Microsoft 365 Fundamentals MS-900 (MS-900) — Questions 76–150

985 questions total · 14 pages · All types, answers revealed

Page 2 of 14

76
MCQ · medium

A financial services company uses Microsoft 365 E5 and wants to implement a data loss prevention (DLP) policy that blocks users from sharing credit card numbers via email and Teams messages. The compliance team also wants to generate reports on policy violations. They are considering using Microsoft Purview. Which approach should they take to meet these requirements with minimum administrative overhead?

A. Create separate DLP policies in Exchange admin center and Teams admin center.
B. Create a unified DLP policy in the Microsoft Purview compliance portal that covers Exchange and Teams.
C. Use Microsoft Sentinel to create analytics rules that detect sharing of credit card numbers.
D. Use Microsoft Defender for Cloud Apps to create session policies for email and Teams.
Answer: B

Purview DLP can apply to multiple workloads from a single policy.

Why this answer

Option A is correct because Microsoft Purview DLP policies can be created in the Microsoft Purview compliance portal to monitor and block sensitive data in Exchange Online and Teams. Option B is wrong because creating individual policies per service is more overhead. Option C is wrong because Microsoft Defender for Cloud Apps is for cloud app security, not primary DLP for email and Teams.

Option D is wrong because Microsoft Sentinel is a SIEM and not designed for DLP policy enforcement.

77
MCQ · medium

A project team needs to create a shared workspace to manage tasks, share files, track project milestones, and communicate through conversation threads. They want a single app that integrates with other Microsoft 365 services like Outlook and Teams. Which Microsoft 365 app is best suited for this requirement?

A. Microsoft Planner
B. Microsoft To Do
C. Microsoft Project for the web
D. Microsoft Lists
Answer: A

Correct. Planner offers shared task boards, progress tracking, and seamless integration with Teams and Outlook for team collaboration.

Why this answer

Microsoft Planner is best suited because it provides a shared workspace with buckets and cards for task management, file attachments, milestone tracking via checklists and due dates, and conversation threads on each task. It integrates natively with Outlook for task visibility and with Teams via the Planner tab, meeting the requirement for a single app that combines these capabilities.

Exam trap

The trap here is that candidates confuse Microsoft To Do as a team tool because of its integration with Outlook tasks, but it lacks shared workspaces and team collaboration features, which are core to Planner.

How to eliminate wrong answers

Option B (Microsoft To Do) is wrong because it is a personal task management app focused on individual to-do lists and lacks shared workspaces, file sharing, milestone tracking, and conversation threads for team collaboration. Option C (Microsoft Project for the web) is wrong because it is designed for complex project portfolio management with Gantt charts and resource allocation, not for lightweight task management with conversation threads and file sharing in a single app. Option D (Microsoft Lists) is wrong because it is a data tracking app for creating custom lists (e.g., inventory, issues) and does not include built-in task management features like buckets, checklists, or conversation threads.

78
MCQ · medium

A company deploys a custom application on a cloud platform where they manage the operating system and runtime environment, but the cloud provider manages the underlying physical infrastructure, storage, and networking. Which cloud service model is being used?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Function as a Service (FaaS)
Answer: A

In IaaS, the customer has control over the operating system, storage, and deployed applications, while the provider manages the underlying infrastructure.

Why this answer

The scenario describes a model where the customer manages the operating system and runtime environment, while the cloud provider handles the physical infrastructure, storage, and networking. This aligns precisely with Infrastructure as a Service (IaaS), as IaaS provides virtualized computing resources (e.g., virtual machines) where the customer retains control over the OS, middleware, and applications, but the provider manages the underlying hardware, hypervisor, and physical network.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS because both involve deploying applications, but the key differentiator is who manages the OS and runtime—IaaS gives the customer full control over these layers, whereas PaaS abstracts them away entirely.

How to eliminate wrong answers

Option B (PaaS) is wrong because in PaaS, the provider manages not only the physical infrastructure but also the operating system and runtime environment, leaving the customer only to deploy and manage their application code and data. Option C (SaaS) is wrong because in SaaS, the provider manages the entire application stack, including the OS, runtime, and application, and the customer only uses the software via a web browser or API without any control over the underlying platform. Option D (FaaS) is wrong because FaaS is a subset of serverless computing where the customer only deploys individual functions (code snippets) and the provider dynamically manages the runtime and infrastructure, including the OS, scaling, and execution environment, which contradicts the customer managing the OS and runtime.

79
Multi-Select · medium

Which of the following are included as part of Microsoft 365 E3 or E5 subscriptions? Choose all that apply. (There are four correct answers.)

Select 4 answers
.Microsoft Teams
.Exchange Online with 100 GB mailbox and unlimited storage via archiving
.Windows 10/11 Enterprise E3
.Microsoft Defender for Office 365
.Azure Active Directory Premium P1 only (not P2)
.Microsoft 365 Personal (single user) license

Why this answer

Microsoft 365 E3 and E5 subscriptions include Microsoft Teams as a core collaboration service, Exchange Online with a 100 GB mailbox and unlimited archive storage via auto-expanding archiving, Windows 10/11 Enterprise E3 for device management and security, and Microsoft Defender for Office 365 (in E5, and as an add-on for E3 but included in the E5 suite). These are standard components of the enterprise-grade plans.

Exam trap

Microsoft often tests the misconception that Azure AD Premium P1 is the only identity tier in E3/E5, but E5 actually includes P2, and that Microsoft 365 Personal is a valid enterprise license, when it is a consumer-only product.

80
MCQ · medium

A user with a Microsoft 365 Business Basic subscription needs help with a billing issue. They want immediate assistance without paying extra. What support option is already included in their subscription at no additional cost?

A. 24/7 technical phone support
B. Online self-help documentation and community forums
C. Proactive monitoring and advisory services
D. Priority support with fast response times
Answer: B

Business Basic subscribers have access to a comprehensive library of online articles, videos, and community forums where they can get answers from Microsoft experts and other users. This is the no-cost support option.

Why this answer

Microsoft 365 Business Basic subscriptions include access to online self-help documentation, community forums, and web-based support articles at no additional cost. This is the baseline support level for all Microsoft 365 plans, providing users with resources to resolve common issues like billing without requiring a paid support plan.

Exam trap

The trap here is that candidates often assume all Microsoft 365 subscriptions include 24/7 phone support, but Microsoft reserves phone and priority support for paid support plans, while only self-help and community forums are included at no extra cost in Business Basic.

How to eliminate wrong answers

Option A is wrong because 24/7 technical phone support is not included in Microsoft 365 Business Basic; it requires a separate paid support plan (e.g., Microsoft Support for Business or Premier Support). Option C is wrong because proactive monitoring and advisory services are part of Microsoft’s higher-tier support offerings (e.g., Unified Support or Premier Support), not included in Business Basic. Option D is wrong because priority support with fast response times is a feature of paid support plans (e.g., Microsoft Support for Business Pro or Advanced), not the free baseline support included with Business Basic.

81
MCQ · medium

You are the compliance officer for Fabrikam, a medium-sized company with 500 users on Microsoft 365 Business Premium. Fabrikam must comply with the California Consumer Privacy Act (CCPA). The legal team has identified that they need to be able to respond to consumer requests to delete personal data within 45 days. They also need to ensure that personal data is not retained longer than necessary. You have been asked to configure Microsoft Purview to meet these requirements. Specifically, you need to search for and delete personal data when a deletion request is received, and set up a data retention policy to automatically delete personal data after 2 years. What should you do?

A. Implement auto-labeling to label personal data and configure a retention label to delete after 2 years.
B. Use Content Search to find personal data, then use eDiscovery to delete it for deletion requests. Create a retention policy with a retention period of 2 years for all SharePoint sites and OneDrive accounts.
C. Create a retention label that deletes data after 2 years and apply it manually to all documents containing personal data.
D. Configure a DLP policy to block sharing of personal data and set a retention policy for 2 years.
Answer: B

Content Search and eDiscovery handle deletion; retention policy handles automatic deletion.

Why this answer

Option B is correct because to delete personal data for a specific user, you need to use Content Search to find the data and then eDiscovery to delete it. A retention policy can be set to automatically delete data after 2 years. Option A is incorrect because a retention label is for manual application, not automatic deletion.

Option C is incorrect because DLP does not delete data. Option D is incorrect because auto-labeling does not delete data.

82
Multi-Select · easy

Which TWO apps are included in Microsoft Viva?

Select 2 answers
A. Microsoft Stream
B. Microsoft Teams
C. Viva Connections
D. Microsoft Power Automate
E. Viva Insights
Answers: C, E

Viva Connections is part of Microsoft Viva.

Why this answer

Viva Connections is a core app within Microsoft Viva that provides a personalized employee experience dashboard, integrating company news, resources, and tasks directly into Microsoft Teams. Viva Insights is another core app that offers data-driven, privacy-protected insights to help employees improve productivity and well-being. Both are explicitly part of the Microsoft Viva employee experience platform.

Exam trap

The trap here is that candidates confuse the platform (Microsoft Teams) with the apps that run on it (Viva Connections, Viva Insights), leading them to select Teams as a Viva app instead of recognizing it as the host environment.

83
MCQ · hard

A legal team is preparing for litigation. They need to place a hold on all content (emails, documents, Teams messages) related to a specific project across the entire organization. The hold must prevent any deletion or modification of the content. Which Microsoft Purview solution should they use?

A. eDiscovery (Premium) with legal hold
B. Audit log search
C. Data Loss Prevention (DLP)
D. Retention policy
Answer: A

eDiscovery (Premium) allows creating cases, searching for relevant content, and applying legal holds to preserve data across all Microsoft 365 workloads.

Why this answer

Option A is correct because eDiscovery (Premium) with legal hold is the Microsoft Purview solution specifically designed to preserve content in-place for litigation. When a legal hold is applied to a case, it prevents deletion or modification of emails, documents, and Teams messages across the entire organization by placing a hold on the underlying Exchange Online mailboxes, SharePoint sites, and OneDrive accounts. This ensures that all content related to the project is immutable for the duration of the hold, meeting the legal team's requirement.

Exam trap

The trap here is that candidates often confuse retention policies (which are broad, time-based preservation rules) with legal holds (which are case-specific, litigation-driven holds that prevent any modification or deletion), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B (Audit log search) is wrong because it only records and allows searching of past activities (e.g., who accessed or deleted content) but does not prevent deletion or modification of content; it is a detective control, not a preventive one. Option C (Data Loss Prevention or DLP) is wrong because DLP policies are designed to identify, monitor, and protect sensitive data from being shared or leaked (e.g., via email or Teams), not to place a hold on content for litigation purposes. Option D (Retention policy) is wrong because while retention policies can preserve content for a specified period, they are typically applied based on content type or location and do not provide the granular, case-specific hold required for litigation; retention policies also allow modification of content unless combined with a retention label that blocks editing, which is not the same as a legal hold.

84
MCQ · easy

Your organization is migrating from on-premises Exchange to Exchange Online. You need to ensure that email communications comply with regulatory requirements for retention. Which Microsoft 365 feature should you use to define retention periods for emails?

A. Microsoft Purview eDiscovery cases
B. Microsoft Purview retention policies
C. Exchange Online journaling
D. Exchange Online litigation hold
Answer: B

Retention policies define how long content is kept and when to delete.

Why this answer

Option A is correct because retention policies in Microsoft Purview apply to Exchange Online. Option B is incorrect because eDiscovery is for search and hold. Option C is incorrect because Journaling is a legacy feature, not the primary retention tool.

Option D is incorrect because Litigation Hold is for preservation, not defined retention periods.

85
MCQ · hard

Refer to the exhibit. A Contoso administrator configures a Conditional Access policy as shown. Users report they cannot access email on their Android phones using the default email app. What is the most likely cause?

A. The user is excluded from the policy.
B. The default Android email app uses legacy authentication.
C. The policy requires multi-factor authentication.
D. The policy does not apply to mobile devices.
Answer: B

The policy blocks legacy authentication clients.

