CCNA Describe Security Compliance Privacy And Trust In Microsoft 365 Questions

75 of 269 questions · Page 3/4 · Describe Security Compliance Privacy And Trust In Microsoft 365 topic · Answers revealed

151
MCQ · medium

Your organization is deploying Microsoft 365 Copilot for sales teams. The compliance team requires that Copilot interactions with customer data in Dynamics 365 Sales be subject to retention policies. Which Microsoft Purview feature should you configure to manage this data?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Sensitivity Labels
C. Microsoft Purview eDiscovery
D. Microsoft Purview Communication Compliance
Answer: A

Retention policies are managed in Data Lifecycle Management.

Why this answer

Option A is correct because Microsoft Purview Data Lifecycle Management enforces retention policies for Copilot interactions. Option B is incorrect because Sensitivity labels are for classification. Option C is incorrect because eDiscovery is for search and export. Option D is incorrect because Communication Compliance is for monitoring inappropriate messages.

152
Multi-Select · easy

Which TWO of the following are required to implement Microsoft Entra ID Conditional Access?

Select 2 answers
A. Microsoft 365 E5 license
B. Multifactor Authentication enabled for all users
C. Microsoft Entra ID P1 or P2 licenses
D. Global Administrator or Conditional Access Administrator role
E. Microsoft Intune subscription
Answers: C, D

Conditional Access requires P1 or P2.

Why this answer

Conditional Access requires Azure AD P1 or P2 licenses and roles that allow policy management. MFA and Intune are not required for all policies.

153
MCQ · hard

A legal team needs to place a hold on all data belonging to a specific user who is involved in a lawsuit. The hold must preserve Exchange Online email, SharePoint sites, and Teams chat messages. Which Microsoft Purview solution should they use?

A. eDiscovery (Standard)
B. Data Lifecycle Management (retention policies)
C. Communication Compliance
D. Audit log
Answer: A

Correct. eDiscovery cases allow placing holds on content from Exchange, SharePoint, OneDrive, and Teams for a specific user or query.

Why this answer

eDiscovery (Standard) is the correct solution because it allows legal teams to place a hold on a specific user's data across Exchange Online, SharePoint, and Teams. This hold preserves all content, including email, documents, and chat messages, ensuring that data cannot be altered or deleted during litigation. eDiscovery (Standard) is designed for legal holds and integrates with Microsoft Purview to manage custodians and preserve data.

Exam trap

The trap here is that candidates often confuse retention policies (which manage data lifecycle) with legal holds (which preserve data for litigation), leading them to choose Data Lifecycle Management instead of eDiscovery.

How to eliminate wrong answers

Option B (Data Lifecycle Management retention policies) is wrong because retention policies are used for managing data retention and deletion based on time or rules, not for placing a legal hold on a specific user's data in response to a lawsuit. Option C (Communication Compliance) is wrong because it is designed to monitor and detect policy violations in communications (e.g., harassment or insider trading), not to preserve data for legal holds. Option D (Audit log) is wrong because audit logs record user and admin activities for security investigations, but they do not place holds on data or preserve content for litigation.

154
MCQ · hard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel to investigate a user's deleted files. The query returns no results even though the user has deleted files. Which of the following is the most likely reason?

A. The query filters by Result column which doesn't exist.
B. The query should use 'where Operation == "FileDeleted"' but the operation is 'DeleteFile'.
C. The UserId field should be replaced with UserPrincipalName.
D. The Microsoft 365 connector is not configured in Sentinel.
Answer: D

Without the connector, Microsoft 365 audit logs are not ingested into Sentinel.

Why this answer

Option D is correct because Sentinel queries the workspace's own AuditLogs table, which may not contain Microsoft 365 audit logs unless the Microsoft 365 connector is configured. Option A is wrong because the query does not filter by Result. Option B is wrong because the query uses correct syntax. Option C is wrong because the query is not incorrectly formatted.

155
MCQ · easy

An organization needs to automatically delete Microsoft Teams chat messages after 90 days to comply with a data minimization policy. Which Microsoft Purview feature should they use?

A. Data Loss Prevention (DLP)
B. Retention policies
C. Communication Compliance
D. Information Barriers
Answer: B

Retention policies allow you to define how long content is retained and when it is automatically deleted.

Why this answer

Retention policies in Microsoft Purview are designed to either retain data for a specified period, delete it after that period, or both. For Microsoft Teams chat messages, a retention policy can be configured to automatically delete messages after 90 days, directly supporting a data minimization policy. This is the correct feature because it provides time-based deletion for compliance requirements.

Exam trap

The trap here is that candidates often confuse retention policies (which manage data lifecycle and deletion) with Data Loss Prevention (DLP), assuming DLP can also delete data after a period, but DLP only blocks or alerts on data in motion, not on scheduled deletion.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are used to detect and prevent the accidental sharing of sensitive information (e.g., credit card numbers) through rules and actions like blocking or warning users, not for scheduling automatic deletion of messages after a set time. Option C is wrong because Communication Compliance is designed to monitor communications for policy violations (e.g., harassment, insider trading) by analyzing messages and flagging them for review, not for enforcing retention or deletion schedules. Option D is wrong because Information Barriers are used to restrict communication and collaboration between specific groups (e.g., to prevent conflicts of interest), not to manage data lifecycle or deletion timelines.

156
MCQ · medium

An organization is concerned about data leakage from sensitive emails. They want to enforce encryption on emails containing financial information automatically. Which Microsoft 365 solution should they configure?

A. Data Loss Prevention (DLP) policies
B. Microsoft Purview Message Encryption
C. Microsoft Purview Information Protection
D. Exchange Online Protection (EOP)
Answer: B

Message Encryption uses rules to encrypt emails based on conditions like sensitive content.

Why this answer

Microsoft Purview Message Encryption (Option B) is the correct solution because it enables organizations to send and receive encrypted email messages, and it can be configured with mail flow rules to automatically encrypt emails containing sensitive financial information. This service leverages Azure Rights Management (Azure RMS) to provide persistent protection that follows the email, ensuring only authorized recipients can decrypt and read the content.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) policies with encryption capabilities, assuming DLP can automatically encrypt emails, when in fact DLP only detects and blocks or warns, while Message Encryption is the service that actually applies encryption to outbound emails.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies detect and prevent accidental sharing of sensitive data but do not enforce encryption on emails; they can trigger actions like blocking or warning, but encryption is not a native DLP action. Option C is wrong because Microsoft Purview Information Protection (formerly Azure Information Protection) classifies and labels content but does not automatically encrypt emails in transit; it applies labels that can include encryption, but the automatic encryption of outbound emails based on content is handled by Message Encryption policies. Option D is wrong because Exchange Online Protection (EOP) provides anti-spam, anti-malware, and message hygiene but does not offer encryption capabilities; it focuses on protecting the email infrastructure, not the confidentiality of message content.

157
MCQ · hard

A compliance officer wants to automatically encrypt outgoing emails containing credit card numbers and also prevent recipients from forwarding or copying the content. Which Microsoft Purview solution should be applied?

A. Data Loss Prevention (DLP) policy with encryption
B. Sensitivity label with encryption and rights management
C. Microsoft Information Bar
D. Azure Information Protection unified labeling client
Answer: B

Sensitivity labels can automatically apply encryption and set usage rights such as 'view only' or 'do not forward', meeting the requirement.

Why this answer

Sensitivity labels with encryption and rights management (Azure Rights Management) allow you to apply persistent protection that encrypts the email and restricts actions like forwarding, copying, or printing. This meets both requirements: automatic detection of credit card numbers via auto-labeling policies and enforcement of usage restrictions through Rights Management templates (e.g., Do Not Forward).

Exam trap

The trap here is that candidates confuse DLP policies with sensitivity labels, thinking DLP alone can enforce usage restrictions like 'prevent forwarding,' when in fact DLP only detects and optionally triggers a label that provides the encryption and rights management.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) policy can detect credit card numbers and trigger encryption via a sensitivity label, but DLP itself does not apply rights management restrictions (e.g., prevent forwarding or copying); it relies on an associated sensitivity label for that protection. Option C is wrong because Microsoft Information Bar is a deprecated feature that only displayed a visual banner in Office apps; it does not enforce encryption or rights restrictions on outgoing emails. Option D is wrong because the Azure Information Protection unified labeling client is a legacy client-side tool for labeling files and emails on Windows, not a cloud-based policy that automatically encrypts and restricts outgoing emails in Exchange Online.

158
Multi-Select · easy

Which TWO Microsoft 365 compliance centers provide tools for managing compliance requirements?

Select 2 answers
A. Microsoft Purview compliance portal
B. Microsoft Entra admin center
C. Microsoft Defender XDR portal
D. Microsoft Intune admin center
E. Microsoft 365 admin center
Answers: A, E

Central hub for compliance solutions.

Why this answer

Microsoft Purview compliance portal is the main compliance center; Microsoft 365 admin center includes compliance management features. Defender XDR is security, Intune is device management, Entra ID is identity.

159
MCQ · medium

You have the above Microsoft Purview DLP policy JSON. What will this policy do?

A. Block internal sharing of documents labeled Confidential
B. Alert when Confidential documents are shared externally
C. Block external sharing of documents labeled Confidential
D. Apply encryption to documents labeled Confidential when shared externally
Answer: C

Condition matches sensitivity label and external sharing, action is blockAccess.

Why this answer

The policy blocks access when a document with sensitivity label 'Confidential' is shared externally. Option C is correct. It does not block internal sharing, apply encryption, or trigger an alert.

160
MCQ · hard

An organization must comply with GDPR and needs to respond to a data subject access request (DSAR) within 30 days. Which Microsoft Purview solution helps search for personal data across Microsoft 365?

