Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 826–900

1411 questions total · 19 pages · All types, answers revealed

Page 12 of 19

826 · MCQ · hard

A compliance officer needs to evaluate their organization's security and compliance posture against multiple regulatory frameworks such as HIPAA, GDPR, and ISO 27001. The solution must provide a continuous assessment score, actionable improvement actions, and the ability to track implementation progress. Which Microsoft Purview solution should they use?

A. Microsoft Purview Information Protection
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Compliance Manager
D. Microsoft Purview eDiscovery

Answer: C

Compliance Manager offers a compliance score, pre-built assessments for standards like GDPR and HIPAA, and tracks improvement actions to remediate gaps.

Why this answer

Microsoft Purview Compliance Manager is the correct solution because it provides a continuous compliance assessment score against multiple regulatory frameworks (including HIPAA, GDPR, and ISO 27001), offers actionable improvement actions, and enables tracking of implementation progress through a centralized dashboard. It maps controls to specific regulations and generates a compliance score based on implemented controls, making it the only option that meets all stated requirements.

Exam trap

The trap here is that candidates often confuse Compliance Manager with Information Protection or DLP because all three are Purview solutions, but only Compliance Manager provides multi-framework compliance scoring and improvement tracking, while the others focus on data classification or leakage prevention.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels and encryption), not on evaluating compliance posture against regulatory frameworks or providing a continuous assessment score. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to detect and prevent unauthorized sharing of sensitive data through policies and rules, not to assess compliance against multiple frameworks or track improvement actions. Option D is wrong because Microsoft Purview eDiscovery is used for identifying, preserving, and exporting electronic content for legal or investigative purposes, not for continuous compliance scoring or regulatory framework mapping.

827 · MCQ · medium

Your organization uses Microsoft Entra ID. You need to ensure that only users from the finance department can access a sensitive application, and they must be granted access dynamically based on their department attribute. What should you configure?

A. Create an administrative unit for the finance department.
B. Create a dynamic group with rule: user.department -eq "Finance".
C. Enable self-service group management.
D. Configure entitlement management with an access package for the finance application.

Answer: B

Dynamic groups automatically add or remove members based on attributes.

Why this answer

Option B is correct because a dynamic group in Microsoft Entra ID automatically adds or removes members based on a rule, such as `user.department -eq "Finance"`. This ensures that only users whose department attribute equals "Finance" are granted access to the sensitive application, and membership updates dynamically as the attribute changes, without manual intervention.

Exam trap

The trap here is that candidates often confuse administrative units (which manage administrative boundaries) with dynamic groups (which manage access based on attributes), leading them to select Option A instead of the correct dynamic group solution.

How to eliminate wrong answers

Option A is wrong because administrative units are used to delegate administrative scopes (e.g., managing users in a specific department), not to control access to applications dynamically based on user attributes. Option C is wrong because self-service group management allows users to create and manage their own groups, but it does not enforce dynamic membership rules based on the department attribute; it relies on manual or approval-based membership. Option D is wrong because entitlement management with access packages provides a governance framework for requesting and approving access, but it does not automatically assign membership based on a dynamic attribute like department; it typically requires manual assignment or approval workflows.

828 · MCQ · hard

A company uses Microsoft Entra ID Privileged Identity Management (PIM) to manage elevated access to Microsoft Entra ID roles. They want to ensure that a user who activates a privileged role must provide a justification and receive approval from their manager before activation is complete. Which PIM configuration should be used?

A. Configure role settings to require multi-factor authentication on activation
B. Configure role settings to require approval on activation
C. Configure role settings to assign the user as permanently active
D. Configure role settings to require a Microsoft Entra ID compliant device

Answer: B

Correct. By requiring approval, PIM will route the activation request to designated approvers (often managers) who must approve before the role is activated. Justification is typically required regardless.

Why this answer

Option B is correct because Microsoft Entra ID Privileged Identity Management (PIM) allows administrators to configure role settings that require approval before a role is activated. By enabling the 'Require approval to activate' setting, a designated approver (such as the user's manager) must review and approve the activation request, ensuring that the justification is validated before access is granted.

Exam trap

The trap here is that candidates often confuse 'require approval' with 'require MFA' or 'require compliant device,' not realizing that only the approval setting introduces a separate review step by another person, which is explicitly needed for manager authorization.

