CCNA Manage the Microsoft Power Platform environment Questions

75 of 164 questions · Page 1/3 · Manage the Microsoft Power Platform environment · Answers revealed

1
MCQ · hard

An administrator needs to prevent users from creating Power Apps outside of the approved environment (Production). The company has a Development and a Production environment. Users should only be able to create apps in Development. Which configuration should the administrator use?

A. Assign the Environment Maker role to users in both environments
B. Assign the Environment Maker role to users only in the Development environment
C. Create a DLP policy that blocks app creation in Production
D. Remove the Environment Maker role from all users in all environments
Answer: B

This limits creation to Development.

Why this answer

The Environment Maker role grants permission to create apps within a specific environment. By assigning this role only to the Development environment, users can create apps there but are blocked from creating them in Production, where they lack the role. This directly enforces the requirement without affecting other permissions.

Exam trap

The trap here is that candidates often confuse DLP policies with environment-level permissions, incorrectly assuming DLP can block app creation, when in fact DLP only restricts data connectors and sharing, not the ability to create apps.

How to eliminate wrong answers

Option A is wrong because assigning the Environment Maker role to users in both environments would allow app creation in Production, violating the requirement. Option C is wrong because Data Loss Prevention (DLP) policies control data connectors and sharing, not the ability to create apps; they cannot block app creation itself. Option D is wrong because removing the Environment Maker role from all users in all environments would prevent app creation in Development as well, failing to meet the requirement that users should be able to create apps in Development.

2
MCQ · medium

The exhibit shows a JSON snippet from a Power Platform environment configuration. What can be inferred from this snippet?

A. The environment has blocked connectors for Twitter and Facebook
B. The environment has used 1024 MB of storage
C. The environment is named 'Production'
D. The environment has a storage limit of 512 MB
Answer: A

BlockedConnectors includes Twitter and Facebook.

Why this answer

The JSON snippet includes a 'blockedConnectors' array containing 'Twitter' and 'Facebook', which explicitly indicates that these connectors are prohibited in the environment. This is a tenant-level or environment-level policy setting used to restrict data movement to or from these services, directly supporting option A as correct.

Exam trap

The trap here is that candidates may focus on the storage values (currentStorageSizeMB and maxStorageMB) or the display name, missing the explicit 'blockedConnectors' array that directly answers the question about what can be inferred from the snippet.

How to eliminate wrong answers

Option B is wrong because the snippet shows 'currentStorageSizeMB: 1024', which is the current storage usage, not a blocked connector. Option C is wrong because the snippet includes 'displayName: Production', but this is just a label; the question asks what can be inferred about the environment configuration, and the blocked connectors are the key inference. Option D is wrong because the snippet shows 'maxStorageMB: 512', which is the storage limit, not a blocked connector; the question specifically targets the blocked connectors inference.

3
MCQ · hard

A global company uses Power Platform and wants to ensure that data residency requirements are met for users in different regions. What should they configure?

A. In the Power Platform admin center, create environments in the appropriate geographic regions (e.g., Europe, United States).
B. Create data loss prevention (DLP) policies to block data movement between regions.
C. Configure Microsoft Entra ID Conditional Access policies to restrict access based on geographic location.
D. Use Microsoft Purview to tag environments with data residency labels.
Answer: A

Environments are created in specific regions to ensure data stays within the required boundary.

Why this answer

Option A is correct because Power Platform environments are the boundary for data storage and compute. By creating environments in specific geographic regions (e.g., Europe, United States) via the Power Platform admin center, the company ensures that all data for that environment resides in the chosen region, meeting data residency requirements. This is the primary mechanism for controlling data location in Power Platform.

Exam trap

The trap here is that candidates confuse data residency (where data is stored) with data protection policies (DLP) or access control (Conditional Access), leading them to select options that manage data movement or access rather than storage location.

How to eliminate wrong answers

Option B is wrong because data loss prevention (DLP) policies control data movement between connectors and services, not the geographic storage location of data; they cannot enforce data residency. Option C is wrong because Microsoft Entra ID Conditional Access policies control user authentication and access based on location, but they do not affect where data is stored or processed. Option D is wrong because Microsoft Purview is used for data governance, classification, and compliance, but it does not have the capability to tag environments with data residency labels or control data storage location.

4
MCQ · hard

Refer to the exhibit. A Power Platform administrator applies this DLP policy to the default environment. What is the result?

A. All connectors are allowed
B. All connectors are blocked
C. The policy applies to all environments
D. Microsoft Teams and Twitter connectors are blocked in the default environment
Answer: D

The blockedConnectors list specifies which connectors are blocked.

Why this answer

The exhibit shows a Data Loss Prevention (DLP) policy configured with Microsoft Teams and Twitter connectors in the 'Blocked' group. Since this policy is applied to the default environment, only those two connectors are blocked in that environment. All other connectors remain in the 'Allowed' group by default, so they are permitted.

Therefore, the correct result is that Microsoft Teams and Twitter connectors are blocked in the default environment.

Exam trap

The trap here is that candidates may assume a DLP policy blocks all connectors or applies globally, when in fact only the connectors explicitly placed in the 'Blocked' group are restricted, and the policy scope is limited to the specified environment.

How to eliminate wrong answers

Option A is wrong because not all connectors are allowed; the policy explicitly blocks Microsoft Teams and Twitter connectors. Option B is wrong because only the two blocked connectors are prohibited, not all connectors. Option C is wrong because the policy is scoped to the default environment only, not to all environments; DLP policies can be applied to specific environments or the entire tenant, but the question states it is applied to the default environment.

5
MCQ · easy

A Power Platform administrator needs to review which users have accessed a specific environment in the last 30 days. What should they use?

A. Power Platform admin center auditing
B. Power Platform PowerShell cmdlets
C. Power Apps maker portal
D. Microsoft 365 admin center
Answer: A

The admin center provides audit logs for user access.

Why this answer

The Power Platform admin center provides built-in auditing capabilities that allow administrators to view user access logs for specific environments. By navigating to the 'Auditing' section within the admin center, an admin can filter by environment and date range (e.g., last 30 days) to see which users have accessed the environment. This is the correct tool because it is purpose-built for Power Platform governance and does not require additional scripting or external tools.

Exam trap

The trap here is that candidates often confuse the Power Platform admin center with the Microsoft 365 admin center, assuming that all administrative tasks for Power Platform are handled in the Microsoft 365 admin center, but environment-specific auditing is exclusive to the Power Platform admin center.

How to eliminate wrong answers

Option B is wrong because Power Platform PowerShell cmdlets can be used to automate environment management tasks, but they do not provide a direct, built-in auditing view of user access logs for a specific environment over the last 30 days; you would need to export and parse audit logs separately. Option C is wrong because the Power Apps maker portal is designed for creating and editing apps, not for administrative auditing of environment access. Option D is wrong because the Microsoft 365 admin center focuses on user and license management across Microsoft 365 services, not on granular Power Platform environment-level access auditing.

6
MCQ · easy

A non-profit organization uses Power Platform to manage donor records. They have a single environment (default). A volunteer accidentally deleted a critical Power App component. The IT coordinator needs to restore the component from a previous version. The environment does not have any backup solution in place. What should the IT coordinator do?

A. Contact Microsoft Support to recover the deleted component.
B. Restore the environment from a backup using the Power Platform Admin Center.
C. Recreate the component manually.
D. Open the app in Power Apps Studio and use the version history feature to restore the previous version.
Answer: D

Version history allows restoring a previous version of the app, including deleted components.

Why this answer

Power Platform includes version history for Power Apps, allowing restoration of previous versions. The coordinator can access the app's version history and restore the component.

7
MCQ · hard

A company uses a Power Platform environment that contains several production apps. They need to ensure that changes to these apps are reviewed and approved before deployment to the production environment. What should they implement?

A. Create data loss prevention (DLP) policies for the production environment.
B. Use managed solutions and Azure DevOps for application lifecycle management (ALM) with deployment gates.
C. Assign the System Administrator role to all developers.
D. Configure Microsoft Purview to audit changes and require approval.
Answer: B

Managed solutions and ALM pipelines with approval gates enforce review and approval before production deployment.

Why this answer

Option B is correct because managed solutions and Azure DevOps with deployment gates provide a structured Application Lifecycle Management (ALM) process. This allows changes to be reviewed, tested, and approved before deployment to a production environment, ensuring governance and control over modifications.

Exam trap

The trap here is that candidates may confuse data governance (DLP) or auditing (Purview) with the deployment approval process, or mistakenly think that granting admin rights to all developers is a valid way to manage changes, rather than recognizing the need for a formal ALM pipeline with approval gates.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies control data flow between connectors and environments, not the review and approval of app changes. Option C is wrong because assigning the System Administrator role to all developers grants excessive permissions, bypassing the need for review and approval, and violates the principle of least privilege. Option D is wrong because Microsoft Purview is a compliance and auditing tool, not a mechanism for enforcing approval workflows on app deployments.

8
MCQ · easy

A company wants to ensure that changes to a Power Platform solution are tracked and can be rolled back if necessary. The development team uses source control. What should the administrator configure to enable solution lifecycle management?

A. Use managed solutions and export to source control
B. Backup the environment daily
C. Share the app with the team
D. Disable sharing to prevent changes
Answer: A

Managed solutions support versioning and deployment pipelines.

Why this answer

Using managed solutions and exporting them to source control enables versioning and rollback. Option B is wrong because backing up the environment is not granular. Option C is wrong because sharing the app does not provide version control. Option D is wrong because disabling sharing does not help with lifecycle management.

9
MCQ · medium

A Power Platform administrator notices that a production environment has exceeded its storage quota. The administrator needs to free up storage without impacting active solutions. Which action should the administrator take first?

A. Analyze storage by entity and delete unused custom tables
B. Increase the storage quota
C. Remove the environment and create a new one
D. Delete all audit logs older than 30 days
Answer: A

This targets specific large tables for cleanup.

