Microsoft 365 Administrator MS-102 (MS-102) — Questions 226-300

975 questions total · 13 pages · All types, answers revealed


Page 4 of 13

226
MCQmedium

A compliance officer needs to retain all documents in a SharePoint Online site associated with the Finance department for 7 years, and after that automatically delete them. During the retention period, users must not be able to edit or delete the documents. Which solution should they use?

A.Create a retention policy scoped to the site with 'Retain as records' action
B.Create a retention label with 'Retain as regulatory records' and publish it to the site, then use auto-apply based on site location
C.Create a sensitivity label with 'Retain as records' and apply it manually
D.Create a litigation hold for the site
AnswerB

A regulatory record label blocks editing and deletion for the whole retention period and cannot be removed once applied; an auto-apply label policy (or a default label on the site's document libraries) applies it to the Finance documents without any user action.

Why this answer

Option B is correct because a retention label with 'Retain as regulatory records' locks each document against editing, unlocking, relabeling and deletion for the full 7 years, then deletes it automatically, and applying the label automatically (auto-apply policy scoped to the Finance site, or a library default label) covers every document without relying on users. Two practitioner caveats: regulatory record labels are hidden in the Purview portal until they are enabled once per tenant with Security & Compliance PowerShell (Set-RegulatoryComplianceUI -Enabled $true), and an auto-apply policy needs a condition (sensitive information types, a KQL query, or a trainable classifier); to label every document in a library regardless of content, set the label as the library's default label.

Exam trap

The trap is the difference between the two record options. 'Retain as records' also blocks deletion and, while the record is locked, editing; but users with edit permission can unlock a record to edit it (record versioning) and an admin can remove the label. 'Retain as regulatory records' removes those escape hatches: no unlocking, no label removal, no deletion, and the retention period cannot be shortened. Because the scenario requires that nobody can edit or delete, only the regulatory option fits.

How to eliminate wrong answers

Option A is wrong because a retention policy has no record setting at all; marking content as a record (regulatory or not) is a retention label feature, and a plain retention policy lets users keep editing and deleting while a copy is preserved in the site's Preservation Hold library. Option C is wrong because sensitivity labels classify and protect content (encryption, markings, access control) and have no 'Retain as records' option; manual application also leaves coverage to the users. Option D is wrong because a hold (litigation hold for mailboxes, eDiscovery hold for a site) preserves copies indefinitely until the hold is released: it has no 7-year clock, no automatic deletion, and it does not stop users from editing or deleting their working copy, since preservation happens in the Preservation Hold library behind the scenes.

227
MCQmedium

Your organization uses Microsoft Purview to manage compliance. You need to ensure that all documents containing 'Project X' are automatically retained for 5 years. Which solution should you use?

A.Microsoft Purview sensitivity labels
B.Microsoft Purview Audit
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview retention policies with adaptive scopes
AnswerD

Retention features in Purview are the tools that keep content for a period; adaptive scopes choose the locations dynamically, and a content condition such as the phrase 'Project X' is evaluated by an auto-apply retention label policy.

Why this answer

Option D is correct because retention in Purview is delivered by retention policies and retention labels, and adaptive scopes let the policy follow the right users, groups or sites as the directory changes. Note the practitioner detail: a retention policy itself applies to whole locations and has no content condition; to retain only items that contain 'Project X', pair the policy with an auto-apply retention label whose condition is a keyword (KQL) query for that phrase. Option A is wrong because sensitivity labels classify and protect (encryption, markings); they do not retain or delete content. Option B is wrong because Purview Audit records who did what and when; it enforces nothing. Option C is wrong because DLP stops content from being shared or leaked; it has no retention action.

228
MCQeasy

Your company is implementing Microsoft Purview Records Management. You need to ensure that invoices are retained for seven years after they are paid, and then automatically deleted. Which type of label should you create?

A.Disposition review label assigned to invoices
B.Retention policy applied to all documents in SharePoint
C.Retention label with disposition review after the trigger event
D.Sensitivity label with auto-labeling
AnswerC

A retention label can start its retention period from an event (here, the invoice being paid) instead of the creation or modification date, and then delete the content when the period ends.

Why this answer

Option C is correct because only a retention label supports event-based retention: the 7-year clock starts when the 'invoice paid' event is raised for that invoice's asset ID, and the label's end-of-retention action deletes the document. One caveat on wording: 'disposition review' means a reviewer must approve disposal; for fully automatic deletion, choose 'Delete items automatically' as the end-of-retention action and leave reviewers out. Option A is wrong because disposition review is not a label type; it is one of the end-of-retention actions inside a retention label. Option B is wrong because a retention policy applies to every item in a location and cannot start a timer from a per-item event such as a payment date. Option D is wrong because sensitivity labels classify and protect content; they have no retention settings.
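The three retention scenarios above (Q226: regulatory record label auto-applied in the Finance site; Q227: content-conditioned auto-apply; Q228: retention that starts when an invoice is paid) as one added Security & Compliance PowerShell example. This is not code from the page. It assumes an existing Connect-IPPSSession session (ExchangeOnlineManagement module) held by a Compliance Administrator; the site URL, label names, event-type name, asset ID and address are placeholders.

```powershell
# Added example: Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumes Connect-IPPSSession has already been run. Site URL, label names, event-type
# name and asset ID below are placeholders, not values from the page.
$financeSite = "https://contoso.sharepoint.com/sites/Finance"
$sevenYears  = 7 * 365   # retention is expressed in days (2555)

# Regulatory record labels stay hidden until enabled once per tenant (one-way switch).
Set-RegulatoryComplianceUI -Enabled $true

# --- Q226: immutable 7-year retention from creation, then automatic deletion ----
# Regulatory = $true locks the item: no edit, no unlock, no label removal, no early
# delete, and the period cannot be shortened later. Rehearse with a non-regulatory
# label first; a regulatory label cannot be relaxed after it has been applied.
New-ComplianceTag -Name "Finance-Regulatory-7y" `
    -IsRecordLabel $true -Regulatory $true `
    -RetentionType CreationAgeInDays -RetentionDuration $sevenYears `
    -RetentionAction KeepAndDelete `
    -Comment "Finance records: immutable for 7 years from creation, then deleted"

# --- Q226/Q227: auto-apply the label in the Finance site by content query --------
# Auto-apply needs a condition; here a KQL phrase query for 'Project X' (Q227).
# To label every document in a library regardless of content (Q226), make the label
# the library's default label instead.
New-RetentionCompliancePolicy -Name "AutoApply-Finance-ProjectX" `
    -SharePointLocation $financeSite
New-RetentionComplianceRule -Policy "AutoApply-Finance-ProjectX" `
    -ApplyComplianceTag "Finance-Regulatory-7y" `
    -ContentMatchQuery '"Project X"'

# --- Q228: retention that starts when an invoice is paid (event-based) -----------
New-ComplianceRetentionEventType -Name "InvoicePaid" -Comment "Invoice settled"
New-ComplianceTag -Name "Invoice-7y-after-paid" `
    -RetentionType EventAgeInDays -EventType "InvoicePaid" `
    -RetentionDuration $sevenYears -RetentionAction KeepAndDelete
# Adding -ReviewerEmail records@contoso.com to the label above would replace the
# automatic deletion with a manual disposition review at the end of the 7 years.

# When an invoice is paid, raise the event for documents stamped with its asset ID
# (the 'Asset Id' column on the labelled item); the 7-year clock starts here.
New-ComplianceRetentionEvent -Name "INV-1001 paid" -EventType "InvoicePaid" `
    -SharePointAssetIdQuery "ComplianceAssetId:INV-1001" -EventDateTime (Get-Date)

# Checks: label flags as stored, and whether the auto-apply policy has distributed.
Get-ComplianceTag -Identity "Finance-Regulatory-7y" |
    Select-Object Name, IsRecordLabel, Regulatory, RetentionDuration, RetentionAction
Get-RetentionCompliancePolicy -Identity "AutoApply-Finance-ProjectX" -DistributionDetail |
    Select-Object Name, DistributionStatus
```

Distribution to SharePoint can take up to a day; until DistributionStatus reports success, no documents carry the label, which is the first thing to check when an auto-apply policy "does nothing".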

229
MCQmedium

A company uses Microsoft Entra ID P2 licenses. They want to ensure that all users are forced to use MFA when accessing a SaaS application from non-corporate networks. Corporate networks are identified by a set of IP ranges. Service accounts must be excluded from this requirement. Which policy should be created?

A.Conditional Access policy with grant controls for MFA, targeting all users, with location condition to exclude trusted IPs, and exclude service accounts
B.An Identity Protection user risk policy requiring MFA for medium and above risk users
C.An Identity Protection sign-in risk policy requiring MFA for medium and above risk sign-ins
D.Per-user MFA settings enabled for all users with trusted IPs configured in MFA service settings
AnswerA

Correct. This configuration enforces MFA for all users from non-corporate networks while excluding trusted locations and service accounts.

Why this answer

A Conditional Access policy is the correct approach because it allows granular control over MFA enforcement based on network location and user exclusions. Targeting all users, excluding the corporate IP ranges via a trusted named location in the locations condition, and excluding the service accounts (ideally as a group, so the exclusion is maintainable) means MFA is required only for non-corporate network access while service accounts bypass the policy. Conditional Access is included with Microsoft Entra ID P1, and therefore with P2; P2 is what the risk-based alternatives would need.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies (which are for risk-based conditional access) with location-based Conditional Access policies, or they mistakenly think per-user MFA settings can be scoped to exclude specific users or networks.

How to eliminate wrong answers

Option B is wrong because an Identity Protection user risk policy targets users with a specific risk level (medium and above), not network location, and cannot express 'trusted IPs' as a condition. Option C is wrong because a sign-in risk policy evaluates the risk score of each sign-in, not whether it came from a corporate network; it cannot enforce MFA based on corporate vs. non-corporate networks. Option D is wrong because per-user MFA is a legacy, all-or-nothing setting: it applies to every sign-in of an enabled user and cannot be scoped to one SaaS application. Its 'trusted IPs' feature does exist, but it cannot combine a location exclusion with an application scope the way Conditional Access can, and Microsoft recommends migrating per-user MFA to Conditional Access.

230
MCQeasy

Your organization needs to enforce multi-factor authentication (MFA) for all users. You want to use a security default policy. What is the prerequisite?

A.Microsoft Entra ID Privileged Identity Management (PIM) must be enabled
B.The Microsoft Entra ID tenant must be on the Free tier or higher
C.Conditional Access policies must be disabled
D.Azure AD Premium P2 licenses must be assigned
AnswerB

Security defaults are available on every Microsoft Entra ID tier, including Free.

Why this answer

Option B is correct because security defaults are a free, tenant-wide baseline (MFA registration and enforcement for all users, legacy authentication blocked, privileged actions protected) that requires no premium license. Option A is wrong because PIM is a P2 feature and plays no part in security defaults. Option D is wrong because no Premium license is required. Option C is wrong as stated: security defaults and Conditional Access are mutually exclusive, so a tenant that already uses Conditional Access policies must switch them off before security defaults can be enabled, but that is a conflict to resolve, not a licensing prerequisite; tenants that have P1 or P2 should keep Conditional Access and reproduce the baseline with policies instead.

231
MCQeasy

An administrator wants to configure the company's organization profile in Microsoft 365, including the display name, technical contact, and privacy settings. Where should the administrator go in the Microsoft 365 admin center?

A.User management > Active users
B.Org settings > Organization profile
C.Setup > Onboarding
D.Billing > Licenses
AnswerB

This is the correct location to configure the organization's display name, technical contact, and privacy settings.

Why this answer

The organization profile, which includes the display name, technical contact, and privacy settings, is managed under 'Org settings' in the Microsoft 365 admin center. Specifically, the 'Organization profile' tab within 'Org settings' provides the interface to update these tenant-wide properties, such as the organization's display name (used in Microsoft 365 services and notifications) and the technical contact email (used for service communications). This is the correct location because these settings are tenant-level configurations, not user-specific or billing-related.

Exam trap

The trap here is that candidates often confuse 'Org settings' with 'Setup' or 'User management', mistakenly thinking that tenant-wide profile settings are part of user management or initial onboarding wizards, when in fact they are a distinct configuration area under 'Org settings'.

How to eliminate wrong answers

Option A is wrong because 'User management > Active users' is for managing individual user accounts, passwords, and licenses, not tenant-wide organization profile settings like the display name or technical contact. Option C is wrong because 'Setup > Onboarding' provides guided wizards for initial tenant setup and migration tasks, but does not include the organization profile settings; those are under 'Org settings'. Option D is wrong because 'Billing > Licenses' is for managing subscription licenses and billing details, not for configuring the organization's display name, technical contact, or privacy settings.

232
MCQeasy

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block access to Exchange Online for users with high risk level. However, users with high risk are still able to access Exchange Online. What is the most likely cause?

A.The policy does not include Exchange Online.
B.The policy excludes the affected users.
C.The policy is targeting low risk instead of high risk.
D.The policy is set to report-only mode.
E.The grant control is set to require multi-factor authentication.
AnswerD

Report-only mode evaluates the policy and logs the result; it never enforces the grant or block.

Why this answer

Option D is correct because a policy in report-only mode only records what would have happened (visible on the Report-only tab of each sign-in log entry as ReportOnlySuccess, ReportOnlyFailure or ReportOnlyNotApplied), so high-risk users still get through; the fix is to switch the state to On after reviewing those results. The other options describe misconfigurations that would also let users in, but they contradict the scenario: Option A is wrong because the policy includes Exchange Online. Option B is wrong because the affected users are in scope. Option C is wrong because the user risk condition is set to high. Option E is wrong because the grant control is Block access, not Require MFA.

233
MCQmedium

An administrator needs to delegate the ability to manage user licenses, assign admin roles, and reset passwords to a group of users, but these users should not be able to modify tenant-level settings or billing. Which built-in role should be assigned?

A.Global Administrator
B.User Administrator
C.Helpdesk Administrator
D.License Administrator
AnswerB

Correct for the exam. User Administrator is the built-in role for delegated user management: user accounts, licenses and password resets, without access to tenant-wide settings or billing.

Why this answer

The User Administrator role is the intended answer because it can create and manage users and groups, assign and remove licenses, and reset passwords (for non-admins and a short list of limited-admin roles), and it has no rights over tenant-level settings or billing. One caveat a practitioner should know: the role does not include directory role assignment. Assigning Entra admin roles requires Privileged Role Administrator (or Global Administrator), so if the delegated team really must assign roles, pair User Administrator with Privileged Role Administrator, preferably as eligible assignments through PIM rather than standing access.

Exam trap

The trap here is confusing User Administrator with Helpdesk Administrator. Helpdesk Administrator can reset passwords and invalidate refresh tokens for non-admins, but it cannot create users, manage groups or assign licenses, which rules it out for this scenario.

How to eliminate wrong answers

Option A is wrong because Global Administrator has unrestricted access to every tenant setting, including billing, which violates the requirement. Option C is wrong because Helpdesk Administrator can reset passwords and handle support tasks but cannot manage licenses or create users. Option D is wrong because License Administrator can only manage license assignments; it can neither reset passwords nor manage user accounts.

234
MCQmedium

Your organization's Microsoft Intune environment enforces device compliance policies for iOS devices. You need to ensure that only devices with a passcode that is at least 6 characters and have jailbreak detection enabled are considered compliant. What should you configure?

A.Configure a conditional access policy to require compliant devices.
B.Create a device configuration profile for iOS with the required settings.
C.Create an app protection policy for iOS to require passcode.
D.Create a device compliance policy for iOS with required passcode length and jailbreak detection.
AnswerD

Compliance policies define the conditions devices must meet to be compliant.

Why this answer

Device compliance policies in Microsoft Intune define the rules that devices must meet to be considered compliant, such as minimum OS version, passcode length, and jailbreak detection. Option D correctly specifies creating a compliance policy for iOS that requires a passcode of at least 6 characters and enables jailbreak detection, which directly enforces the stated requirements. Compliance policies are evaluated before granting access, and non-compliant devices can be blocked or marked for remediation.

Exam trap

The trap here is that candidates often confuse device compliance policies (which enforce device-level security requirements) with conditional access policies (which use compliance results to control access) or device configuration profiles (which push settings but do not evaluate compliance).

How to eliminate wrong answers

Option A is wrong because a conditional access policy requires compliant devices but does not define the compliance rules themselves; it references an existing compliance policy. Option B is wrong because a device configuration profile manages device settings (e.g., Wi-Fi, VPN, restrictions) but does not enforce compliance checks like passcode length or jailbreak detection. Option C is wrong because an app protection policy manages data protection at the app level (e.g., requiring a PIN for app access) and does not evaluate device-level compliance attributes such as jailbreak status or system passcode length.
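The iOS compliance policy from the scenario above, created through Microsoft Graph PowerShell, as an added example that is not code from the page. It assumes Connect-MgGraph has been run with the DeviceManagementConfiguration.ReadWrite.All scope and that the Microsoft.Graph.DeviceManagement module is installed; the policy name and the group object ID are placeholders.

```powershell
# Added example: iOS device compliance policy via Microsoft Graph PowerShell.
# Assumes: Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
# Names and the group ID are placeholders.
$policy = @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "iOS baseline: 6-char passcode, no jailbreak"
    description                    = "Added example; device is non-compliant as soon as a rule fails"
    passcodeRequired               = $true
    passcodeMinimumLength          = 6
    passcodeBlockSimple            = $true     # rejects 123456, 111111 and similar
    securityBlockJailbrokenDevices = $true     # jailbreak detection
    # A compliance policy must carry at least one action for non-compliance;
    # gracePeriodHours = 0 marks the device non-compliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy

# Without an assignment the policy is never evaluated. Placeholder group object ID.
$assign = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assign

# Read back what Intune stored; compliance rules live here, not in Conditional Access.
Get-MgDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $created.Id |
    Select-Object DisplayName, Id, LastModifiedDateTime
```

Conditional Access then consumes the result through the grant control 'Require device to be marked as compliant'; it references this policy's verdict and defines none of the rules itself.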

235
MCQmedium

A company uses Microsoft Entra ID P2 licenses. They want to require multi-factor authentication (MFA) for all users when accessing the Azure Management portal, but only from devices that are not marked as compliant. Additionally, a group named 'BreakGlass' must be excluded from this requirement. Which Conditional Access policy configuration should be applied?

A.Assign to 'All users', condition: 'Device state (preview) is not compliant', grant: 'Require MFA', exclude: 'BreakGlass group'
B.Assign to 'All users', condition: 'Sign-in risk is medium or higher', grant: 'Require MFA', exclude: 'BreakGlass group'
C.Assign to 'All users', condition: 'Client apps: Browser and Mobile apps', grant: 'Block access', exclude: 'BreakGlass group'
D.Assign to 'All users', condition: 'Device platform: Android, iOS, Windows, macOS', grant: 'Require MFA', exclude: 'BreakGlass group'
AnswerA

This configuration targets non-compliant devices, requires MFA for the Azure management app, and excludes the break-glass group. Note that the 'Device state (preview)' condition has since been retired from the portal; its current equivalent is a 'Filter for devices' rule that includes devices where device.isCompliant does not equal True.

Why this answer

Option A is correct because it maps the requirement one-to-one: assign the policy to 'All users', exclude the 'BreakGlass' group, target the Azure management application under 'Target resources', restrict the policy to devices that are not compliant, and grant access only with 'Require multifactor authentication'. MFA is therefore enforced only when a non-compliant device reaches the Azure management portal, while break-glass accounts are exempt. Exclude break-glass accounts from every Conditional Access policy, not just this one, so a misconfigured policy cannot lock the tenant.

Exam trap

The trap here is confusing the device compliance condition with 'Sign-in risk' or 'Device platform', leading candidates to pick options that target risk levels or operating systems instead of compliance status. Candidates working from the current portal should also recognise that the exam's 'Device state (preview)' wording now lives under 'Filter for devices'.

How to eliminate wrong answers

Option B is wrong because 'Sign-in risk is medium or higher' targets risky sign-ins, not device compliance; it needs Identity Protection and ignores whether the device is compliant. Option C is wrong because 'Client apps: Browser and Mobile apps' with 'Block access' would block all access from those client types regardless of device compliance, and it does not require MFA at all. Option D is wrong because 'Device platform: Android, iOS, Windows, macOS' targets operating systems, not compliance; it would require MFA from every device on those platforms, compliant or not.
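The Conditional Access scenarios from Q229 (MFA off the corporate network, service accounts excluded), Q232 (report-only mode does not enforce) and Q235 (MFA to Azure management only from non-compliant devices, break-glass excluded), built with Microsoft Graph PowerShell as one added example; this is not code from the page. It assumes Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes; the group object IDs, the SaaS application ID and the IP range are placeholders, while the Azure management application ID is the well-known first-party ID for the Windows Azure Service Management API.

```powershell
# Added example: Conditional Access via Microsoft Graph PowerShell.
# Assumes: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"
$svcAccountsGroup = "11111111-1111-1111-1111-111111111111"   # placeholder group object ID
$breakGlassGroup  = "22222222-2222-2222-2222-222222222222"   # placeholder group object ID
$saasAppId        = "33333333-3333-3333-3333-333333333333"   # placeholder enterprise app ID
$azureMgmtAppId   = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # well-known: Windows Azure Service Management API

# Q229 step 1: the corporate egress ranges as a *trusted* named location.
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # documentation range
    )
}

# Q229 step 2: MFA for the SaaS app for everyone except service accounts (and the
# break-glass group, which should be excluded from every policy), except from trusted
# locations. Created in report-only mode first (Q232): evaluated and logged, never
# enforced, which is exactly why a report-only policy "lets users in".
$mfaOffNet = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 MFA for SaaS app off corporate network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($svcAccountsGroup, $breakGlassGroup) }
        applications = @{ includeApplications = @($saasAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Q235: 'Device state (preview)' is retired; the current equivalent is a device filter.
# mode=include with this rule scopes the policy to devices that are NOT compliant.
$mfaNonCompliant = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 MFA to Azure management from non-compliant devices"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications = @{ includeApplications = @($azureMgmtAppId) }
        devices      = @{ deviceFilter = @{ mode = "include"; rule = 'device.isCompliant -ne True' } }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Check (Q232): anything still in report-only is logged, not enforced.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabledForReportingButNotEnforced" } |
    Select-Object DisplayName, State, Id

# Promote a policy only after the Report-only tab of the sign-in logs looks right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfaOffNet.Id -State "enabled"
```

Leaving policies in report-only is the single most common reason a block "does not work"; the Where-Object check above is worth running as part of any Conditional Access review.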

236
Multi-Selecteasy

Which TWO features in Microsoft Defender for Office 365 help protect against zero-day malware in email attachments?

Select 2 answers
A.Safe Attachments
B.Mail flow rules
C.Anti-spam policies
D.Anti-phishing policies
E.Zero-hour auto purge (ZAP)
AnswersA, E

Safe Attachments detonates attachments in a sandbox before delivery; ZAP removes messages that are found to be malicious after delivery.

Why this answer

Options A and E are correct. Safe Attachments opens each attachment in a virtual environment and blocks or quarantines the message if the file behaves maliciously, which catches malware that signature scanning has never seen. Zero-hour auto purge (ZAP) acts after delivery: when a message already in a mailbox is later identified as malware or phishing, ZAP moves it out of the inbox (to quarantine or Junk, depending on policy), closing the window a zero-day enjoys before detections are updated. Option B is wrong because mail flow (transport) rules act on headers, senders and text patterns; they do not inspect attachment behaviour. Option C is wrong because anti-spam policies classify bulk and spam mail. Option D is wrong because anti-phishing policies address impersonation and spoofing, not malicious attachments.

237
MCQhard

A security administrator needs to create an automated investigation and response (AIR) playbook that automatically isolates a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook should run without requiring manual approval. Which capability in Microsoft 365 Defender should the administrator configure?

A.Automated investigation and response (AIR) action policy
B.Custom detection rule
C.Threat analytics
D.Attack simulation training
AnswerA

Automated investigation and response (AIR) lets Defender act on an alert without an analyst: when a high-severity Defender for Endpoint alert fires, the automated investigation can isolate the device automatically, provided the device group's automation level allows remediation without approval.

Why this answer

Option A is the intended answer because AIR is the Microsoft 365 Defender capability that turns an alert into an automated investigation and remediation, and device isolation is one of its containment actions. In the current product the "policy" is expressed as the automation level assigned to the device group in Defender for Endpoint: 'Full - remediate threats automatically' runs remediation actions with no approval, while the 'Semi' levels park actions in the Action center until someone approves them. Verify the outcome on the History tab of the Action center, and remember that isolation cuts everything except the Defender service channel, so have the release-from-isolation procedure ready before enabling it.

Exam trap

The trap here is reaching for a custom detection rule (Option B) for any 'automatic response' requirement. Custom detection rules can attach response actions, including isolating the device, but they fire on their own KQL query, not on 'any high-severity Defender for Endpoint alert', so they do not satisfy the requirement as written.

How to eliminate wrong answers

Option B is wrong because a custom detection rule is a scheduled KQL query that generates its own alerts (and can take actions on the entities it returns); it cannot subscribe to existing high-severity alerts from Defender for Endpoint and react to them. Option C is wrong because Threat Analytics is a reporting feature with threat intelligence, exposure data and mitigation recommendations; it configures no automated response. Option D is wrong because Attack Simulation Training runs simulated phishing campaigns to train users; it has nothing to do with incident response automation.

238
MCQhard

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?

A.DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents
B.DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
C.DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents
D.DeviceProcessEvents, DeviceLogonEvents, DeviceNetworkEvents
AnswerC

Service creation is recorded in DeviceEvents (ActionType ServiceInstalled), not in DeviceRegistryEvents, so Option C is the only correct set.

Why this answer

Option C is correct because the three event types map to three tables: DeviceProcessEvents for the PowerShell process and its command line (look for -EncodedCommand or its -e/-enc abbreviations followed by a Base64 blob), DeviceEvents for service creation (ActionType == "ServiceInstalled", with the service name and start type in AdditionalFields; this is the Windows Security event 4697 as surfaced by Defender), and DeviceNetworkEvents for the outbound connection (RemoteIP, RemotePort, RemoteIPType). Join them on DeviceId and constrain the Timestamps to the 3-minute window. When the query becomes a custom detection rule, keep Timestamp, ReportId and DeviceId in the final output; the rule cannot be saved without them.

Exam trap

The trap here is that candidates associate service creation with DeviceRegistryEvents (because a service is registered under HKLM\SYSTEM\CurrentControlSet\Services) or with DeviceFileEvents (because the service binary is a file). Registry writes to the Services key do show up in DeviceRegistryEvents, but the canonical, single-event record of a service being installed is the ServiceInstalled action in DeviceEvents.

239
MCQmedium

A compliance officer needs to ensure that all documents in a SharePoint Online site are retained for 5 years and then automatically deleted. During the retention period, users must be allowed to edit the documents but not delete them. Which Microsoft Purview solution should the officer configure?

A.Create a retention policy with a retention rule for 5 years, configured to retain then delete, and enable the preservation hold setting.
B.Create a retention label with the action to retain for 5 years then delete, and apply it to the site via auto-labeling.
C.Create a sensitivity label with encryption and set an expiration date for 5 years.
D.Place the site on an eDiscovery hold with a custom retention period.
AnswerA

A retention policy applied to the site keeps every document for 5 years and then deletes it; during that time, edited or deleted items are preserved automatically in the site's Preservation Hold library, so nothing is lost even if a user deletes a working copy.

Why this answer

Option A is the intended answer because a retention policy with 'retain for 5 years, then delete' applies to the whole site without labeling anything, and the site's Preservation Hold library (created automatically when the policy is applied; there is no separate switch to turn on) preserves the original whenever a user edits or deletes a document during the retention period. The practitioner caveat: a retention policy does not remove the Delete command. The user sees the item disappear from the library, while the retained copy lives on in the Preservation Hold library until the 5 years are up, and then it is deleted. If the requirement is that the Delete action itself must fail, that is record-label behaviour (which also locks editing unless the record is unlocked), so read the scenario for 'retained' versus 'cannot be deleted'.

Exam trap

The trap here is assuming a label is needed whenever user behaviour must be constrained. For whole-site retention with no per-item classification, the retention policy is the intended tool; labels add per-item control (records, events, disposition review) at the cost of having to be applied.

How to eliminate wrong answers

Option B is wrong because a plain 'retain then delete' label preserves content the same way the policy does but only on the items that receive it, and auto-labeling needs a condition; it adds nothing over the site-level policy for this scenario. Option C is wrong because a sensitivity label with encryption and an expiration date controls who can open the content, not how long it is kept; expired access is not retention or disposal. Option D is wrong because an eDiscovery hold preserves content indefinitely for a case and is released manually; it never deletes on a schedule, so it cannot meet the 'delete after 5 years' requirement.

240
Matchingmedium

Match each PowerShell command to its function in Microsoft 365.


Concepts
Matches

Connects to Azure AD

Connects to Exchange Online

Connects to MS Online (legacy)

Lists mailboxes

Resets a user's password

Why these pairings

PowerShell is used for bulk and scripted administration. Note that the AzureAD (Connect-AzureAD) and MSOnline (Connect-MsolService) modules are deprecated in favour of the Microsoft Graph PowerShell SDK (Connect-MgGraph); Exchange Online is managed with the ExchangeOnlineManagement module (Connect-ExchangeOnline), whose Get-Mailbox and Get-EXOMailbox cmdlets list mailboxes.

241
MCQeasy

A user in your organization receives a 'Message blocked' notification when trying to send an email with a credit card number. The DLP policy is configured to block such emails. The user claims the credit card number is a valid test number used for training. What should you do to allow the email while maintaining security?

A.Configure a policy tip to allow override with a business justification.
B.Exclude the user from the DLP policy.
C.Disable the DLP policy temporarily.
D.Add the user to the DLP policy's super user group.
AnswerA

An override with a business justification lets the message through while keeping the block as the default and recording who overrode it and why.

Why this answer

Option A is correct because configuring the rule's policy tip with 'Allow override' plus 'Require a business justification' keeps the block in place for everyone, lets this sender override it for the training message, and writes the override and justification to the audit log and DLP reports for review. Option B is wrong because excluding the user removes DLP protection from everything they send. Option C is wrong because disabling the policy removes protection for every user. Option D is wrong because there is no DLP 'super user group'; super users are a sensitivity-label encryption concept (accounts that can always open encrypted content) and have no effect on DLP evaluation.

242
Multi-Selectmedium

Your organization has a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover and control the use of unsanctioned cloud apps. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Define sanctioned and unsanctioned app categories in Microsoft Defender for Cloud Apps
B.Deploy Microsoft Purview Data Loss Prevention policies
C.Configure Microsoft Entra ID App Registrations to log app usage
D.Use Cloud Discovery in Microsoft Defender for Cloud Apps to analyze traffic logs
E.Create a Conditional Access policy to block all unsanctioned apps
AnswersA, D

After discovery, you categorize apps to control access.

Why this answer

Option D is correct because Cloud Discovery is the discovery step: it ingests firewall and proxy logs (uploaded or via the log collector) or Defender for Endpoint telemetry and lists the cloud apps actually in use, with risk scores. Option A is correct because the governance step is to mark those apps as sanctioned or unsanctioned in the Cloud Discovery dashboard; an unsanctioned tag can then be enforced, either automatically through the Defender for Endpoint integration (network protection blocks the app's URLs on onboarded devices) or by exporting a block script for the firewall or proxy. Option B is wrong because DLP inspects content, not which apps are used. Option C is wrong because app registrations describe applications integrated with Entra ID; they do not log usage of third-party SaaS. Option E is wrong because Conditional Access can only govern apps that sign in through Entra ID; it cannot see or block shadow IT that never touches the tenant.

Exam trap

The trap here is that candidates reach for Conditional Access to block unsanctioned apps, but Conditional Access only applies to apps that authenticate through Entra ID; it can neither discover shadow IT from network traffic nor block apps that never sign in to the tenant.

243
MCQeasy

Your organization has Microsoft Defender for Office 365 Plan 2. You want to set up a policy that automatically moves messages containing malware to quarantine and notifies the security team. Which policy should you configure?

A.DKIM policy
B.DMARC policy
C.Anti-Spam policy
D.Anti-Phishing policy
E.Safe Attachments policy
AnswerE

Safe Attachments detonates attachments before delivery and quarantines messages whose attachments turn out to be malware.

Why this answer

Option E is correct because a Safe Attachments policy (Defender for Office 365 Plan 1 and 2) scans attachments in a sandbox and, with the Block action, sends the message to quarantine; the quarantine policy attached to it controls who is notified and who may release the message. Note that the routine notification for detected malware (admin notifications for internal and external senders) sits in the anti-malware policy, which Safe Attachments extends rather than replaces. Option A is wrong because DKIM signs outbound mail. Option B is wrong because DMARC is an email-authentication policy that tells receivers how to treat mail failing SPF/DKIM alignment. Option C is wrong because anti-spam policies handle spam and bulk mail. Option D is wrong because anti-phishing policies deal with impersonation and spoofing.

244
MCQeasy

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a user receives a phishing email and clicks a malicious link within 10 minutes. Which two tables must be joined in the KQL query?

A.EmailEvents and UrlClickEvents
B.EmailEvents and DeviceEvents
C.EmailAttachmentInfo and UrlClickEvents
D.EmailPostDeliveryEvents and DeviceNetworkEvents
AnswerA

Correct. EmailEvents for email details, UrlClickEvents for user clicks on URLs.

Why this answer

To detect a user receiving a phishing email and clicking a malicious link within 10 minutes, you need to correlate the email delivery event with the click action. The EmailEvents table contains records of email delivery (including sender, recipient, and subject), while the UrlClickEvents table logs when a user clicks a link in an email, including the URL and timestamp. Joining these two tables on a common identifier (such as NetworkMessageId) allows you to filter for clicks that occur within 10 minutes of email delivery, satisfying the detection requirement.

Exam trap

The trap here is that candidates often confuse UrlClickEvents with DeviceEvents or DeviceNetworkEvents, thinking that network-level logs capture link clicks, but UrlClickEvents is the only table that specifically records user clicks on URLs in Microsoft 365 Defender.
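The two correlations from Q238 (encoded PowerShell, service installed, outbound connection within 3 minutes) and Q244 (phishing email delivered, link clicked within 10 minutes) as KQL, submitted from PowerShell through the Microsoft Graph advanced hunting endpoint. This is an added example, not code from the page. It assumes Connect-MgGraph with the ThreatHunting.Read.All scope; the 'generated service name' regex, the encoded-command regex and the lookback are heuristics chosen for the example.

```powershell
# Added example: Advanced Hunting queries run via Microsoft Graph PowerShell.
# Assumes: Connect-MgGraph -Scopes "ThreatHunting.Read.All"
# The regexes and 1-day lookback are example heuristics, not Microsoft defaults.

# Q238: encoded PowerShell -> service installed -> outbound connection on the same
# device within 3 minutes. Tables: DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents.
$q238 = @'
let window = 3m;
let encodedPs = DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine matches regex @"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    | project DeviceId, DeviceName, PsTime = Timestamp, PsCmd = ProcessCommandLine, ReportId;
let svcInstall = DeviceEvents
    | where Timestamp > ago(1d)
    | where ActionType == "ServiceInstalled"
    | extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
    | where ServiceName matches regex @"^[A-Za-z0-9]{8,16}$"   // heuristic for generated names
    | project DeviceId, SvcTime = Timestamp, ServiceName;
let outbound = DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    | project DeviceId, NetTime = Timestamp, RemoteIP, RemotePort;
encodedPs
| join kind=inner svcInstall on DeviceId
| where SvcTime between (PsTime .. (PsTime + window))
| join kind=inner outbound on DeviceId
| where NetTime between (PsTime .. (PsTime + window))
| project Timestamp = PsTime, DeviceId, DeviceName, ReportId, PsCmd, ServiceName, RemoteIP, RemotePort
'@

# Q244: phishing email delivered, then the recipient clicks a URL from that message
# within 10 minutes. Tables: EmailEvents and UrlClickEvents, joined on NetworkMessageId.
$q244 = @'
let window = 10m;
EmailEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
| project NetworkMessageId, DeliveredTime = Timestamp, RecipientEmailAddress,
          SenderFromAddress, Subject, ReportId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(1d)
    | project NetworkMessageId, ClickTime = Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
  ) on NetworkMessageId
| where ClickTime between (DeliveredTime .. (DeliveredTime + window))
| project Timestamp = ClickTime, ReportId, RecipientEmailAddress, AccountUpn, SenderFromAddress,
          Subject, Url, ActionType, IsClickedThrough
'@

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Query)
    # POST /security/runHuntingQuery returns { schema: [...], results: [...] }
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body @{ Query = $Query } -OutputType PSObject
    return $resp.results
}

Invoke-HuntingQuery -Query $q238 | Format-Table DeviceName, ServiceName, RemoteIP, RemotePort -AutoSize
Invoke-HuntingQuery -Query $q244 | Format-Table AccountUpn, Url, ActionType, IsClickedThrough -AutoSize
```

Both queries already project Timestamp and ReportId (plus DeviceId for the device query), so they can be pasted into a custom detection rule as-is; a rule without those columns cannot be saved. In the Q244 query, ActionType distinguishes ClickAllowed from ClickBlocked and IsClickedThrough shows whether the user clicked through a Safe Links warning, which is the difference between a near miss and a compromised session.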

245
MCQeasy

An organization wants to authenticate users using their on-premises Active Directory without synchronizing passwords to Microsoft Entra ID. Which identity model should they choose?

A.Federated identity
B.Synchronized identity
C.Cloud-only identity
D.Microsoft-managed identity
AnswerA

Federated identity uses on-premises authentication (e.g., AD FS) and does not require password synchronization to the cloud.

Why this answer

Federated identity allows users to authenticate against on-premises Active Directory using protocols such as WS-Federation, SAML 2.0, or AD FS, without synchronizing password hashes to Microsoft Entra ID. This model relies on a trust relationship between the on-premises identity provider and Entra ID, ensuring passwords never leave the local environment.

Exam trap

Microsoft often tests the distinction between 'synchronized' and 'federated' identity, where candidates mistakenly think pass-through authentication (which still syncs user objects) qualifies as 'without synchronizing passwords'.

How to eliminate wrong answers

Option B is wrong because synchronized identity requires password hash synchronization or pass-through authentication, which either stores password hashes in Entra ID or validates them against on-prem AD but still involves synchronization of user objects. Option C is wrong because cloud-only identity creates and manages all user accounts solely in Entra ID, with no connection to on-premises Active Directory. Option D is wrong because Microsoft-managed identity is not a standard identity model for Microsoft 365; it refers to managed identities for Azure resources, not user authentication.

246
MCQeasy

Your organization needs to prevent users from sharing documents containing personally identifiable information (PII) with external users. You have Microsoft Purview Data Loss Prevention (DLP) deployed. What should you configure?

A.Apply a sensitivity label that blocks external sharing.
B.Create a DLP policy that detects PII and restricts sharing to external users.
C.Configure a conditional access policy in Microsoft Entra ID to block external sharing.
D.Enable auditing for all document sharing activities.
AnswerB

DLP policies block sharing based on what the content contains.

Why this answer

Option B is correct because a DLP policy can detect PII (via built-in sensitive information types such as U.S. Social Security Number or Credit Card Number) and, with the condition 'shared with people outside my organization', block the share or the message. Option A is wrong because sensitivity labels classify and protect (encryption restricts who can open the file, and a site-level label can set the site's external-sharing setting) but they do not inspect content for PII at share time; the content-aware block is DLP's job. Option C is wrong because Conditional Access decides who can sign in to an app and under what conditions; it does not inspect document content. Option D is wrong because auditing only records sharing activity; it prevents nothing.
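The two DLP scenarios above, Q241 (block, but allow an audited override with a business justification) and Q246 (detect PII and stop sharing with people outside the organization), as one added Security & Compliance PowerShell example; this is not code from the page. It assumes Connect-IPPSSession; the policy name and the alert mailbox are placeholders.

```powershell
# Added example: Microsoft Purview DLP via Security & Compliance PowerShell.
# Assumes Connect-IPPSSession. Policy name and alert mailbox are placeholders.
$policyName = "DLP-PII-External"

# Create the policy in test mode with policy tips: users see the tip, nothing is
# blocked yet. Switch -Mode to Enforce after reviewing the DLP activity reports.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Added example: PII leaving the organization"

# Q246: PII (here U.S. SSN) shared with people outside the organization is blocked outright.
New-DlpComplianceRule -Name "Block SSN to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @( @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains personal data and cannot be shared outside the organization." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" -IncidentReportContent All `
    -ReportSeverityLevel High

# Q241: credit card numbers are blocked too, but the sender may override with a
# business justification (for example a documented test number). The override and the
# justification text land in the incident report and the unified audit log, so neither
# the user nor the policy has to be switched off.
New-DlpComplianceRule -Name "Credit card: override with justification" -Policy $policyName `
    -ContentContainsSensitiveInformation @( @{ Name = "Credit Card Number"; minCount = "1" } ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "Blocked: credit card number detected. Override only with a business justification." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" -IncidentReportContent All `
    -ReportSeverityLevel Medium

# Check what was stored: both rules block, only the credit card rule allows an override.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Priority, BlockAccess, AccessScope, NotifyAllowOverride

# Later, review who overrode the rule and why (Exchange DLP events in the unified audit log):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType ComplianceDLPExchange
```

The rules are deliberately kept on separate sensitive information types: when several rules match one item, the most restrictive action wins, so an SSN rule without override would silently cancel the credit-card override if both matched the same message.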

247
MCQeasy

You are configuring Microsoft Entra ID to allow external users from a partner organization to access a specific SharePoint Online site. You need to ensure that the external users authenticate using their own corporate credentials and are automatically invited when they first access the resource. What should you configure?

A.Microsoft Entra External ID (B2C)
B.Microsoft Entra B2B direct connect
C.Microsoft Entra entitlement management access packages
D.Microsoft Entra B2B collaboration with manual invitation
AnswerC

Access packages can automate invitations and enforce policies.

Why this answer

Option C is correct because Microsoft Entra entitlement management access packages allow you to create a policy that automatically sends an invitation to external users when they request access to a resource, such as a SharePoint Online site. This policy can be configured to require that external users authenticate using their own corporate credentials (via their home tenant) and be automatically added to the resource upon first access, without manual invitation. Entitlement management integrates with B2B collaboration under the hood, but adds the automation and approval workflows needed for this scenario.

Exam trap

The trap here is that candidates confuse Microsoft Entra B2B collaboration (which requires manual invitation) with entitlement management access packages (which automate the invitation and access lifecycle), or they incorrectly assume B2B direct connect can be used for SharePoint Online site access when it is actually limited to Teams Connect shared channels.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra External ID (B2C) is designed for consumer-facing identity management (social or local accounts), not for enabling partner organizations to use their own corporate credentials for resource access. Option B is wrong because Microsoft Entra B2B direct connect is used for establishing mutual trust between two tenants for real-time collaboration (e.g., Teams Connect shared channels), but it does not support automatic invitation or access package-based provisioning for SharePoint Online sites. Option D is wrong because Microsoft Entra B2B collaboration with manual invitation requires an admin to manually send an invitation email or CSV upload, which does not meet the requirement for automatic invitation when users first access the resource.

248
MCQeasy

A company has registered the custom domain 'contoso.com' and wants to host email for the subdomain 'sales.contoso.com' in Exchange Online. They have already verified the root domain. What additional step is required?

A.No additional step; subdomains are automatically verified after the root domain is verified.
B.Add 'sales.contoso.com' as a custom domain and verify ownership by adding a DNS TXT record.
C.Create a subdomain in Exchange Online using the Exchange admin center.
D.Modify the SPF record for the root domain to include 'sales.contoso.com'.
AnswerB

To use a subdomain, it must be added as a custom domain in the Microsoft 365 admin center and verified via a DNS TXT record or other allowed methods.

Why this answer

In Microsoft 365, verifying a root domain (e.g., contoso.com) does not automatically verify its subdomains. Each subdomain must be added as a separate custom domain in the Microsoft 365 admin center and verified by adding a unique DNS TXT record provided by Microsoft. This ensures that the organization proves ownership of the subdomain before it can be used for services like Exchange Online.

Exam trap

The trap here is that candidates assume domain verification in Microsoft 365 is hierarchical (like DNS delegation), but in reality, each subdomain is treated as an independent domain that must be explicitly added and verified.

How to eliminate wrong answers

Option A is wrong because subdomains are not automatically verified after the root domain is verified; each subdomain requires its own verification process via a DNS TXT record. Option C is wrong because you cannot create a subdomain in Exchange Online using the Exchange admin center; subdomains are managed as custom domains in the Microsoft 365 admin center, not within Exchange-specific tools. Option D is wrong because modifying the SPF record for the root domain is not a required step for hosting email on a subdomain; SPF records are used for sender authentication, not for domain verification.

249
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads a large number of files from Microsoft SharePoint Online in a short period. What should you create?

A.App Discovery policy
B.Activity policy
C.Anomaly Detection policy
D.Cloud Discovery policy
AnswerB

Activity policies allow custom detection of specific activities like mass download.

Why this answer

Option B is correct because Activity policies in Defender for Cloud Apps allow you to create custom rules to detect specific activities like mass download. Option C (Anomaly Detection) is for pre-built anomalies. Option D (Cloud Discovery) is for shadow IT.

Option A (App Discovery) is for identifying apps.

250
MCQhard

An organization uses Microsoft Defender for Endpoint and wants to allow only certain applications to run on managed devices. They create a custom indicator (IoA) to allow a specific application by its certificate thumbprint. However, after deployment, the application is still blocked by default Windows Defender Application Control (WDAC) policy. What is the most likely reason?

A.The indicator is not yet active due to propagation delay.
B.The certificate thumbprint is incorrect.
C.The WDAC policy is in enforce mode and does not trust the indicator.
D.Custom indicators cannot override WDAC policies.
AnswerC

WDAC enforce mode blocks unless explicitly allowed by WDAC policy itself.

Why this answer

Custom indicators for allow are prioritized over WDAC only if the WDAC policy trusts the indicator. However, by default, WDAC does not automatically trust Defender for Endpoint indicators; you must configure WDAC to allow indicators or use a WDAC policy that is in audit mode. Option C is correct.

Option D is wrong because indicators do work with WDAC. Option B is wrong because a certificate thumbprint is a valid indicator. Option A is wrong because the indicator does not expire quickly.

251
MCQeasy

Your company is implementing Microsoft 365 Copilot for Microsoft 365. You need to ensure that Copilot can access data from across the organization, but only for users who have the appropriate permissions. What is the primary security boundary for Copilot data access?

A.Microsoft 365 permissions and sensitivity labels
B.A dedicated Copilot security group in Microsoft Entra ID
C.Microsoft Purview Information Protection labels
D.The geographic location of the data
AnswerA

Copilot respects existing permissions and labels to determine data access.

Why this answer

Option A is correct because Copilot uses the existing Microsoft 365 permissions model. Users can only access data they have permissions to see. Option B is wrong because there is no separate Copilot security group.

Option C is wrong because Copilot does not use Azure Information Protection labels as the primary boundary. Option D is wrong because Copilot respects user permissions, not data location.

252
MCQhard

Refer to the exhibit. You are reviewing an app registration in Microsoft Entra ID for the Microsoft Teams Admin Center. The permission shown is for another resource. What is the consequence of this permission configuration?

A.The app can access Microsoft Graph data without a signed-in user, and admin consent is required
B.The app can only be used by users who have consented to the permission
C.The app can access Teams data but not other Microsoft 365 data
D.The app can access Microsoft Graph on behalf of the signed-in user only
AnswerA

Application permissions require admin consent and run without a user context.

Why this answer

The exhibit shows an application permission (not a delegated permission) for Microsoft Graph, which means the app can access data without a signed-in user. Admin consent is required because application permissions grant tenant-wide access and cannot be consented to by individual users. This is why option A is correct.

Exam trap

Microsoft often tests the distinction between delegated permissions (requiring user consent and acting on behalf of a user) and application permissions (requiring admin consent and acting without a user), and the trap here is that candidates may confuse the 'signed-in user' requirement with delegated permissions, incorrectly assuming the app needs user consent or can only run with a user present.

How to eliminate wrong answers

Option B is wrong because application permissions do not require per-user consent; they require tenant-wide admin consent, and the app can be used by any user once admin consent is granted. Option C is wrong because the permission is for Microsoft Graph, which provides access to a broad range of Microsoft 365 data beyond just Teams, including Exchange, SharePoint, and more. Option D is wrong because application permissions are not delegated; they allow the app to act as itself without any signed-in user context, unlike delegated permissions which operate on behalf of the signed-in user.

253
Multi-Selecthard

Which THREE conditions must be met for a tenant-to-tenant migration of SharePoint Online content?

Select 3 answers
A.The destination site collection or OneDrive must already exist in the target tenant.
B.Cross-tenant trust must be established or a third-party migration tool must be used.
C.The source user performing the migration must be a global admin in the target tenant.
D.The target tenant must have an active Microsoft 365 subscription.
E.Both tenants must have at least one user with PowerShell access.
AnswersA, B, D

Content can only be migrated to an existing site.

Why this answer

Option A is correct because SharePoint Online tenant-to-tenant migration requires the destination site collection or OneDrive to already exist in the target tenant. The migration process copies content into a pre-provisioned container; it does not create the site or OneDrive automatically. This ensures that the target structure is ready to receive the migrated data without requiring dynamic provisioning during the migration.

Exam trap

The trap here is that candidates often assume global admin privileges are required across both tenants for migration, but in reality, SharePoint admin or site collection admin permissions suffice, and PowerShell access is not a prerequisite.

254
Matchingmedium

Match each Microsoft 365 threat scenario to the appropriate protection.


Concepts
Matches

Anti-phishing policy in Defender for Office 365

Safe Attachments policy

Safe Links policy

Identity Protection and Conditional Access

Data Loss Prevention policy

Why these pairings

These protections are part of Microsoft 365 Defender and compliance.

255
MCQhard

You manage a Microsoft 365 tenant for a multinational corporation. You need to implement Microsoft Purview Information Protection to automatically classify and protect documents containing credit card numbers. The solution must apply encryption automatically when a document is saved to SharePoint Online. What should you do?

A.Create an auto-labeling policy in Microsoft Purview that uses a sensitivity label configured with encryption.
B.Create a DLP policy in Microsoft Purview that blocks sharing of documents containing credit card numbers.
C.Configure client-side labeling via Microsoft 365 Apps to prompt users to label documents.
D.Set a default sensitivity label for SharePoint Online document libraries.
AnswerA

Auto-labeling can automatically apply a label with encryption based on sensitive info types.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can scan documents for sensitive information types (e.g., credit card numbers) and automatically apply a sensitivity label with encryption. Option B is wrong because DLP policies can block sharing but do not label documents. Option C is wrong because client-side labeling requires user interaction.

Option D is wrong because the default label applies to all documents without specific conditions.

256
MCQmedium

An organization wants to configure Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users register two authentication methods: one from the mobile app category (e.g., notification or code) and one from the phone call category (e.g., office phone or mobile phone). Which combination of methods should the administrator select in the SSPR settings?

A.Mobile app notification and Office phone
B.Mobile app code and Security questions
C.Email and Mobile phone
D.Security questions and Office phone
AnswerA

Mobile app notification is from the mobile app category; Office phone is a phone call method. This meets the requirement.

Why this answer

Option A is correct because the SSPR policy requires users to register two authentication methods from distinct categories. The mobile app notification (from the mobile app category) and office phone (from the phone call category) satisfy this requirement. This combination ensures that users have one method from the mobile app category and one from the phone call category, as specified in the question.

Exam trap

The trap here is that candidates often confuse the 'mobile app' category with 'email' or 'security questions', or assume that 'mobile phone' (which is in the phone call category) counts as a mobile app method, leading them to select combinations that do not meet the category requirement.

How to eliminate wrong answers

Option B is wrong because security questions are not in the phone call category; they belong to the security questions category, so this combination does not include a method from the phone call category. Option C is wrong because email is not in the mobile app category; it belongs to the email category, and mobile phone is in the phone call category, so this combination lacks a method from the mobile app category. Option D is wrong because security questions are not in the mobile app category, and office phone is in the phone call category, so this combination lacks a method from the mobile app category.

257
Multi-Selectmedium

A compliance officer needs to automatically apply a sensitivity label that encrypts documents in SharePoint Online when the documents contain a custom regex pattern (e.g., employee ID). The labeling must occur automatically without requiring user interaction. Which two Microsoft Purview components must be configured? (Select the option that correctly identifies both components.)

Select 2 answers
A.An auto-labeling policy and a sensitivity label with encryption configured
B.Data Loss Prevention (DLP) policy and a sensitivity label
C.A retention label and an auto-labeling policy
D.A sensitive info type and a sensitivity label
AnswersA, D

Auto-labeling policies automatically apply sensitivity labels based on conditions; the label must have encryption to meet the requirement.

Why this answer

Option A is correct because an auto-labeling policy in Microsoft Purview can automatically apply sensitivity labels to documents in SharePoint Online based on conditions such as the presence of a custom regex pattern. The sensitivity label must have encryption configured to enforce protection, and the auto-labeling policy triggers the labeling without user interaction.

Exam trap

The trap here is that candidates often confuse auto-labeling policies with DLP policies, thinking DLP can apply labels, but DLP only detects and blocks—it does not automatically apply sensitivity labels with encryption.

258
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You want to set up a policy that automatically suspends a user if they download more than 100 files from SharePoint Online within 10 minutes. Which type of policy should you create?

A.Session policy
B.Activity policy
C.File policy
D.App discovery policy
AnswerB

Activity policies can detect anomalies and trigger governance actions like user suspension.

Why this answer

An Activity policy in Microsoft Defender for Cloud Apps monitors user activities across connected apps and can trigger automated actions, such as suspending a user, when a specific threshold of downloads from SharePoint Online is exceeded within a defined time window. This policy type is designed to detect anomalous behavior patterns like mass file downloads, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse Activity policies with Session policies, mistakenly thinking session-level controls can enforce download limits, but session policies only act on real-time actions within a single session and cannot trigger user suspension based on aggregated activity history.

How to eliminate wrong answers

Option A is wrong because a Session policy controls real-time user actions during a session (e.g., blocking uploads or requiring authentication) but does not evaluate historical activity counts or trigger user suspension based on past downloads. Option C is wrong because a File policy focuses on scanning files for content, metadata, or sharing permissions, not on monitoring the volume of download activities by a user. Option D is wrong because an App discovery policy analyzes cloud app usage and shadow IT, not user-specific download thresholds within a single app like SharePoint Online.

259
MCQmedium

A compliance officer needs to monitor employee communications across Microsoft Teams and Outlook for potential insider trading, using predefined policies. The solution must detect keywords like 'insider tip' and 'stock' and allow designated reviewers to take action. Which Microsoft Purview solution should the officer use?

A.Communication Compliance
B.Data Loss Prevention
C.eDiscovery (Premium)
D.Records Management
AnswerA

Communication Compliance is designed to detect and manage potential policy violations in communications, including insider trading.

Why this answer

Communication Compliance is the correct Microsoft Purview solution because it is specifically designed to detect sensitive keywords (e.g., 'insider tip' and 'stock') in Microsoft Teams chats, channel messages, and Outlook emails using predefined or customizable policies. It enables designated reviewers to investigate and take remediation actions such as removing messages or escalating for legal review, directly addressing the insider trading monitoring requirement.

Exam trap

The trap here is that candidates confuse Communication Compliance with Data Loss Prevention because both involve policy-based detection, but DLP is about preventing data exfiltration, not monitoring for insider trading keywords with reviewer workflows.

How to eliminate wrong answers

Option B (Data Loss Prevention) is wrong because DLP focuses on preventing unauthorized sharing of sensitive data (e.g., credit card numbers or PII) by blocking or alerting on outbound content, not on monitoring communications for insider trading keywords or enabling reviewer actions. Option C (eDiscovery Premium) is wrong because eDiscovery is used for legal hold, search, and export of content as evidence in litigation or investigations, not for real-time policy-based monitoring and remediation of communications. Option D (Records Management) is wrong because Records Management deals with classifying, retaining, and disposing of records based on regulatory requirements, not with detecting specific keywords in live communications or enabling reviewer workflows.

260
MCQeasy

You need to configure Microsoft Defender for Identity to alert when a user account is assigned a high number of group memberships in Active Directory. Which attack type does this correspond to?

A.Golden Ticket attack
B.Overpass-the-Hash attack
C.DCSync attack
D.Skeleton Key attack
AnswerA

Golden Ticket attacks forge Kerberos tickets and may involve modifying group memberships to escalate privileges.

Why this answer

Option A is correct because Golden Ticket attacks often involve modifying group memberships to gain elevated privileges. Option C is wrong because DCSync attacks replicate domain credentials. Option B is wrong because Overpass-the-Hash uses Kerberos tickets.

Option D is wrong because Skeleton Key attacks inject a backdoor.

261
MCQmedium

A company has a hybrid identity with password hash synchronization. They want to ensure that any user whose account is disabled in on-premises Active Directory is automatically prevented from signing in to Microsoft 365. How can this be achieved?

A.Ensure Microsoft Entra Connect is configured to synchronize the disabled status; this happens automatically.
B.Create a dynamic group based on accountEnabled attribute and apply a Conditional Access policy to block access.
C.Run a PowerShell script daily to disable matching accounts in Microsoft Entra ID.
D.Enable cloud HR provisioning.
AnswerA

The sync of the accountEnabled attribute is automatic, and disabling the on-premises account will propagate to the cloud, blocking sign-in.

Why this answer

Option A is correct because Microsoft Entra Connect (formerly Azure AD Connect) by default synchronizes the `userAccountControl` attribute from on-premises Active Directory, which includes the disabled status (bit 2, ACCOUNTDISABLE). When an on-premises user account is disabled, the corresponding `accountEnabled` attribute in Microsoft Entra ID is set to `false`, preventing sign-in to Microsoft 365 without additional configuration.

Exam trap

The trap here is that candidates may overthink the solution and assume additional configuration or scripting is required, when in fact Entra Connect automatically synchronizes the disabled status as part of its default attribute mapping.

How to eliminate wrong answers

Option B is wrong because a dynamic group based on `accountEnabled` attribute cannot be used in a Conditional Access policy to block access; Conditional Access policies apply to users or groups, but the `accountEnabled` attribute is not directly evaluated by Conditional Access, and disabling the account in Entra ID already blocks sign-in. Option C is wrong because running a PowerShell script daily to disable matching accounts in Microsoft Entra ID is unnecessary and introduces latency and potential inconsistency; Entra Connect already synchronizes the disabled status in near real-time (every 30 minutes by default). Option D is wrong because cloud HR provisioning (e.g., Workday or SuccessFactors) is designed for creating and managing user identities from HR systems, not for synchronizing the disabled status from on-premises Active Directory to Microsoft Entra ID.

262
MCQmedium

You are the compliance administrator for Contoso Ltd., a multinational corporation with 10,000 users. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Purview Compliance Manager. The legal department requires that all contracts be retained for 10 years after the contract ends, and then be permanently deleted. Contracts are stored in a SharePoint Online site named 'Contracts'. The site already has a retention policy that retains all documents for 5 years. You need to configure additional retention settings to meet the legal requirement without disrupting existing retention. What should you do?

A.Create a retention label with a retention period of 10 years after contract end, and automatically apply it to contract documents using a sensitive info type or a custom condition.
B.Create a file plan in Microsoft Purview Records Management and attach it to the Contracts site.
C.Modify the existing retention policy to retain content for 10 years instead of 5.
D.Apply a preservation hold to the Contracts site to prevent deletion until 10 years.
AnswerA

The label will override the policy's 5-year retention and retain for 10 years, then delete.

Why this answer

Option A is correct because a retention label can be applied automatically or manually to contracts, and it can have a longer retention period than the policy; the policy still applies for 5 years, but the label's retention takes precedence and extends to 10 years. Option B is wrong because a file plan is used for records management, not for extending retention. Option C is wrong because changing the existing policy would conflict with the 5-year retention already in place and might cause unintended retention.

Option D is wrong because a preservation hold prevents deletion but does not set a retention period.

263
Multi-Selecteasy

Which TWO types of content can be reviewed using Microsoft Purview Communication Compliance? (Choose two.)

Select 2 answers
A.Exchange Online emails
B.Microsoft Teams chat messages
C.Files stored in SharePoint Online
D.Yammer private messages
E.Viva Engage conversations
AnswersA, B

Email is a supported communication channel.

Why this answer

Options A and B are correct because Communication Compliance can review email messages and Microsoft Teams messages. Option C is incorrect because SharePoint files are not directly reviewed by Communication Compliance; they are covered by DLP. Option D is incorrect because Yammer is not currently supported.

Option E is incorrect because Viva Engage messages may be reviewed if they are part of Teams or email, but not as a standalone source.

264
Multi-Selectmedium

A global administrator at Fabrikam Inc. plans to implement Microsoft Purview to manage compliance for sensitive information. The solution must include the ability to discover, classify, and protect sensitive data across Microsoft 365 services. Which three of the following should the administrator configure? (Choose three.)

Select 3 answers
A.Create a sensitive information type to detect custom data patterns, such as employee IDs.
B.Enable auto-labeling policies in Microsoft Purview to automatically apply sensitivity labels to documents containing trade secrets.
C.Configure a trainable classifier to identify and label content that matches specific organizational patterns, such as legal contracts.
D.Set up a data loss prevention (DLP) policy to block external sharing of files labeled as 'Highly Confidential'.
E.Deploy Microsoft Purview eDiscovery to automatically classify all content in Microsoft Teams chats.
F.Enable Microsoft Purview Insider Risk Management to scan and label all historical email data.

Why this answer

Creating a sensitive information type is correct because it allows the administrator to define custom patterns (e.g., employee IDs) that Microsoft Purview can use to discover and classify sensitive data across Microsoft 365 services. This is a foundational step for building compliance policies tailored to the organization's specific data.

Exam trap

The trap here is that candidates often confuse the roles of DLP, eDiscovery, and Insider Risk Management as classification tools, when in fact they are enforcement, search, and risk detection tools respectively, not designed for automatic discovery and labeling of sensitive data.

265
MCQmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You have a DLP policy that blocks sharing of documents containing personally identifiable information (PII) with external users. However, the HR department needs to share PII with a third-party benefits administrator for open enrollment. They request an exception that allows sharing only with the specific external domain 'benefits.contoso.com'. You need to implement the exception without weakening the overall policy. The solution must be centrally managed and auditable. What should you do?

A.Create a separate DLP policy with a lower priority that allows sharing with the external domain.
B.Remove the HR department from the scope of the DLP policy.
C.Modify the sensitivity label used by HR to remove the encryption requirement.
D.Configure the existing DLP policy to allow override for the specific external domain by using an allow list.
AnswerD

DLP policies support allow lists for specific domains.

Why this answer

Option D is correct because you can create a DLP policy override that allows sharing with the specific domain by configuring an allow list. Option A is incorrect because creating a separate policy with lower priority does not create an exception; all policies apply. Option C is incorrect because modifying the sensitivity label does not affect DLP.

Option B is incorrect because excluding HR from the policy would remove protection for all HR data, not just for the specific scenario.

266
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You want to detect when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

A.Configure an app discovery policy
B.Set up a session policy to block access from anonymous IPs
C.Enable the cloud discovery shadow IT report
D.Create an activity policy in Defender for Cloud Apps
AnswerD

Activity policies can trigger alerts based on conditions like anonymous IP.

Why this answer

Option D is correct because an activity policy can detect access from anonymous IP addresses. Option A is wrong because app discovery identifies cloud apps; it does not detect anomalous access. Option B is wrong because session policies control access rather than generating alerts.

Option C is wrong because cloud discovery shadow IT reports show discovered apps.

267
MCQhard

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt from a domain controller. You need to determine if the account was compromised by checking for lateral movement. What should you do in the Microsoft 365 Defender portal?

A.Review the incident graph for the related alert.
B.Review the identity timeline for the affected user account.
C.Run an advanced hunting query for IdentityLogonEvents.
D.Review the device timeline for the domain controller.
AnswerB

Identity timeline provides a chronological view of user activities, including logons and resource access, to detect lateral movement.

Why this answer

Option B is correct because the identity timeline in Defender for Identity shows the sequence of activities for a user, helping to identify lateral movement. Option D is wrong because the device timeline shows events on a device, not user identity activities across multiple devices. Option A is wrong because the incident graph shows related alerts but not the detailed user activity timeline.

Option C is wrong because the advanced hunting schema for IdentityLogonEvents can be used, but the identity timeline is the most direct tool for investigating lateral movement.

268
MCQmedium

Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires MFA for all external users. However, guest users from a partner organization are being blocked when they try to access a SharePoint Online site. You need to ensure that guest users can access the site without being prompted for MFA if they have already satisfied MFA in their home tenant. What should you configure?

A.Disable MFA requirement for guest users in Conditional Access
B.Configure authentication methods policy to accept MFA from external identities
C.Enable the trust MFA for external users setting in cross-tenant access settings
D.Use B2B direct connect instead of B2B collaboration
AnswerC

This allows guest users to use MFA from their home tenant.

Why this answer

Option C is correct because the cross-tenant access settings in Microsoft Entra ID include a 'Trust MFA from external tenants' option. When enabled, this setting allows guest users who have already satisfied MFA in their home tenant to access resources in your tenant without being prompted for MFA again. This respects the partner's MFA claims and avoids redundant authentication, which directly resolves the blocking issue caused by the Conditional Access policy requiring MFA for all external users.

Exam trap

The trap here is that candidates often confuse the 'authentication methods policy' (which governs allowed MFA methods in your tenant) with the cross-tenant trust setting, leading them to choose Option B, when in fact the correct solution is to enable the trust setting in cross-tenant access settings.

How to eliminate wrong answers

Option A is wrong because disabling MFA for guest users in Conditional Access would remove the security requirement entirely, which violates the organization's policy and exposes resources to unauthenticated access. Option B is wrong because the authentication methods policy controls which methods are allowed for MFA in your tenant, not whether MFA claims from external identities are trusted; it does not accept or reject MFA from other tenants. Option D is wrong because B2B direct connect is designed for real-time, unmanaged collaboration (e.g., Teams shared channels) and does not support SharePoint Online site access via invitations; B2B collaboration is the correct model for granting guest users access to SharePoint sites.

269
MCQ · easy

As a Microsoft 365 administrator, you need to ensure that sensitive data is not shared externally via email. You configure Data Loss Prevention (DLP) policies in Microsoft Purview. What is the primary purpose of a DLP policy?

A. Prevent users from sending any external email.
B. Block all inbound emails from untrusted domains.
C. Encrypt all outgoing emails automatically.
D. Detect and prevent the sharing of sensitive information via email and other channels.
Answer: D

DLP policies identify, monitor, and protect sensitive data across Microsoft 365 services.

Why this answer

Option A is correct because DLP policies are designed to detect and prevent accidental or intentional sharing of sensitive information. Option B is wrong because email encryption is provided by Azure Information Protection or Office 365 Message Encryption. Option C is wrong because malware protection is handled by Defender for Office 365.

Option D is wrong because DLP does not block all external emails.

270
MCQ · medium

Your organization uses Microsoft Defender for Office 365. You need to ensure that users are warned before opening potentially malicious attachments in Outlook on the web. Which policy setting should you configure?

A. Attachments in email are blocked
B. Open in protected view
C. Attachments are held and scanned
D. Dynamic Delivery
Answer: B

This displays a warning before opening a file in a sandboxed view.

Why this answer

Option C is correct because the 'Open in protected view' option displays a warning before opening a file in a sandboxed view. Option A is wrong because dynamic delivery delivers the email but replaces attachments with placeholders until scan completes. Option B is wrong because 'Attachments in email are blocked' completely blocks delivery.

Option D is wrong because 'Attachments are held and scanned' delays delivery until scan completes.

271
Multi-Select · hard

Which THREE of the following are valid permissions in Microsoft Entra ID custom roles? (Choose three.)

Select 2 answers
A. microsoft.directory/applications/delete
B. microsoft.directory/applications/credentials/update
C. microsoft.directory/users/update
D. microsoft.directory/roles/assign
E. microsoft.directory/groups/members/update
Answers: A, C

Valid permission to delete applications.

Why this answer

Option A is correct because 'microsoft.directory/applications/delete' is a valid permission in Microsoft Entra ID custom roles. Custom roles allow granular permissions defined by the 'microsoft.directory' namespace, and deleting applications is a supported action under the 'applications' resource type.

Exam trap

The trap here is that candidates often confuse valid permission strings with invalid ones, such as assuming 'microsoft.directory/roles/assign' is valid when role assignment permissions actually fall under 'microsoft.directory/roleAssignments'.

272
MCQ · medium

Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant multifactor authentication (MFA) for all users accessing sensitive applications. Which authentication strength should you select in the policy?

A. Phishing-resistant MFA
B. Passwordless MFA
C. Multifactor authentication
D. No authentication strength
Answer: A

Phishing-resistant MFA requires FIDO2 or certificate-based authentication.

Why this answer

Option B is correct because phishing-resistant MFA requires a certificate-based or FIDO2 security key. Option A is wrong because passwordless MFA with Microsoft Authenticator is not considered phishing-resistant. Option C is wrong because it is a weaker strength.

Option D is wrong because it does not enforce phishing resistance.

273
Multi-Select · medium

Your organization is implementing a zero-trust security model. Which TWO Microsoft Entra ID features should you enable to enforce least-privilege access and continuous verification?

Select 2 answers
A. Conditional Access
B. Self-service password reset (SSPR)
C. Privileged Identity Management (PIM)
D. Application Proxy
E. Microsoft Entra Join
Answers: A, C

Conditional Access enforces policies based on signals for continuous verification.

Why this answer

Conditional Access enables continuous verification, and Privileged Identity Management enforces just-in-time access. Option B is wrong because SSPR is for password reset. Option D is wrong because Microsoft Entra Join is a device identity method.

Option E is wrong because Application Proxy is for remote access.

274
MCQ · hard

A company (Contoso) frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso wants to require Fabrikam's guest users to perform MFA using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. However, Fabrikam's users already have MFA enabled in their home tenant. What should Contoso configure in their cross-tenant access settings?

A. Set the inbound trust settings to accept MFA claims from Fabrikam
B. Set the inbound trust settings to accept compliant device claims
C. Set the inbound trust settings to block MFA and require Contoso's MFA
D. Disable trust for MFA from the external tenant in the cross-tenant access settings
Answer: D

By disabling trust for MFA claims from the external tenant, Contoso ensures that its own MFA policies apply to guest users.

Why this answer

Option D is correct because Contoso wants to ignore MFA claims from Fabrikam's home tenant and enforce its own MFA policies on Fabrikam's guest users. In cross-tenant access settings, disabling trust for MFA from the external tenant ensures that Contoso does not honor any MFA claims issued by Fabrikam, thereby requiring Fabrikam's users to perform MFA again according to Contoso's conditional access policies.

Exam trap

The trap here is that candidates may think they need to explicitly 'block MFA' (Option C) rather than understanding that disabling trust for MFA claims achieves the same effect by ignoring the external tenant's MFA, forcing Contoso's own MFA policies to apply.

How to eliminate wrong answers

Option A is wrong because accepting MFA claims from Fabrikam would honor Fabrikam's MFA claims, which is the opposite of what Contoso wants. Option B is wrong because accepting compliant device claims is unrelated to MFA enforcement; it controls device trust, not authentication strength. Option C is wrong because there is no setting to 'block MFA and require Contoso's MFA' in cross-tenant trust settings; the correct mechanism is to disable trust for MFA from the external tenant, which effectively forces Contoso's MFA to be evaluated.

275
Multi-Select · hard

A company experiences a ransomware attack that encrypts files on several endpoints. The security team wants to use automated investigation and response (AIR) capabilities in Microsoft Defender XDR to contain the threat. Which TWO actions can be taken automatically by AIR? (Select TWO.)

Select 2 answers
A. Block the sender's email domain in Defender for Office 365.
B. Remove malicious files detected by Defender for Endpoint.
C. Isolate an affected device from the network.
D. Disable user accounts associated with the attack.
E. Reset user passwords for affected accounts.
Answers: B, C

AIR can remove files automatically.

Why this answer

AIR in Defender XDR can automatically isolate devices and remove malicious files. Option A and Option D are correct. Option B is wrong because disabling user accounts is not automatic; it requires a playbook.

Option C is wrong because password reset is not automatic. Option E is wrong because blocking email domains is not automatic.

276
MCQ · hard

Your Microsoft 365 tenant contains sensitive financial data that must be retained for 7 years. You configure a retention policy in Microsoft Purview compliance portal. After 7 years, the data is still accessible to users. What is the most likely reason?

A. The retention policy does not include a deletion action.
B. A litigation hold is applied to the data.
C. The retention policy is configured to retain data for 7 years and then delete it.
D. The data is marked as a record and requires disposition review.
Answer: A

If the policy only retains data without deleting it, the data remains after the retention period.

Why this answer

Option A is correct because a retention policy in Microsoft Purview can be configured to only retain data without a deletion action. If the policy lacks a deletion action, data will be preserved for the specified period but will not be automatically removed after that period expires, leaving it accessible to users. The scenario describes data still being accessible after 7 years, which directly indicates that no deletion action was configured to remove the data at the end of the retention period.

Exam trap

The trap here is that candidates often assume a retention policy automatically deletes data after the retention period ends, but Microsoft Purview requires an explicit deletion action to be configured for automatic removal; otherwise, the data is retained indefinitely.

How to eliminate wrong answers

Option B is wrong because a litigation hold preserves data indefinitely and prevents deletion, but it does not cause data to remain accessible after a retention period ends if the retention policy itself lacks a deletion action; the hold would keep the data, but the core issue is the missing deletion action. Option C is wrong because if the retention policy were configured to retain data for 7 years and then delete it, the data would be automatically removed after 7 years and would not remain accessible to users. Option D is wrong because marking data as a record and requiring disposition review means the data must be manually reviewed and approved before deletion, but this does not automatically keep the data accessible after the retention period; disposition review can delay deletion but does not explain why data remains accessible without any deletion action.

277
MCQ · medium

A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?

A. Microsoft Defender for Identity
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Endpoint
Answer: A

Defender for Identity uses behavioral analytics to detect sign-in anomalies and user compromise risks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct component because it is specifically designed to detect and alert on identity-based threats, including unusual sign-in patterns that indicate a high risk of account compromise. MDI uses behavioral analytics and machine learning to monitor on-premises Active Directory and Azure AD sign-in logs for anomalies such as impossible travel, unusual login times, or suspicious credential usage, triggering real-time alerts. This directly matches the requirement for real-time alerts on user risk from unusual sign-in patterns.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (option C) as the tool for sign-in anomaly detection, but its primary focus is on cloud app usage and data protection, not real-time identity risk alerts based on sign-in patterns; that is the domain of Defender for Identity.

How to eliminate wrong answers

Option B (Microsoft Defender for Office 365) is wrong because it focuses on protecting email and collaboration tools (e.g., phishing, malware in attachments) rather than analyzing user sign-in patterns for identity compromise. Option C (Microsoft Defender for Cloud Apps) is wrong because it primarily monitors cloud application usage and data exfiltration, not real-time sign-in risk alerts; its anomaly detection is broader and often requires additional configuration for identity-focused alerts. Option D (Microsoft Defender for Endpoint) is wrong because it is designed for endpoint threat detection and response (e.g., malware, fileless attacks) and does not analyze sign-in logs or user authentication patterns.

278
MCQ · easy

You need to ensure that only users from your organization can access a SharePoint Online site. Which setting should you configure?

A. Set the SharePoint Online external sharing setting to 'Only people in your organization'
B. Create a Conditional Access policy to block external users
C. Configure the Microsoft Entra ID external collaboration settings
D. Modify the site permissions to remove external users
Answer: A

This restricts access to internal users only.

Why this answer

Option A is correct because the SharePoint Online external sharing setting 'Only people in your organization' explicitly restricts all sharing and access to users who have a valid identity in your Microsoft Entra ID tenant. This setting prevents any external user (including guests) from accessing the site, regardless of how they were invited or authenticated. It is the most direct and effective control for limiting access to internal users only.

Exam trap

The trap here is that candidates often confuse tenant-level external collaboration settings (Microsoft Entra ID) with site-level external sharing settings (SharePoint Online), assuming that blocking external users in Entra ID automatically restricts access to SharePoint sites, which is not the case because SharePoint has its own independent sharing controls.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy can block external users from signing in, but it does not prevent external users who are already guests from accessing the site if they have been granted permissions through sharing. Option C is wrong because configuring the Microsoft Entra ID external collaboration settings controls the overall guest invitation behavior for the tenant, but it does not override the per-site external sharing setting; a site could still be shared externally if its own sharing setting allows it. Option D is wrong because modifying site permissions to remove external users is a manual, reactive approach that does not prevent future external sharing or access; it does not enforce a policy that blocks external users from being added or accessing the site.

279
MCQ · hard

A security analyst wants to create a custom detection rule that triggers when a device communicates with a new, unclassified IP address that has been flagged by Microsoft threat intelligence as potentially malicious. The rule should run every hour and create an incident if more than 5 such communications from the same device occur within a 24-hour window. Which advanced hunting tables should be joined in the KQL query for this rule?

A. DeviceNetworkEvents and IPReputation
B. DeviceProcessEvents and AlertInfo
C. DeviceFileEvents and DeviceIPInfo
D. EmailEvents and DeviceNetworkEvents
Answer: A

DeviceNetworkEvents records network connections including remote IPs. IPReputation provides Microsoft's threat intelligence score for IP addresses, allowing the rule to filter for connections to flagged IPs. These tables can be joined on the RemoteIP column.

Why this answer

Option A is correct because the rule requires detecting network communications to potentially malicious IP addresses, which involves joining `DeviceNetworkEvents` (which logs network connections from devices) with `IPReputation` (which contains Microsoft's threat intelligence classifications for IP addresses). This join allows the query to filter for communications where the destination IP is flagged as malicious and then aggregate by device to trigger an incident when the count exceeds 5 within a 24-hour window.

Exam trap

The trap here is that candidates often confuse `DeviceNetworkEvents` with `DeviceProcessEvents` or `DeviceFileEvents`, mistakenly thinking process or file events can indicate network communication patterns, or they overlook that `IPReputation` is the specific table providing threat intelligence classification for IP addresses.

How to eliminate wrong answers

Option B is wrong because `DeviceProcessEvents` logs process creation events, not network communications, and `AlertInfo` contains metadata about alerts, not IP reputation data; this combination cannot detect communications with malicious IPs. Option C is wrong because `DeviceFileEvents` logs file creation/modification events, not network connections, and `DeviceIPInfo` provides IP configuration details (like DHCP leases) rather than threat intelligence reputation scores. Option D is wrong because `EmailEvents` tracks email delivery and phishing events, not device-level network communications, and joining it with `DeviceNetworkEvents` would not provide the required IP reputation data from Microsoft threat intelligence.

280
MCQ · medium

A company wants to implement just-in-time (JIT) privileged access for the Security Administrator role. Users must be able to activate the role with a business justification, and the activation must be approved by a designated group of approvers. The role activation should expire after 4 hours. Which Privileged Identity Management (PIM) configuration should the administrator modify?

A. Role settings for the Security Administrator role
B. Assignments (Eligible) for the Security Administrator role
C. Assignments (Active) for the Security Administrator role
D. Notifications settings under PIM
Answer: A

Role settings control activation requirements, including approval, justification, and maximum activation duration.

Why this answer

To configure just-in-time (JIT) privileged access with approval, expiration, and justification requirements, you must modify the Role settings for the Security Administrator role in Privileged Identity Management (PIM). Role settings control activation parameters such as maximum activation duration (4 hours), whether approval is required, and whether justification is mandatory. This is the only place where these activation policies are defined.

Exam trap

The trap here is that candidates confuse 'assignments' (who can use the role) with 'role settings' (how the role can be activated), leading them to choose Eligible assignments instead of Role settings when asked about activation policies like duration, approval, or justification.

How to eliminate wrong answers

Option B is wrong because Eligible assignments define which users are allowed to activate the role, not the activation policies like duration, approval, or justification. Option C is wrong because Active assignments grant permanent, always-on access without requiring activation, which defeats the purpose of JIT and approval. Option D is wrong because Notifications settings only control who receives email alerts for PIM events (e.g., activation, approval), not the activation rules themselves.

281
MCQ · hard

Contoso uses Microsoft Defender XDR and has a Microsoft 365 E5 license. The security team wants to automate incident response when a user is compromised. They create a custom automation rule in the Microsoft 365 Defender portal. The rule should automatically isolate the user's device, disable the user account, and reset the user's password. Which action type should they configure in the rule?

A. Create a playbook that performs all three actions and run it as the automation rule action.
B. Select 'Isolate device' as the incident action.
C. Configure a webhook to call an external API that performs the actions.
D. Use the 'Run script' action and provide a PowerShell script.
Answer: A

A playbook can orchestrate multiple steps.

Why this answer

In Microsoft Defender XDR automation rules, you can define actions that trigger playbooks. To perform multiple actions like isolate device, disable account, and reset password, you need to use Microsoft Sentinel playbooks (or Logic Apps) because Defender XDR automation rules only support a single action per trigger. However, with a custom playbook, you can combine multiple steps.

Option B is correct because a playbook can include multiple actions. Option A is wrong because an automation rule only supports one action. Option C is wrong because incident actions are limited.

Option D is wrong because a webhook would require external orchestration.

282
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Entra ID. You need to block access to a third-party cloud app that is not sanctioned. The app uses OAuth and users have already granted consent. What should you configure?

A. Create a Conditional Access policy in Microsoft Entra ID to block the app.
B. Create a session policy in Microsoft Defender for Cloud Apps.
C. Create an OAuth app policy in Microsoft Defender for Cloud Apps to revoke the app.
D. Create an app discovery policy in Microsoft Defender for Cloud Apps.
Answer: C

OAuth app policies revoke permissions and block the app.

Why this answer

Option A is correct because an OAuth app policy in Defender for Cloud Apps can revoke permissions and block access. Option B is wrong because a Conditional Access policy can block access but does not revoke OAuth permissions. Option C is wrong because an app discovery policy only identifies apps.

Option D is wrong because a session policy controls usage but does not block access after consent.

283
MCQ · medium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a device establishes a network connection to an IP address that has been recently observed in threat intelligence feeds as a new, malicious command-and-control server. The rule should analyze network communication events. Which advanced hunting table should be the primary data source for the Kusto Query Language (KQL) query?

A. DeviceProcessEvents
B. DeviceNetworkEvents
C. EmailEvents
D. AlertEvidence
Answer: B

This table records network connection events such as TCP, UDP, and ICMP traffic, making it suitable for IP-based detection.

Why this answer

DeviceNetworkEvents is the correct primary data source because it captures network connection events, including source and destination IP addresses, ports, and protocols. To detect a device connecting to a newly observed malicious command-and-control server, the KQL query must analyze network communication events, which are stored exclusively in this table.

Exam trap

Microsoft often tests the confusion between process-level and network-level tables, leading candidates to choose DeviceProcessEvents because they mistakenly think process creation is the primary indicator of malicious network activity.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation and execution events, not network connections; it cannot provide IP address or port information. Option C is wrong because EmailEvents tracks email delivery and phishing events, not device-level network connections to external IPs. Option D is wrong because AlertEvidence contains evidence linked to existing alerts, not raw network communication logs; it is used for investigating alerts, not as a primary source for custom detection rules.

284
MCQ · medium

You are reviewing a conditional access policy in Microsoft Entra ID as shown in the exhibit. The policy is intended to block sign-ins that are considered risky. However, some high-risk users are still able to sign in. What is the most likely reason?

A. The policy requires user risk and sign-in risk to both be high
B. The policy requires multi-factor authentication instead of blocking
C. The policy does not include sign-in risk levels
D. The policy requires both user risk and sign-in risk to be at specified levels simultaneously
Answer: D

The conditions use AND logic; if sign-in risk is low, the policy does not trigger.

Why this answer

Option A is correct because the policy only blocks when both user risk is high AND sign-in risk is medium or high. If user risk is high but sign-in risk is low, the policy does not apply. Option B is wrong because the policy does not require both risk levels to be high; it requires user risk high and sign-in risk medium or high.

Option C is wrong because the policy includes sign-in risk levels medium and high. Option D is wrong because the policy does not require multi-factor authentication.

285
MCQ · medium

A company uses Microsoft Entra ID with Pass-through Authentication. The security team wants to block all sign-ins from countries that are not approved (e.g., high-risk regions). Which feature should they use?

A. Conditional Access policy with country location condition
B. Identity Protection sign-in risk policy
C. Identity Protection user risk policy
D. Named locations with blocked countries
Answer: A

Conditional Access allows blocking or allowing access based on country by using Named Locations.

Why this answer

Conditional Access policies in Microsoft Entra ID can include a location condition that uses IP addresses to determine the country of origin. By configuring a policy to block access from specific countries (e.g., high-risk regions), the security team can enforce this requirement. This is the correct feature because it directly evaluates the geographic location of the sign-in request and applies an access control (block) accordingly.

Exam trap

The trap here is that candidates confuse Named locations (which are just definitions) with the actual enforcement mechanism, forgetting that a Conditional Access policy is required to apply the block action based on those locations.

How to eliminate wrong answers

Option B is wrong because Identity Protection sign-in risk policy evaluates the probability that a sign-in is compromised based on signals like anonymous IP addresses or atypical travel, not the geographic country of the sign-in. Option C is wrong because Identity Protection user risk policy assesses the likelihood that a user's identity has been compromised (e.g., leaked credentials), not the location of the sign-in. Option D is wrong because Named locations define a set of IP address ranges or countries/regions for use in Conditional Access policies, but they cannot directly block sign-ins; they must be referenced within a Conditional Access policy to enforce a block action.

286
MCQ · medium

A company uses Microsoft Entra ID with password hash synchronization. The security team wants to prevent users from setting passwords that include their username or common terms from a custom dictionary (e.g., company name, product names). Which feature should be configured?

A. Enable Azure AD Identity Protection with user risk policies.
B. Configure a custom banned passwords list in Microsoft Entra ID Password Protection.
C. Set a fine-grained password policy in on-premises Active Directory and sync it to Azure AD.
D. Enable MFA registration campaign to force users to register for MFA.
Answer: B

This allows adding a custom list of banned passwords that users cannot use, meeting the requirement.

Why this answer

Option B is correct because Microsoft Entra ID Password Protection allows administrators to enforce custom banned password lists that prevent users from including specific terms (e.g., company name, product names) or their username in passwords. This feature works with password hash synchronization to block weak passwords at the cloud level, directly addressing the security team's requirement.

Exam trap

The trap here is that candidates often confuse password policies (which are set in on-premises AD and cannot be synced to Azure AD) with password protection features (which are configured directly in Microsoft Entra ID), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection with user risk policies detects and responds to compromised credentials or risky sign-ins, but it does not enforce password content restrictions like banning specific terms. Option C is wrong because fine-grained password policies in on-premises Active Directory cannot be synced to Azure AD; password hash synchronization only syncs password hashes, not password policies, and Azure AD does not support on-premises password policy enforcement. Option D is wrong because the MFA registration campaign forces users to register for multifactor authentication, which adds a second layer of security but does not prevent users from setting weak passwords that include banned terms.

287
MCQ · hard

A security administrator wants to prevent users from uploading files to unsanctioned cloud storage apps (e.g., personal Dropbox or Google Drive) from managed Windows devices. The solution must use a reverse proxy to control file uploads in real time. Which Microsoft Defender for Cloud Apps feature should the administrator configure?

A. App discovery policy
B. Access policy
C. Session policy
D. Activity policy
Answer: C

Session policies use reverse proxy to control activities within a session, such as blocking uploads, downloads, or copy-paste.

Why this answer

Session policy in Microsoft Defender for Cloud Apps uses reverse proxy capabilities to monitor and control user activities in real time. When configured with the 'Control file upload' action, it can block or restrict uploads to unsanctioned cloud storage apps like personal Dropbox or Google Drive from managed Windows devices, meeting the requirement exactly.

Exam trap

The trap here is confusing session policies (real-time reverse proxy control) with access policies (pre-session conditional access), leading candidates to choose access policy because it also uses Conditional Access, but it cannot inspect or block file uploads within an active session.

How to eliminate wrong answers

Option A is wrong because App discovery policy identifies cloud apps in use but does not enforce real-time controls via reverse proxy. Option B is wrong because Access policy controls access based on user/device context but does not inspect or block file uploads within a session. Option D is wrong because Activity policy detects and alerts on specific activities (e.g., uploads) but cannot block them in real time using a reverse proxy; it is reactive, not proactive.

288
Multi-Select · medium

Your organization is implementing Microsoft Defender XDR. Which TWO actions should you take to ensure that alerts from different workloads are correlated into incidents?

Select 2 answers
A. Enable unified role-based access control (RBAC) in Microsoft 365 Defender.
B. Verify that all workloads are onboarded and sending data to Microsoft 365 Defender.
C. Ensure that all workloads are configured to use the same data retention policy.
D. Configure each workload to send alerts to Microsoft Sentinel.
E. Assign Microsoft 365 E5 licenses to all users.
Answers: A, B

Unified RBAC is required for incident correlation across workloads.

Why this answer

Options A and D are correct because enabling unified roles and ensuring all workloads send data to Microsoft 365 Defender are prerequisites for incident correlation. Option B is not required because RBAC is separate. Option C is not required because data storage is independent.

Option E is wrong because licensing is per workload.

289
Multi-Select · medium

Your organization uses Microsoft Entra ID and wants to implement Identity Protection to detect risky users. Which THREE risk types can be detected by Identity Protection? (Choose three.)

Select 3 answers
A.Impossible travel
B.Password spray
C.Leaked credentials
D.Anonymous IP address
E.Malware
AnswersA, C, D

Impossible travel detects sign-ins from distant locations within a short time.

Why this answer

Impossible travel is a risk detection in Microsoft Entra ID Identity Protection that identifies sign-ins originating from geographically distant locations within a time frame that makes physical travel between them impossible. This detection uses the user's previous sign-in locations and the time between sign-ins to calculate the probability of a compromised account being used from a different region.

Exam trap

The trap here is that candidates confuse attack types (like password spray or malware) with the specific risk detection types that Identity Protection actually reports, leading them to select options that describe attack methods rather than the built-in risk detections.

290
MCQeasy

A new employee has been hired and their account already exists in the on-premises Active Directory. The administrator needs to provide the employee with access to Microsoft 365 services as quickly as possible. What is the most efficient way to enable the user?

A.Create a new cloud-only user in the Microsoft 365 admin center and assign a license.
B.Sync the on-premises user using Azure AD Connect and then assign the license.
C.Manually create a user in Microsoft Entra ID with the same name and assign license.
D.Use Azure AD B2B collaboration to invite the on-premises user as a guest.
AnswerB

This leverages existing identity, synchronizes to the cloud, and then a license is assigned to enable services.

Why this answer

Option B is correct because the user already exists in on-premises Active Directory, and the fastest way to enable Microsoft 365 access is to synchronize that identity using Azure AD Connect. Once synchronized, the user object appears in Microsoft Entra ID (formerly Azure AD), and the administrator can immediately assign a license without re-creating the account. This avoids the delays of manual creation or guest invitations and leverages the existing identity lifecycle.

Exam trap

The trap here is that candidates often confuse the speed of creating a new cloud user (Option A) with the efficiency of leveraging an existing synchronized identity, failing to recognize that synchronization is the intended and fastest path for hybrid environments.

How to eliminate wrong answers

Option A is wrong because creating a new cloud-only user would result in a duplicate identity that is not linked to the on-premises AD account, breaking password sync and future management. Option C is wrong because manually creating a user in Microsoft Entra ID with the same name does not establish a source-of-authority connection to the on-premises object, leading to conflicts and no automatic attribute synchronization. Option D is wrong because Azure AD B2B collaboration is designed for external guest access, not for enabling an internal employee with full Microsoft 365 services; it would create a separate guest identity without proper license assignment or directory integration.

291
Multi-Selectmedium

You are planning the initial deployment of a new Microsoft 365 tenant for Contoso Ltd. Which three of the following actions are required or recommended as part of the tenant provisioning and initial configuration process? (Choose three.)

Select 3 answers
A.Register a custom domain name (e.g., contoso.com) and verify ownership via DNS TXT record.
B.Assign Microsoft 365 licenses to all user accounts before creating the accounts.
C.Configure the default tenant-level password expiration policy to 90 days using the Microsoft 365 admin center.
D.Create the initial global administrator account with a strong, unique password and enable multi-factor authentication.
E.Set up a secondary domain as the default email domain to avoid conflicts with the initial onmicrosoft.com domain.
F.Configure tenant-wide service settings such as external sharing for SharePoint and OneDrive.

Why this answer

Registering and verifying a custom domain (e.g., contoso.com) via a DNS TXT record is a required step to use your own domain for email and user identities instead of the default onmicrosoft.com domain. Creating the initial global administrator account with a strong password and enabling multi-factor authentication (MFA) is a critical security best practice and is recommended by Microsoft to protect the highest-privileged role. Configuring tenant-wide service settings, such as external sharing for SharePoint and OneDrive, is recommended during initial setup to align with organizational security and collaboration policies before users begin working.

Exam trap

The trap here is that candidates may think password expiration policies are still relevant in Microsoft 365, but Microsoft deprecated them in favor of modern authentication and MFA, making the 90-day policy option a distractor.

292
MCQeasy

A company wants to use Microsoft Defender XDR to automatically investigate and remediate threats across email, endpoints, and identities. Which role is required to configure automation settings in the Microsoft 365 Defender portal?

A.Global Reader
B.Compliance Administrator
C.Security Administrator
D.Security Reader
AnswerC

Security Administrator can configure automation settings.

Why this answer

The Security Administrator role can manage automation settings, so Option C is correct. Option A is wrong because Global Reader is read-only.

Option D is wrong because Security Reader is read-only. Option B is wrong because Compliance Administrator is for compliance.

293
Multi-Selectmedium

Which TWO of the following are valid authentication methods in Microsoft Entra ID that can be used as part of a Conditional Access policy? (Select two.)

Select 2 answers
A.SMS sign-in
B.Password
C.Certificate-based authentication
D.Hardware OATH token
E.FIDO2 security key
AnswersB, C

Password is a valid authentication method in Conditional Access policies via authentication strength.

Why this answer

The correct answers are B and C. Password can be used as an authentication method in Conditional Access policies (e.g., as part of an authentication strength that also requires MFA), and certificate-based authentication is also a valid method.

SMS sign-in is not a method in this sense; it is used for MFA. FIDO2 security keys and hardware OATH tokens are also authentication methods, and Conditional Access can grant access based on an authentication strength that includes FIDO2, but the question asks for two, and the typical exam answers are password and certificate-based authentication.

Note that the standard grant controls are 'Require multi-factor authentication' and 'Require passwordless authentication' rather than individual methods; individual methods are selected through an authentication strength policy, which can include password.

294
Multi-Selecthard

You are investigating a security incident in Microsoft 365 Defender. The incident involves a user who received a phishing email that contained a link to a malicious website. The user clicked the link and entered credentials. Which THREE components of Microsoft Defender XDR would generate alerts that contribute to this incident?

Select 3 answers
A.Microsoft Sentinel
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
E.Microsoft Defender for Identity
AnswersB, C, E

Defender for Office 365 detects the phishing email.

Why this answer

Options B, C, and E are correct because all three detect different aspects of the attack: Office 365 (phishing email), endpoint (malicious website access), and identity (credential compromise). Option D is not directly relevant to this incident. Option A is wrong because Microsoft Sentinel is not part of Microsoft Defender XDR; it's a SIEM.

295
MCQhard

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user who is performing an unusual number of failed logon attempts from a non-corporate IP address. The user is a member of the Finance group. What is the recommended first step?

A.Reset the user's password and require MFA.
B.Contact the user to verify if the activity is legitimate.
C.Disable the user account immediately.
D.Block the IP address in the firewall.
E.Close the alert as a false positive.
AnswerB

User confirmation is the quickest way to determine if it's a false positive.

Why this answer

Option B is correct because the first step is to verify with the user whether the activity is legitimate before taking any action. Option C is wrong because immediately disabling the account may cause unnecessary disruption. Option A is wrong because resetting the password without verification may not be necessary.

Option D is wrong because blocking the IP may be premature. Option E is wrong because closing the alert without investigation is not appropriate.

296
MCQhard

Contoso Ltd. uses Microsoft Purview to manage compliance for sensitive data across Microsoft 365 and Azure. They need to ensure that all documents containing personally identifiable information (PII) are automatically labeled with a 'Highly Confidential' sensitivity label. The solution must also require users to justify access to these labeled documents. Which two actions should you configure?

A.Configure a retention label to mark documents as 'Highly Confidential'.
B.Create a Microsoft Purview auto-labeling policy for sensitivity labels.
C.Create a DLP policy that blocks sharing of unlabeled documents.
D.Enable Microsoft Purview Audit (Standard) to log access to sensitive documents.
E.Configure the sensitivity label to have rights management protection with 'Justify access' option.
AnswersB, E

Auto-labeling can automatically apply labels based on sensitive info types.

Why this answer

Option B is correct because auto-labeling policies can apply sensitivity labels automatically. Option E is correct because Microsoft Purview Information Protection supports rights management protection that can enforce justification on access. Option C is wrong because DLP policies block actions; they do not enforce justification.

Option A is wrong because retention labels are for retention, not access justification. Option D is wrong because audit logs track events but don't enforce justification.

297
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unmanaged device. You need to automatically restrict the user's access to sensitive data until the device is compliant. What should you configure?

A.Create a session policy that monitors and controls access to sensitive data
B.Create a Conditional Access App Control policy for all apps
C.Create an anomaly detection policy
D.Create an app discovery policy
AnswerA

Session policies can block access from non-compliant devices.

Why this answer

Option A is correct because session control can block access based on device compliance. Option C is wrong because anomaly detection doesn't restrict access. Option B is wrong because it's for conditional access to apps in general, not for controlling access to sensitive data within a session.

Option D is wrong because it's for discovery.

298
MCQeasy

An administrator has added the custom domain 'fabrikam.com' to their Microsoft 365 tenant and is now ready to verify ownership. Which type of DNS record should the administrator create in the public DNS zone to complete the verification?

A.MX record
B.TXT record
C.CNAME record
D.record
AnswerB

TXT records are used to store text data; Microsoft uses them for domain verification.

Why this answer

To verify domain ownership in Microsoft 365, the administrator must create a TXT record in the public DNS zone containing a specific verification string provided by the Microsoft 365 admin center. The TXT record is the standard DNS record type used for domain ownership verification because it can store arbitrary text data without affecting email routing or other services, and Microsoft 365 checks for this record to confirm the domain is under the administrator's control.

Exam trap

The trap here is that candidates may confuse domain verification with email routing or service configuration, leading them to choose MX or CNAME records, but Microsoft 365 explicitly requires a TXT record for ownership proof and uses a unique verification string that must be entered exactly as provided.

How to eliminate wrong answers

Option A is wrong because MX records are used for mail routing, not for domain ownership verification; creating an MX record would not prove control over the domain and could disrupt email flow. Option C is wrong because CNAME records are used to alias one domain to another, such as for autodiscover or www redirection, and Microsoft 365 does not use CNAME records for domain verification; the verification process specifically requires a TXT record. Option D is wrong because 'record' is not a valid DNS record type; the correct record type for verification is TXT, and the answer is incomplete without specifying the type.

299
MCQhard

A compliance officer needs to preserve all communications (email and Teams messages) for employees in the legal department for a minimum of 7 years. Additionally, any deletion (by users or system) must be blocked, and after the retention period, the items must be disposed of automatically. The solution must also ensure that the communications are marked as 'records' to prevent tampering. Which Microsoft Purview solution should the officer configure?

A.Litigation hold on the legal department's mailboxes and Teams
B.Retention label configured with 'Mark items as a record' and a retention period of 7 years, then delete automatically
C.Preservation hold library in SharePoint Online
D.Data Loss Prevention (DLP) policy with retention action
AnswerB

Retention labels with record marking make content immutable and block deletion. The retention period can be set to 7 years with automatic disposal after that.

Why this answer

Option B is correct because a retention label with 'Mark items as a record' enforces immutability (prevents tampering) and, when configured with a 7-year retention period followed by automatic deletion, meets the compliance officer's requirements for preservation, blocking deletion, and automatic disposal. This label can be applied to both Exchange Online mailboxes (email) and Teams messages via auto-labeling policies, covering all communications for the legal department.

Exam trap

The trap here is that candidates often confuse Litigation Hold (which preserves indefinitely without automatic deletion) with a retention label that includes both a fixed retention period and record marking, failing to recognize that Litigation Hold does not meet the 'dispose automatically after 7 years' requirement.

How to eliminate wrong answers

Option A is wrong because a Litigation Hold preserves content indefinitely (or until manually removed) but does not enforce automatic deletion after a specific period, nor does it mark items as 'records' to prevent tampering. Option C is wrong because the Preservation Hold Library is a SharePoint Online feature that applies to document libraries, not to Exchange Online mailboxes or Teams messages, and it does not provide record marking or automatic deletion scheduling. Option D is wrong because a Data Loss Prevention (DLP) policy is designed to detect and prevent sensitive data leakage, not to enforce retention, record marking, or automatic disposal; it lacks the ability to block deletion or mark items as records.

300
MCQeasy

A company needs to ensure that only users from specific IP ranges can access Exchange Online. Which tool should be used?

A.Azure AD Conditional Access with Named Locations
B.Security & Compliance Center
C.Multi-factor authentication
D.Azure AD Connect
AnswerA

Named locations define trusted IPs.

Why this answer

Azure AD Conditional Access with Named Locations is the correct tool because it allows administrators to define trusted IP ranges as named locations and then enforce access policies that restrict Exchange Online access to only those IP ranges. This integrates directly with Azure AD authentication, evaluating the user's IP address during sign-in to grant or block access based on the policy.

Exam trap

The trap here is that candidates often confuse the Security & Compliance Center's transport rules or mailbox policies with network-level access control, or they assume MFA alone can restrict access by IP, when in fact Conditional Access is the dedicated feature for location-based policies.

How to eliminate wrong answers

Option B is wrong because the Security & Compliance Center is used for data governance, threat management, and compliance features like retention policies and eDiscovery, not for controlling network-level access to Exchange Online. Option C is wrong because Multi-Factor Authentication (MFA) adds a second verification factor but does not restrict access based on source IP addresses; it can be combined with Conditional Access but alone does not enforce IP range restrictions. Option D is wrong because Azure AD Connect is a tool for synchronizing on-premises directory objects to Azure AD and enabling hybrid identity, not for configuring access policies based on IP ranges.
