CCNA Deploy and manage a Microsoft 365 tenant Questions

75 of 248 questions · Page 3/4 · Deploy and manage a Microsoft 365 tenant · Answers revealed

151 · Multi-Select · hard

You are planning a Microsoft 365 tenant migration from another tenant. You need to migrate email, OneDrive, and SharePoint content. Which THREE tools or methods can you use to migrate data?

Select 3 answers
A. Microsoft 365 Migration Manager
B. Microsoft Teams admin center
C. Third-party migration tool (e.g., BitTitan MigrationWiz)
D. Exchange Admin Center migration tools
E. PowerShell scripts using Microsoft Graph API
Answers: A, C, E

Supports email, OneDrive, and SharePoint migration.

Why this answer

Microsoft 365 Migration Manager is a native tool within the Microsoft 365 admin center that provides a centralized, guided experience for migrating email, documents, and files from on-premises or other cloud sources. It supports end-to-end migration scenarios, including cross-tenant migrations for Exchange Online, OneDrive, and SharePoint, making it a correct choice for this tenant-to-tenant migration requirement.

Exam trap

The trap here is that candidates often assume the Exchange Admin Center migration tools can handle all content types (email, OneDrive, SharePoint) because they are familiar with mailbox migrations, but they fail to recognize that those tools are strictly for Exchange data and do not cover SharePoint or OneDrive content.

152 · MCQ · easy

You are deploying a new Microsoft 365 tenant for a company that has a single domain, contoso.com. You need to verify domain ownership to enable email routing. Which DNS record type must you add to the public DNS zone?

A. CNAME record with 'autodiscover' pointing to 'autodiscover.outlook.com'.
B. SPF record including Microsoft 365 IP addresses.
C. MX record pointing to Microsoft 365.
D. TXT record with a verification code provided by Microsoft 365.
Answer: D

Standard method for domain verification in Microsoft 365.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing a unique verification code provided by the Microsoft 365 admin center to your public DNS zone. This proves you control the domain, enabling email routing and other services. Other DNS records like CNAME, SPF, or MX are used for service configuration, not ownership verification.

Exam trap

The trap here is that candidates confuse service configuration records (like MX, SPF, or CNAME) with the mandatory verification record, assuming any DNS change proves ownership, but only the TXT record with the specific code satisfies Microsoft 365's domain proof requirement.

How to eliminate wrong answers

Option A is wrong because a CNAME record for 'autodiscover' pointing to 'autodiscover.outlook.com' is used to configure automatic client discovery for Exchange Online, not to verify domain ownership. Option B is wrong because an SPF record specifies authorized sending IP addresses for email authentication and is not used for domain verification. Option C is wrong because an MX record directs email flow to Microsoft 365 but requires prior domain ownership verification to be accepted.

153 · MCQ · hard

A company has 500 users across Sales, Marketing, and IT departments. User objects are synced from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. Each department requires different Microsoft 365 license plans (e.g., Sales needs E3, Marketing needs Business Premium, IT needs E5). The administrator wants to automatically assign the appropriate license based on the department attribute without manual intervention. Which approach should the administrator use?

A. Create a script that runs daily to sync department values and assign licenses using PowerShell.
B. Configure group-based licensing using Microsoft Entra dynamic groups with rules based on the department attribute.
C. Use Azure AD Connect to filter objects and assign licenses during sync.
D. Manually assign licenses to each user in the Microsoft 365 admin center.
Answer: B

Dynamic groups evaluate membership based on rules using user attributes. When combined with group-based licensing, licenses are automatically applied to all members. This is the recommended Microsoft approach for automated license assignment.

Why this answer

Option B is correct because Microsoft Entra ID supports group-based licensing, which allows automatic license assignment to users based on their membership in dynamic groups. By creating dynamic groups with rules that filter on the department attribute (e.g., 'user.department -eq "Sales"'), the administrator can assign the appropriate license plan (E3, Business Premium, E5) to each group, and licenses are automatically applied or removed as users are added or removed from the group, without any manual or scripted intervention.

Exam trap

The trap here is that candidates may confuse Azure AD Connect's attribute filtering or sync capabilities with license assignment, or assume that a PowerShell script is the only automated method, overlooking the native group-based licensing feature that is designed exactly for this scenario.

How to eliminate wrong answers

Option A is wrong because using a script that runs daily introduces unnecessary complexity, potential delays (up to 24 hours), and administrative overhead; it also does not leverage the built-in, real-time license assignment capabilities of Microsoft Entra ID. Option C is wrong because Azure AD Connect is used for syncing identity objects and attributes, not for assigning licenses; filtering objects during sync controls which users are synced, not how licenses are assigned. Option D is wrong because manually assigning licenses to 500 users across three departments is not scalable and is error-prone, and it violates the requirement for automatic assignment without manual intervention.

154 · MCQ · hard

Your Microsoft 365 tenant has been configured with Microsoft Entra ID Connect synchronization from on-premises Active Directory. Users are unable to log in to Microsoft 365 services. You check the synchronization status and see that the last sync was successful. What is the most likely cause?

A. The firewall is blocking authentication requests to Microsoft 365.
B. The on-premises Active Directory is not reachable from the sync server.
C. Password hash synchronization is disabled.
D. The user principal name (UPN) suffix for users is not a verified domain in Microsoft Entra ID.
Answer: D

UPN mismatch is a common cause of login failure after successful sync.

Why this answer

The most likely cause is that the UPN suffix for users is not a verified domain in Microsoft Entra ID. Even though password hash synchronization is enabled and the last sync was successful, if the UPN suffix (e.g., @contoso.local) does not match a custom domain verified in Entra ID, users cannot sign in because Entra ID cannot route authentication to the correct tenant. The sync process will complete without error, but login fails because the UPN is not recognized as a valid domain in the cloud.

Exam trap

The trap here is that candidates assume a successful sync means all authentication components are working, but Microsoft deliberately tests the distinction between object synchronization success and domain verification failure, which causes login to fail despite a green sync status.

How to eliminate wrong answers

Option A is wrong because the firewall blocking authentication requests would prevent all connectivity to Microsoft 365 services, not just login after a successful sync; the sync itself would also fail or show errors. Option B is wrong because if the on-premises Active Directory were unreachable from the sync server, the last sync would not have been successful; the sync engine requires a live connection to AD to read objects. Option C is wrong because password hash synchronization being disabled would cause password-related login failures, but the question states users cannot log in at all; if PHS were disabled, users could still log in using federated authentication or pass-through authentication if configured, and the sync status would still show success for object synchronization.

155 · Multi-Select · hard

Your organization is deploying Windows 11 using Microsoft Intune. You need to ensure that devices are automatically enrolled in Intune when users sign in with their Microsoft Entra ID credentials. Which THREE prerequisites must be met?

Select 3 answers
A. Devices must run Windows 10/11 Home edition.
B. Microsoft Configuration Manager must be deployed.
C. Microsoft Entra ID P1 or P2 license.
D. Devices must be Microsoft Entra joined or hybrid Microsoft Entra joined.
E. MDM user scope must be set to All or Some in Microsoft Entra ID.
Answers: C, D, E

Correct: Required for automatic MDM enrollment.

Why this answer

Option C is correct because Microsoft Entra ID P1 or P2 licenses are required to enable automatic MDM enrollment via Intune. Without these licenses, the MDM authority cannot be set to Intune, and the automatic enrollment policy in Microsoft Entra ID will not function. This licensing requirement ensures that the tenant has the necessary features for conditional access and device management policies.

Exam trap

The trap here is that candidates often confuse the licensing requirement (Entra ID P1/P2) with the need for a separate MDM license like Intune, or mistakenly think that Windows Home edition or Configuration Manager are required for automatic enrollment.

156 · MCQ · easy

Your organization has a Microsoft 365 E5 tenant. You need to ensure that users are prompted to register for multifactor authentication (MFA) the first time they sign in. Which Microsoft Entra ID policy should you configure?

A. Enable Security defaults
B. Create a Conditional Access policy requiring MFA and enable Microsoft Entra ID Identity Protection to enforce MFA registration
C. Enable combined registration for SSPR and MFA
D. Configure MFA service settings per-user
Answer: B

This combined approach prompts users to register MFA at first sign-in.

Why this answer

Option B is correct because combining a Conditional Access policy that requires MFA with Identity Protection's MFA registration policy ensures users are prompted to register for MFA at first sign-in. The MFA registration policy in Identity Protection specifically enforces that users must register their authentication methods before accessing applications, which triggers the registration prompt on initial authentication.

Exam trap

The trap here is that candidates often confuse the MFA registration policy in Identity Protection with a standard Conditional Access policy that requires MFA, but the registration policy specifically triggers the registration prompt, not the MFA challenge itself.

How to eliminate wrong answers

Option A is wrong because Security defaults is a baseline security feature that enforces MFA for all users but does not provide a granular registration prompt on first sign-in; it applies MFA automatically after registration, not a registration-only trigger. Option C is wrong because combined registration for SSPR and MFA only consolidates the user registration portal for both features; it does not enforce or prompt registration at sign-in. Option D is wrong because configuring MFA service settings per-user is a legacy method that requires manual enablement and does not automatically prompt users to register on first sign-in; it also lacks the integration with Identity Protection for registration enforcement.

157 · MCQ · hard

Your company recently merged with another company that uses Microsoft 365. Both tenants have the same primary domain, contoso.com. You need to merge the two tenants into a single tenant while preserving user email addresses. What should you do?

A. Use cross-tenant collaboration settings to share the domain.
B. Remove the domain from the source tenant and add it to the target tenant, then migrate users.
C. Configure a domain sharing agreement between both tenants.
D. Set up a federation trust between the two tenants.
Answer: B

Standard approach for tenant consolidation.

Why this answer

Option B is correct because a domain can be verified in only one tenant at a time, so consolidating the tenants means removing contoso.com from the source tenant, adding and verifying it in the target tenant, and then migrating users so that their existing email addresses are preserved.

How to eliminate wrong answers

Option A is wrong because cross-tenant collaboration settings do not consolidate domains. Option C is wrong because a domain sharing agreement is not possible; a domain cannot belong to two tenants. Option D is wrong because a federation trust does not allow merging tenants.

158 · MCQ · medium

A company needs to migrate several shared mailboxes from on-premises Exchange 2016 to Exchange Online. The company plans to keep some user mailboxes on-premises for now. Which migration strategy should they use for the shared mailboxes?

A. Cutover migration
B. Staged migration
C. IMAP migration
D. Hybrid migration
Answer: D

Hybrid migration uses a hybrid deployment to move shared mailboxes between on-premises and Exchange Online with coexistence.

Why this answer

A hybrid migration is the correct choice because it allows the coexistence of on-premises Exchange 2016 and Exchange Online mailboxes, enabling the selective migration of shared mailboxes while keeping some user mailboxes on-premises. This approach uses the Hybrid Configuration Wizard to establish a secure connection and synchronize directory objects via Azure AD Connect, supporting mailbox moves with the New-MoveRequest cmdlet.

Exam trap

The trap here is that candidates often choose cutover migration because it is simpler, but they overlook the requirement to keep some mailboxes on-premises, which cutover migration cannot accommodate.

How to eliminate wrong answers

Option A is wrong because cutover migration migrates all mailboxes in a single batch and requires all mailboxes to be moved to Exchange Online, which conflicts with the requirement to keep some user mailboxes on-premises. Option B is wrong because staged migration is designed for migrating user mailboxes from on-premises Exchange 2003 or 2007, not Exchange 2016, and it does not support shared mailboxes natively. Option C is wrong because IMAP migration only migrates email data (not calendar, contacts, or tasks) and does not preserve shared mailbox properties or enable coexistence; it is intended for non-Exchange systems.

159 · MCQ · medium

An administrator needs to delegate the ability to view service health and manage service requests to a helpdesk team, without granting permissions to reset passwords, manage users, or access billing. Which built-in Microsoft 365 admin role should be assigned?

A. Service Support Administrator
B. Helpdesk Administrator
C. Service Administrator
D. Security Reader
Answer: A

This role provides exactly the needed permissions: view service health and manage service requests.

Why this answer

The Service Support Administrator role is the correct built-in role because it grants the specific permissions needed to view service health and manage service requests in the Microsoft 365 admin center, while explicitly excluding permissions to reset passwords, manage users, or access billing. This role is designed for helpdesk teams that need to handle service incidents without broader administrative access.

Exam trap

The trap here is that candidates often confuse 'Service Support Administrator' with 'Helpdesk Administrator' because both sound helpdesk-related, but Helpdesk Administrator includes password reset and user management permissions that are explicitly disallowed in the question.

How to eliminate wrong answers

Option B (Helpdesk Administrator) is wrong because it includes permissions to reset user passwords and manage user accounts, which exceeds the required scope and violates the constraint of not granting password reset or user management abilities. Option C (Service Administrator) is wrong because it is not a built-in Microsoft 365 admin role; the correct role for managing service requests is Service Support Administrator, and Service Administrator is a legacy or misnamed concept. Option D (Security Reader) is wrong because it only provides read-only access to security-related information and policies, and does not include permissions to manage service requests or view service health in the admin center.

160 · Multi-Select · medium

Your organization has a Microsoft 365 E5 subscription. You need to enforce that all users must use multi-factor authentication (MFA) when accessing Microsoft 365 services. Which TWO components should you configure?