Why this answer

Option A is correct because analyzing storage by entity allows the administrator to identify which custom tables consume the most space, and deleting unused custom tables directly frees up storage without affecting active solutions. This is the recommended first step in the Power Platform admin center, as it targets the root cause of storage overage while preserving production functionality.

Exam trap

The trap here is that candidates may assume deleting audit logs is the quickest fix, but the question emphasizes 'without impacting active solutions,' and audit logs are often not the largest storage consumer, making analysis of custom tables the correct first step.

How to eliminate wrong answers

Option B is wrong because increasing the storage quota does not free up existing storage; it only adds capacity, which may incur additional costs and does not resolve the underlying issue of excessive data consumption. Option C is wrong because removing the environment and creating a new one would destroy all solutions, data, and configurations, severely impacting active solutions and causing data loss. Option D is wrong because deleting audit logs older than 30 days may free some storage, but audit logs are typically a small fraction of total storage; this action is not the first step and may not address the primary storage consumer, which is often custom table data.

10
MCQ · easy

You are the Power Platform administrator for your organization. A user reports that they cannot create a new environment. What is the most likely cause?

A. The environment creation feature is disabled in the tenant settings.
B. The user is trying to create a production environment without a valid default environment.
C. The tenant has reached its maximum number of environments.
D. The user does not have the appropriate license or role to create environments.
Answer: D

Users need the Power Platform admin role or appropriate license to create environments.

Why this answer

Option D is correct because creating environments in the Power Platform requires either a Power Apps, Power Automate, or Dynamics 365 license, and the user must be assigned the Environment Admin or Global Admin role. Without the appropriate license or role, the 'New environment' button is disabled, and the user cannot proceed with environment creation.

Exam trap

The trap here is that candidates often assume environment creation is limited by tenant quotas or disabled settings, but the PL-900 exam emphasizes that the most common cause is insufficient licensing or role assignment, not configuration limits.

How to eliminate wrong answers

Option A is wrong because there is no tenant-level setting to disable environment creation; environment creation is controlled by licensing and roles, not a toggle in tenant settings. Option B is wrong because a default environment always exists in a tenant (created automatically for each user), and production environments can be created independently of the default environment. Option C is wrong because the default environment limit per tenant is 3, but this limit can be increased by Microsoft support upon request, and reaching the limit would not prevent creation of a new environment if the user has the correct role and license.

11
MCQ · easy

A small business wants to adopt Power Apps to create a custom inventory management app. They have a single Microsoft 365 Business Basic subscription which includes Power Apps and Power Automate capabilities. The IT manager, who is not a dedicated administrator, needs to set up the environment. They want to ensure that the app's data is stored securely and that only authorized employees can access it. The IT manager plans to create a new environment for the app. What should the IT manager do first to ensure proper governance and security?

A. Purchase additional Power Apps licenses for each user before creating the environment.
B. Use the default environment and configure data loss prevention (DLP) policies to restrict data sharing.
C. Create a trial environment to test the app before deploying to production.
D. Create a new production environment in the Power Platform Admin Center.
Answer: B

The default environment is sufficient; DLP policies help secure data.

Why this answer

Because the organization has a single Microsoft 365 Business Basic subscription, the default environment already exists. Creating a new environment is not necessary and could complicate management. The best course is to use the default environment with appropriate data policies and sharing settings.

12
MCQ · medium

An organization has multiple Power Platform environments. They need to ensure that all environments have consistent DLP policies and that any changes are tracked. What should the administrator implement?

A. Export DLP policies as solutions and import them into each environment
B. Use the Power Platform Center of Excellence (CoE) Starter Kit to manage and monitor policies
C. Enable audit logging in each environment
D. Create environment groups and assign DLP policies to the group
Answer: B

The CoE Starter Kit includes tools for governance and monitoring.

Why this answer

Option B is correct because the Power Platform Center of Excellence (CoE) Starter Kit provides governance and monitoring capabilities. Option A is incorrect because solution export/import does not apply DLP policies. Option C is incorrect because audit logs only track changes, not enforce consistency. Option D is incorrect because environment groups do not enforce DLP consistency.

13
MCQ · medium

A manufacturing company is deploying Microsoft Power Platform for its sales team. The environment must be segregated from production to allow experimentation without affecting live data. The solution must also support automated deployment pipelines. What should the administrator create?

A. A production environment with Dataverse
B. A Dataverse for Teams environment
C. A developer environment
D. A trial environment
Answer: C

Developer environments are isolated and support automated deployment.

Why this answer

A developer environment is designed for isolated development and testing, and it can be used with automated deployment pipelines via solutions. Option A is wrong because a production environment is for live use. Option B is wrong because Dataverse for Teams is limited in scope. Option D is wrong because a trial environment expires.

14
MCQ · easy

An administrator is reviewing an ARM template for deploying a Power Platform environment. Based on the exhibit, what type of environment will be created?

A. Trial environment
B. Developer environment
C. Production environment
D. Sandbox environment
Answer: B

The SKU value is Developer.

Why this answer

Option B is correct because 'environmentSku' is set to 'Developer', indicating a Developer environment. Option A is wrong because Trial is not specified. Option C is wrong because Production is not specified. Option D is wrong because Sandbox is not specified.

15
MCQ · hard

A financial services firm uses Power Platform in a highly regulated environment. They have a production environment that contains sensitive customer data. The compliance officer requires that all changes to apps and flows in production be approved before deployment. The development team uses a separate sandbox environment. The admin needs to implement a change management process that ensures only approved solutions are deployed to production. What should the admin do?

A. Use Power Automate approval flows to send notifications when a change is made.
B. Restrict permissions so only the admin can deploy solutions to production.
C. Enable Managed Environments for the production environment and configure the deployment pipeline with approval gates.
D. Manually review and approve changes by checking version history in the sandbox.
Answer: C

Managed Environments with deployment pipelines enforce approval before deployment.

Why this answer

Managed Environments in Power Platform provide governance rules, including deployment pipelines that require approval before solutions are deployed to production. This meets the compliance requirement.

16
MCQ · easy

A company is implementing Microsoft Power Platform. The administrator needs to prevent users from creating personal productivity environments. What should they configure?

A. Configure a Data Loss Prevention (DLP) policy
B. Set a conditional access policy in Microsoft Entra ID
C. Disable the 'Create personal productivity environments' setting in the Power Platform admin center
D. Reduce the tenant-level environment capacity limits
Answer: C

This setting directly controls whether users can create personal environments.

Why this answer

Option C is correct because the Power Platform admin center includes a tenant-wide setting specifically named 'Create personal productivity environments' that, when disabled, prevents users from creating their own personal environments. This setting directly controls the ability to create environments for personal productivity, which is distinct from other environment creation permissions.

Exam trap

The trap here is that candidates may confuse environment creation controls with capacity limits or security policies, but the PL-900 exam specifically tests the knowledge that a dedicated admin setting exists for disabling personal productivity environments.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) policy controls data movement between connectors and services, not the ability to create environments. Option B is wrong because a conditional access policy in Microsoft Entra ID governs authentication and access to applications, not environment creation within Power Platform. Option D is wrong because reducing tenant-level environment capacity limits restricts the total storage or number of environments but does not specifically prevent users from creating personal productivity environments; users could still create them until capacity is exhausted.

17
MCQ · easy

A Power Platform administrator wants to delegate the responsibility of managing environments to regional leads without granting them full admin privileges. Which role should the administrator assign?

A. Environment Admin role.
B. Dynamics 365 Administrator role.
C. System Customizer role.
D. Power Platform Administrator role.
Answer: A

This role provides full management of a specific environment.

Why this answer

The Environment Admin role allows a user to manage all aspects of a specific environment, including security and settings, without tenant-wide privileges. Option B is incorrect because Dynamics 365 Administrator is broader and not specific to Power Platform environments. Option C is incorrect because System Customizer only customizes, not manages. Option D is incorrect because Power Platform Administrator is a tenant-wide role.

18
MCQ · easy

A company has a Power Platform environment that contains several unmanaged solutions. The administrator wants to promote a solution to production. Which action should the administrator take to ensure the solution can be deployed to other environments?

A. Export the solution as a managed solution
B. Use the 'Backup' feature in the admin center
C. Apply a solution patch and export it
D. Clone the solution and export as unmanaged
Answer: A

Managed solutions are designed for deployment to other environments.

Why this answer

Exporting a solution as a managed solution is the correct action because managed solutions are designed for deployment to production and other non-development environments. They prevent direct customization of components, enforce solution layering, and allow for proper lifecycle management, including upgrades and patching. Unmanaged solutions, by contrast, are intended for development and cannot be reliably deployed to production without breaking the component ownership model.

Exam trap

The trap here is that candidates confuse the 'Backup' feature with solution deployment, or assume that exporting as unmanaged is acceptable for production because it preserves all components, but they overlook the critical requirement for managed solutions to enforce lifecycle control and prevent direct customization.

How to eliminate wrong answers

Option B is wrong because the 'Backup' feature in the admin center creates a full environment backup, not a portable solution package; it cannot be selectively deployed to another environment and does not support solution lifecycle management. Option C is wrong because applying a solution patch and exporting it creates a patch that depends on the parent managed solution; patches are intended for minor updates to an already-deployed managed solution, not for initial deployment to production. Option D is wrong because cloning a solution and exporting it as unmanaged preserves the unmanaged state, which allows direct customization in the target environment, breaking the managed solution deployment model and causing future upgrade conflicts.

19
MCQ · easy

A company is implementing Microsoft Power Platform and needs to ensure that only licensed users can create environments. Which setting should be enabled?

A. Enable 'Create database' in the tenant settings
B. Enable 'Create solutions' in the Power Platform admin center
C. Enable 'Create environments' in the Power Platform admin center tenant settings
D. Enable 'Create apps' in the Power Platform admin center
Answer: C

This setting controls whether users can create environments.

Why this answer

Option C is correct because the 'Create environments' setting in the Power Platform admin center tenant settings is the specific control that restricts environment creation to licensed users only. By default, this setting is enabled for all users, but administrators can disable it to limit creation to users with a Power Platform license (e.g., Power Apps per user plan, Power Automate per user plan, or Dynamics 365 licenses). This ensures compliance with licensing requirements and prevents unlicensed users from consuming capacity.