Why this answer

Option B is correct because the policy blocks legacy authentication clients like the default Android email app. Option A is wrong because the policy does not require MFA. Option C is wrong because the user is not excluded.

Option D is wrong because the policy applies to all users.

86
MCQ · hard

A company wants to ensure that all Microsoft 365 admin actions are recorded and searchable for at least 180 days. They also need to create custom alert rules to notify the security team when critical events occur, such as a user being added to the Global Admin role. Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Information Protection
D. Microsoft Purview eDiscovery
Answer: A

Correct. Audit (Premium) can retain logs for up to 1 year and supports custom alert policies for critical events.

Why this answer

Microsoft Purview Audit (specifically Audit (Standard) or Audit (Premium)) is the correct solution because it records all admin actions from Microsoft 365 services into the unified audit log, retains those logs for at least 180 days (Audit Standard) or up to 10 years (Audit Premium), and allows you to create custom alert policies that trigger notifications when specific events like 'Added member to role' (e.g., Global Admin) occur. This directly meets the requirement for recording, searchability, and custom alerting on critical admin events.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Audit with Microsoft Purview eDiscovery, mistakenly thinking eDiscovery is used for monitoring admin actions, when in fact eDiscovery is solely for legal content search and holds, not for real-time auditing or alerting.

How to eliminate wrong answers

Option B (Microsoft Purview Data Loss Prevention) is wrong because DLP is designed to detect and prevent accidental sharing of sensitive data (e.g., credit card numbers) through policies, not to record admin actions or create alerts for role changes. Option C (Microsoft Purview Information Protection) is wrong because it focuses on classifying, labeling, and protecting data at rest and in transit (e.g., sensitivity labels, encryption), not on auditing admin activities or triggering alerts for security events. Option D (Microsoft Purview eDiscovery) is wrong because eDiscovery is used for legal investigations to search, hold, and export content from mailboxes, SharePoint, and Teams, not for real-time monitoring of admin actions or creating custom alert rules.

87
MCQ · medium

A company needs to provide external partners with access to a specific SharePoint Online site without granting them access to the entire tenant. Which approach should the administrator use?

A. Configure SharePoint Online external sharing and invite partners as authenticated users
B. Create an Azure AD B2C tenant for partners
C. Use anonymous sharing links for the site
D. Add partners as guests in Microsoft Teams and share the site from Teams
Answer: A

This allows limited, authenticated access to specific sites.

Why this answer

Option A is correct because SharePoint Online external sharing allows administrators to invite external users as authenticated guests who can access only the specific site they are invited to, without gaining access to the entire tenant. This is achieved by configuring site-level sharing settings to 'New and existing guests' and sending an invitation that requires the external partner to authenticate with a Microsoft account or Azure AD credentials, ensuring granular access control.

Exam trap

The trap here is that candidates often confuse Azure AD B2B (guest users) with Azure AD B2C, or assume that anonymous sharing is the simplest way to share externally, overlooking the authentication and access control requirements specified in the question.

How to eliminate wrong answers

Option B is wrong because creating an Azure AD B2C tenant is designed for consumer-facing identity management in custom applications, not for granting external partners access to SharePoint Online sites; it would introduce unnecessary complexity and does not integrate directly with SharePoint Online sharing. Option C is wrong because anonymous sharing links provide access to anyone with the link without authentication, which violates the requirement to grant access only to specific external partners and poses a security risk. Option D is wrong because adding partners as guests in Microsoft Teams and sharing the site from Teams still requires the partners to be invited as Azure AD guests, which grants them access to the entire tenant's Azure AD directory and potentially other resources, not just the specific SharePoint site.

88
MCQ · medium

Wide World Importers has 300 users and is currently using Microsoft 365 Business Premium. The company is expanding and expects to hire 50 more employees next quarter. The CFO is concerned that Business Premium has a 300-user limit and wants to ensure a smooth transition without service interruption. The company needs to keep all current services (Exchange, SharePoint, Teams, OneDrive, Microsoft Defender for Business). They also want to add Microsoft Copilot for Microsoft 365 for all users. Which licensing strategy should they implement to accommodate the growth and add Copilot?

A. Keep Business Premium and purchase extra licenses for the new hires
B. Upgrade all users to Microsoft 365 E5
C. Switch to Microsoft 365 E3 and add Copilot licenses
D. Switch to Microsoft 365 F3 and add Copilot
Answer: C

E3 has no user limit, includes required services, and supports Copilot add-on.

Why this answer

Option C is correct because Microsoft 365 Business Premium has a strict 300-user limit, and Wide World Importers will exceed that with 350 users. Switching to Microsoft 365 E3 provides unlimited user licensing and includes all required services (Exchange, SharePoint, Teams, OneDrive, and Defender for Business). Microsoft Copilot for Microsoft 365 is available as an add-on for E3, allowing the company to add it for all users without service interruption.

Exam trap

The trap here is that candidates assume Business Premium can be scaled by purchasing extra licenses, but Microsoft enforces a hard 300-user limit, requiring a migration to an enterprise plan (E3 or E5) for larger organizations.

How to eliminate wrong answers

Option A is wrong because Business Premium cannot exceed 300 users; purchasing extra licenses is not possible due to the hard subscription cap. Option B is wrong because upgrading all users to E5 is unnecessary and more expensive; E5 includes advanced security and analytics features not required here, and Copilot is an add-on for E5 as well, not a cost-saving approach. Option D is wrong because Microsoft 365 F3 is designed for frontline workers with limited functionality (e.g., no full desktop Office apps, reduced mailbox size), and it does not include Microsoft Defender for Business, which the company needs to keep.

89
MCQ · hard

A multinational corporation needs to ensure that all emails containing a customer's passport number are automatically blocked from being sent externally. Additionally, the sending user should receive a policy tip explaining the block. Which Microsoft Purview solution should be configured?

A. Sensitivity labels
B. Data Loss Prevention (DLP) policies
C. Conditional Access policies
D. eDiscovery
Answer: B

DLP policies can detect passport numbers in emails and block them from being sent, with user notification via policy tips.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview are specifically designed to detect sensitive information, such as passport numbers, in emails and automatically block external transmission while displaying a policy tip to the user. This matches the requirement exactly, as DLP can inspect email content for sensitive data types and enforce actions like blocking and notifying the sender.

Exam trap

The trap here is that candidates often confuse sensitivity labels with DLP, assuming labels can block emails, but labels only apply protection after classification, whereas DLP actively inspects content and enforces rules like blocking and policy tips.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used for classification and protection (e.g., encryption or visual markings) but do not natively block external email transmission based on content detection or provide policy tips. Option C is wrong because Conditional Access policies control access to resources based on user, device, or location conditions, not content inspection or blocking of outbound emails. Option D is wrong because eDiscovery is designed for searching and exporting content for legal or compliance investigations, not for real-time prevention of data exfiltration or user notifications.

90
MCQ · easy

A sales team uses Microsoft 365 and wants to track customer interactions and manage leads from within Outlook. Which app should they use?

A. Microsoft Lists
B. Microsoft Bookings
C. Microsoft Forms
D. Microsoft Dynamics 365 Sales
Answer: D

It is a CRM with Outlook integration.

Why this answer

Microsoft Dynamics 365 Sales is a customer relationship management (CRM) application that integrates directly with Outlook to track customer interactions, manage leads, and automate sales processes. It provides a unified interface within Outlook for viewing contact history, logging emails, and managing opportunities, making it the correct choice for the sales team's requirements.

Exam trap

The trap here is that candidates may confuse Microsoft Lists or Bookings as CRM tools due to their data-tracking or scheduling features, but they lack the lead management, pipeline tracking, and customer interaction history that Dynamics 365 Sales provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Lists is a data-tracking app for creating and sharing lists (e.g., issue trackers, inventory) but lacks CRM capabilities like lead management or customer interaction tracking within Outlook. Option B is wrong because Microsoft Bookings is a scheduling and appointment management tool, not designed for tracking customer interactions or managing sales leads. Option C is wrong because Microsoft Forms is used for creating surveys, quizzes, and polls, and does not provide lead management or customer interaction tracking features.

91
MCQ · easy

An administrator needs to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should they configure?

A. Privileged Identity Management
B. Conditional Access policies
C. Multi-Factor Authentication
D. Identity Protection
Answer: B

Conditional Access can require compliant devices.

Why this answer

Conditional Access policies can enforce device compliance. Option A is correct. The other options are not used for device access control.

92
MCQ · medium

During requirements gathering, an IT manager says the organization must see how many paid licenses are unused. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A. Available license count
B. Microsoft Stream
C. Microsoft Forms
D. Microsoft Whiteboard
Answer: A

Available license count shows purchased but unassigned licenses.

Why this answer

The Available license count in the Microsoft 365 admin center allows administrators to view how many licenses have been purchased versus how many are assigned, directly revealing unused paid licenses. This is the core licensing management feature under 'Billing > Licenses' that tracks consumption and helps optimize costs.

Exam trap

The trap here is that candidates confuse productivity tools (Stream, Forms, Whiteboard) with administrative licensing features, assuming any Microsoft 365 app might show license counts, when only the admin center's license management section provides that data.

How to eliminate wrong answers

Option B (Microsoft Stream) is wrong because it is a video service for recording and sharing videos, not a licensing or admin tool for tracking license usage. Option C (Microsoft Forms) is wrong because it is a survey and data collection tool, unrelated to license management or admin reporting. Option D (Microsoft Whiteboard) is wrong because it is a collaborative digital canvas app, with no role in monitoring license assignments or availability.

93
MCQ · hard

Refer to the exhibit. An IT administrator is using Microsoft Intune to assign Microsoft 365 Apps for Enterprise to a group called Contoso-Sales. The exhibit shows a JSON snippet from the Intune deployment configuration. Based on the snippet, what is the most likely outcome?

A. The app will be automatically installed on all devices in the Contoso-Sales group.
B. The app will be excluded from installation for the Contoso-Sales group.
C. The app will be available for users in the group to install from Company Portal.
D. The app will be assigned but requires user approval before installation.
Answer: A

AutoAssignment triggers automatic installation.

Why this answer

The JSON snippet shows an assignment with 'intent' set to 'Required' and 'targetGroupId' pointing to the Contoso-Sales group. In Microsoft Intune, a 'Required' assignment for a mobile app (like Microsoft 365 Apps for Enterprise) triggers automatic installation on all targeted devices without user intervention, making option A correct.

Exam trap

The trap here is that candidates confuse 'Required' intent with 'Available' intent, assuming all assignments require user action, but 'Required' in Intune means mandatory, silent installation, not optional installation from Company Portal.

How to eliminate wrong answers

Option B is wrong because the JSON shows an assignment with 'intent' set to 'Required', not 'Excluded' — exclusion would require a separate 'Exclude' group assignment or an 'excludedGroupIds' property. Option C is wrong because 'Required' intent forces installation silently; making the app available for user-initiated install from Company Portal requires 'Available' intent. Option D is wrong because 'Required' intent does not require user approval — it installs automatically; user approval is only relevant for 'Available' intent or when using 'User must accept license' settings, which are not indicated here.

94
MCQ · medium

A department head asks which Microsoft 365 option should be used to reduce email attachments by storing shared team documents in one place and collaborating from conversations. Which Microsoft 365 app or service is the best fit?

A. Microsoft Teams with SharePoint Online
B. Microsoft Purview Audit
C. Microsoft Planner
D. Microsoft Forms
Answer: A

Teams channel files are stored in SharePoint document libraries, supporting shared collaboration.

Why this answer

Microsoft Teams integrates with SharePoint Online to provide a centralized document repository where team files are stored and managed. This allows users to collaborate on documents directly within Teams conversations, eliminating the need for email attachments. The combination of Teams for chat-based collaboration and SharePoint for file storage and versioning directly addresses the requirement.