A. Data Loss Prevention (DLP)
B. Records Management
C. Audit (Premium)
D. eDiscovery (Premium)
Answer: D

eDiscovery can search for and export personal data to fulfill DSARs.

Why this answer

eDiscovery (Premium) allows searching across content locations for specific data, including personal data. Option D is correct. DLP and Records Management do not search, and Audit logs only track activities.

161
MCQ · hard

A compliance administrator needs to ensure that any document containing a patient's health information (e.g., medical record number) is automatically encrypted and restricted to authorized users. The encryption should be enforced regardless of where the document is saved (SharePoint, OneDrive, or email). Which Microsoft Purview feature should they configure?

A. Information Rights Management (IRM)
B. Auto-labeling policies with sensitivity labels
C. Data Loss Prevention (DLP) policies
D. Retention labels
Answer: B

Auto-labeling can automatically detect sensitive data (like health info) and apply a sensitivity label that enforces encryption and access restrictions.

Why this answer

Auto-labeling policies with sensitivity labels are the correct choice because they can automatically apply encryption and access restrictions to documents containing sensitive data like medical record numbers, regardless of where the document is saved (SharePoint, OneDrive, or email). Sensitivity labels support persistent protection that travels with the file, enforcing encryption and authorized user restrictions even when the file is moved or copied. This meets the requirement for automatic, location-independent encryption and access control.

Exam trap

The trap here is that candidates often confuse DLP policies with sensitivity labels, thinking DLP can enforce encryption, but DLP only monitors and blocks actions—it does not apply persistent protection like sensitivity labels do.

How to eliminate wrong answers

Option A is wrong because Information Rights Management (IRM) applies encryption and permissions only at the file level within a specific application (e.g., Word, Outlook) and does not automatically scan for content patterns like medical record numbers; it requires manual or rule-based application and does not integrate with auto-labeling for content-based classification. Option C is wrong because Data Loss Prevention (DLP) policies can detect sensitive information and block or alert on actions, but they do not natively encrypt or restrict access to documents; DLP is about preventing data exfiltration, not applying persistent protection. Option D is wrong because retention labels are designed for managing data lifecycle (retention and deletion), not for encryption or access control; they do not enforce encryption or restrict user access based on content.

162
MCQ · hard

Your organization has a Microsoft 365 E5 subscription and wants to centrally manage security incidents across identities, endpoints, and cloud apps. Which Microsoft solution provides this capability?

A. Microsoft Entra ID Protection
B. Microsoft Sentinel
C. Microsoft Defender XDR
D. Microsoft Defender for Endpoint
Answer: C

Defender XDR provides a unified incident dashboard across identities, endpoints, and apps.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) correlates signals from across the Microsoft 365 ecosystem into a unified incident view. Option C is correct. Option A is for identity, Option B is a SIEM, and Option D is for endpoints only.

163
MCQ · medium

A healthcare organization needs to automatically apply a sensitivity label to any document stored in a SharePoint document library that contains patient diagnosis codes. The label should prevent the document from being shared externally. The classification must happen after the document is saved, not during creation. Which Microsoft Purview solution should be configured?

A. Auto-labeling with sensitivity labels in Microsoft Purview
B. Microsoft Purview Data Loss Prevention (DLP) policies
C. Microsoft Purview retention labels
D. Microsoft Purview Information Barriers
Answer: A

Correct. Auto-labeling can scan SharePoint libraries and apply sensitivity labels based on content, enforcing protection like external sharing restrictions.

Why this answer

Auto-labeling with sensitivity labels in Microsoft Purview is correct because it automatically applies a sensitivity label to documents containing sensitive content (like patient diagnosis codes) after they are saved to SharePoint. This label can enforce protection actions such as preventing external sharing, meeting the requirement for post-save classification.

Exam trap

The trap here is confusing auto-labeling (which applies labels after save) with manual or default labeling (which applies during creation), or mistaking DLP policies for labeling solutions when DLP only detects and blocks sharing without applying persistent labels.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) policies detect and prevent sharing of sensitive data in transit or at rest but do not automatically apply sensitivity labels to documents. Option C is wrong because retention labels manage data lifecycle (retention and deletion) and do not enforce protection actions like blocking external sharing. Option D is wrong because Information Barriers restrict communication between specific groups but do not classify documents or control external sharing based on content.

164
MCQ · hard

A legal team at a company needs to preserve all data belonging to a user who is involved in litigation. The preservation must cover Exchange Online email, SharePoint sites, OneDrive for Business files, and Teams chat messages. They also need to be able to search the preserved content and export it. Which Microsoft Purview solution should they use?

A. eDiscovery (Standard) case hold
B. Litigation Hold
C. Auto-apply retention labels
D. Data Loss Prevention (DLP) policy
Answer: A

eDiscovery (Standard) cases can place holds on all Microsoft 365 data sources for a user, including Exchange, SharePoint, OneDrive, and Teams, and provide search and export capabilities.

Why this answer

eDiscovery (Standard) allows you to create a case, place a hold on user mailboxes, SharePoint sites, OneDrive accounts, and Teams chat messages to preserve content relevant to litigation. It also provides built-in search and export capabilities, making it the correct solution for the legal team's requirements.

Exam trap

The trap here is that candidates often confuse Litigation Hold with eDiscovery holds, assuming Litigation Hold covers all data sources, when in reality it only applies to Exchange mailboxes and lacks the search and export features needed for comprehensive eDiscovery.

How to eliminate wrong answers

Option B (Litigation Hold) is wrong because it only preserves mailbox content (Exchange Online) and does not cover SharePoint, OneDrive, or Teams chat messages, nor does it provide search and export functionality. Option C (Auto-apply retention labels) is wrong because it automates retention and deletion policies based on conditions, but it does not create a litigation-specific hold with search and export capabilities. Option D (Data Loss Prevention (DLP) policy) is wrong because it is designed to prevent data leakage by monitoring and blocking sensitive information, not to preserve data for legal discovery.

165
MCQ · medium

Your organization uses Microsoft 365 E5 and wants to automatically classify emails containing credit card numbers as 'Sensitive' and apply encryption when sent externally. Which Microsoft Purview feature should you use?

A. Sensitivity labels
B. Retention policies
C. Microsoft Purview Data Loss Prevention (DLP)
D. Microsoft Purview Information Protection
Answer: C

DLP policies can detect sensitive info and apply encryption.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) can detect sensitive data like credit card numbers and automatically apply actions such as encryption. Option A is wrong because Sensitivity labels are manually applied or auto-classified, but DLP handles the automatic protection. Option B is wrong because Retention policies are for retention, not classification. Option D is wrong because Information Protection policies include sensitivity labels, but the automatic encryption action is typically configured via DLP.

166
Multi-Select · easy

Which THREE of the following are key pillars of the Microsoft Trusted Cloud? (Choose three.)

Select 3 answers
A. Cost optimization
B. Performance
C. Security
D. Privacy
E. Compliance
Answers: C, D, E

Security is a core pillar.

Why this answer

Microsoft's Trusted Cloud is built on security, privacy, and compliance. Options C, D, and E are correct.

167
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Purview Information Protection? (Choose three.)

Select 3 answers
A. Auto-classify content based on sensitive data types
B. Apply sensitivity labels to documents and emails
C. Encrypt documents and control access using labels
D. Block sharing of sensitive data via email
E. Define retention policies for mailboxes
Answers: A, B, C

Auto-classification uses trainable classifiers and data types.

Why this answer

Auto-classification (A), sensitivity labels (B), and label-based protection (C) are core capabilities. Option D (DLP) is a separate Purview feature. Option E (retention policies) is part of Purview Records Management.

168
MCQ · medium

A help desk lead is documenting the correct Microsoft 365 approach to require users to approve sign-ins with a mobile app after entering a password. Which Microsoft security, identity, or compliance capability should they use?

A. Microsoft Planner
B. Multifactor authentication (MFA)
C. Microsoft Forms
D. Microsoft Stream
Answer: B

MFA requires more than one verification factor and reduces risk from stolen passwords.

Why this answer

Multifactor authentication (MFA) is the correct capability because it requires users to provide a second form of verification—such as approving a sign-in via the Microsoft Authenticator mobile app—after entering their password. This aligns with the security best practice of 'something you know' (password) plus 'something you have' (mobile device approval), which is a core MFA scenario in Microsoft Entra ID (formerly Azure AD).

Exam trap

The trap here is that candidates may confuse productivity tools (Planner, Forms, Stream) with security capabilities, mistakenly thinking any Microsoft 365 app can enforce authentication policies, when only identity and access management services like MFA in Microsoft Entra ID can do so.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and project planning tool, not a security or identity capability; it cannot enforce sign-in approval workflows. Option C is wrong because Microsoft Forms is a survey and data collection tool, not an identity or authentication service; it has no role in requiring mobile app approval for sign-ins. Option D is wrong because Microsoft Stream is a video hosting and sharing platform, not a security or identity feature; it cannot be used to enforce multifactor authentication policies.

169
Matching · medium

Match each Microsoft 365 pricing model to its description.

Concepts
Matches

Each user requires a license; most common model

License assigned to a device, not a user

Additional feature purchased on top of a base plan

Single service subscription, e.g., Exchange Online Plan 1

Why these pairings

Different pricing models offer flexibility for various needs.

170
MCQ · medium

A company wants to ensure that sensitive documents stored in SharePoint Online are automatically classified and protected if they contain credit card numbers or social security numbers. Which Microsoft Purview feature should they implement?

