CCNA Describe security, compliance, privacy, and trust in Microsoft 365 Questions

44 of 269 questions · Page 4/4 · Describe security, compliance, privacy, and trust in Microsoft 365 · Answers revealed

226
MCQhard

A compliance officer needs to ensure that any document containing passport numbers automatically gets a 'Highly Confidential' label and is encrypted when saved in SharePoint. The labeling should occur without any user interaction. Which Microsoft Purview feature should they configure?

A.Auto-labeling policy for sensitivity labels
B.Manual labeling using the Office apps
C.Retention labels with DLP policy
D.Trainable classifiers
AnswerA

Auto-labeling policies can automatically apply labels based on sensitive information types (e.g., passport numbers) without user intervention.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply a sensitivity label (e.g., 'Highly Confidential') to documents containing passport numbers when saved in SharePoint, without any user interaction. This is achieved by configuring a policy that uses sensitive info types (e.g., 'Passport Number') to detect the data and then automatically apply the label and encryption. The labeling occurs at rest, triggered by document upload or modification, meeting the compliance officer's requirement for zero user intervention.

Exam trap

The trap here is that candidates often confuse retention labels (which manage lifecycle) with sensitivity labels (which enforce protection like encryption), leading them to choose Option C, or they mistakenly think trainable classifiers (Option D) can directly apply labels without an auto-labeling policy.

How to eliminate wrong answers

Option B is wrong because manual labeling requires users to actively select a label in Office apps, which contradicts the requirement for automatic labeling without user interaction. Option C is wrong because retention labels are designed for managing data retention and deletion, not for applying encryption or sensitivity classifications; DLP policies can enforce actions but do not automatically apply sensitivity labels with encryption. Option D is wrong because trainable classifiers are used to identify content based on machine learning patterns (e.g., contracts or resumes), but they do not directly apply sensitivity labels or encryption; they can be used as conditions in auto-labeling policies, but the feature itself is not the policy that applies the label.

227
MCQeasy

Your organization is implementing Microsoft Entra ID (formerly Azure AD) for identity management. Users report that they are prompted for multifactor authentication (MFA) every time they sign in, even from trusted devices. What should you configure to reduce MFA prompts while maintaining security?

A.Define trusted IP ranges in Named locations.
B.Configure self-service password reset (SSPR) to require MFA less often.
C.Use Microsoft Entra Privileged Identity Management (PIM) to grant MFA exemption.
D.Modify the Conditional Access policy to set session control 'Sign-in frequency' to a longer period.
AnswerD

This allows users to skip MFA for a set duration on trusted devices.

Why this answer

Option D is correct because Conditional Access policies allow setting session persistence to remember MFA on trusted devices. Option A is incorrect because Named locations are for IP-based trust, not device trust. Option B is incorrect because MFA frequency is not set in password reset.

Option C is incorrect because Privileged Identity Management (PIM) is for just-in-time admin access.

228
Multi-Selectmedium

Which TWO Microsoft 365 security solutions are included in Microsoft Defender XDR (Extended Detection and Response)? (Choose two.)

Select 2 answers
A.Microsoft Defender for Office 365
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Endpoint
E.Microsoft Sentinel
AnswersA, D

Defender for Office 365 is a component of Microsoft Defender XDR.

Why this answer

Microsoft Defender XDR includes Defender for Office 365 (A) and Defender for Endpoint (D). Option B (Defender for Identity) is separate. Option C (Defender for Cloud Apps) is also separate.

Option E (Azure Sentinel) is a SIEM, not part of Defender XDR.

229
MCQmedium

A law firm uses Microsoft 365 and wants to ensure that only authorized users can access client files stored in SharePoint Online. They also need to track when these files are accessed. Which combination of features should they use?

A.Sensitivity labels with encryption and Microsoft Purview auditing.
B.Conditional Access policies and Privileged Identity Management (PIM).
C.eDiscovery cases and Content search.
D.Data Loss Prevention (DLP) policies and Microsoft Defender for Cloud Apps.
AnswerA

Encryption restricts access, and auditing logs access events.

Why this answer

Option A is correct: Sensitivity labels with encryption restrict access, and auditing tracks access. Option D is incorrect because DLP policies prevent data loss but do not restrict access or track it. Option B is incorrect because Conditional Access controls sign-in but not file-level access.

Option C is incorrect because eDiscovery is for search and hold, not access restriction.

230
MCQeasy

Your company wants to ensure that only managed and compliant devices can access Microsoft 365 resources. Which Microsoft 365 security feature enforces conditional access based on device compliance?

A.Microsoft Purview Compliance Manager
B.Microsoft Defender for Cloud Apps
C.Microsoft Sentinel
D.Microsoft Intune with Conditional Access in Microsoft Entra ID
AnswerD

Intune provides device compliance, and Entra ID Conditional Access enforces it.

Why this answer

Microsoft Intune manages device compliance policies, and when integrated with Conditional Access in Microsoft Entra ID, it enforces access based on compliance. Option D is the correct pairing. Options A, B, and C are not the primary tools for device compliance enforcement.

231
MCQmedium

A legal team is involved in a court case and needs to identify all emails and documents related to a specific project across the entire organization. They need to place these items on hold to prevent deletion or modification. Which Microsoft Purview solution should they use?

A.Data Loss Prevention (DLP)
B.eDiscovery (Standard)
C.Audit (Standard)
D.Communication Compliance
AnswerB

eDiscovery (Standard) enables searching across Microsoft 365 content, placing legal holds, and exporting results. It is the correct tool for this requirement.

Why this answer

Option B, eDiscovery (Standard), is correct because it is specifically designed for legal discovery processes, allowing authorized users to search for content across Exchange Online, SharePoint Online, OneDrive for Business, and Teams. It can place a legal hold on identified items to preserve them from deletion or modification, which directly meets the legal team's requirement to identify and hold all emails and documents related to a specific project.

Exam trap

The trap here is that candidates often confuse eDiscovery with Audit, thinking that logging all activities (Audit) is sufficient for legal holds, but Audit only records events and cannot preserve or search content for litigation purposes.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is focused on preventing sensitive data from being shared or leaked, not on searching for and preserving content for legal cases. Option C is wrong because Audit (Standard) provides logging and visibility into user and admin activities but does not include search capabilities or the ability to place holds on content. Option D is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) and does not provide the discovery or hold functionality needed for litigation.

232
MCQmedium

A compliance administrator needs to assess compliance posture against standards and improvement actions. Which Microsoft 365 capability is the best fit?