Select 2 answers
A. Microsoft Defender for Identity.
B. Security defaults.
C. Azure AD Identity Protection user risk policy.
D. Per-user MFA (legacy).
E. Conditional Access policy.
Answers: B, E

Correct: Security defaults enable MFA for all users.

Why this answer

Security defaults (option B) is correct because it provides a pre-configured set of security policies that enforce MFA for all users accessing Microsoft 365 services, including requiring MFA registration and blocking legacy authentication. Conditional Access policy (option E) is correct because it allows granular control to require MFA based on specific conditions such as user, location, or device state, which is the modern, recommended approach for enforcing MFA in a Microsoft 365 E5 subscription.

Exam trap

Microsoft often tests the distinction between legacy per-user MFA and modern Conditional Access policies, where candidates mistakenly think per-user MFA is still the recommended method, but the exam emphasizes that Conditional Access is the preferred approach for granular MFA enforcement.

161 · MCQ · medium

Your organization has 5,000 users and uses Microsoft 365 E3. You are planning to migrate from on-premises Exchange to Exchange Online. You have already synchronized identities using Microsoft Entra Connect. The CIO wants to ensure that users can continue to access their email if the internet connection to Microsoft 365 is temporarily lost. You need to recommend a solution that provides offline access while minimizing cost and administrative overhead. What should you recommend?

A. Configure Outlook to use Cached Exchange Mode.
B. Implement a hybrid deployment and keep some mailboxes on-premises.
C. Deploy a VPN to ensure connectivity.
D. Enable Exchange Online Archiving for all users.
Answer: A

Correct: Cached Exchange Mode provides offline access to synced mailbox data.

Why this answer

Cached Exchange Mode (CEM) downloads a copy of the user's mailbox to a local .ost file, allowing full access to email, calendar, and contacts even when the internet connection to Microsoft 365 is temporarily lost. This meets the CIO's requirement for offline access with zero additional cost and no administrative overhead, as CEM is a built-in feature of Outlook that is already available with Microsoft 365 E3.

Exam trap

The trap here is that candidates often confuse 'offline access' with 'high availability' or 'redundancy,' leading them to choose a hybrid deployment (Option B) or a VPN (Option C), when the simplest and most cost-effective solution is a client-side caching feature already included in the subscription.

How to eliminate wrong answers

Option B is wrong because implementing a hybrid deployment with some mailboxes on-premises increases cost (additional on-premises servers, licensing, and maintenance) and administrative overhead, and does not guarantee offline access for users whose mailboxes are moved to Exchange Online. Option C is wrong because deploying a VPN does not provide offline email access; it only attempts to maintain connectivity, and if the internet is lost, the VPN connection also fails. Option D is wrong because Exchange Online Archiving is a cloud-based feature that stores archived email in the cloud, not locally, so it does not provide offline access and adds cost without solving the stated requirement.

162 · MCQ · medium

Your organization is preparing to deploy Microsoft 365 for 5,000 users. You need to ensure that all users can authenticate using their existing on-premises Active Directory credentials while minimizing infrastructure changes. You also need to support self-service password reset (SSPR) for cloud-only users. Which authentication method should you recommend?

A. Cloud-only authentication with Microsoft Entra ID
B. Pass-through Authentication (PTA)
C. Password Hash Synchronization (PHS)
D. Federation with AD FS
Answer: C

PHS syncs password hashes to Entra ID, enabling authentication with existing credentials and SSPR for cloud-only users.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID, allowing users to authenticate with their existing credentials without additional infrastructure. It also enables cloud-only users to use self-service password reset (SSPR) independently, as SSPR relies on cloud-stored hashes and does not require on-premises write-back for cloud-only accounts.

Exam trap

The trap here is that candidates often choose Pass-Through Authentication (PTA) because it validates passwords directly against on-premises AD, but they overlook that PTA requires an on-premises agent and does not support SSPR for cloud-only users without additional configuration, making PHS the simpler and more appropriate choice for minimizing changes.

How to eliminate wrong answers

Option A is wrong because cloud-only authentication with Microsoft Entra ID does not integrate with on-premises Active Directory, so users cannot use their existing on-premises credentials. Option B is wrong because Pass-Through Authentication (PTA) requires an on-premises agent and does not support SSPR for cloud-only users without additional password write-back configuration, increasing infrastructure changes. Option D is wrong because Federation with AD FS requires significant infrastructure (e.g., federation servers, proxies) and does not natively support SSPR for cloud-only users without Azure AD Connect and password write-back, contradicting the goal of minimizing changes.

163 · MCQ · medium

Your organization uses Microsoft Entra ID. You want to enforce Multi-Factor Authentication (MFA) for all users. You have already configured Conditional Access policies. However, some users are still able to sign in without MFA. What should you check first?

A. Ensure all users have registered for MFA.
B. Verify that the Conditional Access policy is enabled.
C. Confirm that all users are included in the policy's user assignment.
D. Check if there are any exclusions configured.
Answer: C

Users must be assigned to the policy.

Why this answer

Option C is correct because the most common reason a Conditional Access policy fails to enforce MFA is that not all users are included in the policy's user assignment. If the policy targets only a subset of users (e.g., a test group), users outside that scope will bypass MFA entirely. The first troubleshooting step is to verify that the policy's 'Users and groups' assignment includes 'All users' or the specific groups covering all users.

Exam trap

The trap here is that candidates often jump to checking exclusions or MFA registration status first, overlooking the fundamental requirement that the policy must actually apply to the user via its assignment scope.

How to eliminate wrong answers

Option A is wrong because MFA registration is a prerequisite for MFA prompts, but even if users are registered, the Conditional Access policy must be correctly scoped to enforce MFA; unregistered users would simply be blocked or prompted to register, not allowed to sign in without MFA. Option B is wrong because if the policy were disabled, no users would be prompted for MFA, but the question states some users are still able to sign in without MFA, implying the policy is enabled but not applying to those users. Option D is wrong because checking exclusions is a valid step, but it is secondary to verifying that all users are included in the policy's assignment; exclusions only matter if users are already included.

164 · MCQ · easy

An administrator wants to add a second custom domain, 'contoso-europe.com', to their existing Microsoft 365 tenant. The domain 'contoso.com' is already verified. What is the first step the administrator should take?

A. Add the domain in the Microsoft 365 admin center
B. Create a DNS TXT verification record
C. Update the UPN suffixes for users
D. Create a new Microsoft 365 tenant
Answer: A

The first step is to add the domain; verification comes after.

Why this answer

To add a new domain, the administrator must first add it in the Microsoft 365 admin center under Setup > Domains. After adding it, verification steps (like adding a TXT record) are required. Updating UPN suffixes is done after verification. Creating a new tenant is unnecessary.

165 · MCQ · hard

Refer to the exhibit. A Conditional Access policy is created in Microsoft Entra ID. The policy targets the Office 365 app (which includes Exchange Online). You have 1000 users assigned. What is the immediate effect of this policy on users who are currently signed in?

A. All high-risk users are immediately blocked from accessing email.
B. No immediate effect; users will be blocked on their next sign-in attempt.
C. The policy is invalid because the Office 365 app does not support block.
D. Only users with a sign-in risk of high are blocked.
Answer: B

Conditional Access evaluates at sign-in, not real-time.

Why this answer

Conditional Access policies in Microsoft Entra ID are evaluated at the time of sign-in. They do not terminate existing sessions. Therefore, users who are already signed in will not be affected until their next authentication attempt, at which point the policy's block action will be enforced.

Exam trap

Microsoft often tests the misconception that Conditional Access policies apply immediately to active sessions, when in fact they only take effect on the next sign-in attempt unless combined with session controls like sign-in frequency or continuous access evaluation.

How to eliminate wrong answers

Option A is wrong because the policy targets all users assigned, not only high-risk users; also, Conditional Access does not immediately terminate active sessions. Option C is wrong because the Office 365 app (which includes Exchange Online) fully supports the block grant control in Conditional Access policies. Option D is wrong because the policy does not specify a sign-in risk condition; it applies to all targeted users regardless of risk level.

166 · MCQ · medium

An administrator recently added a custom domain 'tailspintoys.com' to their Microsoft 365 tenant and verified it. They now need to configure the domain so that all recipient email addresses for 'info@tailspintoys.com' are delivered to a shared mailbox in Exchange Online. The domain is currently set as internal relay. What should the administrator do first to route email for this domain to Exchange Online?

A. Update the MX record at the DNS registrar to point to Exchange Online
B. Change the domain type from 'Internal relay' to 'Authoritative' in Exchange admin center
C. Create the shared mailbox 'info@tailspintoys.com' in Exchange Online
D. Disable the internal relay option for the domain in the Microsoft 365 admin center
Answer: B

Correct. Setting the domain as authoritative ensures Exchange Online accepts and delivers all emails for this domain.

Why this answer

Option B is correct because when a domain is set to 'Internal relay' in Exchange Online, the service expects to relay messages to an on-premises server for that domain. To have Exchange Online accept and deliver messages directly to a shared mailbox (or any hosted recipient), the domain must be changed to 'Authoritative'. This tells Exchange Online that it is the final destination for all recipients in that domain, enabling local delivery.

Exam trap

The trap here is that candidates often think updating the MX record (Option A) is the first step to route email to Exchange Online, but they overlook that the domain type must be changed to 'Authoritative' first; otherwise, Exchange Online will not deliver messages to cloud recipients even after the MX record is pointed correctly.

How to eliminate wrong answers

Option A is wrong because updating the MX record to point to Exchange Online is necessary for mail flow from the internet, but it does not change how Exchange Online treats the domain internally; if the domain remains 'Internal relay', Exchange Online will still attempt to relay messages for that domain to an on-premises server rather than delivering locally. Option C is wrong because creating the shared mailbox is a subsequent step; the domain must first be set to 'Authoritative' so that Exchange Online recognizes the recipient as local and can deliver to it. Option D is wrong because disabling the internal relay option in the Microsoft 365 admin center is not a valid action; the domain type is configured in the Exchange admin center, not the Microsoft 365 admin center, and simply removing the relay setting does not change the domain to authoritative.

167 · MCQ · medium

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID for helpdesk staff. What can users assigned this role do?

A. Read user properties and reset passwords
B. Read security groups and reset passwords
C. Create new users and reset passwords
D. Read user properties and assign licenses
Answer: A

Permissions match read and password update.

Why this answer

The custom role shown in the exhibit includes only the 'Users' > 'Basic' > 'Read' permission and the 'Authentication' > 'Passwords' > 'Reset password' permission. This combination allows helpdesk staff to read basic user properties (such as display name, user principal name, and job title) and reset user passwords. It does not grant write access to other user attributes, security groups, or license assignments.

Exam trap

The trap here is that candidates often assume 'reset password' implies full user management or that reading user properties automatically includes reading groups, but Microsoft Entra ID separates these into distinct permission scopes.

How to eliminate wrong answers

Option B is wrong because reading security groups requires the 'Groups' > 'Read' permission, which is not included in this custom role. Option C is wrong because creating new users requires the 'Users' > 'Create' permission, which is not granted here. Option D is wrong because assigning licenses requires the 'Users' > 'Assign license' permission, which is also absent from this role.

168 · MCQ · hard

Your organization uses Microsoft 365 and has enabled Microsoft Entra ID P2 licenses. You need to configure automatic user provisioning for a third-party SaaS application that supports SCIM 2.0. What should you do first in the Microsoft Entra admin center?

A. Add the application from the gallery, then configure provisioning.
B. Configure provisioning in 'App registrations'.
C. Navigate to 'Enterprise applications' and create a new application.
D. Use the 'App registrations' blade to register the app.
Answer: A

Standard procedure for SCIM provisioning.

Why this answer

To configure automatic user provisioning for a third-party SaaS application that supports SCIM 2.0, you must first add the application from the Microsoft Entra gallery. This action creates an enterprise application object in your tenant, which is required to access the provisioning configuration blade. Only after adding the gallery application can you configure the provisioning settings, including the SCIM endpoint URL and token, to enable automated user lifecycle management.

Exam trap

The trap here is that candidates confuse 'App registrations' (for custom app development) with 'Enterprise applications' (for SaaS app provisioning), leading them to choose an option that registers an app instead of adding a gallery application.

How to eliminate wrong answers

Option B is wrong because 'App registrations' is used for custom-developed applications that use OAuth/OpenID Connect, not for provisioning configuration of gallery or non-gallery SaaS apps. Option C is wrong because 'Enterprise applications' does not have a 'create new application' option; you add applications from the gallery or create a non-gallery app via the 'New application' button, but the correct first step is specifically to add from the gallery. Option D is wrong because registering an app in 'App registrations' creates a service principal for a custom app, not the provisioning configuration for a third-party SaaS app that supports SCIM.

169
Multi-Select · medium

Your organization is using Microsoft 365 Business Premium. You need to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with their work account. Which TWO configurations are required?

Select 2 answers
A.Enable MDM automatic enrollment in Microsoft Entra ID
B.Create a device compliance policy in Intune
C.Set device enrollment restrictions to allow all platforms
D.Assign device categories to users
E.Configure Intune auto-enrollment via Group Policy or Microsoft Entra ID
Answers: A, E

This triggers enrollment on first sign-in.

