CCNA Secops Identity Compliance Questions

75 of 231 questions · Page 3/4 · Secops Identity Compliance topic

151
MCQ · hard

Your organization is implementing a data loss prevention (DLP) strategy using Microsoft Purview. The compliance team needs to automatically classify and label sensitive data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Purview feature should you use?

A. Microsoft Purview Data Map
B. Microsoft Purview Information Protection
C. Microsoft Purview Records Management
D. Microsoft Defender for Cloud Apps
Answer: A

Data Map scans and classifies data across on-prem, Azure, and other clouds.

Why this answer

Microsoft Purview Data Map is the correct choice because it provides unified data governance across hybrid and multi-cloud environments, including Microsoft 365, Azure SQL Database, and Amazon S3. It automatically scans, classifies, and labels sensitive data using built-in classifiers and sensitivity labels, enabling consistent DLP policies across these disparate data sources.

Exam trap

The trap here is that candidates often confuse the scanning and classification capabilities of Microsoft Purview Data Map with the labeling and protection features of Microsoft Purview Information Protection, but the Data Map is the service that actually discovers and classifies data across multiple clouds, while Information Protection applies the labels after classification.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Information Protection focuses on applying sensitivity labels and encryption to data within Microsoft 365 and Azure, but it does not natively scan or classify data in Amazon S3. Option C is wrong because Microsoft Purview Records Management is designed for managing retention, disposition, and legal hold of records, not for automatic classification and labeling of sensitive data across multi-cloud sources. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides threat protection and visibility for cloud apps, but it does not perform automatic data classification and labeling across Microsoft 365, Azure SQL, and Amazon S3 as a primary function.

152
MCQ · easy

Refer to the exhibit. You are reviewing an Azure Policy definition for GDPR compliance. The policy is intended to audit storage accounts that do not have encryption enabled. However, the policy is not evaluating correctly. What is the most likely reason?

A. The field 'type' should be 'Microsoft.Storage/storageAccounts/encryption'
B. The policy type should be 'Custom'
C. The effect should be 'Audit' instead of 'auditIfNotExists'
D. The policy mode should be 'All' instead of 'Indexed'
Answer: C

Storage account encryption is a property of the account itself, not a separate resource. 'auditIfNotExists' is used for child resources; 'Audit' with a condition on the encryption field would be correct.

Why this answer

Option C is correct because the effect 'auditIfNotExists' audits a resource only if a dependent resource does not exist. However, storage account encryption is a property of the storage account itself, not a separate resource. The policy should use the 'Audit' effect with a condition that checks whether encryption is disabled.

Option D is wrong because 'Indexed' mode is appropriate for storage accounts. Option B is wrong because the policy is built-in but the snippet shows custom properties. Option A is wrong because the field type is correct.

153
MCQ · easy

Your organization uses Microsoft Defender for Cloud to manage the security posture of Azure resources. You need to receive alerts when a virtual machine is deployed without just-in-time (JIT) access enabled. What should you do?

A. Create a custom alert rule in Microsoft Sentinel
B. Configure JIT access on the VM and monitor via activity logs
C. Enable JIT access on all VMs
D. Use the built-in Defender for Cloud recommendation for JIT access
Answer: D

The recommendation alerts on non-compliance.

Why this answer

The correct answer is D because Microsoft Defender for Cloud provides a built-in security recommendation specifically for just-in-time (JIT) VM access. This recommendation continuously assesses your VMs and generates an alert when a VM is deployed without JIT enabled, without requiring custom rules or manual configuration. It directly addresses the requirement to receive alerts for non-compliant VMs.

Exam trap

The trap here is that candidates often overcomplicate the solution by thinking they need a custom alert rule in Sentinel (Option A) or manual monitoring (Option B), when Defender for Cloud's built-in recommendation already provides the required alerting capability without additional tools.

How to eliminate wrong answers

Option A is wrong because creating a custom alert rule in Microsoft Sentinel is unnecessary and adds complexity; Defender for Cloud already has a native recommendation for JIT access that can trigger alerts without Sentinel. Option B is wrong because configuring JIT access on the VM and monitoring via activity logs only addresses the VM after it is configured, not alerting when a VM is deployed without JIT; it also requires manual setup and does not provide automated alerts for new deployments. Option C is wrong because enabling JIT access on all VMs is a remediation action, not a method to receive alerts; it does not generate alerts for VMs that are deployed without JIT.

154
MCQ · medium

A company uses Microsoft Purview to classify data and enforce retention policies. They need to automatically apply a retention label to all documents containing credit card numbers. Which approach should they use?

A. Configure an auto-labeling policy with a sensitive info type
B. Use a trainable classifier
C. Create a manual labeling policy for users
D. Use a default label for SharePoint libraries
Answer: A

Auto-labeling applies labels based on content.

Why this answer

Option A is correct because Microsoft Purview auto-labeling policies can automatically apply retention labels to documents based on sensitive info types (SITs), such as credit card numbers. This approach uses pattern matching to detect the credit card number format and applies the label without user intervention, meeting the requirement for automatic enforcement.

Exam trap

The trap here is that candidates may confuse trainable classifiers with sensitive info types, thinking that 'intelligent' classification is always better, but SITs are the correct choice for specific, pattern-based data like credit card numbers.

How to eliminate wrong answers

Option B is wrong because trainable classifiers are designed to identify content based on context and patterns (e.g., contracts or resumes), not specific sensitive data like credit card numbers, which are better matched by SITs. Option C is wrong because manual labeling policies require users to apply labels themselves, contradicting the requirement for automatic application. Option D is wrong because a default label for SharePoint libraries applies a label to all documents in the library regardless of content, not selectively to those containing credit card numbers.

155
MCQ · medium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. Identify accounts that have experienced more than 10 failed login attempts from the same IP address within an hour
B. Identify IP addresses that have successfully brute-forced an account
C. Identify users who have logged in from multiple IPs in a short time
D. Identify accounts that have been disabled due to multiple failures
Answer: A

The query does exactly that.

Why this answer

The KQL query uses the `summarize` operator to count failed logon events (EventID 4625) grouped by account and IP address, then filters for counts greater than 10 within a 1-hour time window. This directly identifies accounts that have experienced more than 10 failed login attempts from the same IP address within an hour, which is a classic indicator of a brute-force attack targeting a specific account.

Exam trap

Microsoft often tests the distinction between identifying brute-force attempts (failed logins) and confirming successful brute-force attacks (failed logins followed by a successful login), so candidates may incorrectly choose Option B without checking for a successful logon event.

How to eliminate wrong answers

Option B is wrong because the query does not check for a subsequent successful login (EventID 4624) after the failures, so it cannot confirm that a brute-force attack succeeded. Option C is wrong because the query groups by both account and IP address, not by users logging in from multiple IPs; it focuses on failures from a single IP. Option D is wrong because the query does not query for account lockout events (EventID 4740) or disabled account status; it only counts failed logon attempts.

156
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud automation resource. You want the automation to trigger a playbook in Microsoft Sentinel when a high-severity security assessment is found. Based on the exhibit, what is the missing configuration?

A. The severity filter should be 'Low' to capture all assessments
B. The action type should be 'LogicApp' instead of 'EventHub'
C. The eventSource should be 'Alerts' instead of 'Assessments'
D. The API version should be '2020-01-01'
Answer: B

To invoke a playbook in Sentinel, the automation action must be of type 'LogicApp' with the playbook's callback URL.

Why this answer

Option B is correct because the exhibit shows the automation sends to EventHub, but to trigger a Sentinel playbook the action type should be 'LogicApp' with the playbook's trigger URL. Option C is wrong because the source is already set to Assessments. Option A is wrong because the severity filter is correctly set to High.

Option D is wrong because the API version is not the issue; the action type is wrong.

157
MCQ · medium

Your organization uses Microsoft Sentinel and wants to correlate security events from multiple sources to detect multi-stage attacks. What should you create?

A. Scheduled query rule
B. NRT rule
C. Anomaly rule
D. Fusion rule
Answer: D

Fusion rules use ML to correlate alerts from multiple sources and detect multi-stage attacks.

Why this answer

Fusion rules in Microsoft Sentinel are specifically designed to correlate security events from multiple sources and detect multi-stage attacks by combining alerts from different detection technologies into a single incident. This matches the requirement to correlate events across sources for complex attack chains, unlike other rule types that focus on single-source or single-event detection.

Exam trap

The trap here is that candidates often confuse scheduled query rules or NRT rules as the primary tool for correlation, but those require manual KQL logic to join data across sources, whereas Fusion provides automated, built-in multi-source correlation for multi-stage attacks.

How to eliminate wrong answers

Option A is wrong because scheduled query rules run queries at regular intervals against a single data source or table, and they cannot natively correlate events from multiple disparate sources to detect multi-stage attacks. Option B is wrong because NRT (Near-Real-Time) rules provide low-latency detection but still operate on a single query against one or more tables, lacking the built-in multi-source correlation logic of Fusion. Option C is wrong because anomaly rules use machine learning to detect deviations from baseline behavior on a single data source, not to correlate events across multiple sources for multi-stage attack detection.

158
MCQ · medium

Your organization, Fabrikam Inc., uses Microsoft Intune for device management and Microsoft Entra ID for identity. You need to design a solution to ensure that only compliant and healthy devices can access corporate resources. The solution must require that devices are either enrolled in Intune and compliant, or joined to Azure AD with a health attestation. Additionally, you need to block access from devices that are rooted or jailbroken. You have the following requirements: 1) Enforce conditional access policies to check device compliance and health. 2) Use Microsoft Defender for Endpoint integration for device health signals. 3) Provide a fallback option for unmanaged devices to access only web apps via browser with app protection policies. Which combination of actions should you take?

