CCNA Describe security, compliance, privacy, and trust in Microsoft 365 Questions

75 of 269 questions · Page 1/4 · Describe security, compliance, privacy, and trust in Microsoft 365 · Answers revealed

1
MCQ · medium

During a Microsoft 365 planning workshop, an organization needs to provide baseline anti-spam and anti-malware filtering for Exchange Online. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Stream
B. Microsoft Forms
C. Exchange Online Protection
D. Microsoft Planner
Answer: C

Exchange Online Protection filters spam, malware, and email threats.

Why this answer

Exchange Online Protection (EOP) is the cloud-based filtering service built into Exchange Online that provides baseline anti-spam and anti-malware protection. It scans all inbound and outbound messages using heuristics, signature-based detection, and connection filtering to block malicious content before it reaches user mailboxes.

Exam trap

The trap here is that candidates confuse general Microsoft 365 apps (Stream, Forms, Planner) with security services, failing to recognize that Exchange Online Protection is the dedicated anti-spam/anti-malware service for Exchange Online.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video sharing and management service, not a security filtering capability. Option B is wrong because Microsoft Forms is a survey and quiz creation tool, not a messaging security service. Option D is wrong because Microsoft Planner is a task management and project planning application, not a security or compliance feature.

2
MCQ · medium

During requirements gathering, an IT manager says the organization must review employee messages for harassment or regulatory policy violations. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Forms
B. Communication Compliance
C. Microsoft Stream
D. Microsoft Planner
Answer: B

Communication Compliance detects and routes potentially inappropriate or regulated communications for review.

Why this answer

Communication Compliance in Microsoft 365 is the correct capability because it is specifically designed to detect, capture, and act on inappropriate messages—such as harassment or regulatory policy violations—across email, Microsoft Teams, and third-party communications. It uses configurable policies with built-in classifiers for harassment, threats, and regulatory compliance, enabling automated review and remediation. This directly addresses the IT manager's requirement to monitor employee messages for policy violations.

Exam trap

The trap here is that candidates may confuse Communication Compliance with other Microsoft 365 tools that have 'communication' in their name (like Microsoft Teams) or assume any Microsoft 365 app can be repurposed for compliance, but only Communication Compliance provides the dedicated policy-based message surveillance and remediation workflow required for harassment and regulatory monitoring.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and data collection tool, not a compliance solution for monitoring employee messages. Option C is wrong because Microsoft Stream is a video hosting and sharing platform, lacking any capabilities for scanning text-based communications for harassment or regulatory violations. Option D is wrong because Microsoft Planner is a task and project management tool, with no features for message surveillance or compliance policy enforcement.

3
MCQ · medium

A compliance manager wants a dashboard that maps Microsoft 365 controls to regulatory standards and gives recommended improvement actions. Which portal capability should they use?

A. Microsoft Purview Compliance Manager.
B. Microsoft Defender for Endpoint.
C. Exchange admin center message trace.
D. Microsoft Viva Connections.
Answer: A

It provides compliance assessments and recommended improvement actions.

Why this answer

Microsoft Purview Compliance Manager is the correct portal because it provides a centralized dashboard that maps Microsoft 365 controls to regulatory standards (e.g., ISO 27001, NIST, GDPR) and generates recommended improvement actions with implementation steps. It uses built-in assessments and control scoring to track compliance posture, directly meeting the compliance manager's need for a regulatory mapping and action-oriented dashboard.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Compliance Manager with Microsoft Defender for Endpoint, mistakenly thinking a security monitoring tool can also handle compliance mapping, but Defender for Endpoint focuses on threat protection, not regulatory control frameworks or improvement recommendations.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint is a security solution focused on endpoint detection and response (EDR), vulnerability management, and threat hunting; it does not provide a dashboard for mapping controls to regulatory standards or recommending compliance improvement actions. Option C is wrong because the Exchange admin center message trace is a mail flow troubleshooting tool used to track email delivery and routing, not a compliance dashboard for regulatory mapping or improvement recommendations. Option D is wrong because Microsoft Viva Connections is an employee experience platform that aggregates news, resources, and communications in Teams; it has no capability for compliance control mapping or regulatory standard assessments.

4
MCQ · easy

South Ridge School District uses Microsoft 365 Education A5. They have 10,000 students and 1,000 staff. The district wants to ensure that student data is protected and that only authorized staff can access student records. They also need to comply with FERPA (Family Educational Rights and Privacy Act). The IT team has created security groups for teachers, administrators, and support staff. They want to restrict access to a specific SharePoint site containing student records to only the teachers group. Additionally, they want to prevent teachers from sharing the site with external users. What should you configure?

A. In the SharePoint site settings, set the site permissions to 'Only members of the Teachers group can access' and set external sharing to 'Only people in your organization'.
B. Apply a sensitivity label to the site that restricts access to the teachers group.
C. Add the teachers group as site collection administrators.
D. Create a private channel in Microsoft Teams for teachers only.
Answer: A

This restricts access to the teachers group and prevents external sharing.

Why this answer

Option A is correct. Sharing controls in SharePoint site settings can be used to limit access to specific groups and disable external sharing. Option D (private channel) is for Teams, not SharePoint.

Option B (sensitivity label) can restrict access but is not site-specific. Option C (site collection admin) does not restrict sharing.

5
MCQ · medium

An organization wants to ensure that only compliant devices can access Microsoft 365 resources. They use Microsoft Intune for device management. Which policy should they configure?

A. Enable device enrollment in Intune
B. Create a Conditional Access policy in Microsoft Entra ID
C. Create a compliance policy in Intune
D. Create a device configuration policy in Intune
Answer: B

Conditional Access evaluates device compliance and grants or blocks access accordingly.

Why this answer

Option B is correct. Conditional Access in Microsoft Entra ID uses compliance status from Intune to allow or block access. Option C is wrong because compliance policies define what compliance means, but the access control is done by Conditional Access.

Option D is wrong because configuration policies configure settings, not access. Option A is wrong because device enrollment is the process of joining devices to management.

6
MCQ · hard

Your organization is adopting Microsoft 365 Copilot and wants to prevent the AI from using internal customer data in its training models. Which data protection option should be enabled?

A. Microsoft Commercial Data Protection
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview Audit
D. Conditional Access policies
Answer: A

This commitment ensures customer data is not used for training.

Why this answer

Microsoft Commercial Data Protection ensures that Copilot does not use customer data for training models. Option A is correct. Options B, C, and D do not address training data usage.

7
MCQ · medium

A security team wants to ensure that only devices that are compliant with company security policies (e.g., antivirus enabled, disk encrypted) can access Exchange Online and SharePoint Online. Which feature should they configure in Microsoft 365?

A. Conditional Access policies
B. Data loss prevention (DLP) policies
C. Information Rights Management (IRM)
D. Microsoft Defender for Office 365
Answer: A

Correct. Conditional Access policies can enforce device compliance by checking with Intune before allowing access to cloud apps.

Why this answer

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) allow administrators to enforce device compliance as a condition for granting access to cloud apps like Exchange Online and SharePoint Online. By integrating with Microsoft Intune device compliance policies (e.g., requiring antivirus, disk encryption), Conditional Access can block or allow access based on real-time device health signals, ensuring only compliant devices can connect.

Exam trap

The trap here is that candidates often confuse Conditional Access with DLP or IRM because all three involve security policies, but only Conditional Access can enforce device compliance as a gate before access is granted.

How to eliminate wrong answers

Option B (Data loss prevention policies) is wrong because DLP is designed to identify, monitor, and protect sensitive data (e.g., credit card numbers) in transit or at rest, not to enforce device compliance or block access based on device health. Option C (Information Rights Management) is wrong because IRM protects content through encryption and usage restrictions (e.g., preventing forwarding or printing) after access is granted, but it does not evaluate device compliance before granting access. Option D (Microsoft Defender for Office 365) is wrong because it focuses on threat protection against malicious links, attachments, and phishing in email and collaboration tools, not on device-level compliance checks for access control.

8
MCQ · medium

A compliance officer needs to automatically detect documents stored in SharePoint Online that contain sensitive data types (e.g., credit card numbers) and apply a sensitivity label that restricts access to only certain users. The classification should occur without user intervention and the label must be applied to the document. Which Microsoft Purview solution should be configured?

A. Data Loss Prevention (DLP)
B. Sensitivity labels with auto-labeling
C. Retention labels
D. Information barriers
Answer: B

Auto-labeling policies can scan content for sensitive info types and automatically apply a sensitivity label that includes encryption and permissions.

Why this answer

Sensitivity labels with auto-labeling are the correct solution because they can automatically classify documents based on sensitive data types (such as credit card numbers) and apply a sensitivity label that enforces protection actions like restricting access to specific users. This occurs without user intervention, meeting the requirement for automatic classification and labeling in SharePoint Online.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling, but DLP only detects and blocks sharing actions, whereas auto-labeling applies the sensitivity label and its associated protection directly to the document.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies detect and prevent the sharing of sensitive data but do not apply sensitivity labels or enforce access restrictions on documents; they trigger alerts or block actions. Option C is wrong because retention labels are designed to manage data retention and deletion policies, not to classify documents based on sensitive data types or apply access restrictions. Option D is wrong because information barriers are used to restrict communication and collaboration between specific groups or users, not to automatically detect sensitive data or apply labels to documents.

9
MCQ · hard

A security team needs to ensure that all Microsoft 365 administrative actions—such as creating user accounts or resetting passwords—are logged and searchable for at least 90 days. They also need to create custom alert rules for suspicious admin activity. Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit (Standard)
B. Microsoft Purview Audit (Premium)
C. Microsoft Entra ID sign-in logs
D. Microsoft Defender for Cloud Apps
Answer: A

Correct. Audit (Standard) records admin and user activities with 90-day retention and supports custom alert rules via the Microsoft Purview compliance portal.

Why this answer

Microsoft Purview Audit (Standard) logs and retains all administrative actions (e.g., creating users, resetting passwords) for 90 days by default, meeting the retention requirement. It also supports creating custom alert rules for suspicious admin activity via the Microsoft 365 Defender portal, which queries the audit log. This makes it the correct solution for both logging and alerting on admin actions.