Exam trap

The trap here is that candidates might confuse Microsoft Teams as a standalone chat app, overlooking its deep integration with SharePoint Online for file storage and collaboration, or mistakenly think Planner or Forms can serve as document repositories.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit is a compliance and auditing solution that tracks user activities and events, not a tool for storing shared documents or collaborating from conversations. Option C is wrong because Microsoft Planner is a task management and project planning tool that organizes work into boards and tasks, not a document storage or conversation collaboration platform. Option D is wrong because Microsoft Forms is a survey and quiz creation tool for collecting data, not designed for document storage or team collaboration within conversations.

95
MCQ · easy

A company wants to reduce hardware maintenance costs by moving to the cloud. They need to maintain full control over the operating system, applications, and security configurations, but do not want to manage physical servers or data center facilities. Which cloud service model should they choose?

A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. On-premises
Answer: C

IaaS gives the user control over the operating system, applications, and security configurations while the cloud provider manages the physical hardware.

Why this answer

Infrastructure as a Service (IaaS) provides virtualized computing resources over the internet, allowing the company to deploy and manage their own operating systems, applications, and security configurations while offloading the physical hardware and data center management to the cloud provider. This model gives the highest level of control over the software stack without the burden of maintaining physical servers, aligning perfectly with the requirement to reduce hardware maintenance costs while retaining full administrative access.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS because both are cloud models, but PaaS removes control over the OS and runtime environment, which is the critical distinction when the question explicitly requires maintaining full control over the operating system and security configurations.

How to eliminate wrong answers

Option A is wrong because Software as a Service (SaaS) delivers fully managed applications accessed via a web browser, where the customer has no control over the underlying operating system, runtime, or security configurations—contradicting the need for full control. Option B is wrong because Platform as a Service (PaaS) abstracts the operating system and middleware, providing a managed runtime environment for application development; the customer cannot control the OS or security configurations at the infrastructure level. Option D is wrong because on-premises deployment requires the company to own and manage physical servers and data center facilities, directly conflicting with the goal of reducing hardware maintenance costs.

96
MCQ · hard

A healthcare organization uses Microsoft 365 E5 and must comply with HIPAA. They need to ensure that all emails containing protected health information (PHI) are encrypted both in transit and at rest. They also need to prevent users from accidentally sending PHI to external recipients. What should they implement?

A. Use Microsoft Entra ID Conditional Access to require MFA for all email access.
B. Implement Microsoft Purview Message Encryption and create DLP policies to detect and block PHI sent externally.
C. Configure Microsoft Defender for Office 365 Safe Attachments and Safe Links policies.
D. Deploy Microsoft Purview Compliance Manager to assess compliance with HIPAA.
Answer: B

Message Encryption encrypts emails; DLP blocks unauthorized sharing of PHI.

Why this answer

Microsoft Purview Message Encryption (MPME) provides the necessary encryption for PHI in transit and at rest by using Azure Rights Management (RMS) to protect emails. Data Loss Prevention (DLP) policies in Microsoft Purview can be configured to detect patterns like social security numbers or medical record numbers and automatically block or warn users before sending such emails externally, preventing accidental PHI exposure.

Exam trap

The trap here is that candidates often confuse DLP with encryption, thinking that encryption alone prevents accidental sharing, or they mistake security features like MFA or Safe Attachments for data protection controls that address content-based compliance requirements.

How to eliminate wrong answers

Option A is wrong because Conditional Access with MFA only enforces multi-factor authentication for access; it does not encrypt email content or prevent accidental sending of PHI. Option C is wrong because Safe Attachments and Safe Links protect against malicious attachments and URLs in email; they do not provide encryption or DLP-based content blocking for PHI. Option D is wrong because Compliance Manager is a risk assessment and reporting tool that helps evaluate compliance posture but does not actively encrypt emails or block PHI in transit.

97
Matching · medium

Match each Microsoft 365 subscription plan to its description.

Concepts
Matches

Web and mobile versions of Office apps with email and cloud services

Full desktop Office apps with email and cloud services

Includes security and device management in addition to Business Standard

Full desktop Office apps only, no email or cloud services

Why these pairings

These plans differ in features like desktop apps, email, and security.

98
MCQ · medium

Your organization uses Microsoft 365 E5 and wants to implement Microsoft Copilot for Microsoft 365. Which licensing prerequisite must be met?

A. Microsoft 365 E5 or E3
B. An active Azure subscription
C. A Power Automate Premium license
D. Microsoft 365 Business Basic
Answer: A

Copilot for Microsoft 365 requires an eligible Microsoft 365 plan (E3, E5, Business Standard, or Business Premium) as a base license.

Why this answer

Microsoft Copilot for Microsoft 365 requires a qualifying Microsoft 365 plan that includes the necessary AI and security features. Microsoft 365 E5 or E3 (with specific add-ons) are the minimum licensing prerequisites because they provide the underlying Microsoft Graph data, Microsoft 365 Apps, and enterprise-grade security (e.g., Microsoft Purview) that Copilot relies on for contextual AI responses. Without an E5 or E3 license, the Copilot service cannot integrate with the user's mailbox, documents, and calendar data.

Exam trap

The trap here is that candidates often confuse the general availability of Copilot (which requires any Microsoft 365 plan) with the specific licensing prerequisite for the full Copilot for Microsoft 365 experience, mistakenly thinking a lower-tier plan like Business Basic is sufficient.

How to eliminate wrong answers

Option B is wrong because an active Azure subscription is not a licensing prerequisite for Microsoft Copilot for Microsoft 365; Azure is used for hosting resources but not required for Copilot's core functionality. Option C is wrong because a Power Automate Premium license is unrelated to Copilot for Microsoft 365; Power Automate is a separate automation tool, and Copilot does not require it. Option D is wrong because Microsoft 365 Business Basic lacks the desktop Office apps and enterprise-grade security features (e.g., Microsoft Purview Information Protection) that Copilot for Microsoft 365 depends on; it is not a qualifying plan.

99
MCQ · medium

A department head asks which Microsoft 365 option should be used to manage billing without granting full tenant control. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A. Microsoft Stream
B. Microsoft Forms
C. Billing Administrator
D. Microsoft Whiteboard
Answer: C

Billing Administrator manages subscriptions, purchases, and billing-related tasks.

Why this answer

The Billing Administrator role in Azure AD allows a user to manage billing accounts, subscriptions, and invoices without having full administrative access to the tenant. This role is specifically designed for scenarios where a department head needs to handle financial operations but should not have permissions to manage users, security, or other tenant-wide settings.

Exam trap

The trap here is that candidates may confuse a functional app (like Stream, Forms, or Whiteboard) with an administrative role, because the question asks for an 'option' to manage billing, leading them to think of a tool rather than a role-based access control concept.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video management service for storing, sharing, and streaming videos, not a role or feature for billing management. Option B is wrong because Microsoft Forms is a survey and quiz creation tool, unrelated to billing administration or tenant access control. Option D is wrong because Microsoft Whiteboard is a collaborative digital canvas application, with no role in managing billing or administrative permissions.

100
MCQ · hard

An organization uses Microsoft 365 and wants to implement a retention policy for all Exchange Online mailboxes that automatically deletes emails older than 7 years, except for emails from the legal department which must be kept for 10 years. What should the administrator configure?

A. Create a single retention policy with 7-year retention and apply preservation lock.
B. Configure retention tags in Exchange Online for each mailbox.
C. Place the legal department mailboxes on litigation hold and set a 7-year retention for others.
D. Create two retention policies: one for all mailboxes with 7-year retention, and another for the legal department with 10-year retention using adaptive scopes.
Answer: D

Adaptive scopes allow targeting by department attribute.

Why this answer

Option D is correct because Microsoft 365 retention policies can be scoped using adaptive scopes to apply different retention settings to different groups of users. By creating two policies—one with a 7-year deletion rule for all mailboxes and another with a 10-year deletion rule for the legal department—the administrator meets the requirement without conflicting settings. Adaptive scopes allow dynamic membership based on attributes like department, ensuring the legal department's emails are kept longer while others are deleted after 7 years.

Exam trap

The trap here is that candidates often confuse litigation hold or preservation lock with retention policies, thinking they can be used to set different retention periods for different groups, when in fact they are designed for preservation (preventing deletion) rather than scheduled deletion with varying durations.

How to eliminate wrong answers

Option A is wrong because a single retention policy with preservation lock would prevent any changes or deletions, not selectively keep legal emails for 10 years while deleting others after 7; preservation lock is used for regulatory compliance to make the policy immutable, not for differential retention. Option B is wrong because retention tags in Exchange Online are part of the Messaging Records Management (MRM) feature, which is separate from Microsoft 365 retention policies and cannot be used to create a unified organization-wide retention policy that applies to all mailboxes consistently; MRM tags are per-mailbox and require manual assignment or default policies, making them less suitable for this requirement. Option C is wrong because litigation hold places a hold on all content in the mailbox, preventing deletion entirely, which would conflict with the 7-year deletion requirement for other mailboxes; it does not allow a 10-year retention period for legal department emails while still allowing deletion after 7 years for others.

101
Multi-Select · medium

Which TWO cloud benefits are most directly related to cost savings for an organization moving to Microsoft 365?

Select 2 answers
A. Consumption-based pricing
B. Self-service
C. Global scale
D. Hybrid capabilities
E. Reduced maintenance overhead
Answers: A, E

Only pay for what you use, reducing waste.

Why this answer

Options A and E are correct. Consumption-based pricing reduces upfront costs. Reduced maintenance overhead lowers operational costs.

Option B is wrong because self-service may not directly save costs. Option C is wrong because global scale can increase costs. Option D is wrong because hybrid capabilities may require additional investment.

102
MCQ · easy

Adatum Corporation is a small business with 50 employees. They use Microsoft 365 Business Basic and SharePoint Online for document management. Employees frequently share files with external partners via email attachments. The CEO wants to reduce the risk of data leaks and ensure that shared files are protected even after they are sent. Which Microsoft 365 solution should Adatum implement?

A. SharePoint external sharing settings
B. Data Loss Prevention (DLP) policies
C. Sensitivity labels
D. Microsoft Purview Message Encryption
Answer: D

Message Encryption encrypts email content and attachments, and allows control over forwarding and printing.

Why this answer

Option D is correct because Microsoft Purview Message Encryption allows encrypting emails and attachments, and can restrict actions like forwarding. Option A is wrong because SharePoint external sharing controls access to SharePoint, not email attachments. Option B is wrong because DLP policies prevent sharing but do not protect after sending.

Option C is wrong because sensitivity labels can be applied manually but do not automatically protect attachments in transit.

103
MCQ · medium

A compliance administrator needs to manage user sign-in risk and require MFA for risky sign-ins. Which Microsoft 365 capability is the best fit?

A. OneDrive sync client
B. Microsoft Bookings
C. Microsoft Entra ID Protection with Conditional Access
D. Microsoft Teams live events
Answer: C

Identity Protection risk signals can be used by Conditional Access policies.

Why this answer

Microsoft Entra ID Protection (formerly Azure AD Identity Protection) detects sign-in risks such as anonymous IP addresses, atypical travel, or leaked credentials. When combined with Conditional Access policies, it can automatically require MFA for risky sign-ins, giving the compliance administrator precise control over user authentication based on real-time risk signals.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID Protection with basic MFA enforcement in Azure AD, but the question specifically requires managing sign-in risk, which only Identity Protection with Conditional Access can evaluate and respond to in real time.

How to eliminate wrong answers

Option A is wrong because the OneDrive sync client is a file synchronization tool and has no capability to evaluate sign-in risk or enforce MFA. Option B is wrong because Microsoft Bookings is a scheduling application and does not include identity protection or conditional access features. Option D is wrong because Microsoft Teams live events is a broadcast feature for video and presentations, not an identity or security management tool.