Exam trap

The trap here is that candidates confuse environment-level permissions (like 'Create database' or 'Create apps') with the tenant-level setting that controls environment creation, leading them to select a granular permission that does not address the licensing requirement.

How to eliminate wrong answers

Option A is wrong because 'Create database' is a setting within a specific environment (not tenant-wide) that controls whether users can add a Dataverse database to an existing environment; it does not govern who can create new environments. Option B is wrong because 'Create solutions' is a permission related to building and managing solutions within an environment, not a tenant-level setting for environment creation. Option D is wrong because 'Create apps' is a permission that controls the ability to create canvas or model-driven apps within an environment, not the ability to provision new environments.

20
MCQ · hard

A company has multiple Power Platform environments. The administrator notices that a production environment is running low on storage. The administrator needs to free up space without disrupting active users. What should the administrator do FIRST?

A. Delete old audit logs
B. Disable unused plugins
C. Identify large or unused solutions and remove them
D. Add more storage to the environment
Answer: C

Removing unused solutions frees storage without disrupting active users.

Why this answer

Identifying large or unused solutions helps target cleanup. Option A is wrong because deleting audit logs may not free significant space. Option B is wrong because disabling plugins may break functionality. Option D is wrong because adding storage is a cost, not cleanup.

21
MCQ · hard

An organization has multiple Power Platform environments. The administrator needs to move a solution from a development environment to a production environment. The solution includes custom connectors and environment variables. What is the correct process?

A. Copy the entire development environment to production
B. Export an unmanaged solution from development and import it into production
C. Manually re-create all components in production
D. Export a managed solution from development and import it into production
Answer: D

Managed solutions are the standard for deploying between environments.

Why this answer

Option D is correct because managed solutions are the standard mechanism for deploying customizations (including custom connectors and environment variables) from a development environment to a production environment. Exporting a managed solution from development and importing it into production ensures that components are packaged as a single, deployable unit, and it prevents accidental modifications in production by making the solution layers read-only after import.

Exam trap

The trap here is that candidates often confuse unmanaged and managed solutions, mistakenly thinking that exporting an unmanaged solution (Option B) is acceptable for production deployment, when in fact only managed solutions enforce the intended lifecycle and prevent unauthorized edits in production.

How to eliminate wrong answers

Option A is wrong because copying the entire development environment to production would overwrite production data and configurations, and it is not a supported method for solution deployment—Power Platform does not allow direct environment cloning for production use. Option B is wrong because exporting an unmanaged solution from development and importing it into production would leave all components editable in production, which violates change management best practices and can lead to configuration drift; unmanaged solutions are intended for development work, not production deployment. Option C is wrong because manually re-creating all components in production is error-prone, time-consuming, and defeats the purpose of using solutions for lifecycle management; it also introduces a high risk of inconsistencies between environments.

22
MCQ · medium

A company uses Power BI to visualize sales data from Dynamics 365 Sales. A new policy requires that all data must be stored in the US region only. The Power BI tenant is currently in the default region (home region). What should the admin do to comply with the policy?

A. Change the Microsoft Entra ID location to US
B. Apply a data classification label to restrict storage
C. Set the workspace region to US in Power BI settings
D. Provision Power BI Premium capacity in the US region
Answer: D

Premium capacity can be assigned to a specific region, enforcing data residency.

Why this answer

Option D is correct because Power BI Premium capacity can be assigned to a specific region, ensuring data residency. Option A is wrong because Microsoft Entra ID region does not control Power BI data storage. Option B is wrong because data classification labels do not enforce physical data location. Option C is wrong because Power BI service itself does not allow per-workspace region selection without Premium.

23
MCQ · hard

A Power Platform administrator needs to ensure that only users from specific Microsoft Entra ID security groups can access a production environment. The solution must automatically update membership when the Entra ID group is modified. Which approach should the administrator use?

A. Use PowerShell cmdlets to assign the Entra ID group as an environment user
B. Add users individually to the environment's role assignments
C. In Power Platform Admin Center, add the Entra ID group as a security group for the environment
D. Share the environment with the Entra ID group using the 'Share' button
Answer: C

Group-based access control automatically syncs membership changes.

Why this answer

Option C is correct because the Power Platform Admin Center allows an administrator to link a Microsoft Entra ID security group directly to a production environment. When the group is added as a security group for the environment, membership is automatically synchronized with the Entra ID group, so any changes to the group (additions or removals) are reflected in the environment without manual intervention.

Exam trap

The trap here is that candidates often confuse sharing an environment (which is not a supported operation) with sharing individual apps or resources, or they assume that adding a group as a user via PowerShell will automatically sync membership, when in fact only the security group assignment in the Admin Center provides automatic synchronization.

How to eliminate wrong answers

Option A is wrong because PowerShell cmdlets can assign an Entra ID group as an environment user, but this does not automatically update membership when the group is modified; it only adds the group as a user at a point in time. Option B is wrong because adding users individually to role assignments is manual and does not scale or automatically synchronize with Entra ID group changes. Option D is wrong because the 'Share' button is used for sharing canvas apps or other resources with specific users or groups, not for managing environment-level access or security group membership.

24
MCQ · hard

Refer to the exhibit. The environment 'Contoso Production' was created on January 15, 2023. You need to restore this environment to a state from January 20, 2023. What is the first step you must take?

A. Enable point-in-time restore in the environment settings.
B. Check if a backup from January 20, 2023, exists in the environment's backup list.
C. Convert the environment to a sandbox environment.
D. Copy the environment to a new environment using the date parameter.
Answer: B

You need to verify backup availability before restoring.

Why this answer

Option B is correct because the first step in restoring a Power Platform environment to a specific past date is to verify that a backup exists for that date. Microsoft Power Platform automatically creates daily backups for production environments, but you must check the backup list to confirm that a backup from January 20, 2023, is available before proceeding with the restore operation.

Exam trap

The trap here is that candidates might assume point-in-time restore must be enabled first (Option A), but in reality, it is automatically available for production environments, and the critical first step is verifying backup availability.

How to eliminate wrong answers

Option A is wrong because point-in-time restore is not a configurable setting in environment settings; it is a feature that is automatically enabled for production environments, and you do not need to enable it manually. Option C is wrong because converting the environment to a sandbox is not required for restoring from a backup; sandbox environments have different backup retention policies and are not necessary for this operation. Option D is wrong because copying the environment with a date parameter is not a supported method for restoring to a specific point in time; the correct approach is to use the 'Restore' operation from an existing backup.

25
Multi-Select · medium

A Power Platform administrator needs to monitor usage and performance of environments. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Enable capacity alerts for storage
B. Enable audit logging in Microsoft Purview compliance portal
C. Set up Microsoft Defender XDR for Power Platform
D. Configure DLP policies to block high-risk connectors
E. Use the Power Platform admin analytics center to view usage reports
Answers: B, E

Audit logs track user actions and changes.

Why this answer

Option B is correct because enabling audit logging in the Microsoft Purview compliance portal captures user and admin activities across Power Platform environments, which is essential for monitoring usage and performance. Audit logs provide a detailed record of events such as environment creation, solution imports, and data access, enabling administrators to track changes and diagnose performance issues. This aligns with the requirement to monitor usage and performance, as audit data can be analyzed to identify patterns and anomalies.

Exam trap

The trap here is that candidates often confuse monitoring usage and performance with security or governance actions, such as enabling Defender XDR or configuring DLP policies, which serve different purposes and do not provide the usage analytics required.

26
MCQ · medium

Refer to the exhibit.

    {
      "name": "Environment Usage Report",
      "type": "Power BI report",
      "dataset": {
        "name": "Power Platform Admin View",
        "tables": [
          {
            "name": "Environments",
            "columns": [
              { "name": "EnvironmentName", "dataType": "string" },
              { "name": "TotalActiveUsers", "dataType": "int" },
              { "name": "TotalAppUsage", "dataType": "int" },
              { "name": "TotalFlowRuns", "dataType": "int" }
            ]
          }
        ]
      }
    }

An admin runs a report to see total active users per environment. The report shows zero active users for a production environment that is actively used. What is the most likely reason?

A. The environment is not included in the Power Platform Admin View dataset
B. The report uses a canvas app connector that is blocked
C. The TotalActiveUsers column is missing from the dataset
D. The admin does not have permission to view the dataset
Answer: A

The Admin View dataset only includes environments that are explicitly added to the admin view.

Why this answer

Option B is correct because the Power Platform Admin View dataset may not include the production environment if it is not an admin-managed environment (e.g., default environment). Option A is wrong because the dataset uses the Admin View, which is designed for admin analytics. Option C is wrong because the report is a Power BI report, not a canvas app.

Option D is wrong because the columns are present in the dataset.

27
MCQ · easy

Refer to the exhibit. You run the Azure CLI command to create a DLP policy. The command fails with an error that the resource type is invalid. What is the most likely cause?

A. The --location parameter should be 'global' instead of 'eastus'.
B. The --name parameter is missing the policy prefix.
C. The resource type should be 'Microsoft.PowerPlatform/dlpPolicies'.
D. The --properties parameter should reference a URL instead of a file.
Answer: C

The correct resource type is 'dlpPolicies'.

Why this answer

The Azure CLI command for creating a DLP policy in Power Platform requires the correct resource type identifier. The error 'resource type is invalid' indicates that the resource type specified in the command does not match the expected Azure Resource Manager (ARM) resource type. The correct resource type for Power Platform DLP policies is 'Microsoft.PowerPlatform/dlpPolicies', not a generic or incorrect type like 'Microsoft.PowerPlatform/dlpPolicies' (note the exact casing and spelling).

Option C correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates may confuse the resource type for DLP policies with other Power Platform resource types (e.g., 'Microsoft.PowerPlatform/enterprisePolicies') or assume the error is due to location or naming conventions, when the actual issue is the exact ARM resource type string.