How to eliminate wrong answers

Option A is wrong because requiring multi-factor authentication (MFA) on activation enforces additional identity verification but does not involve a separate approval workflow or manager review. Option C is wrong because assigning the user as permanently active eliminates the need for activation entirely, bypassing both justification and approval requirements. Option D is wrong because requiring a Microsoft Entra ID compliant device enforces device health policies but does not implement an approval process for role activation.

829 · Drag & Drop · medium

Sequence the steps to configure a retention policy in Microsoft Purview compliance portal.

Why this order

Retention policies require signing in, navigating to retention, creating a policy, selecting locations/conditions, and setting duration.

830 · Multi-Select · hard

Which THREE of the following are core principles of the Zero Trust security model? (Choose three.)

Select 3 answers
A. Verify explicitly
B. Trust but verify
C. Assume breach
D. Least privilege
E. Single factor authentication

Answers: A, C, D

Zero Trust requires continuous verification of identities and devices.

Why this answer

Zero Trust principles include 'Verify explicitly', 'Least privilege', and 'Assume breach'. 'Trust but verify' is a traditional perimeter-based model. 'Single factor' contradicts explicit verification.

831 · MCQ · easy

A company uses a financial accounting system where the employee who creates a purchase order cannot also approve it. This policy is designed to prevent a single individual from committing fraud by both initiating and approving a transaction. Which security principle does this practice primarily implement?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Zero Trust

Answer: B

This principle distributes critical functions among different individuals to prevent any single person from having excessive control, reducing the risk of fraud or error.

Why this answer

The practice of requiring different individuals to create and approve purchase orders directly implements the separation of duties principle. This security control ensures that no single person has complete control over a sensitive financial transaction, thereby reducing the risk of fraud or error. In the context of identity and access management, separation of duties enforces that conflicting tasks are assigned to different users to prevent abuse of privileges.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege limits the scope of permissions while separation of duties divides critical tasks to prevent a single point of failure or fraud.

How to eliminate wrong answers

Option A is wrong because least privilege focuses on granting users only the minimum permissions necessary to perform their job functions, not on splitting conflicting tasks among multiple users. Option C is wrong because defense in depth is a layered security strategy that combines multiple controls (e.g., firewalls, encryption, antivirus) to protect assets, not a specific control for segregating duties. Option D is wrong because Zero Trust is a security model based on 'never trust, always verify' and continuous authentication, not a principle that directly addresses the segregation of conflicting responsibilities.

832 · MCQ · medium

A multinational company deploys Microsoft Purview Data Loss Prevention (DLP) to protect credit card numbers. The compliance team reports that a DLP policy blocks a legitimate payment processing workflow. What should the compliance administrator do to allow the workflow while maintaining protection?

A. Add the payment processing server to the DLP policy's allow list.
B. Configure a DLP policy tip that allows users to override the block with a business justification.
C. Reduce the minimum confidence level in the DLP policy.
D. Disable the DLP policy for the payment processing department.

Answer: B

Policy tips with override enable legitimate workflows while maintaining oversight.

Why this answer

Option B is correct because DLP policy tips allow users to override a block and provide a business justification, which can then be reviewed. Option D is wrong because disabling the policy leaves the data unprotected. Option A is wrong because adding the payment server to an allow list would bypass DLP entirely for that server. Option C is wrong because lowering the confidence level would reduce detection accuracy, potentially allowing real violations through.

833 · Multi-Select · hard

An organization is using Microsoft Purview Compliance Portal to manage data lifecycle. Which THREE actions can be performed using retention labels?

Select 3 answers
A. Trigger a disposition review at the end of retention
B. Automatically delete content after a specified period
C. Apply a retention period to content
D. Block sharing of sensitive information via email
E. Mark content as a regulatory record

Answers: A, C, E

Correct: Labels can trigger review.

Why this answer

Retention labels can apply retention actions, mark as records, and trigger disposition review. They do not automatically delete data without a policy; instead, they work with retention policies. They cannot be used for DLP directly.

834 · MCQ · medium

A company requires that all users accessing a financial application from outside the corporate network must complete multi-factor authentication (MFA). The IT team is configuring a Microsoft Entra ID Conditional Access policy to enforce this requirement. Which component of the policy should be configured to apply the MFA requirement?

A. Conditions
B. Assignments
C. Session controls
D. Grant controls

Answer: D

Grant controls determine whether access is blocked or allowed and can require additional conditions like MFA, device compliance, or terms of use. Configuring 'Require multi-factor authentication' under Grant controls enforces the MFA requirement.

