CCNA Manage the Microsoft Power Platform environment Questions

75 of 164 questions · Page 2/3 · Manage the Microsoft Power Platform environment · Answers revealed

76
MCQ · hard

A company uses Power Platform with Microsoft Dataverse. The administrator notices that a user can create a new environment without approval. The company wants to enforce a process where all environment creation requires administrator approval. What should the administrator configure?

A. Configure a Data Loss Prevention (DLP) policy
B. Disable the 'Create personal productivity environments' setting in the Power Platform admin center
C. Set a conditional access policy in Microsoft Entra ID
D. Reduce the tenant-level environment capacity limits
Answer: B

Disabling this setting prevents users from creating environments without administrator action.

Why this answer

Option D is correct because disabling the 'Create personal productivity environments' setting in the Power Platform admin center prevents users from creating environments, requiring them to request administrator creation. Option A is wrong because environment capacity limits do not require approval for creation. Option B is wrong because DLP policies do not control environment creation.

Option C is wrong because Microsoft Entra ID conditional access policies control authentication, not environment creation.

77
MCQ · medium

An organization uses Power Apps portals to allow external customers to submit support tickets. The portal uses Microsoft Entra ID for authentication. The security team wants to require multi-factor authentication (MFA) for external portal users. What is the best approach?

A. Create a Conditional Access policy in Microsoft Entra ID that requires MFA for the portal application
B. Enable MFA for all Microsoft Entra ID users
C. Use a third-party identity provider that supports MFA
D. Configure MFA in the Power Apps portal authentication settings
Answer: A

This allows granular MFA enforcement for the portal app without affecting other apps.

Why this answer

Option B is correct because MFA can be enforced via a Conditional Access policy targeting the portal application. Option A is wrong because turning on MFA for all Entra ID users would affect internal users. Option C is wrong because portal authentication settings do not include MFA enforcement.

Option D is wrong because MFA enforcement at the identity provider level is not granular for the portal only.

78
MCQ · easy

An organization uses Power Automate flows that connect to Microsoft Dataverse and SharePoint. The administrator needs to ensure that only specific connectors can be used together. What should they configure?

A. Enable solution component isolation
B. Configure a Data Loss Prevention (DLP) policy
C. Create an environment security group
D. Turn on auditing for the environment
Answer: B

DLP policies allow administrators to define which connectors can be used together in flows.

Why this answer

Option D is correct because Data Loss Prevention (DLP) policies define which connectors can be used together in the same flow. Option A is wrong because environment security groups control user access, not connector combinations. Option B is wrong because solution component isolation is about solution layers, not connectors.

Option C is wrong because auditing is for tracking changes, not restricting connectors.

79
MCQ · easy

Refer to the exhibit. A Power Platform admin views the capacity of a sandbox environment. Based on the exhibit, which statement is true?

A. The environment is a sandbox and thus has reduced capacity limits.
B. The capacity values are unusually low and may indicate a problem.
C. The environment has production-level capacity.
D. The capacity cannot be increased with add-ons.
Answer: A

Sandbox environments have lower default capacity.

Why this answer

Option C is correct because sandbox environments have reduced capacity compared to production. Option A is wrong because the exhibit does not compare to production; sandbox has lower limits by default. Option B is wrong because capacity values shown are not unusually low; they are typical for sandbox.

Option D is wrong because capacity add-ons can increase sandbox capacity.

80
Multi-Select · easy

A manufacturing company is planning to implement Microsoft Power Platform. The environment strategy must support data isolation for sensitive production data while allowing developers to experiment with new features without affecting the production environment. Which two environment types should the company use?

Select 2 answers
A. Default environment
B. Sandbox environment
C. Production environment
D. Developer environment
E. Trial environment
Answers: B, C

Sandbox environments are isolated from production, ideal for development and testing.

Why this answer

A sandbox environment provides a non-production area for development and testing. A production environment hosts the live apps and data. Together they allow development without affecting production.

81
Multi-Select · easy

Which TWO of the following are valid environment types in Power Platform?

Select 2 answers
A. Development
B. Production
C. Sandbox
D. Trial
E. Preview
Answers: B, C

Production is a standard environment type.

Why this answer

Production and Sandbox are both valid environment types in Power Platform. Production environments are intended for live, end-user applications and data, while Sandbox environments are isolated, non-production environments used for development, testing, and training. Both support the full set of Power Platform capabilities, including Dataverse, Power Apps, Power Automate, and Power Virtual Agents.

Exam trap

The trap here is that candidates often confuse 'Development' as a separate environment type, but Power Platform only uses Production, Sandbox, Trial, and Preview as environment types, with Sandbox serving the development role.

82
MCQ · medium

A company is using Power Automate flows that connect to multiple third-party services. The security administrator wants to ensure that no sensitive data is sent to unauthorized external services. Which feature should be used to enforce this requirement?

A. Create and apply Data Loss Prevention (DLP) policies.
B. Enable audit logging in the Power Platform admin center.
C. Configure environment routing rules.
D. Use the Power Platform Copilot to monitor flows.
Answer: A

DLP policies can block specific connectors from being used in apps and flows.

Why this answer

Data Loss Prevention (DLP) policies allow blocking or restricting connectors to prevent data leakage. Option A is incorrect because audit logs only record activity, not prevent it. Option B is incorrect because environment routing does not control connectors.

Option D is incorrect because Copilot is an AI assistant, not a security feature.

83
MCQ · medium

A Power Platform admin needs to ensure that all environments have a backup policy that automatically creates backups every 24 hours. What is the default backup frequency for Dataverse environments?

A. Every 24 hours
B. Only for paid environments, there is no default schedule.
C. Every 12 hours
D. Every 48 hours
Answer: A

Dataverse automatically creates system backups every 24 hours.

Why this answer

Option A is correct because Dataverse environments are backed up every 24 hours by default. Option B is wrong because 12 hours is not default. Option C is wrong because 48 hours is not default.

Option D is wrong because only paid environments have backups, but the frequency is still every 24 hours.

84
MCQ · medium

An administrator runs a PowerShell command to check a DLP policy. Based on the output, which connector is allowed to be used in Power Automate flows?

A. Dropbox
B. Google Drive
C. Microsoft Teams
D. Microsoft OneDrive
Answer: C

Teams is in the allowed list.

Why this answer

Option B is correct because the allowedConnectors list includes Microsoft.Teams. Options A, C, and D are in the blocked list.

85
MCQ · hard

An administrator reviews the JSON output from a Power Platform environment. What should the administrator be concerned about based on the data?

A. The Dataverse URL is incorrect
B. The admin email is not configured
C. The API rate limit is approaching its maximum
D. The environment is out of storage
Answer: C

85% usage indicates potential throttling soon.

Why this answer

Option C is correct because the JSON output shows the 'RateLimitRemaining' field approaching zero, indicating that the API rate limit is nearly exhausted. Power Platform enforces per-tenant and per-user API limits to ensure fair resource usage, and hitting the limit will throttle or block further API calls, disrupting integrations and automated workflows.

Exam trap

The trap here is that candidates often confuse API rate limit warnings with storage capacity issues, overlooking the 'RateLimitRemaining' field in favor of storage-related fields, because both involve resource exhaustion but affect different operational aspects.

How to eliminate wrong answers

Option A is wrong because the JSON includes a valid 'DataverseUrl' field with a correctly formatted URL, and there is no error or mismatch in the URL structure to indicate an incorrect Dataverse URL. Option B is wrong because the JSON output does not contain any field related to admin email configuration; admin email is typically set in the Power Platform admin center, not exposed in API response JSON. Option D is wrong because the JSON shows storage usage fields (e.g., 'StorageUsed' and 'StorageAvailable') with ample remaining capacity, and no storage exhaustion warning is present.

86
MCQ · hard

The exhibit shows a DLP policy configuration for a Power Platform environment. Which connector is allowed for business use?

A. Outlook
B. Twitter
C. Facebook
D. SharePoint
Answer: D

SharePoint is classified as 'Business'.

Why this answer

SharePoint is classified as 'Business' in the DLP policy because it is a Microsoft-owned enterprise service that supports data loss prevention (DLP) actions like blocking, monitoring, or restricting data flow. The exhibit shows SharePoint under the 'Business' data group, meaning it is allowed for business use without triggering policy violations. In contrast, Outlook, Twitter, and Facebook are placed in the 'Non-Business' group, which blocks their connectors from being used in apps and flows within this environment.

Exam trap

The trap here is that candidates assume all Microsoft-owned connectors (like Outlook) are automatically 'Business' by default, but DLP policies are environment-specific and can be customized by administrators to reclassify connectors into Non-Business groups.

How to eliminate wrong answers

Option A is wrong because Outlook is listed under the 'Non-Business' data group in the exhibit, which means its connector is blocked for business use. Option B is wrong because Twitter is also in the 'Non-Business' group, preventing its connector from being used in business flows. Option C is wrong because Facebook is likewise categorized as 'Non-Business', so its connector is disallowed for business purposes.

87
MCQ · hard

A large enterprise uses Power Platform with multiple environments. They need to enforce a policy that blocks all Canvas apps from using the 'Twitter' connector, but only in the 'Production' environment. What should the administrator do?

A. Create a DLP policy at the tenant level and set the 'Twitter' connector to 'Blocked'
B. Disable the 'Twitter' connector in the Power Platform admin center for the Production environment
C. Create an environment-level DLP policy for the Production environment and set 'Twitter' to 'Blocked'
D. Use the 'Set Connector' API to disable the connector for the Production environment
Answer: C

An environment-level DLP policy can block specific connectors in a specific environment.

