CCNA Secops Identity Compliance Questions

75 of 231 questions · Page 1/4 · Secops Identity Compliance topic · Answers revealed

1
MCQ · medium

Refer to the exhibit. You run the PowerShell command in Microsoft Entra ID to find compliance roles. You need to assign the Compliance Administrator role to a user. What is the correct parameter to use in the Add-AzureADMSRoleAssignment cmdlet?

A. -ObjectId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
B. -RoleName "Compliance Administrator"
C. -RoleId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
D. -RoleDefinitionId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
Answer: D

The correct parameter to specify the role ID.

Why this answer

The `Add-AzureADMSRoleAssignment` cmdlet requires the `-RoleDefinitionId` parameter to specify the role by its unique identifier (GUID). The exhibit shows that the Compliance Administrator role has the ObjectId `173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c`, which is the role's definition ID, not a user or group object ID. Therefore, option D correctly uses `-RoleDefinitionId` with that GUID.

Exam trap

The trap here is that candidates confuse the `-ObjectId` parameter (which identifies the assignee) with the role's identifier, or assume a friendly `-RoleName` parameter exists, when in fact the cmdlet strictly requires the role's GUID via `-RoleDefinitionId`.

How to eliminate wrong answers

Option A is wrong because `-ObjectId` is used to specify the user or group receiving the role assignment, not the role itself. Option B is wrong because `-RoleName` is not a valid parameter for `Add-AzureADMSRoleAssignment`; the cmdlet does not accept a role name string. Option C is wrong because `-RoleId` is not a parameter of `Add-AzureADMSRoleAssignment`; the correct parameter for the role's GUID is `-RoleDefinitionId`.
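The assignment described in this question, written out as an added example (not part of the question bank). It assumes the AzureAD PowerShell module is installed and uses a placeholder user principal name; the role GUID is the one shown in the question's exhibit.

```powershell
# Added example: assign a directory role by its role definition GUID.
# Assumes the AzureAD module; 'alice@contoso.example' is a placeholder assignee.
Connect-AzureAD

$assigneeUpn = 'alice@contoso.example'

# Reproduce the exhibit's lookup: find the role definition by display name.
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Compliance Administrator'"

# Resolve the assignee to its object ID (this is what -PrincipalId expects;
# -ObjectId on other cmdlets refers to the user or group, never to the role).
$user = Get-AzureADUser -ObjectId $assigneeUpn

# -RoleDefinitionId carries the role's GUID; -PrincipalId carries the assignee;
# -DirectoryScopeId '/' makes the assignment tenant-wide.
Add-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id `
                            -PrincipalId $user.ObjectId `
                            -DirectoryScopeId '/'

# Verify the change: list this principal's assignments and confirm the role is present.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }
```

The AzureAD module is being retired in favour of Microsoft Graph PowerShell, where the equivalent call is New-MgRoleManagementDirectoryRoleAssignment with the same three concepts (role definition ID, principal ID, directory scope).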

2
MCQ · medium

Your organization is a large healthcare provider that uses Microsoft 365 and Azure. You need to design a compliance solution that meets HIPAA requirements. The solution must automatically classify and protect electronic protected health information (ePHI) in Exchange Online, SharePoint Online, and OneDrive for Business. It must also provide reports on data access and sharing activities for auditors. The following requirements must be met: (1) Detect ePHI using built-in sensitive info types, (2) Apply encryption automatically to emails containing ePHI, (3) Prevent unauthorized sharing of ePHI in SharePoint, (4) Generate activity reports for auditors, (5) Use machine learning to improve classification accuracy. Which Microsoft Purview capabilities should you use?

A. Information Protection and Insider Risk Management
B. Compliance Manager and eDiscovery
C. eDiscovery and Communication Compliance
D. Data Loss Prevention (DLP) and Audit
Answer: D

DLP detects ePHI, encrypts emails, blocks sharing; Audit provides activity reports.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) can detect ePHI using HIPAA sensitive info types, automatically encrypt emails, and block unauthorized sharing in SharePoint. Audit logs in Purview provide activity reports. Machine learning in Purview Information Protection improves classification.

Option A is wrong because Compliance Manager is for assessments, not protection. Option B is wrong because Information Protection alone does not prevent sharing. Option D is wrong because eDiscovery is for legal discovery, not real-time protection.

3
MCQ · medium

Your company uses Microsoft Defender for Cloud Apps and wants to prevent users from uploading sensitive files to personal cloud storage apps. What should you configure?

A. Activity policy
B. App connector
C. Session policy
D. File policy
Answer: C

Session policies control user activities in real time, including blocking uploads to unsanctioned apps.

Why this answer

Session policy in Microsoft Defender for Cloud Apps allows real-time monitoring and control of user activities based on app and content inspection. By configuring a session policy, you can block or restrict uploads of sensitive files to personal cloud storage apps like Dropbox or Google Drive during the user's session, leveraging reverse proxy capabilities to inspect and intervene in traffic.

Exam trap

The trap here is that candidates confuse 'File policy' (which governs files at rest) with 'Session policy' (which governs files in motion), leading them to select D, even though real-time upload prevention requires session-level control via reverse proxy.

How to eliminate wrong answers

Option A is wrong because Activity policies are used for auditing and generating alerts on specific activities (e.g., multiple failed logins), not for real-time blocking of file uploads. Option B is wrong because App connectors enable API-based visibility and control for connected apps (e.g., retrieving logs), but they cannot intercept and block uploads in real time during a user session. Option D is wrong because File policies are designed for scanning and governing files already stored in cloud apps (e.g., detecting DLP violations in SharePoint), not for preventing uploads at the point of action.

4
MCQ · easy

Your company uses Microsoft Purview Data Loss Prevention (DLP). You need to ensure that credit card numbers are not shared externally via email. What should you configure?

A. Create a sensitivity label that applies encryption to emails containing credit card numbers.
B. Create a DLP policy that detects credit card numbers and blocks external sharing.
C. Configure auto-labeling for credit card numbers in Microsoft 365.
D. Create a retention policy for credit card data.
Answer: B

DLP policies can detect sensitive data and enforce actions like block.

Why this answer

Option A is correct because DLP policies can detect sensitive information like credit card numbers and block external sharing. Option B is incorrect because sensitivity labels are for classification, not blocking. Option C is incorrect because retention policies manage retention, not sharing.

Option D is incorrect because auto-labeling applies labels, but DLP enforces actions.

5
Multi-Select · hard

A company uses Microsoft Defender for Cloud to secure multicloud environments. They want to assess compliance with SOC 2. Which THREE steps should they take?

Select 3 answers
A. Enable just-in-time (JIT) VM access
B. Monitor the secure score for SOC 2 recommendations
C. Set up continuous export to send compliance data to a third-party GRC tool
D. Create Azure Policy definitions for SOC 2 controls
E. Enable the SOC 2 regulatory compliance standard in Defender for Cloud
Answers: B, C, E

Secure score reflects compliance posture.

Why this answer

Option A is correct because Defender for Cloud has built-in regulatory compliance standards. Option B is correct because secure score helps track compliance. Option C is correct because continuous export sends data to other tools.

Option D is incorrect because Azure Policy is for Azure resources, not multicloud. Option E is incorrect because JIT is a security control, not compliance assessment.

6
Multi-Select · medium

Your organization is deploying Microsoft Defender for Cloud Apps. Which THREE capabilities are included in Defender for Cloud Apps? (Select three.)

Select 3 answers
A. Session controls
B. App governance
C. Cloud Discovery
D. Data Loss Prevention (DLP) policies
E. Conditional Access
Answers: A, B, C

Provides real-time monitoring and control of user sessions.

Why this answer

Defender for Cloud Apps provides Cloud Discovery (discover shadow IT), app governance (control app permissions), and session controls (protect data in real time). Conditional Access is an Entra ID feature, and DLP policies are part of Microsoft Purview, though Cloud Apps can integrate with them.

7
Multi-Select · hard

Your organization uses Microsoft Sentinel and wants to improve threat hunting efficiency. Which THREE actions should you take?

Select 3 answers
A. Enable UEBA (User and Entity Behavior Analytics)
B. Integrate Microsoft Defender XDR for cross-domain hunting
C. Create custom hunting queries using KQL
D. Use watchlists to filter out known benign IPs
E. Reduce data retention period to improve query speed
Answers: A, B, C

UEBA helps identify anomalies.

Why this answer

UEBA (User and Entity Behavior Analytics) in Microsoft Sentinel uses machine learning models to establish baseline behavioral patterns for users, hosts, and other entities. It then detects anomalous activities such as unusual logon times, impossible travel, or abnormal data exfiltration, which directly enhances threat hunting by surfacing suspicious behaviors that might otherwise go unnoticed.

Exam trap

The trap here is that candidates often confuse passive data enrichment tools (like watchlists) with active hunting techniques, or mistakenly think reducing data retention improves security operations, when in fact it hinders long-term threat detection and forensic analysis.

8
MCQ · medium

Refer to the exhibit. You are reviewing a Microsoft Purview Data Map resource pattern for scanning. What is this pattern intended to do?

A. Scan all resources in the onmicrosoft.com domain for classification.
B. Block access to resources in USGov regions.
C. Automatically apply sensitivity labels to resources matching the pattern.
D. Enforce retention policies on scanned resources.
Answer: C

The pattern specifies sensitivity labels to apply.

Why this answer

Option C is correct because the pattern targets all *.onmicrosoft.com resources in Global and USGov regions and applies sensitivity labels. Option A is wrong because it applies labels, not just scans. Option B is wrong because it does not block access.

Option D is wrong because it does not enforce retention.

9
MCQ · hard

Your organization uses Microsoft Sentinel as a SIEM. You need to design a solution to detect advanced persistent threats (APTs) by correlating data from multiple sources, including network logs, endpoint data, and threat intelligence feeds. The solution must use machine learning to identify anomalies and reduce false positives. Which analytics rule type should you configure?

A. ML Behavior Analytics
B. Fusion
C. Anomaly detection rules
D. Scheduled query rules
Answer: B

Fusion uses ML to correlate alerts from multiple sources and detect APTs.

Why this answer

Option A is correct because Fusion uses ML to correlate alerts from multiple sources and detect multi-stage attacks, reducing false positives. Option B is wrong because Scheduled query rules are rule-based and do not use ML. Option C is wrong because Anomaly detection rules are for individual data source anomalies.

Option D is wrong because ML Behavior Analytics is not an analytics rule type in Sentinel.

10
Multi-Select · easy

Which TWO of the following are components of Microsoft Defender XDR (Extended Detection and Response)?

Select 2 answers
A. Microsoft Sentinel
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Intune
E. Microsoft Purview
Answers: B, C

Defender for Endpoint is a core component of Defender XDR.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is a unified security operations platform that natively integrates signals from Microsoft Defender for Endpoint (endpoint detection and response) and Microsoft Defender for Office 365 (email and collaboration security). These two components provide the core telemetry for cross-domain threat correlation and automated response within the Defender XDR portal.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) as part of Defender XDR, but Sentinel is a separate Azure service that can ingest Defender XDR alerts, not a component of the XDR platform itself.

11
MCQ · hard

Refer to the exhibit. You have deployed the automation shown in the exhibit in Microsoft Defender for Cloud. The automation triggers a Logic App when a high-severity alert is generated. Users report that the Logic App is not being triggered for some high-severity alerts. What is the most likely cause?

A. The trigger condition uses 'Equals' instead of 'Contains' for severity.
B. The Logic App resource ID is incorrect.
C. Some high-severity alerts are generated from a different event source not included in the 'sources' array.
D. The automation is configured to trigger on 'Alerts' but should be 'SecurityPolicies'.
Answer: C

Defender for Cloud alerts can come from multiple sources; the automation only includes 'Alerts'.

Why this answer

Option B is correct because the automation is configured to trigger on 'Alerts' source, but Defender for Cloud also generates 'RegulatoryComplianceAssessment' and other sources. Some high-severity alerts may come from a different event source that is not included. Option A is incorrect because the event source is 'Alerts', not 'SecurityPolicies'.

Option C is incorrect because severity value is correct. Option D is incorrect because the trigger condition is correct.

12
Multi-Select · medium

A company uses Microsoft Purview Data Lifecycle Management. They need to retain financial records for 7 years and then delete them. Which TWO actions should they configure?

Select 2 answers
A. Create a DLP policy that blocks deletion
B. Apply a sensitivity label to the records
C. Create a retention label with a 7-year retention period
D. Use a trainable classifier to identify records
E. Configure a disposition review to approve deletion
Answers: C, E

Retention labels enforce retention.

Why this answer

Option C is correct because Microsoft Purview Data Lifecycle Management uses retention labels to enforce a specific retention period and then automatically delete the data. By creating a retention label with a 7-year retention period, the organization ensures financial records are retained for exactly 7 years and then permanently deleted without manual intervention.

Exam trap

The trap here is confusing sensitivity labels (used for classification and protection) with retention labels (used for lifecycle management), leading candidates to incorrectly select Option B instead of understanding that retention labels are the correct mechanism for timed deletion.

13
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. Create a Conditional Access policy that requires a compliant device
B. Set up enrollment restrictions in Intune
C. Create a device configuration policy that blocks non-compliant devices
D. Configure an app protection policy for email apps
Answer: A

Conditional Access can require device compliance as a condition for accessing corporate resources.

Why this answer

Option A is correct because a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) can enforce the requirement that only devices marked as compliant by Intune can access corporate email. This policy evaluates the device compliance status at authentication time and blocks or grants access based on that signal, ensuring that only managed and compliant devices can connect to services like Exchange Online.

Exam trap

The trap here is that candidates often confuse device configuration policies (which set device settings) with Conditional Access (which enforces access control based on compliance), leading them to choose option C instead of the correct policy-based access control.

How to eliminate wrong answers

Option B is wrong because enrollment restrictions in Intune control which devices can enroll into management (e.g., by platform or ownership type), but they do not enforce compliance at the point of access to corporate email. Option C is wrong because device configuration policies in Intune are used to set settings and features on devices (like password policies or restrictions), not to block non-compliant devices from accessing resources; blocking access is done via Conditional Access. Option D is wrong because an app protection policy (MAM) protects data within apps (e.g., preventing copy/paste or requiring PIN) but does not evaluate device compliance; it can be used without device enrollment but does not replace the need for a Conditional Access policy that checks device compliance.

14
MCQ · hard

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?

A. Configure AWS Config and GCP Security Command Center to export findings to Microsoft Sentinel
B. Connect AWS and GCP accounts to Defender for Cloud and use Azure Policy to enforce the Microsoft Cloud Security Benchmark
C. Use regulatory compliance standards for each cloud separately
D. Enable the Cloud Security Posture Management (CSPM) plan and configure AWS and GCP connectors
Answer: B

Connecting multi-cloud accounts allows Defender for Cloud to assess them against Azure Policy initiatives like the Microsoft Cloud Security Benchmark.

Why this answer

Microsoft Defender for Cloud can assess resources from Azure, AWS, and GCP using security policies. By default, Azure Policy is used for Azure resources. To assess AWS and GCP, you need to connect those cloud accounts to Defender for Cloud and then use Azure Policy to enforce standards like Microsoft Cloud Security Benchmark.

Option A is wrong because the CSPM plan assesses posture but does not use a single baseline across clouds. Option C is wrong because regulatory compliance standards apply to specific regulations, not custom baselines. Option D is wrong because AWS Config and GCP Security Command Center are separate tools, not integrated into a single baseline.

15
MCQ · medium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR advanced hunting. The query is intended to identify the top 10 devices by the number of executable process creations in the last 7 days. However, the results are showing only a few entries with low counts. What is the most likely issue?

A. The 'summarize' statement should include DeviceName in the aggregate
B. The 'take' operator is not appropriate for this aggregation
C. The 'bin' function on Timestamp is incorrect
D. The ActionType filter is likely missing the correct value for process creation
Answer: D

In Defender for Endpoint, the ActionType for process creation is 'ProcessCreated' or similar, not 'ProcessCreate'. The FileName filter may also exclude processes whose FileName value includes a path.

Why this answer

Option C is correct because the query filters on ActionType == "ProcessCreate", but the correct field might be "ProcessCreated" or different enumeration; also, FileName endswith ".exe" might miss processes with full paths. Option A is wrong because the take operator works but the query may not be returning the expected data due to filtering. Option B is wrong because bin(Timestamp, 1h) is valid.

Option D is wrong because the summarize should work on DeviceName.

16
MCQ · medium

Your organization uses Microsoft Purview to manage data governance. You need to create a unified data catalog that automatically classifies and labels data across Azure SQL Database, Amazon S3, and on-premises SQL Server. What should you configure?

A. Microsoft Purview account with scans for all data sources.
B. Azure Data Catalog with custom classification.
C. Azure Purview (legacy) with multi-cloud scanning.
D. Microsoft Information Protection scanner on each source.
Answer: A

Microsoft Purview can scan multi-cloud and on-premises sources.

Why this answer

Option A is correct because Microsoft Purview (the unified data governance service) supports scanning and classifying data across multi-cloud and on-premises sources. Option B is wrong because Microsoft Information Protection is for labeling, not scanning. Option C is wrong because Azure Purview (now part of Microsoft Purview) is the correct service.

Option D is wrong because Azure Data Catalog is legacy and limited.

17
MCQ · medium

Your organization uses Microsoft Purview and needs to prevent users from copying sensitive data to USB drives. Which solution should you implement?

A. Sensitivity labels with encryption
B. Insider Risk Management
C. Endpoint data loss prevention (DLP)
D. Communication Compliance
Answer: C

Endpoint DLP can block copying of sensitive data to removable devices like USB drives.

Why this answer

Endpoint DLP is the correct solution because it extends data loss prevention policies to endpoints, enabling the detection and blocking of sensitive data being copied to removable USB drives. Unlike other controls, Endpoint DLP can monitor and restrict data exfiltration actions at the device level, such as copying files to USB media, based on the content's sensitivity classification.

Exam trap

The trap here is that candidates often confuse Insider Risk Management (a detective control) with Endpoint DLP (a preventive control), assuming that risk management can block actions, when in fact it only alerts on suspicious behavior after the fact.

How to eliminate wrong answers

Option A is wrong because sensitivity labels with encryption protect data at rest and in transit by restricting access, but they do not block the act of copying labeled data to a USB drive; encryption alone does not prevent data exfiltration via removable media. Option B is wrong because Insider Risk Management is a detection and investigation tool that identifies risky user activities (e.g., unusual file copying) but does not actively block or prevent the copy action in real time. Option D is wrong because Communication Compliance focuses on monitoring and analyzing communications (e.g., email, Teams) for policy violations, not on controlling data movement to USB drives.

18
MCQ · easy

You need to audit user activities in Microsoft 365, including who accessed a specific file in SharePoint Online. Which Microsoft Purview solution should you use?

A. Microsoft Purview Information Protection
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Audit
D. Microsoft Purview Data Lifecycle Management
Answer: C

Audit logs user activities, including file access.

Why this answer

Microsoft Purview Audit (specifically Audit (Standard) or Audit (Premium)) is the correct solution because it captures and logs user activities across Microsoft 365 services, including SharePoint Online. When a user accesses a specific file, the audit log records the event with details such as the user, file name, action (e.g., FileAccessed), and timestamp, enabling you to query this data via the Microsoft 365 Defender portal or Search-UnifiedAuditLog cmdlet.

Exam trap

The trap here is that candidates often confuse 'auditing' with 'protection' or 'compliance' solutions, mistakenly choosing Information Protection (A) because they think labeling controls access, or Communication Compliance (B) because they associate 'compliance' with monitoring user actions, when in fact Audit is the dedicated logging service for user activity tracking.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels and encryption), not on auditing user activities or file access events. Option B is wrong because Microsoft Purview Communication Compliance is designed to detect and remediate inappropriate communications (e.g., offensive language or insider trading) in Exchange Online, Teams, or Yammer, not to audit file access in SharePoint Online. Option D is wrong because Microsoft Purview Data Lifecycle Management manages retention and deletion policies for data (e.g., automatically archiving or deleting old files), not the logging of user access events.

19
Multi-Select · medium

Which TWO of the following are valid methods to protect privileged accounts in Microsoft Entra ID?

Select 2 answers
A. Configure Conditional Access policies for privileged roles
B. Implement Privileged Identity Management (PIM)
C. Enable Identity Protection for all users
D. Enable Self-Service Password Reset (SSPR)
E. Use Azure AD Connect to sync privileged accounts
Answers: A, B

Conditional Access can enforce MFA and other controls for privileged roles.

Why this answer

Conditional Access policies can be configured to require stronger authentication, device compliance, or location-based controls specifically for users assigned to privileged roles (e.g., Global Administrator, Privileged Role Administrator). This directly protects privileged accounts by enforcing additional security requirements before granting access to Entra ID resources.

Exam trap

The trap here is that candidates often confuse general security features (like Identity Protection or SSPR) with dedicated privileged account protection mechanisms, failing to recognize that only PIM and Conditional Access policies for privileged roles directly control and restrict privileged access in Entra ID.

20
MCQ · hard

You are a security architect for a global financial services company that uses Microsoft 365 E5 and Azure. The company has 50,000 users across 10 regions. The security team needs to detect and respond to identity-based threats in real-time, automate remediation for compromised accounts, and meet regulatory requirements for audit logging. The following requirements must be met: (1) Detect risky sign-ins and user anomalies, (2) Automatically block sign-ins when risk level is high, (3) Provide a centralized dashboard for security analysts to investigate incidents, (4) Retain logs for at least one year for compliance, (5) Minimize false positives by using machine learning. You have the following services available: Microsoft Entra ID P2, Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Purview, and Microsoft Intune. Which combination of services should you use to meet all requirements?

A. Microsoft Intune and Microsoft Defender for Cloud
B. Microsoft Entra ID Protection (P2) and Microsoft Sentinel
C. Microsoft Defender for Identity and Microsoft Purview
D. Microsoft Purview and Microsoft Sentinel
Answer: B

Entra ID Protection detects risks and blocks high-risk sign-ins; Sentinel provides centralized SIEM with long-term retention.

Why this answer

Option D is correct because Microsoft Entra ID Protection (included in P2) detects risky sign-ins and user anomalies, and can automatically block high-risk sign-ins. Microsoft Sentinel ingests logs from Entra ID and other sources, provides a centralized SIEM dashboard for investigation, and retains logs for up to two years. Machine learning in both Entra ID Protection and Sentinel helps minimize false positives.

Option A is wrong because Intune does not provide identity threat detection or centralized SIEM. Option B is wrong because Defender for Identity is for on-premises AD, not cloud-only identity. Option C is wrong because Purview is for data governance, not identity threat detection.

21
MCQ · medium

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises credentials while gradually moving to cloud-only authentication. Which authentication method should you implement first?

A. Azure AD Connect
B. Active Directory Federation Services (AD FS)
C. Pass-through Authentication (PTA)
D. Password Hash Synchronization (PHS) with Seamless SSO
Answer: D

PHS is simple and supports gradual migration to cloud authentication.

Why this answer

Password Hash Synchronization (PHS) quickly syncs password hashes and allows Seamless SSO. Option B is correct. Option A requires more infrastructure.

Option C is for federation. Option D is a broader strategy, not a method.

22
Multi-Select · hard

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows corporate users to access a sensitive internal application only from managed devices that are compliant with company security policies. The solution should block access from personal devices. Which two components should you use? (Choose TWO.)

Select 2 answers
A. Microsoft Intune app protection policy
B. Microsoft Entra ID Conditional Access policy that requires hybrid Azure AD join
C. Microsoft Intune device enrollment
D. Microsoft Intune device compliance policy
E. Microsoft Entra ID Conditional Access policy that requires a compliant device
Answers: D, E

Defines the compliance requirements for managed devices.

Why this answer

Options A and C are correct because Intune compliance policies define the security requirements (e.g., encryption, OS version), and Conditional Access policies in Entra ID use the device compliance status to grant or block access. Option B (CA policies) is redundant with A. Option D (app protection policy) is for app-level protection, not device management.

Option E (device enrollment) is a prerequisite but not the enforcement mechanism.

23
Multi-Select · hard

Your company uses Microsoft Sentinel to manage security incidents. You need to design a solution that automatically triages low-severity incidents and enriches them with threat intelligence. Which THREE capabilities would you include? (Choose three.)

Select 3 answers
A. Advanced hunting queries to investigate incidents.
B. Analytics rules to generate alerts for low-severity incidents.
C. Playbooks to perform enrichment actions like querying threat intelligence.
D. Automation rules to trigger playbooks on incident creation.
E. Watchlists to store known indicators for correlation.
Answers: C, D, E

Playbooks can enrich incidents with threat intelligence data.

Why this answer

Option A is correct because automation rules can take actions on incident creation. Option B is correct because playbooks can run complex workflows. Option C is correct because watchlists can be used for enrichment data.

Option D is wrong because analytics rules create incidents, not triage. Option E is wrong because hunting queries are for proactive hunting, not triage.

24
MCQ · easy

Your organization needs to monitor and respond to threats across email, endpoints, and identities. Which Microsoft solution provides a unified incident response experience?

A. Microsoft Purview
B. Microsoft Intune
C. Microsoft Defender XDR
D. Microsoft Sentinel
Answer: C

Defender XDR unifies incidents across domains.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct choice because it provides a unified incident response experience by correlating alerts and signals from email (Defender for Office 365), endpoints (Defender for Endpoint), and identities (Defender for Identity) into a single incident queue. This cross-domain correlation enables security teams to investigate and remediate complex multi-stage attacks from a single pane of glass, rather than switching between separate consoles.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft Defender XDR (an XDR), but Sentinel ingests logs and requires manual or KQL-based correlation, while Defender XDR provides automatic cross-domain incident correlation out of the box for Microsoft security signals.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a compliance and data governance solution focused on data classification, retention, and eDiscovery, not on real-time threat detection or incident response across email, endpoints, and identities. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for managing devices and apps, not a security operations tool for monitoring and responding to threats. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that ingests logs from multiple sources and provides advanced analytics, but it does not natively unify incident response across Microsoft 365 security products; it requires separate data connectors and custom correlation rules to achieve similar cross-domain visibility.

25
MCQmedium

A company uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. Which policy type should they implement?

A.Device enrollment restrictions
B.App protection policies
C.Compliance policies combined with conditional access
D.Device configuration profiles
AnswerC

Compliance policy checks OS version; conditional access blocks non-compliant.

Why this answer

Option C is correct because compliance policies define conditions like minimum OS version, and conditional access enforces them. Option D is wrong because configuration profiles set settings; they do not enforce access. Option B is wrong because app protection policies govern app data, not device OS version.

Option A is wrong because device enrollment restrictions apply at enrollment time, not to ongoing access.

26
Multi-Selecteasy

Your organization uses Microsoft Purview Information Protection to label sensitive emails. You need to ensure that labels are applied automatically based on content. Which THREE methods can you use?

Select 3 answers
A.Manual labeling by users
B.File plan (for records management)
C.Sensitive information types
D.Auto-labeling policies in Microsoft Purview
E.Trainable classifiers
AnswersC, D, E

Sensitive info types detect data like credit cards for automatic labeling.

Why this answer

Sensitive information types (C) are predefined or custom patterns that detect sensitive data such as credit card numbers or social security numbers, enabling automatic label application. Auto-labeling policies in Microsoft Purview (D) apply labels automatically to emails and files based on conditions like sensitive information types or trainable classifiers. Trainable classifiers (E) use machine learning to identify content patterns and automatically apply labels without requiring explicit pattern definitions.

Exam trap

The trap here is that candidates may confuse manual labeling or records management tools (like file plans) with automatic content-based labeling mechanisms, but only sensitive information types, auto-labeling policies, and trainable classifiers directly support automatic label application based on content analysis.

27
MCQeasy

You are designing identity security for a hybrid organization using Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. What is the recommended approach?

A.Create a Conditional Access policy that requires MFA for the sensitive applications
B.Enable Security defaults
C.Enable per-user MFA in Entra ID
D.Use Azure AD Identity Protection user risk policy
AnswerA

Granular and recommended method.

Why this answer

Conditional Access policies in Entra ID are the recommended method to require MFA for specific applications. The other options are less granular or outdated: per-user MFA is legacy, Security defaults apply to all apps and cannot be scoped, and Azure AD Identity Protection focuses on risk-based policies.

28
Multi-Selectmedium

Which TWO actions should you take to implement a zero-trust identity strategy in Microsoft Entra ID?

Select 2 answers
A.Enable single sign-on for all applications
B.Require multi-factor authentication for all users
C.Implement passwordless authentication for all users
D.Synchronize all on-premises identities to the cloud
E.Configure Conditional Access policies based on user risk and device compliance
AnswersB, E

MFA is a key zero-trust principle.

Why this answer

B is correct because MFA is a core zero-trust control. E is correct because Conditional Access enforces policies based on signals such as user risk and device compliance. C is wrong because passwordless authentication is recommended but is not a specific zero-trust action.

A is wrong because single sign-on is a convenience feature, not a zero-trust control. D is wrong because synchronization is for hybrid identity, not zero trust.

29
MCQhard

Refer to the exhibit. You are deploying this Bicep template to enable Microsoft Defender for Cloud's VM protection. After deployment, you notice that Agentless VM scanning is not enabled for existing VMs. What is the most likely reason?

A.The pricing tier must be 'Free' to enable agentless scanning.
B.Agentless scanning is only enabled for new VMs; existing VMs require rescanning.
C.The resource name 'VirtualMachines' is incorrect; it should be 'virtualMachines'.
D.The extension 'AgentlessVmScanning' must be defined outside the pricing resource.
AnswerB

The setting applies to new VMs; existing VMs need a manual rescan.

Why this answer

Option B is correct because the Bicep template sets pricing for 'VirtualMachines', but the agentless scanning extension must be enabled at the subscription level or per VM; the extension in the pricing resource only enables the feature for new VMs, not existing ones. Option C is wrong because the name 'VirtualMachines' is correct. Option A is wrong because the pricing tier is Standard, which is correct.

Option D is wrong because the extension syntax is correct for Bicep.

30
MCQeasy

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?

A.Configure an automation rule to run a playbook automatically
B.Create a playbook and run it manually for each incident
C.Set up an analytics rule with automatic response
D.Use a workbook to trigger a playbook
AnswerA

Automation rules can automatically run playbooks based on incident properties such as severity.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses that trigger when an incident is created or updated, including running playbooks (Azure Logic Apps workflows) automatically. This is the correct approach for automatically responding to high-severity incidents because it eliminates manual intervention and ensures consistent, immediate action based on incident properties like severity.

Exam trap

The trap here is confusing analytics rule automated responses (which run on alerts before incident creation) with automation rules (which run on incidents after creation), leading candidates to incorrectly select Option C for incident-level automation.

How to eliminate wrong answers

Option B is wrong because running a playbook manually for each incident defeats the purpose of automation and does not scale for high-severity incidents that require immediate response. Option C is wrong because analytics rules generate alerts, not incidents, and while they can have automated responses, those responses run on alerts before incidents are created; for incident-level automated response, you need automation rules. Option D is wrong because workbooks are visualization and reporting tools, not triggers for playbooks; they cannot initiate automated response actions.

31
MCQmedium

A company uses Microsoft Defender for Cloud Apps to discover and control cloud apps. They want to receive alerts when a user accesses a sanctioned app from an unusual location. Which feature should they configure?

A.Session policies
B.File policies
C.Anomaly detection policies
D.App discovery policies
AnswerC

Detect unusual user activities.

Why this answer

Option C is correct because anomaly detection policies in Microsoft Defender for Cloud Apps are specifically designed to identify behavioral deviations, such as a user accessing a sanctioned app from an unusual geographic location. These policies leverage machine learning to establish a baseline of normal user activity and trigger alerts when access patterns deviate from that baseline, enabling detection of potential account compromise or insider threats.

Exam trap

The trap here is that candidates often confuse anomaly detection policies with session policies, assuming that location-based alerts are enforced via real-time session controls, but session policies only act on traffic after access is granted, whereas anomaly detection policies are the correct detection mechanism for unusual location access.

How to eliminate wrong answers

Option A is wrong because session policies control real-time user actions within a cloud app (e.g., blocking downloads or requiring multi-factor authentication) but do not generate alerts based on location anomalies; they are reactive controls, not detection mechanisms. Option B is wrong because file policies monitor and enforce rules on file content and metadata (e.g., detecting sensitive data or malware in files), not user access patterns or location-based anomalies. Option D is wrong because app discovery policies identify and categorize cloud apps in use (sanctioned vs. unsanctioned) but do not monitor user behavior or location anomalies for already sanctioned apps; they focus on app inventory and risk assessment.

32
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that investigates and responds to a ransomware incident. Which three actions should you take? (Choose THREE.)

Select 3 answers
A.Isolate affected devices using Microsoft Defender for Endpoint.
B.Review the incident timeline in Microsoft Defender XDR.
C.Create a new workbook to visualize the incident.
D.Delete all log data older than 24 hours to improve performance.
E.Run a hunting query in Microsoft Sentinel to identify affected devices.
AnswersA, B, E

Isolation prevents the ransomware from spreading.

Why this answer

Options A, B, and E are correct because isolating devices prevents further spread, reviewing the incident timeline in Defender XDR provides context, and running a hunting query can identify the scope. Option C (new workbook) is for reporting, not investigation. Option D (delete log data) would destroy evidence.

33
Multi-Selecthard

Which TWO components are required to enable Microsoft Sentinel to ingest data from Amazon Web Services (AWS) CloudTrail?

Select 2 answers
A.An Azure Function to pull logs from AWS.
B.An AWS S3 bucket to store CloudTrail logs.
C.An AWS Lambda function to process logs.
D.An AWS Simple Queue Service (SQS) queue to trigger ingestion.
E.An Azure Event Hubs namespace to receive logs.
AnswersB, D

The connector reads logs from S3.

Why this answer

Option B is correct because AWS CloudTrail logs must be delivered to an S3 bucket as a prerequisite for ingestion into Microsoft Sentinel. Sentinel's AWS CloudTrail data connector reads log files directly from the S3 bucket using the S3 REST API, making the bucket the required storage and access point for the logs.

Exam trap

The trap here is that candidates often assume an Azure Function or Event Hubs is needed for cross-cloud ingestion, but Sentinel's native AWS connector uses S3 and SQS directly, eliminating the need for intermediary compute or messaging services.

34
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to design a compliance policy that requires devices to have a minimum OS version and be encrypted. Which policy type should you use?

A.Create a device configuration profile in Microsoft Intune.
B.Create a Conditional Access policy in Microsoft Entra ID.
C.Create an app protection policy in Microsoft Intune.
D.Create a device compliance policy in Microsoft Intune.
AnswerD

Compliance policies enforce conditions like OS version and encryption.

Why this answer

Option D is correct because compliance policies in Intune define the rules devices must meet to be considered compliant, such as minimum OS version and encryption. Option A (configuration profile) is for settings like Wi-Fi. Option B (conditional access) is a separate Entra ID feature.

Option C (app protection policy) is for app-level data protection.

35
MCQmedium

Your organization uses Microsoft Defender for Endpoint (MDE) and wants to implement automated investigation and response (AIR) for ransomware. You need to ensure that when a suspicious file is detected, the investigation is automatically started and the file is contained. What should you configure?

A.Configure the automated investigation and response capabilities in MDE.
B.Create a custom detection rule in Microsoft 365 Defender.
C.Enable attack surface reduction rules.
D.Add the file hash to the indicators of compromise list.
AnswerA

AIR automates investigation and containment actions.

Why this answer

Option A is correct because AIR automates investigation and containment actions. Option C is wrong because attack surface reduction rules prevent attacks but do not automate response. Option D is wrong because indicators of compromise are for blocking known threats.

Option B is wrong because custom detections create alerts but do not automate response.

36
MCQhard

Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has deployed Microsoft Sentinel in Azure. The security operations center (SOC) receives thousands of alerts daily from Microsoft Defender for Cloud, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. The SOC team is overwhelmed and needs to prioritize incidents effectively. You need to design a solution that uses Microsoft Sentinel to automatically classify incidents as true positive, false positive, or benign positive based on threat intelligence and analytics. Additionally, the solution should automatically close low-confidence false positive incidents after 24 hours if no analyst interaction occurs. You must minimize manual effort and ensure that critical incidents are escalated immediately. What should you do?

A.Build a workbook that displays incident classification and assign analysts to review and close low-confidence incidents.
B.Create automation rules that trigger on incident creation to classify incidents using custom properties and run a playbook for escalation.
C.Use watchlists to define known false positive indicators and configure a playbook to run hourly to close matching incidents.
D.Modify the analytics rules to automatically close incidents based on a threshold of false positive indicators.
AnswerB

Automation rules can set incident properties and trigger playbooks for complex actions like escalation.

Why this answer

Option B is correct because automation rules with incident creation triggers can automatically classify and close incidents based on conditions, and playbooks can handle escalation. Option A is incorrect because workbooks are for visualization, not automated response. Option D is incorrect because analytics rules create incidents; they do not manage them.

Option C is incorrect because watchlists are for reference data, not automation.

37
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block data exfiltration from sanctioned cloud apps to personal devices. What should you configure?

A.Create an OAuth app policy to revoke permissions.
B.Create an app discovery policy to identify unsanctioned apps.
C.Create a file policy to detect sensitive data in sanctioned apps.
D.Create a session policy with app governance to block download.
AnswerD

Session policies can block data exfiltration in real time.

Why this answer

Option D is correct because session policies with app governance can monitor and control data transfer in real time. Option B is wrong because discovery policies identify unsanctioned apps; they do not block actions. Option C is wrong because file policies are for static compliance checks.

Option A is wrong because OAuth app policies manage permissions, not data exfiltration.

38
MCQeasy

Your organization has Microsoft Entra ID (Azure AD) and uses Privileged Identity Management (PIM). You need to ensure that when a user activates a privileged role, they must provide a reason and a ticket number. What should you configure?

A.PIM role settings requiring justification and approval on activation
B.Conditional Access policy requiring multi-factor authentication
C.An access review for the privileged role
D.Microsoft Entra Identity Protection user risk policy
AnswerA

PIM settings enforce justification and ticket number.

Why this answer

Option A is correct because PIM role settings allow you to configure activation requirements, including mandatory justification (reason) and ticket number. By editing the role settings in PIM, you can enforce that users provide both a reason and a ticket number when activating a privileged role, ensuring auditability and compliance.

Exam trap

The trap here is that candidates confuse PIM activation settings (which control what users must provide when activating a role) with Conditional Access policies (which control sign-in conditions) or Identity Protection policies (which handle risk-based responses), leading them to select a policy that does not enforce the specific activation-time inputs.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy requiring multi-factor authentication enforces MFA during sign-in, not during role activation, and does not capture a reason or ticket number. Option C is wrong because an access review for the privileged role periodically reviews membership or active assignments, but does not enforce input of justification or ticket number at activation time. Option D is wrong because Microsoft Entra Identity Protection user risk policy detects and responds to risky user behavior (e.g., leaked credentials), not role activation requirements like reason or ticket number.

39
MCQmedium

Refer to the exhibit. You are analyzing a Microsoft Sentinel analytics rule. What does this rule detect?

A.Multiple successful logons for the same account
B.Brute-force attack against a single account
C.Multiple failed logons from the same source IP address
D.Overall number of failed logons across all accounts
AnswerB

The rule alerts when an account has >10 failed logons in 5 minutes.

Why this answer

This rule detects a brute-force attack against a single account by triggering when the number of failed logons for a specific user exceeds a threshold within a given time window, followed by a successful logon. The condition `FailedLogons > 5` and `SuccessfulLogon > 0` for the same account indicates that the attacker has guessed the correct password after multiple failed attempts, which is a classic sign of a successful brute-force attack.

Exam trap

The trap here is that candidates often confuse a brute-force attack against a single account (detected by failed logons followed by a success for the same user) with a password spray attack (where many accounts are targeted with a few passwords), leading them to incorrectly select an option focused on source IP or overall failure counts.

How to eliminate wrong answers

Option A is wrong because the rule explicitly requires a high number of failed logons (FailedLogons > 5) before the successful logon, not just multiple successful logons for the same account. Option C is wrong because the rule aggregates failed logons by account (AccountName), not by source IP address, so it does not detect multiple failed logons from the same source IP. Option D is wrong because the rule filters on a specific account (AccountName) and requires a successful logon after failures, whereas an overall count of failed logons across all accounts would not identify a targeted brute-force attack on a single account.

40
MCQmedium

Your company uses Microsoft Defender for Cloud to manage security posture across hybrid workloads. You need to ensure that critical vulnerabilities found on Azure VMs are automatically remediated without manual intervention. Which feature should you enable?

A.Enable 'Remediate' for security recommendations in Defender for Cloud
B.File Integrity Monitoring (FIM)
C.Microsoft Defender for Cloud's Regulatory Compliance dashboard
D.Azure Automation Update Management
AnswerA

Defender for Cloud can automatically remediate recommendations via Azure Policy.

Why this answer

Option A is correct because Microsoft Defender for Cloud's 'Remediate' feature allows you to automatically apply the necessary configuration changes or deploy the required patches to fix critical vulnerabilities on Azure VMs without manual intervention. This is achieved by enabling the 'Remediate' option on specific security recommendations, which triggers an automated workflow (often using Azure Policy or a custom script) to resolve the identified issue. This directly addresses the requirement for automatic remediation of critical vulnerabilities.

Exam trap

The trap here is that candidates often confuse the 'Remediate' feature with Azure Automation Update Management, assuming that update management is the only way to automatically patch VMs, but Defender for Cloud's remediation is specifically designed to act on its own security recommendations, including non-patch vulnerabilities like misconfigurations.

How to eliminate wrong answers

Option B is wrong because File Integrity Monitoring (FIM) is a security feature that monitors changes to critical files, registries, and system configurations, but it does not automatically remediate vulnerabilities; it only alerts on changes. Option C is wrong because the Regulatory Compliance dashboard provides a view of your compliance posture against standards like CIS or NIST, but it does not perform any automated remediation actions. Option D is wrong because Azure Automation Update Management is used to manage and schedule OS updates and patches, but it is not integrated with Defender for Cloud's vulnerability assessment findings and does not automatically remediate critical vulnerabilities identified by Defender for Cloud's security recommendations.

41
MCQhard

Your organization uses Microsoft Intune to manage devices and wants to ensure that only compliant devices can access corporate email. Which conditional access policy setting should you configure?

A.Require device to be marked as compliant
B.Require approved client app
C.Require Multi-Factor Authentication
D.Require domain join
AnswerA

This grant control ensures only Intune compliant devices can access corporate resources.

Why this answer

Option A is correct because the 'Require device to be marked as compliant' setting in a Conditional Access policy enforces that only devices meeting your Intune compliance policies (e.g., encryption, OS version, threat level) can access corporate email. This setting checks the device's compliance status reported by Intune to Azure AD during authentication, blocking non-compliant devices before they reach Exchange Online.

Exam trap

The trap here is that candidates often confuse 'Require approved client app' (which controls app-level access) with device compliance, thinking that restricting the app is sufficient to secure email, but it does not enforce device health or configuration.

How to eliminate wrong answers

Option B is wrong because 'Require approved client app' controls which client applications (e.g., Outlook mobile, Teams) can access data, not the device's compliance state; it does not enforce device health or configuration. Option C is wrong because 'Require Multi-Factor Authentication' adds an authentication factor but does not evaluate device compliance; a compromised but MFA-enabled device could still access email. Option D is wrong because 'Require domain join' is for Windows devices joined to on-premises Active Directory, not for mobile or BYOD devices managed by Intune; it does not check Intune compliance policies.

42
Multi-Selecteasy

A company uses Microsoft Sentinel as its SIEM. They want to minimize storage costs for verbose logs that are rarely accessed but must be retained for one year for compliance. Which TWO actions should they take?

Select 2 answers
A.Archive the logs to Azure Storage after 30 days
B.Increase the retention period to one year
C.Configure the verbose logs to use Basic Logs tier
D.Remove the data sources that generate verbose logs
E.Set up continuous export to an event hub
AnswersA, C

Archiving reduces storage costs.

Why this answer

Option C is correct because Basic Logs are cheaper than Analytics Logs. Option A is correct because archiving long-term data to Azure Storage reduces costs. Option D is incorrect because removing data sources reduces visibility.

Option E is incorrect because continuous export does not reduce cost. Option B is incorrect because increasing retention increases cost.

43
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with a TPM (Trusted Platform Module) version 2.0 can access corporate resources. What should you configure?

A.Create a device compliance policy that requires TPM 2.0 and use Conditional Access to block non-compliant devices
B.Use Windows Update for Business to ensure TPM firmware is updated
C.Configure device enrollment restrictions to require TPM 2.0
D.Deploy a device configuration profile that enables TPM 2.0
AnswerA

Compliance policy with Conditional Access enforces access.

Why this answer

A device compliance policy in Microsoft Intune can check for TPM 2.0 presence and version. When combined with a Conditional Access policy that blocks non-compliant devices, only devices meeting the TPM 2.0 requirement can access corporate resources. This is the correct approach because Conditional Access enforces the compliance check at the authentication and authorization layer.

Exam trap

The trap here is that candidates confuse enrollment restrictions (which only apply at enrollment time) with ongoing compliance enforcement, or they think a configuration profile can block access, when only Conditional Access can enforce the block based on compliance.

How to eliminate wrong answers

Option B is wrong because Windows Update for Business manages firmware updates but cannot enforce a TPM version requirement for resource access; it only ensures the TPM firmware is current. Option C is wrong because device enrollment restrictions control which devices can enroll in Intune, but they do not enforce ongoing compliance for resource access after enrollment. Option D is wrong because a device configuration profile can enable or configure TPM features but cannot block access to corporate resources based on TPM version; it lacks the enforcement mechanism provided by Conditional Access.

44
Multi-Selecthard

Which THREE capabilities does Microsoft Purview provide for compliance management?

Select 3 answers
A.Identity protection and risk detection
B.Information protection with sensitivity labels
C.Data classification and labeling
D.Endpoint detection and response
E.eDiscovery and audit
AnswersB, C, E

Purview provides sensitivity labels.

Why this answer

Microsoft Purview provides compliance management capabilities including information protection with sensitivity labels, which allow organizations to classify and protect sensitive data across Microsoft 365 services, endpoints, and third-party apps. Sensitivity labels enforce encryption, visual markings, and access restrictions based on policy, directly supporting data loss prevention and governance.

Exam trap

The trap here is that candidates confuse Microsoft Purview's compliance-focused capabilities (like eDiscovery, audit, and sensitivity labels) with security operations tools (like identity protection and endpoint detection), which belong to separate Microsoft 365 security solutions.

45
MCQmedium

Your organization uses Microsoft Entra ID for identity management and wants to implement a least-privilege access model for administrators. You need to reduce standing privileges and ensure that admin roles are activated only when needed with approval workflow. Requirements: (1) Require approval for activation of Global Administrator role, (2) Set activation duration to 4 hours maximum, (3) Require Azure MFA for activation, (4) Receive notifications when roles are activated, (5) Audit all activations for compliance. Which Microsoft Entra ID capability should you use?

A.Access Reviews
B.Privileged Identity Management (PIM)
C.Identity Protection
D.Conditional Access
AnswerB

PIM provides just-in-time activation with approval, MFA, and audit.

Why this answer

Option B is correct because Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time role activation with approval, MFA, time limits, notifications, and audit. Option D is wrong because Conditional Access does not manage role activation. Option C is wrong because Identity Protection is for risk detection.

Option A is wrong because Access Reviews are for periodic reviews, not activation workflows.

46
Multi-Selectmedium

Your company uses Microsoft Entra ID. You need to implement a policy that requires all guest users to complete a terms-of-use acceptance before accessing applications. Which two components must be configured?

A.Multifactor authentication registration policy
B.Conditional access policy
C.Entitlement Management access packages
D.Identity Protection policy
E.Terms-of-use document in Microsoft Entra ID
AnswersB, E

Conditional access policies can require terms-of-use acceptance.

Why this answer

Options B and E are correct. A conditional access policy can enforce terms-of-use acceptance, and the terms-of-use document must be configured in Microsoft Entra ID. Option D is incorrect because Identity Protection is for risk detection.

Option C is incorrect because Entitlement Management is for access packages. Option A is incorrect because MFA registration is a separate policy.

47
MCQeasy

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incident investigations are automatically captured for compliance reporting. Which feature should you enable?

A.Use Microsoft Purview Compliance Manager
B.Configure Azure Policy for Sentinel
C.Enable Microsoft Sentinel audit logging
D.Enable Microsoft Defender for Cloud Apps
AnswerC

Audit logging captures investigation actions for compliance.

Why this answer

Microsoft Sentinel audit logging captures all actions performed within the Sentinel environment, including incident investigations, queries run, and configuration changes. Enabling this feature ensures that every investigation step is logged and can be used for compliance reporting, as it records user activities and system events in the Azure Activity Log or Log Analytics workspace.

Exam trap

The trap here is that candidates may confuse compliance features like Purview Compliance Manager or Azure Policy with the operational audit trail needed for incident investigation tracking, overlooking that Sentinel's own audit logging is the direct mechanism for capturing investigation activities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a compliance management tool that assesses and manages compliance posture, but it does not automatically capture incident investigation activities within Sentinel. Option B is wrong because Azure Policy enforces organizational standards and assesses compliance at the Azure resource level, but it does not log or capture the detailed audit trail of Sentinel incident investigations. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on securing cloud applications, not on auditing Sentinel's internal investigation workflows.

48
Multi-Selectmedium

Your organization uses Microsoft Purview to classify sensitive data. You need to automatically apply a sensitivity label to documents that contain personally identifiable information (PII). Which TWO components should you configure?

Select 2 answers
A.Auto-labeling policy
B.Retention label
C.Data Loss Prevention (DLP) policy
D.Sensitivity label
E.Trainable classifier
AnswersA, D

Auto-labeling policies automatically apply sensitivity labels based on conditions.

Why this answer

Auto-labeling policy (A) is correct because it automatically applies sensitivity labels to documents based on conditions such as the presence of sensitive data types (e.g., PII). Sensitivity label (D) is correct because it defines the classification and protection settings (e.g., encryption, markings) that are applied to the content. Together, they enable automatic classification of PII documents without manual user intervention.

Exam trap

The trap here is that candidates often confuse DLP policies (which detect and block data exfiltration) with auto-labeling policies (which apply classification labels), leading them to incorrectly select DLP policy as a component for automatic labeling.

49
MCQ · medium

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices compliant with security baselines can access corporate email via Microsoft Outlook. The solution should use existing Microsoft 365 security features. What should they implement?

A. Configure an app protection policy in Microsoft Intune.
B. Create a Conditional Access policy in Microsoft Entra ID that requires a compliant device.
C. Create a device compliance policy in Microsoft Intune.
D. Configure a device configuration profile in Microsoft Intune.
Answer: B

Integrates with Intune compliance to block non-compliant devices.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID evaluate device compliance status before granting access to cloud apps like Exchange Online. By requiring a compliant device, the policy enforces that only devices meeting security baselines can access corporate email via Outlook, leveraging existing Microsoft 365 identity and access management capabilities.

Exam trap

The trap here is that candidates confuse device compliance policies (which only define rules) with Conditional Access policies (which enforce access decisions), leading them to pick Option C without realizing a separate policy is needed to block access.

How to eliminate wrong answers

Option A is wrong because app protection policies manage data within apps (e.g., preventing copy/paste) but do not enforce device-level compliance requirements like security baselines. Option C is wrong because a device compliance policy defines the compliance rules (e.g., requiring encryption) but does not itself block access; it must be paired with a Conditional Access policy to enforce the block. Option D is wrong because device configuration profiles apply settings (e.g., Wi-Fi, VPN) but do not evaluate or enforce compliance for access control.

50
Multi-Select · easy

Your organization is implementing Microsoft Entra ID governance. Which TWO features are part of Microsoft Entra ID Governance? (Select two.)

Select 2 answers
A. Privileged Identity Management
B. Authentication methods policy
C. Conditional Access
D. Entitlement management
E. Access reviews
Answers: D, E

Manages access packages and resource access.

Why this answer

Entitlement management and access reviews are core features of Microsoft Entra ID Governance, so options D and E are correct. Conditional Access is an identity protection feature rather than a governance feature, and the authentication methods policy is not part of governance either. Privileged Identity Management (PIM) is also part of Identity Governance, but the question asks for only two features, and the answer key selects entitlement management and access reviews.

51
MCQ · easy

Your organization uses Microsoft Purview to manage data governance. The compliance team needs to be able to search for and investigate whether any sensitive data (e.g., credit card numbers) is stored in Microsoft Teams messages. They also need to place a legal hold on a specific user's Teams messages for eDiscovery. You need to design the solution. What should you configure?

A. Configure a sensitivity label for credit card numbers and apply it to Teams messages.
B. Create a Data Loss Prevention policy that monitors Teams messages for credit card numbers.
C. Use Microsoft Purview eDiscovery (Premium) to create a case, search for credit card numbers in Teams messages, and place a hold on the user's mailbox and Teams data.
D. Enable Microsoft Purview Audit to search the audit log for Teams messages containing credit card numbers.
Answer: C

eDiscovery supports content search and legal hold across Microsoft 365 services.

Why this answer

Option C is correct because Microsoft Purview eDiscovery (Premium) can search across Teams messages and place legal holds on the user's mailbox and Teams data. Option D (Audit) logs activities but does not allow content search. Option B (DLP) prevents sharing but does not search stored content. Option A (a sensitivity label) applies labels but does not provide eDiscovery capabilities.

52
MCQ · easy

Your company needs to automatically classify and label sensitive documents in Microsoft 365 based on their content. Which Microsoft Purview solution should you implement?

A. Microsoft Purview Audit
B. Microsoft Purview Information Protection
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview Insider Risk Management
Answer: B

This includes auto-labeling based on content.

Why this answer

Microsoft Purview Information Protection (formerly Azure Information Protection) enables automatic classification and labeling of sensitive documents based on content, using trainable classifiers, exact data match (EDM), and sensitive information types. This solution applies sensitivity labels to documents in Microsoft 365 (e.g., SharePoint, Exchange, OneDrive) via client-side labeling or auto-labeling policies, meeting the requirement to classify and label by content.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection with Data Lifecycle Management, because both involve labels, but Data Lifecycle Management handles retention and deletion, not content-based classification and sensitivity labeling.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit focuses on logging and investigating user and admin activities, not on classifying or labeling content. Option C is wrong because Microsoft Purview Data Lifecycle Management (formerly Records Management) handles retention and deletion policies, not content-based classification and labeling. Option D is wrong because Microsoft Purview Insider Risk Management detects risky user behaviors (e.g., data exfiltration) using analytics, but does not automatically classify or label documents based on content.

53
MCQ · easy

You need to design a solution to synchronize on-premises Active Directory users to Microsoft Entra ID for hybrid identity. Which tool should you use?

A. Microsoft Identity Manager (MIM)
B. Microsoft Entra Connect
C. Microsoft Entra Connect Cloud Sync
D. Active Directory Federation Services (AD FS)
Answer: B

Microsoft Entra Connect is the primary tool for synchronizing on-premises AD to Entra ID.

Why this answer

Microsoft Entra Connect is the correct tool for synchronizing on-premises Active Directory users to Microsoft Entra ID for hybrid identity because it provides a comprehensive, full-featured synchronization engine that supports password hash synchronization, pass-through authentication, and federation integration. It is the primary tool for hybrid identity scenarios where you need to synchronize a single on-premises AD forest to a single Entra ID tenant, handling attributes, password writeback, and device synchronization.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect Cloud Sync with the full Entra Connect tool, assuming the 'Cloud Sync' name implies it is the primary or newer replacement, but in reality, Entra Connect Cloud Sync is a lighter agent for specific multi-forest or limited scenarios, while Entra Connect remains the standard for full hybrid identity synchronization.

How to eliminate wrong answers

Option A is wrong because Microsoft Identity Manager (MIM) is an identity management and governance tool for managing on-premises identities and synchronization between multiple identity stores, not the primary tool for synchronizing a single on-premises AD to Entra ID for hybrid identity; it is more complex and typically used for advanced scenarios like cross-forest synchronization or identity lifecycle management. Option C is wrong because Microsoft Entra Connect Cloud Sync is a lightweight agent designed for synchronizing users from multiple on-premises AD forests to Entra ID, but it lacks full feature parity with Entra Connect (e.g., no device writeback, no pass-through authentication with seamless SSO, and limited attribute filtering) and is intended for specific scenarios like merging multiple forests or replacing older sync tools, not as the default for standard hybrid identity. Option D is wrong because Active Directory Federation Services (AD FS) is a federation service that provides single sign-on and claims-based authentication, not a synchronization tool; it does not synchronize user objects or attributes from on-premises AD to Entra ID.

54
MCQ · medium

Your organization uses Microsoft Purview to manage data governance. You need to design a solution that allows data owners to classify sensitive data in their Microsoft SharePoint Online sites and generate a data catalog. Which Purview tool should you use?

A. Microsoft Purview Information Protection
B. Microsoft Purview Audit
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Data Map
Answer: D

Data Map scans and catalogs data, enabling classification and discovery.

Why this answer

Option D is correct because Microsoft Purview Data Map is used to scan data sources, classify sensitive information, and build a data catalog. Option C (Data Loss Prevention) is for policy enforcement, not cataloging. Option A (Information Protection) is for labeling and protection. Option B (Audit) is for logging activities.

55
MCQ · hard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. To summarize Mimikatz alerts by account.
B. To create an automation rule based on the query.
C. To enrich Mimikatz alerts with user account names.
D. To detect lateral movement after a Mimikatz alert.
Answer: C

Joins alert with identity to get account name.

Why this answer

Option C is correct because the query joins security alerts with identity information to obtain the account name for alerts about Mimikatz detection. Option D is wrong because the query does not investigate lateral movement. Option B is wrong because it does not create or trigger an automation rule. Option A is wrong because it does not summarize data.

56
MCQ · easy

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use the same passwords for both on-premises and cloud resources without having to change them. What should you implement?

A. Microsoft Entra Cloud Sync.
B. Federation with on-premises AD FS.
C. Microsoft Entra Connect password hash synchronization.
D. Microsoft Entra Connect pass-through authentication.
Answer: C

PHS syncs password hashes, enabling same password use.

Why this answer

Option C is correct because password hash synchronization (PHS) syncs password hashes to Entra ID, allowing users to keep the same passwords. Option D is wrong because pass-through authentication does not sync passwords. Option B is wrong because federation with AD FS does not sync passwords; AD FS provides federation, not password synchronization.

57
MCQ · hard

Your organization uses Microsoft Sentinel as a SIEM. You need to reduce the cost of data ingestion while ensuring that security-relevant events are retained. You have identified that Windows Event ID 4624 (successful logon) produces a high volume of logs. What should you do?

A. Reduce the retention period for all logs to 30 days
B. Ingest the events into a separate Log Analytics workspace with a shorter retention
C. Filter out Event ID 4624 at the source using Windows Event Forwarding
D. Configure the analytics connector to ingest these events as basic logs
Answer: D

Basic logs cost less than analytics logs.

Why this answer

Option D is correct because Microsoft Sentinel supports 'basic logs' ingestion, which is a lower-cost tier designed for high-volume, verbose logs like Windows Event ID 4624. Basic logs are stored in a separate table with a reduced retention period (default 30 days) but still retain security-relevant metadata, enabling cost savings while preserving the ability to query for security incidents. This approach avoids the need to filter or drop events entirely, ensuring compliance with security monitoring requirements.

Exam trap

The trap here is that candidates often confuse 'reducing retention' with 'reducing ingestion cost,' not realizing that ingestion cost is based on data volume, not retention length, and that basic logs provide a separate, cheaper ingestion tier specifically for high-volume, low-value logs.

How to eliminate wrong answers

Option A is wrong because reducing the retention period for all logs to 30 days would indiscriminately delete security-critical logs (e.g., Event ID 4625 for failed logons) that may be needed for longer investigations or compliance. Option B is wrong because ingesting events into a separate Log Analytics workspace with a shorter retention does not reduce ingestion costs; it only shifts storage costs and still incurs the same per-GB ingestion charges for the high-volume Event ID 4624 data. Option C is wrong because filtering out Event ID 4624 at the source using Windows Event Forwarding would permanently discard the events, preventing any future analysis of successful logon patterns, which are essential for detecting lateral movement or brute-force attacks.

58
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. What does this policy accomplish?

A. Requires MFA for high-risk sign-ins.
B. Blocks external users from high-risk sign-ins.
C. Blocks all users when sign-in risk is high.
D. Blocks sign-ins from specific applications.
Answer: C

Correct interpretation.

Why this answer

Option C is correct because the policy blocks all users when sign-in risk is high. Option A is wrong because the policy does not require MFA. Option D is wrong because it does not target specific apps. Option B is wrong because the policy blocks all users, not just external users.

59
MCQ · easy

A company uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. They want to integrate MDI alerts into Microsoft Sentinel. Which data connector should they use?

A. Syslog connector
B. Azure Active Directory connector
C. Microsoft Defender for Identity connector
D. Windows Security Events via AMA
Answer: C

This connector specifically ingests MDI alerts.

Why this answer

Option C is correct because the Microsoft Defender for Identity connector ingests MDI alerts into Sentinel. Option D is incorrect because the Windows Security Events via AMA connector ingests raw events, not MDI alerts. Option B is incorrect because the Azure Active Directory connector is for cloud identity logs. Option A is incorrect because Syslog is for non-Microsoft devices.

60
MCQ · easy

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents without human intervention. Which feature should you configure?

A. Automation rule
B. Analytics rule
C. Workbook
D. Watchlist
Answer: A

Automation rules can automatically respond to incidents by triggering playbooks or other actions.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel respond automatically to incidents based on criteria such as severity and can trigger playbooks. Option B is wrong because analytics rules create alerts and incidents, not automated responses. Option C is wrong because workbooks are for visualization. Option D is wrong because watchlists are for correlation.

61
MCQ · hard

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the primary purpose?

A. Correlate alerts across different data sources
B. Identify new high-severity alerts in the last 7 days
C. Detect entities that have been repeatedly targeted by high-severity alerts
D. Find entities with fewer than 5 high-severity alerts
Answer: C

The query groups by CompromisedEntity and counts alerts, then filters for more than 5, indicating repeated targeting.

Why this answer

The KQL query uses the `make_set` function to aggregate distinct alert names per entity (e.g., host or user) and then filters for entities that have been hit by more than 5 distinct high-severity alerts. This directly identifies entities repeatedly targeted by high-severity alerts, which is the primary purpose.

Exam trap

Microsoft often tests the distinction between counting total alerts versus counting distinct alert types, so candidates may mistakenly think the query counts all alerts (including duplicates) and pick option D, when in fact `make_set` deduplicates by alert name.

How to eliminate wrong answers

Option A is wrong because the query does not join or correlate alerts from different data sources; it only filters alerts by severity and aggregates by entity. Option B is wrong because the query does not identify new alerts; it counts distinct alert names over the last 7 days, not the recency of individual alerts. Option D is wrong because the query uses `array_length(make_set(...)) > 5`, which finds entities with more than 5 distinct high-severity alerts, not fewer than 5.

62
MCQ · hard

Your company uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to generate a report that shows the percentage of controls that are not yet implemented for the PCI DSS standard. What should you do?

A. In Compliance Manager, open the PCI DSS assessment and view the control status.
B. Create a Data Lifecycle Management policy for PCI DSS.
C. Create a custom risk assessment in Compliance Manager for PCI DSS.
D. Configure a Communication Compliance policy to monitor PCI DSS compliance.
Answer: A

Compliance Manager includes pre-built assessments with control status tracking.

Why this answer

Option A is correct because Compliance Manager provides pre-built assessments for standards such as PCI DSS, and opening the assessment shows the control status. Option B is incorrect because Data Lifecycle Management is for retention policies. Option D is incorrect because Communication Compliance is for internal risk detection. Option C is incorrect because the PCI DSS assessment is built in; it does not need to be created manually for this purpose.

63
MCQ · easy

Your organization uses Microsoft Intune for mobile device management. Employees report they cannot access corporate email on their personal iOS devices. The helpdesk confirms devices are enrolled and compliant. What should you check first?

A. Confirm the device configuration profile includes email settings.
B. Verify the conditional access policy for Exchange Online includes iOS devices.
C. Review the app protection policy for Outlook.
D. Ensure the compliance policy allows iOS devices.
Answer: B

Conditional access policies control access to cloud apps based on device state.

Why this answer

Option B is correct because conditional access policies in Entra ID enforce access rules for cloud apps such as Exchange Online. Option D is wrong because compliance policies define device requirements, not access. Option C is wrong because app protection policies manage data within apps. Option A is wrong because device configuration profiles set device settings but do not control access.

64
MCQ · hard

Your organization uses Microsoft Sentinel. You need to design a solution to detect and automatically respond to a potential brute-force attack against an on-premises application that is published via Azure AD Application Proxy. The solution should block the attacker's IP address in Azure AD Conditional Access for one hour after detecting more than 10 failed login attempts within 5 minutes. What should you implement?

A. Create a Microsoft Purview Data Loss Prevention policy to block the IP address based on the login pattern.
B. Create a Microsoft Sentinel analytics rule that triggers on a KQL query detecting the failed logins, then use a playbook to add the IP to a Conditional Access block list via the Azure AD API.
C. Deploy a web application firewall (WAF) in front of the application and configure rate limiting to block the IP.
D. Configure a Microsoft Entra ID Protection sign-in risk policy to automatically block the user's sign-in after detecting anomalous activity.
Answer: B

This custom approach allows specific thresholds and automated blocking via Conditional Access.

Why this answer

Option B is correct because a Microsoft Sentinel analytics rule can detect the failed-login pattern with a KQL query, and a playbook can then invoke the Conditional Access block action via the Azure AD API to block the IP. Option D is incorrect because Microsoft Entra ID Protection does not cover on-premises apps published via App Proxy with custom logic. Option A is incorrect because a DLP policy is not for authentication. Option C is incorrect because a WAF operates at the network layer and does not integrate directly with Conditional Access.

65
MCQ · medium

Your organization uses Microsoft Purview. You need to design a solution that automatically detects and classifies sensitive data such as passport numbers stored in Microsoft OneDrive. The solution should apply a 'Highly Confidential' sensitivity label without user intervention. What should you configure?

A. Create an auto-labeling policy in Microsoft Purview that targets OneDrive and includes the 'Passport Number' sensitive info type.
B. Create a Data Loss Prevention (DLP) policy that blocks sharing of files with passport numbers.
C. Enable auditing in Microsoft Purview to track where passport numbers are stored.
D. Configure a manual sensitivity label and train users to apply it.
Answer: A

Auto-labeling policies automatically apply labels based on content inspection.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can scan content for sensitive info types and automatically apply labels. Option D (manual labeling) requires user action. Option B (DLP) blocks sharing but does not label. Option C (audit) only logs.

66
MCQ · medium

A global organization uses Microsoft Entra ID with Conditional Access policies. They want to enforce multifactor authentication (MFA) for all users accessing sensitive apps from outside the corporate network, but allow access without MFA from trusted IPs. What should they configure?

A. Create a Conditional Access policy that grants access, requiring MFA for all locations.
B. Create a Conditional Access policy that requires MFA for all users and all locations.
C. Create a Conditional Access policy that blocks access from all locations except trusted IPs.
D. Create a Conditional Access policy that includes 'All users' and 'All cloud apps', with the location condition set to include 'All locations' and exclude 'Trusted IPs', and require MFA.
Answer: D

Correct: Include 'Any location' and exclude 'Trusted IPs', then require MFA.

Why this answer

Option D is correct because it configures a Conditional Access policy that includes 'All locations' as a condition and excludes 'Trusted IPs' (defined as named locations in Entra ID), then requires MFA as a grant control. This enforces MFA for all access attempts from outside the corporate network while allowing access without MFA from trusted IPs, precisely matching the requirement.

Exam trap

The trap here is that candidates often confuse 'include all locations and exclude trusted IPs' with 'include only trusted IPs' or 'block untrusted locations', leading them to pick options that either block all untrusted access or fail to exclude trusted IPs from the MFA requirement.

How to eliminate wrong answers

Option A is wrong because it requires MFA for all locations, including trusted IPs, which does not allow access without MFA from trusted IPs. Option B is wrong because it applies to all users and all locations without any location-based exclusion, forcing MFA even from trusted IPs. Option C is wrong because it blocks access from all locations except trusted IPs, which would prevent any access from untrusted locations entirely rather than allowing it with MFA.

67
MCQ · easy

Refer to the exhibit. You are configuring a Microsoft Purview sensitivity label. When a user applies this label to an email, what happens?

A. The email is encrypted and cannot be forwarded, printed, or copied
B. The email is encrypted but can be forwarded
C. The email is not encrypted but cannot be forwarded
D. The email is encrypted and the recipient cannot reply
Answer: A

Do Not Forward restricts these actions.

Why this answer

Option A is correct because the sensitivity label is configured with encryption that includes the 'Do Not Forward' option. This applies Azure Rights Management (Azure RMS) protection, which encrypts the email and restricts the recipient from forwarding, printing, or copying the content. The label enforces these restrictions at the message level, regardless of the email client used.

Exam trap

The trap here is that candidates often assume encryption alone prevents forwarding, but encryption only protects confidentiality; the 'Do Not Forward' template is a separate usage restriction that must be explicitly configured in the sensitivity label.

How to eliminate wrong answers

Option B is wrong because a label with encryption and 'Do Not Forward' explicitly prevents forwarding, not just encryption. Option C is wrong because the label applies encryption, so the email is encrypted, and the 'Do Not Forward' restriction also blocks forwarding. Option D is wrong because the 'Do Not Forward' option does not prevent the recipient from replying; it only blocks forwarding, printing, and copying.

68
Multi-Select · medium

Which TWO actions should you take to meet a compliance requirement that all emails containing credit card numbers must be encrypted before delivery?

Select 2 answers
A. Create a sensitivity label with encryption and apply it via auto-labeling.
B. Create a Microsoft Purview Data Loss Prevention (DLP) policy that detects credit card numbers and applies encryption.
C. Enable Microsoft Purview Information Protection auto-labeling for credit card data.
D. Create a mail flow rule in Exchange Online to encrypt emails with credit card numbers.
E. Configure Microsoft Purview Message Encryption as part of the DLP policy.
Answers: B, E

DLP can automatically protect sensitive data in transit.

Why this answer

Option B is correct because a Microsoft Purview Data Loss Prevention (DLP) policy can detect sensitive data types like credit card numbers and automatically apply encryption via Information Rights Management (IRM) as an action. This ensures that any email containing credit card data is encrypted before delivery, meeting the compliance requirement directly through policy enforcement.

Exam trap

The trap here is that candidates often confuse auto-labeling with DLP actions, thinking that applying a sensitivity label automatically encrypts the email, when in fact DLP policies are required to enforce encryption as a protective action on outbound messages.

69
Multi-Select · hard

A company wants to automate incident response in Microsoft 365 Defender. Which THREE actions can be automated using automated investigation and response (AIR) capabilities? (Choose three.)

Select 3 answers
A. Block a file hash across the organization.
B. Reset a user's password.
C. Isolate a device from the network.
D. Create a new user account.
E. Delete a malicious email from all mailboxes.
Answers: A, C, E

AIR can block indicators of compromise.

Why this answer

Option C is correct because AIR can isolate devices automatically. Option E is correct because AIR can delete malicious emails from all mailboxes. Option A is correct because AIR can block file hashes across the organization. Option B is wrong because resetting passwords is not an AIR action; it requires a playbook. Option D is wrong because creating users is not a security response action.

70
MCQ · hard

Your organization uses Microsoft Entra ID with external identities. You need to design a solution that allows partners to self-service sign up using their existing Azure AD or Microsoft account credentials, while preventing them from accessing other resources. What should you use?

A. Microsoft Entra B2C
B. Microsoft Entra Identity Protection
C. Microsoft Entra B2B collaboration
D. Direct federation with a partner's IdP
Answer: C

B2B allows self-service sign-up with existing credentials.

Why this answer

Option C is correct because Entra ID B2B collaboration allows external users to sign in with their own credentials, and you can control what they access with Conditional Access or directory roles. Option A is wrong because B2C is for customer-facing apps. Option D is wrong because direct federation is a sign-in option for guest users who are already part of B2B collaboration, not a separate solution. Option B is wrong because Identity Protection is for risk detection.

71
Multi-Select · medium

Your organization is implementing a privileged access strategy using Microsoft Entra ID. You need to provide just-in-time (JIT) access to Azure resources for administrators. Which TWO features should you use?

Select 2 answers
A. Identity Protection user risk policy
B. Privileged Identity Management (PIM) for Azure AD roles
C. Azure RBAC roles
D. Access reviews
E. Privileged Access Groups (PAG)
Answers: B, E

PIM provides JIT and time-bound access for Azure AD roles.

Why this answer

Privileged Identity Management (PIM) for Azure AD roles enables just-in-time (JIT) activation of Azure AD roles, providing time-bound approval-based elevated access to Azure resources. Privileged Access Groups (PAG) extend JIT capabilities by allowing Azure AD roles and Azure RBAC roles to be assigned to groups, enabling JIT membership activation for granular resource access.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (which are static permission definitions) with the JIT activation mechanism provided by PIM, or they overlook that Privileged Access Groups can bridge Azure AD roles and Azure RBAC roles for JIT access.

72
MCQ · medium

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users can access corporate email on their personal iOS devices only if the device is enrolled in Intune and compliant with security policies. What should you configure?

A. Configure a device configuration policy to enforce passcode and encryption.
B. Create an app protection policy for iOS requiring managed apps to be enrolled and compliant.
C. Configure a conditional access policy in Microsoft Entra ID requiring a compliant device.
D. Create a device compliance policy for iOS and assign it to all users.
Answer: B

App protection policies can require device enrollment and compliance.

Why this answer

Option B is correct because an app protection policy with conditional launch settings can require device enrollment and compliance before allowing access. Option C is wrong because conditional access policies in Entra ID require device compliance but do not enforce app-level protection. Option D is wrong because a compliance policy alone does not block access. Option A is wrong because a device configuration policy applies settings but does not enforce access.

73
MCQ · hard

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is enabled but users who are detected as high risk are still able to sign in. What is the most likely reason?

A. No users or groups are assigned to the policy
B. The policy state is set to 'enabled' but not 'enforced'
C. The user risk level is set to 'high' but sign-in risk is 'medium'
D. The grant control is set to 'block' but should be 'require MFA'
Answer: A

The exhibit does not show user assignment; if none, the policy won't apply.

Why this answer

Option A is correct because the exhibit does not show any users or groups assigned to the policy; a Conditional Access policy with no assigned users never applies, so high-risk users are not blocked. Option B is incorrect because the policy is enabled. Option C is incorrect because the risk levels are set. Option D is incorrect because the block control is set.

74
Multi-Select · easy

A company wants to implement a Zero Trust security model. Which TWO principles are fundamental to Zero Trust? (Choose two.)

Select 2 answers
A. Verify explicitly.
B. Use perimeter-based security.
C. Trust internal network.
D. Trust but verify.
E. Assume breach.
Answers: A, E

'Verify explicitly' and 'assume breach' are two of the three Zero Trust principles; the third, least-privilege access, is not offered here.

Why this answer

Option A is correct because Zero Trust mandates that every access request must be authenticated and authorized based on all available data points, including user identity, location, device health, and data sensitivity, regardless of the network location. This 'verify explicitly' principle eliminates implicit trust and enforces continuous validation for every transaction, aligning with Microsoft's Zero Trust deployment guidance for identity and access management. Option E is correct because Zero Trust treats a compromise as already possible and designs to limit its blast radius: segmenting access, encrypting end to end, granting just-enough and just-in-time privileges, and using telemetry and analytics to detect and respond. Options B and C describe the perimeter model that Zero Trust replaces, in which being on the internal network is itself treated as proof of trust.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with Zero Trust, but Microsoft explicitly defines Zero Trust as 'never trust, always verify,' making 'trust but verify' a legacy approach that still assumes initial trust.

75
Multi-Selectmedium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows only hybrid Azure AD joined devices to access a sensitive application. The solution must also require that the device is compliant with company policies. Which two components should you configure? (Choose TWO.)

Select 2 answers
A.Intune app protection policy
B.Conditional Access policy with 'Require multifactor authentication'
C.Conditional Access policy with 'Require hybrid Azure AD joined device'
D.Intune device enrollment
E.Intune device compliance policy
AnswersC, E

The Conditional Access grant control enforces hybrid join and compliance at sign-in, and the Intune compliance policy defines what 'compliant' means.

Why this answer

Options C and E are correct because the Conditional Access policy is the enforcement point (the grant controls 'Require Microsoft Entra hybrid joined device' and 'Require device to be marked as compliant', combined with the 'Require all the selected controls' operator so both must hold) and the Intune compliance policy defines the rules that produce the compliance state the grant control checks. Option B (MFA) is a separate control that the scenario does not ask for. Option A (app protection policy) protects data inside managed apps and does not restrict which devices can reach the application.

Option D (device enrollment) is a prerequisite for both the hybrid-join claim and compliance evaluation, but enrollment itself is not an access control.
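Questions 72 and 75 come down to the same build: a Conditional Access policy whose grant controls require a compliant device, optionally combined with a hybrid-joined device. The following added example (not code from the question bank) creates such a policy with the Microsoft Graph PowerShell SDK, in report-only state by default so its effect can be read from the sign-in logs before it is switched to enforcing. It assumes Microsoft.Graph.Identity.SignIns is installed and the account holds the Policy.ReadWrite.ConditionalAccess scope; the function New-DeviceTrustCaPolicy, the policy names, and the group and application ID placeholders are the example's own, while 00000002-0000-0ff1-ce00-000000000000 is the Office 365 Exchange Online application ID.

```powershell
# Added example, not code from the question bank. Assumes Microsoft.Graph.Identity.SignIns
# is installed and the account can be granted Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

function New-DeviceTrustCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $AppIds,      # target resource IDs (or 'Office365')
        [Parameter(Mandatory)] [string[]] $GroupIds,    # pilot group(s); avoid 'All' on day one
        [string[]] $Platforms = @('all'),               # e.g. @('iOS'), @('windows')
        [switch]   $RequireHybridJoin,                  # adds 'domainJoinedDevice'
        [switch]   $Enforce                             # default is report-only
    )

    # 'compliantDevice' is 'Require device to be marked as compliant' (Intune compliance);
    # 'domainJoinedDevice' is 'Require Microsoft Entra hybrid joined device'.
    $controls = @('compliantDevice')
    if ($RequireHybridJoin) { $controls += 'domainJoinedDevice' }

    # Report-only lets you read the would-be outcome from sign-in logs before enforcing.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $body = @{
        displayName = $DisplayName
        state       = $state
        conditions  = @{
            users          = @{ includeGroups = $GroupIds }
            applications   = @{ includeApplications = $AppIds }
            platforms      = @{ includePlatforms = $Platforms }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'AND'      # every listed control must be satisfied
            builtInControls = $controls
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Question 72: personal iOS devices reach Exchange Online only when enrolled and compliant.
# The group ID is a placeholder; replace it with the object ID of the pilot group.
New-DeviceTrustCaPolicy -DisplayName 'CA-EXO-iOS-RequireCompliantDevice' `
    -AppIds '00000002-0000-0ff1-ce00-000000000000' `
    -GroupIds '<pilot-group-object-id>' -Platforms 'iOS'

# Question 75: the sensitive app is reachable only from hybrid-joined AND compliant devices.
# Both IDs are placeholders.
New-DeviceTrustCaPolicy -DisplayName 'CA-SensitiveApp-HybridJoin-And-Compliant' `
    -AppIds '<sensitive-app-id>' -GroupIds '<pilot-group-object-id>' -RequireHybridJoin
```

Neither policy does anything useful until an Intune compliance policy is assigned to the same devices, since 'compliantDevice' checks a state that only compliance policies produce; for the second policy, hybrid join exists only for Windows devices, so a macOS or iOS user in the pilot group would be blocked once the policy is enforced, which is why the platform filter is left for you to set deliberately. Include a break-glass account in the exclude list before switching -Enforce on.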
