Microsoft 365 Administrator MS-102 (MS-102) — Questions 301-375

975 questions total · 13 pages · All types, answers revealed

Page 5 of 13

301
MCQ · easy

You are implementing Microsoft Entra Verified ID to issue verifiable credentials to employees for proof of employment. Which component is required to issue and verify credentials?

A. Microsoft Entra ID P2 licenses for all users
B. A certificate from a public certificate authority (CA)
C. An Azure AD B2C tenant
D. A decentralized identifier (DID) and a trusted identity system
Answer: D

DIDs are fundamental to Verified ID.

Why this answer

Microsoft Entra Verified ID uses a decentralized identity model where each issuer and verifier has a unique decentralized identifier (DID) and a trusted identity system (such as a blockchain-based ION network or a web-based DID method) to publish and resolve DID documents. The DID and the trusted identity system are the core components required to cryptographically sign verifiable credentials and verify them without relying on a central authority, making option D correct.

Exam trap

The trap here is that candidates often assume a traditional PKI certificate or a premium license is required, but Microsoft Entra Verified ID relies on decentralized identifiers (DIDs) and a trusted identity system, not on CA-issued certificates or specific license tiers.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID P2 licenses provide advanced identity protection and governance features but are not a prerequisite for issuing or verifying verifiable credentials; Verified ID can work with any Azure AD tenant. Option B is wrong because a certificate from a public certificate authority (CA) is used for traditional PKI-based identity systems, but Verified ID uses DIDs and key pairs generated by the issuer, not a CA-issued certificate. Option C is wrong because Azure AD B2C is a customer identity and access management solution for external users, not a required component for Verified ID; Verified ID uses its own decentralized identity infrastructure.

302
MCQ · medium

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure a policy to automatically remediate high-severity incidents involving ransomware on Windows 10 devices. The solution must minimize manual intervention. Which automation level should you configure in the automated investigation and response (AIR) capabilities?

A. Automatically remediate threats
B. Full - automatically remediate threats
C. Semi - require approval for any remediation
D. No automated response
Answer: A

This level allows automatic remediation without human approval, minimizing manual intervention.

Why this answer

Option A is correct because 'Automatically remediate threats' is the highest automation level that allows Defender XDR to take automatic remediation actions without human approval, which matches the requirement to minimize manual intervention. Option B is wrong because 'Full - automatically remediate threats' is the same as option A; note that the correct term is 'Automatically remediate threats' or 'Full automation' depending on the UI. Option C is wrong because 'Semi - require approval for any remediation' requires manual approval, which does not minimize manual intervention.

Option D is wrong because 'No automated response' disables automation entirely.

303
MCQ · hard

A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?

A. Isolate the affected device from the network
B. Collect a forensic package before taking containment action
C. Run a full antivirus scan before isolating the device
D. Wait for automated investigation to complete before responding
Answer: A

Device isolation contains the threat quickly while retaining management connectivity for investigation and remediation.

Why this answer

Option A is correct because immediately isolating the affected device from the network stops the ransomware from spreading laterally to other endpoints via SMB, RDP, or other protocols, while preserving the device's state for forensic analysis. Microsoft Defender XDR's device isolation feature blocks all inbound and outbound communication except with the Defender for Endpoint cloud service, allowing investigation to continue without the risk of further infection.

Exam trap

The trap here is that candidates often think they must preserve evidence first (Option B) or let automation run (Option D), but Microsoft explicitly prioritizes containment over collection in active ransomware outbreaks to prevent lateral spread.

How to eliminate wrong answers

Option B is wrong because collecting a forensic package before containment delays the response, allowing ransomware to continue spreading to other endpoints during the collection process. Option C is wrong because running a full antivirus scan before isolation is time-consuming and ineffective against active ransomware that may have already disabled or evaded the scanner, and it does not prevent lateral movement. Option D is wrong because waiting for automated investigation to complete gives the ransomware more time to encrypt files and propagate, whereas manual isolation is the recommended first step in confirmed ransomware incidents to contain the threat immediately.

304
MCQ · medium

Your organization uses Microsoft 365 Defender. You need to configure automated investigation and response (AIR) to automatically remediate high-confidence phishing emails. What should you configure?

A. Automated investigation and response for collaboration content
B. Automated investigation and response for identities
C. Automated investigation and response for email
D. Automated investigation and response for devices
Answer: C

Email AIR can automatically remediate phishing emails.

Why this answer

Option C is correct because AIR policies for email handle automated remediation of phishing. Option A is wrong because it covers collaboration content. Option B is wrong because it covers identities (user accounts). Option D is wrong because it covers devices.

305
MCQ · easy

An organization has just signed up for Microsoft 365 E3 with the initial domain 'contoso.onmicrosoft.com'. They need to create the first user accounts. What will be the default email address format for these new users if no custom domain is added yet?

A. user@contoso.onmicrosoft.com
B. user@contoso.com
C. user@microsoft.com
D. user@contoso.microsoft.com
Answer: A

The default domain is the onmicrosoft.com domain assigned during tenant creation.

Why this answer

When a new Microsoft 365 tenant is created with the initial domain 'contoso.onmicrosoft.com' and no custom domain has been added, the default email address format for new users is user@contoso.onmicrosoft.com. This is because the onmicrosoft.com domain is the default tenant domain provisioned by Azure AD, and all user principal names (UPNs) and email addresses are automatically assigned this suffix until a custom domain is verified and set as the primary domain.

Exam trap

The trap here is that candidates assume the email address will automatically match the organization's public domain name (e.g., contoso.com) without realizing that a custom domain must be explicitly added and verified in the Microsoft 365 admin center before it can be used for user email addresses.

How to eliminate wrong answers

Option B is wrong because 'contoso.com' is a custom domain that must be purchased and verified via DNS TXT records before it can be used for email addresses; it is not automatically available. Option C is wrong because 'microsoft.com' is Microsoft's own corporate domain and cannot be used by any tenant. Option D is wrong because 'contoso.microsoft.com' is not a valid domain format for any Microsoft 365 tenant; the default tenant domain always uses the pattern <tenantname>.onmicrosoft.com.

306
Multi-Select · easy

Your organization uses Microsoft Entra ID. You need to enable users to securely share documents with external partners. Which TWO features should you use?

Select 2 answers
A. Microsoft Entra B2B collaboration
B. Azure AD B2C
C. Microsoft Purview Information Protection
D. Microsoft Entra entitlement management
E. Microsoft Defender for Cloud Apps
Answers: A, D

B2B collaboration enables external sharing.

Why this answer

Microsoft Entra B2B collaboration is correct because it allows you to securely share documents and collaborate with external partners by inviting them as guest users in your Entra ID tenant. This feature leverages existing identities (e.g., Microsoft, Google, or SAML/WS-Fed providers) without requiring external users to create new accounts, enabling controlled access to resources like SharePoint or Teams.

Exam trap

The trap here is confusing Azure AD B2C (customer-facing) with Microsoft Entra B2B collaboration (partner-facing), as both involve external users but serve fundamentally different scenarios—B2C is for consumer apps, while B2B is for enterprise collaboration.

307
Multi-Select · easy

Which TWO are prerequisites for implementing Microsoft Entra ID Identity Protection? (Choose two.)

Select 2 answers
A. Microsoft Entra ID P2 license
B. Microsoft Entra ID P1 license
C. Identity Protection administrator role assigned
D. Audit logs enabled for sign-in events
E. Self-service password reset configured
Answers: A, C

P2 includes Identity Protection.

Why this answer

Microsoft Entra ID Identity Protection requires a Microsoft Entra ID P2 license because it uses advanced risk detection and automated remediation capabilities (e.g., risk-based Conditional Access policies, user risk and sign-in risk policies) that are only available in the P2 tier. The P1 license provides basic Conditional Access but lacks the risk detection engine and adaptive policies that Identity Protection relies on.

Exam trap

The trap here is that candidates often confuse the licensing requirement for Identity Protection (P2) with the broader Conditional Access feature (P1), or assume that audit logs or SSPR are mandatory prerequisites when they are not directly required for Identity Protection's core functionality.

308
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and wants to simulate a phishing attack to train users. You need to configure a simulation that uses a URL link to a credential harvesting page. Which feature should you use?

A. Attack simulation training
B. Anti-phish policies
C. Safe Links policies
D. Safe Attachments policies
Answer: A

This allows you to create and launch phishing simulations.

Why this answer

Option A is correct because Attack simulation training allows you to create and launch phishing simulations with custom payloads, including URLs. Option B is wrong because Anti-phish policies protect against phishing rather than simulate it. Option C is wrong because Safe Links is a protection feature, not a simulation tool. Option D is wrong because Safe Attachments protects against malware in attachments.

309
Multi-Select · hard

A security administrator is configuring Microsoft Defender for Cloud Apps. The administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Defender for Cloud Apps features must be configured? (Select the two correct options.)

Select 2 answers
A. Cloud Discovery
B. App governance
C. Conditional Access App Control
D. OAuth app permissions
Answers: A, C

Cloud Discovery analyzes traffic logs to identify cloud apps used in the organization.

Why this answer

Cloud Discovery is the correct feature because it identifies which cloud apps are in use by analyzing traffic logs from the organization's network. This provides the visibility needed to determine which apps are unsanctioned. Conditional Access App Control is the correct feature because it uses a reverse proxy to enforce real-time access controls, blocking unsanctioned apps at the session level.

Exam trap

The trap here is that candidates confuse App governance (which manages OAuth app permissions) with the reverse proxy functionality of Conditional Access App Control, or assume Cloud Discovery alone is sufficient for blocking, when it only provides visibility.

310
MCQ · easy

You run the Azure CLI command shown in the exhibit. What does the output represent?

A. The application ID for Microsoft Entra ID
B. The application ID for Exchange Online
C. The application ID for SharePoint Online
D. The application ID for Microsoft Graph
Answer: D

It is the standard app ID for Microsoft Graph.

Why this answer

The Azure CLI command `az ad sp show --id 00000003-0000-0000-c000-000000000000` retrieves the service principal for the Microsoft Graph API. The GUID `00000003-0000-0000-c000-000000000000` is the well-known application ID for Microsoft Graph in Microsoft Entra ID (formerly Azure AD). This ID is used to grant permissions and consent for Microsoft Graph API access.

Exam trap

The trap here is that candidates confuse the Microsoft Graph application ID with the SharePoint Online application ID because both start with `00000003`, but the middle segment differs (`-0000-0000-c000-` vs `-0000-0ff1-ce00-`), and Microsoft deliberately tests this subtle distinction.

How to eliminate wrong answers

Option A is wrong because the application ID for Microsoft Entra ID (the directory itself) is `00000001-0000-0000-c000-000000000000`, not the one shown. Option B is wrong because Exchange Online has its own application ID (`00000002-0000-0ff1-ce00-000000000000`), which is different from the GUID in the command. Option C is wrong because SharePoint Online uses application ID `00000003-0000-0ff1-ce00-000000000000`, not the Microsoft Graph ID `00000003-0000-0000-c000-000000000000`.

311
Multi-Select · hard

Your organization has Microsoft Defender for Endpoint deployed on all devices. You are investigating an incident where a user received a phishing email containing a link that led to a drive-by download. The download executed a script that attempted to modify registry run keys for persistence. Which THREE advanced hunting tables should you use to investigate this attack chain?

Select 3 answers
A. DeviceFileEvents
B. EmailEvents
C. DeviceProcessEvents
D. DeviceRegistryEvents
E. DeviceNetworkEvents
Answers: B, C, D

Captures the phishing email event.