104
MCQ · hard

Contoso Ltd. is a medium-sized company with 500 employees using Microsoft 365 E5. They have a mixed environment: 300 Windows 10 devices are managed by Microsoft Intune, and 200 are unmanaged but Azure AD joined. The company uses Microsoft Teams for collaboration and SharePoint Online for document storage. The security team wants to implement the following: restrict access to company data from unmanaged devices, require multi-factor authentication (MFA) for all external users accessing SharePoint, and ensure that sensitive documents labeled 'Highly Confidential' are automatically encrypted when shared via email. Currently, the company has no conditional access policies, no MFA enforced, and no data classification policies. The administrator needs to design a solution using Microsoft 365 built-in capabilities without purchasing additional licenses. What should the administrator do?

A. Configure SharePoint to block access from unmanaged devices, enable MFA for all users, and use Microsoft Purview Data Loss Prevention (DLP) to encrypt sensitive emails.
B. Use Intune app protection policies to restrict data access, enable MFA for SharePoint, and use Microsoft Purview auto-labeling for encryption.
C. Create a conditional access policy to require MFA for all users, use Intune compliance policies to mark devices as compliant, and create a sensitivity label to encrypt documents.
D. Create a conditional access policy to grant access from compliant devices, require MFA for external users, and configure a sensitivity label with auto-labeling for 'Highly Confidential' documents.
Answer: D

This addresses all three requirements: compliant devices, MFA for external users, and auto-encryption.

Why this answer

Option D is correct because it uses Conditional Access policies to require compliant devices for access (addressing unmanaged devices), requires MFA specifically for external users (not all users, aligning with the requirement), and uses a sensitivity label with auto-labeling to automatically encrypt 'Highly Confidential' documents when shared via email. This leverages built-in Microsoft 365 capabilities without additional licenses.

Exam trap

The trap here is that candidates often assume MFA must be enforced for all users or that DLP policies can encrypt emails, but the scenario specifically requires MFA only for external users and encryption via sensitivity labels, not DLP.

How to eliminate wrong answers

Option A is wrong because blocking access from unmanaged devices via SharePoint alone is not granular enough and does not leverage Conditional Access; enabling MFA for all users is overkill and not required by the scenario; DLP policies do not automatically encrypt emails—they block or warn, not encrypt. Option B is wrong because Intune app protection policies require devices to be enrolled in Intune, which the 200 unmanaged Azure AD-joined devices are not; enabling MFA for SharePoint only does not cover external users accessing SharePoint via other apps; auto-labeling in Purview requires a subscription like Microsoft 365 E5 Compliance, which is not explicitly stated as available. Option C is wrong because requiring MFA for all users is unnecessary and does not specifically target external users; Intune compliance policies alone do not grant access—they require a Conditional Access policy to enforce; creating a sensitivity label to encrypt documents does not include auto-labeling, so manual application would be needed.

105
MCQ · hard

A company with 100 users has Microsoft 365 Business Basic licenses. They want to add Phone System and Audio Conferencing for all users to enable PSTN calling and dial-in capabilities. They wish to minimize additional costs. What is the most cost-effective licensing approach?

A. Upgrade all users to Microsoft 365 E3 and add Phone System and Audio Conferencing.
B. Add the Microsoft 365 Business Voice add-on for each user.
C. Purchase Phone System and Audio Conferencing as standalone add-ons separately.
D. Add the Microsoft Teams Phone Standard add-on.
Answer: B

Business Voice is a cost-effective bundle that provides Phone System, Audio Conferencing, and a calling plan for Business Basic users. It is the recommended way to add these capabilities to Business plans.

Why this answer

Option B is correct because Microsoft 365 Business Voice is a cost-effective add-on specifically designed for Business Basic, Standard, or Premium subscribers to add Phone System and Audio Conferencing capabilities. It bundles both PSTN calling and dial-in features into a single license, avoiding the higher cost of upgrading to E3 or purchasing separate add-ons.

Exam trap

The trap here is that candidates often assume upgrading to a higher-tier plan like E3 is the only way to get advanced voice features, overlooking the purpose-built, lower-cost Business Voice add-on for Business license holders.

How to eliminate wrong answers

Option A is wrong because upgrading all users from Business Basic to Microsoft 365 E3 is significantly more expensive and unnecessary; E3 includes Phone System but still requires Audio Conferencing as an additional add-on, increasing costs. Option C is wrong because purchasing Phone System and Audio Conferencing as standalone add-ons separately costs more per user than the bundled Business Voice add-on, which is designed to minimize expenses for Business license holders. Option D is wrong because the Microsoft Teams Phone Standard add-on provides only Phone System capabilities without Audio Conferencing, so it would require an additional Audio Conferencing license to meet the dial-in requirement, increasing total cost.

106
MCQ · hard

WideWorldImporters (WWI) is a retail company with 2,000 employees using Microsoft 365 Business Premium. They have a mix of Windows 10 and Windows 11 devices managed by Microsoft Intune. WWI wants to deploy a new line-of-business (LOB) app to all devices. The app is a Win32 app packaged as an .intunewin file. The IT administrator needs to ensure the app is installed automatically on all devices within 24 hours. Which deployment method should the administrator use?

A. Use Azure AD Application Proxy to publish the app
B. Add the app as an available deployment for all users
C. Add the app as a required deployment for all devices
D. Publish the app to Microsoft Store for Business and sync with Intune
Answer: C

Required deployment forces automatic installation on targeted devices.

Why this answer

Option C is correct because Intune's Win32 app deployment with a required assignment ensures automatic installation. Option B is wrong because available deployment requires user action. Option D is wrong because Microsoft Store for Business is for store apps, not LOB Win32 apps.

Option A is wrong because Azure AD application proxy is for remote access, not deployment.

107
MCQ · hard

Contoso Ltd. is a global manufacturing company with 10,000 users. They are deploying Microsoft 365 E5 and require: (1) All Microsoft 365 data must be encrypted at rest and in transit using customer-managed keys; (2) Email must be archived for 10 years; (3) Users must be able to access files offline on mobile devices and sync changes when online; (4) The IT team must monitor and respond to threats across email, endpoints, and identities from a single console. You need to recommend the appropriate Microsoft 365 services. Which combination should you choose?

A. Microsoft Purview Double Key Encryption, Exchange Online Archiving, SharePoint Online, Microsoft Sentinel
B. Microsoft Purview Customer Key, Exchange Online Archiving, OneDrive, Microsoft Defender XDR
C. Azure Information Protection, Exchange Online Archiving, Windows 365, Microsoft Defender for Endpoint
D. Microsoft Purview Customer Key, Exchange Online In-Place Hold, OneDrive, Microsoft 365 Defender for Cloud Apps
Answer: B

Correct: Customer Key for encryption, Exchange Online Archiving for 10-year retention, OneDrive for offline sync, Defender XDR for unified threat monitoring.

Why this answer

Option B is correct because Microsoft Purview Customer Key provides customer-managed encryption keys for data at rest in Microsoft 365, meeting the first requirement. Exchange Online Archiving with a 10-year retention policy satisfies the email archiving requirement. OneDrive enables offline file access on mobile devices with sync capabilities.

Microsoft Defender XDR (Extended Detection and Response) offers a unified console to monitor and respond to threats across email, endpoints, and identities.

Exam trap

The trap here is confusing Microsoft Purview Customer Key (which encrypts all data at rest with customer-managed keys) with Double Key Encryption (which only protects a subset of data) or Azure Information Protection (which is a labeling solution, not encryption at rest).

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Double Key Encryption (DKE) protects only specific sensitive data with two keys, not all Microsoft 365 data, and Microsoft Sentinel is a SIEM/SOAR tool, not a single console for threat response across email, endpoints, and identities. Option C is wrong because Azure Information Protection is a classification and labeling solution, not a customer-managed encryption key service, and Windows 365 is a cloud PC service, not a file sync solution for offline mobile access. Option D is wrong because Exchange Online In-Place Hold is a litigation hold feature, not a 10-year archiving solution, and Microsoft 365 Defender for Cloud Apps is a CASB, not the unified XDR console that covers email, endpoints, and identities.

108
MCQ · easy

Which cloud computing characteristic allows users to be billed only for the resources they consume, such as processing power, storage, or bandwidth?

A. On-demand self-service
B. Broad network access
C. Measured service
D. Resource pooling
Answer: C

Measured service enables metering and billing based on actual usage, allowing pay-as-you-go pricing.

Why this answer

Measured service is the cloud computing characteristic that enables usage-based billing by monitoring, controlling, and reporting resource consumption (e.g., CPU hours, GB of storage, or data transfer) at a granular level. This metering capability allows providers to charge customers only for what they actually use, rather than a flat fee, and is typically implemented via telemetry and billing APIs.

Exam trap

The trap here is that candidates often confuse 'measured service' with 'resource pooling' because both involve dynamic allocation, but measured service specifically refers to the metering and billing aspect, not the multi-tenant sharing of resources.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources automatically without requiring human interaction with the service provider, not to billing or consumption tracking. Option B is wrong because broad network access describes the availability of resources over the network via standard protocols (e.g., HTTP, HTTPS) from various devices, not the metering or charging mechanism. Option D is wrong because resource pooling involves the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, which supports scalability but does not directly enable per-consumption billing.

109
Multi-Select · medium

Which three of the following are key capabilities of Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus)? (Choose three.)

Select 3 answers
A. Always-up-to-date versions of Word, Excel, PowerPoint, and Outlook
B. Installation on up to 5 PCs or Macs per user
C. Real-time co-authoring in Word, Excel, and PowerPoint
D. Unlimited cloud storage per user in OneDrive
E. Built-in video conferencing with unlimited meeting duration
F. On-premises deployment with perpetual licensing

Why this answer

Microsoft 365 Apps for enterprise provides always-up-to-date versions of core Office applications like Word, Excel, PowerPoint, and Outlook, with updates delivered via the Click-to-Run technology from the cloud. It allows installation on up to 5 PCs or Macs per user, enabling productivity across multiple devices. Real-time co-authoring in Word, Excel, and PowerPoint is a key capability, leveraging OneDrive or SharePoint to allow multiple users to edit the same document simultaneously.

Exam trap

Microsoft often tests the distinction between cloud-based subscription services and perpetual on-premises licensing, leading candidates to incorrectly select on-premises deployment as a capability of Microsoft 365 Apps for enterprise.

110
MCQ · hard

Refer to the exhibit. A Microsoft Entra ID role assignment is shown. An administrator is assigned the Global Reader role with a condition. What is the effect of the condition?

A. The administrator can create new users.
B. The condition has no practical effect because Global Reader already cannot write role assignments.
C. The administrator can only read security recommendations.
D. The administrator cannot assign roles to other users.
Answer: B

The condition is redundant for Global Reader.

Why this answer

Option B is correct because the condition prevents the Global Reader from writing role assignments, but since Global Reader already cannot write role assignments, the condition is redundant. Option A is incorrect because Global Reader inherently cannot create users. Option C is incorrect because the condition does not restrict read access.

Option D is incorrect because the condition only blocks role assignment write operations.

111
MCQ · medium

A compliance officer needs to automatically label and encrypt documents that contain personally identifiable information (PII) when they are saved in SharePoint. The labeling should happen without manual user intervention. Which Microsoft Purview feature should they configure?

A. Sensitivity labels (auto-labeling policy)
B. Data Loss Prevention (DLP) policy
C. Retention labels
D. Communication Compliance
Answer: A

Correct. Auto-labeling policies for sensitivity labels can automatically apply labels (including encryption) to documents containing sensitive content like PII.

Why this answer

Sensitivity labels with auto-labeling policies in Microsoft Purview can automatically detect and classify documents containing PII when they are saved in SharePoint, and apply encryption based on the label configuration. This meets the requirement of automatic, user-intervention-free labeling and encryption by scanning content for sensitive data types (e.g., Social Security numbers) and applying the label at rest.

Exam trap

The trap here is confusing auto-labeling with DLP policies, as both deal with sensitive data, but DLP focuses on preventing data loss during transit or sharing, not on automatic classification and encryption of stored documents.

