CCNA Deploy and manage a Microsoft 365 tenant Questions

75 of 248 questions · Page 2/4 · Deploy and manage a Microsoft 365 tenant

76
MCQ · easy

An organization has just signed up for Microsoft 365 E3 with the initial domain 'contoso.onmicrosoft.com'. They need to create the first user accounts. What will be the default email address format for these new users if no custom domain is added yet?

A. user@contoso.onmicrosoft.com
B. user@contoso.com
C. user@microsoft.com
D. user@contoso.microsoft.com

Answer: A

The default domain is the onmicrosoft.com domain assigned during tenant creation.

Why this answer

When a new Microsoft 365 tenant is created with the initial domain 'contoso.onmicrosoft.com' and no custom domain has been added, the default email address format for new users is user@contoso.onmicrosoft.com. This is because the onmicrosoft.com domain is the default tenant domain provisioned by Azure AD, and all user principal names (UPNs) and email addresses are automatically assigned this suffix until a custom domain is verified and set as the primary domain.

Exam trap

The trap here is that candidates assume the email address will automatically match the organization's public domain name (e.g., contoso.com) without realizing that a custom domain must be explicitly added and verified in the Microsoft 365 admin center before it can be used for user email addresses.

How to eliminate wrong answers

Option B is wrong because 'contoso.com' is a custom domain that must be purchased and verified via DNS TXT records before it can be used for email addresses; it is not automatically available. Option C is wrong because 'microsoft.com' is Microsoft's own corporate domain and cannot be used by any tenant. Option D is wrong because 'contoso.microsoft.com' is not a valid domain format for any Microsoft 365 tenant; the default tenant domain always uses the pattern <tenantname>.onmicrosoft.com.

77
MCQ · easy

A company wants to migrate from on-premises Exchange to Exchange Online. They need to synchronize user mailboxes. Which tool should they use?

A. Microsoft 365 admin center
B. Exchange Admin Center
C. Exchange Online Hybrid Configuration Wizard
D. Azure AD Connect

Answer: C

This wizard guides the setup of hybrid deployment, including mailbox move requests and synchronization.

Why this answer

The Exchange Online Hybrid Configuration Wizard (HCW) is the correct tool for migrating on-premises Exchange mailboxes to Exchange Online because it configures the hybrid deployment settings, including the necessary connectors, federation trust, and OAuth authentication, enabling mailbox moves via the New-MigrationBatch cmdlet or the EAC. It orchestrates the synchronization of mailbox data between the on-premises environment and Exchange Online, leveraging the MRS (Mailbox Replication Service) proxy for secure, seamless migration.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (identity synchronization) with mailbox migration, assuming that syncing user objects automatically moves mailboxes, but Azure AD Connect only handles directory data, not mailbox content or hybrid transport configuration.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 admin center is a management portal for tenant-wide settings, user licensing, and service health, but it does not have the capability to configure hybrid deployment settings or initiate mailbox migrations from on-premises Exchange. Option B is wrong because the Exchange Admin Center (EAC) in Exchange Online can manage migration batches only after the hybrid configuration is established; it cannot perform the initial hybrid setup or configure the required on-premises connectors and federation trust. Option D is wrong because Azure AD Connect synchronizes identity objects (users, groups) and password hashes between on-premises Active Directory and Azure AD, but it does not handle mailbox data migration or the hybrid Exchange configuration needed for mailbox moves.

78
Multi-Select · medium

Which TWO actions are required to enable Microsoft 365 Copilot for all users in your tenant?

Select 2 answers
A. Run a PowerShell script to enable Copilot in the tenant.
B. Ensure the tenant is on a Microsoft 365 E5 plan.
C. Ensure users have a qualifying Microsoft 365 license (e.g., E3, E5, Business Standard).
D. Assign a Microsoft 365 Copilot license to each user.
E. Provision an Azure subscription for Copilot services.

Answers: C, D

Copilot requires a base Microsoft 365 license.

Why this answer

Option C is correct because Microsoft 365 Copilot requires users to have a qualifying base license such as Microsoft 365 E3, E5, or Business Standard. Without one of these base licenses, the Copilot add-on license cannot be assigned or function properly, as Copilot relies on the underlying Microsoft 365 services (e.g., Exchange Online, SharePoint, Teams) that these plans provide.

Exam trap

The trap here is that candidates assume a tenant-wide setting or a specific plan (like E5) is required, when in fact the key requirement is a qualifying base license per user combined with individual Copilot license assignment.

79
MCQ · hard

Your organization has a Microsoft 365 tenant with 10,000 users. You are configuring Microsoft Entra ID Identity Protection to detect risky sign-ins. You need to ensure that when a sign-in risk level of 'High' is detected, the user is blocked from signing in and an administrator is notified. What should you configure?

A. Create a Conditional Access policy with the 'Sign-in risk' condition set to 'High' and 'Block access', and configure alert notifications in Identity Protection
B. Create a user risk policy in Identity Protection to block high-risk users
C. Create an MFA registration policy in Identity Protection
D. Enable Security defaults and configure notifications

Answer: A

This combination blocks high-risk sign-ins and sends notifications.

Why this answer

Option A is correct because it combines a Conditional Access policy that blocks access when the sign-in risk level is 'High' with an alert notification configured in Identity Protection. The Conditional Access policy enforces the block at the authentication level, while the Identity Protection alert ensures administrators are notified of the high-risk sign-in event. This directly meets the requirement to both block the user and notify an admin.

Exam trap

The trap here is that candidates often confuse user risk policies (which target compromised accounts) with sign-in risk policies (which target risky authentication sessions), leading them to select Option B instead of the correct combination of Conditional Access and alert notifications.

How to eliminate wrong answers

Option B is wrong because a user risk policy in Identity Protection targets user accounts that have been compromised (e.g., leaked credentials) and can block sign-ins or require password reset, but it does not address sign-in risk from a specific session (e.g., anonymous IP address, atypical travel). Option C is wrong because an MFA registration policy in Identity Protection only enforces that users register for multifactor authentication, not that high-risk sign-ins are blocked or that admins are notified. Option D is wrong because Security defaults enforce baseline security policies (like requiring MFA for all users) but do not allow granular control to block only high-risk sign-ins or send targeted admin notifications for such events.

80
MCQ · hard

You are the Microsoft 365 administrator for a company with a hybrid identity configuration using Azure AD Connect. The company has a custom domain 'contoso.com' federated with Active Directory Federation Services (ADFS). All users are synced from on-premises Active Directory. The security team wants to implement Microsoft Entra ID Protection to detect risky sign-ins. However, they are concerned that federated authentication bypasses some risk detection capabilities. You need to ensure that Microsoft Entra ID Protection can evaluate risk for all sign-ins, including federated ones. What should you do?

A. Switch from federated authentication to Pass-through Authentication (PTA) or Password Hash Sync (PHS).
B. Configure the federated trust in Microsoft Entra ID to use the new claims.
C. Configure ADFS to send the ipaddr and xms_ep claims to Azure AD.
D. Enable Azure AD Application Proxy to publish ADFS internally.

Answer: A

With PTA or PHS, authentication happens in Azure AD, allowing risk evaluation by Identity Protection.

Why this answer

Microsoft Entra ID Protection relies on signals such as IP addresses, device information, and sign-in patterns to calculate risk. In a federated setup with ADFS, the authentication happens on-premises, and Azure AD only receives a token—not the raw sign-in details needed for real-time risk evaluation. Switching to Pass-through Authentication (PTA) or Password Hash Sync (PHS) ensures that the authentication process flows through Azure AD directly, allowing Entra ID Protection to capture and analyze all sign-in events, including those from federated users.

Exam trap

The trap here is that candidates may think adding claims (Option C) or changing the trust configuration (Option B) can compensate for the architectural limitation, but only moving the authentication flow to Azure AD (Option A) gives Entra ID Protection the raw sign-in data it needs for real-time risk evaluation.

How to eliminate wrong answers

Option B is wrong because configuring the federated trust to use new claims does not change the fundamental architecture—ADFS still performs authentication, and Azure AD still lacks the raw sign-in data (e.g., IP address, user agent) required for real-time risk detection. Option C is wrong because while sending ipaddr and xms_ep claims can provide some additional context, it does not enable Entra ID Protection to evaluate risk in real time; the authentication still occurs on-premises, and risk evaluation is limited to post-authentication token analysis. Option D is wrong because enabling Azure AD Application Proxy to publish ADFS internally only changes the access method to ADFS, not the authentication flow—federated authentication still bypasses Azure AD's direct sign-in event collection.

81
MCQ · medium

Contoso recently acquired a company with an existing Microsoft 365 tenant. You need to migrate their user accounts and mailboxes to the Contoso tenant. The acquired company uses a custom domain for email. You must ensure minimal disruption and maintain email flow during migration. What should you do first?

A. Perform a cross-tenant mailbox migration using Microsoft 365 migration tools.
B. Disable the acquired company's tenant to force all users to the Contoso tenant.
C. Create new user accounts in the Contoso tenant using the onmicrosoft.com domain.
D. Add the custom domain to the Contoso tenant and verify ownership.

Answer: D

Correct: Domain verification is the first step to enable user creation and email routing.

Why this answer

Before any migration can proceed, the custom domain used by the acquired company must be added and verified in the Contoso tenant. This is a prerequisite for cross-tenant mailbox migrations because the target domain must be recognized and owned by the destination tenant to route email correctly and assign user principal names (UPNs). Without domain verification, migration tools cannot validate the domain and email flow will fail.

Exam trap

The trap here is that candidates often jump to selecting the migration tool (Option A) without realizing that domain verification is a prerequisite step that must be completed first, even before initiating any migration process.

How to eliminate wrong answers

Option A is wrong because performing a cross-tenant mailbox migration without first adding and verifying the custom domain in the Contoso tenant will fail; the migration tools require the domain to be claimed and verified in the target tenant. Option B is wrong because disabling the acquired company's tenant would immediately break all services and email flow, causing major disruption rather than minimal disruption. Option C is wrong because creating new user accounts using the onmicrosoft.com domain would force users to change their email addresses, which disrupts email flow and user experience; the goal is to preserve the custom domain for continuity.

82
MCQ · easy

Your organization uses Microsoft 365 Business Premium. You need to ensure that when a user is assigned an Intune license, the device automatically enrolls in Microsoft Intune. What should you configure?

A. Configure Microsoft Entra ID device settings to enable MDM automatic enrollment
B. Create a device compliance policy to require enrollment
C. Create a device enrollment restriction in Intune to block personal devices
D. Deploy a device configuration profile with enrollment settings

Answer: A

This triggers automatic enrollment upon license assignment.

Why this answer

Microsoft Entra ID (formerly Azure AD) device settings include an option to enable automatic MDM enrollment for users assigned an Intune license. When enabled, any device that signs in with a licensed user account will automatically enroll in Microsoft Intune, satisfying the requirement without additional configuration.

Exam trap

The trap here is that candidates often confuse device compliance policies or configuration profiles with the enrollment trigger, but only the Microsoft Entra ID device settings control the automatic MDM enrollment behavior.

How to eliminate wrong answers

Option B is wrong because a device compliance policy checks compliance after enrollment; it does not trigger automatic enrollment. Option C is wrong because enrollment restrictions control which devices can enroll (e.g., blocking personal devices), but they do not enable automatic enrollment. Option D is wrong because a device configuration profile applies settings to already enrolled devices; it does not initiate the enrollment process.

83
Multi-Select · hard

You are designing a Microsoft 365 tenant for a multinational organization. You need to ensure compliance with data residency requirements. Which THREE actions should you take?

Select 3 answers
A. Set data location preferences in the Microsoft 365 admin center.
B. Disable cross-region replication in Exchange Online.
C. Use compliance boundaries for eDiscovery.
D. Create data loss prevention policies for each region.
E. Configure Microsoft 365 Multi-Geo.

Answers: A, C, E

Allows choosing where data is stored during tenant setup.

Why this answer

Option A is correct because setting data location preferences in the Microsoft 365 admin center (under Settings > Org Settings > Organization Information) allows you to specify the primary data residency region for your tenant. This ensures that core data at rest, such as Exchange Online mailboxes and SharePoint sites, is stored in the selected geographic location to meet compliance requirements.

Exam trap

The trap here is that candidates often confuse data residency (where data is stored) with data protection (DLP policies) or replication settings, leading them to select DLP policies or disabling replication instead of the correct Multi-Geo and compliance boundary options.

84
MCQ · medium

Your organization uses Microsoft 365 Copilot for Sales. You need to ensure that only licensed users can access Copilot features, and that usage is monitored for compliance. What should you configure?

A. Assign the Copilot Administrator role to users in Microsoft Entra ID
B. Configure a Microsoft Purview compliance policy for Copilot
C. Use PowerShell to assign Copilot licenses and enable audit logging in Microsoft Sentinel
D. Assign Copilot licenses to users in the Microsoft 365 admin center and monitor usage via the Reports dashboard

Answer: D

Licenses are assigned per user, and usage is monitored via admin reports.

Why this answer

Option D is correct because licensing for Microsoft 365 Copilot for Sales is controlled through the Microsoft 365 admin center by assigning Copilot licenses to individual users. Usage monitoring is then available via the Reports dashboard, which provides adoption and usage metrics for licensed users. This ensures only licensed users access Copilot features and allows compliance monitoring without additional configuration.

Exam trap

The trap here is that candidates confuse licensing and access control with administrative roles or security monitoring, assuming that assigning an admin role or configuring compliance policies is required to restrict or monitor Copilot usage, when in fact license assignment and the built-in Reports dashboard are the correct mechanisms.

How to eliminate wrong answers

Option A is wrong because the Copilot Administrator role in Microsoft Entra ID grants administrative permissions to manage Copilot settings, not user access; it does not license users or monitor usage. Option B is wrong because Microsoft Purview compliance policies are used for data governance, retention, and eDiscovery, not for controlling user access or monitoring Copilot feature usage. Option C is wrong because while PowerShell can assign licenses, enabling audit logging in Microsoft Sentinel is for security monitoring and incident response, not for compliance usage monitoring of Copilot features; the Reports dashboard is the appropriate tool for usage monitoring.

85
MCQ · easy

A user reports that they cannot access their Microsoft 365 mailbox via Outlook on the web. Other users can access their mailboxes. What is the most likely cause?

A. The user's password has expired
B. The Exchange Online service is experiencing an outage
C. The user's browser cache needs to be cleared
D. The user does not have an Exchange Online license assigned

Answer: D

Without a license, the user cannot access Exchange Online services.

Why this answer

The most likely cause is that the user does not have an Exchange Online license assigned. Without a valid license, the user's mailbox is not provisioned, and Outlook on the Web (OWA) cannot access it. Other users can access their mailboxes because they have licenses, ruling out a service-wide issue.

Exam trap

The trap here is that candidates confuse authentication issues (password expired) with authorization or licensing issues, assuming that if a user can log in to the Microsoft 365 portal, they automatically have a mailbox.

How to eliminate wrong answers

Option A is wrong because an expired password would prevent authentication entirely, but the user would see a login prompt or password error, not a mailbox access issue after login. Option B is wrong because an Exchange Online outage would affect all users, not just one. Option C is wrong because clearing browser cache resolves display or rendering issues, not access to the mailbox itself; if the mailbox is unlicensed, no amount of cache clearing will help.

86
MCQ · medium

Your organization uses Microsoft 365 and has strict compliance requirements. The compliance officer has noticed that some users are able to access sensitive documents from unmanaged devices. You need to ensure that all access to sensitive data from unmanaged devices is blocked, while still allowing access from managed devices. The solution must be implemented using Microsoft Entra ID and Microsoft Intune. You have already deployed Microsoft Intune for mobile device management. What should you do?

A. Enable device compliance rules in Microsoft Entra ID and assign them to all users.
B. Create a device compliance policy in Microsoft Intune that requires a PIN and encryption.
C. Create an app protection policy in Microsoft Intune that requires managed apps to be used on unmanaged devices.
D. Create a conditional access policy in Microsoft Entra ID that requires the device to be marked as compliant, and apply it to all cloud apps.

Answer: D

Conditional access with device compliance requirement blocks unmanaged devices from accessing apps.

Why this answer

Option D is correct: a conditional access policy in Microsoft Entra ID can require that devices be marked as compliant with Intune policies, blocking access from unmanaged devices. Option C is wrong because app protection policies in Intune apply to apps, not device-level access. Option B is wrong because a compliance policy defines what compliant means but does not block access; conditional access does. Option A is wrong because device compliance rules are part of Intune but do not enforce access decisions without conditional access.

87
MCQ · hard

Your organization uses Microsoft 365 E5 licenses. You need to implement a secure score improvement plan. After reviewing the Secure Score, you notice a recommendation to 'Enable sign-in risk policy' in Microsoft Entra ID. However, you want to ensure that users who sign in from trusted locations are not challenged. What should you configure?

A. Configure named locations in Microsoft Entra ID for trusted IPs.
B. Enable the 'Sign-in risk' policy in Identity Protection and set 'Exclude trusted locations'.
C. Enable the 'Require MFA for all users' conditional access policy.
D. Create a conditional access policy that targets sign-in risk medium and above, requires MFA, and excludes trusted named locations.

Answer: D

This ensures users from trusted locations are not challenged.

Why this answer

Option D is correct because it creates a Conditional Access policy that targets sign-in risk at medium and above, requiring MFA, while excluding trusted named locations. This ensures users from trusted IPs are not challenged, directly addressing the requirement to avoid unnecessary prompts for trusted sign-ins while still enforcing risk-based policies.

Exam trap

The trap here is that candidates confuse Identity Protection's risk policies with Conditional Access policies, assuming exclusions are set directly in Identity Protection rather than through Conditional Access, leading them to select Option B.

How to eliminate wrong answers

Option A is wrong because configuring named locations alone does not enforce a sign-in risk policy; it only defines trusted IPs, which must be referenced in a Conditional Access policy to have effect. Option B is wrong because the 'Sign-in risk' policy in Identity Protection does not have an 'Exclude trusted locations' setting; exclusions are handled via Conditional Access policies, not within Identity Protection itself. Option C is wrong because 'Require MFA for all users' is a blanket policy that does not consider sign-in risk or trusted locations, so it would challenge users from trusted locations unnecessarily.

88
MCQ · medium

Your organization has a Microsoft 365 tenant configured with a custom domain. You need to verify domain ownership using a TXT record. Where in the Microsoft 365 admin center would you initiate this process?

A. Settings > Domains
B. Setup > Org-wide settings
C. Users > Active Users
D. Admin centers > Azure Active Directory

Answer: A

Correct path to manage domains and verify ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record provided by Microsoft to your domain's DNS zone. The process is initiated in the Microsoft 365 admin center under Settings > Domains, where you select the domain and click 'Start setup' to receive the verification TXT record value. This is the only location in the admin center that directly manages domain verification and DNS record validation for custom domains.

Exam trap

The trap here is that candidates may confuse domain verification with other domain-related tasks (like setting up email routing or managing user accounts) and select Setup > Org-wide settings or Users > Active Users, but only Settings > Domains provides the guided wizard for adding and verifying a custom domain via TXT records.

How to eliminate wrong answers

Option B is wrong because Setup > Org-wide settings contains organization-wide configuration options like security policies, profiles, and external sharing settings, but does not include domain management or DNS verification tasks. Option C is wrong because Users > Active Users is for managing user accounts, licenses, and permissions, not for domain ownership verification which is a DNS-level process. Option D is wrong because Admin centers > Azure Active Directory opens the Azure AD portal, which can manage custom domains but is not the primary or recommended path in the Microsoft 365 admin center for initiating TXT record verification; the correct path is Settings > Domains within the M365 admin center itself.

89
MCQ · easy

An administrator wants to verify ownership of a custom domain 'adatum.com' in their Microsoft 365 tenant. They have already added the domain and received the TXT record value. However, the administrator's DNS hosting provider does not support adding a TXT record. Which alternative record type can be used for domain verification?

A. A record
B. MX record
C. SRV record
D. NS record

Answer: B

Correct. Microsoft supports verification using a specific MX record with the value 'msXXXXXX.adatum.com' (where 'X' represents the verification token).

Why this answer

When a DNS hosting provider does not support TXT records, Microsoft 365 allows the use of an MX record as an alternative for domain verification. The administrator creates an MX record with a specific subdomain (e.g., 'adatum-com.mail.protection.outlook.com') and a custom priority value provided in the TXT record value, which Microsoft's verification system checks to confirm domain ownership. This method is supported because MX records are widely available and can carry the necessary verification data in their format.

Exam trap

The trap here is that candidates may assume only TXT records can verify domain ownership, overlooking that Microsoft 365 explicitly supports MX records as an alternative when TXT records are unavailable, which is a common scenario in restrictive DNS environments.

How to eliminate wrong answers

Option A is wrong because 'A record' maps a domain to an IPv4 address and cannot carry the verification string required by Microsoft 365; it is not a supported alternative for domain verification. Option C is wrong because 'SRV record' specifies the location of services (like SIP or LDAP) and is not used for domain ownership verification in Microsoft 365. Option D is wrong because 'NS record' delegates a domain to a set of name servers and does not support embedding a verification token; it would change the domain's authoritative servers rather than prove ownership.

90
MCQ · medium

An organization plans to automatically assign Microsoft 365 E3 licenses to all users in the 'Finance' department. The Finance department is identified by the 'Department' attribute in Azure AD. Which method should the administrator use to minimize manual effort?

A. Group-based licensing using a dynamic group with the rule 'user.department -eq "Finance"'
B. Manual assignment using PowerShell
C. Bulk assignment using a CSV file
D. Self-service licensing portal

Answer: A

Dynamic group membership automatically includes Finance users, and group-based licensing assigns the license to all members.

Why this answer

Group-based licensing allows assigning licenses to a security group. By using a dynamic group based on the 'Department' attribute, users are automatically added to the group and receive licenses when they meet the criteria. Manual assignment or bulk upload require ongoing administrative effort. Self-service portals do not automatically assign licenses.

91
MCQ · medium

You have a Microsoft 365 E5 tenant. Users report that they cannot access the Microsoft 365 admin center (https://admin.microsoft.com). You verify that they have the Global Administrator role assigned. You check the sign-in logs in Microsoft Entra ID and see that the sign-in was blocked by a Conditional Access policy. The policy requires MFA and a compliant device. The users are using personal devices that are not enrolled. What should you do to allow access while maintaining security?

A. Disable the Conditional Access policy.
B. Ask users to enroll their personal devices in Microsoft Intune.
C. Remove the Global Administrator role from the users and assign a lower privilege role.
D. Modify the Conditional Access policy to exclude the Microsoft 365 admin center from the device compliance requirement, but keep MFA.

Answer: D

Allows access with MFA only, which is acceptable for admins.

Why this answer

Option D is correct because it allows users to access the Microsoft 365 admin center by removing the device compliance requirement for that specific cloud app while still enforcing MFA. This maintains security through MFA and avoids blocking access for users on personal, unenrolled devices. Disabling the policy entirely or requiring enrollment would either weaken security or be impractical for personal devices.

Exam trap

The trap here is that candidates may think removing the Global Administrator role (Option C) will bypass the Conditional Access policy, but Conditional Access policies apply to all users regardless of role unless explicitly excluded, and the policy's grant controls are evaluated before role-based access is considered.

How to eliminate wrong answers

Option A is wrong because disabling the Conditional Access policy entirely would remove all security controls (MFA and device compliance) for the admin center, exposing the tenant to unauthorized access. Option B is wrong because asking users to enroll personal devices in Intune may not be feasible or desired for personal devices, and it does not address the immediate access issue without policy modification. Option C is wrong because removing the Global Administrator role does not resolve the Conditional Access block; the policy applies to all users regardless of role, and the users need admin privileges to perform their duties.

92
MCQ · easy

You are a Microsoft 365 administrator for a small business with 50 users. The company uses Microsoft 365 Business Premium. You need to ensure that all users have multi-factor authentication (MFA) enabled. The company does not have any custom conditional access policies. You want to implement MFA as quickly as possible with minimal configuration. What should you do?

A. Enable security defaults in the Microsoft Entra admin center.
B. Configure an MFA registration campaign for all users.
C. Enable per-user MFA for each user.
D. Create a conditional access policy that requires MFA for all users.

Answer: A

Correct: Security defaults enable MFA for all users with minimal effort.

Why this answer

Security defaults provide a pre-configured set of security policies, including requiring MFA for all users, that can be enabled with a single toggle in the Microsoft Entra admin center. This is the fastest and simplest method for a small business with no existing conditional access policies, as it requires minimal configuration and immediately enforces MFA for every user.

Exam trap

The trap here is that candidates often confuse the MFA registration campaign (which only prompts registration) with actual MFA enforcement, or they overcomplicate the solution by choosing per-user MFA or a custom conditional access policy when security defaults are the fastest and simplest answer for a tenant with no existing policies.

How to eliminate wrong answers

Option B is wrong because the MFA registration campaign is a feature that nudges users to register for MFA but does not enforce MFA at sign-in; it only prompts registration, leaving authentication unprotected until users voluntarily comply. Option C is wrong because per-user MFA is a legacy method that requires manually enabling MFA for each of the 50 users individually, which is time-consuming and does not leverage the modern, policy-based approach of security defaults. Option D is wrong because creating a conditional access policy requires additional configuration steps (e.g., excluding break-glass accounts, defining conditions) and is not the fastest option; security defaults are designed for organizations without existing policies to achieve MFA enforcement instantly.

93
MCQmedium

Your organization uses Microsoft 365 E5 licenses for all users. You need to configure role-based access control (RBAC) so that helpdesk staff can reset passwords and manage licenses, but cannot modify user principal names (UPNs) or delete users. Which role assignment should you use?

A.License Administrator
B.Helpdesk Administrator
C.Password Administrator
D.User Administrator
AnswerB

Helpdesk Administrator can reset passwords and manage licenses, but cannot modify UPNs or delete users.

Why this answer

The Helpdesk Administrator role is correct because it grants the specific permissions needed to reset passwords and manage licenses, while explicitly preventing modifications to user principal names (UPNs) and user deletions. This role is designed for tier-1 support staff who require these capabilities without elevated user management rights.

Exam trap

The trap here is that candidates often confuse the Helpdesk Administrator role with the User Administrator role, assuming the latter is required for license management, but User Administrator includes dangerous permissions like UPN modification and user deletion that are explicitly prohibited in the question.

How to eliminate wrong answers

Option A is wrong because the License Administrator role can only manage license assignments and cannot reset passwords, failing the password reset requirement. Option C is wrong because the Password Administrator role can only reset passwords and cannot manage licenses, failing the license management requirement. Option D is wrong because the User Administrator role can modify UPNs and delete users, which violates the restriction against those actions.

94
MCQeasy

A user reports they cannot access Microsoft Teams. They see a message: 'Your account is not enabled for Teams.' You verify the user has a valid Microsoft 365 E3 license assigned. What is the most likely cause?

A.The user does not have the correct Microsoft Entra ID role.
B.The user is not assigned a valid license.
C.The Teams service plan is disabled in the user's license.
D.The user is not a global administrator.
AnswerC

The Teams service plan must be enabled for the user.

Why this answer

The error 'Your account is not enabled for Teams' indicates that the Teams service plan is disabled within the user's assigned Microsoft 365 E3 license. Even with a valid license, each service plan (e.g., Teams, Exchange Online, SharePoint) can be individually toggled on or off via the Microsoft 365 admin center or PowerShell. Since the user has a valid license but cannot access Teams, the most likely cause is that the Teams service plan has been explicitly disabled.

Exam trap

The trap here is that candidates often assume a valid license automatically enables all included services, but Microsoft 365 allows granular control over service plans, so a license assignment does not guarantee Teams is enabled.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID roles (e.g., Global Administrator, Teams Administrator) control administrative permissions, not the ability to use Teams as an end user; a user without any admin role can still access Teams if the service plan is enabled. Option B is wrong because the scenario explicitly states the user has a valid Microsoft 365 E3 license assigned, so the issue is not a missing license. Option D is wrong because being a Global Administrator is not required to use Teams; the error message is about service enablement, not administrative privileges.

95
MCQmedium

Your organization recently deployed Microsoft Defender for Office 365. Users report that some legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives without compromising security. What should you do?

A.Increase the Spam Confidence Level (SCL) threshold to 9
B.Disable the anti-phishing policy and use a custom mail flow rule
C.Add the sender domains to the allowed senders list in the anti-phishing policy
D.Change the spam filtering action to 'Move message to Junk Email folder' instead of quarantine
AnswerC

This allows trusted senders without affecting other protections.

Why this answer

Option C is correct because adding the sender domains to the allowed senders list in the anti-phishing policy explicitly whitelists those domains for phishing checks, reducing false positives while still scanning for other threats. This approach preserves security by not lowering the overall spam filtering threshold or disabling protections, and it targets only the specific domains that are being incorrectly flagged.

Exam trap

The trap here is that candidates often confuse the anti-phishing policy's allowed senders list with the tenant-level allowed/blocked list in the anti-spam policy, or they mistakenly think changing the action to junk email reduces false positives when it only changes the delivery outcome, not the detection logic.

How to eliminate wrong answers

Option A is wrong because increasing the SCL threshold to 9 would make the filter less sensitive, allowing more spam and phishing to reach users, which compromises security. Option B is wrong because disabling the anti-phishing policy removes critical protection against sophisticated phishing attacks, and a custom mail flow rule cannot replicate the advanced heuristics and impersonation detection of the built-in policy. Option D is wrong because changing the action to 'Move message to Junk Email folder' instead of quarantine still applies the same false-positive classification; it only changes the delivery location, not the underlying detection logic, so legitimate emails would still be incorrectly categorized.

96
MCQmedium

Your organization uses Microsoft 365 Business Premium. You need to configure Windows 365 Cloud PCs for 10 users who require access to a custom line-of-business (LOB) application that is not compatible with Windows 11. The LOB app requires Windows 10 and 8 GB RAM. What is the most cost-effective Cloud PC configuration that meets the requirements?

A.Windows 365 Business Standard license and a custom Windows 10 image.
B.Windows 365 Business Advanced license and a custom Windows 11 image.
C.Windows 365 Enterprise license with GPU.
D.Windows 365 Business Basic license and a custom Windows 10 image.
AnswerA

Standard provides 8 GB RAM, meets requirements.

Why this answer

Option A is correct because Windows 365 Business Standard provides 8 GB RAM and supports custom Windows 10 images, meeting the LOB app's requirements. The Business Standard license is the most cost-effective tier that offers 8 GB RAM, while Basic only offers 4 GB RAM and would not satisfy the app's memory needs. A custom Windows 10 image is necessary since the app is incompatible with Windows 11.

Exam trap

The trap here is that candidates might assume Basic is sufficient for cost savings, overlooking the 8 GB RAM requirement, or incorrectly think that Windows 11 is backward compatible with all Windows 10 apps, leading them to choose a Windows 11 image.

How to eliminate wrong answers

Option B is wrong because it specifies a Windows 11 image, which is incompatible with the LOB application, and the Advanced license is more expensive than Standard without providing additional benefit for this scenario. Option C is wrong because Windows 365 Enterprise with GPU is overkill and significantly more costly; the LOB app does not require GPU acceleration, and Enterprise licensing is unnecessary for only 10 users when Business licenses suffice. Option D is wrong because Windows 365 Business Basic license provides only 4 GB RAM, which does not meet the 8 GB RAM requirement of the LOB application.

97
Drag & Dropmedium

Drag and drop the steps to deploy Microsoft Defender for Office 365 policies in the correct order.

Why this order

Defender for Office 365 policies are created in the Defender portal, configured with threat protection settings, and applied to recipients.

98
Multi-Selecthard

Your organization uses Microsoft Sentinel for security operations. You need to ensure that Sentinel can ingest logs from Microsoft 365 Defender (XDR) and Microsoft Entra ID. Which THREE data connectors should you enable? (Choose three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Purview Information Protection
C.Microsoft Entra ID (formerly Azure AD)
D.Microsoft Intune
E.Microsoft Defender for Office 365 (formerly Office 365 ATP)
AnswersA, C, E

This connector ingests endpoint detection logs.

Why this answer

Microsoft Defender for Endpoint is a correct data connector because it ingests endpoint detection and response (EDR) logs from Windows, macOS, and Linux devices into Microsoft Sentinel. This integration allows security operations to correlate endpoint alerts with other signals, enabling advanced hunting and automated incident response across the Microsoft 365 Defender ecosystem.

Exam trap

The trap here is that candidates often mistake Microsoft Purview Information Protection or Intune for security log sources, when in fact they are governance and management tools without native data connectors for Sentinel's security log ingestion.

99
MCQmedium

Your organization is deploying Microsoft 365 and needs to ensure that all new users are automatically assigned a Microsoft 365 Business Basic license. You want to use a group-based licensing strategy with an Azure AD security group. What should you do first?

A.Configure directory synchronization and create the group in on-premises Active Directory.
B.Create a dynamic Azure AD group with a rule for user attributes and enable self-service group management.
C.Assign the license directly to each user via the Microsoft 365 admin center.
D.Create a new Azure AD security group and assign the license to the group.
AnswerD

Group-based licensing requires a security group with the license assignment.

Why this answer

Option D is correct because group-based licensing in Azure AD requires you to first create a security group (which can be cloud-only or synced) and then assign the Microsoft 365 Business Basic license directly to that group. Once the license is assigned to the group, all members automatically receive the license, including new users added to the group. This approach centralizes license management and ensures automatic assignment without manual intervention.

Exam trap

The trap here is that candidates often think they must first configure directory synchronization (Option A) or create a dynamic group (Option B) before assigning a license to a group, but the correct first step is simply to create a security group and assign the license to it, as group-based licensing works with any Azure AD security group, including cloud-only static groups.

How to eliminate wrong answers

Option A is wrong because directory synchronization and creating the group in on-premises Active Directory is not the first step; you can use a cloud-only Azure AD security group without requiring on-premises sync, and the question does not specify a hybrid environment. Option B is wrong because creating a dynamic group with a user attribute rule and enabling self-service group management is not the first step; while dynamic groups can be used for licensing, the initial requirement is to create a security group and assign the license to it, not to configure dynamic membership or self-service. Option C is wrong because assigning licenses directly to each user via the Microsoft 365 admin center is a manual, per-user approach that contradicts the group-based licensing strategy specified in the question.
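The two steps described above, creating a cloud-only security group and assigning the license to it, as an added Microsoft Graph PowerShell example that is not part of the question bank. It assumes the Microsoft.Graph module is installed and that the tenant's Business Basic SKU carries the part number O365_BUSINESS_ESSENTIALS; confirm the name with Get-MgSubscribedSku in your own tenant, and the user object id is a placeholder.

```powershell
# Added example (not from the question bank): group-based licensing in two steps.
# Assumption: the Business Basic SKU part number is O365_BUSINESS_ESSENTIALS.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "User.Read.All"

# Step 1: a cloud-only, static security group (not mail-enabled).
$group = New-MgGroup -DisplayName "Licensed - M365 Business Basic" `
    -MailEnabled:$false `
    -MailNickname "lic-m365-business-basic" `
    -SecurityEnabled

# Step 2: look up the SKU and assign it to the group.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "O365_BUSINESS_ESSENTIALS" }
if (-not $sku) { throw "SKU not found in this tenant; adjust SkuPartNumber." }

# Check remaining seats first: members beyond the available units end up in a
# licensing error state instead of silently receiving the license.
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "Available units for $($sku.SkuPartNumber): $available"

# Both -AddLicenses and -RemoveLicenses are required, even when one is empty.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) `
    -RemoveLicenses @()

# From here on, adding a user to the group triggers the assignment.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId "<user object id>"

# Review per-user processing errors (exhausted seats, conflicting service plans).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, LicenseAssignmentStates } |
    Select-Object DisplayName,
        @{ n = 'Errors'; e = { ($_.LicenseAssignmentStates | Where-Object State -ne 'Active').Error } }
```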

100
MCQeasy

A newly hired administrator needs to manage user accounts, licenses, and reset passwords. Which portal should they access?

A.Microsoft 365 admin center
B.Microsoft Entra admin center
C.Microsoft 365 Defender
D.Azure Active Directory admin center
AnswerA

This portal centralizes user management, license assignment, and common administrative functions for Microsoft 365.

Why this answer

The Microsoft 365 admin center (admin.microsoft.com) is the primary portal for day-to-day user administration tasks such as creating and managing user accounts, assigning licenses, and resetting passwords. It provides a unified interface for these common identity and license management operations within a Microsoft 365 tenant.

Exam trap

The trap here is that candidates often confuse the Microsoft Entra admin center (formerly Azure AD) with the Microsoft 365 admin center, thinking that all user management must be done in the identity portal, but the exam tests that routine user tasks like license assignment and password resets are performed in the Microsoft 365 admin center.

How to eliminate wrong answers

Option B (Microsoft Entra admin center) is wrong because it is focused on identity and access management (IAM) configuration, including conditional access policies, enterprise apps, and security defaults, not on routine user license assignment or password resets for end users. Option C (Microsoft 365 Defender) is wrong because it is a security operations portal for threat detection, investigation, and response (e.g., incident management, advanced hunting), not for user account or license management. Option D (Azure Active Directory admin center) is wrong because it is the legacy portal for Azure AD directory-level settings and bulk operations; while it can manage users, the Microsoft 365 admin center is the correct modern portal for license and password management in a Microsoft 365 context, and the Azure AD portal is now rebranded as Microsoft Entra admin center.

101
Multi-Selecthard

Your company is deploying Microsoft 365 Copilot for all users. You need to ensure that Copilot responses are grounded only in organizational data that users already have permission to access. Additionally, you must comply with data residency requirements in the European Union. Which THREE actions should you take?

Select 3 answers
A.Apply sensitivity labels to restrict Copilot from accessing specific files.
B.Set the data residency preference for Microsoft 365 Copilot to the European Union in the admin center.
C.Configure Microsoft 365 Copilot to respect existing user permissions via Microsoft Entra ID.
D.Block Copilot for all users outside the EU using conditional access policies.
E.Enable Copilot caching in Microsoft Purview to control data storage locations.
AnswersA, B, C

Sensitivity labels can be configured to prevent Copilot from using labeled content, supporting granular control.

Why this answer

Option A is correct because sensitivity labels can be configured to block Copilot from accessing files with specific labels, ensuring that Copilot responses are grounded only in organizational data that users already have permission to access. This is done by using Microsoft Purview Information Protection to define label-based restrictions that Copilot respects, preventing it from surfacing content from labeled files even if the user has direct access.

Exam trap

The trap here is that candidates may confuse conditional access policies (which control access) with data residency controls (which control data storage and processing location), and may incorrectly think caching in Purview is a real feature for data residency, when in fact Microsoft 365 Copilot does not use Purview caching for this purpose.

102
MCQeasy

An organization wants to receive email notifications for all service health incidents. Which role must an administrator have to configure service health notifications in the Microsoft 365 admin center?

A.Global Administrator
B.Service Support Administrator
C.Helpdesk Administrator
D.Billing Administrator
AnswerA

Global Administrator has full access to all administrative features, including configuring service health notifications.

Why this answer

Only the Global Administrator role has the necessary permissions to access and modify the Service Health section in the Microsoft 365 admin center, including configuring email notifications for service health incidents. This is because the Global Administrator role is the highest privileged role and is required to manage tenant-wide settings such as service health alerts, which are not delegated to lower-level administrative roles.

Exam trap

The trap here is that candidates often assume the Service Support Administrator role, which can view service health, can also configure notifications, but Microsoft deliberately restricts write access to the Global Administrator role to prevent unauthorized changes to critical alerting infrastructure.

How to eliminate wrong answers

Option B (Service Support Administrator) is wrong because this role can only view service health and manage support tickets, but cannot configure notification settings for service health incidents. Option C (Helpdesk Administrator) is wrong because this role is limited to password resets, user management, and basic support tasks, and does not have permission to access or modify service health notification configurations. Option D (Billing Administrator) is wrong because this role is restricted to managing billing accounts, invoices, and payment methods, and has no access to service health or notification settings.

103
Multi-Selectmedium

Your organization uses Microsoft 365 and wants to implement a passwordless authentication strategy. Which TWO methods are supported natively in Microsoft Entra ID for passwordless sign-in?

Select 2 answers
A.Smart cards (physical or virtual)
B.Microsoft Authenticator app (phone sign-in)
C.Temporary Access Pass
D.Certificate-based authentication
E.FIDO2 security keys
AnswersB, E

Supported as a passwordless authentication method.

Why this answer

The Microsoft Authenticator app (phone sign-in) is a native passwordless method in Microsoft Entra ID that uses key-based authentication tied to the user's device. It allows users to sign in by approving a notification or entering a number displayed on the screen, eliminating the need for a password. This method is fully integrated into Entra ID's authentication stack and supports both iOS and Android devices.

Exam trap

The trap here is that candidates often confuse 'supported in Entra ID' with 'supported in the broader Microsoft ecosystem', leading them to select smart cards or certificate-based authentication, which require additional on-premises or hybrid components and are not native passwordless options in cloud-only Entra ID.

104
MCQmedium

Your company has a Microsoft 365 tenant with a custom domain (contoso.com). You need to verify domain ownership before enabling email routing. Which DNS record type should you add?

A.Add a TXT record with the verification code.
B.Add a CNAME record pointing to autodiscover.outlook.com.
C.Add an MX record pointing to contoso-com.mail.protection.outlook.com.
D.Add an SPF record for contoso.com.
AnswerC

MX records direct email to Exchange Online.

Why this answer

Option C is correct because when you add a custom domain to Microsoft 365 and need to enable email routing, you must prove domain ownership and configure mail flow. The MX record with the value 'contoso-com.mail.protection.outlook.com' is the specific record that Microsoft 365 requires to route incoming email for your domain to Exchange Online. This record is added after domain ownership is verified (usually via a TXT record), but the question asks which record type enables email routing, which is the MX record.

Exam trap

The trap here is that candidates confuse the domain verification step (TXT record) with the email routing step (MX record), and Microsoft explicitly tests this distinction by asking for the record that 'enables email routing' rather than 'verifies ownership'.

How to eliminate wrong answers

Option A is wrong because a TXT record with a verification code is used to prove domain ownership, not to enable email routing; ownership verification is a prerequisite but does not itself route email. Option B is wrong because a CNAME record pointing to autodiscover.outlook.com is used for Autodiscover service connectivity (client configuration), not for enabling email routing for the domain. Option D is wrong because an SPF record is used to authorize sending servers and prevent spoofing, but it does not enable inbound email routing; it is a separate security measure.

105
MCQeasy

An administrator is managing a Microsoft 365 tenant and needs to delegate the ability to reset user passwords to a group of helpdesk staff. The helpdesk staff should not have any other administrative privileges. Which built-in role should the administrator assign?

A.Global Administrator
B.Password Administrator
C.User Administrator
D.Helpdesk Administrator
AnswerB

Password Administrator can reset passwords for non-administrator users and does not include other administrative capabilities.

Why this answer

The Password Administrator role is the correct choice because it grants the specific ability to reset passwords for non-administrator users and manage service requests, without providing broader administrative privileges like managing users, groups, or licensing. This aligns with the principle of least privilege, ensuring helpdesk staff can perform password resets without accessing other sensitive areas of the tenant.

Exam trap

The trap here is that candidates often confuse the Helpdesk Administrator role (which also resets passwords) as the correct answer, but the Password Administrator role is even more restricted and specifically designed for password-only tasks, making it the precise least-privilege choice.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role grants unrestricted access to all administrative features, including security, compliance, and billing, which far exceeds the requirement to only reset passwords. Option C is wrong because the User Administrator role can create and delete users, manage user licenses, and reset passwords for all users (including admins), which provides more privileges than needed and violates the least-privilege requirement. Option D is wrong because the Helpdesk Administrator role, while limited, goes beyond password resets and service requests: it also grants the ability to manage support tickets and view reports, which exceeds the narrow scope of password resets alone, whereas the Password Administrator role is even more restricted and is therefore the precise fit.

106
MCQeasy

You are configuring Microsoft Purview for your organization. You need to ensure that all external emails are automatically tagged with an 'External' label in the subject line. Which feature should you configure?

A.Anti-phishing policy in Defender for Office 365.
B.Mail flow rule (transport rule) to prepend '[External]' to subject lines.
C.Sensitivity label policy to automatically apply an 'External' label.
D.Data loss prevention (DLP) policy for external emails.
AnswerB

Mail flow rules can modify message properties including subject.

Why this answer

To automatically prepend a text tag like '[External]' to the subject line of all incoming external emails, you must use a Mail flow rule (also known as a transport rule) in Exchange Online. This rule can be configured with the condition 'The sender is located outside the organization' and the action 'Prepend the subject line with the string [External]'. This is the only mechanism that directly modifies the subject line of emails in transit.

Exam trap

The trap here is that candidates confuse the ability to add a visual 'External' tag with sensitivity labels or anti-phishing policies, but only a mail flow rule can directly manipulate the subject line of an email in transit.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policies in Defender for Office 365 add headers like 'X-Forefront-Antispam-Report' or modify the message body with safety tips, but they cannot directly prepend text to the subject line. Option C is wrong because Sensitivity label policies apply labels and encryption/watermarking to content, but they do not modify the subject line of an email; they apply metadata and visual markings to the message body or header, not the subject. Option D is wrong because Data loss prevention (DLP) policies monitor and protect sensitive data based on policy rules, but they cannot prepend text to the subject line; they can block, notify, or apply encryption, but not modify the subject.
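The mail flow rule described above, as an added Exchange Online PowerShell example that is not part of the question bank. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can manage transport rules; the rule name and tag text are choices, not values from the page.

```powershell
# Added example (not from the question bank): the external-sender subject tag
# built as a mail flow (transport) rule.
Connect-ExchangeOnline

# Condition: sender outside the organization, recipient inside.
# Action: prepend the subject with the tag.
# Exception: skip messages whose subject already carries the tag, so a reply
# chain that crosses the boundary repeatedly is not tagged again on every hop.
New-TransportRule -Name "Tag external senders" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords "[External]" `
    -PrependSubject "[External] " `
    -Comments "Visual cue for users; does not change filtering verdicts." `
    -Mode Enforce `
    -Priority 0

# Confirm the rule is enabled, enforced and evaluated before other rules.
Get-TransportRule -Identity "Tag external senders" |
    Format-List Name, State, Mode, Priority, FromScope, SentToScope, PrependSubject
```

The rule only marks the message; quarantine and junk decisions still come from the anti-spam and anti-phishing policies, so treat the tag as a user cue rather than a control.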

107
MCQmedium

Your organization is implementing Microsoft 365 Copilot. You need to ensure that users' data is protected from being used for training the underlying AI models. What should you configure?

A.Disable Microsoft 365 Copilot for all users
B.Apply Microsoft Purview sensitivity labels to all documents
C.Enable Conditional Access policies to require compliant devices
D.Configure the Microsoft 365 Copilot data protection policy to prevent data from being used for training
AnswerD

This policy explicitly opts out of training.

Why this answer

Option D is correct because Microsoft 365 Copilot includes a data protection policy specifically designed to prevent organizational data from being used to train the underlying AI models. This policy, configured in the Microsoft 365 admin center under Copilot settings, ensures that user prompts, responses, and associated data are not retained or used by Microsoft for model improvement, aligning with the data residency and privacy commitments outlined in the Microsoft Data Protection Addendum (DPA).

Exam trap

The trap here is that candidates often confuse data protection for AI training with general security controls like Conditional Access or sensitivity labels, assuming any security measure will prevent data leakage, when in fact Microsoft provides a specific toggle in the Copilot settings to opt out of training data usage.

How to eliminate wrong answers

Option A is wrong because disabling Microsoft 365 Copilot for all users would prevent the use of the service entirely, but the question asks how to protect data from being used for training while still allowing users to use Copilot; a more granular data protection policy exists. Option B is wrong because applying Microsoft Purview sensitivity labels to documents controls access and classification but does not affect whether Microsoft uses the data for AI model training; sensitivity labels are about governance and protection, not training data exclusion. Option C is wrong because enabling Conditional Access policies to require compliant devices enforces device security and access controls but has no impact on Microsoft's backend data processing or training data usage; it addresses authentication and device compliance, not data privacy for AI training.

108
Multi-Selecteasy

Your company uses Microsoft 365 Business Premium. You need to configure Microsoft Entra ID Protection to automatically remediate risks. Which TWO risk remediation actions can be configured?

Select 2 answers
A.Block licensing assignments for users with high risk.
B.Configure session timeout for risky sessions.
C.Force password change for users with high user risk.
D.Block sign-in for users with high sign-in risk.
E.Require MFA for sign-in risk above a threshold.
AnswersD, E

Blocking sign-in is a valid remediation.

Why this answer

Option D is correct because Microsoft Entra ID Protection allows you to configure an automated policy to block sign-ins when the sign-in risk level is assessed as high. This policy directly remediates the risk by preventing the authentication attempt from succeeding, thereby protecting the account from potential compromise.

Exam trap

The trap here is that candidates often confuse 'user risk' remediation (which does not have a native automatic action) with 'sign-in risk' remediation, leading them to incorrectly select password change or session timeout options that are not directly configurable as automatic risk remediation actions in Entra ID Protection.

109
MCQhard

Your company is deploying Microsoft 365 Copilot. You need to ensure that users can use Copilot in Word, Excel, and PowerPoint. The licensing is in place. However, you are concerned about data leakage. You want to ensure that Copilot does not use sensitive organizational data when generating content. What should you configure in Microsoft 365?

A.Create and assign sensitivity labels with encryption to sensitive documents, and ensure Copilot respects these labels.
B.Configure a data loss prevention (DLP) policy to block Copilot from accessing sensitive data.
C.Use the Microsoft Purview compliance portal to restrict Copilot data access.
D.Disable Copilot for users who handle sensitive data.
AnswerA

Copilot respects sensitivity labels and will not use labeled content.

Why this answer

Option A is correct because Microsoft 365 Copilot respects sensitivity labels that are applied to documents. By creating and assigning sensitivity labels with encryption to sensitive documents, you can prevent Copilot from using that content as source material when generating responses. This is configured via Microsoft Purview Information Protection, where labels can include encryption settings that Copilot will honor, ensuring data leakage is mitigated without blocking Copilot functionality entirely.

Exam trap

The trap here is that candidates often confuse DLP policies with data access controls, assuming DLP can block Copilot from reading data, when in fact DLP only monitors and prevents data exfiltration, not data consumption by internal services.

How to eliminate wrong answers

Option B is wrong because DLP policies are designed to prevent data from being shared or exfiltrated, but they do not control which data Copilot can access or use as context; DLP policies cannot block Copilot from reading sensitive data within the tenant. Option C is wrong because the Microsoft Purview compliance portal is a management interface for various compliance features, not a specific setting to restrict Copilot data access; there is no single toggle or policy there to directly limit Copilot's data sources. Option D is wrong because disabling Copilot for users who handle sensitive data is an overly broad approach that prevents those users from using Copilot at all, rather than selectively controlling which data Copilot can use, and it does not address the requirement to allow Copilot usage while preventing data leakage.

110
MCQhard

Your Microsoft 365 tenant has 50,000 users. You are planning to migrate mailboxes from on-premises Exchange Server 2019 to Exchange Online using a full hybrid configuration. During the migration, you must ensure that free/busy information is synchronized between on-premises and Exchange Online. Which component is required for free/busy synchronization in a hybrid deployment?

A.Exchange Hybrid Server (or Hybrid Agent)
B.Azure AD Connect
C.Exchange Online connector (Outbound to on-premises)
D.Hybrid Configuration Wizard
AnswerA

The Hybrid Server handles free/busy requests between on-premises and Exchange Online.

Why this answer

In a full hybrid configuration, free/busy synchronization between on-premises Exchange and Exchange Online is handled by the Exchange Hybrid Server (or the newer Hybrid Agent). This component acts as a bridge, using the Exchange Web Services (EWS) and Autodiscover service to securely relay free/busy data between the two organizations. Without it, the Availability service cannot query the remote forest for calendar information.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (which handles identity sync) with the Exchange-specific component needed for calendar data, or they mistakenly think the Hybrid Configuration Wizard itself performs the runtime synchronization rather than just configuring it.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect synchronizes identity objects (users, groups) and passwords, not mailbox-level free/busy data; free/busy requires Exchange-specific service endpoints. Option C is wrong because an Exchange Online connector (Outbound to on-premises) is used for mail flow routing, not for free/busy queries; free/busy relies on the Availability service and EWS, not SMTP connectors. Option D is wrong because the Hybrid Configuration Wizard is a tool that configures the hybrid deployment settings (including the Hybrid Server), but it is not the component that actually performs free/busy synchronization; the wizard enables the necessary configuration, but the Hybrid Server itself handles the runtime data exchange.

111
MCQmedium

A company has a Microsoft 365 tenant with domain contoso.com. They own an additional domain fabrikam.com and have already added and verified it with a TXT record. Now they need to configure email to be routed to Exchange Online for fabrikam.com. Which DNS record must they create?

A.MX record pointing to contoso-com.mail.protection.outlook.com
B.CNAME record for autodiscover
C.TXT record for SPF
D.SRV record for SIP
AnswerA

The MX record directs email for the domain to Exchange Online.

Why this answer

To route email for fabrikam.com to Exchange Online, you must create an MX record that points the domain at Exchange Online Protection (EOP), the tenant's inbound mail exchanger. Option A is the only MX record offered, so it is the answer regardless of the exact target string. Be careful with the target itself, though: the MX token is not a hash but the domain name with its dots replaced by hyphens, and it is derived from the domain being configured, so the admin center shows fabrikam-com.mail.protection.outlook.com for fabrikam.com (contoso-com.mail.protection.outlook.com is contoso.com's own token). Always copy the token displayed on that domain's DNS records page rather than deriving or reusing one. Once the record resolves, sending servers deliver mail addressed to @fabrikam.com to EOP, which accepts it because fabrikam.com is a verified accepted domain in the tenant.

Exam trap

The trap here is choosing a record that belongs to the same onboarding checklist (the SPF TXT, the autodiscover CNAME) but does not route inbound mail. A second trap is the target string: candidates often assume the MX token is a hash or is always built from the tenant's primary domain, when it is simply the domain being configured with hyphens in place of dots; the record type is what this question tests.

How to eliminate wrong answers

Option B is wrong because a CNAME record for autodiscover is used to automatically configure Outlook clients with Exchange Online settings, not to route email delivery. Option C is wrong because a TXT record for SPF is used to authorize sending servers and prevent spoofing, not to direct inbound email flow. Option D is wrong because an SRV record for SIP is used for VoIP and unified communications (Skype for Business/Teams), not for email routing.

112
MCQeasy

A global administrator wants to track service health issues and configure notifications for service incidents. Which portal should they use to view the current health status and set up email notifications?

A.Microsoft 365 admin center
B.Azure portal
C.Microsoft 365 Defender portal
D.Microsoft Purview compliance portal
AnswerA

The Service Health page in the Microsoft 365 admin center displays the health of Microsoft 365 services and allows configuration of notifications.

Why this answer

The Microsoft 365 admin center provides the Service Health dashboard under Health > Service Health, which displays the current status of all Microsoft 365 services and allows administrators to configure email notifications for service incidents. This is the designated portal for managing tenant-wide service health and notifications, aligning with the role of a global administrator.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center with the Azure portal for service health, because Azure also has a Service Health blade, but it only covers Azure services, not Microsoft 365 services like Exchange Online or Teams.

How to eliminate wrong answers

Option B is wrong because the Azure portal is used for managing Azure services and resources, not for Microsoft 365 service health or email notifications; it lacks the Service Health dashboard for Microsoft 365. Option C is wrong because the Microsoft 365 Defender portal focuses on security threats, incidents, and alerts (e.g., from Microsoft Defender for Office 365), not on service health incidents or email notifications for service availability. Option D is wrong because the Microsoft Purview compliance portal is dedicated to data governance, compliance, and eDiscovery, not to tracking service health or configuring notifications for service incidents.

113
MCQeasy

You are configuring Microsoft Entra ID for a new organization. You need to ensure that users can self-service reset their passwords. Which licensing is required?

A.Microsoft Entra ID Free
B.Microsoft Entra ID P2
C.Microsoft Entra ID P1
D.Microsoft 365 Business Basic
AnswerC

P1 licenses SSPR for all users and adds password writeback for hybrid users.

Why this answer

Microsoft Entra ID P1 licenses self-service password reset (SSPR) for every user in the tenant and, for hybrid identities, password writeback to on-premises Active Directory through Microsoft Entra Connect. Entra ID Free limits SSPR to cloud-only administrators resetting their own passwords, so it does not satisfy a requirement that users in general can reset theirs. Entra ID P2 includes everything in P1 plus Identity Protection and Privileged Identity Management, so it would work but is more than the requirement needs; the exam expects the lowest tier that meets it. SSPR is licensed on its own and does not depend on Conditional Access or group-based licensing.

Exam trap

The trap here is misjudging the tiers in either direction: assuming Microsoft 365 Business Basic carries the premium identity features, or assuming that only Entra ID P2 can provide SSPR when P1 is sufficient.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Free limits SSPR to cloud-only administrators; ordinary users still need an administrator to reset their password. Option B is wrong because Microsoft Entra ID P2 includes SSPR but is a higher tier whose additional features (Identity Protection, Privileged Identity Management, access reviews) are not needed for SSPR. Option D is wrong because Microsoft 365 Business Basic does not bundle Entra ID P1 or P2, so it lacks the full SSPR feature set, in particular password writeback for hybrid users.

114
MCQhard

Your organization has a hybrid identity setup with Azure AD Connect. You need to ensure that users can reset their passwords from the cloud and have the changes synchronized back to on-premises Active Directory. Which feature must you enable?

A.Password writeback.
B.Seamless single sign-on.
C.Pass-through authentication.
D.Password hash synchronization.
AnswerA

Password writeback enables cloud-originated password resets to sync to on-premises AD.

Why this answer

Password writeback is the Microsoft Entra Connect (Azure AD Connect) feature that takes a password reset or change performed in the cloud, through SSPR or by an administrator in the Entra admin center, and writes it to the user's on-premises Active Directory account in real time, so the on-premises password never diverges from the cloud one. It requires Microsoft Entra ID P1 or P2 and is switched on in two places: the Optional features page of the Azure AD Connect wizard and the 'Write back passwords to your on-premises directory' setting under SSPR. The connector account needs Reset password permission and write access to pwdLastSet and lockoutTime on the synchronized user objects, and writeback also unlocks the on-premises account when a user resets through SSPR.

Exam trap

The trap here is that candidates confuse password hash synchronization, which copies hashes one way from on-premises AD to Microsoft Entra ID, with password writeback, which carries cloud-originated resets back the other way; a hybrid tenant using SSPR needs both directions, and the question asks for the return path.

How to eliminate wrong answers

Option B (Seamless single sign-on) is wrong because it signs users in automatically from domain-joined devices on the corporate network; it plays no part in password changes. Option C (Pass-through authentication) is wrong because it is a sign-in method that validates passwords against on-premises AD without storing hashes in the cloud; writeback is a separate feature that can be enabled alongside either PTA or password hash synchronization. Option D (Password hash synchronization) is wrong because it only synchronizes hashes from on-premises to Microsoft Entra ID; it never writes cloud-side password changes back to on-premises AD.

115
MCQeasy

Your organization needs to create a custom domain in Microsoft 365. You have added the domain 'contoso.com' to the tenant. What is the next step to verify domain ownership?

A.Create user accounts with the custom domain.
B.Configure the email exchange (MX) record.
C.Assign licenses to users with the custom domain.
D.Add a TXT record to the public DNS zone.
AnswerD

Domain verification typically requires adding a TXT record with a verification code.

Why this answer

After adding a custom domain to a Microsoft 365 tenant, the next mandatory step is to prove ownership of the domain by adding a specific TXT record provided by Microsoft to the domain's public DNS zone. Microsoft queries this TXT record to verify that you control the domain before allowing you to use it for services like email or user accounts. This verification step is required by Microsoft's domain onboarding process and must succeed before any other configuration can proceed.

Exam trap

The trap here is that candidates often confuse domain verification (TXT record) with domain configuration (MX record), mistakenly thinking that setting up email routing is the immediate next step after adding the domain.

How to eliminate wrong answers

Option A is wrong because a UPN or email address on the custom domain cannot be assigned until the domain is verified; the admin center only offers verified domains when you create or edit a user. Option B is wrong because the MX record is part of configuring mail flow after verification, not a proof of ownership. Option C is wrong because licenses are assigned to user accounts and have nothing to do with domain ownership; assigning them neither verifies a domain nor depends on one.

116
MCQmedium

You are reviewing an ARM template that will be used to deploy a storage account for a Microsoft 365 migration project. The template includes 'supportsHttpsTrafficOnly': true. What is the primary benefit of this setting?

A.It enforces secure transfer (HTTPS) for all requests to the storage account.
B.It reduces latency by enabling CDN integration.
C.It enables geo-redundant storage.
D.It minimizes storage costs by reducing bandwidth usage.
AnswerA

This setting blocks HTTP requests, requiring HTTPS.

Why this answer

Setting 'supportsHttpsTrafficOnly' to true enforces secure transfer: the storage endpoints reject requests over plain HTTP, so every Blob, File, Queue and Table call must use HTTPS (TLS). This protects data in transit against eavesdropping and man-in-the-middle tampering, which matters for a migration project that stages user data, and it is a standard control expected by frameworks such as PCI DSS and HIPAA. Two caveats for a real template review: the setting enforces the use of TLS but not its version, so pair it with minimumTlsVersion set to TLS1_2; and for API versions before 2019-04-01 the property defaults to false when omitted, so set it explicitly rather than relying on the default.

Exam trap

The trap here is that candidates may confuse 'supportsHttpsTrafficOnly' with performance or redundancy features, but it is purely a security control for enforcing encrypted transport.

How to eliminate wrong answers

Option B is wrong because enabling HTTPS-only does not reduce latency or enable CDN integration; CDN integration is configured separately via Azure CDN profiles. Option C is wrong because geo-redundant storage (GRS) is controlled by the 'sku.name' property (e.g., Standard_GRS), not by the HTTPS setting. Option D is wrong because HTTPS-only does not minimize storage costs; bandwidth usage is unaffected by the protocol, and HTTPS may add slight overhead due to TLS handshake.
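The property in this item is one of three transport and exposure settings a reviewer should look for on a storage account resource. The following Python, added here and not code from the exam page or its scenario, lints an ARM template offline and flags the weak account beside a hardened one; the template and account names are constructed, while the property names and the 2019-04-01 default change are taken from Microsoft's Microsoft.Storage/storageAccounts documentation.

```python
"""Offline lint of an ARM template for storage-account transport hardening.
Added example, not code from the question bank or the exam scenario.  The
template is a constructed fragment with hypothetical resource names; the
property names (supportsHttpsTrafficOnly, minimumTlsVersion,
allowBlobPublicAccess) are the real Microsoft.Storage/storageAccounts ones."""
import json

# supportsHttpsTrafficOnly defaults to true only from this API version onward;
# older API versions default to false when the property is omitted.
HTTPS_DEFAULT_TRUE_FROM = "2019-04-01"

TEMPLATE = json.loads(r'''{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2018-07-01",
      "name": "stmigrationweak",
      "location": "westeurope",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": { "supportsHttpsTrafficOnly": false }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "stmigrationhardened",
      "location": "westeurope",
      "sku": { "name": "Standard_GRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    }
  ]
}''')


def lint_storage_accounts(template: dict) -> dict:
    """Return {account name: [findings]} for every storage account in the template.
    An empty list means the account passes all three checks."""
    report = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties", {})
        findings = []

        # 1. Secure transfer: explicit false, or omitted on an API version whose default is false.
        https_only = props.get("supportsHttpsTrafficOnly")
        if https_only is False:
            findings.append("supportsHttpsTrafficOnly is false: plaintext HTTP accepted")
        elif https_only is None and res.get("apiVersion", "") < HTTPS_DEFAULT_TRUE_FROM:
            # ISO date strings compare correctly as plain strings.
            findings.append("supportsHttpsTrafficOnly omitted on pre-2019-04-01 apiVersion: defaults to false")

        # 2. HTTPS-only still admits TLS 1.0/1.1 unless the floor is raised.
        if props.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
            findings.append("minimumTlsVersion is not TLS1_2 or higher")

        # 3. Anonymous blob access is unrelated to transport but is the other classic exposure.
        if props.get("allowBlobPublicAccess") is not False:
            findings.append("allowBlobPublicAccess not explicitly false")

        report[res["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_storage_accounts(TEMPLATE).items():
        print(f"{name}: {findings or ['ok']}")
```

Run it as a pre-deployment gate: the weak account produces three findings, the hardened one none. The apiVersion check matters because a template copied from an older project may omit the property entirely and silently inherit the insecure default.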

117
MCQmedium

You need to delegate the ability to reset user passwords in Microsoft Entra ID to a helpdesk team. However, they should not be able to modify other user attributes. What role should you assign?

A.User Administrator
B.Helpdesk Administrator
C.Global Administrator
D.Password Administrator
AnswerB

This role can reset passwords for non-administrators and manage service requests.

Why this answer

The Helpdesk Administrator role is scoped to exactly this task: it can reset passwords and invalidate refresh tokens (forcing re-authentication) for non-administrator users and for users holding a limited set of low-privilege roles such as Directory Readers, Guest Inviter, Password Administrator and other Helpdesk Administrators, and it can open support requests and monitor service health. It carries no permission to edit user attributes, group membership or licenses, so it gives the helpdesk the least privilege the task requires. Because Helpdesk Administrators can reset each other's passwords, treat the role as privileged and protect it with MFA and, where licensed, Privileged Identity Management.

Exam trap

The trap here is the naming history: Helpdesk Administrator was formerly called Password Administrator, and today's Password Administrator is a separate, narrower role that can reset passwords only for non-administrators and other Password Administrators and cannot open service requests or view service health. The exam expects Helpdesk Administrator for a helpdesk team; know both scopes so you can pick whichever the question's wording demands.

How to eliminate wrong answers

Option A is wrong because the User Administrator role can reset passwords but can also create and delete users, edit user attributes and manage groups and licenses, which exceeds the required scope. Option C is wrong because Global Administrator has unrestricted access to every administrative feature, the opposite of least privilege. Option D is wrong for the exam's purposes because Password Administrator is the narrower role: it can reset passwords only for non-administrators and other Password Administrators, and it cannot manage support requests or monitor service health, which a helpdesk team typically also needs.

118
MCQeasy

Your organization is planning to deploy Microsoft 365 Copilot. You need to ensure that all prerequisites are met. Which of the following is a mandatory prerequisite for enabling Microsoft 365 Copilot?

A.Microsoft Purview Data Loss Prevention policies.
B.Microsoft Entra ID P2 licenses.
C.An active Azure subscription.
D.Exchange Online Plan 2 licenses.
AnswerB

The answer key for this item is Microsoft Entra ID P2; note that Microsoft's published Copilot prerequisites do not list it (see below).

Why this answer

This item's key is B. Be aware, however, that Microsoft's published prerequisites for Microsoft 365 Copilot are a qualifying base license (for example Microsoft 365 E3/E5 or Business Standard/Premium), a Microsoft Entra ID account, OneDrive for file storage, and current Microsoft 365 Apps, Teams and Outlook; Microsoft Entra ID P2 is not among them. Conditional Access is a P1 feature, and Identity Protection and Privileged Identity Management (P2) are recommended hardening for the accounts that will use Copilot rather than a licensing gate. If the question appears in this form, pick B, but do not carry the claim into a real deployment plan.

Exam trap

The trap here is that none of the options is a documented hard prerequisite, so you must pick the one the exam treats as the identity tier behind Copilot's security model (P2) rather than optional compliance tooling (Purview DLP) or unrelated infrastructure (an Azure subscription).

How to eliminate wrong answers

Option A is wrong because Purview DLP policies are not a prerequisite; they are governance controls you can (and should) layer on after deployment to keep sensitive content out of Copilot outputs. Option C is wrong because Microsoft 365 Copilot is a SaaS add-on licensed through Microsoft 365 and does not need an Azure subscription. Option D is wrong because Copilot depends on a qualifying Microsoft 365 suite license that already includes Exchange Online, not on a specific Exchange Online plan.

119
MCQeasy

Your organization wants to use Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can enroll. What configuration should you use?

A.Use a conditional access policy to require device compliance.
B.Configure enrollment restrictions to block personally owned devices.
C.Set a compliance policy requiring devices to be marked as corporate.
D.Create a device type restriction for iOS and Android.
AnswerB

Enrollment restrictions can block personal devices.

Why this answer

Option B is correct because device enrollment restrictions in Intune are evaluated before enrollment completes. Setting 'Personally owned devices' to Block for a platform rejects any enrollment that Intune cannot attribute to the organization; a device counts as corporate when its IMEI or serial number was pre-uploaded as a corporate device identifier, when it arrives through Windows Autopilot, Apple Automated Device Enrollment or Android Enterprise corporate enrollment, or when a device enrollment manager account enrolls it. Restrictions are assigned to groups with a priority order, so confirm that no higher-priority restriction still allows personal devices for the targeted users.

Exam trap

The trap here is that candidates often confuse post-enrollment controls (like compliance policies or conditional access) with pre-enrollment restrictions, mistakenly thinking that requiring compliance or marking devices as corporate can block personal devices from enrolling, when in fact only enrollment restrictions can prevent the enrollment process itself.

How to eliminate wrong answers

Option A is wrong because a conditional access policy requiring device compliance does not prevent enrollment; it controls access to cloud apps after enrollment, and non-compliant devices can still enroll but then be blocked from accessing resources. Option C is wrong because a compliance policy requiring devices to be marked as corporate is not a pre-enrollment restriction; compliance policies are evaluated after enrollment and cannot block the enrollment process itself. Option D is wrong because a device type restriction for iOS and Android only blocks specific device models or platforms, not the ownership status (corporate vs. personal), so it cannot ensure that only corporate-owned devices enroll.

120
MCQeasy

An administrator has added a custom domain 'contoso.com' to their Microsoft 365 tenant and verified ownership. However, users are unable to receive emails sent to their custom domain. Which type of DNS record must the administrator add in the public DNS zone to route emails to Exchange Online?

A.TXT record
B.MX record
C.CNAME record
D.SPF record
AnswerB

An MX record specifies the mail exchange server for the domain. For Exchange Online, it must point to the Microsoft mail exchanger.

Why this answer

The MX (Mail Exchange) record is the DNS record type that directs email messages to a specific mail server. For Exchange Online, the MX record must point to the tenant's mail exchanger (e.g., contoso-com.mail.protection.outlook.com) with a priority value (typically 0). Without this record, sending mail servers cannot route inbound emails to the custom domain's mailbox store in Exchange Online.

Exam trap

The trap here is that candidates confuse the purpose of MX records with SPF or TXT records, thinking that SPF alone enables email delivery, when in fact MX records are the fundamental requirement for inbound mail routing.

How to eliminate wrong answers

Option A (TXT record) is wrong because TXT records hold arbitrary text data, such as SPF or DKIM keys, but they do not route email traffic. Option C (CNAME record) is wrong because CNAME records alias one domain to another and are not used for mail routing; MX records are the standard for mail exchange. Option D (SPF record) is wrong because SPF records authorize sending servers to prevent spoofing, but they do not direct inbound email delivery.

121
Multi-Selectmedium

You need to configure Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared via email. Which THREE elements can you use to define the policy?

Select 3 answers
A.Actions
B.Locations
C.Sensitivity labels
D.Exceptions
E.Conditions
AnswersA, B, E

Actions define the enforcement (e.g., block, notify).

Why this answer

Actions are a required element in a Microsoft Purview DLP policy because they define what happens when sensitive data is detected—such as blocking the email, sending a notification, or applying encryption. Without specifying actions, the policy would have no enforcement mechanism to prevent data sharing.

Exam trap

The trap here is treating sensitivity labels as a top-level policy element when they are one of the conditions a rule can match (content contains a sensitivity label), and treating exceptions as a separate core component when they are 'except if' refinements of the conditions. A DLP policy is built from where it applies (locations), what it matches (conditions) and what it does (actions).

122
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically redirects emails containing malicious attachments to a quarantine folder for admin review. What type of policy should you create?

A.Safe Attachments policy.
B.Anti-malware policy.
C.Anti-spam policy.
D.Safe Links policy.
AnswerB

Anti-malware policies can quarantine messages with malware.

Why this answer

B is correct because the Anti-malware policy in Microsoft Defender for Office 365 is specifically designed to handle malware detected in email messages, including attachments. When configured, it can automatically redirect messages containing malicious attachments to a quarantine folder for admin review, providing a controlled remediation workflow.

Exam trap

Microsoft often tests the distinction between Anti-malware (for attachment malware) and Safe Attachments (for advanced sandbox analysis), leading candidates to mistakenly choose Safe Attachments when the core requirement is simply redirecting known malicious attachments to quarantine.

How to eliminate wrong answers

Option A is wrong because Safe Attachments policy focuses on scanning and detonating attachments in a sandbox environment before delivery, but its primary quarantine action is for messages with malicious attachments detected during that process, not for general malware redirection; the question's requirement for automatic redirection of emails containing malicious attachments is directly met by the Anti-malware policy. Option C is wrong because Anti-spam policy handles spam, phishing, and bulk mail, not malware or malicious attachments. Option D is wrong because Safe Links policy protects users from malicious URLs in messages and Office documents, not from malicious attachments.

123
MCQeasy

An organization has just purchased Microsoft 365 subscriptions and wants to add their custom domain 'fabrikam.com' to the tenant. Which record must they add to their DNS provider to verify domain ownership?

A.MX record
B.TXT record
C.CNAME record
D.SRV record
AnswerB

A TXT record containing a verification token provided by Microsoft is the standard method to prove domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record provided by the Microsoft 365 admin center to your DNS hosting provider. This TXT record contains a unique verification string that Microsoft checks to confirm you control the domain. MX, CNAME, and SRV records are used for mail routing, service aliasing, and service location, respectively, but they do not serve the purpose of domain ownership verification.

Exam trap

The trap here is that candidates often confuse the TXT record used for verification with the MX record required for email routing, mistakenly thinking they can skip verification by adding an MX record directly.

How to eliminate wrong answers

Option A is wrong because an MX record is used to specify the mail exchange server for a domain, not to prove domain ownership; adding an MX record would only affect email routing. Option C is wrong because a CNAME record creates an alias from one domain name to another and is used for service redirection, not for domain verification. Option D is wrong because an SRV record defines the location (hostname and port) of specific services like SIP or LDAP, and it is not used for domain ownership validation.

124
MCQeasy

An administrator is onboarding a new custom domain for email in a Microsoft 365 tenant. Which step should be performed first?

A.Add the domain in the Microsoft 365 admin center
B.Verify domain ownership by adding a TXT record
C.Configure DNS records for Microsoft services
D.Set the domain as the primary email domain
AnswerA

The initial step is to register the domain with Microsoft 365 so it can be associated with the tenant.

Why this answer

Before you can use a custom domain for email or any other service in Microsoft 365, you must first add the domain to the tenant in the Microsoft 365 admin center (or with the New-MgDomain cmdlet). This creates the domain object in Microsoft Entra ID (formerly Azure Active Directory) in the unverified state and generates the verification token you will publish in DNS. Only after the domain is added can you verify ownership and configure the service records.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking DNS verification (Option B) is the first step, but Microsoft 365 requires the domain to be added to the tenant first to generate the verification token.

How to eliminate wrong answers

Option B is wrong because verifying domain ownership by adding a TXT record is a subsequent step that cannot be performed until the domain has been added to the tenant. Option C is wrong because configuring DNS records for Microsoft services (e.g., MX, CNAME, TXT) is done after verification, not before. Option D is wrong because setting the domain as the primary email domain is a final step that requires the domain to be added, verified, and DNS records configured first.

125
MCQeasy

An administrator adds the custom domain 'adatum.com' to a new Microsoft 365 tenant. In the Microsoft 365 admin center, the domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete the domain ownership verification?

A.TXT record
B.MX record
C.CNAME record
D.SPF record
AnswerA

Correct. A TXT record with the verification code proves ownership of the domain.

Why this answer

To verify domain ownership in Microsoft 365, you add a TXT record containing the unique verification string shown in the Microsoft 365 admin center to the domain's public DNS zone. Microsoft then queries public DNS for that record and, once the value is found, marks the domain verified. TXT records (RFC 1035) carry arbitrary text, which is why they have become the usual vehicle for ownership proofs across cloud services; the TXT method is the standard one and the one the exam expects, with Microsoft offering an MX-based token only for registrars that cannot host TXT records.

Exam trap

The trap here is that candidates confuse the TXT record used for domain verification with the TXT record used for SPF or DKIM, or assume an MX record is required because email is involved, but Microsoft 365 uses a dedicated verification TXT record separate from any email-related records.

How to eliminate wrong answers

Option B is wrong because an MX record routes email to a mail server, not for domain ownership verification; it is used later for mail flow configuration. Option C is wrong because a CNAME record aliases one domain to another and is not used for domain verification; it is typically used for services like autodiscover. Option D is wrong because an SPF record is a TXT record used for email authentication (anti-spoofing), not for domain ownership verification; it is configured after verification is complete.
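Items 111, 115, 120, 123, 124 and 125 above all turn on which public DNS record does what during domain onboarding. The following Python, added here and not code from the question bank, checks a domain's record set offline against the pattern Microsoft 365 expects: the MS=ms... verification TXT, an MX at Exchange Online Protection, a single SPF record that includes Microsoft's senders and hard-fails everything else, and the autodiscover CNAME. The record sets are constructed stand-ins for what you would collect with dig or Resolve-DnsName; expected_mx_token reproduces Microsoft's documented hyphen-for-dot pattern, which you should still confirm against the token the admin center displays.

```python
"""Preflight check of the public DNS records Microsoft 365 expects for a custom
domain.  Added example, not code from the question bank.  The record sets are
constructed; in practice fill them from dig / Resolve-DnsName answers.
expected_mx_token reproduces Microsoft's documented pattern; confirm against
the token shown in the admin center for the domain."""
import re

MX_SUFFIX = ".mail.protection.outlook.com"
SPF_INCLUDE = "include:spf.protection.outlook.com"
AUTODISCOVER_TARGET = "autodiscover.outlook.com"
VERIFICATION_TXT = re.compile(r"^MS=ms\d+$")  # token issued when the domain is added


def expected_mx_token(domain: str) -> str:
    """The MX target is the domain with dots replaced by hyphens, not a hash,
    and it is derived from the domain being configured:
    fabrikam.com -> fabrikam-com.mail.protection.outlook.com"""
    return domain.lower().rstrip(".").replace(".", "-") + MX_SUFFIX


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def check_domain(domain: str, records: dict) -> list:
    """records = {"TXT": [str], "MX": [(preference, host)], "CNAME": {label: target}}
    Returns a list of findings; an empty list means the zone is ready for mail."""
    findings = []
    txt = records.get("TXT", [])

    # 1. Ownership: without the MS= token the domain stays 'Pending verification'
    #    and no UPN or address can use it.
    if not any(VERIFICATION_TXT.match(t) for t in txt):
        findings.append("verification TXT (MS=ms...) missing: domain stays pending")

    # 2. Inbound routing: the lowest-preference MX must be Exchange Online Protection
    #    and must carry this domain's own token.
    mx = records.get("MX", [])
    if not mx:
        findings.append("no MX record: inbound mail cannot reach Exchange Online")
    else:
        host = _norm(min(mx, key=lambda r: r[0])[1])
        if not host.endswith(MX_SUFFIX):
            findings.append(f"primary MX {host} is not Exchange Online Protection")
        elif host != expected_mx_token(domain):
            findings.append(f"MX token {host} does not match the expected "
                            f"{expected_mx_token(domain)}; confirm in the admin center")

    # 3. Anti-spoofing: exactly one SPF record (RFC 7208 treats two as permerror),
    #    authorising Microsoft's senders and hard-failing everything else.
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        if SPF_INCLUDE not in spf[0]:
            findings.append("SPF lacks include:spf.protection.outlook.com")
        if not spf[0].strip().endswith("-all"):
            findings.append("SPF does not end with -all (hard fail)")

    # 4. Client configuration: Outlook locates Exchange Online through autodiscover.
    if _norm(records.get("CNAME", {}).get("autodiscover", "")) != AUTODISCOVER_TARGET:
        findings.append("autodiscover CNAME missing or not autodiscover.outlook.com")
    return findings


# Constructed sample zones (hypothetical data).
READY_ZONE = {
    "TXT": ["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"],
    "MX": [(0, "fabrikam-com.mail.protection.outlook.com.")],
    "CNAME": {"autodiscover": "autodiscover.outlook.com."},
}
PENDING_ZONE = {  # token never published, MX token copied from contoso.com, softfail SPF
    "TXT": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "MX": [(0, "contoso-com.mail.protection.outlook.com")],
    "CNAME": {},
}

if __name__ == "__main__":
    for label, zone in (("ready", READY_ZONE), ("pending", PENDING_ZONE)):
        print(f"fabrikam.com ({label}):", check_domain("fabrikam.com", zone) or ["ok"])
```

The pending zone reproduces the mistakes these items test for: the verification token was never published, the MX token was borrowed from the tenant's primary domain, the SPF record softfails instead of hard-failing, and autodiscover is absent. Run the check before setting the domain as default so that nothing is assigned to a domain that cannot yet receive mail.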

126
MCQeasy

You run the PowerShell command shown in the exhibit for a Microsoft 365 tenant. The output shows DisplayName as 'Contoso', DefaultDomainName as 'contoso.onmicrosoft.com', and InitialDomain as 'contoso.onmicrosoft.com'. What does this indicate about the tenant?

A.The command requires global admin privileges.
B.The tenant is using the initial .onmicrosoft.com domain as the default domain.
C.The tenant has not been verified.
D.The tenant has a custom domain set as the default.
AnswerB

DefaultDomainName equals InitialDomain, both are .onmicrosoft.com.

Why this answer

Both values are 'contoso.onmicrosoft.com', so the tenant is still using its Microsoft-provided initial domain as its default domain. In Microsoft Graph PowerShell, Get-MgDomain returns one object per domain with IsInitial, IsDefault and IsVerified flags; the exhibit's DefaultDomainName and InitialDomain fields correspond to the domains carrying IsDefault and IsInitial. The default domain is the suffix proposed for new users and groups. Since no custom domain has been promoted (for example with Update-MgDomain -IsDefault), the initial .onmicrosoft.com domain remains the default.

Exam trap

The trap here is that candidates may assume the DefaultDomainName property reflects a custom domain that has been set as default, but the output explicitly shows it is the initial .onmicrosoft.com domain, indicating no custom domain has been promoted to default.

How to eliminate wrong answers

Option A is wrong because reading domain objects requires only the Domain.Read.All (or Directory.Read.All) Graph permission; a Global Reader or any account granted that permission can run it, and Global Administrator is not required. Option C is wrong because the initial .onmicrosoft.com domain is always verified, and unverified custom domains still appear in Get-MgDomain output with IsVerified set to False, so the output says nothing about the tenant being 'unverified'. Option D is wrong because if a custom domain had been set as default, that domain, not contoso.onmicrosoft.com, would appear as the DefaultDomainName.

127
MCQhard

You are the Microsoft 365 administrator for a large enterprise with 50,000 users. The company is deploying Microsoft 365 Copilot for all users. You need to ensure that the data used by Copilot is protected and that Copilot does not inadvertently expose sensitive information. The company has strict data residency requirements: all data must remain within the European Union (EU). You have already configured data boundaries in Microsoft 365 to keep data in the EU. However, you are concerned about Copilot's AI model training. You need to implement additional controls. The company uses Microsoft Purview Information Protection with sensitivity labels. You have created a sensitivity label "Highly Confidential" that applies encryption and a "Confidential" label that applies visual markings. You also have a DLP policy that prevents sharing of "Highly Confidential" data externally. You need to ensure that when a user uses Copilot with a document labeled "Highly Confidential", the Copilot response does not include any of the sensitive content from that document. What should you do?

A.Exclude users who handle Highly Confidential data from Copilot licensing.
B.Ensure that the Highly Confidential sensitivity label includes encryption when applied.
C.Create a DLP policy that blocks Copilot from accessing documents labeled Highly Confidential.
D.Configure Microsoft 365 data boundaries to restrict Copilot data processing to the EU.
AnswerB

Label encryption keeps Copilot from returning content the user does not hold extract rights for.

Why this answer

Option B is correct because the 'Highly Confidential' label applies encryption through Microsoft Purview Information Protection, and Microsoft 365 Copilot honours the usage rights that encryption carries: it returns content from a labelled item only when the signed-in user holds at least the VIEW and EXTRACT rights for it. Configure the label so that ordinary users receive View but not Extract (Copy), and Copilot will neither summarise the document nor reproduce its text in a response, while the user can still open it. Responses that draw on labelled items also inherit the highest-priority label among the sources, so the output is marked as well. Separately, Microsoft states that prompts, responses and data accessed through Microsoft Graph are not used to train the foundation models, which answers the model-training concern in the scenario independently of labels.

Exam trap

The trap here is assuming that encryption alone is enough: if the label grants users the Extract right (for example through Co-Author or Co-Owner permissions), Copilot can read whatever the user can copy. The other trap is expecting the external-sharing DLP policy in the scenario to control what Copilot reads inside the tenant; it governs sharing actions, not retrieval.

How to eliminate wrong answers

Option A is wrong because removing Copilot licenses from some users does nothing about the document itself; any other licensed user who can open it can still have Copilot summarise it, and the exclusion also removes the product from the people who need it. Option C is wrong for the scenario as described: the existing DLP policy controls external sharing and does not govern Copilot's retrieval. (Purview has since added a Microsoft 365 Copilot location to DLP that can exclude items with a given label from Copilot processing, but that is a separate, newer policy type and not what the scenario describes.) Option D is wrong because data boundaries already keep the data in the EU and say nothing about whether Copilot may read encrypted content.

128
MCQhard

Your organization uses Microsoft Defender for Office 365. You have configured a safe attachment policy that should automatically detonate attachments in a sandbox before delivery. However, some users still receive malicious attachments. What should you check first?

A.Check whether a mail flow rule (transport rule) is bypassing Safe Attachments.
B.Check the Safe Links policy configuration.
C.Review the mailbox audit log for each affected user.
D.Verify that the Safe Attachments policy is applied to the affected users and that the action is set to 'Dynamic Delivery' or 'Replace' (not 'Monitor').
AnswerD

The policy must be applied and set to detonate attachments.

Why this answer

Safe Attachments only detonates mail for recipients the policy covers, and only when its action actually blocks or replaces malware. Option D is correct because the first thing to verify is the policy itself: confirm that the affected users (or their domain or group) are in scope, that no higher-priority Safe Attachments policy with a weaker action wins for them, and that the action is Block, Replace or Dynamic Delivery rather than Monitor, which records detections but still delivers the message. Also confirm the recipients are licensed for Defender for Office 365, since unlicensed users are not protected.

How to eliminate wrong answers

Option A is wrong as a first step because a mail flow rule that sets the X-MS-Exchange-Organization-SkipSafeAttachmentProcessing header can indeed bypass Safe Attachments, but it is a less common cause and should be checked after the policy's scope and action have been confirmed. Option B is wrong because Safe Links protects against malicious URLs, not attachments. Option C is wrong because the mailbox audit log records mailbox access and item operations, not which protection policy applied to a message; Threat Explorer or a message trace is where to look once policy coverage is confirmed.

129
Multi-Selecteasy

An administrator needs to open a Microsoft 365 support request because a critical service issue is affecting all users. Which two pieces of information should the administrator have readily available before contacting support? (Choose two.)

Select 2 answers
A.Tenant ID
B.User principal names of affected users
C.Current service health status
D.Billing contact information
AnswersA, C

The Tenant ID is required to verify the organization and locate the tenant in support systems.

Why this answer

The Tenant ID (A) is a unique, immutable identifier for the Microsoft 365 tenant, required by Microsoft Support to locate the tenant in their systems and verify administrative access. The current service health status (C) is critical because the support engineer will first check the Microsoft 365 Service Health Dashboard (admin.microsoft.com/Adminportal/Home?source=applauncher#/servicehealth) to confirm the issue is a known service incident; having this information ready avoids redundant troubleshooting and speeds up the creation of a service request.

Exam trap

The trap here is that candidates often assume user principal names (UPNs) are needed for any support request, but Microsoft Support requires the Tenant ID and service health status for tenant-wide issues, not individual user identifiers.
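The two items above collected from a console, as an added example that is not part of the original question bank. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the Organization.Read.All and ServiceHealth.Read.All scopes; the output column names are the resource properties exposed by Graph.

```powershell
# Added example (not from the original page): gather the tenant ID and the
# current service health state before opening a Microsoft 365 support request.
# Assumes the Microsoft.Graph module and rights to the two scopes below.
Connect-MgGraph -Scopes 'Organization.Read.All', 'ServiceHealth.Read.All' -NoWelcome

# Tenant ID: an immutable GUID that identifies the tenant to support.
# It is not a secret, so it is safe to paste into a ticket.
$org = Get-MgOrganization
"Tenant ID      : $($org.Id)"
"Tenant name    : $($org.DisplayName)"
$default = $org.VerifiedDomains | Where-Object { $_.IsDefault } | Select-Object -ExpandProperty Name
"Default domain : $default"

# Service health: check whether Microsoft already tracks the problem. Open
# incidents carry an ID that the support engineer will ask you to quote, and a
# tenant-wide outage that is already an incident does not need a new ticket.
$open = Get-MgServiceAnnouncementIssue -Filter 'isResolved eq false' -All
if ($open) {
    $open | Select-Object Id, Service, Classification, Status, StartDateTime, Title |
        Sort-Object StartDateTime -Descending | Format-Table -AutoSize
} else {
    'No open service incidents or advisories are reported for this tenant.'
}

Disconnect-MgGraph | Out-Null
```

The Classification column separates incidents (service degraded) from advisories (informational), which is the distinction the support engineer makes first.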

130
Multi-Selectmedium

Your organization uses Microsoft 365 E5 licenses. You need to implement a solution to protect against ransomware attacks. Which TWO features should you configure?

Select 2 answers
A.Enable Microsoft Entra ID Protection.
B.Implement Microsoft Purview Information Protection.
C.Configure Microsoft Defender for Office 365 policies.
D.Deploy Microsoft Defender for Cloud Apps.
E.Use Microsoft Intune to enforce device compliance.
AnswersC, D

Protects against phishing and malware in email.

Why this answer

Option C is correct because Microsoft Defender for Office 365 includes anti-phishing, anti-spam, anti-malware, and Safe Attachments/Safe Links policies that directly block ransomware delivery vectors such as malicious email attachments and URLs. Option D is correct because Microsoft Defender for Cloud Apps provides visibility into cloud app usage, anomaly detection, and the ability to apply session policies (e.g., block download of sensitive files) to prevent ransomware from exfiltrating or encrypting data stored in SaaS apps.

Exam trap

The trap here is that candidates often confuse data protection (Purview Information Protection) or identity protection (Entra ID Protection) with the specific anti-ransomware capabilities of Defender for Office 365 and Defender for Cloud Apps, which are the two services explicitly designed to block ransomware at the email and cloud app layers.

131
Multi-Selectmedium

Which TWO actions are required to enable Microsoft 365 Copilot for your organization?

Select 2 answers
A.Deploy a third-party AI gateway.
B.Assign the Global Administrator role to all users.
C.Disable legacy authentication protocols.
D.Ensure users have a Microsoft 365 E3 or E5 license with the Copilot add-on.
E.Enable Microsoft Graph connectivity for the tenant.
AnswersD, E

Copilot requires the appropriate license.

Why this answer

Microsoft 365 Copilot requires each user to hold a qualifying base license, such as Microsoft 365 E3 or E5, plus the Microsoft 365 Copilot add-on license (D); without the add-on the Copilot features cannot be activated or used in the tenant. Copilot grounds its answers in the tenant's own data (mail, files, chats) through Microsoft Graph, so the tenant must also be able to reach the Microsoft Graph and Microsoft 365 service endpoints (E); a tenant that blocks that connectivity gets no grounded responses.

Exam trap

The trap here is that candidates may confuse general security hardening (like disabling legacy auth) with a specific prerequisite for Copilot, or assume that any Microsoft 365 license is sufficient without the dedicated Copilot add-on.

132
MCQeasy

An organization has just purchased Microsoft 365 Business Standard licenses and has added the custom domain 'contoso.com' to the tenant. The administrator wants all new user email addresses to use '@contoso.com' instead of the default '@contoso.onmicrosoft.com'. How can this be achieved?

A.Set the default domain in the Microsoft 365 admin center to contoso.com
B.Change the primary SMTP address for each user manually after creation
C.Remove the onmicrosoft.com domain from the tenant
D.Edit the user creation PowerShell script to specify the domain
AnswerA

Correct. Changing the default domain ensures new users use @contoso.com automatically.

Why this answer

Setting the default domain to 'contoso.com' in the Microsoft 365 admin center ensures that all newly created users automatically receive an email address with the custom domain as their primary SMTP address. This is the standard method because the default domain setting controls the domain appended to new user accounts during creation, eliminating the need for manual changes.

Exam trap

The trap here is that candidates may think they must manually update each user or use PowerShell because they overlook the simple default domain configuration in the admin center, which automatically applies to all new user creations.

How to eliminate wrong answers

Option B is wrong because manually changing the primary SMTP address for each user after creation is inefficient and does not address the requirement for all new users to automatically use '@contoso.com'; it is a workaround, not a configuration. Option C is wrong because removing the 'onmicrosoft.com' domain from the tenant is not possible—it is a reserved default domain that cannot be deleted and is required for internal routing and Azure AD operations. Option D is wrong because editing a PowerShell script to specify the domain is a valid but unnecessary approach when the default domain setting in the admin center achieves the same result more simply; the question asks how to achieve this, and the admin center method is the direct, supported way.

133
MCQeasy

An administrator wants to customize the Microsoft 365 sign-in page to display the company logo and custom sign-in text. Where in the Microsoft 365 admin center should the administrator go to configure this?

A.Settings > Org settings > Organization profile
B.Microsoft Entra admin center > User settings > Company branding
C.Security & Compliance center > Data classification
D.Exchange admin center > Mail flow > Accepted domains
AnswerB

Company branding for the sign-in page is configured in Microsoft Entra ID, not in the Microsoft 365 admin center itself; the admin center only links out to the Entra admin center (the tile was labelled 'Azure Active Directory' before the Entra rename). The specific settings are under User settings > Company branding.

Why this answer

Option B is correct because company branding for the Microsoft 365 sign-in page, including the company logo and custom sign-in text, is configured in the Microsoft Entra admin center under User settings > Company branding. This setting applies Azure AD tenant-wide branding that appears on the sign-in page for all users, including custom logos, background images, and sign-in text.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center's Organization profile settings with the actual sign-in page branding, which is exclusively managed in the Microsoft Entra admin center under Company branding.

How to eliminate wrong answers

Option A is wrong because Settings > Org settings > Organization profile in the Microsoft 365 admin center is used to configure organization information like address, technical contact, and privacy profile, not sign-in page branding. Option C is wrong because the Security & Compliance center > Data classification is used for sensitive information types, data loss prevention policies, and retention labels, not for customizing the sign-in page. Option D is wrong because Exchange admin center > Mail flow > Accepted domains is used to manage email domains that are accepted by the Exchange organization, not for sign-in page branding.

134
MCQhard

Your organization uses Microsoft Defender for Identity and has enabled Microsoft Secure Score. You notice that the Secure Score for Identity has dropped significantly after a recent configuration change. Which action is most likely to have caused the decrease?

A.Changing password expiration policy to 180 days.
B.Enabling MFA for all users.
C.Disabling password hash synchronization in Microsoft Entra Connect.
D.Implementing a conditional access policy blocking legacy authentication.
AnswerC

Correct: disabling password hash synchronization forfeits the points for that Secure Score recommended action and removes the data that leaked-credential detection depends on.

Why this answer

Password hash synchronization (PHS) is the subject of a Secure Score recommended action in the Identity category ('Enable password hash sync if hybrid'), so switching it off in Microsoft Entra Connect immediately costs those points. It also removes the basis for Microsoft Entra ID Protection's leaked credentials detection: without the synchronized hashes, credentials that turn up in breach dumps cannot be matched to your users, and the cloud can no longer serve as a fallback sign-in path if federation or pass-through authentication agents fail. Microsoft Defender for Identity, which the question mentions, works from its on-premises sensors and is not the consumer of the synchronized hashes; the score drop comes from the identity posture controls, not from Defender for Identity losing a feed.

Exam trap

The trap here is that candidates often assume disabling password hash synchronization is a security improvement (to avoid storing hashes in the cloud), but they overlook that Entra ID Protection's leaked credentials detection requires it, that Microsoft's guidance is to keep PHS enabled even in federated tenants, and that Secure Score penalizes its absence.

How to eliminate wrong answers

Option A is wrong because changing the password expiration interval does not remove any detection capability; Secure Score for Identity is driven by configuration and detection health, and a change in password age alone would not produce a significant drop. Option B is wrong because enabling MFA for all users improves security posture and typically increases Secure Score, not decreases it. Option D is wrong because implementing a conditional access policy blocking legacy authentication reduces attack surface and improves security, which would raise Secure Score for Identity, not lower it.
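How a practitioner would actually answer "which change caused the drop" rather than guessing: compare the per-control scores of the two most recent daily Secure Score snapshots, then read the hash-sync flag. This is an added example, not part of the original question bank. It assumes the Microsoft Graph PowerShell SDK, an account with SecurityEvents.Read.All and Directory.Read.All, and the property names of the v1.0 secureScore and onPremisesDirectorySynchronization resources.

```powershell
# Added example (not from the original page): find which Secure Score controls
# lost points between the two latest daily snapshots, then confirm the
# password hash sync setting that question 134 turns on.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All', 'Directory.Read.All' -NoWelcome

# Secure Score is computed once per day; the API returns one object per day.
$snapshots = Get-MgSecuritySecureScore -Top 2 | Sort-Object CreatedDateTime -Descending
if (@($snapshots).Count -lt 2) { throw 'Need at least two daily snapshots to compare.' }
$today     = $snapshots[0]
$yesterday = $snapshots[1]

"Score now: $($today.CurrentScore) of $($today.MaxScore) (previous day: $($yesterday.CurrentScore))"

# Index yesterday's per-control scores by control name so we can diff them.
$previous = @{}
foreach ($c in $yesterday.ControlScores) { $previous[$c.ControlName] = $c.Score }

# Any control whose points fell is a candidate cause; biggest loss first.
$today.ControlScores |
    Where-Object { $previous.ContainsKey($_.ControlName) -and $_.Score -lt $previous[$_.ControlName] } |
    ForEach-Object {
        [pscustomobject]@{
            Control  = $_.ControlName
            Category = $_.ControlCategory
            Before   = $previous[$_.ControlName]
            After    = $_.Score
            Lost     = $previous[$_.ControlName] - $_.Score
        }
    } | Sort-Object Lost -Descending | Format-Table -AutoSize

# The setting behind question 134. Cloud-only tenants have no sync object at all.
$sync = Get-MgDirectoryOnPremiseSynchronization
if ($sync) {
    "Password hash sync enabled: $($sync.Features.PasswordSyncEnabled)"
} else {
    'No Microsoft Entra Connect configuration found; tenant is cloud-only.'
}

Disconnect-MgGraph | Out-Null
```

If the only control that lost points is the hash-sync recommendation, the diff confirms the scenario in the question; if several identity controls dropped at once, look for a broader change such as a removed Conditional Access policy before touching Entra Connect.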

135
MCQhard

Your company is deploying Microsoft Defender for Office 365. The security team wants to automatically remove messages identified as malware from all mailboxes after delivery. What should you configure?

A.Configure an anti-malware policy with a high-confidence verdict.
B.Enable Zero-hour auto purge (ZAP) in the anti-malware policy.
C.Set up a mailbox intelligence policy.
D.Create an anti-phishing policy to block spoofed senders.
AnswerB

ZAP automatically removes malware after delivery.

Why this answer

Zero-hour auto purge (ZAP) is the correct feature because it acts on messages that were already delivered and are only later identified as malicious, for example when a signature or reputation update arrives after delivery. With ZAP enabled in the anti-malware policy, a post-delivery malware verdict quarantines the message out of the user's mailbox; spam and phishing ZAP, configured in the anti-spam policy, move or quarantine the message according to that policy's action. Either way the cleanup happens without manual intervention.

Exam trap

The trap here is that candidates often confuse ZAP with initial filtering policies, assuming that configuring a high-confidence verdict in the anti-malware policy alone will handle post-delivery removal, when in fact ZAP must be explicitly enabled for that purpose.

How to eliminate wrong answers

Option A is wrong because the verdict settings in an anti-malware policy only affect the initial filtering and delivery decision; they do not remove messages that were already delivered. Option C is wrong because mailbox intelligence is an impersonation-protection setting inside Defender for Office 365 anti-phishing policies; it learns each user's normal correspondents to spot impersonated senders and has nothing to do with removing malware after delivery. Option D is wrong because an anti-phishing policy targets spoofed senders and phishing attempts, not malware removal, and does not provide post-delivery cleanup.
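The checks from question 128 (is Safe Attachments applied and enforcing, and is anything bypassing it) and from question 135 (is ZAP on) collected into one audit script. This is an added example, not part of the original question bank. It assumes the ExchangeOnlineManagement module and an account that can read threat policies and mail flow rules; the bypass header name is the documented X-MS-Exchange-Organization-SkipSafeAttachmentProcessing header that a mail flow rule can set.

```powershell
# Added example (not from the original page): audit the Defender for Office 365
# settings behind questions 128 and 135 and list the gaps found.
Connect-ExchangeOnline

$findings = New-Object System.Collections.Generic.List[string]

# --- Question 128, check 1: every Safe Attachments rule enabled, every policy
# set to act. In PowerShell the portal's 'Monitor' action is shown as 'Allow':
# the attachment is detonated but the message is still delivered.
foreach ($rule in Get-SafeAttachmentRule) {
    $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
    if ($rule.State -ne 'Enabled' -or -not $policy.Enable) {
        $findings.Add("Safe Attachments rule '$($rule.Name)' is disabled")
    }
    if ($policy.Action -eq 'Allow') {
        $findings.Add("Safe Attachments policy '$($policy.Name)' is in Monitor mode (Action=Allow)")
    }
    # Scope: a user who matches none of the conditions, or matches an
    # exception, is simply not covered. Print the scope for review.
    $rule | Format-List Name, State, SentTo, SentToMemberOf, RecipientDomainIs,
                        ExceptIfSentTo, ExceptIfSentToMemberOf, ExceptIfRecipientDomainIs
}

# --- Question 128, check 2: mail flow rules that set the bypass header skip
# Safe Attachments entirely for any message they match.
$bypassHeader = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
foreach ($tr in Get-TransportRule | Where-Object { $_.SetHeaderName -eq $bypassHeader }) {
    $findings.Add("Mail flow rule '$($tr.Name)' (state $($tr.State)) sets the Safe Attachments bypass header")
}

# --- Question 135: ZAP for malware lives in the anti-malware policy; ZAP for
# spam and phishing lives in the anti-spam (hosted content filter) policy.
foreach ($mp in Get-MalwareFilterPolicy) {
    if (-not $mp.ZapEnabled) {
        $findings.Add("Anti-malware policy '$($mp.Name)' has ZAP disabled; malware found after delivery stays in mailboxes")
    }
}
foreach ($sp in Get-HostedContentFilterPolicy) {
    if (-not $sp.SpamZapEnabled -or -not $sp.PhishZapEnabled) {
        $findings.Add("Anti-spam policy '$($sp.Name)': SpamZap=$($sp.SpamZapEnabled) PhishZap=$($sp.PhishZapEnabled)")
    }
}

if ($findings.Count -eq 0) { 'No gaps found.' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it read-only first; the fixes (Set-SafeAttachmentPolicy -Action Block, Set-MalwareFilterPolicy -ZapEnabled $true) are one-line follow-ups once you know which policy is at fault.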

136
MCQhard

Your Microsoft 365 tenant has a Microsoft Entra ID tenant with custom B2B collaboration settings. You need to allow external users from a specific domain (partner.com) to self-service sign up, but block all other external domains. What should you configure?

A.Configure SharePoint Online external sharing settings to allow partner.com only.
B.Set guest user access permissions to 'Guest user access is restricted'.
C.Configure cross-tenant access settings for partner.com with inbound access enabled and block other domains by default.
D.Add partner.com to the B2B collaboration allowlist in Microsoft Entra ID.
AnswerC

Cross-tenant access settings control inbound B2B collaboration, including self-service sign-up.

Why this answer

Option C is correct because cross-tenant access settings in Microsoft Entra ID allow you to configure inbound access for specific external domains (partner.com) while blocking all others by default. This granular control enables self-service sign-up for allowed domains and prevents external users from unauthorized domains from signing up, directly meeting the requirement.

Exam trap

The trap here is that candidates often confuse SharePoint external sharing settings (which control content sharing) with Microsoft Entra ID B2B collaboration settings (which control identity and access for external users), leading them to select Option A instead of the correct cross-tenant access configuration.

How to eliminate wrong answers

Option A is wrong because SharePoint Online external sharing settings control sharing of SharePoint content (sites, documents) with external users, not the self-service sign-up process for B2B collaboration in Microsoft Entra ID. Option B is wrong because 'Guest user access is restricted' limits what guest users can do after they are in the directory (e.g., restrict directory browsing), but does not control which domains can self-service sign up. Option D is wrong because Microsoft Entra ID has no object called a 'B2B collaboration allowlist'; the closest thing, the domain allow/deny list under External collaboration settings, only restricts which domains can be invited, whereas cross-tenant access settings are the mechanism that governs inbound and outbound B2B collaboration per external organization.

137
MCQmedium

Your company uses Microsoft 365 and has recently deployed Microsoft Intune for mobile device management. You need to ensure that corporate data on iOS devices is protected by preventing users from copying data from managed apps to unmanaged apps. What should you configure?

A.Mobile application management (MAM) without enrollment.
B.Device compliance policies.
C.Conditional Access policies.
D.App protection policies.
AnswerD

App protection policies manage data sharing between managed and unmanaged apps.

Why this answer

App protection policies (APP) are the correct choice because they provide mobile application management (MAM) controls that specifically prevent data transfer between managed and unmanaged apps on iOS devices. Unlike device-level policies, APP operates at the application layer, allowing you to restrict copy/paste, cut, and data sharing actions without requiring device enrollment. This directly addresses the requirement to protect corporate data on iOS devices by blocking data leakage to unmanaged apps.

Exam trap

The trap here is that candidates confuse the deployment model (MAM without enrollment) with the actual policy configuration (app protection policies), or they mistakenly think device compliance or Conditional Access can control app-level data sharing, which they cannot.

How to eliminate wrong answers

Option A is wrong because MAM without enrollment (also known as MAM-WE) is a deployment model, not a specific policy configuration; while it can use app protection policies, the question asks what to configure, and the correct configuration is the app protection policy itself, not the deployment model. Option B is wrong because device compliance policies enforce device-level security requirements (e.g., jailbreak detection, passcode compliance) but do not control data transfer between apps at the application layer. Option C is wrong because Conditional Access policies control access to resources based on signals like device compliance or location, but they do not directly restrict copy/paste or data sharing between managed and unmanaged apps.

138
MCQmedium

Refer to the exhibit. You are reviewing a Microsoft Entra ID Governance access review. The JSON shows an access review scope for a SharePoint site. What does the 'isExternallyAccessible': false setting indicate about the site?

A.The site's external sharing settings are not reviewed.
B.External users cannot access the site.
C.The site is configured to allow sharing with anyone.
D.External users are automatically granted access.
AnswerB

The setting blocks external access.

Why this answer

The 'isExternallyAccessible': false setting in the access review scope JSON indicates that the SharePoint site is not configured to allow external sharing. This means external users cannot access the site, making option B correct. The setting directly controls whether the site is visible to external identities in the access review, not the review process itself.

Exam trap

The trap here is that candidates confuse 'isExternallyAccessible' with the access review's review scope filtering, thinking it means the site is excluded from review, when it actually indicates the site's external sharing state.

How to eliminate wrong answers

Option A is wrong because 'isExternallyAccessible' controls the site's external sharing configuration, not whether the sharing settings are reviewed; access reviews always evaluate the site's sharing state. Option C is wrong because 'isExternallyAccessible': false explicitly means the site does not allow sharing with anyone (including 'Anyone' links), which would require the setting to be true. Option D is wrong because external users are not automatically granted access when the setting is false; they are explicitly blocked from accessing the site.

139
MCQeasy

A newly hired Microsoft 365 administrator needs to receive email notifications for all service health incidents. The administrator wants to ensure they have the necessary permissions to configure these notifications. Which role is the minimum role required to manage service health notifications in the Microsoft 365 admin center?

A.Global Administrator
B.Service Administrator
C.User Administrator
D.Security Reader
AnswerB

Service Administrator can manage service health and notifications, and is the least privileged role for this task.

Why this answer

The Service Administrator role (shown as Service Support Administrator in Microsoft Entra) is the minimum built-in role that grants permission to view service health and manage its notifications in the Microsoft 365 admin center, and to open support requests. It allows the administrator to view and configure service health alerts and notifications without the broader privileges of the Global Administrator role, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often assume the Global Administrator role is required for any configuration task, but Microsoft 365 RBAC includes dedicated service management roles that allow granular delegation without full administrative access.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role has full access to all administrative features, including service health notifications, but it is not the minimum role required; using it would violate least privilege. Option C is wrong because the User Administrator role is limited to managing users, groups, and licensing, and does not include permissions to manage service health notifications. Option D is wrong because the Security Reader role provides read-only access to security-related features and reports, but it cannot configure or manage service health notifications.

140
Matchingmedium

Match each Microsoft 365 plan to its included services.


Concepts
Matches

Web and mobile apps only

Desktop apps plus web and mobile

Business Standard plus security features

Full enterprise features without advanced security

E3 plus advanced security and analytics

Why these pairings

These plans differ in app availability and security capabilities.

141
MCQeasy

A company has just purchased Microsoft 365 Business Standard and added the custom domain 'fabrikam.com' to the tenant. They want to verify domain ownership. Which DNS record type must they add to their DNS provider?

A.MX record
B.CNAME record
C.TXT record
D.SPF record
AnswerC

A TXT record with the verification string is the standard method for domain ownership verification.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing a unique verification string provided by the Microsoft 365 admin center. The TXT record is the standard DNS record type used for domain validation because it can store arbitrary text data without affecting email routing or other services. Microsoft 365 checks for this specific TXT record to confirm you control the domain.

Exam trap

The trap here is that candidates often confuse the TXT record used for domain verification with the SPF record, which is also a TXT record type, but SPF is specifically for email authentication and not for proving domain ownership.

How to eliminate wrong answers

Option A is wrong because an MX record specifies the mail server for the domain and is used for email routing, not domain ownership verification. Option B is wrong because a CNAME record aliases one domain name to another and is not used for domain validation; it is typically used for services like autodiscover. Option D is wrong because an SPF record is a TXT record subtype that authorizes email senders and is not used for domain ownership verification; adding an SPF record alone does not prove domain control.
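The verification flow end to end, as an added example that is not part of the original question bank: pull the expected TXT value for fabrikam.com from Microsoft Graph, confirm it is visible in public DNS, and only then request verification. It assumes the Microsoft Graph PowerShell SDK, a Domain Name Administrator (or higher) account, the Windows DnsClient module for Resolve-DnsName, and that the SDK surfaces the record's text field through AdditionalProperties.

```powershell
# Added example (not from the original page): verify ownership of a custom
# domain with the TXT record from question 141, distinguishing it from SPF.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome
$domain = 'fabrikam.com'

# Step 1: the token Microsoft expects. Only the TXT entry proves ownership; the
# MX, CNAME and SPF records you add later are service configuration, not proof.
$expected = Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object { $_.RecordType -eq 'Txt' } |
    ForEach-Object { $_.AdditionalProperties['text'] }
"Publish this TXT record at the apex of ${domain}: $expected"

# Step 2: look at what public DNS actually returns. An entry starting with
# 'v=spf1' is SPF, which is also TXT but is not the verification token.
$published = @((Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings)
$spfOnly   = $published | Where-Object { $_ -like 'v=spf1*' }

if ($published -contains $expected) {
    'Verification record found in DNS; asking Microsoft 365 to verify.'
    Confirm-MgDomain -DomainId $domain
    "IsVerified now: $((Get-MgDomain -DomainId $domain).IsVerified)"
} else {
    'Verification record not visible yet (DNS propagation or wrong zone).'
    if ($spfOnly) { "Only SPF is published ($spfOnly); that does not prove ownership." }
    'TXT records currently published:'
    $published | ForEach-Object { "  $_" }
}

Disconnect-MgGraph | Out-Null
```

Confirm-MgDomain returns nothing on success, so the script reads IsVerified afterwards; if the TXT record was just added, wait for the zone's TTL to expire before retrying rather than re-adding the record.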

142
MCQmedium

Your organization uses Microsoft Intune for mobile device management (MDM). You need to enforce that all iOS and Android devices must have a screen lock password of at least 6 characters before they can access corporate email. What should you configure?

A.Create an app protection policy in Microsoft Intune targeting iOS and Android with a minimum PIN length of 6
B.Create a Conditional Access policy requiring compliant devices
C.Create a device configuration profile to set a passcode policy of 6 characters
D.Create a device compliance policy requiring a password length of 6
AnswerA

App protection policies enforce app-level PIN for corporate data access.

Why this answer

Option A is correct because an app protection policy (APP) in Microsoft Intune can enforce a minimum PIN length of 6 characters at the application layer, specifically for accessing corporate email in apps like Outlook. This policy applies regardless of device enrollment status and works on both iOS and Android, meeting the requirement to control access to corporate email without needing device-level management.

Exam trap

The trap here is that candidates often confuse device-level passcode enforcement (via compliance or configuration profiles) with app-level PIN enforcement (via app protection policies), not realizing that the question specifically targets access to corporate email in apps, which is controlled by MAM policies, not MDM device settings.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy requiring compliant devices enforces device-level compliance (e.g., device is marked compliant via Intune), but it does not directly set a screen lock password length; it relies on a separate compliance policy to define that requirement. Option C is wrong because a device configuration profile sets device-level passcode settings, but it only applies to enrolled devices and does not guarantee enforcement for unmanaged or BYOD devices accessing corporate email via apps. Option D is wrong because a device compliance policy can require a password length of 6, but it only marks devices as non-compliant; it does not block access to corporate email at the app layer unless combined with a Conditional Access policy—and even then, it does not enforce the PIN length directly within the app itself.
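Questions 137 and 142 are two settings on the same object, so one worked example covers both: an iOS app protection policy that restricts data transfer to managed apps and requires a 6-character app PIN, created through Microsoft Graph, scoped to Outlook for iOS, and assigned to a group. This is an added example, not part of the original question bank. It assumes the Microsoft Graph PowerShell SDK, an Intune Administrator account, the v1.0 iosManagedAppProtection resource's property names, and a placeholder group ID you replace with your own.

```powershell
# Added example (not from the original page): create, target and assign the
# iOS app protection policy behind questions 137 and 142.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'iOS - corporate data in managed apps only'
    # Question 137: data may only flow between policy-managed apps, and the
    # clipboard only pastes into managed apps (cut/copy out is blocked).
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    # Question 142: an app-level PIN gate, enforced whether or not the device is enrolled.
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = 'alphanumericAndSymbol'
    simplePinBlocked                        = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $policy
"Created policy $($created.id)"

# Scope the policy to Outlook for iOS by its App Store bundle ID.
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                                    bundleId      = 'com.microsoft.Office.Outlook' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" -Body $targetApps

# Assign to the users who should get the policy (placeholder group ID: assumption).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = '00000000-0000-0000-0000-000000000000' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" -Body $assignment

Disconnect-MgGraph | Out-Null
```

Nothing here references a device compliance policy or Conditional Access: the PIN and the transfer restrictions are evaluated by the Intune SDK inside the targeted app, which is why the same policy protects an unenrolled BYOD phone.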

143
MCQhard

Your organization is planning to deploy Microsoft 365 Copilot for all users. The compliance team has concerns about data leakage through Copilot responses. Specifically, they want to ensure that Copilot does not generate responses based on highly confidential data labeled with the 'Highly Confidential' sensitivity label. Additionally, users must be able to use Copilot for general productivity tasks. You need to configure Microsoft 365 Copilot to meet these requirements. The solution must use Microsoft Purview Information Protection. What should you do?

A.Remove the 'Highly Confidential' label from data that needs to be accessed by Copilot.
B.Configure sensitivity labels to apply encryption to 'Highly Confidential' data and use Microsoft Purview DLP to prevent Copilot from using that content.
C.Block Copilot for all users who have access to 'Highly Confidential' data.
D.Create a conditional access policy to require multi-factor authentication for Copilot access.
AnswerB

Encryption and DLP policies can restrict Copilot from accessing protected content.

Why this answer

Option B is correct because it uses Microsoft Purview Information Protection to apply encryption via sensitivity labels to 'Highly Confidential' data, and then leverages Microsoft Purview Data Loss Prevention (DLP) policies to block Copilot from accessing or generating responses based on that encrypted content. This ensures that Copilot cannot use the protected data as a source for its responses, while still allowing users to use Copilot for general productivity tasks with non-protected data.

Exam trap

The trap here is that candidates often confuse blocking user access (Option C) with blocking data usage, or they think removing a label (Option A) is a valid compliance control, when in fact the correct approach is to use DLP policies to enforce restrictions on how Copilot can use labeled data.

How to eliminate wrong answers

Option A is wrong because removing the 'Highly Confidential' label from data does not prevent Copilot from accessing that data; it simply removes the classification, which could lead to data leakage and violates the compliance team's requirement to protect that specific data. Option C is wrong because blocking Copilot for all users who have access to 'Highly Confidential' data would prevent those users from using Copilot for general productivity tasks, which is explicitly required, and it does not address the data itself—only user access. Option D is wrong because a conditional access policy requiring multi-factor authentication for Copilot access controls authentication, not data usage; it does not prevent Copilot from generating responses based on 'Highly Confidential' data.

144
MCQeasy

An administrator needs to update the organization's display name, technical contact, and privacy statement URL in the Microsoft 365 admin center. Which page should they navigate to?

A.Settings > Org settings > Organization profile
B.Users > Active users > More actions > Edit contact info
C.Billing > Billing accounts > Edit organization info
D.Admin centers > Azure AD > Properties
AnswerA

This is the correct location to edit the organization's display name, technical contact, privacy statement, and other global settings.

Why this answer

Option A is correct because the 'Settings > Org settings > Organization profile' page in the Microsoft 365 admin center is the dedicated location for modifying tenant-wide metadata, including the organization's display name, technical contact email, and privacy statement URL. These settings are stored in the Microsoft 365 tenant's directory properties and are distinct from user-level or billing-level configurations.

Exam trap

The trap here is that the Microsoft Entra (Azure AD) tenant Properties blade also exposes the organization name, technical contact and privacy information, so candidates reach for it; the question, however, asks where in the Microsoft 365 admin center the change is made, and the dedicated page there is Settings > Org settings > Organization profile.

How to eliminate wrong answers

Option B is wrong because 'Users > Active users > More actions > Edit contact info' modifies individual user contact details, not tenant-wide organization properties like the display name or privacy statement URL. Option C is wrong because 'Billing > Billing accounts > Edit organization info' manages billing-related account information (e.g., invoice address, payment method) and does not include the technical contact or privacy statement URL fields. Option D is wrong because 'Admin centers > Azure AD > Properties' is not a page in the Microsoft 365 admin center at all; it navigates out to the Microsoft Entra tenant Properties blade. That blade does expose the organization name, technical contact and privacy statement URL, but the question asks for the Microsoft 365 admin center page, which is Organization profile.

145
MCQmedium

Your organization has a Microsoft 365 tenant with a custom domain contoso.com. You have configured Exchange Online to accept emails for contoso.com. You now need to add a subdomain sales.contoso.com and ensure that email sent to sales.contoso.com is delivered to a specific shared mailbox. What should you do?

A.Add sales.contoso.com as a custom domain in the Microsoft 365 admin center and verify ownership.
B.Add sales.contoso.com as an accepted domain in Exchange Online and create a transport rule to redirect emails to the shared mailbox.
C.Configure an auto-expanding archive for the shared mailbox.
D.Create a distribution group named sales@contoso.com and add the shared mailbox as a member.
AnswerB

Accepted domains allow receiving email for the subdomain, and a transport rule can redirect.

Why this answer

Option B is correct because routing mail for a subdomain to one mailbox takes two pieces: the subdomain must be an accepted domain in Exchange Online so that Exchange Online Protection accepts mail addressed to it at all (no separate verification is needed, since a subdomain of an already verified domain inherits that verification), and a mail flow rule (transport rule) with the condition 'recipient address domain is sales.contoso.com' and the action 'redirect the message to' the shared mailbox delivers every message to the target. One DNS caveat the question glosses over: verification is inherited, routing is not. Internet senders look up the MX record for sales.contoso.com itself, so that record must point at Exchange Online or external mail to the subdomain never arrives.

Exam trap

The trap here is that candidates confuse adding a subdomain as a custom domain (which requires unnecessary DNS verification) with adding it as an accepted domain in Exchange Online, which is the correct approach for routing email to a specific mailbox without altering the parent domain's verification status.

How to eliminate wrong answers

Option A is wrong because adding sales.contoso.com as a separate custom domain in the Microsoft 365 admin center would put it through its own DNS verification, which is unnecessary: subdomains of an already verified domain inherit that verification, so the subdomain is added as an accepted domain beneath contoso.com, and by itself adding a domain does nothing to deliver its mail to a specific mailbox. Option C is wrong because configuring an auto-expanding archive for the shared mailbox addresses storage capacity, not email routing for a subdomain. Option D is wrong because creating a distribution group with the shared mailbox as a member would not route emails sent to sales.contoso.com to that mailbox; it would only allow the group to receive emails sent to the group's address, and the subdomain routing is not configured.
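The routing step from question 145 in Exchange Online PowerShell, as an added example that is not part of the original question bank. It assumes the ExchangeOnlineManagement module, an account with mail flow rights, that sales@contoso.com is the shared mailbox, and that the subdomain has already been added beneath the verified contoso.com domain.

```powershell
# Added example (not from the original page): route all mail for
# sales.contoso.com to one shared mailbox with a mail flow rule.
Connect-ExchangeOnline

$subdomain = 'sales.contoso.com'
$target    = 'sales@contoso.com'

# Precondition: EOP only accepts mail for accepted domains, so a rule on a
# subdomain that is not one would never fire. Fail early instead of creating a dead rule.
$accepted = Get-AcceptedDomain -Identity $subdomain -ErrorAction SilentlyContinue
if (-not $accepted) {
    throw "$subdomain is not an accepted domain yet; add it under the verified contoso.com domain first."
}

# The rule: condition on the recipient's domain, action redirect. Redirect
# (not Bcc or forward) means the original recipient address never needs a mailbox.
New-TransportRule -Name "Route $subdomain to shared mailbox" `
    -RecipientDomainIs $subdomain `
    -RedirectMessageTo $target `
    -Comments "All mail addressed to @$subdomain lands in the Sales shared mailbox" `
    -Mode Enforce | Out-Null

# Verify the rule landed enabled with the expected condition and action.
Get-TransportRule -Identity "Route $subdomain to shared mailbox" |
    Format-List Name, State, Mode, RecipientDomainIs, RedirectMessageTo

Disconnect-ExchangeOnline -Confirm:$false
```

After the rule exists, send a test message from an external mailbox to any address at the subdomain; if it does not arrive, check the MX record for sales.contoso.com before touching the rule, since DNS, not Exchange, is the usual culprit.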

146
MCQeasy

A company has purchased Microsoft 365 Business Standard and added the custom domain 'fabrikam.com' to the tenant. The company wants all new users to have 'fabrikam.com' as their default email domain instead of the onmicrosoft.com domain. How should the administrator achieve this?

A.Update the MX record in the DNS to point to Microsoft 365 with the custom domain.
B.In the admin center, go to Settings > Domains, select the custom domain, and click 'Set as default'.
C.Use the Exchange admin center to set the default email address policy to use the custom domain.
D.For each new user, manually add an email alias with the custom domain and remove the onmicrosoft.com alias.
AnswerB

This changes the default domain for new users to the custom domain.

Why this answer

Option B is correct because the Microsoft 365 admin center provides a dedicated setting under Settings > Domains to mark a custom domain as the default email domain. Once set as default, all new users will automatically receive a primary email address using that domain instead of the initial onmicrosoft.com domain, without requiring manual changes or additional configuration.

Exam trap

The trap here is that candidates often confuse DNS record management (like MX records) with tenant-level domain configuration, or assume that Exchange email address policies are the only way to control default domains, when in fact the admin center's 'Set as default' option is the correct and simplest method for new users.

How to eliminate wrong answers

Option A is wrong because updating the MX record only controls mail routing (where incoming emails are delivered), not the default email domain assigned to new users. Option C is wrong because the Exchange admin center's email address policy applies to existing mailboxes and can set domain preferences, but the default domain for new users is controlled at the tenant level in the Microsoft 365 admin center, not via an email address policy. Option D is wrong because manually adding and removing aliases for each new user is inefficient and unnecessary; the default domain setting automates this process for all new users.

147
MCQmedium

Your organization plans to use Microsoft 365 Copilot. To ensure compliance, you need to prevent Copilot from accessing sensitive content in SharePoint Online document libraries that are labeled as 'Highly Confidential'. What should you configure?

A.Configure a retention policy to prevent Copilot from accessing older content.
B.Create a conditional access policy to block Copilot from accessing SharePoint.
C.Create a DLP policy to block Copilot from processing 'Highly Confidential' content.
D.Configure a sensitivity label with encryption and apply it to the documents.
AnswerD

Copilot respects sensitivity labels with encryption and will not access encrypted content.

Why this answer

Option D is correct because sensitivity labels with encryption can restrict access to documents based on their classification. When a document is labeled 'Highly Confidential' and encrypted, Microsoft 365 Copilot cannot process it because Copilot respects the encryption applied by the label, effectively preventing it from accessing the sensitive content. This is the only configuration that directly controls Copilot's ability to read the content at the file level.

Exam trap

The trap here is that candidates often confuse DLP policies (which control data sharing) with sensitivity labels (which control access and usage), leading them to choose option C, but DLP does not block internal processing by Copilot.

How to eliminate wrong answers

Option A is wrong because retention policies are designed to preserve or delete content based on time, not to control access or processing by Copilot; they do not block Copilot from reading current or older content. Option B is wrong because conditional access policies control user authentication and device access to SharePoint, not the behavior of Copilot as a service principal; Copilot operates under its own service identity and is not subject to user-level conditional access policies. Option C is wrong because DLP policies are used to detect and prevent the sharing of sensitive information, not to block internal processing by Copilot; DLP does not prevent Copilot from reading or summarizing content within the tenant.

148
MCQmedium

An administrator has added the custom domain 'contoso.co.uk' to their Microsoft 365 tenant and verified ownership. Users now need to receive email at @contoso.co.uk. Which DNS record must the administrator add in the public DNS zone to route emails to Exchange Online?

A.Add an MX record pointing to <tenant>.mail.protection.outlook.com
B.Add a CNAME record for autodiscover
C.Add an SPF record
D.Add a DKIM record
AnswerA

The MX record directs incoming email to the Exchange Online mail servers.

Why this answer

To route email for a custom domain to Exchange Online, you must add an MX record in the public DNS zone that points to the Exchange Online mail exchanger. The correct target is <tenant>.mail.protection.outlook.com, where <tenant> is your initial tenant name (e.g., contoso-com). This MX record tells sending mail servers to deliver messages for @contoso.co.uk to Microsoft's email infrastructure.

Exam trap

The trap here is that candidates confuse DNS records required for email routing (MX) with records required for email security or client discovery (SPF, DKIM, Autodiscover), leading them to select a record that does not actually deliver inbound messages.

How to eliminate wrong answers

Option B is wrong because a CNAME record for autodiscover is used to configure client connectivity (Outlook auto-configuration), not to route inbound email. Option C is wrong because an SPF record is a TXT record that authorizes sending servers and helps prevent spoofing, but it does not direct email delivery. Option D is wrong because a DKIM record is a TXT record used to sign outgoing emails for cryptographic verification, not to route inbound messages.

149
MCQeasy

Your company has a Microsoft 365 E5 subscription. You need to configure multi-factor authentication (MFA) for all users. However, the CEO insists that he should not be prompted for MFA when connecting from the corporate office. What should you do?

A.Use per-user MFA and set the CEO's account to bypass.
B.Disable MFA for the CEO's account.
C.Configure trusted IPs in the MFA service settings.
D.Create a Conditional Access policy that excludes the corporate office named location from requiring MFA.
AnswerD

Named locations can define trusted IP ranges and exclude them from MFA.

Why this answer

Option D is correct because named locations in Microsoft Entra ID Conditional Access allow you to define trusted IP ranges (e.g., the corporate office) and exclude them from MFA requirements. Option B is wrong because disabling MFA for the CEO violates the requirement to have MFA for all users. Option A is wrong because per-user MFA does not support location-based exclusions.

Option C is wrong because trusted IPs in the MFA service settings apply to all users and cannot be scoped to a single user.

150
MCQeasy

Your company has a Microsoft 365 E3 tenant. You need to enable Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared externally via email. What must you do first?

A.Create a DLP policy in Microsoft Defender XDR
B.Navigate to the Microsoft Purview compliance portal and create a DLP policy
C.Use Exchange Online PowerShell to configure DLP rules
D.Upgrade to Microsoft 365 E5 or purchase a DLP add-on
AnswerD

E5 or an add-on is required for DLP.

Why this answer

Microsoft 365 E3 does not include the advanced DLP capabilities required to prevent sensitive data from being shared externally via email. The correct first step is to upgrade to Microsoft 365 E5 or purchase a DLP add-on license, as DLP policies for Exchange Online in E3 are limited to basic rule-based protection and cannot enforce the full Purview DLP policy set. Without the appropriate license, any attempt to create or apply a DLP policy will fail or be non-functional.

Exam trap

The trap here is that candidates assume the Microsoft Purview compliance portal is accessible and functional for DLP policy creation in any Microsoft 365 plan, but Microsoft enforces licensing requirements at the service level, so without E5 or a DLP add-on, the DLP policy creation and enforcement features are disabled.

How to eliminate wrong answers

Option A is wrong because creating a DLP policy in Microsoft Defender XDR is not the first step; Defender XDR policies focus on security incidents and threat protection, not data loss prevention, and the tenant lacks the required license. Option B is wrong because navigating to the Microsoft Purview compliance portal and creating a DLP policy is not possible without the E5 or DLP add-on license; the portal will block policy creation or enforcement due to licensing restrictions. Option C is wrong because using Exchange Online PowerShell to configure DLP rules is ineffective without the proper license; PowerShell cannot bypass licensing requirements, and the underlying DLP engine will not enforce the rules.