Exam trap

The trap here is that candidates often confuse Audit (Premium) as mandatory for any alerting or retention beyond 30 days, but the question's 90-day requirement is exactly met by Audit (Standard), and Premium is only needed for longer retention or specific high-value events.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit (Premium) extends retention up to 1 year (or more with add-ons) and provides higher-value events like MailItemsAccessed, but the question specifically requires only 90 days of retention, which Standard already covers. Option C is wrong because Microsoft Entra ID sign-in logs capture authentication events (e.g., user logins, MFA failures), not administrative actions like creating accounts or resetting passwords, and they are retained for 30 days by default (or 30 days with Azure AD P1/P2). Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app discovery, session controls, and anomaly detection for SaaS apps, not on logging and alerting for Microsoft 365 administrative actions within the audit log.

10
MCQ · medium

A security analyst receives an alert about a user who downloaded a large number of files from a SharePoint document library in a short period. The analyst needs to investigate the user's activities across Exchange, SharePoint, and Teams to determine if data exfiltration is occurring. Which Microsoft Purview solution should the analyst use to review detailed activity logs?

A. Microsoft Purview Audit (Premium)
B. Microsoft Purview eDiscovery (Premium)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Data Loss Prevention (DLP)
Answer: A

Audit (Premium) captures a comprehensive record of user activities, enabling investigation of potential data exfiltration.

Why this answer

Microsoft Purview Audit (Premium) provides detailed, searchable activity logs for user actions across Exchange, SharePoint, and Teams, including file downloads, access events, and admin operations. The analyst can use the Audit log search to filter by user, date range, and activity type (e.g., 'FileDownloaded') to identify potential data exfiltration patterns. Audit (Premium) also offers longer retention (up to 1 year by default, extendable to 10 years) and higher-bandwidth APIs for large-scale investigations.

Exam trap

The trap here is that candidates confuse the investigative capability of Audit logs with the preventive or content-focused tools like DLP or eDiscovery, assuming that any security-related alert must be handled by DLP or eDiscovery, when in fact Audit (Premium) is the correct tool for reviewing historical activity logs.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery (Premium) is designed for legal discovery and content search (e.g., identifying, preserving, and exporting relevant documents and emails), not for real-time or historical activity log review of user actions like file downloads. Option C is wrong because Microsoft Purview Communication Compliance focuses on monitoring internal and external communications (e.g., email, Teams messages) for policy violations like harassment or insider trading, not on tracking file download activities from SharePoint. Option D is wrong because Microsoft Purview Data Loss Prevention (DLP) is a policy-based solution that prevents data exfiltration by blocking or alerting on sensitive content in transit or at rest, but it does not provide a searchable log of past user activities for forensic investigation.

11
MCQ · medium

A financial services firm uses Microsoft 365 and must retain all business communications for 7 years to comply with SEC regulations. They also need to prevent users from permanently deleting emails. Which Microsoft Purview feature should they implement?

A. Retention policies and retention labels
B. Sensitivity labels
C. eDiscovery (Standard)
D. Data Loss Prevention (DLP) policies
Answer: A

Retention policies enforce retention and prevent deletion.

Why this answer

Option A is correct because retention policies and labels can enforce retention periods and prevent permanent deletion. Option D is incorrect because DLP prevents data loss and does not enforce retention. Option C is incorrect because eDiscovery is for search and hold, not retention enforcement.

Option B is incorrect because sensitivity labels classify data but do not enforce retention.

12
MCQ · medium

A legal department requires that when an employee deletes any email message in Exchange Online that is related to active litigation, the message must be automatically retained for an additional 5 years after deletion. The retention must be applied based on keywords found in the email content. Which Microsoft Purview solution should be configured?

A. Microsoft Purview retention labels with auto-labeling based on keywords
B. Microsoft Purview Data Loss Prevention (DLP) policies
C. Microsoft Purview eDiscovery
D. Microsoft Purview Audit
Answer: A

Correct. Retention labels can automatically detect keyword patterns and retain deleted emails for the specified duration.

Why this answer

Microsoft Purview retention labels with auto-labeling based on keywords can automatically apply a retention label to emails that match specific keywords in their content. When the label is configured to retain items for 5 years after deletion, it ensures that emails related to active litigation are preserved even after the user deletes them. This meets the legal department's requirement for content-based, automatic retention.

Exam trap

The trap here is that candidates often confuse retention labels (which manage lifecycle and deletion) with DLP policies (which prevent data loss) or eDiscovery (which finds and holds data), failing to recognize that auto-labeling based on keywords is the precise mechanism for content-driven retention.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) policies are designed to prevent data leaks by detecting and blocking sensitive information, not to enforce retention after deletion. Option C is wrong because Microsoft Purview eDiscovery is used to search, hold, and export content for legal cases, but it does not automatically apply retention based on keywords in email content. Option D is wrong because Microsoft Purview Audit logs user and admin activities for compliance investigation, but it does not retain deleted messages or apply retention policies based on content keywords.

13
MCQ · medium

A tenant administrator is advising a department that wants to let users sign in once and access connected Microsoft 365 and SaaS apps. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Planner
B. Microsoft Forms
C. Microsoft Stream
D. Single sign-on (SSO)
Answer: D

SSO allows users to authenticate once and access connected applications.

Why this answer

Single sign-on (SSO) enables users to authenticate once and gain access to multiple applications, including Microsoft 365 and third-party SaaS apps, without re-entering credentials. This is achieved through federation protocols such as SAML 2.0 or OpenID Connect, which allow the identity provider (Azure AD) to issue security tokens to relying party applications. SSO is the correct Microsoft security and identity capability for this requirement.

Exam trap

The trap here is that candidates may confuse productivity tools (Planner, Forms, Stream) with security/identity capabilities, failing to recognize that SSO is the specific feature designed for unified authentication across multiple apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and project planning tool within Microsoft 365, not an identity or security capability; it cannot provide single sign-on or federated authentication. Option B is wrong because Microsoft Forms is a survey and data collection tool, lacking any identity federation or authentication functionality. Option C is wrong because Microsoft Stream is a video hosting and sharing service; it does not implement SSO or manage user authentication across apps.

14
Multi-Select · hard

Which THREE statements about Microsoft Purview Audit (Standard) are true? (Choose three.)

Select 3 answers
A. Users must be assigned an appropriate license to view audit logs
B. Audit records are retained for 90 days by default
C. All SharePoint and OneDrive events are audited by default
D. Audit records are retained for 180 days by default
E. Exchange Online admin actions are audited by default
Answers: A, B, E

Permissions are required to access the audit log.

Why this answer

Audit (Standard) retains logs for 90 days (B), includes Exchange admin actions (E), and requires appropriate permissions (A). Option D (180 days) is for Audit (Premium). Option C (all SharePoint events) is also Premium.

15
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Purview Information Protection policy created by a colleague. The policy is intended to prevent users from sharing files labeled 'Highly Confidential' with external parties. However, users are still able to share these files externally. Which of the following is the most likely reason?

A. The sensitivity label is not published to the users.
B. The policy is missing the 'blockAccess' action.
C. The action should be set to 'blockAccess' only.
D. The condition should check for file extension instead of sensitivity label.
Answer: A

If the label is not published, the condition cannot match.

Why this answer

Option A is correct because the policy uses the sensitivityLabels condition, but the correct property should be 'sensitivityLabelIds' (or equivalent) and the label must be published. Option D is wrong because the condition is based on sensitivity labels, not file extensions. Option C is wrong because the action blockSharing is correctly specified.

Option B is wrong because the policy is not missing an action; the action is present.

16
MCQ · medium

During requirements gathering, an IT manager says the organization must classify files as Confidential and apply encryption to the most sensitive content. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Stream
B. Microsoft Planner
C. Sensitivity labels
D. Microsoft Forms
Answer: C

Sensitivity labels classify content and can apply encryption and markings.

Why this answer

Sensitivity labels in Microsoft Purview Information Protection allow organizations to classify files as Confidential and apply encryption automatically or manually. This capability meets the requirement to protect the most sensitive content by enforcing access controls and encryption policies based on the label.

Exam trap

The trap here is that candidates may confuse Microsoft's collaboration tools (Stream, Planner, Forms) with security/compliance features, overlooking that sensitivity labels are the dedicated mechanism for classification and encryption in Microsoft 365.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video hosting and sharing service, not a security or compliance tool for file classification or encryption. Option B is wrong because Microsoft Planner is a task management and collaboration tool, lacking any native classification or encryption features. Option D is wrong because Microsoft Forms is used to create surveys and quizzes, with no capability to classify files or apply encryption.

17
MCQ · easy

Your company is subject to the General Data Protection Regulation (GDPR). Which Microsoft 365 compliance feature helps you respond to a Data Subject Request (DSR) to export a user's personal data?

A. Microsoft Information Protection
B. Data Loss Prevention
C. Microsoft Purview eDiscovery
D. Unified audit log
Answer: C

eDiscovery can search and export content to fulfill DSRs.

Why this answer

eDiscovery (C) allows search and export of content. Option D (Audit) logs activities. Option A (MIP) classifies data.

Option B (DLP) prevents leaks.

18
MCQ · medium

A compliance-aware administrator is selecting the right Microsoft 365 capability to manage formal records that must be retained and disposed of according to policy. Which Microsoft security, identity, or compliance capability should it use?

A. Records Management
B. Microsoft Forms
C. Microsoft Planner
D. Microsoft Stream
Answer: A

Records Management supports declaring, retaining, and disposing of records.

Why this answer

Records Management in Microsoft 365 (part of Microsoft Purview) is specifically designed to manage formal records by applying retention labels that enforce retention and disposition policies. It allows administrators to declare records, lock them against modification or deletion, and trigger disposal actions based on regulatory or organizational requirements. This directly addresses the need to retain and dispose of records according to policy.

Exam trap

The trap here is that candidates may confuse general compliance features (like retention policies in Microsoft 365) with the specific Records Management capability, which is the only one designed for formal, policy-driven record declaration and disposition.