A.OneDrive sync client
B.Microsoft Teams live events
C.Microsoft Purview Compliance Manager
D.Microsoft Bookings
AnswerC

Compliance Manager provides assessments, improvement actions, and compliance scoring.

Why this answer

Microsoft Purview Compliance Manager is the correct choice because it provides a comprehensive dashboard for assessing an organization's compliance posture against standards like ISO 27001, NIST, and GDPR, and it offers actionable improvement actions with step-by-step guidance. It automatically tracks controls, assigns scores, and integrates with Microsoft Secure Score to help administrators prioritize remediation efforts.

Exam trap

The trap here is that candidates may confuse general security or productivity tools (like OneDrive or Teams) with compliance-specific capabilities, overlooking that Compliance Manager is the dedicated solution for assessing and improving compliance posture against standards.

How to eliminate wrong answers

Option A is wrong because the OneDrive sync client is a file synchronization tool that syncs local files with cloud storage; it has no compliance assessment or improvement action capabilities. Option B is wrong because Microsoft Teams live events is a broadcasting feature for large virtual meetings; it does not provide compliance posture evaluation or improvement actions. Option D is wrong because Microsoft Bookings is a scheduling and appointment management tool; it lacks any compliance assessment or remediation functionality.

233
MCQhard

A healthcare organization is using Microsoft 365 and needs to ensure that patient data (protected health information) is not accidentally shared externally. They want to classify all documents containing medical terms and apply automatic encryption when shared outside the organization. Which two Microsoft Purview features should they combine? (Select TWO)

A.Sensitivity labels with auto-labeling based on trainable classifiers
B.Data Loss Prevention (DLP) policies with encryption action
C.Insider Risk Management policies
D.Communication Compliance policies
E.Microsoft Entra ID Conditional Access policies
AnswerA, B

Trainable classifiers can detect medical terms and auto-apply labels.

Why this answer

Options A and B are correct: Sensitivity labels classify data, and auto-labeling with trainable classifiers can detect medical terms. DLP policies then enforce encryption on external sharing. Option D is incorrect because Communication Compliance is for inappropriate messages.

Option C is incorrect because Insider Risk Management addresses internal risky behavior. Option E is incorrect because sensitivity labels alone do not enforce encryption; that requires DLP or label protection actions.

234
MCQeasy

A company wants to ensure that all outgoing emails containing sensitive financial data are encrypted automatically. The encryption should require the recipient to authenticate to read the message. Which Microsoft 365 solution should the administrator configure?

A.Microsoft Defender for Office 365
B.Microsoft Purview Message Encryption
C.Microsoft Purview Data Loss Prevention (DLP)
D.Microsoft Purview Insider Risk Management
AnswerB

This solution provides encrypted email delivery, allowing only authenticated recipients to decrypt and read the message. It can be automated via rules.

Why this answer

Microsoft Purview Message Encryption (MPME) is the correct solution because it allows organizations to send encrypted emails that require recipients to authenticate (via a Microsoft account or a one-time passcode) before they can read the message. This directly meets the requirement for automatic encryption of outgoing emails with sensitive financial data and recipient authentication.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Data Loss Prevention (DLP) with Message Encryption, but DLP only detects and blocks sensitive data, while Message Encryption provides the actual encryption and recipient authentication required by the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 is a security solution focused on threat protection (anti-phishing, anti-malware, safe attachments/links), not on encrypting outgoing emails with recipient authentication. Option C is wrong because Microsoft Purview Data Loss Prevention (DLP) can detect and block sensitive data in emails but does not natively encrypt messages with recipient authentication; it can trigger MPME policies but is not the encryption solution itself. Option D is wrong because Microsoft Purview Insider Risk Management is designed to detect and mitigate internal risks (e.g., data theft, policy violations) and does not provide email encryption or recipient authentication.

235
MCQmedium

An organization wants to automatically detect when a user attempts to share a document containing a customer's credit card number via email. The system should block the sharing and display a warning to the user. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP)
B.Sensitivity labels
C.Retention policies
D.eDiscovery
AnswerA

DLP policies can automatically identify sensitive data like credit card numbers and enforce actions such as blocking and showing policy tips.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is designed to identify, monitor, and automatically protect sensitive information—such as credit card numbers—across Exchange Online, SharePoint, OneDrive, and Teams. When a user attempts to share a document containing a credit card number via email, DLP can inspect the content using built-in sensitive information types (e.g., Credit Card Number), block the email, and display a policy tip warning to the user. This matches the requirement exactly.

Exam trap

The trap here is that candidates confuse sensitivity labels with DLP, assuming labels can block sharing, when in fact labels only apply protection settings (encryption, markings) and rely on DLP or other controls to enforce blocking actions.

How to eliminate wrong answers

Option B (Sensitivity labels) is wrong because sensitivity labels classify and protect data by applying encryption or visual markings, but they do not automatically inspect content for specific patterns like credit card numbers or block sharing actions in real time. Option C (Retention policies) is wrong because retention policies are used to preserve or delete data after a specified period for compliance or legal reasons, not to prevent sharing or detect sensitive content. Option D (eDiscovery) is wrong because eDiscovery is a tool for searching and exporting content for legal or investigative purposes, not for real-time blocking or warning on outbound sharing.

236
MCQhard

Contoso Pharmaceuticals uses Microsoft 365 E5 with Microsoft Purview. They have a requirement to automatically classify and protect documents containing research and development (R&D) data. The R&D data is stored in SharePoint Online and is defined by a custom sensitive info type that matches a specific pattern (e.g., 'R&D-XXXX-XXXX'). They want to apply a sensitivity label called 'Highly Confidential' to any document containing this pattern. The label should encrypt the document and restrict access to members of the R&D team only. Additionally, they want users to be prompted to apply the label when they create a new document in the R&D site. What should you configure?

A.Create a DLP policy that blocks sharing of documents containing the pattern.
B.Configure a default sensitivity label for the R&D SharePoint site.
C.Create an auto-labeling policy in Microsoft Purview that applies the 'Highly Confidential' label to documents containing the custom sensitive info type.
D.Train users to manually apply the 'Highly Confidential' label to R&D documents.
AnswerC

Auto-labeling can automatically apply the label with encryption and access control.

Why this answer

Option C is correct. Auto-labeling policies can automatically apply a sensitivity label based on sensitive info types. The label should be configured with encryption and access restrictions.

Option D (manual labeling) does not meet the automatic requirement. Option A (DLP policy) can detect but not apply labels automatically. Option B (default label) only applies a default label, not based on content.

