Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 175

1411 questions total · 19 pages · All types, answers revealed

Page 1 of 19
1
MCQhard

A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?

A.The customer
B.Microsoft
C.Both the customer and Microsoft equally
D.Neither – physical security is no longer needed in the cloud
AnswerB

For IaaS, Microsoft is responsible for the physical data center, including physical security, hardware maintenance, and network infrastructure. This is a core tenet of the shared responsibility model.

Why this answer

Under the shared responsibility model, Microsoft is responsible for the physical security of its Azure data centers, including access controls, surveillance, and environmental safeguards. The customer is responsible for securing the virtual machine's operating system, applications, and data, but not the physical infrastructure. Therefore, Microsoft retains responsibility for physical security even when the customer manages the guest OS and application.

Exam trap

The trap here is that candidates mistakenly think the customer is responsible for all security when they manage the OS and application, but physical security always remains the provider's responsibility under the shared responsibility model.

How to eliminate wrong answers

Option A is wrong because the customer is responsible for securing the OS, applications, and data on the VM, not the physical data center infrastructure. Option C is wrong because physical security is not shared equally; Microsoft retains sole responsibility for the physical data center, while the customer manages the virtualized components. Option D is wrong because physical security remains essential in cloud data centers; it is handled by the provider (Microsoft) rather than being eliminated.

2
Multi-Selecteasy

Which TWO scenarios are addressed by Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A.Detecting leaked credentials on the dark web
B.Reviewing group membership assignments
C.Enforcing device compliance policies
D.Resetting forgotten passwords
E.Blocking sign-ins from anonymous IP addresses
AnswersA, E

ID Protection monitors for credential leaks.

Why this answer

Microsoft Entra ID Protection uses machine learning and heuristic algorithms to detect leaked credentials by monitoring known credential dumps on the dark web. When a user's credentials appear in a breach, ID Protection can automatically force a password reset or block sign-ins to mitigate risk. This is a core risk detection capability within the Identity Protection service.

Exam trap

The trap here is confusing Identity Protection's risk detection and remediation capabilities with other Microsoft Entra features like SSPR, access reviews, or device compliance, leading candidates to select options that are not part of the Identity Protection service.

3
MCQmedium

A company uses Microsoft 365 and wants to protect its users from malicious links and attachments in email, as well as phishing attacks. Which Microsoft security solution is specifically designed for email and collaboration protection?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Defender for Office 365 safeguards Microsoft 365 email, Teams, and SharePoint from threats like phishing, malicious links, and attachments.

Why this answer

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) is the dedicated security solution for email and collaboration workloads. It provides protection against malicious links (Safe Links), malicious attachments (Safe Attachments), and anti-phishing policies specifically for Exchange Online, SharePoint, OneDrive, and Teams. This directly matches the question's requirement for email and collaboration protection.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Endpoint (device protection) with Microsoft Defender for Office 365 (email and collaboration protection), because both names start with 'Microsoft Defender' and both involve threat detection, but they protect completely different attack surfaces.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is designed for endpoint devices (Windows, macOS, Linux, Android, iOS) and focuses on preventing, detecting, and responding to threats on those devices, not on email or collaboration content. Option C is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, data loss prevention, and threat protection for cloud applications (e.g., Shadow IT discovery), not specifically for email and collaboration protection. Option D is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that uses signals to detect advanced attacks like Pass-the-Hash and Kerberos Golden Ticket attacks, not email or collaboration threats.

4
MCQmedium

Your organization uses Microsoft Purview to classify data. You need to automatically apply a 'Confidential' label to documents that contain salary information. Which type of sensitivity label configuration should you use?

A.Manual labeling
B.Auto-labeling with sensitive information types
C.Default labeling for SharePoint libraries
D.Mandatory labeling policy
AnswerB

Auto-labeling can detect salary information and apply labels automatically.

Why this answer

Option B is correct because auto-labeling rules can automatically apply labels based on sensitive information types. Option A is wrong because manual labeling requires user action. Option C is wrong because default labeling applies to new documents but not based on content.

Option D is wrong because mandatory labeling requires users to label but does not auto-apply.

5
MCQmedium

A company has been fined for failing to respond to a data subject access request (DSAR) within the required timeframe. The compliance team needs to streamline the process of identifying and exporting personal data when a DSAR is received. Which Microsoft Purview solution should they use?

A.Microsoft Purview Compliance Manager
B.Microsoft Purview Communication Compliance
C.Microsoft Purview eDiscovery (Premium)
D.Microsoft Purview Data Lifecycle Management
AnswerC

eDiscovery (Premium) is designed for legal and regulatory requests, including DSARs.

Why this answer

Microsoft Purview eDiscovery (Premium) provides advanced search, hold, and export capabilities for responding to DSARs. Data Lifecycle Management handles retention. Communication Compliance monitors communications.

Compliance Manager assesses compliance posture but does not handle DSAR workflows.

6
Multi-Selecteasy

Which TWO capabilities are provided by Microsoft Entra External ID? (Choose two.)

Select 2 answers
A.Support for social identity providers like Google
B.Mobile device management
C.Collaboration with external users from partner organizations
D.On-premises server monitoring
E.Identity risk detection
AnswersA, C

Supports Google, Facebook, etc.

Why this answer

Options A and C are correct. External ID allows collaboration with users from other organizations and supports various identity providers. Option B is wrong because device management is Intune.

Option E is wrong because risk detection is Identity Protection.

7
MCQhard

You are a security administrator for Contoso Ltd., which uses Microsoft 365 E5. The company has 10,000 users and uses Microsoft Entra ID for identity. The security team has noticed an increase in sign-in attempts from anonymous IP addresses and from locations outside the company's home country. They want to implement a solution that automatically blocks sign-ins from anonymous IP addresses and requires MFA for sign-ins from outside the home country. They also want to ensure that if a user's risk level is high, they are forced to change their password. The solution must use Microsoft Entra ID Protection and Conditional Access. You have already configured a Conditional Access policy to require MFA for all users. Which of the following is the most efficient way to meet all requirements with minimal administrative overhead?

A.Configure Identity Protection sign-in risk policy to block anonymous IP addresses, user risk policy to require password change for high-risk users, and create a Conditional Access policy to require MFA for sign-ins from outside the home country.
B.Create a single Conditional Access policy that blocks anonymous IP addresses, requires MFA based on location, and forces password change for high-risk users.
C.Configure Identity Protection to block anonymous IP addresses and require password change for high-risk users. Use Conditional Access to block sign-ins from outside the home country.
D.Configure Identity Protection to block anonymous IP addresses and require password change for high-risk users. Use Conditional Access to require MFA for all users.
AnswerA

This meets all requirements: anonymous IP blocked via risk policy, password change via user risk policy, location-based MFA via Conditional Access.

Why this answer

Correct: A. Using Identity Protection's risk policies for anonymous IP and high risk, plus a Conditional Access policy for location-based MFA, is efficient. Option B: combining everything in one Conditional Access policy is not possible because Conditional Access cannot detect anonymous IP addresses on its own (Identity Protection does).

Option C: uses Conditional Access to block sign-ins from outside the home country instead of requiring MFA, so the location-based MFA requirement is not met. Option D: missing the location-based MFA requirement.

8
MCQhard

A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?

A.Applying operating system patches to the virtual machines running the App Service
B.Configuring network security groups to filter traffic to the App Service
C.Managing the application code and its configuration
D.Ensuring physical security of the Azure data centers
AnswerC

Correct. The customer is responsible for securing their application, including code, configuration, authentication, and data handling within the app.

Why this answer

In the shared responsibility model for PaaS like Azure App Service, the customer is responsible for managing the application code and its configuration, including secrets, connection strings, and authentication settings. Microsoft manages the underlying platform, including the OS and runtime, so the customer's scope is limited to what they deploy and configure within the service.

Exam trap

The trap here is that candidates confuse PaaS with IaaS and assume they must manage OS patches or NSGs, but in PaaS, those are abstracted and Microsoft's responsibility, while the customer's focus is on application-level security.

How to eliminate wrong answers

Option A is wrong because applying OS patches to the virtual machines running App Service is Microsoft's responsibility, as the platform is abstracted and the customer has no direct access to the underlying VMs. Option B is wrong because configuring network security groups (NSGs) is not applicable to App Service; traffic filtering is done via App Service access restrictions or Azure Front Door/WAF, not NSGs, which are for IaaS VNets. Option D is wrong because ensuring physical security of Azure data centers is entirely Microsoft's responsibility under the shared model, never the customer's.

9
MCQmedium

A financial services company needs to monitor employee communications in Microsoft Teams and Exchange Online for potential policy violations, such as sharing insider trading tips. They want to automatically detect specific keywords and phrases, and then allow designated reviewers to flag and escalate the messages. Which Microsoft Purview solution should they use?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Information Barriers
D.Microsoft Purview eDiscovery
AnswerA

Correct. Communication Compliance is designed to monitor and review communications for policy violations, such as insider trading, using customizable policies and automated detection.

Why this answer

Microsoft Purview Communication Compliance is the correct solution because it is specifically designed to detect policy violations in communications like Microsoft Teams chats and Exchange Online emails. It uses customizable policies to automatically scan for sensitive keywords and phrases (e.g., insider trading terms), and then routes flagged messages to designated reviewers for investigation, flagging, and escalation. This aligns directly with the requirement to monitor employee communications for policy violations and enable reviewer workflows.

Exam trap

The trap here is that candidates often confuse Communication Compliance with eDiscovery, assuming eDiscovery can proactively monitor and flag messages, but eDiscovery is reactive and designed for legal holds and searches, not real-time policy violation detection and review workflows.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Lifecycle Management focuses on retaining, deleting, and managing data based on lifecycle policies, not on monitoring communications for policy violations or keyword detection. Option C is wrong because Microsoft Purview Information Barriers are used to prevent communication and collaboration between specific groups (e.g., to avoid conflicts of interest), but they do not scan for keywords or provide a review workflow for policy violations. Option D is wrong because Microsoft Purview eDiscovery is designed for legal discovery and litigation support, allowing search and export of content, but it does not proactively monitor communications in real-time or automatically flag policy violations for review.

