Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 751825

1411 questions total · 19 pages · All types, answers revealed

Page 11 of 19

751
MCQ · medium

You find the above JSON in a SharePoint document's metadata. Based on the exhibit, what is the effect of the label applied to the document?

A.The document is encrypted and can only be accessed by users in the finance@contoso.com group
B.The document is only marked as confidential but not encrypted
C.The document is encrypted and can be accessed by any user with the decryption key
D.The document will be retained for a specified period
Answer: A

The protection type 'user' with value 'finance@contoso.com' restricts access to that group.

Why this answer

Option A is correct because the label 'Confidential' has an 'encrypt' action with protection type 'user' and value 'finance@contoso.com', meaning the document is encrypted and access is restricted to the finance group. Option B is wrong because the label applies encryption, not just visual marking. Option C is wrong because the encryption key is not specified for individual users; access is restricted to the finance group. Option D is wrong because the label does not include a retention setting.

752
Multi-Select · hard

Which THREE capabilities are part of Microsoft Purview Data Lifecycle Management?

Select 3 answers
A.Retention labels
B.Data Loss Prevention policies
C.Retention policies
D.eDiscovery
E.Records management
Answers: A, C, E

Retention labels are used to apply retention settings to items.

Why this answer

Data Lifecycle Management includes retention policies, retention labels, and records management. DLP is data loss prevention, not lifecycle management, and eDiscovery is a discovery tool, not lifecycle management. So the correct options are A, C, E.

753
MCQ · easy

An organization wants to automatically revoke access to cloud apps when an employee leaves the company. Which Microsoft Entra feature should they use?

A.Conditional Access
B.Automated user provisioning
C.Privileged Identity Management
D.Identity Protection
Answer: B

Automated provisioning can disable accounts and remove access upon termination.

Why this answer

Automated user provisioning (B) is the correct answer because it can automatically disable or remove a user's access to cloud apps when the user is deleted or deactivated in the HR system or on-premises directory. This feature synchronizes identity lifecycle events (e.g., termination) to connected SaaS applications, ensuring revocation of access without manual intervention.

Exam trap

The trap here is that candidates confuse Conditional Access (which blocks new sign-ins) with full deprovisioning, not realizing that Conditional Access does not terminate existing sessions or remove the user account from the cloud app.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device compliance at sign-in time, but it does not automatically revoke access when an employee leaves; it blocks new sign-ins but does not terminate existing sessions or deprovision accounts. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it is not designed to deprovision standard user access to cloud apps upon termination. Option D is wrong because Identity Protection detects risks like leaked credentials or anomalous sign-ins and triggers remediation like requiring MFA, but it does not handle lifecycle-based deprovisioning when an employee leaves.

754
MCQ · medium

Your organization uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to create a custom assessment for a new internal policy. What should you do first?

A.Define the score calculation method for the assessment
B.Create control actions and assign them to the assessment
C.Create a custom template with your internal controls
D.Use an existing Microsoft template and modify the improvement actions
Answer: C

Custom assessments require a custom template first.

Why this answer

In Microsoft Purview Compliance Manager, assessments are built from templates that define the controls, improvement actions, and scoring parameters. To create a custom assessment for a new internal policy, you must first create a custom template that includes your own controls, because assessments cannot be created from scratch without a template. This template serves as the foundation for the assessment, allowing you to define the specific controls and actions that map to your internal policy.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking they can directly create an assessment or modify an existing template, when the correct first step is always to create a custom template that contains the internal controls.

How to eliminate wrong answers

Option A is wrong because defining the score calculation method is a configuration step that occurs after the template and assessment are created, not the first step. Option B is wrong because control actions are assigned to controls within a template, not directly to an assessment; you must first have a template with controls defined. Option D is wrong because modifying an existing Microsoft template's improvement actions would alter the built-in regulatory template, which is not intended for custom internal policies; you should instead create a new custom template from scratch.

755
MCQ · hard

A legal team is preparing for litigation and needs to collect relevant data from Microsoft Teams chats, email, and SharePoint documents. They need to place a hold on the data to prevent deletion, review it, and then use advanced analytics such as relevance ranking and email threading to reduce the review set. Which Microsoft Purview solution should they use to perform these tasks?

A.Microsoft Purview eDiscovery (Standard)
B.Microsoft Purview Copilot
C.Microsoft Purview eDiscovery (Premium)
D.Microsoft Purview Compliance Manager
Answer: C

eDiscovery (Premium) builds on Standard by adding intelligent analytics including relevance, email threading, and near-duplicate detection, as well as advanced review workflows for large volumes of data.

Why this answer

Microsoft Purview eDiscovery (Premium) is the correct solution because it provides the full lifecycle of legal hold, collection, review, and advanced analytics such as relevance ranking, email threading, and predictive coding. These capabilities are specifically designed for complex litigation scenarios, whereas the Standard edition lacks the advanced analytics features needed to reduce the review set.

Exam trap

The trap here is that candidates confuse eDiscovery (Standard) with eDiscovery (Premium) because both support holds and searches, but only Premium includes the advanced analytics features explicitly mentioned in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview eDiscovery (Standard) supports basic hold and search but does not include advanced analytics like relevance ranking or email threading. Option B is wrong because Microsoft Purview Copilot is an AI assistant for productivity, not a compliance solution for legal hold, collection, or analytics. Option D is wrong because Microsoft Purview Compliance Manager is used for assessing and managing compliance posture against regulations, not for eDiscovery workflows or data hold and review.

756
MCQ · medium

A security architect explains the Zero Trust model to the board. They state that every access request must be fully authenticated and authorized based on identity, device health, location, and risk, regardless of whether the user is on the corporate network. Which Zero Trust principle does this statement represent?

A.Verify explicitly
B.Least privilege
C.Assume breach
D.Microsegmentation
Answer: A

Correct. This principle requires that every access request be fully authenticated and authorized using all signals before granting access.

Why this answer

The statement emphasizes that every access request must be authenticated and authorized based on identity, device health, location, and risk, regardless of network location. This directly aligns with the 'Verify explicitly' principle of Zero Trust, which mandates that authentication and authorization are performed for every request using all available data points, not just once at the perimeter.

Exam trap

The trap here is that candidates often confuse 'Verify explicitly' with 'Least privilege' because both involve access control, but 'Verify explicitly' is about the continuous authentication/authorization of every request, while 'Least privilege' is about limiting permissions after access is granted.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting user access rights to only what is necessary to perform a task, not on the continuous verification of every request. Option C (Assume breach) is wrong because it deals with designing systems to minimize blast radius and segment access under the assumption that a breach has already occurred, not with the upfront verification of each request. Option D (Microsegmentation) is wrong because it is a network architecture technique that breaks the network into small, isolated segments to limit lateral movement, not a principle for authenticating and authorizing every access request.

757
MCQ · medium

Your legal team needs to search for all emails from a specific executive that mention a project name 'ProjectX' for a litigation hold. Which Microsoft Purview tool should they use?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Loss Prevention
C.Microsoft Purview Audit
D.Microsoft Purview eDiscovery
Answer: D

eDiscovery allows searching and exporting content relevant to litigation.

Why this answer

Microsoft Purview eDiscovery (Standard or Premium) allows searching across Exchange, SharePoint, and other workloads for specific keywords and custodians. Option A is wrong because Communication Compliance monitors communications for policy violations, not litigation searches. Option B is wrong because DLP is for policy enforcement. Option C is wrong because Audit only shows activity logs, not content.

758
MCQ · hard

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a specific user account logs in from an unusual geographic location. Which KQL function should you use to evaluate location?

A.search
B.ioc
C.evaluate
D.parse_json
Answer: B

The 'ioc' function can match IP addresses against threat intelligence including geographic context.

Why this answer

Option B is correct because the 'ioc' function is used for indicator of compromise matching, but more accurately, to evaluate location you would use 'geo_info_from_ip_address' or similar. However, among the options, 'ioc' is a placeholder; the actual function is 'geoip_lookup' but not listed. Given the choices, the best is 'ioc' as it can match IPs from threat intel including location.

Option A is wrong because 'search' is generic. Option C is wrong because 'evaluate' is used for plugins, not location. Option D is wrong because 'parse_json' parses JSON, not location.

759
MCQ · medium

A compliance administrator creates the DLP policy shown in the exhibit. When a user shares a document containing a credit card number with an external partner, what is the expected outcome?

A.The document is blocked from being shared externally, and the user receives a notification.
B.The document is automatically deleted.
C.A sensitivity label is automatically applied.
D.The document is blocked from being shared both internally and externally.
Answer: A

The action 'BlockAccess' with 'BlockExternal' blocks external sharing, and 'NotifyUser' sends a notification.

Why this answer

The policy blocks access when sharing externally (BlockExternal) and notifies the user. Access is not blocked for internal sharing, and the document is not deleted or automatically labeled.

760
MCQ · easy

A company wants to ensure that emails containing credit card numbers are blocked from being sent externally. Which Microsoft Purview solution should they use?

A.Sensitivity labels
B.Communication compliance
C.Information barriers
D.Data Loss Prevention (DLP) policy
Answer: D

DLP policies detect and block sharing of sensitive data.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive information like credit card numbers and block external sharing. Option A is wrong because sensitivity labels classify data but do not prevent sharing. Option B is wrong because communication compliance monitors for policy violations but does not block data exfiltration. Option C is wrong because information barriers restrict communication between specific groups; they do not detect or block sensitive data.

761
Multi-Select · easy

Which TWO of the following are methods for implementing passwordless authentication in Microsoft Entra ID?

Select 2 answers
A.Windows Hello for Business
B.App passwords
C.Email one-time passcode
D.SMS-based one-time passcode (OTP)
E.FIDO2 security keys
Answers: A, E

Windows Hello for Business provides passwordless sign-in using biometrics or PIN.