A. Data Lifecycle Management (DLM)
B. Information Protection (Sensitivity labels)
C. Data Loss Prevention (DLP) policies
D. Insider Risk Management
Answer: C

DLP policies scan for sensitive data types and can automatically prevent sharing or encrypt content, meeting the requirement perfectly.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview are specifically designed to automatically detect, classify, and protect sensitive information such as credit card numbers and social security numbers. When a DLP policy is configured with sensitive information types (e.g., Credit Card Number, U.S. Social Security Number), it can scan documents in SharePoint Online and automatically apply protective actions like blocking access or triggering notifications. This makes DLP the correct feature for the described requirement.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with Information Protection (Sensitivity labels), but DLP is the correct choice because it is designed for automatic content-based detection of sensitive data patterns, whereas sensitivity labels are primarily for manual or rule-based classification without native pattern matching for specific data types like credit card numbers.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management (DLM) focuses on retaining or deleting content based on age or compliance requirements, not on detecting or protecting sensitive data patterns. Option B is wrong because Information Protection (Sensitivity labels) are used to classify and protect documents based on manual or automatic labeling rules, but they do not natively scan for specific data patterns like credit card numbers; they rely on label-based classification rather than content-based detection of sensitive information types. Option D is wrong because Insider Risk Management is designed to detect and mitigate risky user behaviors (e.g., data exfiltration by insiders) rather than automatically classifying and protecting documents based on their content.

171
MCQ · hard

A security administrator needs to automatically restrict access to documents that contain 'PII' (personally identifiable information) so that only employees in the 'Data Privacy' security group can view them. Additionally, editing and printing of these documents must be disabled. Which combination of Microsoft Purview features should be used?

A. Sensitivity labels with auto-labeling and encryption that restricts permissions to the 'Data Privacy' group
B. Data Loss Prevention (DLP) policy with a block action
C. Retention policy with a restrict action
D. Privileged Identity Management (PIM)
Answer: A

Sensitivity labels can automatically classify documents containing PII and enforce encryption, allowing only authorized users with view-only rights.

Why this answer

Option A is correct because sensitivity labels in Microsoft Purview can be configured with auto-labeling to automatically detect and classify documents containing PII, and then apply encryption that restricts access to only the 'Data Privacy' security group. Additionally, the label can enforce usage rights such as 'View Only' to disable editing and printing, meeting all requirements.

Exam trap

The trap here is that candidates often confuse DLP policies with sensitivity labels, not realizing that DLP blocks data in motion or at rest but cannot enforce persistent document-level permissions like disabling editing or printing.

How to eliminate wrong answers

Option B is wrong because a DLP policy with a block action can prevent sharing or transmission of PII data but cannot restrict access to documents already stored or disable editing/printing within the document itself. Option C is wrong because a retention policy is designed to preserve or delete data based on timeframes, not to restrict access or control permissions on documents. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and does not classify, label, or restrict access to documents based on content.

172
MCQ · medium

Your organization is deploying Microsoft 365 and needs to ensure that data stored in SharePoint Online and OneDrive for Business is protected against accidental deletion by end users. The compliance team requires that deleted files be recoverable for at least 90 days. What should you implement?

A. Enable versioning on all document libraries.
B. Create a Microsoft Purview retention policy with a retention period of 90 days.
C. Increase the SharePoint Online recycle bin retention to 90 days.
D. Configure a Microsoft Purview Data Loss Prevention (DLP) policy for SharePoint.
Answer: B

A retention policy preserves data for the specified period, including deleted items.

Why this answer

Option B is correct because the Microsoft Purview retention policy with a retention action of 'Keep items for 90 days' preserves deleted items for the specified period. Option A is wrong because versioning only keeps previous versions, not deleted items. Option C is wrong because the recycle bin's default retention is 93 days but can be changed, whereas a retention policy provides a guaranteed 90-day retention. Option D is wrong because DLP policies do not retain deleted items.

173
MCQ · hard

A security administrator needs to automatically restrict access to documents labeled as 'Highly Confidential' when accessed from devices that are not joined to the domain. The restriction should block editing and printing, and apply encryption. Which combination of Microsoft 365 solutions should the administrator use?

A. Microsoft Purview Information Protection + Microsoft Entra ID Conditional Access
B. Microsoft Purview Data Loss Prevention + Microsoft Entra ID Identity Protection
C. Microsoft Defender for Office 365 + Microsoft 365 Business Premium
D. Microsoft Purview Audit + Microsoft Entra ID Privileged Identity Management
Answer: A

Sensitivity labels defined in MIP can enforce encryption and usage restrictions. Conditional Access policies can require domain-joined devices for access, creating a layered approach.

Why this answer

Option A is correct because Microsoft Purview Information Protection (MIP) allows you to create sensitivity labels that apply encryption, restrict editing, and block printing on documents. Microsoft Entra ID Conditional Access can then enforce that these labels are automatically applied based on device compliance (e.g., devices not joined to the domain). Together, they provide the automated, policy-driven restriction described.

Exam trap

The trap here is that candidates confuse Microsoft Purview Data Loss Prevention (DLP) with Information Protection, not realizing DLP only monitors and blocks data in transit (e.g., email) and cannot enforce encryption or usage restrictions on documents at rest.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) detects and prevents accidental sharing of sensitive data but does not apply encryption or restrict editing/printing on documents; it blocks transmission via email or apps. Microsoft Entra ID Identity Protection focuses on user risk and sign-in anomalies, not device-based access control. Option C is wrong because Microsoft Defender for Office 365 protects against email threats (phishing, malware) and does not enforce document-level restrictions like encryption or editing/printing. Microsoft 365 Business Premium is a licensing bundle, not a specific solution for this scenario. Option D is wrong because Microsoft Purview Audit logs user and admin activities but does not enforce access restrictions. Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role assignments, not document-level encryption or device-based access control.

174
MCQ · medium

A company wants to prevent users from sharing documents that contain credit card numbers via email. When a user attempts to share such a document, they should see a policy tip explaining the restriction and the share should be blocked. Which Microsoft Purview solution should the compliance team configure?

A.Retention policy
B.Data Loss Prevention (DLP) policy
C.Sensitivity label
D.Information Barriers
AnswerB

DLP policies can detect sensitive information such as credit card numbers and enforce actions like blocking the email and displaying a policy tip to the user.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies are specifically designed to detect sensitive information types—such as credit card numbers—in documents and emails, and then automatically block sharing while displaying a policy tip to the user. This matches the requirement exactly: DLP can inspect content for credit card patterns using built-in sensitive info types (e.g., Credit Card Number), enforce actions like 'Block' with an overridable policy tip, and apply to Exchange Online, SharePoint, OneDrive, and Teams. Retention policies only manage data lifecycle, not content-based blocking.

Exam trap

Microsoft often tests the distinction between DLP (which inspects content for sensitive data and blocks actions) and Sensitivity labels (which apply classification and protection but do not natively scan for specific data patterns like credit card numbers to enforce blocking with policy tips).

How to eliminate wrong answers

Option A is wrong because a Retention policy is used to preserve or delete data based on age or legal requirements, not to inspect content for sensitive information or block sharing in real time. Option C is wrong because a Sensitivity label applies classification and protection (e.g., encryption, visual markings) but does not natively scan for specific data patterns like credit card numbers or enforce block actions with policy tips; it relies on manual or automatic labeling, not content inspection for predefined sensitive types. Option D is wrong because Information Barriers are designed to restrict communication and collaboration between specific groups (e.g., to prevent conflicts of interest), not to scan content for sensitive data or block sharing based on data patterns.

175
Multi-Selectmedium

An organization wants to block sharing of documents containing credit card numbers. Which two statements are accurate about the Microsoft 365 capability involved?

Select 2 answers
A.Data Loss Prevention policies
B.It replaces the need for identity and access management
C.It requires every document to be made public
D.The policy should be tested with a limited group before broad rollout
AnswersA, D

DLP detects sensitive information types and can restrict sharing across Microsoft 365 locations.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft 365 are specifically designed to detect and block the sharing of sensitive information, such as credit card numbers, by scanning content for predefined or custom sensitive information types. When a match is found, DLP can enforce actions like blocking the share or sending a notification, directly addressing the organization's requirement. This capability operates across Exchange Online, SharePoint, OneDrive, and Teams, providing comprehensive protection against accidental or malicious data leaks.

Exam trap

The trap here is that candidates may confuse DLP with identity and access management (IAM) or assume DLP requires public exposure of documents, when in fact DLP is a content-aware security control that operates independently of access permissions and typically restricts sharing rather than requiring it.

176
MCQeasy

A user needs to sign in to Microsoft 365 from an untrusted device. The company requires multifactor authentication (MFA) for all external access. Which Microsoft Entra ID feature enforces this requirement?

A.Microsoft Entra ID Protection
B.Security defaults
C.Microsoft Entra ID Password Protection
D.Conditional Access
AnswerD

Conditional Access can require MFA based on location, device, and other conditions.

Why this answer

Option D is correct. Conditional Access policies can require MFA based on conditions like device trust. Option C is wrong because Password Protection prevents weak passwords. Option A is wrong because Identity Protection detects risks but does not enforce MFA. Option B is wrong because security defaults provide baseline security but are not customizable like Conditional Access.

177
MCQmedium

A company is subject to GDPR and needs to respond to a data subject request to delete a user's personal data from Microsoft 365. Which Microsoft Purview solution should be used?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview eDiscovery
D.Microsoft Purview Audit
AnswerB

It includes retention labels and policies to manage DSRs.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Records Management) includes capabilities to manage data subject requests under GDPR. Option B is correct. Options A, C, and D are not designed for DSR management.