10
MCQmedium

A company uses Microsoft Entra ID. The security team wants to configure automated actions when user sign-ins are detected as high risk due to anonymized IP addresses or leaked credentials. They need to automatically block the sign-in or force a password change based on risk level. Which Microsoft Entra ID feature should they use?

A.Privileged Identity Management
B.Identity Protection
C.Azure AD Connect
D.Self-service password reset
AnswerB

Identity Protection detects risks like leaked credentials and anonymized IP addresses, and can automatically block sign-ins or require password reset through risk-based policies.

Why this answer

Microsoft Entra ID Protection is the correct feature because it automates the detection and remediation of identity-based risks, including sign-ins from anonymized IP addresses and leaked credentials. It allows administrators to configure conditional access policies that automatically block high-risk sign-ins or force a password change based on the risk level (e.g., low, medium, high). This directly matches the security team's requirement for automated actions tied to risk detection.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based automation with Privileged Identity Management's role-based controls, mistakenly thinking PIM handles all security automation for identities.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation, access reviews, and approval workflows—not on detecting or responding to sign-in risks like anonymized IPs or leaked credentials. Option C is wrong because Azure AD Connect is a tool for synchronizing on-premises Active Directory identities to Microsoft Entra ID; it has no capability to evaluate sign-in risk or enforce automated remediation actions. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords but does not automatically trigger a password change based on risk detection; it requires manual initiation and lacks the risk-based automation described.

11
MCQmedium

Your company is implementing a new application that requires users to authenticate using Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) for all users accessing this application, but only when they are connecting from an untrusted network. Which conditional access policy should you configure?

A.Session control: 'Use app enforced restrictions' to block access from untrusted networks.
B.Grant control: 'Require multifactor authentication' with a condition on 'Locations' set to 'All trusted locations' as exclusion.
C.Assignments: 'Users and groups' including all users, then grant control: 'Require multifactor authentication' without conditions.
D.Grant control: 'Require device to be marked as compliant' with a condition on 'Client apps'.
AnswerB

This correctly targets untrusted networks by requiring MFA for all locations except trusted ones.

Why this answer

Option B is correct because it configures a Conditional Access policy that grants access only when MFA is performed, and excludes trusted network locations. This ensures that MFA is enforced only when users connect from untrusted networks, meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse 'Grant control' with 'Session control' or overlook the need to exclude trusted locations, leading them to select an option that either enforces MFA everywhere or uses an inappropriate control like device compliance.

How to eliminate wrong answers

Option A is wrong because session control 'Use app enforced restrictions' does not enforce MFA; it relies on the application itself to enforce restrictions, which is not the same as requiring MFA via Conditional Access. Option C is wrong because it requires MFA for all access attempts without any location condition, which would enforce MFA even from trusted networks, violating the requirement to only enforce MFA from untrusted networks. Option D is wrong because it requires device compliance rather than MFA, and the condition on 'Client apps' does not address the location-based requirement for MFA enforcement.

12
MCQmedium

A company uses Microsoft 365 and needs to identify and protect sensitive data, such as credit card numbers, stored in SharePoint Online and OneDrive for Business. They also want to prevent users from sharing this data externally. Which Microsoft Purview solution should they use?

A.Data Loss Prevention (DLP)
B.Data Lifecycle Management (DLM)
C.Information Protection (sensitivity labels)
D.Audit (Standard)
AnswerA

Correct. DLP policies can identify sensitive data such as credit card numbers and automatically block actions like sharing externally. It also provides policy tips to educate users.

Why this answer

Data Loss Prevention (DLP) in Microsoft Purview is the correct solution because it is specifically designed to identify, monitor, and automatically protect sensitive data like credit card numbers (using built-in sensitive information types such as Credit Card Number) across Microsoft 365 services, including SharePoint Online and OneDrive for Business. DLP policies can enforce rules to block or restrict external sharing of such data, directly meeting the requirement to prevent users from sharing sensitive data externally.

Exam trap

The trap here is that candidates often confuse Information Protection (sensitivity labels) with DLP, assuming labels alone can prevent external sharing, but labels require DLP policies to enforce sharing restrictions based on the label's classification.

How to eliminate wrong answers

Option B (Data Lifecycle Management) is wrong because it focuses on retaining, deleting, or archiving data based on lifecycle policies (e.g., retention tags, expiration dates), not on identifying or preventing the sharing of sensitive content. Option C (Information Protection with sensitivity labels) is wrong because while sensitivity labels can classify and protect data with encryption or visual markings, they do not natively include the ability to scan for specific data patterns like credit card numbers or enforce external sharing blocks without being combined with DLP policies. Option D (Audit Standard) is wrong because it only provides logging and visibility into user activities (e.g., who accessed or shared a file), but does not actively identify sensitive data or prevent sharing.

13
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. You discover that a user is accessing a sanctioned app from an unmanaged device. You need to ensure that when users access this app from unmanaged devices, they are prompted for additional authentication and their session is monitored. What should you configure?

A.Enable Microsoft Entra ID Identity Protection and configure a sign-in risk policy.
B.Create a Conditional Access policy that requires device compliance and block access for non-compliant devices.
C.Create a session policy in Microsoft Defender for Cloud Apps that blocks downloads for all devices.
D.Create a Conditional Access policy that uses the 'Require session control' grant and target 'All cloud apps' and 'Unmanaged devices' as conditions.
AnswerD

This redirects the session to Defender for Cloud Apps for monitoring and control.

Why this answer

Option D is correct because you need to use a Conditional Access policy with the 'Require session control' grant, targeting 'All cloud apps' and 'Unmanaged devices' as conditions. This integrates with Microsoft Defender for Cloud Apps to enforce additional authentication (via Microsoft Entra ID) and enable session monitoring, such as real-time activity logging and download blocking, for the sanctioned app when accessed from unmanaged devices.

Exam trap

The trap here is confusing session control (which allows conditional access with monitoring) with device compliance policies (which block or allow based on device state) or Identity Protection (which focuses on risk-based sign-in detection).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection's sign-in risk policy detects risky sign-ins (e.g., anonymous IP addresses) but does not specifically target unmanaged devices or provide session monitoring for cloud apps. Option B is wrong because requiring device compliance and blocking non-compliant devices would deny access entirely, not prompt for additional authentication and monitor the session as required. Option C is wrong because a session policy in Defender for Cloud Apps that blocks downloads for all devices does not enforce additional authentication or session monitoring for unmanaged devices specifically; it only restricts a single action (downloads) globally.

14
MCQhard

Your organization uses Microsoft Entra ID. You need to allow external users from a specific partner tenant to access a single internal application, but only after they provide a phone number for verification. What should you configure?

A.Cross-tenant access settings for the partner tenant
B.B2B collaboration invitation settings
C.Conditional Access policy for the application
D.Identity Protection policy
AnswerA

Cross-tenant access settings allow you to trust MFA from the partner tenant and enforce requirements.

Why this answer

Cross-tenant access settings allow you to trust MFA and device compliance from external tenants. By configuring inbound access settings, you can require that the partner tenant's users meet your MFA requirements (phone verification). Option B is incorrect because B2B collaboration settings control invitation, not authentication requirements.

Option C is incorrect because Conditional Access policies apply to your tenant but cannot directly enforce MFA on external users without cross-tenant trust. Option D is incorrect because identity protection is for risk detection, not MFA enforcement.

15
MCQhard

Refer to the exhibit. You are a security administrator for a company using Azure Virtual Network Manager. You have deployed the security admin configuration shown. What is the impact of this rule?

A.It blocks inbound SMB traffic from the internet to the subnet.
B.It blocks outbound traffic from the subnet to the internet.
C.It denies all traffic from the internet to the subnet.
D.It blocks inbound RDP traffic from the internet.
AnswerA

SMB uses port 445; the rule denies internet-to-subnet traffic on that port.

Why this answer

The rule denies inbound TCP traffic on port 445 (SMB) from the Internet to the subnet 10.0.0.0/24. This blocks external SMB access, preventing common ransomware propagation. Option D is incorrect because port 445 is SMB, not RDP (3389).

Option B is incorrect because the direction is inbound, not outbound. Option C is incorrect because the rule denies traffic only on port 445, not on all ports.

16
MCQmedium

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all storage accounts have soft delete enabled to protect against accidental deletion. Which policy should you implement?

A.Azure Blueprints
B.Azure Policy with a built-in policy for storage accounts
C.Azure role-based access control (RBAC)
D.Defender for Cloud security recommendations
AnswerB

Azure Policy can enforce soft delete configuration on storage accounts.

Why this answer

Option B is correct because Azure Policy can audit or enforce configurations on resources, including enabling soft delete on storage accounts. Option D is wrong because Defender for Cloud recommendations suggest actions but do not enforce them automatically. Option C is wrong because Azure RBAC controls permissions, not configurations.

Option A is wrong because Azure Blueprints package resources but do not enforce individual settings.

17
MCQmedium

Refer to the exhibit. You run the PowerShell command to search the unified audit log for file deletions. The command returns no results, but you know a file was deleted last week. What is the most likely reason?

A.The operation name 'FileDeleted' is incorrect
B.Audit logging is not enabled for the organization
C.Audit logs are only retained for 90 days
D.The StartDate and EndDate are incorrect
AnswerB

If audit logging is not enabled, no audit records are captured.

Why this answer

Option B is correct because the unified audit log only contains records if audit logging is enabled for the organization. If it is not enabled, no audit records are captured, so the search returns nothing even though a file was deleted. FileDeleted is a valid operation name, and Audit (Standard) retains records for 90 days, so neither the command nor retention explains the empty result.

Option A is wrong because FileDeleted is a valid operation name. Option C is wrong because a deletion 7 days ago is within the 90-day retention period. Option D is wrong because the command's date range is correct.