237
MCQmedium

Litware Inc. is a law firm that uses Microsoft 365 E5. They have a requirement to preserve all communications between attorneys and clients as legal hold for ongoing litigation. The legal team needs to identify and preserve all relevant emails and documents from specific users. The preservation should be indefinite until the hold is released. The IT team has enabled Litigation Hold for the mailboxes of the involved users. However, the legal team also needs to preserve documents in SharePoint Online and OneDrive for Business. What should you do to preserve the documents?

A.Create a retention policy in Microsoft Purview to retain all documents in the involved sites for 10 years.
B.Enable Litigation Hold for the users' OneDrive for Business accounts.
C.Create an eDiscovery case and place a hold on the relevant SharePoint sites and OneDrive accounts.
D.Apply a retention label to all documents in the involved sites.
AnswerC

eDiscovery hold can preserve content indefinitely in SharePoint and OneDrive.

Why this answer

Option C is correct. An eDiscovery hold can be placed on specific sites and mailboxes for a specific case. Option B (Litigation Hold) only applies to mailboxes, not SharePoint/OneDrive.

Option A (retention policy) is for time-based retention, not indefinite hold. Option D (label) does not preserve content permanently.

238
MCQhard

Contoso Ltd. is a multinational corporation with 10,000 employees. They have recently adopted Microsoft 365 E5 and want to implement a comprehensive security and compliance strategy. Their requirements include: 1) All sensitive emails must be encrypted in transit and at rest. 2) Access to SharePoint sites containing financial data must be restricted to employees from the finance department only, and only from compliant devices. 3) They need to detect and remediate insider threats involving data exfiltration via email and cloud storage. 4) They must comply with GDPR and be able to respond to DSARs within 30 days. 5) They want to use Microsoft 365 Copilot but ensure that Copilot only accesses data that users already have permission to see. Which combination of Microsoft 365 solutions should Contoso implement?

A.Enable Microsoft Purview Message Encryption, Conditional Access with device compliance, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery (Premium), and Copilot with default permissions.
B.Deploy Azure Information Protection for email, Microsoft Entra ID Privileged Identity Management, Microsoft Sentinel, retention policies, and Copilot settings.
C.Implement Microsoft Purview Message Encryption, Microsoft Intune device compliance, Microsoft Defender for Cloud Apps, retention policies, and Copilot configuration.
D.Use Microsoft Purview Message Encryption, Conditional Access with device compliance, Microsoft Purview Insider Risk Management, eDiscovery (Premium), and Copilot's default permissions.
AnswerD

Covers all requirements correctly.

Why this answer

Option D is the best answer because it covers all requirements: Microsoft Purview Message Encryption (email encryption), Conditional Access with device compliance (restrict access), Insider Risk Management (insider threats), eDiscovery (DSARs), and Copilot's built-in permissions (least privilege). Option A lacks device compliance and proper insider threat detection. Option B uses Intune app protection instead of Conditional Access, which is less specific for SharePoint access.

Option C uses retention policies for DSARs, which is incorrect.

239
MCQhard

A compliance officer needs to ensure that all user activities related to sensitive data in Microsoft 365 are recorded and available for forensic investigation. They require detailed logs of who accessed specific files in SharePoint Online, including attempts to access files that were blocked by DLP policies. Which solution should they enable?

A.Microsoft 365 Audit Log
B.Microsoft Defender for Cloud Apps
C.Microsoft Purview Activity Explorer
D.Microsoft 365 Defender
AnswerA

The unified audit log records all user and admin actions, including SharePoint file accesses and DLP actions, meeting forensic requirements.

Why this answer

Microsoft 365 Audit Log (Unified Audit Log) is the correct solution because it captures detailed records of user activities, including file access in SharePoint Online and blocked DLP policy actions. These logs are retained for forensic investigation and can be searched via the Microsoft 365 Purview compliance portal or accessed programmatically.

Exam trap

The trap here is that candidates confuse the real-time monitoring capabilities of Activity Explorer or Defender for Cloud Apps with the historical, searchable audit trail required for forensic investigation, mistakenly thinking those tools replace the Unified Audit Log.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud Apps) is wrong because it focuses on cloud app discovery, session controls, and anomaly detection, not on providing a comprehensive, searchable audit log of all user activities for forensic investigation. Option C (Microsoft Purview Activity Explorer) is wrong because it shows real-time activity insights and DLP rule matches, but it does not retain historical logs for extended forensic analysis; it relies on the underlying audit log for data. Option D (Microsoft 365 Defender) is wrong because it is a threat protection suite (including Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps) designed for detecting and responding to security incidents, not for recording and retaining detailed user activity logs for compliance auditing.

240
MCQmedium

A compliance administrator needs to automatically detect when employees share documents containing a customer's credit card number via email and block such sharing before the email is sent. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP)
B.Information Rights Management (IRM)
C.Sensitivity labels
D.Microsoft Defender for Office 365 (ATP)
AnswerA

DLP policies can identify sensitive data like credit card numbers in email and block the message from being sent.

Why this answer

Data Loss Prevention (DLP) is the correct solution because it is specifically designed to automatically detect sensitive data, such as credit card numbers, in transit (e.g., email) and enforce policy actions like blocking the email before it is sent. DLP uses deep content analysis, including pattern matching against predefined sensitive information types (e.g., credit card number regex), to inspect email bodies and attachments in real time within Exchange Online.

Exam trap

The trap here is that candidates often confuse Information Rights Management (IRM) with DLP because both involve protecting sensitive data, but IRM controls access after sending while DLP prevents the send action itself.

How to eliminate wrong answers

Option B is wrong because Information Rights Management (IRM) protects content after it is sent by encrypting and restricting permissions (e.g., prevent forwarding or printing), but it does not automatically detect or block sensitive data before transmission. Option C is wrong because sensitivity labels are used to classify and protect data based on manual or automatic labeling, but they do not natively scan for specific patterns like credit card numbers or block emails in transit; DLP policies can leverage labels, but the detection and blocking action is DLP's function. Option D is wrong because Microsoft Defender for Office 365 (formerly ATP) focuses on threat protection against malware, phishing, and malicious links, not on preventing accidental sharing of sensitive data like credit card numbers via content inspection.

241
MCQeasy

Your organization uses Microsoft 365 Business Premium. You need to protect users from phishing attacks by blocking malicious links in real-time when they click them in emails. Which feature provides this capability?

A.Microsoft Defender for Office 365 Safe Attachments
B.Microsoft Defender for Office 365 Safe Links
C.Exchange Online Protection (EOP) anti-spam policy
D.Microsoft Defender XDR
AnswerB

Safe Links protects users by checking URLs at click time.