Why this answer

Option A is correct because Microsoft Entra ID (formerly Azure AD) provides the MDM automatic enrollment feature that, when enabled, automatically enrolls Windows 10/11 and other supported devices into Intune when a user signs in with their work account. This is the core configuration that triggers the enrollment process at sign-in, leveraging the MDM discovery URL and the user's Entra ID token.

Exam trap

The trap here is that candidates often confuse 'MDM automatic enrollment' (a single toggle in Entra ID) with 'Intune auto-enrollment via Group Policy or Entra ID' (Option E), treating the latter as a redundant or alternative method for domain-joined devices. The question specifically asks for the two required configurations, and both A and E are correct because they represent the same underlying mechanism (Entra ID-based enrollment) from different administrative perspectives.

170
MCQ · easy

You are the Microsoft 365 administrator for Contoso, a company with 5,000 users. The company recently acquired a subsidiary, Fabrikam, which has 2,000 users currently using on-premises Exchange and Active Directory. The goal is to migrate Fabrikam users to Microsoft 365 and merge their identities into the existing Contoso tenant. The migration must minimize user password changes and preserve existing email addresses. You need to plan the identity migration. What should you do first?

A.Create a new Microsoft 365 tenant for Fabrikam and then perform a cross-tenant migration.
B.Extend the existing Contoso Active Directory to include Fabrikam objects and use a single Azure AD Connect instance.
C.Create a new Active Directory forest for Fabrikam and configure Azure AD Connect to sync to the existing Contoso tenant.
D.Export Fabrikam users to a CSV and use PowerShell to bulk create users in Microsoft Entra ID.
Answer: C

A new forest avoids naming conflicts and allows separate sync, preserving email addresses and passwords.

Why this answer

Option C is correct because creating a new Active Directory forest for Fabrikam and configuring Azure AD Connect to sync to the existing Contoso tenant allows you to merge identities without disrupting the existing Contoso directory. This approach preserves Fabrikam users' existing email addresses (via SMTP matching or custom domain verification) and minimizes password changes by syncing their on-premises passwords to Azure AD. It also avoids the complexity of extending the existing Contoso AD forest, which could cause namespace conflicts or schema issues.

Exam trap

The trap here is that candidates often assume extending the existing Active Directory forest (Option B) is simpler, but they overlook the identity conflicts and the fact that Azure AD Connect can natively handle multiple forests, making a separate forest the correct first step to isolate and preserve Fabrikam's identity namespace.

How to eliminate wrong answers

Option A is wrong because creating a new Microsoft 365 tenant for Fabrikam would result in a separate identity system, requiring cross-tenant migration and potentially breaking email continuity; it does not merge identities into the existing Contoso tenant as required. Option B is wrong because extending the existing Contoso Active Directory to include Fabrikam objects would require a single forest with multiple domains or OUs, which can cause UPN and SMTP address conflicts, and it does not allow preserving Fabrikam's existing email addresses without complex attribute manipulation. Option D is wrong because exporting Fabrikam users to a CSV and using PowerShell to bulk create users in Microsoft Entra ID would create new cloud-only identities, forcing all Fabrikam users to change passwords and losing their existing on-premises password hashes and email addresses.

171
MCQ · medium

You need to ensure that guest users who are invited to your Microsoft Entra ID tenant can access resources without needing to accept an invitation. What should you configure?

A.Configure the 'External collaboration settings' to allow invitations to specific domains only.
B.Set the 'Guest invite settings' to 'Anyone in the organization can invite guest users'.
C.Set the 'Guest invite settings' to 'Only users assigned to specific admin roles can invite'.
D.Enable 'Email one-time passcode for guests' and set 'Allow invitations to be sent to any user' to Yes.
Answer: D

This allows guests to redeem without accepting an invitation.

Why this answer

Option D is correct because enabling 'Email one-time passcode for guests' and setting 'Allow invitations to be sent to any user' to Yes allows guest users to redeem an invitation without needing to accept it interactively. This configuration leverages the email one-time passcode (OTP) authentication flow, which bypasses the need for the guest to click an acceptance link, enabling direct resource access after the OTP is verified.

Exam trap

The trap here is that candidates often confuse settings that control who can invite guests (Options B and C) with settings that control the guest acceptance process, leading them to overlook the email one-time passcode feature that directly addresses the requirement to bypass acceptance.

How to eliminate wrong answers

Option A is wrong because configuring 'External collaboration settings' to allow invitations to specific domains only restricts which domains can be invited, but does not eliminate the need for guests to accept the invitation. Option B is wrong because setting 'Guest invite settings' to 'Anyone in the organization can invite guest users' controls who can send invitations, not whether guests must accept them. Option C is wrong because setting 'Guest invite settings' to 'Only users assigned to specific admin roles can invite' restricts invitation permissions to admins, but still requires guests to accept the invitation.

172
MCQ · hard

Your organization uses Microsoft Purview Information Protection. You need to ensure that when a user applies a sensitivity label to a document in SharePoint, the label is automatically applied to the document when it is downloaded. What should you configure?

A.Use a Data Loss Prevention (DLP) policy to enforce labeling.
B.Create a Conditional Access policy requiring label application.
C.Configure a sensitivity label with client-side labeling.
D.Create an auto-labeling policy in Microsoft Purview.
Answer: D

Auto-labeling can automatically apply labels to documents.

Why this answer

Auto-labeling policies in Purview can apply labels based on conditions, so Option D is correct. Option C is wrong because client-side labeling is manual.

Option B is wrong because Conditional Access does not apply labels. Option A is wrong because DLP policies do not apply labels.

173
Multi-Select · hard

Your organization is deploying Microsoft 365 Copilot for 200 users. You need to ensure that Copilot can access user data from Microsoft Graph to provide personalized responses. Which THREE permissions must be granted?

Select 3 answers
A.Chat.ReadWrite (Microsoft Graph)
B.Calendars.ReadWrite (Microsoft Graph)
C.Files.ReadWrite.All (Microsoft Graph)
D.User.Read.All (Microsoft Graph)
E.Mail.Send (Microsoft Graph)
Answers: A, B, C

Allows Copilot to read and write chat messages.

Why this answer

Option A is correct because Chat.ReadWrite is required for Microsoft 365 Copilot to access and process user chat data from Microsoft Graph, enabling personalized responses based on chat history and context. This permission allows Copilot to read and write chat messages, which is essential for generating context-aware replies.

Exam trap

The trap here is that candidates often assume broad permissions like User.Read.All are needed for personalization, but Microsoft 365 Copilot requires only specific data scopes (chat, calendar, files) and not directory-level read access.

174
Multi-Select · medium

Your organization is planning to migrate from on-premises Exchange to Exchange Online. You need to choose a migration strategy. Which TWO statements about migration methods are correct?

Select 2 answers
A.A hybrid migration requires that you do not synchronize on-premises Active Directory with Microsoft Entra ID.
B.A minimal hybrid deployment allows you to manage mailboxes in both on-premises and Exchange Online.
C.A staged migration can be used to migrate mailboxes from Exchange 2019 to Exchange Online.
D.A cutover migration is suitable for organizations with fewer than 2000 mailboxes.
E.An IMAP migration migrates email, contacts, and calendar data.
Answers: B, D

Minimal hybrid provides coexistence and migration capabilities.

Why this answer

Options B and D are correct. Option B: Minimal hybrid is a valid migration approach. Option D: Cutover migration is for fewer than 2000 mailboxes.

Option C is wrong because staged migration is not supported for Exchange 2019. Option E is wrong because IMAP migration does not migrate calendar data. Option A is wrong because hybrid migration requires AD synchronization.

175
MCQ · medium

Your organization uses Microsoft 365 E5 licenses. You need to ensure that all external sharing links for SharePoint Online expire after 30 days by default. You configure this in the SharePoint admin center. However, users report that links created before the change still do not have an expiration. What should you do?

A.Use the Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount parameter.
B.Reconfigure the setting in SharePoint admin center and save again.
C.Run Set-SPOTenant -DefaultSharingLinkExpirationInDays 30.
D.Create a data loss prevention (DLP) policy in Microsoft Purview to block unexpired links.
Answer: A

This parameter forces existing anonymous links to expire after the default number of days.

Why this answer

Option A is correct because the `Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount` parameter, when set to `$true`, forces all external sharing links to require the invited account to match the accepting account, which effectively invalidates any pre-existing links that do not meet this condition. This is the only way to enforce expiration on links created before the policy change, as the SharePoint admin center setting for default link expiration only applies to newly created links, not existing ones.

Exam trap

The trap here is that candidates assume the `-DefaultSharingLinkExpirationInDays` parameter applies retroactively to existing links, when in fact it only affects links created after the setting is applied, leading them to choose Option C instead of the correct retroactive enforcement via `RequireAcceptingAccountMatchInvitedAccount`.

How to eliminate wrong answers

Option B is wrong because simply reconfiguring and saving the same setting in the SharePoint admin center will not retroactively apply the expiration to links created before the change; the setting only affects new links. Option C is wrong because `Set-SPOTenant -DefaultSharingLinkExpirationInDays 30` sets the default expiration for new sharing links but does not expire existing links; it is the same setting available in the admin center, not a retroactive fix. Option D is wrong because a data loss prevention (DLP) policy in Microsoft Purview can block sharing of sensitive content but cannot enforce expiration dates on existing sharing links; DLP policies are for content protection, not link lifecycle management.

176
MCQ · hard

Your company is migrating from on-premises Exchange to Exchange Online. You have configured a hybrid deployment. During testing, you notice that free/busy information is not being shared between on-premises and cloud users. All other hybrid features work. What is the most likely cause?

A.The organization relationship between the on-premises and cloud tenants is missing or misconfigured.
B.Azure AD Connect has not been configured with the correct synchronization scope.
C.The on-premises firewall is blocking traffic to the Exchange Online endpoints.
D.OAuth authentication is not configured between on-premises and Exchange Online.
Answer: A

The organization relationship is required for free/busy sharing in hybrid.

Why this answer

The organization relationship defines the trust and sharing settings between on-premises Exchange and Exchange Online tenants, specifically for free/busy information. Since all other hybrid features (e.g., mail flow, mailbox moves) work, the issue is isolated to the organization relationship, which must be configured on both sides to enable cross-premises calendar availability queries.

Exam trap

The trap here is that candidates assume OAuth is required for all hybrid features, but Microsoft specifically decouples free/busy sharing from OAuth in hybrid scenarios, making the organization relationship the primary culprit when only calendar availability fails.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect synchronization scope controls identity and attribute sync (e.g., users, groups), not free/busy sharing; incorrect scope would cause missing or mismatched user objects, not a failure of free/busy queries specifically. Option C is wrong because firewall blocks would affect all hybrid traffic (e.g., SMTP, Autodiscover, EWS), not just free/busy; since other features work, a firewall issue is unlikely. Option D is wrong because OAuth authentication is required for modern hybrid features like archive access and eDiscovery, but free/busy sharing can function with legacy organization relationship settings using the AvailabilityAddressSpace or IntraOrganizationConnector; OAuth is not strictly necessary for basic free/busy.

177
MCQ · easy

An administrator needs to add a custom domain 'contoso.org' to their Microsoft 365 tenant. They have already purchased the domain and have access to the DNS registrar. What is the first step the administrator should perform in the Microsoft 365 admin center?

A.Add a TXT record in the public DNS zone
B.Add the domain in the Microsoft 365 admin center
C.Configure email routing (MX record)
D.Create user accounts with the new domain
Answer: B

The domain must be added to the tenant first. Then the admin center provides the verification DNS records.

Why this answer

The first step to add a custom domain to a Microsoft 365 tenant is to initiate the domain addition process in the Microsoft 365 admin center. This triggers Microsoft to generate the unique verification TXT record that must be published in the public DNS zone. Without first adding the domain in the admin center, the administrator would not know the specific verification string required for the TXT record.

Exam trap

The trap here is that candidates often confuse the sequence of steps and think that adding a DNS record (like TXT or MX) is the first action, when in reality the domain must first be registered in the admin center to obtain the required verification token.

How to eliminate wrong answers

Option A is wrong because adding a TXT record in the public DNS zone is the second step, performed after the domain has been added in the admin center to obtain the unique verification value. Option C is wrong because configuring email routing (MX record) is a later step that occurs after domain verification is complete and the domain is set as the primary email domain. Option D is wrong because creating user accounts with the new domain requires the domain to first be verified and added to the tenant; otherwise, the domain is not recognized by Azure AD.

178
Multi-Select · medium

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. You need to ensure that password synchronization is enabled. Which TWO components are required for password synchronization to work?

Select 2 answers
A.Azure AD Connect with password hash synchronization selected.
B.Active Directory Federation Services (AD FS).
C.Password Writeback enabled.
D.Microsoft Identity Manager (MIM).
E.Microsoft Entra ID service to process synchronization.
Answers: A, E

Azure AD Connect must have password hash synchronization enabled.

Why this answer

Option A is correct because Azure AD Connect with password hash synchronization (PHS) selected is the component that hashes the on-premises Active Directory password and synchronizes it to Microsoft Entra ID. Option E is correct because the Microsoft Entra ID service must process the incoming password hashes and store them in the cloud directory, enabling authentication against Entra ID. Without both the local sync engine (Azure AD Connect) and the cloud-side service, password synchronization cannot function.

