Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 676-750

1411 questions total · 19 pages · All types, answers revealed


Page 10 of 19

676
MCQ (hard)

Your organization, Fabrikam Inc., is migrating from on-premises Active Directory to Microsoft Entra ID. You have a custom line-of-business (LOB) application that uses Windows Integrated Authentication (WIA) and requires Kerberos delegation. The application will be hosted on Azure VMs. You need to enable users to sign in to the LOB application using their Microsoft Entra ID credentials without exposing the application to the internet. Which approach should you use?

A.Deploy Microsoft Entra Domain Services and join the VMs to the managed domain. Configure the app to use Windows Integrated Authentication.
B.Use Microsoft Entra Application Proxy with Kerberos Constrained Delegation (KCD). Publish the app through Application Proxy and configure pre-authentication with Entra ID.
C.Set up a site-to-site VPN and join the Azure VMs to the on-premises domain. Configure the app to use Windows Integrated Authentication.
D.Install Azure AD Connect and sync users to Entra ID. Configure the app to use OAuth 2.0.
Answer: B

Application Proxy provides secure remote access and supports KCD for WIA apps.

Why this answer

Option B is correct because Microsoft Entra Application Proxy with Kerberos Constrained Delegation (KCD) lets you publish a Windows Integrated Authentication (WIA) application that runs on-premises or on Azure VMs without opening any inbound path to the application itself: the connector makes only outbound connections to the Application Proxy service, so the application's endpoint stays internal. The Application Proxy service pre-authenticates the user against Microsoft Entra ID (so Conditional Access and MFA apply), and the connector, whose computer account is trusted for constrained delegation to the application's SPN, uses KCD with protocol transition to obtain a Kerberos service ticket on the user's behalf. The user signs in with Entra ID credentials; the application still sees an ordinary Kerberos logon.

Exam trap

The trap here is that candidates treat Microsoft Entra Domain Services as a drop-in replacement for on-premises Active Directory and choose it by reflex. It gives the VMs a domain to join, but on its own it gives users no way to reach the application by signing in to Microsoft Entra ID. Candidates also overlook that the question asks for sign-in with Entra ID credentials and no internet exposure of the app, which rules out the VPN option (users would still sign in with on-premises AD credentials) and the OAuth option (a legacy WIA app would have to be rewritten).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Domain Services provides a managed domain with Kerberos and NTLM support, but users then authenticate to the managed domain rather than to Microsoft Entra ID; there is no Entra ID pre-authentication, Conditional Access or MFA in front of the app, and the option describes no publishing path, so it does not meet the sign-in requirement. (An Application Proxy connector can run inside an Entra Domain Services domain, but that is option B's design, not option A's.) Option C is wrong because a site-to-site VPN plus joining the VMs to the on-premises domain keeps everything on the corporate network, but users would sign in with on-premises Active Directory credentials, not Microsoft Entra ID credentials, and access would depend on network reachability rather than identity. Option D is wrong because synchronising users with Azure AD Connect (Microsoft Entra Connect) does nothing for Kerberos delegation or WIA, and switching the app to OAuth 2.0 means rewriting a legacy application, which is not a migration approach for an existing WIA app.
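The on-premises Active Directory side of the KCD setup that option B depends on, as an added example (not code from the page or from Microsoft's documentation). It assumes hypothetical names: connector host CONNECTOR01, application service account FABRIKAM\svc-lobapp, and internal application URL lobapp.fabrikam.local. Run it from an elevated session on a domain-joined admin host with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the page): on-premises AD configuration that lets a
# Microsoft Entra Application Proxy connector perform Kerberos Constrained
# Delegation (KCD) with protocol transition to a WIA application.
# Hypothetical names: CONNECTOR01, FABRIKAM\svc-lobapp, lobapp.fabrikam.local.
Import-Module ActiveDirectory

$ConnectorHost = 'CONNECTOR01'                 # connector computer account
$AppSpn        = 'HTTP/lobapp.fabrikam.local'  # SPN of the internal app
$AppSvcAccount = 'FABRIKAM\svc-lobapp'         # account the app pool runs as

# 1. The SPN the connector requests a ticket for must be registered on the
#    account the application runs as. setspn -S refuses duplicate SPNs.
setspn -S $AppSpn $AppSvcAccount

# 2. Constrained (not unconstrained) delegation: the connector may delegate
#    to exactly this SPN and nothing else.
Set-ADComputer -Identity $ConnectorHost -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }

# 3. Protocol transition ("use any authentication protocol"). The user reached
#    the connector with an Entra ID token, not a Kerberos ticket, so the
#    connector must use S4U2Self/S4U2Proxy to get a ticket on the user's behalf.
Get-ADComputer -Identity $ConnectorHost | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify. DelegateTo should list only the app SPN; TrustedForDelegation
#    (unconstrained delegation) must stay False.
Get-ADComputer -Identity $ConnectorHost -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The cloud side (publishing the app, choosing Integrated Windows Authentication as the single sign-on mode, and entering the same SPN and the delegated login identity) is done in the Entra admin center for the enterprise application; the connector host must be able to resolve the application's internal hostname and reach the domain controllers. Keeping TrustedForDelegation false matters: unconstrained delegation on the connector would let anyone who compromises it impersonate users to any service.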

677
MCQ (medium)

A user reports that they cannot access a sensitive document in SharePoint Online. The document has a 'Highly Confidential' sensitivity label. You verify the label is applied correctly. What is the most likely reason for the access issue?

A.The label's encryption settings restrict access to specific users
B.The sensitivity label is missing
C.A DLP policy is blocking access
D.A retention policy is blocking access
Answer: A

Encryption can limit access.

Why this answer

Option A is correct because a sensitivity label can carry encryption (rights management) settings that grant permissions only to specific users or groups; a user outside that list is denied even though the file is visible to them in SharePoint. Option B is wrong because the label is applied correctly, not missing. Option C is wrong because DLP policies restrict sharing and exfiltration of content; they do not stop an authorized user from opening a document. Option D is wrong because retention policies govern how long content is kept or when it is deleted; they do not control who can read it.

678
Multi-Select (medium)

Which TWO actions can be performed using Microsoft Purview Data Lifecycle Management?

Select 2 answers
A.Create a retention policy to keep financial records for 7 years
B.Monitor internal emails for policy violations
C.Create a deletion policy to remove old drafts after 30 days
D.Block sharing of sensitive files with external users
E.Automatically classify documents containing PII
Answers: A, C

Retention policies are a core feature of Data Lifecycle Management.

Why this answer

Data Lifecycle Management allows creating retention policies to keep content for a specified period and deletion policies to remove content after a period. It does not classify content (Information Protection) or monitor communications (Communication Compliance).

679
MCQ (easy)

A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?

A.Physical security of the data center hosting the CRM
B.Managing user identities and controlling access to the CRM
C.Patching the underlying operating system of the CRM servers
D.Ensuring network security for the CRM application's backend
Answer: B

The customer is responsible for managing their own user identities, authentication, and authorization within the SaaS application, as well as configuring access policies.

Why this answer

In a SaaS model, the cloud provider is responsible for the security of the underlying infrastructure, including physical data centers, operating systems, and network controls. The customer retains responsibility for securing their own data and identities, which includes managing user accounts, enforcing authentication policies (e.g., Azure AD Multi-Factor Authentication), and controlling access to the CRM application via role-based access control (RBAC). Therefore, managing user identities and access is the customer's primary security responsibility.

Exam trap

The trap here is that candidates often assume the customer is responsible for all security aspects of a SaaS application, but SC-900 emphasizes that the provider handles infrastructure and platform security, leaving the customer with identity, data, and access management.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the sole responsibility of the cloud provider (Microsoft, in the case of Dynamics 365), not the customer. Option C is wrong because patching the underlying operating system of the CRM servers is part of the provider's responsibility for maintaining the SaaS platform's infrastructure. Option D is wrong because ensuring network security for the CRM application's backend, such as firewall rules and DDoS protection at the provider's network layer, is handled by the cloud provider, not the customer.

680
MCQ (medium)

Refer to the exhibit. You are a security analyst using Microsoft Sentinel. You run this KQL query. What does the query return?

A.High-severity alerts that do not have an incident assigned.
B.High-severity alerts that were closed within the last hour.
C.Incident IDs for high-severity alerts that have an open incident.
D.All incidents created in the last hour.
Answer: C

The query filters for high-severity alerts, joins with incidents, and filters out closed ones.

Why this answer

The query returns incident IDs for high-severity alerts whose associated incident is not closed. Option A is wrong because the query joins alerts to incidents, so alerts with no incident are dropped rather than selected. Option B is wrong because the query keeps open incidents and discards closed ones, and nothing in it filters on the last hour. Option D is wrong because the severity filter and the join restrict the result to incidents tied to high-severity alerts, not to all incidents.
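A query with the behaviour the answer describes, run against a Sentinel workspace from PowerShell, as an added example; the page's exhibit is not reproduced here, so this is an illustration of the pattern, not the exam's query. It assumes the Az.OperationalInsights module, a hypothetical placeholder workspace ID, and the standard Sentinel SecurityAlert and SecurityIncident tables.

```powershell
# Added example (not the page's exhibit): incident numbers for high-severity
# alerts whose incident is still open, via Invoke-AzOperationalInsightsQuery.
# The workspace ID below is a hypothetical placeholder.
Import-Module Az.OperationalInsights
Connect-AzAccount | Out-Null

$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # hypothetical

# SecurityIncident logs one row per incident update, so take the latest row per
# incident before testing Status; otherwise an incident closed after being
# reopened/updated can show up as both open and closed.
$Query = @'
SecurityAlert
| where AlertSeverity == "High"
| join kind=inner (
    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | where Status != "Closed"
    | mv-expand AlertIds
    | extend AlertId = tostring(AlertIds)
    | project IncidentNumber, AlertId
) on $left.SystemAlertId == $right.AlertId
| distinct IncidentNumber
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan (New-TimeSpan -Days 7)
$result.Results | Format-Table IncidentNumber
```

The join key is the alert's SystemAlertId, which SecurityIncident carries as a dynamic array in AlertIds; the mv-expand turns that array into one row per alert so the join can match. Without the time span argument the query runs over the workspace's default range, which on a busy tenant is slow and expensive.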

681
MCQ (hard)

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. The security team wants to automatically block the use of a newly discovered high-risk cloud app across all users. What is the most efficient approach?

A.Create a Conditional Access policy to block the app for all users.
B.Manually add the app to the blocked list in the cloud discovery settings.
C.Create an app discovery policy with governance action to unsanction the app.
D.Configure session controls to monitor app usage.
Answer: C

A policy can automatically unsanction (block) the app.

Why this answer

Defender for Cloud Apps app discovery policies run against Cloud Discovery data and can attach a governance action that tags a matching app as unsanctioned automatically; with the Microsoft Defender for Endpoint integration (or a block script generated for the firewall or proxy) that tag is enforced as a block. Option A is wrong because Conditional Access only governs apps that authenticate through Microsoft Entra ID, and a newly discovered shadow-IT app is, by definition, not integrated with the tenant. Option B is wrong because manually unsanctioning each app is not automatic and does not scale as new apps appear. Option D is wrong because session controls (Conditional Access App Control) apply to sanctioned apps federated with Entra ID and are for monitoring and limiting sessions, not for blocking unsanctioned discovered apps.

682
MCQ (medium)

A healthcare organization must demonstrate compliance with HIPAA by assessing their current posture against regulatory controls, tracking improvement actions, and generating reports for auditors. Which Microsoft Purview solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Insider Risk Management
Answer: C

Compliance Manager provides pre-built assessments for regulations like HIPAA, allows tracking of improvement actions, and generates compliance reports.

Why this answer

Microsoft Purview Compliance Manager is the correct solution because it provides a built-in assessment template for HIPAA, enabling the organization to assess its current compliance posture against regulatory controls, track improvement actions, and generate auditor-ready reports. It offers a compliance score, automated control mapping, and evidence collection workflows specifically designed for regulatory frameworks like HIPAA.

Exam trap

The trap here is that candidates confuse Compliance Manager (which assesses and tracks compliance posture) with Information Protection (which protects data) or Insider Risk Management (which detects risky behavior), because all three are Purview solutions but serve fundamentally different compliance lifecycle stages.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., encryption, rights management), not on assessing compliance posture or tracking improvement actions against regulatory controls. Option B is wrong because Microsoft Purview Data Lifecycle Management handles data retention, deletion, and archiving policies (e.g., retention labels, records management), not compliance assessment or audit reporting for HIPAA. Option D is wrong because Microsoft Purview Insider Risk Management detects and investigates risky user activities (e.g., data exfiltration, policy violations), not compliance posture assessment or improvement tracking against regulatory frameworks.

683
MCQ (hard)

A company has a Microsoft Entra ID tenant with thousands of users. They need to ensure that only users with a 'Manager' attribute populated can access a sensitive app. Which approach should they use?

A.Use HR-driven provisioning to populate an on-premises attribute and sync it
B.Create a dynamic group rule that includes users with a non-empty Manager attribute, then target the group in a Conditional Access policy
C.Create an access package in Entitlement Management that requires manager approval
D.Create an Administrative Unit for users with managers and assign the app to that unit
Answer: B

Dynamic groups can automatically include users based on attributes like Manager.

Why this answer

Option B is correct because a dynamic membership rule can test whether an attribute is populated (a rule of the form `(user.<attribute> -ne null)`), and the resulting group can be targeted by a Conditional Access policy on the sensitive app, so only users with that attribute populated are granted access. Only the user properties on Microsoft's supported list for dynamic membership rules can be referenced in a rule; check that list before relying on a particular attribute.

Exam trap

The trap here is confusing attribute-based dynamic group membership with approval workflows or administrative delegation, leading candidates to choose Entitlement Management or Administrative Units instead of the correct Conditional Access and dynamic group combination.

How to eliminate wrong answers

Option A is wrong because HR-driven provisioning populates attributes from an HR system, but it does not enforce access control based on the Manager attribute; it merely syncs data. Option C is wrong because an access package in Entitlement Management with manager approval manages access requests and approvals, but it does not automatically restrict access based on whether the Manager attribute is populated; it requires manual approval. Option D is wrong because Administrative Units are for delegating administrative scope over users and groups, not for controlling application access via attribute-based membership.

684
MCQ (hard)

Your organization is implementing Microsoft Purview Communication Compliance to detect potential regulatory violations. You need to configure a policy that alerts when employees discuss insider trading in emails and Microsoft Teams messages. The solution should minimize false positives. Which action should you take?

A.Include all message types without filtering
B.Use a trainable classifier and train it with sample data
C.Create a global keyword list of insider trading terms
D.Set the policy sensitivity threshold to 90%
Answer: B

Trainable classifiers learn from examples and improve detection accuracy.

Why this answer

Option B is correct because trainable classifiers, once trained on representative samples, recognise the language of the target content rather than isolated words, which cuts false positives. Option A is wrong because scanning every message type with no filtering increases noise and reviewer load. Option C is wrong because a keyword list matches terms out of context and produces many false positives. Option D is wrong because raising a sensitivity threshold reduces the number of matches rather than improving their quality, trading false positives for false negatives.

685
MCQ (hard)

Refer to the exhibit. An administrator runs the PowerShell cmdlet shown. What is the purpose of this command?

A.To show the dynamic membership rules of the Sales group.
B.To list all groups in the Sales department.
C.To list Azure AD roles assigned to the Sales group.
D.To display the display name and user principal name of members of the Sales group.
Answer: D

The cmdlet retrieves group members and selects name and UPN.

Why this answer

The PowerShell cmdlet `Get-AzureADGroupMember -ObjectId <SalesGroupObjectId>` retrieves the members of one Azure AD (Microsoft Entra ID) group as user objects; piped to `Select-Object DisplayName, UserPrincipalName`, the output is reduced to each member's display name and user principal name (UPN), the primary identifiers for users in Microsoft Entra ID. Option D correctly describes this purpose. Note that the AzureAD module is deprecated; the Microsoft Graph PowerShell equivalent is `Get-MgGroupMember -GroupId <id>`.

Exam trap

The trap here is that candidates confuse retrieving group members (Option D) with viewing dynamic membership rules (Option A), because both involve Azure AD groups, but the cmdlet names and parameters differ significantly.

How to eliminate wrong answers

Option A is wrong because `Get-AzureADGroupMember` returns members, not the membership rule; a dynamic group's rule is a property of the group object, read with `Get-AzureADMSGroup -Id <id>` (the `MembershipRule` property) or `Get-MgGroup -GroupId <id> -Property MembershipRule`. Option B is wrong because the cmdlet targets one group by its ObjectId; enumerating groups would use `Get-AzureADGroup` (or `Get-MgGroup`) with a filter on group properties such as DisplayName, since groups have no Department attribute. Option C is wrong because directory role assignments are read with `Get-AzureADDirectoryRoleMember` or `Get-AzureADMSRoleAssignment` (Graph: `Get-MgRoleManagementDirectoryRoleAssignment`), not `Get-AzureADGroupMember`.
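The legacy cmdlet the question refers to next to its Microsoft Graph PowerShell equivalent, as an added example (not the page's exhibit). It assumes a hypothetical placeholder object ID for the Sales group and that the Microsoft.Graph modules are installed.

```powershell
# Added example (not from the page): list a group's members as display name
# and UPN, in the deprecated AzureAD module and in Microsoft Graph PowerShell.
# The group ID is a hypothetical placeholder.
$SalesGroupId = '11111111-1111-1111-1111-111111111111'   # hypothetical

# Legacy AzureAD module. One call returns full user objects; Select-Object
# narrows the output. -All $true avoids the default page-size cap.
Get-AzureADGroupMember -ObjectId $SalesGroupId -All $true |
    Select-Object DisplayName, UserPrincipalName

# Graph PowerShell SDK equivalent. Get-MgGroupMember returns generic
# directoryObjects, so user attributes live in AdditionalProperties, and the
# @odata.type filter drops nested groups, devices and service principals.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'Group.Read.All' | Out-Null
Get-MgGroupMember -GroupId $SalesGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    Select-Object @{ n = 'DisplayName';       e = { $_.AdditionalProperties['displayName'] } },
                  @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties['userPrincipalName'] } }

# The dynamic membership rule (option A) is a property of the group, not of
# its members; MembershipRuleProcessingState shows whether the rule is active.
Get-MgGroup -GroupId $SalesGroupId -Property MembershipRule, MembershipRuleProcessingState |
    Select-Object MembershipRule, MembershipRuleProcessingState
```

When auditing access, prefer the Graph form with the @odata.type filter: a group that contains nested groups is a common reason a "who can reach this app" review under-counts, because the legacy cmdlet lists the nested group as one member rather than expanding it.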

686
MCQ (hard)

Refer to the exhibit. You are reviewing a Privileged Identity Management (PIM) configuration for a role in Microsoft Entra ID. The roleDefinitionId corresponds to a specific role. What is the effect of this configuration?

A.The user is permanently activated for the role for 1 hour.
B.The user is permanently assigned the role for 1 hour.
C.The user can activate the role without approval for up to 1 hour.
D.The user is eligible for the role indefinitely, but activation requires approval and lasts up to 1 hour.
Answer: D

Eligible assignment with no end date, approval required, activation max 1 hour.

Why this answer

Option D is correct because the configuration in the exhibit is an 'Eligible' assignment with no end date, an activation maximum of 1 hour, and approval required for activation. An eligible assignment means the user holds no permissions of the role until they activate it; when they request activation, a designated approver must approve it, and the activation expires after at most 1 hour. Eligibility itself never expires in this configuration, so the user stays eligible indefinitely.

This matches option D: eligible indefinitely, activation requires approval, and each activation lasts up to 1 hour.

Exam trap

The trap here is that candidates confuse 'Eligible' with 'Active' assignments, assuming an eligible assignment means the user already holds the role, when in fact they must activate it first. A second trap is reading the 1-hour value as the lifetime of the assignment rather than the maximum duration of a single activation; the duration and approval requirements are role settings that apply to activations, not to the eligibility itself.

How to eliminate wrong answers

Option A is wrong because 'permanently activated' implies the user is always active in the role, but the configuration shows an 'Eligible' assignment, not an 'Active' assignment. Option B is wrong because 'permanently assigned the role for 1 hour' is contradictory; a permanent assignment has no time limit, and the 1-hour duration applies only to activation, not to the assignment itself. Option C is wrong because, although the 1-hour activation limit is right, the exhibit requires approval for activation; the user cannot activate the role on their own.
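How to read these settings from Microsoft Graph PowerShell rather than from a screenshot, as an added example (not the page's exhibit or Microsoft's code). It assumes the Microsoft.Graph modules, a hypothetical placeholder principal ID, the well-known Global Administrator role template ID, and the PIM rule identifiers Expiration_EndUser_Assignment and Approval_EndUser_Assignment; the AdditionalProperties keys are taken from the Graph unifiedRoleManagementPolicy rule types and should be checked against the current reference.

```powershell
# Added example (not from the page): verify eligible vs. active, maximum
# activation duration and approval requirement for a PIM-managed role.
# Principal ID is a hypothetical placeholder; role ID is the Global Administrator template.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleManagementPolicy.Read.Directory' | Out-Null

$RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$PrincipalId      = '22222222-2222-2222-2222-222222222222'   # hypothetical user

# Eligible assignments. Expiration type 'noExpiration' = eligible indefinitely.
# A user listed here is NOT active in the role until they activate.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
    -Filter "roleDefinitionId eq '$RoleDefinitionId' and principalId eq '$PrincipalId'" |
    Select-Object PrincipalId, @{ n = 'Eligibility'; e = { $_.ScheduleInfo.Expiration.Type } }

# Active assignments (options A/B territory) would appear here instead;
# AssignmentType 'Activated' is a time-bound activation, 'Assigned' is permanent active.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -Filter "roleDefinitionId eq '$RoleDefinitionId' and principalId eq '$PrincipalId'" |
    Select-Object PrincipalId, AssignmentType, @{ n = 'Ends'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }

# Activation settings live on the role's PIM policy, not on the assignment.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleDefinitionId'").PolicyId

$expiration = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment'
$approval   = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment'

[pscustomobject]@{
    MaxActivation    = $expiration.AdditionalProperties['maximumDuration']              # ISO 8601, e.g. PT1H
    ApprovalRequired = $approval.AdditionalProperties['setting']['isApprovalRequired']  # $true for option D
}
```

The split the block makes explicit is the one the question tests: eligibility (and its expiry) is a property of the assignment schedule, while the activation cap and approval requirement are rules on the role management policy, so "eligible forever" and "active for at most one hour, after approval" are not in tension.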

687
MCQ (hard)

Refer to the exhibit. You are deploying a custom assessment automation in Microsoft Defender for Cloud using Bicep. The deployment fails with an error that the resource type is not valid. What is the most likely reason?

A.The API version is not supported.
B.The property 'supportedCloud' should be 'supportedClouds' as an array.
C.The name property is missing.
D.The resource type is misspelled.
Answer: B

The correct property is 'supportedClouds' (plural) and expects an array.

Why this answer

The resource type 'Microsoft.Security/customAssessmentAutomations' is valid and is not misspelled, so option D is out, and an unsupported API version produces an error about the version rather than about the resource type, which makes option A unlikely. The most likely cause in the exhibit is the malformed property: 'supportedCloud' should be 'supportedClouds' and take an array. Option B is correct. Option C is wrong because the name property is present and valid. Before deploying, check the current Bicep/ARM reference for this resource type, since property names and API versions change between preview versions.

688
MCQ (hard)

Your organization uses Microsoft Purview Audit (Standard) and needs to investigate a data breach that occurred 120 days ago. You discover that the required audit logs are not available. What is the most likely reason?

A.The user does not have an appropriate license
B.Audit log retention is limited to 90 days for Audit (Standard)
C.The organization has insufficient storage
D.The audit logs were manually deleted by an administrator
Answer: B

Audit (Standard) retains logs for 90 days; beyond that, logs are purged.

Why this answer

Microsoft Purview Audit (Standard) retained audit records for 90 days at the time this question was written, so an investigation reaching back 120 days finds nothing. Option B is correct. Audit (Premium) retains records for one year by default and supports longer retention policies (up to 10 years with the add-on license). Practitioner note: Microsoft later raised the default Audit (Standard) retention to 180 days for records generated from October 2023 onward; exam material may still cite 90 days.

Options A and C are wrong because licensing only determines which retention tier applies and the customer does not provision storage for the unified audit log; option D is wrong because administrators cannot delete entries from the unified audit log.

689
MCQ (easy)

Your company uses Microsoft Purview to govern data across on-premises and cloud sources. You need to classify sensitive data such as credit card numbers and social security numbers automatically. What should you create?

A.Data loss prevention policies
B.Sensitivity labels
C.Sensitive information types
D.Retention labels
Answer: C

Sensitive information types define patterns for automatic detection of sensitive data like credit card numbers.

Why this answer

Option C is correct because sensitive information types (including built-in types for credit card numbers and U.S. Social Security numbers) are the pattern definitions Microsoft Purview uses to detect and classify data automatically. Option A is wrong because DLP policies consume classification to decide what to block or warn about; they are not the classification mechanism. Option B is wrong because sensitivity labels apply protection based on classification; detection itself comes from sensitive information types (or trainable classifiers). Option D is wrong because retention labels govern how long content is kept.

690
MCQ (medium)

Your company uses Microsoft 365 E5 licenses and wants to prevent sensitive data from being shared externally via email. You need to configure a solution that automatically scans outgoing emails for credit card numbers and blocks them if detected. What should you use?

A.Microsoft Defender for Office 365 Safe Attachments policy
B.Microsoft Purview Data Loss Prevention (DLP) policy for Exchange Online
C.Microsoft Intune App Protection policy
D.Microsoft Entra ID Conditional Access policy
Answer: B

DLP policies can detect and block sensitive data in emails.

Why this answer

Option B is correct because a Purview DLP policy scoped to Exchange Online can inspect outbound mail for sensitive information types such as Credit Card Number and block delivery when the recipient is outside the organisation. Option A is wrong because Defender for Office 365 Safe Attachments detonates attachments to catch malware; it is threat protection, not data loss prevention. Option C is wrong because Intune App Protection policies govern how managed apps handle data on devices, not the content of outbound mail. Option D is wrong because Conditional Access controls who can sign in to Exchange Online and under what conditions; it does not inspect message content.
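The policy described, built in Security & Compliance PowerShell, as an added example (not code from the page or from Microsoft's documentation). It assumes the ExchangeOnlineManagement module and hypothetical policy and rule names; 'Credit Card Number' is the built-in sensitive information type.

```powershell
# Added example (not from the page): Purview DLP policy for Exchange Online that
# blocks outbound mail containing a credit card number when any recipient is
# outside the organisation. Policy/rule names are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession | Out-Null

# Start in test mode with notifications so false positives show up in the DLP
# reports and policy tips before anything is blocked; switch to Enable afterwards.
New-DlpCompliancePolicy -Name 'Block-CC-External-Email' -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Block-CC-External-Email-Rule' -Policy 'Block-CC-External-Email' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'Credit card numbers may not be sent to external recipients.' `
    -GenerateIncidentReport SiteAdmin

# Promote to enforcement once the test-mode reports look right.
Set-DlpCompliancePolicy -Identity 'Block-CC-External-Email' -Mode Enable

# Confirm the rule matches the intent: external scope, block on.
Get-DlpComplianceRule -Policy 'Block-CC-External-Email' |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, ContentContainsSensitiveInformation
```

The AccessScope condition is what keeps internal finance mail flowing while blocking exfiltration; a rule without it blocks credit card numbers in every message, which is usually the first complaint after a DLP rollout.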

691
MCQ (easy)

A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Zero Trust
Answer: B

Granting only the necessary permissions for a job role is the definition of least privilege.

Why this answer

The configuration described—granting each user only the access and actions strictly necessary for their job role—is the direct definition of the least privilege principle. In Microsoft identity and access management, this is implemented by assigning the minimum required permissions via Azure RBAC roles (e.g., Reader instead of Contributor) or using Azure AD Privileged Identity Management (PIM) for just-in-time access. This minimizes the attack surface by ensuring users cannot exceed their authorized scope.

Exam trap

The trap here is that candidates confuse least privilege with separation of duties, but separation of duties focuses on splitting permissions across multiple people to prevent collusion, whereas least privilege restricts each individual to the minimum necessary access.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewall + antivirus + encryption) that uses multiple controls, not a single user-access restriction. Option C is wrong because separation of duties divides critical tasks among multiple users (e.g., one person requests a resource, another approves it) to prevent fraud, not to limit each user to their job-necessary access. Option D is wrong because Zero Trust is a broader security model (never trust, always verify) that includes least privilege as a component but also requires continuous authentication, device health checks, and micro-segmentation—not solely restricting access per job role.

692
MCQ (easy)

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to improve their secure score. What should they do?

A.Implement the security recommendations
B.Remove all virtual machines from the subscription
C.Increase the Azure budget
D.Disable Microsoft Defender for Cloud
Answer: A

Following recommendations directly improves secure score.

Why this answer

Option A is correct because secure score rises as the security recommendations that Defender for Cloud surfaces are remediated. Option B is wrong because removing resources does not improve the score of the resources that remain. Option C is wrong because budget has no bearing on secure score. Option D is wrong because disabling Defender for Cloud removes the assessment altogether.

693
MCQ (easy)

A financial services firm is required by regulatory bodies to monitor employee communications (email, Teams chats) for potential insider trading or market manipulation. They need a solution that allows them to define policies to detect messages containing specific keywords or phrases (e.g., 'confidential', 'insider info'), and then assign flagged messages to designated reviewers for investigation. Which Microsoft Purview solution should they use?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Insider Risk Management
C.Microsoft Purview eDiscovery (Standard or Premium)
D.Microsoft Purview Audit (Standard or Premium)
Answer: A

Correct. Communication Compliance allows policy-based detection of inappropriate or risky messages in communications and provides a review workflow for compliance officers.

Why this answer

Microsoft Purview Communication Compliance is the correct solution because it is specifically designed to detect policy violations in employee communications, such as email and Teams chats, by scanning for sensitive keywords or phrases like 'confidential' or 'insider info'. It then automatically flags and routes these messages to designated reviewers for investigation, directly meeting the regulatory requirement for monitoring potential insider trading or market manipulation.

Exam trap

The trap here is confusing Insider Risk Management (which focuses on behavioral analytics and user risk scores) with Communication Compliance (which directly scans communication content for specific text patterns), leading candidates to choose the wrong solution for keyword-based message monitoring.

How to eliminate wrong answers

Option B (Insider Risk Management) is wrong because it focuses on detecting risky user behaviors and activities (e.g., data exfiltration, unusual file access) rather than scanning the content of communications for specific keywords or phrases. Option C (eDiscovery) is wrong because it is used for searching and exporting content as part of legal or regulatory investigations after an incident has been identified, not for proactive policy-based monitoring and flagging of communications. Option D (Audit) is wrong because it logs user and admin activities for forensic review but does not analyze message content for policy violations or assign flagged items to reviewers.

694
Multi-Select (medium)

Which TWO actions can be performed using Microsoft Purview Communication Compliance? (Choose two.)

Select 2 answers
A.Automatically encrypt emails containing sensitive data
B.Review messages for potential regulatory compliance violations
C.Detect and review emails containing confidential information
D.Prevent the sharing of sensitive data with external users
E.Enforce retention policies for communications
Answers: B, C

Communication Compliance helps organizations detect compliance violations.

Why this answer

Options B and C are correct: Communication Compliance policies scan messages for conditions such as sensitive information types, keywords and classifiers, and route matches to reviewers for potential regulatory violations. Option A is wrong because automatic encryption is a sensitivity label (Information Protection) feature. Option D is wrong because preventing external sharing is a DLP function. Option E is wrong because retention is handled by Data Lifecycle Management, not Communication Compliance.

695
MCQ (medium)

A company wants to reduce help desk calls by allowing users to reset their own passwords. The security team requires that users verify their identity using a registered mobile phone or alternative email before resetting. Additionally, the company policy states that passwords cannot be reused until at least five new passwords have been used. Which Microsoft Entra ID features should they configure to meet these requirements?

A.Self-Service Password Reset (SSPR) and password protection policies (password history enforcement)
B.Self-Service Password Reset (SSPR) and Conditional Access policies
C.Multi-Factor Authentication (MFA) and password protection policies
D.Identity Protection and Authentication Strengths
Answer: A

SSPR handles the self-service reset with identity verification, while password policy enforcement prevents reuse of recent passwords.

Why this answer

Self-Service Password Reset (SSPR) allows users to reset their own passwords, reducing help desk calls. The requirement for identity verification via a registered mobile phone or alternative email is met by SSPR's authentication methods and the number of methods required for reset. The password history requirement is enforced by password policy: for users whose password is managed in on-premises Active Directory (for example, with Microsoft Entra Password Protection extended to AD DS), the domain's 'Enforce password history' setting can be set to remember five or more previous passwords. Note that the cloud-only Microsoft Entra ID password policy blocks reuse of the most recent password but does not expose a configurable history depth, so a 'five new passwords' rule cannot be set to an exact number in a cloud-only tenant.

Exam trap

The trap here is that candidates often confuse Conditional Access with password policies, thinking that Conditional Access can enforce password history, when in fact password history is a separate setting under password protection policies, not a Conditional Access control.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access based on conditions like location or device compliance, but they do not enforce password history rules; password reuse restrictions are managed by password protection policies, not Conditional Access. Option C is wrong because Multi-Factor Authentication (MFA) provides an additional verification step during sign-in, but it does not include password history enforcement; password protection policies are required for that. Option D is wrong because Identity Protection detects risky sign-ins and user behavior, and Authentication Strengths define which authentication methods are acceptable, but neither feature enforces password history or self-service password reset capabilities.

696
Multi-Select (medium)

Which TWO of the following are capabilities of Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Device Management
B.Identity Protection
C.Endpoint Detection and Response
D.Privileged Identity Management
E.Information Protection
Answers: B, D

Identity Protection is a feature of Entra ID.

Why this answer

Microsoft Entra ID includes Identity Protection, which uses machine learning to detect identity-based risks such as leaked credentials and anomalous sign-ins and lets you respond with risk-based Conditional Access policies, and Privileged Identity Management (PIM), which provides just-in-time, time-bound and approval-based activation of privileged roles. Option A (device management) is Microsoft Intune, option C (endpoint detection and response) is Microsoft Defender for Endpoint, and option E (information protection) is Microsoft Purview.

Exam trap

Microsoft often tests the distinction between identity management (Entra ID) and endpoint security (Defender for Endpoint) or device management (Intune), causing candidates to confuse overlapping security terms.

697
MCQ (medium)

Your organization uses Microsoft Purview to label and protect sensitive data. The compliance team wants to automatically apply a 'Confidential' label to documents containing personally identifiable information (PII) stored in SharePoint Online. What should they create?

A.A DLP policy to detect PII
B.A trainable classifier for PII
C.A retention label policy for PII
D.An auto-labeling policy for sensitivity labels
Answer: D

Auto-labeling applies labels automatically to detected sensitive data.

Why this answer

Auto-labeling policies for sensitivity labels apply a label automatically to content in SharePoint Online, OneDrive and Exchange when it matches conditions such as sensitive information types or trainable classifiers. Option A is wrong because a DLP policy acts on content (block, warn, audit) but does not apply a sensitivity label. Option B is wrong because a trainable classifier only recognises content; it can be a condition of an auto-labeling policy but does not apply a label by itself. Option C is wrong because a retention label policy governs retention, not sensitivity labeling.

698
MCQ (hard)

A financial services company is required by the Payment Card Industry Data Security Standard (PCI-DSS) to retain all documents containing credit card numbers for at least seven years. The compliance team has created a custom sensitive information type (SIT) to detect credit card numbers in Microsoft 365. They want to automatically apply a retention label (e.g., "7-Year Retention") to any document in SharePoint or OneDrive that matches this SIT. Which Microsoft Purview solution should they configure to apply the label automatically based on content?

A.Data Loss Prevention (DLP)
B.Insider Risk Management
C.Communication Compliance
D.Data Lifecycle Management
AnswerD

Data Lifecycle Management provides auto-apply retention label policies that can use sensitive information types (SITs) to classify and retain content automatically. This is the correct solution to apply a retention label based on content detection.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview is the solution specifically designed for automatically applying retention labels based on conditions like sensitive information types (SITs). By creating a retention label policy with auto-labeling rules that reference the custom SIT for credit card numbers, DLM can automatically assign the '7-Year Retention' label to documents in SharePoint and OneDrive that contain PCI-DSS data, ensuring compliance with retention requirements.

Exam trap

The trap here is that candidates confuse Data Loss Prevention (DLP) with Data Lifecycle Management because both use sensitive information types, but DLP is for protection (blocking/sharing) while DLM is for governance (retention/deletion).

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is focused on preventing unauthorized sharing or leakage of sensitive data through policies that block or warn users, not on automatically applying retention labels for lifecycle management. Option B is wrong because Insider Risk Management is designed to detect and investigate risky user activities (e.g., data exfiltration) using behavioral analytics, not to apply retention labels based on content matching. Option C is wrong because Communication Compliance monitors communications (e.g., email, Teams) for policy violations like harassment or insider trading, not for applying retention labels to documents in SharePoint or OneDrive.

699
MCQmedium

A company uses Microsoft Purview Information Protection to classify and protect sensitive data. They want to automatically apply a sensitivity label to documents containing credit card numbers. Which should you configure?

A.Use a manual labeling policy requiring users to apply labels
B.Create a trainable classifier for credit card patterns
C.Configure an auto-labeling policy with a sensitive info type for credit card numbers
D.Set up a data classification activity explorer to monitor credit card usage
AnswerC

Auto-labeling policies can use sensitive info types to automatically apply labels.

Why this answer

Option C is correct because auto-labeling policies can apply sensitivity labels automatically based on sensitive information types, such as the built-in credit card number type. Option A is wrong because manual labeling depends on user action and does not meet the 'automatically' requirement. Option B is wrong because a trainable classifier is a detection method for content that does not fit a fixed pattern; credit card numbers are already covered by a built-in sensitive information type, and a classifier applies no label on its own. Option D is wrong because activity explorer is a monitoring and reporting tool.

700
MCQmedium

A company uses Microsoft Entra ID. They want to configure a Conditional Access policy that requires multi-factor authentication (MFA) when a sign-in is assessed as medium or high risk by Microsoft's identity protection signals. For sign-ins with no detected risk, MFA should not be required. Which feature or service provides the risk assessment signals that can be consumed by Conditional Access policies?

A.Identity Protection
B.Privileged Identity Management (PIM)
C.Entitlement Management
D.Identity Governance
AnswerA

Correct. Identity Protection provides risk detection and assessment that can be directly used as a condition in Conditional Access policies.

Why this answer

Identity Protection is the Microsoft Entra service that analyzes billions of sign-in signals using machine learning to assign a risk level (low, medium, high) for each authentication attempt. Conditional Access policies can then consume these risk assessments directly as a condition, enabling granular MFA enforcement only when the sign-in risk is medium or high, while allowing low-risk sign-ins to proceed without MFA.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'identity' and 'security,' but PIM handles role activation and approval workflows, not risk-based sign-in analysis.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM provides just-in-time privileged role activation and access reviews, not risk-based sign-in assessments. Option C (Entitlement Management) is wrong because it manages access packages and catalogs for external user governance, not real-time sign-in risk signals. Option D (Identity Governance) is wrong because it focuses on access certifications, lifecycle workflows, and compliance reporting, not the detection of risky sign-in behaviors.

701
MCQeasy

You are configuring Microsoft Entra ID for a new user. The user will need to access resources in multiple Microsoft cloud services (Office 365, Azure, Dynamics 365). Which Microsoft Entra edition is minimally required to provide single sign-on (SSO) across these services?

A.Microsoft Entra ID Free (included with Office 365)
B.Microsoft Entra ID P2
C.Microsoft Entra ID Free
D.Microsoft Entra ID P1
AnswerC

SSO across Microsoft cloud services is available in the Free edition.

Why this answer

Microsoft Entra ID Free (included with Office 365) provides SSO across Microsoft cloud services such as Office 365, Azure, and Dynamics 365 because all of these services authenticate against the same tenant and the same user identity. SSO to Microsoft services is a core capability of the Free edition, so this scenario needs no additional licensing. The question asks for the minimally required edition, and Free meets the requirement.

Exam trap

The trap here is that candidates often assume SSO requires a premium edition like P1 or P2, but Microsoft Entra ID Free already provides SSO across Microsoft cloud services, and the question specifically asks for the minimally required edition.

How to eliminate wrong answers

Option A describes the same edition as option C (Microsoft Entra ID Free; 'included with Office 365' only states where the Free edition comes from), so it is not a distinct answer, and the answer key marks C. Option B is wrong because Microsoft Entra ID P2 adds Identity Protection and Privileged Identity Management, which are not needed for SSO across Microsoft cloud services. Option D is wrong because Microsoft Entra ID P1 adds Conditional Access and dynamic groups, which are also not needed; the Free edition already provides this SSO.

702
MCQhard

Your organization uses Microsoft Entra ID P2 licenses. You need to implement a process to automatically remove users from a group if they have not signed in for 90 days. Which feature should you use?

A.Conditional Access policy
B.Privileged Identity Management
C.Access reviews in Identity Governance
D.Microsoft Entra ID Protection
AnswerC

Access reviews can automatically remove inactive users.

Why this answer

Access reviews in Identity Governance allow you to automate the review and removal of group memberships based on inactivity criteria, such as users who haven't signed in for 90 days. This feature is specifically designed for periodic attestation and lifecycle management of group memberships, leveraging Microsoft Entra ID P2 licenses.

Exam trap

The trap here is confusing Access Reviews (which handle membership lifecycle based on inactivity) with Conditional Access (which controls access at sign-in) or Privileged Identity Management (which focuses on privileged roles).

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls during sign-in (e.g., requiring MFA or blocking locations) but cannot automatically remove users from groups based on inactivity. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and assignment, not general group membership lifecycle based on sign-in activity. Option D is wrong because Microsoft Entra ID Protection detects and responds to identity risks (e.g., leaked credentials, impossible travel) but does not automate group membership removal based on inactivity.

703
MCQmedium

An organization needs to prevent users from sharing files containing trade secrets with external parties via email. The solution must allow internal sharing. Which Microsoft Purview capability should be configured?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Loss Prevention policies
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Sensitivity Labels with encryption
AnswerB

DLP policies can block sharing of sensitive data via email and other channels.

Why this answer

Option B is correct because a Microsoft Purview DLP policy can detect content that matches a sensitive information type or trainable classifier for trade secrets and block the email only when a recipient is outside the organization, leaving internal sharing allowed. Option A is wrong because Communication Compliance monitors and flags policy violations after the fact; it does not block sharing. Option C is wrong because Data Lifecycle Management handles retention and deletion. Option D is wrong because sensitivity labels with encryption control who can open a file but do not, by themselves, stop a user from sending it externally.

704
MCQmedium

A security analyst needs to query Microsoft 365 audit logs to find all activities where a user deleted a file from SharePoint Online in the last 24 hours. Which tool should they use?

A.Microsoft Sentinel
B.Microsoft Purview compliance portal audit search
C.Microsoft Graph PowerShell
D.Microsoft Defender for Cloud Apps
AnswerB

Provides native audit log search capabilities.

Why this answer

Microsoft Purview compliance portal audit search is the correct tool because it provides a dedicated, searchable interface for querying the Microsoft 365 unified audit log. This log records all user and admin activities, including file deletions from SharePoint Online, and supports time-based filters (e.g., last 24 hours) to retrieve specific events. It is purpose-built for compliance and security investigations without requiring additional licensing or complex scripting.

Exam trap

The trap here is that candidates may confuse Microsoft Sentinel (a SIEM) with a simple audit log search tool, but Sentinel is designed for advanced threat detection and correlation, not for direct, ad-hoc queries of the unified audit log without additional setup.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM that ingests audit logs from multiple sources, but it requires additional licensing and a configured data connector before Microsoft 365 audit events can be queried; it is not the direct tool for a simple audit log query. Option C is wrong because PowerShell can retrieve audit log data (the Search-UnifiedAuditLog cmdlet belongs to the Exchange Online PowerShell module, and Microsoft Graph PowerShell exposes the audit log query API), but either route requires module installation and scripting, making it less straightforward than the Purview portal for a one-off query. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app discovery, session controls, and anomaly detection, not on directly querying the unified audit log for historical file deletion events.
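The same 24-hour SharePoint file-deletion search, run from Exchange Online PowerShell instead of the Purview portal, as an added example that is not part of the original question bank. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role that can read the unified audit log; the session name is an arbitrary label chosen here.

```powershell
# Added example (not the question bank's own code). Searches the unified audit log
# for SharePoint Online file deletions in the last 24 hours and flattens the
# JSON AuditData payload into the fields an analyst needs.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddHours(-24)

# Use a named session with ReturnLargeSet so large tenants are paged instead of
# truncated; each call returns up to 5000 records until the session is exhausted.
$sessionId = "sp-deletes-" + $end.ToString("yyyyMMddHHmm")   # arbitrary label (assumption)
$all = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDeleted, FileRecycled `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page.Count -gt 0)

# AuditData is a JSON string; expand it so the output can be filtered and exported.
$events = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Site      = $d.SiteUrl
        File      = $d.SourceFileName
        ClientIP  = $d.ClientIP
    }
}

$events | Sort-Object Time | Format-Table -AutoSize
# For a hand-off, keep the raw records as well: $all | Export-Csv .\sp-deletes.csv -NoTypeInformation
```

To narrow the search to one person, add -UserIds with the user's UPN; to see whether a deletion was later undone, add FileRestored to -Operations. Audit data is retained for a limited period depending on the audit license, so an investigation that needs older events should rely on a SIEM export rather than this ad-hoc query.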

705
MCQhard

A multinational corporation must comply with regulations that require them to keep financial records for 7 years and then permanently delete them. However, they are currently involved in litigation that requires preservation of all documents related to a specific project. They use Microsoft Purview. Which combination of features should they use to meet both requirements?

A.Data Lifecycle Management to retain for 7 years then delete, and eDiscovery (Premium) to place a legal hold on the project documents
B.Data Lifecycle Management to retain for 7 years then delete, and Sensitivity labels to mark documents
C.Audit (Premium) to log access and eDiscovery (Premium) to search
D.Information Protection to classify data and Data Lifecycle Management to retain
AnswerA

This combination correctly applies a retention-delete policy for financial records and uses legal hold to preserve the specific project documents during litigation.

Why this answer

Option A is correct because Data Lifecycle Management (DLM) allows you to create retention labels that enforce a 7-year retention period followed by automatic deletion, satisfying the regulatory requirement. eDiscovery (Premium) provides the ability to place a legal hold on specific documents, which overrides the deletion policy to preserve data relevant to ongoing litigation. This combination ensures both compliance with the retention/deletion mandate and the preservation obligation.

Exam trap

The trap here is that candidates often confuse Sensitivity labels (which mark or protect data) with retention labels (which enforce lifecycle policies), or assume eDiscovery alone can handle both retention and hold, missing the need for DLM to define the deletion schedule.

How to eliminate wrong answers

Option B is wrong because Sensitivity labels are used for classification and protection (e.g., encryption, marking) but do not provide legal hold functionality to override deletion policies. Option C is wrong because Audit (Premium) logs user activities but does not enforce retention or deletion, and eDiscovery (Premium) alone cannot set a retention schedule; it needs DLM for the lifecycle policy. Option D is wrong because Information Protection classifies data but does not enforce retention or deletion schedules, and DLM alone cannot place a legal hold to preserve documents during litigation.

706
MCQmedium

A company uses Microsoft 365 and allows employees to access corporate email and documents from their personal devices. The security team wants to protect against malicious links in emails and Microsoft Teams messages. When a user clicks a link, it should be checked in real-time to see if it leads to a known malicious site. If it does, access should be blocked. Which Microsoft security solution provides this capability?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Defender for Office 365 includes Safe Links and Safe Attachments to protect against phishing and malicious URLs in email and Teams.

Why this answer

Microsoft Defender for Office 365 includes Safe Links, which provides real-time URL scanning at the time of click. When a user clicks a link in an email or Teams message, the URL is rewritten and checked against a dynamic list of known malicious sites. If the link is determined to be malicious, access is blocked, and the user is redirected to a warning page.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which handles email and collaboration security) with Microsoft Defender for Endpoint (which handles device-level threats), leading them to choose the endpoint solution for a link-scanning scenario.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and device-level threat protection, not on scanning links in email or Teams messages. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility and control over cloud app usage, but it does not perform real-time link scanning in email or Teams. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks, such as lateral movement or privilege escalation, and does not inspect links in communications.
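A Safe Links policy that turns on the time-of-click checks described above for both email and Teams, as an added example that is not code from the original question bank. It is built with the Defender for Office 365 cmdlets in the Exchange Online PowerShell module; the policy name and recipient domain are placeholder assumptions.

```powershell
# Added example (not the question bank's own code). Creates a Safe Links policy
# that rewrites URLs and blocks known-malicious destinations at click time in
# email, Teams and Office apps, then scopes it to recipients with a rule.
Connect-ExchangeOnline

$policyName      = "Time-of-click URL protection"   # assumption: any unique name works
$recipientDomain = "contoso.example"                # placeholder: replace with an accepted domain

$policyParams = @{
    Name                     = $policyName
    EnableSafeLinksForEmail  = $true    # rewrite and check URLs in mail
    EnableSafeLinksForTeams  = $true    # check URLs clicked in Teams chats and channels
    EnableSafeLinksForOffice = $true    # check URLs opened from Office apps
    ScanUrls                 = $true    # detonate links that lead to downloadable content
    DeliverMessageAfterScan  = $true    # hold delivery until the scan finishes
    EnableForInternalSenders = $true    # internal mail is a common path for a compromised account
    AllowClickThrough        = $false   # users cannot bypass the warning page (the "block access" requirement)
    TrackClicks              = $true    # keep click telemetry for later investigation
}
New-SafeLinksPolicy @policyParams

# A policy does nothing until a rule assigns it to recipients.
New-SafeLinksRule -Name "$policyName - all users" `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs $recipientDomain `
    -Priority 0

# Verify the settings that matter for the scenario: protection on, no click-through.
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
                  AllowClickThrough, DeliverMessageAfterScan
```

The AllowClickThrough value is the one to check in an existing tenant: a policy that rewrites links but lets users click through to the original URL only warns, it does not block.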

707
MCQeasy

A company implements multiple layers of security controls including a firewall, an intrusion detection system (IDS), antivirus software on endpoints, and regular security awareness training for employees. This approach is an example of which security concept?

A.Zero Trust
B.Defense in depth
C.Least privilege
D.Shared responsibility
AnswerB

Correct. Defense in depth is the practice of layering diverse security controls to protect against threats, so that a failure in one control does not lead to a complete breach.

Why this answer

Defense in depth is the correct answer because the company is implementing multiple layers of security controls (firewall, IDS, antivirus, and security awareness training) to protect assets. This layered approach ensures that if one control fails, another control is in place to mitigate the threat, which is the core principle of defense in depth.

Exam trap

The trap here is that candidates often confuse defense in depth with Zero Trust because both involve multiple controls, but Zero Trust specifically focuses on identity verification and least-privilege access, not just layered defenses.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not simply the implementation of multiple security layers. Option C is wrong because least privilege is a principle that restricts users and systems to only the permissions necessary to perform their tasks, which is not demonstrated by the layered controls described. Option D is wrong because shared responsibility is a cloud computing model that delineates security obligations between the provider and customer, not an on-premises layered security approach.

708
MCQeasy

You are the security administrator for a company using Microsoft Defender XDR. A user reports receiving a suspicious email with a link. What Microsoft Defender XDR feature should you use to investigate the email's threat level?

A.Email & collaboration in Microsoft Defender XDR
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerA

This provides email threat investigation.

Why this answer

Option A is correct because the Email & collaboration area in Microsoft Defender XDR (Explorer and the email entity page) shows the message's threat verdict, the URLs it contains, and the detection that fired, which is what an analyst needs to judge the reported email. Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint threats. Option C is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security, not email. Option D is wrong because Microsoft Defender for Identity focuses on identity threats.

709
MCQhard

A company wants to implement just-in-time (JIT) privileged access management for their Global Administrators in Microsoft Entra ID. They require that a user must request activation of the Global Administrator role, the request must be approved by a separate administrator, and the role will automatically expire after 4 hours. Additionally, they need an audit trail of all activations. Which Microsoft Entra feature should they use?

A.Microsoft Entra Conditional Access
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management (PIM)
D.Azure Role-Based Access Control (RBAC)
AnswerC

PIM provides just-in-time privileged access with features including role activation, approval workflows, time-bound assignments, and comprehensive auditing, exactly meeting the requirements.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing users to activate roles like Global Administrator on demand, requiring approval from designated approvers, setting a maximum activation duration (e.g., 4 hours), and automatically deactivating the role on expiry. It also maintains a full audit trail of all activations, approvals, and role assignments through the PIM audit history and the Microsoft Entra audit logs, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse Azure RBAC (which manages Azure resource permissions) with PIM (which manages Microsoft Entra ID directory roles and JIT activation), leading them to select option D despite Azure RBAC lacking approval workflows and automatic expiry for directory roles.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access enforces access policies based on signals like user location or device compliance, but it does not provide JIT role activation, approval workflows, or automatic role expiry. Option B is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role activation or approval processes. Option D is wrong because Azure Role-Based Access Control (RBAC) manages permissions for Azure resources (e.g., VMs, storage) using role definitions and assignments, but it does not support JIT activation, approval workflows, or time-bound expiry for Microsoft Entra ID directory roles like Global Administrator.

710
MCQmedium

A company uses Microsoft Entra ID. They want to enforce multifactor authentication (MFA) for all access to a sensitive HR application. However, they only want to require MFA when the sign-in risk is assessed as medium or high, and block access if the risk is high. Which Conditional Access components must the administrator configure to meet these requirements? (Choose the best answer)

A.Assignments (Users and cloud apps) and Session controls (Sign-in frequency)
B.Conditions (Sign-in risk) and Grant controls (Require multifactor authentication, Block access)
C.Conditions (Device platforms) and Grant controls (Require approved client app)
D.Grant controls (Require multifactor authentication) and Session controls (Application enforce restrictions)
AnswerB

Correct. The conditions specify when a policy applies (e.g., when risk is medium or high). Grant controls enforce the required actions: require MFA for medium/high risk and block for high risk. Block access is an available grant control.

Why this answer

Option B is correct because the scenario requires evaluating sign-in risk as a condition, which is configured under Conditions (Sign-in risk) in Conditional Access. The Grant controls then enforce 'Require multifactor authentication' for medium/high risk and 'Block access' for high risk, directly matching the requirements.

Exam trap

The trap here is that candidates confuse Conditions (sign-in risk) with Conditions (device platforms) or Session controls, overlooking that risk-based MFA requires both the risk condition and specific grant controls to enforce different actions per risk level.

How to eliminate wrong answers

Option A is wrong because Session controls like Sign-in frequency manage session lifetime, not risk-based MFA enforcement or blocking. Option C is wrong because Device platforms condition filters by OS type, not sign-in risk, and Require approved client app is a grant control for device compliance, not risk-based access. Option D is wrong because Grant controls alone (Require MFA) cannot differentiate risk levels, and Session controls (Application enforce restrictions) do not provide risk-based blocking or conditional MFA.
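The two policies that questions 700 and 710 describe (MFA on medium or high sign-in risk, block on high risk, nothing extra on no risk), created through the Microsoft Graph PowerShell SDK as an added example that is not code from the original question bank. It assumes the Microsoft.Graph module, a tenant licensed for Microsoft Entra ID P2 (the sign-in risk condition needs Identity Protection), and placeholder IDs for the HR application and an emergency-access account.

```powershell
# Added example (not the question bank's own code). Two risk-based Conditional
# Access policies: Conditions (sign-in risk) select when each applies, Grant
# controls decide what happens. Both start in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$hrAppId      = "00000000-0000-0000-0000-000000000000"   # placeholder: HR app's application (client) ID
$breakGlassId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access account object ID

# Shared assignments: all users on the HR app, with the break-glass account excluded
# so a risk detection on it cannot lock administrators out.
$assignments = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    applications = @{ includeApplications = @($hrAppId) }
}

# Policy 1: medium or high sign-in risk -> require MFA.
$mfaPolicy = @{
    displayName   = "HR app - MFA on medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = $assignments + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: high sign-in risk -> block. When both policies match a high-risk
# sign-in, block wins because Conditional Access applies the most restrictive result.
$blockPolicy = @{
    displayName   = "HR app - block on high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $assignments + @{ signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaPolicy, $blockPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0} -> {1}" -f $created.DisplayName, $created.Id
}
```

A sign-in with no detected risk matches neither policy, so no MFA is required for it, which is the third requirement in question 710. Leaving the policies in report-only mode first lets the sign-in logs show how many users would have been prompted or blocked before enforcement is turned on.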

711
MCQeasy

A company is implementing a new security policy that requires every user to have only the minimum permissions necessary to perform their job duties. Which security principle does this policy align with?

A.Defense in depth
B.Zero Trust
C.Principle of least privilege
D.Separation of duties
AnswerC

The principle of least privilege means users get only the permissions required to perform their job, minimizing potential damage from errors or attacks.

Why this answer

The policy requiring every user to have only the minimum permissions necessary to perform their job duties directly aligns with the Principle of Least Privilege. This principle dictates that users, applications, and systems should be granted the minimal level of access rights needed to complete their tasks, reducing the attack surface and limiting potential damage from compromised accounts. In Microsoft 365, this is implemented through Azure role-based access control (RBAC) and Microsoft Entra roles, where administrators assign specific, scoped roles rather than broad administrative roles such as Global Administrator.

Exam trap

The trap here is that candidates often confuse the Principle of Least Privilege with Zero Trust, but Zero Trust is a broader framework that includes least privilege as one of its core pillars, not the specific policy of minimizing permissions per user.

How to eliminate wrong answers

Option A is wrong because Defense in Depth is a layered security strategy that uses multiple controls (e.g., firewalls, encryption, antivirus) to protect resources, not a principle about limiting individual user permissions. Option B is wrong because Zero Trust is a security model based on the principle of 'never trust, always verify,' which includes least privilege as a component but is broader, encompassing continuous authentication, device health checks, and micro-segmentation. Option D is wrong because Separation of Duties is a control that prevents a single individual from performing conflicting tasks (e.g., both creating and approving a purchase order), which reduces fraud risk but does not specifically address minimizing permissions per user role.

712
MCQmedium

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user passwords and enable password writeback for self-service password reset. Which tool should you use?

A.Microsoft Entra admin center
B.Microsoft Entra Connect Sync
C.Active Directory Federation Services (AD FS)
D.Azure AD Connect (deprecated)
AnswerB

Entra Connect Sync synchronizes identities and supports password hash sync and writeback.

Why this answer

Microsoft Entra Connect Sync (formerly Azure AD Connect) is the correct tool because it synchronizes on-premises Active Directory objects, including password hashes, to Microsoft Entra ID and supports password writeback, which enables self-service password reset (SSPR) to write changed passwords back to on-premises AD. The question specifically requires both password synchronization and writeback, which are core features of Entra Connect Sync.

Exam trap

The trap here is that candidates may confuse the former name 'Azure AD Connect' (Option D) with the current tool, or mistakenly think that AD FS (Option C) can handle password synchronization and writeback, when in fact AD FS only handles authentication federation and not directory synchronization or writeback operations.

How to eliminate wrong answers

Option A is wrong because the Microsoft Entra admin center is a web-based management portal for configuring cloud settings, but it cannot perform the actual synchronization or writeback of passwords from on-premises AD; it relies on a sync engine like Entra Connect Sync. Option C is wrong because Active Directory Federation Services (AD FS) is a federation service used for single sign-on and claims-based authentication, not for synchronizing password hashes or enabling password writeback for SSPR. Option D is wrong because Azure AD Connect is the former name of the tool that has been rebranded as Microsoft Entra Connect Sync; the renamed tool performs the task, but the exam expects the current name, and the old 1.x releases are no longer supported.

713
MCQhard

A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have multiple on-premises applications that use LDAP for authentication. They want to enable single sign-on (SSO) to these applications from the cloud without modifying the applications. Which approach should they use?

A.Microsoft Entra Domain Services
B.Federation with Active Directory Federation Services (AD FS)
C.Pass-through authentication
D.Password hash synchronization with Seamless SSO
AnswerA

Entra Domain Services provides LDAP, Kerberos, and NTLM authentication for legacy apps.

Why this answer

Microsoft Entra Domain Services provides managed domain services such as LDAP, Kerberos, and NTLM authentication without requiring you to deploy and manage domain controllers. Since the on-premises applications use LDAP for authentication and cannot be modified, Entra Domain Services can be used to lift and shift these applications into Azure while enabling SSO from the cloud, as it presents a compatible LDAP interface that the applications can continue to use.

Exam trap

The trap here is that candidates often confuse authentication methods (like Pass-through or Federation) with directory services, not realizing that legacy LDAP-based applications require a domain service that exposes an LDAP endpoint, not just a cloud authentication protocol.

How to eliminate wrong answers

Option B is wrong because Federation with AD FS requires modifying the applications to support SAML or WS-Federation, and it does not natively provide an LDAP interface for legacy applications. Option C is wrong because Pass-through authentication validates passwords against on-premises Active Directory but does not expose an LDAP endpoint for applications to authenticate against; it is an authentication method for cloud apps, not a replacement for LDAP directory services. Option D is wrong because Password hash synchronization with Seamless SSO enables cloud authentication for web-based apps using Kerberos tickets but does not provide an LDAP interface for legacy on-premises applications that require direct LDAP binds.

714
MCQmedium

Your organization uses Microsoft Entra ID. You need to ensure that guest users can access resources without requiring invitation redemption. Which feature should you enable?

A.Application Proxy
B.B2B Collaboration
C.B2B Direct Connect
D.Privileged Identity Management
AnswerC

B2B Direct Connect enables mutual trust without invitations.

Why this answer

Option C is correct because B2B Direct Connect allows guest users to access resources in your Microsoft Entra ID tenant without requiring them to redeem an invitation or accept a consent prompt. This feature establishes a mutual, two-way trust relationship between your tenant and an external Microsoft Entra ID tenant, enabling seamless resource access for users who already exist in the partner's directory.

Exam trap

The trap here is that candidates often confuse B2B Collaboration (which requires invitation redemption) with B2B Direct Connect (which does not), because both involve external users, but only Direct Connect eliminates the redemption step.

How to eliminate wrong answers

Option A is wrong because Application Proxy is used to publish on-premises web applications to external users via Microsoft Entra ID, not to manage guest user access or bypass invitation redemption. Option B is wrong because B2B Collaboration requires guest users to redeem an invitation (via email or direct link) to access resources, which contradicts the requirement of no invitation redemption. Option D is wrong because Privileged Identity Management (PIM) is a service for managing, controlling, and monitoring access to privileged roles within Microsoft Entra ID, not for enabling guest user access without invitation redemption.

715
MCQhard

A financial company needs to prevent any communication between their mergers and acquisitions (M&A) team and the trading desk across all Microsoft 365 channels, including email, Microsoft Teams, and SharePoint. They must ensure that no user in one group can send emails to or chat with users in the other group. Which Microsoft Purview solution should they implement?

A.Information Barriers
B.Communication Compliance
C.Data Lifecycle Management
D.Data Loss Prevention (DLP)
AnswerA

Correct. Information Barriers enforce restrictions between user segments to prevent unwanted communication and collaboration.

Why this answer

Information Barriers (IB) is the correct solution because it is specifically designed to prevent communication and collaboration between two user groups across Microsoft 365 services, including email, Teams, and SharePoint. By defining policies that block segments (e.g., M&A team and trading desk), IB enforces restrictions at the transport, chat, and document level, ensuring no email, chat, or file sharing occurs between the groups. This directly addresses the requirement to isolate the M&A team from the trading desk across all channels.

Exam trap

The trap here is that candidates often confuse Information Barriers with Communication Compliance, mistakenly thinking that monitoring and blocking are the same, but Communication Compliance only detects and reports violations after the fact, whereas Information Barriers proactively prevents communication from occurring.

How to eliminate wrong answers

Option B (Communication Compliance) is wrong because it is designed for monitoring and detecting policy violations (e.g., insider trading, harassment) after communication occurs, not for proactively blocking communication between groups. Option C (Data Lifecycle Management) is wrong because it focuses on retaining or deleting data based on age or classification, not on restricting communication between users. Option D (Data Loss Prevention) is wrong because it prevents sensitive data from being shared externally or with unauthorized users, but it does not block all communication between two internal groups across all channels.

716
MCQ · medium

You are the compliance administrator for a healthcare organization that must comply with HIPAA. You need to automatically detect and prevent patients' protected health information (PHI) from being shared via email. Additionally, you need to retain all emails containing PHI for 6 years. You also need to allow users to manually classify documents as 'Medical Record' with encryption that expires after 30 days. Which combination of Microsoft Purview solutions should you implement?

A. Data Loss Prevention (DLP) policy to block PHI; retention policy for 6 years on emails containing PHI; sensitivity label with encryption and expiration
B. Data Loss Prevention (DLP) policy to block PHI; eDiscovery to retain emails; sensitivity label with encryption
C. Retention label for 6 years; sensitivity label with encryption; communication compliance to monitor sharing
D. Data Loss Prevention (DLP) policy to block PHI; auto-labeling policy to apply retention label; no manual label needed
Answer: A

DLP blocks sharing; retention policy retains; sensitivity label provides manual classification with encryption and expiration.

Why this answer

DLP detects and prevents sharing of PHI via email. A retention policy retains emails containing PHI for 6 years. A sensitivity label allows users to manually apply encryption with expiration.

Option A: DLP handles prevention, the retention policy handles retention, and the sensitivity label handles manual classification with expiring encryption. Option B: eDiscovery does not retain email or prevent sharing. Option C: includes no DLP policy, so nothing prevents PHI from being shared. Option D: an auto-applied retention label cannot provide manual classification or expiring encryption.

717
MCQ · easy

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

A. Defense in Depth
B. Zero Trust
C. Least Privilege
D. Shared Responsibility
Answer: B

Zero Trust is based on the principle of 'never trust, always verify,' assumes breach, and verifies every access request regardless of location or network.

Why this answer

Zero Trust is the correct model because it explicitly assumes breach, eliminates implicit trust, and requires continuous validation of every access request. This aligns with the core Zero Trust principle of 'never trust, always verify,' which mandates that no user, device, or network is trusted by default, even if they are inside the corporate perimeter.

Exam trap

The trap here is that candidates often confuse Zero Trust with Least Privilege, but Zero Trust is a broader architectural model that includes continuous validation and breach assumption, whereas Least Privilege is only one component of access control.

How to eliminate wrong answers

Option A is wrong because Defense in Depth is a layered security strategy that uses multiple controls (e.g., firewalls, antivirus, IDS) to protect assets, but it does not inherently assume breach or require continuous verification of every access request. Option C is wrong because Least Privilege is a principle that grants users only the minimum permissions needed to perform their tasks, but it does not encompass the continuous validation or breach assumption aspects of the described model. Option D is wrong because Shared Responsibility is a cloud security model that defines which security tasks are handled by the cloud provider versus the customer, and it does not address the elimination of implicit trust or continuous access verification.

718
MCQ · medium

A company uses Microsoft Entra ID. They want to enforce that users accessing the finance app from outside the corporate network must use multifactor authentication (MFA) and access from a device marked as compliant. Additionally, if the user's sign-in risk is medium or higher, access must be blocked. Which component of a Conditional Access policy should the administrator configure to specify the 'Block access' action for high-risk sign-ins?

A. Grant controls
B. Conditions
C. Assignments
D. Session controls
Answer: A

Grant controls allow you to either 'Block access' or require specific conditions (e.g., MFA, compliant device) to grant access. The 'Block access' option is located here.

Why this answer

The 'Block access' action is specified within the Grant controls section of a Conditional Access policy. Grant controls allow administrators to either require specific conditions (like MFA or compliant device) to be met for access to be granted, or to explicitly block access entirely. By selecting 'Block access' in the Grant controls, the policy enforces that any user meeting the policy's conditions (such as high sign-in risk) is denied access.

Exam trap

The trap here is that candidates often confuse the 'Conditions' section (where sign-in risk is defined as a trigger) with the 'Grant controls' section (where the resulting action of blocking access is configured), leading them to incorrectly select Conditions instead of Grant controls.

How to eliminate wrong answers

Option B is wrong because Conditions define the signals or triggers for the policy (e.g., sign-in risk level, user location, device platform), not the resulting action. Option C is wrong because Assignments specify which users, groups, or applications the policy applies to, not the control action. Option D is wrong because Session controls enforce limitations on an active session (e.g., app-enforced restrictions, sign-in frequency) but do not include a 'Block access' action.

719
MCQ · easy

Your organization uses Microsoft Defender XDR. The security team wants a central dashboard showing the overall security posture and recommended actions. Which tool should they use?

A. Microsoft Purview
B. Microsoft Entra ID
C. Microsoft Sentinel
D. Microsoft Secure Score
Answer: D

Microsoft Secure Score provides a centralized security posture dashboard.

Why this answer

Option D is correct because Microsoft Secure Score provides a dashboard with security recommendations and posture assessment. Option A is incorrect because Microsoft Purview is for data governance. Option B is incorrect because Microsoft Entra ID is identity management. Option C is incorrect because Microsoft Sentinel is a SIEM.

720
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. A device compliance policy
B. A conditional access policy
C. A device configuration policy
D. An app protection policy
Answer: B

Conditional access can require compliant device for access.

Why this answer

Conditional access policies in Microsoft Entra ID can require device compliance for accessing cloud apps like Exchange Online, so Option B is correct. Option A is wrong because compliance policies only define what compliant means; they do not enforce access. Option C is wrong because device configuration policies set device settings, not access. Option D is wrong because app protection policies manage app data, not device compliance.

721
MCQ · hard

Refer to the exhibit. A Conditional Access policy is defined as shown. Which client applications will be blocked?

A. Browser-based applications accessing Office 365.
B. Exchange ActiveSync clients only.
C. Legacy authentication clients such as IMAP, POP, and SMTP.
D. Applications using modern authentication (e.g., Outlook for Windows with OAuth).
Answer: C

These are included in 'otherClients' and 'exchangeActiveSync'.

Why this answer

The policy targets 'Legacy authentication clients' such as IMAP, POP, and SMTP, which do not support modern authentication protocols like OAuth 2.0. These protocols rely on basic authentication and are blocked by Conditional Access policies configured to require modern authentication. Option C is correct because the policy explicitly blocks these legacy protocols.

Exam trap

The trap here is that candidates may confuse 'Exchange ActiveSync clients' (which can use modern authentication) with legacy protocols like IMAP/POP/SMTP, or assume that all browser-based apps are blocked, when the policy specifically targets legacy authentication clients only.

How to eliminate wrong answers

Option A is wrong because browser-based applications accessing Office 365 typically use modern authentication (e.g., OAuth 2.0 via the browser) and are not blocked unless the policy specifically targets browser-based apps. Option B is wrong because Exchange ActiveSync clients can use modern authentication (e.g., OAuth 2.0) and are not inherently blocked; the policy targets legacy authentication, not all ActiveSync clients. Option D is wrong because applications using modern authentication (e.g., Outlook for Windows with OAuth) are explicitly allowed by the policy, as it only blocks legacy authentication clients.

722
MCQ · easy

Your company uses Microsoft Intune to manage devices. You need to ensure that only devices that are compliant with your security policies can access corporate email via Microsoft Outlook. What should you implement?

A. Windows Information Protection
B. Device compliance policies
C. App protection policies
D. Conditional Access policies
Answer: D

Conditional Access policies enforce access controls based on conditions like device compliance.

Why this answer

Option D is correct because Conditional Access policies in Entra ID can enforce device compliance as a condition for accessing cloud apps like Exchange Online. Option A is wrong because Windows Information Protection (WIP) protects corporate data on devices but does not control access to email. Option B is wrong because device compliance policies define compliance requirements but do not enforce access control. Option C is wrong because app protection policies protect data within apps but do not control access based on device compliance.

723
Multi-Select · medium

Which TWO Microsoft Entra ID features can be used to protect against credential theft? (Choose two.)

Select 2 answers
A. Passwordless authentication
B. Self-Service Password Reset (SSPR)
C. Microsoft Entra ID Domain Services
D. Microsoft Entra ID Connect
E. Conditional Access policies that require MFA
Answers: A, E

Eliminates password-related risks.

Why this answer

Passwordless authentication (Option A) eliminates the use of passwords entirely, removing the primary vector for credential theft such as phishing or password spraying. By relying on biometrics, FIDO2 security keys, or Microsoft Authenticator, there is no password to steal, directly mitigating credential theft attacks.

Exam trap

The trap here is that candidates often confuse SSPR (a recovery mechanism) with a preventive control, or mistakenly think Entra ID Connect or Domain Services offer security features they do not, when the question specifically asks for features that protect against credential theft.

724
Multi-Select · hard

Which THREE components are part of the Microsoft Entra External Identities suite?

Select 3 answers
A. Azure AD B2B (now Entra External ID)
B. Conditional Access
C. B2C (business-to-consumer)
D. B2B collaboration
E. Identity Protection
Answers: A, C, D

This is the core of External Identities.

Why this answer

Option A is correct because Azure AD B2B (now rebranded as Entra External ID) is a core component of the Microsoft Entra External Identities suite, enabling organizations to securely share applications and resources with external users (guests) while maintaining control over their own corporate data. This service allows external partners to use their own identity provider (e.g., Microsoft, Google, or SAML/WS-Fed IdPs) without requiring a separate account in the tenant.

Exam trap

The trap here is that candidates often confuse security features like Conditional Access or Identity Protection with the core identity management components of the External Identities suite, because Microsoft bundles these services under the broader Microsoft Entra umbrella, but the exam specifically tests which services directly handle external user identity lifecycle and collaboration.

725
MCQ · easy

A small business uses Microsoft 365 Business Premium. The owner wants to ensure that employees can access their email and files from anywhere, but only from trusted devices that comply with company security policies (e.g., have antivirus enabled and are up-to-date). They have heard about Microsoft Intune but are not sure if it's included. You need to recommend a solution that enforces device compliance for accessing company data. What should you do?

A. Configure Conditional Access to require managed devices
B. Require all employees to use company-issued devices that are domain-joined
C. Use Microsoft Intune to create device compliance policies and a Conditional Access policy to require compliant devices
D. Enable Security Defaults in Entra ID
Answer: C

Intune is included in Business Premium and can enforce compliance.

Why this answer

Option C is correct because Microsoft 365 Business Premium includes Microsoft Intune, which can be used to create device compliance policies and a Conditional Access policy to require compliant devices. Option A is wrong because Require Managed Devices is a Conditional Access grant control, but it depends on Intune enrollment, which the option does not mention. Option B is wrong because requiring personal devices to be domain-joined is unrealistic for a small business. Option D is wrong because Security Defaults do not enforce device compliance.

726
MCQ · hard

You are reviewing a Microsoft Purview DLP policy rule represented in JSON. What is the effect of this rule?

A. It blocks the sending of an email if it contains 10 or more credit card numbers with high confidence
B. It notifies the user when a single credit card number is detected in email
C. It triggers a policy tip when a single credit card number is detected
D. It blocks access to a SharePoint site containing credit card numbers
Answer: A

The condition specifies instanceCount 10 and high confidence, and the action is BlockAccess.

Why this answer

Option A is correct because the JSON rule defines a condition where the DLP policy blocks email transmission when the count of credit card numbers detected with high confidence meets or exceeds 10. The 'BlockAccess' action in the rule enforces this by preventing the email from being sent, and the 'NotifyUser' action with 'NotifyOnly' set to false ensures the user is notified of the block. This matches the behavior of a Microsoft Purview DLP policy that uses a threshold-based condition with high confidence to block sensitive data sharing.

Exam trap

The trap here is that candidates often confuse the 'NotifyUser' action with a simple policy tip or notification, overlooking that the 'BlockAccess' action combined with a threshold count (10) means the email is blocked, not just flagged, and that the rule is scoped to Exchange, not SharePoint.

How to eliminate wrong answers

Option B is wrong because the rule specifies a minimum count of 10 credit card numbers (via the 'Count' parameter set to 10), not a single instance, and the action is 'BlockAccess' with notification, not merely a notification without blocking. Option C is wrong because a policy tip is a type of notification that appears in Outlook or other apps, but the rule's 'NotifyUser' action with 'NotifyOnly' set to false indicates a block occurs, not just a tip; a policy tip alone would require 'NotifyOnly' set to true. Option D is wrong because the rule's 'Location' is set to 'Exchange' (email), not SharePoint; DLP policies are location-specific, and this rule applies to email transport, not SharePoint site access.

727
Multi-Select · hard

An organization uses Microsoft Purview Audit to meet compliance requirements. Which TWO types of audit logs can be accessed?

Select 2 answers
A. Windows Security event logs
B. Azure Active Directory audit logs
C. Purview advanced audit logs
D. Microsoft 365 unified audit log
E. Azure SQL Database audit logs
Answers: C, D

Correct: Part of Purview Audit.

Why this answer

The Microsoft 365 unified audit log covers most services, and Purview Audit also includes advanced audit features. Azure AD audit logs are separate, Windows Security event logs are not directly included, and Azure SQL Database audit logs are separate.

728
MCQ · easy

A company wants to automatically remove a user's access to all applications when the user leaves the organization. Which Microsoft Entra feature can help achieve this?

A. Access Reviews
B. Privileged Identity Management
C. Conditional Access
D. Identity Protection
Answer: A

Access reviews can remove access for inactive or departed users.

Why this answer

A is correct because Access Reviews in Microsoft Entra allow administrators to create recurring reviews of user access to applications and groups. When a user leaves the organization, an access review can be configured to automatically remove their access by either disabling the user or removing them from the assigned groups/applications based on the review outcome. This directly addresses the requirement to automatically remove access upon departure.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with access lifecycle management, mistakenly thinking PIM handles all access removal, when in fact PIM only manages privileged role activation and not general application access removal.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for automatically removing a user's access to all applications when they leave; it focuses on managing and auditing privileged roles, not general application access. Option C is wrong because Conditional Access enforces policies based on signals like location or device compliance to grant or block access in real time, but it does not automatically remove a user's access when they leave the organization—it controls access conditions, not lifecycle-based removal. Option D is wrong because Identity Protection detects and responds to identity-based risks such as compromised credentials or suspicious sign-ins, but it does not handle the automated removal of access for departing users; it focuses on risk remediation, not lifecycle management.

729
Multi-Select · easy

Which TWO Microsoft Purview solutions can help detect and prevent data exfiltration?

Select 2 answers
A. Microsoft Purview Insider Risk Management
B. Microsoft Purview Audit
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Compliance Manager
E. Microsoft Purview eDiscovery
Answers: A, C

Correct: Insider Risk Management detects risky user activities that may lead to exfiltration.

Why this answer

Data Loss Prevention (DLP) and Insider Risk Management are both designed to detect and prevent data exfiltration. Option B (Audit) logs activity but does not prevent exfiltration. Option D (Compliance Manager) manages compliance posture. Option E (eDiscovery) is for legal discovery.

730
MCQ · medium

Your organization recently deployed Microsoft Defender for Cloud Apps. You need to identify which users are using a personal Dropbox account to access corporate files. Which feature should you use?

A. Activity policies
B. Cloud Discovery
C. File policies
D. App permissions
Answer: B

Cloud Discovery analyzes traffic logs to identify shadow IT and unsanctioned cloud apps.

Why this answer

Option B is correct because Cloud Discovery identifies shadow IT usage, such as a personal Dropbox account. Option A is incorrect because activity policies monitor activities but do not discover apps. Option C is incorrect because file policies are for DLP, not discovery. Option D is incorrect because app permissions focus on OAuth apps.

731
MCQ · easy

A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?

A. Defense in depth
B. Least privilege
C. Zero Trust
D. Shared responsibility
Answer: A

Defense in depth uses multiple overlapping security controls so that the failure of one layer does not leave the organization unprotected.

Why this answer

Defense in depth is the correct principle because it describes a layered security strategy where multiple independent controls (firewall, IDS, antivirus, MFA) are deployed so that if one layer fails, another layer can still prevent or detect an attack. This approach explicitly relies on redundancy and diversity of controls to provide resilience against failures or bypasses, as illustrated by the architect's explanation of how each subsequent layer compensates for potential gaps in the previous one.

Exam trap

The trap here is that candidates may confuse 'Defense in depth' with 'Zero Trust' because both involve multiple controls, but Zero Trust is specifically about continuous verification and micro-segmentation, not the layered redundancy described in the scenario.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on deploying multiple overlapping security controls. Option C (Zero Trust) is wrong because it is a security model based on 'never trust, always verify' and continuous authentication/authorization for every access request, not specifically on layering independent defenses. Option D (Shared responsibility) is wrong because it is a cloud computing model that delineates security obligations between the provider and customer, not a strategy for stacking multiple on-premises or hybrid controls.

732
MCQ · medium

An organization needs to automatically apply a 'Confidential' label to documents that contain EU personal data, and also encrypt those documents. Which Microsoft Purview feature should they configure?

A. Data Loss Prevention (DLP) policy
B. Retention label policy
C. Data classification service
D. Auto-labeling policy
Answer: D

Automatically applies sensitivity labels based on conditions, and labels can include encryption.

Why this answer

Auto-labeling policies can be configured to automatically apply sensitivity labels based on sensitive info types like EU personal data. Sensitivity labels support encryption. Data classification is a prerequisite, but auto-labeling is the feature that applies the label automatically.

733
MCQ · medium

A company uses Microsoft Sentinel for security operations. They want to automatically create an incident and assign it to a senior analyst when a high-severity alert is generated. Which feature should they use?

A. Analytics rule
B. Automation rule
C. Workbook
D. Playbook
Answer: B

Automation rules can create incidents and assign them automatically.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses to incidents, including creating incidents, assigning them, and running playbooks. Option A is incorrect because analytics rules generate alerts; they do not manage incident actions. Option C is incorrect because workbooks provide visualization, not automation. Option D is incorrect because playbooks are triggered by automation rules and do not create incidents themselves.

734
MCQ · medium

An organization uses Microsoft Entra ID. They want to automatically detect when a user's sign-in shows a high risk of compromise (e.g., impossible travel, anonymous IP address) and immediately require the user to reset their password. Which Microsoft Entra capability should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Access Reviews
Answer: B

Correct. Microsoft Entra ID Protection provides risk detection and risk-based policies that can automatically require a user to change their password when high user risk is detected.

Why this answer

B is correct because Microsoft Entra ID Protection uses machine learning to detect risk signals such as impossible travel and anonymous IP addresses. When a user's sign-in is flagged as high risk, Identity Protection can be configured to automatically trigger a password reset as a remediation action, enforcing the principle of least privilege and reducing the window of compromise.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the policy enforcement layer that can use Identity Protection risk detections as a condition, not the detection and remediation engine itself.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-in) based on conditions, but it does not itself detect risk signals or automatically trigger password resets; it relies on Identity Protection risk detections as a condition. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not user sign-in risk detection or password reset automation. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time risk-based sign-in detection or password reset enforcement.

735
MCQ · medium

Your company uses Microsoft Entra ID with P2 licenses. You want to require approval for users to activate the Global Administrator role. Which feature should you configure?

A. Privileged Identity Management (PIM)
B. Identity Protection
C. Conditional Access
D. Access reviews
Answer: A

PIM enables approval workflows for role activation.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time privileged access, including the ability to require approval for role activation. By configuring PIM for the Global Administrator role, you can enforce that users must request activation and receive approval before gaining the role's permissions, ensuring least-privilege and auditability.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls sign-in conditions) with PIM's approval workflow, but Conditional Access cannot enforce a multi-step approval process for role activation; only PIM provides that capability.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and responding to identity risks (e.g., compromised accounts, risky sign-ins) and does not manage role activation workflows or approval requirements. Option C (Conditional Access) is wrong because it enforces access policies based on conditions like location or device state, but it does not provide approval-based role activation; it controls sign-in access, not role elevation. Option D (Access reviews) is wrong because it periodically recertifies existing role assignments, ensuring they are still needed, but it does not enforce an approval step for activating a role in real time.

736
Multi-Select · easy

Which TWO Microsoft Entra features can be used to enforce multifactor authentication (MFA)?

Select 2 answers
A. Self-Service Password Reset
B. Security defaults
C. Identity Protection
D. Privileged Identity Management
E. Conditional Access
Answers: B, E

Security defaults enforce MFA for all users.

Why this answer

Security defaults is a baseline security policy that Microsoft automatically enables for eligible tenants, enforcing MFA registration and requiring MFA for all users during sign-in. It provides a simple, pre-configured way to enforce MFA without requiring additional licensing or configuration of Conditional Access policies.

Exam trap

The trap here is that candidates often confuse Identity Protection or PIM as direct MFA enforcement features, when in reality they are risk-detection or privilege-management services that rely on Conditional Access to actually enforce MFA.

737
MCQ · medium

You are a security administrator for a company that uses Microsoft 365. The company has a Microsoft Purview Data Loss Prevention (DLP) policy that blocks sharing of Social Security Numbers (SSNs) externally. Recently, a user accidentally sent an email containing SSNs to an external partner after overriding the policy by selecting a business justification. Management wants to prevent users from overriding the policy for SSNs. You need to update the DLP policy to ensure that users cannot override the block for SSNs. What should you do?

A. Modify the rule to set 'Allow override' to 'No' in the policy tip configuration.
B. Increase the rule priority to ensure it is enforced before other rules.
C. Remove the policy tip from the rule to prevent users from overriding.
D. Change the action from 'Block with override' to 'Block' and remove the policy tip.
Answer: A

This disables the override option while keeping the policy tip.

Why this answer

Option A is correct because the 'Allow override' setting in the policy tip configuration directly controls whether users can bypass a DLP block action by providing a business justification. Setting this to 'No' prevents any override for the rule that blocks SSNs, ensuring that the block is enforced without exception. This is the specific mechanism in Microsoft Purview DLP to disable user overrides for a given rule.

Exam trap

The trap here is that candidates may think removing the policy tip or changing the action to 'Block' is necessary, but the correct approach is to keep the policy tip and disable the override setting, which is a subtle but distinct configuration in the DLP rule properties.

How to eliminate wrong answers

Option B is wrong because increasing rule priority only affects the order in which rules are evaluated, not the ability to override a rule; it does not change the override behavior. Option C is wrong because removing the policy tip would hide the notification from users, but the underlying 'Block with override' action would still allow override via other methods (e.g., Outlook client override prompts). Option D is wrong because changing the action to 'Block' and removing the policy tip would indeed prevent override, but this is not the intended method—the correct approach is to keep the policy tip and set 'Allow override' to 'No', which maintains user awareness while disabling the override capability.

738
Multi-Select · hard

A security team is using Microsoft Entra ID Protection. They want to automatically block sign-ins from known malicious IP addresses, but if a user's account is compromised (e.g., leaked credentials), they want to force the user to change their password upon next sign-in. Which two risk policies should they configure? (Select all that apply.)

Select 2 answers
A. Sign-in risk policy set to 'Block access' for High risk
B. User risk policy set to 'Allow access' with 'Require password change' for High risk
C. MFA registration policy
D. Conditional Access policy with a custom block rule
Answers: A, B

This policy automatically blocks sign-ins from high-risk scenarios, such as anonymous IP addresses.

Why this answer

Option A is correct because the sign-in risk policy in Microsoft Entra ID Protection can be configured to automatically block access when a sign-in is detected as high risk, such as from a known malicious IP address. This policy evaluates real-time risk signals during authentication and enforces the specified action (e.g., 'Block access') without requiring additional Conditional Access policies. Option B is correct because the user risk policy acts on the account itself rather than on a single sign-in: when a user is flagged as high risk (for example, through leaked credentials), allowing access with 'Require password change' forces a secure password change at the next sign-in, remediating the compromised account.

Exam trap

The trap here is that candidates might confuse the sign-in risk policy and user risk policy with Conditional Access policies or MFA registration, but the question explicitly asks for risk policies within Entra ID Protection, not generic Conditional Access or registration policies.

739
MCQeasy

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that company data on personal devices is protected if the device is lost or stolen. What should you configure?

A.Compliance policy with device health requirements
B.Conditional Access policy requiring compliant devices
C.Full wipe action
D.Selective wipe action
AnswerD

Selective wipe removes only managed company data, preserving personal data.

Why this answer

Selective wipe (Option D) is the correct configuration because it removes only corporate data from a personal device while preserving the user's personal apps, photos, and settings. In Microsoft Intune, a selective wipe targets managed app data and company email profiles via Exchange ActiveSync, leaving the device usable for personal purposes. This is the appropriate action for protecting company data on a lost or stolen BYOD device without overstepping into the user's private information.

Exam trap

The trap here is that candidates often confuse 'selective wipe' with 'full wipe' or assume that a Conditional Access policy alone can retroactively protect data already on a device, when in fact only a selective wipe actively removes company data from a lost or stolen personal device.

How to eliminate wrong answers

Option A is wrong because a compliance policy with device health requirements (e.g., requiring encryption or a minimum OS version) does not actively remove data; it only marks the device as noncompliant and can trigger Conditional Access blocks, but it does not wipe or protect data after loss. Option B is wrong because a Conditional Access policy requiring compliant devices blocks access from noncompliant devices but does not remove existing company data already stored on the device; it is a preventive control, not a remediation action. Option C is wrong because a full wipe resets the entire device to factory defaults, deleting all personal data, which is inappropriate for personal devices in a BYOD scenario and violates user privacy; it is intended for corporate-owned devices.

740
MCQmedium

A company has multiple Azure virtual machines running various workloads. They want a central solution that continuously assesses their security posture, identifies vulnerabilities, and provides recommendations to harden the environment. Which Azure service should they use?

A.Azure Firewall
B.Microsoft Defender for Cloud
C.Azure DDoS Protection
D.Microsoft Sentinel
AnswerB

Microsoft Defender for Cloud (formerly Azure Security Center) provides continuous assessment, security recommendations, and vulnerability management for Azure resources, including virtual machines.

Why this answer

Microsoft Defender for Cloud is the correct service because it provides continuous security posture assessment, vulnerability identification, and actionable hardening recommendations across Azure, on-premises, and multi-cloud environments. It integrates with Azure Policy and uses the Secure Score to quantify security posture, making it the central solution described in the scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a posture management and workload protection platform) with Microsoft Sentinel (a SIEM/SOAR for threat detection), because both are Microsoft cloud security services that surface alerts and recommendations, but Sentinel focuses on log-based threat hunting rather than continuous vulnerability assessment and hardening recommendations.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful network firewall that filters traffic based on rules (e.g., source/destination IP, port, protocol) but does not perform continuous security posture assessment or vulnerability scanning. Option C is wrong because Azure DDoS Protection is a dedicated service that mitigates Distributed Denial-of-Service attacks at the network layer (L3/L4) and does not assess vulnerabilities or provide hardening recommendations. Option D is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution that ingests logs and alerts for threat detection and incident response, not a continuous posture assessment and vulnerability management tool.

741
MCQmedium

Your company uses Microsoft Purview Data Lifecycle Management. You need to automatically delete all emails in users' mailboxes that are older than three years, except for emails that have a legal hold. What should you configure?

A.A retention policy with a retention action of 'Delete items' and an adaptive scope for Exchange mailboxes
B.A data loss prevention (DLP) policy for Exchange
C.A retention label with auto-labeling for all Exchange emails
D.A sensitivity label with mandatory labeling
AnswerA

Retention policies can automatically delete items after a specified period, and adaptive scopes allow targeting all mailboxes.

Why this answer

Option A is correct because a retention policy with the retention action 'Delete items' and an adaptive scope can target all Exchange mailboxes and remove items once they exceed the retention period; items under a legal hold are preserved until the hold is released. Option B is incorrect because a DLP policy detects and restricts the sharing of sensitive content but does not delete items. Option C is incorrect because a retention label with auto-labeling is for classification, not mailbox-wide automatic deletion. Option D is incorrect because a sensitivity label protects and marks content and does not delete items.

742
Multi-Selecthard

Which TWO of the following are examples of Microsoft Copilot for Security use cases?

Select 2 answers
A.Configuring firewall rules in Azure
B.Answering a natural language question about a KQL query
C.Resetting a user's password in Entra ID
D.Creating a new DLP policy in Microsoft Purview
E.Summarizing an incident investigation in natural language
AnswersB, E

Copilot can explain and generate KQL queries from natural language.

Why this answer

Copilot for Security can generate incident summaries in natural language and suggest remediation steps (E), and it can explain or generate KQL queries from natural language questions (B). Configuring network firewalls (A) is an infrastructure task. Resetting passwords (C) is an IT admin task performed in Entra ID. Creating DLP policies (D) is a Purview administration task.

743
MCQhard

A healthcare organization uses Microsoft Entra ID and needs to enforce that only users from the United States and Canada can access patient records. Access attempts from all other locations must be blocked. Which Microsoft Entra ID Conditional Access condition should be configured to meet this requirement?

A.Device state
B.Sign-in risk
C.Locations
D.Client apps
AnswerC

The Locations condition in Conditional Access allows you to define named locations based on IP ranges or countries, and then grant or block access accordingly.

Why this answer

Option C is correct because the Locations condition in Microsoft Entra ID Conditional Access allows administrators to define named locations (e.g., countries or IP ranges) and then grant or block access based on those locations. By configuring a policy that blocks access from all countries except the United States and Canada, the organization can enforce geographic restrictions on patient record access.

Exam trap

The trap here is that candidates often confuse the Locations condition with Sign-in risk, mistakenly thinking that blocking by country is a risk-based control rather than a straightforward geographic restriction.

How to eliminate wrong answers

Option A is wrong because Device state controls access based on whether a device is marked as compliant or hybrid Azure AD joined, not based on geographic location. Option B is wrong because Sign-in risk is a condition that detects suspicious sign-in behavior (e.g., anonymous IP, leaked credentials) and is used for risk-based policies, not for blocking by country. Option D is wrong because Client apps condition filters access by application type (e.g., browser, mobile app, legacy auth), not by the user's physical or network location.

744
Multi-Selecteasy

Which TWO of the following are benefits of using Microsoft Entra ID for identity management? (Choose two.)

Select 2 answers
A.Storing passwords in plaintext
B.Conditional Access policies
C.Single sign-on (SSO)
D.Local authentication for all apps
E.On-premises authentication only
AnswersB, C

Policies enforce access based on conditions.

Why this answer

Correct answers are B and C: Conditional Access (B) provides policy-based access controls, and Single sign-on (C) allows users to access multiple apps with one login. Option A is incorrect because storing passwords in plaintext is not a benefit. Option D is incorrect because local authentication for all apps is not a benefit of a cloud identity service. Option E is incorrect because on-premises-only authentication is not a benefit.

745
MCQmedium

A company uses Microsoft Entra ID (Azure AD). They have a cloud-based HR system (e.g., Workday) that contains employee records. They want to automate the process of creating user accounts in Microsoft Entra ID for new hires and deactivating accounts for terminated employees based on information from the HR system. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra Connect
B.Microsoft Entra Application Provisioning
C.Self-Service Password Reset (SSPR)
D.Microsoft Entra Access Reviews
AnswerB

This feature can automate user lifecycle management from HR systems like Workday to Microsoft Entra ID.

Why this answer

Microsoft Entra Application Provisioning (specifically HR-driven provisioning) is the correct feature because it automates the creation, update, and deactivation of user accounts in Microsoft Entra ID based on changes in an external HR system like Workday. It uses SCIM (System for Cross-domain Identity Management) protocol to synchronize employee lifecycle events from the HR source to Entra ID, enabling fully automated user provisioning without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (hybrid sync from on-prem AD) with HR-driven provisioning, but the question specifies a cloud-based HR system (Workday) with no on-premises AD involvement, making Application Provisioning the correct choice.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for hybrid identity synchronization from on-premises Active Directory to Microsoft Entra ID, not for direct HR system integration. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not automate user account creation or deactivation based on HR data. Option D is wrong because Microsoft Entra Access Reviews are used for periodic attestation of user access rights and group memberships, not for provisioning or deprovisioning user accounts.

746
MCQmedium

A security team wants to discover which cloud applications are being used by employees, including unsanctioned file-sharing and collaboration apps. They plan to upload network traffic logs from their firewall to analyze app usage and risk levels. Which feature of Microsoft Defender for Cloud Apps should they enable?

A.App Governance
B.Cloud Discovery
C.Conditional Access App Control
D.Information Protection
AnswerB

Cloud Discovery ingests firewall and proxy logs to reveal cloud app usage, identify unsanctioned apps, and assess risk scores.

Why this answer

Cloud Discovery is the correct feature because it analyzes network traffic logs (uploaded from firewalls or proxies) to identify which cloud applications are in use, including unsanctioned file-sharing and collaboration apps. It provides a risk score for each discovered app, enabling the security team to assess usage and enforce governance policies.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which analyzes uploaded logs to find unsanctioned apps) with Conditional Access App Control (which enforces policies on already-discovered apps), leading them to pick Option C instead of B.

How to eliminate wrong answers

Option A is wrong because App Governance focuses on monitoring and managing OAuth-enabled apps that have access to Microsoft 365 data, not on analyzing firewall logs to discover unsanctioned cloud apps. Option C is wrong because Conditional Access App Control enforces access policies in real-time for cloud apps (e.g., blocking downloads), but it does not perform discovery of apps from uploaded traffic logs. Option D is wrong because Information Protection deals with classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels), not with discovering cloud app usage from network traffic.

747
MCQeasy

An organization adopts a Zero Trust security model. Which principle requires that every access request must be explicitly verified and granted least privilege regardless of the user's location or device?

A.Verify explicitly
B.Use least privilege access
C.Assume breach
D.Never trust, always verify
AnswerA

This principle states that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of network location or device.

Why this answer

The Zero Trust principle 'Verify explicitly' mandates that every access request—regardless of the user's location, device, or network—must be authenticated and authorized based on all available data points (e.g., user identity, device health, location, and real-time risk signals). This ensures that no implicit trust is granted, and least privilege is applied as a separate but complementary principle. In Microsoft's Zero Trust model, this is enforced through conditional access policies and continuous evaluation of session risk.

Exam trap

The trap here is that candidates confuse the popular phrase 'Never trust, always verify' with the official Microsoft Zero Trust principle 'Verify explicitly,' but the exam expects the exact terminology from the Microsoft documentation, not the generic slogan.

How to eliminate wrong answers

Option B is wrong because 'Use least privilege access' is a separate Zero Trust principle that limits user permissions to only what is needed for a task, but it does not address the requirement that every request must be explicitly verified regardless of location or device. Option C is wrong because 'Assume breach' is a principle focused on minimizing blast radius and segmenting access (e.g., using micro-segmentation and continuous monitoring), not on verifying every access request. Option D is wrong because 'Never trust, always verify' is a popular slogan summarizing Zero Trust philosophy, but it is not one of the three core principles defined by Microsoft (Verify explicitly, Use least privilege access, Assume breach); the question specifically asks for the principle that requires explicit verification and least privilege, and 'Verify explicitly' is the precise technical term.

748
MCQeasy

An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
AnswerC

Correct. Confidentiality prevents unauthorized disclosure of information.

Why this answer

Confidentiality is the security principle that ensures data is accessible only to authorized users. When an attacker reads confidential customer emails without authorization, the confidentiality of that data has been breached, as the information was exposed to an unintended party.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, mistakenly thinking that any unauthorized access to data implies data modification, but the core violation in this scenario is the unauthorized disclosure of information, not its alteration.

How to eliminate wrong answers

Option A is wrong because integrity refers to the assurance that data has not been tampered with or altered; reading emails does not imply modification. Option B is wrong because availability ensures that systems and data are accessible when needed; the attacker reading emails does not prevent legitimate users from accessing the system. Option D is wrong because non-repudiation provides proof of the origin or delivery of data, typically through digital signatures or audit logs; the scenario involves unauthorized access, not a dispute over who sent or received a message.

749
MCQmedium

A company wants to allow its employees to reset forgotten passwords or unlock their accounts without contacting the help desk. The solution must verify the user's identity using a phone call or mobile app notification before allowing the action. Which Microsoft Entra ID feature should be enabled?

A.Microsoft Entra ID Protection
B.Self-Service Password Reset (SSPR)
C.Privileged Identity Management (PIM)
D.Conditional Access
AnswerB

SSPR enables users to reset passwords or unlock accounts after authenticating through approved methods like phone call or mobile app notifications.

Why this answer

B is correct because Self-Service Password Reset (SSPR) enables users to reset forgotten passwords or unlock accounts without help desk intervention. It supports identity verification via phone call or mobile app notification (Microsoft Authenticator), meeting the stated requirement exactly.

Exam trap

The trap here is confusing SSPR with Conditional Access or ID Protection, as both involve authentication controls, but only SSPR directly provides the self-service password reset and account unlock functionality with phone call or app notification verification.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a risk-detection and remediation service (e.g., risky sign-ins, leaked credentials), not a self-service password reset or account unlock feature. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password reset or account unlock. Option D is wrong because Conditional Access enforces access policies (e.g., MFA, device compliance) at sign-in, but does not provide a self-service mechanism for password reset or account unlock.

750
MCQhard

Refer to the exhibit. A compliance administrator is configuring role-based access control (RBAC) in Microsoft Purview compliance portal. Which role group would provide the permissions shown?

A.Compliance Administrator
B.Security Reader
C.Data Classification
D.Information Protection
AnswerD

Information Protection role group includes the listed permissions.

Why this answer

The permissions (Sensitive Info Types, Data Classifiers, Content Explorer) are part of the Information Protection role group, so Option D is correct. Option C (Data Classification) is a role within Information Protection, not a role group. Option A (Compliance Administrator) is a higher-level role group with broader permissions than those shown. Option B (Security Reader) is read-only.