178
MCQeasy

Your organization is deploying Microsoft 365 for a healthcare company that must comply with HIPAA. Which Microsoft 365 compliance feature should you use to prevent sensitive patient data from being shared externally via email?

A.Microsoft Purview Message Encryption
B.Microsoft Purview eDiscovery
C.Microsoft Purview Audit
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerD

DLP policies can detect and block sharing of sensitive data.

Why this answer

Data Loss Prevention (DLP) policies are designed to detect and prevent sharing of sensitive data such as health information. Options B and C are not directly about preventing data leakage, and Option A is about encryption but not policy-based prevention.

179
Multi-Selectmedium

Which TWO of the following are key benefits of using Microsoft Purview Information Protection? (Choose two.)

Select 2 answers
A.It automatically detects and blocks phishing emails.
B.It enables organizations to meet compliance requirements by applying protection.
C.It manages device compliance with Conditional Access.
D.It provides backup and recovery for SharePoint Online.
E.It helps classify and protect sensitive data across Microsoft 365.
AnswersB, E

It assists in meeting compliance obligations.

Why this answer

Option E is correct because Information Protection helps classify and protect sensitive data. Option B is correct because it helps meet compliance requirements by applying protection. Option A is incorrect because it does not directly detect phishing. Option D is incorrect because Information Protection is not a backup solution. Option C is incorrect because it does not manage device compliance.

180
MCQmedium

Refer to the exhibit. An administrator configured a sensitivity label with auto-labeling for credit card numbers. What happens when a user creates a document containing a credit card number and saves it to SharePoint Online?

A.The label is applied only when the user manually selects it.
B.The label is automatically applied, and the document is encrypted.
C.The document is blocked from being saved.
D.The label is applied, but encryption is not enforced because the user can override.
AnswerB

Auto-labeling detects credit card numbers and applies the label with encryption.

Why this answer

The auto-labeling rule will automatically apply the label, which then encrypts the document and sets an expiration date. Option B is correct.

181
MCQhard

Refer to the exhibit. The exhibit shows an auto-labeling policy configuration. What will happen when a document labeled 'EU PII' is shared externally via SharePoint?

A.The document will be automatically labeled as confidential.
B.The document will be shared without encryption.
C.The document will be blocked from sharing.
D.The document will be encrypted before sharing.
AnswerD

The rule encrypts the document when shared externally.

Why this answer

Option D is correct: the policy encrypts the document when shared externally. Option C is incorrect because blockAccess is false. Option B is incorrect because encrypt is true, so it is encrypted. Option A is incorrect because the policy applies to external sharing, not internal.

182
MCQhard

A company needs to enforce that all documents marked as 'Confidential' are encrypted and cannot be printed. Which combination of Microsoft Purview features should they use?

A.Microsoft Entra ID Conditional Access and Intune app protection
B.Sensitivity labels with encryption and rights management
C.Data Loss Prevention (DLP) policies and retention labels
D.eDiscovery (Premium) and Audit (Premium)
AnswerB

Sensitivity labels can apply encryption and usage rights like preventing printing.

Why this answer

Sensitivity labels can apply encryption and usage restrictions like 'Do Not Print'. Option B is correct. The other options are incomplete or incorrect.

183
MCQhard

Refer to the exhibit. The JSON shows compliance scores from Microsoft Purview Compliance Manager. Which action should the organization prioritize to improve its HIPAA compliance score?

A.Deploy Microsoft Defender for Office 365.
B.Enable multifactor authentication for all users.
C.Implement retention labels for medical records.
D.Conduct a data privacy impact assessment.
AnswerB

It is a high-impact open action that will improve compliance.

Why this answer

The recommended action 'Enable MFA for all users' is marked as high impact and open. Implementing MFA would significantly improve the HIPAA score, as it addresses a common control. Option B is correct.

184
MCQeasy

You are the IT administrator for a non-profit organization that uses Microsoft 365 Business Basic. The organization has 50 volunteers who use their own personal devices to access email and SharePoint Online. The board of directors wants to ensure that if a volunteer's device is lost or stolen, the organization's data on that device can be removed remotely. They also want to ensure that volunteers use multi-factor authentication (MFA) to access corporate resources. What should you do?

A.Deploy Microsoft Defender for Cloud Apps and configure session controls.
B.Use Microsoft Purview to label all corporate data and configure a policy to revoke access.
C.Implement a Data Loss Prevention (DLP) policy that blocks access from unmanaged devices.
D.Enroll devices in Microsoft Intune and configure a selective wipe policy. Set up a Conditional Access policy in Microsoft Entra ID to require MFA.
AnswerD

Intune can wipe corporate data; Conditional Access enforces MFA.

Why this answer

Option D is correct because Microsoft Intune can be used to manage mobile devices and perform selective wipe to remove corporate data. Conditional Access in Microsoft Entra ID can enforce MFA. Option C is incorrect because DLP does not wipe devices. Option A is incorrect because Microsoft Defender for Cloud Apps is for cloud app security, not device wipe. Option B is incorrect because Microsoft Purview does not manage devices.

185
MCQmedium

While preparing a Microsoft 365 adoption plan, a consultant is asked to protect corporate data inside mobile apps without enrolling the whole personal device. Which Microsoft security, identity, or compliance capability should the consultant use?

A.Microsoft Planner
B.App protection policies / Mobile Application Management (MAM)
C.Microsoft Forms
D.Microsoft Stream
AnswerB

MAM protects corporate app data without requiring full device enrollment.

Why this answer

App protection policies (APP), also known as Mobile Application Management (MAM), allow administrators to protect corporate data within mobile apps—such as enforcing encryption, preventing copy/paste, or requiring PIN—without enrolling the entire personal device into management. This is the correct capability because it separates data-level controls from device-level management, meeting the requirement to protect corporate data without full device enrollment.

Exam trap

The trap here is that candidates often confuse Mobile Device Management (MDM)—which requires full device enrollment—with Mobile Application Management (MAM), which protects data at the app level without enrolling the device, and they may incorrectly select a non-security tool like Planner or Forms because they see 'mobile' or 'app' in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management and collaboration tool, not a security or compliance capability; it cannot enforce data protection policies on mobile apps. Option C is wrong because Microsoft Forms is a survey and data collection tool, lacking any native ability to apply conditional access or data loss prevention controls to mobile app usage. Option D is wrong because Microsoft Stream is a video hosting and sharing service, not a security or identity solution; it does not provide app-level protection policies for mobile applications.

186
MCQmedium

While preparing a Microsoft 365 adoption plan, a consultant is asked to identify risky user behaviour such as unusual downloads or policy violations. Which Microsoft security, identity, or compliance capability should the consultant use?

A.Microsoft Planner
B.Microsoft Purview Insider Risk Management
C.Microsoft Stream
D.Microsoft Forms
AnswerB

Insider Risk Management helps detect and investigate risky user activities.

Why this answer

Microsoft Purview Insider Risk Management is the correct capability because it is specifically designed to identify, detect, and act on risky user behaviors such as unusual downloads, data leaks, and policy violations. It uses machine learning models and predefined indicators to correlate user activities (e.g., mass file downloads, unauthorized sharing) with risk signals, enabling organizations to investigate and mitigate insider threats. This aligns directly with the consultant's need to monitor and address risky behavior in a Microsoft 365 adoption plan.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Insider Risk Management with general compliance tools like Microsoft Purview Compliance Manager or DLP, but the question specifically targets risky user behavior detection, which is the unique domain of Insider Risk Management.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a project management and task-tracking tool, not a security or compliance solution; it cannot detect risky user behaviors like unusual downloads or policy violations. Option C is wrong because Microsoft Stream is a video hosting and sharing platform for enterprise content, lacking any built-in capabilities for monitoring user behavior or enforcing security policies. Option D is wrong because Microsoft Forms is a survey and form creation tool, designed for data collection and feedback, with no functionality to identify insider risks or policy violations.

187
MCQmedium

A help desk lead is documenting the correct Microsoft 365 approach to track compliance assessments and improvement actions. Which Microsoft security, identity, or compliance capability should the lead use?

A.Microsoft Planner
B.Microsoft Forms
C.Microsoft Purview Compliance Manager
D.Microsoft Stream
AnswerC

Compliance Manager provides assessments and improvement actions mapped to standards and regulations.

Why this answer

Microsoft Purview Compliance Manager is the correct tool because it provides a centralized dashboard for tracking compliance assessments, managing improvement actions, and monitoring regulatory compliance posture. It integrates with Microsoft 365 services to automate risk assessments and generate detailed reports for standards like ISO 27001, SOC 2, and GDPR.

Exam trap

The trap here is that candidates may confuse Microsoft Planner's task assignment features with compliance action tracking, but Planner lacks the regulatory framework integration, automated scoring, and audit-ready reporting that Compliance Manager provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Planner is a task management tool for organizing team work and projects, not designed for compliance tracking or assessment management. Option B is wrong because Microsoft Forms is a survey and data collection tool, lacking the compliance-specific features like automated scoring, improvement action tracking, and regulatory framework mapping. Option D is wrong because Microsoft Stream is a video hosting and sharing platform, with no capabilities for compliance assessments or improvement action tracking.

188
MCQhard

A multinational corporation must ensure that all Microsoft 365 admin actions—such as adding a new user or changing a role—are recorded and searchable for at least 90 days. They also need to create custom alert rules to notify the security team when critical events occur, like disabling multi-factor authentication. Which Microsoft Purview solution should they use to meet both requirements?

A.Microsoft Purview Audit (Standard)
B.Microsoft Purview Audit (Premium)
C.Microsoft Purview Compliance Manager
D.Microsoft 365 Defender portal
AnswerB

Audit (Premium) includes longer retention (up to 1 year by default) and supports creating custom alert policies for specific events. It meets both requirements.

