Back to Microsoft 365 Fundamentals MS-900 questions

Scenario-based practice

Hard Difficulty Questions

Practise Microsoft 365 Fundamentals MS-900 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20
scenario questions
MS-900
exam code
Microsoft
vendor

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard Difficulty Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related MS-900 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

A security administrator needs to automatically restrict access to documents labeled as 'Highly Confidential' when accessed from devices that are not joined to the domain. The restriction should block editing and printing, and apply encryption. Which combination of Microsoft 365 solutions should the administrator use?

Question 2hardmultiple choice
Full question →

A security administrator needs to audit all activities related to a specific user in Exchange Online, SharePoint Online, and Microsoft Entra ID for the past 90 days. They also need to export the audit log as a CSV file. Which Microsoft Purview solution provides this capability without additional licensing beyond Microsoft 365 E3?

Question 3hardmultiple choice
Full question →

A global company needs to ensure that only employees in the 'HR' security group can access a specific set of HR documents stored in SharePoint. If a user outside the group attempts to view or copy the content, it must be blocked. The protection must persist even if someone downloads the files and shares them externally, or if the files are saved to a personal device. Which Microsoft Purview solution should be used?

Question 4hardmultiple choice
Read the full NAT/PAT explanation →

A financial services company must prevent users from accidentally sharing sensitive customer data externally. They want to block sharing of any document containing a credit card number via email or SharePoint. What combination of Microsoft 365 compliance solutions should they use?

Question 5hardmulti select
Read the full NAT/PAT explanation →

A multinational corporation must comply with GDPR. They need to ensure that personal data of EU residents is retained for a specific period and then securely deleted. Additionally, they must be able to respond to data subject access requests (DSARs) within 30 days by finding and exporting relevant data. Which two Microsoft Purview solutions should they use together? (Choose two.)

Question 6hardmultiple choice
Read the full NAT/PAT explanation →

A security administrator needs to automatically restrict access to documents that contain 'PII' (personally identifiable information) so that only employees in the 'Data Privacy' security group can view them. Additionally, editing and printing of these documents must be disabled. Which combination of Microsoft Purview features should be used?

Question 7hardmultiple choice
Full question →

A compliance officer wants to proactively prevent users from sending emails that contain sensitive personal data (e.g., credit card numbers) to external recipients. When a user attempts to send such an email, they should see a policy tip explaining the restriction and be blocked from sending. Which Microsoft Purview feature should be configured?

Question 8hardmultiple choice
Full question →

A healthcare organization must ensure that all outgoing emails containing protected health information (PHI) are automatically encrypted. External recipients must be able to read the encrypted messages without installing any software or signing up for a service. Which Microsoft Purview solution should be configured?

Question 9hardmultiple choice
Full question →

A legal team needs to place a hold on all data belonging to a specific user who is involved in a lawsuit. The hold must preserve Exchange Online email, SharePoint sites, and Teams chat messages. Which Microsoft Purview solution should they use?

Question 10hardmultiple choice
Full question →

A legal team at a company needs to preserve all data belonging to a user who is involved in litigation. The preservation must cover Exchange Online email, SharePoint sites, OneDrive for Business files, and Teams chat messages. They also need to be able to search the preserved content and export it. Which Microsoft Purview solution should they use?

Question 11hardmultiple choice
Full question →

A legal firm needs to automatically encrypt and apply access restrictions to all documents that contain case numbers considered highly confidential. The protection must remain enforced even if the document is emailed to external parties or saved to a personal device. Which Microsoft Purview solution should be configured?

Question 12hardmultiple choice
Full question →

A compliance team needs to implement a Data Loss Prevention (DLP) policy to protect credit card information. What is the correct order of steps for a successful implementation?

Question 13hardmultiple choice
Full question →

A security team needs to ensure that all Microsoft 365 administrative actions—such as creating user accounts or resetting passwords—are logged and searchable for at least 90 days. They also need to create custom alert rules for suspicious admin activity. Which Microsoft Purview solution should they use?

Question 14hardmultiple choice
Full question →

An organization wants to prevent employees from sharing sensitive files with external users via SharePoint Online, but they need to allow sharing with a specific external partner for a single project. What is the most efficient configuration?

Question 15hardmultiple choice
Full question →

An organization with 2,000 users currently has Microsoft 365 E3 licenses. They need to implement a policy that automatically deletes all Microsoft Teams chat messages older than 90 days. They also need to retain all Yammer messages for 10 years for legal purposes. Which licensing add-ons are minimally required to achieve both requirements?

Question 16hardmultiple choice
Full question →

A charitable organization with 50 employees wants to use Microsoft 365 for business‑grade email, calendar, and online versions of Office apps. Their budget is extremely limited. What should they do first to obtain licenses at a reduced cost?

Question 17hardmultiple choice
Full question →

A security team needs to monitor all administrative activities in Microsoft 365, including creating users, resetting passwords, and modifying policies. They require that logs be retained for at least 90 days and want to create custom alerts for suspicious admin actions (e.g., multiple password resets in a short time). Which Microsoft Purview solution should they use?

Question 18hardmultiple choice
Full question →

A company wants to ensure that all Microsoft 365 admin actions are recorded and searchable for at least 180 days. They also need to create custom alert rules to notify the security team when critical events occur, such as a user being added to the Global Admin role. Which Microsoft Purview solution should they use?

Question 19hardmultiple choice
Full question →

A company uses Microsoft 365 (a SaaS offering). A security incident occurs where an employee's account is compromised because the employee reused their corporate password on a personal website. According to the shared responsibility model, who is primarily responsible for this security failure?

Question 20hardmultiple choice
Full question →

A company with 100 Microsoft 365 Business Premium users needs to add advanced compliance features: eDiscovery (Premium) and Communication Compliance. They want to keep their existing Business Premium subscriptions to retain current capabilities. What is the most cost-effective licensing approach?

These MS-900 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style MS-900 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.