Why this answer

Option B (EmailEvents) captures the phishing email. Option C (DeviceProcessEvents) captures the script execution. Option D (DeviceRegistryEvents) captures the registry modification.

Option E is wrong because DeviceNetworkEvents might be used but is not as directly relevant to the described chain. Option A is wrong because DeviceFileEvents could capture the download, but the chain is better captured by email, process, and registry events.

312
MCQ · easy

A company wants to migrate from on-premises Exchange to Exchange Online. They need to synchronize user mailboxes. Which tool should they use?

A. Microsoft 365 admin center
B. Exchange Admin Center
C. Exchange Online Hybrid Configuration Wizard
D. Azure AD Connect
Answer: C

This wizard guides the setup of hybrid deployment, including mailbox move requests and synchronization.

Why this answer

The Exchange Online Hybrid Configuration Wizard (HCW) is the correct tool for migrating on-premises Exchange mailboxes to Exchange Online because it configures the hybrid deployment settings, including the necessary connectors, federation trust, and OAuth authentication, enabling mailbox moves via the New-MigrationBatch cmdlet or the EAC. It orchestrates the synchronization of mailbox data between the on-premises environment and Exchange Online, leveraging the MRS (Mailbox Replication Service) proxy for secure, seamless migration.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (identity synchronization) with mailbox migration, assuming that syncing user objects automatically moves mailboxes, but Azure AD Connect only handles directory data, not mailbox content or hybrid transport configuration.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 admin center is a management portal for tenant-wide settings, user licensing, and service health, but it does not have the capability to configure hybrid deployment settings or initiate mailbox migrations from on-premises Exchange. Option B is wrong because the Exchange Admin Center (EAC) in Exchange Online can manage migration batches only after the hybrid configuration is established; it cannot perform the initial hybrid setup or configure the required on-premises connectors and federation trust. Option D is wrong because Azure AD Connect synchronizes identity objects (users, groups) and password hashes between on-premises Active Directory and Azure AD, but it does not handle mailbox data migration or the hybrid Exchange configuration needed for mailbox moves.

313
MCQ · easy

A security administrator needs to view a unified incident queue that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. Which console should the administrator open?

A. Microsoft 365 Defender portal (security.microsoft.com)
B. Azure Security Center
C. Microsoft Endpoint Manager admin center
D. Microsoft Purview compliance portal
Answer: A

This is the central console for incident management across Defender workloads.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) provides a unified incident queue that aggregates and correlates alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This single-pane-of-glass view enables security administrators to investigate and respond to cross-domain threats without switching between separate consoles.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with Azure Security Center (now Defender for Cloud), mistakenly thinking that all security alerts converge in Azure, when in fact the unified incident queue for Microsoft 365 Defender workloads is exclusive to security.microsoft.com.

How to eliminate wrong answers

Option B is wrong because Azure Security Center (now Microsoft Defender for Cloud) focuses on securing cloud workloads (VMs, containers, SQL) and does not provide a unified incident queue for Microsoft 365 Defender workloads. Option C is wrong because Microsoft Endpoint Manager admin center (intune.microsoft.com) is used for device management, compliance policies, and app deployment, not for security incident correlation. Option D is wrong because the Microsoft Purview compliance portal (compliance.microsoft.com) is dedicated to data governance, eDiscovery, and compliance management, not for real-time threat alert correlation from Defender products.

314
MCQ · hard

Your company uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are the security administrator. The company's incident response team receives hundreds of low-severity alerts daily, causing alert fatigue. You need to reduce noise by automatically closing low-severity alerts that are determined to be false positives by Microsoft's threat intelligence. You want to minimize manual effort and ensure that only alerts with high confidence of being false positives are closed. What should you do?

A. Enable the built-in 'Automatic false positive suppression' feature in the Microsoft Defender XDR settings.
B. Configure an automated investigation and response rule for low-severity alerts to automatically close them.
C. Use the Microsoft Defender XDR API to export alerts daily and run a PowerShell script to close low-severity alerts that match a known false positive list.
D. Create a custom detection rule that excludes low-severity alerts from known false positive indicators.
Answer: A

Correct: This feature uses Microsoft's intelligence to close false positives.

Why this answer

Option A is correct because Microsoft Defender XDR includes built-in false positive suppression for alerts with high confidence. Option B is wrong because automated investigation rules address behavior, not false positives. Option C is wrong because tuning rules require manual input and may close genuine alerts. Option D is wrong because suppression rules require manual creation.

315
Multi-Select · medium

Which TWO actions are required to enable Microsoft 365 Copilot for all users in your tenant?

Select 2 answers
A. Run a PowerShell script to enable Copilot in the tenant.
B. Ensure the tenant is on a Microsoft 365 E5 plan.
C. Ensure users have a qualifying Microsoft 365 license (e.g., E3, E5, Business Standard).
D. Assign a Microsoft 365 Copilot license to each user.
E. Provision an Azure subscription for Copilot services.
Answers: C, D

Copilot requires a base Microsoft 365 license.

Why this answer

Option C is correct because Microsoft 365 Copilot requires users to have a qualifying base license such as Microsoft 365 E3, E5, or Business Standard. Without one of these base licenses, the Copilot add-on license cannot be assigned or function properly, as Copilot relies on the underlying Microsoft 365 services (e.g., Exchange Online, SharePoint, Teams) that these plans provide.

Exam trap

The trap here is that candidates assume a tenant-wide setting or a specific plan (like E5) is required, when in fact the key requirement is a qualifying base license per user combined with individual Copilot license assignment.

316
MCQ · easy

You are configuring a mail flow rule in Exchange Online. The exhibit shows a snippet. What will this rule do?

A. Quarantine messages sent to example.com
B. Reject messages sent to example.com
C. Block messages from example.com
D. Allow messages to example.com
Answer: A

The action is Quarantine for that domain.

Why this answer

Option A is correct because the rule quarantines messages sent to example.com. Option B is wrong because the messages are not rejected. Option C is wrong because the messages are not blocked. Option D is wrong because the rule applies only to example.com.

317
Multi-Select · hard

Which THREE are valid methods to protect against password spray attacks in Microsoft Entra ID? (Choose three.)

Select 3 answers
A. Enable password protection to block common passwords
B. Configure smart lockout to lock accounts after failed attempts
C. Enable Identity Protection to detect and remediate password spray
D. Require multi-factor authentication for all users
E. Use conditional access to block sign-ins from untrusted locations
Answers: A, C, E

Password protection blocks weak passwords.

Why this answer

Options A, C, and E are correct. Option D is wrong because MFA does not prevent password spray; it adds another factor. Option B is wrong because smart lockout locks accounts, but it is not a prevention method per se.

318
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from a risky IP address. What should you configure?

A. Create an anomaly detection policy with the 'Activity from risky IP address' template.
B. Create a session policy to monitor risky IP addresses.
C. Create a file policy to detect access from risky IPs.
D. Create an access policy to block risky IPs.
Answer: A

This template alerts when a user accesses an app from a known risky IP.

Why this answer

Option A is correct because an anomaly detection policy can alert on activities from risky IP addresses. Option B is wrong because session policies control real-time access. Option C is wrong because file policies monitor data.

Option D is wrong because access policies control access based on conditions.

319
MCQ · hard

You are implementing Microsoft Entra Identity Protection. You need to configure automated responses to medium and high user risk. Which policy should you create?

A. Sign-in risk policy
B. Conditional Access policy with grant controls
C. MFA registration policy
D. User risk policy
Answer: D

User risk policy responds to user risk levels.

Why this answer

User risk policy in Microsoft Entra Identity Protection is specifically designed to automatically respond to user risk levels (low, medium, high) by triggering remediation actions such as requiring a password change or blocking sign-in. Since the question asks for automated responses to medium and high user risk, the correct policy is the User risk policy, which evaluates risk based on user behavior and leaked credentials.

Exam trap

The trap here is confusing User risk policy (which responds to user-level risk like compromised accounts) with Sign-in risk policy (which responds to session-level risk like suspicious sign-in attempts), leading candidates to incorrectly choose the sign-in risk policy for user risk remediation.

How to eliminate wrong answers

Option A is wrong because Sign-in risk policy responds to real-time sign-in risks (e.g., anonymous IP, atypical travel) rather than user risk levels. Option B is wrong because Conditional Access policy with grant controls is a broader policy that can enforce MFA or block access but is not specifically designed to automate responses to user risk from Identity Protection; it can integrate with risk policies but is not the primary policy for user risk remediation. Option C is wrong because MFA registration policy is used to enforce MFA registration for all users, not to respond to user risk levels.

320
MCQ · hard

Your organization uses Microsoft Defender for Endpoint and Microsoft Defender for Identity. A user reports that their account was used to send a large volume of email messages to internal recipients, which appears to be a potential account compromise. You need to determine if the account is compromised and if any lateral movement occurred. Which data sources should you analyze in Microsoft Defender XDR?

A. EmailEvents and EmailAttachmentInfo
B. DeviceNetworkEvents and DeviceProcessEvents
C. DeviceEvents and DeviceNetworkEvents
D. IdentityLogonEvents, EmailEvents, and DeviceProcessEvents
Answer: D

Combines identity, email, and process events to detect compromise and lateral movement.

Why this answer

Option D is correct because analyzing IdentityLogonEvents (from MDI) and EmailEvents (from MDO) together can correlate the logon activity with email sending, while DeviceProcessEvents can detect lateral movement. Option C is wrong because DeviceEvents are not as useful for email context. Option A is wrong because EmailEvents alone cannot detect lateral movement. Option B is wrong because DeviceNetworkEvents alone may miss identity context.

321
MCQ · hard

An organization has multiple Microsoft Entra ID tenants and wants to allow partner users to access internal applications using their own corporate credentials. Which feature should be used to enable this?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra B2C
C. Azure AD Connect
D. Tenant-to-tenant migration
Answer: A

B2B enables external users to use their own credentials (e.g., from another Azure AD tenant) to access resources.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows partner users to access internal applications using their own corporate credentials (their home tenant identity) without requiring any external accounts or local user management. B2B collaboration uses cross-tenant trust relationships, enabling seamless single sign-on (SSO) via SAML/WS-Fed or OIDC protocols, which aligns with the requirement to use existing partner credentials.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B (for business partners) with Microsoft Entra B2C (for customers), leading them to select B2C because both involve external identities, but B2C does not support using the partner's own corporate credentials from another Entra ID tenant.

How to eliminate wrong answers

Option B (Microsoft Entra B2C) is wrong because it is designed for customer-facing applications where users sign up with social or local accounts, not for partner users who need to use their own corporate credentials from another Entra ID tenant. Option C (Azure AD Connect) is wrong because it synchronizes on-premises Active Directory objects to a single Entra ID tenant, and does not enable cross-tenant access for external partner identities. Option D (Tenant-to-tenant migration) is wrong because it is a process for moving data and users between tenants, not a feature for granting ongoing access to partner users with their existing credentials.

322
MCQ · easy

A user reports they cannot access SharePoint Online but can access Outlook. The admin verifies the user has an E3 license assigned. What is the most likely cause?

A. License not assigned
B. MFA challenge failing
C. User account is disabled
D. SharePoint Online service plan is disabled
Answer: D

A service plan can be disabled per user.