Why this answer

Windows Hello for Business is a passwordless authentication method in Microsoft Entra ID that uses biometric or PIN-based credentials tied to a user's device. It leverages asymmetric key pairs (public/private key cryptography) to authenticate users without transmitting passwords over the network, meeting the passwordless requirement.

Exam trap

The trap here is that candidates often confuse multi-factor authentication (MFA) methods like SMS OTP or app passwords with passwordless authentication, but passwordless requires eliminating the password as a primary factor, not just adding another layer.

762
MCQ · easy

Your company, Contoso, uses Microsoft Entra ID for employee identity management. You need to ensure that when an employee leaves the company, their access to all SaaS applications is automatically revoked within 24 hours. The HR department updates the employee status in a cloud HR system (Workday). What should you do?

A.Ask HR to manually disable each user in Microsoft Entra ID after termination.
B.Configure Microsoft Entra ID provisioning from Workday to automatically disable users when their employment status changes.
C.Use Microsoft Graph API to write a custom application that polls Workday and disables users.
D.Create an Azure Automation runbook that runs daily and checks Workday for terminated employees, then disables them in Entra ID.
Answer: B

Correct: Workday-driven provisioning can automatically disable accounts based on HR status changes.

Why this answer

Option B is correct because Microsoft Entra ID supports automated user provisioning from Workday via the built-in Workday to Entra ID provisioning connector. When an employee's status changes to 'terminated' in Workday, the provisioning service automatically disables the corresponding user account in Entra ID, typically within 40 minutes (well under the 24-hour requirement). This eliminates manual intervention and ensures timely revocation of access to all SaaS applications integrated with Entra ID.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing custom development (C or D) or manual processes (A), failing to recognize that Microsoft provides a native, automated provisioning connector specifically designed for this exact HR-driven lifecycle scenario.

How to eliminate wrong answers

Option A is wrong because manually disabling users in Entra ID is inefficient, error-prone, and does not meet the automated 24-hour revocation requirement. Option C is wrong because using Microsoft Graph API to build a custom polling application is unnecessarily complex, requires development and maintenance overhead, and is not the recommended out-of-box solution when the native Workday provisioning connector exists. Option D is wrong because an Azure Automation runbook that polls Workday daily introduces latency (up to 24 hours) and requires custom scripting, whereas the native provisioning service provides near-real-time synchronization without additional infrastructure.

763
MCQ · hard

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender for Endpoint. The SOC team needs to decode the PowerShell command to understand the malicious intent. Which tool or method should they use?

A.Search for the SHA256 hash in threat intelligence feeds
B.Decrypt the command using the device's decryption keys
C.Use PowerShell script block logging to capture the decoded command
D.Decode the Base64 string using a built-in decoder or online tool
Answer: D

The -EncodedCommand parameter uses Base64 encoding.

Why this answer

Option D is correct because the command is Base64 encoded (the string after -EncodedCommand). Decoding it reveals a download cradle. Option A is wrong because the hash is for identification, not decoding. Option B is wrong because the command is not encrypted. Option C is wrong because there is no script block to log.

764
Multi-Select · easy

Which TWO capabilities are part of Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Application management
B.Single sign-on (SSO)
C.Cloud security posture management
D.Mobile device management (MDM)
E.Security information and event management (SIEM)
Answers: A, B

Entra ID provides application integration and access management.

Why this answer

Microsoft Entra ID includes application management capabilities that allow administrators to register, configure, and control access to enterprise applications. It also provides single sign-on (SSO) functionality, enabling users to authenticate once and access multiple applications without re-entering credentials, using protocols such as SAML 2.0, OAuth 2.0, and OpenID Connect.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID's identity and access management capabilities with broader security tools like Defender for Cloud (CSPM) or Sentinel (SIEM), or with device management tools like Intune (MDM), because all are part of Microsoft's security portfolio but serve distinct functions.

765
Multi-Select · easy

Which TWO are capabilities of Microsoft Intune? (Choose two.)

Select 2 answers
A.Mobile application management (MAM)
B.Identity protection
C.Security posture management
D.Data loss prevention
E.Mobile device management (MDM)
Answers: A, E

MAM manages apps and data on devices.

Why this answer

Intune provides mobile device management (MDM) and mobile application management (MAM). Option B (identity protection) is a Microsoft Entra ID capability; Option C (security posture management) belongs to Microsoft Defender for Cloud; Option D (data loss prevention) belongs to Microsoft Purview.

766
MCQ · easy

You need to allow users to reset their own passwords without contacting the help desk. Which Microsoft Entra feature should you enable?

A.Microsoft Authenticator
B.Identity Governance
C.Self-service password reset
D.Conditional Access
Answer: C

SSPR enables users to reset their passwords without contacting the help desk.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature that allows users to reset their own passwords without contacting the help desk. It is designed to reduce help desk costs and improve user productivity by enabling password changes or unlocks through a verified authentication method, such as email, phone, or security questions.

Exam trap

The trap here is that candidates often confuse the authentication app (Microsoft Authenticator) with the self-service password reset feature, thinking the app itself provides password reset capabilities, when in fact it only provides a second factor for authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Authenticator is a multi-factor authentication app that provides a second factor for sign-in, not a self-service password reset mechanism. Option B is wrong because Identity Governance focuses on managing user access rights, certifications, and lifecycle, not on enabling users to reset their own passwords. Option D is wrong because Conditional Access is a policy engine that enforces access controls based on conditions like location or device state, but it does not provide a direct password reset capability.

767
MCQ · hard

You are investigating a potential data leak. You need to find all emails that contain the word 'confidential' sent to external recipients in the last 30 days. Which Microsoft Purview tool should you use?

A.Communication Compliance
B.Audit Log Search
C.Content Search
D.Data loss prevention (DLP) policy
Answer: C

Content Search can find specific content in emails.

Why this answer

Option C is correct because Content Search in Microsoft Purview can search for specific keywords in emails and filter by date and recipients. Option A is wrong because Communication Compliance monitors for policy violations but is not optimized for ad-hoc content search. Option B is wrong because Audit Log Search tracks activities, not content. Option D is wrong because DLP policies prevent leaks but do not provide historical search.

768
MCQ · hard

Refer to the exhibit. An administrator runs the Azure CLI commands shown. What is the purpose of these commands?

A.To create a new service principal.
B.To list all Azure subscriptions.
C.To log in to Azure as a user with MFA.
D.To authenticate a service principal for automated tasks.
Answer: D

Service principal authentication is used for automation.

Why this answer

The Azure CLI commands shown are used to authenticate a service principal for automated tasks. Specifically, `az login --service-principal -u <app-id> -p <password> --tenant <tenant-id>` authenticates using the service principal's credentials without interactive user login, enabling non-interactive automation or scripts.

Exam trap

The trap here is that candidates confuse the `az login` command with creating a service principal, but `az ad sp create-for-rbac` is the command for creation, while `az login --service-principal` is strictly for authentication.

How to eliminate wrong answers

Option A is wrong because the commands do not create a new service principal; they authenticate an existing one using its app ID and password. Option B is wrong because the commands do not list Azure subscriptions; they perform a login operation, and listing subscriptions would require a separate command like `az account list`. Option C is wrong because the commands use `--service-principal` with a password, which bypasses MFA; MFA is only triggered for interactive user logins, not service principal authentication.

769
MCQ · medium

A security administrator receives an alert about a suspicious sign-in from an unfamiliar location. The user verified the sign-in as legitimate. Which Microsoft Entra ID feature should be used to reduce false positives for this user?

A.Passwordless authentication
B.Privileged Identity Management
C.Identity Protection confirm user safe
D.Conditional Access policies
Answer: C

This action suppresses future false-positive alerts for that user.

Why this answer

Entra ID Identity Protection allows marking a user as safe to reduce false positives, so Option C is correct. Option A (Passwordless authentication) improves security but does not address false positives. Option B (Privileged Identity Management) manages roles. Option D (Conditional Access) controls access but does not directly affect risk signals.

770
Multi-Select · hard

A healthcare organization is implementing Microsoft Purview Data Lifecycle Management to retain medical records for 7 years. Which THREE components must be configured to achieve this retention requirement?

Select 3 answers
A.Create a retention label policy to publish the label.
B.Create a retention label with a retention period of 7 years.
C.Apply a sensitivity label to classify the records.
D.Configure adaptive scopes to target the relevant users or sites.
E.Implement Data Loss Prevention (DLP) policies to prevent data exfiltration.
Answers: A, B, D

Publishing the label makes it available for application.

Why this answer

Option A is correct because a retention label policy publishes the label. Option B is correct because a retention label with the appropriate duration is needed. Option D is correct because adaptive scopes allow targeting specific users or content. Option C is wrong because sensitivity labels are for classification, not retention. Option E is wrong because Data Loss Prevention policies are for preventing data leaks, not retention.

771
MCQ · medium

A company runs workloads in Microsoft Azure and in Google Cloud Platform (GCP). The security team needs a single dashboard to view the security posture of both cloud environments, get recommendations for misconfigurations based on best practices, and track compliance with industry standards such as ISO 27001 and PCI DSS. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Endpoint
Answer: A

Defender for Cloud provides multicloud security posture management, including recommendations and compliance dashboards across Azure, AWS, and GCP.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified dashboard for assessing and improving the security posture of multicloud environments, including Azure and GCP. It offers continuous assessment against best practices (e.g., the Microsoft cloud security benchmark), generates actionable recommendations for misconfigurations, and tracks compliance with industry standards like ISO 27001 and PCI DSS through built-in regulatory compliance dashboards.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM for threat detection) with Defender for Cloud (a CSPM for posture management), because both appear under the 'Microsoft security solutions' umbrella and both can ingest data from multiple clouds, but Sentinel is not designed for compliance tracking or misconfiguration recommendations.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution focused on threat detection, investigation, and response across the enterprise, not on providing a single dashboard for security posture assessment, misconfiguration recommendations, or compliance tracking against standards like ISO 27001. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that focuses on discovering and controlling shadow IT, enforcing access policies, and protecting data across SaaS applications, not on assessing the security posture of cloud infrastructure workloads or tracking compliance with industry standards. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices (workstations, servers, mobile) from threats, but it does not provide a multicloud security posture dashboard or compliance tracking for cloud environments like GCP.

