You are a security administrator for a multinational company that uses Microsoft Defender XDR. You have deployed Microsoft Defender for Endpoint on all devices. The company has a strict policy that any device with a high-severity alert must be isolated from the network immediately. You need to configure an automated response that isolates the device as soon as a high-severity alert is generated. What should you do?
A. Enable 'Automatically investigate alerts' in the Microsoft Defender portal.
B. Use the Action Center to manually isolate devices as alerts come in.
C. Create a device group for high-severity alerts and configure a conditional access policy to block network access.
D. In Microsoft Defender XDR, navigate to Settings > Endpoints > Automated investigation and response, and configure the automation level for high-severity alerts to 'Full - remediate threats automatically'.
Answer: D
Correct: Automation level includes automatic isolation.
Why this answer
Option D is correct because automation levels in automated investigation and response allow automatic isolation for high-severity alerts. Option C is wrong because device groups are not directly linked to automatic isolation. Option B is wrong because the Action Center is for manual actions.
Option A is wrong because that setting controls automatic investigation, not isolation.
Which TWO are valid methods for adding custom domains to Microsoft 365?
Select 2 answers
A. Using the New-MsolDomain PowerShell cmdlet.
B. Using the Exchange admin center (EAC).
C. Using the Azure AD B2C tenant configuration.
D. Using the 'Add domain' wizard in the Microsoft 365 admin center.
E. Using the Windows DNS Manager console.
Answers: A, D
PowerShell can add and verify domains.
Why this answer
Option A is correct because the `New-MsolDomain` PowerShell cmdlet is a valid method for adding a custom domain to Microsoft 365. This cmdlet, part of the Azure Active Directory Module for Windows PowerShell, registers the domain in the tenant's directory, which is a prerequisite for verifying ownership and configuring services like Exchange Online or SharePoint Online.
Exam trap
The trap here is that candidates confuse the Exchange admin center's ability to manage 'accepted domains' with the initial domain addition process, or they mistakenly think on-premises DNS tools like Windows DNS Manager can directly add domains to Microsoft 365, when in fact they only handle the DNS verification records after the domain is registered in the tenant.
Your organization is using Microsoft Defender for Cloud Apps. You want to generate an alert when a user shares a file containing sensitive information with an external domain. You have configured a file policy with the condition: 'Inspection method: Data Classification Service' and 'Inspection type: Sensitive information type'. However, no alerts are triggered. What is the most likely reason?
A. The file is shared with an internal user only.
B. The policy is not applied to the specific cloud app.
C. The file size is too large for inspection.
D. The sensitive information type is not correctly configured in the data classification service.
E. The user is not licensed for Microsoft Defender for Cloud Apps.
Answer: D
The Data Classification Service must be properly set up with the correct sensitive info types.
Why this answer
Option D is correct because the Data Classification Service requires a Microsoft Purview Information Protection (MIP) scanner or label to be applied. Option B is wrong because the policy applies to all apps, not just one. Option A is wrong because external sharing can be detected.
Option E is wrong because a user license is not required. Option C is wrong because file size is not a limiting factor.
An administrator wants to add custom branding to the Microsoft 365 sign-in page, including company logo and colors. Which section of the Microsoft 365 admin center should they navigate to?
A. Users > Active users
B. Settings > Org settings > Organization profile
C. Admin centers > Azure Active Directory
D. Billing > Licenses
Answer: B
Correct. Organization profile contains the custom branding settings for the sign-in page.
Why this answer
The custom branding for the Microsoft 365 sign-in page, including company logo and colors, is configured under Settings > Org settings > Organization profile in the Microsoft 365 admin center. This section provides a dedicated 'Custom branding' tab where administrators can upload a logo, set a background image, and choose accent colors that are applied to the sign-in page for all users in the tenant.
Exam trap
The trap here is that candidates often confuse the Microsoft 365 admin center path with the Azure Active Directory admin center path, both of which have branding settings, but the question explicitly asks for the Microsoft 365 admin center navigation, making the Azure AD path (Option C) a distractor.
How to eliminate wrong answers
Option A is wrong because Users > Active users is used for managing individual user accounts, passwords, and licenses, not for tenant-wide branding settings. Option C is wrong because Admin centers > Azure Active Directory opens the Azure AD portal, which does contain branding settings (under 'Company branding'), but the question specifically asks for the Microsoft 365 admin center navigation path, not the Azure AD portal. Option D is wrong because Billing > Licenses is used to assign and manage subscription licenses, not to configure sign-in page branding.
Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from an anonymous IP address. Which type of policy should you create?
A. Session policy
B. File policy
C. Activity policy
D. App discovery policy
Answer: C
Activity policies can detect access from anonymous IPs.
Why this answer
Option C is correct because an activity policy can detect access from anonymous IP addresses. Option D is wrong because an app discovery policy is for discovering shadow IT. Option A is wrong because a session policy controls sessions.
Option B is wrong because a file policy monitors file sharing.
Your company has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the security administrator. You need to implement a solution that automatically detects and remediates identity risks. Requirements:
- Risky sign-ins (e.g., from anonymous IP addresses) should be automatically blocked.
- Users with confirmed compromised credentials should be forced to reset their password at next sign-in.
- You need to receive alerts when high-risk events occur.
- The solution must minimize false positives.
Which Microsoft Entra ID features should you combine?
A. Set up Microsoft Entra Identity Governance access reviews and enable self-service password reset.
B. Configure Conditional Access policies to block sign-ins from anonymous IP addresses and require password reset for all users.
C. Enable Microsoft Entra Identity Protection, configure a sign-in risk policy to block high-risk sign-ins, and a user risk policy to require password reset for high-risk users. Set up alerts for risk events.
D. Deploy Microsoft Defender for Cloud Apps to detect risky sign-ins and configure session policies.
Answer: C
Identity Protection provides automated risk-based policies and alerts.
Why this answer
Option C uses Identity Protection's risk policies for sign-in risk (block) and user risk (password reset), along with risk detection alerts. Option B (Conditional Access policies with generic conditions) does not use risk detection. Option A (Identity Governance) is about access reviews.
Option D (Defender for Cloud Apps) is more for cloud app discovery.
Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to ensure that when a user's on-premises Active Directory account is disabled, their Microsoft Entra ID account is also disabled within 30 minutes. What should you do?
A. Enable Azure AD Connect cloud sync.
B. Configure password hash synchronization to run every 30 minutes.
C. Configure Azure AD Connect to sync the 'userAccountControl' attribute and set the sync frequency to 30 minutes.
D. Enable password writeback.
Answer: C
By syncing the userAccountControl attribute and setting a short sync interval, account status changes are reflected quickly.
Why this answer
Option C is correct because you need to enable password hash sync (which is already enabled) and also enable Azure AD Connect sync for account status changes. Option B is wrong because that only changes password behavior. Option A is wrong because that does not affect account status.
Option D is wrong because that is for writing back password resets, not sync.
A development team builds a background service that needs to read all users' calendars via Microsoft Graph without a signed-in user. The service will run on a server with a client secret. Which OAuth 2.0 grant flow should the application use?
A. Authorization code grant
B. Device authorization grant
C. Client credentials grant
D. Implicit grant
Answer: C
This flow authenticates the application itself and is ideal for daemon services without user interaction.
Why this answer
The client credentials grant is designed for server-to-server, non-interactive scenarios where an application authenticates as itself (not on behalf of a user) to access resources. Since the background service runs with a client secret and needs to read all users' calendars without a signed-in user, this flow is the correct choice because it uses the application's own identity to obtain an access token from Microsoft Entra ID.
Exam trap
The trap here is that candidates often confuse delegated permissions with application permissions and incorrectly choose the authorization code grant, thinking a user context is always required for accessing user data, but the client credentials grant bypasses the user entirely by using app-only permissions.
How to eliminate wrong answers
Option A is wrong because the authorization code grant requires a signed-in user to authenticate and consent, which contradicts the requirement of no signed-in user. Option B is wrong because the device authorization grant is intended for devices with limited input capabilities (e.g., smart TVs, IoT) and still requires user interaction via a separate browser to sign in. Option D is wrong because the implicit grant is deprecated and was designed for single-page applications (SPAs) using browser-based flows; it also requires a signed-in user and does not support client secrets.
Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?
A. All users accessing all cloud apps are required to use MFA
B. Access to Office 365 from iOS and Android is blocked
C. All users on iOS or Android devices accessing Office 365 must use MFA and a compliant device
D. Users on mobile devices are required to use hybrid Azure AD joined devices
Answer: C
The policy includes both MFA and compliantDevice controls.
Why this answer
Option C is correct because the policy shown in the exhibit explicitly targets 'All users' and 'Office 365' as the cloud app, with conditions for 'iOS' and 'Android' device platforms. The grant controls require both 'Require multi-factor authentication' and 'Require device to be marked as compliant', meaning any user on an iOS or Android device accessing Office 365 must satisfy both MFA and device compliance. This is a common Conditional Access policy to enforce secure access from mobile devices.
Exam trap
The trap here is that candidates may misinterpret 'Require device to be marked as compliant' as requiring hybrid Azure AD join, but compliance is a separate concept managed by Intune and does not mandate hybrid join.
How to eliminate wrong answers
Option A is wrong because the policy does not apply to 'All cloud apps' — it is scoped specifically to 'Office 365' cloud app, not all cloud apps. Option B is wrong because the policy does not block access; it grants access only if MFA and device compliance are satisfied, which is a conditional grant, not a block. Option D is wrong because the policy does not require hybrid Azure AD joined devices; it requires the device to be marked as compliant, which can be achieved through Intune enrollment and compliance policies, not necessarily hybrid join.
A company uses Azure AD Identity Protection. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. Which policy should be configured?
A. User risk policy
B. Sign-in risk policy
C. MFA registration policy
D. Identity Protection vulnerabilities policy
Answer: B
Sign-in risk policy evaluates the risk of each sign-in and can block access from known malicious IP addresses or high-risk sign-ins.
Why this answer
The Sign-in risk policy in Azure AD Identity Protection is specifically designed to respond to risks detected during the authentication attempt, such as sign-ins from known malicious IP addresses. When a sign-in is flagged as having a high risk level (e.g., from a known malicious IP), the policy can be configured to automatically block the sign-in. This directly addresses the security team's requirement to block sign-ins from malicious IPs.
Exam trap
The trap here is that candidates often confuse the User risk policy (which deals with account compromise) with the Sign-in risk policy (which deals with session-level threats like IP reputation), leading them to select the User risk policy instead of the correct Sign-in risk policy.
How to eliminate wrong answers
Option A is wrong because the User risk policy responds to risks associated with a user's account (e.g., leaked credentials or anomalous behavior), not to risks detected during a specific sign-in attempt like IP reputation. Option C is wrong because the MFA registration policy enforces that users register for multifactor authentication, but it does not evaluate or block sign-ins based on IP address risk. Option D is wrong because there is no 'Identity Protection vulnerabilities policy' in Azure AD Identity Protection; vulnerabilities are managed via other tools like Microsoft Secure Score, not a policy that blocks sign-ins.
Your organization uses Microsoft 365 E5 and has deployed Microsoft Defender for Cloud Apps. You discover that a user in the finance department is using a personal cloud storage app to store sensitive financial data. The app is unsanctioned. You need to prevent any further uploads of sensitive data to this app. Additionally, you want to automatically alert when users attempt to access this app from unmanaged devices. You must not block access entirely, as some users need to read data already stored there. What should you configure?
A. Configure app governance in Defender for Cloud Apps to revoke the app's permissions.
B. Create an access policy in Defender for Cloud Apps that blocks all access to the app from unmanaged devices and blocks uploads from all devices.
C. Create a file policy in Defender for Cloud Apps that detects sensitive data and automatically applies a DLP label.
D. Create a session policy in Defender for Cloud Apps that blocks uploads for the unsanctioned app and requires conditional access app control for unmanaged devices.
Answer: D
Session policies allow granular control over activities like uploads and can enforce conditional access.
Why this answer
Option D is correct because a session policy can monitor and control activities in the app, blocking uploads while allowing reads, and can apply conditional access for unmanaged devices. Option B is wrong because an access policy would block all access. Option C is wrong because a file policy does not control user sessions.
Option A is wrong because app governance does not provide session-level controls.
Your organization has Microsoft Defender for Office 365 Plan 2. You need to ensure that when a user reports a phishing email using the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the result. What should you configure?
A. Create a Safe Links policy to block the reported email
B. Configure an anti-phishing policy to automatically submit reported emails
C. Use a mail flow rule to send reported emails to a custom mailbox
D. Configure a submission policy in the Microsoft 365 Defender portal
Answer: D
Submission policies define how user-reported messages are handled.
Why this answer
Option D is correct because a submission policy in the Microsoft 365 Defender portal defines the behavior for user-reported messages. Option B is wrong because anti-phishing policies handle detection, not user reporting. Option A is wrong because Safe Links policies protect links.
Option C is wrong because mail flow rules handle routing, not user submissions.
A security administrator needs to block executable files (e.g., .exe, .ps1) from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?
A. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B. Block executable content from email client and webmail
C. Block Office applications from creating child processes
D. Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Answer: A
This rule blocks executables in common writable folders if they are not prevalent or trusted, covering %TEMP%.
Why this answer
ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) is designed specifically to block executables (including .exe, .ps1, .scr, .dll) from launching from locations like %TEMP%, %APPDATA%, and the Windows folder, which are common malware staging areas. This rule uses cloud-delivered reputation (prevalence and age) and a Microsoft-managed trusted list to allow legitimate files while blocking unknown or suspicious ones, directly addressing the requirement to prevent malware execution from %TEMP%.
Exam trap
The trap here is that candidates confuse ASR rules by their generic names — they might pick 'Block executable content from email client and webmail' because it mentions 'executable content,' but the question specifically targets execution from the %TEMP% folder, not email delivery.
How to eliminate wrong answers
Option B is wrong because 'Block executable content from email client and webmail' targets executable attachments and scripts in email/webmail clients (e.g., Outlook, Gmail) to prevent phishing-based malware delivery, not execution from local folders like %TEMP%. Option C is wrong because 'Block Office applications from creating child processes' prevents Office apps (Word, Excel, etc.) from spawning child processes (e.g., cmd.exe, powershell.exe), which stops macro-based attacks but does not restrict executables already in %TEMP%. Option D is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' specifically protects LSASS memory from being dumped or accessed by tools like Mimikatz, addressing credential theft, not executable execution from %TEMP%.
A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?
A. Threat Analytics
B. Automated Investigation and Response
C. Advanced Hunting
D. Secure Score
Answer: B
AIR automates the investigation and response across multiple domains including endpoints, email, and identities.
Why this answer
Automated Investigation and Response (AIR) in Microsoft Defender XDR is the correct capability because it automatically triggers playbooks to investigate and remediate alerts across Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. AIR uses predefined or custom automation rules to correlate signals from these sources, run investigations, and apply remediation actions like isolating devices or blocking accounts without manual intervention.
Exam trap
The trap here is that candidates often confuse Threat Analytics (which provides threat intelligence) with Automated Investigation and Response (which executes automated remediation), leading them to select A when the question explicitly asks for a capability that 'automatically investigates and remediates' alerts.
How to eliminate wrong answers
Option A is wrong because Threat Analytics is a reporting and intelligence feature that provides threat actor profiles, attack techniques, and recommended mitigations, but it does not perform automated investigation or remediation actions. Option C is wrong because Advanced Hunting is a query-based tool using Kusto Query Language (KQL) to manually search for threats across raw data tables, not an automated response mechanism. Option D is wrong because Secure Score is a security posture measurement tool that tracks configuration improvements and recommendations, not a capability for investigating or responding to active alerts.
Which TWO actions can you perform using Microsoft Entra ID Governance? (Choose two.)
Select 2 answers
A. Manage device compliance policies
B. Automate user access reviews
C. Configure single sign-on for SaaS apps
D. Delegate administrative roles
E. Manage entitlement management
Answers: B, E
Access reviews are a core governance feature.
Why this answer
Options B and E are correct. Option A is wrong because managing device compliance is an Intune function. Option C is wrong because configuring SSO is not a governance task.
Option D is wrong because delegation is not a primary governance feature.
You are a Microsoft 365 administrator for a multinational company. The security team reports that a large number of failed sign-in attempts are originating from unexpected IP ranges. The company uses Microsoft Entra ID for identity. What should you configure to automatically block these malicious sign-ins?
A. Enable Security defaults in the tenant
B. Configure Identity Protection user risk policy to block high-risk users
C. Enable Azure AD Multi-Factor Authentication for all users
D. Create a Conditional Access policy to block access from those IP ranges
Answer: D
Conditional Access can block sign-ins from specified locations or IP ranges.
Why this answer
The correct solution is a Conditional Access policy with a location condition to block access from those IP ranges. Option C (MFA) does not block by IP. Option B (Identity Protection) can detect risk but does not directly block by IP.
Option A (Security defaults) is basic and may not allow custom IP blocking.
You are investigating a potential security incident in Microsoft Defender XDR. The incident involves a user who received a phishing email and clicked a link that executed a PowerShell script. You need to perform a detailed investigation of the PowerShell script's behavior across all affected devices. Which feature should you use?
A. Advanced hunting in Microsoft Defender XDR.
B. The Action Center in Microsoft Defender XDR.
C. Live Response from Microsoft Defender for Endpoint.
D. The device timeline in the Microsoft 365 Defender portal.
Answer: A
Advanced hunting uses KQL to query data from multiple sources, enabling cross-device investigation.
Why this answer
Option A is correct because advanced hunting in Microsoft Defender XDR allows you to query across devices, emails, and other data sources to investigate the script's execution and impact. Option C is wrong because Live Response is for real-time incident response on a single device. Option B is wrong because the Action Center is for reviewing pending actions.
Option D is wrong because the Microsoft 365 Defender portal's device timeline shows events on one device only.
A compliance officer needs to ensure that all emails containing payment card information (PCI) are automatically encrypted when sent to external recipients. The encryption should occur without user intervention. Which two features should be configured together? (Choose two.)
Select 2 answers
A. Data Loss Prevention (DLP) policy with encryption action
B. Sensitivity label with encryption
C. Microsoft Purview Message Encryption
D. Transport rule with encryption
Answers: A, B
Correct. A DLP policy can be set to automatically apply a sensitivity label that enforces encryption when PCI is detected.
Why this answer
Option A is correct because a Data Loss Prevention (DLP) policy in Microsoft Purview can be configured with an encryption action that automatically encrypts emails containing sensitive information, such as payment card information (PCI), when sent to external recipients. This encryption occurs without user intervention, meeting the compliance officer's requirement. The DLP policy uses built-in sensitive information types (e.g., Credit Card Number) to detect PCI and applies rights management protection via Azure Information Protection.
Exam trap
The trap here is that candidates often confuse sensitivity labels with automatic encryption enforcement, not realizing that a sensitivity label alone cannot automatically encrypt outbound emails based on content detection without a DLP policy or auto-labeling policy to trigger it.
Your company uses Microsoft Entra ID and wants to enforce that all users register for MFA within 14 days of account creation. Which policy should you configure?
A. Authentication methods policy with 'Registration campaign' targeting users
B. Conditional access policy with 'Require multifactor authentication'
C. Microsoft Entra ID Protection sign-in risk policy
D. Microsoft Entra ID Protection user risk policy
Answer: A
The registration campaign forces users to register MFA within a set number of days.
Why this answer
Option A is correct because the Authentication methods policy in Microsoft Entra ID can be used to set a registration campaign that requires users to register for MFA within a specified timeframe. Option B is wrong because Conditional Access policies enforce MFA during sign-in, not registration. Option C is wrong because Identity Protection policies address risk, not registration.
Option D is wrong because the user risk policy is for risk-based remediation. A separate MFA registration policy is not offered as an option because MFA registration is part of the Authentication methods policy.
You are reviewing a Microsoft Defender for Cloud Apps file policy. The exhibit shows a policy snippet. What is the effect of this policy?
A. It blocks all Office files from the internet
B. It allows all Office files from the internet regardless of size
C. It blocks Office files larger than 10 MB from the internet
D. It allows Office files between 10 MB and 100 MB from the internet
Answer: D
The policy allows files meeting conditions; the name is misleading.
Why this answer
Option D is correct because the policy action is 'Allow' but the name is 'BlockLargeOfficeFiles', which is misleading. Option A is wrong because the policy allows files. Option C is wrong because the policy doesn't block.
Which THREE steps are required to enable group-based licensing?
Select 3 answers
A. Configure Azure AD Connect
B. Add members to the group
C. Create a security group
D. Ensure group is mail-enabled
E. Assign a license to the group
Answers: B, C, E
Members inherit license.
Why this answer
Option B is correct because group-based licensing in Azure AD requires that you add members to the security group that will have the license assigned. Without members, the license assignment has no effect, as the license is applied to all users in the group. This step ensures that the intended users receive the license automatically based on group membership.
Exam trap
The trap here is that candidates often think Azure AD Connect is required for any group-based operation, but group-based licensing is a cloud-native feature that does not require hybrid synchronization; the only prerequisites are an Azure AD tenant, a security group, and a valid license SKU.
You are a Microsoft 365 administrator. Your organization uses Microsoft Entra ID and Microsoft Intune for device management. You need to ensure that only compliant devices can access corporate email via Microsoft Outlook on mobile devices. What should you configure?
A. Create a Conditional Access policy with 'Require device to be marked as compliant'
B. Deploy app protection policies (MAM) for Outlook
C. Enable Microsoft Entra device registration
D. Create a device compliance policy in Intune
Answer: A
This enforces that only compliant devices can access.
Why this answer
Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce 'Require device to be marked as compliant' as a grant control. This ensures that only devices meeting your Intune compliance policies (e.g., encryption, OS version, threat level) are allowed to access corporate email via Outlook on mobile devices. The policy evaluates device compliance status reported by Intune and blocks access if the device is non-compliant.
Exam trap
The trap here is that candidates often confuse device compliance policies (which define rules) with Conditional Access policies (which enforce access decisions), or they assume MAM policies alone can block non-compliant devices, but MAM does not evaluate device compliance status.
How to eliminate wrong answers
Option B is wrong because app protection policies (MAM) manage data protection at the app level (e.g., prevent copy-paste, require PIN) but do not enforce device-level compliance; they can be applied to unmanaged devices but do not check Intune compliance status. Option C is wrong because enabling Microsoft Entra device registration is a prerequisite for device-based Conditional Access but alone does not enforce compliance; it merely creates a device identity in Entra ID. Option D is wrong because a device compliance policy in Intune defines the compliance rules (e.g., require BitLocker, minimum OS) but does not enforce access control; it must be paired with a Conditional Access policy to block non-compliant devices.
An administrator wants to add a custom domain 'contoso.com' to a new Microsoft 365 tenant. The domain is already registered and available. What is the first step the administrator should perform in the Microsoft 365 admin center?
A. Add the domain and verify ownership by creating a TXT record
B. Create user accounts with the new domain
C. Configure email routing with MX records
D. Set up SharePoint Online with the new domain
Answer: A
Correct. Domain verification is required before using the domain for services.
Why this answer
The first step when adding a custom domain to a Microsoft 365 tenant is to add the domain in the admin center and then verify ownership by creating a TXT record in the domain's DNS zone. This proves you control the domain before any services (like email or SharePoint) can be configured. Without verification, Microsoft 365 will not allow further domain-related setup.
Exam trap
The trap here is that candidates may think MX record configuration is the first step because they associate domains primarily with email, but Microsoft 365 requires ownership verification via TXT record before any service-specific DNS changes are allowed.
How to eliminate wrong answers
Option B is wrong because user accounts cannot be created with the new domain until the domain is verified; attempting to do so will fail. Option C is wrong because configuring email routing with MX records is a later step that requires the domain to be verified first. Option D is wrong because setting up SharePoint Online with the new domain also depends on prior domain verification and is not the initial step.
Your organization uses Microsoft Entra ID Governance. You need to ensure that access reviews are automatically created for all guest users in the tenant and that reviews are sent to the guest users' managers for approval. You configure an access review policy. Which identity governance feature should you use?
A. Terms of Use
B. Entitlement Management
C. Access Reviews
D. Privileged Identity Management
Answer: B
Entitlement Management automates access reviews for guest users.
Why this answer
B is correct because Entitlement Management in Microsoft Entra ID Governance allows you to configure access review policies that automatically create reviews for guest users and assign them to the guest users' managers for approval. This feature integrates with access reviews to enforce governance over external identities, ensuring that guest access is periodically recertified by the appropriate authority.
Exam trap
The trap here is that candidates confuse the Access Reviews feature (which is the review execution engine) with the policy configuration layer (Entitlement Management) that actually automates the creation and assignment of reviews for guest users.
How to eliminate wrong answers
Option A is wrong because Terms of Use is a feature for presenting legal or policy documents to users before granting access, not for creating automated access reviews or routing them to managers. Option C is wrong because Access Reviews is the underlying mechanism for reviewing access, but it does not by itself automatically create reviews for all guest users or send them to managers; it requires configuration through Entitlement Management or another policy to define the scope and reviewer assignment. Option D is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation and approval workflows for elevated roles, not on recurring access reviews for guest users or manager-based approvals.
A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'Emergency' must be excluded from MFA requirements. Which Conditional Access policy configuration should the administrator use?
A.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant access (not MFA), and set location condition to trusted networks only.
B.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to any network or location.
C.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to any network or location except trusted networks.
D.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to trusted networks only.
AnswerC
This correctly requires MFA only from untrusted networks and excludes the Emergency group.
Why this answer
Option C is correct because the requirement is to enforce MFA for all users from untrusted networks, while excluding the Emergency group. The Conditional Access policy must be assigned to all users, exclude the Emergency group, include all cloud apps, require MFA as a grant control, and use a location condition set to 'any network or location except trusted networks' to target only untrusted locations. This configuration ensures MFA is triggered only when access originates from networks not defined as trusted corporate locations.
Exam trap
The trap here is that candidates often confuse the location condition logic, mistakenly selecting 'trusted networks only' (Option D) thinking it applies MFA to trusted networks, when in fact it applies the policy only when the user is on a trusted network, which is the opposite of the requirement.
How to eliminate wrong answers
Option A is wrong because it grants access without MFA and sets the location condition to trusted networks only, which would allow access from trusted networks without MFA but would not enforce MFA from untrusted networks, completely missing the requirement. Option B is wrong because it sets the location condition to 'any network or location', which would require MFA even from trusted corporate locations, violating the requirement to enforce MFA only from untrusted networks. Option D is wrong because it sets the location condition to trusted networks only, which would require MFA only when users access from trusted networks, the opposite of the requirement to enforce MFA from untrusted networks.
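The Option C configuration expressed as a Microsoft Graph PowerShell call, added here as a worked example (it is not part of the original question set). It assumes the Microsoft.Graph module, a caller holding Policy.ReadWrite.ConditionalAccess and Group.Read.All, a group literally named 'Emergency', and that the corporate networks are already defined as trusted named locations, which is what the 'AllTrusted' exclusion refers to. The policy is created in report-only mode first, which is the check a practitioner wants before a location-based MFA rule goes live.

```powershell
# Added example, not from the original page. Assumptions: Microsoft.Graph module installed,
# a group named 'Emergency' exists, and trusted named locations are already defined.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

$emergency = Get-MgGroup -Filter "displayName eq 'Emergency'"
if (-not $emergency) { throw "Emergency group not found; create the break-glass group first" }

$policy = @{
    DisplayName = "Require MFA from untrusted locations"
    # Report-only: sign-in logs show what WOULD have required MFA without enforcing anything yet.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users        = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($emergency.Id)      # break-glass exclusion from the question
        }
        Applications = @{ IncludeApplications = @("All") }
        Locations    = @{
            # 'All' minus 'AllTrusted' is Option C: any network or location except trusted networks.
            IncludeLocations = @("All")
            ExcludeLocations = @("AllTrusted")
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the location condition back so a reviewer can confirm the include/exclude pair is the right way round
# (Option D's mistake is swapping them).
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).Conditions.Locations |
    Format-List IncludeLocations, ExcludeLocations

# After validating report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled
```

The Emergency group is the break-glass pattern: its members should be excluded from every Conditional Access policy, protected by long random passwords or FIDO2 keys, and have sign-in alerts configured, because the exclusion means they never get the MFA prompt.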
A compliance officer needs to prevent users from sharing protected health information (PHI) with external users in Microsoft Teams chat messages. When a user attempts to send a message containing a known PHI data type (e.g., medical record numbers), the message should be blocked and the sender should see a policy tip. Which Microsoft Purview solution should the officer configure?
A.Communication compliance policy
B.Data Loss Prevention (DLP) policy for Teams
C.Sensitivity labels applied to Teams
D.Information barriers
AnswerB
DLP policies can be applied to Teams chat and channels, detecting sensitive info and blocking the message with a policy tip.
Why this answer
Option B is correct because a Data Loss Prevention (DLP) policy for Microsoft Teams can be configured to detect and block sensitive information types, such as medical record numbers (a PHI data type), in chat messages. When a match occurs, the policy can block the message and display a policy tip to the sender, meeting the compliance officer's requirement.
Exam trap
The trap here is that candidates often confuse Communication compliance (which reviews sent messages) with DLP (which blocks messages in transit), leading them to select Option A despite the requirement for real-time blocking and policy tips.
How to eliminate wrong answers
Option A is wrong because Communication compliance policies are designed to detect and review inappropriate or policy-violating communications (e.g., harassment, insider trading) after they are sent, not to block messages in real-time or enforce data loss prevention rules. Option C is wrong because sensitivity labels applied to Teams control access and protection (e.g., encryption, visual markings) at the container or file level, not the content of individual chat messages. Option D is wrong because Information barriers are used to prevent specific groups of users from communicating with each other (e.g., to avoid conflicts of interest), not to scan message content for sensitive data types like PHI.
Refer to the exhibit. You are reviewing an anti-phishing policy configuration in Microsoft Defender for Office 365. The policy is applied to all users. A user reports that a legitimate email from a known vendor (domain contoso.com) was quarantined. The email contained a link to a rarely visited website. The link was not malicious. Which setting in the policy is most likely causing the false positive?
A.EnableMailboxIntelligence: true
B.EnableSimilarDomainsSafetyTips: true
C.PhishThresholdLevel: 2
D.EnableUnusualCharactersSafetyTips: false
AnswerB
Similar domains safety tips can cause false positives when a known domain is similar to a flagged domain.
Why this answer
Option B is correct because EnableSimilarDomainsSafetyTips flags messages whose sender domain closely resembles a domain the policy protects against impersonation; a legitimate vendor domain such as contoso.com can look similar enough to a protected domain to trip the check. Option A is wrong because mailbox intelligence uses each user's communication history to reduce, not cause, impersonation false positives. Option C is a less likely cause: PhishThresholdLevel 2 (Aggressive, one step above the Standard default of 1) raises overall phishing sensitivity but is not tied to a vendor domain resembling a protected one. Option D is wrong because the unusual-characters safety tip is disabled in this policy and in any case inspects the sender's name and domain, not links.
Before changing the policy, confirm what actually fired: the quarantine entry and Threat Explorer show the detection technology for the message. The precise fix is then to add the vendor domain to the policy's trusted senders and domains rather than to switch the check off for every user.
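The inspection and the narrow fix, as an added Exchange Online PowerShell example (not from the original page). It assumes the ExchangeOnlineManagement module, a role that can read and change threat policies, and that the policy in the exhibit is a custom policy named 'AllUsers-AntiPhish'; that name and the vendor address are placeholders.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement and a placeholder policy name.
Connect-ExchangeOnline -ShowBanner:$false

$policyName = "AllUsers-AntiPhish"
$p = Get-AntiPhishPolicy -Identity $policyName

# Step 1: the settings in the exhibit, plus the impersonation lists those settings act on.
$p | Format-List Name, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
    EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips,
    EnableTargetedDomainsProtection, TargetedDomainsToProtect, EnableOrganizationDomainsProtection,
    ExcludedDomains

# Step 2: find the message before touching the policy; the Status column shows whether it was quarantined,
# and Threat Explorer in the portal shows which detection technology fired.
Get-MessageTrace -SenderAddress "vendor@contoso.com" -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Select-Object Received, RecipientAddress, Subject, Status

# Step 3: least-privilege fix. ExcludedDomains is the policy's 'trusted senders and domains' list for
# impersonation protection, so only contoso.com is exempted and the check stays on for everyone else.
$excluded = @($p.ExcludedDomains) + "contoso.com" | Select-Object -Unique
Set-AntiPhishPolicy -Identity $policyName -ExcludedDomains $excluded

(Get-AntiPhishPolicy -Identity $policyName).ExcludedDomains

# Only if the exception does not resolve the false positives should the global toggle change:
# Set-AntiPhishPolicy -Identity $policyName -EnableSimilarDomainsSafetyTips $false
```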
You are configuring Microsoft Defender for Identity to monitor on-premises Active Directory. You need to ensure that honeytoken accounts are configured to detect attackers attempting to use them. What is a honeytoken account?
A.A service account used for application authentication
B.A disabled user account that cannot be used for sign-in
C.A fake user account created to attract attackers
D.A real user account with high privileges used for monitoring
AnswerC
Honeytoken accounts are decoys to detect lateral movement.
Why this answer
Option C is correct because a honeytoken account is a decoy: a dormant account that no legitimate person or process uses, so any authentication attempt against it is attacker activity, and once the account is tagged as a honeytoken in Defender for Identity every logon attempt or Kerberos request involving it raises an alert. Option A is wrong because a service account is a real identity that applications use legitimately, so activity on it is expected. Option B is wrong because a disabled account is not a decoy by definition; a honeytoken is normally left enabled and made to look valuable so that an attacker tries it. Option D is wrong because a real privileged account generates legitimate activity that cannot be told apart from attacker use, and compromising it causes real damage.
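How a decoy account is built on the Active Directory side, as an added example (not from the original page). It assumes the ActiveDirectory RSAT module on a domain-joined administrative host; the account name, OU, description text and SPN are placeholders chosen to look like a forgotten service account. Tagging the account as a honeytoken is done afterwards in the Defender portal, which is the step the question is really about.

```powershell
# Added example, not from the original page. Placeholders: account name, OU, description, SPN.
Import-Module ActiveDirectory

$name = "svc-backup-legacy"
$ou   = "OU=Service Accounts,DC=corp,DC=contoso,DC=com"

# Long random password from a CSPRNG. Nobody should ever sign in with this account, so the
# password is deliberately not recorded anywhere.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@corp.contoso.com" -Path $ou `
    -Description "Legacy backup service account - do not disable (placeholder ticket ref)" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# An SPN makes the account appear in Kerberoasting enumeration (setspn -Q, Rubeus, etc.);
# a TGS request for this SPN is a tripwire, because no real service ever asks for it.
Set-ADUser -Identity $name -ServicePrincipalNames @{Add = "MSSQLSvc/backup-legacy.corp.contoso.com:1433"}

# Deliberately no group membership beyond Domain Users: the decoy should look valuable, not be valuable.
Get-ADUser $name -Properties Description, ServicePrincipalNames, MemberOf |
    Format-List Name, Enabled, Description, ServicePrincipalNames, MemberOf

# Next step (portal, not PowerShell): Microsoft Defender portal > Settings > Identities > Entity tags >
# Honeytoken, add this account. MDI then alerts on any authentication attempt against it.
```

Leave the account out of any password rotation or account-cleanup automation, or the automation itself will trigger the alerts.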
Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) policies to protect sensitive data in Microsoft Teams. You need to ensure that DLP policies apply to both chat and channel messages. What should you configure?
A.Configure a DLP policy for Exchange Online to cover Teams messages.
B.Assign a sensitivity label to the Teams with a DLP policy attached.
C.Create two separate DLP policies: one for chat and one for channels.
D.Create a single DLP policy with the Teams location selected.
AnswerD
Selecting Teams location automatically applies to both chat and channel messages.
Why this answer
Option D is correct because Microsoft Purview DLP policies can be configured to include the Teams location, which automatically covers both chat and channel messages. When you select the Teams location in a single DLP policy, it applies to all Teams communications, including 1:1 chats, group chats, and channel conversations, without needing separate policies.
Exam trap
The trap here is that candidates often think chat and channel messages require separate DLP policies due to their different storage locations, but Microsoft Purview abstracts this complexity by allowing a single Teams location selection that covers both.
How to eliminate wrong answers
Option A is wrong because the Exchange location in a DLP policy covers email only; Teams chat and channel messages are evaluated under the separate Teams location, even though compliance copies of those messages are stored in Exchange mailboxes. Option B is wrong because sensitivity labels classify and protect content, but they are not attached to DLP policies; a DLP rule can use a label as a condition, but assigning a label to a team does not enforce DLP on its messages. Option C is wrong because two separate policies for chat and channels are unnecessary; a single DLP policy with the Teams location selected covers both automatically.
You are the Microsoft 365 administrator for Contoso Ltd. The compliance team needs to implement data lifecycle management and records management using Microsoft Purview. Which three of the following actions should you take to meet these requirements? (Choose three.)
Select 3 answers
A.Create retention labels that automatically apply a retention policy to documents containing personally identifiable information (PII).
B.Configure a file plan for records management to define retention schedules and disposal reviews.
C.Publish retention labels so that users can manually apply them to items in SharePoint and OneDrive.
D.Use data loss prevention (DLP) policies to automatically delete emails containing credit card numbers after 30 days.
E.Deploy Microsoft Purview Compliance Manager to automate the deletion of stale data in Exchange Online.
F.Enable audit logging to automatically enforce retention periods for all Microsoft 365 workloads.
AnswersA, B, C
Why this answer
Option A is correct because retention labels that are auto-applied based on sensitive information types (such as PII) implement data lifecycle management by classifying and then retaining or deleting content without user intervention. Option B is correct because the file plan is the records-management construct that defines retention schedules, record settings and disposition reviews for the labels. Option C is correct because publishing labels through a label policy is what makes them available for users to apply manually in SharePoint and OneDrive. Option D is wrong because DLP policies detect and block sharing of sensitive data; they have no age-based deletion action. Option E is wrong because Compliance Manager is an assessment and scoring tool, not a deletion engine. Option F is wrong because audit logging records activity; it does not enforce retention.
Exam trap
The trap here is confusing the purpose of DLP policies (data loss prevention) with retention policies (data lifecycle management), leading candidates to incorrectly select DLP for deletion tasks.
Refer to the exhibit. You have a DLP policy in test mode as shown. A user reports that they received a notification that sharing credit card numbers is blocked, but they were still able to share them. What is the most likely reason?
A.The rule action 'BlockAccess' is not included in the policy.
B.The policy is in test mode, which does not enforce actions.
C.The condition 'SensitiveInformation' is not configured correctly.
D.The notification is not enabled in the policy.
AnswerB
Test mode allows you to see what would be blocked without actually blocking.
Why this answer
Option B is correct because a DLP policy in test mode with notifications evaluates its rules and shows policy tips and notifications, but does not execute the blocking action; the user therefore sees the 'blocked' message while the share still goes through. Option A is wrong because the exhibit's rule does include BlockAccess; test mode simply does not enforce it. Option C is wrong because the condition evidently matched, otherwise no notification would have appeared. Option D is wrong for the same reason: the notification fired, so it is enabled.
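One Security & Compliance PowerShell script that ties together the three Teams DLP questions above: the PHI policy that blocks messages to external recipients and shows a policy tip, the single Teams location that covers both chat and channel messages, and the test-mode behaviour from the last question. This is an added example, not part of the original page. It assumes Connect-IPPSSession with a Compliance Administrator role; the policy and rule names are placeholders, and the sensitive information type name must be replaced with the built-in or custom type the tenant uses for medical record numbers.

```powershell
# Added example, not from the original page. Placeholders: policy/rule names, SIT name.
Connect-IPPSSession

$policyName = "Teams-PHI-External"

# The SIT name must match an existing type exactly; list candidates before relying on one:
#   Get-DlpSensitiveInformationType | Where-Object Name -like "*medical*" | Select-Object Name
$sit = "Medical Record Number"   # placeholder; substitute the type your tenant uses for MRNs

# One policy, Teams location only: that single location already covers 1:1 chat, group chat and channels.
# TestWithNotifications is test mode with policy tips: users see the tip, nothing is blocked.
New-DlpCompliancePolicy -Name $policyName -TeamsLocation All -Mode TestWithNotifications `
    -Comment "Block PHI in Teams messages to external recipients"

New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{Name = $sit; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains protected health information and cannot be sent to external recipients."

# The 'I saw the tip but it still sent' report is answered by one property: Mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Enabled, TeamsLocation

# After the DLP activity report shows only expected matches, enforce the block.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
(Get-DlpCompliancePolicy -Identity $policyName).Mode
```

AccessScope NotInOrganization scopes the rule to messages where a recipient is outside the tenant, so internal PHI discussion is not blocked; drop that parameter if the requirement is to block PHI in all Teams messages.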
Your organization has a hybrid identity with Microsoft Entra Connect. You need to migrate from federation to password hash synchronization with seamless single sign-on (SSO). The migration must have minimal user impact. Which tool should you use?
A.Microsoft Entra Connect migration tool (Convert domain from federated to managed)
B.IdFix tool
C.AD FS Management console
D.Azure AD Connect wizard
AnswerA
This tool performs the conversion with minimal user impact.
Why this answer
The Microsoft Entra Connect migration tool (Convert domain from federated to managed) is the correct choice because it automates the conversion of federated domains to managed domains while enabling password hash synchronization (PHS) and seamless SSO, handling the necessary configuration changes in Entra ID and on-premises Active Directory. The low-impact pattern Microsoft documents around this conversion is Staged Rollout: PHS and seamless SSO are enabled for pilot groups while the domain stays federated, and the domain is converted to managed only once the pilots succeed, so most users never notice the change of authentication method.
Exam trap
The trap here is that candidates may confuse the Azure AD Connect wizard (which can enable PHS) with the dedicated migration tool, not realizing that the wizard lacks the specific domain conversion and staged rollback capabilities needed for a low-impact migration from federation.
How to eliminate wrong answers
Option B is wrong because IdFix is a data cleanup tool for synchronizing on-premises Active Directory objects to Azure AD, not a tool for converting authentication methods from federation to PHS. Option C is wrong because the AD FS Management console is used to manage and configure AD FS servers and trusts, not to convert a federated domain to managed authentication in Azure AD. Option D is wrong because the Azure AD Connect wizard (now Microsoft Entra Connect wizard) is used for initial setup and configuration of synchronization, including enabling PHS, but it does not provide a dedicated migration path from federation to managed domains with minimal user impact; the separate migration tool is designed specifically for that purpose.
A company has recently acquired a smaller organization and needs to consolidate both Microsoft 365 tenants. They want to minimize user disruption and retain existing email addresses. Which approach should they use?
A.Configure a hybrid deployment with Exchange Server
B.Perform a cross-tenant mailbox migration
C.Delete all users from the acquired tenant and recreate them in the parent tenant
D.Set up a federation trust between the tenants
AnswerB
Cross-tenant migration moves mailboxes and retains email addresses, minimizing disruption.
Why this answer
Option B is correct because cross-tenant mailbox migration allows you to move mailboxes between two Microsoft 365 tenants while preserving the users' existing email addresses and minimizing disruption. This approach uses the Microsoft 365 native migration capabilities, specifically the cross-tenant mailbox migration feature, which supports moving mailboxes with their primary SMTP addresses and associated data without requiring on-premises Exchange Server.
Exam trap
The trap here is that candidates often confuse cross-tenant mailbox migration with federation trust or hybrid deployment, assuming that any inter-tenant connectivity solution can consolidate mailboxes, but only the cross-tenant migration feature directly moves mailbox data while preserving email addresses.
How to eliminate wrong answers
Option A is wrong because configuring a hybrid deployment with Exchange Server is unnecessary and adds complexity; it is designed for integrating on-premises Exchange with a single tenant, not for migrating mailboxes between two separate Microsoft 365 tenants. Option C is wrong because deleting all users from the acquired tenant and recreating them in the parent tenant would cause significant user disruption, loss of mailbox data, and require new email addresses unless manually reassigned, which contradicts the goal of minimizing disruption and retaining existing email addresses. Option D is wrong because setting up a federation trust between tenants enables authentication and sharing features but does not migrate mailboxes or consolidate tenants; it is used for cross-tenant collaboration, not for moving user data.
A compliance officer needs to automatically apply a 'Highly Confidential' sensitivity label to any email in Exchange Online that contains social security numbers. The labeling must happen automatically without user interaction. Which two Microsoft Purview components must be configured? (Select the option that correctly identifies both required components.)
A.sensitivity label with auto-labeling rule and a Data Loss Prevention policy
B.retention label and a Communication Compliance policy
C.sensitivity label with auto-labeling rule and an auto-labeling policy
D.unified labeling client and a custom sensitive info type
AnswerC
DLP policies can detect and protect data but do not apply sensitivity labels automatically; server-side labeling needs an auto-labeling policy.
Why this answer
Option C is correct because automatically applying a sensitivity label to emails containing social security numbers requires both a sensitivity label configured with an auto-labeling rule (to define the label and conditions) and an auto-labeling policy (to scope the rule to Exchange Online and enable automatic enforcement without user interaction). The auto-labeling policy triggers the label based on sensitive info types, meeting the compliance officer's requirement for fully automated labeling.
Exam trap
The trap here is that candidates confuse a DLP policy (which can detect and block but not label) with an auto-labeling policy (which is specifically designed for automatic label application), or they mistakenly think a client-side component like the unified labeling client can achieve server-side automatic labeling in Exchange Online.
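The two components from Option C created with Security & Compliance PowerShell, as an added example (not from the original page). It assumes Connect-IPPSSession, an existing published sensitivity label named 'Highly Confidential', and the built-in 'U.S. Social Security Number (SSN)' sensitive information type; the policy and rule names are placeholders. The policy starts in simulation, which is the check a practitioner wants before labels (and the encryption they may carry) are applied to live mail.

```powershell
# Added example, not from the original page. Assumes the label 'Highly Confidential' exists and is published.
Connect-IPPSSession

$label = Get-Label -Identity "Highly Confidential"
if (-not $label) { throw "Create and publish the sensitivity label first" }

# Policy: which label, which workload, and what mode. TestWithoutNotifications = simulation only.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-SSN-Email" `
    -ApplySensitivityLabel $label.Name `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment "Server-side labeling of mail containing SSNs"

# Rule: the condition. minConfidence 85 keeps low-confidence SSN look-alikes (plain 9-digit numbers) out.
New-AutoSensitivityLabelRule -Name "AutoLabel-SSN-Email-Rule" -Policy "AutoLabel-SSN-Email" `
    -Workload Exchange `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"; minConfidence = "85"}

Get-AutoSensitivityLabelPolicy -Identity "AutoLabel-SSN-Email" |
    Format-List Name, Mode, ApplySensitivityLabel, ExchangeLocation

# After reviewing simulation results (Information protection > Auto-labeling in the Purview portal):
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-SSN-Email" -Mode Enable
```

Service-side auto-labeling in Exchange applies to mail in transit, so a label that carries encryption will encrypt outbound messages automatically; that is why the simulation step matters.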
As a Microsoft 365 administrator, you need to manage tenant health and adoption effectively. Which three of the following tools or features should you use to monitor and improve your Microsoft 365 tenant's performance and user engagement? (Choose three.)
Select 3 answers
A.Microsoft 365 admin center dashboard to view service health, message center posts, and usage reports.
B.Microsoft 365 usage analytics in Power BI to gain deeper insights into adoption trends.
C.Azure AD Identity Protection to detect sign-in risks and block compromised accounts.
D.Microsoft 365 network connectivity test tool to evaluate network performance for Microsoft 365 services.
E.Microsoft 365 Adoption Score (formerly Productivity Score) to track user engagement with Microsoft 365 apps.
F.Microsoft Purview compliance portal to enforce data loss prevention policies.
AnswersA, B, E
Why this answer
Option A is correct because the Microsoft 365 admin center dashboard provides a centralized view of service health, message center posts, and usage reports, enabling administrators to monitor service availability, planned changes, and user activity. Option B is correct because the usage analytics Power BI template adds trend analysis on top of those usage reports. Option E is correct because Adoption Score measures how people actually use the apps, which is the engagement half of the question. Options C and F are security and compliance controls rather than health or adoption tools, and Option D measures only network path quality to Microsoft 365 endpoints, not tenant health or engagement.
Exam trap
The trap here is that candidates may confuse security or compliance tools (like Azure AD Identity Protection or Purview) with health and adoption monitoring tools, or select the network connectivity test tool thinking it measures overall tenant performance rather than just network latency.
Your organization uses Microsoft Purview Records Management. You need to ensure that records are marked as regulatory records and cannot be deleted or modified by any user, including administrators. The records must be retained for 10 years. What should you do?
A.Use a retention label marked as a regulatory record.
B.Create a retention policy with a preservation lock.
C.Use a retention label marked as a record.
D.Apply a default retention label to the SharePoint library.
AnswerA
Regulatory records are tamper-proof and cannot be modified or deleted.
Why this answer
Option A is correct because a retention label marked as a regulatory record gives the strongest protection Purview offers: once applied, the label cannot be removed or changed, the content cannot be edited or deleted, and the retention period cannot be shortened, by anyone including global administrators; configuring it to retain for 10 years and then delete meets the requirement. Option B is wrong because a preservation lock protects the retention policy itself (it cannot be switched off or made less restrictive), not the items: users can still edit and delete content, and the policy only keeps copies in the Preservation Hold library. Option C is wrong because a standard record can be unlocked for editing and an administrator can still remove or change the label. Option D is wrong because a default label on a library is only a way of applying a label; how restrictive it is depends entirely on the label, and a non-record default label can be changed by users.
The regulatory record option does not appear in the portal until it is enabled once with Set-RegulatoryComplianceUI -Enabled $true, and a regulatory label cannot be undone after it is applied, so validate it on a pilot library before publishing it widely.
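Creating and publishing the regulatory record label with Security & Compliance PowerShell, as an added example (not from the original page). It assumes Connect-IPPSSession with a Compliance Administrator role; the label, policy and site names are placeholders.

```powershell
# Added example, not from the original page. Placeholders: label name, policy name, site URL.
Connect-IPPSSession

# One-time switch: without it the 'regulatory record' option is hidden in the portal.
Set-RegulatoryComplianceUI -Enabled $true

# Regulatory implies IsRecordLabel. KeepAndDelete = retain for the period, then delete.
# TaggedAgeInDays counts the 10 years from when the label is applied.
New-ComplianceTag -Name "Regulatory-10y" `
    -Comment "Regulatory record: 10-year retention, then deletion" `
    -IsRecordLabel $true `
    -Regulatory $true `
    -RetentionType TaggedAgeInDays `
    -RetentionDuration 3650 `
    -RetentionAction KeepAndDelete

# Publish the label to a site so it can be applied manually or set as a library default.
New-RetentionCompliancePolicy -Name "Publish-Regulatory-10y" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/finance"
New-RetentionComplianceRule -Policy "Publish-Regulatory-10y" -PublishComplianceTag "Regulatory-10y"

Get-ComplianceTag -Identity "Regulatory-10y" |
    Format-List Name, IsRecordLabel, Regulatory, RetentionType, RetentionDuration, RetentionAction
```

Because nothing short of the retention period ending can remove a regulatory record, treat the label like a production change: test on a copy of a few documents first and keep the publish policy narrowly scoped.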
You are configuring Microsoft Defender for Identity (MDI) to monitor for lateral movement attacks. Which of the following activities would MDI alert on as a potential lateral movement?
A.A user logging into multiple servers using a compromised account.
B.A user performing a DCSync attack.
C.A user conducting a password spray attack.
D.A user executing a privilege escalation tool on their workstation.
E.A user performing a brute force attack on a domain controller.
AnswerA
Multiple remote logons from a compromised account indicate lateral movement.
Why this answer
Option A is correct because a single account being used to log on to many servers in quick succession, especially servers that account never touched before, is the classic lateral-movement pattern; MDI's lateral-movement alerts (pass-the-hash, pass-the-ticket, remote code execution attempts) are built on exactly these logon and Kerberos signals collected from domain controllers. Option B is wrong because DCSync abuses directory replication to extract credentials; MDI alerts on it, but as domain dominance rather than lateral movement. Option C is wrong because password spray is a credential-access (brute-force) technique against many accounts, not movement between hosts. Option D is wrong because running a privilege-escalation tool on a workstation is endpoint behaviour seen by Defender for Endpoint; MDI works from domain controller and AD FS/AD CS sensor data. Option E is wrong because brute force against a domain controller is credential access, which MDI reports separately from lateral movement.
A compliance officer wants to automatically apply a 'Confidential' sensitivity label to documents in SharePoint Online that contain credit card numbers. Which two Microsoft Purview features must be configured together? (Choose two.)
Select 2 answers
A.Data Loss Prevention (DLP) policy
B.Sensitivity label with auto-labeling
C.Retention label policy
D.Microsoft Purview Information Protection scanner
AnswersA, B
Correct. A DLP policy can be configured to automatically apply a sensitivity label when sensitive information is detected in SharePoint Online.
Why this answer
To automatically apply a 'Confidential' sensitivity label to documents containing credit card numbers in SharePoint Online, you must configure a sensitivity label with auto-labeling (client-side or service-side) to detect the sensitive content, and a Data Loss Prevention (DLP) policy to enforce the labeling action. The DLP policy can be set to automatically apply the sensitivity label when credit card patterns are matched, using the same sensitive info types as auto-labeling. Together, they ensure that content is both classified and protected at rest.
Exam trap
The trap here is that candidates often confuse the on-premises Information Protection scanner (Option D) with the cloud-based auto-labeling feature, or they mistakenly think a retention label policy (Option C) can apply sensitivity labels, when in fact retention labels and sensitivity labels serve entirely different purposes.
Your organization plans to use Microsoft Entra ID as the identity provider for a third-party SaaS application that supports SAML 2.0. You need to configure single sign-on (SSO) for the application. What should you create in Microsoft Entra ID?
A.An enterprise application with SAML-based sign-on
B.An Application Proxy connector group
C.A service principal for Microsoft Graph
D.An app registration with OpenID Connect
AnswerA
Enterprise applications support SAML 2.0 federation.
Why this answer
To configure SSO for a third-party SaaS application that supports SAML 2.0, you must create an enterprise application in Microsoft Entra ID and configure it with SAML-based sign-on. Enterprise applications are designed for integrating third-party applications, and SAML-based sign-on allows Entra ID to act as the identity provider, exchanging SAML assertions for authentication.
Exam trap
The trap here is that candidates often confuse app registrations (used for OIDC/OAuth apps) with enterprise applications (used for SAML-based SSO), leading them to choose Option D, even though SAML 2.0 requires the enterprise application gallery or custom enterprise app configuration.
How to eliminate wrong answers
Option B is wrong because an Application Proxy connector group is used for publishing on-premises applications to external users via reverse proxy, not for configuring SSO with a cloud-based SaaS application that supports SAML. Option C is wrong because a service principal for Microsoft Graph is used to grant permissions for programmatic access to Microsoft Graph APIs, not for configuring SAML-based SSO with a third-party SaaS app. Option D is wrong because an app registration with OpenID Connect is used for applications that use OIDC (an OAuth 2.0 extension) for authentication, not for SAML 2.0, which requires a different protocol and configuration in enterprise applications.
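Creating the enterprise application and switching it to SAML with Microsoft Graph PowerShell, as an added example (not from the original page). It assumes the Microsoft.Graph module with Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All; the template ID is Microsoft's documented template for a custom (non-gallery) enterprise application, while the display name, entity ID, reply URL and test user are placeholders to be taken from the SaaS vendor's SAML metadata.

```powershell
# Added example, not from the original page. Placeholders: display name, identifier URI, reply URL, user.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","User.Read.All" -NoWelcome

# Instantiating a template creates both objects at once: the app registration and the
# service principal (what the portal calls the enterprise application).
$templateId = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"   # custom, non-gallery application template
$result = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $templateId `
    -BodyParameter @{ displayName = "Contoso Expense Portal" }
$appId = $result.Application.Id
$spId  = $result.ServicePrincipal.Id

# SAML sign-on is a property of the service principal, which is why this lives under Enterprise applications.
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode "saml"

# Entity ID (Identifier) and Assertion Consumer Service URL come from the vendor's SAML metadata.
Update-MgApplication -ApplicationId $appId `
    -IdentifierUris @("https://expenses.contoso.example/saml") `
    -Web @{ RedirectUris = @("https://expenses.contoso.example/saml/acs") }

# Entra ID signs assertions with a certificate on the service principal; record the expiry for rotation.
$cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId `
    -DisplayName "CN=Contoso Expense Portal SAML" -EndDateTime (Get-Date).AddYears(2)
"Signing certificate $($cert.Thumbprint) expires $($cert.EndDateTime)"

# Assign a user; the all-zero GUID is the default access role on a freshly instantiated app.
$user = Get-MgUser -UserId "alice@contoso.example"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spId -PrincipalId $user.Id `
    -ResourceId $spId -AppRoleId "00000000-0000-0000-0000-000000000000"

# Metadata URL for the vendor side (substitute the tenant ID):
"https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=$($result.Application.AppId)"
```

Leave 'assignment required' on for the service principal so only assigned users receive assertions, and put the certificate expiry into the same renewal tracking as TLS certificates: an expired signing certificate is a silent outage for everyone using the app.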
A compliance officer needs to automatically detect documents in SharePoint Online that contain a custom pattern (e.g., employee ID in the format EMP-12345). The pattern will be used to apply a sensitivity label. Which Microsoft Purview feature should the officer use to define the pattern?
A.Sensitive information types
B.Data Loss Prevention (DLP) policies
C.Content search
D.Data classification reports
AnswerA
Custom sensitive information types can be created to define patterns like employee IDs, which can then be used for automatic labeling or DLP.
Why this answer
Sensitive information types (SITs) in Microsoft Purview are specifically designed to define custom patterns, such as regular expressions for employee IDs like EMP-12345. Once defined, these SITs can be used in sensitivity labels to automatically classify and protect documents in SharePoint Online. This is the correct feature because it directly supports pattern-based detection for labeling.
Exam trap
The trap here is that candidates often confuse DLP policies with pattern definition, but DLP policies only consume pre-defined sensitive information types and cannot create them.
How to eliminate wrong answers
Option B is wrong because Data Loss Prevention (DLP) policies enforce rules to prevent data exfiltration but do not define the pattern itself; they use existing sensitive information types. Option C is wrong because Content Search is a query tool for finding content based on keywords or metadata, not for defining reusable patterns for automatic labeling. Option D is wrong because Data classification reports provide visibility into classified data but do not allow creation of custom patterns.
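A custom sensitive information type for the EMP-12345 pattern, built as a rule package and uploaded with Security & Compliance PowerShell. This is an added example, not from the original page; it assumes Connect-IPPSSession. The GUIDs are generated on the fly, the publisher and entity names are placeholders, and the supporting keyword list is a design choice of this example (the question specifies only the pattern).

```powershell
# Added example, not from the original page. Placeholders: publisher, names, keywords.
Connect-IPPSSession

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

$xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Employee ID</Name>
        <Description>Detects Contoso employee identifiers of the form EMP-12345</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <!-- High confidence: the ID plus a keyword within 300 characters -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_empid"/>
        <Match idRef="Keywords_contoso_empid"/>
      </Pattern>
      <!-- Lower confidence: the bare pattern; word boundaries stop TEMP-12345 from matching -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_contoso_empid"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_contoso_empid">\bEMP-\d{5}\b</Regex>
    <Keyword id="Keywords_contoso_empid">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>employee number</Term>
        <Term>emp id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier (EMP-#####)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# The service expects the package as UTF-8 bytes without a BOM.
$path = Join-Path $env:TEMP "ContosoEmployeeId.xml"
[System.IO.File]::WriteAllText($path, $xml, [System.Text.UTF8Encoding]::new($false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Confirm registration; the SIT can now be referenced by name in auto-labeling and DLP rules.
Get-DlpSensitiveInformationType -Identity "Contoso Employee ID" | Format-List Name, Publisher, RecommendedConfidence

# Exercise it against sample text from Exchange Online PowerShell (Connect-ExchangeOnline):
# Test-DataClassification -TextToClassify "Employee ID EMP-48213 assigned to new hire" -ClassificationNames "Contoso Employee ID"
```

The two-pattern layout is the point: a bare five-digit pattern behind a fixed prefix is cheap to match but easy to false-positive on, so the label policy should require the 85 confidence level (pattern plus keyword) and fall back to the 65 level only for reporting.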
A company has an on-premises Active Directory environment and wants to sync user identities to Microsoft Entra ID while avoiding storing password hashes in the cloud. The company wants to provide seamless single sign-on (SSO) for domain-joined devices. Which authentication method should be chosen?
A.Password Hash Synchronization (PHS)
B.Pass-Through Authentication (PTA) with Seamless SSO
C.Federation with Active Directory Federation Services (AD FS)
D.Cloud-only authentication
AnswerB
PTA authenticates users on-premises and does not store password hashes in the cloud. Seamless SSO provides automatic sign-in for domain-joined devices.
Why this answer
Pass-Through Authentication (PTA) with Seamless SSO is the correct choice because it validates user passwords directly against on-premises Active Directory through lightweight authentication agents, without storing any password hashes in the cloud. Seamless SSO provides automatic sign-in for domain-joined devices: the browser obtains a Kerberos ticket from on-premises AD for the AZUREADSSOACC computer account that Entra Connect creates, and Entra ID validates that ticket, so no password prompt is shown on the corporate network. Together they meet both requirements.
Exam trap
The trap here is that candidates often choose Password Hash Synchronization (PHS) because it is simpler and supports Seamless SSO, but they overlook the explicit requirement to avoid storing password hashes in the cloud, which PHS inherently does.
How to eliminate wrong answers
Option A is wrong because Password Hash Synchronization (PHS) stores a hash of the password hash in Microsoft Entra ID, which directly violates the requirement to avoid storing password hashes in the cloud. Option C is wrong because federation with AD FS also keeps password hashes on-premises, so it satisfies the first requirement, but it needs dedicated AD FS and Web Application Proxy servers, certificates and a federation trust to maintain, whereas PTA needs only agents on existing domain-joined servers; it is not the intended answer for this requirement. Option D is wrong because cloud-only authentication does not integrate with on-premises Active Directory, so it cannot sync user identities or provide SSO for domain-joined devices.
You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malware attachment. Which THREE actions can you take from the incident page?
Select 3 answers
A.Start an automated investigation
B.Isolate the user's device
C.Reset the user's password
D.Delete the email from the user's mailbox
E.Block the malicious URL globally
AnswersA, B, D
Automated investigation can be triggered from incident.
Why this answer
Options A, B, and D are correct because the incident page, together with its evidence and response tab, lets you start an automated investigation, isolate the affected device, and delete (soft or hard) the malicious email from the mailbox. Option C is wrong because resetting a password is an Entra ID user-management action rather than an incident response action; the incident offers identity actions such as marking the user as compromised instead. Option E is wrong because a tenant-wide URL block is configured as an indicator or Tenant Allow/Block List entry, not from the incident page.
Which TWO of the following are benefits of using Microsoft Entra ID Provisioning for cloud HR applications like Workday? (Choose two.)
Select 2 answers
A.Automatic license assignment
B.Support for attribute-based provisioning
C.Automatic password reset for new users
D.Automated user lifecycle management based on HR events
E.Automatic creation of user mailboxes in Exchange Online
AnswersB, D
Provisioning can map attributes from HR to Entra ID.
Why this answer
Option B is correct because Microsoft Entra ID provisioning for cloud HR applications like Workday supports attribute-based provisioning, which maps HR attributes (department, location, employment status) to Entra ID user attributes through an expression-based mapping engine; scoping filters on those attributes control which workers are provisioned at all. Option D is correct because the same integration drives the joiner-mover-leaver lifecycle: a new hire in Workday creates the account, a department change updates it, and a termination disables it on the scheduled date.
Exam trap
The trap here is that candidates often confuse the capabilities of Entra ID Provisioning with those of Microsoft Identity Manager (MIM) or Exchange Online hybrid management, assuming provisioning handles tasks like license assignment or mailbox creation, which are separate downstream processes.
A compliance officer wants to automatically apply a retention label to documents that contain SWIFT codes (financial identifiers) when uploaded to SharePoint Online. Which two Microsoft Purview features are required for this configuration? (Choose two.)
Select 2 answers
A.Sensitivity label
B.Trainable classifier
C.Auto-apply retention label policy
D.Data Loss Prevention (DLP) policy
AnswersB, C
A trainable classifier can be trained to detect SWIFT codes in documents, and an auto-apply retention label policy applies the label when the classifier matches.
Why this answer
Option B is correct because, of the options offered, a trainable classifier is the content-detection component that identifies documents containing SWIFT codes. Option C is correct because an auto-apply retention label policy is the mechanism that assigns the retention label to matching documents in SharePoint Online without user action. Note that SWIFT Code is also a built-in sensitive information type, so in a real tenant the auto-apply rule would normally reference that type rather than a trained classifier; the classifier is simply the only detection option in this question.
Exam trap
The trap here is that candidates often confuse sensitivity labels with retention labels, or mistakenly think a DLP policy can directly apply retention labels, when in fact DLP policies only trigger alerts or block actions, not label assignment.
A compliance officer needs to retain all documents in a SharePoint Online site associated with the Finance department for 10 years, after which the documents must be automatically deleted. During the retention period, users must be allowed to edit the documents but not delete them. Which Microsoft Purview solution should the officer configure?
A.retention policy with a retention period of 10 years and an action to delete at the end of the period
B.retention label auto-applied to all documents in the site
C.Litigation hold on the site
D.Data Loss Prevention (DLP) policy with a retention action
AnswerA
A retention policy applied to the SharePoint site will preserve documents for 10 years, allow editing, block deletion, and automatically delete after the period.
Why this answer
A retention policy can be applied to a SharePoint site to enforce a 10-year retention period with a deletion action at the end, while allowing users to edit documents during that period. This meets the compliance requirement because retention policies preserve content from deletion by users, but still permit editing. The 'delete at end of retention period' action ensures automatic removal after 10 years.
Exam trap
The trap here is that candidates often confuse retention labels with retention policies, thinking labels are required for site-wide retention, but policies are the correct tool for applying uniform retention and deletion to an entire site without manual labeling.
How to eliminate wrong answers
Option B is wrong because a retention label auto-applied to all documents would also work for retention and deletion, but the question asks for a 'solution' that is simpler and more appropriate for a site-wide requirement; retention labels are typically used for granular, item-level classification rather than blanket site-wide retention. Option C is wrong because Litigation hold preserves content indefinitely (no automatic deletion) and prevents editing in some configurations, which does not meet the 10-year deletion requirement. Option D is wrong because Data Loss Prevention (DLP) policies are designed to prevent data leakage and enforce security rules, not to manage retention or deletion of documents.
A compliance administrator needs to ensure that all documents in a SharePoint library are retained for exactly 7 years and then allow users to manually dispose of them sooner after a review. What should they configure in Microsoft Purview?
A.Create a retention label with a retention period of 7 years and enable disposition review
B.Create a retention label with a retention period of 7 years and no additional action
C.Create a sensitivity label that restricts access
D.Create a record label
AnswerA
Disposition review provides a manual review step before deletion, allowing users to dispose items early if approved.
Why this answer
Option A is correct because the requirement specifies a fixed 7-year retention period followed by user-initiated disposal after a review. A retention label with a retention period of 7 years and disposition review enabled allows content to be retained for exactly 7 years, after which a disposition review triggers a manual approval process for disposal. This matches the need for both mandatory retention and manual disposal after review.
Exam trap
The trap here is that candidates often confuse retention labels with record labels, assuming that any label with a retention period automatically supports manual disposal, but only retention labels with disposition review enabled provide the specific workflow for user-initiated disposal after review.
How to eliminate wrong answers
Option B is wrong because a retention label with no additional action will automatically delete the content after 7 years without any user review or manual disposal option, which violates the requirement to allow users to manually dispose of items sooner after a review. Option C is wrong because a sensitivity label is designed to classify and protect data through encryption or access restrictions, not to enforce retention or disposition workflows; it does not provide any retention period or disposal review capability. Option D is wrong because a record label marks content as a record (immutable) and typically prevents deletion or modification, which contradicts the requirement to allow manual disposal after review; records require a disposition review but are not designed for flexible user-initiated disposal.
Which TWO actions can you perform using Microsoft Defender XDR's Advanced Hunting? (Choose two.)
Select 2 answers
A.Deploy EDR sensors to endpoints.
B.Configure data retention policies for logs.
C.Create custom detection rules based on query results.
D.Manage the status of incidents.
E.Run KQL queries to hunt for threats across email, endpoints, identities, and apps.
AnswersC, E
Custom detections can be created from Advanced Hunting queries.
Why this answer
Options C and E are correct. Advanced Hunting allows you to run KQL queries across data from various Defender products (E) and create custom detection rules based on query results (C). Option D (manage incident status) is done in the Incidents queue, not Advanced Hunting. Option B (configure data retention) is a tenant setting. Option A (deploy EDR sensors) is done via GPO or Intune.
Your organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. Users report that a DLP policy blocks legitimate sharing of a document containing sensitive financial data. You need to allow the sharing while still protecting the data. What should you do?
A.Disable the DLP policy and create a new one with broader conditions.
B.Add the user to the DLP policy's super user group.
C.Modify the DLP policy to exclude the specific document type.
D.Configure a policy tip to allow override with a business justification.
AnswerD
Allows controlled override with audit.
Why this answer
Option D is correct because configuring a policy tip that allows override with a business justification lets users bypass the policy with a reason, which is audited. Option A is wrong because disabling the policy would remove protection. Option B is wrong because adding the user to a super user group would completely bypass DLP. Option C is wrong because modifying the condition would change the policy for all users.
An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?
A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365
AnswerA
Defender for Cloud Apps provides app discovery, session controls, and policies to block unauthorized activities in cloud apps.
Why this answer
Microsoft Defender for Cloud Apps is the correct component because it is specifically designed to provide visibility into shadow IT and enforce policies on cloud applications. Its 'Governance' actions include blocking downloads from risky apps by integrating with the cloud app's API to prevent data exfiltration, which directly addresses the requirement.
Exam trap
The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that Office 365's data loss prevention (DLP) covers all cloud apps, but DLP in Office 365 is limited to Microsoft 365 services, not third-party shadow IT apps.
How to eliminate wrong answers
Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and vulnerability management on devices, not on controlling downloads from cloud apps. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., lateral movement, privilege escalation) and does not manage cloud app policies. Option D is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, but it does not enforce download blocks across a broad set of cloud apps discovered via shadow IT.
An organization has a legal requirement to preserve certain contracts as immutable records. Once a contract is declared as a record, it must not be editable or deletable by users, including administrators. Which Microsoft Purview solution should be configured?
A.Data Loss Prevention
B.eDiscovery (Premium)
C.Communication Compliance
D.Records Management
AnswerD
Records Management enables the declaration of records, making them immutable.
Why this answer
Records Management in Microsoft Purview is designed to declare items as immutable records, locking them against editing or deletion by any user, including administrators. This satisfies the legal requirement for preserving contracts as unchangeable records by applying retention labels that enforce strict regulatory compliance.
Exam trap
The trap here is that candidates confuse Records Management with eDiscovery holds, thinking a legal hold provides immutability, but eDiscovery holds only prevent deletion during litigation and do not prevent editing or permanent record locking.
How to eliminate wrong answers
Option A is wrong because Data Loss Prevention (DLP) policies prevent unauthorized sharing or leakage of sensitive data but do not enforce immutability or prevent editing/deletion of records. Option B is wrong because eDiscovery (Premium) is used for legal hold, search, and export of content for litigation, not for making records permanently immutable. Option C is wrong because Communication Compliance monitors and analyzes communications for policy violations (e.g., harassment, insider trading) and does not provide record locking or immutability features.
Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to configure automatic investigation and response (AIR) to handle a phishing email that was delivered to a user's inbox and the user clicked a link that downloaded a malicious file. What should you configure?
A.Configure the unified automated investigation and response playbook in Microsoft Defender XDR.
B.Configure separate automated investigation playbooks in each workload.
C.Set the automation level for each playbook to 'Full – remediate automatically'.
D.Enable manual investigation triggers in Microsoft Defender XDR.
AnswerA
The unified playbook coordinates actions across workloads.
Why this answer
Option A is correct because the unified AIR playbook in Microsoft Defender XDR coordinates automated actions across Defender for Office 365 and Defender for Endpoint, handling the email and the file in one playbook. Option B is wrong because separate playbooks do not coordinate. Option D is wrong because manual triggers are not automated. Option C is wrong because automation levels apply to individual playbooks.
Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user reports a phishing email using the Microsoft Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. You want to minimize administrative effort. What should you do?
A.Create a mail flow rule that forwards reported messages to a security team mailbox.
B.Configure the Microsoft Report Message add-in for all users.
C.Use the Microsoft 365 Defender portal to manually submit the email for analysis whenever a user reports it.
D.In Microsoft Defender XDR, go to Settings > Email & collaboration > User reported messages, and enable 'Send reported messages to Microsoft' and 'Notify users when analysis completes'.
AnswerD
Correct: This automates submission and notification.
Why this answer
Option D is correct because the user-reported messages settings in Microsoft Defender XDR allow automatic submission and notification. Option B is wrong because configuring the add-in only enables reporting, not automated submission to Microsoft. Option A is wrong because a mail flow rule routes messages for security team analysis, not Microsoft analysis. Option C is wrong because manual submission is for admins to submit, not users.
You are investigating an alert in Microsoft Defender XDR that indicates a user clicked a malicious link in an email. You need to gather additional information to determine the scope of the attack. Which three sources should you examine?
Select 3 answers
A.Incidents page
B.Email entity page
C.Alert timeline
D.Device timeline
E.User entity page
AnswersB, C, E
Correct: Provides email details like sender, links, and attachments.
Why this answer
To fully investigate a phishing incident, you should examine the alert timeline for related events, the email entity page for email details, and the user entity page for user actions. Device timeline may not be relevant if the user only clicked a link without further action. The incidents page provides a summary but not detailed scope.
Which THREE conditions can be used in a dynamic group rule for a device?
Select 3 answers
A.deviceModel
B.deviceCategory
C.deviceOSVersion
D.lastLogonTimestamp
E.passwordLastSet
AnswersA, B, C
Valid device attribute.
Why this answer
Option A is correct because `deviceModel` is a valid attribute that can be used in a dynamic group rule for devices in Microsoft Entra ID (formerly Azure AD). Dynamic group rules for devices support attributes such as `deviceModel`, `deviceCategory`, and `deviceOSVersion` to automatically include or exclude devices based on their hardware or software characteristics.
Exam trap
The trap here is that candidates confuse user attributes (like `lastLogonTimestamp` and `passwordLastSet`) with device attributes, leading them to incorrectly select options that are valid only for user-based dynamic groups.
You are a Microsoft 365 administrator. You need to allow external users to access a SharePoint Online site without requiring them to sign in. Which sharing setting should you enable?
A.Set the sharing option to 'Existing guests' and send an invitation.
B.Set the sharing option to 'Only people in your organization' and use a direct link.
C.Set the sharing option to 'New and existing guests' and require guest sign-in.
D.Set the sharing option to 'Anyone' (Anonymous) for the site.
AnswerD
This allows anyone with the link to access without sign-in.
Why this answer
Option D is correct because setting the SharePoint Online site sharing option to 'Anyone' (Anonymous) allows external users to access the site without signing in. This creates an anonymous access link that bypasses authentication, meeting the requirement of no sign-in for external users.
Exam trap
The trap here is that candidates often confuse 'Anyone' (anonymous) sharing with guest sharing options, mistakenly thinking that 'New and existing guests' allows anonymous access, but it actually requires sign-in for all external users.
How to eliminate wrong answers
Option A is wrong because 'Existing guests' requires recipients to have a guest account and sign in, which contradicts the 'without requiring them to sign in' requirement. Option B is wrong because 'Only people in your organization' restricts access to internal users only, blocking external users entirely. Option C is wrong because 'New and existing guests' requires all external users to sign in with a Microsoft account or Azure AD guest identity, which does not meet the no-sign-in condition.
Your organization is planning to deploy Microsoft 365 for 500 users. You need to ensure that all users can authenticate using their on-premises Active Directory credentials while also enabling self-service password reset (SSPR) in the cloud. Which configuration should you implement?
A.Pass-through authentication with Microsoft Entra Connect
B.Cloud-only identities with Microsoft Entra ID
C.Federated identity with Active Directory Federation Services (ADFS)
D.Password hash synchronization with Microsoft Entra Connect and SSPR enabled
AnswerD
Password hash sync allows cloud SSPR while using on-premises credentials.
Why this answer
Password hash synchronization (PHS) with Microsoft Entra Connect synchronizes on-premises AD password hashes to Microsoft Entra ID, enabling users to authenticate with their on-premises credentials in the cloud. When SSPR is enabled in Microsoft Entra ID, users can reset their cloud passwords, and with password writeback enabled, the new password is written back to on-premises AD, ensuring both environments remain in sync. This combination meets the requirement for on-premises authentication and cloud SSPR without the complexity of federation.
Exam trap
The trap here is that candidates often assume federated identity (ADFS) is required for on-premises authentication, but password hash synchronization with SSPR and password writeback provides a simpler, fully supported solution that meets both requirements without the overhead of federation.
How to eliminate wrong answers
Option A is wrong because pass-through authentication validates passwords directly against on-premises AD without storing password hashes in the cloud, which prevents SSPR from functioning since Microsoft Entra ID has no password hash to reset. Option B is wrong because cloud-only identities do not use on-premises Active Directory credentials, failing the requirement to authenticate with on-premises AD credentials. Option C is wrong because federated identity with ADFS relies on on-premises authentication and does not inherently support cloud-based SSPR; while SSPR can be configured with federation, it requires additional components like password writeback and is more complex than the PHS solution, making it not the recommended configuration for this straightforward scenario.
Which THREE settings must be configured to set up a hybrid identity deployment using password hash synchronization?
Select 3 answers
A.Install and configure Microsoft Entra Connect.
B.Configure Seamless Single Sign-On (SSO).
C.Enable password hash synchronization in Entra Connect.
D.Deploy Active Directory Federation Services (AD FS).
E.Configure Pass-Through Authentication.
AnswersA, B, C
Entra Connect synchronizes directories.
Why this answer
Option A is correct because Microsoft Entra Connect (formerly Azure AD Connect) is the essential tool that bridges on-premises Active Directory with Microsoft Entra ID. It must be installed and configured to enable directory synchronization, which is the foundation for any hybrid identity deployment, including password hash synchronization.
Exam trap
The trap here is that candidates often confuse password hash synchronization with Pass-Through Authentication or AD FS, thinking all three are required for hybrid identity, when in fact password hash sync is a standalone method that only needs Entra Connect and the sync feature enabled.
A company recently added the custom domain 'contoso.com' to their Microsoft 365 tenant. Users report that they cannot receive external email sent to their new domain addresses. The administrator confirmed that the domain status shows 'Active' in the Microsoft 365 admin center. What is the most likely cause of this issue?
A.The domain was not verified with a TXT record.
B.The MX record for the domain is missing or points to an incorrect mail server.
C.The SPF record for the domain is missing or incorrectly configured.
D.The custom domain was not added to the user's primary email address.
AnswerB
The MX record directs email to the correct mail server. If it is missing or incorrectly configured, external email will not reach Exchange Online mailboxes.
Why this answer
The domain status 'Active' in the Microsoft 365 admin center indicates that the domain has been successfully verified and added to the tenant. However, for external email to be delivered to users at that domain, the public MX record in DNS must point to Microsoft 365's mail servers (e.g., contoso-com.mail.protection.outlook.com). If the MX record is missing or points to an incorrect server, external senders cannot route email to the tenant, even though the domain is verified and active.
Exam trap
The trap here is that candidates see 'Active' domain status and assume all DNS configurations are correct, but Microsoft 365 separates domain verification (TXT record) from mail routing (MX record), so a verified domain can be 'Active' yet still unreachable for inbound email if the MX record is misconfigured.
How to eliminate wrong answers
Option A is wrong because the domain status shows 'Active', which means the TXT verification record was successfully validated; a missing TXT record would prevent the domain from reaching 'Active' status. Option C is wrong because an SPF record affects sender authentication and deliverability of outbound email, but does not prevent inbound email from being received; missing or incorrect SPF would not block external email from arriving at the mailbox. Option D is wrong because adding the custom domain to a user's primary email address is a separate step that affects the user's email address format, but even if not yet assigned, the domain can still receive email for any alias or accepted domain; the core issue is DNS routing, not user assignment.
An organization is implementing Microsoft Entra Verified ID for verifiable credentials. They want to issue credentials to employees that can be used to prove employment status to third parties. Which component must be created first?
A.A presentation request policy
B.A distributed ledger network
C.A credential manifest in the Microsoft Entra admin center
D.A decentralized identifier (DID) for the organization
AnswerC
The credential manifest defines the claims and rules for issuance.
Why this answer
The credential manifest defines the rules for issuing a verifiable credential, including the claims schema, display information, and issuance policies. In Microsoft Entra Verified ID, you must create the credential manifest in the Entra admin center before any credentials can be issued, as it serves as the template that governs the credential's structure and validation. Without a manifest, there is no definition for what the credential contains or how it should be presented.
Exam trap
The trap here is that candidates often confuse the order of setup steps, assuming the DID must be manually created first, when in fact the DID is automatically generated during the Verified ID service initialization, and the credential manifest is the first component that requires explicit user configuration in the admin center.
How to eliminate wrong answers
Option A is wrong because a presentation request policy is used by verifiers to request proof of a credential from a holder, not to define the credential itself; it is created after the credential manifest. Option B is wrong because Microsoft Entra Verified ID uses a distributed ledger (ION) to anchor DIDs, but the organization does not create or manage a ledger network; it is existing infrastructure that Microsoft manages. Option D is wrong because the decentralized identifier (DID) for the organization is generated automatically when the Verified ID service is set up in the Entra admin center, not as a separate manual creation step; the credential manifest is the first user-defined component after the DID is established.
A company plans to migrate their email from an on-premises Exchange server to Exchange Online. They want to ensure that during the migration, mail sent to users who have already been migrated is delivered to Exchange Online, while mail for non-migrated users is delivered to on-premises. Which type of domain configuration should they use?
A.Coexistence domain
B.Shared domain
C.Split domain
D.Forwarding domain
AnswerC
Split domain configuration allows the same domain to have mailboxes both on-premises and in Exchange Online, with mail routed appropriately.
Why this answer
A split domain configuration is required when some mailboxes reside on-premises and others in Exchange Online during a migration. It uses MX records pointing to Exchange Online Protection (EOP) and internal mail flow connectors to route messages for migrated users to Exchange Online and non-migrated users to on-premises, ensuring each mailbox receives mail at its current location.
Exam trap
The trap here is that candidates confuse 'split domain' with 'hybrid deployment' or 'coexistence,' but the question specifically asks for the domain configuration type, not the overall migration method; Microsoft often tests the exact terminology for mail flow scenarios during phased migrations.
How to eliminate wrong answers
Option A is wrong because a coexistence domain is not a standard Exchange domain type; coexistence is a state achieved through hybrid configuration, not a specific domain configuration. Option B is wrong because a shared domain is not a recognized Exchange domain configuration; it might be confused with a shared mailbox or shared namespace, but it does not describe the routing logic needed for a phased migration. Option D is wrong because a forwarding domain is not a valid Exchange domain type; forwarding is a mailbox-level or transport rule action, not a domain-level configuration for split mail flow.
The PowerShell command `Get-ExchangeNotification` retrieves the email addresses configured to receive service health notifications for the Microsoft 365 tenant. The output shown lists these notification recipients, which are separate from administrative roles or billing contacts. Option B correctly identifies this as the set of email addresses that receive service health alerts.
Exam trap
The trap here is that candidates confuse the output of `Get-ExchangeNotification` with the Global Administrator role list or the default Office 365 group members, because service health notifications are often sent to admins, but the cmdlet specifically returns configured notification email addresses, not role assignments.
How to eliminate wrong answers
Option A is wrong because `Get-ExchangeNotification` does not query directory roles; it retrieves notification recipients for service health, not users with the Global Administrator role. Option C is wrong because the default Office 365 group (e.g., all users or a specific distribution group) is not the target of this cmdlet; `Get-ExchangeNotification` specifically returns service health notification settings, not group membership. Option D is wrong because billing inquiries are handled by separate billing contacts or subscriptions, not by the service health notification recipients returned by this cmdlet.
Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Microsoft Entra Connect Sync to synchronize user accounts. The security team requires that all cloud-only users must be blocked from syncing to on-premises AD. What should you do to meet this requirement?
A.Configure attribute mapping to filter out cloud-only users from writeback
B.Use the cloudFilter attribute to mark cloud-only users as false
C.Disable directory writeback in Microsoft Entra Connect Sync
D.Configure Selective Password Hash Sync to exclude cloud-only users
AnswerA
Attribute filtering can prevent cloud-only users from being written back.
Why this answer
Option A is correct because using attribute mapping to filter cloud-only users (e.g., by source anchor) prevents them from being written back. Option C is wrong because disabling directory writeback would block all writeback, not just cloud-only users. Option D is wrong because Selective Password Hash Sync only affects password sync. Option B is wrong because the cloud filter is for filtering objects from cloud to on-premises, not the other way.
You need to ensure that only users from your organization's on-premises Active Directory can access Microsoft 365 services. You have Microsoft Entra Connect configured. What is the simplest way to prevent cloud-only user accounts from signing in?
A.Configure a conditional access policy that blocks all users.
B.Delete the cloud-only users from Microsoft Entra ID.
C.Set the 'Block sign in' option to 'Yes' for all cloud-only users in the Microsoft Entra admin center.
D.Remove all licenses from cloud-only users.
AnswerC
Correct: This prevents sign-in for cloud-only users while allowing synced users.
Why this answer
Blocking cloud sign-in for cloud-only users through the user's sign-in settings directly prevents them from accessing services. Option D is wrong because removing licenses doesn't block sign-in, only access to services. Option C is wrong because disabling the user is a manual process and not scalable. Option A is wrong because this would block all users.
You are the Microsoft 365 Administrator for a multinational organization that must comply with various regulatory requirements, including GDPR, SOX, and internal data retention policies. You are deploying Microsoft Purview compliance solutions. Which four of the following actions are valid steps when managing compliance using Microsoft Purview? (Choose all that apply. There are four correct answers.)
Select 4 answers
A.Create a DLP policy that prevents users from sharing credit card numbers via email with external recipients.
B.Use a retention label to automatically delete documents containing trade secrets after 7 years.
C.Configure a sensitivity label with sublabels that apply different markings (e.g., 'Confidential' and 'Highly Confidential') to the same document.
D.Enable auditing in the Microsoft 365 compliance portal to track user activities such as file downloads and mailbox access.
E.Assign a retention policy to a user's mailbox that deletes all emails immediately after they are sent.
F.Apply a sensitivity label to a SharePoint site that blocks all external sharing of documents stored in that site.
Why this answer
Creating a DLP policy that prevents sharing credit card numbers via email with external recipients is a valid step because Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive information types (e.g., credit card numbers) and enforce actions such as blocking external sharing. This directly supports compliance with regulations like GDPR and SOX by preventing unauthorized data exfiltration.
Exam trap
Microsoft often tests the misconception that sensitivity labels can directly control external sharing of documents within a site, when in reality they control site-level settings (e.g., privacy) while external sharing is governed by SharePoint sharing policies.
A company is experiencing a significant number of phishing attempts that target high-level executives by impersonating their email addresses. The security team wants to configure protection against user impersonation in Microsoft Defender for Office 365. Which setting must be enabled in the anti-phishing policy to protect these specific users?
A.Enable users to protect against impersonation
B.Enable domains to protect against impersonation
C.Mailbox intelligence
D.Spoofed sender posture
AnswerA
This setting allows you to define a list of specific users (e.g., executives) whose email addresses are protected from being impersonated in inbound emails. When impersonation is detected, the action defined in the policy is applied.
Why this answer
Option A is correct because the 'Enable users to protect against impersonation' setting in an anti-phishing policy allows you to specify a list of users (such as high-level executives) whose email identities will be monitored for impersonation attempts. When enabled, Defender for Office 365 analyzes inbound messages for display name and email address matches against the protected users, and if a match is found with a suspicious sender, the message is flagged or quarantined. This directly addresses the scenario of attackers spoofing executive email addresses.
Exam trap
The trap here is that candidates often confuse 'user impersonation protection' with 'domain impersonation protection' or 'spoof intelligence,' but the question specifically asks for protection against impersonation of individual users, which requires the user-based setting, not domain-level or spoof-based controls.
How to eliminate wrong answers
Option B is wrong because 'Enable domains to protect against impersonation' protects against impersonation of entire domains (e.g., contoso.com), not specific individual user mailboxes, so it would not target the high-level executives as individuals. Option C is wrong because 'Mailbox intelligence' is a feature that learns normal sending patterns for users in your organization to detect anomalies, but it does not provide a static list of protected users; it relies on behavioral baselines rather than explicit user protection. Option D is wrong because 'Spoofed sender posture' is part of the spoof intelligence feature that evaluates the authentication status of the sending domain (SPF, DKIM, DMARC), not the impersonation of a specific user's display name or email address.
Your organization uses Microsoft Defender for Identity. You receive an alert about a potential DCSync attack. What should you do to investigate this alert in Microsoft Defender XDR?
A. Review the IdentityDirectoryEvents table for replication-related events.
B. Use IdentityQueryEvents to find LDAP queries related to replication.
C. Check the IdentityAlertEvents table to see if the alert has additional context.
D. Run a KQL query in Advanced Hunting against IdentityLogonEvents to identify suspicious replication attempts.
Answer: D
IdentityLogonEvents contains logon events that can show replication attempts.
Why this answer
Option D is correct because in Microsoft Defender XDR you can use Advanced Hunting to run a KQL query against the IdentityLogonEvents table to look for replication attempts. Option A is wrong because IdentityDirectoryEvents contains directory service events, but logon events are more relevant for DCSync. Option B is wrong because IdentityQueryEvents covers query events. Option C is wrong because IdentityAlertEvents shows alerts but not raw logon data.
You need to configure Microsoft Teams to allow external access for federation with another organization. The other organization uses a different domain. Which setting must you enable in the Teams admin center?
A. Network roaming policy for the external users.
B. Guest access in Teams settings.
C. Emergency calling policies.
D. External access with the domain of the other organization.
Answer: D
Correct: You enable federation by adding the external domain to the allowed list.
Why this answer
Option D is correct because to enable federation with another organization that uses a different domain, you must configure External access (also known as federation) in the Teams admin center. Specifically, you need to add the external domain to the allowed domain list under Teams > External access. This allows users in your tenant to communicate with users in the other organization via Teams, using Session Initiation Protocol (SIP) federation.
Exam trap
The trap here is that candidates often confuse Guest access (Azure AD B2B) with External access (federation), leading them to select Option B, but Guest access is for individual external users, not for domain-level federation with another organization.
How to eliminate wrong answers
Option A is wrong because Network roaming policy controls network configuration settings (such as bandwidth and IP ranges) for users when they are on different networks; it does not control cross-tenant federation. Option B is wrong because Guest access is for inviting external users as guests within your tenant (using Azure AD B2B), not for federating with another organization's entire domain. Option C is wrong because Emergency calling policies define how emergency calls (e.g., to 911) are handled and are unrelated to external federation settings.
A security administrator wants to configure Microsoft Defender for Cloud Apps so that when a user accesses a sensitive file in a sanctioned cloud app from an unmanaged device, the user is blocked from downloading the file and a block action is logged in real time. Which type of policy should the administrator configure?
A. Create a session policy with the action 'Block' on the download action for files with a specific sensitivity label
B. Create a file policy that monitors for sensitive files being accessed from unmanaged devices and generates an alert
C. Configure an access policy that blocks access to the cloud app from unmanaged devices
D. Configure an activity policy that monitors download activities from unmanaged devices and triggers automatic remediation
Answer: A
Correct. Session policies can inspect and control user actions in real time through the reverse proxy, including blocking downloads based on device context.
Why this answer
A session policy in Microsoft Defender for Cloud Apps allows real-time control over user activities within a sanctioned cloud app. By configuring the action 'Block' on the download action for files with a specific sensitivity label, the administrator can block the download when the session is initiated from an unmanaged device, and the block action is logged in real time. This meets the requirement of blocking the download and logging the action simultaneously.
Exam trap
The trap here is that candidates confuse session policies with access policies or file policies, mistakenly thinking that blocking access to the entire app (Option C) or monitoring after the fact (Option B) achieves the same real-time blocking of a specific download action, when only a session policy provides the required granular, in-session control.
How to eliminate wrong answers
Option B is wrong because a file policy is designed for monitoring and alerting on files that match certain criteria (e.g., sensitivity labels) but does not provide real-time blocking of user actions like downloads; it generates alerts after the fact. Option C is wrong because an access policy blocks entire access to the cloud app from unmanaged devices, which is too broad—it would prevent any access, not just the download of sensitive files, and does not log the specific block action on the download. Option D is wrong because an activity policy monitors activities and can trigger automatic remediation (e.g., suspending a user), but it does not support real-time blocking of a specific download action within a session; it typically acts after the activity has occurred.
Your organization uses Microsoft Defender XDR. You need to configure a policy that automatically blocks high-risk user activities in Microsoft Defender for Cloud Apps. Which feature should you configure?
A. Session policy
B. App governance policy
C. Access policy
D. Anomaly detection policy
Answer: A
Session policies can block risky activities in real time.
Why this answer
Option A is correct because session policies in Defender for Cloud Apps allow real-time control over user sessions, enabling blocking of risky activities. Option B is wrong because app governance policies focus on app permissions. Option C is wrong because access policies control access based on conditions, not real-time activity blocking. Option D is wrong because anomaly detection policies generate alerts but do not automatically block.
A security administrator wants to simulate a realistic phishing attack to train users and measure their susceptibility. The simulation should be run from within Microsoft Defender XDR and provide detailed reporting. Which feature should the administrator use?
A. Advanced Hunting
B. Attack Simulation Training
C. Automated Investigation and Response
D. Threat Analytics
Answer: B
This feature is designed for simulating phishing attacks and training users.
Why this answer
Attack Simulation Training in Microsoft Defender XDR allows security administrators to create and launch realistic phishing campaigns directly from the Microsoft 365 Defender portal. It provides detailed reporting on user interactions, such as who clicked the link or entered credentials, enabling measurement of user susceptibility and targeted training follow-ups.
Exam trap
The trap here is that candidates often confuse Attack Simulation Training with Advanced Hunting, thinking that hunting queries can simulate attacks, but Advanced Hunting is purely a read-only data exploration tool with no simulation or user training features.
How to eliminate wrong answers
Option A is wrong because Advanced Hunting is a query-based tool for proactively searching for threats across raw data, not for simulating attacks or training users. Option C is wrong because Automated Investigation and Response (AIR) automatically responds to detected incidents by running playbooks and remediating threats, but it does not create or manage phishing simulations. Option D is wrong because Threat Analytics provides intelligence reports on active threats and adversary techniques, but it does not include simulation or user training capabilities.
Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the Global Administrator. The security team reports that several users have been compromised due to weak passwords. You need to implement a solution that enforces strong password policies and blocks common passwords. The solution must also provide users with the ability to reset their own passwords securely if they forget them, without requiring help desk intervention. Additionally, you need to configure risk-based Conditional Access policies to block sign-ins from anonymous IP addresses and require MFA for high-risk sign-ins. Which option should you choose?
A. Configure password protection in Microsoft Entra ID to enforce a custom banned password list and enable self-service password reset (SSPR) with MFA. Then create Conditional Access policies for sign-in risk and anonymous IP.
B. Enable password hash sync and configure pass-through authentication. Create a Conditional Access policy to require MFA for all users.
C. Implement Microsoft Entra ID Protection and enable the MFA registration policy. Configure password expiration to 90 days.
D. Use security defaults in Microsoft Entra ID and enable automatic password rollback.
Answer: A
Meets all requirements.
Why this answer
Option A is correct because it covers all requirements: a custom banned password list, SSPR, and risk-based Conditional Access policies. Option B is wrong because it does not address common passwords or SSPR. Option C is wrong because password expiration is not effective and it provides no SSPR. Option D is wrong because security defaults do not allow a custom banned password list or risk-based policies.
A new helpdesk administrator needs to be able to reset user passwords and manage user account properties, but should not be able to manage licenses or assign administrative roles. Which built-in role should be assigned?
A. Global Administrator
B. User Administrator
C. License Administrator
D. Helpdesk Administrator
Answer: B
The User Administrator can manage users and groups, reset passwords, and manage user licenses, but not administrative roles. This matches the requirement.
Why this answer
The User Administrator role in Microsoft Entra ID (formerly Azure AD) is the correct choice because it grants permissions to reset passwords and manage user account properties (such as display name, job title, and department) while explicitly excluding the ability to manage licenses or assign administrative roles. This role is designed for helpdesk staff who need to perform user management tasks without elevated privileges over licensing or role assignments.
Exam trap
The trap here is that the Helpdesk Administrator role sounds like the obvious choice for a helpdesk administrator, but it includes license management permissions, which the question explicitly prohibits, making the User Administrator the correct answer.
How to eliminate wrong answers
Option A is wrong because the Global Administrator role has unrestricted access to all administrative features, including managing licenses and assigning administrative roles, which violates the requirement to restrict those actions. Option C is wrong because the License Administrator role can only manage license assignments and subscriptions, but it cannot reset passwords or manage user account properties like job titles or department. Option D is wrong because the Helpdesk Administrator role can reset passwords and manage user properties, but it also includes the ability to manage licenses (via the Microsoft 365 admin center), which exceeds the required restrictions.
Contoso has a hybrid identity environment with Microsoft Defender for Identity deployed. They suspect a compromised account is being used to perform reconnaissance against domain controllers. Which Defender for Identity alert type would most likely trigger?
A. Brute Force attack
B. Suspicious service creation
C. DCSync attack
D. Golden Ticket activity
Answer: B
Service creation can be used for reconnaissance.
Why this answer
Reconnaissance attacks are often detected by 'Suspicious service creation' or 'Directory services enumeration', so Option B is correct. Option A is wrong because Brute Force is for password attacks. Option C is wrong because DCSync is for credential dumping. Option D is wrong because Golden Ticket is for persistence.
Which TWO actions are required to configure a custom domain for your Microsoft 365 tenant?
Select 2 answers
A. Add an SPF TXT record in the public DNS zone.
B. Add a CNAME record for autodiscover.
C. Add an MX record in the public DNS zone.
D. Add the domain name in the Microsoft 365 admin center.
E. Verify domain ownership by adding a TXT record provided by Microsoft.
Answers: D, E
You must first register the domain in the admin center.
Why this answer
Option D is correct because adding the custom domain name in the Microsoft 365 admin center is the first step to register the domain with the tenant. Option E is correct because Microsoft requires you to prove ownership of the domain by adding a specific TXT record (or sometimes a CNAME or MX record) to the public DNS zone; this verification step ensures only the domain owner can configure it for the tenant.
Exam trap
The trap here is that candidates often confuse optional service-specific DNS records (like SPF, MX, or autodiscover CNAME) with the mandatory domain ownership verification record, leading them to select A, B, or C instead of the correct verification TXT record option.
Your organization wants to use Microsoft Defender for Office 365 to protect against malicious links and attachments in email. Which Defender plan is required?
A. Microsoft Defender for Office 365 Plan 1.
B. Exchange Online Protection.
C. Microsoft Defender for Endpoint.
D. Microsoft Defender for Office 365 Plan 2.
Answer: A
Plan 1 includes Safe Links and Safe Attachments for email protection.
Why this answer
Microsoft Defender for Office 365 Plan 1 includes Safe Links and Safe Attachments, which are the specific features required to protect against malicious links and attachments in email. These features scan URLs and attachments in real time to block malicious content before it reaches users.
Exam trap
The trap here is that candidates often assume Plan 2 is required for any advanced protection, but Microsoft specifically designed Plan 1 to cover Safe Links and Safe Attachments, while Plan 2 adds post-breach investigation and automation features.
How to eliminate wrong answers
Option B is wrong because Exchange Online Protection (EOP) provides baseline anti-malware and anti-spam protection but does not include Safe Links or Safe Attachments, which are the advanced protections needed for malicious links and attachments. Option C is wrong because Microsoft Defender for Endpoint is designed to protect devices (endpoints) from threats, not to scan email links and attachments within Microsoft 365. Option D is wrong because Microsoft Defender for Office 365 Plan 2 includes all features of Plan 1 plus additional capabilities like threat investigation and automated response, but Plan 1 alone is sufficient for the stated requirement of protecting against malicious links and attachments.