Why this answer

The user can access Outlook (Exchange Online) but not SharePoint Online, which indicates that the user's E3 license is assigned and the account is active. The most likely cause is that the SharePoint Online service plan within the E3 license is disabled. Each Microsoft 365 license includes multiple service plans (e.g., Exchange Online, SharePoint Online, Teams), and an admin can disable individual plans while keeping the license assigned.

If the SharePoint Online service plan is disabled, the user will be blocked from accessing SharePoint Online despite having a valid license.

Exam trap

The trap here is that candidates assume a licensed user has full access to all services included in the license, overlooking that individual service plans can be disabled independently.

How to eliminate wrong answers

Option A is wrong because the user can access Outlook, which requires a valid license; if no license were assigned, the user would be blocked from all services, not just SharePoint Online. Option B is wrong because an MFA challenge failure would block access to all Microsoft 365 services, including Outlook, not just SharePoint Online. Option C is wrong because a disabled user account would prevent access to all services, including Outlook, but the user can access Outlook, so the account is active.

323
MCQ · medium

A company's security team needs to investigate a suspicious email that was reported by a user. The email was not blocked by Exchange Online Protection (EOP) and was delivered to the user's inbox. The security team wants to use Microsoft Defender XDR to analyze the email and its attachments. Which feature should they use to submit the email for automated investigation?

A. Submissions
B. Advanced Hunting
C. Threat Explorer
D. Attack Simulator
Answer: A

Submissions allow security teams to submit emails, URLs, and attachments for analysis.

Why this answer

Option A is correct because Submissions in Microsoft 365 Defender allow security teams to submit emails, URLs, and attachments to Microsoft for analysis and automated investigation. Option C is wrong because Threat Explorer is used for investigating threats after they have been detected, not for manual submission. Option D is wrong because Attack Simulator is used for simulating phishing attacks. Option B is wrong because Advanced Hunting is a query-based tool for threat detection, not for submitting emails.

324
MCQ · hard

Your organization has a Microsoft 365 tenant with 10,000 users. You are configuring Microsoft Entra ID Identity Protection to detect risky sign-ins. You need to ensure that when a sign-in risk level of 'High' is detected, the user is blocked from signing in and an administrator is notified. What should you configure?

A.Create a Conditional Access policy with 'Sign-in risk' condition set to 'High' and 'Block access', and configure alert notifications in Identity Protection
B.Create a user risk policy in Identity Protection to block high-risk users
C.Create an MFA registration policy in Identity Protection
D.Enable Security defaults and configure notifications
Answer: A

This combination blocks high-risk sign-ins and sends notifications.

Why this answer

Option A is correct because it combines a Conditional Access policy that blocks access when the sign-in risk level is 'High' with an alert notification configured in Identity Protection. The Conditional Access policy enforces the block at the authentication level, while the Identity Protection alert ensures administrators are notified of the high-risk sign-in event. This directly meets the requirement to both block the user and notify an admin.

Exam trap

The trap here is that candidates often confuse user risk policies (which target compromised accounts) with sign-in risk policies (which target risky authentication sessions), leading them to select Option B instead of the correct combination of Conditional Access and alert notifications.

How to eliminate wrong answers

Option B is wrong because a user risk policy in Identity Protection targets user accounts that have been compromised (e.g., leaked credentials) and can block sign-ins or require password reset, but it does not address sign-in risk from a specific session (e.g., anonymous IP address, atypical travel). Option C is wrong because an MFA registration policy in Identity Protection only enforces that users register for multifactor authentication, not that high-risk sign-ins are blocked or that admins are notified. Option D is wrong because Security defaults enforce baseline security policies (like requiring MFA for all users) but do not allow granular control to block only high-risk sign-ins or send targeted admin notifications for such events.

325
MCQ (hard)

You are the Microsoft 365 administrator for a company with a hybrid identity configuration using Azure AD Connect. The company has a custom domain 'contoso.com' federated with Active Directory Federation Services (ADFS). All users are synced from on-premises Active Directory. The security team wants to implement Microsoft Entra ID Protection to detect risky sign-ins. However, they are concerned that federated authentication bypasses some risk detection capabilities. You need to ensure that Microsoft Entra ID Protection can evaluate risk for all sign-ins, including federated ones. What should you do?

A.Switch from federated authentication to Pass-through Authentication (PTA) or Password Hash Sync (PHS).
B.Configure the federated trust in Microsoft Entra ID to use the new claims.
C.Configure ADFS to send the ipaddr and xms_ep claims to Azure AD.
D.Enable Azure AD Application Proxy to publish ADFS internally.
Answer: A

With PTA or PHS, authentication happens in Azure AD, allowing risk evaluation by Identity Protection.

Why this answer

Microsoft Entra ID Protection relies on signals such as IP addresses, device information, and sign-in patterns to calculate risk. In a federated setup with ADFS, the authentication happens on-premises, and Azure AD only receives a token—not the raw sign-in details needed for real-time risk evaluation. Switching to Pass-through Authentication (PTA) or Password Hash Sync (PHS) ensures that the authentication process flows through Azure AD directly, allowing Entra ID Protection to capture and analyze all sign-in events, including those from federated users.

Exam trap

The trap here is that candidates may think adding claims (Option C) or changing the trust configuration (Option B) can compensate for the architectural limitation, but only moving the authentication flow to Azure AD (Option A) gives Entra ID Protection the raw sign-in data it needs for real-time risk evaluation.

How to eliminate wrong answers

Option B is wrong because configuring the federated trust to use new claims does not change the fundamental architecture—ADFS still performs authentication, and Azure AD still lacks the raw sign-in data (e.g., IP address, user agent) required for real-time risk detection. Option C is wrong because while sending ipaddr and xms_ep claims can provide some additional context, it does not enable Entra ID Protection to evaluate risk in real time; the authentication still occurs on-premises, and risk evaluation is limited to post-authentication token analysis. Option D is wrong because enabling Azure AD Application Proxy to publish ADFS internally only changes the access method to ADFS, not the authentication flow—federated authentication still bypasses Azure AD's direct sign-in event collection.

326
MCQ (medium)

Contoso recently acquired a company with an existing Microsoft 365 tenant. You need to migrate their user accounts and mailboxes to the Contoso tenant. The acquired company uses a custom domain for email. You must ensure minimal disruption and maintain email flow during migration. What should you do first?

A.Perform a cross-tenant mailbox migration using Microsoft 365 migration tools.
B.Disable the acquired company's tenant to force all users to the Contoso tenant.
C.Create new user accounts in the Contoso tenant using the onmicrosoft.com domain.
D.Add the custom domain to the Contoso tenant and verify ownership.
Answer: D

Correct: Domain verification is the first step to enable user creation and email routing.

Why this answer

Before any migration can proceed, the custom domain used by the acquired company must be added and verified in the Contoso tenant. This is a prerequisite for cross-tenant mailbox migrations because the target domain must be recognized and owned by the destination tenant to route email correctly and assign user principal names (UPNs). Without domain verification, migration tools cannot validate the domain and email flow will fail.

Exam trap

The trap here is that candidates often jump to selecting the migration tool (Option A) without realizing that domain verification is a prerequisite step that must be completed first, even before initiating any migration process.

How to eliminate wrong answers

Option A is wrong because performing a cross-tenant mailbox migration without first adding and verifying the custom domain in the Contoso tenant will fail; the migration tools require the domain to be claimed and verified in the target tenant. Option B is wrong because disabling the acquired company's tenant would immediately break all services and email flow, causing major disruption rather than minimal disruption. Option C is wrong because creating new user accounts using the onmicrosoft.com domain would force users to change their email addresses, which disrupts email flow and user experience; the goal is to preserve the custom domain for continuity.

327
MCQ (easy)

You are a security administrator for a company that uses Microsoft Defender XDR. You need to generate a report that shows the number of incidents closed as true positive, false positive, and benign in the last 30 days. You want to use built-in features without writing custom queries. What should you do?

A.Use the Microsoft Defender for Endpoint reports section.
B.Use the Device health report in Microsoft Defender XDR.
C.Navigate to Threat analytics in the Defender XDR portal.
D.In the Microsoft Defender XDR portal, go to Reports > General > Incident summary.
Answer: D

Correct: Built-in report shows classification breakdown.

Why this answer

Option D is correct because the Microsoft Defender XDR portal has built-in reports for incident classification. Option A is wrong because that is for endpoints, not all incidents. Option C is wrong because that's for threat analytics.

Option B is wrong because the Device health report covers device status, not incident classification.

328
Multi-Select (medium)

Your company is implementing Microsoft Entra Conditional Access. You need to require multifactor authentication (MFA) for all users except those accessing from the corporate office. Which TWO components do you need?

Select 2 answers
A.Microsoft Intune compliance policies
B.Conditional Access policy configured with grant control requiring MFA and excluding Named Locations
C.Named Locations configuration
D.Microsoft Entra multifactor authentication registration policy
E.Microsoft Entra Identity Protection
Answers: B, C

The policy enforces MFA except from the corporate office.

Why this answer

To require MFA for all users except those accessing from the corporate office, you need a Conditional Access policy that grants access only if MFA is completed, and you must exclude the corporate office location. The 'Named Locations' configuration defines the corporate office IP ranges or trusted locations, and the Conditional Access policy uses that exclusion. Together, these two components enforce the requirement.

Exam trap

The trap here is that candidates often think a separate MFA registration policy (Option D) or Identity Protection (Option E) can handle location-based exclusions, but neither supports excluding Named Locations; only a Conditional Access policy with the 'Exclude' condition on Named Locations can achieve this.

329
MCQ (easy)

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the built-in anti-phishing policy. You need to analyze the email headers to determine why it was not detected. What should you use?

A.Attack Simulator in Microsoft Defender for Office 365
B.Threat Explorer in Microsoft Defender for Office 365
C.Message trace in Exchange admin center
D.Quarantine page in Microsoft Defender for Office 365
Answer: B

Threat Explorer provides deep analysis of email threats.

Why this answer

Option B is correct because Threat Explorer allows you to search for emails and view detailed headers and detection details. Option C is wrong because the message trace tool is for transport flow, not security analysis. Option D is wrong because the Quarantine page shows quarantined items, not delivered emails.

Option A is wrong because the Attack Simulator is for training, not analysis.

330
MCQ (hard)

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You have 10,000 users and 500 applications. You are planning to implement a comprehensive identity security strategy. Your requirements are: 1. All users must use phishing-resistant MFA for accessing business-critical applications. 2. Users accessing sensitive HR data must be required to use a compliant device. 3. Any authentication attempt from an anonymous IP address or from a country where Contoso has no business operations must be blocked. 4. All external collaboration must be governed by access reviews that require sponsor approval. 5. You need to monitor and respond to identity risks in real time. You need to design a solution using Microsoft Entra ID features. Which combination of features should you implement?

A.Deploy Microsoft Entra ID authentication strengths for phishing-resistant MFA. Create Conditional Access policies requiring compliant device for HR apps and blocking anonymous IPs and non-business countries. Use Microsoft Entra Identity Protection for risk detection and automated response. Implement entitlement management with connected organizations and access reviews requiring sponsor approval.
B.Configure Conditional Access policies with MFA and trusted locations. Use Identity Protection for risk monitoring. Set up access reviews with group owner approval.
C.Enable security defaults for all users. Use Microsoft Defender for Cloud Apps to block anonymous IPs. Configure Azure AD access reviews for external users.
D.Use certificate-based authentication for all users. Create Conditional Access policies for device compliance. Set up identity protection. Use self-service access reviews for external users.
Answer: A

Meets all requirements.

