Microsoft 365 Fundamentals MS-900 (MS-900) — Questions 676–750

985 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ · hard

Refer to the exhibit. The exhibit shows an auto-labeling policy configuration. What will happen when a document labeled 'EU PII' is shared externally via SharePoint?

A. The document will be automatically labeled as confidential.
B. The document will be shared without encryption.
C. The document will be blocked from sharing.
D. The document will be encrypted before sharing.
Answer: D

The rule encrypts the document when shared externally.

Why this answer

Option C is correct: The policy encrypts the document when shared externally. Option A is incorrect because blockAccess is false. Option B is incorrect because encrypt is true, so it is encrypted.

Option D is incorrect because the policy applies to external sharing, not internal.

677
MCQ · easy

A department asks for the Microsoft 365 service best suited for enterprise video publishing and town hall recordings. Which service should they use? The design must avoid adding custom operational scripts.

A. Microsoft Purview Compliance Manager
B. Microsoft Stream on SharePoint
C. Microsoft Entra Privileged Identity Management
D. Microsoft Defender for Endpoint
Answer: B

Stream built on SharePoint supports enterprise video experiences.

Why this answer

Microsoft Stream on SharePoint is the correct service because it provides enterprise-grade video publishing and live event capabilities, including town hall recordings, directly integrated with SharePoint and Microsoft Teams. It leverages SharePoint's storage and permissions model, eliminating the need for custom operational scripts for video management.

Exam trap

The trap here is that candidates may confuse Microsoft Stream (classic) with the new Stream on SharePoint, or incorrectly associate video features with compliance or security services like Purview or Defender.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a compliance and risk management tool for assessing regulatory compliance, not a video publishing or recording service. Option C is wrong because Microsoft Entra Privileged Identity Management manages just-in-time privileged access to Azure AD roles, not video content. Option D is wrong because Microsoft Defender for Endpoint is an endpoint security solution for threat detection and response, not a video platform.

678
MCQ · medium

A help desk lead is documenting the correct Microsoft 365 approach to review upcoming Microsoft 365 changes and recommended admin actions. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A. Microsoft Stream
B. Microsoft Forms
C. Microsoft Whiteboard
D. Message center
Answer: D

The Message center provides tenant-relevant change announcements and admin actions.

Why this answer

The Message center in the Microsoft 365 admin center is the dedicated hub for reviewing upcoming changes, new features, and recommended admin actions. It provides official communications from Microsoft about service updates, deprecations, and required administrative steps, making it the correct resource for a help desk lead documenting change management.

Exam trap

The trap here is that candidates confuse collaboration tools (Stream, Forms, Whiteboard) with administrative communication channels, failing to recognize that Message center is the only official source for Microsoft 365 change notifications and admin actions.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video service for recording, sharing, and managing videos, not a channel for reviewing Microsoft 365 changes or admin actions. Option B is wrong because Microsoft Forms is a survey and quiz creation tool, unrelated to service change notifications or admin recommendations. Option C is wrong because Microsoft Whiteboard is a digital canvas for collaboration, not a source for upcoming Microsoft 365 changes or admin guidance.

679
MCQ · medium

A department head asks which Microsoft 365 option should be used to review uptime commitments for Microsoft cloud services. Which cloud concept or benefit best matches this requirement?

A. Data Loss Prevention (DLP)
B. Microsoft Planner
C. Sensitivity labels
D. Service Level Agreement (SLA)
Answer: D

An SLA describes availability commitments and related service terms.

Why this answer

The Service Level Agreement (SLA) is the correct choice because it is the formal document published by Microsoft that defines the uptime commitments, availability guarantees, and financial remedies for Microsoft cloud services. The department head needs to review uptime commitments, which is exactly what the SLA covers, not a security or project management feature.

Exam trap

The trap here is that candidates often confuse operational features (like DLP or sensitivity labels) with contractual documents, assuming any Microsoft 365 tool that 'protects' or 'manages' something could cover uptime, when only the SLA provides legally binding availability commitments.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is a security policy that prevents sensitive information from being shared or leaked, not a document that defines uptime commitments. Option B is wrong because Microsoft Planner is a task management and project planning tool within Microsoft 365, not a source of service availability guarantees. Option C is wrong because sensitivity labels are used to classify and protect data based on its sensitivity level, not to provide uptime or service-level commitments.

680
MCQ · medium

While preparing a Microsoft 365 adoption plan, a consultant is asked to provide desktop Office apps plus Intune and enhanced security capabilities for a small or medium business. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A. Microsoft Stream
B. Microsoft Whiteboard
C. Microsoft 365 Business Premium
D. Microsoft Forms
Answer: C

Business Premium adds security and device management to the business productivity bundle.

Why this answer

Microsoft 365 Business Premium is the correct answer because it bundles desktop Office apps, Microsoft Intune for mobile device management, and advanced security features like Microsoft Defender for Business and Azure AD Plan 1. This plan is specifically designed for small and medium businesses needing comprehensive productivity, management, and security capabilities under a single subscription.

Exam trap

The trap here is that candidates may confuse individual productivity apps (Stream, Whiteboard, Forms) with licensing plans, failing to recognize that only Business Premium bundles the required management and security components.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video sharing and recording service, not a licensing plan that includes desktop Office apps, Intune, or enhanced security. Option B is wrong because Microsoft Whiteboard is a digital canvas collaboration tool, not a subscription that bundles management or security features. Option D is wrong because Microsoft Forms is a survey and quiz creation tool, lacking any device management or advanced security capabilities.

681
MCQ · hard

A company needs to enforce that all documents marked as 'Confidential' are encrypted and cannot be printed. Which combination of Microsoft Purview features should they use?

A. Microsoft Entra ID Conditional Access and Intune app protection
B. Sensitivity labels with encryption and rights management
C. Data Loss Prevention (DLP) policies and retention labels
D. eDiscovery (Premium) and Audit (Premium)
Answer: B

Sensitivity labels can apply encryption and usage rights like preventing printing.

Why this answer

Sensitivity labels can apply encryption and usage restrictions like 'Do Not Print'. Option D is correct. The other options are incomplete or incorrect.

682
MCQ · hard

You are configuring Microsoft Entra ID Protection policies for your organization. The exhibit shows a configuration snippet. Which behavior will occur when a user signs in from a known malicious IP address?

A. The user's account will be disabled.
B. The user will be prompted to change their password.
C. The sign-in will be allowed but a multi-factor authentication challenge will be required.
D. The sign-in will be blocked immediately.
Answer: D

Sign-in risk policy blocks high-risk sign-ins.

Why this answer

Option A is correct because the sign-in risk policy is enabled with risk level 'high' and blockAccess set to true, so a sign-in from a malicious IP (high risk) will be blocked. Option B is wrong because the user risk policy does not block (blockAccess false). Option C is wrong because the policy is configured to block, not just require MFA.

Option D is wrong because no password reset is triggered.

683
MCQ · hard

Refer to the exhibit. The JSON shows compliance scores from Microsoft Purview Compliance Manager. Which action should the organization prioritize to improve its HIPAA compliance score?

A. Deploy Microsoft Defender for Office 365.
B. Enable multifactor authentication for all users.
C. Implement retention labels for medical records.
D. Conduct a data privacy impact assessment.
Answer: B

It is a high-impact open action that will improve compliance.

Why this answer

The recommended action 'Enable MFA for all users' is marked as high impact and open. Implementing MFA would significantly improve the HIPAA score, as it addresses a common control. Option B is correct.

684
MCQ · easy

You are the IT administrator for a non-profit organization that uses Microsoft 365 Business Basic. The organization has 50 volunteers who use their own personal devices to access email and SharePoint Online. The board of directors wants to ensure that if a volunteer's device is lost or stolen, the organization's data on that device can be removed remotely. They also want to ensure that volunteers use multi-factor authentication (MFA) to access corporate resources. What should you do?

A. Deploy Microsoft Defender for Cloud Apps and configure session controls.
B. Use Microsoft Purview to label all corporate data and configure a policy to revoke access.
C. Implement a Data Loss Prevention (DLP) policy that blocks access from unmanaged devices.
D. Enroll devices in Microsoft Intune and configure a selective wipe policy. Set up a Conditional Access policy in Microsoft Entra ID to require MFA.
Answer: D

Intune can wipe corporate data; Conditional Access enforces MFA.

Why this answer

Option D is correct because Microsoft Intune can be used to manage mobile devices and perform selective wipe to remove corporate data. Conditional Access in Microsoft Entra ID can enforce MFA. Option A is incorrect because DLP does not wipe devices.

Option B is incorrect because Microsoft Defender for Cloud Apps is for cloud app security, not device wipe. Option C is incorrect because Microsoft Purview does not manage devices.

685
MCQ · medium

While preparing a Microsoft 365 adoption plan, a consultant is asked to protect corporate data inside mobile apps without enrolling the whole personal device. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Planner
B. App protection policies / Mobile Application Management (MAM)
C. Microsoft Forms
D. Microsoft Stream
Answer: B

MAM protects corporate app data without requiring full device enrollment.

Why this answer

App protection policies (APP), also known as Mobile Application Management (MAM), allow administrators to protect corporate data within mobile apps—such as enforcing encryption, preventing copy/paste, or requiring PIN—without enrolling the entire personal device into management. This is the correct capability because it separates data-level controls from device-level management, meeting the requirement to protect corporate data without full device enrollment.

Exam trap

The trap here is that candidates often confuse Mobile Device Management (MDM)—which requires full device enrollment—with Mobile Application Management (MAM), which protects data at the app level without enrolling the device, and they may incorrectly select a non-security tool like Planner or Forms because they see 'mobile' or 'app' in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and collaboration tool, not a security or compliance capability; it cannot enforce data protection policies on mobile apps. Option C is wrong because Microsoft Forms is a survey and data collection tool, lacking any native ability to apply conditional access or data loss prevention controls to mobile app usage. Option D is wrong because Microsoft Stream is a video hosting and sharing service, not a security or identity solution; it does not provide app-level protection policies for mobile applications.

686
Multi-Select · hard

Which TWO Microsoft 365 services are primarily used for business process automation?

Select 2 answers
A. Power BI
B. Power Automate
C. Power Virtual Agents
D. Power Apps
E. Microsoft Lists
Answers: B, D

Automates workflows.

Why this answer

Power Automate is correct because it is Microsoft's dedicated low-code workflow automation service that enables users to create automated processes between apps and services, such as triggering actions based on events or scheduling repetitive tasks. It directly addresses business process automation by using triggers and actions to streamline operations without manual intervention.

Exam trap

The trap here is that candidates often confuse Power Automate with Power Apps, but Power Apps is for building custom applications (UI and logic), while Power Automate is specifically for workflow automation; the question asks for business process automation, which is the core function of Power Automate, not Power Apps.

687
MCQ · medium

While preparing a Microsoft 365 adoption plan, a consultant is asked to identify risky user behaviour such as unusual downloads or policy violations. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Planner
B. Microsoft Purview Insider Risk Management
C. Microsoft Stream
D. Microsoft Forms
Answer: B

Insider Risk Management helps detect and investigate risky user activities.