A. Configure conditional access to require MFA for all devices, and use device filters to exclude non-compliant devices.
B. Configure conditional access to require device compliance, and enable device health attestation via Intune.
C. Configure conditional access to block access from unknown locations, and require device enrollment for all users.
D. Configure conditional access policies: one requiring device compliance or Azure AD joined with health attestation, and another for unmanaged devices requiring app protection policies.
Answer: D

This meets all requirements.

Why this answer

Option D is correct because it covers all requirements: conditional access policies for compliance/health, Defender for Endpoint integration for health signals, and app protection policies for unmanaged devices. Option A is incorrect because it uses MFA only, not device compliance. Option B is incorrect because it relies on device compliance only, not health attestation.

Option C is incorrect because it uses a location-based policy, which does not address device health.

159
MCQ · hard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. The query returns a list of users and IP addresses with failed sign-ins due to 'User Account Disabled' (ResultType 50057). The analyst wants to create a scheduled analytics rule that generates an incident when a user exceeds 5 such failures from the same IP in an hour. Which setting is missing from the query to meet the requirement?

A. Add a 'let' statement to define the threshold.
B. Add a 'project' to select columns.
C. Add a 'bin' or 'bin_at' to group by time windows.
D. Add a 'where' clause to filter by ResultType.
Answer: C

Without binning, the count is over the entire 1-hour window, but for scheduled rules, you need to bin to avoid double-counting across runs.

Why this answer

The query currently returns all failed sign-ins due to 'User Account Disabled' but does not aggregate them into time-based windows. To meet the requirement of generating an incident when a user exceeds 5 failures from the same IP in an hour, the query must group the results into 1-hour time buckets using 'bin' or 'bin_at' on the timestamp column, then count the failures per user and IP per bucket, and filter for counts greater than 5. Without this time-windowing, the query cannot enforce the 'in an hour' condition.

Exam trap

Microsoft often tests the candidate's understanding that time-based analytics rules require explicit time-windowing in the query (via bin or bin_at) rather than relying on the rule's run frequency or lookback period alone.

How to eliminate wrong answers

Option A is wrong because a 'let' statement defines a variable or threshold, but the threshold (5 failures) can be applied directly in a 'where' clause after aggregation; the missing piece is time-based grouping, not variable definition. Option B is wrong because 'project' selects or renames columns, which is useful for output but does not affect the aggregation or time-windowing required to count failures per hour. Option D is wrong because the query already filters by ResultType 50057 using a 'where' clause; adding another 'where' for ResultType would be redundant and does not address the missing time-window grouping.

160
MCQ · easy

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to a detected ransomware incident by isolating the affected device in Microsoft Defender for Endpoint. Which tool should you use to create the automated response?

A. Create a workbook in Microsoft Sentinel.
B. Create a playbook in Microsoft Sentinel using Azure Logic Apps.
C. Create an automation rule in Microsoft Sentinel.
D. Create a hunting query in Microsoft Sentinel.
Answer: B

Playbooks contain the logic to execute automated responses like device isolation.

Why this answer

Option B is correct because a playbook in Microsoft Sentinel (based on Azure Logic Apps) can automate responses like device isolation. Option C (automation rule) triggers the playbook but does not contain the logic. Option D (hunting query) is for detection.

Option A (workbook) is for visualization.

161
MCQ · medium

Your company uses Microsoft 365 Copilot for Security. You need to ensure that only users in the 'SecurityAnalysts' group can access the Copilot for Security portal. All other users should not see the portal in their Microsoft 365 app launcher. What should you configure?

A. Remove the Copilot for Security license from all users and assign only to the group.
B. Create a Conditional Access policy to block access to Copilot for Security for users not in the group.
C. Configure an Entra ID administrative unit to restrict access.
D. In the Copilot for Security settings, restrict access to the 'SecurityAnalysts' group.
Answer: D

Copilot for Security allows restricting access to specific security groups.

Why this answer

Option D is correct because Copilot for Security has licensing and access controls that can be restricted to specific groups. Option B is incorrect because Conditional Access controls sign-in but does not hide the app in the app launcher. Option C is incorrect because an administrative unit scopes administrator permissions, not which users can access the portal.

Option A is incorrect because, although Entra ID groups can be used for license assignment (which controls visibility), the access restriction itself is configured in the Copilot for Security settings.

162
MCQ · easy

Your organization is a small business with 200 users using Microsoft 365 Business Premium. You need to secure user identities against common attacks like phishing and password spray. The solution must be easy to deploy and manage with minimal overhead. Requirements: (1) Enable multi-factor authentication (MFA) for all users, (2) Block legacy authentication protocols, (3) Detect and block risky sign-ins, (4) Provide security recommendations to users, (5) Integrate with Microsoft Defender for Office 365 for email protection. Which Microsoft security service should you primarily use?

A. Microsoft Purview Insider Risk Management
B. Microsoft Entra ID P2
C. Microsoft Entra ID P1 with Conditional Access and Identity Protection
D. Microsoft Defender for Cloud
Answer: C

P1 provides MFA, blocking legacy auth, and risk detection; easy to deploy.

Why this answer

Option C is correct because Microsoft Entra ID P1 (included in Business Premium) provides Conditional Access for MFA and blocking legacy authentication, Identity Protection for risky sign-ins, and security defaults for easy deployment. Option B is wrong because Entra ID P2 is overkill for a small business. Option D is wrong because Microsoft Defender for Cloud is for cloud workloads.

Option A is wrong because Microsoft Purview is for data governance.

163
Multi-Select · easy

Your organization needs to comply with GDPR. You need to design a data protection strategy using Microsoft Purview. Which THREE capabilities should you include?

Select 3 answers
A. Azure Policy
B. eDiscovery
C. Data classification and labeling
D. Data subject request management
E. Data Loss Prevention (DLP) policies
Answers: C, D, E

Classification and labeling help identify and protect personal data covered by GDPR.

Why this answer

Options C, D, and E are correct. Option C: data classification and labeling helps identify personal data. Option E: Data Loss Prevention (DLP) prevents unauthorized sharing of personal data.

Option D: data subject request (DSR) management is a GDPR requirement. Option B is wrong because eDiscovery is for legal holds, not GDPR specifically. Option A is wrong because Azure Policy is for Azure resource compliance, not data protection.

164
MCQ · medium

Your organization uses Microsoft Entra ID and needs to ensure that external partners can access only specific applications for 30 days. What should you configure?

A. Entitlement management and create an access package with an expiration of 30 days
B. B2B direct connect
C. Self-service group management
D. Conditional Access policy with session control
Answer: A

Access packages in entitlement management allow you to grant time-limited access to applications for external users.

Why this answer

Option A is correct because entitlement management in Microsoft Entra ID allows you to create access packages that govern external partner access to specific applications. By configuring an access package with a 30-day expiration, you enforce time-limited access, ensuring partners can only access the designated applications for the required duration. This directly meets the requirement of restricting access to specific apps with a defined expiry.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which manage sign-in frequency or app restrictions) with the ability to grant and expire access to specific applications, overlooking that entitlement management is the correct identity governance solution for time-limited external access.

How to eliminate wrong answers

Option B (B2B direct connect) is wrong because it is designed for mutual two-way access between organizations, typically for Teams Connect shared channels, and does not provide granular control over application-specific access or automatic expiration. Option C (self-service group management) is wrong because it allows users to create and manage their own groups, but it does not enforce time-bound access to specific applications or support external partner lifecycle management. Option D (Conditional Access policy with session control) is wrong because while it can enforce session restrictions like sign-in frequency, it cannot grant or expire access to specific applications for external users; it only controls access conditions for users who already have access.

165
Multi-Select · medium

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to design a solution that automates incident response for critical security alerts. Which THREE components should you include?

Select 3 answers
A. Playbooks built on Azure Logic Apps
B. Microsoft Intune compliance policies
C. Sentinel automation rules
D. Microsoft Teams connector for collaboration
E. Conditional Access policies
Answers: A, C, D

Playbooks automate response actions.

Why this answer

Options A, C, and D are correct. Automation rules in Sentinel trigger playbooks (Azure Logic Apps) for incident response. Microsoft Teams can be used for communication during response.

Option E is wrong because Conditional Access is for identity, not incident response automation. Option B is wrong because Microsoft Intune is for device management.

166
MCQ · easy

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. You plan to use Microsoft Entra ID Conditional Access. Which grant control should you configure?

A. Require multi-factor authentication
B. Require authentication strength (e.g., phishing-resistant MFA)
C. Require device to be marked as compliant
D. Use app enforced restrictions
Answer: A

This grant control directly enforces MFA.

Why this answer

The question specifies a requirement to enforce MFA for all users accessing sensitive applications. In Microsoft Entra ID Conditional Access, the 'Require multi-factor authentication' grant control directly enforces Azure AD MFA (e.g., via Microsoft Authenticator, OATH tokens, or SMS) as the primary authentication method. This is the simplest and most direct control to meet the stated goal of requiring MFA, without adding additional constraints like device compliance or authentication strength levels.

Exam trap

The trap here is that candidates often confuse 'Require authentication strength' (which is a newer, more specific control for phishing-resistant MFA) with the general 'Require multi-factor authentication' control, leading them to select the more complex option when the question simply asks for MFA enforcement.

How to eliminate wrong answers

Option B is wrong because 'Require authentication strength' is a more granular control that enforces a specific MFA method (e.g., phishing-resistant MFA via FIDO2 or certificate-based authentication), which is overkill for a general 'enforce MFA' requirement and may not be supported by all users. Option C is wrong because 'Require device to be marked as compliant' enforces device health (e.g., Intune compliance) but does not inherently require MFA; a user could satisfy this control with a compliant device and password only. Option D is wrong because 'Use app enforced restrictions' is a control that delegates MFA enforcement to the application itself (e.g., Exchange Online or SharePoint Online), which may not support MFA natively or may have inconsistent behavior, and it does not guarantee MFA at the identity provider level.