772
MCQ · medium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to implement a solution that ensures only compliant devices can access corporate applications. Devices must be enrolled in Intune and meet compliance policies (e.g., disk encryption enabled, antivirus running). Additionally, you require that users must authenticate with multi-factor authentication (MFA) when accessing sensitive applications from non-compliant devices, even if the user is compliant. The solution must use a single policy where possible. What should you configure?

A.Create two conditional access policies: one to require device compliance for all users, and another to require MFA for sensitive applications.
B.Create a conditional access policy that blocks access from non-compliant devices, and configure MFA for all users.
C.Configure Intune compliance policies and enforce them via conditional access by requiring compliant device. For sensitive apps, add MFA requirement in the same conditional access policy.
D.Use Microsoft Entra ID Protection to enforce MFA based on risk, and Intune for device compliance.
Answer: C

A single conditional access policy can require both compliant device and MFA.

Why this answer

Option C is correct because it uses a single Conditional Access policy to enforce both device compliance (via Intune) and MFA for sensitive applications, meeting the requirement for a unified policy. Conditional Access policies can combine multiple conditions (e.g., device compliance status, application sensitivity) and grant controls (e.g., require compliant device, require MFA) in one policy, allowing granular access decisions based on device state and user authentication.

Exam trap

The trap here is that candidates assume device compliance and MFA must be in separate policies, but Conditional Access allows combining multiple grant controls in one policy, and the key is understanding that the policy's conditions (like device compliance state) can trigger different grant requirements within the same policy.

How to eliminate wrong answers

Option A is wrong because it creates two separate policies, violating the requirement to use a single policy where possible, and it does not specifically tie MFA to non-compliant devices accessing sensitive apps. Option B is wrong because it blocks all non-compliant devices entirely, preventing the scenario where users on non-compliant devices can still access sensitive apps after MFA, which is explicitly required. Option D is wrong because Microsoft Entra ID Protection focuses on user and sign-in risk (e.g., leaked credentials, anonymous IP), not device compliance; it cannot enforce MFA based on device compliance status, and it does not replace the need for a Conditional Access policy to combine device compliance and MFA controls.

773
MCQ · easy

A company stores customer data in Microsoft 365 and needs to identify which data is subject to GDPR. Which Microsoft Purview solution should be used?

A.Data Lifecycle Management
B.Data Loss Prevention
C.Audit
D.Data Classification
Answer: D

Data Classification in Microsoft Purview helps discover and classify sensitive data, including personal data subject to GDPR.

Why this answer

Microsoft Purview Data Classification enables organizations to identify and classify sensitive data across their Microsoft 365 environment. This includes detecting personal data that may be subject to regulations like GDPR. The other options serve different purposes: lifecycle management for retention, DLP for protection, and audit for logging.

774
MCQ · easy

A company wants to deploy a single security operations portal that provides a unified view of alerts and incidents from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Which Microsoft portal should the security team use?

A.Azure Portal
B.Microsoft 365 Defender portal
C.Microsoft 365 admin center
D.Azure Active Directory admin center
Answer: B

The Microsoft 365 Defender portal provides a single-pane-of-glass view for security alerts, incidents, and advanced hunting across Defender for Endpoint, Office 365, Identity, and Cloud Apps.

Why this answer

The Microsoft 365 Defender portal (https://security.microsoft.com) is the correct answer because it provides a unified security operations center (SOC) experience, aggregating alerts and incidents from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This portal enables security teams to triage, investigate, and respond to cross-domain threats in a single pane of glass, leveraging automated incident correlation and advanced hunting capabilities.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with the Azure Portal or the Microsoft 365 admin center, mistakenly thinking that security alerts are managed in the same place as Azure resources or tenant administration, when in fact the security portal is a dedicated, cross-workload console.

How to eliminate wrong answers

Option A is wrong because the Azure Portal (https://portal.azure.com) is designed for managing Azure resources, subscriptions, and services like Azure Security Center or Azure Sentinel, not for providing a unified view of Microsoft 365 Defender workloads. Option C is wrong because the Microsoft 365 admin center (https://admin.microsoft.com) is used for tenant-level administrative tasks such as user management, licensing, and service configuration, not for security incident response or alert aggregation. Option D is wrong because the Azure Active Directory admin center (https://aad.portal.azure.com) focuses on identity and access management, including user accounts, groups, and conditional access policies, and does not consolidate security alerts from Defender products.

775
MCQ · medium

A multinational corporation uses Microsoft Entra ID. The IT department wants to allow regional IT administrators in Europe to manage users and groups only for their own region, without granting them permissions to manage users in other regions. Which Microsoft Entra ID feature should they use?

A.Conditional Access
B.Administrative Units
C.Privileged Identity Management
D.Identity Governance
Answer: B

Administrative Units allow you to define a subset of users, groups, or devices and assign administrative roles scoped only to that subset.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions scoped to a subset of users, groups, or devices. By creating an AU for the Europe region and assigning regional IT administrators to it, you restrict their management scope to only those objects within that AU, preventing them from managing users in other regions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with scope delegation, not realizing that PIM controls when a role is activated, not where it can be applied.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on signals like user location or device state, not a mechanism for scoping administrative permissions. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows, but does not limit the scope of a role to specific users or groups; it still requires an Administrative Unit to achieve regional scoping. Option D is wrong because Identity Governance covers access reviews, entitlement management, and lifecycle workflows, but does not natively provide the granular administrative scoping that Administrative Units offer.

776
MCQ · easy

A company wants to ensure that only users with appropriate permissions can access sensitive data stored in Microsoft SharePoint Online. Which principle should they implement?

A.Apply the principle of least privilege
B.Assign roles based on job function using role-based access control (RBAC)
C.Enable multi-factor authentication (MFA) for all users
D.Implement defense in depth
Answer: A

Directly answers the principle that limits permissions to only what is necessary.

Why this answer

The principle of least privilege ensures users have only the minimum permissions needed to perform their job, reducing the risk of unauthorized access. Option C is wrong because MFA adds extra authentication but does not limit permissions. Option B is wrong because RBAC is a method to implement least privilege, not the principle itself.

Option D is wrong because defense in depth is a layered security approach, not specifically about permission minimization.

777
MCQ · hard

An organization uses Microsoft Purview Information Protection. They want to ensure that when a user manually applies a 'Highly Confidential' sensitivity label to a document, the label is automatically applied to any new content pasted from that document into another app. Which configuration should they enable?

A.Marking content as sensitive
B.Data Loss Prevention policies
C.Encryption with rights management
D.Auto-labeling policies
Answer: A

Marking content as sensitive tracks the sensitivity label when content is copied.

Why this answer

Option A is correct because Microsoft Purview Information Protection supports marking content as sensitive, which tracks the label when content is copied. Option D is wrong because auto-labeling is for automated classification, not manual application. Option C is wrong because encryption is a protection action, not a tracking mechanism.

Option B is wrong because DLP policies do not track labels across copy-paste.

778
MCQ · easy

A company wants to automatically classify and protect sensitive documents stored in SharePoint Online. The compliance administrator needs to create a policy that detects credit card numbers and applies encryption. Which Microsoft Purview solution should the administrator use?

A.Communication Compliance
B.Sensitivity labels with auto-labeling
C.Microsoft Entra ID
D.Data Lifecycle Management
Answer: B

Sensitivity labels with auto-labeling can automatically classify and encrypt documents based on sensitive content.

Why this answer

Sensitivity labels with auto-labeling in Microsoft Purview Information Protection can automatically classify and encrypt documents containing sensitive data like credit card numbers. Data Lifecycle Management (formerly retention) focuses on retention and deletion, not automatic protection. Communication Compliance monitors communications for policy violations.

Microsoft Entra ID is an identity service.

779
MCQ · medium

Refer to the exhibit. You are reviewing a sensitivity label configuration in Microsoft Purview. Based on the exhibit, what is the result when a user applies this label to a document?

A.The label is automatically removed after one year
B.The document is automatically deleted after 30 days
C.The document is encrypted and a header/footer is added
D.The document can be printed but not edited
Answer: C

Encryption and markings are both configured.

Why this answer

The exhibit shows encryption enabled and header/footer markings. Encryption prevents unauthorized access, and markings add visible text to the document. Option C is correct.

The label does not automatically delete the document or prevent printing. It does not remove the label after a period.

780
Multi-Select · easy

A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?

Select 2 answers
A.Authentication and Authorization
B.Identification and Non-repudiation
C.Encryption and Hashing
D.Accounting and Auditing
Answers: A, B

Correct. Entering credentials and then being denied access based on group membership are examples of authentication (proof of identity) and authorization (access rights).

Why this answer

The scenario demonstrates two distinct security concepts: authentication and authorization. The password plus temporary code from a mobile app (a form of multi-factor authentication) verifies the user's identity, which is authentication. The subsequent denial of access to the confidential document because the user is not a member of the 'Managers' group is authorization—the process of determining what resources an authenticated user is permitted to access.

In Microsoft Entra ID, authentication is handled via token issuance (e.g., SAML or OAuth 2.0), while authorization is enforced through role-based access control (RBAC) or directory role assignments.

Exam trap

The trap here is that candidates confuse authentication (proving identity) with authorization (granting access), and they may incorrectly select 'Identification and Non-repudiation' because they see the password entry as identification, but identification is the initial claim of identity (e.g., username), not the verification step shown in the scenario.

781
MCQ · medium

Your organization uses Microsoft 365 and wants to automatically quarantine suspicious emails before they reach users' inboxes. Which solution should you configure?