How to eliminate wrong answers

Option A is wrong because the --location parameter for a Power Platform DLP policy should be set to the geographic region where the policy is stored (e.g., 'eastus'), not 'global'; DLP policies are tenant-level resources but are associated with a specific region in Azure. Option B is wrong because DLP policy names do not require a specific prefix; the --name parameter can be any valid string, and the error is about the resource type, not the naming convention. Option D is wrong because the --properties parameter for a DLP policy expects a JSON file containing the policy definition, not a URL; referencing a URL would cause a different error related to file path or content retrieval.

28
Multi-Select · medium

Which TWO settings can you configure in a Power Platform environment to control data loss prevention?

Select 2 answers
A. Connector sharing settings
B. Environment security roles
C. Audit logging configuration
D. Default action for connectors
E. Environment-specific DLP policies
Answers: D, E

The default action (block or allow) is a DLP setting.

Why this answer

Option D is correct because the 'Default action for connectors' setting in a Power Platform environment allows administrators to define the default behavior (e.g., Block, Allow, or Audit) for connectors that are not explicitly covered by a DLP policy. This setting directly controls data loss prevention by preventing data from being shared with unmanaged or risky connectors. Option E is correct because environment-specific DLP policies enable granular control over which connectors can be used together, preventing data from flowing between business and non-business connectors within that environment.

Exam trap

The trap here is that candidates often confuse 'connector sharing settings' (which control access and sharing permissions) with DLP policies (which control data flow and connector grouping), leading them to incorrectly select Option A.

29
MCQ · medium

Refer to the exhibit. A Power Platform administrator is reviewing a JSON export of an environment configuration. Which statement is true based on the exhibit?

A. The environment was created from a trial
B. The environment uses French language
C. Security groups are assigned to the environment
D. The environment is a sandbox environment
Answer: C

The JSON includes securityGroups with ids and roles.

Why this answer

Option C is correct because the JSON export includes a 'securityGroups' property with an array of group IDs, indicating that one or more Microsoft Entra ID (formerly Azure AD) security groups are explicitly linked to the environment. This configuration restricts environment access to members of those security groups, which is a common practice for controlling access in production or shared environments.

Exam trap

The trap here is that candidates often assume an environment is a trial or sandbox based on the presence of security groups or a non-English language setting, but the JSON explicitly shows 'language': 'en-us' and 'environmentType': 'Production', which directly disproves those assumptions.

How to eliminate wrong answers

Option A is wrong because the JSON does not contain a 'trial' property or any indicator such as 'environmentType': 'Trial' — trial environments are typically marked with a specific type or expiration date, which is absent here. Option B is wrong because the JSON shows 'language': 'en-us' (English - United States), not French (fr-fr), so the environment uses English, not French. Option D is wrong because the JSON includes 'environmentType': 'Production' (or lacks a 'Sandbox' designation), and sandbox environments are explicitly marked with 'environmentType': 'Sandbox' or a similar property; this environment is not a sandbox.

30
MCQ · easy

A company wants to allow users to build Power Apps and Power Automate flows using prebuilt templates and connectors, but without the ability to create custom connectors or access the Dataverse. Which environment type should be assigned to these users?

A. Developer environment
B. Dataverse for Teams environment
C. Production environment with Dataverse
D. Default environment
Answer: B

This environment restricts custom connectors and Dataverse customization.

Why this answer

A Dataverse for Teams environment provides basic capabilities with templates and standard connectors, but restricts custom connectors and Dataverse customization. Option A is wrong because a production environment with Dataverse gives full access. Option B is wrong because a developer environment is for development.

Option D is wrong because a default environment is similar to production.

31
MCQ · easy

A company wants to grant a user the ability to manage environments in Power Platform, including creating and deleting environments, but without full tenant admin access. Which role should be assigned?

A. Global Administrator
B. Environment Admin
C. Power Platform Administrator
D. System Administrator
Answer: B

This role allows managing environments, including creating and deleting them.

Why this answer

Option A is correct because the Environment Admin role allows managing environments within the tenant. Option B is wrong because System Administrator is a Dataverse role, not for environment management. Option C is wrong because Power Platform Admin has broader tenant-level permissions.

Option D is wrong because Global Admin has full access to all services.

32
MCQ · medium

A company uses Power Automate flows that connect to SharePoint and Microsoft Entra ID. The administrator needs to ensure that the flows can access data only from approved data sources. What should the administrator configure?

A. Define SharePoint site permissions for the flows
B. Create a Data Loss Prevention (DLP) policy that restricts connectors to approved data sources
C. Configure data policies in Power Apps settings
D. Set connector sharing permissions to limit access
Answer: B

DLP policies control which connectors can be used together and with what endpoints.

Why this answer

Data Loss Prevention (DLP) policies in the Power Platform allow administrators to control which connectors can be used together in flows and apps, effectively restricting flows to approved data sources like SharePoint and Microsoft Entra ID. By classifying connectors as Business or Non-Business, DLP policies prevent unauthorized data sharing between environments, which directly addresses the requirement to limit data access to approved sources.

Exam trap

The trap here is that candidates often confuse DLP policies with SharePoint permissions or connector sharing, thinking that restricting user access to SharePoint sites is sufficient to control flow data sources, when in fact DLP policies are the only mechanism that can restrict which connectors a flow can use at the environment level.

How to eliminate wrong answers

Option A is wrong because SharePoint site permissions control user access to SharePoint content, not the data sources that Power Automate flows can connect to; flows run under their own service principal or user context and are not governed by site-level permissions alone. Option C is wrong because data policies in Power Apps settings are a legacy concept that has been replaced by the unified DLP policy management in the Power Platform admin center, and they do not provide the granular connector-level restriction needed for flows. Option D is wrong because connector sharing permissions control which users or groups can use a specific connector instance, not which data sources (connectors) are allowed or blocked across the entire environment.

33
Multi-Select · medium

Which TWO actions can an administrator perform in the Power Platform admin center to manage environments?

Select 2 answers
A. Assign security roles to users within an environment.
B. Configure SharePoint site permissions.
C. Create and delete environments.
D. Manage Power BI Premium capacity.
E. Configure Microsoft Entra ID Conditional Access policies.
Answers: A, C

Security roles are managed per environment in the Power Platform admin center.

Why this answer

Option A is correct because the Power Platform admin center allows administrators to assign security roles to users within an environment, controlling their access to resources like apps, flows, and data. This is a core administrative task for managing environment-level permissions. Option C is correct because creating and deleting environments is a fundamental capability of the Power Platform admin center, enabling administrators to provision and remove isolated workspaces for development, testing, or production.

Exam trap

The trap here is that candidates may confuse the Power Platform admin center with other Microsoft 365 admin centers, mistakenly thinking tasks like SharePoint permissions or Power BI capacity management are handled within the same interface.

34
Multi-Select · easy

Which TWO are valid ways to distribute a Power App to end users? (Select 2)

Select 2 answers
A. Add the app to Microsoft Teams
B. Email the app as an attachment
C. Share the app directly with users or groups
D. Export the app and send it as a .msapp file
E. Publish the app to Microsoft AppSource
Answers: A, C

Apps can be added to Teams for easy access.

Why this answer

Option A is correct because Power Apps can be added directly to Microsoft Teams as a tab or personal app, allowing end users to access the app within the Teams interface without leaving the collaboration environment. This leverages the Teams integration capabilities of Power Apps, which uses the Teams manifest and the Power Apps app for Teams to provide seamless access.

Exam trap

The trap here is that candidates often confuse exporting a .msapp file (a developer artifact) with a distribution method, or think emailing an app as an attachment is possible, when in reality Power Apps must be shared through the platform's sharing mechanism or embedded in a supported host like Teams or SharePoint.

35
MCQ · easy

A university uses Power Apps for student registration. The app is built on Dataverse and shared with all students. Recently, a student reported that they cannot access the app and receive an error that they do not have permission. The app was working earlier. The admin checks the environment and finds that the app's sharing settings have been changed. The admin needs to restore access for all students quickly. What should the admin do?

A. Contact Microsoft Support to restore the previous sharing settings.
B. Assign the 'Environment Maker' role to all students.
C. Re-create the app from a backup.
D. Share the app with the 'All Students' security group in the Power Apps maker portal.
Answer: D

This restores access for all students immediately.

Why this answer

The admin can share the app again with the appropriate security group (e.g., All Students) in the Power Apps maker portal. This is the fastest way to restore access.

36
MCQ · easy

You need to grant a user the ability to manage environments in the Power Platform admin center, but not to manage other aspects of the tenant. Which role should you assign?

A. Environment administrator
B. Global administrator
C. Power Platform administrator
D. Dynamics 365 administrator
Answer: C

Power Platform admin can manage all environments and settings.

Why this answer

The Power Platform administrator role grants full administrative access to Power Platform environments, including the ability to manage environments in the admin center, without granting broader tenant-level permissions like user management or directory settings. This role is scoped specifically to Power Platform resources, making it the correct choice for the described requirement.

Exam trap

The trap here is that candidates often confuse the Power Platform administrator role with the Environment administrator role, mistakenly thinking the latter can manage all environments when it is actually limited to a single environment.

How to eliminate wrong answers

Option A is wrong because the Environment administrator role is scoped to a single environment and cannot manage environments across the tenant in the Power Platform admin center. Option B is wrong because the Global administrator role has unrestricted access to all tenant settings, including user management and security, which exceeds the requirement to only manage environments. Option D is wrong because the Dynamics 365 administrator role is primarily focused on Dynamics 365 instances and settings, not on managing Power Platform environments broadly.

37
MCQ · hard

Refer to the exhibit.

    Get-MgDirectoryRole | Where-Object {$_.DisplayName -eq "Power Platform Administrator"} | Select-Object Id

An admin runs this Microsoft Graph PowerShell command and gets no output. What does this indicate?

A. The admin does not have permission to run the command
B. The Power Platform Administrator role is not activated in the tenant
C. There are no directory roles in the tenant
D. The command syntax is incorrect
Answer: B

The role must be activated (assigned to someone) to appear in Get-MgDirectoryRole.