How to eliminate wrong answers

Option B (Microsoft Forms) is wrong because it is a survey and data collection tool, not a compliance capability for managing records retention or disposition. Option C (Microsoft Planner) is wrong because it is a task management and collaboration tool for organizing work, with no built-in features for formal records management or policy-based retention. Option D (Microsoft Stream) is wrong because it is a video hosting and sharing platform; while it may have some retention policies via broader Microsoft 365 compliance, it is not a dedicated records management capability.

19
MCQ · medium

A compliance officer needs to automatically encrypt any outgoing email that contains a customer's credit card number. The solution should work without requiring the sender to take any manual action. Which Microsoft Purview feature should be configured?

A. Data Loss Prevention (DLP) policy
B. Microsoft Purview Message Encryption
C. Sensitivity labels
D. Retention policies
Answer: A

Correct. DLP policies can be configured to detect credit card numbers and automatically apply encryption when sending emails containing that data.

Why this answer

A Data Loss Prevention (DLP) policy in Microsoft Purview can be configured to automatically detect sensitive information types, such as credit card numbers, in outgoing email. When a match is found, the policy can enforce an action like 'Encrypt the message' without requiring any manual action from the sender, fulfilling the compliance officer's requirement for automatic, sender-transparent encryption.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Message Encryption (a manual or rule-triggered encryption method) with a DLP policy's ability to automatically detect and encrypt content, leading them to select Message Encryption as the direct solution instead of the policy that orchestrates the detection and action.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Message Encryption is a feature that provides encryption capabilities, but it requires manual action by the sender (e.g., selecting 'Encrypt' in Outlook) or must be triggered by a DLP policy; it is not a policy itself that automatically detects and encrypts based on content. Option C is wrong because sensitivity labels are used to classify and protect data based on user-applied or automatic labeling, but they do not natively scan for specific patterns like credit card numbers in transit; they rely on DLP or auto-labeling policies for such detection. Option D is wrong because retention policies are designed to preserve or delete data after a specified period, not to inspect content in real-time for sensitive information or enforce encryption on outgoing messages.

20
MCQ · medium

Refer to the exhibit. You are reviewing a sensitivity label policy configuration in Microsoft Purview. What is the outcome of this configuration?

A. The 'Confidential' label is disabled and cannot be applied.
B. Users are required to apply a sensitivity label to all documents.
C. Users can manually change the label, but the default label is 'Public'.
D. No default label is applied to documents.
Answer: C

The default label is 'Public', and since not mandatory, users can change it.

Why this answer

Option C is correct. The default label is 'Public' with MandatoryLabelType set to 'none', meaning labels are not mandatory. Users can apply labels manually, but documents will have the default label unless changed.

Option B is wrong because labeling is not mandatory. Option D is wrong because the default label is applied, not none. Option A is wrong because labels are enabled.

21
MCQ · medium

You are the compliance officer for Fabrikam, a medium-sized company with 500 users on Microsoft 365 Business Premium. Fabrikam must comply with the California Consumer Privacy Act (CCPA). The legal team has identified that they need to be able to respond to consumer requests to delete personal data within 45 days. They also need to ensure that personal data is not retained longer than necessary. You have been asked to configure Microsoft Purview to meet these requirements. Specifically, you need to search for and delete personal data when a deletion request is received, and set up a data retention policy to automatically delete personal data after 2 years. What should you do?

A. Implement auto-labeling to label personal data and configure a retention label to delete after 2 years.
B. Use Content Search to find personal data, then use eDiscovery to delete it for deletion requests. Create a retention policy with a retention period of 2 years for all SharePoint sites and OneDrive accounts.
C. Create a retention label that deletes data after 2 years and apply it manually to all documents containing personal data.
D. Configure a DLP policy to block sharing of personal data and set a retention policy for 2 years.
Answer: B

Content Search and eDiscovery handle deletion; retention policy handles automatic deletion.

Why this answer

Option B is correct because to delete personal data for a specific user, you need to use Content Search to find the data and then eDiscovery to delete it. A retention policy can be set to automatically delete data after 2 years. Option C is incorrect because a retention label is for manual application, not automatic deletion.

Option D is incorrect because DLP does not delete data. Option A is incorrect because auto-labeling does not delete data.

22
MCQhard

A legal team is preparing for litigation. They need to place a hold on all content (emails, documents, Teams messages) related to a specific project across the entire organization. The hold must prevent any deletion or modification of the content. Which Microsoft Purview solution should they use?

A.eDiscovery (Premium) with legal hold
B.Audit log search
C.Data Loss Prevention (DLP)
D.Retention policy
AnswerA

eDiscovery (Premium) allows creating cases, searching for relevant content, and applying legal holds to preserve data across all Microsoft 365 workloads.

Why this answer

Option A is correct because eDiscovery (Premium) with legal hold is the Microsoft Purview solution specifically designed to preserve content in-place for litigation. When a legal hold is applied to a case, it prevents deletion or modification of emails, documents, and Teams messages across the entire organization by placing a hold on the underlying Exchange Online mailboxes, SharePoint sites, and OneDrive accounts. This ensures that all content related to the project is immutable for the duration of the hold, meeting the legal team's requirement.

Exam trap

The trap here is that candidates often confuse retention policies (which are broad, time-based preservation rules) with legal holds (which are case-specific, litigation-driven holds that prevent any modification or deletion), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B (Audit log search) is wrong because it only records and allows searching of past activities (e.g., who accessed or deleted content) but does not prevent deletion or modification of content; it is a detective control, not a preventive one. Option C (Data Loss Prevention or DLP) is wrong because DLP policies are designed to identify, monitor, and protect sensitive data from being shared or leaked (e.g., via email or Teams), not to place a hold on content for litigation purposes. Option D (Retention policy) is wrong because while retention policies can preserve content for a specified period, they are typically applied based on content type or location and do not provide the granular, case-specific hold required for litigation; retention policies also allow modification of content unless combined with a retention label that blocks editing, which is not the same as a legal hold.

23
MCQeasy

Your organization is migrating from on-premises Exchange to Exchange Online. You need to ensure that email communications comply with regulatory requirements for retention. Which Microsoft 365 feature should you use to define retention periods for emails?

A.Microsoft Purview eDiscovery cases
B.Microsoft Purview retention policies
C.Exchange Online journaling
D.Exchange Online litigation hold
AnswerB

Retention policies define how long content is kept and when to delete.

Why this answer

Option B is correct because retention policies in Microsoft Purview apply to Exchange Online. Option A is incorrect because eDiscovery is for search and hold. Option C is incorrect because journaling is a legacy feature, not the primary retention tool.

Option D is incorrect because Litigation Hold is for preservation, not defined retention periods.

24
MCQhard

A company wants to ensure that all Microsoft 365 admin actions are recorded and searchable for at least 180 days. They also need to create custom alert rules to notify the security team when critical events occur, such as a user being added to the Global Admin role. Which Microsoft Purview solution should they use?

A.Microsoft Purview Audit
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Information Protection
D.Microsoft Purview eDiscovery
AnswerA

Correct. Audit (Premium) can retain logs for up to 1 year and supports custom alert policies for critical events.

Why this answer

Microsoft Purview Audit (specifically Audit (Standard) or Audit (Premium)) is the correct solution because it records all admin actions from Microsoft 365 services into the unified audit log, retains those logs for at least 180 days (Audit Standard) or up to 10 years (Audit Premium), and allows you to create custom alert policies that trigger notifications when specific events like 'Added member to role' (e.g., Global Admin) occur. This directly meets the requirement for recording, searchability, and custom alerting on critical admin events.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Audit with Microsoft Purview eDiscovery, mistakenly thinking eDiscovery is used for monitoring admin actions, when in fact eDiscovery is solely for legal content search and holds, not for real-time auditing or alerting.

How to eliminate wrong answers

Option B (Microsoft Purview Data Loss Prevention) is wrong because DLP is designed to detect and prevent accidental sharing of sensitive data (e.g., credit card numbers) through policies, not to record admin actions or create alerts for role changes. Option C (Microsoft Purview Information Protection) is wrong because it focuses on classifying, labeling, and protecting data at rest and in transit (e.g., sensitivity labels, encryption), not on auditing admin activities or triggering alerts for security events. Option D (Microsoft Purview eDiscovery) is wrong because eDiscovery is used for legal investigations to search, hold, and export content from mailboxes, SharePoint, and Teams, not for real-time monitoring of admin actions or creating custom alert rules.

25
MCQhard

A multinational corporation needs to ensure that all emails containing a customer's passport number are automatically blocked from being sent externally. Additionally, the sending user should receive a policy tip explaining the block. Which Microsoft Purview solution should be configured?

A.Sensitivity labels
B.Data Loss Prevention (DLP) policies
C.Conditional Access policies
D.eDiscovery
AnswerB

DLP policies can detect passport numbers in emails and block them from being sent, with user notification via policy tips.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview are specifically designed to detect sensitive information, such as passport numbers, in emails and automatically block external transmission while displaying a policy tip to the user. This matches the requirement exactly, as DLP can inspect email content for sensitive data types and enforce actions like blocking and notifying the sender.

Exam trap

The trap here is that candidates often confuse sensitivity labels with DLP, assuming labels can block emails, but labels only apply protection after classification, whereas DLP actively inspects content and enforces rules like blocking and policy tips.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used for classification and protection (e.g., encryption or visual markings) but do not natively block external email transmission based on content detection or provide policy tips. Option C is wrong because Conditional Access policies control access to resources based on user, device, or location conditions, not content inspection or blocking of outbound emails. Option D is wrong because eDiscovery is designed for searching and exporting content for legal or compliance investigations, not for real-time prevention of data exfiltration or user notifications.

26
MCQeasy

An administrator needs to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should they configure?

A.Privileged Identity Management
B.Conditional Access policies
C.Multi-Factor Authentication
D.Identity Protection
AnswerB

Conditional Access can require compliant devices.

Why this answer

Conditional Access policies can enforce device compliance. Option B is correct. The other options are not used for device access control.

27
MCQmedium

A compliance administrator needs to manage user sign-in risk and require MFA for risky sign-ins. Which Microsoft 365 capability is the best fit?

A.OneDrive sync client
B.Microsoft Bookings
C.Microsoft Entra ID Protection with Conditional Access
D.Microsoft Teams live events
AnswerC

Identity Protection risk signals can be used by Conditional Access policies.

