compromised based on past activity, not the risk of the current sign-in session, so it does not meet the requirement to enforce MFA based on sign-in risk. Option C is wrong because it assigns the policy to the 'Emergency Access' group rather than excluding them, which would force MFA on emergency accounts and defeat their purpose; it also uses 'Device state' condition which is irrelevant to risk-based MFA enforcement. Option D is wrong because it uses 'Locations' condition with 'All trusted locations', which would enforce MFA only from trusted locations (or the opposite depending on configuration), not based on sign-in risk level, and thus does not address the risk-based requirement.

118
Multi-Selectmedium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and later clicks a link from that email that leads to a known malicious domain. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the query to capture both the email delivery event and the link click event? (Choose two.)

Select 2 answers
A.EmailEvents
B.UrlClickEvents
C.DeviceEvents
D.IdentityLogonEvents
AnswersA, B

This table contains details of email delivery events, including whether the email was delivered to the inbox, and the unique NetworkMessageId that can link to click events.

Why this answer

EmailEvents contains records of email delivery events, including phishing emails that were delivered to the inbox. UrlClickEvents captures user clicks on URLs in emails, including the target domain. Joining these two tables on the email's network message ID allows the analyst to correlate the specific phishing email delivery with the subsequent link click to a known malicious domain, which is the exact scenario described.

Exam trap

The trap here is that candidates may confuse UrlClickEvents with DeviceEvents, thinking that a link click is a device-level action, but in Microsoft Defender XDR, URL clicks from emails are specifically tracked in the UrlClickEvents table, not in endpoint event tables.
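An advanced hunting query of the kind the explanation describes, added here as an illustration (it is not part of the original question set and not a Microsoft sample): EmailEvents and UrlClickEvents are joined on NetworkMessageId so that only clicks on links from phishing messages that reached the inbox are returned. The list of malicious domains is a constructed placeholder; in practice it would come from a watchlist or threat-intelligence indicators. The 7-day lookback and the column set projected at the end (Timestamp, ReportId, and the identifying columns a custom detection rule needs) are assumptions.

```kql
// Constructed placeholder list of known-malicious domains (assumption: in a
// real detection this comes from threat-intelligence indicators or a watchlist).
let MaliciousDomains = datatable(Domain:string) [
    "malicious-example.invalid",
    "phish-login.invalid"
];
let lookback = 7d;   // assumption: how far back to hunt
// Step 1: phishing emails that were actually delivered to the inbox
let DeliveredPhish = EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
| project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
          DeliveryTime = Timestamp;
// Step 2: allowed clicks on URLs from those same messages, correlated on
// NetworkMessageId, where the clicked host is on the malicious-domain list
UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| extend Domain = tolower(tostring(parse_url(Url).Host))
| join kind=inner MaliciousDomains on Domain
| join kind=inner DeliveredPhish on NetworkMessageId
| where Timestamp > DeliveryTime            // click must follow delivery
| project Timestamp, ReportId, NetworkMessageId, AccountUpn, RecipientEmailAddress,
          SenderFromAddress, Subject, Url, Domain, DeliveryTime, ActionType
```

Timestamp, ReportId and at least one identifier column (here NetworkMessageId and AccountUpn) are kept in the final projection because a custom detection rule built from the query needs them to create alerts and map impacted entities.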

119
Multi-Selecteasy

Which TWO actions can a Microsoft 365 global administrator perform in the Microsoft 365 admin center to manage user accounts? (Choose two.)

Select 2 answers
A.Recover a deleted user account.
B.Assign admin roles to a user.
C.Reset a user's password.
D.Manage the service health of Microsoft 365.
E.Create mailbox delegation permissions.
AnswersB, C

Roles can be assigned from the admin center user management.

Why this answer

In the Microsoft 365 admin center, a global administrator can assign admin roles to a user by navigating to Active users, selecting the user, and choosing 'Manage roles'. This is a core identity management task that allows delegation of administrative privileges within the tenant. Option C is also correct because resetting a user's password is a standard user management action available in the same interface.

Exam trap

The trap here is that candidates confuse the Microsoft 365 admin center's scope with other specialized admin centers (e.g., Exchange admin center, Azure AD admin center) and select actions like mailbox delegation or service health management, which are not part of the core user account management tasks in the Microsoft 365 admin center.

120
MCQhard

Your company deploys Microsoft 365 Copilot. You need to enforce that Copilot responses are based only on data within the tenant, not external sources. Which setting should you configure?

A.Copilot's 'Responses' setting in the Microsoft 365 admin center
B.Sensitivity labels
C.Data Loss Prevention (DLP) policies
D.Microsoft Purview Compliance Manager
AnswerA

This setting restricts Copilot to tenant data.

Why this answer

The 'Responses' setting in the Microsoft 365 admin center controls whether Copilot can use data from external sources (such as the public web) or is restricted to your tenant's data. By configuring this setting to 'Only use data from your organization,' you enforce that Copilot responses are grounded solely in your Microsoft 365 tenant content (emails, documents, chats, etc.), preventing any reliance on external internet sources. This is the direct administrative toggle for Copilot's data grounding scope.

Exam trap

The trap here is that candidates often confuse data source control with data protection features like sensitivity labels or DLP, but the correct answer is the administrative toggle specifically designed for Copilot's grounding scope, not a security or compliance policy.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data based on sensitivity (e.g., confidential, general), but they do not control the data sources Copilot can query for generating responses. Option C is wrong because Data Loss Prevention (DLP) policies prevent accidental sharing of sensitive information but have no mechanism to restrict Copilot's grounding to tenant-only data. Option D is wrong because Microsoft Purview Compliance Manager provides compliance score and recommendations for regulatory standards, not a setting to limit Copilot's data source scope.

121
MCQeasy

A compliance officer needs to block users from sharing emails that contain credit card numbers with external recipients. When a user attempts to send such an email, it should be blocked immediately, and a policy tip should notify the user. Which Microsoft Purview solution should the officer configure?

A.Data Loss Prevention (DLP) policy.
B.Sensitivity label with encryption.
C.Microsoft Defender for Office 365 Safe Attachments policy.
D.Communication compliance policy.
AnswerA

DLP policies can detect credit card numbers in Exchange Online emails and block them with user notifications via policy tips.

Why this answer

A Data Loss Prevention (DLP) policy is the correct solution because it is specifically designed to detect sensitive information types (e.g., credit card numbers via predefined rule patterns matching the Luhn algorithm) in transit and enforce actions such as blocking the email and displaying a policy tip to the sender. This meets the compliance officer's requirement to block external sharing of credit card data immediately with user notification.

Exam trap

The trap here is that candidates often confuse the real-time blocking and notification capability of DLP with sensitivity labels (which only apply protection after classification) or communication compliance (which is a review-based solution, not a real-time enforcement mechanism).

How to eliminate wrong answers

Option B is wrong because a sensitivity label with encryption can protect content by restricting access or applying encryption, but it does not actively scan outbound email content for credit card numbers or block messages in transit with a policy tip. Option C is wrong because Microsoft Defender for Office 365 Safe Attachments policy focuses on scanning email attachments for malware and malicious content, not on detecting sensitive data patterns like credit card numbers. Option D is wrong because a communication compliance policy is designed to monitor and review internal/external communications for policy violations (e.g., harassment, insider trading) and typically requires manual review, not real-time blocking with a policy tip based on sensitive data patterns.

122
Multi-Selectmedium

A compliance officer needs to automatically classify documents in SharePoint Online that contain credit card numbers. The classification should apply a label that restricts access and adds a header. Which two Microsoft Purview features must be configured? (Choose two.)

Select 2 answers
A.Sensitivity labels
B.Retention labels
C.Data Loss Prevention (DLP) policies
D.Auto-labeling policies
AnswersA, D

Sensitivity labels define the actual protection settings, such as encryption, access restrictions, and header/footer markings.

Why this answer

Sensitivity labels are correct because they are the Microsoft Purview feature that applies classification markings (such as headers and footers) and encryption or access restrictions to documents. For this scenario, a sensitivity label must be configured to enforce the required header and access restrictions on content containing credit card numbers.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling, but DLP policies do not apply labels or headers—they only enforce actions like blocking or notification, whereas auto-labeling policies are required to automatically assign the sensitivity label.

123
Multi-Selectmedium

Your organization uses Microsoft Entra ID and wants to implement least-privilege administrative access for managing Microsoft 365 services. Which three of the following should you configure? (Choose three.)

Select 3 answers
A.Create custom administrative units (AUs) to delegate scoped administrative permissions
B.Assign Microsoft 365 built-in roles via Microsoft Entra ID role-based access control (RBAC)
C.Enable Microsoft Entra ID Privileged Identity Management (PIM) for eligible role activations
D.Implement Microsoft 365 Defender for Cloud Apps session policies for admins
E.Use Microsoft Entra ID Conditional Access to block all external access for admins
F.Configure Microsoft Intune to enforce mobile device management (MDM) for all admin devices

Why this answer

Options A, B, and C are correct because creating custom administrative units (AUs) allows you to delegate scoped administrative permissions to specific subsets of users, devices, or groups within a single Microsoft Entra ID tenant. Assigning Microsoft 365 built-in roles via Microsoft Entra ID role-based access control (RBAC) provides granular, least-privilege permissions without granting full global admin access. Enabling Microsoft Entra ID Privileged Identity Management (PIM) for eligible role activations ensures that administrative roles are activated only when needed, with time-bound approvals and just-in-time access, reducing standing privileges.

Exam trap

The trap here is that candidates often confuse security controls (like Conditional Access or MDM) with identity and access management (IAM) role delegation, mistakenly thinking any security feature contributes to least-privilege administrative access, when only role-based scoping and just-in-time activation directly address it.

124
MCQhard

A company has Microsoft Entra ID P2 licenses. They need to implement a conditional access policy that requires multifactor authentication (MFA) when accessing the Microsoft Entra admin center from a non-compliant device. However, they want to allow access from compliant devices without MFA. What is the best approach?

A.Create one conditional access policy with a grant control that combines 'Require compliant device' and 'Require multifactor authentication' as a single control
B.Create one conditional access policy with grant controls set to 'Require one of the selected controls' and select both 'Require compliant device' and 'Require multifactor authentication'
C.Create two conditional access policies: one for compliant devices requiring only compliant device, and one for non-compliant devices requiring MFA and compliant device
D.Create one conditional access policy with grant controls set to 'Require all the selected controls' and select both 'Require compliant device' and 'Require multifactor authentication', and include all devices
AnswerC

This allows MFA only for non-compliant devices, and compliant devices can access without MFA.

Why this answer

Option C is correct because the requirement is to allow access from compliant devices without MFA while requiring MFA from non-compliant devices. This conditional logic cannot be achieved in a single policy with a single grant block because 'Require compliant device' and 'Require multifactor authentication' are both satisfied by compliant devices (which are already compliant), but you need to differentiate behavior based on device compliance state. By creating two policies—one targeting compliant devices with only 'Require compliant device' as a grant, and another targeting non-compliant devices with both 'Require compliant device' and 'Require multifactor authentication'—you can enforce different access requirements based on the device's compliance status.

Exam trap

The trap here is that candidates often think a single policy with 'Require one of the selected controls' can differentiate behavior based on device state, but in reality, a single policy applies the same grant logic to all matching devices, so you must use separate policies to enforce different requirements for compliant vs. non-compliant devices.

How to eliminate wrong answers

Option A is wrong because combining 'Require compliant device' and 'Require multifactor authentication' as a single control (using 'Require all the selected controls') would require both conditions to be met for all devices, meaning compliant devices would still be prompted for MFA, which violates the requirement to allow access without MFA from compliant devices. Option B is wrong because 'Require one of the selected controls' applies the same grant logic to every device that matches the policy: access is granted when either a compliant device or MFA is presented, so a non-compliant device is admitted with MFA alone and a compliant device without MFA, but the policy itself never distinguishes compliant from non-compliant devices. The requirement is to apply different behaviour depending on the device's compliance state, which a single policy cannot express; that needs separate policies. Option D is wrong because setting grant controls to 'Require all the selected controls' with both 'Require compliant device' and 'Require multifactor authentication' would require every device (including compliant ones) to satisfy both conditions, meaning compliant devices would still be forced to perform MFA, which contradicts the requirement to allow access from compliant devices without MFA.

125
MCQmedium

Your organization plans to migrate from on-premises Exchange to Exchange Online. You need to ensure minimal disruption during the migration. Which approach should you recommend?

A.Deploy a hybrid configuration and migrate mailboxes in batches.
B.Perform a cutover migration during a weekend.
C.Use IMAP migration to migrate all mailboxes in parallel.
D.Use a third-party migration tool for a one-time bulk migration.
AnswerA

Hybrid migration allows gradual migration with coexistence.

Why this answer

A hybrid migration allows you to gradually move mailboxes while maintaining coexistence, minimizing disruption. Option B is wrong because a cutover migration is disruptive and only suitable for small orgs. Option C is wrong because IMAP migration does not migrate calendar/contacts fully.

Option D is wrong because a third-party tool is unnecessary for standard migrations.

126
MCQeasy

A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?

A.Indicators of compromise (IOCs)
B.Attack surface reduction rules
C.Automated investigation and response
D.Custom detection rules
AnswerA

IOCs allow creating custom policy to block file hashes across all endpoints.

Why this answer

Indicators of compromise (IOCs) in Microsoft Defender for Endpoint allow security analysts to create custom indicators (e.g., file hashes, IPs, URLs) that are enforced across all endpoints in near real-time. By adding the malicious file hash as an IOC with an 'Alert and Block' action, the file is immediately prevented from executing on any managed device, providing a rapid, organization-wide block without waiting for signature updates.

Exam trap

The trap here is that candidates confuse 'Indicators of compromise (IOCs)' with 'Custom detection rules,' because both involve custom definitions, but IOCs are for immediate blocking of known artifacts while custom detection rules are for behavioral detection over time.

How to eliminate wrong answers

Option B is wrong because Attack surface reduction rules are pre-configured policies that reduce common attack vectors (e.g., blocking Office apps from creating child processes), but they cannot block a specific file hash on demand. Option C is wrong because Automated investigation and response (AIR) automatically investigates and remediates alerts after detection, but it does not proactively block a known malicious hash from executing; it reacts to incidents already triggered. Option D is wrong because Custom detection rules use Advanced Hunting queries to detect suspicious behavior over time, but they are not designed for immediate, hash-based execution blocking across all endpoints.

127
MCQhard

An organization wants to allow only specific company-approved USB devices (e.g., those with a specific hardware ID) on managed Windows devices. All other USB devices must be blocked. Which Microsoft 365 Defender feature should be configured?

A.Attack surface reduction rules
B.Microsoft Defender for Endpoint device control
C.Microsoft Defender for Cloud Apps session policy
D.Conditional Access device compliance
AnswerB

Device control policies in Defender for Endpoint can restrict USB devices based on hardware IDs.

Why this answer

Microsoft Defender for Endpoint device control is the correct feature because it provides granular control over peripheral devices, including USB devices, based on hardware IDs. It allows administrators to create allow/block policies that enforce restrictions on managed Windows devices, ensuring only company-approved USB devices can be used.

Exam trap

The trap here is that candidates often confuse Attack surface reduction rules with device control because both are part of Microsoft Defender for Endpoint, but ASR rules focus on process behaviors, not hardware device access.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction rules are designed to mitigate common malware behaviors (e.g., blocking Office apps from creating child processes) and do not include USB device control capabilities. Option C is wrong because Microsoft Defender for Cloud Apps session policies are used to monitor and control user sessions in cloud apps (e.g., blocking downloads from SharePoint) and have no effect on local USB device access. Option D is wrong because Conditional Access device compliance policies evaluate device health (e.g., requiring BitLocker or antivirus) for cloud app access but do not enforce USB device restrictions on the endpoint itself.

128
Multi-Selectmedium

Your organization uses Microsoft Defender XDR. You need to ensure that when an incident is created, it is automatically assigned to the appropriate analyst team based on the incident category. Which TWO actions should you configure? (Choose two.)

Select 2 answers
A.Use the incident page's 'Assign to' option.
B.Create automation rules in Microsoft Defender XDR to assign incidents based on criteria.
C.Configure the default assignment rule to assign all incidents to a specific team.
D.Use tags to categorize incidents and then manually assign.
E.Define custom incident fields to capture the team assignment.
AnswersB, E

Automation rules can assign incidents to a group automatically.

Why this answer

B and E are correct. Automation rules can be used to assign incidents based on conditions. Custom incident fields can categorize incidents.

C is wrong because not all incidents are assigned automatically. D is wrong because tags help with classification but not assignment. A is wrong because the main incident page does not automate assignment.

129
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel in a hybrid deployment. You are the security operations lead. A new regulation requires that all security alerts be automatically enriched with threat intelligence indicators from an external feed before being sent to Sentinel. You need to implement this enrichment with minimal latency and without writing custom code. What should you do?

A.Configure the Microsoft Defender XDR connector in Sentinel to receive alerts, and use the Threat Intelligence API to add indicators to Defender XDR.
B.Create a Logic App that runs on a schedule to pull alerts from Defender XDR, enrich them using external TI, and push to Sentinel.
C.Create an Azure Function that uses the Microsoft Graph API to get alerts, enrich them, and send to Sentinel.
D.Use the Microsoft Sentinel data connector for Microsoft Defender XDR and configure automatic enrichment in the data connector settings.
AnswerA

Correct: Defender XDR can enrich alerts with external TI via API, and Sentinel connector pulls enriched alerts.

Why this answer

Option A is correct because Microsoft Defender XDR can ingest external threat intelligence via the API and then forward enriched alerts to Sentinel using the built-in connector. Option B is wrong because Logic Apps require custom code and may introduce latency. Option C is wrong because Azure Functions require custom code.

Option D is wrong because the data connector does not support enrichment.

130
MCQhard

Refer to the exhibit. You run the KQL query in advanced hunting. What is the primary purpose of this query?

A.Identify devices with outbound connections to malicious IPs
B.Identify devices with PowerShell execution policy set to bypass
C.Identify devices where a user deleted system files using cmd
D.Identify devices with high use of encoded commands, which may indicate malicious activity
AnswerD

Encoded commands are often used to hide malicious intent.

Why this answer

Option D is correct because the query looks for PowerShell or cmd.exe processes using -EncodedCommand, which is a common technique for obfuscating malicious commands. Option B is wrong because the query doesn't filter by execution policy. Option C is wrong because the query doesn't look for files being deleted.

Option A is wrong because the query doesn't look for outbound connections.

131
MCQhard

Your company recently acquired a subsidiary that uses a different Microsoft 365 tenant. You are tasked with merging the two tenants into one. The subsidiary has 1,500 users with unique email domains. You need to migrate all users, mailboxes, and SharePoint data while minimizing downtime and preserving data integrity. You have access to both tenants as global admin. What should you do first?

A.Add the subsidiary's domain to the primary tenant, then delete the subsidiary tenant and recreate users
B.Use the Microsoft 365 Merger Center in the admin portal
C.Use a third-party migration tool such as BitTitan MigrationWiz to perform the migration
D.Use Microsoft's native tenant-to-tenant migration by moving mailboxes via PowerShell and exporting SharePoint content
AnswerC

Third-party tools are designed for cross-tenant migrations with minimal downtime and data integrity.

Why this answer

Option C is correct because Microsoft does not provide a native tool for merging two tenants; third-party tools like BitTitan MigrationWiz are designed specifically for cross-tenant migrations, supporting mailbox, SharePoint, and user data migration with minimal downtime and data integrity. These tools handle directory synchronization, mailbox rehydration, and SharePoint content mapping, which are critical for a 1,500-user migration with unique domains.

Exam trap

The trap here is that candidates assume Microsoft provides a native 'merger' tool or that PowerShell alone can handle a full tenant merge, overlooking the lack of built-in cross-tenant SharePoint migration capabilities and the need for specialized third-party solutions.

How to eliminate wrong answers

Option A is wrong because deleting the subsidiary tenant and recreating users would cause permanent data loss (mailboxes, SharePoint content) and cannot preserve data integrity; domain addition alone does not migrate data. Option B is wrong because there is no 'Microsoft 365 Merger Center' in the admin portal; this is a fabricated feature that does not exist. Option D is wrong because native tenant-to-tenant migration via PowerShell is limited to mailbox moves (using New-MoveRequest with cross-tenant prerequisites) and does not support SharePoint data migration; exporting and importing SharePoint content via PowerShell is complex, error-prone, and not designed for large-scale migrations with minimal downtime.

132
MCQmedium

An organization with Microsoft Entra ID P2 licenses wants to require multi-factor authentication (MFA) for all users but allow them to register their authentication methods before being forced to use MFA. Which configuration should they implement?

A.Conditional Access policy with MFA grant and a registration campaign
B.Security defaults
C.Per-user MFA
D.Identity Protection user risk policy
AnswerA

The registration campaign prompts users to register MFA methods before the MFA requirement is enforced, meeting the scenario.

Why this answer

Conditional Access policies can include a registration campaign for combined security info registration, allowing users to preregister MFA methods before the policy requiring MFA is enforced. This provides a smooth user experience. Security defaults enforce MFA immediately without a pre-registration period.

Per-user MFA requires enabling MFA per user and does not include a registration campaign. Identity Protection user risk policy triggers MFA based on risk, not a blanket requirement.

133
MCQmedium

A compliance officer needs to discover and review documents in SharePoint Online that contain driver's license numbers, but the officer does not want to apply any protection actions automatically. Which Microsoft Purview solution should be used?

A.Data Lifecycle Management
B.Records Management
C.Data Classification
D.Information Protection
AnswerC

Data Classification includes Content Explorer, which enables browsing and reviewing items containing sensitive info without applying protection.

Why this answer

Data Classification in Microsoft Purview allows you to identify and label sensitive content, such as driver's license numbers, across SharePoint Online without automatically applying protection actions like encryption or access restrictions. This solution is ideal for discovery and review scenarios where the compliance officer needs to locate sensitive data but does not want to enforce automated policies.

Exam trap

Microsoft often tests the distinction between discovery-only solutions (Data Classification) and enforcement solutions (Information Protection), so the trap here is assuming that any sensitive data solution must automatically apply protection, leading candidates to choose Information Protection instead of Data Classification.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining or deleting content based on age or compliance requirements, not on discovering or reviewing specific sensitive data types. Option B is wrong because Records Management is designed to mark content as records for legal or regulatory retention, not for scanning or classifying content for sensitive information like driver's license numbers. Option D is wrong because Information Protection applies automatic protection actions (e.g., encryption, access restrictions) via sensitivity labels, which the compliance officer explicitly does not want to apply.

134
MCQhard

Your organization has Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A critical server is showing signs of a ransomware attack. You need to contain the threat while preserving forensic evidence for analysis. What should you do first?

A.Run a Live Response session to collect forensic data
B.Isolate the server from the network immediately
C.Run a full antivirus scan on the server
D.Initiate an automated investigation in Microsoft Defender XDR
AnswerD

Automated investigation collects evidence and contains threat.

Why this answer

Option D is correct because initiating an automated investigation will collect and analyze evidence while containing the threat. Option B is wrong because machine isolation is immediate but may not preserve evidence. Option A is wrong because live response is manual and may be slower.

Option C is wrong because full scan is slow and may not contain.

135
MCQmedium

A company uses Azure AD Connect with password hash synchronization. They want to enable Azure AD Seamless Single Sign-On (SSO) for users accessing Microsoft 365 from domain-joined devices on the corporate network. Which configuration is required on the on-premises Active Directory?

A.Create a computer account named AZUREADSSOACC in each AD forest
B.Install Azure AD Connect on a separate server
C.Enable Passthrough Authentication
D.Set the service connection point in Active Directory
AnswerA

This account is used by Azure AD Connect to sign users in silently.

Why this answer

Azure AD Seamless SSO requires a computer account named AZUREADSSOACC to be created in each on-premises AD forest. This account is used by Azure AD to sign Kerberos tickets for users accessing Microsoft 365 resources, enabling automatic sign-in without password prompts. The account must be created in the root domain of each forest and its password is managed automatically by Azure AD Connect.

Exam trap

The trap here is that candidates often confuse Seamless SSO with Passthrough Authentication or think a separate server is required, but the key requirement is the specific computer account AZUREADSSOACC in each forest, which is a unique Kerberos-based mechanism.

How to eliminate wrong answers

Option B is wrong because installing Azure AD Connect on a separate server is not a specific requirement for Seamless SSO; Azure AD Connect can be installed on any server, but the Seamless SSO feature itself does not mandate a separate server. Option C is wrong because Passthrough Authentication is an alternative authentication method that does not use password hash synchronization; enabling it would conflict with the stated requirement of using password hash synchronization. Option D is wrong because setting a service connection point in Active Directory is used for discovering Azure AD Connect or other services, not for enabling Seamless SSO; Seamless SSO relies on the AZUREADSSOACC computer account and Kerberos delegation, not an SCP.

136
MCQhard

You are reviewing a Conditional Access policy JSON for your Microsoft Entra ID tenant. The first policy blocks access from high-risk IP addresses. The second policy requires MFA for all users from trusted locations. You notice that users from high-risk IP addresses are still prompted for MFA instead of being blocked. What is the most likely cause?

A.The block policy does not specify MFA, so it is ignored.
B.The block policy is set to report-only mode, so it is not enforced.
C.The block policy has a lower priority than the grant policy.
D.The grant policy requires MFA for all users, overriding the block.
AnswerB

If report-only, the policy logs but doesn't block, so the grant policy applies.

Why this answer

Option B is correct. If the block policy had a lower priority than the grant policy, the grant policy could apply first; in this exhibit, however, the block policy has priority 1 and the grant policy has priority 2, and a lower number means higher priority, so ordering alone does not explain the behaviour. The grant policy's location condition is 'AllTrusted' and the block policy's is 'HighRiskIP'; a sign-in from a high-risk IP that is also considered 'trusted' is unlikely, so the conditions are not the cause either.

Conditional Access evaluates every policy that applies to a sign-in, and when a block policy and a grant policy both apply, the block takes precedence. One possibility is that the block policy's location condition does not match the user's IP address (the location is not recognized as HighRiskIP), in which case only the grant policy applies. The JSON, however, shows no state for the block policy, and a block policy in report-only mode logs its evaluation without blocking, which is the common reason a block is not enforced: users from high-risk IP addresses then fall through to the grant policy and are prompted for MFA. That is the most likely cause here.

Option C (priority) is wrong because priority 1 already outranks priority 2. Option D (the grant policy requiring MFA) is not the cause, because a grant policy cannot override an enforced block. Option A (the block policy not specifying MFA) is irrelevant to whether the block is enforced.

137
MCQmedium

A company uses Microsoft Entra ID P1 licenses. They want to allow access to a sensitive cloud application only from the company's trusted office IP ranges (10.0.0.0/24). However, the executive team (group "Execs") must be able to access the app from any location. Which Conditional Access policy configuration should the administrator use?

A.Include all users, exclude Execs group, and grant access with condition 'Location not in trusted locations'.
B.Include all users, exclude Execs group, and block access with condition 'Location not in trusted locations'.
C.Include Execs group, exclude all others, and grant access with condition 'Location in trusted locations'.
D.Include all users, include Execs group as an additional condition, and grant access with condition 'Location in trusted locations'.
AnswerB

This blocks non-Execs from accessing the app when they are not from trusted locations, while Execs are excluded and thus allowed from anywhere.

Why this answer

Option B is correct because the requirement is to block access from untrusted locations for all users except the Execs group. By including all users, excluding the Execs group, and setting a block control with the condition 'Location not in trusted locations', the policy ensures that only non-Exec users are blocked when accessing from outside the trusted IP range, while Execs remain unrestricted. This aligns with the principle of explicitly blocking unwanted access rather than granting access with conditions that could be bypassed.

Exam trap

The trap here is that candidates often confuse 'grant access with a condition' with 'block access with a condition', mistakenly thinking that granting access from trusted locations will automatically block access from untrusted locations, but in Conditional Access, grant controls only allow access when conditions are met—they do not implicitly deny access when conditions are not met unless a block control is explicitly configured.

How to eliminate wrong answers

Option A is wrong because granting access with a condition 'Location not in trusted locations' would allow access from untrusted locations, which is the opposite of the requirement to block such access. Option C is wrong because including only the Execs group and granting access from trusted locations would allow Execs to access the app only from trusted locations, contradicting the requirement that Execs must be able to access from any location. Option D is wrong because including Execs as an additional condition (not as an exclusion) and granting access from trusted locations would force Execs to also be restricted to trusted locations, again failing the requirement for Execs to have unrestricted access.

138
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom PowerShell script that runs in the user context after every device restart. Which Intune policy type should you use?

A.Compliance policy
B.PowerShell script as a 'Run this script using the logged on credentials' assignment.
C.Microsoft Intune PowerShell scripts (Devices > Scripts)
D.Device configuration profile
AnswerC

Intune PowerShell scripts can run in user context and on restart.

Why this answer

Option C is correct because Microsoft Intune PowerShell scripts (Devices > Scripts) allow you to deploy custom PowerShell scripts that run in the user context on Windows 10 devices. By configuring the script with 'Run this script using the logged on credentials' and setting the schedule to 'Run once per device' or 'Run on every device restart', you can ensure the script executes after every restart. This is the only Intune policy type designed specifically for deploying and managing custom PowerShell scripts with user context and restart-triggered execution.

Exam trap

The trap here is that candidates confuse the 'Run this script using the logged on credentials' setting (a configuration option within the PowerShell scripts feature) with a separate policy type, leading them to select Option B instead of recognizing that the correct policy type is 'Microsoft Intune PowerShell scripts (Devices > Scripts)'.

How to eliminate wrong answers

Option A is wrong because Compliance policies evaluate device settings against compliance rules and cannot run custom PowerShell scripts; they are used for conditional access and remediation actions, not script deployment. Option B is wrong because 'PowerShell script as a 'Run this script using the logged on credentials' assignment' is not a standalone policy type; it is a configuration option within the Intune PowerShell scripts feature (Devices > Scripts), and the question asks for the policy type, not a setting. Option D is wrong because Device configuration profiles manage settings via CSPs (Configuration Service Providers) and cannot execute arbitrary PowerShell scripts; they are limited to predefined settings and policies.

139
Multi-Selectmedium

You are the Microsoft 365 administrator for a large enterprise. You need to ensure that only users with a valid business justification can access sensitive data stored in SharePoint Online. The solution must enforce access reviews and provide detailed reports for auditors. Which TWO actions should you take?

Select 2 answers
A.Configure access reviews in Microsoft Entra ID Governance for the SharePoint site.
B.Deploy Microsoft Defender for Cloud Apps and create a session policy to monitor access.
C.Enable audit logging in Microsoft Purview and generate detailed access reports.
D.Apply a sensitivity label to the SharePoint site and require justification for label change.
E.Create a data loss prevention (DLP) policy to block unauthorized sharing.
AnswersA, C

Access reviews enable periodic attestation of access, meeting the requirement for business justification and audit reports.

Why this answer

Option A is correct because access reviews in Microsoft Entra ID Governance allow you to require users to attest to their continued need for access. Option C is correct because enabling audit logging in Microsoft Purview captures all access events and generates reports for auditors. Option B is wrong because Microsoft Defender for Cloud Apps is for cloud access security broker (CASB) capabilities, not directly for access reviews.

Option D is wrong because sensitivity labels are for classification and protection, not access reviews. Option E is wrong because data loss prevention (DLP) policies prevent data exfiltration but do not perform access reviews.

140
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user receives a malicious email attachment and then opens the attachment, resulting in a process being created (e.g., .exe file). Which two Advanced Hunting tables must be joined to correlate the email attachment with the resulting process?

Select 2 answers
A.EmailEvents and DeviceProcessEvents
B.EmailAttachmentInfo and DeviceProcessEvents
C.EmailAttachmentInfo and DeviceFileEvents
D.DeviceProcessEvents and IdentityLogonEvents
AnswersA, B

EmailEvents provides email metadata but not attachment-specific details like file hash needed for correlation with processes.

Why this answer

Option B is correct because correlating email attachment information with process creation requires joining the EmailAttachmentInfo table (which contains details about attachments like file name and SHA256 hash) with the DeviceProcessEvents table (which logs process creation events). This join allows the analyst to match the attachment's hash or file name to the process that was created when the user opened the attachment, directly linking the malicious email to the resulting executable.

Exam trap

The trap here is that candidates often confuse DeviceFileEvents with DeviceProcessEvents, thinking that file events (like saving an attachment) are sufficient, but the question explicitly requires detecting a process being created (execution), which only DeviceProcessEvents captures.

141
MCQmedium

Your organization uses Microsoft Purview Information Protection. You need to ensure that when users manually apply a 'Confidential' label to a document in Word, the document is automatically marked with a footer 'CONFIDENTIAL' and encrypted. What must you configure?

A.Modify the sensitivity label policy to include the footer.
B.Create a DLP rule that applies the footer and encryption.
C.Set up auto-labeling to apply the footer and encryption.
D.Configure the sensitivity label's settings to include the footer and encryption.
AnswerD

Sensitivity labels can define markings and encryption.

Why this answer

Sensitivity labels include settings for marking (footer) and encryption. These are configured in the label itself. Option B is incorrect because DLP policies do not apply markings.

Option C is incorrect because auto-labeling is for automatic application, not manual. Option A is incorrect because the sensitivity label policy publishes labels but doesn't define their actions.

142
MCQeasy

Your organization is migrating from on-premises Exchange to Exchange Online. You need to ensure that users can access their mailboxes during the migration with minimal interruption. Which migration method should you use?

A.Minimal hybrid migration.
B.Cutover migration.
C.Staged migration.
D.IMAP migration.
AnswerA

Allows moving mailboxes in batches with minimal user impact.

Why this answer

Option A is correct because a minimal hybrid migration allows you to move mailboxes in batches with minimal downtime. Option B is wrong because cutover migration requires all mailboxes to be moved at once, causing interruption. Option D is wrong because an IMAP migration does not preserve calendar and contacts.

Option C is wrong because a staged migration moves mailboxes in multiple batches but requires coexistence.

143
Multi-Selectmedium

Your organization uses Microsoft Defender XDR. You are configuring a custom detection rule to detect a specific behavior: a user runs a PowerShell script that connects to a known malicious IP address. Which TWO advanced hunting tables should you use in your KQL query to detect this behavior?

Select 2 answers
A.DeviceProcessEvents
B.DeviceRegistryEvents
C.DeviceLogonEvents
D.DeviceFileEvents
E.DeviceNetworkEvents
AnswersA, E

Captures process creation, including PowerShell.

Why this answer

Option A (DeviceProcessEvents) captures PowerShell process creation. Option E (DeviceNetworkEvents) captures network connections to IP addresses. Together they can correlate the script execution with the connection.

Option D is wrong because DeviceFileEvents captures file events, not processes. Option B is wrong because DeviceRegistryEvents captures registry changes. Option C is wrong because DeviceLogonEvents captures logon events.

144
Multi-Selecthard

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user opens a malicious email attachment, which launches a PowerShell process, and then that PowerShell process makes an outbound connection to a known malicious IP address. Which three Advanced Hunting tables must be joined in the KQL query?

Select 3 answers
A.EmailEvents, DeviceProcessEvents, DeviceNetworkEvents
B.EmailAttachmentInfo, DeviceProcessEvents, DeviceNetworkEvents
C.EmailEvents, DeviceProcessEvents, DeviceFileEvents
D.EmailAttachmentInfo, DeviceProcessEvents, DeviceLogonEvents
AnswersA, B, C

EmailEvents does not contain attachment-specific information such as file names; EmailAttachmentInfo is required.

Why this answer

Option B is correct because the detection requires tracking the attachment that initiated the process (EmailAttachmentInfo), the PowerShell process execution (DeviceProcessEvents), and the outbound network connection to a malicious IP (DeviceNetworkEvents). EmailAttachmentInfo provides the link between the email and the file, while EmailEvents lacks file-level details needed for this chain.

Exam trap

The trap here is that candidates often choose EmailEvents (Option A) thinking it captures attachment details, but EmailEvents lacks the file hash and name fields needed to join to process events, while EmailAttachmentInfo is the correct table for attachment-to-process correlation.

145
MCQeasy

Your organization uses Microsoft 365 Business Premium. You need to ensure that all Windows 10 devices are enrolled in Microsoft Intune and comply with a device compliance policy that requires BitLocker encryption and a minimum OS version. What should you do first?

A.Configure automatic enrollment in Microsoft Entra ID for Windows 10 devices.
B.Install the Intune Connector for Active Directory on a domain controller.
C.Deploy a configuration profile to enable BitLocker.
D.Create a device compliance policy in Microsoft Intune.
AnswerA

Automatic enrollment ensures devices are enrolled in Intune when they join Microsoft Entra ID.

Why this answer

To enforce Intune compliance policies on Windows 10 devices, the devices must first be enrolled in Intune. Automatic enrollment in Microsoft Entra ID (formerly Azure AD) is the prerequisite step that enables Windows 10 devices to automatically enroll in Intune when they join or are registered with Entra ID. Without this enrollment configured, no Intune policies—including compliance policies—can be applied to the devices.

Exam trap

The trap here is that candidates often jump to creating a compliance policy or deploying a configuration profile first, forgetting that without automatic enrollment enabled, Intune has no management relationship with the devices to apply those policies.

How to eliminate wrong answers

Option B is wrong because the Intune Connector for Active Directory is used for on-premises AD-joined devices to synchronize with Entra ID and enable hybrid Azure AD join, but it is not the first step required for Intune enrollment and compliance; automatic enrollment must be configured first. Option C is wrong because deploying a configuration profile to enable BitLocker is a subsequent step that can only be applied after devices are enrolled in Intune; it does not cause enrollment itself. Option D is wrong because creating a device compliance policy is also a later step that requires devices to already be enrolled in Intune; the policy cannot be assigned or evaluated until enrollment is established.

146
MCQhard

You are reviewing a conditional access policy in Microsoft Entra ID. The policy is intended to block legacy authentication. However, users are still able to connect using Exchange ActiveSync without modern authentication. What is the most likely reason?

A.The policy does not include the 'All' client apps condition; it only includes specific client app types.
B.The policy is not assigned to the affected users.
C.The grant control 'Block' is not supported for legacy authentication.
D.The policy is in report-only mode.
AnswerA

The policy only blocks 'exchangeActiveSync' and 'otherClients', but some legacy clients (like Outlook for iOS using basic auth) fall under 'mobile apps and desktop clients', which are not blocked.

Why this answer

Option A is correct because Conditional Access policies that block legacy authentication must include the 'All' client apps condition to cover Exchange ActiveSync (EAS). If the policy only targets specific client app types (e.g., browser or mobile apps and desktop clients) but omits 'All', EAS traffic using legacy authentication bypasses the policy. EAS is a separate client app type that requires explicit inclusion via the 'All' option to enforce blocking.

Exam trap

The trap here is that candidates assume selecting 'Mobile apps and desktop clients' covers all non-browser clients, but Exchange ActiveSync is a distinct legacy protocol that requires the 'All' client apps condition to be blocked.

How to eliminate wrong answers

Option B is wrong because if the policy were not assigned to the affected users, no users would be blocked, but the question states users are still able to connect, implying the policy is assigned but not covering EAS. Option C is wrong because the 'Block' grant control is fully supported for legacy authentication protocols, including EAS, when the policy is correctly configured. Option D is wrong because report-only mode would log the policy evaluation but not block access; however, the question states users are still able to connect, which could happen in report-only mode, but the most likely reason given the specific scenario is the missing 'All' client apps condition, not the mode.

147
MCQmedium

Your organization, Fabrikam Inc., uses Microsoft Entra ID with a hybrid identity configuration. You have 500 cloud-only users and 5,000 synced users from on-premises Active Directory. The company wants to implement a passwordless authentication strategy. The following requirements must be met: 1) All users must be able to sign in without a password on Windows 10/11 devices that are Microsoft Entra joined. 2) Users who are not assigned a mobile phone must be able to use a security key (FIDO2). 3) The solution must work for both cloud-only and synced users. 4) The passwordless method should require the lowest administrative overhead for enrollment. Which passwordless authentication method should you recommend?

A.Certificate-based authentication
B.Microsoft Authenticator app
C.FIDO2 security keys
D.Windows Hello for Business
AnswerD

Works on joined devices, supports all users, and can be deployed via policy.

Why this answer

Option D is correct because Windows Hello for Business works on Microsoft Entra joined devices, supports both cloud-only and synced users, and can be deployed with minimal enrollment effort. Option C is wrong because FIDO2 security keys require key distribution and enrollment. Option B is wrong because Microsoft Authenticator requires a mobile device.

Option A is wrong because certificate-based authentication requires PKI infrastructure.

148
MCQmedium

Your company uses Microsoft Entra ID and has an application that requires users to consent to permissions. You want to allow users to consent to low-risk permissions but require admin approval for high-risk permissions. What should you configure?

A.Set user consent to 'Do not allow user consent'.
B.Set user consent to 'Allow user consent for apps'.
C.Configure the 'Admin consent settings' to allow user consent for low-risk permissions and require admin consent for high-risk permissions.
D.Create a Conditional Access policy that blocks high-risk consent.
AnswerC

This enables differentiated consent based on risk.

Why this answer

Option C is correct because Microsoft Entra ID's admin consent settings allow you to configure a policy that permits user consent for low-risk permissions (e.g., those with no admin-restricted scopes) while requiring admin approval for high-risk permissions (e.g., those requiring admin consent). This granular control is achieved through the 'Admin consent settings' blade, where you can enable 'Allow user consent for apps' and then define a permission classification policy to categorize permissions as low or high risk.

Exam trap

The trap here is that candidates often confuse the 'Admin consent settings' with the 'User consent settings' or 'Conditional Access policies', mistakenly thinking that blocking all user consent or using a Conditional Access policy can achieve granular permission-level control, when in fact only the permission classification combined with admin consent settings provides this capability.

How to eliminate wrong answers

Option A is wrong because setting user consent to 'Do not allow user consent' would block all user consent, including low-risk permissions, which contradicts the requirement to allow users to consent to low-risk permissions. Option B is wrong because setting user consent to 'Allow user consent for apps' would permit users to consent to all permissions, including high-risk ones, without requiring admin approval, which fails to meet the requirement for admin approval on high-risk permissions. Option D is wrong because Conditional Access policies cannot directly block high-risk consent; they can control access based on risk but not the consent process itself, which is managed through consent and permission settings.

149
MCQhard

A compliance officer needs to ensure that all emails containing sensitive information (e.g., passport numbers) are automatically encrypted when sent to external recipients. The encryption should be enforced without requiring users to manually select an option. Which Microsoft Purview feature should they configure?

A.Data Loss Prevention (DLP) policy with encryption action
B.Sensitivity labels with auto-labeling
C.Message Encryption (OME) policies
D.Communication Compliance
AnswerA

DLP policies can be configured to automatically encrypt emails that contain sensitive data by using Rights Management.

Why this answer

A Data Loss Prevention (DLP) policy with encryption action is correct because it automatically detects sensitive information (e.g., passport numbers) using sensitive info types and enforces encryption via Microsoft Purview Message Encryption (OME) as a rule action. This ensures that when an email containing such data is sent to an external recipient, the email is automatically encrypted without requiring user intervention, meeting the compliance officer's requirement.

Exam trap

The trap here is that candidates often confuse sensitivity labels with auto-labeling as the solution for automatic encryption, but auto-labeling only applies labels based on conditions and does not enforce encryption unless the label itself is configured for encryption and the DLP policy triggers the action.

How to eliminate wrong answers

Option B is wrong because sensitivity labels with auto-labeling can classify and protect content but do not directly enforce encryption on outbound emails based on content detection; they require a DLP policy to trigger the encryption action. Option C is wrong because Message Encryption (OME) policies define encryption rules but are typically configured within DLP policies or mail flow rules; standalone OME policies do not automatically detect sensitive data and enforce encryption without additional conditions. Option D is wrong because Communication Compliance is designed to detect and investigate policy violations (e.g., harassment, insider trading) and does not provide automatic encryption of emails based on sensitive content.

150
MCQhard

Refer to the exhibit. You run a Content Search in Microsoft Purview eDiscovery (Standard) for emails containing a specific keyword. The result shows one item in the DeletedItems folder. What is the most likely reason this email appears?

A.The email was permanently deleted but retained by a retention policy.
B.The email is in the Recoverable Items folder.
C.The search includes deleted items by default.
D.The email is under an in-place hold.
AnswerB

Deleted items are moved to Recoverable Items.

Why this answer

Content Search searches all mailboxes, including the Recoverable Items folder (which contains soft-deleted items). The DeletedItems folder is searched by default. Option D is incorrect because the item is in DeletedItems, not under an in-place hold.

Option A is incorrect because retention policies preserve items, but the item is still in DeletedItems. Option C is incorrect because the search includes DeletedItems by default.