A.Microsoft Purview Data Loss Prevention
B.Microsoft Sentinel
C.Microsoft Intune
D.Microsoft Defender for Office 365
Answer: D

Defender for Office 365 quarantines malicious emails.

Why this answer

Option D is correct because Microsoft Defender for Office 365 (part of Microsoft 365 Defender) includes Safe Attachments and Safe Links, which can quarantine malicious emails. Option A is wrong because Microsoft Purview focuses on compliance, not security. Option C is wrong because Microsoft Intune manages devices.

Option B is wrong because Microsoft Sentinel is a SIEM, not an email security solution.

782
MCQ · medium

A compliance officer needs to create a policy that automatically detects and blocks the sharing of credit card numbers in emails and Teams messages. Which Microsoft Purview solution should be used?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Audit
D.Microsoft Purview Information Protection
Answer: A

DLP can detect and block sensitive content in communications.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can be applied to emails and Teams messages to detect sensitive information like credit card numbers and block sharing. Communication Compliance monitors for policy violations but does not enforce blocking. Information Protection labels content.

Audit logs activities.

783
MCQ · medium

Refer to the exhibit. Your company uses Microsoft Defender for Cloud. You find the policy snippet in your policy assignments. What is the primary goal of this policy?

A.To block deployment of virtual machines without a specific extension
B.To identify virtual machines missing vulnerability assessment
C.To ensure virtual machines have endpoint protection installed
D.To audit virtual machines that are not configured to send logs to Azure Monitor
Answer: D

The Microsoft Monitoring Agent collects logs and forwards them to Azure Monitor; the policy identifies VMs without this agent.

Why this answer

Option D is correct because the policy audits virtual machines to ensure they have the Microsoft Monitoring Agent extension installed, which is used for log collection and security monitoring. Option A is wrong because the effect is 'AuditIfNotExists', not 'Deny'. Option B is wrong because the policy checks for the Monitoring Agent, not Endpoint Protection.

Option C is wrong because the policy does not check for vulnerability assessment.

784
Multi-Select · hard

Which TWO Microsoft Purview features allow you to monitor and manage data across hybrid environments (on-premises and cloud)?

Select 2 answers
A.eDiscovery
B.Information Protection
C.Communication Compliance
D.Microsoft Purview Data Map
E.Microsoft Purview Data Estate Insights
Answers: D, E

Scans both on-prem and cloud data sources.

Why this answer

Options D and E are correct. Microsoft Purview Data Map provides a unified map of data assets across on-prem and cloud. Microsoft Purview Data Estate Insights gives visibility into data estate health and governance.

Option B is wrong because Information Protection is primarily cloud-focused. Option A is wrong because eDiscovery is for search. Option C is wrong because Communication Compliance monitors communications.

785
Multi-Select · medium

Which THREE of the following are key concepts of identity management in Microsoft Entra ID?

Select 3 answers
A.Encryption
B.Federation
C.Least privilege
D.Authorization
E.Authentication
Answers: B, D, E

Federation allows users to authenticate using external identity providers.

Why this answer

Authentication verifies identity, authorization grants access, and federation allows using external identity providers. Single sign-on is a feature, not a core concept per se, but often listed. Least privilege is a security principle but not an identity management concept exclusive to Entra ID.

Encryption is unrelated.

786
MCQ · hard

A multinational corporation needs to enforce data residency requirements by storing data in specific geographic locations. They are using Microsoft Purview for data governance. Which capability should they leverage to meet this requirement?

A.Data loss prevention policies
B.Sensitivity labels with encryption
C.Azure Information Protection unified labeling
D.Microsoft Purview Multi-Geo
Answer: D

Multi-Geo provides data residency at the tenant level for core Microsoft 365 services.

Why this answer

Option D is correct because Microsoft Purview Multi-Geo enables data residency at the tenant level for Exchange Online, SharePoint, and OneDrive. Option B is wrong because sensitivity labels classify data but do not enforce storage location. Option A is wrong because DLP policies control data movement, not storage.

Option C is wrong because Azure Information Protection is for classification and protection, not data residency.

787
MCQ · hard

A company uses Microsoft Defender for Cloud to secure its hybrid cloud workload. The security team needs to ensure that all virtual machines (VMs) have Just-In-Time (JIT) VM access enabled. What should they use to enforce this across subscriptions?

A.Assign an Azure Policy initiative that requires JIT VM access
B.Use Azure Blueprints to deploy JIT access configuration
C.Enable the Defender for Cloud servers plan
D.Implement a Secure Score recommendation for JIT access
Answer: A

Azure Policy can enforce JIT access and remediate non-compliant resources.

Why this answer

Option A is correct because Azure Policy can enforce JIT VM access via a built-in initiative. Option D is wrong because Secure Score recommendations are advisory, not enforcement. Option C is wrong because Defender for Cloud plans enable features but don't enforce configuration.

Option B is wrong because Azure Blueprints are deprecated.

788
MCQ · medium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers in emails to external recipients. Which DLP rule action should you configure?

A.Audit the activity only
B.Allow the message but notify the user
C.Block the message from being sent
D.Allow the message with a policy tip
Answer: C

Blocking the message prevents data loss by stopping the email from being sent.

Why this answer

Option C is correct because blocking the message from being sent is the appropriate action to prevent data loss. Option B is wrong because allowing the message and only notifying the user does not prevent sharing. Option D is wrong because a policy tip without blocking still allows the email to be sent.

Option A is wrong because auditing alone does not block the action.

789
MCQ · easy

Your organization wants to use Microsoft Entra ID to require multi-factor authentication (MFA) for all users when accessing a financial application. What should you configure?

A.Identity Protection policy
B.Conditional Access policy
C.Per-user MFA
D.MFA registration policy
Answer: B

Conditional Access policies grant access based on conditions, including requiring MFA.

Why this answer

Conditional Access policies allow you to enforce MFA based on application and user conditions. Option D is incorrect because an MFA registration policy only enforces registration, not usage. Option A is incorrect because Identity Protection focuses on risk.

Option C is incorrect because per-user MFA is a legacy method; Conditional Access is the modern approach.

790
MCQ · hard

A company stores application secrets and encryption keys in Azure Key Vault. They want to move from the older vault access policy model to a more scalable and granular permission model that integrates with Azure's role-based access control (RBAC). They also need to audit permissions using Azure Policy. Which access configuration should they choose for Azure Key Vault?

A.Use a single vault access policy with the Contributor role
B.Enable the Azure RBAC permission model for Key Vault
C.Assign a managed identity to the Key Vault
D.Use a service principal and configure vault access policies per application
Answer: B

Azure Key Vault supports an RBAC-based authorization model where permissions for data plane operations (get, list, set secrets/keys) can be assigned via Azure RBAC roles. This allows centralized management and Azure Policy auditing.

Why this answer

Option B is correct because enabling the Azure RBAC permission model for Key Vault replaces the older vault access policy model with Azure's native role-based access control, providing granular, scalable permissions that integrate directly with Azure Policy for auditing. This model allows you to assign roles like Key Vault Secrets User or Key Vault Crypto Officer at the management plane, enabling centralized permission management across multiple vaults and supporting Azure Policy compliance checks.

Exam trap

The trap here is that candidates confuse 'managed identity' (an authentication mechanism for resources) with the permission model itself, or assume that vault access policies are still the recommended approach for scalability, when in fact Azure RBAC is the modern, policy-auditable solution.

How to eliminate wrong answers

Option A is wrong because using a single vault access policy with the Contributor role is not a scalable or granular approach; the Contributor role grants broad management-plane access (e.g., deleting the vault) rather than fine-grained data-plane permissions for secrets and keys, and it does not leverage Azure RBAC for Key Vault. Option C is wrong because assigning a managed identity to Key Vault is not an access configuration for the vault itself; managed identities are used by Azure resources to authenticate to Key Vault, not to define the permission model for the vault. Option D is wrong because using a service principal with vault access policies per application still relies on the older vault access policy model, which is less scalable and does not integrate with Azure Policy for auditing permissions across multiple vaults.

791
MCQ · hard

Your organization uses Microsoft Entra ID and has deployed Microsoft Entra ID Governance for entitlement management. You need to allow external partners to request access to a specific application, but only if they have a valid email address from an approved domain. Once approved, their access should automatically expire after 30 days. You also need to ensure that the partner's access is reviewed quarterly by the application owner. What should you configure?

A.Create an access package with a connected organization for the partner's domain, add the application as a resource, configure approval, set expiration to 30 days, and add a quarterly access review.
B.Create an access package with a connected organization for the partner's domain, add the application as a resource, configure approval, and set expiration to 30 days.
C.Create a dynamic group based on partner email domain and assign the application to the group with a 30-day expiration policy.
D.Add the partner as a guest user manually and assign the application directly with an expiration date.
Answer: A

Correct: This fully addresses all requirements.

Why this answer

Option A is correct because it combines all required components: a connected organization restricts access to approved partner domains, the access package includes the application as a resource, approval ensures authorization, a 30-day expiration enforces automatic access removal, and a quarterly access review satisfies ongoing compliance. Microsoft Entra ID Governance entitlement management uses access packages to bundle resources, policies, and reviews for external collaboration.

Exam trap

The trap here is that candidates often confuse access packages with simple group-based assignment or manual guest user creation, overlooking that entitlement management's connected organization and policy-driven lifecycle are required to meet domain validation, automatic expiration, and recurring review requirements simultaneously.

How to eliminate wrong answers

Option B is wrong because it omits the quarterly access review, which is explicitly required for ongoing compliance and periodic attestation by the application owner. Option C is wrong because dynamic groups do not support expiration policies or access reviews natively; they are for automatic membership based on attributes, not for time-bound external access with governance workflows. Option D is wrong because manually adding guest users and assigning applications directly bypasses entitlement management's automated approval, expiration, and review capabilities, and does not enforce domain validation or quarterly reviews.