Why this answer

Option C is correct because environment-level DLP policies allow administrators to apply connector restrictions to specific environments, such as blocking the 'Twitter' connector only in 'Production' while leaving it available in other environments. This granular control is essential for enforcing governance without affecting development or testing environments.

Exam trap

The trap here is that candidates may assume tenant-level policies are the only option or that connectors can be disabled directly in the admin center, but the correct approach requires understanding that environment-level DLP policies provide the necessary granularity.

How to eliminate wrong answers

Option A is wrong because a tenant-level DLP policy applies to all environments, not just the 'Production' environment, which would block the 'Twitter' connector everywhere. Option B is wrong because the Power Platform admin center does not provide a direct toggle to disable a specific connector per environment; connector blocking is managed through DLP policies, not a simple disable switch. Option D is wrong because the 'Set Connector' API is not a supported method for disabling connectors in Power Platform; DLP policies are the intended mechanism for controlling connector usage.

88
Multi-Select · hard

Which THREE components are included in a Power Platform environment?

Select 3 answers
A. Power BI workspaces
B. Dataverse database
C. Microsoft 365 groups
D. Power Apps
E. Power Automate flows
Answers: B, D, E

Dataverse is a core component of environments.

Why this answer

Options A, B, and D are correct. A Power Platform environment includes Dataverse databases, Power Apps, Power Automate flows, and other components. Option C is wrong because Power BI workspaces are separate from Power Platform environments.

Option E is wrong because Microsoft 365 groups are not part of a Power Platform environment.

89
MCQ · easy

Refer to the exhibit. An administrator deploys this ARM/Bicep template to create a new Power Platform environment. What type of environment will be created?

A. Developer environment
B. Trial environment
C. Production environment
D. Sandbox environment
Answer: D

The environmentSku is set to 'Sandbox'.

Why this answer

The ARM/Bicep template sets the 'environmentSku' property to 'Sandbox', which directly specifies the environment type as a Sandbox environment. Sandbox environments are non-production instances used for development, testing, and training, isolated from production data and workloads.

Exam trap

The trap here is that candidates may confuse 'Sandbox' with 'Developer' or 'Trial' environments, as all three are non-production types, but the ARM/Bicep template's explicit 'environmentSku' value of 'Sandbox' uniquely identifies the environment type, and the exam tests the ability to distinguish between these SKUs based on the template syntax.

How to eliminate wrong answers

Option A is wrong because a Developer environment is a specific type of Power Platform environment that is created for individual developers with a limited capacity and is not defined by the 'Sandbox' SKU in the template. Option B is wrong because a Trial environment is a temporary environment with a fixed expiration date, typically created through the Power Platform admin center or trial offers, not by specifying 'Sandbox' in an ARM/Bicep template. Option C is wrong because a Production environment is the default environment type when no specific SKU is provided or when 'Production' is explicitly set, but the template explicitly sets 'environmentSku' to 'Sandbox', overriding the default.

90
MCQ · medium

The exhibit shows a PowerShell command and its output. What does the EnvironmentState value indicate?

A. The environment is active and can be used
B. The environment is pending creation
C. The environment is disabled
D. The environment has a provisioning error
Answer: A

'Enabled' means the environment is active.

Why this answer

The EnvironmentState value 'Ready' indicates that the environment is fully provisioned, active, and available for use. In the Power Platform admin center and PowerShell cmdlets like Get-AdminPowerAppEnvironment, 'Ready' is the standard status for a healthy environment that can host apps, flows, and other resources.

Exam trap

The trap here is that candidates may confuse 'Ready' with other states like 'PendingCreation' or 'Disabled', assuming any non-error state means the environment is usable, but only 'Ready' confirms full provisioning and availability.

How to eliminate wrong answers

Option B is wrong because 'PendingCreation' is a separate state that appears when an environment is still being provisioned, not when it is already showing 'Ready'. Option C is wrong because a disabled environment would show a state like 'Disabled' or 'NotReady', not 'Ready'. Option D is wrong because a provisioning error would result in a state like 'ProvisioningFailed' or 'Error', not 'Ready'.

91
MCQ · easy

A Power Platform administrator needs to ensure that any maker can create environments in the default tenant, but only for development purposes. The administrator wants to enforce a policy that automatically deletes unused environments after 30 days. Which feature should the administrator use?

A. Environment Lifecycle Policies in the Power Platform admin center.
B. Power Platform API to schedule deletion scripts.
C. Capacity management in the Power Platform admin center.
D. Data Loss Prevention (DLP) policies.
Answer: A

These policies can automatically delete inactive environments after a specified period.

Why this answer

The correct answer is the Environment Lifecycle Policies in the Power Platform admin center, which allow setting deletion policies based on inactivity. Option A is incorrect because DLP policies control connectors, not environment lifecycle. Option B is incorrect because capacity management does not delete environments.

Option D is incorrect because the Power Platform API can be used but is not the built-in policy feature.

92
MCQ · medium

A company is deploying Power Virtual Agents (now Copilot Studio) chatbots across multiple departments. Each department needs its own environment to manage chatbots independently. However, the company wants to share a common set of entities and workflows across all environments. Which approach should the administrator take?

A. Create a single environment for all departments and use security roles to isolate chatbots
B. Use Power Apps component library to share components across environments
C. Create a shared environment for common components and link each department environment to it
D. Create a separate environment per department and deploy managed solutions containing the common components
Answer: D

Managed solutions enable standardized deployment across environments.

Why this answer

Option D is correct because managed solutions allow you to package common components (entities, workflows) and deploy them to multiple environments, ensuring consistency while maintaining departmental isolation. Each department gets its own environment for independent chatbot management, and the shared components are installed via managed solutions that cannot be modified, preserving the common baseline.

Exam trap

The trap here is that candidates confuse environment-level isolation with component sharing, assuming a single environment with security roles or a linked environment is sufficient, when the correct pattern requires deploying managed solutions to each environment.

How to eliminate wrong answers

Option A is wrong because using a single environment with security roles does not provide true isolation for chatbot management; security roles control data access but not component-level separation, and all chatbots would share the same entities and workflows, leading to potential conflicts. Option B is wrong because Power Apps component libraries are designed for sharing UI components (e.g., controls, screens) across canvas apps, not for deploying backend entities or workflows across environments. Option C is wrong because Power Platform does not support linking environments to a shared environment for common components; the correct mechanism is to use managed solutions to deploy components into each environment, not a runtime link.

93
MCQ · medium

A global company with offices in multiple regions wants to ensure that Power Automate flows processing sensitive customer data are only executed in specific geographic regions to comply with data residency requirements. What should the administrator configure?

A. Data loss prevention (DLP) policies
B. Audit log settings
C. Solution checker
D. Environment routing rules
Answer: A

DLP policies control data movement and connector usage.

Why this answer

Data loss prevention (DLP) policies can restrict the use of connectors and data movement across regions. Option A is wrong because environment routing is not a feature. Option B is wrong because solution checkers analyze code, not data residency.

Option D is wrong because audit logs only record events, not enforce residency.

94
MCQ · medium

Refer to the exhibit. An administrator is configuring a Data Loss Prevention (DLP) policy. The policy is applied to all environments. What will be the result of this policy?

A. The connectors are allowed but audited
B. The connectors are blocked only in production environments
C. The connectors are blocked in all environments
D. The connectors are blocked except for the default environment
Answer: C

The policy blocks the connectors across all environments.

Why this answer

The policy blocks the specified connectors in all environments. Option A is wrong because the policy targets all environments. Option B is wrong because there is no exclusion.

Option D is wrong because the policy blocks the connectors, not just warns.

95
MCQ · hard

Refer to the exhibit. The JSON shows Power Platform tenant settings. A user tries to create a new environment with a capacity of 8 GB. What will happen?

A. The environment creation will fail because 8 GB exceeds the default environment capacity of 5 GB.
B. The environment will be created successfully with 8 GB capacity.
C. The environment will be created but the user must have a Power Apps license assigned.
D. The environment creation will fail because UserAllocation mode requires at least 15 GB.
Answer: B

8 GB is within the allowed maximum of 10 GB per environment.

Why this answer

The JSON shows that the tenant settings have 'DisableEnvironmentCreationByNonAdminUsers' set to false, meaning non-admin users can create environments, and 'EnvironmentCapacityAllocationMode' is set to 'UserAllocation', which allows users to allocate capacity from their own user license. Since the user is trying to create an environment with 8 GB, and the default per-user capacity for a Power Apps license is 10 GB (not 5 GB), the creation succeeds because 8 GB is within that limit.

Exam trap

The trap here is that candidates assume a fixed default environment capacity of 5 GB (from older documentation or confusion with the default tenant capacity), but the actual per-user capacity depends on the license type, and 'UserAllocation' mode allows users to use their own license capacity, which is typically 10 GB for Power Apps.

How to eliminate wrong answers

Option A is wrong because the default environment capacity is not 5 GB; for a user with a Power Apps license, the default per-user capacity is 10 GB, so 8 GB is within that limit. Option C is wrong because the user must already have a Power Apps license assigned to attempt environment creation with capacity allocation; the question implies the user has the necessary license, and the creation does not fail due to licensing. Option D is wrong because UserAllocation mode does not require a minimum of 15 GB; it allows users to allocate capacity from their own license, which typically provides 10 GB per user, and 8 GB is well below that threshold.

96
MCQ · medium

Refer to the exhibit. The JSON policy shown fails to apply to the production environment. What is the most likely reason?

A. The connector IDs should include the full path with 'shared_twitter' and 'shared_facebook', which they do.
B. The action value should be 'Block' with a capital B, but the JSON uses 'Block' which is correct.
C. The JSON uses 'environment' as a key instead of 'environments'.
D. The policy name is missing a required prefix.
Answer: C

The correct key is 'environments' (plural) for the array of environment names.