Why this answer

Microsoft Entra ID Protection (formerly Azure AD Identity Protection) detects sign-in risks such as anonymous IP addresses, atypical travel, or leaked credentials. When combined with Conditional Access policies, it can automatically require MFA for risky sign-ins, giving the compliance administrator precise control over user authentication based on real-time risk signals.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID Protection with basic MFA enforcement in Azure AD, but the question specifically requires managing sign-in risk, which only Identity Protection with Conditional Access can evaluate and respond to in real time.

How to eliminate wrong answers

Option A is wrong because the OneDrive sync client is a file synchronization tool and has no capability to evaluate sign-in risk or enforce MFA. Option B is wrong because Microsoft Bookings is a scheduling application and does not include identity protection or conditional access features. Option D is wrong because Microsoft Teams live events is a broadcast feature for video and presentations, not an identity or security management tool.

28
MCQhard

Refer to the exhibit. A Microsoft Entra ID role assignment is shown. An administrator is assigned the Global Reader role with a condition. What is the effect of the condition?

A.The administrator can create new users.
B.The condition has no practical effect because Global Reader already cannot write role assignments.
C.The administrator can only read security recommendations.
D.The administrator cannot assign roles to other users.
AnswerB

The condition is redundant for Global Reader.

Why this answer

Option B is correct because the condition prevents the Global Reader from writing role assignments, but since Global Reader already cannot write role assignments, the condition is redundant. Option A is incorrect because Global Reader inherently cannot create users. Option C is incorrect because the condition does not restrict read access.

Option D is incorrect because the condition only blocks role assignment write operations.

29
MCQmedium

A compliance officer needs to automatically label and encrypt documents that contain personally identifiable information (PII) when they are saved in SharePoint. The labeling should happen without manual user intervention. Which Microsoft Purview feature should they configure?

A.Sensitivity labels (auto-labeling policy)
B.Data Loss Prevention (DLP) policy
C.Retention labels
D.Communication Compliance
AnswerA

Correct. Auto-labeling policies for sensitivity labels can automatically apply labels (including encryption) to documents containing sensitive content like PII.

Why this answer

Sensitivity labels with auto-labeling policies in Microsoft Purview can automatically detect and classify documents containing PII when they are saved in SharePoint, and apply encryption based on the label configuration. This meets the requirement of automatic, user-intervention-free labeling and encryption by scanning content for sensitive data types (e.g., Social Security numbers) and applying the label at rest.

Exam trap

The trap here is confusing auto-labeling with DLP policies, as both deal with sensitive data, but DLP focuses on preventing data loss during transit or sharing, not on automatic classification and encryption of stored documents.

How to eliminate wrong answers

Option B (Data Loss Prevention policy) is wrong because DLP policies are designed to prevent unauthorized sharing or leakage of sensitive data by blocking or warning users, not to automatically label and encrypt documents at rest in SharePoint. Option C (Retention labels) is wrong because retention labels are used to manage data lifecycle (retention and deletion) and do not inherently apply encryption or classification based on PII content. Option D (Communication Compliance) is wrong because it focuses on monitoring and reviewing communications (e.g., email, Teams) for policy violations, not on automatically labeling and encrypting documents stored in SharePoint.

30
MCQmedium

A tenant administrator is advising a department that wants to grant temporary, approved privileged administrator access. Which Microsoft security, identity, or compliance capability should it use?

A.Privileged Identity Management (PIM)
B.Microsoft Forms
C.Microsoft Stream
D.Microsoft Planner
AnswerA

PIM provides just-in-time, time-bound privileged role activation with approval and auditing.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time privileged access, allowing the tenant administrator to grant temporary, approved administrator roles with time-bound activation and approval workflows. PIM is part of Microsoft Entra ID Governance and directly addresses the requirement for temporary privileged access with oversight.

Exam trap

The trap here is that candidates may confuse PIM with other Microsoft 365 tools that have 'management' or 'planning' in their names, but only PIM provides the specific privileged access governance required for temporary administrator roles.

How to eliminate wrong answers

Option B (Microsoft Forms) is wrong because it is a survey and data collection tool, not designed for identity or access management. Option C (Microsoft Stream) is wrong because it is a video hosting and sharing platform, unrelated to privileged access control. Option D (Microsoft Planner) is wrong because it is a task management and planning tool, lacking any security or identity governance capabilities.

31
Multi-Selecthard

A legal team needs to ensure that all documents related to an ongoing case are retained for exactly 7 years and then automatically deleted. During the retention period, no user should be able to permanently delete these documents. Which two Microsoft Purview features should be used together to meet this requirement? (Choose two.)

Select 2 answers
A.Retention policy
B.Retention label
C.Litigation hold
D.Data loss prevention (DLP) policy
AnswersA, B

A retention policy can auto-apply a retention label to content and enforce the retention and deletion settings across locations.

Why this answer

A retention policy is correct because it can be applied at the site or folder level to enforce a mandatory 7-year retention period for all documents in a location, such as a SharePoint site for the legal case. It prevents users from permanently deleting documents during the retention period by blocking deletion actions and preserving the content in a preservation hold library.

Exam trap

The trap here is that candidates often confuse Litigation hold with a time-based retention policy, not realizing that Litigation hold is indefinite and requires manual release, whereas a retention policy can enforce a specific duration with automatic deletion.

32
Multi-Selecthard

A multinational corporation must comply with GDPR. They need to ensure that personal data of EU residents is retained for a specific period and then securely deleted. Additionally, they must be able to respond to data subject access requests (DSARs) within 30 days by finding and exporting relevant data. Which two Microsoft Purview solutions should they use together? (Choose two.)

Select 2 answers
A.Retention policies
B.Data Lifecycle Management (via sensitivity labels)
C.eDiscovery (Premium)
D.Audit (Standard)
AnswersA, C

Retention policies can automatically retain personal data for a defined period and then delete it, meeting GDPR retention and erasure obligations.

Why this answer

Retention policies (A) are correct because they allow organizations to define rules that retain personal data for a specific period and then automatically delete it, meeting GDPR retention and secure deletion requirements. eDiscovery (Premium) (C) is correct because it enables searching, collecting, and exporting data from various Microsoft 365 workloads to fulfill data subject access requests (DSARs) within the 30-day regulatory timeframe.

Exam trap

The trap here is that candidates confuse Data Lifecycle Management (via sensitivity labels) with retention policies, not realizing that sensitivity labels handle classification and protection, not automated time-based retention and deletion, while retention policies are the correct tool for that purpose.

33
MCQmedium

A security administrator needs to ensure that all users accessing Microsoft 365 resources from unmanaged devices are prompted to sign in using multi-factor authentication (MFA) and are blocked from downloading sensitive files. Which conditional access policy should be configured?

A.Require MFA for all users
B.Block access from unknown locations
C.App protection policies
D.Conditional Access policy with device compliance and session controls
AnswerD

This allows you to require MFA for unmanaged devices and apply session policies to block download of sensitive files, meeting both requirements.

Why this answer

Option D is correct because a Conditional Access policy with device compliance and session controls allows the administrator to require MFA for sign-ins from unmanaged devices and use session controls (e.g., Microsoft Defender for Cloud Apps session policies) to block downloading sensitive files. This policy targets specific conditions (unmanaged devices) and applies granular access controls, meeting both requirements precisely.

Exam trap

The trap here is that candidates confuse App Protection Policies (MAM) with Conditional Access session controls, not realizing that MAM policies manage app-level data protection without controlling sign-in MFA or blocking downloads based on device compliance, while Conditional Access with session controls can enforce both conditions in a single policy.

How to eliminate wrong answers

Option A is wrong because requiring MFA for all users does not differentiate between managed and unmanaged devices, nor does it block file downloads; it only enforces MFA globally. Option B is wrong because blocking access from unknown locations restricts access based on geographic IP addresses, not device management status, and does not control file downloads. Option C is wrong because App Protection Policies (MAM) manage data protection within apps on devices (e.g., preventing copy/paste or save-as), but they do not enforce MFA at sign-in or block downloads based on device compliance; they are applied to apps, not sign-in conditions.

34
MCQmedium

A department head asks which Microsoft 365 option should be used to search, review, and export content for a legal investigation. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Forms
B.Microsoft Stream
C.Microsoft Purview eDiscovery
D.Microsoft Planner
AnswerC

eDiscovery supports identifying, preserving, collecting, reviewing, and exporting content.

Why this answer

Microsoft Purview eDiscovery is the correct choice because it is the dedicated Microsoft 365 compliance solution for searching, reviewing, and exporting content in legal investigations. It provides advanced search capabilities across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, and supports legal hold, review sets, and export workflows to meet eDiscovery requirements.

Exam trap

The trap here is that candidates may confuse general productivity tools (Forms, Stream, Planner) with compliance capabilities, failing to recognize that only Microsoft Purview eDiscovery is designed for legal content search and export within the Microsoft 365 security and compliance center.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and data collection tool, not a compliance or security solution for legal content search and export. Option B is wrong because Microsoft Stream is a video hosting and sharing platform, lacking any eDiscovery or legal investigation capabilities. Option D is wrong because Microsoft Planner is a task management and project planning tool, with no features for searching, reviewing, or exporting content for legal purposes.

35
MCQhard

A multinational company uses Microsoft 365 E5 and needs to meet data residency requirements in the EU and Asia. They plan to use Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from leaving approved geographic boundaries. Which action should they take to enforce this policy?

A.Apply sensitivity labels to all data and configure auto-labeling.
B.Enable Microsoft Purview Customer Lockbox to restrict data access.
C.Configure Conditional Access policies to block access from unauthorized regions.
D.Create a DLP policy that detects sensitive data and blocks sharing outside approved regions.
AnswerD

DLP policies can block sharing based on geographic location.

Why this answer

Option D is correct because DLP policies can be scoped to specific locations using conditions like 'Content contains sensitive info type' and 'Location'. Option C is incorrect because Conditional Access controls access, not data movement. Option A is incorrect because sensitivity labels alone do not block transfer.

Option B is incorrect because Customer Lockbox is for access control, not data location enforcement.