792
MCQ · medium

A security operations team uses multiple Microsoft security products, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Entra ID Protection. They want to aggregate alerts from these sources into a single dashboard, correlate them to create incidents, and use automated playbooks to respond to threats. The team also wants to query historical security data for threat hunting. Which Microsoft solution should they deploy?

A.Microsoft Sentinel
B.Microsoft 365 Defender portal
C.Microsoft Defender for Cloud
D.Azure Monitor
Answer: A

Microsoft Sentinel is the appropriate SIEM + SOAR solution that can ingest alerts from multiple Microsoft security services, create incidents, and use automated playbooks. It also supports threat hunting with KQL.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that ingests alerts from multiple sources, including Microsoft Defender for Endpoint, Defender for Office 365, and Entra ID Protection, into a single dashboard. It correlates these alerts into incidents using analytics rules and supports automated playbooks via Azure Logic Apps. Additionally, Sentinel provides a Kusto Query Language (KQL)-based workspace for querying historical security data, enabling threat hunting.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal (which does unify alerts and incidents from Defender products) with a full SIEM/SOAR solution, overlooking that it lacks native automated playbook orchestration and long-term historical data querying for threat hunting, which are core to Microsoft Sentinel.

How to eliminate wrong answers

Option B is wrong because the Microsoft 365 Defender portal (now unified in the Microsoft Defender portal) provides a unified view of alerts and incidents from Microsoft 365 Defender products (e.g., Defender for Endpoint, Office 365) but does not natively support custom automated playbooks or long-term historical data querying for threat hunting; it relies on Microsoft Sentinel for those capabilities. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud resources, not a SIEM/SOAR solution for aggregating and correlating alerts from multiple security products into a single dashboard with automated playbooks and threat hunting. Option D is wrong because Azure Monitor is a monitoring and diagnostics service for Azure resources and applications, collecting metrics and logs for operational health, but it lacks native SIEM capabilities like incident correlation, automated playbooks, and dedicated threat hunting features; it is not designed to aggregate security alerts from multiple security products into a single security dashboard.

793
MCQ · easy

Your organization uses Microsoft Entra ID to allow users to access cloud applications. You need to ensure that any sign-in from a known malicious IP address is blocked. Which feature should you configure?

A.Privileged Identity Management
B.Self-service password reset
C.Conditional Access policy with a location condition
D.Identity Protection risk policy
Answer: C

You can create a policy to block access from specific locations (IP ranges).

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to enforce access controls based on conditions such as the user's location or IP address. By configuring a location condition that includes known malicious IP addresses, you can block sign-ins from those IPs. This is the correct feature because it directly evaluates the network location at sign-in time and applies a block grant control.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies (which use risk-based scoring) with Conditional Access location policies (which use explicit IP address conditions), leading them to select D instead of C.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not real-time sign-in blocking based on IP address. Option B is wrong because Self-service password reset (SSPR) allows users to reset their own passwords and does not evaluate or block sign-ins based on IP address. Option D is wrong because Identity Protection risk policies detect and respond to user or sign-in risk (e.g., leaked credentials, anonymous IP addresses) but are not designed to block a static list of known malicious IP addresses; they use risk-based scoring rather than explicit IP allow/block lists.

794
MCQ · medium

A user is locked out of their account after multiple failed sign-in attempts. You need to reduce false lockouts while maintaining security. What should you do?

A.Require MFA for all users
B.Disable account lockout
C.Enable Smart Lockout
D.Increase lockout threshold to 20 attempts
Answer: C

Smart Lockout adapts to user behavior, reducing false lockouts.

Why this answer

Smart Lockout learns user behavior and reduces false lockouts. Option B is wrong because disabling lockout reduces security. Option A is wrong because MFA doesn't prevent lockouts.

Option D is wrong because increasing the threshold may increase risk.

795
Multi-Select · easy

Which TWO of the following are types of identities that can be managed in Microsoft Entra ID? (Select two.)

Select 2 answers
A.Group objects
B.User identities
C.Service principal identities (application identities)
D.Policy objects
E.Device objects
Answers: B, C

Users are the primary identity type.

Why this answer

Option B is correct because user identities represent individual users who need access to resources, and they are the most fundamental identity type in Microsoft Entra ID. Option C is correct because service principal identities (application identities) are used to represent applications and automated tools, enabling them to authenticate and access resources securely.

Exam trap

The trap here is that candidates often confuse directory objects (like groups, devices, and policies) with identity principals, mistakenly thinking that any object stored in Entra ID is a type of identity that can be directly authenticated.

796
Multi-Select · hard

Which TWO capabilities are provided by Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A.Secure score and security recommendations
B.Endpoint detection and response (EDR)
C.Vulnerability assessment for VMs
D.Cloud Access Security Broker (CASB)
E.Security Information and Event Management (SIEM)
Answers: A, C

Core features for posture management.

Why this answer

Options A and C are correct. Defender for Cloud provides vulnerability assessment and security posture management. Option D is wrong because CASB is Defender for Cloud Apps.

Option E is wrong because SIEM is Sentinel. Option B is wrong because endpoint detection and response is Defender for Endpoint.

797
MCQ · easy

A company's IT department deploys a multi-layered security strategy that includes a perimeter firewall, network segmentation, endpoint antivirus software, data encryption, and employee security awareness training. Which security model does this approach represent?

A.Zero Trust
B.Least Privilege
C.Defense in Depth
D.Shared Responsibility
Answer: C

Defense in depth uses multiple overlapping security layers to reduce risk.

Why this answer

The described approach—combining perimeter firewalls, network segmentation, endpoint antivirus, encryption, and training—is the classic definition of Defense in Depth. This model layers multiple independent security controls so that if one layer fails (e.g., a firewall rule is misconfigured), subsequent layers (e.g., segmentation, antivirus) still protect the asset. It does not assume any single control is sufficient, which is the core principle of Defense in Depth.

Exam trap

The trap here is that candidates see 'firewall' and 'encryption' and immediately think Zero Trust, but Zero Trust requires explicit identity verification and micro-segmentation, not just a layered stack of traditional controls.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a model that explicitly assumes no implicit trust and requires continuous verification of every access request (e.g., using conditional access policies and micro-segmentation), whereas the question describes a layered set of static controls without the 'never trust, always verify' mandate. Option B is wrong because Least Privilege is a principle that restricts users and processes to only the permissions necessary for their tasks (e.g., via RBAC or JIT access), not a multi-layered security architecture. Option D is wrong because Shared Responsibility is a cloud model that defines which security tasks are handled by the provider vs. the customer (e.g., AWS handles physical security while the customer manages IAM), not a layered on-premises or hybrid security strategy.

798
MCQ · hard

A company deploys a sensitivity label as shown in the exhibit. The custom sensitive information type 'Custom_PII_Type' is configured to detect employee IDs. What happens when a user creates a new document in SharePoint Online that contains an employee ID?

A.The user is prompted to manually apply the label.
B.The document is blocked from being shared externally.
C.The document is automatically labeled 'Highly Confidential' and encrypted.
D.The document is deleted automatically.
Answer: C

Auto-labeling applies the label and encryption automatically.

Why this answer

The label has auto-labeling enabled, so it will automatically apply the label and encryption to the document when the condition is met. The user does not need to manually apply the label, and the document is not blocked or deleted.

799
MCQ · hard

A company uses Microsoft Entra ID and Intune for mobile device management. They want to enforce different access requirements for their finance application: when users access from an unmanaged personal device, they must perform multi-factor authentication (MFA). When they access from a corporate-managed device that is marked as compliant (e.g., joined to Azure AD, antivirus up-to-date, encryption enabled), MFA should not be required. Device compliance is reported by Intune. Which Microsoft Entra ID feature should they use to define these rules?

A.Identity Protection risk policies
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Intune device compliance policies
Answer: B

Conditional Access evaluates conditions such as device compliance (reported by Intune) and can grant access with or without MFA based on the conditions. This is the correct tool.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define granular access rules based on signals such as user, device, location, and application. In this scenario, the policy can be configured to require MFA when the device is not marked as compliant (e.g., unmanaged personal device) and to allow access without MFA when the device is reported as compliant by Intune. This is the correct feature because it directly evaluates device compliance status from Intune and enforces the specified access requirements.

Exam trap

The trap here is that candidates often confuse Intune device compliance policies (which define the rules for compliance) with Conditional Access policies (which enforce access decisions based on that compliance status), leading them to select Option D instead of the correct feature that actually enforces the MFA requirement.

How to eliminate wrong answers

Option A is wrong because Identity Protection risk policies focus on user and sign-in risk (e.g., leaked credentials, anonymous IP addresses) and do not evaluate device compliance status from Intune. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not device-based access rules for applications. Option D is wrong because Intune device compliance policies define the compliance criteria (e.g., encryption, antivirus) but do not enforce access decisions; they only report compliance status to Entra ID for Conditional Access to evaluate.

800
MCQmedium

A financial institution uses Microsoft 365 and needs to prevent employees from accidentally sharing sensitive financial data (e.g., account numbers) via email. They also need to inform the sender with a policy tip if they attempt to send such data and block the email if it's shared externally. Which Microsoft Purview solution should they use?

A.Data Loss Prevention (DLP)
B.Information Protection (Sensitivity labels)
C.Communication Compliance
D.Records Management
AnswerA

DLP policies can automatically identify, monitor, and protect sensitive information, including providing user notifications (policy tips) and blocking actions when sensitive data is shared in violation of policy.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect, warn, and block the accidental sharing of sensitive data—such as financial account numbers—via email. DLP policies can be configured with conditions that trigger a policy tip to inform the sender and automatically block the email if it is sent externally, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Information Protection (sensitivity labels) with DLP, not realizing that sensitivity labels handle classification and encryption of data at rest, while DLP is the solution for monitoring and controlling data in motion (e.g., email) with real-time user notifications and blocking.