Why this answer

Microsoft Purview Audit (Premium) is the correct solution because it provides 1-year default retention of audit logs (extendable to 10 years) and supports custom alert policies that trigger notifications when specific events occur, such as disabling multi-factor authentication. Standard Audit only retains logs for 90 days and lacks the ability to create custom alert rules, making Premium the only option that satisfies both requirements.

Exam trap

The trap here is that candidates often confuse Audit (Standard) with Audit (Premium) because both record admin actions, but they overlook that Standard's 90-day retention and lack of custom alert rules fail the requirement for searchable logs beyond 90 days and proactive notifications.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit (Standard) retains audit logs for only 90 days and does not support custom alert rules; it only provides basic search and export capabilities. Option C is wrong because Microsoft Purview Compliance Manager is a compliance management and assessment tool that tracks controls and scores, not a solution for recording admin actions or creating alert rules. Option D is wrong because the Microsoft 365 Defender portal focuses on threat detection, investigation, and response (e.g., security incidents, malware), not on auditing admin actions or compliance-based alerting for events like disabling MFA.

189
Multi-Selecteasy

Which TWO of the following are examples of security defaults in Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Require multifactor authentication for all users
B.Allow legacy authentication protocols
C.Disable self-service password reset
D.Enable guest user access
E.Block legacy authentication
AnswersA, E

Security defaults enforce MFA registration.

Why this answer

Security defaults enforce basic security policies, including requiring MFA for all users and blocking legacy authentication. Options A and E are correct.

190
MCQhard

A multinational company must comply with the General Data Protection Regulation (GDPR). They need to be able to search for and delete personal data of a user upon request (right to erasure). Which Microsoft Purview solution should they use?

A.Microsoft Purview eDiscovery (Premium)
B.Microsoft Purview Audit (Standard)
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Insider Risk Management
AnswerA

eDiscovery Premium can search, collect, and export data, and supports deletion.

Why this answer

Option A is correct because Microsoft Purview eDiscovery (Premium) allows searching for content across Microsoft 365 and can be used to facilitate data deletion. Option B is wrong because Audit (Standard) only logs activities. Option C is wrong because Communication Compliance monitors communications. Option D is wrong because Insider Risk Management identifies risky activities.

191
MCQhard

A compliance officer needs to set up a policy that automatically monitors and detects activities related to accessing sensitive data from outside the corporate network. When a user from a foreign country accesses a confidential file, the policy should trigger an alert and require additional authentication. Which combination of Microsoft 365 solutions achieves this?

A.Microsoft Purview Data Loss Prevention and Conditional Access
B.Microsoft Purview Audit (Standard) and Microsoft Entra ID Identity Protection
C.Microsoft Purview Insider Risk Management and Microsoft Cloud App Security
D.Microsoft Purview eDiscovery and Privileged Identity Management
AnswerA

DLP monitors sensitive data activities and can generate alerts, while Conditional Access can require additional authentication based on location, meeting both requirements.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) monitors and detects sensitive data access from outside the corporate network, while Conditional Access enforces additional authentication (e.g., MFA) when such access is detected. Together, they meet the requirement for automatic alerting and step-up authentication based on location and data sensitivity.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Insider Risk Management with external access detection, but it is specifically for internal user risk, not foreign country access scenarios.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit (Standard) only logs user activities for forensic review, not real-time detection or policy-driven alerts, and Microsoft Entra ID Identity Protection focuses on user risk (e.g., compromised credentials) rather than data access policies. Option C is wrong because Microsoft Purview Insider Risk Management is designed for internal user behavior analytics (e.g., data exfiltration by employees), not external access detection, and Microsoft Cloud App Security provides cloud app visibility but lacks native DLP policy enforcement for on-premises file access. Option D is wrong because Microsoft Purview eDiscovery is for legal discovery and content search, not real-time monitoring, and Privileged Identity Management (PIM) manages just-in-time admin roles, not data access policies.

192
MCQeasy

Your organization wants to ensure that data sent to Microsoft 365 is encrypted in transit. Which protocol should you enforce for all client connections?

A.IPsec
B.TLS 1.2
C.HTTPS
D.SSH
AnswerB

Microsoft 365 requires TLS 1.2 or later for client connections.

Why this answer

TLS 1.2 is the minimum recommended protocol for encrypting data in transit to Microsoft 365. Option A (IPsec) is used for site-to-site VPNs, not client connections. Option C (HTTPS) is the application-layer protocol that uses TLS underneath. Option D (SSH) is for remote administration, not email or general traffic.

193
MCQmedium

A company must comply with a regulation that requires all data stored in Microsoft 365 to remain within the European Union. Which Microsoft 365 feature should an administrator configure to enforce this geographic restriction?

A.Data Loss Prevention (DLP)
B.Information Rights Management (IRM)
C.Data Residency policies
D.Customer Lockbox
AnswerC

Data Residency policies ensure that customer data is stored at rest within a specific geographic region, meeting regulatory requirements.

Why this answer

Option C is correct because Data Residency policies in Microsoft 365 allow administrators to define the geographic location where data at rest is stored. By configuring a Data Residency policy for the European Union, the administrator ensures that all data remains within EU data centers, meeting regulatory requirements.

Exam trap

The trap here is that candidates often confuse Data Residency policies with Data Loss Prevention (DLP) or Information Rights Management (IRM), mistakenly thinking those features control data location rather than focusing on data protection or access control.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive information from being shared or leaked, not to control where data is stored geographically. Option B is wrong because Information Rights Management (IRM) protects data through encryption and usage restrictions, but does not enforce data residency or storage location constraints. Option D is wrong because Customer Lockbox provides customer approval control over Microsoft engineer access to data during support scenarios, but does not determine or enforce the geographic storage location of data.

194
Multi-Selecthard

Which THREE actions can be performed using Microsoft Purview Data Loss Prevention (DLP) policies?

Select 3 answers
A.Display a policy tip to the user when sensitive data is detected
B.Restrict access to sensitive documents
C.Apply sensitivity labels automatically
D.Audit all access to SharePoint sites
E.Block sharing of sensitive information via email
AnswersA, B, E

Policy tips inform users about policy violations.

Why this answer

Options A, B, and E are correct. DLP policies can block sharing, show tips, and restrict access. Option D is wrong because auditing is separate. Option C is wrong because sensitivity labels are part of Information Protection, not DLP.

195
MCQmedium

A company wants to ensure that only IT administrators can install browser extensions in Microsoft Edge. Which Microsoft 365 security feature should be used?

A.Conditional Access
B.Microsoft Intune
C.Microsoft Defender for Cloud Apps
D.Microsoft Entra ID Identity Protection
AnswerB

Intune can manage device policies to restrict browser extension installations through configuration profiles.

Why this answer

Microsoft Intune is the correct choice because it provides mobile device management (MDM) and mobile application management (MAM) capabilities that allow administrators to configure Microsoft Edge settings via configuration profiles. Specifically, Intune can enforce the 'Installation of browser extensions' policy to restrict extension installation to IT administrators only, using the Administrative Templates for Edge within the Settings Catalog.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to resources) with device management policies (which control software behavior on the device), leading them to incorrectly select Conditional Access instead of Intune.

How to eliminate wrong answers

Option A is wrong because Conditional Access is an identity-driven access control feature that enforces policies based on user, device, location, or risk signals at authentication time, but it cannot directly manage or restrict browser extension installation within Edge. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on discovering and controlling cloud app usage, data protection, and threat detection, not on configuring local browser policies like extension installation. Option D is wrong because Microsoft Entra ID Identity Protection is a risk-based protection feature that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies), but it does not have the capability to enforce device-level configuration policies for browser extensions.

196
MCQhard

A global company has a strict policy that any Microsoft 365 administrator who needs to access a user's mailbox for troubleshooting must first obtain explicit approval from the user. The company wants to implement a process that requires approval for such access and logs the activity. Which Microsoft Purview feature should they use?

A.Customer Lockbox
B.Privileged Access Management (PAM)
C.Data Loss Prevention (DLP)
D.Microsoft Purview Audit
AnswerB

PAM provides approval-based, time-limited access for administrative tasks and logs all activities.

Why this answer

Privileged Access Management (PAM) in Microsoft Purview is specifically designed to provide just-in-time access to sensitive administrative roles and tasks, such as accessing a user's mailbox for troubleshooting. It enforces an approval workflow before the privileged operation is executed and logs all access attempts, meeting the company's requirement for explicit user approval and activity logging.

Exam trap

The trap here is confusing Customer Lockbox (which handles Microsoft-initiated access) with Privileged Access Management (which handles admin-initiated access), leading candidates to pick A when the scenario involves internal administrators, not Microsoft support engineers.

How to eliminate wrong answers

Option A (Customer Lockbox) is wrong because it controls access to customer data during Microsoft support requests, not for internal administrators performing mailbox troubleshooting; it requires customer approval for Microsoft engineers, not for the company's own admins. Option C (Data Loss Prevention) is wrong because it focuses on preventing unauthorized sharing or leakage of sensitive data through policies and rules, not on controlling or approving administrative access to mailboxes. Option D (Microsoft Purview Audit) is wrong because it only logs and records activities after they occur, providing visibility but no approval workflow or proactive control over who accesses a mailbox.

197
MCQmedium

A healthcare organization must ensure that electronic protected health information (ePHI) in Microsoft 365 is encrypted both at rest and in transit. Which Microsoft 365 feature provides encryption for data in transit?