How to eliminate wrong answers

Option B (Data Loss Prevention policy) is wrong because DLP policies are designed to prevent unauthorized sharing or leakage of sensitive data by blocking or warning users, not to automatically label and encrypt documents at rest in SharePoint. Option C (Retention labels) is wrong because retention labels are used to manage data lifecycle (retention and deletion) and do not inherently apply encryption or classification based on PII content. Option D (Communication Compliance) is wrong because it focuses on monitoring and reviewing communications (e.g., email, Teams) for policy violations, not on automatically labeling and encrypting documents stored in SharePoint.

112
MCQhard

A company uses Microsoft 365 E5 and wants to implement a zero-trust security model. They need to ensure that all external file sharing requires multi-factor authentication (MFA) and that sensitive documents are automatically labeled. Which combination of services should they use?

A. Microsoft Defender XDR and Microsoft Purview Audit
B. Microsoft Intune and Microsoft Defender for Cloud Apps
C. Microsoft Defender for Cloud Apps and Microsoft Purview Data Lifecycle Management
D. Microsoft Entra Conditional Access and Microsoft Purview Information Protection
Answer: D

Conditional Access enforces MFA; Information Protection auto-labels sensitive content.

Why this answer

Microsoft Entra Conditional Access can enforce MFA for external file sharing by requiring MFA as a condition for accessing SharePoint/OneDrive resources. Microsoft Purview Information Protection provides automatic sensitivity labeling for documents based on content or context, ensuring sensitive data is labeled without manual intervention. Together, these services directly address the zero-trust requirements of MFA for external sharing and automatic document labeling.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps (a CASB) with Entra Conditional Access for MFA enforcement, or assume Purview Data Lifecycle Management handles labeling instead of Information Protection, leading them to select options that address only one requirement or use the wrong service for the task.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR focuses on threat detection and response across endpoints, email, and identities, not on enforcing MFA for external sharing or automatic labeling; Microsoft Purview Audit only provides logging and auditing of activities, not labeling or access control. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service, not designed to enforce MFA on external file sharing or apply sensitivity labels; Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that can apply session policies but does not natively handle automatic labeling of documents. Option C is wrong because while Microsoft Defender for Cloud Apps can enforce access policies, it does not directly integrate with MFA enforcement for external sharing as a primary function; Microsoft Purview Data Lifecycle Management manages retention and deletion policies, not automatic sensitivity labeling.

113
Matching · medium

Match each Microsoft 365 workload to its associated AI feature.

Concepts
Matches

Intelligent recap and meeting transcripts

Microsoft Editor for grammar and style suggestions

Designer for slide layout recommendations

Focused Inbox and suggested replies

Why these pairings

AI enhances productivity across Microsoft 365 apps.

114
MCQ · medium

A company is deploying Microsoft 365 Apps for Enterprise to 500 users. The IT team wants to minimize network traffic during installation by downloading only the apps that users need, instead of the full Office suite. Which deployment tool should they use?

A.Microsoft Store for Business
B.Microsoft Configuration Manager
C.Microsoft Intune
D.Office Deployment Tool (ODT)
AnswerD

ODT allows selecting specific apps and downloading only those, minimizing bandwidth.

Why this answer

The Office Deployment Tool (ODT) allows IT administrators to download and deploy only the specific Microsoft 365 Apps (e.g., Word, Excel) needed by users, using an XML configuration file to control which products and languages are installed. This minimizes network traffic by avoiding the download of the full suite, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse the ODT with broader management tools like Intune or Configuration Manager, but the question specifically asks for the tool that directly controls which apps are downloaded, which is the ODT.

How to eliminate wrong answers

Option A is wrong because Microsoft Store for Business is designed for purchasing and distributing apps from the Store, not for customizing or selectively deploying Microsoft 365 Apps components. Option B is wrong because Microsoft Configuration Manager (formerly SCCM) can deploy Office, but it relies on the ODT under the hood for customization; it is a broader management tool and not the specific tool for minimizing traffic by selecting only needed apps. Option C is wrong because Microsoft Intune is a cloud-based MDM/MAM service that can deploy Office apps, but it also uses the ODT for customization; it is not the direct tool for granular control over which apps are downloaded during installation.

115
MCQeasy

Your organization is a non-profit. How can you obtain Microsoft 365 licenses at a reduced cost?

A.Purchase Microsoft 365 Business Basic from the Microsoft 365 admin center
B.Purchase Microsoft 365 Nonprofit Business Basic from the Microsoft 365 admin center
C.Apply for Microsoft’s non-profit program and purchase Microsoft 365 Business Premium at a discounted rate
D.Use volume licensing through a Microsoft partner
AnswerC

Microsoft offers significant discounts to eligible non-profits.

Why this answer

Option C is correct because Microsoft offers a Nonprofit Program that provides eligible organizations with discounted or donated Microsoft 365 licenses. After applying and being approved, nonprofits can purchase Microsoft 365 Business Premium at a significantly reduced rate, which includes advanced security and compliance features beyond the basic plans.

Exam trap

The trap here is that candidates may assume any 'Nonprofit' labeled SKU (like Option B) is automatically available at a discount, when in reality the discount is contingent on prior enrollment in the Microsoft Nonprofit Program, not on selecting a specific product name.

How to eliminate wrong answers

Option A is wrong because purchasing Microsoft 365 Business Basic from the admin center at standard retail pricing does not provide the nonprofit discount; the organization must first be enrolled in the Microsoft Nonprofit Program to access reduced-cost licensing. Option B is wrong because Microsoft 365 Nonprofit Business Basic is not a valid product name; the correct nonprofit plan is called Microsoft 365 Business Basic (Nonprofit Staff Pricing) or similar, but the key is that the discount applies only after program approval, not by selecting a specific SKU directly. Option D is wrong because volume licensing through a Microsoft partner does not inherently offer nonprofit discounts; the nonprofit discount is tied to the Microsoft Nonprofit Program, not volume licensing agreements, and partners typically resell standard or volume licensing without the nonprofit benefit unless the organization is already enrolled.

116
MCQhard

Your organization uses Microsoft 365 E5 and wants to implement a solution that automatically detects and protects sensitive data in SharePoint Online, OneDrive, and Exchange Online. Which Microsoft 365 service should you configure?

A.Microsoft Defender for Cloud Apps
B.Microsoft 365 Copilot
C.Microsoft Intune
D.Microsoft Purview Information Protection
AnswerD

It enables automatic classification and protection of sensitive data across M365.

Why this answer

Option D is correct because Microsoft Purview Information Protection includes data classification and labeling that applies across these workloads. Option A is wrong because Microsoft Defender for Cloud Apps is for cloud app security, not direct data protection in these services. Option C is wrong because Microsoft Intune is for device management.

Option B is wrong because Microsoft 365 Copilot is an AI assistant, not a data protection tool.

117
MCQmedium

A business stakeholder asks how Microsoft 365 can help them determine which apps a licensed user can access. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A.Microsoft Stream
B.Enabled service plans within the assigned license
C.Microsoft Forms
D.Microsoft Whiteboard
AnswerB

Individual service plans inside a license can be enabled or disabled.

Why this answer

Option B is correct because enabled service plans within a Microsoft 365 license define which specific applications and services a user can access. Administrators can view and manage these service plans via the Microsoft 365 admin center under 'Licenses' > 'Assignments', allowing granular control over app availability per user.

Exam trap

The trap here is that candidates confuse individual Microsoft 365 apps (like Stream or Forms) with the licensing admin tools that control app access, leading them to select a product name instead of the underlying licensing concept.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video service, not a tool for determining which apps a licensed user can access. Option C is wrong because Microsoft Forms is a survey and quiz application, unrelated to license management or service plan visibility. Option D is wrong because Microsoft Whiteboard is a collaborative canvas app, not a licensing or admin tool for app access control.

118
MCQhard

A company with 100 Microsoft 365 E3 users needs to add cloud access security broker capabilities to monitor and control user access to SaaS applications and shadow IT. They want the most cost-effective add-on. What should they purchase?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Microsoft 365 Plan 2
C.Microsoft Entra ID Premium P2
D.Microsoft 365 E5 Compliance
AnswerA

Correct. Defender for Cloud Apps is the CASB solution that provides monitoring and control over SaaS applications and shadow IT.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into shadow IT, controls over user access to SaaS applications, and data protection policies. It is the most cost-effective add-on for this specific requirement because it can be licensed standalone without requiring higher-tier Microsoft 365 or Entra ID plans, and it directly addresses the need to monitor and control SaaS app usage.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Microsoft 365 Plan 2, assuming the latter is required for CASB functionality, when in fact the standalone Defender for Cloud Apps license provides the same CASB capabilities at a lower cost.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Microsoft 365 Plan 2 includes Defender for Cloud Apps but bundles it with additional endpoint, email, and identity protection features at a higher cost, making it less cost-effective when only CASB capabilities are needed. Option C is wrong because Microsoft Entra ID Premium P2 provides identity governance and privileged identity management, not CASB functionality for monitoring and controlling SaaS applications or shadow IT. Option D is wrong because Microsoft 365 E5 Compliance focuses on data governance, eDiscovery, and compliance management, not on cloud access security broker capabilities for SaaS app access control.

119
MCQhard

A company uses Microsoft Forms to collect customer feedback. They want to automatically analyze sentiment from the responses using AI. Which Microsoft 365 service can integrate with Forms for this purpose?

A.Power BI
B.SharePoint Online
C.Azure Logic Apps
D.Power Automate
AnswerD

Power Automate can use AI Builder to analyze sentiment from Forms responses.

Why this answer

Power Automate (D) is the correct service because it can connect Microsoft Forms to Azure AI services (e.g., Azure Cognitive Services Text Analytics) to automatically analyze sentiment from form responses. When a new response is submitted, a Power Automate flow triggers, sends the response text to the AI sentiment analysis API, and stores or reports the result—all without manual intervention.

Exam trap

The trap here is that candidates may confuse Power Automate with Azure Logic Apps, but the question explicitly asks for a 'Microsoft 365 service,' and Power Automate is the correct Microsoft 365 offering, while Azure Logic Apps is an Azure service.

How to eliminate wrong answers

Option A is wrong because Power BI is a data visualization and business analytics tool, not a workflow automation or AI integration service; it can display sentiment data but cannot directly trigger AI analysis from a Forms submission. Option B is wrong because SharePoint Online is a document management and collaboration platform; it can store form responses but lacks built-in AI sentiment analysis or workflow triggers to process them automatically. Option C is wrong because Azure Logic Apps is a cloud-based integration service that could technically perform this task, but it is not a Microsoft 365 service—it is an Azure service—and the question specifically asks for a Microsoft 365 service that integrates with Forms; Power Automate is the correct Microsoft 365 service for this purpose.

120
MCQmedium

A company is planning to purchase Microsoft 365 subscriptions. They want to follow the recommended process. Which of the following sequences correctly represents the order of steps from start to finish?

A.Choose subscription, Assess needs, Assign licenses, Add licenses
B.Assess needs, Choose subscription, Add licenses, Assign licenses
C.Add licenses, Assign licenses, Assess needs, Choose subscription
D.Assess needs, Add licenses, Choose subscription, Assign licenses
AnswerB

This order reflects the logical process: understand requirements, select a plan, purchase licenses, then allocate them to users.

Why this answer

The recommended process begins with assessing organizational needs (e.g., number of users, required features), then choosing the appropriate subscription plan, adding the required number of licenses to the tenant, assigning those licenses to individual users, and finally provisioning the services (which happens automatically after license assignment). The correct order is: Assess needs, Choose subscription, Add licenses, Assign licenses.

121
MCQmedium

A tenant administrator is advising a department that wants to grant temporary, approved privileged administrator access. Which Microsoft security, identity, or compliance capability should it use?