18
MCQhard

A company uses Microsoft Purview to classify and label data. The compliance team needs to automatically apply a 'Highly Confidential' sensitivity label to any document containing a passport number that is stored in SharePoint Online. The label should also encrypt the document. What should the compliance team configure?

A.Create a retention label with a retention rule
B.Create an auto-labeling policy for sensitivity labels
C.Create a data loss prevention (DLP) policy
D.Create a manual sensitivity label and train users
AnswerB

Auto-labeling policies can automatically apply labels with encryption based on sensitive info types.

Why this answer

Option B is correct because an auto-labeling policy can be set to scan SharePoint for content containing a passport number and apply a label with encryption. Option D is wrong because manual labeling is not automatic. Option C is wrong because a DLP policy blocks sharing but does not apply labels.

Option A is wrong because a retention label is for retention, not encryption.

19
MCQmedium

Refer to the exhibit. You are reviewing a risk detection report in Microsoft Entra Identity Protection. The report shows a user with high risk level and two risk events. What does the status 'remediated' indicate?

A.The risk is still active and requires investigation.
B.The risk has been resolved by a remediation action such as password reset.
C.The user's account has been confirmed as compromised.
D.The risk was dismissed by an administrator as false positive.
AnswerB

Remediated indicates the risk was mitigated.

Why this answer

In Microsoft Entra Identity Protection, the 'remediated' status indicates that the risk associated with the user has been resolved through an automated or manual remediation action, such as a password reset or completion of a multi-factor authentication (MFA) challenge. This means the detected risk event is no longer considered active, and the user's account has been brought back to a secure state. Option B correctly identifies that the risk was resolved by a remediation action.

Exam trap

The trap here is that candidates often confuse 'remediated' with 'dismissed as false positive', not realizing that 'remediated' implies a corrective action was taken (like password reset), while 'dismissed' means the risk was deemed invalid by an admin.

How to eliminate wrong answers

Option A is wrong because 'remediated' explicitly means the risk is no longer active; an active risk would be labeled 'at risk' or 'active', not 'remediated'. Option C is wrong because 'remediated' does not confirm compromise; it indicates the risk was mitigated, whereas a confirmed compromise would be shown as 'confirmed compromised' in the report. Option D is wrong because 'remediated' is distinct from 'dismissed as false positive'; a false positive dismissal would be labeled 'dismissed' or 'false positive', not 'remediated'.

20
MCQmedium

A company uses Azure virtual machines and also has physical servers in their on-premises datacenter. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and get a secure score for both environments. They also want to integrate with Microsoft Defender for Cloud for threat protection. Which Microsoft security solution provides this unified visibility across hybrid workloads?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Security Center
AnswerA

Defender for Cloud provides a unified dashboard for security posture management (secure score, recommendations) and integrated threat protection across hybrid workloads.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that delivers security recommendations, misconfiguration detection, and a secure score across both Azure virtual machines and on-premises physical servers. It natively integrates with Microsoft Defender for Cloud's threat protection capabilities, enabling hybrid workload coverage without additional licensing or complex setup.

Exam trap

Microsoft often tests the distinction between Microsoft Defender for Cloud (unified posture management and threat protection) and Microsoft Sentinel (SIEM/SOAR), causing candidates to confuse the two due to overlapping security monitoring capabilities.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on log ingestion, threat hunting, and incident response, not a unified dashboard for security posture recommendations and secure scores. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices, not a cross-environment dashboard for security recommendations and secure scores across hybrid workloads. Option D is wrong because Microsoft Security Center is a legacy name; the current unified solution is Microsoft Defender for Cloud, which replaced Azure Security Center and Azure Defender.

21
MCQmedium

A company wants to improve its security awareness program by periodically sending simulated phishing emails to employees to test their ability to identify malicious messages. The results should be tracked in a dashboard that shows which employees clicked the links. Which Microsoft 365 Defender capability should they use?

A.Attack Simulation Training
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft 365 Defender Incident Response
AnswerA

Correct. Attack Simulation Training is specifically designed for creating and managing simulated phishing attacks to train employees.

Why this answer

Attack Simulation Training is the correct answer because it is the specific Microsoft 365 Defender capability designed to create and launch simulated phishing campaigns, track employee interactions (e.g., clicks on malicious links), and report results in a dashboard. This feature is part of Microsoft Defender for Office 365 but is a distinct workload focused on security awareness training and measurement.

Exam trap

The trap here is that candidates confuse the broader Microsoft Defender for Office 365 (which includes anti-phishing policies) with the specific Attack Simulation Training feature, assuming the entire suite is needed for simulation, when in fact the simulation tool is a discrete component with its own dashboard and configuration portal.

How to eliminate wrong answers

Option B (Microsoft Defender for Office 365) is wrong because while it provides the underlying protection (e.g., anti-phishing, Safe Links, Safe Attachments) and hosts Attack Simulation Training, the question specifically asks for the capability to simulate phishing and track clicks, which is a separate feature within the suite, not the entire service. Option C (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, app permissions, and data protection across SaaS applications, not on simulating phishing attacks against users. Option D (Microsoft 365 Defender Incident Response) is wrong because it is a workflow for investigating and remediating real security incidents (e.g., automated investigation and response), not for proactively testing user awareness with simulated attacks.

22
Drag & Dropmedium

Sequence the steps to set up Microsoft Sentinel for a new workspace.

Why this order

Setting up Sentinel requires a Log Analytics workspace, enabling Sentinel, connecting sources, creating rules, and automating responses.

23
MCQhard

A multinational corporation has data stored across multiple clouds (Azure, AWS) and on-premises. The data governance team needs to create a single inventory of all data assets, automatically classify sensitive data (e.g., credit card numbers) across these sources, and track how data moves and transforms (lineage). Which Microsoft Purview solution should they use?

A.Microsoft Purview Data Map
B.Microsoft Purview Compliance Manager
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview eDiscovery
AnswerA

Data Map creates a unified inventory of data assets, enables automated classification, and tracks lineage across multi-cloud and on-premises sources.

Why this answer

Microsoft Purview Data Map is the correct solution because it provides a unified map of data assets across multi-cloud (Azure, AWS) and on-premises sources, supports automated sensitive data classification (e.g., credit card numbers via built-in classifiers), and tracks data lineage to show how data moves and transforms. This directly meets the requirements for a single inventory, classification, and lineage tracking.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Data Map with Data Lifecycle Management, thinking both handle data classification, but Data Map specifically provides the unified inventory and lineage tracking across hybrid and multi-cloud environments, while Data Lifecycle Management only handles retention and deletion policies.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Compliance Manager is a risk assessment and compliance management tool that helps track regulatory compliance posture, not a solution for data inventory, classification, or lineage. Option C is wrong because Microsoft Purview Data Lifecycle Management focuses on retention policies, deletion, and data governance for lifecycle stages, not on creating a data map or tracking lineage. Option D is wrong because Microsoft Purview eDiscovery is designed for legal discovery and search of content in Microsoft 365, not for multi-cloud data inventory, classification, or lineage tracking.

24
MCQeasy

Your organization is adopting a Zero Trust security model. You are tasked with implementing identity protection. The requirements are: enforce multi-factor authentication (MFA) for all users when accessing cloud applications, ensure that risky sign-ins are detected and blocked automatically, and provide administrators with a dashboard showing user risk levels. You have Microsoft Entra ID P2 licenses. What should you configure?

A.Configure Microsoft Sentinel to collect sign-in logs and create custom alerts for risky sign-ins.
B.Configure a Conditional Access policy to require MFA for all cloud apps, enable Identity Protection to detect and automatically block risky sign-ins, and use the Identity Protection dashboard.
C.Configure Privileged Identity Management for all users and enable MFA.
D.Configure Microsoft Defender for Cloud Apps to require MFA and detect risky sign-ins.
AnswerB

This combination meets all requirements.

Why this answer

Option B is correct because a Conditional Access policy enforces MFA, Identity Protection detects and blocks risky sign-ins, and the Identity Protection dashboard shows user risk levels. Option A is incorrect because Microsoft Sentinel is a SIEM, not an identity protection service. Option C is incorrect because Privileged Identity Management manages privileged role assignments, not risky sign-ins. Option D is incorrect because Microsoft Defender for Cloud Apps is for cloud app security, not identity risk.

25
MCQeasy

A security administrator is explaining authentication and authorization to new IT staff. Which statement correctly describes the difference between these two processes?

A.Authentication verifies what a user can do; authorization verifies who the user is.
B.Authentication verifies who the user is; authorization verifies what the user can do.
C.Both authentication and authorization verify the user's identity.
D.Authorization is always performed before authentication.
AnswerB

Authentication confirms the user's identity (e.g., password, biometric). Authorization determines what resources and actions the user is allowed to access.

Why this answer

Authentication is the process of verifying the identity of a user, device, or other entity, typically through credentials like a password, biometric, or certificate. Authorization determines what an authenticated entity is permitted to do, such as accessing specific resources or performing certain actions, often enforced via access control lists (ACLs) or role-based access control (RBAC). In Microsoft Entra ID, authentication occurs first (e.g., via OAuth 2.0 or SAML), and then authorization is evaluated using claims or directory roles.

Exam trap

The trap here is confusing the sequence and purpose of authentication versus authorization, leading candidates to reverse the definitions or assume authorization can occur without prior authentication.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: authentication verifies identity, not permissions, and authorization verifies permissions, not identity. Option C is wrong because authorization does not verify the user's identity; it only determines access rights after identity has been established. Option D is wrong because authentication must always be performed before authorization; you cannot authorize an unknown entity.

26
MCQeasy

A company operates an e-commerce website that must remain accessible during high-traffic holiday seasons. The IT team deploys additional web servers and implements automatic failover to a secondary data center if the primary site goes down. Which security principle is the company primarily addressing?

A.Confidentiality
B.Integrity
C.Availability
D.Authorization
AnswerC

Availability ensures that systems and data are accessible to authorized users when needed. The described measures (additional servers, failover) directly support high availability.