167
MCQ · medium

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?

A. FIDO2 security keys
B. Microsoft Authenticator app with passwordless sign-in
C. SMS-based authentication
D. Windows Hello for Business
Answer: B

Microsoft Authenticator supports passwordless sign-in using phone, making it suitable for users with smartphones.

Why this answer

The Microsoft Authenticator app with passwordless sign-in is the correct primary method because it leverages the user's smartphone to provide a seamless, phishing-resistant authentication experience using public/private key cryptography (FIDO2/WebAuthn). This method aligns with the organization's goal of eliminating passwords while utilizing existing smartphone hardware, and it supports a simple user experience by requiring only a biometric or PIN verification on the phone.

Exam trap

The trap here is that candidates often confuse 'passwordless' with 'MFA' and select SMS-based authentication, not realizing that SMS still relies on a shared secret (the code) and is not truly passwordless or phishing-resistant.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware tokens that require additional procurement and distribution, making them less practical as a primary method for all users who already have smartphones. Option C is wrong because SMS-based authentication is not passwordless (it still relies on a one-time code sent via text) and is vulnerable to SIM-swapping and phishing attacks, failing to meet the passwordless strategy's security goals. Option D is wrong because Windows Hello for Business is tied to Windows devices and does not leverage smartphones, so it cannot serve as the primary method for users who may not always have access to a Windows PC.

168
MCQ · hard

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?

A. The sign-in is blocked because user risk is high
B. The sign-in is blocked only if sign-in risk is also high
C. The sign-in is allowed because sign-in risk is not high
D. The user is prompted for multi-factor authentication
Answer: A

High user risk triggers block grant control.

Why this answer

Option A is correct because the policy blocks sign-ins when the user risk level is high. Option B is wrong because sign-in risk is not evaluated (empty array). Option D is wrong because there is no MFA requirement.

Option C is wrong because the policy blocks regardless of sign-in risk.

169
Multi-Select · easy

Your organization needs to comply with regulatory requirements for data retention and deletion. Which TWO Microsoft Purview features should you use?

Select 2 answers
A. Retention policies
B. Data Loss Prevention (DLP) policies
C. Audit logs
D. Retention labels
E. eDiscovery
Answers: A, D

Define retention periods for locations.

Why this answer

Retention policies (A) are the correct choice because they allow you to define automated rules for retaining or deleting data at the container level (e.g., entire SharePoint sites, Exchange mailboxes, or OneDrive accounts) to meet regulatory requirements. Retention labels (D) are also correct because they provide granular, item-level control (e.g., specific documents or emails) for retention and deletion, and can be applied manually or automatically via trainable classifiers or sensitive information types. Together, they form the core of Microsoft Purview's data lifecycle management, ensuring compliance with data retention and deletion mandates.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) policies with retention policies because both involve data governance, but DLP focuses on preventing data exfiltration, not on lifecycle management of data retention and deletion.

170
MCQ · medium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents related to a specific critical asset are automatically assigned to the senior SOC analyst. The assignment should occur as soon as the incident is created. What should you configure?

A. Modify the analytics rule to include a custom details field for owner.
B. Create an automation rule that sets the incident owner to the senior SOC analyst.
C. Create a playbook and trigger it from an automation rule.
D. Configure a workbook to display incidents and manually assign them.
Answer: B

Automation rules can set incident owner, status, and tags upon creation.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can assign incidents to specific owners automatically upon creation. Option C is incorrect because playbooks can automate responses but are not the simplest method for assignment. Option A is incorrect because analytics rules create alerts; they do not assign incidents.

Option D is incorrect because workbooks are for visualization.

171
MCQ · hard

Refer to the exhibit. An organization uses Microsoft Entra ID Governance. This access review policy is intended to review guest users created after January 1, 2025. The reviewers are users with job title 'Manager'. However, the review is not starting automatically. What is the most likely cause?

A. The reviewer query returns no users.
B. The recurrence is not configured.
C. The autoReviewEnabled setting is false.
D. The scope query syntax is incorrect.
Answer: B

Without recurrence, the review does not start.

Why this answer

Option B is correct: the scope query filters guests by creation date, but the review is not starting automatically because no recurrence is defined. The policy snippet does not include recurrence settings, and access reviews need a recurrence to start. Option D is wrong because the scope query is valid.

Option C is wrong because autoReviewEnabled is false, but that affects how decisions are applied, not whether the review starts. Option A is wrong because the reviewer query is valid.

172
MCQ · easy

Your organization is required to retain all Microsoft Teams chat messages for 7 years due to regulatory compliance. You need to design a solution that automatically retains these messages and, if needed, lets you search them with eDiscovery. What should you configure?

A. Microsoft Purview retention policies and eDiscovery
B. Microsoft Purview Data Loss Prevention policies
C. Azure Policy
D. Sensitivity labels auto-labeling
Answer: A

Retention policies preserve Teams chat data for 7 years; eDiscovery allows searching and exporting the data for compliance purposes.

Why this answer

Option A is correct because Microsoft Purview retention policies can be applied to Teams chats to retain them for a specified period, and eDiscovery can search the retained messages. Option D is wrong because sensitivity labels classify but do not enforce retention. Option B is wrong because DLP policies prevent data loss; they do not enforce retention.

Option C is wrong because Azure Policy applies to Azure resources, not Microsoft 365 data.

173
MCQhard

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust architecture. You need to ensure that all access requests to internal applications are verified continuously, not just at the initial sign-in. What should you configure?

A.Microsoft Defender for Cloud Apps session policy
B.Privileged Identity Management (PIM)
C.Conditional Access policies with session controls
D.Continuous Access Evaluation (CAE)
AnswerD

CAE provides real-time token validation for critical events.

Why this answer

Continuous Access Evaluation (CAE) is the correct choice because it enables real-time token validation and policy enforcement for critical events (e.g., user risk elevation, device compliance change, or IP address change) without requiring a new authentication request. This aligns with the Zero Trust principle of 'verify explicitly and continuously' by revoking access mid-session when conditions change, rather than only at initial sign-in.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which enforce periodic reauthentication) with true continuous verification, but CAE is the only mechanism that provides event-driven, real-time session revocation without waiting for token expiry or user reauthentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps session policies are used for app-level session monitoring and control (e.g., preventing data exfiltration) but do not provide continuous token-level verification of identity or device state across all applications. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not continuous verification of all access requests. Option C is wrong because Conditional Access policies with session controls (e.g., sign-in frequency, persistent browser session) still rely on periodic reauthentication or token refresh, not real-time, event-driven revocation of active sessions as CAE does.

174
MCQhard

Your organization is a multi-national corporation that uses Microsoft 365 E5 and Azure. You need to design a security operations center (SOC) to detect and respond to threats across identities, endpoints, and cloud apps. The SOC team will use a single pane of glass for incident management. Requirements: (1) Centralize alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, (2) Automate incident response playbooks, (3) Use advanced hunting across all data sources, (4) Integrate with external threat intelligence feeds, (5) Provide role-based access control for SOC analysts. Which Microsoft solution should you implement?

A.Microsoft 365 Defender portal
B.Microsoft Sentinel
C.Microsoft Purview Compliance Manager
D.Microsoft Defender for Cloud
AnswerB

Sentinel provides centralized SIEM/SOAR with advanced hunting and threat intelligence.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests alerts from all Microsoft Defender products and supports automation playbooks, advanced hunting via KQL, threat intelligence connectors, and RBAC. Option A is wrong because the Microsoft 365 Defender portal provides visibility but only limited automation and external threat intelligence integration. Option C is wrong because Microsoft Purview Compliance Manager is for compliance and data governance, not security operations. Option D is wrong because Defender for Cloud is for cloud workload protection, not a unified SIEM.

175
MCQeasy

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). The security team receives an alert for a user who has failed authentication 10 times in 5 minutes. What should you configure to reduce false positives while ensuring legitimate brute-force attacks are still detected?

A.Customize the anomaly threshold in UEBA
B.Disable UEBA for that user
C.Modify the analytics rule that triggered the alert
D.Create a playbook to auto-acknowledge the alert
AnswerA

Adjusting sensitivity reduces false positives while keeping detection.

Why this answer

Customizing the anomaly threshold in UEBA allows you to adjust the sensitivity of the behavioral baseline, reducing false positives for users who legitimately fail authentication multiple times while still detecting true brute-force attacks. UEBA learns normal behavior patterns and flags deviations; by raising the threshold, you require a higher deviation from the baseline before an alert fires, preserving detection of actual attacks.

Exam trap

The trap here is that candidates assume modifying the analytics rule (Option C) is the correct tuning mechanism, but UEBA-specific thresholds are configured separately from the underlying analytics rule, and adjusting the rule itself would affect all users and all detection logic, not just the behavioral anomaly component.

How to eliminate wrong answers

Option B is wrong because disabling UEBA for that user would stop all behavioral analytics for that user, preventing detection of any future anomalous activity, including legitimate brute-force attacks. Option C is wrong because modifying the analytics rule that triggered the alert would change the detection logic for all users, potentially missing real attacks or increasing noise across the board, rather than tuning the behavioral sensitivity for this specific pattern. Option D is wrong because creating a playbook to auto-acknowledge the alert does not reduce false positives; it merely automates ignoring the alert, which could cause a real brute-force attack to be overlooked.

176
Multi-Selectmedium

Which THREE are valid sources for ingesting data into Microsoft Sentinel? (Choose three.)

Select 3 answers
A.AWS CloudTrail
B.Microsoft 365 Defender
C.Adobe Analytics
D.Azure Activity log
E.Google BigQuery
AnswersA, B, D

AWS CloudTrail connector is available.