Exam trap

The trap here is that candidates often confuse Password Writeback (a separate feature for cloud-to-on-premises password changes) as a prerequisite for password synchronization, when in fact it is an optional add-on that is not required for the one-way sync of password hashes from on-premises to the cloud.

179
MCQ · hard

Your company recently deployed Microsoft 365 Copilot. Users report that Copilot occasionally generates responses based on sensitive internal documents that should not be shared broadly. What should you configure to restrict Copilot's access?

A.Create Data Loss Prevention (DLP) policies to block sharing.
B.Remove the sensitive documents from SharePoint Online.
C.Apply sensitivity labels to the documents and configure label scopes to exclude Copilot.
D.Configure Microsoft Search to exclude the sensitive documents.
Answer: C

Sensitivity labels can be scoped to prevent Copilot from using labeled content.

Why this answer

Option C is correct because sensitivity labels can be configured with a label scope that excludes Copilot from accessing the labeled content. By applying a 'Confidential' sensitivity label with the 'Copilot' scope deselected, you instruct Microsoft 365 Copilot to ignore those documents during response generation, preventing it from surfacing sensitive internal information.

Exam trap

The trap here is that candidates confuse DLP policies (which block sharing) with Copilot access controls, or assume that removing documents or excluding them from search is sufficient, when in fact sensitivity labels with the Copilot scope are the precise mechanism to control Copilot’s data access.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies block sharing of sensitive data (e.g., via email or external sharing) but do not restrict Copilot’s internal access to documents for response generation. Option B is wrong because removing sensitive documents from SharePoint Online is a blunt, disruptive approach that breaks user access and collaboration, whereas the requirement is to restrict Copilot’s access while preserving normal user access. Option D is wrong because Microsoft Search exclusion controls search results for users but does not affect Copilot’s ability to index and retrieve content for response generation; Copilot uses its own semantic index, not the search index.

180
MCQ · easy

A company has an existing Microsoft 365 tenant with the verified custom domain 'contoso.com'. The administrator now wants to add a second custom domain, 'contoso-europe.com', to the same tenant. What is the first step the administrator should take?

A.Add the domain in the Microsoft 365 admin center.
B.Add a TXT verification record in the public DNS zone for 'contoso-europe.com'.
C.Add an MX record pointing to Exchange Online in the public DNS zone for 'contoso-europe.com'.
D.Contact Microsoft support to enable the domain addition feature.
Answer: A

The domain must first be added to the Microsoft 365 tenant to begin the verification process.

Why this answer

The first step to add a second custom domain to an existing Microsoft 365 tenant is to initiate the domain addition process in the Microsoft 365 admin center. This triggers the system to generate the unique TXT verification record that must be added to the public DNS zone to prove ownership of the domain. Without first adding the domain in the admin center, the administrator would not know the specific verification value required for the DNS record.

Exam trap

The trap here is that candidates often assume the first step is to create a DNS record (like TXT or MX) directly, but the correct sequence requires initiating the domain addition in the admin center first to obtain the necessary verification value.

How to eliminate wrong answers

Option B is wrong because adding a TXT verification record in the public DNS zone is the second step, not the first; the administrator must first add the domain in the admin center to obtain the unique verification string. Option C is wrong because adding an MX record pointing to Exchange Online is a post-verification step used to route email, and it is not required for domain ownership verification. Option D is wrong because Microsoft 365 allows domain addition without contacting support; the feature is enabled by default for all tenants with verified custom domains.

181
MCQ · medium

Your organization has a Microsoft 365 E5 tenant with 10,000 users. You need to ensure that when a user is detected as high-risk by Microsoft Entra ID Protection, the user is automatically blocked from accessing sensitive SharePoint sites. The solution should minimize administrative overhead. What should you do?

A.Create a Conditional Access policy targeting high-risk users, apply to SharePoint, and set 'Block access' or 'Use app enforced restrictions'.
B.Create a session policy in Microsoft Defender for Cloud Apps to block high-risk users from accessing SharePoint.
C.Configure a user risk policy in Microsoft Entra ID Protection to block sign-ins for high-risk users.
D.Deploy Microsoft Sentinel and create a custom analytics rule to trigger an automated response via Logic App.
Answer: A

Conditional Access can use user risk as a condition and restrict access to selected cloud apps like SharePoint.

Why this answer

Option A is correct because a Conditional Access (CA) policy can directly target 'High risk' users (via Microsoft Entra ID Protection risk detection) and apply to SharePoint. By setting the grant control to 'Block access' or 'Use app enforced restrictions', you automatically block or restrict access to sensitive SharePoint sites without manual intervention, minimizing administrative overhead. This integrates natively with Microsoft 365 and requires no additional services or custom scripting.

Exam trap

The trap here is that candidates often confuse a user risk policy in Entra ID Protection (which blocks all sign-ins globally) with a Conditional Access policy (which can target specific applications like SharePoint), leading them to choose Option C instead of A.

How to eliminate wrong answers

Option B is wrong because a session policy in Microsoft Defender for Cloud Apps (MCAS) can only monitor or control access in real time after the user is already authenticated; it does not natively block access based on Entra ID Protection risk level without additional configuration, and it introduces extra overhead. Option C is wrong because a user risk policy in Microsoft Entra ID Protection blocks sign-ins globally (i.e., prevents authentication entirely), which is too broad and would block the user from all applications, not just sensitive SharePoint sites. Option D is wrong because deploying Microsoft Sentinel and creating a custom analytics rule with a Logic App is overly complex and introduces significant administrative overhead, violating the 'minimize administrative overhead' requirement; the native CA policy is simpler and more efficient.

182
MCQ · medium

The exhibit shows a DLP policy configuration. A user reports that they cannot share a document containing a credit card number from OneDrive for Business. However, the document was shared successfully last week. What is the most likely reason for the change?

A.The DLP policy was recently deployed or updated.
B.The DLP policy requires administrator override for sharing.
C.The DLP policy is applied only to SharePoint Online, not OneDrive.
D.The DLP policy does not include Microsoft Teams.
Answer: A

The policy with block action was likely applied after the previous successful share.

Why this answer

The most likely reason is that the DLP policy was recently deployed or updated. DLP policies in Microsoft 365 are evaluated in near real-time, and a newly deployed or modified policy will immediately enforce its rules on content sharing. Since the document was shared successfully last week, the policy change is the most plausible cause for the sudden block.

Exam trap

The trap here is that candidates may assume DLP policies are static and only apply to new content, but Microsoft 365 DLP policies are dynamic and can affect existing shares when deployed or updated.

How to eliminate wrong answers

Option B is wrong because DLP policies do not require an administrator override for sharing; they either block or allow sharing based on policy rules, and an override is an optional feature that must be explicitly configured. Option C is wrong because DLP policies in Microsoft 365 can be applied to both SharePoint Online and OneDrive for Business, and the exhibit shows a policy that includes OneDrive. Option D is wrong because the question is about sharing from OneDrive for Business, not Microsoft Teams, and the policy's inclusion of Teams is irrelevant to the reported issue.

183
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically blocks downloads of files containing sensitive information from SharePoint Online to unmanaged devices. What type of policy should you create?

A.Session policy
B.Microsoft Purview Data Loss Prevention policy
C.Activity policy
D.File policy
Answer: A

Correct: Session policies can block downloads based on content inspection.

Why this answer

Session policies in Defender for Cloud Apps can monitor and control user sessions in real time, including blocking downloads based on content inspection. Option D is wrong because file policies are for alerts and governance actions on files at rest. Option C is wrong because activity policies trigger on events but do not control sessions.

Option B is wrong because a Microsoft Purview DLP policy is a broader tool, not a specific Defender for Cloud Apps policy type for this scenario.

184
MCQ · easy

Your company is using Microsoft 365 Business Premium. You want to ensure that all company-owned Windows 10 devices are automatically upgraded to Windows 11 when it becomes available through Windows Update. What should you configure?

A.Create a Windows 10 update ring policy in Intune that deploys quality updates.
B.Create a feature update policy for Windows 10 devices in Intune, targeting the Windows 11 version.
C.Create a device compliance policy in Intune that requires Windows 11.
D.Configure a Windows 11 readiness assessment in Microsoft Intune.
Answer: B

Feature update policies allow you to deploy OS feature upgrades.

Why this answer

A feature update policy in Intune is specifically designed to upgrade Windows devices from one version to another, such as from Windows 10 to Windows 11. By targeting the Windows 11 version in this policy, you ensure that eligible Windows 10 devices automatically receive the upgrade when it becomes available via Windows Update. This is the correct mechanism for controlling OS version upgrades in a Microsoft 365 Business Premium environment.

Exam trap

The trap here is that candidates often confuse update ring policies (which handle quality updates and deferral settings) with feature update policies (which are required for OS version upgrades), leading them to select option A instead of B.

How to eliminate wrong answers

Option A is wrong because a Windows 10 update ring policy for quality updates only manages monthly cumulative and security patches, not feature upgrades like moving from Windows 10 to Windows 11. Option C is wrong because a device compliance policy enforces security and configuration requirements on devices that are already enrolled, but it cannot trigger an OS upgrade; it only reports non-compliance if the OS version does not match the policy. Option D is wrong because a Windows 11 readiness assessment in Intune only evaluates hardware compatibility and provides a report, but it does not configure or deploy the actual upgrade to devices.

185
MCQ · medium

An administrator needs to delegate the ability to view sign-in logs, audit logs, and security recommendations to a junior admin without granting any other administrative permissions. The junior admin should not be able to reset passwords or modify settings. Which built-in Microsoft Entra role should the administrator assign?

A.Global Reader
B.Security Reader
C.Reports Reader
D.Security Administrator
Answer: B

Security Reader provides targeted read-only access to security features, including Azure AD sign-in logs, audit logs, and Microsoft 365 Defender recommendations. It is designed for monitoring without additional permissions.

Why this answer

The Security Reader role in Microsoft Entra ID is specifically designed to grant read-only access to security-related data, including sign-in logs, audit logs, and security recommendations, without allowing any write operations such as password resets or configuration changes. This makes it the correct choice for delegating visibility into security monitoring without administrative control.

Exam trap

The trap here is that candidates often confuse 'Reports Reader' (a non-existent role in Entra ID) with the actual Security Reader role, or they assume Global Reader includes all read permissions, forgetting that security-specific logs require a dedicated role.

How to eliminate wrong answers

Option A (Global Reader) is wrong because while it provides read-only access to many settings, it does not grant access to sign-in logs or audit logs by default; those require the Security Reader or a more privileged role. Option C (Reports Reader) is wrong because this role does not exist in Microsoft Entra ID; the closest is 'Reports Reader' in Exchange Online, which is unrelated to Entra ID sign-in or audit logs. Option D (Security Administrator) is wrong because it includes write permissions, such as the ability to modify security policies and reset passwords, which violates the requirement to only view logs and recommendations.

186
MCQ · medium

Your organization uses Microsoft 365 Defender for Office 365. You need to ensure that phishing emails reported by users are automatically submitted for analysis in Microsoft Defender XDR. What should you configure?

A.Modify the anti-phishing policy to include user-reported submissions.
B.Use the Attack simulation training to collect user reports.
C.Enable Safe Attachments policy to automatically submit reported messages.
D.Configure the User-reported messages settings in the Microsoft 365 Defender portal.
Answer: D

This setting controls how user-reported messages are submitted for analysis.

Why this answer

The User-reported messages settings in the Microsoft 365 Defender portal allow you to configure how user-reported phishing emails are handled. By enabling automatic submission to Microsoft for analysis, you ensure that reported messages are sent directly to the Microsoft security team for threat intelligence and policy tuning. This is the correct setting because it specifically controls the submission behavior for user-reported messages in Defender for Office 365.

Exam trap

The trap here is that candidates often confuse the anti-phishing policy (which handles detection settings) with the User-reported messages settings (which handles submission of user-reported emails), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because the anti-phishing policy controls protection settings like spoof intelligence and impersonation detection, not the submission of user-reported messages for analysis. Option B is wrong because Attack simulation training is used to create and manage simulated phishing campaigns, not to automatically submit real user-reported emails to Microsoft. Option C is wrong because Safe Attachments policy handles the scanning of email attachments in a sandbox environment, not the submission of user-reported messages for analysis.

187
MCQ · easy

Your company has a Microsoft 365 E5 tenant. You need to ensure that all external emails are marked with a warning banner at the top of the email body. What should you configure?

A. A Safe Attachments policy in Microsoft Defender for Office 365.
B. External email tagging in the Microsoft 365 Defender portal.
C. A DLP policy with a sensitive information type.
D. A mail flow rule (transport rule) to add a disclaimer.
Answer: D

Transport rules can append a warning banner to external emails.

Why this answer

Option D is correct because a mail flow rule (transport rule) in Exchange Online can be configured to prepend a disclaimer (warning banner) to the body of all external emails. This is the only mechanism that directly modifies the email body content for inbound or outbound messages based on sender/recipient criteria, such as when the sender is external to the organization.

Exam trap

The trap here is that candidates confuse 'external email tagging' (which adds a header or subject prefix) with adding a visible banner inside the email body, leading them to choose Option B instead of the correct mail flow rule.