Why this answer

The company is ensuring that the e-commerce website remains operational even during high-traffic periods or after a primary site failure. Deploying additional web servers and implementing automatic failover to a secondary data center directly supports the availability principle, which ensures that systems and data are accessible when needed. This is a core tenet of the CIA triad, and in this scenario, the focus is on uptime and resilience, not on protecting data from unauthorized access or modification.

Exam trap

The trap here is that candidates often confuse availability with authorization, mistakenly thinking that controlling who can access the site (authorization) is the same as ensuring the site is up and running (availability).

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., encryption, access controls), not on maintaining system uptime or failover. Option B is wrong because integrity ensures data is not tampered with or altered in an unauthorized manner (e.g., hashing, checksums), which is unrelated to deploying redundant servers or automatic failover. Option D is wrong because authorization determines what authenticated users are allowed to do (e.g., role-based access control), not the operational continuity of the infrastructure.

27
MCQhard

A company wants to proactively detect and investigate potential insider security risks, such as a departing employee copying large amounts of data to a personal USB drive or sharing confidential files with unauthorized individuals. Which Microsoft Purview solution should they use?

A.Data Lifecycle Management
B.Insider Risk Management
C.Communication Compliance
D.eDiscovery (Standard)
AnswerB

Insider Risk Management is designed to detect, triage, and respond to potentially risky activities by users inside the organization.

Why this answer

Insider Risk Management in Microsoft Purview is specifically designed to detect, investigate, and act on risky user activities that may lead to data security incidents, such as unauthorized data exfiltration by departing employees. It uses predefined and customizable policies to correlate signals from Microsoft 365 logs (e.g., copying files to USB, sharing with external users) and applies risk-scoring to prioritize alerts. This makes it the correct solution for proactively identifying potential insider threats like bulk data copying or unauthorized file sharing.

Exam trap

The trap here is that candidates often confuse Communication Compliance (which monitors communications) with Insider Risk Management (which monitors risky user behavior and data actions), leading them to select Communication Compliance when the scenario explicitly describes data exfiltration actions rather than communication violations.

How to eliminate wrong answers

Option A (Data Lifecycle Management) is wrong because it focuses on retaining, deleting, and managing data based on compliance or business requirements, not on detecting user behavior or insider threats. Option C (Communication Compliance) is wrong because it is designed to monitor communications (emails, Teams chats) for policy violations like harassment or inappropriate sharing, but it does not detect data exfiltration actions such as copying to USB drives. Option D (eDiscovery Standard) is wrong because it is used for searching and exporting content for legal or investigative purposes after an incident has been identified, not for proactive detection of risky user behavior.

28
Multi-Selecthard

An organization uses Microsoft Purview Information Protection to classify and protect data. Which TWO methods can be used to apply sensitivity labels automatically?

Select 2 answers
A.Auto-labeling policies in Microsoft 365 compliance center
B.Client-side automatic classification via the unified labeling client
C.Default labeling policy for Microsoft 365 Apps
D.Manual labeling by end users
E.PowerShell scripts to apply labels on export
AnswersA, B

Correct: Can automatically apply labels.

Why this answer

Auto-labeling policies (Option A) apply labels automatically based on configured conditions. Client-side labeling via the Azure Information Protection unified labeling client (Option B) also supports automatic classification. Option D is wrong because manual labeling by end users is, by definition, not automatic. Option C is wrong because a default label in Microsoft 365 Apps is applied when the user does not choose one; it is not condition-based automatic classification. Option E is wrong because applying labels with PowerShell on export depends on custom scripting rather than a built-in automatic labeling method.

29
MCQeasy

A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Separation of duties
AnswerA

Defense in depth uses multiple overlapping layers of security controls to provide redundancy.

Why this answer

Defense in depth is the correct answer because it explicitly describes a layered security strategy where multiple independent controls (firewalls, antivirus, MFA) are deployed so that if one layer is bypassed or fails, subsequent layers still provide protection. This principle is foundational to modern security architecture and directly matches the scenario of using diverse controls to prevent a single point of failure.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense in depth because both involve multiple controls, but Zero Trust is specifically about verifying every access request regardless of origin, whereas defense in depth is about layering independent controls to provide redundancy and depth.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their tasks, not on layering multiple controls. Option C (Zero Trust) is wrong because, while it incorporates multiple verification points, its core principle is 'never trust, always verify' and assumes no implicit trust based on network location, rather than simply layering controls for redundancy. Option D (Separation of duties) is wrong because it divides critical tasks among multiple people to prevent fraud or error, not to provide overlapping security layers.

30
MCQeasy

Your organization uses Microsoft Entra ID. You want to provide external partners with access to a SharePoint site using their own identity providers (e.g., Google, Facebook). Which feature should you use?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra Identity Protection
C.Microsoft Entra External ID (B2C)
D.Conditional Access policies
AnswerC

External ID B2C supports social identity providers.

Why this answer

Option C is correct because Microsoft Entra External ID (B2C) is specifically designed for customer-facing applications where external users authenticate using social identity providers like Google, Facebook, or Microsoft accounts. It supports OAuth 2.0 and OpenID Connect protocols to allow partners to sign in with their own identity providers, and it can be integrated with SharePoint sites via custom policies or app registrations. This feature provides the necessary federation and user self-service capabilities for external partner access with social identities.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (designed for enterprise guest users) with Microsoft Entra External ID (B2C) (designed for consumer/social identity scenarios), leading them to select Option A when the question explicitly requires support for social identity providers like Google and Facebook.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration is intended for business-to-business scenarios where external partners are invited as guest users in the tenant, but it does not natively support social identity providers like Google or Facebook for direct sign-in; it relies on the partner's existing Microsoft Entra ID or other enterprise identity providers. Option B is wrong because Microsoft Entra Identity Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not provide any mechanism for external user authentication or federation with social identity providers. Option D is wrong because Conditional Access policies are used to enforce access controls (e.g., MFA, location, device compliance) after authentication, but they do not enable external users to authenticate with their own identity providers; they require an existing identity and authentication flow.

31
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect hybrid workloads. A security administrator needs to ensure that all Azure subscriptions are automatically covered by Defender for Cloud's security policies. What should the administrator configure?

A.Assign the Azure Security Benchmark initiative to each resource group.
B.Assign the Azure Security Benchmark initiative to the root management group.
C.Enable Defender for Cloud on each subscription individually.
D.Install the Log Analytics agent on all VMs.
AnswerB

Assigning to the root management group automatically applies policies to all subscriptions.

Why this answer

Defender for Cloud's default policy initiative is automatically assigned to all subscriptions under a management group, ensuring consistent coverage. Option A is incorrect because assigning at the resource group level does not apply to other resource groups or subscriptions. Option C is incorrect because Azure Policy must be assigned at a scope that covers all subscriptions, not just enabled on each one individually. Option D is incorrect because installing the agent on each VM is manual onboarding, not automatic policy coverage.

32
MCQmedium

An organization uses Microsoft Intune to manage devices. The security team wants to ensure that only devices with a minimum OS version and antivirus enabled can access corporate email. What should they configure?

A.Conditional Access policy referencing device compliance
B.Device enrollment restrictions
C.App protection policies in Microsoft Defender for Cloud Apps
D.A device compliance policy
AnswerA

Conditional Access uses compliance status to allow or block access.

Why this answer

Conditional Access referencing device compliance evaluates device health and enforces access controls. Option D is incorrect because a device compliance policy alone does not enforce access. Option C is incorrect because app protection policies manage data within apps, not device-level access. Option B is incorrect because device enrollment restrictions govern a prerequisite (enrollment), not access enforcement.

33
MCQeasy

An organization uses Microsoft Purview Communication Compliance. They need to monitor Microsoft Teams messages for potential insider trading language. What should they configure?

A.An eDiscovery case
B.A Communication Compliance policy
C.A Data Loss Prevention policy
D.A sensitivity label policy
AnswerB

Communication Compliance monitors communications for policy violations.

Why this answer

Option B is correct because Communication Compliance policies can monitor Teams messages for specific conditions such as keywords. Option C is wrong because DLP is for data loss prevention. Option A is wrong because eDiscovery is for search. Option D is wrong because sensitivity labels are for classification.

34
MCQeasy

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email outside the company. Which type of DLP rule action should they configure?

A.Block
B.Notify
C.Audit only
D.Encrypt
AnswerA

Block prevents the email from being sent and can provide user notification.

Why this answer

The 'Block' action prevents the email from being sent and can optionally notify the user and admin. Option C is wrong because 'Audit only' logs the event but does not block. Option D is wrong because 'Encrypt' is a separate action, not the primary blocking mechanism. Option B is wrong because 'Notify' only sends an alert without blocking.

35
MCQeasy

A company uses Microsoft Entra ID for identity management. They want to allow employees to sign in using their existing Facebook credentials. Which feature should they configure?

A.Microsoft Entra Privileged Identity Management
B.Microsoft Entra External Identities
C.Microsoft Entra Conditional Access
D.Microsoft Entra Identity Protection
AnswerB

External Identities allows federation with social identity providers like Facebook.

Why this answer

Microsoft Entra External Identities (B) is the correct feature because it allows organizations to configure identity providers for external users, including social identity providers like Facebook. By enabling Facebook as an identity provider in the External Identities settings, employees can sign in using their existing Facebook credentials, which are federated via OAuth 2.0 and OpenID Connect protocols.

Exam trap

The trap here is that candidates often confuse External Identities (which handles external and social identity providers) with Conditional Access or Identity Protection, mistakenly thinking those features can directly enable social login, when in fact they only enforce policies or detect risks after authentication is configured.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles in Microsoft Entra ID, not for configuring external identity providers like Facebook. Option C is wrong because Microsoft Entra Conditional Access enforces policies based on signals such as user location or device compliance, but it does not configure or enable social identity providers for authentication. Option D is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials or anomalous sign-ins), but it does not allow integration with external identity providers like Facebook.

36
MCQhard

You run the above KQL query in Microsoft Sentinel. What is the purpose of this query?