Why this answer

Microsoft Purview Insider Risk Management is the correct capability because it is specifically designed to identify, detect, and act on risky user behaviors such as unusual downloads, data leaks, and policy violations. It uses machine learning models and predefined indicators to correlate user activities (e.g., mass file downloads, unauthorized sharing) with risk signals, enabling organizations to investigate and mitigate insider threats. This aligns directly with the consultant's need to monitor and address risky behavior in a Microsoft 365 adoption plan.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Insider Risk Management with general compliance tools like Microsoft Purview Compliance Manager or DLP, but the question specifically targets risky user behavior detection, which is the unique domain of Insider Risk Management.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a project management and task-tracking tool, not a security or compliance solution; it cannot detect risky user behaviors like unusual downloads or policy violations. Option C is wrong because Microsoft Stream is a video hosting and sharing platform for enterprise content, lacking any built-in capabilities for monitoring user behavior or enforcing security policies. Option D is wrong because Microsoft Forms is a survey and form creation tool, designed for data collection and feedback, with no functionality to identify insider risks or policy violations.

688
MCQ · easy

An organization needs to securely store and manage user identities for Microsoft 365. Which Microsoft service should they use?

A. Microsoft Entra ID
B. Microsoft Purview
C. Microsoft Defender for Cloud Apps
D. Microsoft Intune
Answer: A

Microsoft Entra ID is the identity and access management service for Microsoft 365.

Why this answer

Microsoft Entra ID (formerly Azure AD) is the correct choice because it is Microsoft's cloud-based identity and access management service, specifically designed to store and manage user identities for Microsoft 365. It provides authentication, single sign-on (SSO), and conditional access policies, ensuring secure access to Microsoft 365 resources. Other options focus on data protection, security monitoring, or device management, not identity storage.

Exam trap

The trap here is that candidates often confuse Microsoft Purview (data compliance) or Defender for Cloud Apps (security monitoring) with identity management, but only Microsoft Entra ID provides the core directory service for storing and authenticating user identities in Microsoft 365.

How to eliminate wrong answers

Option B (Microsoft Purview) is wrong because it is a data governance and compliance solution for managing sensitive data across environments, not for storing or managing user identities. Option C (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) that monitors and controls cloud app usage, not an identity store. Option D (Microsoft Intune) is wrong because it is a mobile device management (MDM) and mobile application management (MAM) service for managing devices and apps, not for identity management.

689
MCQ · hard

A company uses Microsoft 365 E5 and wants to automatically classify sensitive emails containing credit card numbers and then apply encryption. Which solution should they use in combination with Microsoft Purview?

A. Microsoft 365 Copilot
B. Microsoft Intune
C. Microsoft Purview Information Protection
D. Microsoft Defender for Office 365
Answer: C

It provides auto-labeling and encryption.

Why this answer

Microsoft Purview Information Protection (formerly Azure Information Protection) enables automatic classification of sensitive data, such as credit card numbers, using built-in sensitive information types and exact data match (EDM) classifiers. When combined with sensitivity labels, it can automatically apply encryption (e.g., via Azure Rights Management) to emails containing that data, meeting the requirement without additional services.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection with Microsoft Defender for Office 365, assuming threat protection includes data classification, when in fact Defender focuses on inbound/outbound threats and not on content-based sensitivity labels or encryption policies.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Copilot is an AI-powered productivity assistant that helps with content generation and summarization, not with data classification or encryption policies. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) solution focused on device compliance and app protection, not on email content classification or encryption. Option D is wrong because Microsoft Defender for Office 365 is a security solution that protects against threats like phishing, malware, and spam, but it does not provide native automatic classification or encryption of sensitive content based on data patterns like credit card numbers.

690
MCQ · easy

A company currently has Microsoft 365 E3 licenses for all users. They need to retain all Exchange Online mailbox data for 10 years and place legal holds for litigation. Which add-on license provides these retention and eDiscovery capabilities?

A. Microsoft 365 E5 Compliance
B. Microsoft 365 E5 Security
C. Microsoft 365 E5
D. Office 365 E5
Answer: A

Correct. The E5 Compliance add-on includes advanced data governance, retention policies, and legal hold capabilities needed for this scenario.

Why this answer

Microsoft 365 E5 Compliance is the correct add-on because it includes advanced eDiscovery (e.g., eDiscovery Premium) and retention capabilities such as Preservation Lock and 10-year retention policies via Microsoft Purview. The base E3 license only provides basic retention and eDiscovery, lacking the extended 10-year retention and litigation hold features required for this scenario.

Exam trap

The trap here is that candidates often confuse the full Microsoft 365 E5 suite (which includes compliance) with the add-on license, or mistakenly think E5 Security provides retention and eDiscovery, when in fact only the Compliance add-on specifically unlocks those capabilities for existing E3 tenants.

How to eliminate wrong answers

Option B is wrong because Microsoft 365 E5 Security focuses on security features like Microsoft Defender for Office 365 and Azure Active Directory Premium P2, not on compliance, retention, or eDiscovery capabilities. Option C is wrong because Microsoft 365 E5 is a full suite that includes both security and compliance, but the question asks for an add-on license to existing E3 licenses, and E5 is not an add-on but a full upgrade. Option D is wrong because Office 365 E5 is a legacy plan that includes compliance features, but it is not an add-on to Microsoft 365 E3; it is a separate suite, and the question specifies an add-on license for existing E3 users.

691
MCQ · medium

A company deploys Microsoft 365 Business Premium. The IT team wants to enable employees to sign in using a mobile app without passwords. Which app should they configure?

A. Microsoft Intune
B. Microsoft Entra ID
C. Microsoft Copilot
D. Microsoft Authenticator
Answer: D

Correct. Microsoft Authenticator enables passwordless sign-in.

Why this answer

Microsoft Authenticator is the correct app because it enables passwordless sign-in for Microsoft 365 Business Premium users via FIDO2-based phone sign-in or number matching. It allows employees to authenticate using biometrics or a PIN, eliminating the need for a password during sign-in.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID (the identity provider that enables passwordless authentication) with the actual user-facing app (Microsoft Authenticator) that performs the sign-in, leading them to select Entra ID instead of the correct app.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service, not an authentication app; it does not directly provide passwordless sign-in capabilities. Option B is wrong because Microsoft Entra ID (formerly Azure AD) is the identity and access management service that supports passwordless authentication methods, but it is not the app employees use to sign in; the app that facilitates the actual sign-in process is Microsoft Authenticator. Option C is wrong because Microsoft Copilot is an AI-powered productivity assistant integrated into Microsoft 365 apps, not an authentication app; it has no role in passwordless sign-in.

692
MCQ · hard

An organization needs to enforce that all external emails are automatically encrypted before delivery to recipients. Which feature should they configure in Microsoft 365?

A. S/MIME
B. Microsoft Purview Data Loss Prevention
C. Exchange Online mail flow rules
D. Microsoft Purview sensitivity labels
Answer: C

Mail flow rules can automatically encrypt messages sent to external recipients.

Why this answer

Exchange Online mail flow rules (also known as transport rules) can be configured to automatically encrypt all external emails by applying Office 365 Message Encryption (OME) based on conditions such as recipient domain or sender address. This allows the organization to enforce encryption for all outbound messages without requiring user intervention, meeting the stated requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Purview sensitivity labels or DLP policies as the direct mechanism for automatic encryption, when in fact mail flow rules are the correct transport-level feature to enforce encryption on all external emails without relying on user action or client-side configuration.

How to eliminate wrong answers

Option A is wrong because S/MIME is a client-side encryption method that requires manual certificate management and configuration on each user's device, and it cannot be enforced automatically for all external emails at the transport level. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to detect and prevent the sharing of sensitive information, but it does not natively encrypt emails; it can trigger encryption via a mail flow rule, but the DLP policy itself does not perform encryption. Option D is wrong because Microsoft Purview sensitivity labels apply classification and protection (including encryption) to content, but they require user or automated labeling and are not designed to automatically encrypt all external emails based solely on the recipient being external; they are typically applied at the client or via auto-labeling policies, not as a blanket transport rule for all external messages.

693
MCQ · medium

A help desk lead is documenting the correct Microsoft 365 approach to track compliance assessments and improvement actions. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Planner
B. Microsoft Forms
C. Microsoft Purview Compliance Manager
D. Microsoft Stream
Answer: C

Compliance Manager provides assessments and improvement actions mapped to standards and regulations.

Why this answer

Microsoft Purview Compliance Manager is the correct tool because it provides a centralized dashboard for tracking compliance assessments, managing improvement actions, and monitoring regulatory compliance posture. It integrates with Microsoft 365 services to automate risk assessments and generate detailed reports for standards like ISO 27001, SOC 2, and GDPR.

Exam trap

The trap here is that candidates may confuse Microsoft Planner's task assignment features with compliance action tracking, but Planner lacks the regulatory framework integration, automated scoring, and audit-ready reporting that Compliance Manager provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management tool for organizing team work and projects, not designed for compliance tracking or assessment management. Option B is wrong because Microsoft Forms is a survey and data collection tool, lacking the compliance-specific features like automated scoring, improvement action tracking, and regulatory framework mapping. Option D is wrong because Microsoft Stream is a video hosting and sharing platform, with no capabilities for compliance assessments or improvement action tracking.

694
MCQ · medium

A company wants to run a critical application that requires dedicated hardware to comply with regulatory isolation requirements. However, they want to avoid the upfront cost of building their own data center. Which cloud deployment model meets these needs?

A. Private cloud
B. Public cloud
C. Hybrid cloud
D. Community cloud
Answer: A

A hosted private cloud provides dedicated resources with full control and regulatory compliance, while avoiding the capital expense of building an on-premises data center.

Why this answer

A private cloud is the correct deployment model because it provides dedicated hardware and infrastructure for a single organization, ensuring regulatory isolation without requiring the company to build and maintain its own on-premises data center. In Azure, a private cloud can be implemented via Azure Stack Hub or Azure VMware Solution, which run in the customer's own environment or a dedicated hosted environment, meeting compliance needs while avoiding upfront capital expenditure.

Exam trap

The trap here is that candidates often confuse 'private cloud' with 'on-premises only,' forgetting that a private cloud can be hosted by a third-party provider like Azure Stack Hub, which offers dedicated hardware without the upfront cost of building a data center.

How to eliminate wrong answers

Option B (Public cloud) is wrong because it uses shared multi-tenant infrastructure that cannot guarantee the dedicated hardware isolation required for strict regulatory compliance. Option C (Hybrid cloud) is wrong because it combines public and private clouds but does not inherently provide dedicated hardware; the public cloud portion still lacks isolation. Option D (Community cloud) is wrong because it is shared among several organizations with common concerns, not dedicated to a single company, and thus cannot meet the requirement for exclusive hardware isolation.

695
MCQ · medium

A company with 500 users is planning to adopt Microsoft 365. They need to ensure that all users have access to Microsoft Teams, Exchange Online, and SharePoint Online, as well as the latest desktop versions of Office apps. They also require advanced compliance features such as litigation hold and eDiscovery. Which Microsoft 365 licensing plan best meets these requirements?

A. Microsoft 365 E3
B. Microsoft 365 Business Basic
C. Microsoft 365 Business Premium
D. Microsoft 365 E5
Answer: A

E3 includes desktop apps, core services, and compliance capabilities like litigation hold and eDiscovery.

Why this answer

Microsoft 365 E3 is the correct choice because it includes all required services: Microsoft Teams, Exchange Online, SharePoint Online, and the latest desktop versions of Office apps (Office 365 ProPlus). It also provides advanced compliance features such as litigation hold and eDiscovery (via the Microsoft Purview compliance portal), which are not available in lower-tier plans like Business Basic or Business Premium.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Business Premium with E3, assuming Business Premium includes all E3 features for smaller organizations, but Business Premium has a 300-user limit and lacks the full advanced compliance and eDiscovery capabilities of E3, making it unsuitable for a 500-user company with specific compliance needs.