How to eliminate wrong answers

Option B (Information Protection / Sensitivity labels) is wrong because sensitivity labels are used to classify and protect data at rest (e.g., applying encryption or visual markings), but they do not natively inspect email content in transit or provide real-time policy tips and blocking actions for outgoing messages. Option C (Communication Compliance) is wrong because its primary purpose is to monitor and detect policy violations (e.g., insider trading, harassment) for review, not to proactively block emails or show policy tips to senders. Option D (Records Management) is wrong because it focuses on managing the lifecycle and retention of records for legal or regulatory compliance, not on preventing accidental data leakage via email.

801
MCQmedium

A company has a policy that prohibits employees from sharing confidential customer data with unauthorized parties. The compliance team needs to detect patterns of unusual user activity that may indicate insider data theft, such as downloading large volumes of data to a personal device or emailing sensitive files to external recipients. They also want to investigate the activity and take remediation actions like generating a case for litigation or notifying the user's manager. Which Microsoft Purview solution should they use?

A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Data Loss Prevention
C.Microsoft Purview Audit
D.Microsoft Purview eDiscovery
AnswerA

Insider Risk Management detects risky user patterns and provides investigation and remediation workflows.

Why this answer

Microsoft Purview Insider Risk Management is designed specifically to detect, investigate, and remediate insider data theft scenarios. It uses predefined and customizable policies to identify patterns like large-volume downloads to personal devices or emailing sensitive files externally, and provides built-in remediation actions such as generating a case for litigation or notifying a user's manager.

Exam trap

The trap here is that candidates confuse Data Loss Prevention (DLP) with Insider Risk Management because both deal with data protection, but DLP is a preventive control for policy enforcement, whereas Insider Risk Management is a detective and investigative solution with remediation workflows.

How to eliminate wrong answers

Option B (Microsoft Purview Data Loss Prevention) is wrong because DLP focuses on preventing data exfiltration in real-time by blocking or alerting on policy violations, but it does not provide the investigative workflow, case management, or remediation actions like notifying a manager or generating a litigation case. Option C (Microsoft Purview Audit) is wrong because Audit only logs user and admin activities for forensic review; it does not proactively detect patterns of unusual activity or offer remediation actions. Option D (Microsoft Purview eDiscovery) is wrong because eDiscovery is used for legal hold, search, and export of content for litigation or investigation, not for detecting insider risk patterns or initiating remediation workflows.

802
MCQhard

A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?

A.Confidentiality, achieved through encryption
B.Integrity, achieved through hashing
C.Non-repudiation, achieved through digital signatures
D.Access control, achieved through permissions
AnswerC

Digital signatures provide authentication and integrity, and the sender cannot repudiate the signed data because only they possess their private key.

Why this answer

Non-repudiation ensures that a party cannot deny an action, such as sending an email. Digital signatures, which use asymmetric cryptography (e.g., RSA or ECDSA) and a hash of the message, provide cryptographic proof of the sender's identity and message integrity, making denial impossible.

Exam trap

The trap here is that candidates confuse integrity (hashing) with non-repudiation, not realizing that a hash alone lacks sender identity binding—only a digital signature provides the cryptographic proof of origin needed to prevent denial.

How to eliminate wrong answers

Option A is wrong because confidentiality, achieved through encryption (e.g., AES, TLS), protects data from unauthorized access but does not provide proof of origin or prevent denial of sending. Option B is wrong because integrity, achieved through hashing (e.g., SHA-256), ensures data has not been altered but does not bind the hash to a specific sender, so it cannot prevent repudiation. Option D is wrong because access control, achieved through permissions (e.g., NTFS permissions, RBAC), restricts who can perform actions but does not provide cryptographic evidence linking an action to a specific user.

803
MCQmedium

A company uses Microsoft Defender for Endpoint to secure its devices, Microsoft Defender for Office 365 for email security, and Microsoft Defender for Identity for on-premises Active Directory. The security team wants a single console to view correlated incidents across these domains, where an incident might combine a suspicious email, a malicious file download, and a compromised account. Which Microsoft solution provides this unified incident view and automatic correlation?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender (now Microsoft Defender XDR)
D.Microsoft Purview Compliance Portal
AnswerC

Defender XDR automatically correlates alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into unified incidents and provides a single console for investigation.

Why this answer

Microsoft 365 Defender (now Microsoft Defender XDR) is the correct answer because it provides a unified incident view across Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. It automatically correlates alerts from these domains—such as a suspicious email, a malicious file download, and a compromised account—into a single incident, enabling security teams to investigate and respond from one console.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), mistakenly thinking Sentinel provides the same out-of-the-box cross-domain correlation, when in fact Sentinel requires manual configuration and is not the single console for native Defender product integration.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs from multiple sources, but it does not natively provide the automatic, built-in correlation across Defender for Endpoint, Office 365, and Identity; it requires custom analytics rules and data connectors to achieve similar correlation. Option B is wrong because Microsoft Defender for Cloud is focused on securing cloud workloads (IaaS, PaaS, and data services) and does not integrate email security or on-premises Active Directory signals into a unified incident view. Option D is wrong because Microsoft Purview Compliance Portal is designed for data governance, compliance, and risk management (e.g., data loss prevention, eDiscovery), not for security incident correlation across endpoint, email, and identity domains.

804
MCQmedium

Your company uses Microsoft Sentinel to manage security incidents. You need to automatically assign incidents to a specific analyst team based on the incident category (e.g., phishing incidents to the SOC team). What should you configure?

A.Create a watchlist mapping categories to teams and use it in analytics rules
B.Automation rule with a condition on incident category and an action to assign to the SOC team
C.Configure the analytics rule to set the incident owner in the rule query
D.Playbook triggered by incident creation that assigns the incident
AnswerB

Automation rules can set incident owner based on conditions.

Why this answer

Automation rules in Microsoft Sentinel allow you to define conditions based on incident properties (like category) and automatically take actions such as assigning the incident to a specific team. This is the correct and most efficient method for routing incidents by category without requiring custom code or external playbooks.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a playbook (Option D) because they think automation rules cannot handle assignment, but Sentinel automation rules natively support the 'Assign incident' action without needing Logic Apps.

How to eliminate wrong answers

Option A is wrong because watchlists are used for correlating data or enriching alerts, not for triggering automated assignment actions based on incident categories. Option C is wrong because analytics rule queries generate alerts but cannot directly set the incident owner; ownership is managed at the incident level after creation. Option D is wrong because, while a playbook triggered by incident creation could assign the incident, it is an over-engineered solution compared to the simpler, built-in automation rule, and playbooks require additional configuration and Logic Apps.

805
Matchingmedium

Match each authentication method to its description.


Matches

Sign in without a password using biometrics or FIDO2

Require two or more verification methods

One credential for multiple applications

Policy-based access controls based on signals

Biometric or PIN-based sign-in for Windows

Why these pairings

These are key authentication concepts in Microsoft identity.

806
MCQmedium

Your organization is using Microsoft Entra ID with P2 licenses. You need to enforce a policy that requires administrators to request approval before activating their privileged roles, and approvals must expire after 8 hours. Additionally, you need to ensure that all privileged role activations are logged for auditing. Which combination of Microsoft Entra capabilities should you use?

A.Implement Identity Protection user risk policy to block high-risk admins, and use sign-in logs.
B.Configure Privileged Identity Management (PIM) for role activation with approval and expiration, and use PIM audit logs.
C.Create a Conditional Access policy requiring multi-factor authentication for admins, and use activity logs.
D.Set up Azure AD Access Reviews to require monthly review of privileged roles, and enable diagnostic settings.
AnswerB

Correct: PIM provides exactly these capabilities.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time role activation with configurable approval workflows and expiration durations, meeting the requirement for administrators to request approval and for approvals to expire after 8 hours. PIM audit logs capture all activation events, including who approved, when, and for which role, fulfilling the auditing requirement. This combination directly addresses the policy needs without relying on unrelated capabilities like user risk policies or access reviews.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control sign-in conditions) with PIM (which controls role activation), leading them to choose Option C because they think MFA enforcement is sufficient for privileged role security.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy blocks users based on risk level, not role activation approval or expiration, and sign-in logs do not capture privileged role activation events. Option C is wrong because Conditional Access policies enforce authentication requirements like MFA during sign-in, not role activation approval workflows or expiration, and activity logs lack the granularity of PIM-specific activation auditing. Option D is wrong because Azure AD Access Reviews are for periodic attestation of role membership, not for controlling activation with approval and expiration, and diagnostic settings export logs but do not enforce the approval or expiration policy.

807
MCQmedium

Your company, Wingtip Toys, uses Microsoft Entra ID with a free license. You have a third-party SaaS application that supports Security Assertion Markup Language (SAML) 2.0. You need to enable single sign-on (SSO) for users to access this application. However, the app requires attributes like department and employee ID in the SAML token. You also need to ensure that only users from a specific security group can access the app. What should you do?

A.Register the app using OpenID Connect and assign users to the app.
B.Add the app from the gallery using password-based SSO and configure group assignment.
C.Use Microsoft Entra Application Proxy to publish the app and configure pre-authentication.
D.Add the app from the gallery as a SAML application, configure claims mapping to include department and employee ID, and assign the app to the security group.
AnswerD

This meets all requirements.

Why this answer

Option D is correct because the scenario requires SAML 2.0 support, custom attribute claims (department and employee ID), and group-based access control. Adding the app from the gallery as a SAML application allows you to configure SAML-based SSO, map claims to include the required attributes, and assign the app to a specific security group to restrict access. This fully meets the requirements using Microsoft Entra ID's free license.

Exam trap

The trap here is that candidates may confuse SAML with OpenID Connect or password-based SSO, or incorrectly assume that Application Proxy is suitable for SaaS apps, when only a SAML gallery app supports custom attribute claims and group-based assignment for a third-party SaaS application.