A.To detect potential brute-force attacks against a specific user account
B.To find all users who signed in from multiple IP addresses
C.To identify sign-ins that failed multi-factor authentication
D.To list all IP addresses that accessed the tenant
AnswerA

A high number of sign-ins from a single IP suggests a brute-force attempt.

Why this answer

Option A is correct because the query counts sign-ins per IP address for a specific user in the last day and filters for IPs with more than 10 sign-ins, which could indicate a brute-force attempt. Option B is wrong because that would require grouping by user, whereas the query groups by IP address. Option C is wrong because the query does not check for MFA failures. Option D is wrong because the query focuses on a single user, not all users.

37
MCQeasy

A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Zero Trust
AnswerB

Least privilege is the practice of granting only the minimum necessary permissions required for a user or system to perform a function, directly matching the administrator's action.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their specific job functions and no more. By configuring accounts with minimal access rights, the administrator directly applies this concept to reduce the attack surface and limit potential damage from compromised credentials.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'separation of duties' because both involve limiting access, but separation of duties focuses on splitting tasks across multiple people to prevent collusion, not on minimizing individual permissions.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle for assigning user permissions. Option C is wrong because separation of duties divides critical tasks among multiple users to prevent fraud (e.g., one person requests access, another approves), not limiting permissions per user. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not a specific permission-assignment principle.

38
Multi-Selectmedium

A cybersecurity analyst uses Microsoft Sentinel to detect threats. Which THREE types of analytics rules can be created?

Select 3 answers
A.Scheduled query rules
B.Near-real-time (NRT) rules
C.Hunting rules
D.Fusion rules
E.Machine learning rules
AnswersA, B, D

Correct: Standard rule type.

Why this answer

Scheduled, NRT, and Fusion are analytics rule types in Sentinel. Option C is wrong because hunting is done with queries, not analytics rules. Option E is wrong because machine learning detections are typically part of Fusion or built-in rules rather than a separate rule type.

39
MCQeasy

Which of the following is a primary purpose of Microsoft Entra ID Identity Protection?

A.Detect and remediate identity risks
B.Manage privileged roles
C.Classify and protect sensitive data
D.Manage device compliance policies
AnswerA

Identity Protection uses signals to detect risky sign-ins and users.

Why this answer

Option A is correct because Identity Protection detects and remediates identity-based risks. Option D is wrong because device compliance management is Intune. Option B is wrong because privileged role management is PIM. Option C is wrong because data classification is Purview.

40
MCQhard

A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?

A.Dynamic groups
B.Administrative Units
C.Conditional Access policies
D.Privileged Identity Management (PIM)
AnswerB

Administrative Units enable scoped administration by defining a subset of users or devices, allowing delegated access to resources within that scope only.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions over a subset of users, groups, or devices without granting broader tenant-wide access. By creating an AU for the Finance department and assigning the Helpdesk Administrator role scoped to that AU, the help desk team can reset passwords only for Finance users, matching the on-premises OU structure.

Exam trap

The trap here is confusing delegation of administrative scope (Administrative Units) with membership automation (Dynamic groups) or access control (Conditional Access), leading candidates to pick a feature that manages users rather than one that limits administrative permissions.

How to eliminate wrong answers

Option A is wrong because Dynamic groups are used for automatic membership based on user attributes (e.g., department), not for delegating administrative permissions or scoping role assignments. Option C is wrong because Conditional Access policies control access to resources based on conditions like location or device state, not for delegating password reset capabilities. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not by itself create a scoped administrative boundary; it requires an Administrative Unit or other scope to limit the role's effective permissions.

41
MCQhard

A company uses Microsoft Defender for Endpoint. An alert indicates that a device is communicating with a known malicious IP address. The security team wants to automatically block the IP address on all devices. Which action should they configure?

A.Custom detection rule
B.Automated investigation
C.Indicator of compromise (IoC)
D.Threat analytics report
AnswerC

IoC allows blocking IP addresses, domains, or URLs across devices.

Why this answer

Option C is correct because an indicator of compromise (IoC) in Defender for Endpoint can be used to block IP addresses across devices. Option B is wrong because an automated investigation can resolve alerts but does not block IPs. Option A is wrong because a custom detection rule is for query-based detections. Option D is wrong because a threat analytics report provides threat intelligence but does not take action.

42
Multi-Selecteasy

Which TWO of the following are Microsoft Purview solutions that help protect sensitive data?

Select 2 answers
A.Communication Compliance
B.eDiscovery
C.Data Loss Prevention (DLP)
D.Sensitivity labels
E.Insider Risk Management
AnswersC, D

DLP prevents unauthorized sharing of sensitive data.

Why this answer

Sensitivity labels and Data Loss Prevention (DLP) are both Purview solutions that protect sensitive data. Insider Risk Management detects risks but does not directly protect data. Communication Compliance monitors communications. eDiscovery is for discovery. So the correct answers are C and D.

43
MCQhard

A law firm uses Microsoft 365. They must retain all client communication records for 10 years due to regulatory requirements. After 10 years, the records must be permanently deleted. Additionally, they need to ensure that users cannot permanently delete these records before the retention period ends. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview Records Management
C.Microsoft Purview eDiscovery
D.Microsoft Purview Audit
AnswerB

Correct. Records Management allows you to declare items as records, which locks them against deletion and editing, and then apply retention and disposition settings.

Why this answer

Microsoft Purview Records Management is the correct solution because it allows the law firm to apply retention labels that mark content as a regulatory record, which prevents users from permanently deleting the records before the retention period ends. It also supports disposition review and permanent deletion after the specified 10-year retention period, meeting both the retention and deletion requirements.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (which handles general retention and deletion) with Records Management (which adds the critical 'regulatory record' lock to prevent user deletion), so they incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management focuses on managing the lifecycle of data (e.g., automatically deleting or archiving content based on retention policies) but does not provide the ability to lock records as regulatory records to prevent user deletion; it lacks the 'records declaration' capability. Option C is wrong because Microsoft Purview eDiscovery is designed for searching, holding, and exporting content for legal or investigative purposes, not for enforcing retention or deletion schedules. Option D is wrong because Microsoft Purview Audit provides logging and monitoring of user activities (e.g., who deleted a record) but does not prevent deletion or enforce retention periods.

44
MCQhard

You need to implement a solution that allows users to access cloud applications without entering a password, using Windows Hello for Business. Which Microsoft Entra feature integrates with Windows Hello for Business?

A.Conditional Access
B.Microsoft Entra ID
C.FIDO2 security keys
D.Microsoft Authenticator
AnswerB

Entra ID supports Windows Hello for Business as a credential.

Why this answer

Option B is correct because Microsoft Entra ID supports Windows Hello for Business as a strong credential. Option D is incorrect because Microsoft Authenticator is a separate MFA app. Option C is incorrect because FIDO2 security keys are another method but not Windows Hello.

Option A is incorrect because Conditional Access can require Windows Hello but does not integrate it.

45
MCQmedium

A company uses Microsoft Entra ID. The IT department has three teams: Helpdesk, Global Administrators, and Security Administrators. The company wants to allow the Helpdesk team to manage password resets and group memberships, but only for users who belong to the 'Sales' organizational unit. Which Microsoft Entra feature should the administrator use to define this delegated administrative scope?

A.Administrative Units
B.Privileged Identity Management (PIM)
C.Conditional Access policies
D.Identity Governance (Access Reviews)
AnswerA

Administrative Units allow you to delegate administrative tasks to specific groups of users, restricting their management scope to a subset of directory objects (e.g., users in a department). This is correct.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions scoped to specific organizational units, such as the 'Sales' OU. By placing Sales users into an AU and assigning the Helpdesk team roles like 'Helpdesk Administrator' or 'User Administrator' scoped to that AU, you precisely control which users they can manage for password resets and group memberships. This directly meets the requirement for delegated administrative scope without granting broader tenant-wide permissions.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with scope delegation, but PIM controls *when* a role is used (time-bound activation), not *where* it can be applied (scope), which is the core requirement of this question.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM provides just-in-time activation and approval workflows for privileged roles, not the ability to scope administrative permissions to a specific organizational unit. Option C (Conditional Access policies) is wrong because Conditional Access controls authentication and access conditions (e.g., location, device compliance) for sign-ins, not delegated administration of user objects. Option D (Identity Governance with Access Reviews) is wrong because Access Reviews are used to periodically certify user access and group memberships, not to define the scope of administrative delegation.

46
Multi-Selecthard

Which TWO are capabilities of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Entitlement Management
B.Self-service password reset
C.Identity Protection
D.Access Reviews
E.Conditional Access
AnswersA, D

Entitlement Management is part of Entra ID Governance.

Why this answer

Entitlement Management and Access Reviews are capabilities of Entra ID Governance. Conditional Access is a separate feature, Identity Protection is security, and SSPR is user self-service.

47
MCQmedium

A company uses Microsoft Entra ID. The security team wants to automatically respond to risky user behaviors, such as sign-ins from anonymous IP addresses or impossible travel between geographically distant locations within an unrealistic time frame. They need a solution that can automatically trigger actions like forcing a password reset or blocking sign-in for users identified as high risk. Which Microsoft Entra ID capability should they configure?

A.Microsoft Entra Conditional Access
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Identity Governance
AnswerB

Identity Protection detects risks and allows you to configure automated responses such as requiring MFA, forcing password reset, or blocking access for high-risk users.

Why this answer

Microsoft Entra Identity Protection is the correct capability because it is specifically designed to detect and automatically respond to risky user behaviors, such as sign-ins from anonymous IP addresses or impossible travel. It uses machine learning to assign risk levels and can trigger automated actions like forcing a password reset or blocking sign-in for high-risk users, aligning directly with the security team's requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the enforcement mechanism that requires a risk signal from Identity Protection to trigger automated responses like blocking or password reset.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky behaviors or assign risk levels; it relies on signals from Identity Protection to trigger actions like requiring MFA. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, access reviews, and auditing for administrative roles, not on detecting or responding to user sign-in risk behaviors. Option D is wrong because Microsoft Entra Identity Governance manages identity lifecycle processes such as access certifications, entitlement management, and provisioning, but it does not include risk detection or automated response to risky sign-ins.