Why this answer

Option B is correct because Microsoft Defender for Office 365 Safe Links provides time-of-click protection against malicious URLs. Option A is wrong because Safe Attachments scans attachments. Option C is wrong because Anti-spam policies filter spam.

Option D is wrong because Microsoft Defender XDR is a broader security suite.

242
MCQmedium

While preparing a Microsoft 365 adoption plan, a consultant is asked to let users report suspicious phishing messages from Outlook for investigation. Which Microsoft security, identity, or compliance capability should they use?

A.Microsoft Defender for Office 365 user submissions
B.Microsoft Planner
C.Microsoft Forms
D.Microsoft Stream
AnswerA

Defender for Office 365 supports user submissions and investigation workflows for suspicious email.

Why this answer

Microsoft Defender for Office 365 user submissions (Option A) is the correct capability because it allows users to report suspicious phishing messages directly from Outlook, which are then routed to the Microsoft 365 Defender portal for investigation and analysis. This feature integrates with the built-in Report Message or Report Phishing add-ins, enabling security teams to review and act on user-reported threats within the unified security operations framework.

Exam trap

The trap here is that candidates may confuse Microsoft Forms (a generic survey tool) with a legitimate reporting mechanism, overlooking that Microsoft 365 provides a dedicated, integrated security solution (Defender for Office 365) for phishing submissions.

How to eliminate wrong answers

Option B (Microsoft Planner) is wrong because it is a task management and project planning tool, not a security or compliance feature for reporting phishing messages. Option C (Microsoft Forms) is wrong because it is a survey and data collection tool that lacks the automated integration with Microsoft 365 Defender required for phishing investigation workflows. Option D (Microsoft Stream) is wrong because it is a video sharing and management platform, with no capability to process or analyze email security threats.

243
MCQhard

A healthcare organization must ensure that all outgoing emails containing protected health information (PHI) are automatically encrypted. External recipients must be able to read the encrypted messages without installing any software or signing up for a service. Which Microsoft Purview solution should be configured?

A.Data Loss Prevention (DLP)
B.Sensitivity labels
C.Microsoft Purview Message Encryption
D.Information protection policies
AnswerC

Message Encryption provides the ability to encrypt emails and allow external recipients to read them securely. It integrates with DLP for automatic encryption.

Why this answer

Microsoft Purview Message Encryption (C) is the correct solution because it enables automatic encryption of outgoing emails based on rules (e.g., detecting PHI) and allows external recipients to read encrypted messages via a secure web portal or inline rendering in supported email clients, without requiring any software installation or account sign-up. This directly meets the requirement for seamless, no-friction decryption by external parties.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with encryption, assuming DLP automatically encrypts outgoing emails, when in fact DLP only detects and blocks or alerts, while Microsoft Purview Message Encryption is the specific service that provides automatic encryption with external-reader access.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies can detect and block or warn about sensitive data like PHI in emails, but they do not natively encrypt the message content for external recipients; DLP alone cannot provide the required encryption and seamless reading experience. Option B is wrong because Sensitivity labels can apply encryption to emails, but they require the recipient to have an Azure AD account or use a Microsoft account to decrypt the message, which violates the requirement that external recipients must read without signing up for a service. Option D is wrong because Information protection policies are a broad category that includes sensitivity labels and DLP, but they do not directly provide the specific automatic encryption and external-reader experience that Microsoft Purview Message Encryption offers.

244
MCQhard

A company is deploying Microsoft 365 Copilot and wants to ensure that only users with the appropriate sensitivity labels can access Copilot-generated content. What should the administrator configure to enforce this requirement?

A.Create a retention label policy in Microsoft Purview
B.Create a Conditional Access policy in Microsoft Entra ID
C.Configure a data loss prevention (DLP) policy in Microsoft Purview
D.Enable auto-labeling for sensitivity labels in Microsoft Purview Information Protection
AnswerD

Auto-labeling can apply sensitivity labels to Copilot-generated content, and Copilot respects these labels for access control.

Why this answer

Option D is correct. Microsoft Purview Information Protection sensitivity labels can be automatically applied to content based on classification, and Copilot respects these labels. Option C is wrong because data loss prevention policies prevent sharing but do not automatically label content.

Option A is wrong because retention labels manage retention, not access. Option B is wrong because Conditional Access controls access to apps, not labeling.

245
MCQmedium

A compliance administrator needs to investigate emails that may be part of a phishing campaign. Which Microsoft 365 capability is the best fit?

A.Microsoft Bookings
B.Microsoft Teams live events
C.OneDrive sync client
D.Threat Explorer in Microsoft Defender for Office 365
AnswerD

Threat Explorer supports investigation of email threats, campaigns, and delivery actions.

Why this answer

Threat Explorer in Microsoft Defender for Office 365 is the correct tool because it provides security teams with a powerful, real-time investigation interface to search, filter, and analyze email threats, including phishing campaigns. It allows administrators to view detailed email metadata, delivery actions, and threat types (e.g., phishing, malware) across the organization, making it the best fit for investigating suspected phishing emails.

Exam trap

The trap here is that candidates may confuse general Microsoft 365 admin tools (like Bookings or Teams) with security-specific capabilities, failing to recognize that only Threat Explorer provides the granular email investigation features required for phishing analysis.

How to eliminate wrong answers

Option A is wrong because Microsoft Bookings is a scheduling and appointment management tool, not a security or email investigation capability. Option B is wrong because Microsoft Teams live events is a broadcast and meeting feature for large audiences, with no email threat analysis or phishing investigation functionality. Option C is wrong because the OneDrive sync client is designed for file synchronization and offline access, and it cannot be used to investigate email threats or phishing campaigns.

246
MCQmedium

A compliance-aware administrator is selecting the right Microsoft 365 capability to delete content automatically after a defined retention period. Which Microsoft security, identity, or compliance capability should they use?

A.Microsoft Forms
B.Microsoft Planner
C.Microsoft Stream
D.Retention policy or retention label
AnswerD

Retention policies and labels can retain content and then delete it according to policy.

Why this answer

Retention policies and retention labels are the Microsoft 365 compliance capabilities designed to automatically delete content after a defined retention period. They enforce data lifecycle management by applying rules to content in Exchange, SharePoint, OneDrive, and Teams, ensuring compliance with regulatory requirements. Microsoft Forms, Planner, and Stream are productivity or collaboration tools, not compliance capabilities for automated deletion.