A.Azure Information Protection
B.TLS/SSL encryption
C.BitLocker Drive Encryption
D.Microsoft Purview Information Protection
AnswerB

TLS encrypts data in transit.

Why this answer

Microsoft 365 uses TLS to encrypt data in transit between clients and Microsoft servers. Option B is correct. BitLocker encrypts at rest, Purview is for governance, and Rights Management is for access control.

198
Multi-Selecthard

Which TWO are valid data classification labels in Microsoft Purview?

Select 2 answers
A.Secret
B.Confidential
C.Classified
D.Highly Confidential
E.Public
AnswersB, D

This is a built-in sensitivity label.

Why this answer

Options B and D are correct. Microsoft Purview includes built-in labels like 'Highly Confidential' and 'Confidential'. Options A, C, and E are not standard labels.

199
MCQmedium

A compliance officer needs to automatically retain all SharePoint documents that contain a specific project code for exactly 5 years. The retention must be applied automatically when the document is uploaded, without any user interaction. Which Microsoft Purview feature should they configure?

A.Data Loss Prevention (DLP) policy
B.Sensitivity labels
C.Retention labels with an auto-apply policy
D.eDiscovery (Premium)
AnswerC

Retention labels can be configured with auto-apply rules that trigger when documents contain specific keywords, ensuring automatic retention without user action.

Why this answer

Retention labels with an auto-apply policy are the correct choice because they allow you to automatically assign a retention label to SharePoint documents based on specific conditions, such as the presence of a project code, and enforce a fixed retention period (e.g., 5 years) without any user interaction. This feature is designed for automated, policy-driven retention based on content properties or sensitive information types.

Exam trap

The trap here is that candidates often confuse retention labels (which enforce retention actions) with sensitivity labels (which focus on classification and protection), leading them to choose Option B when the requirement is purely about automated retention duration.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent unauthorized sharing or leakage of sensitive data, not to enforce retention or deletion schedules. Option B is wrong because sensitivity labels primarily classify and protect data with encryption or visual markings, and while they can trigger retention, they require manual application or user interaction unless combined with auto-labeling, which is not the primary mechanism for automated retention based on a project code. Option D is wrong because eDiscovery (Premium) is used for searching, holding, and exporting data for legal or investigative purposes, not for automatically retaining documents for a fixed period upon upload.

200
MCQeasy

Refer to the exhibit. You are reviewing a Conditional Access policy configuration. What is the effect of this policy on a user who signs in from a known device but with medium sign-in risk?

A.The user is required to reset their password.
B.The user is blocked from signing in.
C.The user is allowed without any additional prompts because the device is known.
D.The user is prompted for multifactor authentication.
AnswerD

The grant control is MFA when risk >= medium.

Why this answer

The policy requires MFA when the sign-in risk level is medium or higher. Since the condition is met (medium risk), the user will be prompted for MFA. Option D is correct.

201
MCQeasy

Your organization uses Microsoft 365 Copilot and wants to ensure that sensitive data is not exposed through AI-powered features. Which Microsoft Purview capability should be configured?

A.Microsoft Intune app protection policies
B.Microsoft Defender for Cloud Apps
C.Microsoft Purview Data Loss Prevention policies for Copilot
D.Microsoft Entra Conditional Access
AnswerC

DLP can be configured to protect sensitive data in Copilot interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) can be extended to Copilot interactions to prevent sensitive data from being shared. Additionally, sensitivity labels can be used. Option C is correct because Purview DLP policies can apply to Copilot.

202
MCQhard

A legal firm needs to automatically encrypt and apply access restrictions to all documents that contain case numbers considered highly confidential. The protection must remain enforced even if the document is emailed to external parties or saved to a personal device. Which Microsoft Purview solution should be configured?

A.Data Loss Prevention (DLP)
B.Sensitivity Labels with encryption
C.Microsoft Purview Audit
D.Customer Lockbox
AnswerB

Sensitivity labels can apply automatic encryption and usage restrictions that follow the document, meeting the requirement for persistent protection.

Why this answer

Sensitivity Labels with encryption are the correct solution because they allow the legal firm to classify documents containing confidential case numbers and enforce persistent protection (encryption and access restrictions) that travels with the document, even when emailed externally or saved to a personal device. This is achieved by applying Azure Rights Management (Azure RMS) encryption directly to the file, ensuring the protection is embedded in the document itself, not just at the network or service boundary.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with persistent protection, mistakenly thinking DLP can encrypt documents and enforce access controls after they leave the organization, when in fact DLP only monitors and blocks data in transit or at rest within the tenant, not after it is shared externally.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies can detect and block the sharing of sensitive data (like case numbers) but do not automatically encrypt or apply persistent access restrictions to documents; DLP operates at the transport and endpoint level to prevent data exfiltration, not to enforce ongoing protection after the document leaves the organization. Option C is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities, not automatic encryption or access control on documents. Option D is wrong because Customer Lockbox is a control that requires explicit approval for Microsoft support engineers to access customer data, and it does not provide document-level encryption or access restrictions.

203
Multi-Selecthard

Which TWO of the following are requirements for implementing Microsoft Purview Customer Key? (Choose two.)

Select 2 answers
A.Microsoft Entra ID Premium P2 licenses
B.An Azure subscription with Azure Key Vault
C.A Microsoft 365 E5 license
D.Microsoft Defender for Cloud Apps
E.An on-premises Hardware Security Module (HSM)
AnswersB, C

Azure Key Vault is used to store your keys.

Why this answer

Option C is correct: Customer Key requires a Microsoft 365 E5 license. Option B is correct: Customer Key uses Azure Key Vault to store keys. Option E is wrong because Customer Key does not require an on-premises HSM; it uses Azure Key Vault. Option A is wrong because Customer Key does not require Entra ID P2; E5 license suffices. Option D is wrong because Customer Key does not require Microsoft Defender for Cloud Apps.

204
Multi-Selectmedium

Which THREE of the following are valid data subject rights under GDPR? (Choose three.)

Select 3 answers
A.Right to data portability
B.Right to erasure (right to be forgotten)
C.Right of access
D.Right to perpetual storage
E.Right to monetization of data
AnswersA, B, C

Individuals can request to transfer their data.

Why this answer

GDPR grants individuals rights such as the right to erasure, portability, and access. Options A, B, and C are correct.

205
MCQeasy

A healthcare organization stores patient records in SharePoint Online. They need to ensure that the data is encrypted at rest and in transit. Which statement is true regarding Microsoft 365 encryption?

A.Microsoft provides default encryption for data at rest and in transit.
B.Customers must enable encryption at rest manually for each workload.
C.Encryption only applies to Exchange Online, not SharePoint or OneDrive.
D.Encryption is optional and can be turned off if a customer chooses.
AnswerA

Microsoft 365 encrypts all data at rest using disk and file encryption, and all data in transit using industry-standard protocols like TLS.

Why this answer

Microsoft 365 provides default encryption for data at rest and in transit across all workloads, including SharePoint Online, Exchange Online, and OneDrive for Business. For data at rest, Microsoft uses BitLocker Drive Encryption and service-side encryption with per-file keys, while data in transit is secured using TLS 1.2+ and IPSec. This means the healthcare organization's patient records in SharePoint Online are automatically encrypted without any manual configuration.

Exam trap

The trap here is that candidates often assume encryption must be manually configured or is optional, but Microsoft 365 enforces encryption by default across all workloads, and customers cannot disable it.

How to eliminate wrong answers

Option B is wrong because encryption at rest is enabled by default for all Microsoft 365 workloads, including SharePoint Online, and does not require manual enablement per workload. Option C is wrong because encryption applies to all Microsoft 365 services, not just Exchange Online; SharePoint Online and OneDrive for Business also use BitLocker and service-side encryption for data at rest and TLS for data in transit. Option D is wrong because encryption is mandatory and cannot be turned off by customers; Microsoft enforces encryption as a core security feature to protect data.

206
MCQmedium

A user reports receiving a phishing email that bypassed Exchange Online Protection (EOP). You need to investigate the threat and automate a response across email, endpoints, and identities. Which Microsoft 365 security solution should you use?

A.Microsoft Sentinel
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Defender XDR
AnswerD

Defender XDR correlates signals across email, endpoints, and identities and automates response.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) provides unified detection and automated response across email, endpoints, and identities. Option D is correct. Option B (Defender for Office 365) focuses only on email, Option C (Defender for Endpoint) only on endpoints, and Option A (Sentinel) is a SIEM that could be used but is not the primary automated response tool for this scenario.

207
MCQmedium

A business stakeholder asks how Microsoft 365 can help them allow sign-in using biometrics or FIDO2 security keys. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Planner
B.Microsoft Entra ID passwordless authentication
C.Microsoft Stream
D.Microsoft Forms
AnswerB

Microsoft Entra ID supports passwordless methods such as Windows Hello for Business and FIDO2 security keys.

Why this answer

Microsoft Entra ID passwordless authentication (Option B) is the correct capability because it directly supports sign-in using biometrics (Windows Hello, Microsoft Authenticator) and FIDO2 security keys. This feature eliminates the need for passwords by leveraging public-key cryptography and the WebAuthn standard, aligning with the stakeholder's request for passwordless sign-in methods.

Exam trap

The trap here is that candidates may confuse productivity tools (Planner, Stream, Forms) with identity and access management capabilities, failing to recognize that passwordless authentication is a core feature of Microsoft Entra ID, not a standalone app.

How to eliminate wrong answers

Option A (Microsoft Planner) is wrong because it is a task management and project planning tool, not an identity or authentication service. Option C (Microsoft Stream) is wrong because it is a video sharing and management platform, unrelated to authentication mechanisms. Option D (Microsoft Forms) is wrong because it is a survey and data collection tool, with no capability to handle biometric or FIDO2 sign-in.