Why this answer

Options A, B, and D are correct. Option A is correct because AWS CloudTrail can be ingested via a connector. Option B is correct because Microsoft 365 Defender has a connector. Option D is correct because Azure Activity logs are a built-in connector. Option C is incorrect because Adobe Analytics is not supported. Option E is incorrect because Google BigQuery is not a direct connector.

177
MCQhard

Your organization is planning to use Microsoft Entra ID for identity management. You need to design a solution that enforces conditional access policies for sensitive applications while minimizing user friction. The solution must support offline access for mobile devices and require step-up authentication only when accessing high-risk data. What should you recommend?

A.Implement Microsoft Entra ID Protection to automatically remediate risky users
B.Use Conditional Access session controls with app-enforced restrictions and grant controls for high-risk sign-ins
C.Configure risk-based Conditional Access policies with user risk and sign-in risk
D.Require device compliance via Intune and block non-compliant devices
AnswerB

Session controls allow step-up authentication and support offline via app-based policies.

Why this answer

Option B is correct because session controls in Conditional Access support continuous access evaluation (CAE) and step-up authentication based on risk, while app-based Conditional Access provides offline access. Option A is wrong because Identity Protection requires online connectivity. Option C is wrong because risk-based policies alone do not handle offline scenarios. Option D is wrong because device compliance policies do not natively support offline access.

178
MCQmedium

Your company is deploying Microsoft Intune for mobile device management. You need to ensure that corporate data on personally owned devices is protected without affecting the user's personal data. Which Intune feature should you use?

A.Device compliance policies
B.Conditional Access for app control
C.Windows Autopilot
D.App Protection Policies (MAM)
AnswerD

MAM policies protect corporate data in apps without device management.

Why this answer

App Protection Policies (MAM) are the correct choice because they allow you to manage and protect corporate data within applications on personally owned devices without requiring device enrollment. This ensures that corporate data is encrypted, can be selectively wiped, and is prevented from being copied to personal apps, while leaving the user's personal data untouched.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to resources) with App Protection Policies (which protect data within apps), leading them to select Conditional Access for app control when the question specifically asks about protecting corporate data without affecting personal data.

How to eliminate wrong answers

Option A is wrong because Device Compliance Policies evaluate the security configuration of the entire device (e.g., jailbreak detection, encryption status) and require the device to be enrolled in Intune, which would give the organization visibility and control over the entire device, affecting personal data. Option B is wrong because Conditional Access for app control (e.g., using Azure AD Conditional Access with app-based policies) can restrict access based on app-level conditions but does not provide the granular data protection and selective wipe capabilities that MAM offers for corporate data within apps. Option C is wrong because Windows Autopilot is a device provisioning and deployment tool for Windows devices, not a mobile device management feature for protecting corporate data on personally owned devices.

179
MCQeasy

You are designing a compliance solution for your organization that must enforce retention policies for documents stored in SharePoint Online. Which Microsoft Purview solution should you use?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview eDiscovery
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Insider Risk Management
AnswerA

This manages retention and deletion of content.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) is the correct solution because it is specifically designed to enforce retention policies for documents in SharePoint Online. It allows you to apply retention labels and policies that automatically retain or delete content based on compliance requirements, without user intervention.

Exam trap

The trap here is that candidates often confuse 'retention' with 'eDiscovery holds' or 'compliance monitoring,' leading them to select eDiscovery or Communication Compliance, but Data Lifecycle Management is the only solution that directly enforces retention schedules for content in SharePoint Online.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for enforcing retention policies. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect and manage inappropriate communications (e.g., harassment, sensitive info sharing), not to apply retention schedules. Option D is wrong because Microsoft Purview Insider Risk Management focuses on identifying and mitigating internal security risks (e.g., data theft, policy violations), not on lifecycle retention of documents.

180
Multi-Selecthard

Your organization uses Microsoft Intune for mobile device management. You need to configure a compliance policy for iOS devices that requires jailbreak detection and a minimum OS version. Which two settings should you configure in the compliance policy? (Choose two.)

Select 2 answers
A.Require passcode
B.Minimum OS version
C.Device encryption
D.Jailbreak detection
AnswersB, D

Ensures the device runs at least a specified version.

Why this answer

B is correct because the compliance policy must specify a minimum OS version to ensure iOS devices meet the required security baseline, preventing outdated devices with known vulnerabilities from accessing corporate resources. D is correct because jailbreak detection is a specific compliance setting that identifies compromised devices, which are a significant security risk as they bypass iOS security controls.

Exam trap

The trap here is that candidates may confuse 'jailbreak detection' with 'device encryption' or 'passcode requirements,' but the question explicitly asks for the two settings that directly address jailbreak detection and minimum OS version, not general security settings.

181
MCQhard

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue by grouping related alerts into incidents. Which configuration should you use?

A.Configure incident creation in the analytics rule properties
B.Use a workbook to aggregate alerts
C.Use a playbook to create incidents
D.Create an automation rule to group alerts
AnswerA

Analytics rules can be configured to create incidents from alerts and group related alerts into a single incident.

Why this answer

Option A is correct because in Microsoft Sentinel, incident creation is configured directly within the analytics rule properties. When you create or edit a scheduled or Microsoft Security analytics rule, the 'Incident settings' tab allows you to enable incident creation and define how alerts are grouped into incidents. This is the native mechanism for reducing alert fatigue by automatically grouping related alerts into a single incident based on criteria such as entity matching or time window.

Exam trap

The trap here is that candidates often confuse automation rules with incident grouping logic, assuming that automation rules can create or group incidents, when in fact automation rules only manage incidents after they are created by analytics rules.

How to eliminate wrong answers

Option B is wrong because workbooks in Microsoft Sentinel are visualization tools that display data from queries; they do not create or group incidents. Option C is wrong because playbooks are automated workflows triggered by incidents or alerts (using Azure Logic Apps) and can perform response actions, but they are not designed to initially group alerts into incidents; incident creation is a function of the analytics rule. Option D is wrong because automation rules in Sentinel are used to automate incident management tasks (e.g., assigning, tagging, or running playbooks) after an incident is created, not to group alerts into incidents at creation time.

182
MCQmedium

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that ensures all Windows 10 devices are running the latest security updates and have real-time protection enabled. If a device is non-compliant, it should be blocked from accessing corporate resources. You have already created a Conditional Access policy that requires compliant devices. You need to configure the compliance requirements and automatic remediation. What should you do?

A.Create an Intune device configuration profile that enforces the minimum OS version and enables real-time protection.
B.Create an Intune app protection policy that requires the device to have the latest updates and real-time protection.
C.Create an Intune device compliance policy that requires minimum OS version and real-time protection, and create a remediation policy that automatically enables real-time protection if disabled.
D.Create an Intune device compliance policy that requires minimum OS version and real-time protection, and use the Conditional Access policy to block non-compliant devices.
AnswerC

The remediation policy can automatically fix the non-compliant setting.

Why this answer

Option C is correct because Intune compliance policies can check for a minimum OS version and require a healthy Defender for Endpoint status, and remediation policies can automatically enforce settings such as real-time protection. Option A is incorrect because configuration profiles deploy settings but do not enforce compliance. Option B is incorrect because app protection policies govern app-level data, not device state. Option D is incorrect because it does not address automatic remediation.

183
Multi-Selectmedium

Your organization uses Microsoft Purview to comply with regulatory requirements. Which TWO features should you use to manage data retention and deletion?

Select 2 answers
A.Data lifecycle management policies (retention policies).
B.Sensitivity labels.
C.Records management (retention labels and disposition).
D.Data Loss Prevention (DLP) policies.
E.Trainable classifiers.
AnswersA, C

Retention policies manage retention and deletion.

Why this answer

Data lifecycle management policies (retention policies) in Microsoft Purview allow you to automatically retain or delete data at the container level (e.g., SharePoint sites, Exchange mailboxes, Teams channel messages) based on regulatory requirements. They enforce retention and deletion actions without user intervention, making them essential for compliance with data governance mandates.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which handle classification and protection) with retention labels (which handle retention and deletion), leading them to incorrectly select sensitivity labels as a retention feature.

184
MCQhard

You are analyzing a custom detection rule in Microsoft 365 Defender. Based on the exhibit, what is a potential operational issue with this rule?

A.The threshold is too low, leading to alert fatigue.
B.The query syntax is invalid.
C.The severity should be Medium instead of High.
D.The rule does not cover PowerShell 7 (pwsh.exe).
AnswerA

A threshold of 5 with high severity will cause many alerts, overwhelming analysts.

Why this answer

Option A is correct because High severity combined with a low threshold (5) will generate many alerts. Option B is wrong because the query is valid. Option C is wrong because the severity is set to High. Option D is wrong because the query includes both powershell.exe and pwsh.exe.

185
Multi-Selecthard

Your organization is implementing Microsoft Entra ID governance. Which THREE capabilities should you include to manage the identity lifecycle and access reviews?

Select 3 answers
A.Microsoft Entra Identity Protection.
B.Microsoft Entra Access Reviews.
C.Microsoft Entra Entitlement Management.
D.Microsoft Entra Lifecycle Workflows.
E.Privileged Identity Management (PIM).
AnswersB, C, D

Reviews access periodically.

Why this answer

Option B is correct because Access Reviews allow periodic review of access. Option C is correct because Entitlement Management automates access requests and the access lifecycle. Option D is correct because Lifecycle Workflows automate joiner/mover/leaver processes. Option A is wrong because Identity Protection is for risk detection. Option E is wrong because Privileged Identity Management is for privileged access, not the general identity lifecycle.

186
Multi-Selectmedium

Your organization is implementing Microsoft Entra ID Governance. You need to design a solution that automates user access reviews for cloud applications. Which TWO capabilities should you include?

