Microsoft 365 Administrator MS-102 (MS-102) — Questions 601–675

Page 9 of 13
601
MCQ · medium

Contoso uses Microsoft Entra ID P1 licenses and has a dedicated corporate office with static public IP addresses. The company wants to require MFA for all users, but exempt users when they connect from the corporate office. Which configuration should the administrator implement?

A. Create a Conditional Access policy that targets all users, grant access requiring MFA, and include the corporate office location as a condition.
B. Create a Conditional Access policy that targets all users, grant access requiring MFA, and exclude the corporate office location from the policy.
C. Configure a Per-User MFA policy and add the corporate office IPs to a list of trusted IPs in the MFA settings.
D. Create a Conditional Access policy that targets the corporate office location and grant access with MFA for all other locations.
Answer: B

Excluding the corporate office location ensures users connecting from those trusted IPs bypass MFA, while everyone else must satisfy the MFA requirement.

Why this answer

Option B is correct because a Conditional Access policy can target all users, require MFA as a grant control, and exclude the corporate office location (defined by static public IP addresses as a named location). This ensures MFA is enforced for all connections except those originating from the trusted corporate network, aligning with the requirement to exempt users at the office.

Exam trap

The trap here is that candidates often confuse 'include' and 'exclude' in Conditional Access conditions, mistakenly thinking that including the office location will exempt it, when in fact excluding the location is required to bypass MFA for that trusted network.

How to eliminate wrong answers

Option A is wrong because including the corporate office location as a condition would require MFA even when users connect from the office, which contradicts the exemption requirement. Option C is wrong because Per-User MFA is a legacy, less flexible approach that does not support location-based exemptions via Conditional Access; trusted IPs in MFA settings only bypass MFA for the MFA prompt itself but do not integrate with the granular policy controls of Conditional Access. Option D is wrong because targeting the corporate office location and granting access with MFA for all other locations is syntactically incorrect—Conditional Access policies grant access based on conditions, not by targeting a location to grant MFA elsewhere; the correct approach is to exclude the trusted location from the policy that requires MFA.

602
MCQ · hard

Your organization uses Microsoft Purview Data Lifecycle Management. You need to ensure that after an employee leaves, their OneDrive content is retained for 7 years and then automatically deleted. The retention label must be applied automatically when the employee is marked as inactive in Microsoft Entra ID. What should you configure?

A. Instruct users to manually apply a retention label to their OneDrive.
B. Create an auto-apply retention label with adaptive scope for inactive users.
C. Configure a default retention label on the OneDrive library.
D. Create a retention policy for OneDrive with a 7-year retention period.
Answer: B

Auto-apply with an adaptive scope can target inactive users based on the accountEnabled attribute.

Why this answer

A retention label auto-applied based on a Microsoft Entra ID attribute can target inactive users. Option B is correct because you can create an adaptive scope for inactive users and apply a retention label. Option D is wrong because retention policies apply to all content, not selectively.

Option C is wrong because default labels apply to new content, not existing content. Option A is wrong because manual labels require user action.

603
MCQ · easy

You are deploying a new Microsoft 365 tenant for a company that has a single domain, contoso.com. You need to verify domain ownership to enable email routing. Which DNS record type must you add to the public DNS zone?

A. CNAME record with 'autodiscover' pointing to 'autodiscover.outlook.com'.
B. SPF record including Microsoft 365 IP addresses.
C. MX record pointing to Microsoft 365.
D. TXT record with a verification code provided by Microsoft 365.
Answer: D

Standard method for domain verification in Microsoft 365.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing a unique verification code provided by the Microsoft 365 admin center to your public DNS zone. This proves you control the domain, enabling email routing and other services. Other DNS records like CNAME, SPF, or MX are used for service configuration, not ownership verification.

Exam trap

The trap here is that candidates confuse service configuration records (like MX, SPF, or CNAME) with the mandatory verification record, assuming any DNS change proves ownership, but only the TXT record with the specific code satisfies Microsoft 365's domain proof requirement.

How to eliminate wrong answers

Option A is wrong because a CNAME record for 'autodiscover' pointing to 'autodiscover.outlook.com' is used to configure automatic client discovery for Exchange Online, not to verify domain ownership. Option B is wrong because an SPF record specifies authorized sending IP addresses for email authentication and is not used for domain verification. Option C is wrong because an MX record directs email flow to Microsoft 365 but requires prior domain ownership verification to be accepted.

604
MCQ · hard

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive email. You have a DLP policy that blocks emails containing credit card numbers. However, users report that some legitimate emails with credit card numbers are being blocked, while others with similar content are allowed. You need to investigate the discrepancy and ensure consistent enforcement. What should you do first?

A. Use the Exchange admin center message trace to see if the emails were blocked by DLP.
B. Check the audit log for DLP rule matches to identify the specific emails blocked.
C. Review the DLP reports in the Microsoft Purview compliance portal to analyze the blocked emails.
D. Enable policy tips in test mode for the DLP policy and instruct users to report false positives.
Answer: D

This allows you to identify false positives without blocking, then refine the policy.

Why this answer

Option D is correct because DLP policy tips in test mode allow you to see what would be blocked without actually blocking, helping identify false positives. Option C (DLP reports in the Purview compliance portal) shows aggregate data but not per-user false positives. Option A (message trace) does not show DLP policy matches.

Option B (audit log) records DLP actions but is not the most efficient first step for troubleshooting false positives.

605
MCQ · easy

A security administrator wants to ensure that all email attachments are scanned in a sandbox environment and blocked if malicious, with email delivery delayed until scanning completes. Which Microsoft 365 Defender policy should the administrator configure?

A. Safe Links policy
B. Safe Attachments policy
C. Anti-spam policy
D. Anti-phishing policy
Answer: B

Safe Attachments scans email attachments in a virtual sandbox and blocks malicious ones, delaying delivery until analysis is complete.

Why this answer

Safe Attachments policy is the correct choice because it specifically provides time-of-delivery scanning of email attachments in a virtual sandbox environment. When configured with the 'Dynamic Delivery' action, the email body is delivered immediately while the attachment is held and scanned; if the attachment is found malicious, it is blocked and the user is notified. This directly meets the requirement to delay email delivery until scanning completes and block malicious attachments.

Exam trap

The trap here is that candidates often confuse Safe Attachments with Safe Links, assuming both handle attachments, but Safe Links only handles URLs, not file attachments, and the question explicitly requires sandbox scanning of attachments.

How to eliminate wrong answers

Option A is wrong because Safe Links policy protects users from malicious URLs in email messages and Office documents, not from email attachments; it does not perform sandbox scanning of files. Option C is wrong because Anti-spam policy filters inbound and outbound email based on spam, bulk mail, and phishing indicators, but it does not scan attachments in a sandbox environment. Option D is wrong because Anti-phishing policy protects against impersonation and spoofing attacks, not against malicious attachments; it does not include sandbox-based file scanning.

606
Drag & Drop · medium

Drag and drop the steps to configure Microsoft Entra ID (Azure AD) Connect for hybrid identity in the correct order.

Why this order

Azure AD Connect is installed, configured with sync options, OUs selected, and then enabled for continuous sync.

607
MCQ · hard

A company uses Microsoft Purview Data Lifecycle Management. They have a retention policy that retains all documents in a specific SharePoint Online site for 5 years and then automatically deletes them. Some documents in that site have a retention label that retains them for 7 years and then deletes them. What is the effective retention period for those labeled documents?

A. 5 years
B. 7 years
C. The documents are retained indefinitely due to conflict
D. The documents are retained for 5 years and then archived
Answer: B

The longer retention period (7 years) applies because both policy and label are in effect.

Why this answer

When a retention label is applied to a document, it takes precedence over a retention policy at the item level. The label's retention setting (7 years) overrides the site-level policy (5 years), so the effective retention period for the labeled documents is 7 years, after which they are automatically deleted.

Exam trap

The trap here is that candidates often assume the longest retention period wins or that a conflict causes indefinite retention, but Microsoft Purview's rule is that item-level labels override container-level policies, regardless of which period is longer.

How to eliminate wrong answers

Option A is wrong because it assumes the shorter retention policy overrides the label, but in Microsoft Purview, item-level retention labels always take precedence over broader policies. Option C is wrong because there is no conflict that causes indefinite retention; the label's explicit retention period is applied. Option D is wrong because the label specifies deletion, not archiving, and the retention period is 7 years, not 5.

608
MCQ · hard

A company has 500 users across Sales, Marketing, and IT departments. User objects are synced from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. Each department requires different Microsoft 365 license plans (e.g., Sales needs E3, Marketing needs Business Premium, IT needs E5). The administrator wants to automatically assign the appropriate license based on the department attribute without manual intervention. Which approach should the administrator use?

A. Create a script that runs daily to sync department values and assign licenses using PowerShell.
B. Configure group-based licensing using Microsoft Entra dynamic groups with rules based on the department attribute.
C. Use Azure AD Connect to filter objects and assign licenses during sync.
D. Manually assign licenses to each user in the Microsoft 365 admin center.
Answer: B

Dynamic groups evaluate membership based on rules using user attributes. When combined with group-based licensing, licenses are automatically applied to all members. This is the recommended Microsoft approach for automated license assignment.

Why this answer

Option B is correct because Microsoft Entra ID supports group-based licensing, which allows automatic license assignment to users based on their membership in dynamic groups. By creating dynamic groups with rules that filter on the department attribute (e.g., 'user.department -eq "Sales"'), the administrator can assign the appropriate license plan (E3, Business Premium, E5) to each group, and licenses are automatically applied or removed as users are added or removed from the group, without any manual or scripted intervention.

Exam trap

The trap here is that candidates may confuse Azure AD Connect's attribute filtering or sync capabilities with license assignment, or assume that a PowerShell script is the only automated method, overlooking the native group-based licensing feature that is designed exactly for this scenario.

How to eliminate wrong answers

Option A is wrong because using a script that runs daily introduces unnecessary complexity, potential delays (up to 24 hours), and administrative overhead; it also does not leverage the built-in, real-time license assignment capabilities of Microsoft Entra ID. Option C is wrong because Azure AD Connect is used for syncing identity objects and attributes, not for assigning licenses; filtering objects during sync controls which users are synced, not how licenses are assigned. Option D is wrong because manually assigning licenses to 500 users across three departments is not scalable, error-prone, and violates the requirement for automatic assignment without manual intervention.

609
MCQ · easy

Your organization uses Microsoft 365 Business Premium with Microsoft Entra ID P1. You have 200 users. You need to enforce multi-factor authentication (MFA) for all users accessing the company's CRM application, which is a third-party SaaS app integrated via SAML. The CRM app does not support modern authentication protocols. You want to use a Microsoft solution that does not require additional licenses. What should you use?

A. Enable security defaults in Microsoft Entra ID.
B. Deploy Microsoft Entra application proxy for the CRM app.
C. Configure per-user MFA for users of the CRM app.
D. Create a Conditional Access policy targeting the CRM application and require MFA.
Answer: D

Conditional Access works with SAML apps and can be scoped to the CRM app.

Why this answer

Option D (Conditional Access) can enforce MFA for SAML apps even if they don't support modern authentication, because the authentication happens in Entra ID. Security defaults (Option A) would apply MFA to all apps but cannot be customized. Option B (application proxy) is for on-premises apps.

A third-party MFA product is not a Microsoft solution and may require additional cost.

610
MCQ · hard

Your organization has a hybrid identity deployment using Microsoft Entra Connect Sync. You need to ensure that password writeback is enabled so that users can reset their own passwords from the cloud. Which prerequisite must be met?

A. Self-Service Password Reset (SSPR) must be enabled in Microsoft Entra ID
B. Password hash synchronization must be enabled
C. Azure MFA must be enabled for all users
D. Microsoft Entra ID P2 licenses must be assigned
Answer: A

SSPR is the cloud service that triggers writeback.

Why this answer

Password writeback requires that Self-Service Password Reset (SSPR) is enabled in Microsoft Entra ID because writeback is a feature of SSPR that allows password changes initiated in the cloud to be written back to the on-premises Active Directory. Without SSPR enabled, the cloud tenant has no mechanism to trigger the writeback operation, even if the Entra Connect Sync configuration is correct.

Exam trap

The trap here is that candidates often assume password hash synchronization must be enabled for any password-related feature, but password writeback is a separate SSPR function that does not depend on hash sync and can be used with other authentication methods.

How to eliminate wrong answers

Option B is wrong because password hash synchronization is not a prerequisite for password writeback; writeback works independently of hash sync and can be used with federation or pass-through authentication. Option C is wrong because Azure MFA is not a prerequisite for password writeback; MFA can be used as an additional security layer for SSPR but is not required for the writeback feature itself. Option D is wrong because Microsoft Entra ID P2 licenses are not required for password writeback; SSPR with writeback is available with Microsoft Entra ID P1 licenses, though P2 adds additional identity protection features.

611
MCQ · medium

You are investigating an incident in Microsoft Defender XDR where a user received a phishing email that contained a link to a malicious site. The user clicked the link but did not enter credentials. Which actions would be most effective to remediate the incident?

A. Block the user's account from signing in.
B. Use Threat Explorer to delete the phishing email from all mailboxes.
C. Initiate an automated investigation on the user's device.
D. Block the URL in the Tenant Allow/Block List.
E. Reset the user's password immediately.
Answer: B, C

Removing the email prevents further exposure.

Why this answer

Option B is correct because soft-deleting the email from all mailboxes removes the threat. Option C is correct because investigating the user's device for any post-click activity is crucial. Option A is wrong because blocking the user's sign-in is not necessary since credentials were not compromised.

Option E is wrong because resetting the password is not needed. Option D is wrong because blocking the URL is good but not sufficient, as the email remains in other users' inboxes.

612
MCQ · medium

A company wants to require that all users accessing a critical internal application must be on a compliant device (managed by Intune) and must have authenticated with multi-factor authentication in the last 30 minutes. Which Conditional Access configurations are needed?

A. Grant control 'Require multi-factor authentication' and 'Require device to be marked as compliant' with session control 'Sign-in frequency' set to 30 minutes
B. Grant control 'Require multi-factor authentication' and 'Require device to be marked as compliant' and 'Require all the selected controls'
C. Grant control 'Require multi-factor authentication' and 'Require hybrid Azure AD joined device' with session control 'App enforced restrictions'
D. Grant control 'Block access' for non-compliant devices and separate policy for MFA
Answer: A

This combination ensures both MFA and device compliance are required, and the sign-in frequency session control forces MFA reauthentication every 30 minutes.

Why this answer

Option A is correct because it combines the required grant controls ('Require multi-factor authentication' and 'Require device to be marked as compliant') with the session control 'Sign-in frequency' set to 30 minutes. The sign-in frequency session control enforces reauthentication after the specified time window, ensuring MFA was performed within the last 30 minutes. The grant controls ensure both MFA and device compliance are satisfied simultaneously.

Exam trap

The trap here is that candidates often confuse 'Require all the selected controls' (which is a logical AND operator for grant controls) with session controls, and fail to realize that time-based MFA reauthentication requires a separate session control setting, not just a grant control.

How to eliminate wrong answers

Option B is wrong because it includes 'Require all the selected controls' but omits the session control 'Sign-in frequency', which is necessary to enforce the 30-minute MFA reauthentication window; without it, MFA is only required at initial sign-in. Option C is wrong because it requires a 'hybrid Azure AD joined device' instead of a device 'marked as compliant', and uses 'App enforced restrictions' which does not enforce a 30-minute MFA reauthentication interval. Option D is wrong because using a separate policy for MFA and a 'Block access' policy for non-compliant devices cannot enforce the 30-minute MFA reauthentication requirement; session controls like 'Sign-in frequency' are needed for time-based reauthentication, and blocking non-compliant devices alone does not ensure MFA freshness.

613
Drag & Drop · medium

Drag and drop the steps to configure Microsoft 365 audit log search in the correct order.

Why this order

Audit log search is performed in Defender with date range, activities, and optional filters, then results can be exported.

614
MCQ · hard

Your organization uses Microsoft 365 E5 licenses. You need to configure retention labels to automatically retain emails related to ongoing litigation for 5 years and then delete them. The labels must be applied based on specific keywords in the email subject. What should you use?

A. Configure a default retention label on the mailbox.
B. Deploy a sensitivity label with auto-labeling for Exchange.
C. Create a retention policy applied to Exchange email.
D. Use an auto-apply retention label with a trainable classifier.
Answer: D

Auto-apply labels can use trainable classifiers to match keywords.

Why this answer

Auto-apply retention labels with a trainable classifier can apply labels based on keywords. Option D is correct because trainable classifiers can be configured to match subject keywords. Option C is wrong because retention policies apply to all content in a location, not based on keywords.

Option A is wrong because default labels apply to all items in a library or folder. Option B is wrong because sensitivity labels focus on protection, not retention.

615
MCQ · hard

Your organization has Microsoft Defender for Cloud Apps deployed. You need to be alerted when a user performs more than 50 failed login attempts in an hour from a non-corporate IP address. Which type of policy should you create?

A. Session policy
B. Anomaly detection policy
C. File policy
D. Access policy
Answer: B

Anomaly detection policies can detect unusual login patterns.

Why this answer

Option B is correct because an anomaly detection policy in Defender for Cloud Apps can detect unusual login patterns, such as multiple failed attempts. Option A is wrong because a session policy controls access in real time, not detection. Option D is wrong because an access policy enforces conditional access.

Option C is wrong because a file policy monitors file activities.

616
MCQ · medium

You are the identity administrator for a multinational company with 50,000 users. The company uses Microsoft Entra ID P2 and has recently acquired a small subsidiary with 300 users that uses a different identity provider (Okta). You need to integrate the subsidiary's identities into your Microsoft Entra tenant. Requirements: - The subsidiary's users must be able to access Microsoft 365 applications using their existing Okta credentials. - You must minimize changes to the subsidiary's existing infrastructure. - All access to Microsoft 365 must be governed by your Conditional Access policies. - Passwords must not be stored in Microsoft Entra ID. What should you implement?

A. Create B2B collaboration invitations for each subsidiary user.
B. Configure federation between Microsoft Entra ID and Okta so that the subsidiary users authenticate with Okta.
C. Set up password hash synchronization from Okta to Microsoft Entra ID using provisioning agents.
D. Deploy Microsoft Identity Manager (MIM) to sync identities from Okta to on-premises AD and then to Microsoft Entra ID.
Answer: B

Federation allows using existing credentials, no password sync, and CA policies can be applied.

Why this answer

Option B (federation with Okta) allows subsidiary users to use their existing credentials, avoids password synchronization, and allows Conditional Access policies to be applied (Conditional Access is still evaluated on the Entra ID side, and federation works with it). Option A (B2B collaboration) would create guest accounts, which is not ideal for full users. Option C (password hash sync) stores passwords in the cloud.

Option D (MIM sync) requires on-premises infrastructure and changes.

617
MCQ · easy

A compliance officer needs to automatically apply a retention label to all documents in a SharePoint Online site that have not been modified for more than 3 years. The label should retain the documents for an additional 5 years, then trigger a disposition review. Which action should the officer configure in the auto-apply retention label policy?

A. Configure a condition that detects 'Last Modified Date' is older than 3 years
B. Configure a condition that detects 'Created Date' is older than 3 years
C. Select the retention label and manually publish to the site, then use a Power Automate flow to apply the label
D. Create a data lifecycle management policy using a query for documents created before a certain date
Answer: A

Correct. The auto-apply rule can use the 'Last Modified Date' property to identify documents not modified in 3 years.

Why this answer

Option A is correct because the auto-apply retention label policy in Microsoft Purview can use a KQL-based condition to detect documents where the 'Last Modified Date' is older than 3 years. This triggers the label to retain the documents for 5 additional years and then initiate a disposition review, meeting the compliance officer's requirement exactly.

Exam trap

The trap here is that candidates confuse 'Created Date' with 'Last Modified Date' or think a manual publishing approach (Option C) is equivalent to an auto-apply policy, but the exam tests the precise condition needed for inactivity-based labeling.

How to eliminate wrong answers

Option B is wrong because using 'Created Date' would apply the label to documents that were created more than 3 years ago, even if they were recently modified, which does not match the requirement to target documents not modified for over 3 years. Option C is wrong because manually publishing a label and using Power Automate is not an auto-apply policy; it requires manual or flow-based application, which is not automatic and does not use the built-in auto-labeling engine. Option D is wrong because a data lifecycle management policy (e.g., Microsoft 365 retention policy) applies retention at the container level (site or library) and cannot apply a specific retention label with a disposition review trigger; it also uses a query for created date, not last modified date.

618
MCQ · hard

Your Microsoft 365 tenant has been configured with Microsoft Entra ID Connect synchronization from on-premises Active Directory. Users are unable to log in to Microsoft 365 services. You check the synchronization status and see that the last sync was successful. What is the most likely cause?

A. The firewall is blocking authentication requests to Microsoft 365.
B. The on-premises Active Directory is not reachable from the sync server.
C. Password hash synchronization is disabled.
D. The user principal name (UPN) suffix for users is not a verified domain in Microsoft Entra ID.
Answer: D

UPN mismatch is a common cause of login failure after successful sync.

Why this answer

The most likely cause is that the UPN suffix for users is not a verified domain in Microsoft Entra ID. Even though password hash synchronization is enabled and the last sync was successful, if the UPN suffix (e.g., @contoso.local) does not match a custom domain verified in Entra ID, users cannot sign in because Entra ID cannot route authentication to the correct tenant. The sync process will complete without error, but login fails because the UPN is not recognized as a valid domain in the cloud.

Exam trap

The trap here is that candidates assume a successful sync means all authentication components are working, but Microsoft deliberately tests the distinction between object synchronization success and domain verification failure, which causes login to fail despite a green sync status.

How to eliminate wrong answers

Option A is wrong because the firewall blocking authentication requests would prevent all connectivity to Microsoft 365 services, not just login after a successful sync; the sync itself would also fail or show errors. Option B is wrong because if the on-premises Active Directory were unreachable from the sync server, the last sync would not have been successful; the sync engine requires a live connection to AD to read objects. Option C is wrong because password hash synchronization being disabled would cause password-related login failures, but the question states users cannot log in at all; if PHS were disabled, users could still log in using federated authentication or pass-through authentication if configured, and the sync status would still show success for object synchronization.

619
MCQ · medium

Your organization uses Microsoft Purview Records Management. You need to ensure that when a document is declared a record, it cannot be edited or deleted by users. Which type of record should you use?

A. Regular record
B. Standard record
C. Retention label with record setting
D. Regulatory record
Answer: D

Regulatory records are immutable.

Why this answer

Regulatory records are locked and cannot be edited or deleted, even by admins. Standard records can be edited by admins or users with certain permissions. Option B is incorrect because standard records can be edited.

Option C is incorrect because retention labels don't make records. Option A is incorrect because there is no distinction between regular and regulatory in that way.

620
Multi-Select · hard

A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?

Select 2 answers
A. EmailEvents and DeviceNetworkEvents
B. EmailEvents and UrlClickEvents
C. EmailEvents and IdentityLogonEvents
D. UrlClickEvents and DeviceNetworkEvents
Answers: B, D

EmailEvents tracks email delivery and UrlClickEvents tracks when users click URLs in email. Combining them allows correlation.

Why this answer

Option B is correct because the detection requires correlating the email receipt (EmailEvents) with the user's click on a malicious link (UrlClickEvents). EmailEvents captures email delivery details, while UrlClickEvents records user clicks on URLs in email messages, including those that bypassed Exchange Online Protection. Combining these two tables allows the analyst to identify the specific chain: a user received a phishing email and then clicked a link to a known malicious domain.

Exam trap

The trap here is that candidates often confuse DeviceNetworkEvents with user click events, assuming network-level logs can replace UrlClickEvents, but DeviceNetworkEvents does not capture the user's click action on an email link or the email context (e.g., NetworkMessageId).

621
Multi-Select · hard

Your organization is deploying Windows 11 using Microsoft Intune. You need to ensure that devices are automatically enrolled in Intune when users sign in with their Microsoft Entra ID credentials. Which THREE prerequisites must be met?

Select 3 answers
A. Devices must run Windows 10/11 Home edition.
B. Microsoft Configuration Manager must be deployed.
C. Microsoft Entra ID P1 or P2 license.
D. Devices must be Microsoft Entra joined or hybrid Microsoft Entra joined.
E. MDM user scope must be set to All or Some in Microsoft Entra ID.
Answers: C, D, E

Correct: Required for automatic MDM enrollment.

Why this answer

Option C is correct because Microsoft Entra ID P1 or P2 licenses are required to enable automatic MDM enrollment via Intune. Without these licenses, the MDM authority cannot be set to Intune, and the automatic enrollment policy in Microsoft Entra ID will not function. This licensing requirement ensures that the tenant has the necessary features for conditional access and device management policies.

Exam trap

The trap here is that candidates often confuse the licensing requirement (Entra ID P1/P2) with the need for a separate MDM license like Intune, or mistakenly think that Windows Home edition or Configuration Manager are required for automatic enrollment.

622
MCQ · medium

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use their existing on-premises passwords to log in to cloud services, while maintaining password policy enforcement on-premises. Which feature should you implement?

A. Password Hash Synchronization (PHS)
B. Pass-through Authentication with Seamless SSO
C. Active Directory Federation Services (AD FS)
D. Install Azure AD Connect with default settings
Answer: A

PHS synchronizes password hashes to Entra ID, enabling same-password use.

Why this answer

Password Hash Synchronization (PHS) synchronizes the hash of on-premises Active Directory user passwords to Microsoft Entra ID, enabling users to log in to cloud services with the same password. It enforces password policies on-premises because the on-premises domain controller remains the authoritative source for password complexity, expiration, and lockout rules. PHS does not require additional infrastructure beyond Azure AD Connect and works even if the on-premises network is temporarily unavailable.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication with Seamless SSO as the only way to avoid storing passwords in the cloud, but the question does not require avoiding cloud storage—it only requires using existing passwords and maintaining on-premises policy enforcement, which PHS achieves with less complexity.

How to eliminate wrong answers

Option B is wrong because Pass-through Authentication with Seamless SSO validates passwords directly against on-premises Active Directory without storing password hashes in the cloud, but it does not maintain password policy enforcement on-premises in a way that differs from PHS—it still relies on on-premises policy, but the question specifically asks for a feature that ensures users can use existing passwords while maintaining on-premises policy enforcement, and PHS is the simplest and most direct solution. Option C is wrong because Active Directory Federation Services (AD FS) is a federation service that redirects authentication to on-premises servers, which adds complexity and requires high-availability infrastructure; it is not the simplest or most appropriate choice when the goal is to use existing passwords without additional federation overhead. Option D is wrong because installing Azure AD Connect with default settings does not automatically enable password synchronization; the default settings only synchronize directory objects, and you must explicitly select the Password Hash Synchronization option to achieve the described goal.

623
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing a sanctioned cloud app from an unknown IP address. You want to require multi-factor authentication (MFA) for this access. What should you configure?

A. Create a file policy
B. Create an access policy
C. Create a session policy
D. Create an app discovery policy
Answer: B

Access policies can require MFA based on location, device, etc.

Why this answer

Option B is correct because an access policy can require MFA based on conditions such as the source IP address. Option C is wrong because session policies control activity within a session in real time and are used for monitoring. Option D is wrong because app discovery policies identify apps in use. Option A is wrong because file policies control file sharing.

624
MCQ · medium

A compliance officer needs to retain all documents in a SharePoint Online site for 7 years and then automatically delete them. During the retention period, users must be able to edit the documents but not delete them. Which Microsoft Purview solution should the officer configure?

A. A retention policy configured with a retention period of 7 years and an action to delete items automatically
B. A retention label configured with a retention period and an action to delete after 7 years
C. A data lifecycle management policy
D. An eDiscovery hold
Answer: A

Retention policies apply to entire sites or mailboxes, retain content for the specified period, prevent deletion during retention, and can automatically delete after the period.

Why this answer

A retention policy in Microsoft Purview can be applied at the site level to enforce a 7-year retention period with automatic deletion, while allowing users to edit documents during that time. The policy prevents deletion by users because the retention lock overrides user permissions, ensuring compliance with the requirement to block deletion but permit edits.

Exam trap

The trap here is that candidates confuse retention labels with retention policies, assuming labels can enforce site-wide deletion and edit permissions, but labels are item-level and require manual application or auto-labeling, whereas policies apply broadly and include the necessary deletion prevention.

How to eliminate wrong answers

Option B is wrong because a retention label requires manual or auto-classification and is typically applied to individual items, not an entire site, and it does not inherently prevent user deletion during the retention period unless combined with a retention policy. Option C is wrong because a data lifecycle management policy focuses on managing data across its lifecycle (e.g., archiving or moving to cold storage) but does not enforce a retention period with deletion prevention and automatic deletion in the same way as a retention policy. Option D is wrong because an eDiscovery hold preserves content for legal or investigative purposes but does not automatically delete items after a set period; it is designed for indefinite holds until released, not scheduled deletion.

625
MCQ · easy

Your organization has a Microsoft 365 E5 tenant. You need to ensure that users are prompted to register for multifactor authentication (MFA) the first time they sign in. Which Microsoft Entra ID policy should you configure?

A. Enable Security defaults
B. Create a Conditional Access policy requiring MFA and enable Microsoft Entra ID Identity Protection to enforce MFA registration
C. Enable combined registration for SSPR and MFA
D. Configure MFA service settings per-user
Answer: B

This combined approach prompts users to register MFA at first sign-in.

Why this answer

Option B is correct because combining a Conditional Access policy that requires MFA with Identity Protection's MFA registration policy ensures users are prompted to register for MFA at first sign-in. The MFA registration policy in Identity Protection specifically enforces that users must register their authentication methods before accessing applications, which triggers the registration prompt on initial authentication.

Exam trap

The trap here is that candidates often confuse the MFA registration policy in Identity Protection with a standard Conditional Access policy that requires MFA, but the registration policy specifically triggers the registration prompt, not the MFA challenge itself.

How to eliminate wrong answers

Option A is wrong because Security defaults is a baseline security feature that enforces MFA for all users but does not provide a granular registration prompt on first sign-in; it applies MFA automatically after registration, not a registration-only trigger. Option C is wrong because combined registration for SSPR and MFA only consolidates the user registration portal for both features; it does not enforce or prompt registration at sign-in. Option D is wrong because configuring MFA service settings per-user is a legacy method that requires manual enablement and does not automatically prompt users to register on first sign-in; it also lacks the integration with Identity Protection for registration enforcement.

626
MCQ · medium

You need to configure Microsoft Entra ID to allow users to authenticate using their existing social media accounts. Which identity provider type should you add?

A. OpenID Connect identity provider
B. Google identity provider
C. Microsoft account identity provider
D. SAML/WS-Fed identity provider
Answer: B

Google is a social identity provider that can be added.

Why this answer

To allow users to authenticate using their existing social media accounts, you need to add a Google identity provider in Microsoft Entra ID. Google is explicitly supported as a social identity provider (IdP) for B2B guest user scenarios, enabling users to sign in with their Gmail accounts. This is configured under External Identities > All identity providers, where you select Google and configure the OAuth 2.0 client ID and secret from the Google API Console.

Exam trap

The trap here is that candidates confuse the generic 'OpenID Connect identity provider' option with the pre-configured social providers, not realizing that Microsoft provides dedicated Google and Facebook identity providers for social authentication, while OpenID Connect is for custom OIDC-compliant IdPs.

How to eliminate wrong answers

Option A is wrong because OpenID Connect is a protocol, not a specific social identity provider; adding a generic OpenID Connect provider requires custom configuration and is not the pre-built option for social accounts like Google. Option C is wrong because Microsoft account is already a built-in identity provider in Entra ID for Microsoft personal accounts (e.g., Outlook.com), not for third-party social media accounts like Google or Facebook. Option D is wrong because SAML/WS-Fed identity providers are used for enterprise federation with on-premises or cloud directories (e.g., ADFS, Okta), not for consumer social media authentication.

627
MCQ · hard

Your company recently merged with another company that uses Microsoft 365. Both tenants have the same primary domain, contoso.com. You need to merge the two tenants into a single tenant while preserving user email addresses. What should you do?

A. Use cross-tenant collaboration settings to share the domain.
B. Remove the domain from the source tenant and add it to the target tenant, then migrate users.
C. Configure a domain sharing agreement between both tenants.
D. Set up a federation trust between the two tenants.
Answer: B

Standard approach for tenant consolidation.

Why this answer

Option B is correct because tenant-to-tenant migration with domain consolidation involves removing the domain from the source tenant, adding it to the target tenant, and then migrating users with their email addresses. Option D is wrong because a federation trust does not merge tenants. Option C is wrong because a domain cannot be shared between tenants. Option A is wrong because cross-tenant collaboration settings do not consolidate domains.

628
MCQ · medium

A company needs to migrate several shared mailboxes from on-premises Exchange 2016 to Exchange Online. The company plans to keep some user mailboxes on-premises for now. Which migration strategy should they use for the shared mailboxes?

A. Cutover migration
B. Staged migration
C. IMAP migration
D. Hybrid migration
Answer: D

Hybrid migration uses a hybrid deployment to move shared mailboxes between on-premises and Exchange Online with coexistence.

Why this answer

A hybrid migration is the correct choice because it allows the coexistence of on-premises Exchange 2016 and Exchange Online mailboxes, enabling the selective migration of shared mailboxes while keeping some user mailboxes on-premises. This approach uses the Hybrid Configuration Wizard to establish a secure connection and synchronize directory objects via Azure AD Connect, supporting mailbox moves with the New-MoveRequest cmdlet.

Exam trap

The trap here is that candidates often choose cutover migration because it is simpler, but they overlook the requirement to keep some mailboxes on-premises, which cutover migration cannot accommodate.

How to eliminate wrong answers

Option A is wrong because cutover migration migrates all mailboxes in a single batch and requires all mailboxes to be moved to Exchange Online, which conflicts with the requirement to keep some user mailboxes on-premises. Option B is wrong because staged migration is designed for migrating user mailboxes from on-premises Exchange 2003 or 2007, not Exchange 2016, and it does not support shared mailboxes natively. Option C is wrong because IMAP migration only migrates email data (not calendar, contacts, or tasks) and does not preserve shared mailbox properties or enable coexistence; it is intended for non-Exchange systems.

629
MCQ · hard

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. DeviceFileEvents
D. IdentityLogonEvents
Answer: A

Correct. This table includes network connection events with details like remote IP, port, and initiating process filename, allowing direct rule creation.

Why this answer

The DeviceNetworkEvents table in Microsoft Defender XDR captures network connection events, including source and destination IP addresses, ports, and the initiating process's filename and ID. This makes it the ideal primary data source for a custom detection rule that must trigger on a specific malicious IP and port combination while also providing process information.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which includes process command lines) as sufficient for network detection, overlooking that it lacks the network-specific fields (RemoteIP, RemotePort) required to match a malicious IP and port combination.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it logs process creation and termination events, not network connections; it lacks the destination IP and port fields needed for this rule. Option C (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events, which are irrelevant to network connections. Option D (IdentityLogonEvents) is wrong because it captures authentication and logon events from Azure AD, not network-level activities on devices.

630
MCQ · easy

You are configuring Microsoft Entra ID Protection. You want to automatically respond to a specific risk level by requiring the user to change their password. Which risk policy should you configure?

A. MFA registration policy
B. Sign-in risk policy
C. Session risk policy
D. User risk policy
Answer: D

User risk policy can require a password change when risk is detected.

Why this answer

Option D is correct because the user risk policy can be configured to require a password change when user risk is elevated. The sign-in risk policy (Option B) typically triggers MFA or blocks the sign-in. Options A and C are not standard risk policies.

631
MCQ · easy

You are a security administrator for a company that uses Microsoft Defender XDR. You need to investigate a suspicious email that was reported by a user. You want to see the full email details, including headers, attachments, and URLs. Where should you look?

A. Use the Threat analytics dashboard to find the email.
B. Go to the user entity page and view their email activity.
C. In the Microsoft Defender XDR portal, search for the email message ID or subject to open the email entity page.
D. Open the incident related to the email and view the alert details.
Answer: C

Correct: Email entity page shows full details.

Why this answer

Option C is correct because the email entity page in Microsoft Defender XDR provides detailed information about a specific email, including headers, attachments, and URLs. Option D is wrong because the incident and alert details show alerts, not the full email details. Option A is wrong because Threat analytics shows attack patterns. Option B is wrong because the user entity page shows user activity, not email details.

632
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage role activations. They have an Azure AD Premium P2 license. The security team wants to require that any activation of the Exchange Administrator role must be approved by a specific group named 'Exchange Approvers'. Additionally, activations must require a ticket number and expire after 6 hours. Which PIM configuration should the administrator modify?

A. Configure the 'Role settings' for the Exchange Administrator role to require approval and set the approvers group
B. Add the Exchange Administrator role to the 'Exchange Approvers' group's eligible assignments
C. Create a PIM alert for activations without a ticket number and set a 6-hour alert threshold
D. Define an access review for the Exchange Administrator role with a 6-hour review duration
Answer: A

Correct. The activation settings include toggle for approval, approver selection, justification requirements (ticket number), and maximum activation duration.

Why this answer

Option A is correct because in Azure AD PIM, the 'Role settings' for a specific role (like Exchange Administrator) allow you to configure activation requirements, including requiring approval, specifying approvers (such as the 'Exchange Approvers' group), requiring a ticket number, and setting a maximum activation duration (e.g., 6 hours). This directly meets all the security team's requirements.

Exam trap

The trap here is confusing 'eligible assignments' (who can activate a role) with 'approvers' (who must approve activations), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because adding the Exchange Administrator role to the 'Exchange Approvers' group's eligible assignments would make members of that group eligible to activate the role, not approve activations of the role. Option C is wrong because PIM alerts can notify about suspicious activities but cannot enforce a ticket number requirement or set a 6-hour activation duration; those are configured in role settings. Option D is wrong because access reviews are for periodic recertification of role assignments, not for controlling activation duration or requiring approval during activation.

633
MCQ · medium

Your organization uses Microsoft Purview Communication Compliance to detect inappropriate messages in Microsoft Teams. You need to define policies that automatically detect and review messages containing profanity or harassment. Which built-in classifier should you use?

A. Harassment classifier
B. Sensitive info types classifier
C. Profanity classifier
D. Threat classifier
Answer: A

Harassment classifier detects threatening or abusive language.

Why this answer

Option A is correct because the 'Harassment' classifier is specifically designed to detect harassing or threatening language. Option C is incorrect because the 'Profanity' classifier only detects swear words, not harassment. Option B is incorrect because the 'Sensitive info types' classifier detects sensitive data such as credit card numbers, not harassment. Option D is incorrect because the 'Threat' classifier detects threats, which is narrower than harassment.

634
MCQ · hard

You create a custom detection rule in Microsoft Defender XDR using the KQL query shown in the exhibit. The rule is intended to detect lateral movement via SMB. After deploying the rule, you notice that it generates many false positives from legitimate administrative activity. What is the most effective way to reduce false positives?

A. Filter for only inbound SMB connections
B. Remove the join with DeviceProcessEvents
C. Add a filter to exclude specific administrative accounts or IP ranges
D. Increase the time window of the query
Answer: C

Excluding known good activity reduces false positives.

Why this answer

Option C is correct because adding a filter to exclude known administrative accounts or IP ranges removes known-good activity from the results and reduces false positives. Option D is wrong because increasing the time window would include more events and could increase false positives. Option B is wrong because removing the join would eliminate the correlation between SMB connections and PowerShell, which is key to detecting lateral movement. Option A is wrong because focusing only on inbound connections may miss the lateral movement scenario.

635
MCQ · easy

Your organization uses Microsoft Defender for Endpoint (MDE). A security analyst needs to investigate a file that was detected as malicious on several devices. The analyst wants to see the file's prevalence across the organization and other related events. Which feature in MDE should the analyst use?

A. File page
B. Alert page
C. Device page
D. Investigation page
Answer: A

File page shows file prevalence, devices, and related events.

Why this answer

Option A is correct because the File page in MDE provides details about the file, including its prevalence, the list of devices where it was seen, and related events. Option C is wrong because the Device page focuses on a specific device. Option B is wrong because the Alert page focuses on alerts. Option D is wrong because the Investigation page is for automated investigations.

636
Drag & Drop · medium

Drag and drop the steps to configure Microsoft 365 Groups expiration policy in the correct order.


Why this order

Groups expiration policy is set in the admin center with a duration, notification owner, and deletion behavior.

637
MCQ · medium

An administrator needs to delegate the ability to view service health and manage service requests to a helpdesk team, without granting permissions to reset passwords, manage users, or access billing. Which built-in Microsoft 365 admin role should be assigned?

A. Service Support Administrator
B. Helpdesk Administrator
C. Service Administrator
D. Security Reader
Answer: A

This role provides exactly the needed permissions: view service health and manage service requests.

Why this answer

The Service Support Administrator role is the correct built-in role because it grants the specific permissions needed to view service health and manage service requests in the Microsoft 365 admin center, while explicitly excluding permissions to reset passwords, manage users, or access billing. This role is designed for helpdesk teams that need to handle service incidents without broader administrative access.

Exam trap

The trap here is that candidates often confuse 'Service Support Administrator' with 'Helpdesk Administrator' because both sound helpdesk-related, but Helpdesk Administrator includes password reset and user management permissions that are explicitly disallowed in the question.

How to eliminate wrong answers

Option B (Helpdesk Administrator) is wrong because it includes permissions to reset user passwords and manage user accounts, which exceeds the required scope and violates the constraint of not granting password reset or user management abilities. Option C (Service Administrator) is wrong because it is not a built-in Microsoft 365 admin role; the correct role for managing service requests is Service Support Administrator, and Service Administrator is a legacy or misnamed concept. Option D (Security Reader) is wrong because it only provides read-only access to security-related information and policies, and does not include permissions to manage service requests or view service health in the admin center.

638
Multi-Select · hard

Your company uses Microsoft Entra ID with P2 licenses. You need to configure Privileged Identity Management (PIM) for Azure AD roles. Which THREE actions are possible with PIM?

Select 3 answers
A. Automatically assign a role to all users in a security group
B. Schedule start and end times for role assignments
C. Require Azure MFA during role activation
D. Require approval from a specified group before activating a role
E. Limit role activation to a specific device
Answers: B, C, D

PIM allows time-bound assignments.

Why this answer

Option B is correct because PIM allows you to configure time-bound role assignments with specific start and end dates, enabling just-in-time access and reducing standing privileges. This is a core feature of PIM for Azure AD roles, supporting both eligible and active assignments with scheduled durations.

Exam trap

The trap here is that candidates may confuse PIM's role activation restrictions with Conditional Access policies, assuming device-based limitations are possible, when in fact PIM only supports MFA, approval, and time-bound settings for activation.

639
Multi-Select · medium

Your organization has a Microsoft 365 E5 subscription. You need to enforce that all users must use multi-factor authentication (MFA) when accessing Microsoft 365 services. Which TWO components should you configure?

Select 2 answers
A. Microsoft Defender for Identity.
B. Security defaults.
C. Azure AD Identity Protection user risk policy.
D. Per-user MFA (legacy).
E. Conditional Access policy.
Answers: B, E

Correct: Security defaults enable MFA for all users.

Why this answer

Security defaults (option B) is correct because it provides a pre-configured set of security policies that enforce MFA for all users accessing Microsoft 365 services, including requiring MFA registration and blocking legacy authentication. Conditional Access policy (option E) is correct because it allows granular control to require MFA based on specific conditions such as user, location, or device state, which is the modern, recommended approach for enforcing MFA in a Microsoft 365 E5 subscription.

Exam trap

Microsoft often tests the distinction between legacy per-user MFA and modern Conditional Access policies, where candidates mistakenly think per-user MFA is still the recommended method, but the exam emphasizes that Conditional Access is the preferred approach for granular MFA enforcement.

640
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A security analyst reports that several domain controllers are generating alerts for anomalous logon activity. You need to investigate the scope of the potential compromise across the entire environment, including endpoints, identities, and cloud apps. What is the most efficient approach?

A. Check each workload portal individually and correlate manually
B. Review the alerts in Microsoft Defender for Identity only
C. Review the alerts in Microsoft Defender for Endpoint only
D. Use the Microsoft Defender XDR portal to view the unified incident
Answer: D

Unified incident view correlates all workload alerts.

Why this answer

Option D is correct because Microsoft Defender XDR provides a unified incident view that correlates alerts from all workloads. Option C is wrong because checking only endpoints misses identity and cloud app alerts. Option B is wrong because checking only identities misses endpoints. Option A is wrong because checking multiple portals and correlating manually is inefficient.

641
MCQ · medium

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user is determined to be compromised (e.g., due to a leaked credential), all active sessions are terminated and the user is required to re-authenticate with multi-factor authentication (MFA). You want to automate this process as much as possible. What should you do?

A. In Microsoft Defender for Cloud Apps, create a session policy with the 'Suspend user' governance action and configure it to revoke sessions and require re-authentication.
B. Disable the user account in Microsoft Entra ID.
C. Create a conditional access policy that requires MFA for all users.
D. Manually reset the user's password and sign out of all sessions.
Answer: A

Correct: Automatically terminates sessions and forces MFA re-authentication.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps can use the 'Suspend user' governance action and integrate with Microsoft Entra ID to revoke sessions and require re-authentication with MFA. Option C is wrong because Conditional Access alone does not terminate existing sessions. Option D is wrong because a manual password reset does not by itself terminate active sessions. Option B is wrong because disabling the account terminates sessions but does not require MFA re-authentication.

642
MCQ · medium

A compliance officer needs to prevent users from copying sensitive data (e.g., credit card numbers) from a finance application into personal email or documents. The solution must inspect the content in real-time and block the action if sensitive data is detected. Which Microsoft Purview feature should the officer configure?

A. Data Loss Prevention (DLP) policies
B. Sensitivity labels
C. Retention labels
D. eDiscovery
Answer: A

DLP policies are designed to detect sensitive information and can block actions like copying to unauthorized locations.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies are designed to inspect content in real-time as users attempt to copy, paste, or share sensitive data (e.g., credit card numbers) from applications like finance apps into personal email or documents. DLP uses deep content analysis via sensitive information types and policy tips to block the action before the data leaves the controlled environment, meeting the compliance officer's requirement for real-time blocking.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which protect data at rest) with DLP policies (which enforce real-time action blocking), leading them to select sensitivity labels because they think labeling alone prevents copying, but labels do not block user actions in real-time.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data at rest (e.g., encryption or visual markings) but do not perform real-time content inspection or block copy/paste actions; they require user or automated labeling after data is created. Option C is wrong because retention labels manage data lifecycle (retention and deletion) based on policies, not real-time content inspection or blocking of data exfiltration. Option D is wrong because eDiscovery is used for searching, preserving, and exporting data for legal or investigative purposes, not for preventing data loss in real-time.

643
MCQ · hard

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. A user receives an email with a link that leads to a malicious website. The user clicks the link, but the browser is protected by Microsoft Defender SmartScreen. However, the user is still able to download a file from the site. What should you configure to prevent this?

A. Enable Attack Surface Reduction rules.
B. Enable network protection in Microsoft Defender for Endpoint.
C. Enable Safe Attachments in Microsoft Defender for Office 365.
D. Configure an Anti-Phishing policy.
E. Enable Safe Links in Microsoft Defender for Office 365.
Answer: E

Safe Links blocks malicious URLs at the time of click, preventing access to the malicious site.

Why this answer

Option E is correct because Safe Links protects users by scanning URLs in email and blocking malicious links at time of click. Option C is wrong because Safe Attachments covers email attachments, not links. Option D is wrong because Anti-Phishing policies deal with impersonation. Option A is wrong because Attack Surface Reduction rules apply to processes, not web downloads. Option B is wrong because network protection blocks connections to malicious IPs, but the download may still occur if the site is allowed.

644
MCQ · medium

Your organization has 5,000 users and uses Microsoft 365 E3. You are planning to migrate from on-premises Exchange to Exchange Online. You have already synchronized identities using Microsoft Entra Connect. The CIO wants to ensure that users can continue to access their email if the internet connection to Microsoft 365 is temporarily lost. You need to recommend a solution that provides offline access while minimizing cost and administrative overhead. What should you recommend?

A.Configure Outlook to use Cached Exchange Mode.
B.Implement a hybrid deployment and keep some mailboxes on-premises.
C.Deploy a VPN to ensure connectivity.
D.Enable Exchange Online Archiving for all users.
AnswerA

Correct: Cached Exchange Mode provides offline access to synced mailbox data.

Why this answer

Cached Exchange Mode (CEM) downloads a copy of the user's mailbox to a local .ost file, allowing full access to email, calendar, and contacts even when the internet connection to Microsoft 365 is temporarily lost. This meets the CIO's requirement for offline access with zero additional cost and no administrative overhead, as CEM is a built-in feature of Outlook that is already available with Microsoft 365 E3.

Exam trap

The trap here is that candidates often confuse 'offline access' with 'high availability' or 'redundancy,' leading them to choose a hybrid deployment (Option B) or a VPN (Option C), when the simplest and most cost-effective solution is a client-side caching feature already included in the subscription.

How to eliminate wrong answers

Option B is wrong because implementing a hybrid deployment with some mailboxes on-premises increases cost (additional on-premises servers, licensing, and maintenance) and administrative overhead, and does not guarantee offline access for users whose mailboxes are moved to Exchange Online. Option C is wrong because deploying a VPN does not provide offline email access; it only attempts to maintain connectivity, and if the internet is lost, the VPN connection also fails. Option D is wrong because Exchange Online Archiving is a cloud-based feature that stores archived email in the cloud, not locally, so it does not provide offline access and adds cost without solving the stated requirement.

645
MCQeasy

A compliance officer needs to automatically apply a retention label to all documents in SharePoint Online that contain the exact phrase 'Contract'. The label must retain the documents for 10 years. Which Microsoft Purview feature should the officer configure?

A.Retention policy applied to the entire site
B.Data Loss Prevention (DLP) policy
C.An auto-apply retention label using a trainable classifier
D.An auto-apply retention label using a content query (KQL)
AnswerD

Auto-apply retention labels can be configured with a Keyword Query Language (KQL) condition to match documents containing the exact phrase 'Contract'. This meets the requirement precisely and automatically applies the retention label.

Why this answer

Option D is correct because an auto-apply retention label using a content query (KQL) allows you to define a specific keyword or phrase (e.g., 'Contract') to automatically label documents in SharePoint Online that contain that exact text. This meets the requirement to retain documents for 10 years by applying the label based on content matching, without needing a pre-trained classifier.

Exam trap

The trap here is that candidates often confuse auto-apply labels with trainable classifiers, thinking a machine learning model is needed for any content-based labeling, when in fact a simple KQL query is sufficient for exact phrase matching.

How to eliminate wrong answers

Option A is wrong because a retention policy applied to the entire site retains all content in the site, not just documents containing the exact phrase 'Contract', and it does not use a label—it applies retention settings directly without the granularity of label-based auto-application. Option B is wrong because a Data Loss Prevention (DLP) policy is designed to prevent data exfiltration or leakage by blocking or alerting on sensitive content, not to automatically apply retention labels for compliance purposes. Option C is wrong because a trainable classifier uses machine learning to identify patterns or categories (e.g., contracts in general), not an exact phrase match, and requires training and tuning, making it unsuitable for a simple keyword-based requirement.

646
MCQmedium

Your organization is preparing to deploy Microsoft 365 for 5,000 users. You need to ensure that all users can authenticate using their existing on-premises Active Directory credentials while minimizing infrastructure changes. You also need to support self-service password reset (SSPR) for cloud-only users. Which authentication method should you recommend?

A.Cloud-only authentication with Microsoft Entra ID
B.Pass-through Authentication (PTA)
C.Password Hash Synchronization (PHS)
D.Federation with AD FS
AnswerC

PHS syncs password hashes to Entra ID, enabling authentication with existing credentials and SSPR for cloud-only users.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID, allowing users to authenticate with their existing credentials without additional infrastructure. It also enables cloud-only users to use self-service password reset (SSPR) independently, as SSPR relies on cloud-stored hashes and does not require on-premises write-back for cloud-only accounts.

Exam trap

The trap here is that candidates often choose Pass-Through Authentication (PTA) because it validates passwords directly against on-premises AD, but they overlook that PTA requires an on-premises agent and does not support SSPR for cloud-only users without additional configuration, making PHS the simpler and more appropriate choice for minimizing changes.

How to eliminate wrong answers

Option A is wrong because cloud-only authentication with Microsoft Entra ID does not integrate with on-premises Active Directory, so users cannot use their existing on-premises credentials. Option B is wrong because Pass-Through Authentication (PTA) requires an on-premises agent and does not support SSPR for cloud-only users without additional password write-back configuration, increasing infrastructure changes. Option D is wrong because Federation with AD FS requires significant infrastructure (e.g., federation servers, proxies) and does not natively support SSPR for cloud-only users without Azure AD Connect and password write-back, contradicting the goal of minimizing changes.

647
MCQmedium

A security administrator wants to automatically isolate a device in Microsoft Defender for Endpoint whenever a high-severity alert is triggered. The isolation should occur without manual intervention. Which Microsoft Defender XDR feature should be configured?

A.Attack surface reduction rules
B.Automated investigation and response
C.Threat analytics
D.Vulnerability management
AnswerB

Correct. AIR automates investigation and can take response actions like device isolation based on alert severity.

Why this answer

Automated Investigation and Response (AIR) in Microsoft Defender XDR is designed to automatically respond to threats by running playbooks that can take remediation actions, such as isolating a device, without manual intervention. When a high-severity alert triggers, AIR evaluates the alert and, if configured, executes the isolation action as part of its automated response, meeting the requirement for zero-touch isolation.

Exam trap

The trap here is that candidates often confuse proactive prevention features (like ASR rules) with automated post-breach response capabilities, assuming any security feature that 'blocks' something can also isolate a device automatically.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are proactive policies that block specific behaviors (e.g., Office apps creating child processes) but do not perform post-breach automated isolation actions. Option C is wrong because Threat Analytics provides intelligence reports on active threats and vulnerabilities but does not execute any automated remediation or device isolation. Option D is wrong because Vulnerability Management identifies and prioritizes software vulnerabilities but lacks the capability to automatically isolate a device in response to an alert.

648
MCQmedium

Your organization uses Microsoft Entra ID. You want to enforce Multi-Factor Authentication (MFA) for all users. You have already configured Conditional Access policies. However, some users are still able to sign in without MFA. What should you check first?

A.Ensure all users have registered for MFA.
B.Verify that the Conditional Access policy is enabled.
C.Confirm that all users are included in the policy's user assignment.
D.Check if there are any exclusions configured.
AnswerC

Users must be assigned to the policy.

Why this answer

Option C is correct because the most common reason a Conditional Access policy fails to enforce MFA is that not all users are included in the policy's user assignment. If the policy targets only a subset of users (e.g., a test group), users outside that scope will bypass MFA entirely. The first troubleshooting step is to verify that the policy's 'Users and groups' assignment includes 'All users' or the specific groups covering all users.

Exam trap

The trap here is that candidates often jump to checking exclusions or MFA registration status first, overlooking the fundamental requirement that the policy must actually apply to the user via its assignment scope.

How to eliminate wrong answers

Option A is wrong because MFA registration is a prerequisite for MFA prompts, but even if users are registered, the Conditional Access policy must be correctly scoped to enforce MFA; unregistered users would simply be blocked or prompted to register, not allowed to sign in without MFA. Option B is wrong because if the policy were disabled, no users would be prompted for MFA, but the question states some users are still able to sign in without MFA, implying the policy is enabled but not applying to those users. Option D is wrong because checking exclusions is a valid step, but it is secondary to verifying that all users are included in the policy's assignment; exclusions only matter if users are already included.

649
Multi-Selecthard

Which TWO of the following are valid methods to enforce device compliance in a Conditional Access policy? (Select two.)

Select 2 answers
A.Require Microsoft Authenticator
B.Require session persistence
C.Require approved client app
D.Require Microsoft Entra hybrid joined device
E.Require device to be marked as compliant
AnswersD, E

This checks if the device is hybrid joined to on-premises AD.

Why this answer

Option D is correct because requiring a Microsoft Entra hybrid joined device ensures the device is joined to both on-premises Active Directory and Microsoft Entra ID, which allows Conditional Access to enforce compliance based on the device's identity and configuration. Option E is correct because requiring the device to be marked as compliant relies on Microsoft Intune (or another MDM) to evaluate device health and policy adherence, and then Conditional Access blocks access if the device is not compliant.

Exam trap

The trap here is that candidates confuse authentication controls (like MFA or app restrictions) with device compliance controls, leading them to select 'Require approved client app' or 'Require Microsoft Authenticator' instead of the correct device-based grants.

650
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that emails containing malicious attachments are automatically removed from users' inboxes after detection. What should you configure?

A.Configure a Safe Links policy
B.Configure an anti-spam policy to delete the email
C.Configure a Safe Attachments policy
D.Use the attack simulation training to report the email
AnswerC

Safe Attachments can automatically remove malicious attachments.

Why this answer

Option C is correct because Safe Attachments policies can automatically remove detected malicious attachments. Option A is wrong because Safe Links policies handle URLs. Option B is wrong because anti-spam policies handle spam, not malware.

Option D is wrong because attack simulation training is for training, not for removing messages.

651
MCQmedium

A company wants to block access to Exchange Online from devices that are not compliant with Intune compliance policies. Which Conditional Access grant control should be used?

A.Require device to be marked as compliant
B.Require MFA
C.Require approved client app
D.Require all conditions
AnswerA

This grant control checks device compliance status and blocks non-compliant devices.

Why this answer

To block access to Exchange Online from non-compliant devices, you need to enforce a Conditional Access policy that evaluates device compliance status. The 'Require device to be marked as compliant' grant control checks the device's compliance state reported by Microsoft Intune before granting access. If the device is not compliant, access to Exchange Online is blocked, ensuring only managed and compliant devices can connect.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'Require approved client app' or 'Require MFA', thinking any of these can block non-compliant devices, but only the device compliance grant directly evaluates Intune compliance policies.

How to eliminate wrong answers

Option B is wrong because Require MFA only enforces multi-factor authentication, not device compliance; a non-compliant device could still access Exchange Online after MFA. Option C is wrong because Require approved client app restricts access to specific apps (e.g., Outlook mobile) but does not check device compliance; a non-compliant device could use an approved app. Option D is wrong because Require all conditions is not a valid grant control; it is a conceptual option that would require all other controls simultaneously, which is not a specific setting in Conditional Access.

652
MCQhard

A security analyst is using Microsoft 365 Defender Advanced Hunting to investigate a potential malware outbreak. The analyst needs to find all devices where a specific signed executable (known to be malicious) was created in the past 24 hours. Which Advanced Hunting table should be queried to detect the creation of the executable file?

A.DeviceFileEvents
B.DeviceProcessEvents
C.DeviceNetworkEvents
D.DeviceRegistryEvents
AnswerA

This table logs file creation, modification, and other file events, including the file name and path, which is needed to find the malicious executable.

Why this answer

The DeviceFileEvents table in Microsoft 365 Defender Advanced Hunting captures file creation, modification, and deletion events. Since the question specifically asks for detecting the creation of a signed executable file, this table provides the necessary data, including file name, path, and timestamp, to identify when and where the malicious executable was created.

Exam trap

The trap here is that candidates often confuse file creation with process execution, mistakenly selecting DeviceProcessEvents because they think of the executable running, but the question explicitly asks for the creation event, which is only captured in DeviceFileEvents.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation and execution events, not file creation; it would show the executable running but not its initial creation. Option C is wrong because DeviceNetworkEvents records network connections and communications, which are unrelated to local file creation. Option D is wrong because DeviceRegistryEvents tracks registry key modifications, not file system operations like file creation.
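An added advanced hunting query (not part of the question bank) that shows the DeviceFileEvents query in full, and goes one step further than the question by joining DeviceFileCertificateInfo so the signer of the created executable is visible; the SHA256 value is a placeholder to replace with the real known-bad hash.

```kql
// Added example, not from the question bank: every device on which a known-bad
// signed executable was created in the past 24 hours.
let BadFileSHA256 = "PLACEHOLDER_SHA256_OF_KNOWN_MALICIOUS_EXE";  // placeholder, substitute the real hash
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"          // creation only, not modification or deletion
| where FileName endswith ".exe"
| where SHA256 == BadFileSHA256
// Enrich with signer details (one row per hash) so the "signed" aspect is visible.
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize take_any(Signer, Issuer, IsSigned, IsTrusted) by SHA1
) on SHA1
| project Timestamp, DeviceName, FolderPath, FileName, SHA256,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          Signer, Issuer, IsSigned, IsTrusted
| summarize FirstCreated = min(Timestamp), CreationEvents = count(),
            Paths = make_set(FolderPath), Signers = make_set(Signer),
            CreatedBy = make_set(InitiatingProcessFileName)
          by DeviceName, FileName, SHA256
| order by FirstCreated asc
```

The result is one row per affected device, which is the list an analyst would hand to the containment step (for example, isolating those devices through AIR, as covered in questions 647 and 661).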

653
MCQeasy

An administrator wants to add a second custom domain, 'contoso-europe.com', to their existing Microsoft 365 tenant. The domain 'contoso.com' is already verified. What is the first step the administrator should take?

A.Add the domain in the Microsoft 365 admin center
B.Create a DNS TXT verification record
C.Update the UPN suffixes for users
D.Create a new Microsoft 365 tenant
AnswerA

The first step is to add the domain; verification comes after.

Why this answer

To add a new domain, the administrator must first add it in the Microsoft 365 admin center under Setup > Domains. After adding it, verification steps (like adding a TXT record) are required. Updating UPN suffixes is done after verification.

Creating a new tenant is unnecessary.

654
MCQhard

Refer to the exhibit. A Conditional Access policy is created in Microsoft Entra ID. The policy targets the Office 365 app (which includes Exchange Online). You have 1000 users assigned. What is the immediate effect of this policy on users who are currently signed in?

A.All high-risk users are immediately blocked from accessing email.
B.No immediate effect; users will be blocked on their next sign-in attempt.
C.The policy is invalid because the Office 365 app does not support block.
D.Only users with a sign-in risk of high are blocked.
AnswerB

Conditional Access evaluates at sign-in, not real-time.

Why this answer

Conditional Access policies in Microsoft Entra ID are evaluated at the time of sign-in. They do not terminate existing sessions. Therefore, users who are already signed in will not be affected until their next authentication attempt, at which point the policy's block action will be enforced.

Exam trap

Microsoft often tests the misconception that Conditional Access policies apply immediately to active sessions, when in fact they only take effect on the next sign-in attempt unless combined with session controls like sign-in frequency or continuous access evaluation.

How to eliminate wrong answers

Option A is wrong because the policy targets all users assigned, not only high-risk users; also, Conditional Access does not immediately terminate active sessions. Option C is wrong because the Office 365 app (which includes Exchange Online) fully supports the block grant control in Conditional Access policies. Option D is wrong because the policy does not specify a sign-in risk condition; it applies to all targeted users regardless of risk level.

655
MCQeasy

You are a security administrator. You need to ensure that email messages containing malicious attachments are automatically removed from all mailboxes in your organization after delivery. Which Microsoft Defender for Office 365 feature should you configure?

A.Safe Links
B.Zero-hour auto purge (ZAP)
C.Anti-phishing
D.Safe Attachments
AnswerB

ZAP retroactively removes malicious messages from mailboxes.

Why this answer

Option B is correct because Zero-hour auto purge (ZAP) automatically removes malicious messages that have already been delivered to mailboxes. Option A is wrong because Safe Links scans URLs. Option D is wrong because Safe Attachments scans attachments before delivery.

Option C is wrong because anti-phishing policies protect against phishing; they do not remove messages with malicious attachments after delivery.

656
Multi-Selectmedium

Your organization is deploying Microsoft Purview Data Lifecycle Management to manage data retention and deletion. You need to design a retention policy for SharePoint Online sites that automatically deletes documents after 7 years, but allows users to manually delete documents earlier if needed. Which THREE actions should you take? (Select THREE.)

Select 3 answers
A.Create a retention policy with a retention rule that retains content for 7 years and then deletes it.
B.Set a default retention label for the SharePoint document library.
C.Use preservation lock to prevent users from modifying the retention policy.
D.Create a file plan in Microsoft Purview Records Management for the documents.
E.Configure a retention label that allows manual deletion and publish it to SharePoint.
AnswersA, C, E

This policy meets the 7-year requirement.

Why this answer

Option A is correct because a retention policy with a retention rule set to 7 years and then delete meets the requirement. Option C is correct because using preservation lock prevents changes to the policy. Option E is correct because publishing a retention label for manual application allows users to override the policy by applying a label that allows deletion.

Option B is wrong because a default label would apply automatically, conflicting with the manual override requirement. Option D is wrong because a file plan is used for records management, not for this scenario.

657
MCQmedium

You have a hybrid identity environment with Microsoft Entra ID and Active Directory Domain Services (AD DS). You need to ensure that user passwords are synchronized to Microsoft Entra ID without any hashing of passwords. Which tool should you use?

A.Active Directory Federation Services (AD FS)
B.Microsoft Entra Cloud Sync
C.Microsoft Identity Manager
D.Microsoft Entra Connect Sync with password hash synchronization
AnswerD

Password hash synchronization syncs password hashes from AD DS to Entra ID.

Why this answer

Microsoft Entra Connect Sync with password hash synchronization (PHS) is the correct choice because it synchronizes a hash of the user's password hash from on-premises AD DS to Microsoft Entra ID, not the plaintext password. The question states 'without any hashing of passwords,' which is technically impossible for password synchronization—PHS always hashes the password hash. However, among the options, only PHS performs password synchronization; the others do not synchronize passwords at all.

The key nuance is that PHS synchronizes a hash of the hash (i.e., the password hash is hashed again), so the original plaintext password is never stored or transmitted.

Exam trap

The trap here is that candidates may misinterpret 'without any hashing of passwords' as meaning no hashing occurs at all, but password hash synchronization always involves hashing—the phrase refers to the fact that the original plaintext password is never hashed directly; instead, the existing AD hash is re-hashed, so the cloud never sees the plaintext password.

How to eliminate wrong answers

Option A is wrong because Active Directory Federation Services (AD FS) provides federated authentication and does not synchronize passwords; it redirects authentication to on-premises AD DS without storing any password hash in the cloud. Option B is wrong because Microsoft Entra Cloud Sync is designed for syncing users, groups, and contacts from AD DS to Microsoft Entra ID but does not support password hash synchronization; it relies on other methods like pass-through authentication or federation for password validation. Option C is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution that can synchronize identities but does not natively synchronize password hashes to Microsoft Entra ID; it requires additional components like the Password Change Notification Service and does not perform direct password hash sync to the cloud.

658
MCQhard

Your organization deploys Microsoft Defender XDR and wants to use advanced hunting to detect lateral movement by an attacker who uses RDP from a compromised workstation to a domain controller. Which KQL query should you use in advanced hunting?

A.DeviceNetworkEvents | where RemotePort == 3389 and RemoteIP == '10.0.0.10' and InitiatingProcessAccountName == 'compromised_user'
B.DeviceLogonEvents | where RemoteIP == '10.0.0.10' and LogonType == '10'
C.IdentityLogonEvents | where AccountUpn == 'compromised_user@contoso.com' and Application == 'Microsoft Remote Desktop'
D.DeviceProcessEvents | where ProcessCommandLine contains 'mstsc.exe' and AccountName == 'compromised_user'
AnswerA

This query shows RDP connections from a compromised user to the DC.

Why this answer

Option A is correct because DeviceNetworkEvents captures network connections, and filtering for RDP (port 3389) from a compromised device to a domain controller identifies lateral movement. Option B is wrong because DeviceLogonEvents shows logons but not the network direction. Option D is wrong because DeviceProcessEvents shows processes, not network connections.

Option C is wrong because IdentityLogonEvents is for cloud identities, not endpoint network events.

659
MCQmedium

Refer to the exhibit. You are configuring a session policy in Microsoft Defender for Cloud Apps. The policy must block downloads when both the app risk is high and the user risk is high. Based on the exhibit, which additional condition should you add to ensure the policy only applies to unsanctioned apps?

A.Add a condition for app risk score to be medium or low.
B.Add a condition for user risk score to be medium.
C.Add a condition for activity to include upload.
D.Add a condition for app tag to be 'unsanctioned'.
AnswerD

Adding a condition for the app tag unsanctioned ensures the policy only applies to unsanctioned apps.

Why this answer

Option D is correct because the policy currently applies to all apps with high risk; to limit to unsanctioned apps, you need to add a condition for the app tag. Option A is wrong because the policy already checks app risk score. Option B is wrong because the policy already checks user risk.

Option C is wrong because the policy already checks the activity.

660
MCQeasy

Your company has a hybrid identity configuration with Microsoft Entra Connect Sync. You need to enable password hash synchronization (PHS) for hybrid users. What is the prerequisite?

A.Pass-through authentication agent installed
B.Password writeback enabled
C.Hybrid Identity Administrator role in Microsoft Entra ID
D.Federation with AD FS
AnswerC

This role is needed to configure PHS.

Why this answer

Option C is correct because PHS requires the Hybrid Identity Administrator role to configure. Option A is wrong because PHS does not require pass-through authentication. Option B is wrong because PHS does not require password writeback.

Option D is wrong because PHS does not require federation.

661
MCQmedium

An administrator wants to configure automated investigation and response (AIR) in Microsoft 365 Defender so that when a high-severity malware alert is generated for a device from Microsoft Defender for Endpoint, the device is automatically isolated from the network without requiring a security analyst to approve the action. Which configuration step is required?

A.Set the automation level for device isolation to 'Semi - require approval for any remediation'
B.Set the automation level for device isolation to 'Full - remediate threats automatically'
C.Create a custom detection rule that automatically isolates the device
D.Enable 'Automated device isolation' in the Microsoft 365 Defender settings
AnswerB

Full automation means the system automatically takes action (including device isolation) without waiting for approval.

Why this answer

Option B is correct because setting the automation level for device isolation to 'Full - remediate threats automatically' in Microsoft Defender for Endpoint's automated investigation and response (AIR) configuration allows the system to automatically isolate a device when a high-severity malware alert is triggered, without requiring analyst approval. This automation level is specifically designed to execute remediation actions like device isolation immediately based on the alert's severity and the device's risk level.

Exam trap

The trap here is that candidates often confuse the 'Full' automation level with requiring approval for all actions, or they mistakenly think a separate toggle like 'Automated device isolation' exists, when in fact the automation level controls all remediation actions including isolation.

How to eliminate wrong answers

Option A is wrong because 'Semi - require approval for any remediation' means that any remediation action, including device isolation, will wait for a security analyst to manually approve it, which contradicts the requirement for automatic isolation without approval. Option C is wrong because creating a custom detection rule is not the standard or recommended method for configuring automated device isolation; AIR automation levels are the native mechanism to control automatic remediation actions. Option D is wrong because 'Automated device isolation' is not a standalone setting in Microsoft 365 Defender; the correct configuration is done through the automation level settings within the device group's AIR policies.

662
MCQhard

Your organization uses Microsoft Entra ID and has a custom role that includes the permission 'microsoft.directory/applications/credentials/update'. You need to create a new role that includes all permissions of the existing role except the credential update permission. What is the best approach?

A.Use the 'Copy role' option from the existing role and then remove the credential update permission.
B.Assign the existing role to the user and create a Conditional Access policy that blocks credential update.
C.Assign the built-in Application Administrator role instead.
D.Create a new custom role and manually add all permissions except credential update.
AnswerA

Copying the role and editing is efficient and accurate.

Why this answer

Option A is correct because you can copy the existing role and remove the unwanted permission. Option B is wrong because you cannot assign a role and then deny a specific permission through Conditional Access. Option C is wrong because there is no built-in role that matches.

Option D is wrong because you would need to specify all permissions manually.

663
MCQmedium

Your company uses Microsoft Entra ID and has an app named App1 that requires permissions to read all user profiles. You need to grant admin consent for App1 to read profiles without requiring each user to consent. What should you do?

A.Create a Conditional Access policy that requires consent for App1.
B.Register a new application in App registrations and assign the required permissions.
C.From Microsoft Entra ID, go to Enterprise applications, select App1, and grant admin consent.
D.Configure the user consent settings to allow users to consent for themselves.
AnswerC

Admin consent can be granted from the Enterprise applications blade.

Why this answer

Option C is correct because granting admin consent for an enterprise application in Microsoft Entra ID allows a tenant administrator to pre-approve permissions for all users, eliminating the need for individual user consent. This is done by navigating to Enterprise applications, selecting App1, and using the 'Grant admin consent' option, which sends an OAuth 2.0 authorization request with the required permissions (e.g., User.Read.All) on behalf of the entire organization.

Exam trap

The trap here is that candidates often confuse 'granting admin consent' with 'configuring user consent settings' or 'creating a new app registration', not realizing that admin consent is a specific action on the existing enterprise application's permissions blade.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control access conditions (e.g., location, device state) and cannot be used to grant or require consent for an application; consent is managed via application permissions and consent settings. Option B is wrong because registering a new application would create a separate app identity, not modify App1's existing permissions; the required permissions must be assigned to App1 itself, and admin consent must be granted for that specific app. Option D is wrong because configuring user consent settings to allow self-consent would require each user to individually consent, which contradicts the goal of granting admin consent to avoid user-by-user approval.

664
MCQ · medium

An administrator recently added a custom domain 'tailspintoys.com' to their Microsoft 365 tenant and verified it. They now need to configure the domain so that all recipient email addresses for 'info@tailspintoys.com' are delivered to a shared mailbox in Exchange Online. The domain is currently set as internal relay. What should the administrator do first to route email for this domain to Exchange Online?

A. Update the MX record at the DNS registrar to point to Exchange Online
B. Change the domain type from 'Internal relay' to 'Authoritative' in Exchange admin center
C. Create the shared mailbox 'info@tailspintoys.com' in Exchange Online
D. Disable the internal relay option for the domain in the Microsoft 365 admin center
Answer: B

Correct. Setting the domain as authoritative ensures Exchange Online accepts and delivers all emails for this domain.

Why this answer

Option B is correct because when a domain is set to 'Internal relay' in Exchange Online, the service expects to relay messages to an on-premises server for that domain. To have Exchange Online accept and deliver messages directly to a shared mailbox (or any hosted recipient), the domain must be changed to 'Authoritative'. This tells Exchange Online that it is the final destination for all recipients in that domain, enabling local delivery.

Exam trap

The trap here is that candidates often think updating the MX record (Option A) is the first step to route email to Exchange Online, but they overlook that the domain type must be changed to 'Authoritative' first; otherwise, Exchange Online will not deliver messages to cloud recipients even after the MX record is pointed correctly.

How to eliminate wrong answers

Option A is wrong because updating the MX record to point to Exchange Online is necessary for mail flow from the internet, but it does not change how Exchange Online treats the domain internally; if the domain remains 'Internal relay', Exchange Online will still attempt to relay messages for that domain to an on-premises server rather than delivering locally. Option C is wrong because creating the shared mailbox is a subsequent step; the domain must first be set to 'Authoritative' so that Exchange Online recognizes the recipient as local and can deliver to it. Option D is wrong because disabling the internal relay option in the Microsoft 365 admin center is not a valid action; the domain type is configured in the Exchange admin center, not the Microsoft 365 admin center, and simply removing the relay setting does not change the domain to authoritative.

665
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A user reports receiving a suspicious email with a link to a known phishing site. You need to prevent other users from clicking similar links in the future. What should you configure?

A. Use the attack simulation training to educate users
B. Create a Safe Attachments policy to block the attachment
C. Configure a spam filter policy to block the sender
D. Add the URL to the Tenant Allow/Block List in Microsoft 365 Defender
Answer: D

Block list prevents users from accessing the URL.

Why this answer

Option D is correct because adding the URL to the Tenant Allow/Block List blocks it across the organization. Option C is wrong because spam filter settings target spam and senders, not specific URLs. Option B is wrong because Safe Attachments policies handle attachments, not URLs. Option A is wrong because attack simulation training is for user education, not for blocking links.

666
MCQ · medium

A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?

A. Attack surface reduction rules
B. Network protection
C. Tamper protection
D. Automated investigation and remediation
Answer: D

Automated investigation can take actions such as blocking a file and containing it across the organization.

Why this answer

Automated investigation and remediation (AIR) in Microsoft Defender for Endpoint is designed to automatically respond to detected threats by containing or blocking malicious files across the organization. When malware is detected on one endpoint, AIR can trigger a remediation action (e.g., blocking the file hash) that is propagated to all other endpoints via the Microsoft Defender security center, preventing execution elsewhere.

Exam trap

The trap here is that candidates often confuse automated investigation and remediation with proactive controls like attack surface reduction rules, but AIR is specifically the reactive, automated response capability that can block a detected file across all endpoints.

How to eliminate wrong answers

Option A is wrong because attack surface reduction rules are proactive policies that reduce exploit entry points (e.g., blocking Office apps from creating child processes), not a reactive mechanism to block a file already detected as malware across endpoints. Option B is wrong because network protection blocks outbound connections to malicious IPs/domains using the Windows Filtering Platform, not the execution of a specific file hash on endpoints. Option C is wrong because tamper protection prevents unauthorized changes to security settings (e.g., disabling real-time protection), but does not automatically block a detected malware file from running on other machines.

667
Multi-Select · hard

Which THREE conditions can be used in a Microsoft Entra Conditional Access policy to target specific sign-in scenarios?

Select 3 answers
A. Device platform
B. User risk
C. Location
D. Sign-in risk
E. Client apps
Answers: A, D, E

Device platform is a condition (e.g., iOS, Android).

Why this answer

Option A is correct because the 'Device platform' condition in a Microsoft Entra Conditional Access policy allows targeting specific operating systems (e.g., Windows, iOS, Android) to control access based on the device type. This is commonly used to enforce policies like requiring compliant devices for mobile platforms while allowing broader access from managed Windows devices.

Exam trap

The trap here is that candidates often confuse 'User risk' (a user-level risk from Identity Protection) with 'Sign-in risk' (a session-level risk), and may also mistakenly think 'Location' is not a valid condition, when in fact it is a valid condition but not one of the three correct answers for this specific question.

668
MCQ · medium

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID for helpdesk staff. What can users assigned this role do?

A. Read user properties and reset passwords
B. Read security groups and reset passwords
C. Create new users and reset passwords
D. Read user properties and assign licenses
Answer: A

Permissions match read and password update.

Why this answer

The custom role shown in the exhibit includes only the 'Users' > 'Basic' > 'Read' permission and the 'Authentication' > 'Passwords' > 'Reset password' permission. This combination allows helpdesk staff to read basic user properties (such as display name, user principal name, and job title) and reset user passwords. It does not grant write access to other user attributes, security groups, or license assignments.

Exam trap

The trap here is that candidates often assume 'reset password' implies full user management or that reading user properties automatically includes reading groups, but Microsoft Entra ID separates these into distinct permission scopes.

How to eliminate wrong answers

Option B is wrong because reading security groups requires the 'Groups' > 'Read' permission, which is not included in this custom role. Option C is wrong because creating new users requires the 'Users' > 'Create' permission, which is not granted here. Option D is wrong because assigning licenses requires the 'Users' > 'Assign license' permission, which is also absent from this role.

669
Multi-Select · easy

You are designing a tenant restriction policy using Microsoft Entra ID. Which TWO components are required?

Select 2 answers
A. Tenant ID of the allowed tenant
B. Public key certificate
C. Conditional Access policy
D. Custom DNS records
E. Restriction policy JSON
Answers: A, E

Identifies which tenant is allowed.

Why this answer

Option A (Tenant ID) is correct because it identifies the allowed tenant. Option E (Restriction policy JSON) is correct because it defines the policy itself. Option D (Custom DNS records) is incorrect. Option B (Public key certificate) is incorrect. Option C (Conditional Access policy) is a separate mechanism and is not a required component of the tenant restriction policy.

670
MCQ · hard

Your organization uses Microsoft 365 and has enabled Microsoft Entra ID P2 licenses. You need to configure automatic user provisioning for a third-party SaaS application that supports SCIM 2.0. What should you do first in the Microsoft Entra admin center?

A. Add the application from the gallery, then configure provisioning.
B. Configure provisioning in 'App registrations'.
C. Navigate to 'Enterprise applications' and create a new application.
D. Use the 'App registrations' blade to register the app.
Answer: A

Standard procedure for SCIM provisioning.

Why this answer

To configure automatic user provisioning for a third-party SaaS application that supports SCIM 2.0, you must first add the application from the Microsoft Entra gallery. This action creates an enterprise application object in your tenant, which is required to access the provisioning configuration blade. Only after adding the gallery application can you configure the provisioning settings, including the SCIM endpoint URL and token, to enable automated user lifecycle management.

Exam trap

The trap here is that candidates confuse 'App registrations' (for custom app development) with 'Enterprise applications' (for SaaS app provisioning), leading them to choose an option that registers an app instead of adding a gallery application.

How to eliminate wrong answers

Option B is wrong because 'App registrations' is used for custom-developed applications that use OAuth/OpenID Connect, not for provisioning configuration of gallery or non-gallery SaaS apps. Option C is wrong because 'Enterprise applications' does not have a 'create new application' option; you add applications from the gallery or create a non-gallery app via the 'New application' button, but the correct first step is specifically to add from the gallery. Option D is wrong because registering an app in 'App registrations' creates a service principal for a custom app, not the provisioning configuration for a third-party SaaS app that supports SCIM.

671
MCQ · easy

A company uses hybrid identity with Azure AD Connect and password hash synchronization. They want to enable Self-Service Password Reset (SSPR) with password writeback so that users can reset their on-premises Active Directory passwords. Which Azure AD license is required?

A. Azure AD Free
B. Azure AD Premium P1
C. Azure AD Premium P2
D. Microsoft 365 E3
Answer: B

Premium P1 includes password writeback and SSPR with on-premises integration.

Why this answer

Azure AD Premium P1 is required for Self-Service Password Reset (SSPR) with password writeback. Password writeback is a premium feature that enables password changes in Azure AD to be written back to on-premises Active Directory via Azure AD Connect. Azure AD Free does not include SSPR with writeback, and Azure AD Premium P2 includes additional features like Identity Protection but is not necessary for this scenario.

Exam trap

The trap here is that candidates often assume Microsoft 365 E3 includes Azure AD Premium P1 features, but it only includes Azure AD Free; password writeback specifically requires a Premium P1 or higher license.

How to eliminate wrong answers

Option A is wrong because Azure AD Free does not include Self-Service Password Reset (SSPR) with password writeback; it only supports basic SSPR for cloud-only users without writeback. Option C is wrong because Azure AD Premium P2 includes all P1 features plus Identity Protection and Privileged Identity Management, but the extra capabilities are not required for password writeback; P1 is sufficient. Option D is wrong because Microsoft 365 E3 includes Azure AD Free, not Premium P1, and therefore does not support password writeback; a separate Azure AD Premium P1 license or an equivalent E5 plan is needed.

672
MCQ · hard

Your organization is implementing Microsoft Purview Communication Compliance to detect potential insider trading. You need to scan internal emails for specific patterns and assign reviewers from the legal team. What is the minimum number of policies required?

A. One policy with multiple conditions.
B. Three policies: one for patterns, one for reviewers, and one for storage.
C. Zero, as Communication Compliance does not support custom policies.
D. Two policies: one for each pattern.
Answer: A

A single policy can include multiple patterns and reviewers.

Why this answer

Option A is correct because a single Communication Compliance policy can contain multiple conditions (e.g., multiple keywords) and assign reviewers. Option D is wrong because one policy can handle multiple patterns. Option B is wrong because separate policies for patterns, reviewers, and storage are not needed. Option C is wrong because Communication Compliance does support custom policies, and one policy is sufficient.

673
MCQ · medium

An organization wants to allow users to sign in to Microsoft 365 using their on-premises Active Directory credentials but does not want to synchronize password hashes to the cloud. They also want to eliminate the need for users to re-enter their credentials when accessing cloud resources from domain-joined devices. Which combination of authentication methods should they implement?

A. Pass-through Authentication (PTA) with Seamless Single Sign-On (SSO)
B. Federation with Active Directory Federation Services (AD FS)
C. Password Hash Sync (PHS) with Seamless SSO
D. Cloud-only authentication with MFA
Answer: A

PTA validates passwords on-premises without storing hashes, and Seamless SSO provides automatic sign-in for domain-joined devices.

Why this answer

Pass-through Authentication (PTA) validates user passwords directly against on-premises Active Directory without storing password hashes in the cloud, satisfying the requirement to avoid hash synchronization. Seamless SSO eliminates the need for users to re-enter credentials on domain-joined devices by using Kerberos delegation to silently authenticate against Microsoft Entra ID, meeting both stated needs.

Exam trap

The trap here is that candidates often confuse Seamless SSO as being exclusive to Password Hash Sync, but it is also fully supported with Pass-through Authentication, and the key differentiator is the requirement to avoid password hash synchronization.

How to eliminate wrong answers

Option B (Federation with AD FS) is wrong because it requires deploying and maintaining additional federation infrastructure and does not inherently avoid password hash synchronization; AD FS still relies on password validation against on-premises AD but introduces complexity and potential single points of failure. Option C (PHS with Seamless SSO) is wrong because Password Hash Sync explicitly synchronizes password hashes to the cloud, which the organization wants to avoid. Option D (Cloud-only authentication with MFA) is wrong because it does not use on-premises Active Directory credentials at all, requiring users to have separate cloud identities and failing the requirement to authenticate against on-premises AD.

674
MCQ · easy

Your organization is a small business with 200 users. You use Microsoft 365 Business Premium, which includes Microsoft Defender for Business (the small business version of Defender for Endpoint) and Microsoft Defender for Office 365 Plan 1. You want to protect against ransomware by blocking malicious processes and behaviors on endpoints. You also need to enable automated investigation and response for common threats. However, your IT team has limited security expertise and wants a simple configuration that provides out-of-the-box protection without custom policies. What should you do?

A. Configure Safe Attachments policies in Microsoft Defender for Office 365 to block ransomware attachments.
B. Enable the default security baseline in Microsoft Defender for Business, which includes attack surface reduction rules and automated investigation.
C. Create custom attack surface reduction rules in Microsoft Defender for Business to block ransomware behaviors.
D. Deploy a third-party endpoint detection and response (EDR) solution alongside Microsoft Defender for Business.
Answer: B

Out-of-the-box protection with minimal configuration.

Why this answer

Option B is correct because Defender for Business provides default security baselines that include attack surface reduction rules and automated investigation, requiring minimal configuration. Option C is wrong because creating custom attack surface reduction rules is complex and not necessary. Option D is wrong because a third-party EDR adds complexity and cost. Option A is wrong because Safe Attachments protects email, not endpoint behavior.

675
MCQ · easy

A user reports that they cannot access a cloud app that requires MFA. The user's mobile phone is lost. They have no other registered MFA methods. What should the administrator do?

A. Temporarily disable MFA for the user in the Authentication methods policy
B. Instruct the user to register a new MFA method using the Microsoft Entra admin center
C. Block the user's account until they recover their phone
D. Instruct the user to use the Microsoft Authenticator app to reset their MFA
Answer: A

This allows the user to sign in temporarily and register a new MFA method.

Why this answer

Option A is correct because an administrator can temporarily disable MFA for the user in the Authentication methods policy, allowing them to sign in without MFA until they register a new method. Option D is wrong because the user cannot reset MFA themselves without access to the Authenticator app on the lost phone. Option B is wrong because the user cannot register a new method without first being able to sign in. Option C is wrong because the user should not be blocked until the phone is recovered. Option E is wrong because resetting the user's password does not help with MFA.