Exam trap

The trap here is that candidates may confuse productivity tools (Forms, Planner, Stream) with compliance capabilities, assuming they have built-in retention features, when in fact only retention policies and labels provide automated deletion based on a defined period.

How to eliminate wrong answers

Option A is wrong because Microsoft Forms is a survey and quiz creation tool, not a compliance capability; it lacks native features to automatically delete content after a retention period. Option B is wrong because Microsoft Planner is a task management and project planning tool, not a compliance capability; it does not provide retention or deletion policies for content. Option C is wrong because Microsoft Stream is a video hosting and sharing service, not a compliance capability; while it integrates with retention policies, it is not the tool used to define or manage retention periods.

247
MCQ · hard

A security team needs to monitor all administrative activities in Microsoft 365, including creating users, resetting passwords, and modifying policies. They require that logs be retained for at least 90 days and want to create custom alerts for suspicious admin actions (e.g., multiple password resets in a short time). Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit (Premium)
B. Microsoft Purview Audit (Standard)
C. Microsoft Defender for Cloud Apps
D. Microsoft Entra ID reporting
Answer: A

Audit (Premium) offers up to 1 year log retention and allows creation of custom alert policies for specific admin activities, meeting both requirements.

Why this answer

Microsoft Purview Audit (Premium) is the correct solution because it provides extended log retention of up to one year (or more with add-ons), which meets the 90-day requirement, and it supports custom alert policies via the Microsoft 365 Defender portal to detect suspicious admin activities like multiple password resets. Standard Audit only retains logs for 90 days but lacks the advanced alerting and investigation capabilities needed for custom alerts on admin actions.

Exam trap

The trap here is that candidates often confuse Audit (Standard) with Audit (Premium) because both provide logging, but they overlook that only Premium supports custom alert policies and extended retention beyond 90 days, which is explicitly required for monitoring suspicious admin actions.

How to eliminate wrong answers

Option B (Microsoft Purview Audit (Standard)) is wrong because while it retains logs for 90 days, it does not support custom alert policies for suspicious admin actions; it only provides basic log search and export. Option C (Microsoft Defender for Cloud Apps) is wrong because it focuses on cloud app discovery, session controls, and anomaly detection for SaaS apps, not on auditing and alerting for Microsoft 365 administrative activities like user creation or password resets. Option D (Microsoft Entra ID reporting) is wrong because it provides sign-in and audit logs for Azure AD objects but lacks the 90-day retention guarantee (default is 30 days for free tier) and does not offer custom alerting for admin actions within Microsoft 365; it is limited to directory-level events.

248
Multi-Select · medium

You are responsible for securing identities in Microsoft 365. Which THREE actions should you take to improve the security posture of user accounts? (Choose three.)

Select 3 answers
A. Enable multifactor authentication (MFA) for all users
B. Require complex passwords with a minimum length of 16 characters
C. Disable legacy authentication protocols
D. Enable self-service password reset (SSPR)
E. Configure Conditional Access policies to block risky sign-ins
Answers: A, D, E

MFA significantly reduces the risk of account compromise.

Why this answer

Options A, B, and E are correct. Enforcing MFA, enabling self-service password reset (SSPR), and using Conditional Access policies are key identity security measures. Requiring strong passwords (C) is basic but less effective than MFA.

Disabling legacy authentication (D) is also a good practice, but the correct three are A, B, and E.

249
MCQ · medium

A business stakeholder asks how Microsoft 365 can help them periodically review group memberships and application access. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Planner
B. Access reviews
C. Microsoft Stream
D. Microsoft Forms
Answer: B

Access reviews help remove unnecessary access.

Why this answer

Access reviews in Microsoft Entra ID (formerly Azure AD) allow administrators to periodically review and certify group memberships and application access. This capability directly addresses the stakeholder's requirement by automating recurring attestation workflows, ensuring that only authorized users retain access. It is part of Microsoft's identity governance framework, not a general productivity or media tool.

Exam trap

The trap here is confusing general productivity tools (Planner, Stream, Forms) with identity governance capabilities, leading candidates to pick a familiar-sounding option instead of recognizing Access Reviews as the specific Entra ID feature for periodic access certification.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and collaboration tool for organizing work, not an identity governance or access review feature. Option C is wrong because Microsoft Stream is a video hosting and sharing service for enterprise content, with no capability to review group memberships or application access. Option D is wrong because Microsoft Forms is a survey and quiz creation tool, lacking any identity or access review functionality.

250
MCQ · medium

Your company is deploying Microsoft Purview to manage data subject requests (DSRs) under GDPR. Users need to submit requests to access or delete their personal data. Which Microsoft Purview solution should you use?

A. Microsoft Purview Data Subject Requests
B. Microsoft Purview Records Management
C. Microsoft Purview Audit (Premium)
D. Microsoft Purview Data Loss Prevention (DLP)
Answer: A

Data Subject Requests solution is designed to manage GDPR DSRs.

Why this answer

Microsoft Purview eDiscovery (Standard) is used for content searches and exports, but for managing DSRs, the Data Subject Requests solution is part of Microsoft Purview Compliance Manager or specifically the Privacy Management module. However, note that as of 2025, Microsoft Purview includes a dedicated DSR management tool. Option D is the correct answer.

Option A (DLP) is for prevention, Option B (Audit) is for logging, and Option C (Records Management) is for retention.

251
MCQ · medium

During a Microsoft 365 planning workshop, the requirement is to show security recommendations and a score for Microsoft 365 posture. Which Microsoft security, identity, or compliance capability should be used?

A. Microsoft Secure Score
B. Microsoft Forms
C. Microsoft Planner
D. Microsoft Stream
Answer: A

Secure Score provides recommendations and a score reflecting security posture.

Why this answer

Microsoft Secure Score is the correct tool because it provides a numerical score and actionable security recommendations based on your tenant's security posture. It analyzes configurations across Microsoft 365 services (e.g., Exchange Online, Azure AD, Intune) and suggests improvements to reduce risk, directly matching the workshop requirement for showing recommendations and a score.

Exam trap

The trap here is that candidates may confuse Microsoft Secure Score with other Microsoft 365 tools that have 'score' or 'recommendations' in their names, but only Secure Score is specifically designed for security posture assessment and scoring.

How to eliminate wrong answers

Option B (Microsoft Forms) is wrong because it is a survey and data collection tool, not a security posture assessment tool. Option C (Microsoft Planner) is wrong because it is a task management and project planning application, unrelated to security scoring. Option D (Microsoft Stream) is wrong because it is a video hosting and sharing service, with no capability to evaluate security configurations or generate a posture score.