A.Privileged Identity Management (PIM)
B.Microsoft Forms
C.Microsoft Stream
D.Microsoft Planner
AnswerA

PIM provides just-in-time, time-bound privileged role activation with approval and auditing.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time privileged access, allowing the tenant administrator to grant temporary, approved administrator roles with time-bound activation and approval workflows. PIM is part of Microsoft Entra ID Governance and directly addresses the requirement for temporary privileged access with oversight.

Exam trap

The trap here is that candidates may confuse PIM with other Microsoft 365 tools that have 'management' or 'planning' in their names, but only PIM provides the specific privileged access governance required for temporary administrator roles.

How to eliminate wrong answers

Option B (Microsoft Forms) is wrong because it is a survey and data collection tool, not designed for identity or access management. Option C (Microsoft Stream) is wrong because it is a video hosting and sharing platform, unrelated to privileged access control. Option D (Microsoft Planner) is wrong because it is a task management and planning tool, lacking any security or identity governance capabilities.

122
MCQmedium

A customer has 100 users on Microsoft 365 Business Basic and wants to add Microsoft Defender for Office 365 Plan 1. Which licensing approach should they use?

A.Purchase a separate Microsoft Defender for Office 365 Plan 1 subscription without underlying Microsoft 365 licenses
B.Upgrade all users to Microsoft 365 E3
C.Purchase Microsoft Defender for Office 365 Plan 1 as an add-on for each user
D.Upgrade to Microsoft 365 E5
AnswerC

Defender for Office 365 Plan 1 is an add-on to Microsoft 365 Business Basic.

Why this answer

Microsoft Defender for Office 365 Plan 1 is an add-on that can be purchased for users who already have a qualifying subscription like Microsoft 365 Business Basic. It provides advanced threat protection features such as Safe Attachments and Safe Links, and it must be assigned per user on top of an existing Microsoft 365 license. Option C is correct because it directly describes this additive licensing model.

Exam trap

The trap here is that candidates often assume Defender for Office 365 Plan 1 is a standalone product or that it is included in E3, when in fact it is an add-on that requires a qualifying base license and is not bundled with E3.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 Plan 1 is an add-on and cannot function without an underlying Microsoft 365 subscription (e.g., Business Basic, E3, or E5) that provides the base Exchange Online mailbox and core services. Option B is wrong because upgrading all users to Microsoft 365 E3 is unnecessary and more expensive; E3 includes Exchange Online but not Defender for Office 365 Plan 1 by default, so the customer would still need to purchase the add-on or a higher plan. Option D is wrong because upgrading to Microsoft 365 E5 is overkill; E5 includes Defender for Office 365 Plan 2 (which supersedes Plan 1) but is significantly more costly than simply adding Plan 1 to the existing Business Basic licenses.

123
Multi-Selecthard

A legal team needs to ensure that all documents related to an ongoing case are retained for exactly 7 years and then automatically deleted. During the retention period, no user should be able to permanently delete these documents. Which two Microsoft Purview features should be used together to meet this requirement? (Choose two.)

Select 2 answers
A.Retention policy
B.Retention label
C.Litigation hold
D.Data loss prevention (DLP) policy
AnswersA, B

A retention policy can auto-apply a retention label to content and enforce the retention and deletion settings across locations.

Why this answer

A retention policy is correct because it can be applied at the site or folder level to enforce a mandatory 7-year retention period for all documents in a location, such as a SharePoint site for the legal case. It prevents users from permanently deleting documents during the retention period by blocking deletion actions and preserving the content in a preservation hold library.

Exam trap

The trap here is that candidates often confuse Litigation hold with a time-based retention policy, not realizing that Litigation hold is indefinite and requires manual release, whereas a retention policy can enforce a specific duration with automatic deletion.

124
Multi-Selecthard

A multinational corporation must comply with GDPR. They need to ensure that personal data of EU residents is retained for a specific period and then securely deleted. Additionally, they must be able to respond to data subject access requests (DSARs) within 30 days by finding and exporting relevant data. Which two Microsoft Purview solutions should they use together? (Choose two.)

Select 2 answers
A.Retention policies
B.Data Lifecycle Management (via sensitivity labels)
C.eDiscovery (Premium)
D.Audit (Standard)
AnswersA, C

Retention policies can automatically retain personal data for a defined period and then delete it, meeting GDPR retention and erasure obligations.

Why this answer

Retention policies (A) are correct because they allow organizations to define rules that retain personal data for a specific period and then automatically delete it, meeting GDPR retention and secure deletion requirements. eDiscovery (Premium) (C) is correct because it enables searching, collecting, and exporting data from various Microsoft 365 workloads to fulfill data subject access requests (DSARs) within the 30-day regulatory timeframe.

Exam trap

The trap here is that candidates confuse Data Lifecycle Management (via sensitivity labels) with retention policies, not realizing that sensitivity labels handle classification and protection, not automated time-based retention and deletion, while retention policies are the correct tool for that purpose.

125
MCQmedium

Your company has deployed Microsoft Defender XDR. A security analyst needs to investigate a suspicious email that was reported by a user. Which Microsoft 365 service should the analyst use to view the email's details and analyze threats?

A.Microsoft Sentinel
B.Microsoft Defender XDR
C.Microsoft Intune
D.Microsoft Purview
AnswerB

Unified security operations platform that includes email security.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct service because it provides a unified investigation and response experience across email, endpoints, identities, and cloud apps. The security analyst can use the Microsoft Defender portal (security.microsoft.com) to view the full email details, including headers, attachments, URLs, and threat analysis results from automated investigation and advanced hunting queries.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft Defender XDR (an XDR solution), not realizing that email investigation is a core function of Defender for Office 365 within Defender XDR, not Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that aggregates logs and alerts from multiple sources, but it is not the primary tool for investigating individual suspicious emails within Microsoft 365; that function belongs to Defender XDR. Option C is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service focused on managing devices and apps, not on email threat investigation. Option D is wrong because Microsoft Purview is a compliance and data governance solution (including data loss prevention, eDiscovery, and insider risk management), not a tool for analyzing email threats; email threat analysis is handled by Defender for Office 365, which is part of Defender XDR.

126
MCQmedium

A security administrator needs to ensure that all users accessing Microsoft 365 resources from unmanaged devices are prompted to sign in using multi-factor authentication (MFA) and are blocked from downloading sensitive files. Which conditional access policy should be configured?

A.Require MFA for all users
B.Block access from unknown locations
C.App protection policies
D.Conditional Access policy with device compliance and session controls
AnswerD

This allows you to require MFA for unmanaged devices and apply session policies to block download of sensitive files, meeting both requirements.

Why this answer

Option D is correct because a Conditional Access policy with device compliance and session controls allows the administrator to require MFA for sign-ins from unmanaged devices and use session controls (e.g., Microsoft Defender for Cloud Apps session policies) to block downloading sensitive files. This policy targets specific conditions (unmanaged devices) and applies granular access controls, meeting both requirements precisely.

Exam trap

The trap here is that candidates confuse App Protection Policies (MAM) with Conditional Access session controls, not realizing that MAM policies manage app-level data protection without controlling sign-in MFA or blocking downloads based on device compliance, while Conditional Access with session controls can enforce both conditions in a single policy.

How to eliminate wrong answers

Option A is wrong because requiring MFA for all users does not differentiate between managed and unmanaged devices, nor does it block file downloads; it only enforces MFA globally. Option B is wrong because blocking access from unknown locations restricts access based on geographic IP addresses, not device management status, and does not control file downloads. Option C is wrong because App Protection Policies (MAM) manage data protection within apps on devices (e.g., preventing copy/paste or save-as), but they do not enforce MFA at sign-in or block downloads based on device compliance; they are applied to apps, not sign-in conditions.

127
MCQmedium

A department head asks which Microsoft 365 option should be used to search, review, and export content for a legal investigation. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Forms
B.Microsoft Stream
C.Microsoft Purview eDiscovery
D.Microsoft Planner
AnswerC

eDiscovery supports identifying, preserving, collecting, reviewing, and exporting content.

Why this answer

Microsoft Purview eDiscovery is the correct choice because it is the dedicated Microsoft 365 compliance solution for searching, reviewing, and exporting content in legal investigations. It provides advanced search capabilities across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, and supports legal hold, review sets, and export workflows to meet eDiscovery requirements.

Exam trap

The trap here is that candidates may confuse general productivity tools (Forms, Stream, Planner) with compliance capabilities, failing to recognize that only Microsoft Purview eDiscovery is designed for legal content search and export within the Microsoft 365 security and compliance center.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and data collection tool, not a compliance or security solution for legal content search and export. Option B is wrong because Microsoft Stream is a video hosting and sharing platform, lacking any eDiscovery or legal investigation capabilities. Option D is wrong because Microsoft Planner is a task management and project planning tool, with no features for searching, reviewing, or exporting content for legal purposes.

128
MCQmedium

Refer to the exhibit. What is the purpose of the 'classification' property in this Microsoft Purview sensitivity label policy?

A.To set the retention period for the labeled content
B.To define encryption settings for the label
C.To specify the sensitivity level of the content
D.To define user permissions for accessing the content
AnswerC

Classification indicates the sensitivity level, which determines protection actions.

Why this answer

Option C is correct. The 'classification' property defines the sensitivity level of the content, such as 'Confidential'. It is used to apply appropriate protection actions.

Option A is incorrect because retention is set by 'retentionDays'. Option B is incorrect because encryption is configured separately. Option D is incorrect because user permissions are not defined here.

129
MCQeasy

Your organization has 500 users and uses Microsoft 365 Business Basic. The sales team frequently works remotely and needs to access their work files on mobile devices. They also need to conduct video meetings with customers. The IT department has been asked to recommend additional Microsoft 365 services to meet these needs without upgrading the existing plan if possible. Which action should the IT department take?

A.Subscribe to a Microsoft Teams Rooms license for each user.
B.Upgrade all users to Microsoft 365 Business Standard to get desktop Office and additional features.
C.Deploy a third-party VPN solution to secure remote access to files.
D.Use the existing OneDrive and SharePoint mobile apps for file access and use Microsoft Teams for video meetings.
AnswerD

Business Basic includes mobile Office apps with file access and Teams for meetings.

Why this answer

Option D is correct because Microsoft 365 Business Basic already includes OneDrive and SharePoint for mobile file access via their respective apps, and Microsoft Teams for video meetings. These services meet the sales team's requirements without any additional licensing or plan upgrade, as Teams supports video conferencing and OneDrive/SharePoint provide secure remote file access on mobile devices.

Exam trap

The trap here is that candidates often assume remote file access requires a VPN or that video meetings need a higher-tier plan like Business Standard, overlooking that Business Basic already includes Teams and OneDrive/SharePoint mobile apps for these exact scenarios.

How to eliminate wrong answers

Option A is wrong because a Microsoft Teams Rooms license is designed for dedicated meeting room hardware (e.g., cameras, microphones, displays), not for individual users' mobile devices or remote work scenarios; it would be an unnecessary cost and does not address file access. Option B is wrong because upgrading to Business Standard is not required; the existing Business Basic plan already includes Teams for video meetings and OneDrive/SharePoint for file access via mobile apps, and the question explicitly asks to avoid upgrading if possible. Option C is wrong because a third-party VPN is unnecessary; OneDrive and SharePoint already provide secure remote access to files using HTTPS and Azure AD authentication, and deploying a VPN adds complexity and cost without addressing the video meeting requirement.

130
MCQmedium

A company has 150 users with Microsoft 365 Business Basic licenses. They now need to manage mobile devices using Microsoft Intune for all users. They want to keep costs as low as possible and do not want to upgrade to a more expensive plan if an add-on is available. What is the most cost-effective licensing strategy?

A.Add Microsoft Intune licenses for all users
B.Upgrade all users to Microsoft 365 Business Premium
C.Upgrade all users to Microsoft 365 E3
D.Purchase Microsoft 365 Enterprise Mobility + Security E3 add-on
AnswerA

Microsoft Intune can be added as a standalone license to Business Basic, providing the needed device management at the lowest additional cost.