Why this answer

Option C is correct because the JSON policy uses 'environment' as a key, but the correct key in Microsoft Power Platform DLP (Data Loss Prevention) policy JSON schema is 'environments' (plural). This mismatch causes the policy to fail validation and not apply to the production environment, as the platform expects an array of environment IDs under the 'environments' key.

Exam trap

The trap here is that candidates may focus on the connector IDs or action values, which appear correct, and overlook the subtle but critical difference between 'environment' and 'environments' in the JSON key, a classic schema validation pitfall in Power Platform DLP policies.

How to eliminate wrong answers

Option A is wrong because the connector IDs in the exhibit do not include the full path with 'shared_twitter' and 'shared_facebook'; they are missing the 'shared_' prefix, which is required for connector references in Power Platform DLP policies. Option B is wrong because the action value 'Block' is correctly capitalized and valid; the issue is not with the action value but with the key name. Option D is wrong because Power Platform DLP policies do not require a specific prefix in the policy name; the name is arbitrary and does not affect policy application.

97
MCQ · medium

An organization wants to ensure that all Power Platform solutions in production environments are tracked and changes are approved. What should the administrator implement?

A. Data Loss Prevention (DLP) policies
B. Environment security groups
C. Disable the 'Create personal productivity environments' setting
D. Managed solutions with application lifecycle management (ALM)
Answer: D

Managed solutions and ALM provide controlled deployment and change tracking.

Why this answer

Managed solutions with application lifecycle management (ALM) ensure that all Power Platform solutions in production environments are tracked and changes are approved by enforcing version control, solution layering, and controlled deployment through environments. This approach uses solution components and environment segmentation to prevent unapproved modifications and maintain an audit trail.

Exam trap

The trap here is that candidates often confuse DLP policies or security groups with change management, but only managed solutions with ALM provide the structured tracking and approval workflow required for production governance.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies control data flow between connectors and prevent data exfiltration, but they do not track or approve changes to solutions. Option B is wrong because environment security groups manage user access and permissions to environments, not the tracking or approval of solution changes. Option C is wrong because disabling the 'Create personal productivity environments' setting only prevents users from creating their own environments, but does not enforce change tracking or approval for production solutions.

98
MCQ · hard

An administrator needs to manage multiple Power Platform environments across several tenants. The administrator wants to use a single tool to view environment details, apply updates, and configure settings for all environments. Which tool should the administrator use?

A. Power Platform Admin Center
B. PowerShell cmdlets
C. Power Apps Maker Portal
D. Microsoft 365 admin center
Answer: A

The Admin Center provides unified management for environments.

Why this answer

The Power Platform Admin Center is the central tool for managing environments across tenants. Option A is wrong because PowerShell is a scripting tool, not a single interface for all tasks. Option B is wrong because Power Apps Maker Portal is for app creation.

Option D is wrong because Microsoft 365 admin center does not manage Power Platform environments fully.

99
MCQ · medium

A company uses Power BI to create reports from Dataverse data. The administrator needs to ensure that report creators can only see data from tables they have access to in Dataverse. Which security feature should the administrator configure?

A. Set environment security group to include only report creators
B. Configure table-level permissions in Dataverse
C. Define row-level security (RLS) roles in Power BI and map them to Dataverse roles
D. Assign the 'Environment Maker' role to report creators
Answer: C

RLS restricts data visible to each user in the report.

Why this answer

Option D is correct because row-level security (RLS) in Power BI restricts data access based on user roles. Option A is wrong because it applies to the environment, not specific tables. Option B is wrong because it affects who can create reports, not data visibility.

Option C is wrong because table permissions do not translate to Power BI.

100
Multi-Select · medium

A company wants to enforce data loss prevention (DLP) policies for Power Automate flows. Which TWO actions can the administrator perform?

Select 2 answers
A. Allow users to bypass DLP policies with administrator approval
B. Block specific connectors from being used in flows
C. Create a custom DLP policy for a specific environment
D. Assign DLP policies to specific users
E. Inherit the tenant-level DLP policy for all environments
Answers: B, C

Blocking connectors is a common DLP action.

Why this answer

Option B is correct because administrators can block specific connectors from being used in Power Automate flows as part of a DLP policy, preventing data from being shared with unauthorized services. Option C is correct because DLP policies can be scoped to a specific environment, allowing granular control over connector usage within that environment. This enables the administrator to enforce data protection rules tailored to different business contexts.

Exam trap

The trap here is that candidates often confuse environment-level DLP policy assignment with user-level assignment, or assume that tenant-level policies are automatically inherited by all environments, when in fact each environment can have its own independent DLP policy.

101
MCQ · medium

An organization uses Microsoft Power Platform and wants to enforce data loss prevention (DLP) policies across all environments. They need to block the use of a specific third-party connector in all environments. What should the administrator do?

A. Create a DLP policy for each environment and block the connector
B. Create a custom connector with the same name and block it
C. Remove the connector from the default solution
D. Create a tenant-level DLP policy that blocks the connector
Answer: D

A tenant-level DLP policy applies to all environments.

Why this answer

Option D is correct because DLP policies in Microsoft Power Platform can be configured at the tenant level to apply across all environments. By creating a tenant-level DLP policy and blocking the specific third-party connector, the administrator ensures consistent enforcement without needing to manage individual environment policies. This approach centralizes control and prevents the connector from being used in any environment.

Exam trap

The trap here is that candidates often assume DLP policies must be created per environment, overlooking the tenant-level scope that provides centralized enforcement across all environments.

How to eliminate wrong answers

Option A is wrong because creating a DLP policy for each environment is inefficient and error-prone; it requires manual replication across environments and does not guarantee uniform enforcement if environments are added or missed. Option B is wrong because creating a custom connector with the same name does not block the original third-party connector; custom connectors are separate entities and blocking a custom connector does not affect the built-in or certified connector. Option C is wrong because removing a connector from the default solution does not block its use; connectors are not managed through solutions in that way, and removal from a solution only affects solution components, not connector availability in environments.

102
MCQ · hard

An organization uses Power Automate flows that connect to Microsoft SharePoint Online and Microsoft Dataverse. The security team requires that all connections to Dataverse use service principal authentication instead of user credentials. The administrator needs to ensure that flows relying on Dataverse connections continue to work after the change. What should the administrator do?

A. Create a new environment and migrate flows there
B. Register a service principal in Microsoft Entra ID and update connection references in the flows' solution
C. Recreate all flows with a shared connection using a service principal
D. Delete existing connections and ask users to create new ones
Answer: B

This allows flows to authenticate using the service principal.

Why this answer

Service principal authentication in Power Automate requires registering an application in Microsoft Entra ID (formerly Azure AD) and using its credentials to authenticate to Dataverse. Updating the connection references in the flows' solution to point to a service principal-based connection ensures all flows continue to work without requiring user credentials, meeting the security team's requirement.

Exam trap

The trap here is that candidates may think recreating flows or migrating environments is necessary, when in fact the solution-level connection reference can be updated to switch authentication methods without rebuilding the flows.

How to eliminate wrong answers

Option A is wrong because creating a new environment and migrating flows does not change the authentication method; the flows would still use user credentials unless the connection references are updated. Option C is wrong because recreating all flows is unnecessary and inefficient; the existing flows can be updated by modifying their connection references to use a service principal connection. Option D is wrong because deleting existing connections and asking users to create new ones would disrupt operations and still rely on user credentials, not service principal authentication.

103
MCQ · easy

A user reports they cannot create a new environment in the Power Platform admin center. What is the most likely reason?

A. The tenant has insufficient trial capacity.
B. The user does not have a Power Apps license.
C. The user lacks the Environment Admin or Global Admin role.
D. The user's network blocks the Power Platform admin center.
Answer: C

Only admins can create environments.

Why this answer

Creating a new environment in the Power Platform admin center requires the user to have either the Environment Admin or Global Admin role in Microsoft Entra ID (formerly Azure AD). These roles grant the necessary permissions to provision environments, manage settings, and assign security roles. Without one of these roles, the 'New environment' button will be grayed out or the operation will fail with an access denied error.

Exam trap

The trap here is that candidates often assume a Power Apps license is sufficient to perform all admin tasks, but Microsoft explicitly separates licensing (for using apps) from administrative roles (for managing environments).

How to eliminate wrong answers

Option A is wrong because insufficient trial capacity prevents the creation of a trial environment, but the question does not specify that the user is trying to create a trial environment; the user could be attempting to create a production or sandbox environment, which do not rely on trial capacity. Option B is wrong because a Power Apps license is required to use Power Apps, but creating environments in the admin center is a management task that depends on administrative roles, not on having a Power Apps license assigned. Option D is wrong because while network blocks could prevent accessing the admin center URL, the user reports they cannot create a new environment, implying they can access the admin center but the creation action fails, which points to a permissions issue rather than a connectivity problem.

104
MCQ · medium

Refer to the exhibit. The JSON shows a snippet of a DLP policy. Which effect will this policy have on a Power Automate flow that uses Google Sheets and Dropbox connectors?

A. The flow will be blocked because it uses blocked connectors.
B. The flow will run but the connection references will be deleted.
C. The flow will be blocked only if it uses both connectors together.
D. The flow will run normally but will be restricted to the production environment only.
Answer: A

Both connectors are blocked, so any flow using them will not run.

Why this answer

The DLP policy in the exhibit defines a 'Blocked' connector group that includes both Google Sheets and Dropbox. In Power Automate, when a flow uses any connector listed in a blocked group, the flow is prevented from running. Since the flow uses both blocked connectors, it will be blocked entirely, regardless of whether they are used together or separately.