Why this answer

Option A correctly addresses all requirements: phishing-resistant MFA (FIDO2/WHfB) via authentication strengths, compliant device via the Conditional Access device condition, location-based blocking via the Conditional Access location condition, external governance via Entitlement Management and access reviews, and risk monitoring via Identity Protection. Option B uses default MFA, which is not phishing-resistant. Option C lacks device compliance.

Option D uses self-service access reviews instead of sponsor approval.

331
MCQ (easy)

Your organization uses Microsoft 365 Business Premium. You need to ensure that when a user is assigned an Intune license, the device automatically enrolls in Microsoft Intune. What should you configure?

A.Configure Microsoft Entra ID device settings to enable MDM automatic enrollment
B.Create a device compliance policy to require enrollment
C.Create a device enrollment restriction in Intune to block personal devices
D.Deploy a device configuration profile with enrollment settings
Answer: A

This triggers automatic enrollment upon license assignment.

Why this answer

Microsoft Entra ID (formerly Azure AD) device settings include an option to enable automatic MDM enrollment for users assigned an Intune license. When enabled, any device that signs in with a licensed user account will automatically enroll in Microsoft Intune, satisfying the requirement without additional configuration.

Exam trap

The trap here is that candidates often confuse device compliance policies or configuration profiles with the enrollment trigger, but only the Microsoft Entra ID device settings control the automatic MDM enrollment behavior.

How to eliminate wrong answers

Option B is wrong because a device compliance policy checks compliance after enrollment; it does not trigger automatic enrollment. Option C is wrong because enrollment restrictions control which devices can enroll (e.g., blocking personal devices), but they do not enable automatic enrollment. Option D is wrong because a device configuration profile applies settings to already enrolled devices; it does not initiate the enrollment process.

332
Multi-Select (hard)

You are designing a Microsoft 365 tenant for a multinational organization. You need to ensure compliance with data residency requirements. Which THREE actions should you take?

Select 3 answers
A.Set data location preferences in the Microsoft 365 admin center.
B.Disable cross-region replication in Exchange Online.
C.Use compliance boundaries for eDiscovery.
D.Create data loss prevention policies for each region.
E.Configure Microsoft 365 Multi-Geo.
Answers: A, C, E

Allows choosing where data is stored during tenant setup.

Why this answer

Option A is correct because setting data location preferences in the Microsoft 365 admin center (under Settings > Org Settings > Organization Information) allows you to specify the primary data residency region for your tenant. This ensures that core data at rest, such as Exchange Online mailboxes and SharePoint sites, is stored in the selected geographic location to meet compliance requirements.

Exam trap

The trap here is that candidates often confuse data residency (where data is stored) with data protection (DLP policies) or replication settings, leading them to select DLP policies or disabling replication instead of the correct Multi-Geo and compliance boundary options.

333
MCQ (medium)

Your organization uses Microsoft 365 Copilot for Sales. You need to ensure that only licensed users can access Copilot features, and that usage is monitored for compliance. What should you configure?

A.Assign the Copilot Administrator role to users in Microsoft Entra ID
B.Configure a Microsoft Purview compliance policy for Copilot
C.Use PowerShell to assign Copilot licenses and enable audit logging in Microsoft Sentinel
D.Assign Copilot licenses to users in the Microsoft 365 admin center and monitor usage via the Reports dashboard
Answer: D

Licenses are assigned per user, and usage is monitored via admin reports.

Why this answer

Option D is correct because licensing for Microsoft 365 Copilot for Sales is controlled through the Microsoft 365 admin center by assigning Copilot licenses to individual users. Usage monitoring is then available via the Reports dashboard, which provides adoption and usage metrics for licensed users. This ensures only licensed users access Copilot features and allows compliance monitoring without additional configuration.

Exam trap

The trap here is that candidates confuse licensing and access control with administrative roles or security monitoring, assuming that assigning an admin role or configuring compliance policies is required to restrict or monitor Copilot usage, when in fact license assignment and the built-in Reports dashboard are the correct mechanisms.

How to eliminate wrong answers

Option A is wrong because the Copilot Administrator role in Microsoft Entra ID grants administrative permissions to manage Copilot settings, not user access; it does not license users or monitor usage. Option B is wrong because Microsoft Purview compliance policies are used for data governance, retention, and eDiscovery, not for controlling user access or monitoring Copilot feature usage. Option C is wrong because while PowerShell can assign licenses, enabling audit logging in Microsoft Sentinel is for security monitoring and incident response, not for compliance usage monitoring of Copilot features; the Reports dashboard is the appropriate tool for usage monitoring.

334
Multi-Select (medium)

You are the Microsoft 365 Administrator for a multinational organization. You need to manage user accounts, groups, licensing, and support. Which four of the following actions are valid and recommended practices? (Choose four.)

Select 4 answers
A.Assign licenses to a security group to automatically license all current and future members.
B.Use Microsoft Entra ID (formerly Azure AD) dynamic group membership rules to automatically add or remove users based on department or job title attributes.
C.Create a Microsoft 365 group in the Exchange admin center to provide a shared mailbox and calendar for a project team.
D.Enable self-service password reset (SSPR) for all users and require registration of authentication methods.
E.Permanently delete a user account immediately after the user leaves the company to free up the license.
F.Convert a distribution group to a security group by editing its properties in the Microsoft 365 admin center.

Why this answer

Assigning licenses to a security group is a valid and recommended practice because it automates license assignment for all current and future members of the group, reducing manual overhead and ensuring compliance. This leverages group-based licensing in Microsoft Entra ID, which supports both direct and dynamic group membership.

Exam trap

The trap here is that candidates may think permanently deleting a user account immediately is the fastest way to free a license, but Microsoft recommends a phased approach (block sign-in, convert mailbox, then delete after 30 days) to avoid data loss and compliance issues.

335
MCQ (medium)

Your organization uses Microsoft Purview Audit (Standard) for auditing user activity. You receive an alert that a user accessed sensitive files in SharePoint Online. You need to investigate the exact actions performed by the user. Which action should you take?

A.Run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.
B.Navigate to the Microsoft Purview portal and use the Audit Log Search tab.
C.Enable Audit (Premium) licensing for the user and then search the audit log.
D.Access Microsoft Purview Compliance Manager and review the user's activity.
Answer: C

Audit (Premium) provides detailed file-level audit records.

Why this answer

Option C is correct because Audit (Standard) only retains audit logs for 90 days and does not include detailed file-level operations like item access. You would need to upgrade to Audit (Premium) to get those details. Option A is incorrect because the Search-UnifiedAuditLog cmdlet works with both editions but may not show item-level details in Standard.

Option D is incorrect because Compliance Manager does not store audit logs. Option B is incorrect because there is no 'Audit Log Search' tab in Purview; the correct tool is the Audit solution.

336
MCQ (easy)

A user reports that they cannot access their Microsoft 365 mailbox via Outlook on the web. Other users can access their mailboxes. What is the most likely cause?

A.The user's password has expired
B.The Exchange Online service is experiencing an outage
C.The user's browser cache needs to be cleared
D.The user does not have an Exchange Online license assigned
Answer: D

Without a license, the user cannot access Exchange Online services.

Why this answer

The most likely cause is that the user does not have an Exchange Online license assigned. Without a valid license, the user's mailbox is not provisioned, and Outlook on the Web (OWA) cannot access it. Other users can access their mailboxes because they have licenses, ruling out a service-wide issue.

Exam trap

The trap here is that candidates confuse authentication issues (password expired) with authorization or licensing issues, assuming that if a user can log in to the Microsoft 365 portal, they automatically have a mailbox.

How to eliminate wrong answers

Option A is wrong because an expired password would prevent authentication entirely, but the user would see a login prompt or password error, not a mailbox access issue after login. Option B is wrong because an Exchange Online outage would affect all users, not just one. Option C is wrong because clearing browser cache resolves display or rendering issues, not access to the mailbox itself; if the mailbox is unlicensed, no amount of cache clearing will help.

337
MCQ (hard)

A compliance officer needs to ensure that no user can permanently delete a document from a specific SharePoint Online site. The document must be kept for at least 5 years. Which Microsoft Purview solution should the officer configure?

A.Sensitivity label with a retention period of 5 years.
B.Retention policy for the site with retention period of 5 years and action set to 'Retain'.
C.DLP policy to prevent deletion of documents.
D.eDiscovery hold on the site.
Answer: B

A retention policy applied at the site level prevents permanent deletion of content during the retention period, meeting the requirement.

Why this answer

A retention policy with the 'Retain' action ensures that documents in the SharePoint site are preserved for the specified period and cannot be permanently deleted by users or system processes. This meets the compliance requirement of a 5-year minimum retention and prevents permanent deletion, as retained items are moved to the Preservation Hold library.

Exam trap

The trap here is that candidates often confuse retention policies with sensitivity labels or eDiscovery holds, assuming that any retention setting or legal hold prevents deletion, but only a retention policy with the 'Retain' action provides the specific immutable retention and deletion prevention required for a fixed period like 5 years.

How to eliminate wrong answers

Option A is wrong because a sensitivity label with a retention period of 5 years applies retention settings at the item level based on classification, but it does not prevent permanent deletion by users; sensitivity labels primarily enforce protection and classification, not immutable retention. Option C is wrong because a DLP policy prevents data loss by blocking sharing or exfiltration of sensitive data, not by preventing deletion of documents; DLP policies do not enforce retention or deletion prevention. Option D is wrong because an eDiscovery hold preserves content for legal or investigative purposes but is designed for temporary holds, not for a fixed 5-year retention period, and it does not prevent permanent deletion by users in the same way as a retention policy with 'Retain' action.

338
Multi-Select (hard)

Which THREE features are included in Microsoft Defender for Office 365 Plan 2 but NOT in Plan 1? (Choose three.)

Select 3 answers
A.Anti-phishing policies
B.Safe Links
C.Automated Investigation and Response (AIR)
D.Threat Explorer
E.Attack Simulation Training
Answers: C, D, E

AIR is a Plan 2 feature.

Why this answer

Options C, D, and E are correct. Plan 2 includes Automated Investigation and Response (C), Threat Explorer (D), and Attack Simulation Training (E). Option B (Safe Links) is included in Plan 1.

Option A (Anti-phishing) is included in Plan 1.

339
MCQ (medium)

A company wants to require MFA for all users when they access Office 365 from any network location that is not the company's trusted IP ranges. Which Conditional Access policy configuration should be applied?

A.Include all users, exclude none, grant access require MFA with condition 'Location not in trusted locations'.
B.Include all users, exclude none, block access with condition 'Location not in trusted locations'.
C.Include all users, exclude trusted locations as a group, grant access require MFA.
D.Include all users, exclude all locations, grant access require MFA.
Answer: A

This correctly triggers MFA only when the user is not coming from a trusted location.

Why this answer

Option A correctly configures a Conditional Access policy that targets all users and applies the 'Require MFA' grant control when the location condition is set to 'Any location' except the company's trusted IP ranges. This ensures MFA is enforced for all access attempts originating from outside the trusted network, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse excluding a group (like 'All trusted users') with using the location condition to exclude trusted IP ranges, leading them to choose Option C, which incorrectly removes the location-based trigger entirely.

