Microsoft 365 Administrator MS-102 (MS-102) — Questions 376–450

975 questions total · 13 pages · All types, answers revealed

Page 6 of 13

376
MCQmedium

Your organization uses Microsoft 365 Business Premium. You need to configure Windows 365 Cloud PCs for 10 users who require access to a custom line-of-business (LOB) application that is not compatible with Windows 11. The LOB app requires Windows 10 and 8 GB RAM. What is the most cost-effective Cloud PC configuration that meets the requirements?

A.Windows 365 Business Standard license and a custom Windows 10 image.
B.Windows 365 Business Advanced license and a custom Windows 11 image.
C.Windows 365 Enterprise license with GPU.
D.Windows 365 Business Basic license and a custom Windows 10 image.
AnswerA

Standard provides 2 vCPU and 8 GB RAM, the smallest Windows 365 Business size that meets the requirement.

Why this answer

Option A is correct because Windows 365 Business Standard (2 vCPU, 8 GB RAM, 128 GB storage) is the lowest-cost Business size that satisfies the 8 GB requirement; Business Basic is 2 vCPU with 4 GB RAM and would not meet the app's memory needs. The Cloud PC must be provisioned with Windows 10 because the app is incompatible with Windows 11. One caveat for practitioners: Windows 365 Business provisions from Microsoft's gallery images (both Windows 10 and Windows 11 images are offered), while uploading your own custom image is a Windows 365 Enterprise feature, so for a Business deployment read "custom Windows 10 image" as "a Windows 10 image".

Exam trap

The trap here is that candidates might pick Basic for cost savings and overlook the 8 GB RAM requirement, or assume Windows 11 runs every Windows 10 application and choose a Windows 11 image.

How to eliminate wrong answers

Option B is wrong because it specifies a Windows 11 image, which the LOB application does not support, and a higher Business tier costs more without adding anything this scenario needs. Option C is wrong because Windows 365 Enterprise with a GPU-backed size is significantly more costly; the LOB app does not require GPU acceleration, and Enterprise licensing is unnecessary for 10 users when Business licenses suffice. Option D is wrong because Windows 365 Business Basic provides only 4 GB RAM, which does not meet the application's 8 GB requirement.

377
MCQeasy

You are a compliance administrator. You need to search for emails that contain trade secrets sent by a specific user in the last month. The search must include all mailboxes. What should you use?

A.eDiscovery (Premium) case.
B.Data Loss Prevention reports.
C.Audit log search.
D.Content search in Microsoft Purview.
AnswerD

Content search can search mailboxes for keywords and date ranges.

Why this answer

Content search in Microsoft Purview runs a keyword and date-range query across all Exchange mailboxes (and other locations) without first creating a case. Option D is correct. Option A is wrong because eDiscovery (Premium) is built for case management, custodians, legal holds and review sets; it can run the same search, but it is more than this scenario requires. Option B is wrong because DLP reports show policy matches, not search results over mailbox content.

Option C is wrong because the audit log records activities (who did what, and when), not message content.
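The same search from Security & Compliance PowerShell, as an added example that is not part of the original question set. The sender address, search name and the "trade secret" phrase are placeholders; the cmdlets are the standard ExchangeOnlineManagement ones.

```powershell
# Added example: run a Purview content search across all mailboxes for
# messages sent by one user in the last month that mention trade secrets.
# Requires the ExchangeOnlineManagement module and a role that grants the
# Compliance Search permission (for example eDiscovery Manager).
Connect-IPPSSession

$sender = 'alice@contoso.com'     # placeholder: the user under investigation
$from   = (Get-Date).AddMonths(-1).ToString('yyyy-MM-dd')
$to     = (Get-Date).ToString('yyyy-MM-dd')

# KQL: messages FROM the user, in the date range, containing the phrase.
# The phrase is quoted so it matches as a phrase, not two separate terms.
$kql = "from:`"$sender`" AND sent>=$from AND sent<=$to AND `"trade secret`""

$searchName = "TradeSecret-$sender-$(Get-Date -Format yyyyMMdd)"

# -ExchangeLocation All covers every mailbox in the tenant; narrow it, or
# add -SharePointLocation, if the scope of the request is different.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -ContentMatchQuery $kql `
    -Description 'Trade secret exfiltration check' | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the estimate completes, then report hit count and size.
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity $searchName
} while ($s.Status -ne 'Completed')

'{0}: {1} items, {2} bytes, status {3}' -f $s.Name, $s.Items, $s.Size, $s.Status

# Queue an export of the results; the package is downloaded from the
# Purview portal, where a preview of the hits is also available.
New-ComplianceSearchAction -SearchName $searchName -Export | Out-Null
```

The search object is reusable: edit the query with Set-ComplianceSearch and re-run Start-ComplianceSearch rather than creating a new search for every refinement.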

378
Drag & Dropmedium

Drag and drop the steps to deploy Microsoft Defender for Office 365 policies in the correct order.


Why this order

Defender for Office 365 policies are created in the Defender portal, configured with threat protection settings, and applied to recipients.

379
Multi-Selecthard

Your organization uses Microsoft Sentinel for security operations. You need to ensure that Sentinel can ingest logs from Microsoft 365 Defender (XDR) and Microsoft Entra ID. Which THREE data connectors should you enable? (Choose three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Purview Information Protection
C.Microsoft Entra ID (formerly Azure AD)
D.Microsoft Intune
E.Microsoft Defender for Office 365 (formerly Office 365 ATP)
AnswersA, C, E

The Defender for Endpoint connector ingests endpoint detection and response telemetry; the Entra ID and Defender for Office 365 connectors cover the identity and email sides.

Why this answer

Microsoft Defender for Endpoint (A) is correct because its connector brings endpoint detection and response (EDR) alerts, and with the Defender XDR integration the raw device tables (DeviceEvents, DeviceProcessEvents and so on), from Windows, macOS and Linux devices into Microsoft Sentinel. Microsoft Entra ID (C) is correct because its connector streams SignInLogs and AuditLogs (plus optional provisioning, risk and managed identity logs), which is the identity half of the requirement. Microsoft Defender for Office 365 (E) is correct because it delivers email and collaboration alerts (and, through the Defender XDR connector, the EmailEvents family of tables). Together they let security operations correlate endpoint, identity and email signals for advanced hunting and automated incident response.

Exam trap

The trap here is that candidates reach for Microsoft Purview Information Protection or Intune because they sound security-related, but they are governance and device-management tools; their telemetry is not what carries the Defender XDR and Entra ID signals the question asks you to ingest.
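Once the connectors are enabled, the check a SOC engineer wants is whether each one is actually delivering rows. The following is an added example, not part of the original page: it queries the Sentinel workspace through the Az.OperationalInsights module. The workspace ID is a placeholder, and the table-to-connector mapping reflects the standard Sentinel schema.

```powershell
# Added example: confirm that each data connector is populating its tables.
# Requires Az.Accounts and Az.OperationalInsights, plus Log Analytics Reader
# on the workspace. Workspace ID is a placeholder.
Connect-AzAccount | Out-Null
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Table -> the connector that populates it.
$expected = [ordered]@{
    'SigninLogs'    = 'Microsoft Entra ID'
    'AuditLogs'     = 'Microsoft Entra ID'
    'DeviceEvents'  = 'Microsoft Defender for Endpoint (via Defender XDR)'
    'EmailEvents'   = 'Microsoft Defender for Office 365 (via Defender XDR)'
    'SecurityAlert' = 'Alert connectors (Defender for Endpoint / Office 365)'
}

foreach ($table in $expected.Keys) {
    # Row count over the last 24h. 0 rows means the connector is not enabled,
    # not licensed, or has not started streaming yet; -1 means the table does
    # not exist at all in this workspace (the connector never delivered data).
    $kql = "$table | where TimeGenerated > ago(24h) | count | project n=Count"
    try {
        $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
        $n = [int]$r.Results[0].n
    } catch {
        $n = -1
    }
    '{0,-14} {1,8}  <- {2}' -f $table, $n, $expected[$table]
}

# Break SecurityAlert down by provider to see which Defender product is
# raising alerts (MDATP = Defender for Endpoint, OATP = Defender for
# Office 365, IPC = Entra ID Protection).
$byProvider = 'SecurityAlert | where TimeGenerated > ago(7d) | summarize n=count() by ProviderName | order by n desc'
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $byProvider).Results |
    Format-Table ProviderName, n -AutoSize
```

Run this a day after enabling the connectors; the alert connectors only show rows when an alert has actually fired, so an empty SecurityAlert table on a quiet tenant is not by itself a failure.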

380
MCQhard

Your company uses Microsoft Defender XDR and Microsoft Defender for Cloud Apps. You have discovered that a user's credentials were compromised and used to access a SaaS application from an unusual location. You need to automatically suspend the user's access to all cloud apps and require a password reset. The suspension should be immediate upon detection. What should you do?

A.In Microsoft Defender for Cloud Apps, create a session policy that uses the 'Suspend user' governance action and configure it to require password reset.
B.Create a playbook in Microsoft Sentinel that disables the user account in Microsoft Entra ID.
C.Set up a conditional access policy in Microsoft Entra ID to block all access from unusual locations.
D.Configure an automated investigation rule in Microsoft Defender XDR to reset the user's password.
AnswerA

Correct: a Defender for Cloud Apps policy can suspend the user as a governance action and, by confirming the user compromised, raise the Entra ID user risk that a user risk policy turns into a forced password change.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps policies carry governance actions that run as soon as the policy matches: 'Suspend user' disables the account, 'Require user to sign in again' revokes refresh tokens, and 'Confirm user compromised' sets the user's risk level to High in Microsoft Entra ID Protection, which a user risk Conditional Access policy turns into a mandatory password change. The unusual-location detection itself is an anomaly detection policy ('Activity from infrequent country' or 'Impossible travel'), and the governance actions are configured on that policy; the option's 'session policy' wording is loose, since session policies control live sessions through Conditional Access App Control rather than carrying the suspend action. Option B is wrong because a Sentinel playbook that disables the account does not force a password change and runs after the alert has been ingested into Sentinel, not at detection time.

Option C is wrong because Conditional Access blocking sign-ins from unusual locations is preventive: it neither suspends a user who has already authenticated nor forces a reset. Option D is wrong because automated investigation and response in Defender XDR does not reset passwords.

381
MCQhard

You are troubleshooting why a user cannot access a SharePoint Online site. The user is assigned a Conditional Access policy that requires compliant device, and the device is enrolled in Microsoft Intune but shows as non-compliant. What is the most likely cause?

A.The device is non-compliant due to missing security updates
B.The device is not enrolled in Microsoft Intune
C.The Conditional Access policy is not applied to SharePoint Online
D.The user does not have an Intune license
AnswerA

The device is enrolled but reported non-compliant, so the Conditional Access 'require compliant device' grant control blocks it.

Why this answer

Option A is correct because the device is enrolled but evaluated as non-compliant; the most common cause is a failed compliance policy setting such as missing security updates, and Conditional Access blocks access on that basis. Option B is wrong because the scenario states the device is enrolled. Option C is wrong because the block shows the policy is being applied to SharePoint Online as designed.

Option D is wrong because enrollment into Intune already requires a license, so the user's licensed state is not in question.
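The troubleshooting steps behind this answer, as an added example that is not from the original page: read the failed sign-in from the Entra sign-in log to see which policy fired and what device state it saw, then read the device's compliance evaluation from Intune to find the failing setting. The UPN is a placeholder, and the Get-MgDeviceManagementManagedDeviceCompliancePolicyState cmdlet name is taken from the Microsoft.Graph.DeviceManagement module as I know it; verify it against your module version.

```powershell
# Added example: find out why Conditional Access blocked the user and which
# Intune compliance setting failed. Requires Microsoft.Graph; UPN is a placeholder.
Connect-MgGraph -Scopes 'AuditLog.Read.All','DeviceManagementManagedDevices.Read.All' | Out-Null
$upn = 'user@contoso.com'   # placeholder

# 1. Latest sign-ins to SharePoint Online where Conditional Access failed.
$signIns = Get-MgAuditLogSignIn -Top 20 `
    -Filter "userPrincipalName eq '$upn' and conditionalAccessStatus eq 'failure'" |
    Where-Object { $_.ResourceDisplayName -like '*SharePoint*' }

foreach ($s in $signIns) {
    $ca = $s.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure'
    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        Device    = $s.DeviceDetail.DisplayName
        DeviceId  = $s.DeviceDetail.DeviceId
        Compliant = $s.DeviceDetail.IsCompliant   # False here is what triggered the block
        Managed   = $s.DeviceDetail.IsManaged
        Policy    = ($ca.DisplayName -join ', ')
        Controls  = ($ca.EnforcedGrantControls -join ', ')
    }
}

# 2. Look up the user's most recently synced device in Intune and list the
#    compliance settings that are not in the 'compliant' state.
$device = Get-MgUserManagedDevice -UserId $upn |
    Sort-Object LastSyncDateTime -Descending | Select-Object -First 1

'Intune device {0}: complianceState={1}, lastSync={2}' -f `
    $device.DeviceName, $device.ComplianceState, $device.LastSyncDateTime

Get-MgDeviceManagementManagedDeviceCompliancePolicyState -ManagedDeviceId $device.Id |
    ForEach-Object {
        $policy = $_.DisplayName
        $_.SettingStates | Where-Object State -ne 'compliant' |
            Select-Object @{n='Policy'; e={ $policy }}, Setting, State, ErrorDescription
    }
```

A stale LastSyncDateTime is worth checking before anything else: a device that has not checked in for days may be reported non-compliant simply because its evaluation is out of date.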

382
MCQeasy

A compliance officer needs to identify documents in SharePoint Online that contain confidential business information by using a machine learning model. Which Microsoft Purview solution should be configured?

A.Data Lifecycle Management
B.Information Protection (trainable classifiers)
C.eDiscovery
D.Communication Compliance
AnswerB

Trainable classifiers are machine learning models that identify content patterns and can trigger sensitivity labels or other actions.

Why this answer

Option B is correct because trainable classifiers in Microsoft Purview Information Protection use machine learning models to identify documents containing sensitive or confidential business information based on content patterns and context. Unlike simple keyword matching, trainable classifiers learn from sample documents to accurately detect specific types of confidential data, such as intellectual property or financial reports, in SharePoint Online.

Exam trap

The trap here is that candidates often confuse trainable classifiers with simple keyword-based sensitivity labels or DLP policies, but the question specifically requires a machine learning model, which only trainable classifiers provide.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retention and deletion policies for data governance, not on identifying confidential content via machine learning. Option C is wrong because eDiscovery is designed for legal discovery and search of content for litigation or investigation, not for proactive classification using ML models. Option D is wrong because Communication Compliance monitors communications (e.g., email, Teams) for policy violations like harassment or insider trading, not for identifying confidential business documents in SharePoint.

383
MCQeasy

You need to grant a vendor access to a specific SharePoint Online site for a limited time. The vendor does not have an account in your Microsoft Entra ID. What should you use?

A.Create a user account via Microsoft Entra Connect
B.Configure self-service sign-up user flow
C.Assign the vendor a guest user account with no expiration
D.Use Microsoft Entra B2B collaboration and set an expiration for the guest user
AnswerD

B2B collaboration invites external users and can set access expiration.

Why this answer

Microsoft Entra B2B collaboration lets you invite an external user (the vendor) as a guest so they can access your organization's resources, including a SharePoint Online site, without an account in your tenant; they sign in with their own identity. Time-limited access is then enforced by policy rather than by hand: the SharePoint Online tenant setting that expires guest access to sites after a set number of days, an entitlement management access package with an expiration, or a recurring access review that removes guests who no longer need access. Any of these meets the requirement for limited-time access without someone remembering to remove the guest.

Exam trap

The trap here is that candidates often confuse B2B collaboration with creating a new user account (Option A) or assume that self-service sign-up (Option B) is appropriate for a single vendor, when in fact B2B collaboration is the correct method for granting external users time-limited access without managing their identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used to synchronize on-premises Active Directory identities to Microsoft Entra ID, not to create accounts for external vendors who do not have an existing identity in your organization. Option B is wrong because self-service sign-up user flow is designed for customers or partners to create their own accounts in your tenant for app registration or B2C scenarios, not for granting a specific vendor access to a SharePoint site with controlled expiration. Option C is wrong because assigning a guest user account with no expiration does not meet the requirement for limited-time access; it would grant permanent access unless manually removed, which is not automated or policy-driven.
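What the correct answer looks like in practice, as an added example that is not part of the original page: invite the guest through Microsoft Graph PowerShell, then make guest access to SharePoint sites expire automatically with the SharePoint Online tenant setting. The vendor address, site URL, tenant name and the 30-day window are placeholders.

```powershell
# Added example: B2B-invite a vendor and make the guest's SharePoint access expire.
# Requires Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell.
Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All' | Out-Null

$invite = New-MgInvitation `
    -InvitedUserEmailAddress 'vendor@partner.example' `
    -InvitedUserDisplayName  'Vendor (Partner)' `
    -InviteRedirectUrl       'https://contoso.sharepoint.com/sites/VendorProject' `
    -SendInvitationMessage:$true

'Guest object id: {0}  invitation status: {1}' -f $invite.InvitedUser.Id, $invite.Status

# Tag the guest so it is easy to find in reports and access reviews later.
Update-MgUser -UserId $invite.InvitedUser.Id -CompanyName 'Partner (vendor)' -Department 'External'

# Tenant-wide expiry for guest access to SharePoint and OneDrive: after the
# number of days below, the guest's access to a site is removed unless a site
# owner extends it. This expires per-site access, not the guest account itself.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30

# Verify the setting took effect.
Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
```

The SharePoint expiry removes the guest's access to the site; the guest object remains in Entra ID, so pair it with an access review or a periodic cleanup of guests with no remaining assignments if you also want the account gone.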

384
MCQmedium

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the conditional access policies you have configured for data access. What should you do?

A.Use Microsoft Defender for Cloud Apps session controls
B.Configure Privileged Identity Management (PIM) for Copilot roles
C.Enable Identity Protection for Copilot users
D.Apply sensitivity labels to data and configure conditional access policies to require labels
AnswerD

Copilot only surfaces content the user can already access, and sensitivity labels are the Purview control that restricts what it may use from that content.

Why this answer

Option D is correct because Microsoft Copilot for Microsoft 365 retrieves content through Microsoft Graph with the signed-in user's own permissions and honours Microsoft Purview sensitivity labels on that content: where a label applies encryption, Copilot only summarises or reuses the file if the user holds the EXTRACT usage right, and the label is inherited by what Copilot produces. Sensitivity labels also connect to Conditional Access directly: a container label on a SharePoint site can require a Conditional Access authentication context, so the site (and therefore the data Copilot would ground on) is only reachable when the policy's conditions, such as device compliance or sign-in risk, are met. Labels combined with Conditional Access is therefore the configuration that governs what Copilot may read.

Exam trap

The trap here is that candidates look for a Copilot-specific switch. There is none: Copilot inherits the user's permissions and the tenant's Conditional Access policies like any other Microsoft 365 app, and the data-level control is done with sensitivity labels, optionally bound to Conditional Access through authentication contexts.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps session controls monitor and control user sessions in SaaS apps through Conditional Access App Control; they do not govern which organizational data Copilot may ground on. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval for privileged roles, not data access by Copilot. Option C is wrong because Identity Protection detects and scores sign-in and user risk; it feeds risk signals into Conditional Access but does not itself govern which data Copilot may use.

385
Multi-Selectmedium

A multinational company uses Microsoft 365 E5 licenses for all employees. Due to a recent cost optimization initiative, the IT department must remove Microsoft Entra ID Plan 2 and Microsoft Defender for Office 365 Plan 2 from a subset of users, while retaining the core Microsoft 365 E5 functionality (Exchange Online, SharePoint Online, Teams, and Microsoft 365 Apps). The company uses group-based licensing with dynamic groups. You need to recommend a licensing strategy that minimizes administrative effort and avoids service disruption. Which three of the following steps should you include in your strategy? (Choose three.)

Select 3 answers
A.Create a new Microsoft 365 E5 license SKU that excludes the add-on services and assign this custom SKU to the affected users via a dynamic group.
B.Identify the GUIDs of the service plans to be disabled (Microsoft Entra ID Plan 2 and Defender for Office 365 Plan 2) and use the Set-MgUserLicense cmdlet with the -RemoveLicenses parameter to remove specific service plans from existing licenses.
C.Use a dynamic group to assign the standard Microsoft 365 E5 license but configure the group’s license assignment to disable the unwanted service plans by specifying the disabled service plan GUIDs in the license assignment configuration.
D.Remove the Microsoft 365 E5 license from all users in the affected group and then assign a new, lower-cost license such as Microsoft 365 E3 to those users.
E.Use Microsoft Entra ID Governance’s Access Reviews to automatically remove the unwanted service plans from the affected users’ licenses on a recurring basis.
F.Use Microsoft Graph PowerShell to bulk-update the existing group-based licensing assignment for the affected dynamic group, specifying the service plans to disable in the -DisabledServicePlans parameter.
AnswersB, C, F

Why this answer

The correct approach keeps the Microsoft 365 E5 SKU and disables the two service plans (Microsoft Entra ID P2, service plan name AAD_PREMIUM_P2, and Defender for Office 365 Plan 2, service plan name THREAT_INTELLIGENCE) inside the group's license assignment, so the dynamic group keeps doing the assignment work and the rest of E5 is untouched. The options paraphrase the cmdlets loosely: in Microsoft Graph PowerShell the plans are disabled by passing the SKU together with a DisabledPlans array in -AddLicenses to Set-MgGroupLicense (or Set-MgUserLicense for a one-off user), while -RemoveLicenses removes an entire SKU rather than a plan. Two practical caveats: when you update an existing assignment you must supply the complete list of disabled plans, not only the new ones, because the list is replaced rather than appended; and disabling a service plan changes what the user receives, not what the SKU costs.

Exam trap

The trap here is that candidates may think a custom SKU or a license downgrade is necessary, but you cannot create SKUs: Microsoft 365 E5 is assigned as a whole SKU, and unwanted service plans are turned off at the assignment level.

386
MCQmedium

Your organization is deploying Microsoft 365 and needs to ensure that all new users are automatically assigned a Microsoft 365 Business Basic license. You want to use a group-based licensing strategy with an Azure AD security group. What should you do first?

A.Configure directory synchronization and create the group in on-premises Active Directory.
B.Create a dynamic Azure AD group with a rule for user attributes and enable self-service group management.
C.Assign the license directly to each user via the Microsoft 365 admin center.
D.Create a new Azure AD security group and assign the license to the group.
AnswerD

Group-based licensing requires a security group with the license assignment.

Why this answer

Option D is correct because group-based licensing in Azure AD requires you to first create a security group (which can be cloud-only or synced) and then assign the Microsoft 365 Business Basic license directly to that group. Once the license is assigned to the group, all members automatically receive the license, including new users added to the group. This approach centralizes license management and ensures automatic assignment without manual intervention.

Exam trap

The trap here is that candidates often think they must first configure directory synchronization (Option A) or create a dynamic group (Option B) before assigning a license to a group, but the correct first step is simply to create a security group and assign the license to it, as group-based licensing works with any Azure AD security group, including cloud-only static groups.

How to eliminate wrong answers

Option A is wrong because directory synchronization and creating the group in on-premises Active Directory is not the first step; you can use a cloud-only Azure AD security group without requiring on-premises sync, and the question does not specify a hybrid environment. Option B is wrong because creating a dynamic group with a user attribute rule and enabling self-service group management is not the first step; while dynamic groups can be used for licensing, the initial requirement is to create a security group and assign the license to it, not to configure dynamic membership or self-service. Option C is wrong because assigning licenses directly to each user via the Microsoft 365 admin center is a manual, per-user approach that contradicts the group-based licensing strategy specified in the question.
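One script covering both this question and the previous one (385), as an added example that is not part of the original page: it creates a cloud security group and assigns a SKU to it (the first step asked for here), then disables individual service plans on an existing group assignment without touching the rest of the SKU. The group names are placeholders; the SKU part numbers (O365_BUSINESS_ESSENTIALS for Business Basic, SPE_E5 for Microsoft 365 E5) and service plan names (AAD_PREMIUM_P2, THREAT_INTELLIGENCE) are the standard identifiers and are resolved to GUIDs at run time rather than hard-coded.

```powershell
# Added example (questions 385 and 386): group-based licensing with Microsoft Graph
# PowerShell, including disabling service plans on a group assignment.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Organization.Read.All','User.Read.All' | Out-Null

function Get-SkuByPartNumber([string]$PartNumber) {
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber is not present in this tenant" }
    return $sku
}

# --- Q386: first step, create the security group and assign the license ---
$group = New-MgGroup -DisplayName 'LIC-M365-Business-Basic' `
    -MailEnabled:$false -MailNickname 'lic-m365-business-basic' -SecurityEnabled:$true

$basic = Get-SkuByPartNumber 'O365_BUSINESS_ESSENTIALS'   # Microsoft 365 Business Basic
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $basic.SkuId }) -RemoveLicenses @() | Out-Null
"Assigned $($basic.SkuPartNumber) to group $($group.DisplayName)"

# --- Q385: disable service plans on an existing E5 group assignment ---
function Disable-GroupServicePlans {
    param(
        [string]$GroupId,
        [string]$SkuPartNumber,
        [string[]]$PlanNames       # service plan names, e.g. AAD_PREMIUM_P2
    )
    $sku = Get-SkuByPartNumber $SkuPartNumber

    # Resolve plan names to the GUIDs the license API expects.
    $toDisable = foreach ($name in $PlanNames) {
        $p = $sku.ServicePlans | Where-Object ServicePlanName -eq $name
        if (-not $p) { throw "Plan $name is not part of $SkuPartNumber" }
        $p.ServicePlanId
    }

    # Merge with plans already disabled on this group's assignment: the API
    # replaces the DisabledPlans list, it does not append to it.
    $g = Get-MgGroup -GroupId $GroupId -Property AssignedLicenses
    $current = ($g.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId).DisabledPlans
    $merged = @(($current + $toDisable) | Select-Object -Unique)

    Set-MgGroupLicense -GroupId $GroupId `
        -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $merged }) `
        -RemoveLicenses @() | Out-Null
    return $merged
}

$e5GroupId = (Get-MgGroup -Filter "displayName eq 'LIC-M365-E5-Reduced'").Id   # placeholder group
$disabled = Disable-GroupServicePlans -GroupId $e5GroupId -SkuPartNumber 'SPE_E5' `
    -PlanNames 'AAD_PREMIUM_P2','THREAT_INTELLIGENCE'
"Disabled plan ids on group: $($disabled -join ', ')"

# Verify from a member's perspective: both plans should show ProvisioningStatus Disabled.
$member = Get-MgGroupMember -GroupId $e5GroupId -Top 1
Get-MgUserLicenseDetail -UserId $member.Id |
    Where-Object SkuPartNumber -eq 'SPE_E5' |
    Select-Object -ExpandProperty ServicePlans |
    Where-Object ServicePlanName -in @('AAD_PREMIUM_P2','THREAT_INTELLIGENCE') |
    Select-Object ServicePlanName, ProvisioningStatus
```

Group license processing is asynchronous; if the verification step still shows the plans as provisioned, wait a few minutes and check the group's licensing errors (Get-MgGroup with -Property LicenseProcessingState) before assuming the change failed.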

387
MCQmedium

A compliance officer needs to automatically apply a sensitivity label named 'Confidential' to documents stored in SharePoint Online whenever the documents contain social security numbers. Users must be prevented from removing the label. Which configuration should the officer implement?

A.Create a retention label with auto-labeling based on sensitive info types
B.Create a sensitivity label with auto-labeling and set 'Mark content as mandatory'
C.Use Microsoft Information Protection (MIP) unified labeling client to apply labels
D.Configure Data Loss Prevention (DLP) policy to apply the label
AnswerB

Service-side auto-labeling applies the label; the label policy's mandatory-label and downgrade-justification settings are what keep users from simply removing it.

Why this answer

Option B is correct because sensitivity labels support auto-labeling based on sensitive information types (here the built-in U.S. Social Security Number type) through a service-side auto-labeling policy scoped to SharePoint Online, and the label policy settings 'Require users to apply a label' and 'Users must provide a justification to remove a label or lower its classification' are what stop users from quietly removing it. Two details matter in practice: an auto-labeling policy does not replace a label a user applied manually, and a user who supplies a justification can still downgrade; the justification is recorded in the audit log rather than the downgrade being refused outright.

Exam trap

The trap here is confusing retention labels (which handle lifecycle) with sensitivity labels (which handle classification and protection), leading candidates to pick Option A when they see 'auto-labeling' without understanding the label type's purpose.

How to eliminate wrong answers

Option A is wrong because retention labels govern retention and deletion, not classification or protection; they cannot apply a sensitivity label or prevent one from being removed. Option C is wrong because the unified labeling client is a Windows client add-in (now retired in favour of labeling built into the Office apps) that labels files on the user's device; it plays no part in service-side auto-labeling in SharePoint Online and cannot enforce mandatory labeling there. Option D is wrong because DLP policies detect sensitive data and take actions such as blocking or notifying; they do not apply sensitivity labels, although they can use an existing label as a condition.
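The configuration behind option B, as an added example that is not part of the original page, using Security & Compliance PowerShell. The policy name and the label policy name are placeholders, the 'Confidential' label is assumed to already exist, and the Settings keys passed to Set-LabelPolicy are the mandatory / requiredowngradejustification keys as I know them from the cmdlet documentation.

```powershell
# Added example: auto-label SSN-bearing SharePoint documents as Confidential and
# require a justification before the label can be removed or lowered.
Connect-IPPSSession

# 1. Service-side auto-labeling policy for SharePoint Online.
#    Start in simulation so matches can be reviewed before anything is enforced.
New-AutoSensitivityLabelPolicy -Name 'Auto-Confidential-SSN' `
    -ApplySensitivityLabel 'Confidential' `
    -SharePointLocation All `
    -Mode TestWithoutNotifications `
    -Comment 'Label documents containing US SSNs' | Out-Null

# Rule: at least one SSN match at high confidence triggers the label.
New-AutoSensitivityLabelRule -Policy 'Auto-Confidential-SSN' `
    -Name 'SSN-present' `
    -ContentContainsSensitiveInformation @{
        Name          = 'U.S. Social Security Number (SSN)'
        minCount      = '1'
        minConfidence = '85'
    } | Out-Null

# 2. Label policy settings that keep the label in place once applied:
#    mandatory labeling plus a justification on removal or downgrade.
Set-LabelPolicy -Identity 'Global-Sensitivity-Policy' -Settings @{
    mandatory                     = 'true'
    requiredowngradejustification = 'true'
}

# 3. After reviewing the simulation results in the Purview portal, enforce.
Set-AutoSensitivityLabelPolicy -Identity 'Auto-Confidential-SSN' -Mode Enable

# Review: current mode of the policy and the rule's sensitive info type.
Get-AutoSensitivityLabelPolicy -Identity 'Auto-Confidential-SSN' |
    Select-Object Name, Mode, ApplySensitivityLabel
Get-AutoSensitivityLabelRule -Policy 'Auto-Confidential-SSN' |
    Select-Object Name, ContentContainsSensitiveInformation
```

Simulation mode is not optional hygiene: a mis-tuned SSN rule will label invoices and HR exports alike, and a label that applies encryption can lock users out of their own files, so review the simulation hit list before switching to Enable.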

388
MCQhard

Your company uses Microsoft Purview to manage compliance. You need to ensure that only users who have passed a training course can access documents labeled 'Confidential'. The solution must enforce this dynamically without manual intervention. What should you configure?

A.Microsoft Purview Privileged Access Management to require approval for access.
B.A Microsoft Purview DLP policy that blocks access for untrained users.
C.A Microsoft Purview sensitivity label with a custom permission that only allows trained users.
D.Microsoft Entra ID Conditional Access policy with a terms of use requiring training acknowledgment.
AnswerD

Conditional Access can require acceptance of terms of use, which can be linked to training completion.

Why this answer

Option D is correct because Microsoft Entra ID Conditional Access can require acceptance of a terms of use document before access is granted; the document can carry the training acknowledgement, and the policy can be scoped to the apps that hold the 'Confidential' content (or, more precisely, to SharePoint sites whose container label requires an authentication context), so enforcement is dynamic and needs no per-user intervention. Option A is wrong because Privileged Access Management governs just-in-time approval for administrative tasks, not document access. Option B is wrong because DLP policies act on content, not on whether a user has completed training.

Option C is wrong because sensitivity label permissions are granted to users and groups; a label cannot evaluate training completion by itself, although it could be pointed at a group that a training system populates.

389
Multi-Selectmedium

As a security administrator, you are tuning automated investigation and response (AIR) capabilities in Microsoft Defender XDR. You need to ensure that the system can automatically remediate threats while minimizing false positives. Which three of the following actions can be taken by automated investigation and response in Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Quarantine a file detected as malicious on a device
B.Disable a compromised user account temporarily
C.Delete an email message from a user's mailbox that was identified as phishing
D.Modify a Conditional Access policy to block all external access
E.Uninstall an application from all devices in a tenant
F.Reset a user's password without administrator approval
AnswersA, B, C

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR can quarantine a file detected as malicious on a device through the Defender for Endpoint 'stop and quarantine file' remediation. It can also disable a compromised user account through the 'Disable user' remediation action, which blocks further sign-ins until an administrator re-enables the account. And it can soft-delete an email message identified as phishing from the user's mailbox through Defender for Office 365's mailbox-level remediation. All three surface in the Action center, either already completed or pending approval, depending on the automation level configured for the device group.

Exam trap

The trap here is that candidates may assume AIR can perform broad administrative actions such as modifying Conditional Access policies, uninstalling software tenant-wide or resetting passwords; Microsoft limits AIR to a fixed catalogue of remediations that are safe to run automatically, and anything outside it remains a manual response action or a Sentinel playbook. Whether a listed remediation runs on its own or waits for approval depends on the device group's automation level (full versus semi-automated).

390
MCQeasy

A newly hired administrator needs to manage user accounts, licenses, and reset passwords. Which portal should they access?

A.Microsoft 365 admin center
B.Microsoft Entra admin center
C.Microsoft 365 Defender
D.Azure Active Directory admin center
AnswerA

This portal centralizes user management, license assignment, and common administrative functions for Microsoft 365.

Why this answer

The Microsoft 365 admin center (admin.microsoft.com) is the primary portal for day-to-day user administration tasks such as creating and managing user accounts, assigning licenses, and resetting passwords. It provides a unified interface for these common identity and license management operations within a Microsoft 365 tenant.

Exam trap

The trap here is that candidates often confuse the Microsoft Entra admin center (formerly Azure AD) with the Microsoft 365 admin center, thinking that all user management must be done in the identity portal, but the exam tests that routine user tasks like license assignment and password resets are performed in the Microsoft 365 admin center.

How to eliminate wrong answers

Option B (Microsoft Entra admin center) is wrong because it is focused on identity and access management (IAM) configuration, including conditional access policies, enterprise apps, and security defaults, not on routine user license assignment or password resets for end users. Option C (Microsoft 365 Defender) is wrong because it is a security operations portal for threat detection, investigation, and response (e.g., incident management, advanced hunting), not for user account or license management. Option D (Azure Active Directory admin center) is wrong because it is the legacy portal for Azure AD directory-level settings and bulk operations; while it can manage users, the Microsoft 365 admin center is the correct modern portal for license and password management in a Microsoft 365 context, and the Azure AD portal is now rebranded as Microsoft Entra admin center.

391
MCQhard

Your company uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that a user's sign-in was blocked due to a medium user risk. However, the user claims the sign-in was legitimate. What should you do to allow future sign-ins without lowering security?

A.Create a conditional access policy to bypass MFA for this user
B.Suppress the alert in Microsoft Defender XDR
C.Use the Microsoft Entra ID Protection reports to confirm the user as safe
D.Dismiss the risk in the Risky users report
AnswerC

Confirming safe resets the user's risk and allows sign-ins.

Why this answer

Option C is correct because when a user claims a blocked sign-in was legitimate, the proper action is to confirm the user as safe in the Microsoft Entra ID Protection reports. This action updates the risk state to 'confirmed safe', which resets the user's risk level and allows future sign-ins without lowering security. It also provides feedback to the risk detection algorithm to improve accuracy.

Exam trap

The trap here is confusing 'dismissing the risk' (which only closes the alert) with 'confirming the user as safe' (which actively resets the risk state and provides feedback), leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because creating a conditional access policy to bypass MFA for this user would lower security by removing a critical authentication requirement, and it does not address the underlying risk detection. Option B is wrong because suppressing the alert in Microsoft Defender XDR only hides the notification; it does not resolve the risk state or prevent future blocks. Option D is wrong because dismissing the risk in the Risky users report simply closes the alert without confirming the sign-in as legitimate, which could allow the same risk to trigger again and does not provide feedback to the risk engine.
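Before confirming anyone safe, an administrator should look at what the detections actually were. The following is an added example, not part of the original page, that pulls the user's current risk, the individual risk detections and the risk history through Microsoft Graph PowerShell (Entra ID P2 required). The UPN is a placeholder; 'Confirm user safe' itself is performed in the Entra admin center, so the script only records the decision aid.

```powershell
# Added example: triage a risky user's detections before confirming them safe.
# Requires Microsoft.Graph with the IdentityRiskyUser.Read.All and
# IdentityRiskEvent.Read.All scopes. UPN is a placeholder.
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All','IdentityRiskEvent.Read.All' | Out-Null
$upn = 'user@contoso.com'   # placeholder

# Current aggregated risk for the user.
$risky = Get-MgRiskyUser -Filter "userPrincipalName eq '$upn'"
'{0}: riskLevel={1} riskState={2} lastUpdated={3}' -f `
    $risky.UserPrincipalName, $risky.RiskLevel, $risky.RiskState, $risky.RiskLastUpdatedDateTime

# The individual detections that produced that level: what, where and when.
Get-MgRiskDetection -Filter "userPrincipalName eq '$upn'" -Top 25 |
    Sort-Object DetectedDateTime -Descending |
    Select-Object DetectedDateTime, RiskEventType, RiskLevel, RiskState,
        @{n='IP';       e={ $_.IpAddress }},
        @{n='Location'; e={ "$($_.Location.City), $($_.Location.CountryOrRegion)" }},
        DetectionTimingType |
    Format-Table -AutoSize

# Risk history shows earlier administrator actions (dismiss, confirm safe, remediation).
Get-MgRiskyUserHistory -RiskyUserId $risky.Id |
    Select-Object RiskLastUpdatedDateTime, RiskLevel, RiskState, InitiatedBy,
        @{n='Activity'; e={ $_.Activity.EventTypes -join ',' }} |
    Format-Table -AutoSize

# Decision aid: when every detection's IP and location match the user's own
# account of the sign-in, confirm the user safe in the Entra admin center
# (Protection > Risky users > Confirm user safe); that records feedback.
# The opposite decision is scriptable and raises the user to High risk:
#   Confirm-MgRiskyUserCompromised -UserIds @($risky.Id)
```

Two detections with the same IP a few minutes apart and a third from another continent are the pattern to be suspicious of; a single 'unfamiliar sign-in properties' detection from the user's home ISP is the pattern this question describes.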

392
Multi-Selecthard

Your company is deploying Microsoft 365 Copilot for all users. You need to ensure that Copilot responses are grounded only in organizational data that users already have permission to access. Additionally, you must comply with data residency requirements in the European Union. Which THREE actions should you take?

Select 3 answers
A.Apply sensitivity labels to restrict Copilot from accessing specific files.
B.Set the data residency preference for Microsoft 365 Copilot to the European Union in the admin center.
C.Configure Microsoft 365 Copilot to respect existing user permissions via Microsoft Entra ID.
D.Block Copilot for all users outside the EU using conditional access policies.
E.Enable Copilot caching in Microsoft Purview to control data storage locations.
AnswersA, B, C

Sensitivity labels with encryption decide whether Copilot may use a file's content, which supports granular control beyond plain permission trimming.

Why this answer

Option A is correct because sensitivity labels with encryption control what Copilot may use: if the label does not grant the user the EXTRACT usage right, Copilot will not summarise or reuse that file's content even though the user can open it, and the label on the source content is inherited by Copilot's output. This is the Purview Information Protection control that keeps responses grounded in data the user is entitled to use, on top of the permission trimming Copilot already applies through Microsoft Graph.

Exam trap

The trap here is that candidates may confuse Conditional Access policies (which control who can sign in and from where) with data residency controls (which govern where data is stored and processed), and may take 'Copilot caching in Microsoft Purview' at face value; no such Purview feature controls where Copilot stores data.

393
MCQhard

A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
C.Block Adobe Reader from creating child processes
D.Block persistence through WMI event subscription
AnswerA

This ASR rule blocks executables that are not trusted based on Microsoft's reputation and prevalence data.

Why this answer

Option A is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) blocks executable files (.exe, .dll, .scr) that Microsoft's cloud reputation service considers untrusted: files not seen on enough endpoints (prevalence), not old enough (age), or not on a trusted list. Freshly downloaded executables are exactly the low-prevalence, young files this rule catches, which is why it addresses the requirement. The rule depends on cloud-delivered protection being enabled, because without it the reputation lookups cannot happen.

Exam trap

The trap here is that candidates often confuse ASR rules focused on execution control (like blocking downloaded executables) with rules that block specific attack techniques (like credential theft or persistence), leading them to select a rule that addresses a different threat vector entirely.

How to eliminate wrong answers

Option B is wrong because the ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects against credential theft via LSASS access, not against running internet-downloaded executables. Option C is wrong because the ASR rule 'Block Adobe Reader from creating child processes' (GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c) only restricts Adobe Reader from spawning child processes, which is unrelated to blocking execution of downloaded .exe or .scr files. Option D is wrong because the ASR rule 'Block persistence through WMI event subscription' (GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b) targets WMI-based persistence techniques, not the execution of internet-downloaded portable executables.
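A safe rollout of that rule on a single device, as an added example that is not part of the original page: enable it in audit mode, inspect the Defender operational log for what it would have blocked, add exclusions for legitimate installers, then enforce. The exclusion path is a placeholder; in production the same settings are pushed through Intune rather than set locally.

```powershell
# Added example: roll out ASR rule 01443614-... in audit mode first, review
# events, then enforce. Run elevated on a device managed by Defender Antivirus.
$ruleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # Block executables unless prevalence/age/trusted

# The rule depends on cloud-delivered protection; make sure it is on.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# 1. Audit mode: log what the rule would block, without blocking.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Review what the rule fired on. Event 1122 = audited, 1121 = blocked.
function Get-AsrEvents([string]$RuleId, [int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |     # -match is case-insensitive
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            # Keep only the message lines naming the file and the process.
            Detail = (($_.Message -split "`n") | Where-Object { $_ -match 'Path|Process' }) -join ' | '
        }
    }
}
Get-AsrEvents -RuleId $ruleId | Format-Table -AutoSize

# 3. Exclude legitimate in-house installers the audit surfaced, then enforce.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Deploy\LOBSetup.exe'   # placeholder path
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Confirm the effective state (1 = Block, 2 = Audit, 6 = Warn).
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($p.AttackSurfaceReductionRules_Ids[$i] -eq $ruleId) {
        "Rule $ruleId action = $($p.AttackSurfaceReductionRules_Actions[$i])"
    }
}
```

Leave the rule in audit mode for at least a full patch and deployment cycle before enforcing; the false positives this rule produces are almost always the organization's own freshly built or rarely used installers.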

394
MCQeasy

An organization wants to receive email notifications for all service health incidents. Which role must an administrator have to configure service health notifications in the Microsoft 365 admin center?

A.Global Administrator
B.Service Support Administrator
C.Helpdesk Administrator
D.Billing Administrator
AnswerA

Global Administrator has full access to every area of the admin center, including the Service health preferences.

Why this answer

The exam's expected answer is Global Administrator: it has full access to the Service health area of the Microsoft 365 admin center, including the preferences that control email notification of incidents and advisories, and none of the other roles offered is a better fit for tenant-wide administration.

Exam trap

The trap here is that candidates see that the Service Support Administrator can view service health and pick it; the question asks which role the administrator must have, and among the options Global Administrator is the one the exam expects. In practice, verify rather than assume: email notification preferences are set per administrator under Health > Service health > Preferences, so check that page signed in as the admin who is meant to receive the mail.

How to eliminate wrong answers

Option B (Service Support Administrator) is wrong because this role can only view service health and manage support tickets, but cannot configure notification settings for service health incidents. Option C (Helpdesk Administrator) is wrong because this role is limited to password resets, user management, and basic support tasks, and does not have permission to access or modify service health notification configurations. Option D (Billing Administrator) is wrong because this role is restricted to managing billing accounts, invoices, and payment methods, and has no access to service health or notification settings.

395
Multi-Selecthard

You are configuring Microsoft Defender for Office 365 to protect against sophisticated phishing attacks. You need to ensure that users are warned about potentially malicious messages that bypass other filters. Which two policies should you configure?

Select 2 answers
A.Safe Attachments policy
B.Safe Links policy
C.Anti-malware policy
D.Anti-spam policy: Spoof intelligence
E.Anti-phishing policy: Impersonation protection settings
AnswersD, E

Correct: Spoof intelligence can show warnings for spoofed senders.

Why this answer

To warn users about potentially malicious messages, you should configure anti-phishing policy's impersonation protection and spoof intelligence. Spam filter policies do not provide user warnings. Safe Attachments and Safe Links policies block or detonate attachments/links but do not warn users.

396
MCQhard

Your organization uses Microsoft Entra ID with P2 licenses. You need to identify and remediate users who are at risk due to leaked credentials or anomalous sign-in activity. You want to automate the response to high-risk users by requiring a password change. Which feature should you use?

A.Microsoft Entra Identity Protection
B.Microsoft Defender for Cloud Apps
C.Microsoft Entra Identity Governance
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerA

Identity Protection detects risks and can enforce password change via conditional access.

Why this answer

Option A is correct because Identity Protection provides risk-based conditional access policies to automatically remediate high-risk users. Option D is wrong because Privileged Identity Management (PIM) manages privileged roles, not user risk. Option C is wrong because Identity Governance handles access reviews and entitlement management. Option B is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security, not identity risk.

397
MCQhard

A security administrator needs to block executable files from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
B.Block credential stealing from the Windows local security authority subsystem
C.Block all Office applications from creating child processes
D.Block JavaScript or VBScript from launching downloaded executable content
AnswerA

Correct. This ASR rule specifically blocks executables in writable directories unless they have been around long enough or are commonly seen.

Why this answer

Option A is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) specifically targets executables launched from locations commonly used by malware, such as the %TEMP% folder. This rule uses cloud-delivered reputation data to allow only executables that are prevalent, have sufficient age, or are on a trusted list, effectively blocking unknown or suspicious binaries from running in temporary directories.

Exam trap

The trap here is that candidates often confuse ASR rules focused on script-based attacks (Option D) or credential theft (Option B) with the specific rule designed to block executables in low-reputation locations like %TEMP%, leading them to choose a rule that addresses a different attack vector.

How to eliminate wrong answers

Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects against credential theft via LSASS, not against executable execution from %TEMP%. Option C is wrong because 'Block all Office applications from creating child processes' (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a) prevents Office apps from spawning child processes (e.g., PowerShell or cmd.exe), which is unrelated to blocking executables in the %TEMP% folder. Option D is wrong because 'Block JavaScript or VBScript from launching downloaded executable content' (GUID: e22096a2-2f8a-4e6c-8f3a-7a5f1c5b0c3d) targets scripts that launch downloaded executables, not the direct execution of executables from the %TEMP% folder.

398
Multi-Selecthard

Which THREE of the following are required to implement Microsoft Entra ID Identity Governance for access reviews? (Choose three.)

Select 3 answers
A.Microsoft Entra ID P1 license
B.The access review must be configured to apply results automatically
C.Microsoft Entra ID P2 license
D.Global Administrator or Identity Governance Administrator role
E.All users being reviewed must be guest users
AnswersB, C, D

Required for automatic remediation.

Why this answer

Option B is correct because for an access review to enforce its decisions (e.g., removing a user's access), the review must be configured to 'Apply results automatically'. Without this setting, the review only generates recommendations, and an administrator must manually apply the results. This automatic application is a required step to complete the identity governance lifecycle.

Exam trap

The trap here is that candidates often assume a P1 license is sufficient for access reviews, but Microsoft specifically requires P2 for the reviewer and the users under review, making P1 an incorrect choice.

399
MCQmedium

Refer to the exhibit. You run the Get-RetentionCompliancePolicy cmdlet and see the output. Your organization wants to retain all ProjectX documents for 10 years and then allow users to delete them. However, users complain that documents are being deleted automatically. What is the issue?

A.The retention action is set to Delete instead of NoAction.
B.The policy is disabled, so it should not be enforcing.
C.The mode is set to Enable, which means the policy is in test mode.
D.The retention trigger is set to DateCreated, which is incorrect.
AnswerA

Delete automatically removes content; NoAction would allow manual deletion.

Why this answer

Option A is correct because the RetentionAction is set to 'Delete', which means that after 3650 days the content is deleted automatically. The requirement is to allow manual deletion after retention. Option B is wrong because the policy is disabled (Enabled: False) so it is not enforcing, but the RetentionAction still shows Delete. Option C is wrong because Mode is Enable, which means the policy is active. Option D is wrong because the trigger is DateCreated, which is appropriate.

400
MCQeasy

Your organization needs to implement a Microsoft Purview data classification solution that scans data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Microsoft Purview feature should you use?

A.Microsoft Purview Data Loss Prevention
B.Microsoft Purview Information Protection sensitivity labels
C.Microsoft Purview eDiscovery
D.Microsoft Purview Data Map
AnswerD

Data Map can scan and classify data across various sources including AWS S3 and Azure SQL.

Why this answer

Option D is correct because Microsoft Purview Data Map supports scanning on-premises and multi-cloud data sources. Option A is wrong because DLP policies are for data loss prevention, not for scanning all data sources. Option B is wrong because sensitivity labels apply labels, but the scanning is done by Data Map. Option C is wrong because eDiscovery is for legal discovery, not automated scanning.

401
MCQhard

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?

A.custom detection rule using advanced hunting
B.scheduled alert rule in Microsoft Sentinel
C.An incident creation rule in Microsoft Defender for Cloud Apps
D.custom remediation action rule
AnswerA

Defender XDR custom detections use advanced hunting queries that can be scheduled and trigger incidents when thresholds are exceeded.

Why this answer

A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.

Exam trap

The trap here is that candidates often confuse the scope of Microsoft Defender XDR custom detections with Microsoft Sentinel scheduled alert rules, assuming any scheduled query must be in Sentinel, but Defender XDR's advanced hunting custom detections natively support scheduled queries and incident creation without requiring Sentinel.

How to eliminate wrong answers

Option B is wrong because a scheduled alert rule in Microsoft Sentinel is designed for Azure-based SIEM and SOAR capabilities, not for native custom detection within Microsoft Defender XDR; Sentinel operates on a different data ingestion pipeline and is not the correct tool for creating rules that run directly in the Defender XDR portal. Option C is wrong because an incident creation rule in Microsoft Defender for Cloud Apps focuses on app-level anomalies and cloud application behaviors, not on device-level network communications with IP addresses flagged by threat intelligence. Option D is wrong because a custom remediation action rule is used to define automated response actions (e.g., isolating a device or running a script) after a detection occurs, not to define the detection logic or scheduling itself.

402
MCQmedium

Your organization uses Microsoft Entra Connect Sync. You need to ensure that specific on-premises Active Directory groups are synchronized to Microsoft Entra ID. What should you configure?

A.Set the sync scope to 'Synchronize selected groups'
B.Configure attribute-based filtering in Microsoft Entra Connect
C.Create a security group in Microsoft Entra ID and add members
D.Use the Synchronization Service Manager to select groups
AnswerA

Microsoft Entra Connect supports filtering by groups.

Why this answer

Option A is correct because Microsoft Entra Connect Sync allows you to scope synchronization to specific groups by selecting 'Synchronize selected groups' in the Azure AD Connect configuration. This setting, available during installation or via the 'Customize synchronization options' task, restricts synchronization to only the on-premises Active Directory groups you explicitly choose, ensuring that only those groups are synced to Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse attribute-based filtering (Option B) with group-specific scoping, not realizing that attribute-based filtering applies to all object types and cannot be used to select individual groups for synchronization.

How to eliminate wrong answers

Option B is wrong because attribute-based filtering in Microsoft Entra Connect filters objects based on their attributes (e.g., department or country), not specifically for selecting which groups to synchronize; it is a broader filtering mechanism that can exclude objects but does not provide a group-specific selection. Option C is wrong because creating a security group in Microsoft Entra ID and adding members does not control which on-premises groups are synchronized; it creates a cloud-only group that is not linked to the on-premises synchronization process. Option D is wrong because the Synchronization Service Manager is used to manage synchronization operations (e.g., run profiles, connectors, and metaverse objects) but does not provide a configuration option to select specific groups for synchronization; group selection is done during the Azure AD Connect configuration wizard.

403
MCQhard

You need to implement a solution that allows external partners to access specific SharePoint Online sites without creating guest user objects in Microsoft Entra ID. The partners will authenticate using their own identity provider. What should you use?

A.Microsoft Entra B2B collaboration with the partner's identity provider
B.Microsoft Entra B2B direct connect for SharePoint Online
C.Microsoft Entra External ID for the partner organization
D.SharePoint Online external sharing with one-time passcode authentication
AnswerD

One-time passcode authentication does not require guest user objects.

Why this answer

Option D is correct because SharePoint Online external sharing with one-time passcode authentication allows external partners to access SharePoint sites without creating guest user objects in Microsoft Entra ID. When the partner's identity provider is not federated with Entra ID, the one-time passcode feature sends a code to their email for authentication, bypassing the need for a guest account. This meets the requirement of no guest user objects while enabling access from an external identity provider.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which always creates guest objects) with SharePoint external sharing features that can bypass guest object creation, leading them to select A or B instead of D.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration requires creating guest user objects in Microsoft Entra ID for each external partner, which directly contradicts the requirement to avoid guest objects. Option B is wrong because Microsoft Entra B2B direct connect for SharePoint Online is designed for cross-tenant access with mutual trust and still creates a B2B direct connect user object in the resource tenant, not meeting the 'no guest objects' condition. Option C is wrong because Microsoft Entra External ID is a customer-facing identity solution for external apps, not for granting access to SharePoint Online sites without guest objects; it also typically involves creating user objects in the external tenant.

404
Multi-Selectmedium

Your company is implementing Microsoft Purview Information Protection to classify and protect sensitive documents. You need to ensure that all documents containing personally identifiable information (PII) are automatically labeled. Which TWO actions should you take? (Select TWO.)

Select 2 answers
A.Define a custom sensitive info type in Microsoft Purview that matches your organization's PII patterns.
B.Train users to manually apply a sensitivity label to documents containing PII.
C.Configure a sensitivity label to encrypt documents containing PII.
D.Create a retention label for documents containing PII.
E.Create an auto-labeling policy in Microsoft Purview that applies a sensitivity label to documents containing PII.
AnswersA, E

Custom sensitive info types can detect specific PII patterns for automatic labeling.

Why this answer

Option A is correct because creating a sensitive info type for PII (e.g., using custom patterns) ensures the policy can detect the data. Option E is correct because automatic labeling policies can apply sensitivity labels based on sensitive info types. Option C is wrong because encryption is a protection action, not a labeling requirement. Option B is wrong because manual labeling does not meet the requirement for automatic labeling. Option D is wrong because retention labels are for retention, not classification.

405
MCQeasy

A user receives an email from an unknown sender with a .zip attachment. The attachment contains a potentially malicious executable file. Microsoft Defender for Office 365 is enabled. Which feature dynamically detonates the attachment in a sandbox environment and blocks it if malicious behavior is detected?

A.Safe Attachments
B.Safe Links
C.Anti-phishing
D.Anti-spam
AnswerA

Safe Attachments uses behavioral analysis and sandboxing to detect and block malicious attachments in email messages.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a dynamic sandbox environment, analyzing behavior in real time. If the .zip file contains a malicious executable, Safe Attachments will block the email before delivery, preventing the user from accessing the threat. This is distinct from other Defender for Office 365 features that focus on URLs, phishing content, or spam filtering.

Exam trap

The trap here is that candidates confuse Safe Attachments with Safe Links, assuming both handle attachments, but Safe Links only rewrites and checks URLs, not file payloads.

How to eliminate wrong answers

Option B is wrong because Safe Links protects against malicious URLs within emails or Office documents, not file attachments. Option C is wrong because Anti-phishing policies detect impersonation and spoofing attempts, not executable file analysis. Option D is wrong because Anti-spam policies filter bulk or junk email based on sender reputation and content, not dynamic file detonation.

406
MCQmedium

A compliance administrator needs to preserve all documents in a SharePoint Online site that were created before a specific date for a legal hold. The hold should prevent any modification or deletion of those documents. What should the administrator configure?

A.Retention label applied automatically
B.eDiscovery hold
C.Data loss prevention policy
D.Sensitivity label with encryption
AnswerB

An eDiscovery hold preserves content in its current state and prevents edits or deletions until the hold is removed.

Why this answer

An eDiscovery hold (also known as a litigation hold) preserves all content in a SharePoint Online site by preventing modification or deletion of documents that match the hold criteria, including those created before a specific date. This hold applies at the site level and ensures that even if users edit or delete documents, the original versions are retained in the Preservation Hold library. It is the correct mechanism for legal holds that require immutable preservation of existing documents.

Exam trap

The trap here is that candidates often confuse retention labels or policies with eDiscovery holds, not realizing that retention labels only ensure content is kept after deletion but do not prevent modification, whereas an eDiscovery hold actively blocks modification and deletion by preserving the original content in a hidden library.

How to eliminate wrong answers

Option A is wrong because a retention label applied automatically can retain documents for a specified period but does not prevent users from modifying or deleting them; it only ensures the content is kept after deletion or modification, not that it remains unaltered. Option C is wrong because a Data Loss Prevention (DLP) policy is designed to detect and prevent the sharing of sensitive information, not to preserve documents from modification or deletion for legal hold purposes. Option D is wrong because a sensitivity label with encryption protects content by restricting access and usage, but it does not prevent modification or deletion by authorized users and is not designed for legal hold preservation.

407
MCQmedium

A compliance officer needs to automatically retain documents in a SharePoint Online document library for 7 years and then automatically delete them. The retention must be applied based on when the document is created. Which Microsoft Purview feature should be configured?

A.Data Lifecycle Management
B.Records Management
C.eDiscovery
D.Communication Compliance
AnswerA

Correct. Data Lifecycle Management includes retention labels and policies to retain and then delete content based on age.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview allows you to create retention labels that automatically retain content for a specified period (e.g., 7 years) based on the date the document was created, and then trigger a disposal action such as deletion. This feature is designed specifically for managing the lifecycle of data in SharePoint Online, including automatic retention and deletion based on metadata like creation date.

Exam trap

The trap here is that candidates often confuse Records Management with Data Lifecycle Management, assuming that any retention policy must involve records, when in fact DLM handles automated retention and deletion without requiring the content to be declared a record.

How to eliminate wrong answers

Option B (Records Management) is wrong because Records Management is focused on declaring content as records (immutable, auditable) and applying retention that prevents deletion or modification, not on automatically deleting content after a set period. Option C (eDiscovery) is wrong because eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for automated retention and deletion policies. Option D (Communication Compliance) is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, sensitive info) in Microsoft Teams, Exchange, and Yammer, not for managing document lifecycle retention or deletion.

408
MCQhard

You are hunting for malicious activity in Microsoft 365 Defender. The exhibit shows a KQL query. What is the query searching for?

A.PowerShell processes with standard command line arguments
B.Processes that created PowerShell processes
C.PowerShell processes that were downloaded from the internet
D.PowerShell processes with encoded command line arguments
AnswerD

The command line contains '-EncodedCommand'.

Why this answer

Option D is correct because the query hunts for PowerShell processes with encoded commands. Option C is wrong because the query is not about powershell.exe downloaded from the internet. Option A is wrong because it is not about standard command-line arguments. Option B is wrong because it is not about processes creating powershell.exe.

409
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a device makes an outbound connection to a known malicious IP address, and within 10 minutes, a process with suspicious command-line arguments is started on the same device. Which two Advanced Hunting tables must be joined using a KQL query to create this detection?

Select 2 answers
A.DeviceNetworkEvents and DeviceProcessEvents.
B.DeviceEvents and DeviceLogonEvents.
C.DeviceProcessEvents and DeviceFileEvents.
D.DeviceNetworkEvents and DeviceRegistryEvents.
AnswersA, C

DeviceNetworkEvents contains outbound connections with remote IPs; DeviceProcessEvents contains process start details including command line. Joining on DeviceId and timestamp enables correlation.

Why this answer

Option A is correct because the detection rule requires correlating outbound network connections (DeviceNetworkEvents) with process creation events (DeviceProcessEvents) on the same device within a 10-minute window. The KQL query would join these two tables on the DeviceId field and use a time filter to ensure the process event occurs within 10 minutes after the network event, enabling the detection of post-connection malicious activity.

Exam trap

Microsoft often tests the misconception that DeviceEvents (which includes security alerts) can substitute for DeviceNetworkEvents, but DeviceEvents lacks the granular outbound connection details needed for IP-based detection rules.

410
MCQmedium

Your company uses Microsoft Entra ID. You need to restrict access to a critical application to only users who are in a specific security group and are signing in from a trusted location. You configure a conditional access policy with the following conditions: users (the security group), cloud apps (the critical application), conditions (locations: trusted IP ranges). However, users in the security group are still able to access the app from untrusted locations. What is the most likely reason?

A.The policy is configured as a block policy but is overridden by another policy
B.The cloud app is not correctly assigned to the policy
C.The policy uses session controls instead of grant controls
D.The policy is in report-only mode
AnswerD

Report-only mode does not enforce; it only logs.

Why this answer

When a Conditional Access policy is in report-only mode, it evaluates the conditions and logs the result but does not enforce any access controls (grant or block). This explains why users in the security group can still access the app from untrusted locations—the policy is not actively blocking or requiring MFA/location compliance. Report-only mode is commonly used for testing before enabling enforcement.

Exam trap

The trap here is that candidates often assume a Conditional Access policy automatically enforces its conditions once configured, overlooking the critical distinction between report-only mode (evaluation only) and on/enforce mode (evaluation + enforcement).

How to eliminate wrong answers

Option A is wrong because if the policy were a block policy, it would actively block access when conditions match; the issue here is that no enforcement occurs at all, not that another policy overrides it. Option B is wrong because the cloud app assignment is correctly configured per the scenario; if it were incorrect, the policy wouldn't apply to the app at all, but users are still accessing it, indicating the policy is not enforcing. Option C is wrong because session controls (e.g., sign-in frequency) do not prevent access from untrusted locations; only grant controls (e.g., require trusted location) can block or allow access based on location.

The core problem is that the policy is not enforcing any controls, which points to report-only mode.

411
Multi-Selectmedium

Your organization uses Microsoft 365 and wants to implement a passwordless authentication strategy. Which TWO methods are supported natively in Microsoft Entra ID for passwordless sign-in?

Select 2 answers
A.Smart cards (physical or virtual)
B.Microsoft Authenticator app (phone sign-in)
C.Temporary Access Pass
D.Certificate-based authentication
E.FIDO2 security keys
AnswersB, E

Supported as a passwordless authentication method.

Why this answer

The Microsoft Authenticator app (phone sign-in) is a native passwordless method in Microsoft Entra ID that uses key-based authentication tied to the user's device. It allows users to sign in by approving a notification or entering a number displayed on the screen, eliminating the need for a password. This method is fully integrated into Entra ID's authentication stack and supports both iOS and Android devices.

Exam trap

The trap here is that candidates often confuse 'supported in Entra ID' with 'supported in the broader Microsoft ecosystem', leading them to select smart cards or certificate-based authentication, which require additional on-premises or hybrid components and are not native passwordless options in cloud-only Entra ID.

412
MCQmedium

Your company has a Microsoft 365 tenant with a custom domain (contoso.com). You need to verify domain ownership before enabling email routing. Which DNS record type should you add?

A.Add a TXT record with the verification code.
B.Add a CNAME record pointing to autodiscover.outlook.com.
C.Add an MX record pointing to contoso-com.mail.protection.outlook.com.
D.Add an SPF record for contoso.com.
AnswerC

MX records direct email to Exchange Online.

Why this answer

Option C is correct because when you add a custom domain to Microsoft 365 and need to enable email routing, you must prove domain ownership and configure mail flow. The MX record with the value 'contoso-com.mail.protection.outlook.com' is the specific record that Microsoft 365 requires to route incoming email for your domain to Exchange Online. This record is added after domain ownership is verified (usually via a TXT record), but the question asks which record type enables email routing, which is the MX record.

Exam trap

The trap here is that candidates confuse the domain verification step (TXT record) with the email routing step (MX record), and Microsoft explicitly tests this distinction by asking for the record that 'enables email routing' rather than 'verifies ownership'.

How to eliminate wrong answers

Option A is wrong because a TXT record with a verification code is used to prove domain ownership, not to enable email routing; ownership verification is a prerequisite but does not itself route email. Option B is wrong because a CNAME record pointing to autodiscover.outlook.com is used for Autodiscover service connectivity (client configuration), not for enabling email routing for the domain. Option D is wrong because an SPF record is used to authorize sending servers and prevent spoofing, but it does not enable inbound email routing; it is a separate security measure.

413
MCQeasy

A security administrator wants to review email messages that were blocked due to a malware detection in Microsoft Defender for Office 365. Which report should they use?

A.Submissions report
B.Spoof intelligence report
C.Mailflow map report
D.Threat Protection Status report
AnswerD

This report includes malware detections.

Why this answer

Option D is correct because the Threat Protection Status report shows malware detections in email. Option C is wrong because the Mailflow map report shows message routing. Option A is wrong because the Submissions report shows user-reported messages. Option B is wrong because the Spoof intelligence report shows spoofed senders.

414
MCQhard

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically block sign-ins for users with high sign-in risk, but only when the sign-in originates from outside the corporate network. For sign-ins from the corporate network, they want to require a password change for medium sign-in risk. A group of emergency access accounts (break-glass) must be excluded from all policies. What should the administrator implement?

A.single Conditional Access policy that blocks access for high risk from external locations and requires password change for medium risk from internal locations, excluding the break-glass group.
B.Two Conditional Access policies: one for external locations that blocks high risk, and one for internal locations that requires password change for medium risk. Both exclude the break-glass group.
C.An Identity Protection user risk policy that blocks high-risk users and prompts for password change for medium-risk users, configured to exclude the break-glass group.
D.Conditional Access policy that requires multi-factor authentication for all users except break-glass, and a separate sign-in risk policy for blocking high risk from external locations.
AnswerB

This meets all requirements: separate policies for different location + risk combinations, and the break-glass group is excluded from both.

Why this answer

Option B is correct because Conditional Access policies evaluate conditions like location and sign-in risk separately, and combining both conditions (external vs. internal) with different grant controls (block vs. require password change) in a single policy is not supported. Two separate policies are required: one for external locations with high risk to block, and one for internal locations with medium risk to require password change. Both must exclude the break-glass group to ensure emergency access is never blocked.

Exam trap

The trap here is that candidates often assume a single Conditional Access policy can handle multiple condition-to-control mappings, but Microsoft Entra ID requires separate policies for each unique combination of conditions and grant controls.

How to eliminate wrong answers

Option A is wrong because a single Conditional Access policy cannot apply different grant controls (block vs. require password change) based on different location conditions within the same policy; each policy can only have one set of grant controls. Option C is wrong because an Identity Protection user risk policy applies to user risk (compromised accounts), not sign-in risk (compromised session), and does not evaluate location (corporate network vs. external). Option D is wrong because it suggests a single Conditional Access policy requiring MFA for all users, which does not address the specific sign-in risk and location requirements, and a separate sign-in risk policy cannot be combined with location-based conditions in the way described.

415
MCQmedium

Your organization uses Microsoft Defender for Endpoint. A security analyst reports that a critical file was quarantined on several devices, but the file is a trusted application. You need to restore the file and prevent future false positives. What should you do?

A.Add the file to the allowed list in Microsoft Defender Antivirus exclusions.
B.Disable real-time protection on affected devices.
C.Add the file to the trusted list in Windows Defender Firewall.
D.Create a custom indicator for the file hash with the action 'Allow and alert'.
AnswerD

Custom indicators in Defender for Endpoint allow you to override detection and prevent false positives.

Why this answer

Option D is correct because creating a custom indicator for the file hash with the action 'Allow and alert' lets the trusted file run while still alerting, preventing future quarantines. Option C is wrong because adding the file to the trusted list in Windows Defender Firewall does not affect Defender for Endpoint. Option A is wrong because adding the file to Microsoft Defender Antivirus exclusions does not prevent it from being blocked by cloud protection.

Option B is wrong because disabling real-time protection on the affected devices is a temporary workaround that can be bypassed.

416
MCQeasy

Refer to the exhibit. You are configuring auto-labeling for sensitivity labels. The JSON snippet is part of the policy configuration. When a document containing a credit card number is detected, what will happen?

A.The document will be automatically encrypted.
B.The document will be retained for a default period.
C.The document will be marked as a record.
D.The document will be blocked from sharing.
AnswerA

The action field specifies encrypt.

Why this answer

The rule specifies an action to encrypt when a credit card number is detected. Option A is correct because the action is 'encrypt'.

Options B and C are wrong because no retention or record action is specified in the rule. Option D is wrong because the action does not block sharing.

417
MCQhard

Your organization is implementing Microsoft Defender for Cloud Apps. You need to configure anomaly detection policies to alert when a user downloads an unusually large number of files from SharePoint Online. Which data source should you connect to enable this detection?

A.API connector for custom apps
B.App connector for SharePoint Online
C.Microsoft 365 Defender portal
D.Microsoft Entra ID logs
AnswerB

This provides activity logs from SharePoint for anomaly detection.

Why this answer

Option B is correct because anomaly detection policies in Defender for Cloud Apps require the app connector for SharePoint Online to analyze user activity logs. Option C is wrong because the Microsoft 365 Defender portal is the management interface, not a data source. Option D is wrong because Microsoft Entra ID logs provide sign-in information but not file download activity.

Option A is wrong because the API connector is used for custom applications, not native SaaS apps like SharePoint Online.

418
MCQmedium

Your organization uses Microsoft 365 E5 and has Microsoft Defender for Office 365 enabled. Users report that legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives while maintaining security. What should you do?

A.Create a transport rule to allow all emails from external domains
B.Configure user-reported message settings in Microsoft Defender for Office 365
C.Disable the anti-phishing policy
D.Increase the Spam Confidence Level (SCL) threshold for incoming mail
AnswerB

User reporting helps improve filter accuracy over time.

Why this answer

Option B is correct because configuring user-reported message settings allows users to report false positives, which feeds into Microsoft's machine learning and reduces future false positives. Option A is wrong because allowing all emails from external domains bypasses security. Option C is wrong because disabling the anti-phishing policy removes protection.

Option D is wrong because increasing the Spam Confidence Level threshold does not specifically address phishing false positives.

419
MCQmedium

Your organization receives a data subject request (DSR) to export personal data of a user. Which Microsoft Purview solution should you use to search for and export the data?

A.Microsoft Purview retention policies
B.Microsoft Purview Audit
C.Microsoft Purview eDiscovery
D.Microsoft Purview Data Loss Prevention
AnswerC

eDiscovery can search and export content for DSRs.

Why this answer

Option C is correct because Microsoft Purview eDiscovery can search for content across Microsoft 365 and export it. Option B is wrong because audit logs only track activities; they do not search content. Option D is wrong because DLP is for preventing data loss, not exporting data.

Option A is wrong because retention policies do not export data.

420
MCQhard

Refer to the exhibit. You are configuring an auto-labeling policy in Microsoft Purview. The policy is set to apply the 'Confidential' label to documents that contain a specific sensitive info type. However, when a document is auto-labeled, users report that the footer and header are not applied. The label 'Confidential' itself does not have marking configurations. What is the most likely reason?

A.The label is not published to users.
B.The Microsoft 365 Apps client is not configured to apply markings.
C.The marking defaults are defined in the policy but the label does not have markings configured.
D.The policy settings override the label settings, causing markings to be ignored.
AnswerC

Markings must be on the label itself for auto-labeling to apply them.

Why this answer

Option C is correct because the exhibit shows MarkingDefaults defined in the policy settings, not on the label. The auto-labeling policy applies the 'Confidential' label, but the header and footer are not applied because the label itself has no marking configuration; markings must be configured on the label for auto-labeling to apply them.

Option D is wrong because the marking defaults belong to the policy and are simply not applied during auto-labeling; the policy does not override the label's settings. Option B is wrong because client settings are not relevant for auto-labeling. Option A is wrong because the label is published.

421
Multi-Selecthard

Which TWO components are part of Microsoft Defender XDR?

Select 2 answers
A.Microsoft Defender for Office 365
B.Microsoft Purview
C.Microsoft Defender for Endpoint
D.Microsoft Intune
E.Microsoft Sentinel
AnswersA, C

Defender for Office 365 is a core component of Defender XDR.

Why this answer

Options A and C are correct. Microsoft Defender XDR includes Microsoft Defender for Endpoint and Microsoft Defender for Office 365. Option E is wrong because Microsoft Sentinel is a separate SIEM.

Option B is wrong because Microsoft Purview is for compliance. Option D is wrong because Microsoft Intune is for device management.

422
MCQeasy

An administrator is managing a Microsoft 365 tenant and needs to delegate the ability to reset user passwords to a group of helpdesk staff. The helpdesk staff should not have any other administrative privileges. Which built-in role should the administrator assign?

A.Global Administrator
B.Password Administrator
C.User Administrator
D.Helpdesk Administrator
AnswerB

Password Administrator can reset passwords for non-administrator users and does not include other administrative capabilities.

Why this answer

The Password Administrator role is the correct choice because it grants the specific ability to reset passwords for non-administrator users and manage service requests, without providing broader administrative privileges like managing users, groups, or licensing. This aligns with the principle of least privilege, ensuring helpdesk staff can perform password resets without accessing other sensitive areas of the tenant.

Exam trap

The trap here is that candidates often confuse the Helpdesk Administrator role (which also resets passwords) as the correct answer, but the Password Administrator role is even more restricted and specifically designed for password-only tasks, making it the precise least-privilege choice.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role grants unrestricted access to all administrative features, including security, compliance, and billing, which far exceeds the requirement to only reset passwords. Option C is wrong because the User Administrator role can create and delete users, manage user licenses, and reset passwords for all users (including admins), which provides more privileges than needed and violates the least-privilege requirement. Option D is wrong because the Helpdesk Administrator role, while limited, includes the ability to reset passwords and manage service requests, but it also grants the ability to manage support tickets and view reports, which is more than the narrow scope of password resets alone; however, the Password Administrator role is even more restricted, making it the precise fit.

423
Multi-Selecthard

A compliance officer needs to ensure that all documents containing a custom sensitive info type (Employee ID with pattern EMP-####) are automatically labeled with a retention label that retains the documents for 3 years. Which two Microsoft Purview components must be configured? (Choose two.)

Select 2 answers
A.A sensitivity label
B.A retention label
C.A data loss prevention (DLP) policy
D.An auto-labeling policy for retention labels
AnswersB, D

Retention labels define the retention and deletion rules for content.

Why this answer

A retention label is required to specify the retention period (3 years) for the documents. An auto-labeling policy for retention labels is needed to automatically apply that retention label based on the detection of the custom sensitive info type (Employee ID pattern EMP-####). Together, these two components enable automatic classification and retention without manual user intervention.

Exam trap

The trap here is that candidates often confuse sensitivity labels with retention labels, or think a DLP policy can apply retention labels, but Microsoft Purview separates these functions: DLP controls data movement, while auto-labeling policies for retention labels handle automatic retention label assignment.

424
MCQmedium

The legal department is investigating a potential data breach involving a specific user. The compliance officer needs to place a hold on all content in the user's Exchange Online mailbox and OneDrive for Business to prevent deletion until the investigation is complete. Which Microsoft Purview solution should the officer use?

A.Content Search
B.eDiscovery (Standard)
C.eDiscovery (Premium)
D.Audit log
AnswerB

eDiscovery (Standard) allows creating cases and placing legal holds on user mailboxes and OneDrive accounts to preserve content.

Why this answer

eDiscovery (Standard) allows you to place a hold on Exchange Online mailboxes and OneDrive for Business sites to preserve content from deletion during an investigation. This hold prevents users and automated processes from permanently deleting items, ensuring data integrity for legal or compliance reviews.

Exam trap

The trap here is that candidates often confuse the search-only capability of Content Search with the preservation functionality of eDiscovery (Standard), or mistakenly think eDiscovery (Premium) is required for holds, when in fact holds are a standard feature of eDiscovery (Standard).

How to eliminate wrong answers

Option A is wrong because Content Search is used to search for content across Microsoft 365 but cannot place a hold to preserve data; it only returns search results. Option C is wrong because eDiscovery (Premium) extends eDiscovery (Standard) with advanced analytics and review sets, but placing a hold is a core feature of eDiscovery (Standard) and does not require Premium. Option D is wrong because Audit log records user and admin activities for forensic analysis but does not prevent deletion of content; it only logs what happened.

425
MCQeasy

You are implementing Microsoft Entra Verified ID. Which identity verification method uses a decentralized identity standard?

A.Decentralized identifiers (DIDs)
B.SAML 2.0
C.OAuth 2.0
D.Federation with Azure AD
AnswerA

DIDs are the core of Verified ID.

Why this answer

Microsoft Entra Verified ID is built on open standards for decentralized identity, specifically using Decentralized Identifiers (DIDs) as defined by the W3C. DIDs enable verifiable, self-sovereign identity without relying on a central authority, which is the core requirement for a decentralized identity verification method. This allows users to control their own identifiers and present verifiable credentials that can be cryptographically verified.

Exam trap

The trap here is that candidates confuse decentralized identity with federation or token-based protocols (SAML, OAuth), which are centralized by design, and fail to recognize that DIDs are the specific W3C standard enabling self-sovereign identity in Verified ID.

How to eliminate wrong answers

Option B is wrong because SAML 2.0 is a centralized federation protocol that relies on a single identity provider (IdP) to assert identity, not a decentralized standard. Option C is wrong because OAuth 2.0 is an authorization framework for token-based access delegation, not an identity verification method or decentralized identity standard. Option D is wrong because federation with Azure AD is a centralized identity management approach that depends on a trusted authority (Azure AD) to manage identities, which contradicts the decentralized, user-controlled model of Verified ID.

426
Multi-Selectmedium

Your organization uses Microsoft Purview Compliance Manager to manage compliance activities. Which TWO actions can be performed directly from Compliance Manager?

Select 2 answers
A.Assign an improvement action to a user.
B.Upload evidence for an improvement action.
C.View and manage DLP alerts.
D.Create a retention policy for Exchange Online.
E.Create a sensitivity label.
AnswersA, B

Assignment is done within Compliance Manager.

Why this answer

Compliance Manager is a solution within Microsoft Purview that provides a centralized dashboard for managing compliance activities. It allows you to assign improvement actions to specific users to track responsibility and progress, and to upload evidence files directly to an improvement action to demonstrate compliance with a control. These are core, direct functions of the Compliance Manager interface.

Exam trap

The trap here is that candidates confuse the Microsoft Purview compliance portal's overall capabilities with the specific, limited set of actions that can be performed directly within the Compliance Manager solution, leading them to select actions that are available elsewhere in the portal but not inside Compliance Manager.

427
MCQmedium

Refer to the exhibit. A user reports that they cannot activate Microsoft 365 Apps. The user has an E3 license assigned and the UsageLocation is set to US. The output shows the license details. What is the most likely cause of the issue?

A.The user's UsageLocation is set to a region where Microsoft 365 Apps is not available.
B.The user's license does not include the Microsoft 365 Apps for enterprise service plan.
C.The tenant has exceeded the maximum number of licensed users.
D.The user has not been assigned a license.
AnswerB

The exhibit does not show that the license includes the Office service plan (e.g., OFFICESUBSCRIPTION).

Why this answer

The exhibit shows that the user has an E3 license assigned, but the license details indicate that the Microsoft 365 Apps for enterprise service plan (commonly represented as 'O365_PRO_PLUS' or 'OFFICESUBSCRIPTION') is not enabled or included in the assigned SKU. Without this specific service plan, the user cannot activate Microsoft 365 Apps, even though the base E3 license is present. The UsageLocation being set to US is valid and does not block activation.

Exam trap

Microsoft often tests the misconception that any E3 license automatically includes all service plans, but in reality, admins can disable individual service plans, and the exam expects you to recognize that the missing service plan is the root cause.

How to eliminate wrong answers

Option A is wrong because the user's UsageLocation is set to US, where Microsoft 365 Apps is fully available, and the exhibit does not indicate any regional restriction. Option C is wrong because the tenant license count is unrelated to an individual user's activation failure; the error would be a global provisioning issue, not a per-user activation problem. Option D is wrong because the exhibit clearly shows that a license is assigned to the user; the issue is that the required service plan within that license is missing.

428
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious LDAP query from a domain controller. After investigating, you determine the query is legitimate. How should you prevent future alerts for this activity?

A.Create a suppression rule for that alert type and entity.
B.Create a custom detection rule to allow the LDAP query.
C.Disable the Defender for Identity sensor on the domain controller.
D.Change the alert severity to Low.
AnswerA

Suppression rules prevent future alerts for that specific activity.

Why this answer

Option A is correct because creating a suppression rule for the specific alert type and entity prevents future false positives. Option C is wrong because disabling the sensor would stop all monitoring on that domain controller. Option D is wrong because changing the alert severity does not suppress the alert.

Option B is wrong because custom detection rules are for creating detections, not for suppressing them.

429
MCQeasy

You need to integrate Microsoft Defender XDR with Microsoft Sentinel for centralized monitoring. Which data connector should you use?

A.Microsoft Defender for Cloud connector
B.Azure Security Center connector
C.Microsoft 365 Defender connector
D.Microsoft Defender XDR connector
AnswerD

This connector ingests incidents from all Defender products.

Why this answer

Option D is correct because the Microsoft Defender XDR connector in Sentinel ingests incidents and alerts from all Defender products. Option C (Microsoft 365 Defender connector) refers to the same connector under its former name; the official name is now Microsoft Defender XDR. Option B (Azure Security Center) is for Azure resources.

Option A (Microsoft Defender for Cloud) is for cloud security posture.

430
MCQeasy

You are configuring Microsoft Purview for your organization. You need to ensure that all external emails are automatically tagged with an 'External' label in the subject line. Which feature should you configure?

A.Anti-phishing policy in Defender for Office 365.
B.Mail flow rule (transport rule) to prepend '[External]' to subject lines.
C.Sensitivity label policy to automatically apply an 'External' label.
D.Data loss prevention (DLP) policy for external emails.
AnswerB

Mail flow rules can modify message properties including subject.

Why this answer

To automatically prepend a text tag like '[External]' to the subject line of all incoming external emails, you must use a Mail flow rule (also known as a transport rule) in Exchange Online. This rule can be configured with the condition 'The sender is located outside the organization' and the action 'Prepend the subject line with the string [External]'. This is the only mechanism that directly modifies the subject line of emails in transit.

Exam trap

The trap here is that candidates confuse the ability to add a visual 'External' tag with sensitivity labels or anti-phishing policies, but only a mail flow rule can directly manipulate the subject line of an email in transit.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policies in Defender for Office 365 add headers like 'X-Forefront-Antispam-Report' or modify the message body with safety tips, but they cannot directly prepend text to the subject line. Option C is wrong because Sensitivity label policies apply labels and encryption/watermarking to content, but they do not modify the subject line of an email; they apply metadata and visual markings to the message body or header, not the subject. Option D is wrong because Data loss prevention (DLP) policies monitor and protect sensitive data based on policy rules, but they cannot prepend text to the subject line; they can block, notify, or apply encryption, but not modify the subject.

431
MCQhard

You are the security administrator for a multinational organization using Microsoft 365 E5. The organization has 10,000 users across three regions: North America, Europe, and Asia. You have deployed Microsoft Defender for Endpoint on all Windows devices and enabled Microsoft Defender for Office 365. Recently, a sophisticated phishing campaign targeted executives in Europe, using a custom domain that closely resembles your legitimate domain (e.g., contoso.com vs. contos0.com). The emails bypassed anti-spam and anti-phishing policies. You need to configure protection to block these impersonation attempts without affecting legitimate emails from the actual domain. You must also ensure that any similar future attempts using different variations are automatically detected. What should you do?

A.Create a Safe Links policy with a block action for URLs containing 'contos0.com'.
B.Enable mailbox intelligence in anti-phishing policies to detect unusual sender behavior.
C.Add the spoofed domain 'contos0.com' to the Tenant Allow/Block List in the Defender for Office 365 portal.
D.Configure an anti-phishing policy to protect against impersonation of your domain, enabling the 'Protect against impersonation of domains I own' setting and adding your legitimate domain to the list of domains to protect.
AnswerD

This leverages Defender's impersonation protection and AI to detect similar domains automatically.

Why this answer

Option D is correct because adding the legitimate domain to the impersonation protection list in the anti-phishing policy protects against look-alike variations, and the policy's impersonation intelligence detects similar domains automatically. Option C is wrong because adding the spoofed domain to the Tenant Allow/Block List would block that specific domain but not future variations. Option A is wrong because a Safe Links policy does not protect against domain impersonation.

Option B is wrong because mailbox intelligence is for user-specific phishing detection, not domain impersonation.

432
MCQmedium

Your organization is implementing Microsoft 365 Copilot. You need to ensure that users' data is protected from being used for training the underlying AI models. What should you configure?

A.Disable Microsoft 365 Copilot for all users
B.Apply Microsoft Purview sensitivity labels to all documents
C.Enable Conditional Access policies to require compliant devices
D.Configure the Microsoft 365 Copilot data protection policy to prevent data from being used for training
AnswerD

This policy explicitly opts out of training.

Why this answer

Option D is correct because Microsoft 365 Copilot includes a data protection policy specifically designed to prevent organizational data from being used to train the underlying AI models. This policy, configured in the Microsoft 365 admin center under Copilot settings, ensures that user prompts, responses, and associated data are not retained or used by Microsoft for model improvement, aligning with the data residency and privacy commitments outlined in the Microsoft Data Protection Addendum (DPA).

Exam trap

The trap here is that candidates often confuse data protection for AI training with general security controls like Conditional Access or sensitivity labels, assuming any security measure will prevent data leakage, when in fact Microsoft provides a specific toggle in the Copilot settings to opt out of training data usage.

How to eliminate wrong answers

Option A is wrong because disabling Microsoft 365 Copilot for all users would prevent the use of the service entirely, but the question asks how to protect data from being used for training while still allowing users to use Copilot; a more granular data protection policy exists. Option B is wrong because applying Microsoft Purview sensitivity labels to documents controls access and classification but does not affect whether Microsoft uses the data for AI model training; sensitivity labels are about governance and protection, not training data exclusion. Option C is wrong because enabling Conditional Access policies to require compliant devices enforces device security and access controls but has no impact on Microsoft's backend data processing or training data usage; it addresses authentication and device compliance, not data privacy for AI training.

433
Multi-Selectmedium

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a PowerShell process with suspicious command-line arguments is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP occurs. Which two advanced hunting tables must be joined in the KQL query?

Select 2 answers
A.DeviceProcessEvents and DeviceNetworkEvents
B.EmailEvents and DeviceNetworkEvents
C.DeviceEvents and DeviceProcessEvents
D.IdentityLogonEvents and DeviceNetworkEvents
AnswersA, C

Correct. These two tables contain the necessary process and network connection data for the scenario.

Why this answer

Option A is correct because the detection rule requires correlating a PowerShell process event (stored in DeviceProcessEvents) with a subsequent outbound network connection to a known malicious IP (stored in DeviceNetworkEvents). Joining these two tables on the device ID and timestamp within a 5-minute window allows the KQL query to identify the specific sequence of process execution followed by network activity, which is the core behavior being monitored.

Exam trap

The trap here is that candidates may confuse DeviceEvents (which sounds like it covers all events) with the specific process and network tables, or incorrectly assume EmailEvents or IdentityLogonEvents are relevant to endpoint-based detection rules, when in fact only DeviceProcessEvents and DeviceNetworkEvents contain the precise telemetry needed for process-to-network correlation.

434
Multi-Selecthard

Which THREE of the following are required to configure Microsoft Entra ID Governance for automated user provisioning to a third-party SaaS application? (Select three.)

Select 3 answers
A.Assign the access package to a catalog
B.Create an access package in entitlement management
C.Set up Microsoft Entra Connect Sync for the application
D.Migrate from Azure AD Connect to Azure AD Connect cloud sync
E.Install and configure a provisioning agent in your on-premises environment
AnswersA, B, E

Catalogs organize access packages.

Why this answer

Option A is correct because access packages must be assigned to a catalog in Microsoft Entra ID Governance to define which resources (like the third-party SaaS application) are available for automated provisioning. The catalog acts as a container that groups related resources and access policies, enabling entitlement management to govern provisioning requests.

Exam trap

The trap here is that candidates confuse directory synchronization tools (like Entra Connect Sync or cloud sync) with the provisioning service used for SaaS applications, mistakenly thinking that syncing on-premises users is required for cloud app provisioning, when in fact the provisioning service works independently of the sync method.

435
Multi-Selecteasy

Your company uses Microsoft 365 Business Premium. You need to configure Microsoft Entra ID Protection to automatically remediate risks. Which TWO risk remediation actions can be configured?

Select 2 answers
A.Block licensing assignments for users with high risk.
B.Configure session timeout for risky sessions.
C.Force password change for users with high user risk.
D.Block sign-in for users with high sign-in risk.
E.Require MFA for sign-in risk above a threshold.
AnswersD, E

Blocking sign-in is a valid remediation.

Why this answer

Option D is correct because Microsoft Entra ID Protection allows you to configure an automated policy to block sign-ins when the sign-in risk level is assessed as high. This policy directly remediates the risk by preventing the authentication attempt from succeeding, thereby protecting the account from potential compromise.

Exam trap

The trap here is that candidates often confuse 'user risk' remediation (which does not have a native automatic action) with 'sign-in risk' remediation, leading them to incorrectly select password change or session timeout options that are not directly configurable as automatic risk remediation actions in Entra ID Protection.

436
MCQhard

Your company is deploying Microsoft 365 Copilot. You need to ensure that users can use Copilot in Word, Excel, and PowerPoint. The licensing is in place. However, you are concerned about data leakage. You want to ensure that Copilot does not use sensitive organizational data when generating content. What should you configure in Microsoft 365?

A.Create and assign sensitivity labels with encryption to sensitive documents, and ensure Copilot respects these labels.
B.Configure a data loss prevention (DLP) policy to block Copilot from accessing sensitive data.
C.Use the Microsoft Purview compliance portal to restrict Copilot data access.
D.Disable Copilot for users who handle sensitive data.
AnswerA

Copilot respects sensitivity labels and will not use labeled content.

Why this answer

Option A is correct because Microsoft 365 Copilot respects sensitivity labels that are applied to documents. By creating and assigning sensitivity labels with encryption to sensitive documents, you can prevent Copilot from using that content as source material when generating responses. This is configured via Microsoft Purview Information Protection, where labels can include encryption settings that Copilot will honor, ensuring data leakage is mitigated without blocking Copilot functionality entirely.

Exam trap

The trap here is that candidates often confuse DLP policies with data access controls, assuming DLP can block Copilot from reading data, when in fact DLP only monitors and prevents data exfiltration, not data consumption by internal services.

How to eliminate wrong answers

Option B is wrong because DLP policies are designed to prevent data from being shared or exfiltrated, but they do not control which data Copilot can access or use as context; DLP policies cannot block Copilot from reading sensitive data within the tenant. Option C is wrong because the Microsoft Purview compliance portal is a management interface for various compliance features, not a specific setting to restrict Copilot data access; there is no single toggle or policy there to directly limit Copilot's data sources. Option D is wrong because disabling Copilot for users who handle sensitive data is an overly broad approach that prevents those users from using Copilot at all, rather than selectively controlling which data Copilot can use, and it does not address the requirement to allow Copilot usage while preventing data leakage.

437
MCQ · hard

Your Microsoft 365 tenant has 50,000 users. You are planning to migrate mailboxes from on-premises Exchange Server 2019 to Exchange Online using a full hybrid configuration. During the migration, you must ensure that free/busy information is synchronized between on-premises and Exchange Online. Which component is required for free/busy synchronization in a hybrid deployment?

A. Exchange Hybrid Server (or Hybrid Agent)
B. Azure AD Connect
C. Exchange Online connector (Outbound to on-premises)
D. Hybrid Configuration Wizard
Answer: A

The Hybrid Server handles free/busy requests between on-premises and Exchange Online.

Why this answer

In a full hybrid configuration, free/busy synchronization between on-premises Exchange and Exchange Online is handled by the Exchange Hybrid Server (or the newer Hybrid Agent). This component acts as a bridge, using the Exchange Web Services (EWS) and Autodiscover service to securely relay free/busy data between the two organizations. Without it, the Availability service cannot query the remote forest for calendar information.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (which handles identity sync) with the Exchange-specific component needed for calendar data, or they mistakenly think the Hybrid Configuration Wizard itself performs the runtime synchronization rather than just configuring it.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect synchronizes identity objects (users, groups) and passwords, not mailbox-level free/busy data; free/busy requires Exchange-specific service endpoints. Option C is wrong because an Exchange Online connector (Outbound to on-premises) is used for mail flow routing, not for free/busy queries; free/busy relies on the Availability service and EWS, not SMTP connectors. Option D is wrong because the Hybrid Configuration Wizard is a tool that configures the hybrid deployment settings (including the Hybrid Server), but it is not the component that actually performs free/busy synchronization; the wizard enables the necessary configuration, but the Hybrid Server itself handles the runtime data exchange.

438
MCQ · medium

A company has a Microsoft 365 tenant with domain contoso.com. They own an additional domain fabrikam.com and have already added and verified it with a TXT record. Now they need to configure email to be routed to Exchange Online for fabrikam.com. Which DNS record must they create?

A. MX record pointing to contoso-com.mail.protection.outlook.com
B. CNAME record for autodiscover
C. TXT record for SPF
D. SRV record for SIP
Answer: A

The MX record directs email for the domain to Exchange Online.

Why this answer

To route email for fabrikam.com to Exchange Online, you must create an MX record that points to the Exchange Online mail exchanger. The correct target is contoso-com.mail.protection.outlook.com, where 'contoso-com' is the hashed version of the primary domain (contoso.com) used by Microsoft 365. This MX record tells the internet's mail servers to deliver messages addressed to @fabrikam.com into the tenant's Exchange Online environment.

Exam trap

The trap here is that candidates often think they need to create an MX record pointing to 'fabrikam-com.mail.protection.outlook.com' (using the added domain), but Microsoft 365 always uses the primary domain's hashed value in the MX target regardless of which domain's email is being routed.

How to eliminate wrong answers

Option B is wrong because a CNAME record for autodiscover is used to automatically configure Outlook clients with Exchange Online settings, not to route email delivery. Option C is wrong because a TXT record for SPF is used to authorize sending servers and prevent spoofing, not to direct inbound email flow. Option D is wrong because an SRV record for SIP is used for VoIP and unified communications (Skype for Business/Teams), not for email routing.

439
Multi-Select · easy

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in email messages. Which TWO features should you configure?

Select 2 answers
A. Anti-phish policy
B. Safe Links
C. Safe Attachments
D. Spam filter policy
E. Safe Links for Office 365 apps
Answers: B, E

Protects users from malicious links.

Why this answer

Options B and C are correct because Safe Links protects users from malicious links in email and Office apps. Option A is wrong because Safe Attachments protects attachments, not links. Option D is wrong because Anti-phish policy protects against phishing attempts, but not specifically links.

Option E is wrong because Spam filter deals with spam, not malicious links.

440
MCQ · easy

A global administrator wants to track service health issues and configure notifications for service incidents. Which portal should they use to view the current health status and set up email notifications?

A. Microsoft 365 admin center
B. Azure portal
C. Microsoft 365 Defender portal
D. Microsoft Purview compliance portal
Answer: A

The Service Health page in the Microsoft 365 admin center displays the health of Microsoft 365 services and allows configuration of notifications.

Why this answer

The Microsoft 365 admin center provides the Service Health dashboard under Health > Service Health, which displays the current status of all Microsoft 365 services and allows administrators to configure email notifications for service incidents. This is the designated portal for managing tenant-wide service health and notifications, aligning with the role of a global administrator.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center with the Azure portal for service health, because Azure also has a Service Health blade, but it only covers Azure services, not Microsoft 365 services like Exchange Online or Teams.

How to eliminate wrong answers

Option B is wrong because the Azure portal is used for managing Azure services and resources, not for Microsoft 365 service health or email notifications; it lacks the Service Health dashboard for Microsoft 365. Option C is wrong because the Microsoft 365 Defender portal focuses on security threats, incidents, and alerts (e.g., from Microsoft Defender for Office 365), not on service health incidents or email notifications for service availability. Option D is wrong because the Microsoft Purview compliance portal is dedicated to data governance, compliance, and eDiscovery, not to tracking service health or configuring notifications for service incidents.

441
MCQ · medium

Your organization uses Microsoft Entra ID P2 licensing. You need to ensure that when a user's risk level is detected as 'high' by Identity Protection, the user is automatically required to perform a password change during their next sign-in. Which conditional access policy configuration should you use?

A. Assign 'Sign-in risk policy' with session control 'Sign-in frequency'
B. Assign 'User risk policy' with grant 'Require password change'
C. Assign 'User risk policy' with grant 'Require multifactor authentication'
D. Assign 'User risk policy' with grant 'Block access'
Answer: B

The 'Require password change' control forces the user to change their password.

Why this answer

Option B is correct because the 'Require password change' grant control is the specific control for high-risk users to change their password. Option A is wrong because 'Require multifactor authentication' does not force a password change. Option C is wrong because 'Require password change' is not a session control.

Option D is wrong because blocking sign-in does not allow a password change.

442
MCQ · easy

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook. Which identity solution should you configure?

A. External identities
B. Microsoft Entra B2B collaboration
C. Managed identities
D. Microsoft Entra Identity Protection
Answer: A

External identities support social identity providers like Google and Facebook.

Why this answer

External identities in Microsoft Entra ID allow you to configure identity providers such as Google and Facebook, enabling users to sign in with their existing social media accounts. This is achieved by setting up federation with OAuth 2.0 and OpenID Connect protocols, which is the correct solution for the scenario described.

Exam trap

The trap here is that candidates often confuse 'External identities' (which includes social identity providers) with 'B2B collaboration' (which is for guest users from other organizations), leading them to select B2B collaboration incorrectly.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is specifically for inviting external business partners (guests) from other Azure AD tenants or email domains, not for federating with social identity providers like Google or Facebook. Option C is wrong because managed identities are used to provide Azure resources with an automatically managed identity in Azure AD for authenticating to other Azure services, not for external user sign-in. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats, not a federation solution for social identity providers.

443
MCQ · medium

A company has a Microsoft 365 E5 subscription. The security team requires that all guest users accept terms of use before accessing resources. Which Azure AD feature should be configured?

A. Azure AD Terms of Use
B. Conditional Access policy
C. Azure AD Identity Protection
D. Self-service password reset
Answer: A

Azure AD Terms of Use lets you create a terms-of-use document and require users to accept it.

Why this answer

Azure AD Terms of Use (ToU) is the correct feature because it allows administrators to present a document to guest users that they must accept before accessing resources. This directly meets the security team's requirement for mandatory terms of use acceptance. Conditional Access policies can enforce ToU acceptance, but the ToU document itself is created and managed under the Azure AD Terms of Use blade.

Exam trap

The trap here is that candidates often confuse the 'Terms of Use' feature with 'Conditional Access policies' because Conditional Access is the enforcement mechanism, but the question specifically asks which feature should be configured to have the terms of use document itself, not the policy that enforces it.

How to eliminate wrong answers

Option B (Conditional Access policy) is wrong because while a Conditional Access policy can enforce the requirement to accept Terms of Use, it is not the feature that creates or hosts the terms of use document; the Terms of Use feature is the prerequisite. Option C (Azure AD Identity Protection) is wrong because it is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), not to enforce terms of use acceptance. Option D (Self-service password reset) is wrong because it allows users to reset their own passwords and does not involve presenting or accepting terms of use.

444
Multi-Select · hard

A security administrator is configuring Microsoft Defender for Endpoint (MDE) to automatically remediate threats. The administrator wants to ensure that when a high-severity alert is triggered, the affected device is isolated from the network. Which three components must be configured to achieve this? (Choose three.)

Select 3 answers
A. Alert severity
B. Automation level
C. Device tag
D. Indicator of compromise (IoC)
E. Device isolation action
Answers: A, B, E

Alert severity triggers the automation.

Why this answer

Options B, C, and D are correct. Automation levels define the response action. Device isolation is an action that can be automated.

Alert severity sets the trigger. Option A is wrong because indicator of compromise (IoC) is for blocking, not automation. Option E is wrong because a tag is for grouping, not automation.

445
MCQ · hard

Your company uses Microsoft Defender XDR and Microsoft Defender for Identity. You have detected that a domain controller is communicating with a known malicious IP address. You need to immediately contain the threat by isolating the domain controller from the network while preserving forensic data. However, you cannot afford downtime for authentication services. What should you do?

A. Create a conditional access policy to block the domain controller.
B. Use Microsoft Defender for Endpoint to isolate the domain controller.
C. In Microsoft Defender for Identity, configure a network protection policy to block communication to the malicious IP.
D. Block the IP address at the network firewall.
Answer: C

Correct: Blocks only malicious traffic, preserving authentication.

Why this answer

Option B is correct because Microsoft Defender for Identity can automatically suspend the domain controller's communications to the malicious IP via network protection policies without isolating the entire device. Option A is wrong because isolation would block all network traffic, including authentication. Option C is wrong because blocking in the firewall may not be immediate and could affect other services.

Option D is wrong because conditional access does not apply to domain controllers.

446
Multi-Select · hard

Your organization uses Microsoft Entra ID and has a hybrid identity configuration with Active Directory Federation Services (AD FS). You are migrating to cloud authentication using Pass-through Authentication (PTA). Which TWO components are required for a PTA deployment?

Select 2 answers
A. Service Bus endpoints in Azure
B. Password Hash Synchronization agent
C. Azure AD Connect Health agent
D. Seamless Single Sign-On
E. Pass-through Authentication Agent
Answers: A, E

The PTA Agent uses Service Bus to communicate with Azure AD.

Why this answer

Pass-through Authentication (PTA) requires the PTA Agent to be installed on-premises to validate user passwords against Active Directory. It also uses Azure Service Bus endpoints to establish a secure, persistent connection between the on-premises agent and Microsoft Entra ID, enabling authentication requests to flow without storing passwords in the cloud.

Exam trap

The trap here is that candidates often confuse the required components for PTA with those for PHS or Seamless SSO, mistakenly including the Password Hash Synchronization agent or Seamless SSO as mandatory for PTA.

447
MCQ · easy

Your company is implementing Microsoft Purview Audit (Standard). You need to search for activities performed by a specific user in Exchange Online. Which log should you query?

A. Unified audit log.
B. DLP incident reports.
C. Azure AD audit logs.
D. Mailbox audit logs only.
Answer: A

The unified audit log contains all service activities.

Why this answer

Audit (Standard) records all user and admin activities in Exchange Online. The unified audit log is the correct source. Option A is incorrect because Azure AD audit logs are for identity activities.

Option C is incorrect because DLP reports are for DLP matches. Option D is incorrect because Mailbox audit logs are a subset but unified audit log is the comprehensive source.

448
MCQ · easy

You are configuring Microsoft Entra ID for a new organization. You need to ensure that users can reset their own passwords through self-service password reset. Which licensing is required?

A. Microsoft Entra ID Free
B. Microsoft Entra ID P2
C. Microsoft Entra ID P1
D. Microsoft 365 Business Basic
Answer: C

P1 includes SSPR and password writeback for on-premises users.

Why this answer

Microsoft Entra ID P1 includes the Self-Service Password Reset (SSPR) feature, which allows users to reset their own passwords without administrator intervention. This licensing tier provides the necessary Azure AD Premium P1 capabilities, such as group-based licensing and conditional access, that underpin SSPR. Entra ID Free does not include SSPR, and Entra ID P2, while also including SSPR, is not required for this functionality.

Exam trap

The trap here is that candidates often confuse SSPR availability with Microsoft 365 Business Basic, assuming it includes premium features, or mistakenly think only Entra ID P2 can provide SSPR, overlooking that P1 is sufficient.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Free does not include Self-Service Password Reset; it only supports basic directory features and manual password resets by administrators. Option B is wrong because Microsoft Entra ID P2 includes SSPR but is a higher-tier license that adds advanced features like Identity Protection and Privileged Identity Management, which are not required for SSPR alone. Option D is wrong because Microsoft 365 Business Basic does not include Azure AD Premium P1 or P2 licenses; it only provides Entra ID Free capabilities, so SSPR is not available.

449
Matching · medium

Match each Microsoft 365 compliance feature to its purpose.

Descriptions

Prevents sensitive data from being shared

Searches and exports content for legal cases

Keeps or deletes content based on rules

Classifies and protects data

Records user and admin activities

Why these pairings

These are key compliance features in Microsoft 365.

450
MCQ · hard

Your organization has deployed Microsoft Defender for Cloud Apps. You need to ensure that all external file sharing to untrusted domains is automatically blocked. The solution must not affect internal sharing. What should you configure?

A. Create an access policy in Microsoft Defender for Cloud Apps to block access from untrusted domains.
B. Create a file policy in Microsoft Defender for Cloud Apps with a governance action to remove external users.
C. Configure an app connector for the cloud app to enforce DLP policies.
D. Create a session policy in Microsoft Defender for Cloud Apps to monitor external sharing.
Answer: B

File policies can automatically remove external users from shared files based on domain conditions.

Why this answer

Option A is correct because file policies in Defender for Cloud Apps can detect and automatically block sharing to untrusted domains. Option B is wrong because session policies control real-time access but do not automatically block file sharing. Option C is wrong because access policies control access conditions but not file sharing actions.

Option D is wrong because app connectors provide visibility but do not enforce automatic blocking of file sharing.