Exam trap

The trap here is that candidates may think DLP policies only block flows when multiple connectors from different groups are combined (cross-group sharing), but in reality, any connector placed in the 'Blocked' group alone is sufficient to block the flow entirely.

How to eliminate wrong answers

Option B is wrong because DLP policies do not delete connection references; they block the execution of flows that use blocked connectors. Option C is wrong because the policy blocks any flow that uses a blocked connector individually; it does not require both connectors to be used together. Option D is wrong because DLP policies apply across all environments unless specifically scoped, and the policy does not restrict the flow to a production environment—it blocks it entirely.

105
Multi-Select · hard

Which THREE components are part of the Power Platform environment lifecycle management?

Select 3 answers
A. Environment creation
B. Environment deletion
C. Creating users in Microsoft Entra ID
D. Environment backup and restore
E. Publishing Power BI reports
Answers: A, B, D

Creating environments is a key lifecycle operation.

Why this answer

Environment creation is a core component of Power Platform environment lifecycle management because it establishes the isolated container where apps, flows, and data reside. The lifecycle begins when an administrator provisions a new environment, which sets up a dedicated Dataverse database, security boundaries, and resource limits. Without creation, no subsequent lifecycle operations (backup, restore, deletion) can occur.

Exam trap

The trap here is that candidates confuse operational tasks (like creating users or publishing reports) with environment lifecycle management, which strictly covers the creation, deletion, backup, and restore of the environment itself, not activities that occur within it.

106
MCQ · medium

A multinational corporation uses Power Platform extensively. They have multiple environments: DEV, TEST, UAT, STAGING, and PROD. A developer accidentally published a Power App that connects to a SQL Server database using an unapproved connector in the PROD environment. The organization has strict data governance policies that require all connections to use approved connectors only. The admin needs to block this connector in PROD while still allowing it in other environments. What should the admin do?

A. Create a tenant-level DLP policy that blocks the connector for all environments.
B. Remove the developer's permissions to the PROD environment.
C. Delete the Power App from PROD.
D. Create an environment-level DLP policy for PROD that blocks the connector.
Answer: D

Environment-level policies can block connectors in specific environments without affecting others.

Why this answer

Environment-level DLP policies allow blocking connectors in specific environments. The admin should create an environment-level DLP policy for PROD that blocks the unapproved connector. This overrides the tenant-level policy that might allow it elsewhere.

107
MCQ · medium

A company uses Microsoft Power Platform and requires that all environment creation requests go through an approval process. The security team wants to prevent non-admins from creating trial environments. What should the administrator configure?

A. In Power Platform Admin Center, set 'Disable trial environments created by non-admins' to Yes
B. Assign users to an environment group with restricted permissions
C. In Power Apps settings, disable 'Allow users to create environments'
D. Create a Data Loss Prevention (DLP) policy that blocks trial environments
Answer: A

This setting prevents non-admins from creating trial environments.

Why this answer

Option A is correct because the Power Platform Admin Center provides a dedicated tenant-level setting called 'Disable trial environments created by non-admins' that, when set to 'Yes', prevents users without administrative privileges from creating trial environments. This directly addresses the security team's requirement to block non-admins from creating trial environments, as it enforces an approval-based control at the environment creation level.

Exam trap

The trap here is that candidates often confuse DLP policies with environment lifecycle controls, assuming DLP can block environment creation, when in reality DLP only governs data connectors and policies across environments, not provisioning actions.

How to eliminate wrong answers

Option B is wrong because environment groups (or environment routing groups) do not exist in Power Platform; this is a fabricated concept and cannot restrict environment creation permissions. Option C is wrong because the setting 'Allow users to create environments' in Power Apps settings is a legacy control that only applies to the default environment and does not specifically block trial environments; it also does not enforce an approval process. Option D is wrong because Data Loss Prevention (DLP) policies control data movement and connector usage across environments, not environment creation or trial environment provisioning; DLP policies cannot block the creation of environments.

108
MCQ · medium

A company needs to ensure that all Power Apps and Power Automate flows in the 'Development' environment are automatically backed up daily. What should the administrator configure?

A. Enable Dataverse backups for the Development environment
B. Enable the 'Backup Policy' in the Power Platform admin center for the Development environment
C. Schedule a daily export of all solutions using the Power Platform admin center
D. Use the 'Solution Backup' feature in the Power Platform admin center
Answer: A

Dataverse backups include data, but apps and flows are stored as solutions; however, backups cover the database, and solutions can be exported separately.

Why this answer

Option A is correct because Dataverse backups are automatically enabled for all environments, including Development, and they occur daily without additional configuration. The Power Platform admin center provides the ability to restore these backups, but the backup itself is managed by the Dataverse service, not through a separate backup policy or manual export. This ensures that all Power Apps and Power Automate flows stored in Dataverse are protected by default.

Exam trap

The trap here is that candidates may confuse the automatic Dataverse backup with a manual export or a configurable backup policy, leading them to select options that require manual intervention or do not exist in the Power Platform admin center.

How to eliminate wrong answers

Option B is wrong because there is no 'Backup Policy' feature in the Power Platform admin center; backups are automatic and not configurable via a policy setting. Option C is wrong because scheduling a daily export of all solutions is not an automated backup mechanism—it is a manual or custom process that requires additional tooling and does not cover all data (e.g., Dataverse tables). Option D is wrong because there is no 'Solution Backup' feature in the Power Platform admin center; solutions can be exported manually, but this is not an automatic daily backup solution.

109
MCQ · medium

An organization wants to allow external partners to access specific Power Apps and data without granting them full access to the tenant. What should they configure?

A. Use Microsoft Intune to manage partner devices.
B. Create a data loss prevention (DLP) policy that allows external sharing.
C. Invite partners as guest users in Microsoft Entra ID and assign them appropriate security roles in the Power Platform environment.
D. Share the app URL with the partners and ask them to sign in with their own accounts.
Answer: C

Guest users (B2B) can be assigned security roles to access specific resources.

Why this answer

Option C is correct because inviting external partners as guest users in Microsoft Entra ID (formerly Azure AD) and assigning them appropriate security roles in the Power Platform environment is the standard method for providing controlled, least-privilege access to specific Power Apps and their underlying data sources. This approach leverages Microsoft Entra B2B collaboration to create guest identities, which can then be granted access to specific environments and resources without giving them full tenant-level permissions.

Exam trap

The trap here is that candidates often confuse sharing the app URL (Option D) with a valid access method, not realizing that Power Apps requires authenticated users with appropriate permissions in the environment, and simply providing a URL does not grant access unless the user is already a guest or member of the tenant.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) solution for managing devices and apps, not a mechanism for granting external users access to Power Apps or data. Option B is wrong because a data loss prevention (DLP) policy controls how data can be shared between connectors and prevents data exfiltration, but it does not provide authentication or authorization for external users to access Power Apps. Option D is wrong because sharing the app URL and asking partners to sign in with their own accounts would require those accounts to be recognized by the tenant (e.g., as guest users) or the app to be publicly accessible, which would bypass security controls and is not a supported method for secure external access.

110
Multi-Select · hard

An organization has multiple Power Platform environments and wants to enforce consistent data loss prevention (DLP) policies across all environments. Which THREE steps should the administrator take?

Select 3 answers
A. Remove all existing environment-level DLP policies.
B. Enable audit logging to track DLP policy violations.
C. Create a DLP policy at the tenant level with the desired default rules.
D. Assign the DLP policies to each environment explicitly to override any conflicting defaults.
E. Use DLP policy profiles to define different policies for different environment types (e.g., production, development).
Answers: C, D, E

Tenant-level policies apply to all environments by default.

Why this answer

To enforce consistent DLP policies, create a policy at the tenant level, use policy profiles for different environment types, and assign policies to specific environments. Option B is incorrect because auditing does not enforce. Option A is incorrect because it does not ensure consistency.

111
MCQ · hard

A company has multiple Power Platform environments. They want to automatically apply consistent settings (e.g., DLP policies, audit settings) to all new environments. What should they do?

A. Use PowerShell scripts to configure each environment after creation.
B. Use Azure Blueprints to define and apply a set of Azure resources.
C. Create an environment group in the Power Platform admin center and assign policies to the group.
D. Use Microsoft Intune to enforce settings on Power Platform environments.
Answer: C

Environment groups allow central management of policies that apply to all environments in the group.

Why this answer

Option C is correct because environment groups allow applying policies to multiple environments. Option A is wrong because PowerShell can configure environments individually but not automatically for new ones. Option D is wrong because Microsoft Intune does not manage Power Platform settings. Option B is wrong because Azure Blueprints are for Azure resources.

112
MCQ · hard

A financial services company uses Power Automate to process loan applications. The flow uses the ‘When a new email arrives’ trigger from a shared mailbox. The flow recently stopped working after an admin changed the mailbox permissions. What is the most likely cause?

A. The mailbox exceeded its storage limit
B. The mailbox connection lost permissions to access the mailbox
C. The flow owner's Power Automate license was deleted
D. The flow was transferred to another owner
Answer: B

Permission changes can invalidate the existing connection, causing the trigger to fail.

Why this answer

Option B is correct because the connection used by the trigger may have been invalidated due to permission changes. Option A is wrong because mailbox size does not affect the trigger if permissions changed. Option C is wrong because license deletion would affect all flows, not just this one. Option D is wrong because flow owner change does not necessarily impact permissions.

113
Multi-Select · hard

Which THREE factors determine the capacity limits (database, file, log) of a Power Platform environment? (Choose three.)