Why this answer

Microsoft Intune is available as a standalone add-on license for Microsoft 365 Business Basic, Business Standard, and other plans. By purchasing the Microsoft Intune license per user, the company can add device management capabilities to their existing Business Basic subscriptions without paying for other unnecessary features. Upgrading to Business Premium or E3 would include Intune but also many other features, increasing cost.

131
MCQhard

A multinational company uses Microsoft 365 E5 and needs to meet data residency requirements in the EU and Asia. They plan to use Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from leaving approved geographic boundaries. Which action should they take to enforce this policy?

A.Apply sensitivity labels to all data and configure auto-labeling.
B.Enable Microsoft Purview Customer Lockbox to restrict data access.
C.Configure Conditional Access policies to block access from unauthorized regions.
D.Create a DLP policy that detects sensitive data and blocks sharing outside approved regions.
AnswerD

DLP policies can block sharing based on geographic location.

Why this answer

Option D is correct because DLP policies can be scoped to specific locations using conditions like 'Content contains sensitive info type' and 'Location'. Option C is incorrect because Conditional Access controls access, not data movement. Option A is incorrect because sensitivity labels alone do not block transfer.

Option B is incorrect because Customer Lockbox is for access control, not data location enforcement.

132
MCQmedium

Your company uses Microsoft Defender for Office 365 and wants to prevent users from clicking malicious links in email. A user reports that a known phishing link was not blocked. Which step should you take to investigate?

A.Check the Microsoft Secure Score for recommendations.
B.Review the Safe Links policy to ensure it is enabled.
C.Search in Threat Explorer for the URL and review the verdict.
D.Run an attack simulation to test the link.
AnswerC

Threat Explorer provides details on why a link was allowed or blocked.

Why this answer

Option C is correct because Threat Explorer allows searching for specific URLs and email messages to analyze threats. Option D is incorrect because Attack simulation training is for creating phishing simulations, not investigating past emails. Option B is incorrect because Safe Links policies are configured in the portal.

Option A is incorrect because the Security posture score is for overall maturity, not specific incidents.

133
Multi-Selectmedium

A company is choosing a Microsoft 365 plan for 150 users who need email, file storage, and Teams. They also need basic compliance features such as data retention policies and eDiscovery. Which TWO plans meet these requirements?

Select 2 answers
A.Microsoft 365 E1
B.Microsoft 365 E3
C.Microsoft 365 Business Premium
D.Microsoft 365 E5
E.Microsoft 365 Business Basic
AnswersB, C

E3 includes all required features and is suitable for any size.

Why this answer

Microsoft 365 E3 includes Exchange Online, SharePoint Online, and Teams, plus advanced compliance features like data retention policies and eDiscovery (Standard). Microsoft 365 Business Premium also includes these core services and compliance capabilities, making both suitable for 150 users needing email, file storage, Teams, and basic compliance.

Exam trap

The trap here is that candidates often assume only E3 or E5 can provide compliance features, forgetting that Microsoft 365 Business Premium also includes data retention policies and eDiscovery (Standard) for organizations under 300 users.

134
MCQhard

Your organization uses Microsoft Teams and wants to allow external partners to participate in shared channels without giving them full tenant access. Which identity solution should you configure?

A.Microsoft Teams guest access
B.Microsoft Entra External ID
C.Active Directory Federation Services
D.Microsoft Entra ID B2C
AnswerB

External ID enables secure collaboration with external partners with controlled access.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) is the correct solution because it allows external partners to authenticate and access shared Teams channels without granting them full tenant access. Unlike guest access, which creates a B2B collaboration user object in the tenant, External ID enables cross-tenant access policies that limit partner identities to specific resources like shared channels, preserving tenant isolation.

Exam trap

The trap here is that candidates often confuse Microsoft Teams guest access (which creates a guest user in the tenant) with the more restrictive B2B direct connect for shared channels, leading them to select guest access when the question explicitly requires 'without giving them full tenant access.'

How to eliminate wrong answers

Option A is wrong because Microsoft Teams guest access creates a guest user object in your tenant, which grants broader directory access and is not scoped solely to shared channels. Option C is wrong because Active Directory Federation Services (AD FS) is an on-premises identity federation solution for internal users, not designed for external partner access to Microsoft 365 shared channels. Option D is wrong because Microsoft Entra ID B2C is a customer-facing identity service for consumer applications, not for business-to-business partner collaboration in Teams.

135
MCQmedium

A company has 100 Microsoft 365 E3 users. They need to add advanced threat protection (Microsoft Defender for Office 365 Plan 2) and advanced compliance (eDiscovery Premium) for all users. They want to minimize additional costs while keeping their existing E3 subscriptions. What is the most cost-effective licensing strategy?

A.Purchase both the Microsoft 365 E5 Compliance add-on and the Microsoft 365 E5 Security add-on
B.Upgrade all users to Microsoft 365 E5
C.Purchase only the Microsoft 365 E5 Compliance add-on
D.Purchase only the Microsoft 365 E5 Security add-on
AnswerA

These add-ons provide exactly the advanced compliance and security features needed without upgrading to E5.

Why this answer

Option A is correct because Microsoft 365 E5 Security and E5 Compliance add-ons provide exactly the required capabilities (Defender for Office 365 Plan 2 and eDiscovery Premium) without upgrading the base E3 license. This approach avoids the cost of a full E5 upgrade while still covering both advanced threat protection and advanced compliance needs.

Exam trap

The trap here is that candidates often assume a full E5 upgrade is the only way to get both advanced security and compliance features, not realizing that targeted add-ons can be purchased separately to minimize cost.

How to eliminate wrong answers

Option B is wrong because upgrading all users to Microsoft 365 E5 would include many extra features (e.g., Power BI Pro, Audio Conferencing) that are not required, resulting in unnecessary additional cost. Option C is wrong because purchasing only the E5 Compliance add-on provides eDiscovery Premium but does not include Defender for Office 365 Plan 2, leaving the advanced threat protection requirement unmet. Option D is wrong because purchasing only the E5 Security add-on provides Defender for Office 365 Plan 2 but does not include eDiscovery Premium, failing to meet the advanced compliance requirement.

136
MCQeasy

A company's CFO is pleased that they only pay for the compute and storage resources consumed each month, with no upfront hardware costs. This billing model is a direct result of which cloud computing characteristic?

A.On-demand self-service
B.Broad network access
C.Measured service
D.Resource pooling
AnswerC

Measured service is the cloud characteristic that provides metering and billing based on usage. This allows customers to pay only for what they consume, with no upfront costs.

Why this answer

The CFO's observation that the company only pays for consumed compute and storage resources with no upfront hardware costs directly reflects the 'measured service' characteristic of cloud computing. Measured service means cloud providers meter resource usage (e.g., CPU hours, GB-months of storage) and bill based on actual consumption, typically using a pay-as-you-go model. This eliminates the need for capital expenditure on hardware, as costs are operational and tied to usage metrics.

Exam trap

The trap here is that candidates often confuse 'measured service' with 'resource pooling' because both involve multi-tenancy and efficiency, but measured service is specifically about usage metering and billing, not the underlying resource sharing architecture.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision resources automatically without requiring human interaction with the provider, not to the billing or cost model. Option B is wrong because broad network access describes the availability of resources over the network via standard protocols (e.g., HTTP, HTTPS) and accessed by various devices, not the consumption-based pricing. Option D is wrong because resource pooling involves the provider's multi-tenant model where physical and virtual resources are dynamically assigned to serve multiple customers, which enables efficiency but does not directly result in pay-per-use billing.

137
MCQeasy

Your organization is using Microsoft 365 and wants to ensure that services remain accessible even if one datacenter experiences an outage. Which concept should they rely on?

A.Scalability
B.Disaster recovery
C.High availability
D.Elasticity
AnswerC

High availability uses redundancy to maintain service during failures.

Why this answer

Option C is correct because high availability ensures uptime through redundancy. Option A is wrong because scalability is about handling load. Option B is wrong because disaster recovery focuses on restoring service after a major disaster. Option D is wrong because elasticity is about automatic scaling.

138
MCQmedium

A compliance team needs to prevent employees from copying sensitive data (such as financial records or customer PII) to USB drives and other removable media from their Windows 10/11 devices. When a user attempts to copy data to an unapproved USB device, the action should be blocked and an alert should be generated. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Lifecycle Management (retention policies)
B.Microsoft Purview Information Protection (sensitivity labels)
C.Microsoft Purview Data Loss Prevention (DLP) with device policies
D.Microsoft Purview eDiscovery (Standard or Premium)
AnswerC

Endpoint DLP policies can detect and block attempts to copy sensitive data to removable media, providing real-time protection and alerts.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) with device policies is the correct solution because it is specifically designed to monitor and control actions like copying sensitive data to removable media on Windows 10/11 endpoints. DLP device policies can block the copy action to unapproved USB devices and generate alerts when a policy violation occurs, directly addressing the compliance team's requirement to prevent data exfiltration via USB drives.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify and protect data) with DLP policies (which enforce actions like blocking copy to USB), but sensitivity labels alone cannot block endpoint-level copy actions without DLP device policies.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management (retention policies) governs how long data is retained and when it is deleted, not real-time blocking of copy actions to removable media. Option B is wrong because Microsoft Purview Information Protection (sensitivity labels) classifies and protects data with encryption or visual markings but does not enforce endpoint-level controls like blocking USB copy actions. Option D is wrong because Microsoft Purview eDiscovery (Standard or Premium) is used for legal discovery and search of content, not for preventing data exfiltration via removable media.

139
MCQmedium

A manager needs to create a custom dashboard that visualizes sales data from multiple data sources in real-time. Which service should they use?

A.Excel
B.Power Apps
C.Power BI
D.SharePoint
AnswerC

Power BI allows you to connect to various data sources, create interactive dashboards, and share them in real-time.

Why this answer

Power BI is the correct choice because it is specifically designed for creating interactive, real-time dashboards that aggregate data from multiple sources, including databases, cloud services, and streaming data. It provides live tile updates and direct query capabilities, enabling real-time visualization of sales data without manual refresh.

Exam trap

The trap here is that candidates often confuse Power Apps with Power BI, assuming both are for dashboards, but Power Apps is for building apps, not for data visualization or real-time analytics.

How to eliminate wrong answers

Option A is wrong because Excel is a spreadsheet application for static data analysis and lacks native real-time data connectivity and live dashboard capabilities. Option B is wrong because Power Apps is a low-code platform for building custom business applications, not for data visualization or real-time dashboards. Option D is wrong because SharePoint is a document management and collaboration platform that does not support real-time data aggregation or interactive dashboard creation from multiple sources.

140
MCQeasy

A user needs to collaborate on a document with colleagues in real time, but the document must be stored on a local network server due to regulatory requirements. Which Microsoft 365 app should the user use?

A.Microsoft SharePoint
B.Microsoft Word (desktop)
C.Microsoft OneDrive
D.Microsoft Teams
AnswerC

Syncs files to the cloud, enabling collaboration while maintaining a local copy.

Why this answer

Option C is correct because Microsoft OneDrive supports real-time co-authoring via its sync client and web interface, but crucially, when used with 'Files On-Demand' and local sync, the actual file can be stored on a local network server if the user syncs a SharePoint document library that resides on-premises via a cloud hybrid configuration. However, the question specifies the document must be stored on a local network server due to regulatory requirements; OneDrive for Business can sync files from a local server if the organization uses a cloud hybrid setup with SharePoint Server, but the core scenario is that OneDrive allows offline access and real-time collaboration while the authoritative copy remains on-premises. This meets the regulatory need for local storage while enabling real-time co-authoring.