How to eliminate wrong answers

Option B (Microsoft 365 Business Basic) is wrong because it does not include the desktop versions of Office apps; it only provides web and mobile versions, and it lacks advanced compliance features like litigation hold and eDiscovery. Option C (Microsoft 365 Business Premium) is wrong because while it includes desktop Office apps and some compliance capabilities, it is designed for organizations with up to 300 users, not 500, and its compliance features are limited compared to E3 (e.g., no advanced eDiscovery or litigation hold at the same level). Option D (Microsoft 365 E5) is wrong because it exceeds the requirements; it includes all E3 features plus advanced security and analytics (e.g., Microsoft Defender for Office 365, Power BI Pro), which are not needed, making it a more expensive overprovisioning for the stated needs.

696
MCQ · hard

A multinational corporation must ensure that all Microsoft 365 admin actions—such as adding a new user or changing a role—are recorded and searchable for at least 90 days. They also need to create custom alert rules to notify the security team when critical events occur, like disabling multi-factor authentication. Which Microsoft Purview solution should they use to meet both requirements?

A. Microsoft Purview Audit (Standard)
B. Microsoft Purview Audit (Premium)
C. Microsoft Purview Compliance Manager
D. Microsoft 365 Defender portal
Answer: B

Audit (Premium) includes longer retention (up to 1 year by default) and supports creating custom alert policies for specific events. It meets both requirements.

Why this answer

Microsoft Purview Audit (Premium) is the correct solution because it provides 1-year default retention of audit logs (extendable to 10 years) and supports custom alert policies that trigger notifications when specific events occur, such as disabling multi-factor authentication. Standard Audit only retains logs for 90 days and lacks the ability to create custom alert rules, making Premium the only option that satisfies both requirements.

Exam trap

The trap here is that candidates often confuse Audit (Standard) with Audit (Premium) because both record admin actions, but they overlook that Standard's 90-day retention and lack of custom alert rules fail the requirement for searchable logs beyond 90 days and proactive notifications.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit (Standard) retains audit logs for only 90 days and does not support custom alert rules; it only provides basic search and export capabilities. Option C is wrong because Microsoft Purview Compliance Manager is a compliance management and assessment tool that tracks controls and scores, not a solution for recording admin actions or creating alert rules. Option D is wrong because the Microsoft 365 Defender portal focuses on threat detection, investigation, and response (e.g., security incidents, malware), not on auditing admin actions or compliance-based alerting for events like disabling MFA.

697
MCQ · easy

A business stakeholder asks how Microsoft 365 can help them create a short-term test environment and delete it after the pilot. Which cloud concept or benefit best matches this requirement?

A. Sensitivity labels
B. Agility
C. Data Loss Prevention (DLP)
D. Microsoft Planner
Answer: B

Cloud agility allows teams to provision and remove resources quickly.

Why this answer

Agility is the correct answer because it refers to the ability to rapidly provision and deprovision resources, such as creating a short-term test environment and deleting it after a pilot. Microsoft 365's cloud-based infrastructure enables on-demand scaling and resource lifecycle management, allowing organizations to spin up environments quickly and tear them down without long-term commitments or hardware procurement delays.

Exam trap

The trap here is that candidates confuse agility with data protection features (sensitivity labels or DLP) or productivity tools (Planner), because the question mentions 'test environment' and 'delete' which superficially sounds like data management or task tracking, but the core cloud concept is rapid provisioning and deprovisioning.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used to classify and protect data based on sensitivity (e.g., confidential or restricted), not to manage temporary environments. Option C is wrong because Data Loss Prevention (DLP) policies prevent unauthorized sharing or leakage of sensitive data, not environment lifecycle management. Option D is wrong because Microsoft Planner is a task management and collaboration tool for organizing work, not for provisioning or deleting cloud test environments.

698
MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What will this policy do?

A. Allows access but logs the sign-in risk
B. Requires multi-factor authentication for high-risk sign-ins
C. Blocks access to all cloud apps when sign-in risk is high
D. Blocks access to Office 365 apps when the sign-in risk is high
Answer: D

The policy blocks high-risk sign-ins for Office 365.

Why this answer

The exhibit shows a Conditional Access policy configured with the condition 'Sign-in risk: High' and the control 'Block access'. This combination means that when Microsoft Entra ID detects a high-risk sign-in (e.g., from an anonymous IP address or compromised credentials), access to the targeted cloud apps is denied. The policy specifically targets Office 365 apps (as indicated in the 'Cloud apps or actions' assignment), so it blocks access to those apps when the sign-in risk is high.

Exam trap

The trap here is that candidates often confuse 'Block access' with 'Require MFA' or assume the policy applies to all cloud apps, when the exhibit clearly shows the scope is limited to Office 365 apps.

How to eliminate wrong answers

Option A is wrong because the policy is set to 'Block access', not 'Grant access' with a session control to log risk; logging sign-in risk alone does not block access. Option B is wrong because the policy uses 'Block access' as the control, not 'Require multi-factor authentication'; MFA would be a grant control, not a block. Option C is wrong because the policy targets 'Office 365' apps specifically, not 'All cloud apps'; the scope is limited to the selected apps.

699
MCQ · easy

A business stakeholder asks how Microsoft 365 can help them use hosted email without managing mail servers. Which cloud concept or benefit best matches this requirement?

A. Platform as a Service (PaaS)
B. Community cloud
C. Software as a Service (SaaS)
D. Infrastructure as a Service (IaaS)
Answer: C

SaaS delivers a complete application operated by the provider; Exchange Online is a SaaS example.

Why this answer

Microsoft 365 delivers hosted email (Exchange Online) as a Software as a Service (SaaS) offering, where Microsoft manages the mail servers, patches, and infrastructure. The stakeholder simply uses the service via a web browser or client without any server administration. This aligns with the SaaS model, which provides ready-to-use applications over the internet.

Exam trap

The trap here is that candidates confuse PaaS with SaaS because both involve managed services, but PaaS still requires the customer to deploy and manage the application code (e.g., a custom email server), whereas SaaS delivers the fully functional application itself.

How to eliminate wrong answers

Option A is wrong because PaaS provides a platform (runtime, database, middleware) for developers to build and deploy custom applications, not a ready-to-use hosted email service. Option B is wrong because a community cloud is a deployment model shared by several organizations with common concerns (e.g., compliance), not a service model that delivers hosted email without server management. Option D is wrong because IaaS provides virtualized computing resources (VMs, storage, networking) that still require the customer to manage operating systems and mail server software, contradicting the requirement to avoid managing mail servers.

700
Multi-Select · easy

Which TWO of the following are examples of security defaults in Microsoft Entra ID? (Choose two.)

Select 2 answers
A. Require multifactor authentication for all users
B. Allow legacy authentication protocols
C. Disable self-service password reset
D. Enable guest user access
E. Block legacy authentication
Answers: A, E

Security defaults enforce MFA registration.

Why this answer

Security defaults enforce basic security policies, including requiring MFA for all users and blocking legacy authentication. Options A and C are correct.

701
MCQ · easy

A company runs a virtual machine in Azure that hosts a web application. The company is responsible for configuring the operating system, installing web server software, and managing application updates. The cloud provider is responsible for the physical hardware, networking, and data center security. Which cloud service model does this represent?

A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. Function as a Service (FaaS)
Answer: C

IaaS provides virtual machines where the customer installs and configures the OS and applications, matching the described responsibilities.

Why this answer

This scenario describes Infrastructure as a Service (IaaS) because the customer manages the operating system, web server software, and application updates, while the cloud provider handles the physical hardware, networking, and data center security. In IaaS, the provider offers virtualized computing resources over the internet, and the customer retains control over the guest OS and installed software, which matches the responsibilities outlined.

Exam trap

The trap here is that candidates confuse PaaS with IaaS because both involve deploying applications, but the key differentiator is whether the customer manages the OS and installed software—PaaS abstracts the OS, while IaaS does not.

How to eliminate wrong answers

Option A is wrong because Software as a Service (SaaS) would have the provider manage the entire application stack, including the OS and software, leaving the customer only to use the application—here the customer configures the OS and installs web server software. Option B is wrong because Platform as a Service (PaaS) abstracts the OS and runtime, with the provider managing the underlying OS and middleware, but the customer is responsible for configuring the OS and installing web server software, which is not typical for PaaS. Option D is wrong because Function as a Service (FaaS) is a serverless compute model where the provider manages all infrastructure and the customer only deploys individual functions, not a full VM with OS and web server management.

702
MCQ · medium

A project team uses Microsoft Teams and wants to create a shared space where they can track tasks, deadlines, and assign work items without leaving Teams. Which Microsoft 365 app should be integrated into Teams for this purpose?

A. Microsoft Planner
B. Microsoft Project Online
C. Microsoft To Do
D. Microsoft Lists
Answer: A

Planner provides collaborative task tracking and can be added as a tab in Teams.

Why this answer

Microsoft Planner is the correct choice because it provides a lightweight, Kanban-style task management solution that integrates directly into Microsoft Teams via the Planner tab. This allows the project team to create, assign, and track tasks with deadlines and progress indicators without leaving the Teams interface, fulfilling the requirement for a shared workspace for work items.

Exam trap

The trap here is that candidates often confuse Microsoft To Do (personal tasks) with Planner (team tasks) or assume Microsoft Lists can handle task tracking without realizing it lacks native assignment and Kanban features, leading them to choose an app that does not meet the shared task management requirement.

How to eliminate wrong answers

Option B is wrong because Microsoft Project Online is a full-scale project management tool for complex scheduling, resource management, and Gantt charts, which is overkill for simple task tracking and requires additional licensing and a separate web interface, not a native Teams tab. Option C is wrong because Microsoft To Do is a personal task management app designed for individual productivity and lacks shared team views, assignment capabilities, and deadline tracking across multiple users. Option D is wrong because Microsoft Lists is a data-tracking and information-management app for creating custom lists (e.g., issue trackers, inventories), but it does not provide built-in task assignment, Kanban boards, or deadline tracking out of the box without additional customization.

703
MCQ · medium

A company with 75 users needs desktop Office apps and cloud services but has no advanced security requirement. Which option best matches the requirement?

A. Microsoft 365 Business Standard
B. Microsoft Defender for Cloud only
C. Azure Virtual Desktop only
D. A free personal Microsoft account only
Answer: A

Business Standard includes desktop Office apps with core cloud services.

Why this answer

The correct option matches the stated licensing, administration, or support requirement.

704
MCQ · hard

A multinational company must comply with the General Data Protection Regulation (GDPR). They need to be able to search for and delete personal data of a user upon request (right to erasure). Which Microsoft Purview solution should they use?

A. Microsoft Purview eDiscovery (Premium)
B. Microsoft Purview Audit (Standard)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Insider Risk Management
Answer: A

eDiscovery Premium can search, collect, and export data, and supports deletion.

Why this answer

Option C is correct because Microsoft Purview eDiscovery (Premium) allows searching for content across Microsoft 365 and can be used to facilitate data deletion. Option A is wrong because Audit (Standard) only logs activities. Option B is wrong because Communication Compliance monitors communications. Option D is wrong because Insider Risk Management identifies risky activities.