How to eliminate wrong answers

Option B is wrong because blocking access entirely for untrusted locations would prevent users from working remotely, which is not the requirement; the requirement is to require MFA, not block. Option C is wrong because excluding trusted locations as a group from the policy scope would mean the policy does not evaluate those locations at all, but the requirement is to apply MFA to all users when they are not in trusted locations, which is best handled by the location condition, not by excluding a group. Option D is wrong because excluding all locations would mean the policy never evaluates any location condition, effectively disabling the location-based trigger, so MFA would not be enforced based on network location.

340
MCQ (medium)

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. Users report that they are unable to share files containing credit card numbers via email. You need to allow sharing with specific business partners while maintaining protection for all other recipients. What should you configure?

A.Configure the DLP policy to allow users to override the action with a business justification.
B.Create a separate DLP policy with lower priority that allows sharing with the partners.
C.Assign a custom sensitivity label to emails sent to the partners.
D.Configure a file policy in Microsoft Purview Information Protection to exempt the partners.
Answer: A

DLP policies can be configured to allow override with justification.

Why this answer

Option A is correct because DLP policies support overriding with business justification when the policy is configured to allow it. Option D is incorrect because file policies focus on file properties, not content inspection for credit cards. Option C is incorrect because sensitivity labels do not override DLP actions.

Option B is incorrect because the DLP policy itself must enable the override, not a separate policy.

341
MCQ (medium)

Your organization uses Microsoft 365 and has strict compliance requirements. The compliance officer has noticed that some users are able to access sensitive documents from unmanaged devices. You need to ensure that all access to sensitive data from unmanaged devices is blocked, while still allowing access from managed devices. The solution must be implemented using Microsoft Entra ID and Microsoft Intune. You have already deployed Microsoft Intune for mobile device management. What should you do?

A.Enable device compliance rules in Microsoft Entra ID and assign them to all users.
B.Create a device compliance policy in Microsoft Intune that requires a PIN and encryption.
C.Create an app protection policy in Microsoft Intune that requires managed apps to be used on unmanaged devices.
D.Create a conditional access policy in Microsoft Entra ID that requires device to be marked as compliant, and apply it to all cloud apps.
Answer: D

Conditional access with device compliance requirement blocks unmanaged devices from accessing apps.

Why this answer

Option D is correct: a conditional access policy in Microsoft Entra ID can require that devices be marked as compliant with Intune policies, blocking access from unmanaged devices. Option C is wrong because app protection policies in Intune apply to apps, not device-level access. Option B is wrong because a compliance policy defines what compliant means but does not block access; conditional access does.

Option A is wrong because device compliance rules are part of Intune but do not enforce access decisions without conditional access.

342
MCQ (medium)

A company uses Azure AD Connect with password hash synchronization. They want to allow users to reset their on-premises Active Directory passwords from the cloud Self-Service Password Reset (SSPR) portal. Which additional configuration is required in Azure AD Connect?

A.Enable password writeback
B.Enable self-service password reset in Azure AD
C.Configure Federation Services (AD FS)
D.Install Azure AD Application Proxy
Answer: A

Password writeback synchronizes password changes from Azure AD to on-premises AD, allowing cloud-initiated resets to update the on-premises password.

Why this answer

Password writeback is the specific feature in Azure AD Connect that enables password changes performed in the cloud (via SSPR) to be written back to the on-premises Active Directory. Without this feature enabled and configured, the SSPR portal can only reset cloud-only passwords, not synchronized on-premises passwords. Therefore, enabling password writeback is the additional configuration required beyond the existing password hash synchronization.

Exam trap

The trap here is that candidates often confuse enabling SSPR in Azure AD (a tenant-level setting) with the specific Azure AD Connect feature (password writeback) that is required to make SSPR work for synchronized users, leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because enabling self-service password reset in Azure AD is a prerequisite for the SSPR portal itself, not the additional configuration required in Azure AD Connect to write the reset password back to on-premises AD. Option C is wrong because Federation Services (AD FS) is not required for password writeback; password writeback works with password hash synchronization and does not require federation. Option D is wrong because Azure AD Application Proxy is used for publishing on-premises web applications externally, not for password synchronization or writeback.

343
MCQ (medium)

A security analyst runs the above KQL query in Microsoft 365 Defender. The query returns an empty result set. Which is the most likely reason?

A.The time range is too wide and the query times out.
B.No antivirus detection events for files with 'ransomware' or 'encrypt' in the filename occurred in the last 7 days.
C.The 'has_any' operator is used incorrectly; it should be 'contains' for each condition.
D.The DeviceEvents table does not contain antivirus detection events.
Answer: B

The filter is too restrictive.

Why this answer

The query uses 'has_any' to match filenames containing 'ransomware' or 'encrypt'. If no detections match those strings, the result is empty. Option B is correct.

Option D is wrong because the query uses the correct table. Option C is wrong because the syntax is valid. Option A is wrong because the time range is 7 days, which is typical.

344
Multi-Select (hard)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user shares a file containing sensitive data with an external domain. Which three components must you configure in the policy? (Choose three.)

Select 3 answers
A.A content inspection method (e.g., DLP)
B.A governance action (e.g., alert, block)
C.A filter to specify the sharing type (e.g., external)
D.A session control action
E.An access token condition
Answers: A, B, C

Content inspection detects sensitive data.

Why this answer

Options A, B, and C are correct because a file policy requires a filter (e.g., sharing with external users), a content inspection method to detect sensitive data, and a governance action (e.g., alert or block). Option D is wrong because session control actions belong to session policies, which are separate. Option E is wrong because an access token condition is not a component of a file policy.

345
Multi-Select (medium)

A compliance officer needs to implement a policy that automatically marks emails containing a specific custom sensitive information type as a regulatory record upon sending. The regulatory record must be retained for 10 years and cannot be deleted by users. Which two components must be configured to achieve this?

Select 2 answers
A.Create a custom sensitive information type and configure an auto-apply retention label policy that applies a regulatory record label
B.Create a default retention label for emails and assign it to all mailboxes via a retention policy
C.Create a retention label with record marking and publish it to all users, then train users to apply it manually
D.Create a Data Loss Prevention (DLP) policy that detects the custom pattern and blocks the email until it is labeled
Answers: A, B

Correct. The custom SIT detects the pattern, and the auto-labeling policy applies the label that marks the item as a regulatory record with the 10-year retention.

Why this answer

To automatically mark emails containing a specific custom sensitive information type as a regulatory record upon sending, you need both a custom sensitive information type (to define the data pattern) and an auto-apply retention label policy (to automatically apply a regulatory record label based on that pattern). The regulatory record label enforces the 10-year retention and prohibits user deletion, meeting the compliance officer's requirements without manual user action.

Exam trap

The trap here is that candidates often confuse auto-apply retention label policies with DLP policies, thinking DLP can both detect and label, but DLP only detects and blocks—it cannot apply retention labels or enforce retention periods.

346
MCQ (medium)

A security administrator wants to prevent Microsoft Office applications (Word, Excel, PowerPoint) from creating child processes, which is a common technique used by malware to execute malicious code. Which attack surface reduction (ASR) rule should be enabled?

A.Block all Office applications from creating child processes
B.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
C.Block Office applications from creating executable content
D.Block Win32 API calls from Office macros
Answer: A

This rule directly addresses the described behavior by blocking Office apps from creating child processes.

Why this answer

Option A is correct because the ASR rule 'Block all Office applications from creating child processes' (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A) specifically prevents Word, Excel, and PowerPoint from spawning child processes such as cmd.exe, PowerShell, or wscript.exe. This directly mitigates a common malware technique where Office macros or exploits launch malicious executables. The rule is part of Microsoft Defender for Endpoint's attack surface reduction capabilities and is designed to stop process injection and lateral movement without blocking legitimate Office functionality.

Exam trap

The trap here is that candidates confuse 'creating child processes' with 'creating executable content' or 'blocking Win32 API calls,' leading them to choose options that address file writes or macro restrictions rather than the specific process spawning behavior.

How to eliminate wrong answers

Option B is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' is an ASR rule that targets executable files (e.g., .exe, .dll) based on reputation, not Office child process creation. Option C is wrong because 'Block Office applications from creating executable content' prevents Office apps from writing executable files (e.g., .exe, .scr) to disk, but does not block the spawning of child processes. Option D is wrong because 'Block Win32 API calls from Office macros' disables macros from calling Win32 APIs (e.g., via VBA), which is a different attack vector; it does not prevent Office apps from creating child processes through other means like OLE or DDE.

347
MCQ (hard)

Your organization uses Microsoft 365 E5 licenses. You need to implement a secure score improvement plan. After reviewing the Secure Score, you notice a recommendation to 'Enable sign-in risk policy' in Microsoft Entra ID. However, you want to ensure that users who sign in from trusted locations are not challenged. What should you configure?

A.Configure named locations in Microsoft Entra ID for trusted IPs.
B.Enable the 'Sign-in risk' policy in Identity Protection and set 'Exclude trusted locations'.
C.Enable the 'Require MFA for all users' conditional access policy.
D.Create a conditional access policy that targets sign-in risk: medium and above, require MFA, and exclude trusted named locations.
Answer: D

This ensures users from trusted locations are not challenged.

Why this answer

Option D is correct because it creates a Conditional Access policy that targets sign-in risk at medium and above, requiring MFA, while excluding trusted named locations. This ensures users from trusted IPs are not challenged, directly addressing the requirement to avoid unnecessary prompts for trusted sign-ins while still enforcing risk-based policies.

Exam trap

The trap here is that candidates confuse Identity Protection's risk policies with Conditional Access policies, assuming exclusions are set directly in Identity Protection rather than through Conditional Access, leading them to select Option B.

How to eliminate wrong answers

Option A is wrong because configuring named locations alone does not enforce a sign-in risk policy; it only defines trusted IPs, which must be referenced in a Conditional Access policy to have effect. Option B is wrong because the 'Sign-in risk' policy in Identity Protection does not have an 'Exclude trusted locations' setting; exclusions are handled via Conditional Access policies, not within Identity Protection itself. Option C is wrong because 'Require MFA for all users' is a blanket policy that does not consider sign-in risk or trusted locations, so it would challenge users from trusted locations unnecessarily.

348
MCQ (medium)

Your organization has a Microsoft 365 tenant configured with a custom domain. You need to verify domain ownership using a TXT record. Where in the Microsoft 365 admin center would you initiate this process?

A.Settings > Domains
B.Setup > Org-wide settings
C.Users > Active Users
D.Admin centers > Azure Active Directory
Answer: A

Correct path to manage domains and verify ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record provided by Microsoft to your domain's DNS zone. The process is initiated in the Microsoft 365 admin center under Settings > Domains, where you select the domain and click 'Start setup' to receive the verification TXT record value. This is the only location in the admin center that directly manages domain verification and DNS record validation for custom domains.

Exam trap

The trap here is that candidates may confuse domain verification with other domain-related tasks (like setting up email routing or managing user accounts) and select Setup > Org-wide settings or Users > Active Users, but only Settings > Domains provides the guided wizard for adding and verifying a custom domain via TXT records.

How to eliminate wrong answers

Option B is wrong because Setup > Org-wide settings contains organization-wide configuration options like security policies, profiles, and external sharing settings, but does not include domain management or DNS verification tasks. Option C is wrong because Users > Active Users is for managing user accounts, licenses, and permissions, not for domain ownership verification which is a DNS-level process. Option D is wrong because Admin centers > Azure Active Directory opens the Azure AD portal, which can manage custom domains but is not the primary or recommended path in the Microsoft 365 admin center for initiating TXT record verification; the correct path is Settings > Domains within the M365 admin center itself.