How to eliminate wrong answers

Option A is wrong because Safe Attachments policies in Microsoft Defender for Office 365 are designed to detect and block malicious attachments, not to add visual warning banners to email bodies. Option B is wrong because External email tagging in the Microsoft 365 Defender portal adds an external tag to the email subject line or as a header, not a banner within the email body. Option C is wrong because a DLP policy with a sensitive information type is used to detect and protect sensitive data (e.g., credit card numbers) and can apply actions like blocking or notifying, but it cannot add a custom warning banner to the top of the email body.

188
MCQ · hard

Your company is planning to adopt Microsoft Copilot for Microsoft 365. The security team is concerned about data leakage. What must you implement to ensure that Copilot respects your organization's sensitivity labels and data classification?

A. Use Microsoft Defender for Cloud Apps to control Copilot
B. Configure Data Loss Prevention (DLP) policies
C. Deploy Microsoft Purview Information Protection with sensitivity labels
D. Enable Customer Lockbox
Answer: C

Copilot respects sensitivity labels to prevent data leakage.

Why this answer

Microsoft Purview Information Protection with sensitivity labels is the correct answer because Copilot for Microsoft 365 uses these labels to enforce data governance at the content level. When a sensitivity label is applied to a document or email, Copilot respects that label's encryption, marking, and access restrictions, preventing the model from generating responses that leak classified data. This is the foundational mechanism for ensuring Copilot adheres to your organization's data classification policies.

Exam trap

The trap here is that candidates often confuse DLP policies (which monitor and block data in transit or at rest) with sensitivity labels (which define and enforce data classification at the content level), leading them to choose DLP as the solution for controlling Copilot's behavior.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that provides visibility and control over cloud app usage, but it does not directly enforce sensitivity labels within Copilot's processing pipeline. Option B is wrong because Data Loss Prevention (DLP) policies detect and prevent sharing of sensitive data after it is created, but they do not control how Copilot accesses or uses labeled content at the time of generation. Option D is wrong because Customer Lockbox provides a control mechanism for Microsoft support personnel to access your data, but it has no role in governing how Copilot respects sensitivity labels or classification.

189
MCQ · easy

Your organization is deploying Microsoft 365 for a multinational company. You need to ensure users in different regions authenticate against the nearest Microsoft Entra ID endpoint for performance. What should you configure?

A. Add the appropriate regional subdomain (e.g., us.contoso.com) as a custom domain.
B. No additional configuration is required; Microsoft Entra ID automatically routes to the nearest endpoint.
C. Create a conditional access policy to route authentication to the nearest region.
D. Configure a traffic manager profile in Azure to route authentication requests.
Answer: B

Microsoft Entra ID uses global load balancing to direct users to the closest endpoint.

Why this answer

Microsoft Entra ID (formerly Azure AD) uses a global anycast network to automatically route authentication requests to the nearest available endpoint based on DNS resolution and network latency. No additional configuration is required because Entra ID's infrastructure is designed to provide optimal performance globally without manual traffic management.

Exam trap

The trap here is that candidates often overthink performance optimization and assume manual configuration (like custom domains or traffic managers) is needed, when Microsoft Entra ID's built-in anycast routing automatically handles regional proximity without any tenant-side setup.

How to eliminate wrong answers

Option A is wrong because adding a regional subdomain as a custom domain does not affect authentication routing; custom domains are used for user principal name (UPN) suffixes and email addresses, not for directing traffic to regional endpoints. Option C is wrong because Conditional Access policies control access based on conditions like location or device state, not the physical routing of authentication traffic to a nearest region. Option D is wrong because Azure Traffic Manager is used for load-balancing traffic to custom endpoints (e.g., web apps), but Microsoft Entra ID's authentication endpoints are managed by Microsoft and cannot be redirected via a Traffic Manager profile.

190
MCQ · medium

An organization has registered the domain contoso.com and added it to their Microsoft 365 tenant. What is the next step to use this domain for user email addresses?

A. Add a DNS TXT record provided by Microsoft to the domain registrar
B. Create user accounts with the new domain
C. Configure Exchange Online connectors
D. Set up MX records for email routing
Answer: A

Domain verification requires adding a specific TXT record to prove ownership of the domain.

Why this answer

After adding a custom domain to Microsoft 365, the domain's ownership must be verified by adding a specific DNS TXT record provided by Microsoft at the domain registrar. This verification proves you control the domain and is a prerequisite before you can assign user email addresses or configure other DNS records like MX. Without this step, Microsoft 365 will not trust the domain for email routing.

Exam trap

The trap here is that candidates often confuse domain verification (TXT record) with mail routing (MX record) and assume MX records are the immediate next step, but Microsoft 365 requires ownership proof before any DNS-based services can be configured.

How to eliminate wrong answers

Option B is wrong because creating user accounts with the new domain before verification will fail; Microsoft 365 rejects unverified domains for user creation. Option C is wrong because configuring Exchange Online connectors is an advanced step for hybrid or third-party mail flow, not the immediate next step after adding a domain. Option D is wrong because setting up MX records for email routing is done after domain verification, as MX records are used to direct incoming mail and require a verified domain to function correctly.

191
MCQ · easy

An administrator needs to configure the default anti-spam policy for all users in the Microsoft 365 Defender portal. Where should the administrator navigate to find these settings?

A. Email & collaboration > Policies & rules > Threat policies > Anti-spam
B. Email & collaboration > Policies & rules > Threat policies > Anti-phishing
C. Email & collaboration > Policies & rules > Threat policies > Anti-malware
D. Email & collaboration > Policies & rules > Threat policies > Safe Attachments
Answer: A

This is the correct location to manage anti-spam policies.

Why this answer

The default anti-spam policy is configured under Email & collaboration > Policies & rules > Threat policies > Anti-spam in the Microsoft 365 Defender portal. This is the correct location because anti-spam settings, including the default policy that applies to all users, are managed specifically within the Anti-spam section of Threat policies. The other options address different threat protection areas (anti-phishing, anti-malware, Safe Attachments) that do not contain spam filtering configurations.

Exam trap

The trap here is that candidates often confuse the Anti-spam policy with Anti-phishing or Anti-malware policies because all are under Threat policies, but each addresses a distinct security layer, and the question specifically asks for spam configuration.

How to eliminate wrong answers

Option B is wrong because Anti-phishing policies handle protection against phishing attacks, not spam filtering, and include settings like impersonation protection and spoof intelligence. Option C is wrong because Anti-malware policies manage malware detection and quarantine actions for malicious files, not spam classification. Option D is wrong because Safe Attachments policies are part of Microsoft Defender for Office 365 and focus on scanning email attachments in a sandbox environment, not on spam filtering.

192
MCQ · medium

You are the Microsoft 365 administrator for a multinational company. The company has deployed Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. Recently, the security team detected that a user's credentials were compromised and used to access SharePoint Online from an unusual location. You need to investigate the incident and determine the full scope of the breach. The solution must use Microsoft 365 Defender to correlate events. What should you do first?

A. Use the Microsoft Purview compliance portal to search for the user's activity in audit logs.
B. Use advanced hunting in the Microsoft 365 Defender portal to query for events related to the user across workloads.
C. Use Microsoft Defender for Cloud Apps to investigate the user's activity log.
D. Use Microsoft Sentinel to query the user's events from the workspace.
Answer: B

Advanced hunting allows correlation of events from Defender for Office 365, Defender for Cloud Apps, and Microsoft Entra ID.

Why this answer

Option B is correct because advanced hunting in the Microsoft 365 Defender portal allows you to query raw, cross-workload telemetry (e.g., from Identity, Exchange Online, SharePoint Online, and Defender for Cloud Apps) in a single Kusto Query Language (KQL) query. This is the most efficient first step to correlate events such as sign-ins, mailbox access, file downloads, and app sessions related to the compromised user, enabling you to determine the full scope of the breach across all Microsoft 365 services.

Exam trap

The trap here is that candidates often default to the audit log (Option A) because it is familiar from compliance scenarios, but the question explicitly requires correlation across workloads using Microsoft 365 Defender, which is only possible with advanced hunting's cross-table queries.

How to eliminate wrong answers

Option A is wrong because the Microsoft Purview compliance portal audit log search provides a limited, filtered view of audit records and does not natively correlate events across workloads like Identity, Defender for Cloud Apps, or advanced threat signals; it also lacks the raw telemetry and cross-query capabilities of advanced hunting. Option C is wrong because Microsoft Defender for Cloud Apps activity logs are scoped to cloud app sessions and do not include identity, mailbox, or endpoint events from other Defender workloads, making it insufficient for a full cross-workload investigation. Option D is wrong because Microsoft Sentinel is a separate SIEM that requires additional licensing, configuration, and data ingestion from Microsoft 365 Defender; it is not the first tool to use when the goal is to correlate events within the Microsoft 365 Defender portal itself.

193
Multi-Select · hard

Your company uses Microsoft Defender for Endpoint and wants to perform a live response on a device. Which THREE prerequisites must be met?

Select 3 answers
A. The user must be assigned a role that includes live response permissions
B. The device must be running a supported operating system (e.g., Windows 10 or newer)
C. The device must be managed by Microsoft Intune
D. The device must have Microsoft Defender Antivirus as the primary antivirus solution
E. The device must be onboarded to Microsoft Defender for Endpoint
Answers: A, B, E

Permissions are required to initiate live response sessions.

Why this answer

Option A is correct because live response in Microsoft Defender for Endpoint requires the user to be assigned a role that includes specific live response permissions, such as 'Live response' or 'Live response advanced' under the Microsoft 365 Defender role-based access control (RBAC). Without these permissions, the user cannot initiate a live response session, regardless of other configurations.

Exam trap

The trap here is that candidates often assume Intune management is required for live response, but Microsoft only requires the device to be onboarded to Defender for Endpoint and running a supported OS, with the user having the correct RBAC permissions.

194
MCQ · easy

An administrator wants to restrict which users in the organization can create Microsoft 365 groups. The requirement is that only members of the IT department (identified by the department attribute in Azure AD) should be able to create groups. Which configuration should the administrator use?

A. Azure AD > Groups > Group settings > Group creation settings.
B. Azure AD Identity Governance > Access reviews.
C. Azure AD > Groups > Naming policy.
D. Microsoft 365 admin center > Groups > Add group.
Answer: A

This setting allows you to restrict group creation to specific security groups.

Why this answer

Option A is correct because the Azure AD 'Group settings' blade includes a 'Group creation settings' option that allows administrators to restrict group creation to specific security groups. By configuring this setting, the administrator can limit group creation to only members of the IT department, identified by the department attribute in Azure AD, by placing those users into a designated security group.

Exam trap

The trap here is that candidates often confuse the 'Naming policy' (which controls group names) with the 'Group creation settings' (which controls who can create groups), or they mistakenly think that Access Reviews can enforce creation restrictions when it only reviews existing access.

How to eliminate wrong answers

Option B is wrong because Azure AD Identity Governance > Access reviews is used for periodic review and certification of access to groups, applications, and roles, not for controlling who can create groups. Option C is wrong because Azure AD > Groups > Naming policy enforces naming conventions and blocked words for groups, but does not restrict which users can create groups. Option D is wrong because the Microsoft 365 admin center > Groups > Add group is a manual creation interface for administrators and does not provide a tenant-wide policy to restrict group creation to specific users or departments.

195
MCQ · easy

You are planning a Microsoft 365 tenant migration from an on-premises Exchange environment. You need to minimize the impact on end users during the migration. Which migration approach should you use?

A. Perform a staged migration to move mailboxes in batches.
B. Deploy a hybrid Exchange configuration.
C. Perform a cutover migration to move all mailboxes at once.
D. Use an IMAP migration to migrate only email data.
Answer: A

Staged migration moves users in batches, minimizing impact.

Why this answer

A staged migration allows you to move mailboxes in batches, which minimizes end-user disruption by spreading the migration workload over time and enabling you to test and validate each batch before proceeding. This approach is ideal for organizations with many mailboxes that need to maintain continuity, as users in later batches remain fully functional in the on-premises environment until their turn.

Exam trap

The trap here is that candidates often mistake a 'hybrid configuration' for a migration method rather than a coexistence state, or they assume a 'cutover' is faster and thus less impactful, when in reality it causes the most disruption because every mailbox moves at once.

How to eliminate wrong answers

Option B is wrong because deploying a hybrid Exchange configuration is not a migration method itself; it establishes coexistence between on-premises and Exchange Online, which can be used with other migration types but adds complexity and is unnecessary if the goal is simply to minimize user impact during a full migration. Option C is wrong because a cutover migration moves all mailboxes at once, which causes a hard cutover with potential downtime and user disruption, making it unsuitable for minimizing impact. Option D is wrong because an IMAP migration only migrates email data (not calendar, contacts, or tasks) and does not support mailbox batching, leading to a less seamless user experience and missing critical mailbox items.

196
Multi-Select · easy

Your company is planning to use Copilot for Microsoft 365. Which THREE prerequisites are required for Copilot to function? (Choose three.)

Select 3 answers
A. Microsoft Entra ID (formerly Azure AD)
B. Microsoft Sentinel for security monitoring
C. Microsoft Intune for mobile device management
D. A Copilot for Microsoft 365 license assigned to each user
E. An active Microsoft 365 subscription (E3, E5, Business Premium, etc.)
Answers: A, D, E

Entra ID provides identity and authentication.