705
MCQ · medium

A company with 100 users currently has Microsoft 365 Business Standard. The IT department wants to add governance-level security features, including conditional access policies, Microsoft Defender for Office 365, and compliance tools like litigation hold and eDiscovery. Which licensing upgrade should they consider?

A. Microsoft 365 Business Premium
B. Microsoft 365 E3
C. Microsoft 365 F3
D. Office 365 E1
Answer: A

Business Premium is the direct upgrade from Business Standard that adds the required security and compliance features while maintaining the same business-oriented licensing model. It is the most cost-effective choice for this scenario.

Why this answer

Microsoft 365 Business Premium is the correct upgrade because it includes all the governance-level security features requested: Conditional Access (via Azure AD P1), Microsoft Defender for Office 365 (Plan 1), and compliance tools like litigation hold and eDiscovery (via the Microsoft Purview compliance portal). This SKU is designed for organizations with up to 300 users that need enterprise-grade security and compliance on top of the Business Standard productivity apps.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Business Premium with Microsoft 365 E3, assuming E3 is always superior, but Business Premium actually bundles Defender for Office 365 and Azure AD P1 at a lower cost for sub-300-user organizations, while E3 requires separate add-ons for those security features.

How to eliminate wrong answers

Option B (Microsoft 365 E3) is wrong because while it includes Conditional Access and eDiscovery, it does not include Microsoft Defender for Office 365 Plan 1 by default (requires an add-on), and it is an enterprise plan intended for larger organizations, often at a higher per-user cost than Business Premium for the same user count. Option C (Microsoft 365 F3) is wrong because it is a firstline worker plan that lacks full desktop Office apps and does not include Microsoft Defender for Office 365 or advanced compliance tools like litigation hold; it focuses on kiosk/task workers. Option D (Office 365 E1) is wrong because it only provides basic email and web apps with no Conditional Access, no Defender for Office 365, and limited compliance features (no litigation hold or advanced eDiscovery), making it unsuitable for governance-level security.

706
MCQ · easy

A user reports that they cannot access their Microsoft 365 email on their mobile device. The user can access Outlook on the web. Which Microsoft 365 app should the administrator check to verify the user's mobile device is compliant?

A. Microsoft Intune
B. Microsoft Defender for Office 365
C. Microsoft Entra ID
D. Microsoft Purview
Answer: A

Intune manages device compliance and can block access if the device is non-compliant.

Why this answer

Microsoft Intune is the correct answer because it is the mobile device management (MDM) and mobile application management (MAM) component within Microsoft 365. When a user cannot access email on a mobile device but can via Outlook on the web, the issue is likely a device compliance policy blocking access. Intune enforces conditional access policies by checking device compliance (e.g., encryption, jailbreak status, minimum OS version) before allowing Exchange Online connectivity.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID (which handles conditional access policies) with Intune (which actually performs the device compliance check and reports the status to Entra ID).

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 is a security service focused on protecting against email threats like phishing, malware, and spam, not on device compliance or mobile access policies. Option C is wrong because Microsoft Entra ID (formerly Azure AD) provides identity and access management, including conditional access policies, but it does not directly verify device compliance; it relies on Intune to report device compliance status. Option D is wrong because Microsoft Purview is a compliance and data governance solution covering data loss prevention, eDiscovery, and auditing, not device management or compliance enforcement.

707
Multi-Select · hard

Contoso Ltd. is a medium-sized company with 2,000 users. They use Microsoft 365 E5 and have recently deployed Microsoft Teams for collaboration. The IT department has received complaints that external partners (guests) can see internal team names and member lists in the Teams directory. The compliance team requires that external guests must only see teams they are directly added to, and they must not be able to search for other teams or see internal team members who are not members of the same team. Additionally, the HR team wants to use a custom app in Teams that allows employees to submit leave requests, and this app must be available to all employees without requiring them to install anything manually. The IT admin needs to configure Teams settings to meet these requirements. Which two actions should the admin take? (Choose two. Each correct answer is part of the solution.)

Select 2 answers
A. Disable 'Show all teams' in the Teams admin center to prevent guests from seeing teams they are not members of.
B. Create a Teams app setup policy that pins the leave request app for all users.
C. Block all external access in Teams admin center to prevent guests from joining.
D. Configure external sharing settings in SharePoint admin center to limit guest access.
E. Enable external access in Teams admin center to allow guests to communicate with internal users.
Answers: A, B

This setting controls team discovery for guests.

Why this answer

Option A is correct because disabling 'Show all teams' in the Teams admin center (under Teams settings) prevents guests from seeing teams they are not members of in the Teams directory. This directly addresses the compliance requirement that external guests must only see teams they are directly added to and cannot search for other teams or see internal team members outside their own team.

Exam trap

The trap here is confusing 'external access' (federation for chat/calling) with 'guest access' (B2B collaboration for team membership), leading candidates to select options that manage federation settings instead of the specific Teams directory visibility control.

708
MCQ · hard

A compliance officer needs to set up a policy that automatically monitors and detects activities related to accessing sensitive data from outside the corporate network. When a user from a foreign country accesses a confidential file, the policy should trigger an alert and require additional authentication. Which combination of Microsoft 365 solutions achieves this?

A. Microsoft Purview Data Loss Prevention and Conditional Access
B. Microsoft Purview Audit (Standard) and Microsoft Entra ID Identity Protection
C. Microsoft Purview Insider Risk Management and Microsoft Cloud App Security
D. Microsoft Purview eDiscovery and Privileged Identity Management
Answer: A

DLP monitors sensitive data activities and can generate alerts, while Conditional Access can require additional authentication based on location, meeting both requirements.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) monitors and detects sensitive data access from outside the corporate network, while Conditional Access enforces additional authentication (e.g., MFA) when such access is detected. Together, they meet the requirement for automatic alerting and step-up authentication based on location and data sensitivity.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Insider Risk Management with external access detection, but it is specifically for internal user risk, not foreign country access scenarios.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit (Standard) only logs user activities for forensic review, not real-time detection or policy-driven alerts, and Microsoft Entra ID Identity Protection focuses on user risk (e.g., compromised credentials) rather than data access policies. Option C is wrong because Microsoft Purview Insider Risk Management is designed for internal user behavior analytics (e.g., data exfiltration by employees), not external access detection, and Microsoft Cloud App Security provides cloud app visibility but lacks native DLP policy enforcement for on-premises file access. Option D is wrong because Microsoft Purview eDiscovery is for legal discovery and content search, not real-time monitoring, and Privileged Identity Management (PIM) manages just-in-time admin roles, not data access policies.

709
Matching · medium

Match each Microsoft 365 service to its primary purpose.


Concepts
Matches

Email and calendaring

Document management and intranet

Chat, meetings, and collaboration

Personal cloud storage and file sync

Why these pairings

Each service focuses on a specific collaboration or productivity area.

710
MCQ · easy

A team of financial analysts needs to collaboratively build a complex budget model that includes data from multiple sources. They require real-time co-authoring, advanced formulas, and the ability to create custom charts. Which Microsoft 365 app is best suited for this task?

A. Microsoft Word
B. Microsoft Excel
C. Microsoft PowerPoint
D. Microsoft OneNote
Answer: B

Correct. Excel offers powerful formulas, charting, and real-time collaboration, making it ideal for budget modeling.

Why this answer

Microsoft Excel is the correct choice because it is designed for complex numerical modeling with advanced formulas, real-time co-authoring via OneDrive or SharePoint, and custom chart creation. The team's requirements for multi-source data integration, collaborative editing, and analytical visualization align directly with Excel's core capabilities, unlike the other apps which lack these features.

Exam trap

The trap here is that candidates may confuse the collaborative editing features of Word or OneNote with the specialized data analysis and formula capabilities required for budget modeling, overlooking Excel's unique strength in handling complex numerical computations and real-time co-authoring for spreadsheets.

How to eliminate wrong answers

Option A is wrong because Microsoft Word is a word processor optimized for document creation and text formatting, not for numerical analysis, advanced formulas, or custom charting. Option C is wrong because Microsoft PowerPoint is a presentation tool for slideshows, lacking the formula engine and data manipulation features needed for budget modeling. Option D is wrong because Microsoft OneNote is a digital note-taking app with limited formula support and no native charting or real-time co-authoring for complex spreadsheets.

711
MCQ · medium

A tenant administrator is advising a department that wants to keep services available during a hardware failure. Which cloud concept or benefit best matches this requirement?

A. Microsoft Planner
B. Data Loss Prevention (DLP)
C. High availability
D. Sensitivity labels
Answer: C

High availability focuses on keeping services accessible despite component failure.

Why this answer

High availability (C) is the correct answer because it directly addresses the requirement to keep services available during a hardware failure. High availability refers to a system's ability to remain operational and accessible despite component failures, typically achieved through redundancy, failover clustering, and load balancing. In Microsoft 365, this is implemented via redundant infrastructure across multiple datacenters and automatic failover mechanisms, ensuring service continuity without manual intervention.

Exam trap

The trap here is that candidates confuse high availability with disaster recovery or data protection features like DLP, but high availability specifically focuses on minimizing downtime during failures, not on preventing data loss or classifying data.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management application, not a cloud concept or benefit; it does not provide infrastructure-level availability during hardware failures. Option B is wrong because Data Loss Prevention (DLP) is a security feature that helps prevent sensitive information from being shared inappropriately, but it has no role in maintaining service availability during hardware outages. Option D is wrong because sensitivity labels are used for data classification and protection (e.g., encryption, marking), not for ensuring uptime or resilience against hardware failures.

712
MCQ · easy

An HR manager needs to collect feedback from employees about a new wellness program. The manager wants to create a simple survey with multiple-choice questions and have the responses automatically visualized in charts. Which Microsoft 365 app is best suited for this task?

A. Microsoft Excel
B. Microsoft Forms
C. Microsoft Word
D. Microsoft Teams
Answer: B

Forms provides easy survey creation and automatic response visualization.

Why this answer

Microsoft Forms is specifically designed for creating surveys, quizzes, and polls with automatic response collection and built-in chart visualization. It allows the HR manager to quickly add multiple-choice questions and instantly see aggregated results as charts without any manual setup.

Exam trap

The trap here is that candidates may confuse Microsoft Teams as the correct answer because they know surveys can be created within Teams, but the question asks for the app best suited for the task, which is Microsoft Forms—the dedicated survey tool that Teams integrates with.

How to eliminate wrong answers

Option A is wrong because Microsoft Excel is a spreadsheet application for data analysis and manual chart creation, not a survey tool; it lacks native survey creation and automatic response visualization. Option C is wrong because Microsoft Word is a word processing application for document creation, not for building interactive surveys or generating charts. Option D is wrong because Microsoft Teams is a collaboration platform that can host a Forms tab or use the Forms app, but it is not the primary survey creation tool; the best-suited app for creating the survey itself is Microsoft Forms.

713
MCQ · easy

Your organization wants to ensure that data sent to Microsoft 365 is encrypted in transit. Which protocol should you enforce for all client connections?

A. IPsec
B. TLS 1.2
C. HTTPS
D. SSH
Answer: B

Microsoft 365 requires TLS 1.2 or later for client connections.

Why this answer

TLS 1.2 is the minimum recommended protocol for encrypting data in transit to Microsoft 365. Option A (IPsec) is used for site-to-site VPNs, not client connections. Option C (HTTPS) is the application-layer protocol that uses TLS underneath. Option D (SSH) is for remote administration, not email or general traffic.