208
Multi-Selectmedium

A healthcare organization must encrypt outbound email automatically when a message contains passport numbers. Which two Microsoft Purview capabilities are commonly combined? (Choose two.)

Select 2 answers
A.Microsoft Planner
B.Data Loss Prevention (DLP)
C.Microsoft Purview Message Encryption
D.Microsoft Viva Engage
AnswersB, C

DLP detects sensitive information and can trigger actions.

Why this answer

Data Loss Prevention (DLP) is the correct answer because it provides the policy engine that detects sensitive information, such as passport numbers, in outbound email. When a DLP rule matches, it can trigger automatic encryption of the message using Microsoft Purview Message Encryption, ensuring the email is protected before leaving the organization.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Message Encryption as a standalone solution, forgetting that it requires a DLP policy to automatically detect and trigger the encryption action.

209
MCQhard

An organization wants to prevent employees from sharing sensitive files with external users via SharePoint Online, but they need to allow sharing with a specific external partner for a single project. What is the most efficient configuration?

A.Disable external sharing at the tenant level and enable it only for the specific project site
B.Change the default sharing link type to 'Specific people' and add the partner's domain to an allow list
C.Apply sensitivity labels with encryption to all files
D.Configure a DLP policy to block external sharing except for the partner domain
AnswerA

This approach uses the granular sharing settings in SharePoint Online: a tenant-wide restriction prevents all external sharing by default, and exceptions can be made on a per-site basis, providing a clear, manageable security model.

Why this answer

Option A is correct because it allows the organization to disable external sharing globally at the tenant level via the SharePoint admin center, which prevents all users from sharing with external users by default. Then, by enabling external sharing only for the specific project site (site-level override), the organization can grant the necessary access to the external partner while maintaining the broad restriction. This is the most efficient approach because it uses a single configuration change at the tenant level and a targeted exception at the site level, avoiding complex policies or labels.

Exam trap

The trap here is that candidates often confuse DLP policies or sensitivity labels as the primary method to control sharing, when in fact SharePoint sharing settings at the tenant and site level are the direct and most efficient configuration for this scenario.

How to eliminate wrong answers

Option B is wrong because changing the default sharing link type to 'Specific people' does not block external sharing; it only changes the default link behavior, and adding the partner's domain to an allow list (via cross-tenant access settings) still permits external sharing broadly, not just for the single project. Option C is wrong because applying sensitivity labels with encryption protects files but does not prevent sharing; users can still share encrypted files with external users, and encryption does not enforce sharing restrictions. Option D is wrong because configuring a DLP policy to block external sharing except for the partner domain is overly complex and less efficient; DLP policies are designed for data loss prevention (e.g., blocking sensitive info in emails or documents) and are not the primary tool for controlling SharePoint sharing settings, which are managed via sharing permissions.

210
MCQeasy

A security administrator needs to review all sign-in attempts and identify suspicious login patterns for the past 30 days. Which Microsoft 365 portal should they use to access this information?

A.Microsoft Purview compliance portal
B.Microsoft 365 admin center
C.Microsoft Entra ID sign-in logs
D.Microsoft Defender for Cloud Apps
AnswerC

Microsoft Entra ID Sign-ins logs (in the Azure portal or Entra admin center) provide comprehensive sign-in activity data for analysis and investigation.

Why this answer

Microsoft Entra ID sign-in logs provide a detailed record of all sign-in attempts, including successful and failed logins, IP addresses, applications used, and risk detections. This data can be filtered and analyzed to identify suspicious patterns such as multiple failed attempts or sign-ins from unusual locations over the past 30 days, making it the correct choice for a security administrator.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center (which shows basic sign-in activity under 'Health' > 'Sign-in logs') with the full-featured Microsoft Entra ID sign-in logs, but the admin center only provides a limited view and lacks the detailed filtering, risk analysis, and 30-day retention needed for security investigations.

How to eliminate wrong answers

Option A is wrong because the Microsoft Purview compliance portal focuses on data governance, retention, eDiscovery, and compliance management, not on real-time sign-in logs or authentication patterns. Option B is wrong because the Microsoft 365 admin center is used for managing users, licenses, and service settings, but it does not provide detailed sign-in logs or security analysis of login attempts. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility into cloud app usage and anomalies, but the primary source for raw sign-in logs and authentication events is Microsoft Entra ID sign-in logs.

211
MCQmedium

During requirements gathering, an IT manager says the organization must make document protection persist after a file is downloaded or emailed. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Planner
B.Microsoft Forms
C.Microsoft Stream
D.Sensitivity labels with encryption
AnswerD

Sensitivity labels can apply persistent encryption and access restrictions.

Why this answer

Sensitivity labels can apply persistent encryption and access restrictions.

Exam trap

Candidates might be tempted by other Microsoft 365 services if they don't understand the 'persistent protection' requirement.

212
Multi-Selecteasy

Your organization is planning to use Microsoft Purview to meet compliance requirements. Which TWO capabilities are part of Microsoft Purview? (Choose two.)

Select 2 answers
A.Data Classification
B.Advanced Threat Analytics
C.Data Loss Prevention (DLP)
D.Data Lifecycle Management
E.Insider Risk Management
AnswersC, D

DLP is a key component of Microsoft Purview for preventing data leaks.

Why this answer

Options C and D are correct. Data Loss Prevention (DLP) and Data Lifecycle Management are core Purview capabilities. Advanced Threat Analytics (B) is part of Microsoft Defender. Insider Risk Management (E) is a Purview capability, but it's not listed as correct because the question asks for two. Data Classification (A) is also part of Purview, but the correct set is C and D. Note: Insider Risk Management is also a Purview capability; however, the question expects DLP and Data Lifecycle Management. Since exactly two answers are correct, we pick C and D.

213
MCQmedium

A legal firm must ensure that all documents containing a specific project code are automatically retained for 7 years after the project ends. After the 7-year period, the documents should be permanently deleted. The firm already uses sensitivity labels to classify documents. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview Records Management
C.Microsoft Purview Sensitivity Labels
D.Microsoft Purview Data Loss Prevention
AnswerB

Records Management enables retention labels that can be auto-applied based on sensitive info types. These labels can enforce retention and deletion. It is the correct solution for this scenario.

Why this answer

Microsoft Purview Records Management is the correct solution because it provides the ability to mark documents as records (or regulatory records) and apply retention labels that enforce a specific retention period—in this case, 7 years after the project ends—followed by automatic deletion. Unlike Data Lifecycle Management, Records Management includes disposition review and the ability to trigger deletion based on an event (e.g., project end date), which aligns with the legal firm's requirement for event-based retention and permanent deletion.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (which handles general retention policies) with Records Management (which adds record declaration and event-based retention), and they may incorrectly choose Sensitivity Labels because the firm already uses them, not realizing that sensitivity labels alone cannot enforce retention or deletion schedules.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) can apply retention and deletion policies, but it does not natively support event-based retention triggered by a custom event (like project end) without additional configuration via PowerShell or third-party tools, and it lacks the record declaration and disposition review capabilities required for legal compliance. Option C is wrong because Sensitivity Labels are designed for classification and protection (encryption, marking) of content based on sensitivity, not for enforcing retention or deletion schedules; they do not provide the event-based retention or automatic deletion after a specific period. Option D is wrong because Microsoft Purview Data Loss Prevention (DLP) is focused on preventing unauthorized sharing or leakage of sensitive data through policies that block or warn users, not on managing retention or deletion of documents after a project ends.

214
Drag & Dropmedium

Drag and drop the steps to configure a data loss prevention (DLP) policy in the Microsoft 365 compliance center into the correct order.

Why this order

DLP policies are created in the compliance center by selecting a template, locations, and rules.

215
MCQhard

A global company needs to ensure that only employees in the 'HR' security group can access a specific set of HR documents stored in SharePoint. If a user outside the group attempts to view or copy the content, it must be blocked. The protection must persist even if someone downloads the files and shares them externally, or if the files are saved to a personal device. Which Microsoft Purview solution should be used?

A.Data Loss Prevention (DLP) policy
B.Sensitivity labels with encryption and permission settings
C.Microsoft Entra ID Conditional Access
D.Microsoft Defender for Cloud Apps session policy
AnswerB

Encryption via sensitivity labels protects the file regardless of where it is stored, and permissions ensure only the 'HR' group can access it.

Why this answer

Sensitivity labels with encryption and permission settings are the correct solution because they allow you to apply persistent protection that travels with the file, regardless of where it is stored or shared. By configuring a sensitivity label to restrict access to only members of the 'HR' security group and enabling encryption, the protection remains intact even if the file is downloaded, saved to a personal device, or shared externally. This meets the requirement for persistent access control that blocks unauthorized viewing or copying.

Exam trap

The trap here is that candidates often confuse DLP policies (which only monitor and block sharing at the transport layer) with sensitivity labels (which provide persistent encryption and access control that stays with the file), leading them to choose DLP when the question explicitly requires protection that persists after download or external sharing.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to detect and prevent accidental sharing of sensitive information based on content inspection, but they do not apply persistent encryption or access control that travels with the file after it is downloaded or saved to a personal device. Option C is wrong because Microsoft Entra ID Conditional Access controls access at the authentication and session level for cloud apps, but it does not provide persistent protection that remains with the file once it is downloaded or shared outside the controlled environment. Option D is wrong because Microsoft Defender for Cloud Apps session policies can monitor and control access in real-time within the browser session, but they cannot enforce persistent encryption or access restrictions on files that have been downloaded or saved locally.