Select 3 answers
A. Environment type (production vs. sandbox)
B. Number of licensed users in the tenant
C. Environment geographic region
D. Base license type (Power Apps, Power Automate, Dynamics 365)
E. Purchased capacity add-ons
Answers: A, D, E

Sandbox environments have reduced capacity limits.

Why this answer

Option A is correct because environment type (production vs. sandbox) directly determines the default capacity limits for database, file, and log storage. Production environments receive higher default entitlements, while sandbox environments are capped at 1 GB of database capacity, ensuring that testing does not consume production resources.

Exam trap

The trap here is that candidates often confuse tenant-wide capacity pooling with per-environment limits, mistakenly thinking the number of licensed users directly sets each environment's cap, when in fact the environment type and base license type are the primary determinants.

114
MCQ · medium

You are a Power Platform administrator for a medium-sized business. The company uses Power Apps and Power Automate extensively. The development team has requested the ability to create their own sandbox environments for testing without waiting for IT. However, the security team requires that all environments be subject to data loss prevention (DLP) policies and that environment creation be tracked. You need to design a solution that allows developers to self-service environment creation while maintaining governance. The developers currently have Power Apps Plan 2 licenses. What should you do?

A. Assign the Power Platform Administrator role to all developers.
B. Disable environment creation for non-admins and have developers submit requests to IT.
C. Install the CoE Starter Kit and configure the environment creation policy to allow all users.
D. Create a security group in Microsoft Entra ID, add developers, and configure tenant settings to allow only members of that group to create environments. Enable audit logging.
Answer: D

This enables self-service while restricting creation to approved users and tracking activity.

Why this answer

The best approach is to create a security group in Microsoft Entra ID, add developers to it, and then configure the tenant settings to allow that group to create environments. Additionally, enable audit logging to track creation. Option A is incorrect because assigning the Power Platform Administrator role gives too much privilege.

Option B is incorrect because disabling creation for non-admins prevents self-service. Option C is incorrect because the CoE Starter Kit is for governance but does not directly enable self-service creation.

115
MCQ · easy

An organization wants to enable Microsoft Copilot Studio (formerly Power Virtual Agents) to answer questions from employees about company policies. The chatbot must only use internal company documents stored in SharePoint as its knowledge source. Which configuration should the administrator use?

A. Enable the 'Use generative AI' feature in the Power Platform admin center
B. Deploy a custom connector to SharePoint
C. Create a Power Automate flow to fetch data from SharePoint and pass it to the chatbot
D. Add a SharePoint knowledge source in Copilot Studio and configure authentication to use the company's Microsoft Entra ID
Answer: D

This allows the chatbot to access SharePoint documents securely.

Why this answer

Option D is correct because Microsoft Copilot Studio allows administrators to add SharePoint as a knowledge source directly, enabling the chatbot to retrieve answers from internal documents without custom development. Configuring authentication with Microsoft Entra ID ensures that only authorized users can access the company policies, maintaining security and compliance.

Exam trap

The trap here is that candidates may overcomplicate the solution by thinking a custom connector or Power Automate flow is required, when in fact Copilot Studio's native SharePoint integration handles the connection directly.

How to eliminate wrong answers

Option A is wrong because the 'Use generative AI' feature in the Power Platform admin center is a tenant-level setting that enables AI capabilities across environments, but it does not directly connect a chatbot to SharePoint documents as a knowledge source. Option B is wrong because deploying a custom connector to SharePoint is unnecessary and overly complex; Copilot Studio natively supports SharePoint as a knowledge source without requiring custom connectors. Option C is wrong because creating a Power Automate flow to fetch data from SharePoint and pass it to the chatbot introduces unnecessary latency and complexity, whereas Copilot Studio can directly query SharePoint using its built-in integration.

116
MCQ · hard

A Power Platform administrator is configuring data loss prevention (DLP) policies. The company uses Power Automate flows that connect to Microsoft SharePoint and Microsoft Teams. The security team wants to block any flow from sending data from SharePoint to unsanctioned third-party services. Which DLP policy configuration should the administrator apply?

A. Create a policy that only applies to non-production environments
B. Classify SharePoint as Business and all third-party services as Blocked
C. Classify SharePoint as Business and all third-party services as Non-Business
D. Classify all connectors as Blocked
Answer: B

Blocked group prevents any connection to those services.

Why this answer

Option B is correct because DLP policies in Power Platform allow administrators to classify connectors into Business, Non-Business, and Blocked categories. By classifying SharePoint as Business and all third-party services as Blocked, the administrator ensures that no flow can send data from SharePoint to unsanctioned third-party connectors, as blocked connectors cannot be used in any flow that also uses a Business connector. This directly enforces the security team's requirement to prevent data exfiltration to unsanctioned services.

Exam trap

The trap here is that candidates often confuse 'Non-Business' with 'Blocked', not realizing that Non-Business connectors can still be used in flows alongside Business connectors, whereas only the Blocked category prevents data from being sent to those services entirely.

How to eliminate wrong answers

Option A is wrong because applying a policy only to non-production environments would not protect production flows that connect SharePoint to unsanctioned third-party services, leaving the security requirement unmet. Option C is wrong because classifying third-party services as Non-Business would still allow flows to use both Business (SharePoint) and Non-Business connectors in the same flow, which does not block data from being sent to those services—only the 'Blocked' category prevents connector usage entirely. Option D is wrong because classifying all connectors as Blocked would prevent all flows from using any connector, including SharePoint and Teams, which would break legitimate business flows and is not the targeted restriction the security team requires.

117
MCQ · easy

A hospital uses Power Apps to manage patient intake forms. The app stores data in Microsoft Dataverse. The security policy requires that patient health information (PHI) be encrypted at rest and in transit. The environment is already configured with default Dataverse settings. The IT admin needs to ensure compliance. What should the admin do?

A. Enable customer-managed encryption keys for Dataverse.
B. No further action is needed; Dataverse encrypts data at rest and in transit by default.
C. Configure a VPN for all access to the environment.
D. Use Power Automate to encrypt data before storing it in Dataverse.
Answer: B

Dataverse provides encryption by default, meeting the requirements.

Why this answer

Dataverse provides encryption at rest by default (using Microsoft-managed keys) and encryption in transit (TLS). No additional configuration is needed unless the organization requires customer-managed keys, which is not mentioned.

118
MCQ · hard

An organization has multiple Power Platform environments. The security team mandates that all environments must use Microsoft Entra ID conditional access policies to enforce multi-factor authentication. However, one environment hosts a service account that cannot perform interactive logins. What should the administrator do to comply without breaking the service account?

A. Create a new environment for the service account
B. Change the service account to use interactive login
C. Exclude the service account from the conditional access policy
D. Disable MFA for that environment
Answer: C

This allows MFA for users while exempting the service account.

Why this answer

Excluding the service account from the conditional access policy is the correct approach because service accounts cannot perform MFA. Option D is wrong because disabling MFA for the entire environment weakens security. Option B is wrong because changing the service account to interactive login is not feasible. Option A is wrong because creating a new environment does not resolve the policy conflict.

119
MCQ · hard

A Power Platform administrator needs to move a canvas app and its associated Dataverse data from a development environment to a test environment. The solution must preserve data and configuration. Which approach should the administrator use?

A. Create a managed solution containing the app and Dataverse data using configuration data export
B. Export the canvas app as a managed solution and import it into test
C. Recreate the app in test and manually re-enter data
D. Use the 'Copy environment' feature in Power Platform Admin Center
Answer: A

Managed solutions can include data via configuration data export.

Why this answer

Option A is correct because managed solutions allow exporting and importing with data via configuration data. Option D is incorrect because copy environment copies the entire environment, which may not be desired. Option B is incorrect because exporting as a package without data loses data. Option C is incorrect because manual recreation is error-prone and not recommended.

120
MCQ · medium

You are the Power Platform administrator for a retail company. The company has a single default environment that all employees use to build and run Power Apps and Power Automate flows. Recently, the IT department noticed that some users are accidentally deleting shared flows that are critical to business operations. To prevent this, you need to implement a solution that allows users to create and edit their own flows, but prevents them from deleting flows owned by others. Additionally, you want to ensure that only approved connectors are used to protect sensitive data. You have been granted permissions to manage environments and security roles. What should you do?

A. Remove the delete permission for all flows from all users
B. Create a new environment, assign users the Environment Maker role, and implement a DLP policy
C. Enable audit logging and rely on manual review of deletions
D. Share all critical flows with read-only access to all users
Answer: B

This provides control over permissions and connectors.

Why this answer

Creating a new environment with appropriate security roles allows you to control permissions. Assigning the Environment Maker role allows users to create and edit their own flows, but they cannot delete others' flows. Implementing a DLP policy restricts connectors. Option D is wrong because sharing does not prevent deletion. Option A is wrong because removing delete permission for all flows also prevents legitimate cleanup. Changing the default environment settings does not provide granular control.

121
Multi-Select · medium

Which TWO actions can a Power Platform admin perform in the Power Platform admin center to manage environments? (Choose two.)

Select 2 answers
A. Modify Dataverse table schemas.
B. Create and delete environments.
C. Manage environment security roles.
D. Assign Power Apps licenses to users.
E. Create Microsoft Entra ID security groups.
Answers: B, C

Environment management is a core function in the admin center.

Why this answer

Options B and C are correct. An admin can create and delete environments, and manage environment security roles. Option D is wrong because assigning licenses is done in the Microsoft 365 admin center. Option E is wrong because creating Microsoft Entra ID groups is done in the Entra admin center. Option A is wrong because modifying Dataverse schema is done in the Power Apps maker portal.

122
Multi-Select · easy

Which TWO roles can manage Power Platform environments at the tenant level?