Why this answer

Microsoft Entra ID (formerly Azure AD) is required because Copilot for Microsoft 365 relies on Entra ID for authentication, identity management, and policy enforcement. Without Entra ID, Copilot cannot verify user identities, apply conditional access policies, or access Microsoft Graph to retrieve user and organizational data.

Exam trap

The trap here is that candidates confuse optional security or management services (Sentinel, Intune) with mandatory infrastructure (Entra ID), leading them to select non-essential components as prerequisites.

197
Multi-Select · medium

You are a Microsoft 365 administrator. You need to ensure that users can reset their own passwords without contacting the help desk. Which TWO components must be configured?

Select 2 answers
A. Configure Microsoft Entra ID Protection user risk policy
B. Microsoft Entra ID P1 or P2 licenses assigned to users
C. Azure AD Connect with password hash synchronization
D. Enable SSPR in the Microsoft Entra admin center
E. Enable password writeback in Azure AD Connect
Answers: B, D

SSPR requires P1 or P2 licensing.

Why this answer

Options B and D are correct. SSPR requires Microsoft Entra ID P1 or P2 licensing, and the SSPR feature must be enabled in the Microsoft Entra admin center. Option C is wrong because Azure AD Connect syncs identities but is not required for SSPR.

Option A is wrong because an Identity Protection user risk policy is not mandatory for SSPR, though, like MFA, it can be configured alongside it. Option E is wrong because password writeback is used to sync password changes back to on-premises; it is not required for cloud-only users.

198
MCQ · easy

A company has purchased 1000 Microsoft 365 E5 licenses and wants to automatically assign licenses to users based on their department attribute, which is synchronized from on-premises Active Directory. The department attribute is stored in Azure AD. Which automated method should the administrator use to achieve this?

A. Group-based licensing with dynamic groups
B. A scheduled PowerShell script that runs daily
C. Manual license assignment via the Microsoft 365 admin center
D. Bulk assign licenses using the admin center import feature
Answer: A

Correct. Dynamic groups automatically include users based on rules (e.g., department equals 'Sales'), and licenses assigned to the group are automatically applied.

Why this answer

Group-based licensing with dynamic groups is the correct method because it allows automatic license assignment based on user attributes like department, which is synchronized from on-premises Active Directory via Azure AD Connect. Dynamic groups evaluate membership rules in Azure AD, and when a user's department attribute matches the rule, the group-based licensing policy automatically assigns or removes the Microsoft 365 E5 license without manual intervention.

Exam trap

The trap here is that candidates often choose a scheduled PowerShell script (Option B) thinking it is more flexible or reliable, but they overlook that group-based licensing is the native, fully automated, and supported method for attribute-driven license assignment in Azure AD.

How to eliminate wrong answers

Option B is wrong because a scheduled PowerShell script that runs daily introduces latency (up to 24 hours) and requires ongoing maintenance, whereas group-based licensing provides near-real-time assignment and revocation. Option C is wrong because manual license assignment via the Microsoft 365 admin center is not automated and does not scale to 1000 users based on a dynamic attribute. Option D is wrong because bulk-assigning licenses with the admin center import feature is a one-time, static assignment based on a CSV file, not an automated method that responds to changes in the department attribute.

199
MCQ · easy

An administrator runs the PowerShell command shown in the exhibit. What is the immediate effect on the user?

A. The user is disabled after 90 days of inactivity.
B. The user is blocked from signing in immediately.
C. The user is deleted after 90 days of inactivity.
D. The user's password is reset.
Answer: B

Setting `BlockCredential` to `$true` blocks sign-in.

Why this answer

The PowerShell command `Set-MgUser -UserId user@domain.com -BlockCredential $true` immediately blocks the user from signing in by setting the `BlockCredential` property to true. This prevents any new authentication attempts, effectively locking the account without changing the password or deleting the user.

Exam trap

The trap here is that candidates confuse `BlockCredential` with disabling the account or setting an inactivity policy, but the command only blocks sign-in immediately without any time-based or deletion behavior.

How to eliminate wrong answers

Option A is wrong because the command does not set any inactivity-based disablement; that would require a different cmdlet like `Set-MgUser` with `-SignInActivity` or a conditional access policy. Option C is wrong because the command does not delete the user; deletion requires `Remove-MgUser`. Option D is wrong because the command does not reset the password; password reset requires `Update-MgUserPassword` or the admin portal.

200
MCQ · easy

A company has just signed up for Microsoft 365 Business Standard without adding a custom domain. An administrator needs to create the first user accounts. What will be the default email address format for these new users?

A. username@contoso.com
B. username@onmicrosoft.com
C. username@<tenantname>.onmicrosoft.com
D. username@microsoftonline.com
Answer: C

By default, new users get email addresses using the initial domain, which is tenantname.onmicrosoft.com.

Why this answer

When a Microsoft 365 tenant is created without adding a custom domain, the default domain is the `<tenantname>.onmicrosoft.com` domain. New user accounts are automatically assigned an email address in the format `username@<tenantname>.onmicrosoft.com`, as this is the initial domain provisioned for the tenant. Option C correctly reflects this default behavior.

Exam trap

The trap here is that candidates often confuse the default `onmicrosoft.com` domain with the generic `microsoftonline.com` domain used for Azure AD authentication, or assume a custom domain like `contoso.com` is automatically assigned, leading them to select A or D instead of recognizing the tenant-specific subdomain format.

How to eliminate wrong answers

Option A is wrong because `contoso.com` is a custom domain that must be explicitly added and verified in the tenant; it is not the default domain when no custom domain is configured. Option B is wrong because `onmicrosoft.com` is a Microsoft-owned domain used for services like Outlook, but the tenant-specific subdomain (e.g., `contoso.onmicrosoft.com`) is required; a bare `@onmicrosoft.com` address is not valid for a tenant. Option D is wrong because `microsoftonline.com` is the domain used for Azure AD authentication endpoints (e.g., login.microsoftonline.com), not for user email addresses.

201
MCQ · hard

You are a Microsoft 365 administrator. Your tenant has a Microsoft Entra ID P2 license. You need to create a dynamic group for all users whose department is 'Engineering' and who are located in the United States. Which rule syntax should you use?

A. user.department -eq "Engineering" and user.country -eq "US"
B. user.department -eq "Engineering" And user.country -eq "United States"
C. user.department -eq "Engineering" and user.country -eq "United States"
D. user.department -eq "Engineering" AND user.country -eq "United States"
Answer: C

Correct syntax using lower case 'and' and proper property values.

Why this answer

Option C is correct because dynamic group rules in Microsoft Entra ID require the use of lowercase 'and' as the logical operator, and the country attribute value must match the display name 'United States' as stored in the directory. The rule syntax must follow the property -operator 'value' format exactly, with no capitalization of 'and'.

Exam trap

The trap here is that candidates often confuse the country attribute value with the two-letter ISO code 'US' or incorrectly capitalize the logical operator 'and', leading them to choose options that would fail validation or produce incorrect membership results.

How to eliminate wrong answers

Option A is wrong because it uses 'US' as the country value, but Microsoft Entra ID stores the country attribute as the full display name 'United States', not the two-letter ISO code. Option B is wrong because it capitalizes the operator as 'And', but dynamic group rules require the logical operator to be all lowercase 'and'. Option D is wrong because it uses the uppercase 'AND', but the rule syntax mandates the lowercase 'and' operator.

202
Multi-Select · hard

You are implementing Microsoft Defender for Office 365. You need to configure anti-phishing policies to protect against user impersonation. Which THREE settings should you configure?

Select 3 answers
A. Enable impersonation protection for domains you own.
B. Enable mailbox intelligence to detect impersonation based on user behavior.
C. Set the bulk email threshold.
D. Enable impersonation protection for users who are defined as protected users.
E. Configure spoof intelligence to allow or block senders.
Answers: A, B, D

Protects against impersonation of your own domains.

Why this answer

Option A is correct because enabling impersonation protection for domains you own allows Defender for Office 365 to detect and act on attempts to spoof your organization's domain in the From address. This setting ensures that emails claiming to be from your domain are inspected for impersonation patterns, such as lookalike domains or display name spoofing, and can be automatically quarantined or have safety tips applied.

Exam trap

The trap here is that candidates confuse anti-phishing settings with anti-spam or spoof intelligence settings, mistakenly selecting bulk email threshold or spoof intelligence when the question explicitly targets user impersonation protection.

203
Multi-Select · easy

You are implementing Microsoft Purview Data Lifecycle Management. You need to retain all emails for a minimum of 5 years but automatically delete them after 7 years. Which TWO actions should you configure?

Select 2 answers
A. Use Messaging Records Management (MRM) retention policies.
B. Create a retention policy with 'Delete items after 7 years'.
C. Create a retention tag for emails with 'Keep for 5 years'.
D. Configure a sensitivity label for the emails.
E. Place the mailbox on litigation hold.
Answers: B, C

Correct: This deletes emails after 7 years.

Why this answer

A retention tag with 'Keep for 5 years' and a retention policy with 'Delete items after 7 years' together define a minimum retention of 5 years and a maximum of 7 years. Option E is wrong because litigation hold prevents deletion. Option D is wrong because a sensitivity label is not related to retention. Option A is wrong because MRM policies are for on-premises, not Purview.

204
MCQ · hard

An administrator creates a Conditional Access policy as shown in the exhibit. A user reports that they can still access Exchange Online using Outlook (modern authentication). Why does the policy not block the user?

A. The policy is not assigned to any users or groups.
B. The grant control is set to 'Require multi-factor authentication' instead of 'Block'.
C. The client app type for modern authentication is not specified in the policy.
D. Exchange ActiveSync is not included in the policy.
Answer: C

Modern authentication client app type (e.g., 'browser' or 'mobileAppsAndDesktopClients') is not included; only legacy protocols are blocked.

Why this answer

Option C is correct because the Conditional Access policy does not include the 'Modern authentication clients' client app type. Without this selection, the policy does not apply to modern authentication protocols like OAuth 2.0, which Outlook (modern authentication) uses. The policy only targets the default 'Browser' and 'Mobile apps and desktop clients' categories, but the specific 'Modern authentication clients' toggle must be enabled to enforce controls on apps using modern auth.

Exam trap

The trap here is that candidates assume selecting 'Mobile apps and desktop clients' automatically covers all non-browser apps, including those using modern authentication, but Microsoft requires the explicit 'Modern authentication clients' toggle to enforce policies on OAuth 2.0-based traffic.

How to eliminate wrong answers

Option A is wrong because the exhibit shows the policy is assigned to 'All users', so user/group assignment is not the issue. Option B is wrong because the grant control is set to 'Block', not 'Require multi-factor authentication', as shown in the exhibit. Option D is wrong because Exchange ActiveSync is a separate client app type that is not relevant here; the policy already includes 'Exchange ActiveSync clients' in the exhibit, but the issue is that modern authentication clients are not explicitly targeted.

205
MCQ · easy

Your organization has a Microsoft 365 E5 tenant. You need to set up a shared mailbox for the IT help desk (helpdesk@contoso.com). The help desk team needs to monitor the mailbox and respond to emails. What is the recommended way to grant access to the shared mailbox?

A. Assign an Exchange Online license to each help desk user and grant them Full Access via PowerShell.
B. Create a security group and add it to the shared mailbox permissions.
C. Add the help desk users as members of the shared mailbox from the Exchange admin center.
D. Create a distribution group containing the help desk users and grant the group access to the mailbox.
Answer: C

Members automatically get Full Access and Send As permissions.

Why this answer

Option C is correct because the recommended method to grant access to a shared mailbox in Exchange Online is to add users as members directly from the Exchange admin center (EAC). This automatically assigns the necessary Full Access and Send As permissions without requiring licenses for each user, as shared mailboxes can be accessed by licensed users without needing a separate license for the mailbox itself.

Exam trap

The trap here is that candidates often confuse distribution groups with security groups or assume that licensing is required for each user accessing a shared mailbox, leading them to select PowerShell or group-based options instead of the straightforward member addition in the Exchange admin center.

How to eliminate wrong answers

Option A is wrong because assigning an Exchange Online license to each help desk user is unnecessary and costly; shared mailboxes do not require licenses for users to access them, and granting Full Access via PowerShell is not the recommended approach when the EAC provides a simpler method. Option B is wrong because security groups cannot be directly added to shared mailbox permissions in Exchange Online; shared mailbox permissions must be granted to individual user accounts or mail-enabled security groups, but the latter is not a standard supported method for shared mailboxes. Option D is wrong because distribution groups are designed for email distribution, not for granting access permissions to a mailbox; they cannot be assigned Full Access or Send As permissions to a shared mailbox.

206
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Line-of-Business (LOB) app to a group of devices. The app is not in the Microsoft Store. What is the recommended method to deploy the app?

A.Add the app as a Microsoft Store app (business) in Intune.
B.Use Group Policy to deploy the app via a network share.
C.Publish the app to the Microsoft Store for Business and assign it.
D.Upload the app package to Intune as a Line-of-Business app and assign it to the device group.
AnswerD

Correct: This is the standard method for deploying LOB apps via Intune.