36
MCQmedium

Your company uses Microsoft Defender for Office 365 and wants to prevent users from clicking malicious links in email. A user reports that a known phishing link was not blocked. Which step should you take to investigate?

A.Check the Microsoft Secure Score for recommendations.
B.Review the Safe Links policy to ensure it is enabled.
C.Search in Threat Explorer for the URL and review the verdict.
D.Run an attack simulation to test the link.
AnswerC

Threat Explorer provides details on why a link was allowed or blocked.

Why this answer

Option C is correct because Threat Explorer allows searching for specific URLs and email messages to analyze threats. Option D is incorrect because Attack simulation training is for creating phishing simulations, not investigating past emails. Option B is incorrect because Safe Links policies are configured in the portal.

Option A is incorrect because the Security posture score is for overall maturity, not specific incidents.

37
MCQmedium

A compliance team needs to prevent employees from copying sensitive data (such as financial records or customer PII) to USB drives and other removable media from their Windows 10/11 devices. When a user attempts to copy data to an unapproved USB device, the action should be blocked and an alert should be generated. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Lifecycle Management (retention policies)
B.Microsoft Purview Information Protection (sensitivity labels)
C.Microsoft Purview Data Loss Prevention (DLP) with device policies
D.Microsoft Purview eDiscovery (Standard or Premium)
AnswerC

Endpoint DLP policies can detect and block attempts to copy sensitive data to removable media, providing real-time protection and alerts.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) with device policies is the correct solution because it is specifically designed to monitor and control actions like copying sensitive data to removable media on Windows 10/11 endpoints. DLP device policies can block the copy action to unapproved USB devices and generate alerts when a policy violation occurs, directly addressing the compliance team's requirement to prevent data exfiltration via USB drives.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify and protect data) with DLP policies (which enforce actions like blocking copy to USB), but sensitivity labels alone cannot block endpoint-level copy actions without DLP device policies.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management (retention policies) governs how long data is retained and when it is deleted, not real-time blocking of copy actions to removable media. Option B is wrong because Microsoft Purview Information Protection (sensitivity labels) classifies and protects data with encryption or visual markings but does not enforce endpoint-level controls like blocking USB copy actions. Option D is wrong because Microsoft Purview eDiscovery (Standard or Premium) is used for legal discovery and search of content, not for preventing data exfiltration via removable media.

38
MCQmedium

A company uses Microsoft Purview Communication Compliance to detect inappropriate messages. Which action can an administrator take after reviewing a flagged message?

A.Apply a retention policy to the message
B.Create a DLP policy based on the message
C.Resolve the case with a notification to the sender
D.Recall the message from the recipient
AnswerC

The administrator can notify the sender of the policy violation and close the case.

Why this answer

Option C is correct. Communication Compliance allows administrators to resolve cases with actions like 'Resolve with notification' or escalate. Option A is wrong because retention policies are separate.

Option B is wrong because DLP policies are not automatically created from Communication Compliance. Option D is wrong because message recall is not a direct action in Communication Compliance.

39
Multi-Selecteasy

Which TWO of the following are examples of Microsoft's commitments to data privacy as outlined in the Microsoft Privacy Statement and related agreements? (Choose two.)

Select 2 answers
A.Microsoft uses customer data to train AI models by default.
B.Microsoft may share customer data with third parties for marketing purposes.
C.Customers can access and export their data.
D.Microsoft allows third parties to access customer data without consent.
E.Customer data is not used for advertising.
AnswersC, E

Data portability is a key privacy commitment.

Why this answer

Option E is correct: Microsoft does not use customer data for advertising. Option C is correct: Microsoft provides data portability. Option B is wrong because Microsoft does not share customer data with third parties for marketing.

Option A is wrong because Microsoft does not use customer data for AI training without consent. Option D is wrong because Microsoft does not allow third-party access without customer consent.

40
Multi-Selecteasy

Which THREE are core pillars of the Microsoft Trust Center?

Select 3 answers
A.Compliance
B.Reliability
C.Transparency
D.Security
E.Privacy
AnswersA, D, E

Compliance is a core pillar.

Why this answer

Options A, D, and E are correct. The Trust Center pillars are Security, Privacy, and Compliance. Options B and C are not core pillars.

41
MCQhard

Refer to the exhibit. The exhibit shows a Conditional Access policy. Which requirement does this policy enforce?

A.Users from trusted IPs are blocked.
B.Users must provide MFA only.
C.Users must provide MFA and use a compliant device.
D.Users must provide MFA or use a compliant device.
AnswerC

Grant controls include MFA and compliant device with AND operator.

Why this answer

Option C is correct because the policy requires both MFA and a compliant device (AND operator). Option D is incorrect because the policy requires both, not either. Option B is incorrect because the policy enforces both controls.

Option A is incorrect because the policy includes all locations except Trusted IPs; because Trusted IPs are excluded, the policy does not apply to them, and it does not block access.

42
MCQmedium

A user reports receiving a phishing email that bypassed Exchange Online Protection (EOP). What should you configure to add a second layer of defense against sophisticated phishing attacks?

A.Purchase and assign Microsoft Defender for Office 365 Plan 2 licenses
B.Block all external images in email
C.Enable Safe Attachments in Exchange Online Protection
D.Configure DKIM signing for your domain
AnswerA

Defender for Office 365 Plan 2 includes advanced anti-phishing, impersonation, and automated investigation.

Why this answer

Microsoft Defender for Office 365 Plan 2 provides advanced anti-phishing policies, including impersonation protection and automated investigation. Option C (Safe Attachments in EOP) is basic. Option D (DKIM) is email authentication.

Option B (blocking all external images) is not a standard anti-phishing measure.

43
MCQeasy

A company needs to audit user activities in Microsoft 365 for compliance. Which tool should they use?

A.Microsoft Defender XDR
B.Microsoft Sentinel
C.Microsoft Purview Audit (Premium)
D.Microsoft Intune
AnswerC

Audit logs user and admin activities for compliance.

Why this answer

Microsoft Purview Audit (Premium) provides comprehensive auditing of user and admin activities. Option C is correct. The other options are for other purposes.

44
MCQeasy

Your company uses Microsoft 365 and wants to ensure that when employees share sensitive documents externally, access is automatically revoked after 30 days. Which solution should you use?

A.Microsoft Intune
B.Microsoft Defender for Cloud Apps
C.Microsoft Entra ID Conditional Access
D.Microsoft Information Protection (MIP)
AnswerC

Conditional Access policies can require session timeouts and revoke access after a defined period.

Why this answer

Azure AD (Entra ID) Conditional Access policies can enforce access time limits. Option D (MIP) classifies data. Option B (Defender for Cloud Apps) provides session control.

Option A (Intune) manages devices, not access duration.

45
MCQhard

A company uses Microsoft 365 (a SaaS offering). A security incident occurs where an employee's account is compromised because the employee reused their corporate password on a personal website. According to the shared responsibility model, who is primarily responsible for this security failure?

A.The customer (the company using Microsoft 365)
B.Microsoft, because they provide the SaaS platform
C.Both Microsoft and the customer share equal responsibility
D.It depends on the contract terms with Microsoft
AnswerA

Correct. The customer is responsible for managing user identities, credentials, and access policies. The breach was due to weak password practices.

Why this answer

In the Microsoft 365 shared responsibility model, the customer is responsible for securing user identities, including password hygiene and multi-factor authentication (MFA). Since the employee reused their corporate password on a personal website, this is a customer-side identity management failure, not a platform vulnerability. Microsoft secures the SaaS infrastructure, but customer-managed credentials fall under the customer's responsibility.

Exam trap

The trap here is that candidates often assume SaaS means Microsoft handles all security, but the shared responsibility model clearly places identity and credential management on the customer, especially for user-caused password reuse incidents.

How to eliminate wrong answers

Option B is wrong because Microsoft is responsible for the security of the SaaS platform itself (e.g., physical data centers, network infrastructure, and service-level controls), not for how customers manage their own user credentials or enforce password policies. Option C is wrong because the shared responsibility model does not assign equal responsibility for all incidents; identity and access management (IAM) tasks like password policies and user training are explicitly customer obligations. Option D is wrong because the shared responsibility model is a standard framework defined by Microsoft for all Microsoft 365 tenants, not a negotiable contract term; while specific contractual clauses may add details, the core division of responsibilities is fixed.

46
MCQmedium

A business stakeholder asks how Microsoft 365 can help them protect Windows endpoints with endpoint detection and response capabilities. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Planner
B.Microsoft Forms
C.Microsoft Stream
D.Microsoft Defender for Endpoint
AnswerD

Defender for Endpoint provides endpoint protection, detection, and response.

Why this answer

Microsoft Defender for Endpoint is the correct choice because it provides endpoint detection and response (EDR) capabilities specifically designed to protect Windows endpoints. It uses behavioral sensors, cloud analytics, and threat intelligence to detect, investigate, and respond to advanced threats in real time, aligning directly with the stakeholder's request.

Exam trap

The trap here is that candidates may confuse general productivity tools (Planner, Forms, Stream) with security capabilities, failing to recognize that only Microsoft Defender for Endpoint is purpose-built for endpoint detection and response (EDR) in Microsoft 365.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a project management tool for task assignment and scheduling, not a security capability. Option B is wrong because Microsoft Forms is a survey and data collection tool, lacking any endpoint detection or response functionality. Option C is wrong because Microsoft Stream is a video hosting and sharing platform, unrelated to endpoint security or threat detection.

47
MCQeasy

Your company wants to run a phishing simulation to test employee awareness. Which Microsoft 365 tool can you use to create and launch a simulated phishing campaign?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Office 365 Attack Simulation Training
C.Microsoft Intune
D.Microsoft Purview Compliance Manager
AnswerB

Attack Simulation Training is designed for phishing simulations.

Why this answer

Microsoft Defender for Office 365 includes Attack Simulation Training, which allows you to create and launch simulated phishing attacks. Option B is correct. Option A (Defender for Cloud Apps) is a CASB, Option C (Microsoft Intune) is for device management, and Option D (Microsoft Purview Compliance Manager) is for compliance.

48
MCQmedium

A company wants to ensure that all administrative actions in Microsoft 365 are logged and that any changes to roles and permissions are reviewed on a monthly basis. Which Microsoft Purview solution should the compliance team use?