252
MCQ · medium

A legal team needs to preserve all data related to a specific user involved in litigation, including Exchange emails, SharePoint documents, OneDrive files, and Teams chats. They require a hold that cannot be removed by the user and must allow for later searching and export. Which Microsoft Purview solution should they use?

A. eDiscovery (Standard)
B. Retention policies
C. Communication Compliance
D. Data Loss Prevention (DLP)
Answer: A

eDiscovery (Standard) places legal holds on mailboxes and sites, preserving content from deletion, and allows search and export.

Why this answer

eDiscovery (Standard) is the correct solution because it allows legal teams to place a hold on all content relevant to a specific user, including Exchange emails, SharePoint documents, OneDrive files, and Teams chats. This hold is enforced at the service level, preventing the user from deleting or modifying the data, and it preserves the content in its original location for later searching and export via Content Search or eDiscovery export tools.

Exam trap

The trap here is that candidates often confuse retention policies with litigation holds, not realizing that retention policies are scheduled and policy-based, whereas eDiscovery holds are user-specific, immediate, and designed for legal preservation with full search and export capabilities.

How to eliminate wrong answers

Option B is wrong because retention policies are designed to retain or delete data based on a fixed schedule, not to place a litigation hold on a specific user's content; they cannot be applied ad hoc for a single user in a legal case and do not provide the same search and export capabilities. Option C is wrong because Communication Compliance is focused on detecting and remediating policy violations (e.g., inappropriate language or sensitive information) in communications, not on preserving all data for litigation; it does not offer a hold mechanism or export for legal discovery. Option D is wrong because Data Loss Prevention (DLP) is used to prevent unauthorized sharing or leakage of sensitive data through policies and alerts, not to preserve data for legal holds; it cannot place a hold on content or allow for later searching and export of all user data.

253
MCQ · medium

Your organization is deploying Microsoft 365 and needs to ensure that data stored in Exchange Online is protected against accidental deletion. You need to implement a solution that allows users to recover deleted emails for up to 30 days, but also enables administrators to recover items for up to 90 days. Which feature should you configure?

A. In-Place Hold
B. Single Item Recovery
C. Retention Policy
D. Litigation Hold
Answer: D

Litigation Hold preserves all mailbox content indefinitely or for a specified period, enabling recovery for up to 90 days.

Why this answer

Option B is correct because the Litigation Hold feature allows administrators to preserve mailbox items for a specified period, enabling recovery for up to 90 days. Single Item Recovery (A) only allows recovery within the deleted item retention period (default 14 days). In-Place Hold (C) is for eDiscovery holds, not general recovery.

Retention Policy (D) manages retention but not recovery.

254
MCQ · medium

A help desk lead is documenting the correct Microsoft 365 approach to preserve relevant mailboxes and SharePoint content during a legal case. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Stream
B. Microsoft Forms
C. Microsoft Planner
D. Microsoft Purview eDiscovery hold
Answer: D

eDiscovery holds preserve relevant content for legal investigations.

Why this answer

Microsoft Purview eDiscovery hold is the correct capability because it allows organizations to place legal holds on mailboxes, SharePoint sites, and other content sources to preserve data relevant to a legal case. This ensures that content cannot be altered or deleted until the hold is released, meeting compliance and eDiscovery requirements.

Exam trap

The trap here is that candidates may confuse general productivity tools like Stream, Forms, or Planner with compliance capabilities, mistakenly thinking they can be used for legal preservation when they lack the necessary retention and hold features.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video hosting and sharing service, not designed for legal hold or content preservation. Option B is wrong because Microsoft Forms is used for creating surveys and quizzes, with no capability to place holds on mailboxes or SharePoint content. Option C is wrong because Microsoft Planner is a task management tool for organizing work, lacking any compliance or eDiscovery hold functionality.

255
MCQ · medium

A compliance-aware administrator is selecting the right Microsoft 365 capability to encrypt email messages sent to internal or external recipients. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Stream
B. Microsoft Purview Message Encryption
C. Microsoft Planner
D. Microsoft Forms
Answer: B

Message Encryption protects email content.

Why this answer

Microsoft Purview Message Encryption (B) is the correct choice because it is the dedicated Microsoft 365 service that provides encryption for email messages sent to both internal and external recipients. It leverages Azure Rights Management (Azure RMS) to protect messages, ensuring only intended recipients can decrypt and read them, which directly meets the compliance requirement for email encryption.

Exam trap

The trap here is that candidates might confuse Microsoft Purview Message Encryption with other Microsoft 365 security features like Microsoft Defender for Office 365 or Azure Information Protection, but the question specifically asks for an email encryption capability, not a broader security or compliance tool.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video sharing and management service, not an email encryption capability. Option C is wrong because Microsoft Planner is a task management and collaboration tool, unrelated to email security or encryption. Option D is wrong because Microsoft Forms is used for creating surveys and quizzes, and does not provide any email encryption functionality.

256
Multi-Select · medium

Which TWO of the following are key capabilities of Microsoft Purview Communication Compliance? (Choose two.)

Select 2 answers
A. Detect and respond to inappropriate messages
B. Enforce multifactor authentication
C. Configure retention labels
D. Monitor communications for regulatory compliance
E. Block external email forwarding
Answers: A, D

Communication Compliance can detect offensive language.

Why this answer

Communication Compliance helps detect policy violations in communications, such as inappropriate content and regulatory compliance. Options B and C are correct.

257
MCQ · medium

A service owner is comparing Microsoft 365 capabilities and needs to detect exact customer records rather than only generic data patterns. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Stream
B. Microsoft Planner
C. Exact Data Match sensitive information type
D. Microsoft Forms
Answer: C

Exact Data Match detects sensitive data by matching against uploaded structured values.

Why this answer

Exact Data Match (EDM) sensitive information types allow a service owner to define custom sensitive information types based on exact database records, such as customer names or account numbers, rather than relying on generic pattern matching like regular expressions. This capability is part of Microsoft Purview compliance and enables precise detection of specific customer data in Microsoft 365 environments.

Exam trap

The trap here is that candidates may confuse generic data classification (e.g., built-in sensitive info types like Social Security numbers) with the need for exact record matching, leading them to overlook EDM as the precise solution for custom, database-driven detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Stream is a video sharing and management service, not a security, identity, or compliance capability for detecting exact customer records. Option B is wrong because Microsoft Planner is a project management and task tracking tool, lacking any data classification or exact match detection features. Option D is wrong because Microsoft Forms is a survey and form creation tool, not designed for sensitive information detection or exact data matching.