Exam trap

The trap here is that candidates assume OneDrive is exclusively a cloud-only service, but Microsoft 365 allows hybrid configurations where OneDrive syncs with on-premises SharePoint Server, enabling local storage while still providing real-time co-authoring capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft SharePoint stores documents in the cloud (or on-premises via SharePoint Server), but the question explicitly requires the document to be stored on a local network server; SharePoint Online is cloud-only, and SharePoint Server requires a separate on-premises deployment that does not natively support real-time co-authoring with the same seamless experience as OneDrive sync. Option B is wrong because Microsoft Word (desktop) can open and edit documents stored locally, but it does not provide real-time co-authoring unless the document is saved to a cloud location like OneDrive or SharePoint; storing the document on a local network server without a sync mechanism prevents real-time collaboration. Option D is wrong because Microsoft Teams stores files in SharePoint Online or OneDrive for Business by default, not on a local network server; while Teams allows real-time co-authoring, the underlying storage is cloud-based, violating the regulatory requirement for local storage.

141
MCQmedium

A company uses Microsoft Purview Communication Compliance to detect inappropriate messages. Which action can an administrator take after reviewing a flagged message?

A.Apply a retention policy to the message
B.Create a DLP policy based on the message
C.Resolve the case with a notification to the sender
D.Recall the message from the recipient
AnswerC

The administrator can notify the sender of the policy violation and close the case.

Why this answer

Option C is correct. Communication Compliance allows administrators to resolve cases with actions like 'Resolve with notification' or escalate. Option A is wrong because retention policies are separate. Option B is wrong because DLP policies are not automatically created from Communication Compliance. Option D is wrong because message recall is not a direct action in Communication Compliance.

142
MCQmedium

A department asks for the Microsoft 365 service best suited for interactive business dashboards. Which service should they use?

A.Microsoft Purview Compliance Manager
B.Power BI
C.Microsoft Defender for Endpoint
D.Microsoft Entra Privileged Identity Management
AnswerB

Power BI provides reporting, semantic models, and dashboards.

Why this answer

Power BI is the correct choice because it is Microsoft's dedicated business analytics service that enables users to create interactive dashboards and reports from various data sources. It provides real-time data visualization, drill-down capabilities, and natural language querying, making it ideal for business intelligence needs within Microsoft 365.

Exam trap

The trap here is that candidates may confuse Microsoft Purview Compliance Manager's dashboard-like compliance score interface with a business dashboard, but it is strictly for compliance posture assessment, not interactive business analytics.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a compliance management tool that helps organizations assess and manage regulatory compliance, not for building interactive dashboards. Option C is wrong because Microsoft Defender for Endpoint is a security solution for endpoint protection, threat detection, and response, unrelated to dashboard creation. Option D is wrong because Microsoft Entra Privileged Identity Management is an identity governance service for managing, controlling, and monitoring privileged access to Azure AD resources, not for data visualization or dashboards.

143
MCQeasy

An organization wants to provide employees with a personalized news feed from internal and external sources. Which Microsoft 365 app should they use?

A.Microsoft Viva Insights
B.Microsoft Viva Engage
C.Microsoft Stream
D.Microsoft SharePoint
AnswerB

Viva Engage provides a social news feed from internal and external sources.

Why this answer

Microsoft Viva Engage (formerly Yammer) is the correct app because it provides a personalized news feed that aggregates content from both internal sources (e.g., company announcements, community posts) and external sources (e.g., RSS feeds, external news). It enables employees to discover relevant updates in a social-style feed, aligning with the requirement for a unified internal and external news experience.

Exam trap

The trap here is that candidates often confuse Microsoft Viva Insights (which sounds like it provides personalized content) with Viva Engage, or they assume SharePoint’s news web part can aggregate external sources, but SharePoint lacks the social feed and external aggregation capabilities that Viva Engage offers.

How to eliminate wrong answers

Option A is wrong because Microsoft Viva Insights focuses on personal productivity and well-being analytics (e.g., focus time, meeting habits), not on delivering a personalized news feed from internal and external sources. Option C is wrong because Microsoft Stream is a video hosting and sharing platform for enterprise video content, not a news aggregation feed. Option D is wrong because Microsoft SharePoint is a document management and collaboration platform that can display news via web parts, but it lacks the built-in social feed and external source aggregation that Viva Engage provides for a personalized news experience.

144
Multi-Selecteasy

Which TWO of the following are examples of Microsoft's commitments to data privacy as outlined in the Microsoft Privacy Statement and related agreements? (Choose two.)

Select 2 answers
A.Microsoft uses customer data to train AI models by default.
B.Microsoft may share customer data with third parties for marketing purposes.
C.Customers can access and export their data.
D.Microsoft allows third parties to access customer data without consent.
E.Customer data is not used for advertising.
AnswersC, E

Data portability is a key privacy commitment.

Why this answer

Option C is correct: Microsoft provides data portability. Option E is correct: Microsoft does not use customer data for advertising. Option A is wrong because Microsoft does not use customer data for AI training without consent. Option B is wrong because Microsoft does not share customer data with third parties for marketing. Option D is wrong because Microsoft does not allow third-party access without customer consent.

145
MCQmedium

A compliance-aware administrator is selecting the right Microsoft 365 capability to check known incidents affecting Microsoft 365 services. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A.Microsoft Forms
B.Microsoft Whiteboard
C.Microsoft Stream
D.Service health
AnswerD

Service health shows incidents and advisories for Microsoft 365 services.

Why this answer

Service health in the Microsoft 365 admin center provides real-time status and historical incident information for all Microsoft 365 services, including known incidents, advisories, and post-incident reports. This is the correct tool for a compliance-aware administrator to check known incidents affecting services, as it directly aligns with monitoring service availability and reliability under the support domain.

Exam trap

The trap here is that candidates may confuse productivity tools (Forms, Whiteboard, Stream) with support or monitoring capabilities, overlooking that Service health is the dedicated feature under the 'Support' domain for tracking known incidents and service status.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and data collection tool, not a service health monitoring or incident-checking capability. Option B is wrong because Microsoft Whiteboard is a digital canvas for collaboration and has no function for tracking service incidents or health status. Option C is wrong because Microsoft Stream is a video hosting and sharing service, not a tool for checking service health or known incidents affecting Microsoft 365.

146
Multi-Selecteasy

Which THREE are core pillars of the Microsoft Trust Center?

Select 3 answers
A.Compliance
B.Reliability
C.Transparency
D.Security
E.Privacy
AnswersA, D, E

Compliance is a core pillar.

Why this answer

Options A, D, and E are correct. The Trust Center pillars are Security, Privacy, and Compliance. Options B and C are not core pillars.

147
MCQmedium

A department head asks which Microsoft 365 option should be used to assign licenses automatically when users join a department group. Which Microsoft 365 licensing, admin, or support concept is most relevant?

A.Microsoft Stream
B.Microsoft Forms
C.Microsoft Whiteboard
D.Group-based licensing
AnswerD

Group-based licensing assigns licenses based on group membership.

Why this answer

Group-based licensing in Microsoft 365 allows you to automatically assign or remove licenses when users are added to or removed from a security group. This is the correct solution for the department head's requirement because it directly ties license assignment to group membership, eliminating manual intervention.

Exam trap

The trap here is that candidates may confuse Microsoft 365 group types (e.g., distribution groups, security groups) or think that a collaboration tool like Stream or Whiteboard can somehow manage licensing, when only Azure AD security groups with group-based licensing can automate this task.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video service for recording, sharing, and managing videos, not a licensing or group management tool. Option B is wrong because Microsoft Forms is used to create surveys, quizzes, and polls, and has no capability to assign licenses based on group membership. Option C is wrong because Microsoft Whiteboard is a digital canvas for collaboration and brainstorming, and it does not handle license assignment or group-based automation.

148
MCQmedium

A department head asks which Microsoft 365 option should be used to access cloud resources from laptops, tablets, and phones over the internet. Which cloud concept or benefit best matches this requirement?

A.Sensitivity labels
B.Microsoft Planner
C.Data Loss Prevention (DLP)
D.Broad network access
AnswerD

Broad network access means cloud services are reachable over standard networks from different client platforms.

Why this answer

Broad network access is a core NIST cloud characteristic that enables resources to be accessed over the internet by standard protocols (e.g., HTTPS, TLS) from a wide range of client devices such as laptops, tablets, and phones. This directly matches the requirement for accessing cloud resources from multiple device types over the internet.

Exam trap

The trap here is that candidates confuse operational features (like sensitivity labels or DLP) with foundational cloud characteristics, failing to recognize that 'broad network access' is the specific NIST-defined term for multi-device internet-based access.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are a Microsoft Purview Information Protection feature used to classify and protect data based on sensitivity, not to enable network access from devices. Option B is wrong because Microsoft Planner is a task management and collaboration tool within Microsoft 365, not a cloud concept or benefit for device access. Option C is wrong because Data Loss Prevention (DLP) is a security policy mechanism to prevent unauthorized sharing of sensitive data, not a cloud characteristic for broad device connectivity.

149
MCQeasy

A company uses a cloud provider that bills them based on the exact amount of storage and compute hours they consume each month. They can increase or decrease their usage at any time without signing a long-term contract. Which cloud computing characteristic is most directly demonstrated by the billing model?

A.Scalability
B.Elasticity
C.Measured service
D.On-demand self-service
AnswerC

Measured service enables pay-per-use billing by tracking resource consumption.

Why this answer

The billing model described—paying for exactly the amount of storage and compute hours consumed, with no long-term contract—directly demonstrates the measured service characteristic. Measured service means that cloud resource usage is metered, monitored, and reported, allowing providers to charge customers based on actual consumption (pay-as-you-go). This is a core attribute of cloud computing as defined by NIST SP 800-145, where usage is tracked and billed transparently.

Exam trap

The trap here is that candidates confuse elasticity (the ability to scale dynamically) with measured service (the metering and billing of that usage), because both involve variable resource consumption, but measured service is specifically about the tracking and charging mechanism.

How to eliminate wrong answers

Option A is wrong because scalability refers to the ability to handle increased workload by adding resources, not to the billing model itself. Option B is wrong because elasticity is the ability to automatically scale resources up or down in response to demand, which is a separate operational characteristic from how usage is measured and billed. Option D is wrong because on-demand self-service means a user can provision resources without human interaction with the provider, which is about provisioning capability, not the metering and billing mechanism.

150
MCQmedium

A project team needs a centralized workspace that includes a shared calendar for deadlines, a document library for storing deliverables, and a task list with assignments. They also want threaded discussions about each item. Which Microsoft 365 service provides this integrated experience out of the box?

A.Microsoft Teams
B.SharePoint Online
C.Microsoft 365 Groups
D.Microsoft Outlook
AnswerC

A Microsoft 365 Group automatically provisions a shared mailbox and calendar (Outlook), a SharePoint site for documents, and a Planner plan for tasks, with threaded conversations available in the group inbox.

Why this answer

Microsoft 365 Groups is the correct answer because it provides a unified, out-of-the-box workspace that includes a shared calendar, document library (via connected SharePoint), task list (via Planner or To Do), and a group mailbox with threaded conversations. Unlike standalone services, a Microsoft 365 Group bundles these resources together automatically when created, offering the integrated experience described without requiring manual configuration.

Exam trap

The trap here is that candidates often confuse Microsoft Teams as the integrated workspace, but Teams is actually a client that surfaces the underlying Microsoft 365 Group resources, not the service that provides them out of the box.

How to eliminate wrong answers

Option A is wrong because Microsoft Teams is a chat-based collaboration hub that relies on a Microsoft 365 Group for its underlying calendar, document library, and task list; Teams itself does not natively provide a shared calendar or threaded discussions about each item without the group's resources. Option B is wrong because SharePoint Online provides document libraries and lists but lacks a built-in shared calendar and threaded discussions; it requires integration with other services like Outlook or Teams to achieve the full integrated experience. Option D is wrong because Microsoft Outlook is an email and calendar client that can display group resources but does not natively create or manage the document library, task list, or threaded discussions as a centralized workspace; it consumes the group's resources rather than providing them.
