Microsoft 365 Administrator MS-102 (MS-102) — Questions 451–525

975 questions total · 13 pages · All types, answers revealed

Page 7 of 13
451
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Purview Data Lifecycle Management policy. A document labeled 'Personal Data' also contains EU_Deceased_Data. What is the retention outcome for this document?

A.The document is retained for 365 days, then deleted.
B.The document is deleted after 90 days.
C.The document is retained indefinitely because of conflicting rules.
D.The document is deleted immediately because it contains sensitive data.
AnswerA

Retention rules take precedence over deletion rules.

Why this answer

The policy has two rules. The first retains content for 365 days when the sensitivity label is 'Personal Data'. The second deletes content after 90 days when it contains the EU_Deceased_Data sensitive information type.

When both conditions match the same document, Microsoft Purview resolves the conflict with its precedence rules: retention wins over deletion, and the longest retention period wins. The document is therefore kept for 365 days and deleted at the end of that period (retain-then-delete). Option B is incorrect because the 90-day delete rule is overridden by the retain rule. Option D is incorrect because matching sensitive content never causes immediate deletion; the retain rule applies.

Option C is incorrect because the rules are not mutually exclusive; both conditions are evaluated, and the conflict is resolved by precedence, not by retaining indefinitely.

452
MCQmedium

Your organization uses Microsoft 365 Defender. You need to ensure that when a user reports a phishing email via the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. What should you configure?

A.Configure a mail flow rule to forward reported messages to Microsoft
B.Configure User Reported Settings in the Microsoft 365 Defender portal
C.Create a submission policy in the Microsoft 365 Defender portal
D.Enable Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Teams
AnswerB

User reported settings control where user-reported messages go (to Microsoft, to a reporting mailbox, or both) and whether the reporting user receives a result notification.

Why this answer

Option B is correct because the User reported settings page in the Microsoft 365 Defender portal (Settings > Email & collaboration > User reported settings) is where you choose to send user-reported messages to Microsoft for analysis automatically and enable the result notification emails sent back to the reporting user. Option A is wrong because a mail flow rule can only redirect or copy the reported message to a mailbox; it does not submit the message to Microsoft for analysis or notify the user. Option C is wrong because there is no 'submission policy'; admin submissions are a manual action, not an automatic pipeline fed by user reports.

Option D is wrong because Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (the former ATP feature) scans files stored in those services and has nothing to do with user-reported email.

453
MCQhard

Your organization has a hybrid identity setup with Azure AD Connect. You need to ensure that users can reset their passwords from the cloud and have the changes synchronized back to on-premises Active Directory. Which feature must you enable?

A.Password writeback.
B.Seamless single sign-on.
C.Pass-through authentication.
D.Password hash synchronization.
AnswerA

Password writeback enables cloud-originated password resets to sync to on-premises AD.

Why this answer

Password writeback is the Azure AD Connect feature that enables password changes performed in the cloud (e.g., via Azure AD SSPR) to be written back to on-premises Active Directory. This ensures the on-premises password stays synchronized with the cloud, which is required for hybrid identity scenarios where users reset passwords from the cloud.

Exam trap

The trap here is that candidates often confuse password hash synchronization (which only syncs one-way) with password writeback (which enables cloud-to-on-premises password changes), leading them to select password hash synchronization as the answer.

How to eliminate wrong answers

Option B (Seamless single sign-on) is wrong because it provides automatic sign-in for domain-joined devices on the corporate network, not password synchronization or writeback. Option C (Pass-through authentication) is wrong because it validates passwords directly against on-premises AD without storing password hashes in the cloud, and it does not support writing password changes back to on-premises AD. Option D (Password hash synchronization) is wrong because it only synchronizes password hashes from on-premises to Azure AD; it does not write password changes from the cloud back to on-premises AD.

454
Multi-Selecthard

You are designing a Microsoft Entra ID governance strategy. Which THREE features should you use to implement the principle of least privilege for administrative roles?

Select 3 answers
A.Microsoft Entra Lifecycle Workflows
B.Privileged Access Groups
C.Microsoft Entra Entitlement Management
D.Microsoft Entra Privileged Identity Management (PIM)
E.Microsoft Entra Access Reviews
AnswersB, D, E

Privileged Access Groups (now PIM for Groups) make group membership eligible rather than permanent, so the membership, and any roles the group holds, is granted only through a time-bound PIM activation.

Why this answer

Privileged Access Groups (B) let you make users eligible for membership in a role-assignable group, so the Entra roles and other resources assigned to that group are granted only after a time-bound, optionally approval-gated activation. PIM (D) does the same for direct role assignments and enforces activation limits, MFA, and justification. Access Reviews (E) periodically recertify who still needs the eligibility and remove access that has outlived its purpose. All three reduce standing administrative privilege, which is what least privilege for admin roles means in practice.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages for end users) with Privileged Access Groups (which specifically control administrative role activation), leading them to select Option C instead of B.
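As an added example (not part of the original question set), the following PowerShell makes a user eligible for Global Administrator through PIM instead of granting a standing assignment, then checks that no permanent active assignment remains. It calls the documented roleEligibilityScheduleRequests endpoint through Invoke-MgGraphRequest; the user UPN and the eligibility duration are assumptions, and the role template ID is the well-known Global Administrator value.

```powershell
# Added example: PIM eligibility for Global Administrator via Microsoft Graph (not from the original page).
# Requires the Microsoft.Graph PowerShell SDK; the signed-in admin needs
# RoleEligibilitySchedule.ReadWrite.Directory. The UPN and the duration below are assumptions.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","RoleManagement.Read.Directory","User.Read.All"

$userUpn      = "alex.admin@contoso.com"                     # assumption: the admin who should be eligible
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"       # well-known Global Administrator role template ID
$user         = Get-MgUser -UserId $userUpn -Property Id

# Eligibility, not assignment: the user must activate through PIM (MFA / justification / approval per role settings)
$request = @{
    action           = "adminAssign"
    justification    = "On-call tenant admin; activation is time-bound and audited by PIM"
    roleDefinitionId = $gaTemplateId
    directoryScopeId = "/"                                   # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # assumption: eligibility lapses after 180 days unless renewed, which is where an access review fits
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests" `
    -Body ($request | ConvertTo-Json -Depth 5) -ContentType "application/json" | Out-Null

# Check 1: the eligibility now exists for this principal and role
$elig = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules?`$filter=principalId eq '$($user.Id)' and roleDefinitionId eq '$gaTemplateId'"
"Eligible Global Administrator schedules for $userUpn : $($elig.value.Count)"

# Check 2: least privilege means no *standing* Global Administrator assignment for this user.
# roleAssignments lists active assignments: permanent ones and currently activated PIM ones.
$active = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?`$filter=principalId eq '$($user.Id)' and roleDefinitionId eq '$gaTemplateId'"
if ($active.value.Count -gt 0) {
    Write-Warning "$userUpn still holds an active Global Administrator assignment; remove it so only the PIM-eligible path remains."
}
```

For group-based eligibility (option B) the same request shape is posted to /identityGovernance/privilegedAccess/group/eligibilityScheduleRequests with accessId "member" and the group ID. Note that role-assignable groups cannot use dynamic membership, so their members have to be managed explicitly or through entitlement management.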

455
MCQmedium

Refer to the exhibit. You have a Conditional Access policy as shown. A Global Administrator reports that they are not prompted for MFA when accessing the Azure portal. Which is the most likely reason?

A.The Global Administrator role is not included in the policy.
B.The user is accessing from a trusted IP address.
C.The policy does not include the Azure portal as a target cloud app.
D.The policy is in Report-only mode.
AnswerC

The answer key treats the Azure portal as not being covered by the policy's target cloud apps, which are only 'Office 365 Exchange Online' and 'Microsoft Azure Management'.

Why this answer

The policy's target cloud apps are only 'Office 365 Exchange Online' and 'Microsoft Azure Management'. Per the answer key, the Global Administrator is not prompted because the Azure portal is not included as a target app, so the policy never applies to that sign-in. Option A is less likely because the exhibit includes the Global Administrator role; a missing role would otherwise be the first thing to check. Option B requires a trusted-location exclusion that the exhibit does not show. Option D (report-only mode) would be visible in the policy's state in the exhibit.

Practitioner caveat: in Microsoft Entra ID the 'Microsoft Azure Management' app (Windows Azure Service Management API) does cover the Azure portal, together with Azure PowerShell, Azure CLI and the Resource Manager API, so a policy targeting it normally prompts on portal sign-in. When an admin is not prompted, the authoritative check is the sign-in log entry's Conditional Access tab, which lists every policy evaluated and why each was or was not applied (for example, a break-glass account or trusted-location exclusion, or a policy left in report-only mode).

456
MCQeasy

Your organization needs to create a custom domain in Microsoft 365. You have added the domain 'contoso.com' to the tenant. What is the next step to verify domain ownership?

A.Create user accounts with the custom domain.
B.Configure the email exchange (MX) record.
C.Assign licenses to users with the custom domain.
D.Add a TXT record to the public DNS zone.
AnswerD

Domain verification typically requires adding a TXT record with a verification code.

Why this answer

After adding a custom domain to a Microsoft 365 tenant, the next mandatory step is to prove ownership of the domain by adding a specific TXT record provided by Microsoft to the domain's public DNS zone. Microsoft queries this TXT record to verify that you control the domain before allowing you to use it for services like email or user accounts. This verification step is required by Microsoft's domain onboarding process and must succeed before any other configuration can proceed.

Exam trap

The trap here is that candidates often confuse domain verification (TXT record) with domain configuration (MX record), mistakenly thinking that setting up email routing is the immediate next step after adding the domain.

How to eliminate wrong answers

Option A is wrong because creating user accounts with the custom domain requires the domain to be verified first; attempting to assign a non-verified domain to users will fail. Option B is wrong because configuring the MX record is part of setting up email routing after domain verification, not a step to prove ownership. Option C is wrong because assigning licenses to users with the custom domain also depends on the domain being verified; licenses cannot be applied to unverified domains.
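As an added example (not from the original question set), the following PowerShell fetches the verification TXT record Microsoft expects for a domain, confirms that public DNS already serves it, and only then asks Microsoft 365 to verify the domain. The domain name is an assumption; the script uses the Microsoft.Graph SDK and, for the DNS check, the Windows Resolve-DnsName cmdlet.

```powershell
# Added example (not from the original page): verify a custom domain in Microsoft 365 with a DNS pre-check.
# Requires the Microsoft.Graph PowerShell SDK and, for Resolve-DnsName, Windows (DnsClient module).
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "contoso.com"   # assumption: a domain already added to the tenant but still unverified

# 1. What Microsoft wants to see. The TXT value is a type-specific property (domainDnsTxtRecord.text),
#    which the SDK exposes through AdditionalProperties.
$expected = Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object { $_.RecordType -eq "Txt" } |
    ForEach-Object { $_.AdditionalProperties["text"] }
"Expected TXT value(s): $($expected -join ', ')"

# 2. What the public zone actually answers. Query a public resolver so split-horizon DNS cannot fool you.
$published = Resolve-DnsName -Name $domain -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq "TXT" } |
    ForEach-Object { $_.Strings -join "" }

$missing = $expected | Where-Object { $_ -notin $published }
if ($missing) {
    Write-Warning "Not yet published (propagation or wrong zone?): $($missing -join ', ')"
    return
}

# 3. Ask Microsoft 365 to verify ownership (POST /domains/{id}/verify). This succeeds only when Microsoft's
#    own resolvers see the record, so a 'record not found' error here usually means propagation is incomplete.
$result = Confirm-MgDomain -DomainId $domain
"IsVerified: $($result.IsVerified)"
```

Do not delete the verification TXT record after the domain is verified; Microsoft may re-check it, and the record is harmless.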

457
MCQmedium

You are reviewing an ARM template that will be used to deploy a storage account for a Microsoft 365 migration project. The template includes 'supportsHttpsTrafficOnly': true. What is the primary benefit of this setting?

A.It enforces secure transfer (HTTPS) for all requests to the storage account.
B.It reduces latency by enabling CDN integration.
C.It enables geo-redundant storage.
D.It minimizes storage costs by reducing bandwidth usage.
AnswerA

This setting blocks HTTP requests, requiring HTTPS.

Why this answer

Setting 'supportsHttpsTrafficOnly' to true enforces secure transfer by requiring all requests to the storage account to use HTTPS (TLS). This ensures data in transit is encrypted, protecting against man-in-the-middle attacks and eavesdropping. It is a critical security control for compliance with standards like PCI-DSS and HIPAA.

Exam trap

The trap here is that candidates may confuse 'supportsHttpsTrafficOnly' with performance or redundancy features, but it is purely a security control for enforcing encrypted transport.

How to eliminate wrong answers

Option B is wrong because enabling HTTPS-only does not reduce latency or enable CDN integration; CDN integration is configured separately via Azure CDN profiles. Option C is wrong because geo-redundant storage (GRS) is controlled by the 'sku.name' property (e.g., Standard_GRS), not by the HTTPS setting. Option D is wrong because HTTPS-only does not minimize storage costs; bandwidth usage is unaffected by the protocol, and HTTPS may add slight overhead due to TLS handshake.
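As an added example (not from the original question set), the following PowerShell audits every storage account in the current subscription for the weak state (cleartext HTTP accepted, or TLS 1.0/1.1 negotiable) and brings them to the same state the ARM properties 'supportsHttpsTrafficOnly': true and 'minimumTlsVersion': 'TLS1_2' describe. It uses the Az PowerShell module; the subscription is whatever Connect-AzAccount selects.

```powershell
# Added example (not from the original page): find and fix storage accounts that allow cleartext or old TLS.
# Requires the Az PowerShell module (Az.Storage).
Connect-AzAccount | Out-Null

# Weak state: EnableHttpsTrafficOnly false (HTTP accepted) or MinimumTlsVersion unset/old (TLS 1.0 negotiable).
# These are the PowerShell views of the ARM properties supportsHttpsTrafficOnly and minimumTlsVersion.
$weak = Get-AzStorageAccount | Where-Object {
    -not $_.EnableHttpsTrafficOnly -or $_.MinimumTlsVersion -ne "TLS1_2"
}
$weak | Format-Table StorageAccountName, ResourceGroupName, EnableHttpsTrafficOnly, MinimumTlsVersion -AutoSize

foreach ($sa in $weak) {
    # Corrected state. Clients still using http:// or TLS 1.0/1.1 will start failing, so confirm with the
    # owners (or check the account's metrics for HTTP requests) before running this outside a change window.
    Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null
}

# Verify: the count of accounts still accepting HTTP should now be zero
(Get-AzStorageAccount | Where-Object { -not $_.EnableHttpsTrafficOnly }).Count
```

The HTTPS-only flag and the minimum TLS version are separate settings; a template that sets only supportsHttpsTrafficOnly still permits a TLS 1.0 handshake unless minimumTlsVersion is set as well.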

458
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user opens a malicious Office document, which launches a process named cmd.exe from Microsoft Word, and then that cmd.exe process makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?

Select 2 answers
A.EmailEvents and EmailUrlInfo
B.DeviceProcessEvents and DeviceNetworkEvents
C.DeviceEvents and DeviceLogonEvents
D.DeviceProcessEvents and DeviceRegistryEvents
AnswerB

DeviceProcessEvents tracks process creation; DeviceNetworkEvents tracks outbound network connections.

Why this answer

Option B is correct because the detection rule requires tracking the process creation (cmd.exe launched from Microsoft Word) and the subsequent network connection from that process to a malicious IP. DeviceProcessEvents captures process creation events, including parent-child relationships, while DeviceNetworkEvents captures outbound network connections and identifies the initiating process. Joining the tables on DeviceId, on ProcessId (left) to InitiatingProcessId (right), and on ProcessCreationTime to InitiatingProcessCreationTime correlates the specific cmd.exe instance with its network activity; the creation-time match matters because process IDs are reused. Option D is wrong because registry telemetry plays no part in this chain.

Exam trap

The trap here is that candidates may confuse the tables needed for process-level network correlation with those for email or registry events, leading them to select options that capture unrelated telemetry (e.g., email links or registry changes) instead of the precise process-to-network chain.

459
MCQhard

You are analyzing a custom detection rule in Microsoft Defender XDR. The rule is designed to alert on suspicious PowerShell execution. However, you notice that the rule is not triggering alerts even though you know such activity is occurring. What is the most likely reason?

A.The query syntax is invalid; 'has_any' requires a dynamic array.
B.The custom detection rule is not enabled.
C.The severity is set to Medium, which may be suppressed by other policies.
D.The rule only looks back 7 days, and the activity occurred more than 7 days ago.
AnswerA

The form the explanation expects is has_any (dynamic([...])).

Why this answer

Option A is correct per the answer key: the rule's query uses has_any with an argument that is not a valid list, so the query fails and the rule produces no alerts. A valid form is has_any (dynamic(["powershell.exe", "cmd.exe"])). Option D (activity older than 7 days) does not explain the problem, since the activity is known to be current.

Option C (Medium severity) does not suppress alerts; severity only affects triage. Option B (rule not enabled) is possible but is ruled out once the syntax error is found.

Practitioner caveat: KQL's has_any also accepts a comma-separated list of literals in parentheses, has_any ("powershell.exe", "cmd.exe"), so not every non-dynamic form is invalid. Run the query in Advanced Hunting before saving it as a rule; the portal will not save a custom detection whose query fails to run, so a saved rule that has stopped alerting is more often disabled, scoped to the wrong device groups, or filtering on a column its data never populates.
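As an added example serving both question 458 (the process-to-network join) and question 459 (the has_any forms), the following PowerShell wraps a hunting query for the Word > cmd.exe > malicious-IP chain and runs it through the Microsoft Graph runHuntingQuery endpoint, so it can be tested before being saved as a custom detection. This is not code from the original question set; the indicator list is constructed from RFC 5737 test addresses, and the Graph permission ThreatHunting.Read.All is the documented one for this endpoint.

```powershell
# Added example (not from the original page): run a hunting query through Microsoft Graph before turning it
# into a custom detection rule. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

$query = @'
// Constructed indicator list (test-net addresses); in production pull this from a TI feed or watchlist.
let badIps = dynamic(["203.0.113.10", "198.51.100.7"]);
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// has_any accepts either a dynamic array (officeApps) or a literal list in parentheses (next line).
| where InitiatingProcessFileName has_any (officeApps)
| where FileName has_any ("cmd.exe", "powershell.exe")
| project DeviceId, DeviceName, Timestamp, ReportId, AccountName,
          ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName
// Join key: same device, same PID, AND the same process creation time, because PIDs are reused and a
// DeviceId/ProcessId join alone can attach another process's connections to this cmd.exe.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP in (badIps)          // exact match is the right operator for IP strings
    | project DeviceId, NetTimestamp = Timestamp, RemoteIP, RemotePort,
              InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceId,
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| where NetTimestamp between (Timestamp .. (Timestamp + 15m))
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine, RemoteIP, RemotePort, NetTimestamp
'@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $query } -ContentType "application/json"

# A custom detection rule needs Timestamp, ReportId and DeviceId in the output; the final projection keeps them.
"$($response.results.Count) matching process/network pairs"
$response.results | Format-Table DeviceName, AccountName, ProcessCommandLine, RemoteIP, NetTimestamp -AutoSize
```

Once the query returns the expected rows here, the same text can be pasted into the custom detection wizard; if it does not run here, the wizard will refuse it too.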

460
MCQmedium

You need to delegate the ability to reset user passwords in Microsoft Entra ID to a helpdesk team. However, they should not be able to modify other user attributes. What role should you assign?

A.User Administrator
B.Helpdesk Administrator
C.Global Administrator
D.Password Administrator
AnswerB

This role can reset passwords for non-administrators and other Helpdesk Administrators, invalidate refresh tokens, and manage support requests.

Why this answer

The Helpdesk Administrator role is scoped to password resets (including forcing a change at next sign-in) for non-administrator users and other Helpdesk Administrators, invalidating refresh tokens, and managing support requests and service health; it does not grant the ability to edit user profile attributes or group membership. That matches the helpdesk team's task with far less privilege than User Administrator, in line with role-based access control in Microsoft Entra ID.

Exam trap

The trap here is Password Administrator versus Helpdesk Administrator. Both reset passwords for non-administrators; they differ in which other administrators they can reset (each can reset members of its own role) and in the extra helpdesk capabilities (refresh-token invalidation, support requests) that Helpdesk Administrator carries. The answer key treats Helpdesk Administrator as the intended role for a helpdesk team.

How to eliminate wrong answers

Option A is wrong because User Administrator can also create and delete users, edit user attributes, and manage groups and licenses, which exceeds the required scope. Option C is wrong because Global Administrator has unrestricted access to every administrative feature, which violates the principle of least privilege. Option D is wrong per the answer key: Password Administrator resets passwords only for non-administrators and other Password Administrators and has none of the support-request or session-invalidation capabilities a helpdesk team typically needs. Read the requirement carefully on the exam, though: if the scope is strictly password resets and nothing else, Password Administrator is the narrower role.

461
MCQmedium

Refer to the exhibit. You run the PowerShell command shown. The output shows no results. The user confirms they downloaded files from SharePoint last week. What is the most likely cause?

A.The UserIds parameter is misspelled.
B.The RecordType parameter is incorrect.
C.Audit logging is not enabled for the user.
D.The Operations parameter is incorrect.
AnswerC

Audit logging must be enabled (and the user licensed) before events are recorded; if auditing was off last week, there is nothing to search.

Why this answer

Search-UnifiedAuditLog returns only events that were recorded, which requires unified audit logging to be enabled for the tenant and the user to hold a license that includes auditing. Option C is correct because with auditing off no SharePoint FileDownloaded events exist for the user, and the search legitimately returns nothing. Option A is wrong because a misspelled parameter name raises a parameter-binding error rather than silently returning no results. Option B is wrong because the RecordType in the command is correct; SharePointFileOperation is the record type that holds file download events.

Option D is wrong because FileDownloaded is a valid operation for that record type.
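As an added example (not from the original question set), the following PowerShell is the check sequence to run when Search-UnifiedAuditLog returns nothing for a user who reports downloading files from SharePoint: confirm ingestion is enabled, run a correctly spelled paged query, and widen the search before concluding. The user UPN is an assumption; the cmdlets come from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original page): troubleshooting an empty Search-UnifiedAuditLog result.
# Requires the ExchangeOnlineManagement module and an account with the Audit Logs or View-Only Audit Logs role.
Connect-ExchangeOnline -ShowBanner:$false

# Check 1: is unified audit log ingestion on at all? If it was off last week, the events were never recorded.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF. Enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true; past activity is not backfilled."
}

$user  = "alex@contoso.com"                       # assumption: the reporting user (use the UPN, not a display name)
$start = (Get-Date).AddDays(-14)                  # stay inside your audit retention window
$end   = Get-Date

# Check 2: a correctly spelled query. A misspelled *parameter name* throws a binding error, not an empty result;
# a wrong UserIds *value* or a wrong RecordType/Operations value returns nothing silently.
# ReturnLargeSet with a SessionId pages through up to 50,000 results instead of the default 100.
$sessionId = "sp-downloads-$user-$(Get-Date -Format yyyyMMddHHmmss)"
$events = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -RecordType SharePointFileOperation -Operations FileDownloaded `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $events += $batch }
} while ($batch)

if (-not $events) {
    # Check 3: widen before concluding. Drop the user filter to see whether ANY download events exist in the
    # window; if they do, the problem is the UserIds value (alias vs UPN, guest #EXT# naming), not auditing.
    $any = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType SharePointFileOperation -Operations FileDownloaded -ResultSize 10
    "No events for $user; tenant-wide FileDownloaded events in window: $($any.Count)"
    return
}

# AuditData is a JSON blob; parse it to get the useful columns
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ Time = $d.CreationTime; File = $d.SourceFileName; Site = $d.SiteUrl; ClientIP = $d.ClientIP; Agent = $d.UserAgent }
} | Sort-Object Time | Format-Table -AutoSize
```

Audit events can take hours to appear in the unified log after the activity, so an empty result for something that happened in the last hour is not by itself evidence that auditing is off.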

462
MCQmedium

Your organization uses Microsoft Purview Records Management and has a file plan that categorizes records by department. You need to ensure that HR records are retained for seven years after employee termination, while finance records are retained for ten years after the end of the fiscal year. What is the most efficient way to implement this?

A.Create a single retention label with a trigger event and adjust the retention period using PowerShell.
B.Create two retention labels: one for HR with termination trigger and seven-year retention, and one for Finance with end-of-fiscal-year trigger and ten-year retention.
C.Define the retention settings in the file plan and apply them to both departments.
D.Create two retention policies, one for HR and one for Finance, each with the appropriate retention period.
AnswerB

Retention labels can have different trigger events and periods.

Why this answer

Option B is correct because you can create separate retention labels for each department, each with its own event-based trigger and retention period. Option A is incorrect because a single label has one retention period; PowerShell cannot make it behave differently per department. Option D is incorrect because retention policies apply broadly to locations and do not start retention from a business event such as termination or fiscal year end.

Option C is incorrect because the file plan is a view for managing and organizing labels (descriptors, citations, export); the retention settings still live on the individual labels.

463
MCQeasy

Your organization needs to ensure that all emails containing credit card numbers are automatically encrypted before being sent to external recipients. Which Microsoft Purview solution should you configure?

A.Configure a DLP policy that uses the 'Encrypt email messages' action.
B.Create a sensitivity label that applies encryption and auto-labeling.
C.Set up a retention policy with encryption.
D.Implement a Communication Compliance policy.
AnswerA

This automatically encrypts emails matching sensitive info types.

Why this answer

The requirement is to encrypt automatically based on content. A DLP policy scoped to Exchange with the condition 'content contains sensitive info type: Credit Card Number' and the action 'Encrypt email messages' applies Microsoft Purview Message Encryption to matching outbound mail with no user involvement. Option B is not the intended answer: auto-labeling can apply an encrypting sensitivity label, but it is a two-part setup (label plus auto-labeling policy) and label encryption protects the item generally, whereas DLP is the purpose-built control for acting on outbound mail that matches a sensitive info type.

Option C is incorrect because retention policies govern how long content is kept or when it is deleted; they have no encryption action. Option D is incorrect because Communication Compliance detects and reviews policy violations after the fact; it does not encrypt.

464
MCQmedium

A company must ensure that all outgoing emails containing credit card numbers are blocked from being sent to external recipients. When a user attempts to send such an email, it should be blocked immediately, and the user should see a policy tip explaining the rule. Which Microsoft Purview solution should the administrator configure?

A.Data Loss Prevention (DLP) policy
B.Sensitivity labels
C.Retention labels
D.Communication compliance
AnswerA

DLP policies can block emails containing sensitive info and display policy tips to users.

Why this answer

A Data Loss Prevention (DLP) policy is the correct solution because it is specifically designed to detect sensitive information, such as credit card numbers, in transit (email) and enforce real-time actions like blocking the message and displaying a policy tip to the user. DLP policies in Microsoft Purview can be configured with conditions that match credit card number patterns using built-in sensitive info types, and the action 'Block messages' with a policy tip notification is available for Exchange Online mail flow. This ensures immediate blocking and user notification without requiring any manual labeling or classification.

Exam trap

The trap here is that candidates often confuse sensitivity labels with DLP because both involve 'protection,' but sensitivity labels require manual or automatic classification and do not perform real-time content inspection or blocking of outbound emails based on sensitive data patterns.

How to eliminate wrong answers

Option B is wrong because sensitivity labels are used to classify and protect data at rest (e.g., documents and emails) by applying encryption or visual markings, but they do not natively detect credit card numbers in real-time during email transmission or enforce blocking with policy tips. Option C is wrong because retention labels are designed to manage data lifecycle and retention policies (e.g., how long to keep or delete data), not to inspect email content for sensitive information or block outbound messages. Option D is wrong because communication compliance is focused on monitoring and reviewing internal and external communications for policy violations (e.g., harassment or insider trading), but it does not provide real-time blocking of emails based on sensitive data patterns or display policy tips to users.
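As an added example covering both question 464 (block external mail with a policy tip) and question 463 (encrypt instead), the following PowerShell creates one Exchange-scoped DLP policy and a rule that blocks messages carrying a payment card number to external recipients while showing the sender a policy tip; the comment shows the one-parameter change that encrypts instead. This is not code from the original question set; the policy and rule names and the tip text are assumptions, and the cmdlets come from the ExchangeOnlineManagement module's compliance session.

```powershell
# Added example (not from the original page): DLP rule for credit card numbers in outbound mail.
# Requires the ExchangeOnlineManagement module; Connect-IPPSSession opens the Purview compliance endpoint.
Connect-IPPSSession

$policyName = "Payment card data - external mail"   # assumption

# Start in test mode with notifications: users see the policy tip, nothing is blocked yet, and you collect
# detection data to tune the match threshold before the rule can break legitimate business mail.
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications | Out-Null

New-DlpComplianceRule -Name "Block PAN to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This message contains a payment card number and cannot be sent outside the organization." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent Sender,Recipients,Detections | Out-Null

# Encrypting instead of blocking (question 463): drop the two BlockAccess parameters and add
#     -ApplyRightsProtectionTemplate "Encrypt"
# which applies the Microsoft Purview Message Encryption 'Encrypt' template to the matching message.

# Review what the rule matched during the test period, then switch the policy to enforcement
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, AccessScope, NotifyUser
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The Credit Card Number sensitive info type uses checksum validation plus supporting keywords, which is why minConfidence is the knob to tune: raising it reduces false positives from random 16-digit strings at the cost of missing numbers that appear without context.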

465
MCQmedium

Your organization, Contoso, has a Microsoft Entra ID tenant with 50,000 users. You are implementing a zero-trust security model. The following requirements must be met: 1) All access to SaaS applications must be restricted based on user, device, and location. 2) Users accessing from unmanaged devices must only be allowed browser-based access and must accept terms of use. 3) The IT team must be able to grant temporary access to the Global Administrator role for up to 8 hours. 4) All external users must have their access reviewed every 6 months. Which combination of Microsoft Entra features should you use?

A.Conditional access policies, entitlement management, Privileged Identity Management (PIM), and access reviews
B.Conditional access policies, Privileged Identity Management (PIM), access reviews, and terms of use
C.Conditional access policies, Microsoft Entra B2B, Privileged Identity Management (PIM), and access reviews
D.Conditional access policies, Identity Protection user risk policy, Privileged Identity Management (PIM), and access reviews
AnswerB

Conditional access enforces device/location/browser, terms of use for unmanaged devices, PIM for temporary admin, and access reviews for external users.

Why this answer

Option B is correct because it covers all four requirements: Conditional Access for user, device, and location controls and for restricting unmanaged devices to browser access; terms of use (attached to that policy) for the acceptance requirement; PIM for time-bound Global Administrator activation of up to 8 hours; and access reviews for recertifying external users every 6 months. Option D is wrong because an Identity Protection user risk policy responds to risk signals and does not satisfy the terms-of-use requirement. Option A is wrong because entitlement management packages access for end users; it does not provide terms-of-use enforcement on sign-in.

Option C is wrong because Microsoft Entra B2B is the guest invitation mechanism, not a control that meets any of the four requirements.

466
MCQmedium

A company wants to require that all users accessing a critical cloud application for the first time must accept a company terms of use before they are granted access. Which Conditional Access policy grant control should be added?

A.Require multi-factor authentication
B.Require device to be marked as compliant
C.Require terms of use
D.Require approved client app
AnswerC

This grant control presents a terms-of-use document for the user to accept before access is allowed.

Why this answer

Option C is correct because the 'Require terms of use' grant control in a Conditional Access policy is specifically designed to force a user to accept a company's terms of use (TOU) before accessing a cloud application. When this control is enabled, Microsoft Entra ID presents the TOU document to the user on first access, and access is blocked until the user explicitly accepts the terms. This directly meets the requirement of requiring acceptance before granting access.

Exam trap

The trap here is that candidates often confuse 'terms of use' with a general compliance or security requirement, leading them to select 'Require device to be marked as compliant' (Option B) because they think device compliance implies policy acceptance, but Conditional Access grant controls are distinct and the terms of use control is the only one that enforces a user-facing acceptance workflow.

How to eliminate wrong answers

Option A is wrong because Require multi-factor authentication (MFA) enforces an additional authentication factor, not a legal or policy acceptance step; it does not present or require acceptance of a terms of use document. Option B is wrong because Require device to be marked as compliant checks device health and compliance status (e.g., via Intune or MDM), but does not involve any user-facing terms acceptance workflow. Option D is wrong because Require approved client app restricts access to specific client applications (e.g., Microsoft Outlook or Teams), but has no mechanism to display or enforce a terms of use acceptance.

467
MCQeasy

Your organization is planning to deploy Microsoft 365 Copilot. You need to ensure that all prerequisites are met. Which of the following is a mandatory prerequisite for enabling Microsoft 365 Copilot?

A.Microsoft Purview Data Loss Prevention policies.
B.Microsoft Entra ID P2 licenses.
C.An active Azure subscription.
D.Exchange Online Plan 2 licenses.
AnswerB

The answer key treats Microsoft Entra ID P2 as the mandatory prerequisite among the options listed.

Why this answer

Among the options, the answer key identifies Microsoft Entra ID P2 (formerly Azure AD P2) as the mandatory prerequisite, on the basis that Copilot's access to tenant data is governed by identity controls such as Conditional Access, Identity Protection and Privileged Identity Management. Caveat: Microsoft's published prerequisites for Microsoft 365 Copilot are a qualifying Microsoft 365 base license, a Microsoft Entra ID account, OneDrive, and current Microsoft 365 Apps; Conditional Access needs only Entra ID P1, and P2 adds Identity Protection and PIM. Treat P2 as strongly recommended for governing Copilot rather than as a licensing gate, and verify the current prerequisite list before an exam or a deployment.

Exam trap

The trap here is that candidates often confuse optional compliance features (like Purview DLP) or unrelated infrastructure (like Azure subscriptions) with the mandatory identity and access management tier required for Copilot's security model.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Loss Prevention policies are not a prerequisite for enabling Copilot; they are an optional compliance feature that can be applied after deployment to control data sharing. Option C is wrong because an active Azure subscription is not required for Microsoft 365 Copilot, which is a SaaS add-on to Microsoft 365 and does not depend on Azure infrastructure for its core functionality. Option D is wrong because Exchange Online Plan 2 licenses are not mandatory; Copilot works with Exchange Online Plan 1 or other mail-enabled plans as long as the user has a valid Microsoft 365 license that includes Exchange Online.

468
MCQmedium

An organization wants to enable users to reset their own passwords using the Microsoft Authenticator app and to prevent reuse of the last five passwords. Which Microsoft Entra ID features should be configured?

A.Microsoft Entra ID Protection and SSPR
B.Self-Service Password Reset (SSPR) and Password Protection
C.Conditional Access and SSPR
D.Identity Governance and SSPR
AnswerB

SSPR enables self-service resets; Password Protection enforces banned-password lists, and a password history such as 'last five passwords' comes from the on-premises AD policy when resets are written back.

Why this answer

The requirement to let users reset their own passwords with the Microsoft Authenticator app is met by Self-Service Password Reset (SSPR), which supports the Authenticator app as an authentication method. The requirement to prevent reuse of the last five passwords needs careful reading: Microsoft Entra Password Protection blocks weak and banned passwords (global and custom banned lists, enforceable on-premises through the Password Protection agent), while a five-password history is an Active Directory domain password policy setting that applies to hybrid users because SSPR writes the new password back to on-premises AD. Cloud-only accounts enforce only that the new password differs from the current one. Option B is the pairing the answer key expects.

Exam trap

The trap here is that candidates confuse Password Protection (banned-password enforcement, with history supplied by the on-premises policy through writeback) with Entra ID Protection (risk-based policies), leading them to select Option A instead of the pairing of SSPR and Password Protection.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a risk-detection and remediation service (e.g., for leaked credentials or risky sign-ins), not a feature that enforces password history or reuse policies. Option C is wrong because Conditional Access controls access based on conditions (e.g., location, device compliance) but does not enforce password reuse restrictions. Option D is wrong because Identity Governance manages access lifecycle, entitlement reviews, and provisioning, not password history enforcement.

469
MCQhard

You are troubleshooting a user who reports that they cannot access Microsoft Teams. The user has an E3 license assigned, but Teams is grayed out in the app launcher. You verify that the user is assigned the correct license and that the service plan for Teams is enabled. What is the most likely cause?

A.The user has been blocked from signing in to Microsoft Teams in the Microsoft 365 admin center.
B.The user does not have a valid email address.
C.The Teams service plan is disabled in the license.
D.The user's license has expired.
AnswerA

Per the answer key, an admin can prevent a user from using a specific service even when the license and its service plan look correct.

Why this answer

Option A is correct per the answer key: even with the license assigned and the Teams service plan enabled, the user can be prevented from using Teams by a block applied in the admin center. Option B is wrong because a missing email address would not gray out Teams specifically. Option C is wrong because the question states the service plan is enabled. Option D is wrong because an expired license would remove all services, not only Teams.

When troubleshooting for real, also check the user's service plan provisioning status (a plan can be enabled in the license yet still be PendingProvisioning, which is visible with Get-MgUserLicenseDetail) and the Teams app setup and permission policies before assuming a block.

470
MCQhard

A security analyst is investigating a suspected credential theft attack where an attacker attempts to dump credentials from LSASS. Which Attack Surface Reduction (ASR) rule should the administrator enable to block this activity from untrusted processes?

A.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
B.Block Office applications from creating child processes
C.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
D.Block Adobe Reader from creating child processes
AnswerA

This rule prevents untrusted processes from reading LSASS memory, directly blocking credential dumping.

Why this answer

The ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) is specifically designed to prevent untrusted processes from accessing LSASS memory and dumping credentials, such as with tools like Mimikatz. This directly addresses the described attack scenario of credential theft from LSASS, making it the correct choice.

Exam trap

The trap here is that candidates may confuse other LSASS protections (Windows Defender Credential Guard, or running LSASS as a protected process) with ASR rules, or mistakenly think that blocking child processes (Option B or D) would stop LSASS dumping, when in fact the attack involves opening a handle to lsass.exe and reading its memory rather than spawning a child process.

How to eliminate wrong answers

Option B is wrong because 'Block Office applications from creating child processes' prevents Office apps (e.g., Word, Excel) from spawning child processes like PowerShell or cmd.exe, which is a common initial-execution technique, not a control on access to LSASS. Option C is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' relies on cloud-delivered protection to restrict unknown executables by reputation, not a targeted control for LSASS credential theft. Option D is wrong because 'Block Adobe Reader from creating child processes' prevents Adobe Reader from launching other executables, a defense against PDF-based exploits, not a rule designed to block credential dumping from LSASS.
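As an added example (not from the original question set), the following PowerShell rolls out the LSASS credential-theft ASR rule on a Defender Antivirus endpoint the way a practitioner would: audit first, read the audit events to find legitimate software that opens lsass.exe, exclude only what was verified, then block. The rule ID is the one quoted in the explanation; the exclusion path is an assumption. Run it elevated on the endpoint, or push the same settings through Intune or Group Policy.

```powershell
# Added example (not from the original page): staged enablement of the LSASS ASR rule.
$lsassRule = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"   # Block credential stealing from lsass.exe (ID from the explanation)

# Phase 1: AuditMode logs what WOULD be blocked without blocking it. Re-running Add-MpPreference with the same
# rule ID updates the action for that rule.
Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions AuditMode

function Get-AsrLsassEvents {
    # Defender operational log: 1121 = ASR rule blocked an action; 1122 = ASR rule audited an action
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($lsassRule) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { "Blocked" } else { "Audited" }
                Process = (($_.Message -split "`n") | Where-Object { $_ -match "^\s*Path:" }) -join " "
            }
        }
}

# Phase 2: after a few days in audit, see which processes read LSASS memory. Expect EDR/AV agents and some
# backup or monitoring tools; anything else (rundll32 with comsvcs.dll, procdump, Task Manager dumps) is an investigation.
Get-AsrLsassEvents | Group-Object Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Phase 3: exclude only what you verified, then enforce
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\Vendor\agent.exe"   # assumption: a verified legitimate tool
Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule state. Ids and Actions are parallel arrays: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$i    = [array]::IndexOf($ids, $lsassRule.ToLower())
"Rule action now: $($pref.AttackSurfaceReductionRules_Actions[$i])"
```

Keep the audit-phase event data: it doubles as a baseline of which processes legitimately touch LSASS on that device class, which is useful when a later 1121 block event needs triage.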

471
MCQmedium

You are a security analyst. You need to create a custom detection rule in Microsoft Defender XDR that triggers an alert when a user account is created and then added to a privileged role within 24 hours. Which advanced hunting table should you primarily use?

A.EmailEvents
B.IdentityLogonEvents
C.DeviceEvents
D.CloudAppEvents
AnswerB

The answer key points to IdentityLogonEvents as the identity table to use.

Why this answer

Option B is the answer the key expects: of the four tables, IdentityLogonEvents is the identity-focused one. Option C is wrong because DeviceEvents holds endpoint telemetry. Option A is wrong because EmailEvents holds mail flow events.

Option D is wrong per the key because CloudAppEvents is treated as cloud-app activity rather than identity events.

Practitioner caveat: IdentityLogonEvents records authentication events (who signed in, from where, with which protocol), not directory changes. Account creation and role assignment in Microsoft Entra ID are audit events and surface in Advanced Hunting as CloudAppEvents with Application 'Microsoft Entra ID' (ActionType values such as 'Add user' and 'Add member to role'), while the on-premises AD equivalents appear in IdentityDirectoryEvents. Confirm which table and columns your tenant actually populates before building the 24-hour sequence rule.

472
MCQmedium

An admin needs to bulk assign licenses to 200 users based on department. Which method is most efficient?

A.Use Azure AD PowerShell script
B.Use Azure admin center bulk operations
C.Use group-based licensing in Azure AD
D.Assign licenses one by one in admin center
AnswerC

Automatically assigns licenses to group members.

Why this answer

Group-based licensing in Azure AD is the most efficient method for bulk-assigning licenses to 200 users based on department because it automates license assignment and removal based on group membership. Once a user is added to or removed from a department-specific group, Azure AD automatically applies or revokes the corresponding license, eliminating manual intervention and ensuring consistency across large-scale deployments.

Exam trap

The trap here is that candidates often choose PowerShell (Option A) because they assume scripting is always the most efficient for bulk operations, but they overlook that group-based licensing is a fully automated, policy-driven solution that requires no ongoing script execution or manual triggers.

How to eliminate wrong answers

Option A is wrong because using an Azure AD PowerShell script, while automated, requires manual execution, maintenance, and error handling for 200 users, making it less efficient than a fully managed, policy-driven approach like group-based licensing. Option B is wrong because the Azure admin center bulk operations (e.g., CSV upload) are a one-time manual process that does not scale well for ongoing changes in department membership or license requirements. Option D is wrong because assigning licenses one by one in the admin center is highly inefficient and error-prone for 200 users, violating the principle of least effort and automation for bulk tasks.
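An added example, not part of the question bank, of what the group-based licensing setup looks like with the Microsoft Graph PowerShell SDK, including the check a practitioner wants afterwards: which group members did not actually receive the license. It assumes the SKU part number "SPE_E3" (Microsoft 365 E3) and that user.department is populated by HR synchronization.

```powershell
# Added example (not from the question bank): department-driven licensing with a
# dynamic group plus group-based licensing, then a check for assignment errors.
# Assumptions: SKU part number "SPE_E3"; user.department is populated.
# Requires Microsoft.Graph with Group.ReadWrite.All, Directory.ReadWrite.All, Organization.Read.All.

Connect-MgGraph -Scopes "Group.ReadWrite.All","Directory.ReadWrite.All","Organization.Read.All" -NoWelcome

# 1. Dynamic security group: membership follows the department attribute automatically.
$group = New-MgGroup -DisplayName "LIC-Sales-M365E3" `
    -MailEnabled:$false -MailNickname "lic-sales-m365e3" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# 2. Attach the license to the group; Entra assigns and removes it as membership changes.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "SPE_E3"
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -lt 200) {
    Write-Warning "Only $free free seats; members beyond capacity will show a CountViolation error."
}
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# 3. Verify: members whose group-derived assignment failed (no seats, plan conflicts,
#    or a missing usage location, which is the most common cause).
function Get-GroupLicenseErrors {
    param([Parameter(Mandatory)][string]$GroupId)
    Get-MgUser -All -Property Id,UserPrincipalName,UsageLocation,LicenseAssignmentStates |
        ForEach-Object {
            $user = $_
            $user.LicenseAssignmentStates |
                Where-Object { $_.AssignedByGroup -eq $GroupId -and $_.Error -and $_.Error -ne "None" } |
                ForEach-Object {
                    [pscustomobject]@{
                        User          = $user.UserPrincipalName
                        UsageLocation = $user.UsageLocation
                        Error         = $_.Error
                    }
                }
        }
}

Get-GroupLicenseErrors -GroupId $group.Id | Format-Table -AutoSize
```

Group-based licensing is asynchronous, so run the error check a few minutes after the assignment; users without a usage location will fail with ProhibitedInUsageLocationViolation until the attribute is set.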

473
MCQhard

A security administrator is configuring Microsoft Defender for Office 365 to protect against zero-day malware in attachments. The administrator wants to use dynamic delivery so that users can view the email body while the attachment is being analyzed. However, the administrator is concerned about false positives and wants to ensure that if a benign attachment is later found to be malicious, it is removed from the user's inbox. What should the administrator configure?

A.Configure a Safe Attachments policy with dynamic delivery and enable ZAP.
B.Configure a Safe Links policy with URL detonation.
C.Configure an anti-phishing policy with mailbox intelligence.
D.Configure an anti-malware policy with common attachments filter.
AnswerA

Safe Attachments with dynamic delivery and ZAP meets the requirement.

Why this answer

Option A is correct because a Safe Attachments policy set to Dynamic Delivery delivers the message body immediately with a placeholder attachment while the real attachment is detonated, then reattaches it if it is clean. Zero-hour auto purge (ZAP) for malware, which is enabled by default in the anti-malware policy, moves an already delivered message to quarantine if it is later found to contain malware, which covers the second requirement. Option B is wrong because Safe Links handles URLs, not attachments. Option C is wrong because anti-phishing policies cover impersonation and spoofing, not attachment analysis.

Option D is wrong because the common attachments filter in the anti-malware policy blocks by file type or extension and offers no Dynamic Delivery.

474
MCQmedium

A compliance officer needs to prevent users from sharing confidential documents with external users outside the organization. The policy should block sharing via email attachments or sharing links from SharePoint Online. Which Microsoft Purview solution should be configured?

A.Sensitivity labels
B.Data Loss Prevention (DLP)
C.Retention policies
D.Information barriers
AnswerB

DLP policies can detect sensitive content and automatically block sharing via email or SharePoint links. They can also display policy tips to educate users.

Why this answer

Data Loss Prevention (DLP) in Microsoft Purview is designed to identify, monitor, and automatically protect sensitive information across Exchange Online, SharePoint Online, and OneDrive for Business. By creating a DLP policy with a rule that blocks sharing of confidential documents via email attachments or sharing links to external users, the compliance officer can enforce the required restriction. DLP policies can inspect content for sensitive data types (e.g., credit card numbers, custom confidential labels) and apply actions such as blocking the sharing action or sending a notification.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which apply protection) with DLP policies (which enforce actions like blocking), leading them to choose Option A, but labels alone cannot block sharing; they require a DLP policy to enforce the block action.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used to classify and protect data by applying encryption, markings, or access restrictions, but they do not natively block sharing actions based on external user detection; DLP policies are required to enforce such blocking rules. Option C is wrong because retention policies are designed to preserve or delete content after a specified period, not to prevent real-time sharing of documents with external users. Option D is wrong because information barriers restrict communication and collaboration between specific internal groups or users (e.g., to avoid conflicts of interest), but they do not block sharing with external users outside the organization.

475
MCQeasy

Refer to the exhibit. You run the KQL query in Microsoft Sentinel. The query returns zero results even though you know user@contoso.com has had failed sign-in attempts in the last 30 days. What is the most likely reason?

A.The query uses ago(30d) but the data retention is only 7 days
B.The summarize statement is incorrect
C.The query filters on UserPrincipalName incorrectly
D.The query excludes successful sign-ins
AnswerC

The field might be named differently, e.g., UserId or UPN.

Why this answer

Option C is correct because the query filters on UserPrincipalName and the value in the query may not match what is stored. In SigninLogs the UPN is stored lower-cased and the KQL == operator is case-sensitive, so UserPrincipalName == "User@contoso.com" returns nothing while UserPrincipalName =~ "user@contoso.com" (or a comparison of tolower() values) matches; the column can also simply be the wrong one for the table in use (for example UserId). Option A is wrong because the default Microsoft Sentinel workspace retention is 90 days, so ago(30d) is inside the retained range unless retention was deliberately shortened. Option B is wrong because a malformed summarize fails to parse rather than returning an empty result, and a correct summarize over non-empty input produces at least one row.

Option D is wrong because excluding successful sign-ins is the intent of a failed-sign-in query; a filter such as ResultType != 0 keeps the failures rather than dropping them.

476
MCQmedium

A company uses Microsoft Entra ID P2 licenses. They want to block all authentication attempts from an internal app that uses legacy authentication protocols (POP3, IMAP, SMTP) because these protocols cannot enforce multi-factor authentication. Which Conditional Access policy setting should be used?

A.Grant access requiring multi-factor authentication
B.Block access for apps using legacy authentication
C.Require compliant device
D.Require approved client app
AnswerB

Under 'Client apps', you can select 'Exchange ActiveSync clients' and 'Other clients' to block legacy authentication protocols.

Why this answer

Option B is correct because the scenario explicitly requires blocking authentication attempts from an internal app using legacy protocols (POP3, IMAP, SMTP) that cannot enforce multi-factor authentication. The 'Block access for apps using legacy authentication' Conditional Access setting targets client apps that use legacy authentication protocols, effectively preventing any authentication from those apps regardless of user or device compliance.

Exam trap

The trap here is that candidates treat 'Require MFA' as equivalent to blocking legacy authentication. Legacy protocols cannot present an MFA claim, so a grant control that requires MFA leaves them failing as a side effect, and only if the policy is scoped to the legacy client app types at all; the exam (and Microsoft's guidance) expects an explicit Block policy targeting 'Exchange ActiveSync clients' and 'Other clients', which is Option B rather than Option A.

How to eliminate wrong answers

Option A is wrong because 'Grant access requiring multi-factor authentication' does not stop the attempt: legacy protocols cannot satisfy MFA, so the sign-in simply fails, and if the policy's client app condition does not include the legacy types the legacy sign-in is not evaluated at all. Option C is wrong because 'Require compliant device' checks device health (Intune compliance) and does not address the protocol; a compliant device can still authenticate over POP3 or SMTP without MFA. Option D is wrong because 'Require approved client app' constrains which mobile apps may be used under a modern-authentication flow but does not itself block legacy protocols. In practice, deploy the block policy in report-only mode first, check the sign-in logs for the accounts and client apps it would affect (service accounts using SMTP AUTH are the usual casualties), exclude break-glass accounts, and only then enable it.
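An added example, not part of the question bank, of the two steps a practitioner takes here: measure who still uses legacy protocols from the sign-in logs, then create the block policy in report-only mode with a break-glass exclusion. It assumes a security group named "CA-Exclude-BreakGlass" exists and that the clientAppUsed strings listed are the ones the sign-in log uses for legacy protocols in your tenant.

```powershell
# Added example (not from the question bank): measure legacy-auth usage, then
# create a Conditional Access policy that blocks it, starting in report-only mode.
# Assumptions: group "CA-Exclude-BreakGlass" exists; clientAppUsed values below
# match the legacy protocol names in your sign-in logs.
# Requires Microsoft.Graph with AuditLog.Read.All, Group.Read.All,
# Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "AuditLog.Read.All","Group.Read.All","Policy.ReadWrite.ConditionalAccess" -NoWelcome

# 1. Who still signs in with legacy protocols? (last 7 days of sign-in logs)
$legacyClients = "IMAP4","POP3","SMTP","Authenticated SMTP","Exchange ActiveSync","Other clients"
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. The policy: all users except break-glass, all cloud apps, legacy client
#    app types only, control = Block. Report-only first; flip state to "enabled"
#    after reviewing the report-only results in the sign-in logs.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"

$policy = @{
    displayName = "CA-Block-LegacyAuthentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The client app condition is what makes this a legacy-auth policy: "exchangeActiveSync" and "other" are the legacy types, while "browser" and "mobileAppsAndDesktopClients" are modern authentication and are deliberately left out.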

477
MCQeasy

Your organization wants to use Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can enroll. What configuration should you use?

A.Use a conditional access policy to require device compliance.
B.Configure enrollment restrictions to block personally owned devices.
C.Set a compliance policy requiring devices to be marked as corporate.
D.Create a device type restriction for iOS and Android.
AnswerB

Enrollment restrictions can block personal devices.

Why this answer

Option B is correct because enrollment restrictions in Microsoft Intune let you set 'Personally owned' to Block for each platform in a device platform restriction. Devices count as corporate when Intune already knows them as such: through corporate device identifiers (IMEI or serial number uploaded in advance), an automated enrollment channel such as Windows Autopilot, Apple Automated Device Enrollment or Android Enterprise, or enrollment by a device enrollment manager account. This is the only control in the list that acts at enrollment time.

Exam trap

The trap here is that candidates often confuse post-enrollment controls (like compliance policies or conditional access) with pre-enrollment restrictions, mistakenly thinking that requiring compliance or marking devices as corporate can block personal devices from enrolling, when in fact only enrollment restrictions can prevent the enrollment process itself.

How to eliminate wrong answers

Option A is wrong because a conditional access policy requiring device compliance does not prevent enrollment; it controls access to cloud apps after enrollment, and non-compliant devices can still enroll but then be blocked from accessing resources. Option C is wrong because a compliance policy requiring devices to be marked as corporate is not a pre-enrollment restriction; compliance policies are evaluated after enrollment and cannot block the enrollment process itself. Option D is wrong because a device type restriction for iOS and Android only blocks specific device models or platforms, not the ownership status (corporate vs. personal), so it cannot ensure that only corporate-owned devices enroll.

478
MCQeasy

You are a security administrator. You need to investigate a suspicious logon from an anonymous IP address. Which Microsoft Defender XDR data source should you query first?

A.Identity and authentication events
B.Cloud app events
C.Endpoint device events
D.Vulnerability and compliance events
E.Email & collaboration events
AnswerA

Logon events are part of identity and authentication.

Why this answer

Option A is correct because identity and authentication events (in advanced hunting, IdentityLogonEvents and AADSignInEventsBeta) are where the sign-in itself, its source IP and its result are recorded, so they are the first stop for a logon from an anonymous IP. Option E is wrong because email and collaboration events cover phishing and mail flow. Option C is wrong because endpoint device events cover process, file and network activity on the device.

Option B is wrong because cloud app events cover activity inside the apps after sign-in; they are a useful second step, since Defender for Cloud Apps is what raises the 'anonymous IP address' anomaly, but not where the logon is recorded. Option D is wrong because vulnerability and compliance data describes device exposure, not logons.

479
MCQmedium

Contoso frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso uses Microsoft Entra ID P2 licenses and wants to require Fabrikam's guest users to authenticate using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. Fabrikam already has MFA enabled for its users. What configuration should Contoso make in their cross-tenant access settings?

A.Configure outbound access settings to require MFA for Fabrikam users
B.Configure inbound trust settings to uncheck 'Trust multi-factor authentication from Microsoft Entra tenants' for Fabrikam
C.Create a Conditional Access policy targeting all guest users from Fabrikam that requires MFA
D.Configure B2B direct connect for Fabrikam and require MFA
AnswerB

By default, Contoso trusts MFA claims from external tenants. Unchecking this setting for Fabrikam forces Contoso to re-evaluate MFA requirements for those guest users.

Why this answer

Option B is correct because Contoso wants to ignore MFA claims from Fabrikam's home tenant and enforce its own MFA policies on Fabrikam guest users. In cross-tenant access settings, the 'Trust multi-factor authentication from Microsoft Entra tenants' checkbox controls whether inbound MFA claims from the external tenant are accepted. By unchecking this for Fabrikam, Contoso ensures that Fabrikam's MFA claims are ignored, and Contoso's Conditional Access policies (including MFA requirements) apply to those guest users.

Exam trap

The trap here is that candidates often confuse inbound trust settings with outbound settings or Conditional Access policies, assuming that a Conditional Access policy alone can override MFA claims from the home tenant, when in fact the trust setting must be explicitly disabled to ignore those claims.

How to eliminate wrong answers

Option A is wrong because outbound access settings control how Contoso's users access Fabrikam resources, not how Fabrikam's guest users authenticate into Contoso. Option C is wrong because while a Conditional Access policy can require MFA for guest users, it does not override or ignore MFA claims from the home tenant; if the inbound trust setting trusts Fabrikam's MFA, the Conditional Access policy may not re-prompt for MFA. Option D is wrong because B2B direct connect is used for Teams Connect shared channels, not for standard B2B collaboration guest user access, and it does not provide the granular control over MFA trust needed here.
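An added example, not part of the question bank, of making this change with the Microsoft Graph PowerShell SDK: read the tenant default, then create or update a partner-specific entry for Fabrikam whose inbound trust does not accept MFA claims. The Fabrikam tenant ID is a placeholder.

```powershell
# Added example (not from the question bank): stop accepting MFA claims from one
# partner tenant via a partner-specific cross-tenant access configuration.
# Assumption: $fabrikamTenantId is a placeholder; replace with the real tenant ID.
# Requires Microsoft.Graph with Policy.ReadWrite.CrossTenantAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess" -NoWelcome
$fabrikamTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder

# What the tenant default trusts today (applies to every tenant without a partner entry).
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
"Default inbound MFA trust: $($default.InboundTrust.IsMfaAccepted)"

# Only MFA trust is changed; device-claim trust keeps whatever value it already has.
$inboundTrust = @{ isMfaAccepted = $false }

$partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $fabrikamTenantId `
    -ErrorAction SilentlyContinue

if (-not $partner) {
    # No partner entry yet: create one, inheriting everything else from the default.
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $fabrikamTenantId -InboundTrust $inboundTrust
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $fabrikamTenantId `
        -InboundTrust $inboundTrust
}

# Verify the effective partner setting.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $fabrikamTenantId).InboundTrust |
    Select-Object IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted
```

The trust setting only decides whether Fabrikam's claim is accepted; Contoso still needs a Conditional Access policy that requires MFA for guest users, and after this change Fabrikam guests will be asked to register an MFA method in Contoso's tenant on their next sign-in.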

480
MCQeasy

Your organization needs to automatically detect and classify documents containing passport numbers in SharePoint Online. Which Microsoft Purview feature should you use?

A.eDiscovery (Premium).
B.Auto-labeling with sensitivity labels.
C.Data Lifecycle Management (DLM) policy.
D.Data Loss Prevention (DLP) policy.
AnswerB

Auto-labeling scans and classifies content automatically.

Why this answer

Auto-labeling in Microsoft Purview can automatically apply sensitivity labels to documents in SharePoint Online that contain sensitive information types such as passport numbers, with no user action. Option D is incorrect because a DLP policy detects the same content and enforces actions such as blocking or notifying, but it does not classify by applying a label. Option C is incorrect because Data Lifecycle Management is about retention and deletion.

Option A is incorrect because eDiscovery (Premium) is for legal search, hold and export, not ongoing classification. Note that auto-labeling policies start in simulation mode; review the matches before turning the policy on.

481
MCQhard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive files from a specific cloud app if the user's risk score is high. Which integration and policy type should you use?

A.Create a session policy in Microsoft Defender for Cloud Apps using Conditional Access App Control.
B.Use the Cloud Discovery dashboard to block the app.
C.Create an attack surface reduction rule in MDE.
D.Create a Conditional Access policy in Microsoft Entra ID to block access to the app.
E.Create a device compliance policy in Microsoft Intune.
AnswerA

Session policies can monitor and block downloads based on risk in real-time.

Why this answer

Option A is correct because the chain is: a Microsoft Entra Conditional Access policy conditioned on user risk (High) that grants access with 'Use Conditional Access App Control', which routes the session through Defender for Cloud Apps, where a session policy with a 'Block download' action and a sensitive-information-type or label filter on the file stops the download in real time. MDE contributes device risk and device tags to the same evaluation. Option B is wrong because Cloud Discovery identifies shadow IT and can only tag an app as unsanctioned, which blocks it entirely rather than per file. Option C is wrong because attack surface reduction rules are endpoint controls and know nothing about cloud app sessions or file sensitivity.

Option D is wrong because a Conditional Access policy on its own can only allow or block the whole app; it cannot inspect individual file downloads, although it is the component that carries the risk condition and hands the session to the session policy. Option E is wrong because an Intune compliance policy describes device state and has no download control.

482
MCQhard

You are the identity administrator for Contoso Ltd., a multinational company with 10,000 employees. The company uses Microsoft Entra ID P2 licenses for all users. The security team has mandated the following requirements: 1) All users must use multi-factor authentication (MFA) when accessing any cloud app from untrusted networks. 2) Users who are detected as high risk by Identity Protection must be automatically blocked from signing in until an administrator reviews the risk. 3) Guest users from partner organizations must have their access reviewed every 90 days. 4) The IT department must be able to grant temporary administrative access to specific roles for up to 4 hours without requiring approval from a manager. You need to design a solution that meets all requirements with minimal administrative effort. Which combination of actions should you take?

A.Create a conditional access policy requiring MFA from untrusted networks, create a sign-in risk policy to block high-risk users, schedule quarterly access reviews for guests, and configure PIM for time-bound role assignments
B.Create a conditional access policy requiring MFA from untrusted networks, create a user risk policy to block high-risk users, schedule quarterly access reviews for guests, and configure PIM for time-bound role assignments
C.Enable Identity Protection to automatically block high-risk users, schedule quarterly access reviews for guests, configure PIM for temporary admin access, and enforce MFA via conditional access
D.Create a conditional access policy requiring MFA from untrusted networks, create a user risk policy to block high-risk users, schedule quarterly access reviews for guests, and configure entitlement management for temporary admin access
AnswerB

All requirements are met: MFA, block high-risk, guest reviews, temporary admin.

Why this answer

Option B is correct because it combines a Conditional Access policy requiring MFA from untrusted (non-named) locations, a user risk policy with a Block action (high-risk users stay blocked until an admin confirms or dismisses the risk), access reviews recurring every 90 days for guests, and PIM eligible assignments with a 4-hour maximum activation and approval turned off. Option A is wrong because a sign-in risk policy acts on the risk of an individual sign-in, whereas the requirement is to block users detected as high risk (user risk). Option D is wrong because entitlement management delivers access packages for resources, not time-bound activation of directory roles.

Option C is wrong because 'enabling' Identity Protection does not block anyone; a user risk policy (today usually built as a Conditional Access policy with the user risk condition) must be configured with the Block control, and its MFA requirement is not scoped to untrusted networks.

483
MCQeasy

An administrator has added a custom domain 'contoso.com' to their Microsoft 365 tenant and verified ownership. However, users are unable to receive emails sent to their custom domain. Which type of DNS record must the administrator add in the public DNS zone to route emails to Exchange Online?

A.TXT record
B.MX record
C.CNAME record
D.SPF record
AnswerB

An MX record specifies the mail exchange server for the domain. For Exchange Online, it must point to the Microsoft mail exchanger.

Why this answer

The MX (Mail Exchange) record is the DNS record type that directs email messages to a specific mail server. For Exchange Online, the MX record must point to the tenant's mail exchanger (e.g., contoso-com.mail.protection.outlook.com) with a priority value (typically 0). Without this record, sending mail servers cannot route inbound email to the domain's mailboxes in Exchange Online.

Exam trap

The trap here is that candidates confuse the purpose of MX records with SPF or TXT records, thinking that SPF alone enables email delivery, when in fact MX records are the fundamental requirement for inbound mail routing.

How to eliminate wrong answers

Option A (TXT record) is wrong because TXT records hold arbitrary text data, such as SPF or DKIM keys, but they do not route email traffic. Option C (CNAME record) is wrong because CNAME records alias one domain to another and are not used for mail routing; MX records are the standard for mail exchange. Option D (SPF record) is wrong because SPF records authorize sending servers to prevent spoofing, but they do not direct inbound email delivery.
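An added example, not part of the question bank, that checks the public DNS for a custom domain the way an external sender's server sees it: the lowest-preference MX must be the Exchange Online Protection host, there should be no stray MX at another provider, and exactly one SPF TXT record should include Exchange Online. It uses Resolve-DnsName from the Windows DnsClient module; the domain is a placeholder and the expected host form is the one used by the commercial cloud.

```powershell
# Added example (not from the question bank): verify MX and SPF for an Exchange Online domain.
# Assumptions: commercial cloud host form <domain-with-dashes>.mail.protection.outlook.com;
# "contoso.com" is a placeholder. Requires the DnsClient module (Windows).

function Test-ExchangeOnlineMailDns {
    param([Parameter(Mandatory)][string]$Domain)

    # Ask a public resolver so split-horizon internal zones do not mask what senders see.
    $resolver = "8.8.8.8"
    $mx  = Resolve-DnsName -Name $Domain -Type MX  -Server $resolver -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq "MX" } | Sort-Object Preference
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $resolver -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq "TXT" }

    # A TXT record can be split into several strings; join them before matching.
    $spf = @($txt | ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" })

    $expectedMx = ($Domain -replace "\.", "-") + ".mail.protection.outlook.com"
    $primary    = $mx | Select-Object -First 1

    [pscustomobject]@{
        Domain         = $Domain
        PrimaryMx      = $primary.NameExchange
        MxPointsToEop  = ($primary.NameExchange -ieq $expectedMx)
        OtherMxPresent = (@($mx).Count -gt 1)     # a second MX elsewhere bypasses EOP filtering
        SpfRecord      = ($spf -join " | ")
        SpfIncludesEop = [bool]($spf | Where-Object { $_ -like "*include:spf.protection.outlook.com*" })
        SpfRecordCount = $spf.Count               # more than one v=spf1 record is a permerror
    }
}

Test-ExchangeOnlineMailDns -Domain "contoso.com" | Format-List
```

The MX host value for your tenant is shown on the domain's DNS records page in the Microsoft 365 admin center; compare it with PrimaryMx rather than assuming the pattern if your tenant is in a sovereign cloud.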

484
Multi-Selectmedium

You need to configure Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared via email. Which THREE elements can you use to define the policy?

Select 3 answers
A.Actions
B.Locations
C.Sensitivity labels
D.Exceptions
E.Conditions
AnswersA, B, E

Actions define the enforcement (e.g., block, notify).

Why this answer

Actions are a required element in a Microsoft Purview DLP policy because they define what happens when sensitive data is detected, such as blocking the email, notifying the user or applying encryption; without an action the policy has no enforcement. Locations define where the policy applies (here Exchange email; SharePoint, OneDrive, Teams and devices are the other common ones), and conditions define what a rule matches, such as a sensitive information type, a sensitivity label, or the recipient being outside the organization.

Exam trap

The trap here is that candidates confuse sensitivity labels as a top-level policy element instead of recognizing they are merely a condition type, while exceptions are often mistakenly considered a separate core component rather than a refinement of conditions.

485
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically redirects emails containing malicious attachments to a quarantine folder for admin review. What type of policy should you create?

A.Safe Attachments policy.
B.Anti-malware policy.
C.Anti-spam policy.
D.Safe Links policy.
AnswerB

Anti-malware policies can quarantine messages with malware.

Why this answer

B is correct because the Anti-malware policy in Microsoft Defender for Office 365 is specifically designed to handle malware detected in email messages, including attachments. When configured, it can automatically redirect messages containing malicious attachments to a quarantine folder for admin review, providing a controlled remediation workflow.

Exam trap

Microsoft often tests the distinction between Anti-malware (for attachment malware) and Safe Attachments (for advanced sandbox analysis), leading candidates to mistakenly choose Safe Attachments when the core requirement is simply redirecting known malicious attachments to quarantine.

How to eliminate wrong answers

Option A is wrong because Safe Attachments policy focuses on scanning and detonating attachments in a sandbox environment before delivery, but its primary quarantine action is for messages with malicious attachments detected during that process, not for general malware redirection; the question's requirement for automatic redirection of emails containing malicious attachments is directly met by the Anti-malware policy. Option C is wrong because Anti-spam policy handles spam, phishing, and bulk mail, not malware or malicious attachments. Option D is wrong because Safe Links policy protects users from malicious URLs in messages and Office documents, not from malicious attachments.

486
MCQeasy

An administrator needs to allow external users from a partner company to sign up for access to a SharePoint Online site using their own Azure AD accounts. Which configuration should the administrator enable?

A.Enable 'Email one-time passcode authentication' for guests
B.Enable 'External identities' > 'Self-service sign-up' in Azure AD
C.Configure a cross-tenant access policy for the partner tenant
D.Create guest user accounts manually in Azure AD
AnswerB

This setting allows external users to sign up for access to resources using their own Azure AD or Microsoft account identities.

Why this answer

Option B is correct because enabling 'Self-service sign-up' in Azure AD External Identities allows external users to sign up for access to applications (including SharePoint Online sites) using their own Azure AD accounts without manual admin intervention. This feature creates guest user objects automatically when the external user completes the sign-up flow, which satisfies the requirement for partner users to sign up using their existing Azure AD credentials.

Exam trap

The trap here is that candidates often confuse 'self-service sign-up' with 'cross-tenant access policies' or 'email OTP,' thinking that any guest authentication method enables self-service sign-up, but only the explicit self-service sign-up feature creates the automated user provisioning flow.

How to eliminate wrong answers

Option A is wrong because 'Email one-time passcode authentication' is an authentication method for guests who do not have an Azure AD or Microsoft account, not a mechanism for external users to sign up using their own Azure AD accounts. Option C is wrong because a cross-tenant access policy controls inbound and outbound access settings between tenants (e.g., B2B collaboration or B2B direct connect), but it does not enable self-service sign-up; it governs how existing guest users authenticate or access resources. Option D is wrong because manually creating guest user accounts in Azure AD requires administrative effort and does not allow external users to sign up on their own, which contradicts the requirement for self-service sign-up.

487
Multi-Selectmedium

You are a Microsoft 365 Administrator for a large enterprise that uses Microsoft Entra ID. The company's security team requires you to implement identity and access management solutions. Which four of the following statements accurately describe features or capabilities of Microsoft Entra ID? Choose all that apply. (There are four correct answers.)

Select 4 answers
A.Microsoft Entra ID Conditional Access policies can enforce multi-factor authentication (MFA) based on user, device, location, and application signals.
B.Microsoft Entra ID Identity Protection can automatically remediate risky sign-ins by enforcing password change or blocking access based on risk levels.
C.Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by activating roles for a limited time with approval workflows.
D.Microsoft Entra ID Application Proxy enables secure access to on-premises web applications without needing a VPN, using pre-authentication in Entra ID.
E.Microsoft Entra ID External Identities supports B2B collaboration but does not support B2C scenarios such as customer-facing sign-up and sign-in.
F.Microsoft Entra ID Permissions Management (CIEM) can only be used to manage permissions in Microsoft Azure, not in other cloud providers like AWS or GCP.
AnswersA, B, C, D

Why this answer

Options A through D are correct. Conditional Access evaluates signals such as user, device compliance, location and application and can require MFA, which is the core of identity-driven access control. Identity Protection risk policies can force a secure password change or block access based on user or sign-in risk. PIM activates eligible roles just in time, for a bounded duration, optionally behind an approval workflow. Application Proxy publishes on-premises web apps through a connector with Entra ID pre-authentication, so no VPN is needed.

Exam trap

The trap here is that candidates may think External Identities only covers B2B, but it also includes Azure AD B2C for customer-facing scenarios, and that Permissions Management is Azure-only, whereas it supports AWS and GCP as well.

488
MCQeasy

Your organization uses Microsoft Defender for Office 365. Users report that some phishing emails are still reaching inboxes despite the anti-phish policy being enabled. You need to reduce the number of phishing emails that bypass the filter. What should you configure?

A.Add the phishing domains to the Tenant Allow/Block List
B.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
C.Configure spoof intelligence in the anti-phish policy
D.Enable DKIM signing for your custom domains
AnswerC

Spoof intelligence analyzes sender reputation and blocks spoofed senders, reducing phishing.

Why this answer

Option C is correct because spoof intelligence in the anti-phish policy lets you review senders that are spoofing your domains and block the ones that are not legitimate, and it is the anti-phish control that decides how unauthenticated senders are treated. Option B is wrong because Safe Attachments for SharePoint, OneDrive and Teams scans files stored in those services, not inbound email. Option A is wrong because the Tenant Allow/Block List is a manual, entry-by-entry override and cannot keep up with phishing domains that change daily.

Option D is wrong because DKIM signing authenticates mail you send so that other organizations can verify it; it does not filter what you receive.

489
MCQeasy

You are configuring Microsoft Entra ID for a new organization. The CIO wants to ensure that all external users who are invited to collaborate via Microsoft Entra B2B must go through an approval process before gaining access. Which setting should you configure?

A.Create a Conditional Access policy requiring approval for external users
B.Set 'External collaboration settings' to restrict invitations to specific admins
C.Enable guest self-service sign-up via user flows
D.Enable Identity Protection for guest users
AnswerB

By restricting who can invite, you ensure only authorized admins send invitations, which is the closest thing to an approval gate among the options given. A true approval workflow for external users is provided by entitlement management access packages with a connected organization, which is not offered here.

Why this answer

Option B is correct because the 'External collaboration settings' in Microsoft Entra ID allow you to restrict who can invite external users. By setting the invitation restriction to 'Only users assigned to specific admin roles can invite', you ensure that all B2B collaboration invitations must be initiated by authorized admins, effectively requiring an approval process before external users gain access.

Exam trap

The trap here is confusing post-authentication access controls (Conditional Access) with pre-invitation approval workflows (External collaboration settings), leading candidates to incorrectly select a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control access after authentication (e.g., requiring MFA or device compliance), not the invitation or approval process for B2B guest users. Option C is wrong because enabling guest self-service sign-up via user flows allows external users to sign up without any admin approval, which directly contradicts the requirement for an approval process. Option D is wrong because Identity Protection for guest users monitors risk signals (e.g., leaked credentials) but does not control the invitation or approval workflow for B2B collaboration.

490
MCQmedium

Your company has a Microsoft Entra tenant with 5,000 users. You need to delegate the ability to reset user passwords to the helpdesk team, but only for users in the Sales department. What is the most efficient way to achieve this?

A.Create an administrative unit for Sales, add Sales users, then assign a custom role scoped to that administrative unit
B.Create a security group for Sales, then assign a custom role to the group
C.Create a custom role with password reset permissions and assign it to helpdesk
D.Add helpdesk users to the Global Administrator role
AnswerA

This scopes the password reset permission to Sales only.

Why this answer

Option A is correct because an administrative unit is the scope object in Microsoft Entra: a role assignment made at the scope '/administrativeUnits/<id>' only lets the assignee act on the users (and groups or devices) inside that unit. Option D is wrong because Global Administrator is tenant-wide and far exceeds password resets. Option C is wrong because a role assigned without a scope (directoryScopeId '/') applies to every user in the tenant.

Option B is wrong because assigning a role to a security group only defines who holds the role (the group's members become the administrators); it does not restrict which users they can act on, so the helpdesk would still be able to reset passwords for everyone. In practice the built-in Helpdesk Administrator or Password Administrator role, assigned at the administrative unit scope, is usually enough and avoids maintaining a custom role.
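An added example, not part of the question bank, showing the three pieces of a scoped delegation with the Microsoft Graph PowerShell SDK: the administrative unit (scope), the helpdesk group (principal) and the role assignment that ties them together. It assumes a role-assignable security group named "Helpdesk" already exists and that user.department is populated, and it uses the built-in Password Administrator role rather than a custom role.

```powershell
# Added example (not from the question bank): delegate password resets for Sales only.
# Assumptions: role-assignable group "Helpdesk" exists; user.department is populated.
# Requires Microsoft.Graph with AdministrativeUnit.ReadWrite.All,
# RoleManagement.ReadWrite.Directory, User.Read.All, Group.Read.All.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All","Group.Read.All" -NoWelcome

# 1. The scope: an administrative unit holding only Sales users.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "AU-Sales" `
    -Description "Scope for Sales helpdesk password-reset delegation"

Get-MgUser -Filter "department eq 'Sales'" -All -Property Id,UserPrincipalName | ForEach-Object {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($_.Id)" }
}

# 2. The principal and the role. Password Administrator can reset passwords of
#    non-administrators, which is all a helpdesk needs.
$helpdesk = Get-MgGroup -Filter "displayName eq 'Helpdesk'"
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"

# 3. The assignment. directoryScopeId "/" would be tenant-wide; the AU path limits it to members.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $helpdesk.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verify: every assignment scoped to this unit.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

For an ongoing department mapping, a dynamic-membership administrative unit with the rule (user.department -eq "Sales") removes the manual member loop; the role assignment is identical either way.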

491
MCQmedium

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large amounts of data from a sanctioned cloud app from an unusual location. You need to automatically suspend the user's access when such activity is detected. What should you configure?

A.Configure an access policy in Defender for Cloud Apps.
B.Configure a file policy in Defender for Cloud Apps.
C.Configure a session policy in Defender for Cloud Apps.
D.Configure an anomaly detection alert in Defender for Cloud Apps.
AnswerD

Anomaly detection policies (for example 'Unusual file download (by user)' and 'Activity from infrequent country') raise the alert and can carry governance actions such as 'Suspend user' and 'Require user to sign in again'.

Why this answer

Option D is correct because the built-in anomaly detection policies in Defender for Cloud Apps are what detect mass downloads and activity from an unusual location, and each policy's alert settings accept automatic governance actions, including 'Suspend user' for Microsoft 365 and Google Workspace accounts. Option C is wrong because a session policy controls activities inside a proxied session (it can monitor or block downloads in real time) but cannot suspend the user account. Option A is wrong because an access policy allows or blocks a session at sign-in based on user, app, device and location; it does not react to behaviour during the session. Option B is wrong because file policies scan stored files for sharing and content issues, not user activity.

If the requirement were only to stop the download rather than suspend the account, a session policy with a 'Block download' action would be the right tool; an activity policy (not offered here) could also suspend the user on a custom activity filter.

492
MCQeasy

A company wants to receive alerts when a user account is used from an unauthorized location. They have Microsoft Defender for Cloud Apps (MDA). Which policy type should they create?

A.Create a session policy.
B.Create an app permissions policy.
C.Create a file policy.
D.Create an anomaly detection policy.
AnswerD

Anomaly detection policies identify impossible travel and other anomalies.

Why this answer

Anomaly detection policies in MDA detect user behavior anomalies such as impossible travel, so Option D is correct. Option A is wrong because session policies control real-time access.

Option B is wrong because app permissions policies manage OAuth apps. Option C is wrong because file policies monitor file sharing.

493
Multi-Selectmedium

A compliance officer needs to automatically apply a 'Highly Confidential' sensitivity label that encrypts documents in SharePoint Online when they contain credit card numbers. The labeling must happen automatically without user interaction. Which two Microsoft Purview components must be configured? (Select the option that correctly identifies both required components.)

Select 2 answers
A.Sensitivity label and auto-labeling policy
B.DLP policy and retention label
C.Sensitivity label and DLP policy
D.Auto-labeling policy and retention label
AnswersA, C

The sensitivity label defines encryption; the auto-labeling policy scans content and applies the label automatically.

Why this answer

To automatically apply a 'Highly Confidential' sensitivity label that encrypts documents in SharePoint Online when credit card numbers are detected, you must configure both a sensitivity label (which defines the encryption and protection settings) and an auto-labeling policy (which specifies the conditions, such as sensitive info types like credit card numbers, and triggers automatic labeling without user interaction). The auto-labeling policy applies the sensitivity label to documents that match the defined rules, enabling automated enforcement.

Exam trap

The trap here is that candidates often confuse DLP policies (which only detect and act on data in motion or at rest without applying labels) with auto-labeling policies, or they forget that a sensitivity label must be configured first to define the encryption, leading them to select option C incorrectly.

494
MCQeasy

An organization has just purchased Microsoft 365 subscriptions and wants to add their custom domain 'fabrikam.com' to the tenant. Which record must they add to their DNS provider to verify domain ownership?

A.MX record
B.TXT record
C.CNAME record
D.SRV record
AnswerB

A TXT record containing a verification token provided by Microsoft is the standard method to prove domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record provided by the Microsoft 365 admin center to your DNS hosting provider. This TXT record contains a unique verification string that Microsoft checks to confirm you control the domain. MX, CNAME, and SRV records are used for mail routing, service aliasing, and service location, respectively, but they do not serve the purpose of domain ownership verification.

Exam trap

The trap here is that candidates often confuse the TXT record used for verification with the MX record required for email routing, mistakenly thinking they can skip verification by adding an MX record directly.

How to eliminate wrong answers

Option A is wrong because an MX record is used to specify the mail exchange server for a domain, not to prove domain ownership; adding an MX record would only affect email routing. Option C is wrong because a CNAME record creates an alias from one domain name to another and is used for service redirection, not for domain verification. Option D is wrong because an SRV record defines the location (hostname and port) of specific services like SIP or LDAP, and it is not used for domain ownership validation.

495
MCQeasy

An administrator is onboarding a new custom domain for email in a Microsoft 365 tenant. Which step should be performed first?

A.Add the domain in the Microsoft 365 admin center
B.Verify domain ownership by adding a TXT record
C.Configure DNS records for Microsoft services
D.Set the domain as the primary email domain
AnswerA

The initial step is to register the domain with Microsoft 365 so it can be associated with the tenant.

Why this answer

Before you can use a custom domain for email or any other service in Microsoft 365, you must first add the domain to the tenant in the Microsoft 365 admin center. This creates the domain object in Azure Active Directory and initiates the verification process. Only after the domain is added can you proceed to verify ownership and configure DNS records.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking DNS verification (Option B) is the first step, but Microsoft 365 requires the domain to be added to the tenant first to generate the verification token.

How to eliminate wrong answers

Option B is wrong because verifying domain ownership by adding a TXT record is a subsequent step that cannot be performed until the domain has been added to the tenant. Option C is wrong because configuring DNS records for Microsoft services (e.g., MX, CNAME, TXT) is done after verification, not before. Option D is wrong because setting the domain as the primary email domain is a final step that requires the domain to be added, verified, and DNS records configured first.

496
MCQhard

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malicious attachments to quarantine and notifies the security team. Additionally, you want to allow users to release their own quarantined messages if they are false positives. What should you do?

A.Create a new anti-malware policy and use the default quarantine policy.
B.Create a new anti-malware policy and set 'User release' to 'False' in the quarantine policy.
C.Create a new anti-malware policy and configure the quarantine policy to use 'LimitedAccess' or 'FullAccess'.
D.Modify the anti-malware policy to set 'Quarantine' as the action and assign a custom quarantine policy with user release enabled.
AnswerC

Allows users to release their own quarantined messages.

Why this answer

Option C is correct because the default quarantine policy, 'AdminOnlyAccessPolicy', allows only admins to release messages. To allow users to release their own quarantined messages, you must change the policy to 'LimitedAccess' or 'FullAccess'. Option A (use the default policy) would not allow user release.

Option B (set user release to false) prevents user release. Option D (modify the anti-malware policy) does not control quarantine release permissions.

497
MCQhard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage administrative roles. You need to ensure that when a user activates the Global Administrator role, they must provide a justification and the activation is time-bound. Additionally, you want to require approval from the security team for this activation. What should you configure?

A.Configure an Identity Protection user risk policy for Global Administrators
B.Create an Access Review for Global Administrator role
C.Configure a Conditional Access policy requiring MFA for Global Administrator activation
D.Modify the PIM role settings for Global Administrator to require justification, set maximum activation duration, and require approval
AnswerD

PIM settings allow these configurations.

Why this answer

Option D is correct because Privileged Identity Management (PIM) role settings allow you to enforce activation requirements such as justification, maximum activation duration, and approval. These settings are configured directly in the PIM role settings for the Global Administrator role, ensuring that every activation request is justified, time-bound, and requires approval from designated approvers (e.g., the security team).

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control authentication) with PIM role settings (which control role activation), leading them to select Option C even though Conditional Access cannot enforce approval workflows or activation duration limits.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policies are designed to detect and respond to user account compromise risks (e.g., leaked credentials), not to control PIM role activation workflows. Option B is wrong because Access Reviews are used for periodic recertification of role assignments (e.g., confirming who still needs the role), not for enforcing activation-time requirements like justification, duration, or approval. Option C is wrong because Conditional Access policies can require MFA during sign-in, but they cannot enforce PIM-specific activation requirements such as justification, time-bound activation, or approval workflow; those are managed exclusively within PIM role settings.

498
MCQhard

Your organization uses Microsoft Purview Compliance Manager. You need to assign a control to a specific user for implementation. What should you do?

A.Assign the user the Compliance Manager role.
B.Edit the control and assign a new owner.
C.Create a DLP policy to enforce the control.
D.Modify the assessment to include the user.
AnswerB

Controls have an owner field for assignment.

Why this answer

In Compliance Manager, controls can be assigned to users for implementation and testing. This is done by editing the control details and assigning an owner. Option C is incorrect because DLP policies are not used for assignment.

Option D is incorrect because assessments are for scoring, not assignment. Option A is incorrect because roles are not assigned to controls directly.

499
MCQeasy

An administrator adds the custom domain 'adatum.com' to a new Microsoft 365 tenant. In the Microsoft 365 admin center, the domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete the domain ownership verification?

A.TXT record
B.MX record
C.CNAME record
D.SPF record
AnswerA

Correct. A TXT record with the verification code proves ownership of the domain.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing a unique verification string provided by the Microsoft 365 admin center to the public DNS zone. Microsoft 365 queries public DNS for this TXT record and, when it is found, confirms that you control the domain. This is a standard domain verification method, built on the TXT record type defined in RFC 1035, and is used by many cloud services.

Exam trap

The trap here is that candidates confuse the TXT record used for domain verification with the TXT record used for SPF or DKIM, or assume an MX record is required because email is involved, but Microsoft 365 uses a dedicated verification TXT record separate from any email-related records.

How to eliminate wrong answers

Option B is wrong because an MX record routes email to a mail server and is not used for domain ownership verification; it is configured later for mail flow. Option C is wrong because a CNAME record aliases one domain name to another and is not used for domain verification; it is typically used for services like Autodiscover. Option D is wrong because an SPF record is a TXT record used for email authentication (anti-spoofing), not for domain ownership verification; it is configured after verification is complete.

500
MCQeasy

You run the PowerShell command shown in the exhibit for a Microsoft 365 tenant. The output shows DisplayName as 'Contoso', DefaultDomainName as 'contoso.onmicrosoft.com', and InitialDomain as 'contoso.onmicrosoft.com'. What does this indicate about the tenant?

A.The command requires global admin privileges.
B.The tenant is using the initial .onmicrosoft.com domain as the default domain.
C.The tenant has not been verified.
D.The tenant has a custom domain set as the default.
AnswerB

DefaultDomainName equals InitialDomain; both are .onmicrosoft.com.

Why this answer

The output shows DefaultDomainName and InitialDomain both set to 'contoso.onmicrosoft.com', which means the tenant is using its initial Microsoft-provided domain as the default domain. The Get-MgDomain cmdlet retrieves domain objects, and the DefaultDomainName property indicates which domain is used by default for new users and services. Since no custom domain is set as default, the initial .onmicrosoft.com domain remains the default.

Exam trap

The trap here is that candidates may assume the DefaultDomainName property reflects a custom domain that has been set as default, but the output explicitly shows it is the initial .onmicrosoft.com domain, indicating no custom domain has been promoted to default.

How to eliminate wrong answers

Option A is wrong because the Get-MgDomain cmdlet does not require global admin privileges; it can be run by any user with appropriate read permissions (e.g., Domain Reader or Global Reader). Option C is wrong because the presence of a DisplayName, DefaultDomainName, and InitialDomain in the output indicates the domain is verified and active; unverified domains would not appear in the domain list or would show a different status. Option D is wrong because the DefaultDomainName is 'contoso.onmicrosoft.com', not a custom domain; if a custom domain were set as default, that custom domain name would appear in the DefaultDomainName property.

501
Drag & Dropmedium

Drag and drop the steps to configure a custom sensitivity label in Microsoft Purview into the correct order.

Why this order

Sensitivity labels are created in the Purview portal, configured with protection settings, and then published via a label policy.

502
MCQmedium

An organization is involved in litigation and needs to search for all communications containing a specific keyword across Exchange Online, SharePoint Online, and OneDrive for Business. The results must be preserved as evidence without allowing deletion. Which Microsoft Purview solution should the compliance officer use?

A.Data Loss Prevention
B.eDiscovery (Premium)
C.Communication Compliance
D.Retention Labels
AnswerB

eDiscovery (Premium) enables search and legal hold across multiple Microsoft 365 workloads.

Why this answer

eDiscovery (Premium) is the correct solution because it provides end-to-end workflow for identifying, preserving, collecting, reviewing, and exporting content across Exchange Online, SharePoint Online, and OneDrive for Business. It supports legal hold to preserve data in-place, preventing deletion or alteration, and can search all communications for specific keywords using advanced query capabilities.

Exam trap

The trap here is that candidates often confuse eDiscovery (Premium) with Retention Labels or Communication Compliance because all three involve content management, but only eDiscovery (Premium) provides the legal hold and cross-workload search capabilities required for litigation evidence preservation.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is designed to prevent accidental sharing of sensitive data through policies and alerts, not to search, preserve, or hold content for litigation. Option C is wrong because Communication Compliance focuses on monitoring and detecting policy violations (e.g., harassment, insider trading) in communications, not on preserving evidence or placing legal holds. Option D is wrong because Retention Labels are used to classify and apply retention or deletion rules to content, but they do not provide the search, hold, or export capabilities required for litigation discovery.

503
MCQmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) policies to protect sensitive data. A user reports that they can still send credit card numbers via email despite the DLP policy being enabled. You verify that the policy is applied to the correct users and the rule includes the 'Credit Card Number' sensitive info type. What should you check next?

A.Check the priority of the DLP policy to ensure it is not overridden by a lower-priority policy that allows the action.
B.Disable and re-enable the DLP policy to refresh its rules.
C.Add the 'Credit Card Number' sensitive info type to the policy rule again.
D.Configure end-user notifications for the DLP policy.
AnswerA

Correct. Priority determines which policy is applied; if a lower-priority policy blocks the action, a higher-priority policy might allow it.

Why this answer

Option A is correct because DLP policies often fail to enforce due to incorrect priority order; the policy with the highest priority (lowest number) is applied first. Option B is wrong because the policy is already enabled. Option C is wrong because the condition is already present.

Option D is wrong because end-user notifications are for policy tips, not enforcement.

504
MCQhard

A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?

A.Power Automate
B.Automation rules in Defender
C.Microsoft Graph API
D.Action Center
AnswerA

A Power Automate flow can be triggered by new incidents and post messages to a Teams channel using the 'Post message in a chat or channel' action.

Why this answer

Power Automate is the correct choice because it provides a no-code/low-code workflow that can be triggered by Microsoft 365 Defender's 'When an incident is created or updated' connector, filter for severity 'High', and then post a message to a dedicated Teams channel via the 'Post message in a chat or channel' action. This directly meets the requirement for automatic, event-driven notification without custom code.

Exam trap

The trap here is that candidates confuse 'automation rules' in Defender (which handle response actions like isolation) with external notification workflows, leading them to choose Option B instead of recognizing that Power Automate is the correct integration tool for sending Teams messages.

How to eliminate wrong answers

Option B is wrong because Automation rules in Defender are designed for automated response actions (e.g., isolating a device, blocking an IP) within the Defender portal itself, not for sending external notifications like Teams messages. Option C is wrong because while Microsoft Graph API can technically achieve this, it requires custom scripting, authentication setup, and manual polling or webhook configuration, making it less straightforward than Power Automate for a security analyst without developer resources. Option D is wrong because Action Center is a centralized interface for reviewing and approving pending remediation actions from Defender, not a tool for creating automated notifications or workflows.

505
MCQeasy

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Microsoft, Google, or Facebook. What should you configure?

A.Configure Conditional Access policies for social identity providers
B.Configure External Identities and add identity providers for social networks
C.Configure Microsoft Entra Connect to sync social account attributes
D.Configure self-service password reset (SSPR)
AnswerB

External Identities supports adding social identity providers like Google and Facebook.

Why this answer

Option B is correct because Microsoft Entra ID supports External Identities, which allow you to add social identity providers (Microsoft, Google, Facebook) as external authentication sources. This enables users to sign in with their existing social accounts by configuring federation with those providers using OAuth 2.0 or OpenID Connect protocols, without needing to create separate Entra ID accounts.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with identity provider configuration, thinking policies can add or manage external authentication sources, when in fact Conditional Access only enforces rules on already-configured providers.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies evaluate sign-in risks and enforce access controls after authentication, but they cannot add or configure social identity providers; they only work with already-configured identity providers. Option C is wrong because Microsoft Entra Connect is used to synchronize on-premises Active Directory objects to Entra ID, not to sync social account attributes—social identity providers are external and not synced via directory synchronization. Option D is wrong because self-service password reset (SSPR) allows users to reset their own passwords for their Entra ID accounts, but it does not enable sign-in with social media accounts; SSPR is unrelated to external identity provider configuration.

506
MCQhard

You are the Microsoft 365 administrator for a large enterprise with 50,000 users. The company is deploying Microsoft 365 Copilot for all users. You need to ensure that the data used by Copilot is protected and that Copilot does not inadvertently expose sensitive information. The company has strict data residency requirements: all data must remain within the European Union (EU). You have already configured data boundaries in Microsoft 365 to keep data in the EU. However, you are concerned about Copilot's AI model training. You need to implement additional controls. The company uses Microsoft Purview Information Protection with sensitivity labels. You have created a sensitivity label "Highly Confidential" that applies encryption and a "Confidential" label that applies visual markings. You also have a DLP policy that prevents sharing of "Highly Confidential" data externally. You need to ensure that when a user uses Copilot with a document labeled "Highly Confidential", the Copilot response does not include any of the sensitive content from that document. What should you do?

A.Exclude users who handle Highly Confidential data from Copilot licensing.
B.Ensure that the Highly Confidential sensitivity label includes encryption when applied.
C.Create a DLP policy that blocks Copilot from accessing documents labeled Highly Confidential.
D.Configure Microsoft 365 data boundaries to restrict Copilot data processing to the EU.
AnswerB

Encryption prevents Copilot from using the content.

Why this answer

Option B is correct because the 'Highly Confidential' sensitivity label already applies encryption, which prevents Microsoft 365 Copilot from accessing the document's content. Copilot cannot process or include encrypted content in its responses, as encryption blocks the AI model from reading the underlying data. This ensures that sensitive information from encrypted documents is not inadvertently exposed in Copilot outputs.

Exam trap

The trap here is that candidates may think DLP policies can block Copilot's internal access to documents, but DLP only controls external sharing and data loss prevention, not internal AI processing, and encryption is the only mechanism that prevents Copilot from reading content.

How to eliminate wrong answers

Option A is wrong because excluding users from Copilot licensing does not prevent Copilot from accessing documents labeled 'Highly Confidential' when used by other licensed users; it also disrupts productivity for those users. Option C is wrong because DLP policies cannot block Copilot from accessing documents; DLP policies monitor and control sharing actions, not internal AI processing within the tenant. Option D is wrong because data boundaries already ensure data residency in the EU but do not control Copilot's access to encrypted content or prevent exposure of sensitive data.

507
MCQmedium

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user account that is exhibiting suspicious behavior: unusual login times from an IP address that is not in the user's typical location. The alert recommends action. You need to determine if the account is compromised. What is the best next step?

A.Initiate an automated investigation in Microsoft Defender XDR
B.Configure a conditional access policy in Microsoft Entra ID to block the IP
C.Immediately disable the user account
D.Reset the user's password
AnswerA

Automated investigation will analyze signals and determine whether the account is compromised.

Why this answer

Option A is correct because initiating an automated investigation in Microsoft Defender XDR will correlate signals across MDI, Defender for Cloud Apps, and other Microsoft 365 services to determine whether the account is compromised. Option C is wrong because disabling the account immediately might be premature and could disrupt legitimate access. Option D is wrong because resetting the password alone, without investigation, may not detect other malicious activity.

Option B is wrong because configuring a Conditional Access policy in Microsoft Entra ID to block the IP is a longer-term fix, not an immediate investigation.

508
MCQmedium

Your organization has Microsoft 365 E5 and uses Microsoft Defender for Cloud Apps. You want to block downloads from an unsanctioned cloud app that is used by some employees. What should you configure?

A.Create a DLP policy to block sharing of sensitive data with the app.
B.Create a conditional access policy to require the use of managed apps.
C.Block the app by its IP addresses in the firewall.
D.Configure the app as unsanctioned in Defender for Cloud Apps and create a session policy to block downloads.
AnswerD

Unsanctioning an app and applying session policies allows you to block downloads and control usage.

Why this answer

Option D is correct because you can unsanction the app in Defender for Cloud Apps, which will block access and provide controls like session policies. Option C is wrong because blocking by IP address is not effective for cloud apps with dynamic IPs. Option B is wrong because a conditional access policy can require controls but does not directly block an unsanctioned app.

Option A is wrong because a DLP policy protects data but does not block app usage.

509
MCQhard

Your organization uses Microsoft Defender for Office 365. You have configured a safe attachment policy that should automatically detonate attachments in a sandbox before delivery. However, some users still receive malicious attachments. What should you check first?

A.Check whether a mail flow rule (transport rule) is bypassing Safe Attachments.
B.Check the Safe Links policy configuration.
C.Review the mailbox audit log for each affected user.
D.Verify that the Safe Attachments policy is applied to the affected users and that the action is set to 'Dynamic Delivery' or 'Replace' (not 'Monitor').
AnswerD

The policy must be applied and set to detonate attachments.

Why this answer

Safe Attachments requires the policy to be enabled and applied to the correct recipients. Option D is correct because the policy might not be applied to all users, or it may be set to 'Monitor', which does not detonate. Option B is incorrect because Safe Links is a different feature.

Option C is incorrect because the mailbox audit log does not show policy configuration. Option A is incorrect because a transport rule could override Safe Attachments, but you should first check the policy itself.

510
MCQmedium

An organization wants to enforce that all administrators use a phishing-resistant authentication method (e.g., FIDO2 security keys or Windows Hello for Business) when accessing Microsoft 365 admin portals. Which Microsoft Entra ID feature should be used?

A.Conditional Access authentication strength
B.Security defaults
C.Per-user MFA
D.Identity Protection
AnswerA

Authentication strength policies let you require specific MFA methods; configuring a policy for admins with a phishing-resistant strength ensures compliance.

Why this answer

Option A is correct because Conditional Access authentication strength allows administrators to define and enforce specific authentication methods, such as FIDO2 security keys or Windows Hello for Business, which are phishing-resistant. By creating a policy that targets admin roles and requires an authentication strength policy that mandates these methods, the organization can ensure that only phishing-resistant credentials are accepted when accessing Microsoft 365 admin portals. This granular control goes beyond simple MFA enforcement by specifying the exact authentication method required.

Exam trap

The trap here is that candidates often confuse the generic MFA enforcement of Security defaults or Per-user MFA with the ability to specify a particular authentication method, not realizing that only Conditional Access authentication strength provides the granularity to mandate phishing-resistant methods like FIDO2.

How to eliminate wrong answers

Option B is wrong because Security defaults enforces a baseline set of security policies, including requiring MFA for all users, but it does not allow customization to mandate a specific phishing-resistant method like FIDO2; it uses a generic MFA requirement that could be satisfied by less secure methods such as SMS or OTP. Option C is wrong because Per-user MFA enables or disables MFA on a per-user basis but cannot enforce a specific authentication method; it only requires the user to complete MFA using any method they have registered, including non-phishing-resistant ones. Option D is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-ins and user risks, but it does not enforce specific authentication methods; it can trigger MFA via Conditional Access but cannot mandate a particular method like FIDO2.

511
MCQhard

A multinational company uses Microsoft Entra ID with Conditional Access policies. They have a policy that requires multi-factor authentication (MFA) for all users when accessing the company's custom SaaS application. However, users from the European branch are reporting that they are prompted for MFA every time, even though they have already authenticated via a compliant device. What is the most likely cause?

A.The user's device is not marked as compliant
B.The user has per-user MFA enabled
C.The Conditional Access policy has a session control that requires sign-in frequency
D.The policy includes a location condition that is not met
AnswerC

Sign-in frequency forces re-authentication after a set time, even on compliant devices.

Why this answer

Option C is correct because the Conditional Access policy includes a session control that requires sign-in frequency, which forces users to re-authenticate with MFA at a specified interval regardless of device compliance or previous authentication. Even if the device is compliant and the user has already authenticated, the sign-in frequency control overrides session persistence and prompts for MFA again based on the configured time period (e.g., every hour). This explains why European branch users are repeatedly prompted for MFA despite having authenticated via a compliant device.

Exam trap

The trap here is that candidates confuse device compliance with session persistence, assuming that a compliant device automatically prevents repeated MFA prompts, but Conditional Access session controls like sign-in frequency explicitly override that behavior.

How to eliminate wrong answers

Option A is wrong because if the device were not marked as compliant, the policy would block access or require additional controls, but the users are still able to access the application after MFA, indicating the device compliance condition is satisfied. Option B is wrong because per-user MFA is a legacy setting that applies globally to all applications and would not cause repeated prompts only for this specific SaaS application; it would also be overridden by Conditional Access policies. Option D is wrong because a location condition that is not met would typically block access or require additional authentication, not cause repeated MFA prompts after successful authentication from a compliant device.

512
MCQ · hard

A company wants to require approval for any activation of the Global Administrator role in Privileged Identity Management (PIM). The approvers are predefined as members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to meet these requirements?

A. Edit the role settings of the Global Administrator role in PIM.
B. Create an access review for the Global Administrator role.
C. Configure Azure AD Identity Protection to require MFA for Global Administrator.
D. Assign the Global Administrator role directly to the users temporarily.
Answer: A

Role settings control activation approval, approvers, duration, and justification. Changing these settings meets all requirements.

Why this answer

Option A is correct because the requirement to require approval, enforce a business justification, and set a 4-hour expiration for Global Administrator activations is configured in the role settings of the Global Administrator role within Privileged Identity Management (PIM). These settings control activation parameters such as approval requirements, justification, and maximum activation duration, which directly map to the stated needs.

Exam trap

The trap here is that candidates confuse PIM role settings (which control activation policies) with access reviews (which audit existing assignments) or Azure AD Identity Protection (which handles sign-in risk), leading them to select options that address different aspects of identity governance.

How to eliminate wrong answers

Option B is wrong because an access review is used to periodically review and confirm role assignments, not to configure activation approval, justification, or expiration settings. Option C is wrong because Azure AD Identity Protection's MFA requirement for Global Administrator enforces authentication at sign-in, not activation approval or duration within PIM. Option D is wrong because directly assigning the Global Administrator role bypasses PIM activation workflows entirely, removing the ability to require approval, justification, or expiration.

513
MCQ · hard

A compliance officer needs to automatically detect and apply a sensitivity label to documents in SharePoint Online that contain a custom sensitive information type (e.g., employee ID pattern). The label must be applied automatically, and users must be prompted to provide a justification when attempting to remove the label. Which combination of configurations should the officer implement?

A. Create a sensitivity label with an auto-labeling policy that uses a custom sensitive info type, and configure the label's protection settings to require user justification to remove the label.
B. Create a retention label and publish it to the site via auto-labeling policy.
C. Use a Data Loss Prevention (DLP) policy to apply the label and configure the policy to block removal.
D. Deploy the Azure Information Protection scanner to scan SharePoint Online documents.
Answer: A

This allows automatic detection and application of the label, and the justification requirement prevents easy removal.

Why this answer

Option A is correct because Microsoft Purview sensitivity labels support auto-labeling policies that can automatically apply a label based on custom sensitive information types (e.g., employee ID patterns). Additionally, the label's protection settings include an option to require user justification when removing the label, which meets the compliance officer's requirement for both automatic detection and removal justification.

Exam trap

The trap here is that candidates confuse retention labels (which handle lifecycle) with sensitivity labels (which handle classification and protection), or they mistakenly think DLP policies can enforce label removal justification, which is a sensitivity label property, not a DLP rule action.

How to eliminate wrong answers

Option B is wrong because retention labels are designed for data lifecycle management (retention and deletion), not for sensitivity classification or protection settings like requiring justification for removal. Option C is wrong because DLP policies can apply sensitivity labels via auto-labeling, but they cannot enforce a 'block removal' of a label; removal justification is a property of the sensitivity label itself, not a DLP action. Option D is wrong because the Azure Information Protection (AIP) scanner is used for on-premises file shares and on-premises SharePoint, not for SharePoint Online; SharePoint Online uses built-in auto-labeling policies in Purview.

514
Multi-Select · medium

A security analyst wants to search for instances where a user received a phishing email that was delivered to their inbox, and then later clicked a link within that email that led to a known malicious domain. Which two advanced hunting tables should be joined to identify both the email delivery and the link click events? (Choose the option that correctly identifies the primary table pair.)

Select 2 answers
A. EmailEvents and DeviceEvents
B. EmailPostDeliveryEvents and DeviceNetworkEvents
C. EmailUrlInfo and DeviceProcessEvents
D. EmailEvents and DeviceLogonEvents
Answers: A, B

Correct. EmailEvents tracks email delivery and DeviceEvents (specifically URL click events) tracks link clicks from user devices.

Why this answer

To correlate a phishing email that was delivered to a user's inbox with a subsequent link click to a known malicious domain, you need to join the EmailEvents table (which records email delivery events, including the delivery action and the unique NetworkMessageId) with the DeviceEvents table (which captures user actions such as clicking a URL, including the ActionType 'PhishClick' or 'UrlClick'). This join allows you to match the email's NetworkMessageId with the click event's NetworkMessageId, linking the delivered email to the specific link click.

Exam trap

The trap here is that candidates often confuse DeviceNetworkEvents (which logs network connections) with DeviceEvents (which logs user actions like URL clicks), leading them to choose Option B, but DeviceNetworkEvents lacks the NetworkMessageId field required to correlate with the email delivery event.

515
MCQ · easy

A company has a hybrid identity setup. A new employee is created in on-premises AD but does not appear in Azure AD after sync. What should the admin check first?

A. Organizational unit filtering
B. DNS configuration
C. License assignment
D. Azure AD Connect synchronization status
Answer: D

Sync may be failing or not scheduled.

Why this answer

When a new user is created in on-premises Active Directory but does not appear in Azure AD after synchronization, the first troubleshooting step is to check the Azure AD Connect synchronization status. This is because Azure AD Connect is the service responsible for synchronizing objects from on-premises AD to Azure AD, and any sync failure, delay, or misconfiguration (such as a stopped sync cycle or filtering rules) would prevent the user from appearing. Checking the sync status via the Azure AD Connect wizard or the Synchronization Service Manager can immediately reveal whether the object was exported, skipped, or errored.

Exam trap

The trap here is that candidates often jump to license assignment (Option C) because they think a user must have a license to appear in Azure AD, but in reality, unlicensed users still appear in Azure AD after sync; the license only enables service access, not directory presence.

How to eliminate wrong answers

Option A is wrong because organizational unit (OU) filtering is a configuration within Azure AD Connect that controls which OUs are synchronized, but it is not the first thing to check; if the user's OU is excluded, the user would never sync, but the admin should first verify the sync status to see if the user is being processed at all. Option B is wrong because DNS configuration is unrelated to user synchronization; DNS is used for name resolution in network connectivity, but Azure AD Connect communicates over HTTPS and does not rely on DNS for object-level sync issues. Option C is wrong because license assignment is a post-sync step; a user must first appear in Azure AD before licenses can be assigned, so checking licenses would be premature and irrelevant if the user has not synced.

516
MCQ · easy

An administrator needs to grant a user the ability to reset passwords for other users in Microsoft Entra ID. Which role should be assigned?

A. Password Administrator
B. Global Administrator
C. User Administrator
D. Helpdesk Administrator
Answer: D

Helpdesk Administrators can reset passwords for non-admin users.

Why this answer

The Helpdesk Administrator role can reset passwords for non-administrators and limited administrators.

517
Multi-Select · easy

An administrator needs to open a Microsoft 365 support request because a critical service issue is affecting all users. Which two pieces of information should the administrator have readily available before contacting support? (Choose two.)

Select 2 answers
A. Tenant ID
B. User principal names of affected users
C. Current service health status
D. Billing contact information
Answers: A, C

The Tenant ID is required to verify the organization and locate the tenant in support systems.

Why this answer

The Tenant ID (A) is a unique, immutable identifier for the Microsoft 365 tenant, required by Microsoft Support to locate the tenant in their systems and verify administrative access. The current service health status (C) is critical because the support engineer will first check the Microsoft 365 Service Health Dashboard (admin.microsoft.com/Adminportal/Home?source=applauncher#/servicehealth) to confirm the issue is a known service incident; having this information ready avoids redundant troubleshooting and speeds up the creation of a service request.

Exam trap

The trap here is that candidates often assume user principal names (UPNs) are needed for any support request, but Microsoft Support requires the Tenant ID and service health status for tenant-wide issues, not individual user identifiers.

518
MCQ · medium

Your organization uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that the number of 'Leaked Credentials' detections is high. What action should you take to automatically remediate this risk?

A. Use Microsoft Entra ID Protection to automatically reset passwords for all users with leaked credentials
B. Configure a conditional access policy to block access for users with high user risk
C. Configure a user risk policy in Microsoft Entra ID Protection to require a password change for high-risk users
D. Enable Microsoft Entra ID Multifactor Authentication for all users
Answer: C

This automatically triggers a password change when a user is considered high risk due to leaked credentials.

Why this answer

Option C is correct because a user risk policy in Microsoft Entra ID Protection can be configured to automatically trigger a password change when a user is detected as high risk, such as when leaked credentials are identified. This policy directly remediates the risk by forcing the user to update their compromised credentials, effectively invalidating the leaked password. The other options either do not address the root cause or require manual intervention.

Exam trap

The trap here is that candidates often confuse 'automatic password reset' (which is not supported) with 'requiring a password change' (which is supported via a user risk policy), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection does not support automatic password reset; it can only trigger a password change via a user risk policy, not directly reset passwords. Option B is wrong because blocking access with a conditional access policy does not remediate the leaked credentials; it only prevents access until the risk is manually resolved, leaving the compromised password still active. Option D is wrong because enabling MFA for all users adds an extra layer of security but does not address the fact that the user's password is already leaked; the compromised credential remains valid and could still be used.

519
Multi-Select · hard

Your organization uses Microsoft Defender for Identity. You need to configure honeytoken accounts. Which THREE attributes should you ensure are NOT set for honeytoken accounts?

Select 3 answers
A. Description field
B. Last logon timestamp
C. Group memberships
D. Email address
E. Account enabled status
Answers: B, C, D

Honeytoken accounts should have no recent logons; any logon is suspicious.

Why this answer

Options B, C, and D are correct because honeytoken accounts should have no recent logons, no group memberships, and no email address. Option E is wrong because the account should remain enabled. Option A is wrong because the description can be anything.

520
Multi-Select · hard

A compliance officer needs to automatically apply a sensitivity label to all documents in SharePoint Online that contain a credit card number. The label must mark the document as 'Confidential' and encrypt it. Which two Microsoft Purview components must be configured to achieve automatic labeling based on sensitive content? (Choose two.)

Select 2 answers
A. Sensitivity label
B. Auto-labeling policy
C. Data Loss Prevention (DLP) policy
D. Retention label policy
Answers: A, B

The sensitivity label must be created with the desired protection settings (e.g., 'Confidential' and encryption).

Why this answer

Sensitivity labels define the classification and protection settings (e.g., 'Confidential' marking and encryption). Auto-labeling policies automatically apply those labels to documents containing sensitive information types, such as credit card numbers, without requiring user intervention. Together, they enable automatic labeling based on sensitive content in SharePoint Online.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling policies, but DLP policies only monitor and block data movement, while auto-labeling policies are the correct mechanism to automatically apply sensitivity labels based on content detection.

521
Multi-Select · medium

Your organization uses Microsoft 365 E5 licenses. You need to implement a solution to protect against ransomware attacks. Which TWO features should you configure?

Select 2 answers
A. Enable Microsoft Entra ID Protection.
B. Implement Microsoft Purview Information Protection.
C. Configure Microsoft Defender for Office 365 policies.
D. Deploy Microsoft Defender for Cloud Apps.
E. Use Microsoft Intune to enforce device compliance.
Answers: C, D

Defender for Office 365 protects against phishing and malware in email.

Why this answer

Option C is correct because Microsoft Defender for Office 365 includes anti-phishing, anti-spam, anti-malware, and Safe Attachments/Safe Links policies that directly block ransomware delivery vectors such as malicious email attachments and URLs. Option D is correct because Microsoft Defender for Cloud Apps provides visibility into cloud app usage, anomaly detection, and the ability to apply session policies (e.g., block download of sensitive files) to prevent ransomware from exfiltrating or encrypting data stored in SaaS apps.

Exam trap

The trap here is that candidates often confuse data protection (Purview Information Protection) or identity protection (Entra ID Protection) with the specific anti-ransomware capabilities of Defender for Office 365 and Defender for Cloud Apps, which are the two services explicitly designed to block ransomware at the email and cloud app layers.

522
MCQ · easy

You are configuring Microsoft Entra ID provisioning for a SaaS application that supports SCIM 2.0. The app requires the 'manager' attribute to be mapped. However, the manager attribute is not populated for all users. What should you do to avoid provisioning failures?

A. Configure the attribute mapping to 'Ignore it if null' for the manager attribute
B. Modify the SCIM schema in the application to make manager optional
C. Use the expression language to set a default value for the manager attribute
D. Delete the manager attribute mapping from the provisioning configuration
Answer: A

This ensures provisioning does not fail if manager is missing.

Why this answer

Option A is correct because when the 'manager' attribute is not populated for all users, configuring the attribute mapping to 'Ignore it if null' prevents provisioning failures by allowing the provisioning service to skip the attribute when its value is null, rather than attempting to send an empty or invalid value that the SCIM 2.0 endpoint might reject. This setting ensures that only users with a manager value trigger the mapping, avoiding errors for users without a manager.

Exam trap

The trap here is that candidates often confuse 'Ignore it if null' with setting a default value or removing the mapping, but the correct approach is to gracefully skip the null attribute rather than force a value or delete the mapping entirely.

How to eliminate wrong answers

Option B is wrong because modifying the SCIM schema in the application to make manager optional is typically not under your control—the SaaS application defines its SCIM schema, and you cannot alter it from Microsoft Entra ID. Option C is wrong because using expression language to set a default value for the manager attribute would assign a static value (e.g., 'Unknown') to users without a manager, which could cause incorrect data or provisioning failures if the application expects a valid manager reference. Option D is wrong because deleting the manager attribute mapping entirely would remove the attribute from provisioning, which might violate the application's required schema or business logic, and it does not address the need to handle null values gracefully.

523
Multi-Select · medium

Which TWO Microsoft Purview solutions can be used to detect and prevent the unauthorized sharing of sensitive information in Microsoft Teams messages?

Select 2 answers
A. Communication Compliance
B. eDiscovery (Premium)
C. Sensitivity labels
D. Information Barriers
E. Data Loss Prevention (DLP)
Answers: A, E

Communication Compliance monitors for policy violations.

Why this answer

DLP policies can scan Teams messages for sensitive content and block sharing. Communication Compliance can monitor messages for policy violations and take action. Sensitivity labels are for classification, not detection.

Information Barriers restrict communication between groups. eDiscovery is for investigation after the fact.

524
MCQ · medium

A company uses Azure AD and SharePoint Online. They want to allow users from a partner organization (which also uses Azure AD) to access a specific SharePoint Online site using their existing partner credentials. The partner users should not require new accounts to be created. Which Azure AD feature should be configured?

A. Azure AD B2B collaboration
B. Azure AD B2C
C. Azure AD Domain Services
D. Organizational Relationships
Answer: A

B2B collaboration allows external users to use their own identities, including Azure AD accounts.

Why this answer

Azure AD B2B collaboration allows you to invite external users from a partner organization to access your Azure AD-integrated applications, such as SharePoint Online, using their own existing Azure AD credentials. This feature leverages cross-tenant trust and does not require creating new user accounts in your tenant, fulfilling the requirement exactly.

Exam trap

The trap here is that candidates often confuse Azure AD B2B collaboration with Azure AD B2C, mistakenly thinking both are for external users, but B2C is designed for consumer-facing apps with local identities, not for partner organizations using their existing Azure AD credentials.

How to eliminate wrong answers

Option B (Azure AD B2C) is wrong because it is a customer-facing identity management service for external consumers (e.g., app users) and does not support using existing partner Azure AD credentials for access; it requires users to sign up with social or local accounts. Option C (Azure AD Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for legacy applications and has nothing to do with inviting external users or cross-tenant access. Option D (Organizational Relationships) is wrong because while it is a related concept in SharePoint on-premises for federated trust, it is not an Azure AD feature and does not enable partner users to authenticate with their existing Azure AD credentials in a cloud-only SharePoint Online scenario.

525
MCQ · easy

Your organization is implementing a hybrid identity solution. You want to synchronize on-premises Active Directory users to Microsoft Entra ID. Which tool should you use?

A. Microsoft Identity Manager
B. Microsoft Entra Cloud Sync
C. Microsoft Entra Connect Sync
D. Microsoft Entra Connect
Answer: D

Microsoft Entra Connect is the correct tool for hybrid sync.

Why this answer

Microsoft Entra Connect (formerly Azure AD Connect) is the correct tool for synchronizing on-premises Active Directory users to Microsoft Entra ID in a hybrid identity solution. It supports password hash synchronization, pass-through authentication, and federation with Active Directory Federation Services (AD FS), making it the primary and most feature-rich sync tool for complex hybrid environments.

Exam trap

The trap here is that candidates confuse 'Microsoft Entra Connect Sync' (the sync engine component) with the full 'Microsoft Entra Connect' tool, or they incorrectly assume 'Cloud Sync' is sufficient for all hybrid scenarios despite its missing writeback and federation capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution for managing identities across heterogeneous systems, not a dedicated sync tool for Microsoft Entra ID; it requires additional configuration and is not the recommended tool for standard hybrid sync. Option B is wrong because Microsoft Entra Cloud Sync is a lightweight agent designed for syncing from a single on-premises forest to Entra ID, but it lacks support for advanced features like device writeback, group writeback, and hybrid Azure AD join, making it unsuitable for a full hybrid identity implementation. Option C is wrong because Microsoft Entra Connect Sync is not a distinct product; it is the sync engine component within Microsoft Entra Connect, and the question asks for the tool itself, not a subcomponent.