349
MCQ (medium)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a user clicks a malicious link in an email, the endpoint is automatically isolated. What should you configure?

A.Enable network protection in block mode.
B.Configure an automated investigation and response (AIR) playbook for device isolation.
C.Configure attack surface reduction rules to block the link.
D.Create a custom detection rule to trigger isolation.
Answer: B

AIR can automatically isolate a device when an alert like 'malicious link clicked' is triggered.

Why this answer

Option B is correct because automated investigation and response (AIR) can be configured to isolate a device when a malicious link is clicked. Option A is wrong because network protection blocks connections but does not isolate the device. Option C is wrong because attack surface reduction rules reduce the attack surface but do not automatically isolate.

Option D is wrong because custom detection rules can trigger isolation but require additional configuration; AIR is the built-in automation.

350
MCQ (medium)

A company uses Microsoft Entra ID P2 licenses and wants to block all authentication attempts from an internal legacy application that uses POP3 and SMTP protocols. The application cannot be updated and must be blocked from accessing Exchange Online. Which Conditional Access policy setting should the administrator configure?

A.Under 'Grant', select 'Block access'
B.Under 'Conditions' > 'Client apps', configure to block 'Exchange ActiveSync clients and other clients'
C.Under 'Conditions' > 'Device platforms', select 'Android' and 'iOS' and block them
D.Under 'Conditions' > 'Locations', select 'All trusted locations' and block
Answer: B

This setting explicitly targets legacy authentication clients (including POP3/SMTP). By setting the action to block, all attempts from those clients are denied.

Why this answer

Option B is correct because the legacy application uses POP3 and SMTP, which are non-modern authentication protocols. In Conditional Access, the 'Client apps' condition includes a setting to block 'Exchange ActiveSync clients and other clients', which specifically targets legacy authentication protocols like POP3, SMTP, and IMAP. This allows the administrator to block all authentication attempts from such clients without affecting modern authentication flows.

Exam trap

The trap here is that candidates often confuse 'Client apps' with device or location conditions, mistakenly thinking that blocking a device platform or location will stop legacy protocol traffic, when in fact legacy authentication bypasses those controls entirely because it does not use modern token-based authentication.

How to eliminate wrong answers

Option A is wrong because 'Block access' under 'Grant' is a coarse control that blocks all access for the targeted users or apps, but it does not specifically target legacy protocols like POP3/SMTP; it would block all authentication methods, including modern ones, which is not the requirement. Option C is wrong because 'Device platforms' controls access based on the operating system (e.g., Android, iOS), not the authentication protocol; blocking Android and iOS would not affect a legacy application running on a server or desktop using POP3/SMTP. Option D is wrong because 'Locations' controls access based on network location (e.g., trusted IP ranges), not the authentication protocol; blocking trusted locations would not block the legacy application if it originates from an untrusted location, and it does not address the protocol-specific requirement.

351
Multi-Select (medium)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user receives a phishing email containing a malicious URL and then clicks that URL within 10 minutes. Which two Advanced Hunting tables must be joined in the KQL query?

Select 2 answers
A.EmailEvents and UrlClickEvents
B.EmailEvents and DeviceProcessEvents
C.EmailUrlInfo and UrlClickEvents
D.EmailAttachmentInfo and UrlClickEvents
Answers: A, C

EmailEvents tracks email delivery but not URL-specific details; joining directly to UrlClickEvents is not straightforward without URL info.

Why this answer

The rule requires detecting when a user receives a phishing email with a malicious URL and then clicks that URL within 10 minutes. The EmailUrlInfo table contains the URL extracted from the email (including the verdict), and the UrlClickEvents table records user clicks on URLs in Microsoft Defender for Office 365 Safe Links. Joining these two tables on the URL hash (SHA256) allows correlation of the email-delivered URL with the user's click event, enabling the time-based trigger.

Exam trap

The trap here is that candidates often assume EmailEvents is needed to capture the email reception, but the URL-to-click correlation requires the URL-specific table (EmailUrlInfo) rather than the email metadata table, and UrlClickEvents is the only table that records the click action.

352
MCQ (hard)

Your organization uses Microsoft Entra ID and has a custom role that grants 'microsoft.directory/applications/credentials/update' permission. A security audit reveals that a user assigned this role has modified credentials for an application. You need to prevent such actions while allowing other application updates. What should you do?

A.Assign the user the built-in Application Administrator role instead.
B.Enable multi-factor authentication for the user.
C.Remove the user from the custom role and assign them another role with fewer permissions.
D.Create a custom role that excludes the 'microsoft.directory/applications/credentials/update' permission and assign it to the user.
Answer: D

A custom role can be defined to exclude specific permissions.

Why this answer

The custom role currently includes the 'microsoft.directory/applications/credentials/update' permission, which allows modifying application credentials. To prevent credential updates while still permitting other application updates, you must create a new custom role that explicitly excludes this permission and assign it to the user. This approach preserves granular control without granting unnecessary privileges, unlike built-in roles that would either over-scope or under-scope permissions.

Exam trap

The trap here is that candidates may think removing the user from the custom role and assigning a different role (Option C) is the simplest fix, but that would likely revoke all application update permissions, failing the requirement to allow other updates.

How to eliminate wrong answers

Option A is wrong because assigning the built-in Application Administrator role grants broader permissions, including the ability to update credentials, which does not solve the problem. Option B is wrong because enabling multi-factor authentication enhances security but does not restrict the user's existing permissions to modify credentials. Option C is wrong because removing the user from the custom role and assigning another role with fewer permissions would likely remove all application update capabilities, which is too restrictive and does not allow other application updates.

353
Matching (medium)

Match each Microsoft 365 Defender portal component to its function.


Concepts
Matches

Protects email and collaboration tools

Protects devices from threats

Protects on-premises Active Directory

Protects cloud applications

Unified threat protection dashboard

Why these pairings

These are the five pillars of Microsoft 365 Defender.

354
MCQ (hard)

Your company uses Microsoft Purview to manage compliance. You need to set up a process that allows users to request permission to access a document labeled 'Confidential' and automatically grants access if the user's manager approves. Which feature should you use?

A.Microsoft Purview Privileged Access Management
B.Microsoft Purview Data Loss Prevention with a custom policy
C.Microsoft Entra ID Access Reviews with a connected organization
D.Microsoft Purview sensitivity label with a custom permission
Answer: C

Access Reviews can set up recurring reviews or ad-hoc requests with manager approval.

Why this answer

Option C is correct because Microsoft Entra ID Access Reviews can be integrated with Microsoft Purview to manage access requests with approval workflows. Option A is wrong because Privileged Access Management is for elevated admin roles, not document access. Option B is wrong because DLP doesn't handle access requests.

Option D is wrong because sensitivity labels don't include approval workflows.

355
MCQ (easy)

An administrator wants to verify ownership of a custom domain 'adatum.com' in their Microsoft 365 tenant. They have already added the domain and received the TXT record value. However, the administrator's DNS hosting provider does not support adding a TXT record. Which alternative record type can be used for domain verification?

A.A record
B.MX record
C.SRV record
D.NS record
Answer: B

Correct. Microsoft supports verification using a specific MX record with the value 'msXXXXXX.adatum.com' (where 'X' represents the verification token).

Why this answer

When a DNS hosting provider does not support TXT records, Microsoft 365 allows the use of an MX record as an alternative for domain verification. The administrator creates an MX record with a specific subdomain (e.g., 'adatum-com.mail.protection.outlook.com') and a custom priority value provided in the TXT record value, which Microsoft's verification system checks to confirm domain ownership. This method is supported because MX records are widely available and can carry the necessary verification data in their format.

Exam trap

The trap here is that candidates may assume only TXT records can verify domain ownership, overlooking that Microsoft 365 explicitly supports MX records as an alternative when TXT records are unavailable, which is a common scenario in restrictive DNS environments.

How to eliminate wrong answers

Option A is wrong because 'A record' maps a domain to an IPv4 address and cannot carry the verification string required by Microsoft 365; it is not a supported alternative for domain verification. Option C is wrong because 'SRV record' specifies the location of services (like SIP or LDAP) and is not used for domain ownership verification in Microsoft 365. Option D is wrong because 'NS record' delegates a domain to a set of name servers and does not support embedding a verification token; it would change the domain's authoritative servers rather than prove ownership.

356
MCQ (medium)

An organization plans to automatically assign Microsoft 365 E3 licenses to all users in the 'Finance' department. The Finance department is identified by the 'Department' attribute in Azure AD. Which method should the administrator use to minimize manual effort?

A.Group-based licensing using a dynamic group with the rule 'user.department -eq "Finance"'
B.Manual assignment using PowerShell
C.Bulk assignment using a CSV file
D.Self-service licensing portal
Answer: A

Dynamic group membership automatically includes Finance users, and group-based licensing assigns the license to all members.

Why this answer

Group-based licensing allows assigning licenses to a security group. By using a dynamic group based on the 'Department' attribute, users are automatically added to the group and receive licenses when they meet the criteria. Manual assignment or bulk upload require ongoing administrative effort.

Self-service portals do not automatically assign licenses.

357
MCQ (hard)

Your organization, Fabrikam Inc., uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft Teams. You have a DLP policy that blocks sharing of credit card numbers in Teams messages. Recently, users have reported that they cannot share legitimate credit card numbers for business purposes, even with customers. You need to allow users to override the block for legitimate sharing, but require them to provide a business justification. What should you configure?

A.Create a second DLP policy with a lower priority that allows credit card sharing, and assign it to a security group containing authorized users.
B.Add the users to an exempt group in the DLP policy so they are not blocked.
C.Configure the DLP policy to show a policy tip that allows users to override the block with a business justification, and enable audit logging for overrides.
D.Configure the DLP policy to allow overrides without justification, and monitor usage.
Answer: C

This allows legitimate sharing while maintaining oversight.

Why this answer

Option C is correct because policy tips with override options allow users to override the block and provide a justification, and the admin can review the override in audit logs. Option D is wrong because allowing overrides without justification defeats the purpose. Option A is wrong because a separate policy for exceptions would be complex and not user-friendly.

Option B is wrong because exempting specific users does not allow per-message override.

358
MCQ (medium)

A user reports that after changing their department in the HR system, the change is not reflected in Azure AD dynamic group membership. The sync from HR to Azure AD is working. What is the most likely issue?

A.License not assigned
B.Group is a mail-enabled security group
C.Dynamic group membership evaluation delay
D.Attribute not synced to Azure AD
Answer: C

Membership update can take up to 24 hours.

Why this answer

Dynamic group membership in Azure AD is not updated in real time; it can take up to 30 minutes for a user attribute change to trigger a membership reevaluation. Since the HR-to-Azure AD sync is confirmed working, the delay is the most likely cause, not a failure in attribute synchronization or licensing.

Exam trap

The trap here is that candidates assume a working HR sync means group membership should update instantly, overlooking the built-in evaluation delay that Azure AD enforces for dynamic groups.

How to eliminate wrong answers

Option A is wrong because a license assignment is not required for dynamic group membership evaluation; licenses affect service access, not group rule processing. Option B is wrong because mail-enabled security groups can be dynamic groups in Azure AD; the group type does not inherently block membership updates. Option D is wrong because the question states the sync from HR to Azure AD is working, meaning the attribute change has already been synced; the issue is the subsequent evaluation delay, not a missing attribute.

359
Multi-Select (medium)

Your organization uses Microsoft Entra ID. You need to implement a solution that allows users to sign in without a password using their smartphone. Which TWO authentication methods can be used?