714
MCQ · medium

A marketing department uses Microsoft 365 Copilot to generate content. The compliance officer is concerned about data leakage when users interact with Copilot. Which Microsoft Purview feature should the admin implement to prevent sensitive data from being used in Copilot prompts?

A. Microsoft Purview Data Loss Prevention (DLP) for Copilot
B. Microsoft Purview Audit (Standard)
C. Microsoft Purview Information Rights Management (IRM)
D. Microsoft Purview Sensitivity labels
Answer: A

DLP policies can scan and block sensitive data in Copilot interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) for Copilot is the correct feature because it specifically inspects and blocks sensitive data (e.g., credit card numbers, PII) from being included in Copilot prompts or generated content. DLP policies can be applied to Copilot interactions to prevent data leakage by evaluating the content in real time against sensitive information types and enforcing actions like blocking or warning the user.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify and protect static content) with DLP (which actively monitors and blocks data in motion), leading them to choose Option D instead of the correct preventive control.

How to eliminate wrong answers

Option B (Microsoft Purview Audit (Standard)) is wrong because it only logs user activities for compliance review but does not actively prevent sensitive data from being used in prompts; it is a detective control, not a preventive one. Option C (Microsoft Purview Information Rights Management (IRM)) is wrong because it protects content after it is created by restricting access and usage rights (e.g., preventing forwarding or printing), but it does not inspect or block data at the point of prompt entry in Copilot. Option D (Microsoft Purview Sensitivity labels) is wrong because they classify and protect data by applying encryption or markings, but they do not provide real-time inspection or blocking of sensitive data in Copilot prompts; labels are applied to documents and emails, not to dynamic prompt content.

715
MCQ · medium

A company must comply with a regulation that requires all data stored in Microsoft 365 to remain within the European Union. Which Microsoft 365 feature should an administrator configure to enforce this geographic restriction?

A. Data Loss Prevention (DLP)
B. Information Rights Management (IRM)
C. Data Residency policies
D. Customer Lockbox
Answer: C

Data Residency policies ensure that customer data is stored at rest within a specific geographic region, meeting regulatory requirements.

Why this answer

Option C is correct because Data Residency policies in Microsoft 365 allow administrators to define the geographic location where data at rest is stored. By configuring a Data Residency policy for the European Union, the administrator ensures that all data remains within EU data centers, meeting regulatory requirements.

Exam trap

The trap here is that candidates often confuse Data Residency policies with Data Loss Prevention (DLP) or Information Rights Management (IRM), mistakenly thinking those features control data location rather than focusing on data protection or access control.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive information from being shared or leaked, not to control where data is stored geographically. Option B is wrong because Information Rights Management (IRM) protects data through encryption and usage restrictions, but does not enforce data residency or storage location constraints. Option D is wrong because Customer Lockbox provides customer approval control over Microsoft engineer access to data during support scenarios, but does not determine or enforce the geographic storage location of data.

716
Multi-Select · hard

Which THREE actions can be performed using Microsoft Purview Data Loss Prevention (DLP) policies?

Select 3 answers
A. Display a policy tip to the user when sensitive data is detected
B. Restrict access to sensitive documents
C. Apply sensitivity labels automatically
D. Audit all access to SharePoint sites
E. Block sharing of sensitive information via email
Answers: A, B, E

Policy tips inform users about policy violations.

Why this answer

Options A, B, and C are correct. DLP policies can block sharing, show tips, and restrict access. Option D is wrong because auditing is separate. Option E is wrong because sensitivity labels are part of Information Protection, not DLP.

717
MCQ · medium

A company wants to ensure that only IT administrators can install browser extensions in Microsoft Edge. Which Microsoft 365 security feature should be used?

A. Conditional Access
B. Microsoft Intune
C. Microsoft Defender for Cloud Apps
D. Microsoft Entra ID Identity Protection
Answer: B

Intune can manage device policies to restrict browser extension installations through configuration profiles.

Why this answer

Microsoft Intune is the correct choice because it provides mobile device management (MDM) and mobile application management (MAM) capabilities that allow administrators to configure Microsoft Edge settings via configuration profiles. Specifically, Intune can enforce the 'Installation of browser extensions' policy to restrict extension installation to IT administrators only, using the Administrative Templates for Edge within the Settings Catalog.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to resources) with device management policies (which control software behavior on the device), leading them to incorrectly select Conditional Access instead of Intune.

How to eliminate wrong answers

Option A is wrong because Conditional Access is an identity-driven access control feature that enforces policies based on user, device, location, or risk signals at authentication time, but it cannot directly manage or restrict browser extension installation within Edge. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on discovering and controlling cloud app usage, data protection, and threat detection, not on configuring local browser policies like extension installation. Option D is wrong because Microsoft Entra ID Identity Protection is a risk-based protection feature that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies), but it does not have the capability to enforce device-level configuration policies for browser extensions.

718
MCQeasy

A sales team needs to create a shared workspace where they can store customer documents, collaborate on a lead list, track follow-ups on a shared calendar, and hold video meetings with customers. Which Microsoft 365 service provides all these capabilities in a single, integrated experience?

A.Microsoft Viva Engage
B.Microsoft Teams
C.SharePoint Online
D.OneNote
AnswerB

Teams combines chat, document collaboration (via SharePoint), a shared calendar, and video meetings (via Microsoft Teams Meetings), making it the ideal integrated workspace for sales teams.

Why this answer

Microsoft Teams is the correct answer because it provides a single, integrated workspace that combines persistent chat, file storage (via SharePoint), collaborative editing on lists (via SharePoint or Planner), a shared calendar, and built-in video meetings. This eliminates the need to switch between separate apps for each task, fulfilling all the sales team's requirements in one experience.

Exam trap

The trap here is that candidates often pick SharePoint Online because they associate it with document storage and lists, forgetting that Teams integrates those features with video meetings and a shared calendar, making it the single, integrated solution the question explicitly requires.

How to eliminate wrong answers

Option A is wrong because Microsoft Viva Engage is primarily a social networking and employee engagement tool (formerly Yammer), not designed for document storage, lead list collaboration, shared calendars, or video meetings. Option C is wrong because SharePoint Online provides document storage and list collaboration, but lacks native video meeting capabilities and a shared calendar for tracking follow-ups without additional integration. Option D is wrong because OneNote is a digital note-taking app that supports collaboration on notes but does not offer document storage, lead list management, a shared calendar, or video meeting functionality.

719
MCQmedium

A help desk lead is documenting the correct Microsoft 365 approach to troubleshoot why a licensed user cannot access a specific app. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A.Microsoft Forms
B.The assigned license and enabled service plans
C.Microsoft Stream
D.Microsoft Whiteboard
AnswerB

Access depends on license assignment and enabled service plans.

Why this answer

When a licensed user cannot access a specific app, the most relevant concept is the assigned license and its enabled service plans. In Microsoft 365, each license (e.g., Microsoft 365 E3) includes multiple service plans (e.g., Exchange Online, SharePoint, Teams), and an admin can disable individual plans. If the required service plan for the app is disabled in the user's license, the user will be blocked from accessing that app despite having a valid license.

This is a core licensing troubleshooting step in the 'Describe Microsoft 365 pricing and support' domain.

Exam trap

The trap here is that candidates confuse the specific app names (Forms, Stream, Whiteboard) with the underlying licensing concept, failing to recognize that the question asks for the 'concept' most relevant to troubleshooting access, not the app itself.

How to eliminate wrong answers

Option A (Microsoft Forms) is wrong because it is a specific application, not a licensing, admin, or support concept; it would be the app the user cannot access, not the troubleshooting approach. Option C (Microsoft Stream) is wrong because it is also a specific application (for video) and not a licensing or support concept; it does not address why a licensed user might be blocked from an app. Option D (Microsoft Whiteboard) is wrong because it is another specific application, not a licensing or admin concept; it would be the target app, not the root cause of access issues.

720
MCQeasy

A company with 200 employees needs to deploy Microsoft 365 Apps for Enterprise. They want to pay monthly and have no annual commitment. Which licensing program should they use?

A.Microsoft 365 Enterprise Agreement
B.Microsoft 365 Business Basic
C.Microsoft 365 Business Premium
D.Microsoft 365 E3
AnswerC

Business Premium includes Microsoft 365 Apps for Enterprise (desktop apps) and can be paid monthly with no annual commitment through the Microsoft 365 Admin Center.

Why this answer

Microsoft 365 Business Premium is the correct choice because it includes Microsoft 365 Apps for Enterprise (e.g., Word, Excel, PowerPoint) and is available as a monthly subscription with no annual commitment for organizations with up to 300 users. This aligns with the company's requirement of 200 employees and the desire for flexible, month-to-month billing.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Business Premium with Microsoft 365 E3, assuming E3 is the only option for desktop Office apps, but Business Premium also includes Microsoft 365 Apps for Enterprise and is designed for smaller organizations with flexible monthly billing.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Enterprise Agreement (EA) is a volume licensing program designed for large organizations (typically 250+ users) that requires a 3-year commitment, not monthly billing with no annual commitment. Option B is wrong because Microsoft 365 Business Basic does not include the desktop versions of Microsoft 365 Apps for Enterprise; it only provides web and mobile app access plus cloud services like Exchange Online. Option D is wrong because Microsoft 365 E3 is an enterprise-grade plan that includes Microsoft 365 Apps for Enterprise, but it is typically sold through Enterprise Agreement or CSP with annual commitments, and it is not the most straightforward option for a company of 200 employees seeking a simple monthly subscription without commitment.

721
MCQhard

A global company has a strict policy that any Microsoft 365 administrator who needs to access a user's mailbox for troubleshooting must first obtain explicit approval from the user. The company wants to implement a process that requires approval for such access and logs the activity. Which Microsoft Purview feature should they use?

A.Customer Lockbox
B.Privileged Access Management (PAM)
C.Data Loss Prevention (DLP)
D.Microsoft Purview Audit
AnswerB

PAM provides approval-based, time-limited access for administrative tasks and logs all activities.

Why this answer

Privileged Access Management (PAM) in Microsoft Purview is specifically designed to provide just-in-time access to sensitive administrative roles and tasks, such as accessing a user's mailbox for troubleshooting. It enforces an approval workflow before the privileged operation is executed and logs all access attempts, meeting the company's requirement for explicit user approval and activity logging.

Exam trap

The trap here is confusing Customer Lockbox (which handles Microsoft-initiated access) with Privileged Access Management (which handles admin-initiated access), leading candidates to pick A when the scenario involves internal administrators, not Microsoft support engineers.

How to eliminate wrong answers

Option A (Customer Lockbox) is wrong because it controls access to customer data during Microsoft support requests, not for internal administrators performing mailbox troubleshooting; it requires customer approval for Microsoft engineers, not for the company's own admins. Option C (Data Loss Prevention) is wrong because it focuses on preventing unauthorized sharing or leakage of sensitive data through policies and rules, not on controlling or approving administrative access to mailboxes. Option D (Microsoft Purview Audit) is wrong because it only logs and records activities after they occur, providing visibility but no approval workflow or proactive control over who accesses a mailbox.

722
MCQmedium

A healthcare organization must ensure that electronic protected health information (ePHI) in Microsoft 365 is encrypted both at rest and in transit. Which Microsoft 365 feature provides encryption for data in transit?