Why this answer

Option B is correct because the command filters for a role with DisplayName exactly 'Power Platform Administrator', but the actual role name is 'Power Platform Administrator' (case-sensitive). If the command returns no output, the role may not be activated in the tenant. Option A is wrong because no output means no matching role found, not that the admin lacks permissions.

Option C is wrong because no output does not indicate no roles exist; it indicates no matching role. Option D is wrong because the command is valid PowerShell.

38
Multi-Select · hard

A company is migrating a complex Power Apps solution from a development environment to production. The solution includes custom connectors, flows, and Dataverse tables. Which THREE steps should the administrator take to ensure a successful migration?

Select 3 answers
A. Test the solution in a staging environment first
B. Delete the development environment after export
C. Export the solution as a managed solution
D. Manually recreate the solution in production
E. Run the solution checker to identify issues
Answers: A, C, E

Staging allows validation without affecting production.

Why this answer

Exporting as managed solution, using solution checker, and testing in a staging environment are essential steps. Option D is wrong because manually recreating is error-prone. Option E is wrong because deleting the development environment after export is risky.

39
Multi-Select · hard

Which TWO actions can a Power Platform administrator perform in the Power Platform Admin Center to manage environments?

Select 2 answers
A. Increase the storage limit of an environment
B. Change an environment from production to sandbox
C. Add a custom connector to an environment
D. Backup an environment
E. Copy an environment
Answers: D, E

You can back up environments in the admin center.

Why this answer

Option D is correct because the Power Platform Admin Center provides a built-in backup feature that allows administrators to create manual backups of environments. This is essential for disaster recovery and data preservation before making significant changes. Backups can be triggered on-demand and are stored for a limited retention period.

Exam trap

The trap here is that candidates may confuse environment-level administrative actions (like backup and copy) with development or configuration tasks (like adding custom connectors or changing environment types), which are not available in the Power Platform Admin Center.

40
MCQ · hard

Your organization uses Power Platform environments for development, test, and production. A developer accidentally deleted a managed solution from the production environment. You need to restore the solution without affecting other components. What should you do?

A. Reimport the solution from the source-controlled repository using Azure DevOps.
B. Use the Power Platform admin center to recover the solution from the recycle bin.
C. Restore the environment from a backup taken before the deletion.
D. Reimport the managed solution from a backup file.
Answer: C

Environment restore brings back the entire environment to a previous state.

Why this answer

The correct answer is C because restoring the environment to a previous point in time using backup/restore will bring back the solution and all other components as they were. Option A is incorrect because reimporting the solution may cause data loss or conflicts. Option B is incorrect because solutions cannot be recovered from the recycle bin.

Option D is incorrect because solutions cannot be recovered from the source-controlled repository automatically; you would need to deploy again, which may cause issues.

41
MCQ · easy

A manufacturing company uses Power Automate flows to process inventory updates. The flows use standard connectors. The company needs to ensure that the flows can be run by users in their own context without requiring the flow owner's credentials. Which authentication type should be used for the connections?

A. Owner-provided credentials
B. User-provided credentials
C. Anonymous authentication
D. Service principal authentication
Answer: B

This allows each user to authenticate with their own identity, enabling context-based execution.

Why this answer

User-provided credentials (option B) are correct because they allow each user who runs the flow to authenticate with their own identity, enabling the flow to execute in the user's context without requiring the flow owner's credentials. This is essential when flows are shared with multiple users and need to respect individual permissions and data access.

Exam trap

The trap here is that candidates often confuse 'owner-provided credentials' with the default behavior of shared flows, not realizing that user-provided credentials are required to run flows in each user's own context rather than the owner's context.

How to eliminate wrong answers

Option A is wrong because owner-provided credentials would force all users to run the flow under the flow owner's identity, which violates the requirement that users run flows in their own context and introduces security risks. Option C is wrong because anonymous authentication is not supported for standard connectors in Power Automate; all connectors require some form of authenticated identity. Option D is wrong because service principal authentication is used for server-to-server or automated scenarios, not for flows triggered or run by individual users in their own context.

42
MCQ · medium

An organization uses Power Automate flows that connect to Microsoft Dataverse. The flows need to run under a service account with specific permissions. What is the best practice to manage the connection?

A. Use the flow owner's credentials and share the flow with the service account
B. Create a connection reference that uses the service account's connection
C. Create a service account connection type in the Power Platform admin center
D. Hardcode the service account credentials in the flow
Answer: B

Connection references allow managing connections centrally.

Why this answer

Connection references decouple the connection details from the flow definition, allowing you to configure a service account's connection once and reuse it across multiple flows. When you create a connection reference and set it to use a service account's connection (e.g., a pre-created Dataverse connection authenticated with the service account), the flow runs under that account's permissions without exposing credentials or requiring the flow owner to share their identity. This is the recommended pattern for service principal or application user scenarios in Power Automate.

Exam trap

The trap here is that candidates confuse 'sharing a flow' with 'changing the runtime identity,' assuming that sharing with a service account grants it execution permissions, when in reality the flow always runs under the connection owner's identity unless a connection reference is used to swap the connection.

How to eliminate wrong answers

Option A is wrong because sharing a flow with a service account does not change the runtime identity; the flow still executes under the original owner's credentials, not the service account's permissions. Option C is wrong because there is no 'service account connection type' in the Power Platform admin center; connection types are defined by connectors, not created in the admin center. Option D is wrong because hardcoding credentials violates security best practices, exposes secrets in plaintext, and breaks when passwords rotate or policies change.

43
MCQ · easy

A company is deploying Microsoft Power Platform across multiple departments. They want to ensure that only licensed users can create environments. What should they configure?

A. In the Power Platform admin center, assign the Environment Maker security role to specific users.
B. Disable environment creation for all users in the Microsoft 365 admin center.
C. Use Microsoft Entra ID roles to control environment creation permissions.
D. Configure the Dynamics 365 admin center to restrict environment creation to administrators only.
Answer: A

The Environment Maker role allows users to create environments; this is configured in the Power Platform admin center.

Why this answer

Option A is correct because the Environment Maker security role in the Power Platform admin center is the specific permission that allows users to create environments. By assigning this role to licensed users, administrators can control who has the ability to create new environments, ensuring only authorized individuals can do so. This is the standard method for managing environment creation permissions within Power Platform.

Exam trap

The trap here is that candidates may confuse the Environment Maker role with other roles like System Administrator or Global Administrator, or think that environment creation can be controlled through Microsoft Entra ID or the Microsoft 365 admin center, when in fact it is a Power Platform-specific permission managed in the Power Platform admin center.

How to eliminate wrong answers

Option B is wrong because disabling environment creation in the Microsoft 365 admin center does not exist; environment creation permissions are managed within the Power Platform admin center, not the Microsoft 365 admin center. Option C is wrong because Microsoft Entra ID roles do not directly control environment creation permissions in Power Platform; they manage broader identity and access management, but environment creation is governed by Power Platform-specific roles. Option D is wrong because the Dynamics 365 admin center is used for managing Dynamics 365 applications, not for controlling environment creation permissions across Power Platform; environment creation is managed in the Power Platform admin center.

44
MCQ · medium

Your organization has a Power Platform environment that contains several canvas apps and flows. You need to ensure that only users from your Microsoft Entra ID tenant can access the environment. What should you configure?

A. Assign a security group to the environment in the Power Platform admin center.
B. Change the environment URL to include the tenant name.
C. Modify the tenant-level environment creation settings.
D. Configure a data loss prevention (DLP) policy for the environment.
Answer: A

Security group assignment restricts environment access to group members.

Why this answer

Assigning a security group to the environment in the Power Platform admin center restricts access to only members of that group, who must be from your Microsoft Entra ID tenant. This ensures that only authenticated users within your tenant can access the environment, effectively blocking external users.

Exam trap

The trap here is that candidates often confuse environment creation settings (Option C) with environment access control, not realizing that creation settings only affect who can provision new environments, not who can use an existing one.

How to eliminate wrong answers

Option B is wrong because changing the environment URL to include the tenant name does not enforce access control; it only modifies the URL format and does not prevent external users from accessing the environment. Option C is wrong because tenant-level environment creation settings control who can create environments, not who can access an existing environment. Option D is wrong because a data loss prevention (DLP) policy governs data sharing and connector usage, not user authentication or tenant-level access restrictions.

45
Multi-Selectmedium

An administrator is planning the environment strategy for a large enterprise. Which TWO considerations should the administrator include to ensure proper governance?

Select 2 answers
A.Use only the default environment to simplify management
B.Establish environment naming conventions
C.Disable environment monitoring to reduce overhead
D.Implement data loss prevention (DLP) policies
E.Allow all connectors to maximize flexibility
AnswersB, D

Naming conventions help organize environments.

Why this answer

Environment naming conventions and DLP policies are key governance considerations. Option A is wrong because using only the default environment is not recommended for governance. Option C is wrong because disabling monitoring is counterproductive. Option E is wrong because allowing all connectors is not secure.

46
Multi-Selectmedium

Which THREE are valid components of a Microsoft Power Platform environment?

Select 3 answers
A.Custom connector
B.Dataverse database
C.Power BI workspace
D.Microsoft 365 Group
E.Power Automate flow
AnswersA, B, E

Custom connectors are stored in environments.

Why this answer

A custom connector is a valid component of a Microsoft Power Platform environment because it allows you to extend the platform by creating your own API connectors to external services. Custom connectors are stored and managed within an environment, enabling makers to build apps and flows that interact with systems not covered by out-of-the-box connectors.

Exam trap

The trap here is that candidates confuse shared Microsoft 365 resources (like Groups or Power BI workspaces) with Power Platform environment components, but only items directly managed within the environment's scope—such as custom connectors, Dataverse databases, and Power Automate flows—are valid components.

47
MCQmedium

A company wants to restrict the ability to create Power Apps and Power Automate flows in the default environment to only a specific security group. What is the recommended approach?