Select 2 answers
A.Identity Protection
B.Entitlement Management with access packages
C.Terms of Use
D.Access Reviews
E.Privileged Identity Management (PIM)
AnswersB, D

Entitlement Management automates access lifecycle and can require reviews.

Why this answer

Options B and D are correct because Entitlement Management provides automated assignment and removal of access packages, which can trigger reviews, and Access Reviews automate periodic review of access. Option A is wrong because Identity Protection is for risk detection. Option C is wrong because Terms of Use is for consent. Option E is wrong because Privileged Identity Management (PIM) is for privileged roles, not general access reviews.

187
Multi-Selecteasy

Your organization needs to meet compliance requirements for GDPR. You need to design a solution that uses Microsoft Purview to classify and protect personal data. Which TWO capabilities should you include?

Select 2 answers
A.Data Subject Requests (DSR) tool
B.Data Classification and labeling
C.eDiscovery (Premium)
D.Insider Risk Management
E.Communication Compliance
AnswersA, B

DSR tool helps manage GDPR data subject requests.

Why this answer

Options A and B are correct. The Data Subject Requests (DSR) tool helps respond to GDPR requests, and Data Classification in Purview helps identify personal data. Option C is wrong because eDiscovery is for legal discovery, not GDPR-specific classification. Option D is wrong because Insider Risk Management is for insider threats, not GDPR. Option E is wrong because Communication Compliance is for communication monitoring.

188
Multi-Selectmedium

Which TWO actions should you take to implement a least-privilege identity security model using Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Create conditional access policies to restrict access based on user, device, and location.
B.Enable Azure AD Identity Governance for guest user access reviews.
C.Use Privileged Identity Management (PIM) for just-in-time role activation.
D.Require multi-factor authentication for all users.
E.Assign global administrator role to all IT staff for simplicity.
AnswersA, C

Conditional access policies enforce context-based access, adhering to least-privilege.

Why this answer

Option A is correct because conditional access policies enforce context-based access controls. Option C is correct because PIM provides just-in-time privileged access. Option B is wrong because guest access reviews are about governance, not least privilege directly. Option D is wrong because MFA is an authentication control, not a least-privilege control. Option E is wrong because permanent global administrator assignment contradicts least privilege.

189
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that collects security events from Azure virtual machines and sends them to Microsoft Sentinel. The solution must minimize cost and management overhead. Which data connector should you use?

A.Windows Security Events via the Log Analytics agent (AMA)
B.Microsoft Defender for Cloud data connector
C.Azure Activity data connector
D.Microsoft Entra ID (Azure AD) data connector
AnswerA

This connector collects security events from VMs efficiently.

Why this answer

Option A is correct because the Windows Security Events connector, using the agent on the Azure Windows (or Linux) VM, is the standard, cost-effective way to collect security events. Option B (Defender for Cloud) requires additional licensing. Option C (Azure Activity) is for subscription-level logs. Option D (Microsoft Entra ID) is for identity logs.

190
Multi-Selectmedium

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. Which TWO features can be used to simulate phishing attacks and train users?

Select 2 answers
A.Campaign simulations
B.Safe Attachments
C.Attack simulation training
D.Safe Links
E.Anti-phish policies
AnswersA, C

Part of attack simulation training.

Why this answer

Options A and C are correct because Attack simulation training in Defender for Office 365 allows you to create simulation campaigns and train users. Option B is wrong because Safe Attachments scans attachments. Option D is wrong because Safe Links protects against malicious URLs in real time. Option E is wrong because Anti-phish policies protect against phishing rather than simulate it.

191
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy appears to block all legacy authentication. However, some users report that they can still access Exchange Online using Outlook 2010 (which uses basic authentication). What is the most likely reason the policy is not blocking these connections?

A.The policy is configured in 'report-only' mode
B.The policy excludes all users in the 'Global Administrators' group
C.The clientAppTypes condition does not include 'mobileAppsAndDesktopClients'
D.The policy state is 'disabled'
AnswerA

Report-only mode logs but does not enforce block actions.

Why this answer

Option A is correct because a policy in 'report-only' mode logs matching sign-ins but does not block them. Although the exhibit shows the state as 'enabled' rather than 'enabledForReportingButNotEnforced', the question states that the policy is not blocking, and the most common reason for that is report-only mode. Option B is wrong because there is no exclusion for specific users. Option C is wrong because 'otherClients' covers Outlook 2010. Option D is wrong because the policy is enabled.

192
Multi-Selecteasy

Which THREE are valid methods to secure privileged access in Microsoft Entra ID? (Choose three.)

Select 3 answers
A.Use privileged access groups to manage elevated access to resources.
B.Require device enrollment via Microsoft Intune.
C.Use Privileged Identity Management (PIM) for just-in-time access.
D.Configure conditional access policies to require MFA for admins.
E.Enable self-service password reset for all users.
AnswersA, C, D

Privileged access groups allow time-based group membership.

Why this answer

Option A is correct because privileged access groups manage group membership elevation. Option C is correct because PIM enables just-in-time access. Option D is correct because conditional access can enforce MFA for admins. Option B is wrong because device enrollment is for device management, not privileged access. Option E is wrong because self-service password reset is for end users.

193
MCQhard

You are designing a security operations solution for a multinational organization using Microsoft Sentinel. The organization has multiple Azure subscriptions, each with its own Log Analytics workspace. You need to centralize incident management while minimizing data egress costs. What should you recommend?

A.Deploy a Sentinel workspace in each region and use cross-workspace views.
B.Export all logs to a third-party SIEM using Azure Event Hubs.
C.Configure Azure Monitor cross-workspace queries to correlate incidents.
D.Use a single Log Analytics workspace for all subscriptions and configure Sentinel in that workspace.
AnswerD

Centralizes incidents and avoids egress costs within the same region.

Why this answer

Option D is correct because using a single workspace for all subscriptions centralizes data and incidents, and Microsoft Sentinel does not charge for cross-workspace querying within the same region. Option A is wrong because separate workspaces per region would not centralize incidents. Option B is wrong because a third-party SIEM adds complexity and cost. Option C is wrong because Azure Monitor cross-workspace queries are for analysis, not incident centralization.

194
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in emails. What should you configure?

A.Anti-malware policy
B.Safe Links policy
C.Anti-phishing policy
D.Safe Attachments policy
AnswerB

Safe Links protects users by scanning and blocking malicious links at the time of click.

Why this answer

Safe Links policy is the correct answer because it specifically protects users from malicious links in emails by scanning URLs at the time of click, checking against Microsoft's threat intelligence, and optionally rewriting links to route clicks through the Safe Links service. This is the dedicated Defender for Office 365 feature designed to mitigate link-based attacks in email messages.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, but Safe Attachments handles file payloads (attachments) while Safe Links handles URL payloads (links) — a common misconception that leads to selecting the wrong policy for link protection.

How to eliminate wrong answers

Option A is wrong because Anti-malware policy focuses on scanning email attachments and messages for malware signatures, not on protecting against malicious links. Option C is wrong because Anti-phishing policy primarily protects against impersonation attacks (e.g., spoofed domains, user impersonation) and does not directly scan or rewrite URLs in emails. Option D is wrong because Safe Attachments policy is designed to detonate and analyze email attachments in a sandbox environment, not to handle hyperlinks within the message body.

195
MCQmedium

Refer to the exhibit. You are troubleshooting a KQL query in Microsoft Sentinel that is supposed to return alerts for ransomware detections in the last day. The query returns no results, but you know there were ransomware alerts. What is the most likely cause?

A.The ThreatFamily field is an integer, not a string.
B.The AlertName filter is too specific and does not match the actual alert name.
C.The TimeGenerated filter uses the wrong time range.
D.The parse_json function is failing due to malformed JSON.
AnswerB

Alert names may have prefixes or variations.

Why this answer

Option B is correct because the query's `AlertName` filter is likely too specific (e.g., using a hardcoded string like 'RansomwareAlert') and does not match the actual alert name generated by Microsoft Sentinel's analytics rules. Ransomware alerts often have dynamic naming conventions that include variant names or suffixes, so an exact match filter fails to return results even though alerts exist. The query otherwise appears syntactically correct, and the `TimeGenerated` filter is set to the last day, which aligns with the known presence of alerts.

Exam trap

The trap here is that candidates assume a simple string comparison will match all alerts of a given category, overlooking that Microsoft Sentinel alert names often include variant-specific suffixes or prefixes, making exact-match filters too restrictive.

How to eliminate wrong answers

Option A is wrong because the `ThreatFamily` field in Microsoft Sentinel's alert schema is a string type, not an integer, and comparing it to a string literal would work correctly; an integer mismatch would cause a type error or implicit conversion, not a silent empty result. Option C is wrong because the `TimeGenerated` filter using `ago(1d)` is a standard and correct way to query the last 24 hours, and if alerts existed within that window, this filter would not suppress them. Option D is wrong because the `parse_json` function failing due to malformed JSON would typically produce an error or null value in the output, not an empty result set, and the query would still return rows with null fields rather than zero rows.

196
MCQmedium

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for ransomware attacks. Which action should you take?

A.Enable the 'Automatically investigate and respond to alerts' feature in Defender for Cloud Apps
B.Configure an automation rule in Microsoft Sentinel
C.Enable 'Automatic attack disruption' in the Microsoft 365 Defender portal
D.Disable 'Automated investigation and response' in Defender for Endpoint
AnswerC

This feature automatically contains assets during active attacks.

Why this answer

Automatic attack disruption is a feature of Microsoft Defender XDR that can be enabled to automatically contain attacks. It is configured in the Microsoft 365 Defender portal under Settings > Endpoints > Advanced features. The other options are not correct: Option D disables automated investigation, which reduces response capability, and Options A and B point to products that do not hold this setting.