Select 2 answers
A.Temporary Access Pass
B.Windows Hello for Business
C.Text message (SMS) verification code
D.Microsoft Authenticator app (phone sign-in)
E.FIDO2 security keys
Answers: D, E

Authenticator app supports passwordless sign-in.

Why this answer

The Microsoft Authenticator app supports phone sign-in, which allows users to authenticate by approving a notification or entering a number displayed on the screen, eliminating the need for a password. FIDO2 security keys enable passwordless authentication using hardware-based public/private key cryptography, meeting the requirement for smartphone-based sign-in when the key is connected via USB or NFC. Both methods are supported by Microsoft Entra ID for passwordless authentication.

Exam trap

The trap here is that candidates often confuse SMS verification codes (a multi-factor authentication method) with a primary passwordless authentication method, but SMS codes require a password first and are not passwordless.

360
MCQ (easy)

Your organization is required to retain all financial records for seven years. Which Microsoft Purview solution should you use to enforce this requirement?

A.Microsoft Purview Data Loss Prevention
B.Microsoft Purview Records Management
C.Microsoft Purview retention policies
D.Microsoft Purview Audit
Answer: C

Retention policies can keep data for a specified duration.

Why this answer

Option C is correct because retention policies in Microsoft Purview ensure data is kept for a specified period. Option A is wrong because DLP is for preventing data loss, not retention. Option B is wrong because records management is a broader capability; retention policies are the specific tool.

Option D is wrong because audit logs track events, not enforce retention.

361
MCQ (hard)

A security analyst has identified a new malware sample with SHA256 hash 'abc123...'. They need to immediately block this file from executing on any managed endpoint across the organization. Which Microsoft Defender for Endpoint capability should they use?

A.Attack surface reduction rules
B.Indicators (IoC)
C.Automated investigation and response
D.Threat analytics
Answer: B

Correct. Indicators allow you to create allow/block actions based on file hashes, IPs, or domains.

Why this answer

Option B is correct because Indicators of Compromise (IoC) in Microsoft Defender for Endpoint allow security analysts to create custom indicators (such as file hashes, IPs, or URLs) that are immediately enforced across all managed endpoints. This capability enables blocking execution of a specific SHA256 hash at the kernel level via the Microsoft Defender Antivirus driver, providing near-instant protection without requiring a signature update or policy change.

Exam trap

The trap here is that candidates confuse Indicators (IoC) with Attack Surface Reduction rules, mistakenly thinking ASR rules can block specific file hashes, when in fact ASR rules only block behavioral patterns and cannot target individual file hashes.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are policy-based rules that target specific behaviors (e.g., blocking Office apps from creating child processes), not individual file hashes; they cannot block a single SHA256 hash on demand. Option C is wrong because Automated Investigation and Response (AIR) is a post-breach remediation workflow that triggers after detection, not a proactive blocking mechanism for a known IoC. Option D is wrong because Threat Analytics is a reporting and intelligence feature that provides threat summaries and mitigations, not a direct enforcement action to block file execution.

362
MCQ (medium)

You have a Microsoft 365 E5 tenant. Users report that they cannot access the Microsoft 365 admin center (https://admin.microsoft.com). You verify that they have the Global Administrator role assigned. You check the sign-in logs in Microsoft Entra ID and see that the sign-in was blocked by a Conditional Access policy. The policy requires MFA and a compliant device. The users are using personal devices that are not enrolled. What should you do to allow access while maintaining security?

A.Disable the Conditional Access policy.
B.Ask users to enroll their personal devices in Microsoft Intune.
C.Remove the Global Administrator role from the users and assign a lower privilege role.
D.Modify the Conditional Access policy to exclude the Microsoft 365 admin center from the device compliance requirement, but keep MFA.
Answer: D

Allows access with MFA only, which is acceptable for admins.

Why this answer

Option D is correct because it allows users to access the Microsoft 365 admin center by removing the device compliance requirement for that specific cloud app while still enforcing MFA. This maintains security through MFA and avoids blocking access for users on personal, unenrolled devices. Disabling the policy entirely or requiring enrollment would either weaken security or be impractical for personal devices.

Exam trap

The trap here is that candidates may think removing the Global Administrator role (Option C) will bypass the Conditional Access policy, but Conditional Access policies apply to all users regardless of role unless explicitly excluded, and the policy's grant controls are evaluated before role-based access is considered.

How to eliminate wrong answers

Option A is wrong because disabling the Conditional Access policy entirely would remove all security controls (MFA and device compliance) for the admin center, exposing the tenant to unauthorized access. Option B is wrong because asking users to enroll personal devices in Intune may not be feasible or desired for personal devices, and it does not address the immediate access issue without policy modification. Option C is wrong because removing the Global Administrator role does not resolve the Conditional Access block; the policy applies to all users regardless of role, and the users need admin privileges to perform their duties.

363
MCQ (medium)

Your company uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email in Microsoft 365. Which Microsoft Entra ID feature should you combine with Intune compliance policies?

A.Conditional Access
B.Microsoft Entra Application Proxy
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management
Answer: A

Conditional Access policies can check device compliance from Intune.

Why this answer

Conditional Access is the correct answer because it is the Microsoft Entra ID feature that enforces access controls based on signals such as device compliance. When combined with Intune compliance policies, Conditional Access can block or allow access to corporate email in Microsoft 365 based on whether the device is marked as compliant by Intune. This integration ensures that only devices meeting your organization's security requirements can access corporate resources.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based access) with Conditional Access (which enforces policies like device compliance), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Application Proxy provides secure remote access to on-premises web applications, not device compliance enforcement for cloud services. Option C is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), but it does not evaluate device compliance status. Option D is wrong because Microsoft Entra Privileged Identity Management manages, controls, and monitors access to privileged roles in Microsoft Entra ID, not device compliance or access policies for corporate email.

364
MCQ (hard)

A company uses Microsoft Entra ID P2 licenses and wants to implement just-in-time (JIT) privileged access for administrators. Security requirements state that Global Administrator role members must request approval and provide a business justification before their role activation expires after 4 hours. Which Microsoft Entra feature should be configured?

A.Conditional Access
B.Privileged Identity Management (PIM)
C.Identity Protection
D.Self-Service Password Reset (SSPR)
AnswerB

PIM allows configuring role activation with approval, justification, and duration settings, fulfilling the JIT requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, requiring approval and a business justification for role activation, with configurable maximum activation durations (e.g., 4 hours). This directly meets the security requirement for Global Administrator role members to request approval and provide justification before activation expires after 4 hours.

Exam trap

The trap here is that candidates often confuse Conditional Access with PIM because both involve 'access control,' but Conditional Access cannot enforce time-bound role activation with approval and justification workflows.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device compliance, but it does not provide time-bound role activation with approval workflows or business justification. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., compromised accounts) but does not manage privileged role activation or approval processes. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, and it has no capability to control privileged role activation with approval and expiration.

365
MCQeasy

You are a Microsoft 365 administrator for a small business with 50 users. The company uses Microsoft 365 Business Premium. You need to ensure that all users have multi-factor authentication (MFA) enabled. The company does not have any custom conditional access policies. You want to implement MFA as quickly as possible with minimal configuration. What should you do?

A.Enable security defaults in the Microsoft Entra admin center.
B.Configure MFA registration campaign for all users.
C.Enable per-user MFA for each user.
D.Create a conditional access policy that requires MFA for all users.
AnswerA

Correct: Security defaults enable MFA for all users with minimal effort.

Why this answer

Security defaults provide a pre-configured set of security policies, including requiring MFA for all users, that can be enabled with a single toggle in the Microsoft Entra admin center. This is the fastest and simplest method for a small business with no existing conditional access policies, as it requires minimal configuration and immediately enforces MFA for every user.

Exam trap

The trap here is that candidates often confuse the MFA registration campaign (which only prompts registration) with actual MFA enforcement, or they overcomplicate the solution by choosing per-user MFA or a custom conditional access policy when security defaults are the fastest and simplest answer for a tenant with no existing policies.

How to eliminate wrong answers

Option B is wrong because the MFA registration campaign is a feature that nudges users to register for MFA but does not enforce MFA at sign-in; it only prompts registration, leaving authentication unprotected until users voluntarily comply. Option C is wrong because per-user MFA is a legacy method that requires manually enabling MFA for each of the 50 users individually, which is time-consuming and does not leverage the modern, policy-based approach of security defaults. Option D is wrong because creating a conditional access policy requires additional configuration steps (e.g., excluding break-glass accounts, defining conditions) and is not the fastest option; security defaults are designed for organizations without existing policies to achieve MFA enforcement instantly.

366
MCQeasy

You are a security administrator for a Microsoft 365 E5 organization. You need to configure a policy that automatically blocks execution of files that have a low reputation score in Microsoft Defender for Endpoint. Which policy type should you configure?

A.Attack surface reduction rule in Microsoft Defender for Endpoint
B.Device control policy in Microsoft Intune
C.Anti-malware policy in Exchange Online Protection
D.Cloud App Security policy in Microsoft Defender for Cloud Apps
AnswerA

ASR rules can block executables based on reputation.

Why this answer

Option A is correct because attack surface reduction (ASR) rules in Microsoft Defender for Endpoint can block the execution of files that have a low reputation. Option B is wrong because Intune device control policies govern device and peripheral access, not file execution. Option C is wrong because the Exchange Online Protection anti-malware policy applies to email. Option D is wrong because Defender for Cloud Apps policies apply to cloud apps, not to file execution on endpoints.

367
MCQmedium

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users are required to register at least two authentication methods: one from the 'mobile app' category and one from the 'phone call' category. Which combination of methods should the administrator select in the SSPR registration settings?

A.Mobile app notification and office phone
B.Mobile app notification and mobile app code
C.Office phone and mobile phone
D.Mobile phone and email
AnswerA

Mobile app notification is from the mobile app category, and office phone is from the phone call category, satisfying both requirements.

Why this answer

Option A is correct because the SSPR registration policy requires users to select at least two distinct authentication methods from the allowed list. By choosing 'Mobile app notification' (from the mobile app category) and 'Office phone' (from the phone call category), the administrator satisfies the requirement of one method from each specified category. The 'Office phone' option is classified under the 'phone call' category in Microsoft Entra ID SSPR settings.

Exam trap

The trap here is that candidates often assume 'Mobile phone' and 'Office phone' are different categories, but both are classified under the 'phone call' category in SSPR, so selecting both does not satisfy the requirement for a method from the 'mobile app' category.

How to eliminate wrong answers

Option B is wrong because both 'Mobile app notification' and 'Mobile app code' belong to the same 'mobile app' category, failing the requirement to have one method from the 'phone call' category. Option C is wrong because 'Office phone' and 'Mobile phone' are both in the 'phone call' category, not covering the 'mobile app' category. Option D is wrong because 'Mobile phone' is in the 'phone call' category and 'Email' is a separate category (not 'mobile app' or 'phone call'), so it does not include a method from the 'mobile app' category.

368
MCQhard

Your company has deployed Microsoft Defender for Endpoint on all Windows devices. You are investigating an alert for a suspicious PowerShell command that was blocked by Attack Surface Reduction (ASR) rules. The alert shows the command was executed from a script embedded in a Word document. You need to identify the ASR rule that blocked this activity. Which rule is most likely responsible?

A.Block Office applications from creating child processes
B.Block Office applications from making Win32 API calls
C.Block Office applications from injecting code into other processes
D.Block Office applications from creating executable content
AnswerA

This rule prevents Word from launching PowerShell.