A.Create a DLP policy that blocks creation of apps and flows.
B.Assign the security group to the Environment Maker role for the default environment.
C.Disable the default environment and create a new one with restricted access.
D.Remove the Environment Maker role from all users and add the security group as co-admins.
AnswerB

The Environment Maker role can be scoped to a specific environment and assigned to a security group.

Why this answer

Option B is correct because the default environment can be restricted by assigning the security group to the Environment Maker role. Option A is wrong because DLP does not control creation. Option C is wrong because disabling the default environment is not possible. Option D is wrong because the maker role applies to all environments unless scoped.

48
Multi-Selecteasy

Which TWO are valid ways to access the Power Platform admin center? (Choose two.)

Select 2 answers
A.Through the Power Apps maker portal under 'Admin'
B.Through the Microsoft Entra admin center under 'Power Platform'
C.Through the Microsoft 365 admin center under 'All admin centers'
D.Navigating to https://admin.powerplatform.com
E.Through the Azure portal under 'Power Platform'
AnswersC, D

The Power Platform admin center is listed among other admin centers.

Why this answer

Option C is correct because the Microsoft 365 admin center includes a link to 'All admin centers,' which provides direct access to the Power Platform admin center. Option D is correct because the Power Platform admin center can be accessed directly via its dedicated URL, https://admin.powerplatform.com, which is the primary entry point for managing environments, data policies, and settings.

Exam trap

The trap here is that candidates may confuse the Power Apps maker portal's 'Admin center' link (which is a valid access method) with a non-existent 'Admin' tab, or assume that the Azure portal or Entra admin center includes Power Platform administration, when in fact only the dedicated URL and the Microsoft 365 admin center's 'All admin centers' list are correct.

49
MCQhard

An administrator notices that a Power Apps environment has exceeded its Dataverse storage capacity. The company wants to free up storage without losing data. Which action should the administrator take first?

A.Delete unused apps and flows from the environment
B.Purchase additional Dataverse storage capacity
C.Archive old flows to reduce storage usage
D.Run the storage capacity analysis in Power Platform Admin Center
AnswerD

This identifies what is consuming storage, allowing targeted cleanup.

Why this answer

Option D is correct because the first step when addressing Dataverse storage capacity issues is to run the storage capacity analysis in the Power Platform Admin Center. This analysis provides a detailed breakdown of storage usage by entity, environment, and solution, enabling the administrator to identify the largest consumers and take targeted actions to free up space without data loss. Deleting apps or flows (Option A) does not reclaim Dataverse storage, as these items consume minimal storage compared to data tables.

Exam trap

The trap here is that candidates confuse 'freeing up storage' with deleting apps or flows, not realizing that Dataverse storage is dominated by data rows and files, not solution components.

How to eliminate wrong answers

Option A is wrong because deleting unused apps and flows frees up only solution-related metadata, not the actual Dataverse data (rows, files, logs) that consume the bulk of storage capacity. Option B is wrong because purchasing additional storage is a reactive cost-incurring measure, not the first diagnostic step; the administrator should first analyze usage to see if existing storage can be optimized. Option C is wrong because archiving old flows does not reduce Dataverse storage—flows themselves store minimal data, and archiving only affects flow run history, not database or file storage.

50
MCQeasy

A company wants to allow external partners to access a Power Apps portal without requiring a Microsoft Entra ID account. What should the administrator configure?

A.Create Microsoft Entra ID guest accounts for each partner
B.Configure the portal to use local authentication with username and password
C.Share the Power Apps app directly with the partners
D.Enable Microsoft Entra ID B2B collaboration and invite partners
AnswerB

Power Apps portals support local authentication for external users without Microsoft Entra ID.

Why this answer

Option B is correct because Power Apps portals support local authentication, which allows external users to sign up and sign in using a username and password without requiring a Microsoft Entra ID account. This is the appropriate method when the goal is to grant access to partners who do not have or need Microsoft Entra ID credentials.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID B2B collaboration (which still requires an external identity provider) with the ability to have completely independent local accounts, leading them to select option D instead of B.

How to eliminate wrong answers

Option A is wrong because creating Microsoft Entra ID guest accounts still requires each partner to have or create a Microsoft Entra ID identity, which contradicts the requirement of not requiring a Microsoft Entra ID account. Option C is wrong because sharing a Power Apps app directly with partners is designed for internal users with Microsoft Entra ID accounts and does not provide external portal access without authentication. Option D is wrong because Microsoft Entra ID B2B collaboration requires partners to have an existing Microsoft Entra ID or Microsoft account, which again does not meet the requirement of no Microsoft Entra ID account.

51
MCQmedium

Refer to the exhibit. An administrator runs this PowerShell command against a Power Platform environment. What can the administrator conclude?

A.The environment is accessible only to members of the ContosoUsers security group
B.The environment creation failed
C.The environment has no security group assigned
D.The environment is a personal productivity environment
AnswerA

The environmentSecurityGroupName property indicates the security group assigned to the environment.

Why this answer

The PowerShell command `Get-AdminPowerAppEnvironment` returns the environment details, including the `SecurityGroupId` property. If this property is populated with a GUID, it indicates a security group is assigned to the environment, restricting access to its members. Since the exhibit shows a non-null `SecurityGroupId` for the ContosoUsers group, the environment is accessible only to members of that security group.

Exam trap

The trap here is that candidates assume a populated `SecurityGroupId` field means the environment is restricted to that group, but they may confuse it with other properties like `EnvironmentSku` or `Permissions`, or incorrectly think a null value indicates failure rather than no group assignment.

How to eliminate wrong answers

Option B is wrong because the command successfully returned environment details, including a `SecurityGroupId`, which indicates the environment was created and exists. Option C is wrong because the `SecurityGroupId` field is populated with a GUID, meaning a security group is assigned; an empty or null value would indicate no security group. Option D is wrong because a personal productivity environment (e.g., from a Power Apps license) does not have a security group assigned; the presence of a `SecurityGroupId` confirms this is a standard environment with access control.

52
MCQeasy

A Power Platform administrator receives a report that a user is unable to create a new environment. The user has a Power Apps per user license and is a member of the global admin group. What is the most likely cause?

A.The user does not have the Environment Admin role.
B.The user does not have a Power Apps Plan 2 license or Environment Creation add-on.
C.A DLP policy is blocking environment creation.
D.The tenant has reached its environment capacity limit.
AnswerB

A Power Apps per user license (Plan 1) does not include environment creation rights.

Why this answer

Environment creation requires a Power Apps Plan 2 license or an Environment Creation add-on. Having only a per user license is insufficient. Option A is incorrect because the user has global admin rights. Option C is incorrect because DLP policies do not prevent environment creation. Option D is incorrect because capacity is not the issue.

53
MCQhard

A global organization has multiple environments in Power Platform. The security team wants to prevent users from sharing canvas apps with external users. What is the most effective way to enforce this restriction?

A.Set environment-level sharing to ‘Only specific security groups’
B.Disable ‘Share with external users’ in the Power Platform admin center tenant settings
C.Assign a custom security role that denies the ‘Share’ privilege
D.Create a Data Loss Prevention (DLP) policy that blocks connectors used by external users
AnswerB

This setting explicitly blocks sharing canvas apps and other resources with external users.

Why this answer

Option B is correct because the tenant-level setting to block sharing with external users is the most direct and comprehensive control. Option A is wrong because environment-level sharing settings can be overridden by tenant settings, and external sharing control is at tenant level. Option C is wrong because assigning a custom security role does not prevent external sharing by default. Option D is wrong because DLP policies do not control sharing permissions.

54
Multi-Selecthard

Which THREE features are available in Power Platform managed environments? (Select 3)

Select 3 answers
A.Data loss prevention (DLP) policies
B.Weekly analytics digests
C.Solution checker integration
D.Sharing limits for canvas apps
E.Data policies enforcement
AnswersB, C, D

Managed environments provide weekly email digests with analytics.

Why this answer

Option B is correct because managed environments support weekly analytics digests. Option C is correct because solution checker integration is a feature. Option D is correct because sharing limits for canvas apps can be configured. Option A is wrong because data loss prevention is a separate feature, not exclusive to managed environments. Option E is wrong because data policies are part of standard environment management.

55
MCQhard

A company has a Power Platform environment that is running low on storage. The administrator needs to free up storage without deleting important data. What should they do first?

A.Disable auditing for all environments
B.Review storage analytics in the Power Platform admin center to identify large entities
C.Delete all audit logs
D.Purchase additional storage capacity
AnswerB

Storage analytics help pinpoint where storage is used, enabling targeted cleanup.

Why this answer

Option B is correct because the first step in freeing up storage without deleting important data is to identify which entities consume the most space. The Power Platform admin center provides storage analytics that break down storage usage by entity, allowing administrators to make informed decisions about data cleanup or archiving. This approach ensures that only non-essential data is targeted, preserving critical business data.

Exam trap

The trap here is that candidates often jump to disabling auditing or deleting logs as a quick fix, not realizing that storage analytics must be reviewed first to avoid accidentally removing critical data.

How to eliminate wrong answers

Option A is wrong because disabling auditing stops the creation of new audit logs but does not reclaim existing storage; audit logs must be explicitly deleted to free space. Option C is wrong because deleting all audit logs indiscriminately removes potentially important compliance and security records, which violates the requirement to not delete important data. Option D is wrong because purchasing additional storage does not free up existing storage; it only increases capacity, which may not address the root cause of storage inefficiency.

56
Multi-Selecteasy

Which TWO are valid methods to create a new Power Platform environment?

Select 2 answers
A.Using the Power Platform admin center web interface.
B.Using the Power Platform API.
C.Using the Microsoft Teams admin center.
D.Using the Power Apps mobile app.
E.Using the SharePoint admin center.
AnswersA, B

This is the primary administrative interface.

Why this answer

Environments can be created through the Power Platform admin center and via the Power Platform API. Option C is incorrect because the Teams admin center does not create environments. Option D is incorrect because the Power Apps mobile app does not create environments. Option E is incorrect because SharePoint is not used.

57
MCQeasy

A user reports they cannot create a new Power Apps app in the default environment. They have a Power Apps license. What is the most likely cause?