258
MCQ · medium

Your organization uses Microsoft Purview to manage data governance. A data owner needs to classify sensitive data across SharePoint, OneDrive, and Exchange automatically based on content patterns. Which Microsoft Purview feature should they use?

A. Sensitivity labels with auto-labeling
B. eDiscovery (Premium)
C. Data Loss Prevention (DLP) policies
D. Audit (Standard)
Answer: A

Auto-labeling can apply sensitivity labels based on pattern matching.

Why this answer

Sensitivity labels with auto-labeling policies can automatically classify data based on patterns. Option B is correct. Option A (DLP) prevents sharing but does not classify.

Option C (eDiscovery) is for search and legal hold. Option D (Audit) is for logging.

259
MCQ · easy

A compliance officer needs to automatically retain all emails in Exchange Online for exactly 7 years, and then permanently delete them. Which Microsoft Purview solution should they configure?

A. Data Loss Prevention (DLP) policy
B. Retention policy
C. Sensitivity label
D. eDiscovery case
Answer: B

Retention policies allow you to define retention rules that can automatically retain data for a specified period and then delete it, meeting the requirement.

Why this answer

A retention policy in Microsoft Purview is designed to retain data for a specified period and then automatically delete it. By configuring a retention policy with a retention period of 7 years and an action to permanently delete the content at the end of that period, the compliance officer can meet the requirement for Exchange Online emails. This policy applies at the mailbox level and ensures that all emails are retained for exactly 7 years before being irreversibly removed.

Exam trap

The trap here is that candidates often confuse retention policies (which automate lifecycle management) with DLP policies (which prevent data leaks) or sensitivity labels (which classify data), leading them to select an option that addresses a different compliance goal.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) policy is used to detect and prevent the sharing of sensitive information (e.g., credit card numbers) via rules and actions like blocking or warning, not to enforce time-based retention and deletion. Option C is wrong because a sensitivity label is used to classify and protect data based on sensitivity (e.g., encryption, visual markings), and while it can be part of a retention label, it does not independently enforce a fixed retention and deletion schedule without being published as a retention label policy. Option D is wrong because an eDiscovery case is used for legal holds and content searches for litigation or investigation purposes, not for automated, scheduled retention and deletion of all emails.

260
Multi-Select · medium

An organization wants to investigate emails that may be part of a phishing campaign. Which two statements are accurate about the Microsoft 365 capability involved?

Select 2 answers
A. Threat Explorer in Microsoft Defender for Office 365
B. It replaces the need for identity and access management
C. It requires every document to be made public
D. The policy should be tested with a limited group before broad rollout
Answers: A, D

Threat Explorer supports investigation of email threats, campaigns, and delivery actions.

Why this answer

Threat Explorer in Microsoft Defender for Office 365 is a powerful tool for investigating phishing campaigns. It allows security analysts to view and filter email threat data, including malware, phishing, and spam, in near real-time. This enables the organization to identify, analyze, and remediate malicious emails that are part of a phishing campaign, making option A correct.

Exam trap

The trap here is that candidates may confuse Threat Explorer with a general security solution that replaces IAM, or assume it requires public document access, when in fact it is a specialized email threat investigation tool that operates within the existing security boundaries.

261
Multi-Select · hard

Which THREE of the following are included in Microsoft 365 E5 compliance features?

Select 3 answers
A. Microsoft Purview Audit (Premium)
B. Microsoft Purview eDiscovery (Premium)
C. Microsoft Purview Data Loss Prevention (DLP)
D. Microsoft Purview Records Management
E. Microsoft Purview Communication Compliance
Answers: A, B, E

Advanced Audit is an E5 feature.

Why this answer

E5 includes Advanced Audit, eDiscovery Premium, and Microsoft Purview Communication Compliance. DLP is in E3, and Records Management is in E3.

262
MCQ · medium

An organization uses Microsoft 365 and wants to automatically classify and protect sensitive data in SharePoint Online based on content patterns. Which Microsoft Purview solution should they implement?

A. Auto-labeling policies
B. Retention policies
C. Data Loss Prevention (DLP) policies
D. Trainable classifiers
Answer: A

Auto-labeling can automatically apply labels based on content patterns.

Why this answer

Option C is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types or patterns. Option A is incorrect because trainable classifiers require training, not automatic pattern detection. Option B is incorrect because DLP policies prevent data loss but do not automatically classify.

Option D is incorrect because retention policies are for retention, not classification.

263
MCQ · easy

Your organization wants to ensure that users can only access Microsoft 365 resources from compliant devices. Which security feature should you implement?

A. Microsoft Entra Conditional Access
B. Microsoft Purview Data Loss Prevention
C. Microsoft Defender for Cloud Apps
D. Microsoft Intune
Answer: A

Conditional Access policies can require compliant devices.

Why this answer

Conditional Access in Microsoft Entra ID allows you to enforce policies that require devices to be compliant (e.g., managed by Intune) before granting access. Option B is correct. Options A, C, and D are not primarily for device compliance enforcement.

264
MCQ · hard

A compliance officer needs to ensure that all outgoing emails containing a customer's credit card number are automatically encrypted before delivery. External recipients must be able to reply with the same level of encryption without a separate signing-up process. Which Microsoft Purview solution should be configured?

A. Office 365 Message Encryption (OME) with a DLP policy
B. Sensitivity labels with automatic marking
C. Azure Information Protection (AIP)
D. Microsoft Defender for Office 365
Answer: A

DLP policies can detect credit card numbers and trigger OME encryption automatically. OME allows external recipients to reply encrypted via a secure portal.

Why this answer

Office 365 Message Encryption (OME) with a Data Loss Prevention (DLP) policy is the correct solution because OME provides automatic encryption for emails based on sensitive information types (e.g., credit card numbers) detected by DLP rules. It also supports the 'encrypt-only' option, which allows external recipients to reply with the same level of encryption without requiring a separate sign-up or certificate exchange, leveraging the Microsoft 365 message encryption infrastructure.

Exam trap

The trap here is that candidates often confuse sensitivity labels (Option B) with DLP-based encryption, not realizing that sensitivity labels require explicit configuration for automatic encryption and do not inherently handle reply encryption without additional setup, whereas OME with DLP provides the seamless, policy-driven encryption and reply capability described.