48
MCQmedium

An organization wants to automatically retain emails for 7 years and then delete them. They also need to place a legal hold on specific users' mailboxes to preserve all emails during litigation. Which combination of Microsoft Purview features should they use?

A.Retention labels and eDiscovery
B.Retention policies and Litigation Hold
C.Data Lifecycle Management and Audit
D.Records Management and Data Loss Prevention
AnswerB

Retention policies can automatically retain and delete content across mailboxes, while Litigation Hold preserves all content in a user's mailbox for legal purposes.

Why this answer

For automatic retention and deletion, Retention policies in Microsoft Purview are ideal as they apply to entire mailboxes. To preserve emails for litigation, Litigation Hold can be enabled on specific user mailboxes, ensuring that no emails are deleted or altered. The combination of these two features meets both requirements.

49
Multi-Selecthard

Which THREE actions can Microsoft Sentinel perform as part of automated incident response using playbooks?

Select 3 answers
A.Block an IP address on a firewall
B.Install anti-malware software on a device
C.Reset a user's password
D.Create an incident in ServiceNow
E.Modify a network security group rule
AnswersA, C, D

Playbooks can trigger firewall blocking via connectors.

Why this answer

Option D is correct because playbooks can create incidents in other systems such as ServiceNow. Option A is correct because playbooks can block IP addresses. Option C is correct because playbooks can reset user passwords.

Option E is wrong because playbooks cannot directly modify network security group or firewall rules; they can only trigger automation. Option B is wrong because playbooks cannot automatically install software.

50
MCQeasy

Your organization uses Microsoft Purview Communication Compliance to detect potential policy violations in Microsoft Teams chats. Which action can the policy automatically take when a violation is detected?

A.Revoke the user's access to Microsoft Teams
B.Block the user from sending messages
C.Notify the user and their manager via email
D.Automatically delete the violating message
AnswerC

Communication Compliance can automatically send notifications as a remediation action.

Why this answer

Communication Compliance policies can automatically take actions like sending a notification to the user or escalating to a manager, so Option C is correct. Revoking access or blocking the user is not automatic; a DLP or Conditional Access policy would be needed.

Deleting the message is not an automatic action in Communication Compliance.

51
MCQeasy

Your organization is using Microsoft Entra ID. You want to provide a single sign-on (SSO) experience for users accessing multiple SaaS applications. Which feature should you implement?

A.Microsoft Entra ID as an identity provider
B.Microsoft Entra application proxy
C.Microsoft Entra myapps portal
D.Microsoft Entra Privileged Identity Management
AnswerA

Microsoft Entra ID supports federated SSO with many SaaS apps.

Why this answer

Microsoft Entra ID acts as an identity provider (IdP) to enable single sign-on (SSO) for SaaS applications. When configured as the IdP, Entra ID authenticates the user once and issues a security token (e.g., SAML 2.0 assertion or OpenID Connect token) that is accepted by the SaaS application, eliminating the need for repeated logins. This is the core mechanism for federated SSO across multiple cloud applications.

Exam trap

The trap here is that candidates confuse the My Apps portal (a user interface for launching apps) with the actual SSO authentication mechanism, but the portal itself does not perform authentication—it relies on Entra ID as the identity provider.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Application Proxy is a reverse proxy solution for publishing on-premises web applications externally, not for providing SSO to SaaS applications. Option C is wrong because the My Apps portal is a user-facing dashboard that aggregates access to applications, but it does not itself provide the SSO authentication mechanism; it relies on Entra ID as the IdP. Option D is wrong because Privileged Identity Management (PIM) is a feature for managing, controlling, and monitoring access to privileged roles, not for enabling SSO to SaaS applications.

52
MCQmedium

A company has on-premises Active Directory. They want to detect advanced attacks like Pass-the-Hash, DCSync, and malicious Kerberos activity using behavioral analytics. Which Microsoft security solution should they deploy on their domain controllers?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerC

Defender for Identity is specifically designed to detect identity-based attacks on on-premises AD using behavioral analytics.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it uses behavioral analytics and machine learning to detect advanced attacks specifically targeting on-premises Active Directory, such as Pass-the-Hash, DCSync, and malicious Kerberos activity. MDI monitors domain controller traffic, including Kerberos authentication and NTLM relay, to identify anomalous patterns indicative of these attacks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers domain controllers, but MDI is specifically designed for Active Directory security and behavioral analytics against identity-based attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices like workstations and servers, not on monitoring domain controller traffic or Active Directory-specific attack vectors like DCSync. Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) from threats like phishing and malware, not on-premises Active Directory attacks. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that monitors cloud applications and shadow IT, not on-premises domain controllers or Kerberos/NTLM traffic.

53
Multi-Selecteasy

A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?

Select 2 answers
A.Authentication and authorization
B.Confidentiality and integrity
C.Identification and non-repudiation
D.Availability and accountability
AnswersA, B

Correct. The fingerprint scan authenticates the user, and the role check authorizes access to the database.

Why this answer

The fingerprint scan is a form of authentication, verifying the user's identity through a biometric factor. The subsequent check of the user's group membership ('Data Analyst') to grant access to the database is authorization, determining what resources the authenticated user can access. This scenario directly maps to the identity and access management (IAM) concepts of authentication (proving who you are) and authorization (what you are allowed to do).

Exam trap

The trap here is that candidates confuse 'identification' (claiming an identity, e.g., typing a username) with 'authentication' (proving that identity, e.g., fingerprint), and they may incorrectly select Option C because they see the fingerprint as identification rather than a proof factor.

54
MCQhard

Your organization uses Microsoft Purview to manage data classification. You need to ensure that a specific Azure Blob Storage account is automatically classified for sensitivity labels. Which step is required?

A.Register the storage account in Microsoft Purview Data Map and configure scanning
B.Create a sensitivity label and publish it to all users
C.Apply a DLP policy to the storage account
D.Enable Microsoft Purview Information Protection for Azure
AnswerA

The Data Map scans and classifies data in Azure sources.

Why this answer

Microsoft Purview Data Map scans Azure Blob Storage and can auto-classify files based on built-in or custom classifiers. Option C is wrong because DLP policies do not classify storage accounts directly. Option B is wrong because sensitivity labels are not auto-applied to storage without the scanner.

Option D is wrong because Information Protection is for files in Office 365, not Azure storage.

55
MCQmedium

Your organization uses Microsoft Purview Data Lifecycle Management to retain data for regulatory compliance. You need to ensure that all documents in a SharePoint site are retained for 7 years after they are last modified. What should you create?

A.An auto-labeling policy
B.A data loss prevention policy
C.An adaptive scope based on last modified date
D.A static scope for the SharePoint site
AnswerC

Adaptive scopes can dynamically include content based on properties like last modified date.

Why this answer

Option C is correct because adaptive scopes allow dynamic targeting based on metadata such as the last modified date. Option D is wrong because static scopes target specific sites. Option A is wrong because auto-labeling policies apply labels automatically.

Option B is wrong because DLP policies protect data rather than retain it.

56
MCQmedium

A security analyst in your organization receives an alert from Microsoft Defender XDR indicating that a user's device may be infected with ransomware. The analyst needs to immediately isolate the device from the network to prevent further spread. What should the analyst do?

A.Revoke the user's session in Microsoft Entra ID
B.Use Microsoft Defender for Endpoint to initiate device isolation
C.Open Microsoft Sentinel and run a playbook
D.Use Microsoft Intune to wipe the device
AnswerB

Defender for Endpoint allows immediate isolation of the device.

Why this answer

Option B is correct because Microsoft Defender for Endpoint (part of Defender XDR) provides the ability to isolate a device from the network. Option C is wrong because Microsoft Sentinel is a SIEM, not an endpoint action. Option D is wrong because Microsoft Intune can wipe devices but is slower and is not immediate isolation.

Option A is wrong because Microsoft Entra ID is for identity, not device isolation.

57
MCQmedium

Your company wants to use Microsoft Entra ID to provide single sign-on (SSO) to a SaaS application that supports SAML 2.0. What should you configure in Microsoft Entra ID?

A.Enable Microsoft Entra ID Domain Services
B.Add the application from the Microsoft Entra ID Gallery in Enterprise applications
C.Configure Microsoft Entra ID Governance
D.Register the application in App registrations
AnswerB

Enterprise applications provide pre-integrated SSO for SaaS apps.

Why this answer

Option B is correct because adding the SaaS application from the Microsoft Entra ID Gallery in Enterprise applications is the standard method to configure SAML 2.0-based single sign-on (SSO). The gallery provides pre-integrated templates that include the necessary SAML endpoints, certificates, and attribute mappings, enabling seamless federation between Entra ID and the external application.

Exam trap

The trap here is that candidates confuse App registrations (for custom apps using OAuth/OpenID Connect) with Enterprise applications (for pre-integrated gallery apps using SAML), leading them to select option D instead of the correct B.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Domain Services (formerly Azure AD DS) provides managed domain services like LDAP and Kerberos for legacy applications, not SAML-based SSO for SaaS apps. Option C is wrong because Microsoft Entra ID Governance focuses on identity lifecycle, access reviews, and entitlement management, not the direct configuration of SAML SSO for a specific application. Option D is wrong because App registrations is used for custom application development (OAuth 2.0/OpenID Connect), not for integrating pre-built gallery applications that support SAML 2.0; gallery apps are added via Enterprise applications.

58
MCQmedium

A multinational company stores customer data across multiple Azure regions. A new regulation requires that customer data must remain within the country's borders and cannot be transferred abroad. Which concept does this regulation primarily relate to?

A.Data Sovereignty
B.Data Residency
C.Data Retention
D.Data Classification
AnswerA

Correct. Data sovereignty ensures data is subject to the legal and regulatory requirements of the country where it resides, directly addressing the transfer restriction.