197
MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. The policy is not blocking any sign-ins even though there are high-risk users. What is the most likely reason?

A. The signInRiskLevels condition is empty, so no sign-ins match.
B. The policy does not include any users or groups in the conditions.
C. The policy only applies to specific applications, but the exhibit shows 'All'.
D. The grant controls operator should be 'AND' instead of 'OR'.
Answer: B

The JSON lacks a user assignment, so the policy applies to no one.

Why this answer

Option B is correct because the policy's conditions do not specify any users or groups, so the policy is assigned to no one and cannot block any sign-ins. The policy includes user risk levels but no sign-in risk levels; the exhibit shows signInRiskLevels is empty, which is fine in itself. A 'Report-only' state (not shown in the exhibit) could also explain the behaviour, but based on the exhibit the most likely reason is the missing user assignment.

Option A is wrong because an empty signInRiskLevels means no filter is applied, which does not prevent blocking. Option C is wrong because the policy targets all apps, not just specific ones.

198
MCQ · medium

Your company uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed ransomware incident by isolating affected devices and blocking malicious IPs. What should you use?

A. Azure Policy
B. Sentinel automation rules with playbooks
C. Microsoft Defender for Cloud Apps
D. Microsoft Intune
Answer: B

Automation rules trigger playbooks built on Azure Logic Apps, which can execute actions such as isolating devices via Microsoft Defender for Endpoint or blocking IPs via firewalls.

Why this answer

Option B is correct because Microsoft Sentinel automation rules can trigger playbooks (based on Azure Logic Apps) to perform actions like device isolation and IP blocking. Option C is wrong because Microsoft Defender for Cloud Apps is more focused on SaaS app security. Option A is wrong because Azure Policy is for compliance, not automated response.

Option D is wrong because Microsoft Intune supports device management but would require additional orchestration.

199
MCQ · hard

Your organization uses Microsoft Sentinel as its SIEM. You receive a large number of low-severity alerts from various sources, overwhelming the security operations team. You need to design a solution to reduce alert fatigue while ensuring that critical incidents are not missed. The solution should also automatically collect feedback from analysts when they close an incident. What should you implement?

A. Tune analytics rules to generate incidents only for high-fidelity alerts and use automation rules to collect feedback on incident closure
B. Create a separate analytics rule for each severity level
C. Implement a playbook that automatically closes low-severity alerts and collects feedback
D. Increase the severity threshold for all analytics rules
Answer: A

Tuning reduces noise; automation rules can trigger a playbook to collect analyst feedback when an incident is closed.

Why this answer

Option A is correct because Sentinel's analytics rules can be configured to create incidents only for high-fidelity alerts, and automation rules can be used to prompt analysts for feedback when closing incidents. Option D is wrong because simply increasing severity thresholds may miss critical events. Option B is wrong because creating incidents for all alerts would increase fatigue.

Option C is wrong because a playbook for feedback is useful but does not reduce alert volume.

200
Multi-Select · hard

Which THREE conditions can trigger a Microsoft Entra ID Protection user risk policy to require a password change?

Select 3 answers
A. Leaked credentials detected on the dark web.
B. User has not registered for multi-factor authentication.
C. Device is marked as non-compliant by Intune.
D. Impossible travel to atypical locations.
E. Sign-ins from anonymous IP addresses.
Answers: A, D, E

Leaked credentials indicate user compromise.

Why this answer

Option A is correct because Microsoft Entra ID Protection's user risk policy can be triggered by leaked credentials detected on the dark web. When Microsoft's threat intelligence services find a user's credentials exposed in a known data breach, the user's risk level is elevated, and the policy can be configured to require a password change as a remediation action to mitigate the compromised account.

Exam trap

The trap here is that candidates confuse user risk policy triggers (leaked credentials, impossible travel, anonymous IPs) with sign-in risk policy triggers (e.g., atypical travel, unfamiliar sign-in properties) or with unrelated Conditional Access conditions like device compliance or MFA registration.

201
MCQ · hard

Your organization has Microsoft Sentinel. You need to create an analytics rule that detects when a user account is created outside of business hours (9 AM to 5 PM, Monday-Friday). Which KQL query should you use as the rule query?

A. `... | where dayofweek(TimeGenerated) between (1 .. 5) and datetime_part("hour", TimeGenerated) !between (9 .. 17)`
B. `... | where dayofweek(TimeGenerated) between (2 .. 6) and datetime_part("hour", TimeGenerated) !between (9 .. 17)`
C. `... | where dayofweek(TimeGenerated) between (2 .. 6) and datetime_part("hour", TimeGenerated) between (9 .. 17)`
D. `... | where dayofweek(TimeGenerated) !between (2 .. 6) or datetime_part("hour", TimeGenerated) between (9 .. 17)`
Answer: B

Correctly identifies weekdays and outside business hours.

Why this answer

The query must select events whose time falls outside 9 AM to 5 PM on weekdays. The correct condition combines `dayofweek()` to check the day and `datetime_part()` to check the hour. Option B uses the correct logic: dayofweek between 2 and 6 (Monday-Friday) and hour not between 9 and 17.

Option A uses the wrong weekday range; C and D have the wrong hour ranges.

202
MCQ · easy

Your organization has a Microsoft 365 E5 subscription and wants to detect insider data exfiltration attempts. You need to design a solution that can identify users copying sensitive data to personal cloud storage services. Which Microsoft Purview capability should you use?

A. Data Loss Prevention (DLP) policies
B. eDiscovery (Premium)
C. Communication Compliance
D. Insider Risk Management
Answer: D

Insider Risk Management identifies risks like data exfiltration to personal cloud storage.

Why this answer

Option D is correct because Insider Risk Management in Microsoft Purview is designed to detect insider data exfiltration scenarios, including copying data to personal cloud storage. Option A is wrong because Data Loss Prevention (DLP) prevents data from being shared but does not detect exfiltration attempts from user activities. Option C is wrong because Communication Compliance focuses on inappropriate communications.

Option B is wrong because eDiscovery is for legal discovery.

203
MCQ · medium

A company is implementing a zero-trust security model. They need to enforce conditional access policies that require device compliance from Microsoft Intune. However, some users report being blocked when using personal devices that are not enrolled. What is the best approach to allow access while maintaining security?

A. Allow all devices but monitor with Defender for Cloud Apps
B. Require app protection policies via Microsoft Intune
C. Block all non-compliant devices
D. Require device enrollment for all devices
Answer: B

App protection policies protect data without full enrollment.

Why this answer

Option B is correct because Microsoft Intune app protection policies (APP) can enforce data protection and access controls on personal devices without requiring full enrollment. This allows the company to maintain a zero-trust posture by applying conditional access policies that check for app-level compliance, such as requiring a managed browser or blocking copy/paste, while still permitting access from unenrolled personal devices. This approach aligns with the zero-trust principle of 'never trust, always verify' by verifying device health at the application layer rather than the device layer.

Exam trap

The trap here is that candidates often assume device compliance (via Intune enrollment) is the only way to enforce zero-trust access, overlooking that app protection policies can achieve similar security controls on unmanaged devices without requiring full device enrollment.

How to eliminate wrong answers

Option A is wrong because merely monitoring with Defender for Cloud Apps does not enforce any access control; it only provides visibility, leaving the organization vulnerable to non-compliant devices accessing sensitive data. Option C is wrong because blocking all non-compliant devices would deny access to all personal devices, which contradicts the requirement to allow access while maintaining security. Option D is wrong because requiring device enrollment for all devices would force users to enroll personal devices, which is often impractical and violates privacy, and does not address the scenario where users need to use unenrolled personal devices.

204
Multi-Select · hard

Your organization uses Microsoft 365 and wants to implement a data loss prevention (DLP) strategy. You need to ensure that sensitive data is protected both at rest and in transit, and that incidents are automatically reported to the security team. Which THREE actions should you take?

Select 3 answers
A. Deploy Microsoft Intune to control app permissions on mobile devices
B. Implement Conditional Access policies to block external sharing of sensitive data
C. Enable Endpoint DLP for Windows 10/11 devices
D. Configure Microsoft Purview DLP policies for Exchange, SharePoint, and OneDrive
E. Configure DLP incident reports to be sent to the security team via email or Teams
Answers: C, D, E

Endpoint DLP protects data in use on devices and can generate alerts.

Why this answer

Options C, D, and E are correct. DLP policies in Microsoft Purview can scan data in Exchange, SharePoint, and OneDrive (at rest) and in emails (in transit). Endpoint DLP covers data in use on devices.

Incident reports can be sent to the security team. Option A is wrong because Microsoft Intune is for device management, not DLP. Option B is wrong because Conditional Access controls access but does not report DLP incidents.

205
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to identify users who are downloading large amounts of data from a sanctioned cloud app in a short period. What should you configure?

A. Create an anomaly detection policy for impossible travel or unusual activity.
B. Create an app permission policy to block downloads.
C. Create an activity policy to monitor downloads.
D. Create a file policy to detect mass download.
Answer: A

Anomaly detection can detect unusual download patterns.

Why this answer

Option A is correct because anomaly detection policies in Defender for Cloud Apps can detect unusual download activity. Option D is incorrect because file policies are for specific file attributes, not volume. Option B is incorrect because app permission policies are about OAuth apps.

Option C is incorrect because activity policies can be used, but anomaly detection is more specific for this scenario.

206
MCQ · hard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to design a role activation policy that requires approval from a security group for global administrator roles, but allows self-activation for other roles. What is the correct configuration?