A.A data loss prevention (DLP) policy is blocking app creation.
B.The user has not been assigned the Environment Maker security role for the default environment.
C.The environment has reached its maximum number of apps.
D.The user does not have a Power Apps license.
AnswerB

The Environment Maker role is required to create apps in an environment.

Why this answer

The most likely cause is that the user has not been assigned the Environment Maker security role for the default environment. Even with a Power Apps license, a user must be explicitly granted the Environment Maker role in a specific environment (including the default environment) to create apps. Without this role, the user can only run apps, not create or edit them.

Exam trap

The trap here is that candidates often assume having a Power Apps license alone is sufficient to create apps, but the PL-900 exam tests the understanding that environment-level security roles (specifically Environment Maker) are required for app creation, even in the default environment.

How to eliminate wrong answers

Option A is wrong because a data loss prevention (DLP) policy controls which connectors can be used in apps and flows, but it does not block the creation of a new app itself. Option C is wrong because Power Apps environments do not have a hard maximum limit on the number of apps; the limit is on storage and API calls, not app count. Option D is wrong because the question explicitly states the user has a Power Apps license, so lack of license is not the issue.

58
MCQmedium

Refer to the exhibit. An admin runs the PowerShell command and gets the output shown. How many environments are in the tenant?

A.1
B.3
C.4
D.6
AnswerB

The output shows three environments.

Why this answer

Option B is correct because the output lists three environments: Contoso Sales, Contoso Dev, Contoso Test. Option A is wrong because there are three, not one. Option C is wrong because there are not four. Option D is wrong because there are not six.

59
MCQhard

Refer to the exhibit. A Power Platform administrator runs a PowerShell command to check the status of an environment. What does the output indicate?

A.The environment is a sandbox
B.The environment has been deleted
C.The environment is disabled
D.The environment is active and usable
AnswerD

State Enabled indicates the environment is active.

Why this answer

The PowerShell command output shows the environment's state as 'Ready' and its provisioning status as 'Succeeded', which together indicate the environment is fully provisioned and operational. In Power Platform, a 'Ready' state means the environment is active and available for use, confirming option D is correct.

Exam trap

The trap here is that candidates may confuse the 'State' field with environment type (sandbox vs. production) or assume any non-error output implies deletion, but the 'Ready' and 'Succeeded' values specifically indicate an active, usable environment.

How to eliminate wrong answers

Option A is wrong because a sandbox environment would be indicated by the 'EnvironmentType' property (e.g., 'Sandbox'), not by the 'State' or 'ProvisioningState' fields shown in the output. Option B is wrong because a deleted environment would not return any output or would show an error; the presence of a 'State' of 'Ready' confirms the environment exists. Option C is wrong because a disabled environment would have a 'State' of 'Disabled' or 'Suspended', not 'Ready'.

60
MCQmedium

A company has a Power Platform environment used for development. The development team needs to deploy a solution to a test environment. What is the recommended approach?

A.Export an unmanaged solution from the development environment and import it into the test environment
B.Manually recreate all components in the test environment
C.Copy the entire development environment to the test environment
D.Export a managed solution from the development environment and import it into the test environment
AnswerD

Managed solutions are the standard for deploying between environments.

Why this answer

Option D is correct because managed solutions are the recommended approach for deploying to non-development environments (e.g., test, UAT, production). A managed solution locks components to prevent direct editing in the target environment, supports lifecycle management (upgrades, patches, and removal), and ensures that only the intended customizations are deployed. Exporting an unmanaged solution (Option A) would leave components editable in the test environment, breaking the managed lifecycle pattern.

Exam trap

The trap here is that candidates often confuse unmanaged and managed solutions, thinking that exporting an unmanaged solution (Option A) is sufficient for deployment, when in fact managed solutions are required for proper lifecycle management and to prevent accidental edits in test/production environments.

How to eliminate wrong answers

Option A is wrong because exporting an unmanaged solution from development and importing it into test would create editable components in the test environment, which violates the recommended managed-solution deployment pattern and can lead to configuration drift. Option B is wrong because manually recreating all components is error-prone, time-consuming, and not a scalable or repeatable approach for environment promotion. Option C is wrong because copying the entire development environment would duplicate all data, settings, and unmanaged customizations, which is not a clean or controlled way to promote a specific solution and can introduce unwanted artifacts.

61
Multi-Selecteasy

A company wants to use Microsoft Copilot Studio to build a chatbot that helps employees reset their passwords. Which TWO components are required? (Choose two.)

Select 2 answers
A.Power Automate to connect to the password reset system
B.Power Virtual Agents (classic)
C.Microsoft Copilot Studio to build and deploy the chatbot
D.Power Apps to create the user interface
E.AI Builder to process natural language
AnswersA, C

Automation is needed to perform the reset.

Why this answer

Option A is correct because Power Automate is required to create a flow that connects the chatbot to the password reset system, enabling automated execution of the reset process. Without this integration, the chatbot cannot perform the backend action of resetting the password.

Exam trap

The trap here is that candidates may think AI Builder is required for natural language processing, but Copilot Studio has built-in NLU, making AI Builder unnecessary for this scenario.

62
MCQmedium

A retail company uses Power Platform for inventory and sales apps. They have multiple environments: Development, Test, and Production. The Development environment is running low on storage capacity due to many test records. The admin needs to free up storage without affecting the Test and Production environments. The admin also wants to maintain data integrity for ongoing development. What should the admin do?

A.Reset the Development environment using the Admin Center.
B.Delete the Development environment and create a new one.
C.Increase the storage capacity of the Development environment by purchasing add-ons.
D.Manually delete all test records from the Dataverse database.
AnswerA

Resetting clears all data and customizations, freeing storage, and allows a fresh start.

Why this answer

The Development environment can be reset (wiped clean) using the Power Platform Admin Center. This removes all data and customizations, freeing storage. The admin can then import the latest solution from source control to restore necessary apps and flows without test data.

63
MCQeasy

A user reports that they cannot create a new Power App in the default environment. The administrator checks that the user has a Power Apps license, but the user still cannot create apps. What is the most likely cause?

A.The user does not have a Power Apps license
B.The user does not have a mobile device
C.The environment is not enabled for app creation
D.The user is using an unsupported browser
AnswerC

Environment settings control who can create apps.

Why this answer

If the environment is not enabled for app creation, users cannot create apps even with a license. Option A is wrong because the user has a license. Option B is wrong because mobile access is not required for creation. Option D is wrong because browser issues would not prevent creation entirely.

64
MCQmedium

An organization wants to manage all Power Platform environments from a single pane of glass, including capacity monitoring and assignment of user roles. Which tool should they use?

A.Microsoft 365 admin center
B.Microsoft Intune
C.Power Platform admin center
D.Azure portal
AnswerC

The Power Platform admin center is the dedicated tool for managing environments, capacity, and roles.

Why this answer

The Power Platform admin center (admin.powerplatform.microsoft.com) is the dedicated management portal for all Power Platform environments, providing a single pane of glass for tasks such as capacity monitoring (storage usage per environment), environment lifecycle management, and assignment of user roles via Data Loss Prevention (DLP) policies and environment security roles. It centralizes administration across Power Apps, Power Automate, Power Virtual Agents, and Dataverse, which aligns directly with the organization's requirement.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center (which handles user licensing and service settings) with the Power Platform admin center, assuming all admin tasks are centralized in one portal, but the PL-900 exam specifically tests that Power Platform environment management requires the dedicated admin center.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 admin center manages user licenses, Microsoft 365 services (Exchange, SharePoint, Teams), and tenant-level settings, but it does not provide granular capacity monitoring or environment-specific role assignment for Power Platform environments. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) tool focused on device compliance, app protection policies, and conditional access, not on managing Power Platform environments or capacity. Option D is wrong because the Azure portal manages Azure resources (VMs, storage accounts, Azure Active Directory) and does not include the Power Platform environment management features like capacity monitoring or environment role assignment, which are specific to the Power Platform admin center.

65
MCQeasy

A user reports that a Power Automate flow stopped working after a co-owner modified the flow. The user is the original owner. What is the most likely reason for the failure?

A.The flow requires manual approval to run
B.The user lost ownership of the flow
C.The co-owner changed the connection references used by the flow
D.The co-owner deleted the user's permissions
AnswerC

Changed connections may break the flow if the new connections are not valid for the original owner.

Why this answer

Option C is correct because if the co-owner changed the connection references, the flow may lose access to required data sources or services. Option A is wrong because flow runs do not require manual approval unless configured. Option B is wrong because the original owner still retains ownership. Option D is wrong because co-owners can modify flows.

66
MCQhard

An organization uses Power Automate flows that connect to Microsoft Teams and SharePoint. They want to ensure that if a flow is accidentally deleted, it can be recovered within 30 days. What should they do?

A.Store the flow in a solution and export it regularly.
B.Enable version history for the flow.
C.Configure a backup policy in the Power Platform admin center.
D.No action needed; deleted flows are automatically retained in the recycle bin for 30 days.
AnswerD

Power Automate preserves deleted flows in the recycle bin for 30 days.

Why this answer

Option D is correct because deleted flows are retained in the recycle bin for 30 days. Option A is wrong because solutions do not protect against deletion. Option B is wrong because version history is for changes, not deletion recovery. Option C is wrong because backup policy is for Dataverse, not flows.

67
MCQeasy

You are a Power Platform administrator for a non-profit organization. The organization has a single environment used by volunteers and staff. A new volunteer needs to be able to run a specific Power App that manages event registrations, but should not be able to modify the app or access any other resources in the environment. The volunteer has a valid Power Apps license. You need to provide the volunteer with the minimum permissions necessary. What should you do?

A.Share the app directly with the volunteer
B.Create a new environment and add the volunteer there
C.Assign the volunteer the Environment Maker role and share the app
D.Add the volunteer to the System Administrator role
AnswerA

Sharing the app with the Basic User role (implied) gives run access.