Why this answer

Data Sovereignty is the correct answer because the regulation mandates that customer data must remain within the country's borders and cannot be transferred abroad. This legal and compliance concept asserts that data is subject to the laws and governance structures of the nation where it is physically stored, directly addressing cross-border transfer restrictions.

Exam trap

The trap here is that candidates often confuse Data Sovereignty (legal/jurisdictional control) with Data Residency (physical storage location), but the regulation's explicit focus on 'cannot be transferred abroad' makes sovereignty the correct concept.

How to eliminate wrong answers

Option B (Data Residency) is wrong because it refers to the physical or geographic location where data is stored, not the legal requirement that data must stay within a specific country's jurisdiction. Option C (Data Retention) is wrong because it concerns policies for how long data is kept, not where it can be stored or transferred. Option D (Data Classification) is wrong because it involves categorizing data by sensitivity or criticality, not the legal or geographic constraints on data movement.

59
MCQhard

Refer to the exhibit. A Microsoft Purview Data Loss Prevention (DLP) policy is configured. What does this policy do?

A.It generates an alert if more than 10 emails with the Confidential label are sent to an external recipient.
B.It blocks all emails sent to external recipients with the Confidential label.
C.It prevents internal users from sending Confidential emails to each other.
D.It automatically applies the Confidential label to emails sent to external recipients.
AnswerA

The alert threshold is set to volume of 10.

Why this answer

Option A is correct because the policy alerts when more than 10 emails with the 'Confidential' label are sent to an external recipient. Option B is wrong because the policy does not block all Confidential emails; it acts only once the 10-email threshold is exceeded. Option C is wrong because it monitors external recipients, not internal.

Option D is wrong because it does not involve SharePoint.

60
MCQeasy

A company uses Microsoft Entra ID. The security team wants to automatically block sign-ins from IP addresses that exhibit brute-force attack patterns. Which capability should they enable?

A.Microsoft Entra Identity Protection
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra External Identities
D.Microsoft Entra Conditional Access
AnswerA

Identity Protection uses machine learning to detect sign-in risks and can block them automatically.

Why this answer

Microsoft Entra Identity Protection is the correct capability because it uses machine learning and heuristic detection to automatically identify and block sign-ins from IP addresses exhibiting brute-force attack patterns, such as repeated failed authentication attempts. It can trigger risk-based policies, including blocking access or requiring multi-factor authentication, without manual intervention. This directly addresses the security team's requirement to automate the response to brute-force patterns.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies based on conditions) with Identity Protection (which provides the risk detection signals), leading them to select D, even though Conditional Access alone cannot automatically detect brute-force patterns without Identity Protection's risk assessments.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) is focused on managing, controlling, and monitoring access to privileged roles (e.g., Global Administrator) through just-in-time activation and approval workflows, not on detecting or blocking brute-force sign-in patterns. Option C is wrong because Microsoft Entra External Identities is designed for managing collaboration with external users (e.g., B2B and B2C scenarios), including identity providers and guest user access, and does not include automated brute-force detection or blocking. Option D is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking access) based on conditions like location or device state, but it does not natively detect brute-force attack patterns; it relies on signals from Identity Protection or other sources to trigger such responses.

61
Multi-Selecthard

Which TWO actions can be performed using Microsoft Entra Identity Governance? (Choose two.)

Select 2 answers
A.Configure self-service password reset
B.Reset user passwords
C.Automate user lifecycle workflows
D.Create conditional access policies
E.Manage access reviews for groups and applications
AnswersC, E

Correct: Lifecycle workflows are part of Identity Governance.

Why this answer

Identity Governance includes access reviews and entitlement management, so Option E (access reviews for groups and applications) is correct. Option C (lifecycle workflows) is also part of Identity Governance. Privileged Identity Management is likewise part of Identity Governance, but assigning roles via PIM is not one of the listed options.

Option A (SSPR) is separate. Option B (resetting user passwords) is a helpdesk task, not a governance capability. Option D (Conditional Access) is not part of Identity Governance.

62
MCQmedium

A company uses Microsoft Defender for Cloud Apps. The security team discovers that a user has granted a third-party OAuth app with 'read all mail' and 'send mail as user' permissions. They want to automatically revoke the authorization for this risky app and block similar apps in the future. Which Defender for Cloud Apps feature should they use?

A.App Discovery
B.Conditional Access App Control
C.OAuth app policies
D.Cloud Discovery
AnswerC

Correct. OAuth app policies allow you to manage and revoke permissions for OAuth apps and set automatic governance actions.

Why this answer

OAuth app policies in Microsoft Defender for Cloud Apps allow security teams to automatically revoke permissions for risky third-party OAuth apps and block future similar apps. This feature specifically governs OAuth consent grants, such as 'read all mail' and 'send mail as user', by enabling automated governance actions like revoking permissions and blocking the app based on risk level.

Exam trap

The trap here is that candidates confuse App Discovery/Cloud Discovery (which identify unmanaged cloud app usage) with OAuth app policies (which specifically govern third-party app permissions and consent grants).

How to eliminate wrong answers

Option A is wrong because App Discovery is a feature for identifying Shadow IT by analyzing traffic logs to discover cloud apps in use, not for managing OAuth app permissions. Option B is wrong because Conditional Access App Control provides real-time session-level monitoring and control (e.g., blocking downloads) for managed apps, but it does not revoke or block OAuth app authorizations. Option D is wrong because Cloud Discovery is the underlying data collection mechanism for App Discovery, focusing on traffic analysis to identify cloud app usage, not on OAuth app governance.

63
MCQmedium

A company uses Microsoft Entra ID and wants to automatically detect potential security risks such as leaked credentials and suspicious sign-in patterns. They also need the ability to investigate these risks and configure automated responses based on risk levels. Which Microsoft Entra capability should they use?

A.Microsoft Entra ID Governance
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management (PIM)
D.Microsoft Entra Domain Services
AnswerB

Identity Protection is the correct service for detecting identity risks and enabling automated risk-based policies such as requiring MFA or password changes.

Why this answer

Microsoft Entra Identity Protection is the correct service because it automatically detects potential security risks such as leaked credentials and suspicious sign-in patterns, provides investigation tools (e.g., risk reports and detailed risk event logs), and enables automated responses like conditional access policies that block or require MFA based on risk levels. This directly matches the scenario's requirements for detection, investigation, and automated remediation.

Exam trap

The trap here is confusing Identity Protection (which handles user and sign-in risk detection and automated response) with Privileged Identity Management (PIM), which only manages privileged role activation and does not detect leaked credentials or suspicious sign-in patterns.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on detecting security risks like leaked credentials or suspicious sign-in patterns. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) is specifically for managing, controlling, and monitoring access to privileged roles (e.g., just-in-time access), not for detecting general user sign-in risks or leaked credentials. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy applications, not risk detection or automated response capabilities.

64
MCQeasy

Your organization uses Microsoft Entra ID free tier. You need to synchronize user accounts from your on-premises Active Directory to the cloud. You also need to synchronize password hashes so that users can use the same password for cloud and on-premises resources. Which tool should you use?

A.Configure Microsoft Entra Domain Services to sync from on-premises.
B.Use Microsoft Graph API to create users and set passwords.
C.Install Microsoft Entra Connect and enable password hash synchronization.
D.Deploy Active Directory Federation Services (AD FS) to enable single sign-on.
AnswerC

Entra Connect synchronizes identities and password hashes.

Why this answer

Microsoft Entra Connect is the correct tool for synchronizing on-premises Active Directory user accounts to Microsoft Entra ID (formerly Azure AD) and enabling password hash synchronization. Password hash synchronization allows users to use the same password for both on-premises and cloud resources by syncing a hash of the on-premises password to Entra ID, which is supported in the free tier of Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Domain Services with Microsoft Entra Connect, thinking that Domain Services can sync from on-premises AD, when in fact it only syncs from Entra ID to the managed domain, not the other way around.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Domain Services (Azure AD DS) provides managed domain services like domain join and Group Policy, but it does not synchronize user accounts from on-premises AD to Entra ID; it syncs from Entra ID to the managed domain, not the reverse. Option B is wrong because the Microsoft Graph API can programmatically create users and set passwords, but it does not provide ongoing synchronization of existing on-premises AD accounts or password hash synchronization; it is an API for manual or scripted operations, not a sync tool. Option D is wrong because Active Directory Federation Services (AD FS) enables single sign-on (SSO) using federation, but it does not synchronize user accounts or password hashes; it relies on an existing identity store and is typically used for federated authentication, not sync.

65
MCQmedium

A company wants to protect against malware and phishing attacks in email and collaboration tools like Microsoft Teams. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Identity
AnswerA

Protects email and collaboration tools from malware and phishing.

Why this answer

Option A is correct because Microsoft Defender for Office 365 protects against threats in email and collaboration tools. Option C is wrong because Defender for Endpoint focuses on devices. Option B is wrong because Defender for Cloud Apps is a CASB.

Option D is wrong because Defender for Identity protects on-premises Active Directory.

66
MCQhard

You are the identity administrator for a large enterprise using Microsoft Entra ID. The company has 50,000 users and recently acquired a smaller company with 2,000 users that uses a third-party identity provider (IdP) based on SAML 2.0. The acquisition must be fully integrated within 30 days. The CISO mandates that all users must use MFA for any access to cloud applications. The acquired company's users currently do not use MFA. You need to choose an approach that minimizes changes to the acquired company's current authentication infrastructure while meeting the MFA requirement. The solution must also allow the acquired company's users to access resources in the parent tenant using their existing credentials. What should you do?

A.Configure B2B collaboration with the acquired company's IdP and enable MFA trust. In the parent tenant, create a Conditional Access policy that requires MFA for guest users.
B.Set up password hash synchronization from the acquired company's IdP to the parent tenant and enable MFA for all synced users.
C.Create new user accounts in the parent tenant for the acquired company's users and assign them Microsoft Entra ID P2 licenses to enable MFA via Conditional Access.
D.Migrate all acquired company users to the parent tenant's on-premises Active Directory and sync them to Microsoft Entra ID. Enable MFA via Conditional Access.
AnswerA

This allows the acquired company to use their existing IdP, and MFA trust allows the parent tenant to accept the acquired company's MFA claims or enforce its own.