Why this answer

Option D is correct because Intune natively supports deploying custom Line-of-Business (LOB) apps by uploading the app package (e.g., .msi, .exe, .appx) directly into the Intune console and assigning it to a device group. This method is the recommended approach for apps not available in the Microsoft Store, as it leverages Intune's mobile device management (MDM) capabilities to push the app to Windows 10 devices without requiring external infrastructure like Group Policy or the Microsoft Store for Business.

Exam trap

The trap here is that candidates may confuse the Microsoft Store for Business (now Microsoft Store) as a viable publishing platform for custom LOB apps, not realizing that the store only accepts apps that meet Microsoft's submission requirements and is not designed for internal, proprietary applications.

How to eliminate wrong answers

Option A is wrong because adding the app as a Microsoft Store app (business) in Intune is intended for apps that are already available in the Microsoft Store for Business, not for custom LOB apps that are not in the store. Option B is wrong because Group Policy deployment via a network share is a traditional on-premises method that does not integrate with Intune's cloud-based MDM, and it requires devices to be domain-joined and connected to the corporate network, which is not recommended for modern, cloud-managed environments. Option C is wrong because publishing a custom LOB app to the Microsoft Store for Business is not supported; the store only accepts apps that meet specific submission criteria and are not intended for internal, proprietary line-of-business applications.

207
Drag & Dropmedium

Drag and drop the steps to configure role-based access control (RBAC) in Microsoft 365 Defender in the correct order.


Why this order

RBAC roles are created/edited in Defender, permissions assigned, and then assigned to users/groups.

208
Multi-Selecteasy

Your organization needs to manage guest access to Microsoft Teams. Which TWO methods can you use to control guest access?

Select 2 answers
A.Use sensitivity labels to restrict guest access.
B.Configure SharePoint Online external sharing settings.
C.Enable guest access in the Teams admin center.
D.Set conditional access policies for guest users.
E.Configure external collaboration settings in Microsoft Entra ID.
AnswersC, E

This allows guests to be added to teams.

Why this answer

Option C is correct because enabling guest access in the Teams admin center is a required step to allow guest users to join Teams. Without this toggle enabled, guest access is blocked at the Teams level regardless of other settings. This setting works in conjunction with Microsoft Entra ID external collaboration settings to control guest access.

Exam trap

The trap here is that candidates often confuse the separate layers of control—Teams-specific settings (admin center) versus tenant-wide identity settings (Entra ID)—and may think that only one of these two correct options is needed, or that SharePoint settings (Option B) are sufficient for Teams guest access.

209
MCQeasy

An administrator adds the custom domain 'fabrikam.com' to a new Microsoft 365 tenant. After adding the domain, the status shows 'Pending verification'. Which type of DNS record must be added to the public DNS zone to complete domain ownership verification?

A.MX record
B.TXT record
C.CNAME record
D.SPF record
AnswerB

A TXT record with the verification string is added to the domain's DNS zone to confirm ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record with a specific verification value provided by the Microsoft 365 admin center to the public DNS zone. This proves you control the domain because only the domain owner can modify DNS records. Other record types like MX, CNAME, or SPF are used for mail routing or service configuration, not for ownership verification.

Exam trap

The trap here is that candidates confuse the verification TXT record with other TXT-based records like SPF or DKIM, or assume any DNS record type can be used for verification, but Microsoft specifically requires a TXT record with a unique token for domain ownership proof.

How to eliminate wrong answers

Option A is wrong because MX records are used to specify mail exchange servers for email routing, not for domain ownership verification. Option C is wrong because CNAME records alias one domain name to another and are not used for verification; they are typically used for service-specific configurations like autodiscover. Option D is wrong because SPF records are a type of TXT record used to authorize sending servers for email authentication, but the verification process requires a specific TXT record with a unique token, not an SPF record.

210
MCQeasy

An organization has just purchased Microsoft 365 Business Standard licenses. The administrator adds a new user through the admin center. By default, does the new user receive a welcome email with sign-in instructions?

A.Yes, always, regardless of how the user is created.
B.Yes, if the administrator does not clear the 'Send welcome email' checkbox during user creation.
C.No, the administrator must manually send the welcome email using a script.
D.No, welcome emails are only sent when using the 'Add multiple users' option.
AnswerB

The admin center has a checkbox labeled 'Send welcome email in email' that is checked by default. Unchecking it will suppress the email.

Why this answer

When an administrator adds a new user through the Microsoft 365 admin center, the default behavior is to send a welcome email containing the user's sign-in name and temporary password. The administrator can opt out by clearing the 'Send welcome email in email' checkbox during the creation process. Therefore, the user receives the email unless the administrator explicitly deselects that option.

Exam trap

The trap here is that candidates may assume the welcome email is always sent or never sent, overlooking the specific checkbox control that allows the administrator to suppress the email during user creation.

How to eliminate wrong answers

Option A is wrong because the welcome email is not always sent; it depends on the checkbox state during user creation, and if the user is created via other methods (e.g., PowerShell, bulk CSV import), the email may not be sent by default. Option C is wrong because the administrator does not need to manually send the email using a script; the admin center provides a built-in checkbox to control sending, and the email is sent automatically unless the checkbox is cleared. Option D is wrong because the welcome email is sent for single user creation as well, not only when using the 'Add multiple users' option; the checkbox exists in both single and bulk creation flows.

211
MCQhard

You have a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover unsanctioned cloud apps used by users. What should you configure?

A.Conditional Access App Control
B.Microsoft Purview Data Loss Prevention
C.Microsoft Defender for Endpoint App Control
D.Microsoft Defender for Cloud Apps Cloud Discovery
AnswerD

Cloud Discovery identifies unsanctioned apps from traffic logs.

Why this answer

Microsoft Defender for Cloud Apps Cloud Discovery is the correct feature for identifying unsanctioned cloud apps used in your environment. It analyzes traffic logs from your network or endpoints to discover all cloud app usage, categorizes them by risk, and allows you to sanction or unsanction them. This directly fulfills the requirement to discover unsanctioned cloud apps.

Exam trap

The trap here is that candidates confuse Conditional Access App Control (a policy enforcement mechanism for sanctioned apps) with Cloud Discovery (the actual discovery and risk assessment feature), leading them to select Option A instead of the correct answer.

How to eliminate wrong answers

Option A is wrong because Conditional Access App Control is a session-level policy enforcement feature that works with sanctioned apps to control access and data exfiltration, not a discovery tool for finding unsanctioned apps. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent sensitive data from being shared or leaked, not to discover or inventory cloud app usage. Option C is wrong because Microsoft Defender for Endpoint App Control (Windows Defender Application Control) is a host-based security feature that controls which executables can run on Windows devices, not a cloud app discovery mechanism.

212
MCQmedium

The exhibit shows a KQL query used in Microsoft 365 Defender. The query returns no results for admin@contoso.com. What is the most likely reason?

A.The user does not have the Global Administrator role.
B.The KQL query syntax is invalid.
C.The role name in the query is misspelled.
D.Microsoft Defender for Identity is not enabled for the tenant.
AnswerD

The IdentityInfo table relies on Defender for Identity data.

Why this answer

The KQL query uses the `IdentityLogonEvents` table, which is populated by Microsoft Defender for Identity (MDI). If MDI is not enabled for the tenant, this table contains no data, so the query returns no results regardless of the user's role or query syntax. The query itself is syntactically correct and the role name 'GlobalAdministrator' is valid, but without MDI being provisioned, the table is empty.

Exam trap

The trap here is that candidates often assume a query returning no results must have a syntax error or a misspelled value, when in fact the underlying data source (Defender for Identity) may not be provisioned, causing the table to be empty.

How to eliminate wrong answers

Option A is wrong because the query filters on the `AccountUpn` field, not on administrative roles; even if the user lacks the Global Administrator role, the query would still return logon events for that user if MDI were enabled. Option B is wrong because the KQL syntax is valid: it correctly uses the `where` operator with a string comparison and a logical `and` to filter on `ActionType`. Option C is wrong because 'GlobalAdministrator' is the correct role name as stored in the `AccountSid` or related fields in Defender for Identity; a misspelling would cause a syntax error or no match, but the query returns no results for a valid user, indicating the data source itself is missing.

213
MCQmedium

A Global Administrator signs in to the Microsoft 365 admin center but is not prompted for MFA. The policy in the exhibit is the only Conditional Access policy. What is the most likely reason?

A.The Microsoft 365 admin center is not included in the policy.
B.The administrator is connecting from a trusted IP address that is excluded from MFA.
C.The policy does not include the Global Administrator role.
D.The policy is in 'report-only' mode.
AnswerB

If the admin is on a trusted network, MFA might be bypassed if the policy has location exclusions.

Why this answer

The policy targets 'All' applications, and the Microsoft 365 admin center is accessed as a browser app, so it should be covered. However, if the administrator has configured trusted IPs or a location-based exclusion, MFA might be skipped. Option B is a common reason.

Option A is incorrect because the admin center is included via 'All' applications. Option C is incorrect because the policy includes Global Administrator. Option D is incorrect because the policy is enabled, not in report-only mode.

214
MCQmedium

A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?

A.Azure AD Connect
B.Exchange Hybrid Configuration Wizard
C.Microsoft 365 Admin Center
D.Exchange Admin Center
AnswerB

This wizard guides through the steps to establish a hybrid relationship between on-premises Exchange and Exchange Online, including mail flow and free/busy sharing.

Why this answer

The Exchange Hybrid Configuration Wizard (HCW) is the correct tool because it automates the configuration of coexistence features between on-premises Exchange and Exchange Online, including mail flow routing, free/busy sharing, and OAuth authentication. It generates the necessary connectors and settings to support a hybrid deployment, ensuring seamless mail flow during migration.

Exam trap

The trap here is that candidates often confuse Azure AD Connect's directory synchronization role with hybrid mail flow configuration, assuming it handles all hybrid setup, when in fact it only syncs objects and does not configure Exchange-specific routing or coexistence.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect synchronizes directory objects (users, groups) but does not configure mail flow or hybrid coexistence settings between Exchange environments. Option C is wrong because the Microsoft 365 Admin Center provides high-level tenant management and licensing but lacks the granular Exchange-specific hybrid configuration capabilities. Option D is wrong because the Exchange Admin Center (EAC) in Exchange Online or on-premises can manage individual connectors and settings but does not provide the guided, automated workflow of the HCW for establishing a full hybrid deployment.

215
MCQeasy

A new administrator needs to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The Sales department is identified by the 'department' attribute in Azure AD. Which licensing method should the administrator use to minimize manual effort?

A.Manual license assignment per user
B.Group-based licensing using a dynamic group
C.PowerShell script to assign licenses
D.Bulk license assignment via CSV file
AnswerB

Dynamic groups automatically update membership based on attributes, and group-based licensing assigns licenses to all members.

Why this answer

Group-based licensing using a dynamic group is the correct method because it automatically assigns Microsoft 365 E5 licenses to all users in the Sales department based on the 'department' attribute in Azure AD. Dynamic groups evaluate membership rules in real time, so when a user's department attribute is set to 'Sales', the license is assigned without manual intervention. This minimizes administrative effort by eliminating the need for per-user or batch operations.

Exam trap

The trap here is that candidates often choose PowerShell scripting (Option C) thinking it is the most automated method, but they overlook that group-based licensing provides true zero-touch, attribute-driven automation without requiring custom code or scheduled tasks.

How to eliminate wrong answers

Option A is wrong because manual license assignment per user requires an administrator to individually assign licenses to each Sales department user, which is labor-intensive and does not scale. Option C is wrong because a PowerShell script, while automatable, still requires manual execution or scheduling and does not provide real-time, attribute-based automatic assignment like group-based licensing does. Option D is wrong because bulk license assignment via CSV file is a one-time operation that does not automatically handle new users or attribute changes, requiring repeated manual exports and imports.

216
MCQhard

You are a Microsoft 365 administrator. Users report that they cannot create Microsoft Teams meetings using the Teams desktop client. They receive an error: 'Meeting creation is disabled by your IT administrator.' You need to enable meeting creation. You check the Teams admin center and find that meeting policies are set to 'Off' for 'Allow private meeting scheduling'. However, after changing it to 'On', users still get the error. What is the most likely cause?

A.The user does not have an OAuth 2.0 token.
B.The global meeting policy is overriding the user-level policy.
C.The user's mailbox is still on-premises and not migrated to Exchange Online.
D.The user does not have a Microsoft Teams license assigned.
AnswerC

Teams meeting scheduling relies on an Exchange Online mailbox; if the mailbox is on-premises, the Teams policy cannot be enforced.

Why this answer

The error persists because the user's mailbox is still on-premises and not migrated to Exchange Online. Microsoft Teams relies on Exchange Online for scheduling features, including private meeting creation. Even with the meeting policy set to 'On', if the mailbox is on-premises, the Teams client cannot communicate with Exchange Online to create the meeting, resulting in the error.

Exam trap

The trap here is that candidates often assume changing the meeting policy in the Teams admin center is sufficient, overlooking the critical dependency on Exchange Online for Teams calendar features, which is a common misconfiguration in hybrid environments.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 tokens are used for authentication and authorization, not for enabling or disabling meeting creation; the error is policy-related, not token-related. Option B is wrong because the global meeting policy only applies if no user-level policy is assigned; if a user-level policy is explicitly set to 'On', it should override the global policy, so this would not cause the error. Option D is wrong because if the user lacked a Teams license, they would not be able to access the Teams desktop client at all, or would see a different error about licensing, not a specific meeting creation disabled error.