Select 2 answers
A. Environment Admin
B. Power Platform Administrator
C. Dynamics 365 Administrator
D. System Administrator
E. Global Administrator
Answers: B, C

This role has tenant-level admin access to Power Platform.

Why this answer

Options B and C are correct. Power Platform Administrator and Dynamics 365 Administrator have tenant-level admin access to Power Platform. Option A is wrong because Environment Admin can only manage specific environments. Option D is wrong because System Administrator is a Dataverse role, not tenant-level. Option E is wrong because Global Admin has too broad access but is not specifically a Power Platform role.

123
MCQ · easy

You are a Power Platform administrator. A user reports that they are unable to share a canvas app with external users. What is the most likely cause?

A. The environment is not enabled for external sharing.
B. The environment is a sandbox environment, which does not support external sharing.
C. The environment has a data loss prevention (DLP) policy that blocks sharing.
D. External users must have a Power Apps license to access the app.
Answer: A

External sharing must be enabled in the environment settings.

Why this answer

The correct answer is A because sharing canvas apps with external users requires that the environment is enabled for external sharing and the user has the appropriate permissions. Option C is incorrect because DLP policies do not affect sharing. Option D is incorrect because external users do not need a Power Apps license if the app is shared with them and they have appropriate access. Option B is incorrect because the environment type does not determine sharing capabilities; sandbox and production environments both support external sharing if configured.

124
MCQ · medium

Your organization uses Power Automate to automate business processes. A flow that runs daily fails intermittently with 'HTTP 429 - Too Many Requests' errors. What should you do to resolve this issue?

A.Increase the frequency of the flow to run more often.
B.Change the flow trigger from a schedule to an instant trigger.
C.Set up an on-premises data gateway to bypass the throttling limits.
D.Configure retry policies with exponential backoff in the flow actions.
AnswerD

Retry policies with backoff help manage throttling by spacing out retries.

Why this answer

The correct answer is D because HTTP 429 errors indicate throttling. Implementing retry policies with exponential backoff allows the flow to retry after a delay, reducing the request rate. Option A is incorrect because increasing the flow run frequency would increase the number of requests, worsening the issue.

Option B is incorrect because changing the trigger type does not address throttling. Option C is incorrect because using an on-premises data gateway does not affect throttling limits.

125
Multi-Selectmedium

A global consulting firm uses Power Platform with environments in multiple regions. They need to enforce data loss prevention (DLP) policies that are consistent across all environments, but allow exceptions for specific connectors in a single environment used for a high-security client project. Which three components should they configure?

Select 3 answers
A.Power Apps component library
B.Environment-level DLP policy
C.Power Automate Cloud Flow
D.Tenant-level DLP policy
E.Connector classification
AnswersB, D, E

Environment-level policies can override tenant policies for specific environments to allow exceptions.

Why this answer

Environment-level DLP policies can be created to override tenant-level policies for specific environments. The tenant-level DLP policy provides a baseline. Connector classification (e.g., Blocked, Business, Non-business) is part of DLP policy configuration.

126
MCQeasy

A company uses Power Automate flows that access Microsoft SharePoint and Microsoft Dataverse. They want to prevent data from leaving the organization. What should they configure?

A.Configure Microsoft Purview to automatically classify and protect data in Power Automate.
B.Enable Microsoft Defender XDR to monitor for suspicious data transfers.
C.Create a data loss prevention (DLP) policy in the Power Platform admin center that blocks sharing data with external connectors.
D.Apply Microsoft Entra ID Conditional Access policies to require managed devices.
AnswerC

DLP policies can restrict connectors to prevent data exfiltration.

Why this answer

Option C is correct because Data Loss Prevention (DLP) policies in the Power Platform admin center are specifically designed to prevent data from leaving the organization by controlling which connectors can share data. By blocking external connectors, the policy ensures that SharePoint and Dataverse data cannot be sent to unauthorized external services, directly addressing the requirement.

Exam trap

The trap here is that candidates often confuse data loss prevention with broader security tools like Microsoft Purview or Conditional Access, not realizing that DLP policies are the specific Power Platform feature for controlling connector-level data flow.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview focuses on data classification and protection (e.g., labeling and encryption) but does not block data transfers between connectors in Power Automate flows. Option B is wrong because Microsoft Defender XDR is a threat detection and response tool for monitoring security incidents, not a mechanism to prevent data exfiltration via Power Automate connectors. Option D is wrong because Microsoft Entra ID Conditional Access policies control access based on device compliance or location, but they do not restrict how data flows between connectors within Power Automate.

127
MCQhard

An organization uses Microsoft Power Platform and wants to implement a governance strategy that automatically blocks the creation of environments in specific regions to comply with company policy. What should the administrator do?

A.Create a support ticket with Microsoft to block regions.
B.Implement capacity limits that prevent creation in disallowed regions.
C.Use the Power Platform admin center to define allowed data locations for environment creation.
D.Set the default environment region in tenant settings to the allowed region.
AnswerC

This policy restricts environment creation to specified geographic regions.

Why this answer

Power Platform admin center allows setting location policies to restrict environment creation to specific regions. Option A is incorrect because the tenant default region is not a restriction. Option B is incorrect because capacity limits do not block by region.

Option D is incorrect because they do not want to allow all regions.

128
MCQhard

An organization has multiple Power Platform environments including production, development, and test. They want to ensure that changes made in development are promoted to test and then to production, with approval gates. Which feature should they use?

A.Use Power Apps check-in feature and version history.
B.Use unmanaged solutions and export/import manually between environments.
C.Use managed solutions with environment variables and configure deployment pipelines.
D.Export solutions to a SharePoint document library and import from there.
AnswerC

Managed solutions and deployment pipelines enable staged promotions with approvals.

Why this answer

Option C is correct because managed solutions with environment variables and ALM (Application Lifecycle Management) using pipelines or Azure DevOps provide structured promotion with approvals. Option B is wrong because simply using unmanaged solutions does not enforce approval gates. Option A is wrong because Power Apps check-in is not part of ALM.

Option D is wrong because exporting to a SharePoint library lacks approval controls.

129
Multi-Selectmedium

Which TWO actions can a Power Platform administrator perform in the Power Platform admin center?

Select 2 answers
A.Manage SharePoint Online site collections
B.Manage Exchange Online mailboxes
C.Create and delete environments
D.Create data loss prevention policies
E.Manage Microsoft Entra ID roles
AnswersC, D

This is a core function of the Power Platform admin center.

Why this answer

Option C is correct because the Power Platform admin center provides administrators with the ability to create and delete environments, which are isolated containers for managing apps, flows, and data. This is a core administrative function that directly controls the lifecycle of Power Platform resources.

Exam trap

The trap here is that candidates may confuse the Power Platform admin center with the broader Microsoft 365 admin center, assuming it can manage all Microsoft 365 workloads like SharePoint and Exchange, when in reality it is scoped to Power Platform-specific tasks such as environment management and DLP policies.

130
MCQeasy

A Power Platform administrator wants to see the capacity usage of all environments in the tenant. Where should they look?

A.Power Platform admin center > Environments
B.Power Platform admin center > Capacity
C.Power Platform admin center > Analytics
D.Power Platform admin center > Billing
AnswerB

The Capacity page shows storage and add-on capacity usage across all environments.

Why this answer

The Capacity page in the Power Platform admin center provides a tenant-level view of all capacity entitlements (database, file, log) and their consumption across environments. This is the dedicated location for monitoring capacity usage, including add-ons and storage overages, as documented in Microsoft's capacity management guidance.

Exam trap

The trap here is that candidates confuse the Environments list (where you manage individual environment settings) with the Capacity page (which is the sole location for tenant-wide storage monitoring), leading them to select the more familiar Environments option.

How to eliminate wrong answers

Option A is wrong because the Environments page lists individual environments and their details but does not aggregate capacity usage across the tenant. Option C is wrong because Analytics provides usage and adoption metrics (e.g., active users, API calls) rather than raw capacity consumption. Option D is wrong because Billing handles subscription, licensing, and invoice information, not the technical capacity allocation or usage tracking.

131
Multi-Selecteasy

Which TWO are best practices for managing Power Platform environments in a large enterprise?

Select 2 answers
A.Give all users the ability to create environments
B.Assign the System Administrator role to all users
C.Use a single environment for all apps
D.Use separate environments for development, test, and production
E.Apply DLP policies to control data flow between connectors
AnswersD, E

This follows ALM best practices.

Why this answer

Options D and E are correct because using separate environments for development, test, and production (D) and implementing DLP policies (E) are best practices. Option A is incorrect because giving all users environment creation rights can lead to sprawl. Option B is incorrect because assigning the System Administrator role to all users is a security risk.

Option C is incorrect because using a single environment is not recommended for enterprise governance.

132
MCQhard

Your organization has a Power Apps portal that allows external users to submit support tickets. You need to ensure that only authenticated external users from specific domains can access the portal. What should you configure?

A.Create a data loss prevention (DLP) policy that blocks external users.
B.Restrict access to the portal by IP address using a web application firewall.
C.Share the portal URL only with users from the allowed domains.
D.Configure the portal to use Microsoft Entra ID authentication and set up domain restrictions.
AnswerD

Microsoft Entra ID allows domain-based access restrictions.

Why this answer

Option D is correct because Power Apps portals can be configured to use Microsoft Entra ID (formerly Azure AD) as the identity provider, and within the portal settings you can restrict sign-in to users from specific domains. This ensures that only authenticated external users whose email domain matches the allowed list can access the portal, meeting the requirement without relying on IP filtering or obscurity.