Why this answer

Option A is correct because B2B collaboration allows the acquired company's users to authenticate against their existing SAML 2.0 IdP using their current credentials, minimizing infrastructure changes. By enabling MFA trust, the parent tenant can rely on the MFA claims already issued by the third-party IdP if it supports MFA, but since it does not, you can enforce MFA in the parent tenant via a Conditional Access policy that requires MFA for guest users. This approach meets the CISO's mandate without requiring the acquired company to deploy MFA on their own IdP or migrate users.

Exam trap

The trap here is that candidates often assume B2B collaboration cannot enforce MFA for guest users, or they mistakenly think password hash synchronization is a valid option for a third-party SAML IdP, when in fact PHS is only applicable to on-premises Active Directory environments.

How to eliminate wrong answers

Option B is wrong because password hash synchronization (PHS) requires the acquired company's IdP to be integrated with Microsoft Entra ID via Azure AD Connect, which is designed for on-premises Active Directory, not a third-party SAML 2.0 IdP; PHS also does not allow users to authenticate with their existing IdP credentials. Option C is wrong because creating new user accounts in the parent tenant forces the acquired company's users to manage separate credentials, violating the requirement to use their existing credentials. Option D is wrong because migrating users to the parent tenant's on-premises AD is a complex, time-consuming process that cannot be completed within 30 days and fundamentally changes the acquired company's authentication infrastructure, contradicting the goal of minimizing changes.

67
MCQeasy

Your organization wants to label emails and documents as 'Confidential' automatically based on content patterns. Which Microsoft Purview feature should you use?

A.Audit log
B.Retention labels
C.Auto-labeling (sensitivity labels)
D.Data Loss Prevention policy
AnswerC

Auto-labeling applies sensitivity labels automatically based on content.

Why this answer

Option C is correct because auto-labeling policies in Purview automatically apply sensitivity labels based on conditions. Option B is incorrect because retention labels are for retention, not classification. Option D is incorrect because DLP is for protecting data, not labeling.

Option A is incorrect because the audit log is for logging.

68
MCQmedium

Refer to the exhibit. You are reviewing the results of a Microsoft Purview eDiscovery search. Which statement is correct about the search results?

A.The search returned results from both Exchange Online and SharePoint Online
B.The search only returned results from Exchange Online
C.The document is an email message
D.The email has an attachment
AnswerA

The results include an email from Exchange and a document from SharePoint.

Why this answer

Option A is correct because the search results contain both an email from Exchange Online and a document from SharePoint Online, as seen from the sources. Option B is wrong because the results also include a document from SharePoint, not only Exchange Online. Option D is wrong because the email does not have an attachment.

Option C is wrong because the document is a PowerPoint file, not an email.

69
MCQhard

Your company is implementing Microsoft Purview Data Loss Prevention (DLP). You need to prevent users from sharing sensitive data like credit card numbers via email with external recipients, but allow internal sharing. What should you configure?

A.Sensitivity labels with encryption
B.A DLP policy for Exchange Online with a condition 'content contains sensitive information type' and 'shared with people outside my organization'
C.Retention labels and policies
D.Conditional Access policies with session controls
AnswerB

DLP policies can block external sharing of sensitive data while allowing internal sharing.

Why this answer

Option B is correct because DLP policies can be scoped to specific locations (e.g., Exchange Online) and set conditions such as 'when shared with external users'. Option A is wrong because sensitivity labels are applied manually or automatically but do not enforce sharing restrictions. Option C is wrong because retention policies do not block sharing.

Option D is wrong because Microsoft Entra ID Conditional Access controls access, not data sharing.

70
MCQmedium

A security team needs to detect and investigate suspicious activities in their on-premises Active Directory environment, such as pass-the-hash attacks, Kerberoasting, and unusual service account behavior. They also want to integrate these alerts with Microsoft Defender for Cloud for a unified view across hybrid workloads. Which Microsoft security solution should they deploy on-premises?

A.Microsoft Defender for Identity
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Endpoint
AnswerA

Correct. Defender for Identity monitors on-premises AD and detects identity-based attacks like pass-the-hash and Kerberoasting.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to detect and investigate advanced threats in on-premises Active Directory environments, including pass-the-hash attacks, Kerberoasting, and anomalous service account behavior. It uses behavioral analytics and integrates directly with Microsoft Defender for Cloud to provide a unified view across hybrid workloads, enabling security teams to correlate on-premises AD signals with cloud alerts.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers AD attacks, but MDI is the only solution that specifically monitors Active Directory authentication and behavior on domain controllers.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, OneDrive, and Teams from threats like phishing and malware, not on-premises Active Directory attacks. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications and data, not on-premises AD environments. Option D is wrong because Microsoft Defender for Endpoint is designed for endpoint detection and response (EDR) on devices, not for monitoring Active Directory authentication protocols or service account behavior.

71
MCQmedium

You are reviewing a Microsoft Purview sensitivity label configuration. Based on the exhibit, what will happen when this label is applied to a document?

A.The document will be watermarked only.
B.The document will be encrypted and will expire after a set period.
C.The document will be encrypted with AES256, watermarked with 'CONFIDENTIAL', and sharing will be blocked.
D.The document will display a warning before sharing.
AnswerC

All three actions are specified in the label configuration.

Why this answer

Option C is correct because the label includes three actions: encrypt with AES256, apply a watermark, and block sharing. Option B is wrong because there is no expiration. Option D is wrong because the label blocks sharing rather than just warning.

Option A is wrong because the label includes encryption and a sharing block, not just a watermark.

72
Multi-Selecteasy

Which TWO of the following are features of Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Security Information and Event Management (SIEM)
B.Data loss prevention
C.Endpoint detection and response
D.Identity governance
E.Security Orchestration, Automation, and Response (SOAR)
AnswersA, E

Correct: Core SIEM capability.

Why this answer

Microsoft Sentinel is a SIEM and SOAR solution that collects security data across the enterprise and uses AI to detect threats. It does not manage endpoints or provide identity governance.

73
MCQmedium

Refer to the exhibit. The exhibit shows an Azure Policy definition. A storage account named 'storagedev' is created with network ACLs set to allow all traffic (defaultAction: Allow) and no IP rules. What will happen when this policy is assigned?

A.The storage account will be created successfully
B.The policy will audit the storage account and mark it as non-compliant
C.The storage account creation will be denied
D.The storage account will be created, but the policy will modify the ACLs
AnswerC

The policy condition is met, and deny effect blocks creation.

Why this answer

Option C is correct because the condition matches (defaultAction Allow and no IP rules) and the effect is deny, so the storage account creation will be denied. Option A is wrong because the deny effect blocks creation. Option B is wrong because an audit effect would log but not block.

Option D is wrong because the condition is met and the effect is deny, not modify.

74
MCQeasy

A company wants to reduce the attack surface on its Windows devices by blocking common techniques used by malware, such as preventing Office applications from creating child processes or blocking executable files from running from the %TEMP% folder. Which Microsoft Defender for Endpoint feature should be configured?

A.Microsoft Defender Antivirus
B.Attack surface reduction rules
C.Network protection
D.Controlled folder access
AnswerB

These rules target specific malware techniques, such as blocking Office applications from creating child processes and blocking executable files from running from common temporary folders.

Why this answer

Attack surface reduction (ASR) rules are a feature of Microsoft Defender for Endpoint that specifically target common malware behaviors, such as blocking Office applications from creating child processes and preventing executable files from running from the %TEMP% folder. These rules are designed to reduce the attack surface by enforcing policies that stop suspicious or malicious actions at the process level, without relying solely on signature-based detection.

Exam trap

The trap here is that candidates often confuse Attack surface reduction rules with Microsoft Defender Antivirus or Controlled folder access, assuming that any 'blocking' feature is part of the antivirus or that folder protection covers execution, when in fact ASR rules are the only feature that enforces behavior-based policies on process creation and execution from specific locations.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender Antivirus provides real-time antimalware protection through signature-based and behavior-based detection, but it does not include the granular, rule-based controls to block specific behaviors like Office apps spawning child processes or executables from %TEMP%. Option C is wrong because Network protection extends Defender for Endpoint's web protection to block outbound connections to malicious IPs/domains, but it does not control local process creation or file execution from specific folders. Option D is wrong because Controlled folder access protects folders from unauthorized changes by ransomware and other threats, but it does not block the execution of executables from %TEMP% or prevent Office apps from creating child processes.

75
MCQmedium

Your company uses Microsoft Entra ID. You need to monitor and detect suspicious sign-in activities, such as sign-ins from anonymous IP addresses or unfamiliar locations. Which Microsoft Entra feature provides this capability?

A.Microsoft Entra audit logs
B.Conditional Access
C.Microsoft Entra Connect
D.Microsoft Entra ID Protection
AnswerD

ID Protection uses machine learning to detect and respond to identity risks.

Why this answer

Microsoft Entra ID Protection is the correct answer because it is specifically designed to detect and respond to identity-based risks, including suspicious sign-in activities such as sign-ins from anonymous IP addresses (e.g., Tor network) and unfamiliar locations. It uses machine learning algorithms and heuristic detection to assign a risk level to each sign-in, enabling automated remediation or alerting.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy enforcement engine) with the detection capability itself, not realizing that Conditional Access relies on risk assessments from ID Protection to act on suspicious sign-ins.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra audit logs record all changes and activities within the tenant (e.g., user creation, role changes) but do not perform real-time risk detection or analysis of sign-in patterns. Option B is wrong because Conditional Access enforces access policies based on conditions (e.g., location, device state) but does not inherently detect suspicious activities; it relies on signals from other services like ID Protection. Option C is wrong because Microsoft Entra Connect is a tool for synchronizing on-premises Active Directory objects to Microsoft Entra ID and has no role in monitoring or detecting sign-in anomalies.