Why this answer

Sharing the app with the volunteer and assigning the Basic User role gives them run access without modification rights. Option B is wrong because creating a new environment is unnecessary and complex. Option C is wrong because the Environment Maker role allows creation and editing. Option D is wrong because the System Administrator role gives full control.

68
MCQmedium

A company uses Microsoft Power Platform and wants to allow external users (guests) to access a canvas app. The app connects to a Dataverse database that contains sensitive customer information. The security team is concerned about data leakage. What should the administrator do to minimize risk?

A.Disable sharing of the app with external users.
B.Create a new environment specifically for external users with only the required data.
C.Add external users as guests in Microsoft Entra ID and grant them access to the existing environment.
D.Use DLP policies to block all connectors except the canvas app.
AnswerB

This isolates the sensitive data and provides controlled access.

Why this answer

The best approach is to create a separate environment for external users and restrict access to only necessary data. Option A is incorrect because disabling sharing altogether prevents the business need. Option C is incorrect because B2B collaboration does not isolate data. Option D is incorrect because DLP policies do not restrict data within Dataverse.

69
MCQeasy

An admin needs to view the capacity add-ons purchased for a tenant, including AI Builder credits. Where should the admin go?

A.Power Platform admin center > Billing > Licenses
B.Microsoft 365 admin center > Billing > Licenses
C.Power Platform admin center > Resources > Capacity
D.Azure portal > Cost Management + Billing
AnswerC

Capacity section displays add-ons like AI Builder credits.

Why this answer

The Power Platform admin center is the dedicated management interface for Power Platform resources, including capacity add-ons and AI Builder credits. Under Resources > Capacity, admins can view detailed breakdowns of capacity entitlements, such as database, file, log, and add-on credits like AI Builder service credits. This is the correct location because it provides tenant-level capacity monitoring specific to Power Platform, not general licensing or Azure billing.

Exam trap

The trap here is that candidates confuse the Power Platform admin center's Billing > Licenses (which shows license assignments) with Resources > Capacity (which shows add-on credits), or mistakenly think the Microsoft 365 admin center or Azure portal handles Power Platform capacity management.

How to eliminate wrong answers

Option A is wrong because the Power Platform admin center > Billing > Licenses shows license assignments and subscription details, not capacity add-ons or AI Builder credits. Option B is wrong because the Microsoft 365 admin center > Billing > Licenses manages Microsoft 365 product licenses (e.g., Office 365, Enterprise Mobility + Security), not Power Platform capacity add-ons. Option D is wrong because the Azure portal > Cost Management + Billing handles Azure subscription costs and resource consumption, not Power Platform tenant-level capacity add-ons or AI Builder credits.

70
MCQ · easy

A company plans to deploy Power Apps for field service technicians. The IT department requires that all users authenticate using their corporate credentials and that access to the Power Apps environment is restricted to users from the company's tenant only. Which configuration should the administrator use?

A. Enable 'Allow users from other tenants' in environment settings
B. Set the environment security group to 'All users' and enable external sharing
C. Assign a security group that includes only specific technicians
D. Set the environment security group to 'Only internal users' and disable external sharing
Answer: D

This ensures only tenant users can access.

Why this answer

Option D is correct because setting the environment security group to 'Only internal users' and disabling external sharing ensures that only authenticated users from the company's own Microsoft Entra ID (formerly Azure AD) tenant can access the Power Apps environment. This meets the IT requirement of restricting access to corporate credentials and the company's tenant only, preventing any external guest or user from another tenant from signing in.

Exam trap

The trap here is that candidates often confuse user-level security groups with tenant-level access controls, mistakenly thinking that assigning a specific security group (Option C) alone is sufficient to block external users, when in fact the environment's tenant restriction setting is required to prevent cross-tenant authentication entirely.

How to eliminate wrong answers

Option A is wrong because enabling 'Allow users from other tenants' would explicitly permit external users from different Microsoft Entra ID tenants to access the environment, violating the requirement to restrict access to the company's tenant only. Option B is wrong because setting the security group to 'All users' includes both internal and external users (if external sharing is enabled), and enabling external sharing further opens the environment to guest accounts, which contradicts the restriction policy. Option C is wrong because while assigning a security group with only specific technicians limits access to those users, it does not inherently prevent users from other tenants from being added to that group or from authenticating if external sharing is enabled; the environment-level tenant restriction is still needed to block cross-tenant access.

71
Multi-Select · hard

An organization is preparing for a Power Platform rollout. They need to ensure that only licensed users can create new environments, and that environment creation is audited. Additionally, they want to restrict which connectors can be used in production environments. Which THREE capabilities should they use?

Select 3 answers
A. Data Loss Prevention (DLP) policies
B. Microsoft 365 admin center to assign Power Platform licenses
C. Power Platform Admin Center environment creation settings
D. Power Virtual Agents bot
E. Power Apps mobile app
Answers: A, B, C

DLP policies can block specific connectors in production environments.

Why this answer

Power Platform Admin Center provides environment creation controls. Licensing must be managed in Microsoft 365 admin center to restrict creation to licensed users. DLP policies block unwanted connectors.

72
MCQ · medium

A Power Platform administrator needs to restrict data loss prevention (DLP) policies to prevent sensitive data from being shared with non-approved connectors. Which scope should the administrator apply?

A. Group-level
B. Tenant-level
C. Environment-level
D. User-level
Answer: C

Environment-level policies can be applied to specific environments, allowing precise control over connector use.

Why this answer

Environment-level DLP policies allow administrators to apply data loss prevention rules to specific environments, ensuring that sensitive data is not shared with non-approved connectors within that environment. This granular control is necessary when different environments have different compliance requirements, such as separating development from production data flows.

Exam trap

The trap here is that candidates often confuse environment-level with tenant-level scope, assuming that a single tenant-wide policy is sufficient, but the question specifically requires restricting only certain environments, making environment-level the precise answer.

How to eliminate wrong answers

Option A is wrong because group-level DLP policies do not exist in Power Platform; DLP policies can be scoped to environments or tenants, not to security groups. Option B is wrong because tenant-level DLP policies apply to all environments in the tenant, which is too broad if the administrator needs to restrict only specific environments while allowing others to use non-approved connectors. Option D is wrong because user-level DLP policies are not supported; DLP policies are scoped to environments or tenants, not individual users.

73
MCQ · hard

Refer to the exhibit. A Power Platform admin creates a DLP policy with this JSON configuration. What is the effect?

A. The SharePoint connector is blocked in all production environments.
B. The policy blocks all SharePoint Online and SharePoint on-premises connectors.
C. The SharePoint connector is restricted to the business data group.
D. The SharePoint connector is blocked only in the default environment.
Answer: A

The policy applies to environments with type Production and blocks the SharePoint connector.

Why this answer

Option A is correct because the JSON shows a DLP policy that blocks the SharePoint connector in all environments of type Production. Option B is wrong because the policy does not mention SharePoint Online vs on-premises. Option C is wrong because the policy blocks SharePoint rather than restricting it. Option D is wrong because the policy does not target a specific environment.

74
MCQ · hard

You are the Power Platform administrator for a large multinational corporation. The company has a single Microsoft Entra ID tenant with users in North America, Europe, and Asia. Due to data residency regulations, each region must store its data within its geographic boundaries. The company has three production environments: NA-Prod (East US), EU-Prod (West Europe), and ASIA-Prod (Southeast Asia). Each production environment has a corresponding sandbox environment for development. Recently, the security team discovered that a developer in Europe accidentally accessed customer data from the NA-Prod environment by using a connection reference that pointed to the North American Dataverse instance. To prevent cross-region data access, you need to implement a solution that blocks any Power Automate flow or Power Apps canvas app from connecting to Dataverse instances in other regions. You must also ensure that developers can still use non-Dataverse connectors (e.g., SharePoint, Office 365) that may be global. What should you do?

A. Create environment-level DLP policies that block the Dataverse connector in each environment, then add the Dataverse connector back as a business connector only for the local instance using endpoint filtering.
B. Use Microsoft Entra ID Conditional Access policies to block cross-region access to Dataverse.
C. Create a tenant-level DLP policy that blocks the Dataverse connector for all environments.
D. Enable audit logging and create a Power Automate flow to notify administrators when cross-region access is detected.
Answer: A

Endpoint filtering allows specifying allowed URLs, restricting connections to the local Dataverse instance.

Why this answer

Data Loss Prevention (DLP) policies can be configured at the environment level to block the Dataverse connector in environments where it is not allowed. However, since each environment needs Dataverse for its own region, you need to create DLP policies that block the Dataverse connector for cross-region connections. But DLP policies block connectors entirely, not specific instances.

A better approach is to use environment routing rules to restrict traffic to specific Dataverse instances. Option B is incorrect because Conditional Access controls user access but not app connections. Option C is incorrect because that DLP policy blocks the connector entirely. Option D is incorrect because audit logs only detect, not prevent.

75
MCQ · easy

Refer to the exhibit. A Power Platform administrator creates a DLP policy as shown. What is the effect of this policy?

A. Facebook, Twitter, and LinkedIn connectors are allowed in all environments
B. All social media connectors are blocked in all environments
C. Facebook, Twitter, and LinkedIn connectors are blocked tenant-wide
D. The policy only applies to production environments
Answer: C

The policy blocks these three connectors at the tenant level.

Why this answer

The exhibit shows a Data Loss Prevention (DLP) policy configured with the 'Social media' category set to 'Blocked' for all environments. This means the Facebook, Twitter, and LinkedIn connectors are explicitly blocked tenant-wide, preventing their use in any environment (production, sandbox, or default). Option C correctly identifies this outcome.

Exam trap

The trap here is that candidates may confuse 'Blocked' with 'Non-Business' or assume the policy only applies to production environments, when the exhibit explicitly shows 'All environments' selected.

How to eliminate wrong answers

Option A is wrong because the policy blocks these connectors in all environments, not allows them. Option B is wrong because the policy only blocks the specific social media connectors listed (Facebook, Twitter, LinkedIn), not all social media connectors (e.g., Instagram or YouTube are not included). Option D is wrong because the policy is set to apply to 'All environments' (as shown in the exhibit), not just production environments.