216
MCQmedium

A tenant administrator is advising a department that wants to automatically apply a label when sensitive customer identifiers are detected. Which Microsoft security, identity, or compliance capability should it use?

A.Microsoft Planner
B.Auto-labeling for sensitivity labels
C.Microsoft Forms
D.Microsoft Stream
AnswerB

Auto-labeling can apply sensitivity labels based on configured conditions.

Why this answer

Auto-labeling can apply sensitivity labels based on configured conditions.

217
MCQmedium

A compliance officer needs to automatically detect when employees share customers' personal data (e.g., social security numbers) via email and block such sharing. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Insider Risk Management
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Audit
AnswerA

DLP policies scan emails for sensitive data and can automatically block the message from being sent, with notifications to the user and administrator.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to identify, monitor, and automatically protect sensitive data—such as social security numbers—across Microsoft 365 services, including Exchange Online. DLP policies can be configured with conditions that detect sensitive information types (e.g., U.S. Social Security Number) in email messages and apply actions like blocking the email from being sent. This directly meets the compliance officer's requirement to automatically detect and block sharing of customers' personal data via email.

Exam trap

The trap here is that candidates often confuse Communication Compliance (which reviews communications for policy violations) with DLP (which actively blocks sensitive data), leading them to select option C because they think 'compliance' implies blocking, but Communication Compliance only detects and flags, not blocks.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Insider Risk Management focuses on identifying, analyzing, and remediating internal risks (e.g., data theft, policy violations) by correlating signals from various sources, but it does not provide real-time blocking of sensitive data in email. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect and review inappropriate or policy-violating communications (e.g., harassment, insider trading) but does not have the capability to automatically block data sharing based on sensitive content like social security numbers. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities, but it is a passive auditing tool that cannot automatically detect or block data sharing in real time.

218
MCQmedium

A compliance administrator needs to block sharing of documents containing credit card numbers. Which Microsoft 365 capability is the best fit?

A.Data Loss Prevention policies
B.Microsoft Teams live events
C.Microsoft Bookings
D.OneDrive sync client
AnswerA

DLP detects sensitive information types and can restrict sharing across Microsoft 365 locations.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft 365 are specifically designed to identify, monitor, and automatically protect sensitive information—such as credit card numbers—across Exchange Online, SharePoint, OneDrive, and Teams. By configuring a DLP policy with a built-in sensitive info type for credit card numbers, the administrator can block users from sharing documents containing that data, either by preventing the action or triggering a notification. This directly addresses the compliance requirement to block sharing of documents with credit card numbers.

Exam trap

The trap here is that candidates may confuse the OneDrive sync client with the OneDrive cloud service, thinking the sync client can enforce DLP policies locally, when in fact DLP policies are applied at the cloud service layer and the sync client simply replicates cloud-side restrictions.

How to eliminate wrong answers

Option B is wrong because Microsoft Teams live events is a broadcast and meeting feature for streaming video to large audiences; it has no capability to scan or block documents based on sensitive content like credit card numbers. Option C is wrong because Microsoft Bookings is a scheduling and appointment management tool; it does not include any data classification or policy enforcement to block sharing of sensitive information. Option D is wrong because the OneDrive sync client is a desktop application that synchronizes files between a local device and OneDrive; it does not natively enforce DLP policies or block sharing of documents containing credit card numbers—DLP policies are enforced at the cloud service level, not by the sync client.

219
MCQmedium

A compliance-aware administrator is selecting the right Microsoft 365 capability to require MFA only for sign-ins from outside trusted locations. Which Microsoft security, identity, or compliance capability should it use?

A.Conditional Access
B.Microsoft Stream
C.Microsoft Planner
D.Microsoft Forms
AnswerA

Conditional Access evaluates signals such as location and enforces controls such as MFA.

Why this answer

Conditional Access is the correct Microsoft 365 capability because it allows administrators to create policies that enforce MFA based on specific conditions, such as sign-in location. By configuring a Conditional Access policy with a 'location' condition that includes trusted IP ranges (defined via named locations), you can require MFA only when users sign in from outside those trusted locations. This directly addresses the requirement for location-aware MFA enforcement without affecting sign-ins from trusted networks.

Exam trap

Microsoft often tests the misconception that any Microsoft 365 workload can enforce MFA, but only Conditional Access (an Azure AD feature) provides the granular, location-based policy control needed for this scenario.

How to eliminate wrong answers

Option B (Microsoft Stream) is wrong because it is a video management and sharing service, not a security or identity capability; it cannot enforce MFA or evaluate sign-in locations. Option C (Microsoft Planner) is wrong because it is a task management and planning tool within Microsoft 365, lacking any identity or access control features to require MFA based on location. Option D (Microsoft Forms) is wrong because it is a survey and data collection tool; it has no mechanism to enforce authentication policies or evaluate sign-in locations.

220
MCQmedium

Your organization is required to retain all communications related to a legal case for 5 years. Emails and Teams messages must be preserved immutably. Which Microsoft 365 feature should you use?

A.Litigation Hold
B.Data Loss Prevention (DLP) policies
C.Retention policies and tags
D.eDiscovery (Standard)
AnswerA

Litigation Hold preserves mailbox items immutably until removed.

Why this answer

Litigation Hold preserves all mailbox content immutably. Option A is correct. Option C (Retention tags) can delete or archive but not preserve immutably. Option B (DLP) is for prevention. Option D (eDiscovery) is for search, not preservation.

221
MCQhard

You are the security administrator for Contoso, a global consulting firm with 10,000 employees. Contoso uses Microsoft 365 E5 and Microsoft Entra ID P2. The company has a strict policy that all sensitive client data must be encrypted at rest and in transit. Additionally, the legal team requires that any document labeled as 'Highly Confidential' must be automatically encrypted and cannot be printed or forwarded. You have created a sensitivity label called 'Highly Confidential' with encryption and a protection setting that restricts actions like printing. However, you notice that users are still able to print documents that have the label applied. After investigation, you find that the label is correctly configured but users are manually applying the label. What should you do to ensure the label is consistently applied and printing is blocked?

A.Create a Data Loss Prevention (DLP) policy that blocks printing of documents with the 'Highly Confidential' label.
B.Configure a Conditional Access policy that blocks printing for users accessing documents from unmanaged devices.
C.Modify the sensitivity label's encryption settings to require user authentication before printing.
D.Create an auto-labeling policy that automatically applies the 'Highly Confidential' label to documents that contain certain sensitive information types, and ensure the label's protection settings block printing.
AnswerD

Auto-labeling ensures consistent application, and protection blocks printing.

Why this answer

Option D is correct because auto-labeling policies can automatically apply the sensitivity label based on conditions, ensuring consistent application. Additionally, the label's protection settings should block printing. Option A is incorrect because creating a DLP policy that blocks printing may not respect the sensitivity label's settings. Option C is incorrect because the label already has protection settings, but the issue is manual application. Option B is incorrect because Conditional Access does not control document actions like printing.

222
MCQeasy

A user reports receiving a phishing email in their Outlook inbox. The organization uses Microsoft Defender for Office 365. Which feature should the user use to report the email to the security team?

A. Use the Report Message add-in in Outlook
B. Block the sender in Outlook
C. Submit the email to the Microsoft 365 Defender portal
D. Enable Safe Links in Outlook
Answer: A

The Report Message add-in allows users to report phishing and junk emails to Microsoft and the organization for analysis.

Why this answer

Option A is correct. The Report Message add-in allows users to report phishing emails directly to Microsoft and the organization. Option B is wrong because blocking the sender is a local action.

Option D is wrong because Safe Links protects against malicious URLs and is not a reporting feature. Option C is wrong because the admin center is for administrators.

223
MCQ · hard

You are reviewing an Azure Policy assignment in the exhibit. The policy set definition ID corresponds to the 'Microsoft cloud security benchmark' initiative. The effect is set to 'Deny'. What is the most likely outcome of this policy assignment?

A. Creation of non-compliant resources will be blocked
B. Non-compliant resources will automatically be remediated
C. The policy will only apply to resources with specific tags
D. Resources that are non-compliant will be audited and logged
Answer: A

The 'Deny' effect blocks non-compliant resource creation.

Why this answer

The 'Deny' effect (A) will block any resource creation that does not meet the benchmark. Option D (audit) would require the 'Audit' effect. Option B (deploy) would require 'DeployIfNotExists'.

Option C (exempt) is a different feature.

224
MCQ · medium

Your organization is using Microsoft 365 Copilot. You want to ensure that Copilot uses only data that users have permission to access. Which principle does this enforce?

A. Zero Trust
B. Least privilege
C. Defense in depth
D. Need-to-know
Answer: B

Copilot respects user permissions, enforcing least privilege access to data.

Why this answer

Least privilege (B) ensures users only access data they need. Option A (zero trust) is broader. Option C (defense in depth) has multiple layers.

Option D (need-to-know) is similar but less formal in Microsoft 365.

225
Multi-Select · easy

Which THREE statements about the Microsoft Service Trust Portal are true?

Select 3 answers
A. It includes the Compliance Manager tool.
B. It is accessible to authenticated users with an Azure AD account.
C. It provides independent audit reports and compliance documentation.
D. It allows real-time tracking of data location.
E. It provides downloads of Microsoft software patches.
Answers: A, B, C

Compliance Manager is part of the Service Trust Portal.

Why this answer

Options A, B, and C are correct: the Service Trust Portal provides audit reports and compliance guides, and is accessible to authenticated users. Option D is incorrect because the portal does not provide real-time data location; data residency is shown in other tools. Option E is incorrect because the portal does not allow downloading Microsoft software; it offers only compliance documents.