Why this answer

Option A is correct because the ASR rule 'Block Office applications from creating child processes' specifically prevents Office apps such as Word from launching child processes such as PowerShell. Option B is wrong because that rule blocks macros from making Win32 API calls, not from launching processes. Option C is wrong because that rule blocks Office apps from injecting code into other processes. Option D is wrong because that rule blocks Office apps from creating executable content.

369
MCQmedium

Your organization uses Microsoft 365 E5 licenses for all users. You need to configure role-based access control (RBAC) so that helpdesk staff can reset passwords and manage licenses, but cannot modify user principal names (UPNs) or delete users. Which role assignment should you use?

A.License Administrator
B.Helpdesk Administrator
C.Password Administrator
D.User Administrator
AnswerB

Helpdesk Administrator can reset passwords and manage licenses, but cannot modify UPNs or delete users.

Why this answer

The Helpdesk Administrator role is correct because it grants the specific permissions needed to reset passwords and manage licenses, while explicitly preventing modifications to user principal names (UPNs) and user deletions. This role is designed for tier-1 support staff who require these capabilities without elevated user management rights.

Exam trap

The trap here is that candidates often confuse the Helpdesk Administrator role with the User Administrator role, assuming the latter is required for license management, but User Administrator includes dangerous permissions like UPN modification and user deletion that are explicitly prohibited in the question.

How to eliminate wrong answers

Option A is wrong because the License Administrator role can only manage license assignments and cannot reset passwords, failing the password reset requirement. Option C is wrong because the Password Administrator role can only reset passwords and cannot manage licenses, failing the license management requirement. Option D is wrong because the User Administrator role can modify UPNs and delete users, which violates the restriction against those actions.

370
MCQhard

You are reviewing the following Conditional Access policy JSON in Microsoft Entra ID. What does this policy do?

A.Requires MFA for all users accessing all apps from any client type
B.Blocks access for all users except Admin@contoso.com when accessing from mobile apps
C.Requires MFA for all users except Admin@contoso.com when accessing any app from mobile apps or desktop clients
D.Requires MFA for all users accessing all apps from any device
AnswerC

Matches the policy conditions and grant controls.

Why this answer

Option C is correct because the Conditional Access policy JSON targets all users except a specific group containing Admin@contoso.com, applies to all cloud apps, and requires MFA for the 'Browser' and 'Mobile apps and desktop clients' client app types. This effectively enforces MFA for all users except the excluded admin when accessing any app from either web browsers or native/mobile clients, as defined by the 'clientAppTypes' condition.

Exam trap

The trap here is that candidates often overlook the 'ExcludeUsers' array and assume the policy applies to all users, or they misinterpret 'clientAppTypes' as applying to all devices rather than specific client application types like browser and mobile/desktop apps.

How to eliminate wrong answers

Option A is wrong because the policy explicitly excludes a user (Admin@contoso.com) via the 'users' condition with an 'ExcludeUsers' array, so it does not require MFA for all users. Option B is wrong because the policy does not block access; it grants access with MFA, and it applies to both 'Mobile apps and desktop clients' and 'Browser' client types, not exclusively mobile apps. Option D is wrong because the policy does not apply to all devices; it applies to specific client app types (Browser and Mobile apps/desktop clients), and it excludes a specific user, so it is not universal for all users or all devices.

371
MCQmedium

A compliance officer needs to prevent users from sending emails that contain social security numbers to external recipients. When a user attempts to send such an email from Outlook, the email should be blocked and a policy tip should be displayed explaining why the email was blocked. Which Microsoft Purview solution should the officer configure?

A.Data Loss Prevention (DLP) policy
B.Sensitivity labels
C.Communication compliance
D.eDiscovery
AnswerA

Correct. DLP policies in Exchange Online can block emails containing sensitive data and show policy tips in Outlook.

Why this answer

A Data Loss Prevention (DLP) policy in Microsoft Purview is designed to detect sensitive information, such as social security numbers, in emails and enforce actions like blocking the message and displaying a policy tip. This meets the compliance officer's requirement to prevent external sending of sensitive data while providing user notification.

Exam trap

Microsoft often tests the distinction between DLP (which can block and notify in real-time) and sensitivity labels (which apply protection but do not block sending based on content detection), leading candidates to confuse classification with enforcement.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data through encryption and visual markings but do not natively block outbound emails based on content detection or display policy tips. Option C is wrong because communication compliance focuses on monitoring and reviewing internal/external communications for policy violations (e.g., harassment or insider trading) rather than real-time blocking of specific sensitive data patterns. Option D is wrong because eDiscovery is used for searching and exporting content for legal or investigative purposes, not for preventing data exfiltration or enforcing real-time email restrictions.

372
MCQmedium

A compliance officer needs to ensure that all outbound emails containing credit card numbers sent to external recipients are automatically encrypted without requiring user intervention. Which Microsoft Purview feature should be configured?

A.Data Loss Prevention (DLP) policy with a rule that encrypts the message when credit card numbers are detected.
B.Sensitivity label with auto-labeling based on credit card numbers.
C.Retention policy for Exchange Online.
D.eDiscovery case for content search.
AnswerA

DLP can detect sensitive info and enforce encryption using Rights Management, all without user action.

Why this answer

Option A is correct because a Data Loss Prevention (DLP) policy in Microsoft Purview can be configured with a rule that automatically detects credit card numbers (using a built-in sensitive info type) and applies encryption via Transport Layer Security (TLS) or Information Rights Management (IRM) to outbound emails sent to external recipients. This meets the compliance officer's requirement for automatic encryption without user intervention, as the DLP rule triggers encryption at the transport level in Exchange Online.

Exam trap

The trap here is that candidates often confuse auto-labeling with sensitivity labels (Option B) as a direct encryption mechanism, but auto-labeling does not automatically encrypt outbound emails at the transport layer—it only applies labels, and encryption requires additional configuration (e.g., via a DLP policy or a label's protection settings) that may not trigger without user action or client-side processing.

How to eliminate wrong answers

Option B is wrong because sensitivity labels with auto-labeling can classify and protect content based on credit card numbers, but they do not automatically encrypt outbound emails at the transport level; they apply protection at the item level (e.g., file or email) and require user interaction or client-side auto-labeling, which may not encrypt messages in transit to external recipients without manual steps. Option C is wrong because a retention policy for Exchange Online is used to retain or delete emails based on age or criteria, not to encrypt outbound messages; it does not provide real-time encryption triggered by content detection. Option D is wrong because an eDiscovery case for content search is used to search, hold, and export content for legal or investigative purposes, not to enforce encryption on outbound emails; it is a discovery tool, not a protection mechanism.

373
MCQeasy

A user reports they cannot access Microsoft Teams. They see a message: 'Your account is not enabled for Teams.' You verify the user has a valid Microsoft 365 E3 license assigned. What is the most likely cause?

A.The user does not have the correct Microsoft Entra ID role.
B.The user is not assigned a valid license.
C.The Teams service plan is disabled in the user's license.
D.The user is not a global administrator.
AnswerC

The Teams service plan must be enabled for the user.

Why this answer

The error 'Your account is not enabled for Teams' indicates that the Teams service plan is disabled within the user's assigned Microsoft 365 E3 license. Even with a valid license, each service plan (e.g., Teams, Exchange Online, SharePoint) can be individually toggled on or off via the Microsoft 365 admin center or PowerShell. Since the user has a valid license but cannot access Teams, the most likely cause is that the Teams service plan has been explicitly disabled.

Exam trap

The trap here is that candidates often assume a valid license automatically enables all included services, but Microsoft 365 allows granular control over service plans, so a license assignment does not guarantee Teams is enabled.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID roles (e.g., Global Administrator, Teams Administrator) control administrative permissions, not the ability to use Teams as an end user; a user without any admin role can still access Teams if the service plan is enabled. Option B is wrong because the scenario explicitly states the user has a valid Microsoft 365 E3 license assigned, so the issue is not a missing license. Option D is wrong because being a Global Administrator is not required to use Teams; the error message is about service enablement, not administrative privileges.

374
MCQmedium

Your organization recently deployed Microsoft Defender for Office 365. Users report that some legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives without compromising security. What should you do?

A.Increase the Spam Confidence Level (SCL) threshold to 9
B.Disable the anti-phishing policy and use a custom mail flow rule
C.Add the sender domains to the allowed senders list in the anti-phishing policy
D.Change the spam filtering action to 'Move message to Junk Email folder' instead of quarantine
AnswerC

This allows trusted senders without affecting other protections.

Why this answer

Option C is correct because adding the sender domains to the allowed senders list in the anti-phishing policy explicitly whitelists those domains for phishing checks, reducing false positives while still scanning for other threats. This approach preserves security by not lowering the overall spam filtering threshold or disabling protections, and it targets only the specific domains that are being incorrectly flagged.

Exam trap

The trap here is that candidates often confuse the anti-phishing policy's allowed senders list with the tenant-level allowed/blocked list in the anti-spam policy, or they mistakenly think changing the action to junk email reduces false positives when it only changes the delivery outcome, not the detection logic.

How to eliminate wrong answers

Option A is wrong because increasing the SCL threshold to 9 would make the filter less sensitive, allowing more spam and phishing to reach users, which compromises security. Option B is wrong because disabling the anti-phishing policy removes critical protection against sophisticated phishing attacks, and a custom mail flow rule cannot replicate the advanced heuristics and impersonation detection of the built-in policy. Option D is wrong because changing the action to 'Move message to Junk Email folder' instead of quarantine still applies the same false-positive classification; it only changes the delivery location, not the underlying detection logic, so legitimate emails would still be incorrectly categorized.

375
MCQhard

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You need to protect a custom SaaS application that uses SAML-based SSO. The application does not support Conditional Access. You want to enforce session controls such as blocking downloads of sensitive files. What should you implement?

A.Deploy Microsoft Defender for Cloud Apps Conditional Access App Control and route the application through Defender for Cloud Apps.
B.Implement a reverse proxy from a third-party vendor.
C.Create a custom application registration and set app roles.
D.Configure the application to use Microsoft Entra ID as the identity provider and enable Conditional Access policies.
AnswerA

App Control provides session-level controls.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps Conditional Access App Control acts as a reverse proxy that can enforce session policies—such as blocking downloads of sensitive files—on any SAML-based SaaS application, even if the application itself does not support Conditional Access. By routing the application's traffic through Defender for Cloud Apps, you can apply granular session controls at the proxy layer without modifying the application.

Exam trap

The trap here is that candidates often assume that enabling Entra ID as the identity provider and applying Conditional Access policies is sufficient, but they overlook that the application must support Conditional Access (i.e., be capable of enforcing the resulting controls) for those policies to work; when the app does not, a proxy-based solution like Defender for Cloud Apps App Control is required.

How to eliminate wrong answers

Option B is wrong because while a third-party reverse proxy could theoretically provide similar controls, the question specifically asks for a solution within the Microsoft ecosystem (Entra ID P2 and Defender for Cloud Apps), and Microsoft's own solution is the recommended and integrated approach. Option C is wrong because creating a custom application registration and setting app roles only manages authentication and authorization within Entra ID, but does not provide session-level controls like blocking file downloads. Option D is wrong because the application does not support Conditional Access, so configuring it to use Entra ID as the identity provider and enabling Conditional Access policies would have no effect—Conditional Access requires the application to be capable of interpreting and enforcing the resulting claims or tokens.