Exam trap

The trap here is that candidates often confuse DLP policies (which control data connectors) with access control mechanisms, or they mistakenly believe that simply sharing a URL (security by obscurity) or using IP restrictions (which don't authenticate users) can satisfy domain-based authentication requirements.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) policy controls which connectors can be used in Power Apps and Power Automate flows, not who can access a portal; it cannot block external users from accessing the portal itself. Option B is wrong because restricting by IP address using a web application firewall (WAF) would block or allow traffic based on network location, not on user authentication or domain membership, and external users may have dynamic IPs. Option C is wrong because sharing the portal URL only with allowed domains relies on security through obscurity and does not enforce authentication; anyone who obtains the URL can access the portal unless additional authentication and domain restrictions are configured.

133
MCQhard

You are the Power Platform administrator for a large financial services organization. The organization has three environments: Dev, Test, and Prod. The Dev environment is used by a team of 10 developers who frequently create and test solutions. The Test environment is for quality assurance, and Prod is for live applications. Recently, the compliance team has mandated that all environments must have audit logging enabled to track changes and user activities. Additionally, the organization wants to implement a policy that prevents the use of connectors that transmit data outside the organization's Azure region. The compliance team also requires that any new environment created in the future automatically inherits these audit and DLP policies. You need to configure the environment settings to meet these requirements. What should you do?

A.Enable audit logging and create a tenant-level DLP policy that applies to all environments
B.Configure audit logging and DLP policies individually for each environment
C.Create a tenant-level DLP policy that warns users about data transmission
D.Enable audit logging in the Prod environment and create a DLP policy for Dev and Test only
AnswerA

Tenant-level settings apply to current and future environments.

Why this answer

Enabling audit logging and creating a DLP policy at the tenant level ensures all environments inherit these settings. Option D is wrong because enabling audit only in Prod does not meet the mandate for all environments. Option B is wrong because configuring each environment individually is inefficient and does not automatically apply to new environments.

Option C is wrong because a tenant-level policy with a warning does not block data transmission as required.

134
MCQmedium

An organization is using Power Virtual Agents (now Copilot Studio) to create a customer service chatbot. The chatbot must be available only to users inside the organization, not to external customers. What should the administrator do?

A.Configure authentication in the chatbot
B.Publish the chatbot to a public website
C.Create a new environment for the chatbot
D.Disable analytics for the chatbot
AnswerA

Authentication restricts access to authenticated internal users.

Why this answer

Configuring authentication in the chatbot ensures only internal users can access it. Option C is wrong because creating a new environment does not restrict access. Option B is wrong because publishing to a public website would make it accessible externally.

Option D is wrong because disabling analytics does not affect access.

135
MCQhard

A government agency uses Power Platform with strict compliance requirements. They need to retain all audit logs of user activities within Power Platform for at least 7 years. The agency uses Microsoft Purview for compliance and Microsoft Sentinel for security monitoring. The admin needs to ensure that all Power Platform audit events are captured and retained for the required period. What should the admin do?

A.Export audit logs to Azure Blob Storage and set a retention policy there.
B.Use Microsoft Sentinel to store and retain the logs for 7 years.
C.Configure a retention policy in Microsoft Purview for the Power Platform audit logs.
D.Enable audit logging in each Power Platform environment's settings.
AnswerC

Purview allows setting retention policies for audit logs to meet the 7-year requirement.

Why this answer

Power Platform audit logs are routed to the Microsoft 365 Audit log, which can be integrated with Microsoft Purview for retention policies. The admin should configure a retention policy in Microsoft Purview to retain audit logs for 7 years.

136
MCQhard

A company is migrating their Power Platform environments from one tenant to another. They need to ensure that all solution components, including Canvas apps and flows, are moved. Which tool should be used?

A.Manual export and import of solutions
B.Power Platform CLI
C.Configuration Migration tool
D.Solution Checker
AnswerC

This tool is designed for moving solution components and data across environments or tenants.

Why this answer

The Configuration Migration tool is the correct choice because it is specifically designed to move solution components, including Canvas apps and flows, along with their configuration data across environments or tenants. Manual export/import of solutions would not handle data dependencies, and the Power Platform CLI is more suited for automation and development tasks rather than tenant-to-tenant migrations. The Configuration Migration tool ensures that all solution artifacts and their associated data are transferred intact.

Exam trap

The trap here is that candidates confuse the Configuration Migration tool (for data and component migration) with the Solution Checker (a validation tool) or the Power Platform CLI (a development automation tool), leading them to pick a wrong answer based on familiarity with the tool name rather than its specific purpose.

How to eliminate wrong answers

Option A is wrong because manual export and import of solutions only moves solution metadata and components, but does not migrate configuration data or handle tenant-to-tenant data dependencies, leading to incomplete migration. Option B is wrong because the Power Platform CLI is primarily used for development automation, building pipelines, and managing environments, not for tenant-to-tenant migration of solution components with data. Option D is wrong because the Solution Checker is a static analysis tool that validates solutions against best practices and performance rules, not a migration tool.

137
Multi-Selecthard

Which THREE actions can a Power Platform administrator perform in the Power Platform admin center to manage environments?

Select 3 answers
A.Create a new environment
B.Create a new Microsoft Entra ID security group
C.Install a managed solution from AppSource
D.Delete an environment
E.Back up and restore an environment
AnswersA, D, E

Admins can create environments.

Why this answer

Option A is correct because the Power Platform admin center provides administrators with the ability to create new environments, which are containers for managing apps, flows, and data. This action is a core administrative task for organizing and isolating resources within a tenant.

Exam trap

The trap here is that candidates may confuse environment-level actions (like installing solutions) with tenant-level administrative actions, or assume that security group creation is part of Power Platform administration when it is actually a separate Entra ID task.

138
MCQmedium

A company is deploying Microsoft Power Platform to multiple departments. The security team requires that all environment creation be restricted to a specific group of administrators. Which two actions should the Power Platform administrator take?

A.Create a security group in Microsoft Entra ID that includes the allowed administrators.
B.Disable environment creation for all users in the Power Platform admin center.
C.Install the CoE Starter Kit and configure environment creation policies.
D.Assign the Environment Admin role to the security group in the Power Platform admin center.
AnswerA

This group is used to identify who can create environments.

Why this answer

To restrict environment creation, the administrator should create a security group in Microsoft Entra ID for allowed creators and then configure the tenant settings to restrict creation to that group. Option B is wrong because disabling creation for everyone is too restrictive and not granular. Option D is wrong because assigning the Environment Admin role does not control creation.

Option C is wrong because the CoE Starter Kit does not restrict creation.

139
MCQeasy

A non-profit organization uses Power Platform to manage donor information. The organization wants to ensure that only users in the ‘Donor Managers’ security group can edit records in the ‘Donations’ table. What is the best way to achieve this?

A.Create a DLP policy to restrict edit connectors
B.Use a business process flow to require approval
C.Share the canvas app only with the security group
D.Assign a custom security role that grants edit permissions on the Donations table to the security group
AnswerD

This ensures only members of that group can edit the table.

Why this answer

Option D is correct because the most direct and secure method to control record-level permissions in Dataverse is to assign a custom security role with specific edit privileges on the Donations table to the 'Donor Managers' security group. This leverages Dataverse role-based security, which governs CRUD operations at the table level, ensuring that only members of that group can edit records without affecting other tables or users.

Exam trap

The trap here is that candidates confuse app-level sharing (Option C) with data-level security, forgetting that a canvas app's sharing settings only control access to the app interface, not the underlying Dataverse record permissions.

How to eliminate wrong answers

Option A is wrong because DLP policies control which connectors can be used in apps and flows, not who can edit records in a Dataverse table; they are for data loss prevention, not access control. Option B is wrong because a business process flow guides users through a sequence of stages and steps but does not enforce edit permissions; it requires additional logic (e.g., Power Automate) to check security group membership and cannot natively restrict editing. Option C is wrong because sharing a canvas app only controls who can open the app, not who can edit records in the underlying Dataverse table; a user could still edit records through other interfaces (e.g., model-driven app, API) if they have the appropriate security role.

140
MCQeasy

Refer to the exhibit.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.PowerPlatform/enterprisePolicies",
      "apiVersion": "2021-01-01",
      "name": "myDlpPolicy",
      "location": "eastus",
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.PowerPlatform/policyDefinitions/2021-01-01/schema.json#",
          "rules": [
            {
              "name": "Block SharePoint",
              "action": "Block",
              "connectors": [
                "shared_sharepointonline"
              ]
            }
          ]
        }
      }
    }
  ]
}

An admin deploys this ARM template to create a DLP policy. After deployment, users report they can still use the SharePoint connector in Power Automate. What is the most likely reason?

A.The resource type should be 'Microsoft.PowerPlatform/dlpPolicies'
B.The policy was not applied to the environment where users are working
C.The policy name does not match the connector name
D.The policy is applied at the tenant level and does not affect individual environments
AnswerA

The ARM resource type for DLP policies is different; the template uses an incorrect type.

Why this answer

Option A is correct because the resource type 'Microsoft.PowerPlatform/enterprisePolicies' is used for creating policies, but the API version and properties may not be correct for DLP policies. The correct resource type for DLP policies is 'Microsoft.PowerPlatform/dlpPolicies'. Option B is wrong because the environment might not have the policy applied, but the template attempts to create a policy.

Option D is wrong because the policy is created at the tenant level, not per environment. Option C is wrong because the policy name is set correctly.

141
MCQeasy

A company has a Power Apps app that uses Microsoft Dataverse. They need to ensure that only users with a specific security role can access the app. Where should the administrator configure this?

A.App-level permissions in the Power Apps app settings
B.Environment-level security roles in Power Platform Admin Center
C.Dataverse security roles in the 'Roles' area of the environment
D.Share the app with users directly from the Power Apps maker portal
AnswerA

You can assign security roles to control access to the app.