How to eliminate wrong answers

Option A is wrong because OpenID Connect is an authentication protocol built on OAuth 2.0, not SAML 2.0, and it does not support the SAML token format or custom SAML attribute claims required by the app. Option B is wrong because password-based SSO does not use SAML tokens and cannot include custom attributes like department and employee ID in a token; it relies on form-fill or credential injection, not SAML assertions. Option C is wrong because Microsoft Entra Application Proxy is used for publishing on-premises apps, not for third-party SaaS applications, and it does not provide SAML token customization or gallery-based SAML configuration.

808
MCQmedium

A security team wants to receive a unified security posture assessment for their hybrid workloads including Azure VMs, on-premises SQL servers, and AWS EC2 instances. They need to get actionable recommendations to harden configurations and improve their overall security score. Which Microsoft security solution provides this capability?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud provides CSPM across multi-cloud and hybrid environments, offering recommendations and a unified secure score.

Why this answer

Microsoft Defender for Cloud provides a unified security posture assessment across hybrid and multi-cloud workloads, including Azure VMs, on-premises SQL servers, and AWS EC2 instances. It continuously assesses configurations against security baselines (e.g., Azure Security Benchmark, CIS controls) and generates a secure score with actionable recommendations to harden resources. This aligns directly with the requirement for a single dashboard covering all listed workload types.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (a posture management and CSPM tool) with Microsoft Sentinel (a SIEM), because both can ingest multi-cloud data, but only Defender for Cloud provides the unified secure score and actionable hardening recommendations for hybrid workloads.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices (e.g., workstations, servers) against threats like malware and ransomware, not on unified posture assessment or secure score for hybrid workloads. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR for threat detection, investigation, and response across logs and alerts, not a posture assessment tool for configuration hardening. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB for shadow IT discovery, app permissions, and data protection in SaaS applications, not for assessing the security posture of VMs, SQL servers, or EC2 instances.

809
MCQeasy

Your company uses Microsoft Defender XDR. You need to integrate threat intelligence from external sources to enrich alerts and automate response actions. Which feature should you use?

A.Automation rules
B.Threat analytics
C.Advanced hunting
D.Threat intelligence integration
AnswerD

Threat intelligence integration allows importing custom TI from external sources to enrich alerts.

Why this answer

Option D is correct because Microsoft Defender XDR supports threat intelligence integration via APIs and SIEM connectors, allowing ingestion of external threat intel. Option A is wrong because automation rules are for response actions, not ingestion. Option C is wrong because advanced hunting queries are for investigation.

Option B is wrong because threat analytics provides built-in intelligence, not external ingestion.

810
MCQmedium

A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?

A.Physical security of the data center hosting the application
B.Security of the underlying networking infrastructure
C.Managing user access and permissions for the application
D.Applying security patches to the application's code
AnswerC

The customer controls who uses the application and with what privileges. This is a customer responsibility regardless of the cloud service model.

Why this answer

In a SaaS model like a cloud-based CRM application, the customer is responsible for managing user access and permissions, including identity and access management (IAM), multi-factor authentication (MFA), and role-based access control (RBAC). The cloud provider handles the underlying infrastructure, platform, and application security, but the customer must control who can access the application and what they can do within it.

Exam trap

The trap here is that candidates often assume the customer is responsible for patching the application code in SaaS, but in reality, the provider handles all code-level patches, while the customer only manages user access and permissions.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the cloud provider's responsibility under the shared responsibility model for SaaS, as the customer has no physical access to the infrastructure. Option B is wrong because security of the underlying networking infrastructure, such as firewalls and network segmentation, is managed by the cloud provider in a SaaS deployment. Option D is wrong because applying security patches to the application's code is the cloud provider's responsibility in SaaS; the customer only manages configuration and user-level settings.

811
MCQhard

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices with a compliant antivirus solution can access corporate email. Which policy type should be configured?

A.App protection policy in Microsoft 365
B.Conditional Access policy in Microsoft Entra ID
C.Device compliance policy in Intune
D.Security baseline in Microsoft Defender for Cloud
AnswerB

Correct: Conditional Access can require device compliance, which includes antivirus requirements set in Intune compliance policies.

Why this answer

Conditional Access policies can grant access based on device compliance, and compliance policies in Intune can require antivirus to be installed and active.

812
MCQeasy

A company's security team implements a system where every access attempt to sensitive data is recorded, including who accessed the data and when. The logs are regularly reviewed to detect unauthorized access and to hold users accountable for their actions. Which security goal is primarily being addressed by this logging practice?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerD

Non-repudiation provides proof of actions taken by users, such as data access. Logs create an audit trail that can be used to hold users accountable and prevent denial of actions.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action. By recording who accessed sensitive data and when, the logging practice creates an audit trail that can prove a specific user accessed the data at a specific time, thereby preventing the user from denying that access. This directly addresses the security goal of non-repudiation.

Exam trap

The trap here is that candidates confuse logging with confidentiality or integrity, thinking that recording access prevents unauthorized viewing or data modification, when in fact logging is about accountability and non-repudiation.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on logging who accessed it. Option B is wrong because integrity ensures data has not been tampered with (e.g., through hashing or checksums), not on recording access events. Option C is wrong because availability ensures systems and data are accessible when needed (e.g., through redundancy or failover), not on tracking user actions.

813
MCQmedium

A healthcare organization uses Microsoft 365 and wants to prevent users from sending emails that contain patient health information (PHI) to external recipients. Which Microsoft Purview solution should they implement?

A.Data Lifecycle Management
B.Data Loss Prevention (DLP)
C.Insider Risk Management
D.eDiscovery
AnswerB

DLP policies can inspect content in emails and files for sensitive data, and then block or warn users according to the configured rules.

Why this answer

Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and prevent the unauthorized sharing of sensitive data, such as patient health information (PHI), via email and other channels. DLP policies can be configured with sensitive information types (e.g., HIPAA-defined PHI patterns) to automatically block or warn users when they attempt to send such data to external recipients.

Exam trap

The trap here is that candidates may confuse Insider Risk Management (which investigates suspicious behavior) with DLP (which proactively prevents data loss), leading them to choose Option C because they think 'insider' implies an employee sending PHI externally.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining, deleting, and archiving data based on compliance or business requirements, not on preventing the transmission of sensitive data. Option C is wrong because Insider Risk Management is designed to identify, triage, and investigate risky user activities (e.g., data theft or policy violations) after the fact, not to proactively block outbound emails containing PHI. Option D is wrong because eDiscovery is used for searching, preserving, and exporting content for legal or investigative purposes, not for real-time prevention of data leakage.

814
MCQeasy

A company implements multiple layers of security controls, including firewalls, antivirus software, access controls, and security awareness training. Which security concept does this approach best represent?

A.Zero Trust
B.Defense in depth
C.Shared responsibility
D.Least privilege
AnswerB

Defense in depth uses multiple overlapping layers of security controls (e.g., network, endpoint, access, awareness) to protect assets, making it the correct concept.

Why this answer

Defense in depth is the correct concept because it involves layering multiple independent security controls—such as firewalls, antivirus, access controls, and training—so that if one layer fails, others continue to protect the asset. This approach reduces the likelihood of a single point of failure and is a foundational strategy in cybersecurity architecture.

Exam trap

The trap here is that candidates confuse the layered approach of defense in depth with the Zero Trust model, but Zero Trust is specifically about eliminating implicit trust and enforcing per-request verification, not just adding multiple security layers.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model based on 'never trust, always verify' that requires continuous authentication and authorization for every access request, not simply the presence of multiple security layers. Option C is wrong because Shared responsibility is a cloud computing model that delineates security obligations between the provider and customer, not a strategy for deploying layered controls on-premises. Option D is wrong because Least privilege is a principle that grants users only the minimum permissions needed to perform their tasks, which is a specific access control practice, not a comprehensive layering strategy.

815
MCQeasy

A company wants to prevent employees from accidentally sharing a document containing personally identifiable information (PII) with external users. The document is stored in OneDrive for Business. Which Microsoft Purview solution should they use?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Information Protection
C.Microsoft Purview Audit
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerD

DLP policies can detect PII and block external sharing.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect sensitive content and block sharing with external users. Information Protection labels can classify but rely on DLP to enforce restrictions. Communication Compliance monitors communications.

Audit logs record sharing events but do not prevent them.

816
MCQeasy

A company uses Microsoft Entra ID (formerly Azure Active Directory) for identity management. They want to automatically block sign-ins from users whose credentials have been compromised and require them to change their password before access is granted. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra ID Protection
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerA

Identity Protection detects risks like leaked credentials and can enforce policies to block sign-ins and require password changes.

Why this answer

Microsoft Entra ID Protection is the correct capability because it automatically detects compromised credentials by analyzing telemetry from Microsoft's Threat Intelligence and the wider ecosystem. When a user's credentials are found in a known leak, Entra ID Protection can enforce a policy that blocks sign-in and requires the user to change their password via an integrated remediation workflow, directly addressing the scenario.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with risk-based policies, but Conditional Access alone cannot detect compromised credentials or enforce password changes—it requires Entra ID Protection as the risk signal source.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies are a decision engine that enforces access controls based on signals (like location or device state), but they do not inherently detect compromised credentials or trigger password changes; they rely on other services like Entra ID Protection for risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, access reviews, and auditing for administrative roles, not on detecting or remediating compromised user credentials. Option D is wrong because Self-Service Password Reset (SSPR) allows users to voluntarily reset their own passwords, but it does not automatically block sign-ins or force a password change based on compromised credential detection; it requires user initiation.

817
MCQmedium

An organization uses Microsoft Entra ID and wants to require users to re-authenticate every 4 hours when accessing a critical financial application, even if the user already has an active sign-in session. Which Conditional Access control should be configured?

A.Grant control 'Require multi-factor authentication'
B.Session control 'Sign-in frequency'
C.Session control 'Persistent browser session'
D.Grant control 'Require device to be marked as compliant'
AnswerB

Correct. The sign-in frequency session control allows administrators to set the time interval after which a user must re-authenticate, even if the session is still active.