217
MCQeasy

Your company is deploying Microsoft 365 for a new subsidiary with 500 users. You need to configure the initial tenant with a custom domain (contoso.com) and verify ownership. What is the first step you must perform?

A.Delegate the contoso.com zone to Microsoft 365 DNS servers.
B.Create user accounts with the custom domain before verification.
C.Add a TXT record provided by Microsoft 365 to the contoso.com DNS zone.
D.Set contoso.com as the default domain in the Microsoft 365 admin center.
AnswerC

Verification requires adding a DNS record provided by the domain setup wizard.

Why this answer

To verify ownership of a custom domain in Microsoft 365, you must prove you control the domain's DNS zone. Microsoft provides a unique TXT record value that you add to the public DNS zone of contoso.com. Once the TXT record propagates, Microsoft queries it and confirms ownership, allowing you to proceed with domain configuration.

Exam trap

The trap here is that candidates may confuse the order of operations, thinking they can set the domain as default or create users first, but Microsoft 365 strictly requires domain ownership verification before any domain-based configuration can proceed.

How to eliminate wrong answers

Option A is wrong because delegating the entire contoso.com zone to Microsoft 365 DNS servers is not the first step; delegation is optional and only performed after domain verification if you want Microsoft to manage your DNS records. Option B is wrong because you cannot create user accounts with a custom domain before the domain is verified; Microsoft 365 will reject the domain until ownership is proven. Option D is wrong because setting contoso.com as the default domain requires the domain to already be verified; attempting to set it before verification will fail.

218
MCQeasy

A company wants to prevent their Microsoft 365 tenant from allowing external users to be invited by default. Only specific administrators should be able to invite guests. Which setting should be changed?

A.External Identities – External collaboration settings
B.Conditional Access policy to block external users
C.Tenant restrictions
D.B2B direct connect
AnswerA

This setting controls who can invite guest users; it can be changed to restrict invitations to administrators.

Why this answer

The correct setting is under External Identities – External collaboration settings, specifically the 'Guest invite settings' option. By default, this is set to 'Anyone in the organization can invite guest users including guests and non-admins'. Changing it to 'Only users assigned to specific admin roles can invite guest users' restricts guest invitations to designated administrators, meeting the requirement to prevent default external user invitations.

Exam trap

The trap here is that candidates often confuse 'blocking external users' via Conditional Access (Option B) with controlling the invitation process, but Conditional Access only applies after the user is already in the directory, not to the invitation permission itself.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access conditions (like location or device compliance) after a user is already in the tenant, not the ability to invite external users. Option C is wrong because Tenant restrictions control inbound/outbound access to external tenants via HTTP headers, not the invitation process within the same tenant. Option D is wrong because B2B direct connect is a feature for Teams Connect shared channels that allows external users to access resources without being invited as guests; it does not control guest invitation settings.

219
MCQmedium

Your organization has a Microsoft 365 tenant with 5,000 users. You need to plan for tenant migration from an on-premises Exchange environment. You have a limited maintenance window and want to minimize user impact. Which approach should you recommend?

A.Perform a staged migration.
B.Perform an IMAP migration.
C.Perform a cutover migration.
D.Use a hybrid configuration.
AnswerA

Staged migration allows batch migration with minimal user impact and is suitable for organizations with up to 5,000 users.

Why this answer

A staged migration is the best choice because it allows you to move mailboxes in batches over a limited maintenance window, minimizing user impact by keeping the majority of users on-premises until their specific batch is migrated. This approach supports up to 2,000 mailboxes per batch and requires a cutover period of only a few hours per batch, making it ideal for an organization with 5,000 users where a single cutover window is not feasible.

Exam trap

The trap here is that candidates often confuse 'cutover migration' with 'staged migration' because both involve a final cutover step, but cutover requires all mailboxes to be migrated at once, while staged allows batching to fit a limited maintenance window.

How to eliminate wrong answers

Option B is wrong because an IMAP migration only migrates email data (not calendar, contacts, or tasks) and requires users to reconfigure their Outlook profiles, causing significant user impact and no support for a limited maintenance window. Option C is wrong because a cutover migration requires migrating all 5,000 mailboxes in a single synchronization window (typically up to 72 hours) and a final cutover period, which exceeds a limited maintenance window and causes downtime for all users simultaneously. Option D is wrong because a hybrid configuration is not a migration method but a long-term coexistence architecture that requires ongoing directory synchronization and Exchange Hybrid Server setup, which is overkill for a simple migration and does not directly address the limited maintenance window requirement.

220
MCQhard

Contoso is a multinational company with 50,000 users. They have a Microsoft 365 E5 subscription and use Microsoft Entra ID for identity. They recently deployed Microsoft Copilot for Microsoft 365 to 10,000 users. The security team wants to ensure that Copilot responses do not expose sensitive information. They also need to monitor Copilot usage for unusual activity. The company uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to configure the environment to meet these requirements. Which action should you take?

A.Create a Microsoft Purview DLP policy that includes Copilot as a location.
B.Configure a Conditional Access policy to restrict Copilot to managed devices.
C.Enable session monitoring in Microsoft Defender for Cloud Apps for Copilot.
D.Create sensitivity labels and auto-labeling policies for Copilot.
AnswerA

Correct: DLP policies can monitor and block sensitive data in Copilot interactions.

Why this answer

Option A is correct because Microsoft Purview Data Loss Prevention (DLP) policies can include Microsoft Copilot for Microsoft 365 as a location, allowing the security team to detect and prevent sensitive information from being exposed in Copilot responses. This directly addresses the requirement to ensure Copilot responses do not expose sensitive data by scanning and blocking content based on sensitivity labels or sensitive info types.

Exam trap

The trap here is that candidates often confuse monitoring (Defender for Cloud Apps session monitoring) with prevention (DLP), or assume that sensitivity labels alone can block sensitive data in Copilot responses without a DLP policy explicitly targeting Copilot as a location.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies restrict access based on device compliance or location, but they do not prevent sensitive information from appearing in Copilot responses; they only control who can access Copilot, not what data is exposed. Option C is wrong because session monitoring in Microsoft Defender for Cloud Apps provides visibility into user sessions and can detect anomalous behavior, but it does not proactively block sensitive data in Copilot responses; it is more about monitoring usage for unusual activity, which is a separate requirement. Option D is wrong because creating sensitivity labels and auto-labeling policies for Copilot helps classify and protect data, but without a DLP policy that includes Copilot as a location, the labels alone do not enforce blocking or warning actions when sensitive data is shared via Copilot responses.

221
MCQmedium

A company adds and verifies the custom domain 'contoso.com' in their Microsoft 365 tenant. However, emails sent to new users at user@contoso.com bounce back. The existing MX record for contoso.com points to the on-premises mail server. What is the most likely cause of the bounce?

A.The domain verification failed and needs to be repeated
B.The MX record must be updated to point to Exchange Online
C.Users must be added to the domain in the admin center
D.The SPF record is missing or misconfigured
AnswerB

The MX record determines where incoming emails are sent. It must point to Exchange Online for delivery to Microsoft 365 mailboxes.

Why this answer

B is correct because the MX record for contoso.com still points to the on-premises mail server. When a user is created in Exchange Online with the domain contoso.com, inbound email is routed according to the MX record. Since the MX record directs mail to the on-premises server, which does not have a mailbox for the new user, the message bounces.

To deliver mail to Exchange Online, the MX record must be updated to point to Exchange Online (e.g., contoso-com.mail.protection.outlook.com).

Exam trap

The trap here is that candidates often confuse domain verification (a one-time DNS check) with ongoing mail routing (MX record), leading them to think verification failure is the cause, when in fact the MX record is the direct culprit.

How to eliminate wrong answers

Option A is wrong because domain verification is a one-time DNS TXT record check; once verified, it remains valid and does not cause email bounces for new users. Option C is wrong because users are already added to the domain in the admin center (the question states 'adds and verifies the custom domain'), and adding users does not affect mail routing. Option D is wrong because a missing or misconfigured SPF record can cause email to be rejected or marked as spam, but it does not cause a bounce due to the MX record pointing to the wrong server; the immediate cause is the MX record destination.

222
Multi-Selecteasy

Which TWO tools can be used to manage Microsoft 365 tenant settings and configurations?

Select 2 answers
A.Microsoft 365 admin center
B.Exchange admin center (EAC)
C.SharePoint admin center
D.Microsoft 365 PowerShell
E.Microsoft Intune admin center
AnswersA, D

The admin center manages tenant-wide settings.

Why this answer

The Microsoft 365 admin center is the primary web-based portal for managing tenant-wide settings such as user licensing, domain management, service health, and security policies. It provides a unified dashboard for configuring core tenant configurations without requiring role-specific consoles.

Exam trap

The trap here is that candidates often confuse role-specific admin centers (like EAC or SharePoint admin center) with the tenant-wide Microsoft 365 admin center, assuming any admin center can manage all tenant settings, whereas each is scoped to its own service.

223
MCQeasy

A company has recently signed up for Microsoft 365 Business Premium. They want to change the default domain from onmicrosoft.com to a custom domain they own. Which step must be completed first before the custom domain can be used for user email addresses?

A. Add the custom domain in the Microsoft 365 admin center
B. Verify domain ownership by adding a TXT record to the domain's DNS
C. Create user accounts with the new domain as their primary email
D. Configure email exchange records (MX)
Answer: A

Adding the domain is the first step; verification follows.

Why this answer

Before a custom domain can be used for user email addresses in Microsoft 365, the domain must first be added to the tenant in the Microsoft 365 admin center. This step creates a domain object in Azure AD that allows Microsoft to associate the domain with your tenant and prepare for ownership verification. Without adding the domain first, subsequent steps like DNS verification or user creation cannot proceed because the system has no record of the domain.

Exam trap

The trap here is that candidates often confuse the order of operations, assuming DNS verification (Option B) is the first step, but Microsoft 365 requires the domain to be added to the tenant as a prerequisite before any DNS records can be validated.

How to eliminate wrong answers

Option B is wrong because verifying domain ownership by adding a TXT record is a required step, but it must occur after the domain is added in the admin center; you cannot verify a domain that hasn't been registered in the tenant. Option C is wrong because creating user accounts with the new domain as their primary email is a later step that requires the domain to be both added and verified first. Option D is wrong because configuring MX records is part of the final DNS configuration for mail routing, which depends on the domain being verified and the tenant ready to accept mail.

224
MCQ · hard

Your company has implemented Microsoft Entra ID tenant restrictions to prevent data exfiltration. You need to ensure that external users from a partner organization can access a SharePoint Online site without being blocked by tenant restrictions. What should you do?

A. Add the partner tenant ID to the AllowedTenants list in the tenant restrictions policy.
B. Create a Conditional Access policy to exclude partner users from tenant restriction evaluation.
C. Configure Azure AD B2B collaboration and invite partner users as guests.
D. Configure cross-tenant access settings in Microsoft Entra ID to allow partner tenant.
Answer: A

Adding the partner tenant ID to the AllowedTenants list allows users from that tenant to access resources without being blocked.

Why this answer

Tenant restrictions use the X-MS-Cloud-Extension header to allow or block access. To allow partner users, you need to add their tenant ID to the 'AllowedTenants' list in the tenant restrictions policy, which is Option A.

Option C (Azure AD B2B) is about inviting external users but does not bypass tenant restrictions. Option D (cross-tenant access settings) is for inbound/outbound access but not for tenant restrictions. Option B (Conditional Access) can be used to control access but does not override tenant restrictions.

225
MCQ · medium

Refer to the exhibit. You run the PowerShell commands shown. The output displays 10 mailboxes with various RecipientTypeDetails, including UserMailbox, SharedMailbox, and RoomMailbox. You need to ensure that only user mailboxes are returned. What should you modify?

A. Use the -Properties parameter to specify additional attributes
B. Change RecipientTypeDetails to RecipientType in the Select-Object
C. Add the parameter -Filter "RecipientTypeDetails -eq 'UserMailbox'"
D. Remove the -ShowProgress parameter
Answer: C

This filters the results to user mailboxes only.

Why this answer

The correct answer is C because the Get-Mailbox cmdlet returns all mailbox types by default. To return only user mailboxes, you must use the -Filter parameter with the condition "RecipientTypeDetails -eq 'UserMailbox'". This ensures that only mailboxes with RecipientTypeDetails set to UserMailbox are returned, excluding shared, room, and other mailbox types.

Exam trap

The trap here is that candidates often assume RecipientTypeDetails is a property that can be filtered by simply selecting it in Select-Object, but Select-Object only controls output columns, not which objects are retrieved; filtering must be done at the query level with -Filter.

How to eliminate wrong answers

Option A is wrong because the -Properties parameter is used to specify additional attributes to return in the output, not to filter results; it does not limit which mailboxes are retrieved. Option B is wrong because RecipientType is a broader classification that does not differentiate between user, shared, or room mailboxes; changing to RecipientType would not filter to only user mailboxes. Option D is wrong because the -ShowProgress parameter controls whether progress is displayed during command execution and has no effect on the filtering of mailbox types.