Why this answer

Option A is correct because app-level permissions in Power Apps are managed via security roles in the app's settings. Option B is incorrect because environment-level permissions control access to environments, not specific apps. Option D is incorrect because the Power Apps share dialog is for sharing with individuals, not roles.

Option C is incorrect because Dataverse roles are broader; the app itself should have role-based access.

142
MCQmedium

Your organization has multiple Power Platform environments. You need to ensure that a specific connector (e.g., SQL Server) is blocked in the production environment but allowed in the development environment. What should you configure?

A.Set the connector's API rate limits to zero in the production environment.
B.Modify the connector's sharing settings in the environment.
C.Configure environment-level security roles to restrict connector usage.
D.Create a data loss prevention (DLP) policy and assign it to the production environment.
AnswerD

DLP policies can block specific connectors in specific environments.

Why this answer

Data loss prevention (DLP) policies in Power Platform allow administrators to classify connectors as Blocked, Business Data Only, or No Business Data Allowed. By creating a DLP policy and assigning it to the production environment, you can specifically block the SQL Server connector in that environment while leaving it available in the development environment, which is not assigned the same policy.

Exam trap

The trap here is that candidates often confuse environment security roles (which manage user permissions) with DLP policies (which manage connector availability), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because setting API rate limits to zero does not block a connector; it only throttles the number of requests, and the connector would still be available for use, just limited in throughput. Option B is wrong because connector sharing settings control who can share the connector with others, not whether the connector itself is available for use in an environment. Option C is wrong because environment-level security roles control user permissions (e.g., who can create or use resources), but they do not provide a mechanism to block specific connectors; DLP policies are the dedicated feature for connector classification and restriction.

143
Multi-Selectmedium

A Power Platform administrator is planning to implement environment lifecycle management. Which TWO actions should the administrator take to ensure unused environments are automatically cleaned up?

Select 2 answers
A.Assign the Environment Admin role to all makers so they can delete their own environments.
B.Use the Power Platform Copilot to identify unused environments.
C.Manually review environments each month.
D.Create a Power Automate flow that runs periodically and deletes environments that have not been accessed in 30 days.
E.Set an environment retention policy in the Power Platform admin center to delete environments after a period of inactivity.
AnswersD, E

This provides a custom automatic solution.

Why this answer

Setting an environment retention policy and creating a Power Automate flow to check inactivity are two valid approaches. Option A is not automatic. Option D is not automatic.

Option E is not directly related to cleanup.

144
MCQhard

A company uses Power Virtual Agents (now Copilot Studio) to build a customer service chatbot. The bot needs to securely escalate to a live agent when it cannot resolve the issue. The escalation must pass the conversation context to the agent. What should the bot use?

A.HTTP request to a webhook
B.Transfer conversation action
C.Power Automate flow trigger
D.Custom connector for the live agent system
AnswerB

This built-in action passes context to the assigned live agent.

Why this answer

Option B is correct because the 'Transfer conversation' action in Copilot Studio passes context to the next agent. Option A is wrong because HTTP requests do not inherently pass conversation context to a human agent. Option D is wrong because a custom connector is overkill and does not directly manage escalation.

Option C is wrong because a Power Automate flow can be used but the built-in transfer action is simpler and designed for this purpose.

145
MCQhard

Your organization uses Power Virtual Agents (now Copilot Studio) for customer service. You need to ensure that the bot can access customer data from a Dataverse table that contains sensitive information. What is the best approach to secure the data?

A.Configure a data loss prevention (DLP) policy to block the bot from accessing the table.
B.Use the bot's authentication settings to require multi-factor authentication.
C.Assign appropriate security roles and field-level security to the bot's service principal.
D.Restrict access to the environment to only the bot's service account.
AnswerC

Security roles and field-level security can restrict data access for the bot.

Why this answer

The correct answer is C because using Dataverse security roles and field-level security allows you to control access to the sensitive data within the bot. Option A is incorrect because DLP policies do not control data access within Dataverse. Option D is incorrect because environment-level security roles affect all users, not just the bot.

Option B is incorrect because the bot's authentication settings control user identity, not data access.

146
MCQmedium

A company uses Microsoft Power Platform and wants to enforce data loss prevention (DLP) policies for all environments. The admin needs to block the use of SharePoint connector in all default environments. Which action should the admin take?

A.Create a DLP policy and assign it to the default environment only.
B.Use Microsoft Entra ID conditional access to block the SharePoint connector.
C.Create a DLP policy that applies to all environments and block the SharePoint connector.
D.Configure connector sharing settings in Power Apps to block SharePoint.
AnswerC

A DLP policy can be scoped to all environments and block specific connectors.

Why this answer

Option C is correct because DLP policies in Microsoft Power Platform are designed to control connector usage across environments. By creating a DLP policy that applies to all environments and blocking the SharePoint connector, the admin ensures that the connector is prohibited in every environment, including all default environments. This action directly enforces the data loss prevention requirement at the tenant level.

Exam trap

The trap here is that candidates may confuse DLP policies with other security controls like conditional access or connector sharing settings, mistakenly thinking those can block connector usage at the environment level.

How to eliminate wrong answers

Option A is wrong because assigning a DLP policy to the default environment only would not block the SharePoint connector in other environments, leaving them unprotected. Option B is wrong because Microsoft Entra ID conditional access controls user authentication and access to applications, not connector-level data policies within Power Platform; it cannot block a specific connector like SharePoint. Option D is wrong because connector sharing settings in Power Apps control who can share apps using a connector, not whether the connector itself can be used; blocking the connector requires a DLP policy, not sharing settings.

147
MCQhard

A company uses Microsoft Copilot Studio to create a custom copilot. The copilot needs to access customer data stored in a Dataverse table that contains sensitive information. The compliance team requires that data accessed by the copilot must be audited. What should the admin configure?

A.Deploy Microsoft Sentinel to monitor copilot behavior.
B.Configure a DLP policy to block non-compliant data access.
C.Enable auditing in Microsoft Purview and log copilot interactions.
D.Use Copilot Studio analytics to track usage.
AnswerC

Microsoft Purview provides audit logging for Power Platform and Copilot Studio.

Why this answer

Option C is correct because Microsoft Purview auditing captures detailed logs of user and admin activities, including interactions with custom copilots built in Copilot Studio. By enabling auditing in Purview and logging copilot interactions, the admin can meet the compliance requirement to audit all data accessed by the copilot, ensuring a traceable record of sensitive customer data access.

Exam trap

The trap here is that candidates often confuse analytics (usage metrics) with auditing (compliance logging), or assume that a DLP policy alone satisfies audit requirements, when in fact auditing must be explicitly enabled in Microsoft Purview to capture detailed interaction logs.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM tool used for threat detection and response, not for auditing specific copilot data access logs; it can ingest audit logs but does not replace the need to enable auditing in Purview. Option B is wrong because a DLP policy prevents data leakage by blocking non-compliant actions but does not generate audit logs or provide a historical record of data access. Option D is wrong because Copilot Studio analytics tracks usage metrics like session counts and user satisfaction, not detailed audit trails of data access required for compliance.

148
Multi-Select medium

A Power Platform administrator needs to delegate environment administration to a team member without granting full tenant-level admin rights. Which TWO roles can the administrator assign?

Select 2 answers
A. Power Platform Service Admin
B. Environment Admin
C. Microsoft Entra ID Admin
D. Dynamics 365 Admin
E. Global Admin
Answers: A, B

Service Admin can manage environments without full tenant access.

Why this answer

Option A and Option C are correct. Environment Admin has full control over a specific environment. Service Admin (Power Platform) can manage environments but not tenant-level settings.

Option B (Global Admin) has full tenant-level rights. Option D (Microsoft Entra ID Admin) does not have Power Platform environment management. Option E (Dynamics 365 Admin) is similar to Service Admin but specific to Dynamics 365.

149
MCQ hard

A Power Platform administrator needs to ensure that only certain users can create Power Apps in the 'Production' environment. What is the recommended approach?

A. Create a DLP policy that blocks app creation for unauthorized users
B. Disable 'Create apps' in the Power Platform admin center for the tenant
C. Use Microsoft Entra ID to create a role that blocks 'Create Apps'
D. Assign a custom security role in Dataverse that excludes 'Create App' privilege for the Production environment
Answer: D

Custom security roles can control app creation at the environment level.

Why this answer

Option C is correct because environment security roles can be customized to restrict app creation. Option A is wrong because the DLP policy does not control who can create apps. Option B is wrong because tenant-level settings affect all environments.

Option D is wrong because there is no 'Create Apps' role in Entra ID.

150
MCQ medium

The exhibit shows a JSON snippet used to create a Power Platform environment via the Power Platform API. The administrator runs the script but the environment is created with the default language and currency instead of the specified values. What is the most likely reason?

A. The JSON syntax is invalid because of the empty securityGroupId.
B. The API version used does not support specifying language and currency.
C. The environment name "ContosoSales" is already in use.
D. The location "eastus" is not a valid Azure region for Power Platform.
Answer: A

An empty GUID may cause the API to ignore the dataverse configuration and apply defaults.

Why this answer

The JSON uses "securityGroupId" as an empty GUID (all zeros). The correct property for Dataverse settings is "securityGroupId" but an empty GUID may be interpreted as null, causing the default to be used. However, the more likely issue is that the JSON structure is incorrect: the properties should be nested under "dataverse" properly, but the exhibit shows correct nesting.

Another possibility: the API version used does not support these properties. But the most common cause is that the securityGroupId is invalid (empty) and the API ignores the entire dataverse block. Option A is incorrect because the location is correct.

Option B is incorrect because the environment name is correct. Option C is incorrect because the syntax is valid.