A.Audit (Standard)
B.Audit (Premium)
C.Privileged Access Management
D.Privileged Identity Management
AnswerD

PIM enables recurring access reviews of privileged roles, ensuring that changes to roles and permissions are reviewed monthly.

Why this answer

Privileged Identity Management (PIM) is the correct solution because it provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions. PIM also generates audit logs for role activations and changes, and supports periodic access reviews (e.g., monthly reviews of role assignments) through Microsoft Entra ID access reviews, directly meeting the requirement to review changes to roles and permissions on a monthly basis.

Exam trap

The trap here is that candidates often confuse Privileged Access Management (PAM) with Privileged Identity Management (PIM), but PAM is for task-level just-in-time access while PIM is for role-level lifecycle management and recurring reviews.

How to eliminate wrong answers

Option A is wrong because Audit (Standard) only captures basic events like user sign-ins and mailbox access, not the detailed role activation or permission change logs needed for monthly review of administrative roles. Option B is wrong because Audit (Premium) provides more detailed logging (e.g., when admin users access sensitive items) but does not include the ability to schedule or enforce monthly access reviews of role assignments. Option C is wrong because Privileged Access Management (PAM) is focused on just-in-time access for specific high-risk tasks (e.g., changing a mailbox permission) and does not provide the role assignment lifecycle management or recurring review capabilities that PIM offers.

49
MCQhard

Adventure Works is a global manufacturing company with 10,000 employees using Microsoft 365 E3. They have a hybrid identity setup with Microsoft Entra Connect syncing on-premises Active Directory to Microsoft Entra ID. The company wants to implement a zero-trust security model and has identified that many users still use weak passwords and do not use MFA. They want to enforce MFA for all users, but they also want to allow users to register for MFA on their own using the Microsoft Authenticator app. The security team is concerned about phishing attacks and wants to use a more secure MFA method. Additionally, they want to ensure that any new user created in on-premises AD is automatically enabled for MFA within 24 hours. What should you recommend?

A.Configure Identity Protection to enforce MFA for risky sign-ins.
B.Enable per-user MFA in the Microsoft 365 admin center for all users.
C.Enable self-service password reset (SSPR) and require MFA for password changes.
D.Create a Conditional Access policy that requires MFA for all users and configure authentication methods policy to allow only Microsoft Authenticator.
AnswerD

This enforces MFA for all sign-ins and uses a secure method. New users are automatically covered.

Why this answer

Option D is correct. A Conditional Access policy with 'Require multifactor authentication' for all users is the best approach. Combined with a 'Security Defaults' or MFA registration policy, users can self-register. Using 'Microsoft Authenticator' as the authentication method can be enforced via the authentication methods policy. For new users, the Conditional Access policy will apply automatically when they sign in.

Option A (Identity Protection) is for risk-based policies, not blanket MFA. Option B (per-user MFA) is outdated and not scalable. Option C (SSPR) does not enforce MFA.

50
Multi-Selectmedium

Which THREE of the following are security features included in Microsoft 365 Business Premium? (Choose three.)

Select 3 answers
A.Microsoft Entra ID Plan 1
B.Microsoft Sentinel
C.Microsoft Purview Data Loss Prevention
D.Microsoft Defender for Business
E.Microsoft Defender for Cloud Apps
AnswersA, C, D

Entra ID P1 is included for identity management.

Why this answer

Option A is correct: Microsoft Entra ID Plan 1 is included. Option C is correct: Microsoft Purview DLP is included. Option D is correct: Microsoft Defender for Business is included.

Option B is wrong because Microsoft Sentinel is not included in Business Premium. Option E is wrong because Microsoft Defender for Cloud Apps (Cloud App Security) is not included as a full feature; some capabilities are included but not the full product.

51
MCQmedium

A user accidentally shared a file containing credit card numbers with a partner organization. You need to prevent similar incidents and detect when such data is shared externally. What should you configure?

A.Azure Information Protection (AIP)
B.Microsoft Purview eDiscovery
C.Microsoft 365 Data Loss Prevention (DLP) policy
D.Information Rights Management (IRM)
AnswerC

DLP policies detect sensitive data like credit card numbers and block sharing.

Why this answer

A DLP policy (C) can detect credit card numbers and block external sharing. Option D (IRM) protects files after sharing. Option A (AIP) is now part of MIP. Option B (eDiscovery) is for search, not prevention.

52
Multi-Selectmedium

Which THREE are features of Microsoft Purview Information Protection?

Select 3 answers
A.Auto-labeling for sensitive data
B.Encryption for emails and documents
C.Data loss prevention policies
D.Retention policies
E.Sensitivity labels
AnswersA, B, E

Auto-labeling automatically applies labels based on content.

Why this answer

Options A, B, and E are correct. Information Protection includes sensitivity labels, auto-labeling, and encryption. Option C is wrong because DLP is a separate solution. Option D is wrong because retention policies are part of Data Lifecycle Management.

53
Multi-Selectmedium

Which TWO of the following are features of Microsoft Purview Information Protection?

Select 2 answers
A.Sensitivity labels
B.Data Loss Prevention (DLP) policies
C.Encryption for emails and documents
D.eDiscovery (Premium)
E.Azure Information Protection (AIP) scanner
AnswersA, C

Sensitivity labels are a core part of Information Protection.

Why this answer

Information Protection includes sensitivity labels and encryption. AIP scanner is for on-premises, DLP is separate, and eDiscovery is also separate.

54
MCQhard

A compliance officer wants to proactively prevent users from sending emails that contain sensitive personal data (e.g., credit card numbers) to external recipients. When a user attempts to send such an email, they should see a policy tip explaining the restriction and be blocked from sending. Which Microsoft Purview feature should be configured?

A.Microsoft Purview Data Loss Prevention (DLP) policy
B.Microsoft Purview Information Barriers
C.Microsoft Purview Records Management
D.Microsoft Purview Communication Compliance
AnswerA

DLP policies can scan email content for sensitive information (e.g., credit card numbers), block the message from being sent, and display a customizable policy tip to educate the user. This matches the requirement exactly.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policy is the correct feature because it is specifically designed to detect sensitive data (e.g., credit card numbers) in transit and enforce actions such as showing a policy tip and blocking the email. DLP policies use sensitive information types (e.g., Credit Card Number) and conditions to inspect email content in Exchange Online, triggering a block action with an end-user notification when a match occurs.

Exam trap

The trap here is that candidates often confuse Communication Compliance (which reviews messages after they are sent) with DLP (which proactively blocks messages in transit), leading them to select Communication Compliance when the question explicitly requires proactive blocking with a policy tip.

How to eliminate wrong answers

Option B (Microsoft Purview Information Barriers) is wrong because Information Barriers are used to prevent communication between specific groups or users (e.g., to avoid conflicts of interest), not to scan for sensitive data patterns like credit card numbers. Option C (Microsoft Purview Records Management) is wrong because Records Management focuses on classifying, retaining, and disposing of records based on regulatory requirements, not on real-time content inspection and blocking of outbound emails. Option D (Microsoft Purview Communication Compliance) is wrong because Communication Compliance is designed to detect policy violations in communications (e.g., harassment, insider trading) by reviewing messages after they are sent, not to proactively block emails based on sensitive data patterns.

55
MCQmedium

A company is preparing for a merger and wants to prevent communication between the Human Resources and Research departments regarding sensitive salary data during the due diligence period. They need a Microsoft Purview solution that can block all email and chat between users in these two groups, as well as prevent file sharing in Teams and SharePoint. Which solution should they configure?

A.Information Barriers
B.Data Loss Prevention (DLP)
C.Sensitivity Labels
D.eDiscovery (Premium)
AnswerA

Correct. Information Barriers enforce policies to prevent communication and collaboration between defined segments, covering email, Teams chat, file sharing, and more.

Why this answer

Information Barriers (IB) in Microsoft Purview are specifically designed to prevent communication and collaboration between defined user groups, such as HR and Research, by blocking email, Teams chat, and SharePoint/OneDrive file sharing. This solution enforces policies at the transport and service level, ensuring that sensitive salary data is not inadvertently shared during the merger due diligence period.

Exam trap

The trap here is that candidates often confuse Information Barriers with DLP, assuming that blocking sensitive data patterns is equivalent to blocking all communication between groups, but DLP cannot enforce department-wide communication restrictions—it only acts on content matches.

How to eliminate wrong answers

Option B (Data Loss Prevention) is wrong because DLP policies monitor and prevent the sharing of sensitive data (e.g., credit card numbers) based on content inspection, but they do not block all communication between two entire departments—they only act on specific data patterns. Option C (Sensitivity Labels) is wrong because labels classify and protect data with encryption or visual markings, but they do not enforce communication blocks between groups; they require users to apply them and do not prevent chat or email between departments. Option D (eDiscovery Premium) is wrong because eDiscovery is used for searching, preserving, and exporting content for legal or investigative purposes, not for proactively blocking real-time communication or file sharing.

56
Multi-Selectmedium

Which TWO of the following are features of Microsoft Purview that help organizations meet compliance requirements for data lifecycle management? (Choose two.)

Select 2 answers
A.Retention policies
B.eDiscovery (Premium)
C.Records management
D.Insider Risk Management
E.Data Loss Prevention (DLP) policies
AnswersA, C

Retention policies define how long data is kept.

Why this answer

Option A is correct: Retention policies manage data lifecycle. Option C is correct: Records management helps manage records retention. Option E is wrong because DLP is for data loss prevention, not lifecycle. Option B is wrong because eDiscovery is for search and export. Option D is wrong because Insider Risk Management is for risk detection.

57
Multi-Selectmedium

An organisation wants to identify documents containing credit card numbers and prevent users from sharing them externally from SharePoint Online and Exchange Online. Which two Microsoft Purview capabilities are most relevant? (Choose 2.)

Select 2 answers
A.Sensitive information types.
B.Data Loss Prevention policies.
C.Microsoft Bookings.
D.Windows Autopilot.
AnswersA, B

They detect patterns such as credit card numbers.