A.Azure Information Protection
B.TLS/SSL encryption
C.BitLocker Drive Encryption
D.Microsoft Purview Information Protection
AnswerB

TLS encrypts data in transit.

Why this answer

Microsoft 365 uses TLS to encrypt data in transit between clients and Microsoft servers. Option A is correct. BitLocker encrypts at rest, Purview is for governance, and Rights Management is for access control.

723
MCQhard

Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has 10,000 users. The company is planning to deploy Microsoft Copilot for Microsoft 365 to all users. The IT department has identified the following requirements: 1. Users must be able to use Copilot across Microsoft Teams, Word, Excel, PowerPoint, and Outlook. 2. Copilot must be able to access user data from Exchange Online, SharePoint Online, and Microsoft Graph. 3. The deployment must comply with the company's data residency policy, which requires that all data processed by Copilot remains within the European Union (EU). 4. The company wants to use a phased rollout, starting with a pilot group of 500 users. Which configuration should the IT administrator implement to meet these requirements?

A.Assign Microsoft Copilot for Microsoft 365 licenses to the pilot group, and in Microsoft Purview, create a data residency policy that restricts data to the EU.
B.Enable Microsoft Copilot for Microsoft 365 in the Microsoft 365 admin center for all users, then ask each user to customize their Copilot permissions in Graph.
C.Assign Microsoft Copilot for Microsoft 365 licenses to the pilot group, and in the Microsoft 365 admin center, configure the data storage location to 'EU'.
D.Create a separate Microsoft 365 tenant in the EU region, move pilot users to that tenant, and assign Copilot licenses there.
AnswerC

Correct approach: licenses + data residency setting in admin center.

Why this answer

Option C is correct because the Microsoft 365 admin center provides a tenant-level setting to configure the data storage location for Microsoft Copilot for Microsoft 365, ensuring all processed data remains within the EU. Assigning licenses to the pilot group enables the phased rollout, while the data residency setting satisfies the compliance requirement without needing a separate tenant or manual user configuration.

Exam trap

The trap here is that candidates may confuse Microsoft Purview's compliance features with the Copilot-specific data residency setting in the Microsoft 365 admin center, or assume that a separate tenant is required for regional data residency, when in fact a single tenant can enforce EU data residency via the admin center configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview does not offer a data residency policy for Copilot; data residency for Copilot is configured in the Microsoft 365 admin center, not Purview. Option B is wrong because enabling Copilot for all users violates the phased rollout requirement, and asking users to customize permissions in Graph is impractical and not how Copilot data access is controlled—access is managed via Microsoft Graph permissions at the tenant level. Option D is wrong because creating a separate tenant is unnecessary and overly complex; the data residency requirement can be met within the existing tenant by configuring the storage location in the admin center, and moving users to a new tenant disrupts operations and licensing.

724
Multi-Selecthard

Which TWO are valid data classification labels in Microsoft Purview?

Select 2 answers
A.Secret
B.Confidential
C.Classified
D.Highly Confidential
E.Public
AnswersB, D

This is a built-in sensitivity label.

Why this answer

Options A and C are correct. Microsoft Purview includes built-in labels like 'Highly Confidential' and 'Confidential'. Options B, D, and E are not standard labels.

725
Multi-Selecthard

Which THREE Microsoft 365 services can be used to enforce data classification and protection?

Select 3 answers
A.Microsoft Defender for Cloud Apps
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Information Protection
D.Microsoft Intune
E.Microsoft Entra ID
AnswersA, B, C

It can apply classification labels and enforce DLP policies on cloud apps.

Why this answer

Microsoft Defender for Cloud Apps (A) is correct because it acts as a Cloud Access Security Broker (CASB) that can enforce data classification and protection by applying policies to control data in transit and at rest across cloud applications. It can automatically classify sensitive data using built-in DLP engines and enforce actions like blocking downloads or applying encryption based on content inspection.

Exam trap

The trap here is that candidates often confuse Microsoft Intune's device compliance policies with data classification and protection, or mistakenly think Entra ID's conditional access policies enforce data protection directly, when in fact they only control access based on identity and device state.

726
MCQmedium

A compliance officer needs to automatically retain all SharePoint documents that contain a specific project code for exactly 5 years. The retention must be applied automatically when the document is uploaded, without any user interaction. Which Microsoft Purview feature should they configure?

A.Data Loss Prevention (DLP) policy
B.Sensitivity labels
C.Retention labels with an auto-apply policy
D.eDiscovery (Premium)
AnswerC

Retention labels can be configured with auto-apply rules that trigger when documents contain specific keywords, ensuring automatic retention without user action.

Why this answer

Retention labels with an auto-apply policy are the correct choice because they allow you to automatically assign a retention label to SharePoint documents based on specific conditions, such as the presence of a project code, and enforce a fixed retention period (e.g., 5 years) without any user interaction. This feature is designed for automated, policy-driven retention based on content properties or sensitive information types.

Exam trap

The trap here is that candidates often confuse retention labels (which enforce retention actions) with sensitivity labels (which focus on classification and protection), leading them to choose Option B when the requirement is purely about automated retention duration.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent unauthorized sharing or leakage of sensitive data, not to enforce retention or deletion schedules. Option B is wrong because sensitivity labels primarily classify and protect data with encryption or visual markings, and while they can trigger retention, they require manual application or user interaction unless combined with auto-labeling, which is not the primary mechanism for automated retention based on a project code. Option D is wrong because eDiscovery (Premium) is used for searching, holding, and exporting data for legal or investigative purposes, not for automatically retaining documents for a fixed period upon upload.

727
MCQhard

Your company is deploying Microsoft 365 Copilot and wants to ensure that sensitive data in emails and documents is not inadvertently exposed via Copilot responses. Which Microsoft 365 capability should you implement?

A.Microsoft Purview Sensitivity Labels
B.Microsoft Defender for Cloud Apps
C.Microsoft Purview Customer Lockbox
D.Microsoft Purview Data Loss Prevention
AnswerD

DLP policies can prevent sensitive data from being included in Copilot responses.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct choice because it is specifically designed to identify, monitor, and automatically protect sensitive data (e.g., credit card numbers, PII, or custom patterns) across Microsoft 365 services, including emails and documents. When integrated with Microsoft 365 Copilot, DLP policies can prevent Copilot from including sensitive information in its responses by enforcing real-time content checks and blocking or warning users before exposure occurs.

Exam trap

The trap here is that candidates often confuse Sensitivity Labels (which apply persistent protection) with DLP (which enforces real-time actions), leading them to choose A, even though labels alone cannot block Copilot from surfacing sensitive data in responses.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Sensitivity Labels classify and protect data with encryption and visual markings, but they do not actively monitor or block data in Copilot responses—they require user or automated labeling, not real-time content inspection. Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, app permissions, and session controls for third-party cloud apps, not on preventing data leakage within Microsoft 365 Copilot responses. Option C is wrong because Microsoft Purview Customer Lockbox provides a controlled access approval process for Microsoft support engineers to access your data, but it has no role in scanning or blocking sensitive content in Copilot outputs.

728
MCQmedium

A service owner is comparing Microsoft 365 capabilities and needs to maintain a personal checklist that syncs across devices and integrates with Outlook tasks. Which Microsoft 365 app or service is the best fit?

A.Microsoft Forms
B.Microsoft To Do
C.Microsoft Purview Audit
D.Microsoft Planner
AnswerB

To Do is designed for personal task lists and integrates with Outlook tasks.

Why this answer

Microsoft To Do is the best fit because it provides a personal checklist that syncs across devices via Exchange Online and integrates natively with Outlook tasks. This allows the service owner to manage tasks from any device and see them directly within the Outlook task pane, fulfilling both requirements precisely.

Exam trap

The trap here is that candidates often confuse Microsoft Planner with Microsoft To Do because both involve tasks, but Planner is designed for team collaboration and lacks personal checklist sync with Outlook tasks, while To Do is the correct personal task management tool with direct Outlook integration.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and quiz creation tool, not a task management or checklist app; it lacks sync with Outlook tasks. Option C is wrong because Microsoft Purview Audit is a compliance and auditing solution for tracking user and admin activities, not a personal task or checklist tool. Option D is wrong because Microsoft Planner is a team-based project management app that organizes work into plans and buckets, but it does not provide a personal checklist that syncs with Outlook tasks; it focuses on collaborative assignments rather than individual task lists.

729
MCQmedium

A department head asks which Microsoft 365 option should be used to get desktop Office apps plus Intune and enhanced security capabilities for a small or medium business. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A.Microsoft Stream
B.Microsoft Whiteboard
C.Microsoft 365 Business Premium
D.Microsoft Forms
AnswerC

Business Premium adds security and device management to the business productivity bundle.

Why this answer

Microsoft 365 Business Premium is the correct choice because it bundles desktop Office apps (e.g., Word, Excel, PowerPoint) with Microsoft Intune for mobile device and app management, plus advanced security features like Microsoft Defender for Office 365, Azure Information Protection, and Conditional Access. This plan is specifically designed for small and medium businesses (up to 300 users) that need enterprise-grade security and management without requiring Enterprise-level licensing.

Exam trap

The trap here is that candidates confuse individual Microsoft 365 apps (like Stream, Whiteboard, Forms) with licensing plans, assuming any app can provide the bundled capabilities of desktop Office, Intune, and security, when only Business Premium (or Enterprise plans) offers that combination.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video hosting and sharing service within Microsoft 365, not a licensing plan that includes desktop Office apps, Intune, or enhanced security. Option B is wrong because Microsoft Whiteboard is a digital canvas collaboration tool, not a licensing plan that provides desktop Office apps, Intune, or security capabilities. Option D is wrong because Microsoft Forms is a survey and quiz creation tool, not a licensing plan that offers desktop Office apps, Intune, or enhanced security features.

730
MCQeasy

A colleague says, 'The public cloud is cheaper because you only pay for the resources you use, like compute hours or storage space.' Which cloud computing characteristic directly supports this pay-as-you-go model?

A.Rapid elasticity
B.Broad network access
C.Measured service
D.On-demand self-service
AnswerC

Measured service allows the provider to meter usage and charge only for what is consumed, enabling the pay-as-you-go model.

Why this answer

Option C is correct because measured service is the cloud computing characteristic that enables a pay-as-you-go model by metering resource usage (e.g., compute hours, storage GB-months, outbound data transfer) and providing transparent billing based on actual consumption. This allows providers like Azure to charge only for what is used, directly supporting the colleague's statement that the public cloud is cheaper because you pay only for resources consumed.

Exam trap

The trap here is that candidates often confuse on-demand self-service (the ability to provision resources without waiting) with the billing model, but on-demand self-service does not inherently include usage metering or pay-as-you-go pricing.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down quickly based on demand, not to the metering or billing mechanism that supports pay-as-you-go. Option B is wrong because broad network access describes the ability to access cloud services over the network via standard protocols (e.g., HTTPS, SSH), which enables connectivity but does not involve usage tracking or cost allocation. Option D is wrong because on-demand self-service allows users to provision resources without human interaction (e.g., via the Azure portal or CLI), but it does not inherently include the metering or billing logic that makes pay-as-you-go possible.

731
MCQhard

A multinational corporation needs to design a cloud strategy that allows them to keep sensitive financial data on-premises while using public cloud for customer-facing apps. Which deployment model should they adopt?

A.Hybrid cloud
B.Private cloud
C.Public cloud
D.Multi-cloud
AnswerA

Hybrid cloud enables keeping sensitive data on-premises while using public cloud for customer apps.

