CCNA Design security operations, identity, and compliance capabilities Questions

75 of 231 questions · Page 2/4 · Design security operations, identity, and compliance capabilities · Answers revealed

76
Multi-Select (medium)

Your organization is designing a privileged access strategy using Microsoft Entra ID. Which TWO configurations should be part of the design to protect privileged accounts?

Select 2 answers
A. Require multi-factor authentication for all administrative roles via Conditional Access
B. Enable security defaults
C. Implement Privileged Identity Management (PIM) for just-in-time access
D. Enable self-service password reset for admins
E. Disable multi-factor authentication for emergency admin accounts
Answers: A, C

MFA adds a strong layer of security for privileged accounts.

Why this answer

Options A and C are correct. Option A: Conditional Access with MFA for admin roles reduces risk of credential theft. Option C: Privileged Identity Management (PIM) provides just-in-time access and approval workflows.

Option B is wrong because security defaults enforce MFA for all users but lack granularity for privileged roles. Option D is wrong because self-service password reset is not specific to privileged accounts and does not protect against misuse. Option E is wrong because disabling MFA would weaken security.

77
MCQ (easy)

You need to design a security operations strategy for a hybrid environment using Microsoft Sentinel. Your environment includes on-premises servers and Azure VMs. Which data connector should you use to collect security events from both sources?

A. Azure Activity log connector
B. Windows Security Events via AMA connector
C. Office 365 connector
D. Syslog connector
Answer: B

AMA can collect from both on-prem and Azure VMs.

Why this answer

Option B is correct because the Windows Security Events via AMA connector works for both on-prem and Azure VMs. Option A is wrong because the Azure Activity log covers Azure resource operations, not security events. Option D is wrong because Syslog is for Linux. Option C is wrong because Office 365 is for cloud apps.

78
MCQ (easy)

The exhibit shows a conditional access policy from Microsoft Entra ID Identity Protection. When will this policy require MFA?

A. When user risk is medium or high AND sign-in risk is high
B. When either user risk is medium or sign-in risk is high
C. When user risk is medium or high, regardless of sign-in risk
D. When sign-in risk is high, regardless of user risk
Answer: A

Both conditions are required.

Why this answer

Option A is correct because the conditional access policy shown in the exhibit uses the 'Require MFA' grant control with conditions set for user risk (medium or high) AND sign-in risk (high). In Microsoft Entra ID Identity Protection, when both risk levels are evaluated together with an AND operator, MFA is only triggered when both conditions are met simultaneously. This ensures that MFA is enforced only when the user account itself is compromised (medium/high user risk) and the current sign-in session is also risky (high sign-in risk), providing a layered security response.

Exam trap

The trap here is that candidates often confuse the AND operator with OR, assuming that either risk condition alone would trigger MFA, but the exhibit explicitly shows both conditions must be satisfied simultaneously.

How to eliminate wrong answers

Option B is wrong because it describes an OR condition (either user risk medium OR sign-in risk high), but the policy uses an AND operator, meaning both conditions must be true. Option C is wrong because it ignores the sign-in risk condition entirely, suggesting MFA is required regardless of sign-in risk, which contradicts the policy's explicit requirement for high sign-in risk. Option D is wrong because it ignores the user risk condition, stating MFA is required when sign-in risk is high regardless of user risk, but the policy requires user risk to be medium or high as well.

79
MCQ (easy)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents are automatically assigned to the appropriate analyst team based on the type of threat. What should you configure?

A. Use a watchlist to map threat types to teams and trigger a logic app.
B. Modify the analytics rule to include a custom field for the assigned team.
C. Create a playbook that assigns ownership based on incident properties.
D. Configure an automation rule to set the incident owner based on custom conditions.
Answer: D

Automation rules can set the owner of an incident based on conditions like incident tags or properties.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can automatically assign incidents to specific teams based on conditions such as threat type. Option C is incorrect because playbooks require manual or automated triggers but do not directly assign ownership. Option B is incorrect because analytics rules create incidents but do not assign them. Option A is incorrect because watchlists are for correlation, not assignment.

80
MCQ (hard)

Your organization uses Microsoft Intune to manage devices. You need to ensure that corporate data on personally owned devices is removed when a user leaves the company, but personal data remains intact. What should you use?

A. Selective wipe (retire)
B. Conditional Access policy
C. Full wipe
D. Device compliance policy
Answer: A

Selective wipe removes only corporate data.

Why this answer

Selective wipe (retire) is the correct choice because it removes only corporate data from a personally owned device enrolled in Microsoft Intune, while preserving the user's personal data. This is achieved by targeting managed app data and corporate profiles, leaving personal apps, photos, and settings intact. It aligns with the requirement to protect corporate information upon employee departure without affecting the user's personal property.

Exam trap

The trap here is that candidates often confuse 'selective wipe' with 'full wipe' or assume that a Conditional Access policy can enforce data removal, when in fact only selective wipe provides granular corporate data removal while preserving personal data.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access to resources based on conditions like device compliance or location, but they do not perform data removal or wipe operations. Option C is wrong because a full wipe resets the device to factory defaults, erasing both corporate and personal data, which violates the requirement to keep personal data intact. Option D is wrong because device compliance policies enforce security settings (e.g., requiring encryption or a minimum OS version) but do not remove data; they only mark devices as compliant or non-compliant.

81
MCQ (medium)

A company uses Microsoft Defender XDR and wants to ensure that all devices are reporting to the service. They notice that some devices are not appearing in the device inventory. Which log source should they check first to troubleshoot?

A. Microsoft Defender for Endpoint deployment log (MDEClientAnalyzer)
B. Microsoft Intune enrollment logs
C. Windows Event Log - Microsoft-Windows-Windows Defender/Operational
D. Syslog from the device
Answer: A

This log contains onboarding status and connectivity issues.

Why this answer

Option A is correct because the Microsoft Defender for Endpoint deployment log shows onboarding status and errors. Option C is incorrect because the Windows Event Log may not be enabled. Option B is incorrect because Intune enrollment is for MDM, not Defender. Option D is incorrect because Syslog is for non-Microsoft devices.

82
MCQ (easy)

Your organization is implementing a zero-trust security model and needs to ensure that all access to cloud resources is verified in real-time. You plan to use Microsoft Entra ID Conditional Access. Which policy component enforces real-time verification of user identity and device compliance before granting access?

A. Enable Microsoft Secure Score
B. Use Azure AD Application Proxy
C. Conditional Access policy with conditions and grant controls
D. Assign users and groups to the policy
Answer: C

Conditions evaluate signals and grant controls enforce real-time access decisions.

Why this answer

Conditional Access policies with conditions and grant controls enforce real-time verification by evaluating signals such as user identity, device compliance (via Microsoft Intune), and location before allowing access to cloud resources. The grant controls block or require multi-factor authentication (MFA) or device compliance, ensuring zero-trust principles of explicit verification and least privilege.

Exam trap

The trap here is that candidates confuse policy assignment (users/groups) with the enforcement mechanism (conditions and grant controls), thinking that merely assigning a policy to a user group enforces real-time verification, when in fact the conditions and grant controls are the components that perform the actual evaluation and access decision.

How to eliminate wrong answers

Option A is wrong because Microsoft Secure Score is a security posture measurement tool, not a policy component that enforces real-time access verification. Option B is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications, not real-time identity and device compliance checks for cloud resources. Option D is wrong because assigning users and groups to a policy defines scope but does not enforce real-time verification; the conditions and grant controls are the components that perform the actual evaluation and enforcement.

83
MCQ (easy)

A company uses Microsoft Defender for Cloud Apps to discover and control Shadow IT. They want to block the use of a newly discovered unsanctioned app. What should they do?

A. Create a Conditional Access policy to block the app
B. Use Microsoft Purview Data Loss Prevention to block the app
C. Mark the app as unsanctioned in Defender for Cloud Apps
D. Block the app's domain in Microsoft Intune
Answer: C

Unsanctioning blocks the app's usage.

Why this answer

Option C is correct because marking an app as unsanctioned in Microsoft Defender for Cloud Apps is the direct mechanism to block access to a discovered Shadow IT app. When an app is marked unsanctioned, Defender for Cloud Apps automatically enforces a block by integrating with Conditional Access to prevent users from accessing the app, and it can also generate alerts and session controls. This action is specifically designed for the discovered app governance workflow within Defender for Cloud Apps.

Exam trap

The trap here is that candidates often assume creating a Conditional Access policy directly is the correct action, but the SC-100 exam tests the understanding that marking the app as unsanctioned in Defender for Cloud Apps is the prerequisite step that triggers the automatic Conditional Access policy enforcement.

How to eliminate wrong answers

Option A is wrong because creating a Conditional Access policy to block the app is not the first step; the app must first be marked as unsanctioned in Defender for Cloud Apps, which then automatically creates the necessary Conditional Access policy via the app governance integration. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent data exfiltration and sensitive data sharing, not to block access to an entire unsanctioned app. Option D is wrong because blocking the app's domain in Microsoft Intune would only affect managed devices and does not address the broader Shadow IT discovery and control workflow that Defender for Cloud Apps provides.

84
Multi-Select (hard)

Your organization uses Microsoft Purview and Microsoft Sentinel. You need to design a solution that alerts the security team when a user tries to share a file labeled 'Highly Confidential' with an external email address. The alert should include the file name, user, and external recipient. Which two components should you use? (Choose TWO.)

Select 2 answers
A. Microsoft Purview Information Protection
B. Microsoft Sentinel analytics rule that queries DLP audit logs
C. Microsoft Purview Audit
D. Microsoft Purview auto-labeling policy
E. Microsoft Purview Data Loss Prevention (DLP) policy
Answers: B, E

Sentinel can ingest DLP logs and create alerts for investigation.

Why this answer

Options B and E are correct because Microsoft Purview DLP can detect and alert on sharing of sensitive files, and Microsoft Sentinel can ingest those DLP alerts and provide a central interface for investigation. Option D (auto-labeling) applies labels but does not generate alerts. Option A (Information Protection) is for labeling, not monitoring. Option C (audit) logs events but does not generate proactive alerts.

85
MCQ (hard)

Your organization uses Microsoft Sentinel as a SIEM. The security team wants to use Microsoft Copilot for Security to assist in incident investigation. You need to ensure that Copilot can access Sentinel data while meeting compliance requirements. Which integration should you configure?

A. Deploy a playbook to query Sentinel data
B. Enable Microsoft Copilot for Security plugin for Sentinel
C. Enable Sentinel's Threat Intelligence connectors
D. Use Microsoft Defender for Cloud
Answer: B

The plugin allows Copilot to query Sentinel data securely.

Why this answer

The Microsoft Copilot for Security plugin for Sentinel is the correct integration because it enables Copilot to directly query and analyze Sentinel data through a native, compliant connection. This plugin uses Sentinel's API and role-based access control (RBAC) to ensure that Copilot only accesses data the user is authorized to see, meeting compliance requirements without additional data movement.

Exam trap

The trap here is that candidates often confuse enabling Threat Intelligence connectors (Option C) with granting data access, but those connectors only import external threat data and do not provide Copilot with read access to Sentinel's internal logs or incidents.

How to eliminate wrong answers

Option A is wrong because deploying a playbook to query Sentinel data introduces unnecessary complexity and latency; playbooks are designed for automated response workflows, not for providing real-time, compliant data access to Copilot. Option C is wrong because enabling Sentinel's Threat Intelligence connectors only ingests external threat intelligence feeds into Sentinel, it does not grant Copilot access to Sentinel's existing security data or logs. Option D is wrong because Microsoft Defender for Cloud is a separate cloud security posture management (CSPM) tool that does not natively integrate with Copilot for Security to access Sentinel data; it focuses on workload protection, not SIEM data access.

86
MCQ (easy)

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. Configure an app protection policy in Intune.
B. Create a device configuration policy in Intune.
C. Create a Conditional Access policy in Microsoft Entra ID that requires a compliant device.
D. Create a device compliance policy in Intune.
Answer: C

Conditional Access evaluates compliance and blocks non-compliant devices.

Why this answer

Option C is correct because Conditional Access in Microsoft Entra ID can enforce device compliance for access. Option B is incorrect because configuration policies set settings but don't control access. Option D is incorrect because compliance policies define compliance, but Conditional Access enforces it. Option A is incorrect because app protection policies protect data within apps, not device access.

87
MCQ (easy)

Your company uses Microsoft 365 E5 licenses and has deployed Microsoft Defender for Office 365. The security team wants to be alerted when a user reports a phishing email using the built-in report message button in Outlook. The alert should be sent to the security team's email address. You need to configure this in the Microsoft 365 Defender portal. What should you do?

A. Create an anti-phishing policy that notifies users about phishing.
B. Configure the User reported messages settings to send alerts to the security team.
C. Create a Safe Attachments policy to detect phishing attachments.
D. Create a Safe Links policy that alerts on phishing URLs.
Answer: B

User reported messages settings allow you to specify where reports are sent.

Why this answer

Option B is correct because user-reported messages can be configured in the Microsoft 365 Defender portal under Policies & rules > Threat policies > User reported messages settings. Option D is incorrect because Safe Links policies are for URL protection. Option C is incorrect because Safe Attachments policies are for attachments. Option A is incorrect because anti-phishing policies handle detection, not user submissions.

88
MCQ (easy)

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the Azure portal. What is the simplest way to configure this?

A. Enable per-user MFA for all users.
B. Enable security defaults.
C. Create a conditional access policy targeting the Azure portal app requiring MFA.
D. Configure Microsoft Entra ID MFA registration policy.
Answer: C

Conditional access allows granular enforcement.

Why this answer

Option C is correct because a conditional access policy can be targeted to the Azure portal app and require MFA. Option A is wrong because per-user MFA is legacy and less flexible. Option D is wrong because the MFA registration policy ensures registration but does not enforce MFA. Option B is wrong because security defaults apply to all apps, not just the Azure portal, and may be too broad.

89
MCQ (easy)

You are designing an incident response plan for a company using Microsoft Defender XDR. The team needs to automatically notify the SOC via email when an incident of high severity is created. What should you use?

A. Modify the analytics rule to send an email when an alert fires.
B. Create a playbook that sends an email when an incident is created.
C. Configure an automation rule with an action to send an email notification.
D. Use advanced hunting to query high severity incidents and send email.
Answer: C

Automation rules can trigger actions like email notifications when incidents meet criteria.

Why this answer

Option C is correct because an automation rule can be configured with an action that sends an email notification when an incident is created. Option B is wrong because playbooks are run manually or via automation rules. Option A is wrong because analytics rules generate alerts. Option D is wrong because hunting queries are for proactive threat hunting.

90
MCQ (easy)

Your organization needs to meet regulatory requirements that mandate keeping security audit logs for at least seven years. Which Microsoft Sentinel feature should you configure to comply with this requirement?

A. Configure data connectors to collect logs from all sources.
B. Adjust the data retention settings in the Log Analytics workspace used by Microsoft Sentinel.
C. Develop a playbook to export logs to Azure Blob Storage.
D. Create a workbook to archive logs to a storage account.
Answer: B

Retention settings control how long data is stored.

Why this answer

Option B is correct because retention settings in the Log Analytics workspace allow you to specify how long data is kept, up to seven years (or longer with archive). Option A (data connectors) is for ingestion, not retention. Option D (workbooks) is for visualization. Option C (playbooks) is for automation.

91
MCQ (hard)

You are a security architect for a global financial services company. The company is adopting Microsoft Sentinel as its primary SIEM and Microsoft Defender XDR for endpoint, email, and identity protection. The company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. The SOC team needs to be able to investigate incidents that involve lateral movement between on-premises and cloud resources. Additionally, the company must comply with GDPR, requiring that personal data be protected and that data residency requirements are met: all security logs for EU users must remain within the EU. The company already has a Microsoft Sentinel workspace in the West Europe region. You need to design a solution that meets these requirements while minimizing administrative overhead. What should you do?

A. Deploy Azure Arc on on-premises servers and use Azure Policy to enforce log collection to the West Europe workspace.
B. Use the existing West Europe Sentinel workspace and ensure that all EU user logs are sent to that workspace via diagnostic settings.
C. Create a new Sentinel workspace in the EU region for EU logs and a separate workspace for non-EU logs.
D. Deploy a separate Sentinel workspace in each region where you have users.
Answer: B

A single workspace can collect logs from all regions; data residency is achieved by storing logs in the EU region.

Why this answer

Option B is correct because a single Sentinel workspace can handle logs from multiple regions, and using the same workspace across regions is simpler. For GDPR data residency, you can configure diagnostic settings to send logs to the workspace without needing separate workspaces. Option A is incorrect because Azure Arc doesn't change data residency. Option C is incorrect because a separate workspace for EU data adds complexity. Option D is incorrect because multiple workspaces increase overhead.

92
MCQ (medium)

Your organization uses Microsoft Entra ID. You need to design a solution that requires users to perform multifactor authentication when accessing a critical application from an untrusted network. The solution should not require additional licensing beyond Microsoft Entra ID P1. What should you use?

A. Create a Conditional Access policy in Microsoft Entra ID.
B. Configure a risk-based policy in Microsoft Entra ID Protection.
C. Enable per-user MFA in Microsoft Entra ID.
D. Deploy a device compliance policy in Microsoft Intune.
Answer: A

Conditional Access policies can enforce MFA based on location and are included in P1.

Why this answer

Option A is correct because Conditional Access policies are included with Microsoft Entra ID P1 and can enforce MFA based on network location. Option B (ID Protection) requires P2 licensing. Option D (Intune) is for device management. Option C (per-user MFA) is legacy and less flexible.

93
MCQ (hard)

Your organization uses Microsoft Defender XDR for detection and response. You need to create a custom detection rule that alerts when a user performs more than 10 failed sign-ins from different countries within 5 minutes. Which component should you use?

A. Automation rule in Microsoft Sentinel
B. Custom detection rule in Microsoft 365 Defender
C. Analytics rule in Microsoft Sentinel
D. Attack simulation training
Answer: B

Custom detection rules in Microsoft 365 Defender use advanced hunting queries to create alerts.

Why this answer

Custom detection rules in Microsoft 365 Defender allow you to define advanced hunting queries that trigger alerts based on specific event patterns, such as more than 10 failed sign-ins from different countries within 5 minutes. This is the correct component because it operates directly on data within the Defender XDR ecosystem (e.g., AADSignInEventsBeta) without requiring data ingestion into Sentinel.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel analytics rules (which require data ingestion) with Microsoft 365 Defender custom detection rules (which operate natively on Defender XDR data), leading them to choose Sentinel options when the question explicitly states 'Microsoft Defender XDR' as the platform.

How to eliminate wrong answers

Option A is wrong because automation rules in Microsoft Sentinel are used to automate incident response actions (e.g., assigning ownership or running playbooks), not to define detection logic based on raw event patterns. Option C is wrong because analytics rules in Microsoft Sentinel require data to be ingested into the Sentinel workspace first, whereas the question specifies using Microsoft Defender XDR directly for detection and response. Option D is wrong because attack simulation training is a phishing simulation and security awareness tool, not a detection mechanism for sign-in anomalies.

94
MCQ (hard)

An organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot. Which DLP rule condition should they configure?

A. Cloud app includes Microsoft Copilot
B. Content is shared with external users
C. Access from unmanaged devices
D. File extension is .docx or .pdf
Answer: A

This condition allows targeting specific apps.

Why this answer

To prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot, you need to configure a DLP rule condition that targets the specific application. The 'Cloud app includes Microsoft Copilot' condition allows the DLP policy to inspect and block sensitive content when it is being pasted into Copilot, as Copilot is a cloud app that can be monitored via Microsoft Purview's endpoint DLP and cloud app discovery capabilities.

Exam trap

The trap here is that candidates may think DLP only applies to file sharing or external sharing, but Microsoft Purview DLP can also monitor and block clipboard-based paste actions into specific cloud apps like Copilot using the 'Cloud app includes' condition.

How to eliminate wrong answers

Option B is wrong because 'Content is shared with external users' controls data sharing outside the organization, but does not target the specific action of pasting into an AI tool like Copilot, which may be an internal app. Option C is wrong because 'Access from unmanaged devices' restricts data access based on device compliance, not the destination application or the paste action. Option D is wrong because 'File extension is .docx or .pdf' filters by file type, which is irrelevant to the action of pasting data into an AI tool; DLP policies for paste actions require app-based conditions, not file extension conditions.

95
MCQ (hard)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that automatically creates an incident in Sentinel when a high-severity alert is generated in Defender for Cloud. What should you configure?

A. Enable the Microsoft Defender for Cloud data connector and create an analytics rule
B. Create a workbook to track alerts
C. Create a playbook in Microsoft Sentinel
D. Use a watchlist to import alerts
Answer: A

Data connector ingests alerts; analytics rule creates incidents.

Why this answer

The Microsoft Defender for Cloud data connector ingests security alerts from Defender for Cloud into Microsoft Sentinel. Once ingested, you create an analytics rule with a rule query that triggers on high-severity alerts and configures the rule to automatically create an incident. This is the standard method to convert a Defender for Cloud alert into a Sentinel incident without manual intervention.

Exam trap

The trap here is that candidates often confuse a playbook (which automates responses) with the analytics rule that actually creates the incident, or they think a workbook or watchlist can trigger incident creation, but only an analytics rule with the proper data connector can automatically generate incidents from ingested alerts.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization tool for dashboards and reports, not a mechanism to create incidents from alerts. Option C is wrong because a playbook automates response actions (e.g., sending emails or blocking IPs) after an incident is created, but it does not itself generate the incident from a Defender for Cloud alert. Option D is wrong because a watchlist is a collection of static data (e.g., IP addresses or hostnames) used for correlation or enrichment in analytics rules, not a method to import live alerts and create incidents.

96
Multi-Select (medium)

Which TWO actions should you take to implement a Zero Trust security strategy for identity and access? (Choose two.)

Select 2 answers
A. Require Multi-Factor Authentication for all users.
B. Use VPN for remote access to the corporate network.
C. Implement Conditional Access policies that evaluate user, device, and location.
D. Rely on strong passwords only.
E. Create shared accounts for temporary workers.
Answers: A, C

MFA is a key Zero Trust control.

Why this answer

Options A and C are correct. Option A is correct because Multi-Factor Authentication is a fundamental Zero Trust control. Option C is correct because Conditional Access enforces policies based on signals.

Option B is incorrect because VPN is a perimeter-based approach, not Zero Trust. Option E is incorrect because shared accounts violate the principle of least privilege. Option D is incorrect because passwords alone are not sufficient.

97
MCQ (medium)

Refer to the exhibit. You create this conditional access policy in Microsoft Entra ID. What is the result?

A. Requires MFA for medium and high risk users for all applications
B. Blocks sign-ins from medium and high risk users for all applications
C. Blocks sign-ins from low risk users for all applications
D. Blocks sign-ins from medium and high risk users only for selected applications
Answer: B

The policy applies to all applications and blocks sign-ins for medium or high user risk levels.

Why this answer

The conditional access policy shown assigns the 'Block access' control to the 'Medium and High' risk levels for 'All cloud apps'. This means any sign-in from a user or session detected as medium or high risk will be blocked, regardless of the application. Option B correctly identifies this outcome.

Exam trap

The trap here is that candidates often confuse 'Block access' with 'Require MFA' when they see risk levels, assuming the policy will prompt for MFA instead of outright blocking the sign-in.

How to eliminate wrong answers

Option A is wrong because the policy uses 'Block access', not 'Grant access' with MFA, so it does not require MFA. Option C is wrong because the policy targets 'Medium and High' risk levels, not 'Low' risk. Option D is wrong because the policy applies to 'All cloud apps', not only selected applications.

98
MCQ (hard)

A global enterprise uses Microsoft Entra ID with Privileged Identity Management (PIM) and Conditional Access. They need to ensure that all privileged role activations require an approval workflow, and that the approval process is documented for compliance. What configuration should they implement?

A. Create a Conditional Access policy requiring an Authentication Strength
B. In PIM, edit the role settings to require approval for activation
C. Configure an access review for the privileged roles
D. Create a role-assignable group and assign the privileged role to the group
Answer: B

This enforces approval each time a role is activated.

Why this answer

Option B is correct because PIM approvals require configuring role settings with approval required. Option D is incorrect because role-assignable groups are for group-based assignments, not approval workflows. Option C is incorrect because access reviews are for periodic review, not per-activation approval. Option A is incorrect because Authentication Strengths control MFA, not approval.

99
Multi-Select (medium)

Your organization uses Microsoft 365 and wants to protect against phishing attacks. Which TWO configurations should you recommend?

Select 2 answers
A. Enable anti-spoofing protection in Exchange Online Protection.
B. Configure DMARC policy to reject spoofed emails.
C. Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365.
D. Require MFA for all external email access.
E. Configure DLP policies to detect sensitive data in email.
Answers: A, C

Anti-spoofing helps detect phishing emails.

Why this answer

Option C is correct because Safe Links and Safe Attachments in Defender for Office 365 check URLs at time of click and detonate attachments in a sandbox, catching the payloads that phishing mail carries. Option A is correct because anti-spoofing protection (spoof intelligence) in Exchange Online Protection flags mail whose From address is not authorized to send for that domain, a common phishing technique. Option B is wrong in the sense the exam intends: a DMARC policy is something you publish for your own domain to tell other receivers how to treat mail that fails SPF or DKIM alignment; it is an email authentication control that protects third parties from spoofing of your domain rather than a filter for phishing arriving in your own users' mailboxes.

Option D is wrong because MFA limits what an attacker can do with stolen credentials after a successful phish; it does not stop the phishing message itself. Option E is wrong because DLP detects sensitive data leaving the organization, not inbound attacks.

100
MCQhard

Your company uses Microsoft Defender for Cloud Apps (MDA). You need to create a policy that automatically suspends a user's access to a cloud app if the user is confirmed as compromised by Microsoft Entra ID Protection. Which policy type should you use?

A.Session policy
B.Access policy
C.App permissions policy
D.Anomaly detection policy
AnswerA

Session policies can use risk from Microsoft Entra ID Protection to block access.

Why this answer

A session policy in Microsoft Defender for Cloud Apps can be configured to take real-time actions based on risk signals from Microsoft Entra ID Protection. When a user is confirmed as compromised, a session policy can enforce automatic suspension of access to cloud apps by blocking the session or requiring reauthentication, directly addressing the requirement.

Exam trap

The trap here is that candidates often confuse session policies with access policies, assuming access policies handle user risk-based suspension, but access policies lack the real-time session control and direct Entra ID Protection integration that session policies provide.

How to eliminate wrong answers

Option B (Access policy) is wrong because access policies in Defender for Cloud Apps control access based on device, location, or app permissions, but they do not natively integrate with Entra ID Protection's user risk signals to trigger automatic suspension upon compromise confirmation. Option C (App permissions policy) is wrong because it governs OAuth app permissions (e.g., revoking app consent) rather than user-level access suspension based on identity risk. Option D (Anomaly detection policy) is wrong because it detects unusual behavior patterns (e.g., impossible travel) but does not directly respond to a confirmed compromise signal from Entra ID Protection; it generates alerts rather than enforcing automatic access suspension.

101
MCQmedium

Refer to the exhibit. You receive an alert from Microsoft Defender for Cloud Apps. You need to investigate this alert in Microsoft Sentinel. Which Microsoft Sentinel feature should you use to visualize the relationship between the user account and the IP address?

A.Configure an automation rule to trigger a playbook.
B.Run a hunting query to search for similar alerts.
C.Use the Investigation graph to explore the entities involved.
D.Create a new workbook to display the alert details.
AnswerC

The investigation graph visually maps entities and their connections.

Why this answer

Option C is correct because the investigation graph in Microsoft Sentinel renders the entities of an incident (accounts, hosts, IP addresses, URLs) as nodes and their relationships as edges, which is exactly what is needed to see how the user account and the IP address from the Defender for Cloud Apps alert are connected. Option D (workbook) is for dashboards and reporting. Option B (hunting query) is for proactive threat hunting over raw logs.

Option A (automation rule) triggers playbooks for automated response; it does not visualize anything.

102
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that an attacker cannot disable data collection by deleting the diagnostic settings on the Sentinel workspace. What should you configure?

A.Enable Sentinel's workspace deletion protection.
B.Assign the Log Analytics Contributor role only to specific users.
C.Apply a CanNotDelete resource lock on the Log Analytics workspace.
D.Create an Azure Policy to audit diagnostic settings.
AnswerC

Resource locks block deletion of the workspace and its diagnostic settings.

Why this answer

Option C is correct because a CanNotDelete lock on the Log Analytics workspace makes Azure Resource Manager reject any delete request against the workspace and the resources scoped under it, including its diagnostic settings, whatever role the caller holds. The lock is not a permission, so an attacker with Contributor rights cannot simply delete around it; they would first have to remove the lock, which requires the Microsoft.Authorization/locks/delete action that only Owner and User Access Administrator carry, turning the attack into an extra, separately audited step. Since the diagnostic settings are what stream this telemetry into Microsoft Sentinel, locking the workspace is the most direct defense against a deletion attack on data collection.

Exam trap

The trap here is that candidates confuse workspace deletion protection (which only prevents workspace deletion) with protection of the diagnostic settings, or they assume that RBAC alone (Option B) is sufficient to block a privileged attacker, when in fact a resource lock is the control that enforces a hard deny on deletion for any caller who cannot first remove the lock, regardless of their other permissions.

How to eliminate wrong answers

Option A is wrong because Sentinel's workspace deletion protection only prevents the accidental deletion of the Sentinel workspace itself, not the deletion of diagnostic settings on that workspace; an attacker could still remove the diagnostic settings and stop data ingestion without deleting the workspace. Option B is wrong because scoping the Log Analytics Contributor role to a few users limits who can normally modify the workspace, but it does not prevent one of those users, or an attacker who has compromised their account, from deleting diagnostic settings; deletion is a permitted action for that role and succeeds without any additional hurdle. Option D is wrong because creating an Azure Policy to audit diagnostic settings only reports on compliance (e.g., whether settings exist) but does not block deletion; it provides no preventive control and cannot stop an attacker from removing the settings in real time.

103
Multi-Selectmedium

An organization uses Microsoft Purview to classify and protect sensitive data. Which THREE capabilities can be used to discover sensitive data? (Choose three.)

Select 3 answers
A.Trainable classifiers
B.Data loss prevention policies
C.Retention labels
D.Data classification rules
E.Sensitive information types
AnswersA, D, E

Machine learning models to identify content.

Why this answer

Trainable classifiers (A) use machine learning to identify content by pattern and context rather than exact matches; trained on sample documents, they recognize custom categories such as specific contract clauses or internal project codes that predefined sensitive information types would miss. Sensitive information types (E) match structured data with regular expressions, keyword lists and checksum validation (for example the Luhn check on a credit card number). Together with data classification rules (D), these are the discovery mechanisms; DLP policies (B) and retention labels (C) act on data that has already been classified.

Exam trap

Microsoft often tests the distinction between discovery capabilities (which identify sensitive data) and enforcement or lifecycle management capabilities (which act on already-discovered data), causing candidates to mistakenly select DLP policies or retention labels as discovery tools.

104
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You need to create an analytics rule that generates an incident when a user is reported as compromised by Microsoft Defender for Identity. The rule should use the most efficient method to get this data. What should you use as the data source?

A.The SecurityAlert table with a filter for Defender for Identity.
B.The DeviceEvents table from Advanced Hunting.
C.The OfficeActivity table.
D.The IdentityInfo table.
AnswerA

Defender for Identity alerts are stored in SecurityAlert table.

Why this answer

Option A is correct because Defender for Identity alerts arrive through the Microsoft 365 Defender (Defender XDR) connector and land in the SecurityAlert table; filtering that table on the provider or product name for Defender for Identity yields the compromised-user alerts directly, without re-deriving them from raw telemetry. Option D is incorrect because IdentityInfo holds enriched account attributes (UPN, department, group membership) used for enrichment, not alerts. Option B is incorrect because DeviceEvents is endpoint telemetry from Defender for Endpoint; it does not contain identity alerts, and even where advanced hunting tables are streamed into Sentinel it is the wrong table for this purpose.

Option C is incorrect because OfficeActivity holds Office 365 audit records, not security alerts.

105
MCQmedium

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. You need to design a solution that centralizes security alerts and automates remediation across all clouds. Which security operations capability should you prioritize?

A.Configure Microsoft Purview Compliance Manager for regulatory assessments
B.Enable Microsoft Defender for Cloud's multi-cloud connector to aggregate alerts
C.Use Microsoft Sentinel as a single SIEM and SOAR platform with connectors for AWS and GCP
D.Deploy Microsoft Defender for Identity to monitor hybrid identities
AnswerC

Sentinel ingests alerts from multiple clouds and can automate remediation via playbooks.

Why this answer

Option C is correct because Microsoft Sentinel is a SIEM and SOAR platform that ingests alerts from Defender for Cloud and, through its AWS and GCP data connectors, from the other clouds, and runs playbooks to automate remediation. Option B is wrong because Defender for Cloud's multi-cloud connectors bring AWS and GCP resources under its posture management and workload protection, but Defender for Cloud is not the SIEM/SOAR layer that centralizes alerts from every source and orchestrates responses. Option D is wrong because Defender for Identity is focused on on-premises Active Directory identity threats.

Option A is wrong because Microsoft Purview Compliance Manager is for regulatory assessments, not security operations.

106
Multi-Selectmedium

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps (MDA) when integrated with Microsoft Defender XDR?

Select 3 answers
A.Email protection against phishing and malware.
B.Discovery of shadow IT cloud apps.
C.App permissions and OAuth app governance.
D.Endpoint detection and response (EDR) for devices.
E.Conditional access session controls for cloud apps.
AnswersB, C, E

MDA discovers apps used in the organization.

Why this answer

Microsoft Defender for Cloud Apps (MDA) integrates with Microsoft Defender XDR to provide shadow IT discovery by analyzing traffic logs from network devices and cloud app catalogs, identifying unsanctioned cloud applications used in the organization. This capability is core to MDA's Cloud Discovery feature, which uses log parsing and machine learning to detect and classify shadow IT. The integration also surfaces OAuth app governance (C), showing the permissions apps hold and letting you revoke risky or over-privileged consents, and Conditional Access App Control (E), which routes sessions through the Defender for Cloud Apps proxy to apply session controls such as blocking downloads or monitoring activity in real time.

Exam trap

The trap here is that candidates often confuse the capabilities of Microsoft Defender for Cloud Apps with those of other Microsoft Defender XDR components, such as Defender for Office 365 (email security) or Defender for Endpoint (EDR), leading them to select options that are valid security features but not provided by MDA.

107
MCQhard

A company uses Microsoft Entra ID with P2 licenses and wants to implement a zero-trust identity security model. They need to require multi-factor authentication (MFA) for all external users accessing internal applications. The solution should not require external users to have Entra ID licenses. What should you configure?

A.Configure Privileged Identity Management (PIM) for external users.
B.Create a conditional access policy for external users requiring MFA.
C.Enable identity protection for external users.
D.Use Entra ID B2B collaboration and configure MFA enforcement.
AnswerB

Conditional access policies can target external users and require MFA without additional licenses for the external user.

Why this answer

Option B is correct because a Conditional Access policy can be scoped to guest and external users and require MFA as its grant control; the guest satisfies MFA with their own identity, and the policy is evaluated and licensed in the resource (host) tenant, so the external user needs no Entra ID license of their own. Option D is wrong because B2B collaboration is the mechanism that lets external identities into the tenant; it is a prerequisite rather than the control, and enforcing MFA on those guests is still done with Conditional Access. Option C is wrong because Identity Protection detects risk; it does not by itself require MFA for a population of users.

Option A is wrong because PIM manages just-in-time activation of privileged roles, not authentication of external users.

108
MCQhard

Your organization uses Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. You need to create a custom detection rule that triggers when a user receives a phishing email and then attempts to log in from a new location. Which approach should you use?

A.Use Advanced Hunting to create a custom detection rule
B.Create a custom detection rule in Microsoft Defender for Endpoint
C.Use an automation rule in Microsoft Defender XDR
D.Create an analytics rule in Microsoft Sentinel
AnswerA

Advanced Hunting allows cross-domain queries in Defender XDR.

Why this answer

Option A is correct because Advanced Hunting in Microsoft Defender XDR allows you to write Kusto Query Language (KQL) queries that correlate events across multiple data tables (e.g., EmailEvents, IdentityLogonEvents). You can then create a custom detection rule from that query, which will trigger an alert when a user receives a phishing email and subsequently logs in from a new location, enabling cross-domain correlation within Defender XDR.

Exam trap

The trap here is that candidates often confuse the scope of custom detection rules in Defender for Endpoint (endpoint-only) with the cross-domain capability of Advanced Hunting in Defender XDR, or they mistakenly think automation rules can create new detection logic rather than just automate responses to existing alerts.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint custom detection rules are limited to endpoint data (e.g., DeviceEvents, DeviceProcessEvents) and cannot query email or identity events, so they cannot correlate a phishing email with a login from a new location. Option C is wrong because automation rules in Microsoft Defender XDR are designed to automate responses (e.g., isolate a device, block an IP) based on existing alerts, not to create new detection logic that correlates raw events across different data sources. Option D is wrong because analytics rules in Microsoft Sentinel are used for SIEM-style detection across multiple data sources ingested into Sentinel, but the question specifies using Microsoft Defender XDR (not Sentinel) to correlate alerts, and Sentinel requires separate licensing and data ingestion pipelines.
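In Defender XDR the rule described above is written as a KQL join between EmailEvents and IdentityLogonEvents and then saved as a custom detection. The Python below is an added illustration, not code from Microsoft or from this question bank: it runs the same correlation logic offline over a handful of constructed rows so the join semantics are visible, namely a phishing-flagged email followed within 24 hours by a successful logon from a location the same user had not used in the preceding 30 days. The column names (Timestamp, RecipientEmailAddress, ThreatTypes, AccountUpn, Location, ActionType) are assumed to follow the advanced hunting schema; the row values are invented.

```python
"""Added example: phish-then-new-location correlation over constructed rows.

Stand-in for a Defender XDR advanced hunting query (EmailEvents joined to
IdentityLogonEvents). Not Microsoft code; column names are an assumption
about the advanced hunting schema, row values are made up.
"""
from datetime import datetime, timedelta

# Constructed sample rows (not real telemetry).
EMAIL_EVENTS = [
    {"Timestamp": "2024-05-01T09:00:00", "RecipientEmailAddress": "alice@contoso.com",
     "ThreatTypes": "Phish"},
    {"Timestamp": "2024-05-01T09:05:00", "RecipientEmailAddress": "bob@contoso.com",
     "ThreatTypes": ""},                        # clean mail, must not trigger
    {"Timestamp": "2024-05-01T09:10:00", "RecipientEmailAddress": "carol@contoso.com",
     "ThreatTypes": "Phish, Malware"},          # phish but no follow-up logon
]

IDENTITY_LOGON_EVENTS = [
    {"Timestamp": "2024-04-20T08:00:00", "AccountUpn": "alice@contoso.com",
     "Location": "GB", "ActionType": "LogonSuccess"},   # baseline location
    {"Timestamp": "2024-05-01T08:30:00", "AccountUpn": "alice@contoso.com",
     "Location": "GB", "ActionType": "LogonSuccess"},   # before the phish
    {"Timestamp": "2024-05-01T10:00:00", "AccountUpn": "bob@contoso.com",
     "Location": "NG", "ActionType": "LogonSuccess"},   # bob received no phish
    {"Timestamp": "2024-05-01T11:30:00", "AccountUpn": "Alice@contoso.com",
     "Location": "NG", "ActionType": "LogonSuccess"},   # the detection target
    {"Timestamp": "2024-05-01T11:45:00", "AccountUpn": "alice@contoso.com",
     "Location": "NG", "ActionType": "LogonFailed"},    # failures are ignored
    {"Timestamp": "2024-05-01T12:00:00", "AccountUpn": "alice@contoso.com",
     "Location": "GB", "ActionType": "LogonSuccess"},   # known location, no hit
    {"Timestamp": "2024-05-03T11:30:00", "AccountUpn": "alice@contoso.com",
     "Location": "FR", "ActionType": "LogonSuccess"},   # outside the 24h window
]


def _ts(row):
    return datetime.fromisoformat(row["Timestamp"])


def correlate_phish_then_new_location(email_events, logon_events,
                                      window=timedelta(hours=24),
                                      baseline=timedelta(days=30)):
    """Return one finding per (phishing email, first-seen-location logon) pair.

    Equivalent KQL shape:
      EmailEvents | where ThreatTypes has "Phish"
      | join kind=inner IdentityLogonEvents on recipient == AccountUpn
      | where logon happened within `window` after the email
      | where Location not seen in that user's successful logons over `baseline`
    """
    successes = [l for l in logon_events if l["ActionType"] == "LogonSuccess"]
    findings = []
    for mail in email_events:
        threat_types = [t.strip().lower() for t in mail["ThreatTypes"].split(",")]
        if "phish" not in threat_types:
            continue
        user = mail["RecipientEmailAddress"].lower()   # UPN match is case-insensitive
        t_mail = _ts(mail)
        user_logons = [l for l in successes if l["AccountUpn"].lower() == user]
        # Baseline: locations this user logged on from before the phish arrived.
        known = {l["Location"] for l in user_logons
                 if t_mail - baseline <= _ts(l) < t_mail}
        for logon in user_logons:
            t_logon = _ts(logon)
            if t_mail <= t_logon <= t_mail + window and logon["Location"] not in known:
                findings.append({
                    "AccountUpn": user,
                    "EmailTimestamp": mail["Timestamp"],
                    "LogonTimestamp": logon["Timestamp"],
                    "NewLocation": logon["Location"],
                    "KnownLocations": sorted(known),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_phish_then_new_location(EMAIL_EVENTS, IDENTITY_LOGON_EVENTS):
        print(finding)
```

Only alice produces a finding: bob's mail was clean, carol never logged on after her phish, and alice's later GB logon is a known location while the FR logon falls outside the window. The baseline lookback is the part most often forgotten when this is written as a KQL join; without it every logon after a phish looks "new".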

109
MCQeasy

Your organization uses Microsoft Defender for Office 365 and wants to block malicious links in email messages in real time. Which policy should you configure?

A.Anti-phishing policy
B.Safe Attachments policy
C.Safe Links policy
D.Anti-spam policy
AnswerC

Safe Links provides real-time scanning and blocking of malicious URLs in email.

Why this answer

Safe Links policy in Microsoft Defender for Office 365 provides real-time URL scanning and rewriting at the time of click, enabling the blocking of malicious links in email messages. This policy wraps URLs to route clicks through Microsoft's threat intelligence service, which checks the link against current threat data and blocks access if malicious content is detected.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, mistakenly thinking that attachment scanning covers embedded links, but Safe Attachments only handles file payloads, not URLs.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policy is designed to protect against impersonation and spoofing attempts by analyzing sender identity and message content, not by scanning or blocking individual URLs in real time. Option B is wrong because Safe Attachments policy focuses on scanning email attachments for malware using detonation in a sandbox environment, not on inspecting links within the message body. Option D is wrong because Anti-spam policy applies spam and bulk-mail verdicts to inbound messages (spoof intelligence lives in the anti-phishing policy) and does not perform real-time URL blocking or rewriting.

110
MCQmedium

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from sharing credit card numbers in email but allow sharing via encrypted email. What should they configure?

A.Assign a sensitivity label that encrypts the email automatically
B.Create a Microsoft Purview Message Encryption policy
C.Configure a DLP rule that blocks sharing unless the email is encrypted, with user override
D.Use Exchange mail flow rules to block unencrypted credit card data
AnswerC

DLP can allow encrypted emails as an exception.

Why this answer

Option C is correct because a DLP rule can match the credit card number sensitive information type in outbound email, block the message with a policy tip, allow a user override with a business justification, and exempt encrypted messages, which is exactly the 'block unless encrypted' behaviour required. Option B is wrong because a Message Encryption policy encrypts mail but does not block unencrypted sharing. Option A is wrong because an auto-applied sensitivity label classifies and encrypts the email; it does not block the unencrypted path or give the user the choice.

Option D is wrong because mail flow rules are an Exchange transport control separate from Purview DLP and do not provide DLP policy tips, override justification or the DLP reporting that goes with them.

111
MCQeasy

You are designing a security operations strategy for a multinational organization. The SOC team needs to correlate alerts from multiple sources including Microsoft Defender for Cloud, Microsoft Sentinel, and third-party firewalls. Which solution should you use as the primary platform for correlation?

A.Microsoft Defender for Cloud
B.Microsoft 365 Defender
C.Azure Monitor
D.Microsoft Sentinel
AnswerD

Sentinel is a SIEM that can ingest and correlate data from various sources.

Why this answer

Option D is correct because Microsoft Sentinel is a SIEM that ingests logs and alerts from Microsoft and third-party sources, including firewalls via the Syslog and CEF connectors, and correlates them with analytics rules. Option A is incorrect because Defender for Cloud is a CSPM and workload protection tool, not a SIEM. Option B is incorrect because Microsoft 365 Defender correlates Microsoft signals (endpoint, email, identity, cloud apps) but does not ingest third-party firewall logs.

Option C is incorrect because Azure Monitor is for infrastructure and application monitoring, not SIEM.

112
MCQmedium

Your organization uses Microsoft Entra ID. You need to ensure that when a user's risk level is assessed as high by Identity Protection, the user is automatically blocked from signing in. The block should apply immediately. What should you configure?

A.Configure a Conditional Access policy that blocks access when sign-in risk is high.
B.Enable self-service password reset for high-risk users.
C.Create an access review to require re-certification of high-risk users.
D.Configure a user risk policy in Identity Protection to block sign-in.
AnswerA

Conditional Access policies can use sign-in risk as a condition and block access.

Why this answer

Option A is correct because a Conditional Access policy with the sign-in risk condition set to High and the grant control 'Block access' is evaluated on every sign-in, so a high-risk sign-in is denied immediately. Note the distinction between user risk (a cumulative assessment of the account) and sign-in risk (a single authentication); both are available as Conditional Access conditions and both can be paired with Block access. Option D is incorrect because the legacy Identity Protection user risk policy can also block, but Microsoft now directs customers to risk-based Conditional Access, which is the expected answer and allows more granular scoping. Option C is incorrect because an access review re-certifies access periodically; it does not block sign-ins.

Option B is incorrect because self-service password reset is a remediation path for the user, not a block; it does not stop a risky sign-in.

113
MCQhard

Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?

A.Archive all logs to Azure Storage after 90 days
B.Ingest security-critical logs to the Analytics logs tier with 365-day retention, and other logs to the Auxiliary logs tier with shorter retention
C.Use the Basic logs tier for all logs and set retention to 365 days
D.Set the default retention to 30 days and export logs to Log Analytics Workspace
AnswerB

Auxiliary logs tier is for verbose logs at lower cost, while Analytics logs provide full capabilities and longer retention for critical data.

Why this answer

Option B is correct because the Analytics logs tier supports full KQL, analytics rules and interactive retention that can be set to 365 days or longer, so security-critical tables meet the compliance requirement. Lower-value, high-volume logs can go to the Auxiliary logs tier (or the older Basic logs tier, a separate low-cost plan), which is billed at a much lower ingestion rate in exchange for limited query capability and short interactive retention, reducing the overall bill while keeping those logs available for lookup. The table plan and retention are set per table, so both requirements are met in one workspace.

Exam trap

The trap here is that candidates treat the Basic or Auxiliary logs tiers as a cost-saving measure for all logs, not realizing that security-critical logs need the Analytics tier for analytics rules and full KQL, and that the table plan and retention can be configured per table to balance cost and compliance.

How to eliminate wrong answers

Option A is wrong because archiving all logs to Azure Storage after 90 days would remove them from Sentinel's queryable workspace, preventing real-time security monitoring and alerting on older logs, and does not guarantee one-year retention for security-critical logs. Option C is wrong because using the Basic logs tier for all logs limits query capabilities (no full KQL support) and incurs higher costs for security-critical logs that require Analytics-tier features; setting retention to 365 days on Basic logs does not address cost optimization for non-critical logs. Option D is wrong because setting default retention to 30 days and exporting logs to Log Analytics Workspace is redundant (Log Analytics Workspace is the same as Sentinel workspace) and does not reduce ingestion costs; it also fails to ensure security-critical logs are retained for one year without additional configuration.

114
MCQmedium

A company uses Microsoft Intune and wants to ensure that devices are compliant before accessing corporate resources. They create a Conditional Access policy that requires devices to be marked as compliant. However, some users report that they are blocked even though their device shows as compliant in Intune. What is the most likely cause?

A.The user's location is blocked by a location-based policy
B.The policy also requires MFA, and users haven't registered for MFA
C.The device is not registered in Microsoft Entra ID
D.The policy requires an app protection policy, which is not applied
AnswerC

Compliance check requires device registration.

Why this answer

Option C is correct because Conditional Access evaluates the device's compliance claim from the device object in Microsoft Entra ID; if the device is not registered or joined to the tenant, no device identity is presented at sign-in, so the 'require compliant device' control fails even though Intune shows the device as compliant. Option B is incorrect because the policy described requires device compliance, not MFA, and a user missing MFA registration would be prompted to register rather than blocked. Option D is incorrect because the policy requires a compliant device, not an app protection policy.

Option A is incorrect because no location-based policy is described in the scenario.

115
MCQmedium

A company uses Microsoft Defender for Cloud to assess the security posture of their hybrid environment. They need to ensure that all Azure subscriptions are evaluated against the same set of regulatory compliance standards. What should they configure?

A.Assign the standard to each subscription individually
B.Create an Azure Policy initiative and assign it to the management group
C.Assign the regulatory compliance standard to the management group containing all subscriptions
D.Use Microsoft Defender for Cloud's default policy
AnswerC

Management group scope applies to all child subscriptions.

Why this answer

Option C is correct because regulatory compliance standards in Microsoft Defender for Cloud are assigned at the management group scope, which automatically applies the standard to all subscriptions within that management group. This ensures consistent evaluation across the entire hybrid environment without needing per-subscription configuration. The assignment inherits down the hierarchy, so all subscriptions under the management group are assessed against the same compliance framework.

Exam trap

The trap here is that candidates reach for a custom Azure Policy initiative (Option B) when Defender for Cloud already ships the regulatory standards as built-in initiatives; the expected design is to add the standard from Defender for Cloud's regulatory compliance dashboard at management group scope so that every subscription inherits it.

How to eliminate wrong answers

Option A is wrong because assigning the standard to each subscription individually is inefficient and error-prone, does not guarantee consistent application across all subscriptions, and leaves new subscriptions uncovered until someone remembers to assign it. Option B is wrong because, although Defender for Cloud's compliance standards are themselves built-in Azure Policy initiatives under the hood, the exam expects you to assign the prebuilt standard (e.g., CIS, PCI DSS, ISO 27001) from Defender for Cloud at management group scope rather than author and assign your own initiative. Option D is wrong because Defender for Cloud's default policy only provides baseline security recommendations and does not include a regulatory compliance standard; you must explicitly assign the standard (e.g., SOC 2, ISO 27001) to meet regulatory requirements.

116
MCQmedium

A company uses Microsoft Sentinel for security operations. The SOC team needs to automatically respond to a specific type of incident involving a known malicious IP address. They want to create an automated response that blocks the IP at the firewall and creates a Teams notification. Which feature should they use?

A.UEBA to detect anomalous behavior
B.Watchlist to correlate IP addresses
C.Automation rule with a playbook
D.Analytics rule with scheduled query
AnswerC

Automation rules can trigger playbooks that perform automated actions.

Why this answer

Automation rules in Microsoft Sentinel allow you to trigger automated responses when incidents are created or updated. By associating a playbook (an Azure Logic Apps workflow) with the automation rule, you can execute actions such as blocking an IP at a firewall via a connector and posting a Teams notification. This directly meets the requirement for a two-step automated response triggered by a specific incident type.

Exam trap

The trap here is that candidates confuse the role of analytics rules (which generate incidents) with automation rules (which respond to incidents), leading them to choose option D, thinking a scheduled query can directly execute actions, whereas it only creates alerts or incidents.

How to eliminate wrong answers

Option A is wrong because UEBA (User and Entity Behavior Analytics) is used to detect anomalous behavior based on historical baselines, not to trigger automated responses to known malicious IPs. Option B is wrong because a Watchlist is a static or dynamic list of data (e.g., IP addresses) used for correlation in analytics rules or queries, but it does not itself execute automated actions like blocking or notifications. Option D is wrong because an analytics rule with a scheduled query generates alerts or incidents based on log data, but it cannot directly run multi-step automated responses; it requires an automation rule or playbook to act on the incident.

117
Multi-Selecthard

A security operations center (SOC) uses Microsoft Sentinel. They want to automate incident response for common alerts. Which THREE components are required to build an automated response? (Choose three.)

Select 3 answers
A.Connectors
B.Workbooks
C.Playbooks
D.Watchlists
E.Automation rules
AnswersA, C, E

Connect to external services.

Why this answer

Connectors are required to ingest security events and alerts into Microsoft Sentinel from various data sources (e.g., Microsoft 365 Defender, Microsoft Entra ID, third-party products). Without connectors, there would be no alerts to trigger automated responses, making them a foundational component for any automated incident response workflow. Playbooks are Azure Logic Apps workflows that carry out the response actions (isolate a device, block an IP, open a ticket), and automation rules are the glue that decides which incidents or alerts trigger which playbook, and in what order.

Exam trap

The trap here is that candidates often confuse Workbooks (visualization) or Watchlists (data enrichment) as components of automation, when in fact they are passive tools that do not execute response actions.

118
Multi-Selecteasy

Which TWO configurations are required to enable Microsoft Defender for Cloud Apps to monitor cloud app usage?

Select 2 answers
A.Add app connectors for the cloud apps you want to monitor
B.Configure Microsoft Intune device compliance policies
C.Deploy Azure Information Protection scanner
D.Synchronize with Microsoft Entra ID
E.Enable Conditional Access App Control
AnswersA, E

App connectors enable API-based monitoring.

Why this answer

A is correct because Microsoft Defender for Cloud Apps requires app connectors to establish API-based connections with cloud applications (e.g., Office 365, Salesforce, AWS). These connectors enable the service to ingest activity logs, file and account information for monitoring and threat detection. Without app connectors, Defender for Cloud Apps cannot reach the cloud app's data to perform its core monitoring functions. E is correct because Conditional Access App Control routes user sessions through the Defender for Cloud Apps proxy, giving session-level visibility and control for apps, including those without an API connector.

Exam trap

The trap here is that candidates often confuse prerequisites (like Microsoft Entra ID sync) with the actual enabling configurations, or they assume device compliance policies (Intune) are required for cloud app monitoring when they are only relevant for conditional access grant controls.

119
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that incident investigations automatically enrich alerts with relevant user and device information from Microsoft Defender XDR and Microsoft Entra ID. What should you configure?

A.Enable Fusion detection for multistage attacks.
B.Create watchlists for user and device information and reference them in analytics rules.
C.Configure automation rules to trigger a playbook on alert creation.
D.Enable User and Entity Behavior Analytics (UEBA) and configure entity behavior settings.
AnswerD

UEBA enriches alerts by correlating user and device activities across data sources.

Why this answer

Option D is correct because UEBA builds behavioural profiles for users and devices from Defender XDR, Entra ID sign-in and audit data, and populates the IdentityInfo, BehaviorAnalytics and related tables that Sentinel uses to enrich alerts and incidents with entity context and anomaly scores. Option C is wrong because automation rules handle incident orchestration; a playbook can be written to enrich, but that is a custom workflow rather than the built-in enrichment asked for. Option B is wrong because watchlists hold static reference data you upload; they do not pull current user and device information from Defender XDR and Entra ID.

Option A is wrong because Fusion is an advanced multistage attack detection engine, not an enrichment feature.

120
MCQeasy

A company wants to monitor and respond to threats across their entire digital estate, including on-premises servers, cloud workloads, and identities. Which Microsoft solution should they use as a central security information and event management (SIEM) and extended detection and response (XDR) platform?

A.Microsoft Intune
B.Microsoft Defender for Cloud
C.Microsoft Sentinel and Microsoft Defender XDR
D.Microsoft Purview
AnswerC

Sentinel provides SIEM, Defender XDR provides XDR.

Why this answer

Option C is correct because Microsoft Sentinel is the SIEM and SOAR, while Microsoft Defender XDR provides XDR across endpoints, email, identities and cloud apps; the two integrate so that Defender XDR incidents flow into Sentinel alongside logs from on-premises servers and cloud workloads. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWP) tool, not a SIEM.

Option A is wrong because Microsoft Intune is for device management. Option D is wrong because Microsoft Purview is for data governance and compliance.

121
MCQhard

The exhibit shows a conditional access policy in Microsoft Entra ID. What will be the effect of this policy?

A.Allow all applications except Office365
B.Block all applications including Office365
C.Allow all applications including Office365
D.Block all applications except Office365
AnswerD

Excluded Office365 is not blocked.

Why this answer

The exhibit shows a Conditional Access policy that includes 'All cloud apps' in the target resources and is configured with a 'Block access' grant control. The 'Exclude' list contains 'Office365', meaning the policy applies to all applications except Office365. Therefore, the effect is to block access to all applications except Office365, making option D correct.

Exam trap

The trap here is that candidates often overlook the 'Exclude' list and assume that selecting 'All cloud apps' with 'Block access' blocks everything, but the exclusion of Office365 means it is not blocked.

How to eliminate wrong answers

Option A is wrong because the policy blocks access, not allows it; 'Allow all applications except Office365' would require an 'Allow' grant control, not 'Block'. Option B is wrong because Office365 is explicitly excluded from the policy, so it is not blocked; 'Block all applications including Office365' would require no exclusion for Office365. Option C is wrong because the policy blocks access, not allows it; 'Allow all applications including Office365' would require an 'Allow' grant control and no block action.
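The two policy readings tested here, and in the 'Block access' versus 'Require MFA' discussion at the top of this page, come down to a few rules: an Exclude entry removes an app from scope even when 'All cloud apps' is selected; a risk condition limits the policy to sign-ins at the listed risk levels; and when several policies match one sign-in, any Block wins, otherwise every matching policy's grant controls must be satisfied. The Python below is an added illustration of those rules, not Microsoft code and not an Entra ID policy export format; the policy objects, app names and risk labels are constructed for the example.

```python
"""Added example: a toy evaluator for the Conditional Access policy shapes on
this page. Not Microsoft code; the objects below are not an Entra ID format."""
from dataclasses import dataclass

RISK_LEVELS = ("none", "low", "medium", "high")


@dataclass
class CAPolicy:
    name: str
    include_apps: frozenset                 # frozenset({"All"}) or explicit app names
    exclude_apps: frozenset = frozenset()
    sign_in_risk: frozenset = frozenset()   # empty = no risk condition
    grant: str = "block"                    # "block" or "mfa"

    def matches(self, app: str, risk: str) -> bool:
        """Scope check: include, then exclude, then the risk condition."""
        if risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {risk!r}")
        in_scope = "All" in self.include_apps or app in self.include_apps
        if app in self.exclude_apps:        # an exclusion always wins over an inclusion
            in_scope = False
        if self.sign_in_risk and risk not in self.sign_in_risk:
            return False
        return in_scope


def evaluate(policies, app, risk="none"):
    """Combine matching policies the way Entra ID does: any 'Block access'
    denies; otherwise every matching grant control must be met (here the only
    other control is MFA); with no matching policy the sign-in proceeds."""
    grants = [p.grant for p in policies if p.matches(app, risk)]
    if "block" in grants:
        return "block"
    if "mfa" in grants:
        return "require_mfa"
    return "allow"


# Constructed policies mirroring the exhibits discussed on this page.
BLOCK_ALL_EXCEPT_O365 = CAPolicy(
    name="Block all cloud apps except Office 365",
    include_apps=frozenset({"All"}),
    exclude_apps=frozenset({"Office365"}),
    grant="block")

BLOCK_RISKY_SIGNINS = CAPolicy(
    name="Block medium and high sign-in risk",
    include_apps=frozenset({"All"}),
    sign_in_risk=frozenset({"medium", "high"}),
    grant="block")

MFA_FOR_O365 = CAPolicy(
    name="Require MFA for Office 365",
    include_apps=frozenset({"Office365"}),
    grant="mfa")

if __name__ == "__main__":
    all_policies = [BLOCK_ALL_EXCEPT_O365, BLOCK_RISKY_SIGNINS, MFA_FOR_O365]
    for app, risk in (("Office365", "none"), ("Salesforce", "none"), ("Office365", "medium")):
        print(app, risk, "->", evaluate(all_policies, app, risk))
```

With only the first policy in place, Office365 is allowed and every other app is blocked, which is the exhibit's effect. Adding the risk policy shows why 'Block access' at medium/high risk never prompts for MFA: a low-risk sign-in to Office365 gets the MFA requirement from the third policy, while a medium-risk one is blocked outright regardless of the MFA policy.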

122
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to automatically create incidents in Sentinel for high-severity alerts from Defender XDR. You also want to suppress low-severity alerts to reduce noise. What should you configure?

A.Configure the Microsoft Defender XDR connector to create incidents only for high severity.
B.Configure an automation rule to create incidents for all alerts.
C.Create a playbook that triggers on alerts and creates incidents.
D.Create a scheduled analytics rule that queries Defender XDR alerts with severity filter and creates incidents.
AnswerD

Scheduled rules can create incidents from alerts with severity filtering.

Why this answer

Option D is correct because you can create a scheduled analytics rule that filters by severity and maps alerts to incidents. Option B is wrong because automation rules can create incidents but are not the primary method for ingesting alerts. Option C is wrong because a playbook would be reactive.

Option A is wrong because such an incident creation rule does not exist.

123
MCQmedium

Your company uses Microsoft Intune to manage corporate devices. You need to design a compliance policy that requires devices to have a minimum OS version, be encrypted, and not be jailbroken or rooted. Additionally, you want to automatically block non-compliant devices from accessing corporate email. What should you configure?

A.Intune compliance policies and Conditional Access
B.Device configuration profiles and Azure AD join
C.App protection policies and Microsoft Defender for Endpoint
D.Device enrollment restrictions
AnswerA

Compliance policies evaluate device health; Conditional Access blocks non-compliant devices from accessing corporate resources.

Why this answer

Option A is correct because Intune compliance policies define device requirements (OS version, encryption, jailbreak status), and Conditional Access policies can block access to corporate resources like email for non-compliant devices. Option B is wrong because configuration profiles set settings but do not enforce access control. Option D is wrong because device enrollment restrictions limit which devices can enroll, not access after enrollment.

Option C is wrong because app protection policies protect data at the app level, not device-level compliance.

124
MCQhard

Your company is deploying a new line-of-business application in Azure that must comply with PCI DSS. The application uses Azure SQL Database. You need to design a solution to encrypt sensitive data at rest and in transit, and to audit access to sensitive columns. Which combination of Microsoft security capabilities should you recommend?

A.Dynamic Data Masking and Azure SQL Firewall rules
B.Transparent Data Encryption, Always Encrypted, and Azure SQL Auditing
C.Azure Policy and Microsoft Defender for Cloud
D.Azure Storage Service Encryption and Azure Key Vault
AnswerB

TDE encrypts the entire database at rest, Always Encrypted protects specific columns with client-side keys, and auditing logs access to sensitive data.

Why this answer

Option B is correct because Transparent Data Encryption (TDE) encrypts the SQL database at rest, Always Encrypted protects sensitive columns in transit and at rest by ensuring encryption keys are never exposed to the database engine, and Azure SQL Auditing logs all access to sensitive columns for compliance with PCI DSS requirements.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking with encryption, but masking does not protect data at rest or in transit and can be bypassed by privileged users, whereas Always Encrypted and TDE provide true encryption required by PCI DSS.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking only obfuscates data at query time for unauthorized users but does not encrypt data at rest or in transit, and Azure SQL Firewall rules control network access but do not provide encryption or auditing. Option C is wrong because Azure Policy enforces compliance rules and Microsoft Defender for Cloud provides threat detection, but neither directly encrypts data at rest or in transit nor audits column-level access. Option D is wrong because Azure Storage Service Encryption applies only to Azure Blob and File storage, not to Azure SQL Database, and Azure Key Vault is a key management service that must be paired with an encryption mechanism like TDE or Always Encrypted to actually encrypt data.
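The three capabilities the answer combines, wired up with the Az.Sql and SqlServer PowerShell modules as an added example (not code from the page); the resource names, the Key Vault key URL, the Log Analytics workspace and the Payments table and CardNumber column are assumed placeholders.

```powershell
# Added example: TDE at rest, Always Encrypted on the card-number column, and SQL Auditing
# narrowed to the table holding cardholder data. All names below are assumed placeholders.
$rg     = "rg-payments"
$srv    = "sql-payments"
$db     = "paymentsdb"
$law    = "/subscriptions/<sub-id>/resourceGroups/rg-payments/providers/Microsoft.OperationalInsights/workspaces/law-sec"
$akvKey = "https://<vault-name>.vault.azure.net/keys/cmk-payments/<version>"

# 1. Transparent Data Encryption: the whole database is encrypted at rest. New Azure SQL
#    databases have it on by default; setting it explicitly keeps the PCI DSS control auditable.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName $db -State Enabled

# 2. Always Encrypted: column master key (CMK) in Key Vault, column encryption key (CEK),
#    then encrypt the column. The database engine never sees plaintext or the CMK.
Import-Module SqlServer
Add-SqlAzureAuthenticationContext -Interactive
$connStr  = "Server=tcp:$srv.database.windows.net,1433;Database=$db;Authentication=Active Directory Interactive;Encrypt=True"
$database = Get-SqlDatabase -ConnectionString $connStr

$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $akvKey
New-SqlColumnMasterKey     -Name "CMK_Payments" -InputObject $database -ColumnMasterKeySettings $cmkSettings
New-SqlColumnEncryptionKey -Name "CEK_Payments" -InputObject $database -ColumnMasterKey "CMK_Payments"

# Deterministic encryption keeps equality lookups on the column possible; use Randomized
# for columns that are never searched, since it leaks nothing about equal values.
$columnSettings = New-SqlColumnEncryptionSettings -ColumnName "dbo.Payments.CardNumber" `
    -EncryptionType "Deterministic" -EncryptionKey "CEK_Payments"
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $columnSettings -LogFileDirectory .

# 3. Azure SQL Auditing to Log Analytics, filtered to the sensitive table so every statement
#    touching cardholder data is recorded without flooding the workspace.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $law `
    -AuditActionGroup "BATCH_COMPLETED_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" `
    -PredicateExpression "object_name = 'Payments'"
```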

125
Multi-Selecthard

A company wants to implement hybrid identity with Microsoft Entra ID. Which TWO components are required for password hash synchronization? (Choose two.)

Select 2 answers
A.Microsoft Entra Connect
B.Microsoft Entra Domain Services
C.Password hash synchronization feature enabled in Entra Connect
D.Microsoft Entra ID Protection
E.Azure AD Application Proxy
AnswersA, C

Synchronization tool.

Why this answer

Microsoft Entra Connect is the on-premises tool that orchestrates synchronization between Active Directory and Microsoft Entra ID. It is required because password hash synchronization (PHS) is a feature within Entra Connect that reads password hashes from on-premises AD and syncs them to Entra ID, enabling seamless authentication without federated services.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra Domain Services' (a managed domain service) with 'Microsoft Entra Connect' (the sync tool), or they think enabling the feature alone is sufficient without the sync engine, but both the tool and the feature toggle are required.

126
MCQhard

A multinational company uses Microsoft Purview for data governance. They need to automatically classify sensitive data in Microsoft 365 and apply retention labels. The solution must use pattern-based detection for credit card numbers and support custom keywords. What should they configure?

A.Use a trainable classifier for credit card numbers.
B.Create a custom sensitive info type with a regex pattern and keyword list.
C.Configure a DLP policy with a rule for credit card numbers.
D.Create a retention label with auto-labeling policy.
AnswerB

Custom sensitive info types allow pattern-based detection and custom keywords.

Why this answer

Option B is correct because sensitive info types can be custom-defined with patterns and keywords. Option D is wrong because retention labels are applied after classification. Option A is wrong because trainable classifiers use machine learning, not fixed patterns.

Option C is wrong because DLP policies enforce actions but don't classify.

127
MCQeasy

A company uses Microsoft Sentinel and wants to use a built-in connector to ingest logs from Amazon Web Services (AWS). Which connector should they use?

A.ServiceNow connector
B.Azure Policy for AWS
C.Office 365 connector
D.Amazon Web Services S3 connector
AnswerD

This is the built-in connector for AWS logs.

Why this answer

The Amazon Web Services (AWS) S3 connector is the correct built-in connector in Microsoft Sentinel for ingesting logs from AWS. It works by configuring AWS to send logs (such as CloudTrail, VPC Flow Logs, or GuardDuty findings) to an S3 bucket, which Sentinel then polls via the S3 REST API using an IAM role for secure, cross-account access. This is the native, supported method for log ingestion from AWS into Sentinel.

Exam trap

The trap here is that candidates may confuse Azure Policy for AWS (which is a governance tool, not a log ingestion connector) with a valid data source, or assume that a generic connector like ServiceNow could be adapted for AWS log ingestion, when only the AWS S3 connector is the built-in, purpose-built option.

How to eliminate wrong answers

Option A is wrong because the ServiceNow connector is designed to ingest security incidents and IT service management data from ServiceNow, not logs from AWS. Option B is wrong because Azure Policy for AWS is a governance and compliance feature that applies Azure Policy definitions to AWS resources via Azure Arc, not a log ingestion connector for Sentinel. Option C is wrong because the Office 365 connector ingests audit logs and activity data from Microsoft 365 services, not from AWS.

128
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a unified security operations platform. Which THREE capabilities should you enable?

Select 3 answers
A.Azure Policy for security controls
B.Microsoft Purview Information Protection
C.Microsoft Defender XDR incident integration with Sentinel
D.Microsoft Sentinel SIEM
E.Microsoft Sentinel UEBA (User and Entity Behavior Analytics)
AnswersC, D, E

Integrating Defender XDR incidents into Sentinel provides a unified view.

Why this answer

Option C is correct because Microsoft Defender XDR incident integration with Sentinel creates a unified security operations platform by automatically synchronizing high-fidelity alerts and incidents from Defender XDR into Sentinel. This enables security teams to correlate endpoint, email, identity, and cloud app signals within a single SIEM, reducing alert fatigue and accelerating incident response through automated orchestration.

Exam trap

The trap here is that candidates may confuse Azure Policy (a compliance tool) or Purview Information Protection (a data protection tool) with core security operations capabilities, when the question specifically asks for capabilities that unify detection and response across a SIEM and XDR platform.

129
MCQhard

Refer to the exhibit. An administrator runs this Microsoft Graph PowerShell command to retrieve an access review policy. The review is set to run quarterly but no recurrence is shown in the output. The review has not started. What is the most likely cause?

A.The reviewer is a single user, which is not allowed.
B.The autoReviewEnabled setting is false, preventing the review from starting.
C.The recurrence property is null, so the review is not scheduled.
D.The scope query is for groups, but the review should be for users.
AnswerC

Recurrence must be set for scheduled reviews.

Why this answer

The output shows the recurrence property as null, which means the review is not configured with a recurrence schedule. Even though the administrator intended a quarterly review, without a valid recurrence object (including type, durationInDays, and startDate), the review will not be scheduled to run automatically. This is the most direct cause of the missing recurrence in the output.

Exam trap

The trap here is that candidates may confuse the autoReviewEnabled setting with scheduling or recurrence, or assume that a single-user reviewer is invalid, when in fact the absence of a properly defined recurrence object is the root cause.

How to eliminate wrong answers

Option A is wrong because a single user can be a reviewer in an access review; there is no restriction that prevents a single user from being assigned as a reviewer. Option B is wrong because autoReviewEnabled controls whether the review applies decisions automatically after the review duration ends, not whether the review starts or is scheduled. Option D is wrong because the scope query for groups is valid for access reviews that target group memberships; the review can be scoped to groups without requiring the scope to be for individual users.

130
MCQeasy

A company uses Microsoft Sentinel for security operations. The security team wants to automatically create an incident in Microsoft Sentinel when Microsoft Defender for Cloud detects a high-severity vulnerability on a virtual machine. What should the security team configure?

A.Create an automation rule in Microsoft Sentinel.
B.Create a playbook in Microsoft Sentinel.
C.Create a watchlist in Microsoft Sentinel.
D.Create an analytics rule with a rule template that maps to the Defender for Cloud alert.
AnswerD

Analytics rules generate incidents from alerts.

Why this answer

Option D is correct because Microsoft Sentinel can ingest high-severity vulnerability alerts from Microsoft Defender for Cloud via the SecurityAlert analytics rule template. When you enable this built-in rule template, Sentinel automatically creates an incident for each Defender for Cloud alert that matches the configured severity (e.g., High). This is the native, out-of-the-box method to convert Defender for Cloud alerts into Sentinel incidents without requiring custom logic or external orchestration.

Exam trap

The trap here is that candidates confuse automation rules (which act on existing incidents) with analytics rules (which generate incidents from raw data), leading them to pick Option A instead of D.

How to eliminate wrong answers

Option A is wrong because automation rules in Sentinel execute actions (e.g., assign owner, change status) on incidents that already exist; they cannot create incidents from external alerts. Option B is wrong because a playbook is a workflow of automated responses (e.g., sending an email, triggering a ticket) that runs after an incident is created, not a mechanism to generate the incident itself. Option C is wrong because a watchlist is a static reference table (e.g., list of high-value assets) used for correlation or enrichment in analytics rules; it does not create incidents from Defender for Cloud alerts.

131
Multi-Selecteasy

A company needs to ensure that only authorized users can access sensitive data in Microsoft SharePoint Online. Which TWO controls can be used? (Choose two.)

Select 2 answers
A.Sensitivity labels
B.Retention policies
C.Microsoft Entra ID Governance access reviews
D.Conditional Access policies
E.Data loss prevention policies
AnswersC, D

Review and certify access.

Why this answer

Options C and D are correct: Conditional Access policies restrict access based on conditions, and Microsoft Entra ID Governance access reviews ensure that access stays authorized. Option A is wrong because sensitivity labels are for classification and protection, not access control. Option B is wrong because retention policies are for data retention, not access.

Option E is wrong because DLP policies prevent data loss; they do not control access.

132
MCQhard

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. The security team needs a solution that automatically investigates low-fidelity alerts and creates incidents only when confirmed malicious. Which Microsoft Sentinel feature should you configure?

A.Automation rules with playbooks
B.Entity behavior analytics (UEBA) with automated investigation
C.Machine Learning (ML) based anomaly detection
D.Custom analytic rules
AnswerB

UEBA profiles entities and can trigger automated investigation for low-fidelity alerts.

Why this answer

Entity behavior analytics (UEBA) with automated investigation is the correct choice because it profiles normal user and entity behavior, then automatically investigates low-fidelity alerts by correlating them with historical baselines. When the investigation confirms malicious activity, it escalates to an incident, reducing noise and manual triage.

Exam trap

The trap here is that candidates often confuse automation rules (which respond after an incident) with the automated investigation capability (which runs before incident creation), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because automation rules with playbooks are designed to trigger automated responses (e.g., blocking an IP) after an incident is created, not to perform the initial investigation and confirmation of low-fidelity alerts. Option C is wrong because ML-based anomaly detection identifies unusual patterns but does not include the automated investigation workflow that confirms maliciousness before incident creation. Option D is wrong because custom analytic rules create incidents directly from log queries without the built-in investigation and confirmation step that UEBA with automated investigation provides.

133
MCQeasy

Your organization wants to use Microsoft Defender XDR to automatically investigate and respond to alerts. You need to ensure that the solution can autonomously remediate confirmed threats on endpoints, such as quarantining files and isolating devices. What should you enable?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Office 365
AnswerC

Defender for Endpoint provides automated investigation and remediation, including file quarantine and device isolation.

Why this answer

Option C is correct because Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can quarantine files and isolate devices. Option D is wrong because Microsoft Defender for Office 365 focuses on email and collaboration threats. Option B is wrong because Microsoft Defender for Cloud Apps is for SaaS app security.

Option A is wrong because Microsoft Defender for Identity is for on-premises AD threats.

134
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview Information Protection?

Select 3 answers
A.Preventing data loss via DLP policies
B.Classifying data using trainable classifiers
C.Detecting risky user activities with Insider Risk Management
D.Automatically classifying and labeling data based on conditions
E.Applying sensitivity labels to documents and emails
AnswersB, D, E

Trainable classifiers can identify data patterns for classification.

Why this answer

Option B is correct because Microsoft Purview Information Protection includes trainable classifiers that use machine learning to intelligently identify sensitive content based on patterns and context, not just keywords. These classifiers can be trained with sample data to improve accuracy, enabling automated classification of documents and emails without requiring manual rule creation.

Exam trap

The trap here is that candidates confuse the overlapping capabilities of Microsoft Purview solutions—specifically, they attribute DLP enforcement (Option A) or Insider Risk Management (Option C) to Information Protection, when those belong to separate Purview modules.

135
Multi-Selecthard

Your organization uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to design a solution that automatically applies a 'Confidential' sensitivity label to documents that contain credit card numbers and are shared externally. The solution should also generate an alert when this occurs. Which two configurations should you implement? (Choose TWO.)

Select 2 answers
A.Configure a Microsoft Sentinel analytics rule that queries audit logs for external sharing of labeled documents and generates an incident.
B.Create a Conditional Access policy in Microsoft Entra ID that requires device compliance when accessing documents labeled 'Confidential'.
C.Configure a Microsoft Purview Data Loss Prevention (DLP) policy that blocks the sharing of documents containing credit card numbers.
D.Create a Microsoft Purview auto-labeling policy that includes the 'Credit Card Number' sensitive info type and specifies the 'Confidential' label.
E.Create a Microsoft Defender for Cloud Apps app governance policy that monitors file sharing and triggers an alert when a document with a 'Confidential' label is shared externally.
AnswersD, E

Auto-labeling policies can automatically apply labels based on content inspection.

Why this answer

Options D and E are correct because an auto-labeling policy in Microsoft Purview can scan for sensitive info types (credit card numbers) and apply labels, and an app governance policy in Defender for Cloud Apps can detect sharing to external domains and trigger alerts. Option C (data loss prevention) is for blocking, not labeling. Option B (Conditional Access) controls access, not labeling.

Option A (Microsoft Sentinel analytics rule) could generate alerts but is not the primary mechanism for labeling.

136
MCQmedium

Your organization uses Microsoft Purview Information Protection to label sensitive documents. You need to ensure that documents containing personally identifiable information (PII) are automatically labeled when saved in SharePoint Online. What should you configure?

A.Create a retention label with auto-labeling rule.
B.Publish a sensitivity label with auto-labeling for SharePoint.
C.Configure an auto-labeling policy for sensitivity labels targeting SharePoint.
D.Set up a DLP policy to detect PII and apply a label.
AnswerC

Auto-labeling policies can automatically apply sensitivity labels to documents in SharePoint.

Why this answer

Option C is correct because auto-labeling policies can scan content in SharePoint and apply labels automatically. Option B is wrong because a published sensitivity label requires manual application or client-side auto-labeling. Option A is wrong because retention labels are for retention, not sensitivity.

Option D is wrong because DLP policies enforce actions but don't label.

137
MCQhard

Your organization uses Microsoft Purview and needs to automatically apply a retention label to all documents containing personally identifiable information (PII) in SharePoint Online. What should you configure?

A.Auto-labeling policy
B.Data loss prevention (DLP) policy
C.Service-side sensitivity label
D.Trainable classifier
AnswerA

Auto-labeling policies can automatically apply retention labels based on sensitive info types, such as PII.

Why this answer

Auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels or retention labels based on sensitive info types, so option A is correct. Option B is wrong because data loss prevention (DLP) policies prevent sharing; they do not apply labels.

Option D is wrong because trainable classifiers require custom training. Option C is wrong because service-side sensitivity labels apply labels based on the label of the parent site or document library.

138
MCQhard

Your organization uses Microsoft Defender for Cloud to secure multi-cloud resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources without manual intervention. What should you configure?

A.Azure Policy initiatives with remediation tasks
B.Set a Secure Score target and alert on changes
C.Use Quick Fix remediation for security recommendations and enable automation
D.Enable automatic provisioning of Log Analytics agent
AnswerC

Quick Fix allows one-click remediation, and automation can trigger it automatically.

Why this answer

Option C is correct because Quick Fix remediation combined with automation can auto-remediate recommendations. Option A is incorrect because Azure Policy can enforce but requires additional setup. Option D is incorrect because Defender for Cloud's automatic provisioning is for agents.

Option B is incorrect because Secure Score does not remediate.

139
MCQmedium

The exhibit shows a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A.Find alerts that were not investigated
B.Analyze entities associated with alerts
C.Identify the most frequent high-severity alerts over the past week
D.Correlate alerts by time and alert name
AnswerC

Summarizes counts and orders by highest count.

Why this answer

The query uses `summarize` with `count()` and `top 5 by count_ desc` to rank alert names by frequency, filtered to `AlertSeverity == 'High'` and `TimeGenerated > ago(7d)`. This directly identifies the most common high-severity alerts over the past week, making option C correct.

Exam trap

The trap here is that candidates may misinterpret the `bin(TimeGenerated, 1h)` as correlating alerts by time and name (option D), but the query only aggregates counts per alert name, not correlating alerts across different time windows or names.

How to eliminate wrong answers

Option A is wrong because the query does not include any field or filter related to investigation status (e.g., `Status == 'New'` or `InvestigationState`), so it cannot find alerts that were not investigated. Option B is wrong because the query only aggregates `AlertName` and does not expand or analyze entity fields (e.g., `Entities`, `Account`, `IP`), so it cannot analyze entities associated with alerts. Option D is wrong because the query does not group or correlate by both time and alert name; it uses `bin(TimeGenerated, 1h)` only for time bucketing but does not correlate alerts across time windows or alert names—it simply counts occurrences per alert name.

140
MCQmedium

Your organization uses Microsoft Purview to protect sensitive data. You need to create a sensitivity label that automatically encrypts documents containing credit card numbers when they are shared externally. Which configuration should you use?

A.Create a trainable classifier to detect credit cards
B.Create an auto-labeling policy that applies a label with encryption for external sharing
C.Create a default label policy for SharePoint
D.Create a manual sensitivity label that users apply
AnswerB

Automatically detects credit card numbers and applies encryption when shared externally.

Why this answer

Auto-labeling in Purview can be configured to apply a sensitivity label based on sensitive info types like credit card numbers. The label should have encryption enabled for external sharing. The other options describe different scenarios: manual labeling, default labeling, or classification without encryption.

141
MCQmedium

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that automatically remediates non-compliant devices by running a remediation script. Which Intune component should you use?

A.Remediation policy in Microsoft Intune
B.Device compliance policy
C.App protection policy
D.Device configuration profile
AnswerA

Remediation policies automatically run scripts to fix non-compliance.

Why this answer

Option A is correct because Intune remediation policies (part of device management) allow you to automatically run scripts to fix non-compliant settings. Option B (compliance policy) sets rules but does not run scripts. Option D (configuration profile) deploys settings.

Option C (app protection policy) is for app data.

142
Multi-Selectmedium

You need to design a compliance solution using Microsoft Purview that automatically detects and protects credit card numbers in emails and documents. Which TWO features should you include? (Choose two.)

Select 2 answers
A.Data Loss Prevention (DLP) policies to detect and block credit card numbers.
B.Retention labels to retain credit card data for a specified period.
C.Auto-labeling policies to apply sensitivity labels to credit card data.
D.Trainable classifiers to identify credit card numbers.
E.eDiscovery to search for credit card numbers.
AnswersA, C

DLP can detect sensitive data and enforce protective actions.

Why this answer

Option A is correct because DLP policies can detect sensitive data and enforce actions. Option C is correct because auto-labeling can apply sensitivity labels. Option B is wrong because retention labels are for retention, not protection.

Option D is wrong because trainable classifiers can be used for pattern detection, but DLP and auto-labeling are more direct. Option E is wrong because eDiscovery is for search and legal hold.

143
Multi-Selecthard

Which THREE capabilities are part of Microsoft Purview's insider risk management solution? (Choose three.)

Select 3 answers
A.Communication compliance policies for monitoring emails.
B.Forensic evidence capturing user activity on devices.
C.Data Loss Prevention policies that block sensitive data.
D.Policy templates for data theft by departing users.
E.Indicators that detect unauthorized data exfiltration.
AnswersB, D, E

Forensic evidence is part of insider risk management.

Why this answer

Options B, D, and E are correct. Option E is correct because indicators for data leaks are a core capability. Option B is correct because forensic evidence captures user activity.

Option D is correct because policy templates exist for data theft by departing users. Option C is incorrect because DLP is a separate solution. Option A is incorrect because communication compliance is a different solution.

144
MCQmedium

Your organization uses Microsoft Purview to govern sensitive data. You need to design a solution that automatically detects and protects credit card numbers in emails and documents stored in Microsoft 365. The solution should also provide data loss prevention (DLP) policy tips to users when they try to share such data externally. What should you configure?

A.Sensitivity labels with auto-classification
B.Microsoft Purview Data Loss Prevention policies
C.Microsoft 365 compliance center
D.Microsoft Information Protection unified labeling
AnswerB

DLP policies can detect sensitive data and display policy tips to users when they attempt to share it externally.

Why this answer

Option B is correct because Microsoft Purview DLP policies can detect sensitive info types (e.g., credit card numbers) and show policy tips to users. Option A is wrong because sensitivity labels are for classification and protection but do not provide real-time DLP policy tips. Option D is wrong because Microsoft Information Protection (MIP) unified labeling is part of Purview but is not specifically for DLP tips.

Option C is wrong because the Microsoft 365 compliance center is the portal, not a specific feature.

145
MCQeasy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should you use?

A.Azure AD device registration
B.Conditional Access with the 'Require device to be marked as compliant' grant
C.Multi-factor authentication
D.Intune device compliance policy
AnswerB

Enforces compliance before access to Exchange Online.

Why this answer

Conditional Access policies in Entra ID can require that devices be marked as compliant with Intune compliance policies before granting access to cloud apps like Exchange Online. The other options are not correct: a device compliance policy is an Intune policy, not an Entra ID feature; MFA is an authentication control, not a compliance check; and Azure AD device registration establishes device identity, not compliance.

146
Multi-Selecthard

Your organization is using Microsoft Sentinel to detect advanced threats. You need to ensure that alerts from Microsoft Defender XDR are automatically synchronized with Sentinel and that incidents are created. Which THREE components are required?

Select 3 answers
A.Entity behavior analytics (UEBA)
B.Microsoft Defender XDR data connector
C.Automation rule to trigger playbook
D.Analytic rule to create incidents from alerts
E.Automation rule to set incident severity
AnswersB, D, E

Data connector ingests alerts and incidents from Defender XDR.

Why this answer

The Microsoft Defender XDR data connector (Option B) is required because it is the specific integration point that ingests alerts and raw signals from Microsoft 365 Defender into Microsoft Sentinel. Without this connector, there is no automated synchronization of Defender XDR alerts into the Sentinel workspace.

Exam trap

The trap here is that candidates often confuse the data connector (which brings in the raw alerts) with the analytic rule (which creates incidents from those alerts), and mistakenly think that UEBA or a playbook automation rule is mandatory for the synchronization process.

147
MCQmedium

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled but users report they can still sign in from high-risk sessions. What is the most likely reason?

A.The policy is not applied to all cloud apps.
B.The policy is in report-only mode.
C.The grant control operator is set to 'OR' instead of 'AND' with multiple controls.
D.The policy excludes guest users by default.
AnswerC

With 'OR' and only 'block', it still blocks if risk conditions are met, but real-time risk evaluation may not be immediate.

Why this answer

Option C is correct because the policy uses 'OR' for its grant controls, meaning only one of the selected controls must be satisfied. 'Block' is the only control, but risk levels must still be evaluated. If risk levels are not computed in real time, the policy may not trigger. Option D is incorrect because the policy includes guest users.

Option A is incorrect because 'All' cloud apps already covers every app. Option B is incorrect because the policy state is enabled, not report-only.

148
Multi-Select · hard

Your company is deploying Microsoft Defender XDR. You need to design a solution that uses advanced hunting to proactively search for threats. Which THREE data sources should be included in the advanced hunting schema to enable comprehensive threat hunting across endpoints, identities, and cloud apps?

Select 3 answers
A.EmailEvents
B.AzureActivity
C.CloudAppEvents
D.IdentityInfo
E.DeviceEvents
Answers: C, D, E

Captures events from Microsoft Defender for Cloud Apps, covering SaaS app activity.

Why this answer

Options C, D, and E are correct because they represent key data sources in Defender XDR advanced hunting. Option D: IdentityInfo provides identity context. Option E: DeviceEvents captures endpoint activities.

Option C: CloudAppEvents provides cloud app activity. Option A is wrong because EmailEvents belongs to Defender for Office 365 and is not a core advanced hunting table in Defender XDR; it is available in Microsoft 365 Defender advanced hunting, but the question asks for core sources. Option B is wrong because AzureActivity is not part of the Defender XDR schema; it is an Azure Monitor table.

149
MCQ · hard

Your organization is implementing a zero-trust security model. You need to design a solution that continuously verifies user identity, device compliance, and access context before granting access to corporate resources. The solution should also support risk-based policies. Which Microsoft security capability should be at the core of this design?

A.Microsoft Defender for Identity
B.Microsoft Entra ID Conditional Access
C.Microsoft Sentinel
D.Microsoft Intune
Answer: B

Conditional Access is the central policy engine that incorporates user, device, location, and risk signals to enforce zero-trust access.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access is the core policy engine that evaluates signals (user, device, location, risk) to enforce access decisions. Option A is wrong because Microsoft Defender for Identity is a threat detection solution for on-premises AD, not a policy engine. Option D is wrong because Microsoft Intune manages devices but does not itself enforce Conditional Access policies.

Option C is wrong because Microsoft Sentinel is a SIEM/SOAR, not an access control engine.

150
MCQ · medium

Your organization uses Microsoft Intune for mobile device management and Microsoft Entra ID for identity. You are designing a solution to ensure that only devices that are compliant with security policies can access corporate resources. The requirements are: 1) Devices must have a minimum OS version. 2) Devices must have encryption enabled. 3) Devices must not be jailbroken or rooted. 4) Access to corporate apps must be blocked if the device is non-compliant. 5) The solution should automatically remediate non-compliant devices when possible. You need to recommend the minimum configuration. What should you do?

A.Configure Microsoft Purview Compliance Manager to assess compliance and block access.
B.Create an app protection policy in Intune that requires minimum OS and encryption.
C.Create a device compliance policy in Intune with the required settings, and create a Conditional Access policy that requires compliant devices.
D.Create a device configuration policy in Intune for the settings, and use Azure AD Identity Protection to block access.
Answer: C

Compliance policies define requirements; Conditional Access enforces them.

Why this answer

Option C is correct because Intune compliance policies define the requirements, and Conditional Access enforces access. Automatic remediation can be configured in compliance policies for some settings. Option B is incorrect because app protection policies do not enforce device-level compliance.

Option D is incorrect because device configuration policies do not enforce compliance. Option A is incorrect because Compliance Manager alone does not enforce access.