A. Create a single PIM policy for all roles with approver group
B. Configure separate PIM settings per role: Global Administrator requires approval, others self-activate
C. Enable just-in-time access in Azure AD Identity Protection
D. Use Azure AD entitlement management with access packages
Answer: B

PIM supports per-role activation settings.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure role-specific activation settings. By creating separate PIM policies per role, you can require approval for the Global Administrator role while allowing self-activation for other roles. This granular control ensures that high-privilege roles have additional oversight, while lower-privilege roles remain agile.

Exam trap

The trap here is that candidates confuse PIM role-specific policies with broader identity governance tools like entitlement management or Identity Protection, failing to recognize that PIM's granular per-role settings are the correct mechanism for mixed approval requirements.

How to eliminate wrong answers

Option A is wrong because a single PIM policy applies uniformly to all roles, making it impossible to require approval for only Global Administrators while allowing self-activation for others. Option C is wrong because Azure AD Identity Protection focuses on risk-based policies for user sign-ins and sessions, not role activation approval workflows. Option D is wrong because Azure AD entitlement management manages access packages and resource access, not the activation approval process for built-in directory roles like Global Administrator.

207
MCQ · easy

A company uses Microsoft Purview to enforce Data Loss Prevention (DLP) policies. They want to prevent users from sharing credit card numbers via email. Which action should they configure in the DLP policy?

A. Audit only.
B. Block with override.
C. Notify only.
D. Block.
Answer: B

Prevents sharing but allows override with justification.

Why this answer

Option B is correct because configuring 'Block with override' allows the DLP policy to block the email containing credit card numbers while permitting users to override the block with a business justification. This balances security with operational flexibility, ensuring sensitive data is not shared without authorization while avoiding unnecessary disruption.

Exam trap

The trap here is that candidates often confuse 'Block' with 'Block with override', assuming that simply blocking is sufficient, but Microsoft Purview DLP policies are designed to support user overrides with justification to avoid business disruption, making 'Block with override' the recommended action for scenarios requiring both security and flexibility.

How to eliminate wrong answers

Option A is wrong because 'Audit only' merely logs the activity without taking any enforcement action, failing to prevent the sharing of credit card numbers. Option C is wrong because 'Notify only' sends an alert to the user but does not block the email, allowing the data to be shared. Option D is wrong because 'Block' completely prevents the email from being sent without any option for override, which can hinder legitimate business needs and is less flexible than 'Block with override'.

208
MCQ · easy

Your company uses Microsoft Purview to protect sensitive data. You need to automatically apply a retention label to documents containing credit card numbers detected in SharePoint Online. What should you configure?

A. Configure a Data Loss Prevention (DLP) policy to apply the label.
B. Create a sensitivity label with auto-labeling for SharePoint.
C. Use a trainable classifier to detect credit card numbers and apply the label.
D. Create an auto-labeling policy for retention labels targeting sensitive info types.
Answer: D

Auto-labeling policies can automatically apply retention labels based on sensitive info types.

Why this answer

Option D is correct because auto-labeling policies in Microsoft Purview can automatically apply retention labels to documents based on sensitive info types, such as credit card numbers. This allows you to enforce retention rules without manual intervention, directly targeting the detected sensitive data in SharePoint Online.

Exam trap

The trap here is that candidates confuse retention labels with sensitivity labels, or assume DLP policies can apply retention labels directly, when in fact DLP applies sensitivity labels and auto-labeling policies are the correct mechanism for retention labels.

How to eliminate wrong answers

Option A is wrong because DLP policies are designed to prevent data loss by blocking or alerting on sensitive data, not to apply retention labels; they can apply sensitivity labels but not retention labels. Option B is wrong because sensitivity labels with auto-labeling are for classification and protection (e.g., encryption), not for retention; retention labels are a separate concept in Purview. Option C is wrong because trainable classifiers are used to identify content based on patterns or machine learning, but they do not directly apply retention labels; they can be used in auto-labeling policies, but the policy itself must be configured for retention labels targeting sensitive info types.

209
MCQ · hard

Your organization plans to use Microsoft Sentinel and Microsoft Defender XDR to manage security incidents. You need to design a solution that ensures all Defender for Cloud Apps alerts are automatically synchronized to Microsoft Sentinel as incidents with the least administrative effort. What should you configure?

A. Enable the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel.
B. Create a custom Azure Function that polls the Defender for Cloud Apps API and sends alerts to Sentinel via a custom Log Analytics table.
C. Enable the Microsoft Entra ID (Azure AD) data connector in Microsoft Sentinel.
D. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel and set incident creation to 'All alerts'.
Answer: D

This is the simplest and most efficient method; it automatically synchronizes all Defender alerts as incidents.

Why this answer

Option D is correct because enabling the Microsoft Defender XDR connector in Sentinel automatically ingests alerts from all Defender workloads, including Defender for Cloud Apps, and creates incidents. Option B (custom Azure Function polling the API) is not minimal effort. Option A (Defender for Cloud Apps connector) is legacy and duplicates effort.

Option C (Azure AD connector) does not include Defender for Cloud Apps alerts.

210
MCQ · medium

A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?

A. Create a sensitivity label and apply it to emails
B. Enable communication compliance policies
C. Create a DLP policy that detects and blocks credit card numbers in Exchange Online
D. Configure a retention policy for email
Answer: C

DLP policies in Microsoft Purview can detect sensitive info types like credit card numbers and block sharing via email.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be configured to detect sensitive data types, such as credit card numbers, in Exchange Online emails. When a DLP policy is created with a rule that identifies credit card numbers and blocks the email from being sent, it directly prevents users from sharing that data via email. This is the native mechanism for enforcing DLP on email traffic in Microsoft 365.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify data) with DLP policies (which enforce actions on data in motion), leading them to select Option A instead of the correct DLP policy.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used to classify and protect data based on sensitivity, but they do not inherently detect or block specific sensitive information like credit card numbers in transit; they require manual or automatic labeling and rely on other controls (like DLP) for enforcement. Option B is wrong because communication compliance policies are designed to detect and remediate inappropriate or policy-violating communications (e.g., harassment, insider trading), not to block the sharing of specific sensitive data patterns like credit card numbers. Option D is wrong because retention policies control how long data is kept or deleted, not how data is shared or blocked in real-time; they have no effect on preventing the transmission of credit card numbers via email.

211
Multi-Select · medium

A company uses Microsoft Purview to classify and label sensitive data. They want to automatically apply a sensitivity label to documents containing a specific custom sensitive information type. Which TWO components are required for this?

Select 2 answers
A. Data loss prevention (DLP) policy
B. Retention label
C. Custom sensitive information type
D. Auto-labeling policy
E. Trainable classifier
Answers: C, D

Custom types define the pattern to match.

Why this answer

Option C is correct because a custom sensitive information type defines the specific data pattern (e.g., a proprietary employee ID format) that Microsoft Purview can detect in documents. Option D is correct because an auto-labeling policy uses that custom sensitive information type as a condition to automatically apply a sensitivity label to matching content, without requiring user intervention.

Exam trap

The trap here is that candidates often confuse the role of a DLP policy (which enforces actions like blocking) with an auto-labeling policy (which applies labels), or they mistakenly think a trainable classifier is needed when a custom sensitive information type already provides deterministic pattern matching.

212
MCQ · easy

Your organization uses Microsoft Defender XDR to detect and respond to threats. The SOC team wants to automatically isolate a device when a high-severity incident is confirmed. Which automation feature should you configure?

A. Microsoft Defender for Office 365 Safe Attachments policy
B. Automated investigation and response (AIR)
C. Manual device isolation from Microsoft 365 Defender portal
D. Microsoft Defender for Endpoint's endpoint detection and response (EDR)
Answer: B

AIR can automatically isolate devices based on incident severity.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR is designed to automatically respond to confirmed high-severity incidents, including isolating devices, without manual intervention. This feature leverages playbooks and machine learning to contain threats rapidly, aligning with the SOC's requirement for automatic isolation upon incident confirmation.

Exam trap

The trap here is that candidates confuse EDR's detection capabilities with automated response, forgetting that AIR is the specific feature that orchestrates and executes automatic containment actions like device isolation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 Safe Attachments policy is an email security feature that scans attachments for malware, not a device isolation mechanism. Option C is wrong because manual device isolation from the Microsoft 365 Defender portal requires human action, contradicting the requirement for automatic isolation. Option D is wrong because Microsoft Defender for Endpoint's endpoint detection and response (EDR) provides detection and investigation capabilities but does not include automated response actions like device isolation; that is handled by AIR.

213
MCQ · hard

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to access email using Outlook (modern auth). What is the most likely reason?

A. The policy does not include 'Microsoft Office 365' in applications
B. The clientAppTypes list does not include 'modernAuth'
C. The grant control should be 'require MFA' instead of 'block'
D. The policy state is set to 'enabled' incorrectly
Answer: B

Modern Outlook uses modernAuth client app type, which is not blocked.

Why this answer

Option B is correct because the 'clientAppTypes' list in the Conditional Access policy must include 'modernAuth' to explicitly target and block modern authentication clients. Without this entry, the policy only applies to legacy authentication protocols (e.g., POP, IMAP, SMTP), leaving modern auth flows (like Outlook using OAuth 2.0) unaffected. The JSON snippet shows 'clientAppTypes': ['exchangeActiveSync', 'other'], which omits 'modernAuth', so Outlook (modern auth) bypasses the block.

Exam trap

The trap here is that candidates assume a 'block' policy on legacy authentication implicitly blocks modern auth, but Conditional Access requires explicit inclusion of 'modernAuth' in clientAppTypes to affect modern authentication clients.

How to eliminate wrong answers

Option A is wrong because 'Microsoft Office 365' is a cloud app that includes Exchange Online, and the policy's 'applications' field likely already includes it (or the policy is scoped to 'All cloud apps'), so missing it is not the issue. Option C is wrong because the grant control 'block' is correct for blocking access; 'require MFA' would allow access after MFA, not block legacy auth. Option D is wrong because the policy state being 'enabled' is correct for an active policy; setting it to 'disabled' would make the policy ineffective, but the issue is misconfiguration, not the enabled state.