Why this answer

Option B is correct because hybrid cloud combines on-premises (private) and public cloud, allowing sensitive data to remain on-premises while leveraging public cloud for other apps. Option A (Public cloud) stores everything in public cloud, violating data residency. Option C (Private cloud) only uses on-premises, missing public cloud benefits.

Option D (Multi-cloud) uses multiple public clouds but not necessarily on-premises.

732
MCQhard

A security analyst runs the above KQL query in Microsoft 365 Defender. What is the primary purpose of this query?

A.Show the number of phishing clicks per user.
B.Identify the top 10 sender domains that were blocked in the last week.
C.List all emails that were allowed despite containing malware.
D.Count emails that failed SPF/DKIM/DMARC.
AnswerB

Correct. The query summarizes blocked emails by domain and shows top 10.

Why this answer

The KQL query uses `EmailEvents` and summarizes by `SenderMailFromDomain`, then sorts by `Count` descending and takes the top 10. The `where Timestamp > ago(7d)` filters for the last week, and the query does not filter on any action like `Phish` or `Allowed`; it simply counts all email events grouped by sender domain. The primary purpose is to identify the top 10 sender domains that were blocked (or processed) in the last week, as the query counts all events without a specific action filter, but in the context of Microsoft 365 Defender, this is typically used to surface high-volume domains that may be blocked or suspicious.

Exam trap

The trap here is that candidates assume the query is filtering for blocked or malicious emails, but without a `where` clause on `Action` or `Verdict`, it counts all email events, so the primary purpose is simply to show the top sender domains by volume in the last week.

How to eliminate wrong answers

Option A is wrong because the query does not filter on `Phish` or `ClickAction`; it counts all email events by sender domain, not phishing clicks per user. Option C is wrong because the query does not filter on `Allowed` or `Malware` verdicts; it counts all email events without any verdict filter. Option D is wrong because the query does not reference `AuthenticationDetails` or `SPF`, `DKIM`, `DMARC` fields; it only uses `SenderMailFromDomain` and `Timestamp`.

733
MCQeasy

Refer to the exhibit. You are reviewing a Conditional Access policy configuration. What is the effect of this policy on a user who signs in from a known device but with medium sign-in risk?

A.The user is required to reset their password.
B.The user is blocked from signing in.
C.The user is allowed without any additional prompts because the device is known.
D.The user is prompted for multifactor authentication.
AnswerD

The grant control is MFA when risk >= medium.

Why this answer

The policy requires MFA when the sign-in risk level is medium or higher. Since the condition is met (medium risk), the user will be prompted for MFA. Option B is correct.

734
MCQeasy

Your organization uses Microsoft 365 Copilot and wants to ensure that sensitive data is not exposed through AI-powered features. Which Microsoft Purview capability should be configured?

A.Microsoft Intune app protection policies
B.Microsoft Defender for Cloud Apps
C.Microsoft Purview Data Loss Prevention policies for Copilot
D.Microsoft Entra Conditional Access
AnswerC

DLP can be configured to protect sensitive data in Copilot interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) can be extended to Copilot interactions to prevent sensitive data from being shared. Additionally, sensitivity labels can be used. Option A is correct because Purview DLP policies can apply to Copilot.

735
MCQhard

A hospital uses Microsoft 365 E5. They need to archive patient emails for 7 years and enable legal hold for ongoing litigation. Which two Microsoft Purview features should they use? (Select TWO.)

A.Sensitivity labels
B.Retention policies
C.Litigation hold
D.Data Lifecycle Management
E.eDiscovery
AnswerB, C

Correct. Retention policies can archive emails for 7 years.

Why this answer

Retention policies (B) are correct because they allow the organization to define rules that preserve patient emails for a specific duration, such as 7 years, to meet regulatory compliance requirements. Litigation hold (C) is correct because it preserves all mailbox content, including deleted items, in its original state for the duration of ongoing litigation, preventing any alteration or deletion.

Exam trap

The trap here is that candidates often confuse 'Litigation hold' with 'eDiscovery hold' or think that 'Data Lifecycle Management' is a standalone feature in Microsoft Purview, when in fact the correct feature for time-based retention is 'Retention policies' and for legal preservation is 'Litigation hold'.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used to classify and protect data based on sensitivity (e.g., confidentiality), not to enforce time-based retention or legal holds. Option D is wrong because Data Lifecycle Management is a broader concept that includes retention and deletion policies, but in Microsoft 365, the specific feature for setting retention durations is 'Retention policies' (part of Microsoft Purview), not a separate feature named 'Data Lifecycle Management'. Option E is wrong because eDiscovery is used to search, hold, and export content for legal or investigative purposes, but it does not itself enforce a fixed 7-year retention period; it relies on holds and retention policies to preserve data.

736
MCQmedium

Your company is moving to Microsoft 365 and wants to reduce capital expenditure (CapEx) on hardware and software licenses. Which cloud benefit is most directly related to this goal?

A.Scalability
B.Consumption-based pricing
C.Agility
D.Security
AnswerB

Consumption-based pricing converts capital expenditure to operational expenditure.

Why this answer

Option B is correct because moving from CapEx to OpEx is a key financial benefit of cloud. Option A is wrong because agility is about speed, not cost structure. Option C is wrong because scalability is about adjusting resources.

Option D is wrong because security is about protection.

737
MCQhard

A legal firm needs to automatically encrypt and apply access restrictions to all documents that contain case numbers considered highly confidential. The protection must remain enforced even if the document is emailed to external parties or saved to a personal device. Which Microsoft Purview solution should be configured?

A.Data Loss Prevention (DLP)
B.Sensitivity Labels with encryption
C.Microsoft Purview Audit
D.Customer Lockbox
AnswerB

Sensitivity labels can apply automatic encryption and usage restrictions that follow the document, meeting the requirement for persistent protection.

Why this answer

Sensitivity Labels with encryption are the correct solution because they allow the legal firm to classify documents containing confidential case numbers and enforce persistent protection (encryption and access restrictions) that travels with the document, even when emailed externally or saved to a personal device. This is achieved by applying Azure Rights Management (Azure RMS) encryption directly to the file, ensuring the protection is embedded in the document itself, not just at the network or service boundary.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with persistent protection, mistakenly thinking DLP can encrypt documents and enforce access controls after they leave the organization, when in fact DLP only monitors and blocks data in transit or at rest within the tenant, not after it is shared externally.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies can detect and block the sharing of sensitive data (like case numbers) but do not automatically encrypt or apply persistent access restrictions to documents; DLP operates at the transport and endpoint level to prevent data exfiltration, not to enforce ongoing protection after the document leaves the organization. Option C is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities, not automatic encryption or access control on documents. Option D is wrong because Customer Lockbox is a control that requires explicit approval for Microsoft support engineers to access customer data, and it does not provide document-level encryption or access restrictions.

738
Drag & Drop · medium

Drag and drop the steps to perform an eDiscovery content search in the Microsoft 365 compliance center into the correct order.

Why this order

eDiscovery content search involves creating a search, specifying locations, query, and reviewing results.

739
Multi-Select · easy

A business wants to use a cloud solution where they can scale computing resources up or down automatically based on demand and only pay for what they use. The cloud provider manages the underlying hardware. Which two cloud characteristics are being described? (Choose two.)

Select 2 answers
A. Elasticity
B. Measured service
C. Scalability
D. High availability
Answers: A, B

Correct. Elasticity allows automatic scaling of resources to match demand, which is described in the scenario.

Why this answer

Elasticity is correct because it describes the ability to automatically scale computing resources up or down based on demand, which is a key characteristic of cloud computing. The scenario explicitly states that resources scale automatically, which aligns with elasticity rather than just the ability to scale (scalability). Measured service is correct because the business pays only for what they use, which is the pay-per-use billing model enabled by metering resource consumption.

Exam trap

The trap here is that candidates confuse scalability (the ability to scale) with elasticity (automatic scaling based on demand), and they overlook measured service as a distinct characteristic because they focus only on the scaling aspect rather than the pay-per-use billing model explicitly stated in the question.

740
MCQ · medium

An organization uses Microsoft Viva Learning to provide training content. They want to ensure that only employees in the Sales department see sales-specific courses. Which feature should they use?

A. Set permissions on the SharePoint site hosting the courses.
B. Configure Viva Connections dashboard to show only Sales courses.
C. Create learning paths and assign them to the Sales department group in Viva Learning.
D. Use Viva Topics to tag courses and let users discover them.
Answer: C

Learning paths can be assigned to specific groups.

Why this answer

Option C is correct because Viva Learning allows administrators to create learning paths and assign them to specific Microsoft 365 groups, such as the Sales department group. This ensures that only members of that group see the assigned sales-specific courses, providing targeted content delivery without affecting other users' views.

Exam trap

The trap here is that candidates often confuse SharePoint permissions (Option A) with Viva Learning's group-based targeting, not realizing that Viva Learning controls visibility through learning path assignments rather than underlying site permissions.

How to eliminate wrong answers

Option A is wrong because setting permissions on the SharePoint site hosting the courses would control access to the site itself, but Viva Learning aggregates content from multiple sources and permissions on the underlying SharePoint site do not directly control visibility within the Viva Learning interface; users could still see the courses listed but be denied access when trying to open them, which is not the same as controlling visibility. Option B is wrong because the Viva Connections dashboard is a personalized entry point to employee resources and news, but it does not have the capability to filter or restrict which courses appear in Viva Learning; it can surface links but cannot enforce course visibility by department. Option D is wrong because Viva Topics uses AI to automatically tag and surface knowledge content, but it is designed for discovery and knowledge management, not for controlling visibility or access to training courses; it cannot restrict who sees specific courses based on department membership.

741
MCQ · hard

Refer to the exhibit. An admin creates a Microsoft Purview Data Loss Prevention (DLP) policy rule as shown. When will the rule block access?

A. When a credit card number is detected with high confidence
B. When the document is shared externally
C. When any sensitive information type is detected
D. Never, because the rule is not applied to any location
Answer: A

The condition specifies credit card number with high confidence.

Why this answer

The rule is configured with a condition that triggers when a credit card number is detected with a confidence level of 'high'. The action 'Block access' is set to execute when this condition is met. Therefore, the rule blocks access specifically when a credit card number is detected with high confidence, making option A correct.

Exam trap

The trap here is that candidates may assume the rule blocks access whenever a sensitive information type is detected, overlooking the specific confidence level requirement, or they might think the rule is not applied to any location without verifying the exhibit's location configuration.

How to eliminate wrong answers

Option B is wrong because the rule does not include a condition for external sharing; the condition is solely based on detecting a credit card number, not on the sharing context. Option C is wrong because the rule specifies a particular sensitive information type (credit card number) with a high confidence level, not 'any sensitive information type'. Option D is wrong because the rule is applied to locations (as indicated by the 'Locations' section in the exhibit, which is assumed to be configured, even if not fully shown), and the question states the admin creates the rule, implying it is applied to at least one location.

742
MCQ · medium

A company with 500 users currently has Microsoft 365 Business Basic licenses. They need to provide all users with the desktop versions of Office apps and increase email storage to 100 GB per user. What is the most cost-effective licensing upgrade from the options below?