Why this answer

Sensitive information types (A) are predefined or custom patterns that detect sensitive data like credit card numbers using regex and checksum validation. Data Loss Prevention policies (B) use these sensitive information types to enforce rules that block external sharing of documents containing credit card numbers in SharePoint Online and Exchange Online. Together, they identify the sensitive content and prevent its unauthorized external distribution.

Exam trap

The trap here is that candidates may confuse Microsoft Purview capabilities with unrelated Microsoft 365 services like Bookings or Autopilot, failing to recognize that only sensitive information types and DLP policies directly address content inspection and sharing controls for compliance scenarios.

58
MCQmedium

A compliance administrator needs to retain mailbox content for legal investigation. Which Microsoft 365 capability is the best fit?

A.Microsoft Teams live events
B.Microsoft Bookings
C.OneDrive sync client
D.eDiscovery and retention capabilities in Microsoft Purview
AnswerD

Purview eDiscovery and retention help preserve and search content for investigations.

Why this answer

eDiscovery and retention capabilities in Microsoft Purview are designed specifically for legal investigations, allowing compliance administrators to preserve mailbox content via legal holds, search across mailboxes, and export data for litigation. This directly meets the requirement to retain mailbox content for legal investigation, unlike the other options which serve unrelated business functions.

Exam trap

The trap here is that candidates may confuse general data storage or communication tools (like OneDrive or Teams) with compliance-specific features, overlooking that only Purview provides the legal hold and search capabilities required for retaining mailbox content in investigations.

How to eliminate wrong answers

Option A is wrong because Microsoft Teams live events is a broadcast and meeting feature for large audiences, not a compliance tool for retaining mailbox content. Option B is wrong because Microsoft Bookings is a scheduling and appointment management app, lacking any data retention or eDiscovery functionality. Option C is wrong because the OneDrive sync client is for synchronizing files between a local device and cloud storage, not for preserving or searching mailbox content for legal purposes.

59
MCQmedium

A compliance officer needs to automatically detect when an employee attempts to send an email containing a social security number (SSN) to an external recipient. The solution should block the email from being sent and notify the employee with a policy tip. Which Microsoft Purview solution should be configured?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Information Protection
C.Microsoft Purview eDiscovery
D.Microsoft Purview Audit
AnswerA

DLP policies can identify sensitive data like SSNs and block the email, providing a policy tip to the user.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect sensitive information (such as social security numbers) in emails and other data in transit. When a DLP policy is configured with a rule that matches the SSN condition and an action to block the message, it automatically prevents the email from being sent and displays a policy tip to the user, notifying them of the violation. This aligns directly with the requirement to both block the email and provide real-time user notification.

Exam trap

The trap here is that candidates often confuse Information Protection (labeling) with Data Loss Prevention (enforcement), assuming that applying a sensitivity label automatically blocks data exfiltration, when in fact DLP policies are required to enforce actions like blocking and policy tips.

How to eliminate wrong answers

Option B (Microsoft Purview Information Protection) is wrong because it focuses on classifying and labeling sensitive data (e.g., applying sensitivity labels) but does not include the ability to block email transmission or enforce real-time actions like policy tips; it is a classification and protection layer, not a blocking enforcement mechanism. Option C (Microsoft Purview eDiscovery) is wrong because it is used for searching and exporting content for legal or investigative purposes, not for preventing data exfiltration or providing user notifications during email composition. Option D (Microsoft Purview Audit) is wrong because it logs user and admin activities for forensic review but cannot block emails or display policy tips; it is a passive logging tool, not an active enforcement solution.

60
MCQmedium

A legal firm needs to send a confidential document to a client via email. The firm requires that the client cannot forward or print the email and that the email expires after seven days. Which Microsoft Purview solution should they use?

A.Microsoft Purview Message Encryption
B.Data Loss Prevention (DLP) policies
C.Sensitivity labels
D.eDiscovery (Premium)
AnswerA

Correct. Message Encryption with IRM enables restrictions like preventing forwarding/printing and setting an expiration date on email messages.

Why this answer

Microsoft Purview Message Encryption (A) is the correct solution because it allows the legal firm to apply usage restrictions such as preventing forwarding and printing, and to set an expiration period of seven days on the email. This is achieved through Azure Rights Management (Azure RMS) templates that enforce these controls directly on the encrypted message, ensuring the client cannot bypass the restrictions.

Exam trap

The trap here is that candidates often confuse sensitivity labels with Message Encryption, not realizing that while labels can apply encryption, they do not natively support per-message expiration or granular usage restrictions like 'do not forward' and 'do not print' without additional configuration via Azure RMS templates, which is exactly what Message Encryption provides out-of-the-box.

How to eliminate wrong answers

Option B (Data Loss Prevention (DLP) policies) is wrong because DLP policies are designed to detect and prevent the accidental sharing of sensitive information (e.g., credit card numbers) by blocking or warning users, but they do not provide granular post-delivery controls like 'do not forward' or 'expire after 7 days'. Option C (Sensitivity labels) is wrong because while sensitivity labels can apply encryption and visual markings, they do not natively support per-message expiration or specific usage restrictions like 'do not forward' or 'do not print' without being combined with Azure RMS templates; the question asks for a solution that directly provides these controls, which is Message Encryption. Option D (eDiscovery Premium) is wrong because eDiscovery is used for legal hold, search, and export of content for litigation or investigation, not for controlling how an email is used after it is sent.

61
Multi-Selectmedium

Which four of the following are key components of the Microsoft 365 defense-in-depth security strategy? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.Physical security of datacenters, including biometric access controls and 24/7 monitoring.
B.User identity protection via Azure AD Multi-Factor Authentication (MFA) and Conditional Access.
C.Data encryption at rest and in transit, using technologies like BitLocker and TLS.
D.Automated rollback of all user changes to previous versions within 24 hours.
E.Advanced Threat Protection (ATP) for email, SharePoint, and Teams, including anti-malware and anti-phishing.
F.Unrestricted access for Microsoft engineers to all customer data for continuous security scanning.

Why this answer

The Microsoft 365 defense-in-depth strategy relies on multiple layers of security controls. Physical security of datacenters (biometric access, 24/7 monitoring) is the foundational layer. User identity protection via Azure AD MFA and Conditional Access secures the authentication layer. Data encryption at rest (BitLocker) and in transit (TLS) protects data confidentiality. Advanced Threat Protection (ATP) for email, SharePoint, and Teams defends against malware and phishing at the workload layer. These four components collectively implement a layered security model.

Exam trap

The trap here is that candidates may confuse operational features like versioning or backup with core security layers, or mistakenly believe Microsoft has unrestricted access to customer data, when in fact the shared responsibility model and strict access controls are fundamental to the defense-in-depth strategy.

62
MCQmedium

During a Microsoft 365 planning workshop, an organization states that it must allow access to Exchange Online only from compliant devices. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Forms
B.Microsoft Intune compliance policies with Conditional Access
C.Microsoft Stream
D.Microsoft Planner
AnswerB

Intune evaluates compliance and Conditional Access enforces access decisions.

Why this answer

Microsoft Intune compliance policies define the security requirements (e.g., device encryption, jailbreak detection, minimum OS version) that a device must meet. When combined with Conditional Access in Azure AD, you can create a policy that blocks access to Exchange Online unless the device is marked as compliant by Intune. This ensures only compliant devices can connect, directly meeting the requirement.

Exam trap

The trap here is that candidates confuse productivity apps (Forms, Stream, Planner) with security services, failing to recognize that only Intune compliance policies combined with Conditional Access can enforce device-based access controls for Exchange Online.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and data collection tool, not a security or compliance capability—it cannot enforce device compliance or control access to Exchange Online. Option C is wrong because Microsoft Stream is a video hosting and sharing service; it has no role in device compliance enforcement or Conditional Access policies. Option D is wrong because Microsoft Planner is a task management and project planning tool; it provides no security controls for device-based access restrictions.

63
MCQmedium

A service owner is comparing Microsoft 365 capabilities and needs to prevent communication and collaboration between two business groups. Which Microsoft security, identity, or compliance capability should they use?

A.Information Barriers
B.Microsoft Forms
C.Microsoft Planner
D.Microsoft Stream
AnswerA

Information Barriers restrict communication and collaboration between defined groups.

Why this answer

Information Barriers (IB) in Microsoft 365 are specifically designed to prevent communication and collaboration between defined user groups, such as two business groups that must not interact. IB policies use segment-based rules to block chat, email, and file sharing across groups, enforced at the Exchange Online, Teams, and SharePoint levels. This directly meets the service owner's requirement to isolate groups, unlike the other options which are general-purpose tools without such isolation capabilities.

Exam trap

The trap here is that candidates may confuse Information Barriers with other compliance features like Data Loss Prevention (DLP) or sensitivity labels, but the question specifically asks for a capability that prevents communication and collaboration between groups, which is the exact purpose of Information Barriers, not data protection or classification.

How to eliminate wrong answers

Option B (Microsoft Forms) is wrong because it is a survey and data collection tool, not a security or compliance feature for blocking communication between groups. Option C (Microsoft Planner) is wrong because it is a task management and project planning tool, lacking any capability to enforce communication barriers. Option D (Microsoft Stream) is wrong because it is a video hosting and sharing platform, not designed for access control between business groups; it does not provide the required segmentation or policy enforcement.

64
MCQhard

An administrator configures the SharePoint Online sharing policy as shown in the exhibit. What is the result of this configuration?

A.External users from any domain can access content without accepting an invitation.
B.Only guests from any domain can access, but external users must be added manually.
C.External users and guests from fabrikam.com can access content after accepting an invitation.
D.External sharing is blocked for all domains except fabrikam.com.
AnswerC

The policy allows external user and guest sharing, restricts to fabrikam.com, and requires acceptance.

Why this answer

Option C is correct. The policy allows sharing with external users and guests, but only from fabrikam.com, and requires them to accept the sharing invitation. The other options do not match the configuration: the capability is ExternalUserAndGuestSharing, not just guest sharing; the allowed domain list permits fabrikam.com; and the blocked domain list is empty.

65
MCQmedium

A security administrator needs to ensure that all guest users who access Microsoft Teams are required to accept a terms of use agreement before accessing any company resources. Which Microsoft 365 identity protection feature should they configure?