214
Multi-Select · hard

Your organization is designing a Zero Trust architecture using Microsoft 365 security features. You need to ensure that all access requests are verified and least-privilege principles are applied. Which TWO capabilities should you implement?

Select 2 answers
A. Privileged Identity Management (PIM)
B. Microsoft Defender for Cloud Apps
C. Microsoft Entra ID
D. Microsoft Purview
E. Conditional Access
Answers: A, E

PIM enforces least-privilege with just-in-time access.

Why this answer

Options A and E are correct. Conditional Access verifies access requests based on conditions, and Privileged Identity Management (PIM) provides just-in-time access for least privilege. Option C is wrong because Microsoft Entra ID is the identity provider, not a specific verification mechanism.

Option B is wrong because Microsoft Defender for Cloud Apps is a CASB, not primarily for identity verification. Option D is wrong because Microsoft Purview is for data governance.

215
MCQ · medium

A company is implementing Microsoft Purview Compliance Manager to manage compliance activities. They need to assign a specific control action to a compliance officer. Which role should be assigned to the user in Purview Compliance Manager?

A. Security Operator
B. Compliance Manager
C. Global Administrator
D. Compliance Administrator
Answer: B

Specifically allows users to manage compliance assessments and control actions.

Why this answer

The Compliance Manager role provides permissions to manage compliance assessments and actions. The other roles do not have the necessary permissions to assign control actions within Compliance Manager.

216
MCQ · easy

Your organization wants to enforce that all users authenticate using the Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary method?

A. FIDO2 security keys
B. Email one-time passcode
C. Microsoft Authenticator passwordless phone sign-in
D. SMS-based verification
Answer: C

Authenticator app provides passwordless sign-in.

Why this answer

The question requires that all users authenticate using the Microsoft Authenticator app. The Microsoft Authenticator passwordless phone sign-in (option C) is the only method that both uses the Microsoft Authenticator app and provides a passwordless primary authentication experience. This method leverages FIDO2-based key attestation within the app, allowing users to sign in with a biometric or PIN gesture without entering a password.

Exam trap

The trap here is that candidates often confuse the Microsoft Authenticator app's TOTP mode (which requires a password) with its passwordless phone sign-in mode, leading them to incorrectly select SMS or email OTP as primary methods when the question explicitly mandates the Authenticator app as the sole authentication method.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware-based external devices, not the Microsoft Authenticator app, and while they support passwordless authentication, they do not meet the requirement of using the Authenticator app. Option B is wrong because Email one-time passcode is a passwordless method for users without a strong authentication method, but it does not use the Microsoft Authenticator app and is typically used as a fallback for unregistered users. Option D is wrong because SMS-based verification is a legacy multi-factor authentication method that requires a password first and does not use the Microsoft Authenticator app; it also does not support passwordless primary authentication.

217
Multi-Select · easy

Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)

Select 2 answers
A. Power BI
B. SharePoint Online
C. Azure SQL Database
D. OneDrive for Business
E. Azure Blob Storage
Answers: B, D

SharePoint is a key source for sensitive documents.

Why this answer

Options B and D are correct because Microsoft Purview Data Map can scan SharePoint Online and OneDrive for Business for sensitive data. Option C (Azure SQL Database) is not a Microsoft 365 service. Option E (Azure Blob Storage) is not Microsoft 365 either.

Option A (Power BI) is a Microsoft 365 service, but it is not typically scanned for sensitive data classification in the same way; it can be included, but the question asks for data across Microsoft 365 services, and SharePoint and OneDrive are the primary sources.

218
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?

A. Enable the Azure AD Identity Protection connector in Microsoft Sentinel to ingest sign-in and user risk alerts.
B. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel and ensure the 'Create incidents' toggle is enabled.
C. Configure a scheduled analytics rule in Microsoft Sentinel that runs every hour and queries the Defender for Endpoint logs via API.
D. Create a custom Azure Logic App that queries the Microsoft Defender for Endpoint APIs and pushes alerts to a custom log table in Log Analytics.
Answer: B

This connector automatically ingests alerts and creates incidents with low latency and minimal effort.

Why this answer

Option B is correct because Microsoft Sentinel has a built-in data connector for Microsoft Defender XDR that enables automatic incident creation with low latency and minimal configuration. Option D (custom Logic App) would add latency and complexity. Option C (hourly scheduled query via API) would not be automatic.

Option A (Azure AD Identity Protection) is for identity-based alerts, not device alerts.

219
MCQ · easy

Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?

A. DNS connector
B. Office 365 connector
C. Microsoft Defender for Cloud connector
D. Azure Activity connector
Answer: C

Directly ingests alerts and recommendations from Defender for Cloud.

Why this answer

The Microsoft Defender for Cloud connector (formerly Azure Security Center) is specifically designed to ingest alerts and recommendations from Defender for Cloud into Sentinel. The other options are unrelated: Office 365 connector ingests Office logs, Azure Activity logs track Azure resource operations, and DNS connector ingests DNS queries.

220
Multi-Select · hard

Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)

Select 2 answers
A. UEBA
B. Workbooks
C. Analytics rules
D. Data connectors
E. Playbooks
Answers: C, D

Define detection logic for threats.

Why this answer

Data connectors ingest logs from various sources, and analytics rules detect threats. Playbooks automate response, but are not essential for detection. Workbooks visualize data, and UEBA enriches analytics but is not a separate essential component.

221
Multi-Select (medium)

An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)

Select 3 answers
A. Microsoft Defender for Identity
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Defender for Office 365
E. Microsoft Intune
Answers: A, B, D

Identity-based threat signals.

Why this answer

Microsoft Defender XDR ingests signals from Microsoft Defender for Identity to correlate on-premises Active Directory activity with cloud-based threats. This integration allows Defender XDR to detect identity-based attacks like Kerberoasting or pass-the-hash by analyzing domain controller logs and authentication events. Microsoft Defender for Endpoint and Microsoft Defender for Office 365 supply the device and email signals that Defender XDR correlates alongside those identity signals, which is why options B and D are also correct.

Exam trap

The trap here is that candidates often mistake Microsoft Sentinel for a data source of Defender XDR, when in reality Sentinel is a SIEM that consumes data from Defender XDR, not the reverse.

222
MCQ (easy)

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?

A. Enable security defaults for all users
B. Enable per-user MFA and exclude the finance department
C. Use Microsoft Entra Identity Protection to require MFA based on risk
D. Create a Conditional Access policy that requires MFA for all cloud apps except the legacy app
Answer: D

Conditional Access policy can be scoped to exclude specific applications, allowing the finance department to access the legacy app without MFA.

Why this answer

Option D is correct because Conditional Access policies allow granular control, including exemption for specific applications. Option A is wrong because security defaults would apply MFA to all users and apps with no exemption. Option B is wrong because per-user MFA is outdated and does not offer app-based exemptions.

Option C is wrong because Identity Protection is for risk-based policies, not app exemptions.

223
MCQ (medium)

Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?

A. Use a watchlist to store known phishing senders.
B. Create an automation rule that runs a playbook when an incident is created.
C. Enable UEBA to detect anomalous email behavior.
D. Create an analytics rule that queries user-reported phishing data.
Answer: B

Automation rules trigger playbooks on incident creation, which can then block the sender via Exchange Online actions.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can trigger playbooks when an incident is created. Option D is wrong because analytics rules create incidents from data, not from existing incidents. Option A is wrong because watchlists are for reference data, not automation.

Option C is wrong because UEBA is for user behavior analytics.

224
MCQ (hard)

A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?

A. Tag the user as suspicious using an app tag.
B. Create a file policy that triggers when a user downloads many files.
C. Create a session policy that blocks the user's session based on the anomaly.
D. Create an OAuth app policy to revoke permissions.
Answer: C

Session policies provide real-time access control and can block sessions.

Why this answer

Option C is correct because session policies enforce real-time controls and can block access. Option B is wrong because file policies control data at rest, not access. Option A is wrong because app tags categorize apps.

Option D is wrong because OAuth app policies manage third-party app permissions.

225
MCQ (medium)

Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?

A. The EventID 4625 may not cover all authentication failures
B. The query lacks a time filter
C. The 'IPAddress' field does not exist in SecurityEvent
D. The 'count()' aggregation is incorrect
Answer: A

Some authentication failures use other EventIDs.

Why this answer

EventID 4625 in Windows Security logs specifically records failed logon attempts, but brute-force attacks may target other authentication protocols (e.g., RDP, SMB, or network-level authentication) that generate different EventIDs (such as 4648, 4776, or 5156). Additionally, some brute-force attempts might be blocked at the network layer or use non-Windows authentication methods, so relying solely on EventID 4625 will miss those events. Therefore, the query returns no results because it does not capture all authentication failure scenarios.

Exam trap

Microsoft often tests the misconception that a single EventID (like 4625) covers all authentication failures, when in reality different protocols and authentication methods generate distinct EventIDs, and candidates must consider the broader log source landscape.

How to eliminate wrong answers

Option B is wrong because the absence of a time filter would cause the query to return results from all available data, not zero results; a missing time filter might cause performance issues or overly broad results, but it would not suppress known brute-force attempts. Option C is wrong because if the 'IPAddress' field did not exist in the SecurityEvent table, the query would fail with a schema error or return no results for that field, but the question states the query returns no results at all, implying the field exists but the filter is too narrow. Option D is wrong because the 'count()' aggregation is syntactically correct and commonly used in KQL to count events; an incorrect aggregation would cause a syntax error or unexpected counts, but it would not cause the query to return zero results for known brute-force attempts.