A. Upgrade all users to Microsoft 365 Business Standard
B. Upgrade all users to Microsoft 365 Business Premium
C. Keep Business Basic and purchase Exchange Online Plan 2 add-on for each user
D. Upgrade to Microsoft 365 E3
Answer: D

Microsoft 365 E3 includes desktop versions of Office apps and provides a 100 GB mailbox per user, satisfying both requirements with a single license.

Why this answer

Microsoft 365 Business Basic provides only web and mobile versions of Office apps and 50 GB of email storage. The requirement for desktop Office apps and 100 GB email storage per user is met by Microsoft 365 E3, which includes both the full desktop Office suite and Exchange Online Plan 2 (100 GB mailbox). Among the options, E3 is the most cost-effective upgrade because it bundles these features without the additional security and device management costs of Business Premium or the inefficiency of stacking add-ons on Business Basic.

Exam trap

The trap here is that candidates often assume Business Standard or Business Premium already includes 100 GB mailboxes, but they only include Exchange Online Plan 1 (50 GB), and the question specifically requires 100 GB per user, which forces the upgrade to an Enterprise plan like E3.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Business Standard includes desktop Office apps but only provides 50 GB of email storage per user (Exchange Online Plan 1), not the required 100 GB. Option B is wrong because Microsoft 365 Business Premium also includes only 50 GB email storage per user and adds unnecessary security and device management features that increase cost without addressing the 100 GB requirement. Option C is wrong because keeping Business Basic and adding Exchange Online Plan 2 per user would provide the 100 GB storage but still lacks desktop Office apps, requiring an additional purchase (e.g., Office 365 E1 or separate Office licenses), making it less cost-effective than a single E3 license that bundles both.

743
Multi-Select · hard

Which TWO of the following are requirements for implementing Microsoft Purview Customer Key? (Choose two.)

Select 2 answers
A. Microsoft Entra ID Premium P2 licenses
B. An Azure subscription with Azure Key Vault
C. A Microsoft 365 E5 license
D. Microsoft Defender for Cloud Apps
E. An on-premises Hardware Security Module (HSM)
Answers: B, C

Azure Key Vault is used to store your keys.

Why this answer

Option B is correct: Customer Key uses Azure Key Vault to store keys. Option C is correct: Customer Key requires a Microsoft 365 E5 license. Option E is wrong because Customer Key does not require an on-premises HSM; it uses Azure Key Vault.

Option A is wrong because Customer Key does not require Entra ID P2; E5 license suffices. Option D is wrong because Customer Key does not require Microsoft Defender for Cloud Apps.

744
MCQ · medium

A company wants to provide employees with a personal cloud storage solution that syncs files across devices and allows sharing with external partners. Which Microsoft 365 service should they use?

A. Exchange Online
B. OneDrive for Business
C. Microsoft Teams
D. SharePoint Online
Answer: B

OneDrive for Business provides personal cloud storage with sync capabilities and external sharing.

Why this answer

OneDrive for Business provides personal cloud storage that syncs files across devices via the OneDrive sync client and enables secure sharing with external partners through granular permission controls. This directly meets the requirement for individual file storage, cross-device synchronization, and external sharing.

Exam trap

The trap here is that candidates often confuse SharePoint Online's team-based document libraries with OneDrive for Business's personal storage, overlooking that the question explicitly asks for 'personal cloud storage' and 'syncs files across devices'—features unique to OneDrive for Business.

How to eliminate wrong answers

Option A is wrong because Exchange Online is an email and calendaring service, not a cloud storage solution; it lacks file sync and external file-sharing capabilities. Option C is wrong because Microsoft Teams is a collaboration hub for chat, meetings, and channels, not a personal storage service; while files can be shared in Teams, it does not provide per-user personal sync storage. Option D is wrong because SharePoint Online is a document management and collaboration platform for team sites, not a personal cloud storage solution; it is designed for shared team libraries rather than individual file sync across devices.

745
MCQ · easy

A help desk lead is documenting the correct Microsoft 365 approach to use hosted email without managing mail servers. Which cloud concept or benefit best matches this requirement?

A. Platform as a Service (PaaS)
B. Community cloud
C. Software as a Service (SaaS)
D. Infrastructure as a Service (IaaS)
Answer: C

SaaS delivers a complete application operated by the provider; Exchange Online is a SaaS example.

Why this answer

Option C is correct because Microsoft 365's Exchange Online delivers hosted email as a Software as a Service (SaaS) offering. This means Microsoft manages the mail servers, software updates, and infrastructure, while the help desk lead simply configures user mailboxes and policies via the admin center. SaaS is the cloud model where the provider hosts and manages the entire application, aligning perfectly with the requirement to avoid managing mail servers.

Exam trap

The trap here is that candidates confuse PaaS with SaaS because both involve managed services, but PaaS requires you to manage the application code and runtime, whereas SaaS delivers a fully finished application like Exchange Online, eliminating all server management tasks.

How to eliminate wrong answers

Option A is wrong because Platform as a Service (PaaS) provides a runtime environment for deploying custom applications, not a ready-to-use hosted email service; you would still need to build and manage the email application code. Option B is wrong because Community cloud is a deployment model where infrastructure is shared among several organizations with common concerns (e.g., compliance), not a service model that delivers hosted email without server management. Option D is wrong because Infrastructure as a Service (IaaS) provides virtualized servers, storage, and networking, requiring the customer to install, configure, and manage the email server software (e.g., Exchange Server) themselves, which contradicts the 'without managing mail servers' requirement.

746
MCQ · medium

An HR manager needs to collect employee feedback on a new policy. They want to create a short survey that anonymizes responses and provides automatic charts summarizing the results. Which Microsoft 365 app is best suited for this task?

A. Microsoft Lists
B. Microsoft Forms
C. Microsoft Sway
D. Microsoft Excel
Answer: B

Forms allows creating surveys quickly, supports anonymous responses, and automatically generates summary charts and real-time results, making it ideal for this scenario.

Why this answer

Microsoft Forms is the correct choice because it is specifically designed for creating surveys and quizzes with built-in anonymous response settings and automatic chart generation. The HR manager can turn off 'Record name' for anonymity, and Forms automatically visualizes results with pie charts, bar graphs, and summary data without manual setup.

Exam trap

The trap here is that candidates may confuse Microsoft Lists as a survey tool because it can collect data via forms, but Lists lacks anonymous response settings and automatic charting, which are core to Forms.

How to eliminate wrong answers

Option A is wrong because Microsoft Lists is a data tracking and organization app for managing structured information like inventory or issues, not for creating surveys with automatic chart summaries. Option C is wrong because Microsoft Sway is a digital storytelling and presentation tool for interactive reports and newsletters, lacking survey creation and anonymous response collection. Option D is wrong because Microsoft Excel is a spreadsheet application that requires manual data entry and chart creation, and it does not natively support anonymous survey distribution or automatic result visualization.

747
Multi-Select · medium

Which THREE of the following are valid data subject rights under GDPR? (Choose three.)

Select 3 answers
A. Right to data portability
B. Right to erasure (right to be forgotten)
C. Right of access
D. Right to perpetual storage
E. Right to monetization of data
Answers: A, B, C

Individuals can request to transfer their data.

Why this answer

GDPR grants individuals rights such as the right to erasure, portability, and access. Options A, B, and C are correct.

748
MCQ · medium

Your company has 50 users on Microsoft 365 Business Premium. You need to provide phone system and audio conferencing capabilities. What should you do?

A. Purchase Microsoft 365 Business Voice
B. Purchase a Microsoft 365 Calling Plan subscription for each user
C. Upgrade all users to Microsoft 365 E5
D. Add the Phone System and Audio Conferencing add-ons to the existing Business Premium licenses
Answer: D

These add-ons provide the needed capabilities.

Why this answer

Microsoft 365 Business Premium includes the rights to add Phone System and Audio Conferencing as add-ons. Option D is correct because you simply purchase the Phone System and Audio Conferencing add-on licenses for each user who needs those capabilities, without changing the base subscription. This is the most cost-effective and straightforward path to enable PSTN calling and dial-in conferencing for Business Premium users.

Exam trap

The trap here is that candidates often confuse the need for a Calling Plan with the Phone System and Audio Conferencing capabilities, or they mistakenly think Business Voice is still available, when in fact the correct path is to add the Phone System and Audio Conferencing add-ons to the existing Business Premium licenses.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Business Voice was a legacy bundle that has been retired; it is no longer available for purchase. Option B is wrong because a Calling Plan subscription is an add-on that requires the Phone System license first; you cannot purchase a Calling Plan alone without first having Phone System assigned. Option C is wrong because upgrading all users to Microsoft 365 E5 is unnecessary and more expensive; Business Premium already includes the rights to add Phone System and Audio Conferencing as add-ons, so a full E5 upgrade is overkill.

749
Multi-Select · hard

Which THREE Microsoft 365 services are part of the Microsoft Viva employee experience platform?

Select 3 answers
A. Viva Insights
B. Microsoft SharePoint
C. Viva Connections
D. Microsoft Teams
E. Viva Learning
Answers: A, C, E

Viva Insights is a part of Microsoft Viva.

Why this answer

Options A, C, and E are correct. Microsoft Viva includes Viva Connections (employee portal), Viva Insights (wellbeing and productivity analytics), and Viva Learning (learning hub). Option D is wrong because Microsoft Teams is the platform that hosts Viva apps, not a Viva service itself.

Option B is wrong because Microsoft SharePoint is a content management platform, not a Viva service.

750
MCQ · hard

An organization with 150 users currently uses Microsoft 365 Business Standard. They need advanced compliance features (litigation hold and eDiscovery Standard) for all users, and Microsoft Defender for Office 365 Plan 1 for the 50 users in the finance department. What is the most cost-effective licensing approach?

A. Upgrade all users to Microsoft 365 Business Premium
B. Upgrade all users to Microsoft 365 E3 and add Microsoft Defender for Office 365 Plan 1 for the finance department
C. Purchase Microsoft 365 E5 for all users
D. Keep Business Standard and purchase Microsoft 365 E5 Compliance add-on for all users plus Exchange Online Protection for finance
Answer: B

E3 includes the needed compliance features. Defender for Office 365 Plan 1 is an add-on that can be assigned to only the finance users, making this cost-effective.

Why this answer

Option B is the most cost-effective because it upgrades all users to Microsoft 365 E3, which includes the required advanced compliance features (litigation hold and eDiscovery Standard) natively, and then adds Microsoft Defender for Office 365 Plan 1 only for the 50 finance users who need it. This avoids the higher per-user cost of Business Premium (which lacks E3's compliance depth) or E5 (which includes unnecessary advanced features), while still meeting all stated requirements.

Exam trap

The trap here is that candidates often assume Microsoft 365 Business Premium includes all compliance features of E3, but it lacks litigation hold and eDiscovery Standard, leading them to incorrectly choose Option A as a simpler upgrade path.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Business Premium does not include the full advanced compliance capabilities (litigation hold and eDiscovery Standard) required for all users; it offers only basic eDiscovery and retention policies, not the full Standard eDiscovery or litigation hold features. Option C is wrong because Microsoft 365 E5 is overkill and not cost-effective; it includes advanced compliance and security features (e.g., eDiscovery Advanced, Microsoft Defender for Office 365 Plan 2) that are not required, leading to unnecessary expense. Option D is wrong because Microsoft 365 E5 Compliance add-on is not a standalone SKU for Business Standard; compliance add-ons require an E3 or E5 base license, and Exchange Online Protection is already included in Business Standard, not a separate purchase for Defender for Office 365 Plan 1.