How to eliminate wrong answers

Option B is wrong because sensitivity labels with automatic marking can apply visual markings or encryption, but they do not natively trigger encryption based on DLP-sensitive information types like credit card numbers; they require manual or policy-based labeling and do not inherently enable seamless encrypted replies without recipient sign-up. Option C is wrong because Azure Information Protection (AIP) is a classification and labeling solution that can apply encryption via rights management, but it is not primarily designed for automatic email encryption based on DLP policies and often requires the recipient to have an Azure RMS-enabled client or sign in for decryption. Option D is wrong because Microsoft Defender for Office 365 focuses on threat protection (e.g., anti-phishing, anti-malware, safe attachments) and does not provide automatic email encryption based on content inspection for compliance purposes.

265
Drag & Drop · medium

Drag and drop the steps to deploy Microsoft 365 Apps for enterprise to a Windows device using the Microsoft 365 Apps admin center into the correct order.

Why this order

Deploying Office uses the admin center to create a config, then ODT to install based on that config.

266
MCQ · medium

A compliance officer needs to ensure that all emails and documents in Exchange Online and SharePoint are automatically retained for five years. After five years, the data should be automatically deleted. Which Microsoft Purview solution should they configure?

A. Retention policies
B. Data loss prevention (DLP) policies
C. Sensitivity labels
D. eDiscovery (Standard)
Answer: A

Correct. Retention policies are the appropriate solution to automatically retain and then delete content based on a defined schedule.

Why this answer

Retention policies in Microsoft Purview are designed to automatically retain data for a specified period and then delete it, meeting the compliance officer's requirement for Exchange Online and SharePoint. This solution applies at the container level (e.g., mailboxes, sites) and can enforce a five-year retention followed by automatic deletion without user intervention.

Exam trap

The trap here is that candidates often confuse retention policies with DLP policies, mistakenly thinking DLP can enforce time-based retention and deletion, when DLP is solely focused on preventing data loss through content inspection and action rules.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) policies focus on preventing unauthorized sharing or leakage of sensitive data through rules and actions (e.g., blocking emails), not on automated retention and deletion schedules. Option C is wrong because Sensitivity labels classify and protect data with encryption or visual markings, but they do not inherently enforce time-based retention or deletion; they can be used with retention policies but are not the primary solution for automated lifecycle management. Option D is wrong because eDiscovery (Standard) is used for searching and exporting content for legal or investigative purposes, not for configuring automatic retention and deletion policies.

267
MCQ · easy

Your company, Contoso Ltd., has a Microsoft 365 E5 subscription with 500 users. The IT department recently discovered that some employees are sharing sensitive customer data via email with external parties. You need to implement a solution that automatically detects and prevents the sharing of credit card numbers and social security numbers in emails. The solution should notify the sender when a potential violation occurs and allow them to override the block by providing a business justification. The compliance team must be able to review these overrides. What should you configure?

A. Enable Microsoft Defender for Office 365 Safe Attachments and Safe Links.
B. Create a Microsoft Purview Data Loss Prevention (DLP) policy in the Microsoft Purview compliance portal.
C. Create a sensitivity label with auto-labeling for emails containing sensitive data.
D. Create an Exchange mail flow rule to block emails containing sensitive data and send a non-delivery report.
Answer: B

DLP policies can detect sensitive data, block transmission, notify users, and allow overrides with justification.

Why this answer

Option B is correct. A Microsoft Purview Data Loss Prevention (DLP) policy can be configured to detect sensitive info types like credit card numbers and SSNs, with actions to block and notify the sender with an override option. Option A (Exchange mail flow rules) is less flexible and doesn't provide the override with justification.

Option C (sensitivity labels) is for classification, not blocking. Option D (Microsoft Defender for Office 365) focuses on threats, not data protection.

268
MCQ · medium

During requirements gathering, an IT manager says the organization must discover where sensitive information is stored across Microsoft 365. Which Microsoft security, identity, or compliance capability should it use?

A. Microsoft Planner
B. Microsoft Stream
C. Microsoft Forms
D. Data classification / Content explorer
Answer: D

Data classification and content explorer help identify sensitive information across locations.

Why this answer

Data classification and Content explorer in Microsoft 365 Purview allow organizations to discover, classify, and monitor sensitive information across Exchange, SharePoint, OneDrive, and Teams. This capability uses trainable classifiers and sensitive information types to identify data like credit card numbers or PII, providing a unified view in Content explorer for compliance administrators. It directly meets the requirement to discover where sensitive information is stored.

Exam trap

The trap here is that candidates may confuse productivity tools (Planner, Stream, Forms) with compliance capabilities, assuming any Microsoft 365 app can discover sensitive data, when only Purview features like Data classification and Content explorer are designed for this purpose.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management tool for organizing work, not a security or compliance discovery tool. Option B is wrong because Microsoft Stream is a video hosting and sharing service, with no native capability to scan or classify sensitive data. Option C is wrong because Microsoft Forms is used to create surveys and quizzes, and lacks any data classification or content scanning features.

269
MCQ · hard

A compliance officer wants to ensure that all data in Microsoft 365 is encrypted using a key that the organization manages and stores in their own Azure Key Vault. Microsoft will not have access to the key. Which solution should they implement?

A. Customer Lockbox
B. Double Key Encryption (DKE)
C. Information Rights Management (IRM)
D. Microsoft Purview Data Lifecycle Management
Answer: B

DKE enables customers to provide a second encryption key that Microsoft does not possess, ensuring that no one (including Microsoft) can access the protected data without both keys.

Why this answer

Double Key Encryption (DKE) is the correct solution because it allows an organization to use their own key stored in Azure Key Vault for encrypting sensitive Microsoft 365 data, while ensuring that Microsoft cannot access the key. With DKE, the encryption key is split into two parts: one managed by Microsoft and one managed by the customer in their own Azure Key Vault, so both parties must be compromised to decrypt the data. This meets the compliance officer's requirement for exclusive control over the encryption key.

Exam trap

The trap here is that candidates often confuse Customer Lockbox with encryption key control, but Customer Lockbox only controls access requests, not the encryption keys themselves.

How to eliminate wrong answers

Option A is wrong because Customer Lockbox provides a process for approving or denying Microsoft support access to your data during service requests, but it does not involve managing encryption keys or encrypting data with a customer-controlled key. Option C is wrong because Information Rights Management (IRM) uses Azure Rights Management (Azure RMS) to protect files and emails by restricting actions like copying or forwarding, but the encryption keys are managed by Microsoft by default, not by the customer in their own Azure Key Vault. Option D is wrong because Microsoft Purview Data Lifecycle Management focuses on data retention, deletion, and classification policies, not on encryption key management or customer-controlled encryption.