Why this answer

The 'Sign-in frequency' session control in Conditional Access allows administrators to specify the time interval after which a user must re-authenticate, even if they have an active session. By setting this to 4 hours, the organization ensures that users re-authenticate before accessing the critical financial application, overriding any existing session tokens.

Exam trap

The trap here is confusing session controls (which manage token lifetime and re-authentication behavior) with grant controls (which enforce conditions at initial sign-in), leading candidates to select 'Require multi-factor authentication' thinking it will force periodic re-authentication.

How to eliminate wrong answers

Option A is wrong because 'Require multi-factor authentication' is a grant control that enforces an additional verification factor at sign-in, but it does not enforce a re-authentication interval; once MFA is satisfied, the session persists until token expiry. Option C is wrong because 'Persistent browser session' controls whether the browser keeps the user signed in after closing, not the frequency of re-authentication during an active session. Option D is wrong because 'Require device to be marked as compliant' ensures the device meets compliance policies (e.g., OS updates, antivirus), but it does not enforce a time-based re-authentication requirement.

818
MCQeasy

A company wants to automatically detect and remediate inappropriate messages in Microsoft Teams. Which Microsoft Purview solution should be configured?

A.Microsoft Purview eDiscovery
B.Microsoft Purview Insider Risk Management
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Communication Compliance
AnswerD

Communication Compliance detects and remediates inappropriate messages.

Why this answer

Microsoft Purview Communication Compliance helps detect offensive language, harassment, and policy violations in Teams, Exchange, and other channels. Option A is wrong because eDiscovery is for searching and exporting content, not detecting inappropriate messages. Option B is wrong because Insider Risk Management focuses on data theft and leaks. Option C is wrong because DLP is for protecting sensitive data, not for detecting inappropriate language.

819
MCQeasy

You are viewing an application registration in Microsoft Entra ID. What can you conclude about this app?

A.The app is disabled and cannot be used
B.The app is a single-tenant application that is enabled but has no app roles defined
C.The app has custom roles for role-based access
D.The app is multi-tenant and can be used by other tenants
AnswerB

SignInAudience indicates single-tenant and AppRoles is empty.

Why this answer

The application registration shows 'App roles' with a value of 0, which means no app roles are defined. The 'Supported account types' setting indicates 'Accounts in this organizational directory only', confirming it is a single-tenant application. The 'Enabled for users to sign-in?' toggle is set to 'Yes', so the app is enabled and can be used.

Exam trap

The trap here is that candidates often confuse a disabled app (where the 'Enabled for users to sign-in?' toggle is set to 'No') with an app that has no app roles defined, leading them to incorrectly select option A when the app is actually enabled but lacks roles.

How to eliminate wrong answers

Option A is wrong because the 'Enabled for users to sign-in?' toggle is set to 'Yes', meaning the app is enabled and can be used. Option C is wrong because the 'App roles' count is 0, indicating no custom roles are defined; custom roles would require at least one app role to be listed. Option D is wrong because the 'Supported account types' is set to 'Accounts in this organizational directory only', which explicitly restricts the app to a single tenant, not multi-tenant.

820
MCQmedium

Your organization uses Microsoft Purview to manage records. For legal reasons, you need to preserve all documents related to a specific litigation case and prevent any modification or deletion. Which feature should you use?

A.Retention labels
B.eDiscovery (Premium) legal hold
C.Data Loss Prevention
D.Audit logs
AnswerB

Legal hold preserves content and prevents modification or deletion.

Why this answer

Option B is correct because eDiscovery (Premium) allows you to place a legal hold on content, which preserves it and prevents modification or deletion. Option A is wrong because retention labels retain content for a period but do not prevent modification. Option C is wrong because DLP is for preventing data loss, not preserving evidence. Option D is wrong because audit logs track activity but do not prevent changes.

821
MCQhard

A company wants to monitor employee communications in Microsoft Teams and Exchange Online for potential policy violations such as harassment or inappropriate sharing of confidential information. They need a solution that allows them to define policies, review flagged messages, and manage investigations. Which Microsoft Purview solution should they use?

A.Communication Compliance
B.Insider Risk Management
C.Information Barriers
D.Audit (Standard or Premium)
AnswerA

Correct. Communication Compliance is purpose-built for detecting and reviewing policy violations in communications (e.g., harassment), with policy creation and investigation capabilities.

Why this answer

Communication Compliance is the correct Microsoft Purview solution because it is specifically designed to monitor communications (e.g., emails in Exchange Online and messages in Microsoft Teams) for policy violations such as harassment or inappropriate sharing of confidential information. It allows administrators to define customizable policies, automatically flag messages that match sensitive information types or offensive language, and manage investigations through a built-in review workflow.

Exam trap

The trap here is confusing Communication Compliance with Insider Risk Management, as both deal with compliance and risk, but Insider Risk Management is focused on user behavior and data theft, not on monitoring communication content for policy violations like harassment or inappropriate sharing.

How to eliminate wrong answers

Option B (Insider Risk Management) is wrong because it focuses on detecting, investigating, and acting on risky user activities (e.g., data exfiltration, malicious insiders) rather than monitoring communications for policy violations like harassment. Option C (Information Barriers) is wrong because it is used to restrict communication and collaboration between specific groups or users to prevent conflicts of interest, not to monitor or review flagged messages for compliance. Option D (Audit (Standard or Premium)) is wrong because it provides logging and forensic investigation of user and admin activities across Microsoft 365, but it does not include policy-based detection, flagging, or review of communication content for harassment or confidential information sharing.

822
MCQeasy

Your organization is implementing Microsoft Purview to manage data governance. You need to classify sensitive data such as social security numbers automatically. What should you create?

A.Data loss prevention policy
B.Retention label
C.Sensitive information type
D.Trainable classifier
AnswerC

Sensitive information types are patterns that automatically detect sensitive data like SSNs.

Why this answer

Option C is correct because sensitive information types (SITs) are pattern-based definitions that automatically detect data such as SSNs. Option A is wrong because DLP policies use SITs to decide what to protect but are not the classification mechanism themselves. Option B is wrong because retention labels manage how long content is kept, not how it is classified. Option D is wrong because trainable classifiers require sample data to be trained and are suited to content that cannot be matched by a fixed pattern.

823
MCQhard

A security operations team uses Microsoft 365 Defender and wants to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. They also need to integrate these alerts into Microsoft Sentinel for central incident management. Which Microsoft security solution provides these capabilities?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Office 365
AnswerA

Defender for Identity is specifically designed to protect on-premises Active Directory from advanced identity attacks and provides automated investigation and response.

Why this answer

Microsoft Defender for Identity (MDI) is the correct answer because it is specifically designed to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, including Pass-the-Hash (PtH) and Golden Ticket attacks. It uses behavioral analytics and machine learning to identify suspicious activities such as anomalous Kerberos ticket requests and NTLM authentication anomalies. MDI also natively integrates with Microsoft Sentinel, allowing alerts to be ingested for central incident management.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Cloud Apps, assuming both handle identity threats, but only MDI specifically targets on-premises Active Directory attacks like PtH and Golden Ticket.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps focuses on securing cloud applications (SaaS) and shadow IT, not on-premises Active Directory attacks like PtH or Golden Ticket. Option C is wrong because Microsoft Defender for Endpoint protects endpoints (devices) from malware and file-based threats, but it does not specialize in detecting identity-based attacks on Active Directory. Option D is wrong because Microsoft Defender for Office 365 secures email and collaboration tools (e.g., Exchange Online, SharePoint), not on-premises identity infrastructure.

824
MCQeasy

Your organization wants to use Microsoft Defender for Cloud to secure Azure virtual machines. Which feature should they enable to get vulnerability assessment without additional agents?

A.File integrity monitoring
B.Just-in-time VM access
C.Adaptive application controls
D.Vulnerability assessment
AnswerD

Agentless scanning for VMs.

Why this answer

Microsoft Defender for Cloud includes a built-in vulnerability assessment solution for Azure virtual machines that does not require any additional agents. When enabled, it uses the Qualys scanner integrated directly into the platform to continuously scan for vulnerabilities, providing findings without the need to deploy or manage separate agents on the VMs.

Exam trap

The trap here is that candidates may confuse 'vulnerability assessment' with other security controls like file integrity monitoring or adaptive application controls, not realizing that Defender for Cloud offers a dedicated, agentless vulnerability scanning capability specifically for VMs.

How to eliminate wrong answers

Option A is wrong because File integrity monitoring (FIM) tracks changes to critical files, registries, and system settings, not vulnerability scanning. Option B is wrong because Just-in-time (JIT) VM access reduces the attack surface by controlling network access to VMs, not by assessing vulnerabilities. Option C is wrong because Adaptive application controls create allowlists for running applications to prevent malware, not to scan for software vulnerabilities.

825
MCQeasy

An organization wants to allow users to reset their own passwords without help desk intervention. Which Microsoft Entra feature should they enable?

A.Conditional Access
B.Self-service password reset
C.Privileged Identity Management
D.Identity Protection
AnswerB

SSPR enables users to reset their own passwords.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature specifically designed to allow users to reset their own passwords without requiring help desk intervention. It enforces security through authentication methods (e.g., phone, email, security questions) and can be configured to meet organizational policies. This directly addresses the scenario of reducing help desk workload for password resets.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with SSPR (which handles the password reset process itself), leading them to select A because they think 'self-service' implies a policy-based control.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals like user, device, or location — it does not provide a mechanism for users to reset their own passwords. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation, approval workflows, and access reviews for elevated roles; it does not handle end-user password resets. Option D is wrong because Identity Protection uses risk detection (e.g., leaked credentials, anonymous IP addresses) to trigger automated responses like blocking sign-ins or requiring MFA — it does not enable users to reset their own passwords.