A.Conditional Access policy with session control
B.Microsoft Entra ID Identity Protection
C.Terms of Use in Microsoft Entra ID
D.Privileged Identity Management
AnswerC

Microsoft Entra ID Terms of Use allows you to create and enforce agreements that users must accept before accessing applications, including Microsoft Teams for guest users.

Why this answer

Option C is correct because Microsoft Entra ID Terms of Use is the specific feature designed to present a terms-of-use agreement to users before they can access resources. When combined with a Conditional Access policy that targets guest users and requires acceptance of the terms, it ensures that guests must accept the agreement before accessing Microsoft Teams or any other company resource.

Exam trap

The trap here is confusing the general concept of 'Conditional Access' (which is the policy engine) with the specific grant control 'Terms of Use' that must be configured within it, leading candidates to pick Option A instead of C.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy with session control enforces restrictions like sign-in frequency or app control, not the presentation and acceptance of a terms-of-use agreement. Option B is wrong because Microsoft Entra ID Identity Protection is focused on detecting and responding to identity risks (e.g., leaked credentials, anomalous sign-ins), not on requiring user acceptance of legal agreements. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews, not the enforcement of terms-of-use acceptance for guest users.

66
Multi-Selecthard

Which THREE of the following are included in Microsoft 365 E5 compliance features? (Choose three.)

Select 3 answers
A.Privileged Access Management
B.Microsoft Intune
C.Customer Key
D.Basic audit log search
E.Communication Compliance
AnswersA, C, E

E5 feature to control privileged administrative access.

Why this answer

E5 includes advanced compliance features such as Communication Compliance, Customer Key, and Privileged Access Management. Options A, C, and E are correct. Option D is an E3 feature; Option B is not specific to compliance.

67
MCQmedium

A department head asks which Microsoft 365 option should be used to provide a cloud identity platform for Microsoft 365 and approved SaaS applications. Which Microsoft security, identity, or compliance capability should they use?

A.Microsoft Planner
B.Microsoft Forms
C.Microsoft Entra ID
D.Microsoft Stream
AnswerC

Microsoft Entra ID is Microsoft’s cloud identity and access management service.

Why this answer

Microsoft Entra ID (formerly Azure Active Directory) is the correct choice because it is the cloud-based identity and access management service that provides authentication, single sign-on (SSO), and conditional access for Microsoft 365 and thousands of pre-integrated SaaS applications. It acts as the identity platform, managing user identities and controlling access to resources, which directly aligns with the department head's requirement for a cloud identity platform.

Exam trap

The trap here is that candidates often confuse productivity tools (like Planner, Forms, or Stream) with security or identity services, mistakenly thinking any Microsoft 365 app can serve as an identity platform, when only Microsoft Entra ID provides the required cloud identity and access management capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and planning tool within Microsoft 365, not an identity platform; it cannot provide authentication or access control for SaaS applications. Option B is wrong because Microsoft Forms is a survey and data collection tool, used for creating forms and quizzes, with no identity or access management capabilities. Option D is wrong because Microsoft Stream is a video hosting and sharing service for enterprise video content, lacking any identity or security features for managing access to SaaS applications.

68
MCQ · hard

An administrator is assigned the Global Reader role in Microsoft Entra ID as shown in the exhibit. What can this administrator do?

A. View all user and group properties in the directory
B. Reset user passwords
C. Assign administrative roles to other users
D. Create new users in the directory
Answer: A

The Global Reader role grants read permissions to directory objects.

Why this answer

Option A is correct. Global Reader has read-only access to all Azure AD configuration. Option B is wrong because Global Reader cannot reset passwords. Option C is wrong because Global Reader cannot assign roles. Option D is wrong because the role does not include write permissions, so it cannot create users.

69
MCQ · medium

A company is deploying Microsoft 365 and needs to ensure that external sharing of sensitive documents is blocked. Which Microsoft Purview feature should they configure?

A. Data Loss Prevention (DLP) policies
B. Sensitivity labels
C. Information Barriers
D. Retention policies
Answer: A

DLP policies can detect and block sharing of sensitive information.

Why this answer

Information Barriers prevent communication and collaboration between specific groups, but DLP policies detect and block sharing of sensitive content. Sensitivity labels and retention policies do not block sharing. Option A is correct because DLP can block sharing of sensitive data.

70
MCQ · medium

A user reports that they cannot access a SharePoint site that contains sensitive data. The administrator confirms the user is licensed and the site permissions are correct. What should the administrator check next?

A. Microsoft Defender for Office 365 Safe Attachments
B. Microsoft Purview retention policies
C. Microsoft Intune device compliance policies
D. Conditional Access policies in Microsoft Entra ID
Answer: D

Conditional Access can block access to SharePoint based on policy conditions.

Why this answer

Conditional Access policies in Microsoft Entra ID can block access based on conditions like device compliance or location. Option D is correct. The other options are less likely given the scenario.

71
MCQ · medium

A compliance administrator needs to apply encryption and usage restrictions to confidential documents. Which Microsoft 365 capability is the best fit?

A. OneDrive sync client
B. Sensitivity labels
C. Microsoft Bookings
D. Microsoft Teams live events
Answer: B

Sensitivity labels classify and protect content, including encryption and access restrictions.

Why this answer

Sensitivity labels from Microsoft Purview Information Protection are the correct choice because they allow the compliance administrator to apply both encryption and usage restrictions (such as 'Do Not Forward' or custom permissions) directly to confidential documents. This capability integrates with Microsoft 365 apps to enforce protection persistently, even when the document is shared outside the organization.

Exam trap

The trap here is that candidates often confuse the OneDrive sync client's ability to sync encrypted files with the ability to apply encryption itself, or they mistakenly think Microsoft Teams live events can restrict document usage because it is a 'live' feature with attendee controls.

How to eliminate wrong answers

Option A is wrong because the OneDrive sync client is a file synchronization tool that syncs files between cloud and local devices; it does not apply encryption or usage restrictions to documents. Option C is wrong because Microsoft Bookings is a scheduling and appointment management tool, with no capability to enforce document-level encryption or usage restrictions. Option D is wrong because Microsoft Teams live events is a broadcast and streaming feature for large audiences; it does not provide document-level encryption or usage restriction controls.

72
MCQ · medium

An administrator is reviewing a request from users who need to detect risky users and suspicious sign-ins. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Entra ID Protection
B. Microsoft Planner
C. Microsoft Stream
D. Microsoft Forms
Answer: A

Microsoft Entra ID Protection detects identity risks such as risky users and risky sign-ins.

Why this answer

Microsoft Entra ID Protection is the correct choice because it is specifically designed to detect risky users and suspicious sign-ins by analyzing signals such as leaked credentials, anonymous IP addresses, and atypical travel patterns. It uses risk-based conditional access policies to automatically block or require multi-factor authentication for high-risk sign-ins, directly addressing the administrator's requirement.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID Protection with other Microsoft 365 security tools like Defender for Cloud Apps or Azure AD Identity Governance, but the question specifically asks for the capability that detects risky users and suspicious sign-ins, which is uniquely Entra ID Protection's core function.

How to eliminate wrong answers

Option B (Microsoft Planner) is wrong because it is a task management and project planning tool, not a security or identity capability; it cannot detect risky users or sign-ins. Option C (Microsoft Stream) is wrong because it is a video sharing and management service for enterprise content, lacking any identity protection or risk detection features. Option D (Microsoft Forms) is wrong because it is a survey and data collection tool, with no capability to analyze sign-in risks or user behavior for security purposes.

73
MCQ · medium

A tenant administrator is advising a department that wants to investigate incidents across identities, email, endpoints, and cloud apps in one experience. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Stream
B. Microsoft Defender XDR
C. Microsoft Forms
D. Microsoft Planner
Answer: B

Microsoft Defender XDR correlates alerts and incidents across multiple Defender workloads.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct choice because it provides a unified, cross-domain security operations platform that correlates alerts and incidents across identities (Azure AD), email (Exchange Online), endpoints (Microsoft Defender for Endpoint), and cloud apps (Microsoft Defender for Cloud Apps). This single-pane-of-glass experience allows a tenant administrator to investigate incidents holistically without switching between separate consoles.

Exam trap

The trap here is that candidates often confuse Microsoft 365 compliance or productivity tools (like Stream, Forms, or Planner) with security investigation capabilities, failing to recognize that only Defender XDR provides the unified incident investigation experience across identities, email, endpoints, and cloud apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video management and sharing service within Microsoft 365, not a security investigation tool; it lacks any incident correlation or cross-domain detection capabilities. Option C is wrong because Microsoft Forms is a survey and data collection tool used for creating quizzes and forms, with no role in security incident investigation or threat detection. Option D is wrong because Microsoft Planner is a task management and project planning application integrated with Microsoft Teams and To Do, and it does not provide any security monitoring, alerting, or incident investigation features.

74
Multi-Select · medium

Which TWO are key capabilities of Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A. Email encryption and secure messaging
B. Device compliance policy enforcement
C. On-device malware scanning
D. Cloud Discovery to identify shadow IT
E. Session control to monitor and control app access in real-time
Answers: D, E

Cloud Discovery identifies apps and users in your environment.

Why this answer

Defender for Cloud Apps provides Cloud Discovery (D) to identify cloud apps in use, and session control (E) to monitor and control app sessions. Option C (malware scanning) is for Defender for Endpoint. Option B (device compliance) is for Intune. Option A (email encryption) is for Office 365.

75
Multi-Select · hard

Which THREE of the following are included in Microsoft Defender XDR? (Choose three.)

Select 3 answers
A. Microsoft Defender for Endpoint
B. Microsoft Purview
C. Microsoft Sentinel
D. Microsoft Defender for Office 365
E. Microsoft Defender for Identity
Answers: A, D, E

Part of Defender XDR.

Why this answer

Option A is correct because Microsoft Defender for Endpoint is included. Option D is correct because Microsoft Defender for Office 365 is part of Defender XDR. Option E is correct because Microsoft Defender for Identity is part of Defender XDR. Option C is incorrect because Microsoft Sentinel is a separate SIEM. Option B is incorrect because Microsoft Purview is a compliance solution.