Why this answer

Grant controls are the component of a Conditional Access policy that enforce the actual access requirements, such as requiring multi-factor authentication (MFA). By configuring the 'Require multi-factor authentication' checkbox under Grant controls, the policy ensures that users must complete MFA before accessing the financial application. This is the correct setting to apply the MFA requirement.

Exam trap

The trap here is confusing Grant controls (which enforce the MFA requirement) with Conditions (which define the 'when' of the policy), leading candidates to incorrectly select Conditions because they think it controls the MFA trigger rather than the enforcement action.

How to eliminate wrong answers

Option A is wrong because Conditions define the signals or triggers (e.g., user risk, device platform, location) that determine when the policy applies, not the enforcement action like MFA. Option B is wrong because Assignments specify which users, groups, or applications are included in or excluded from the policy, not the access control requirement itself. Option C is wrong because Session controls manage user experience after access is granted (e.g., limiting session duration or enforcing app restrictions), not the initial authentication requirement like MFA.

835 · MCQ · easy

You need to provide external partners with access to your organization's SharePoint site. The partners must use their own credentials. Which Microsoft Entra feature should you use?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra Identity Governance
C. Privileged Identity Management
D. Microsoft Entra ID Protection

Answer: A

B2B allows external users to sign in with their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it enables external users (partners) to access your organization's resources using their own identities (e.g., work, social, or other Azure AD accounts). It leverages the existing Azure AD tenant to issue guest user objects and supports SAML/WS-Federation or OIDC for authentication, allowing partners to authenticate with their own credentials without requiring a separate account or password in your tenant.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C (not listed), or mistakenly think Identity Governance or PIM can handle external authentication, when in fact B2B collaboration is the only feature that allows external users to bring their own credentials for resource access.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Governance) is wrong because it focuses on managing the lifecycle of identities and access rights (e.g., access reviews, entitlement management) but does not itself provide the mechanism for external users to authenticate with their own credentials. Option C (Privileged Identity Management) is wrong because it is designed to manage, control, and monitor privileged roles and just-in-time access within your own directory, not to enable external authentication. Option D (Microsoft Entra ID Protection) is wrong because it is a security tool that detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not facilitate external user sign-in with their own credentials.

836 · MCQ · hard

Fabrikam Inc., a global financial services company, uses Microsoft Purview to manage compliance. They have the following requirements: (1) Prevent users from sending emails containing credit card numbers (CCN) to external recipients; (2) automatically encrypt emails containing CCN; (3) notify users when an email is blocked; (4) allow users to override the block for business justifications; (5) generate incident reports for compliance teams. The company uses Microsoft 365 E5 licenses and has Exchange Online configured. The compliance team wants to implement a solution with minimal administrative overhead. What should the administrator configure?

A. Configure information barriers between the finance department and external recipients.
B. Create a Data Loss Prevention (DLP) policy in the Microsoft Purview compliance portal with conditions for CCN, and configure actions to block, encrypt, notify, and allow override.
C. Create a sensitivity label that automatically classifies emails with CCN and configure a label policy to encrypt them.
D. Enable Microsoft Purview Message Encryption and create a mail flow rule in Exchange to encrypt emails with CCN.

Answer: B

DLP policy meets all requirements with minimal overhead.

Why this answer

Option B is correct because a single DLP policy can block, encrypt, notify, and allow override, and it generates incident reports. Option C is wrong because sensitivity labels with auto-labeling classify but do not prevent sending. Option A is wrong because information barriers prevent communication between groups, not data exfiltration. Option D is wrong because message encryption without DLP does not block or provide override.

837 · MCQ · medium

A security architect is implementing a Zero Trust strategy. They state that all access requests must be verified continuously, regardless of where the request originates (corporate network or remote). They also emphasize that access is granted based on a policy that evaluates user identity, device health, location, and risk in real-time. Which Zero Trust guiding principle does this scenario primarily illustrate?

A. Verify explicitly
B. Use least privilege access
C. Assume breach
D. Enforce session controls

Answer: A

Correct. The 'Verify explicitly' principle means always authenticating and authorizing based on all available signals—identity, device, location, risk—not just network location.

Why this answer

The scenario explicitly describes continuous verification of all access requests based on real-time signals (user identity, device health, location, risk). This directly maps to the 'Verify explicitly' Zero Trust principle, which mandates that every access attempt must be authenticated and authorized using all available data points before granting access, regardless of network location.

Exam trap

The trap here is that candidates often confuse 'Verify explicitly' with 'Assume breach' because both involve continuous monitoring, but 'Verify explicitly' is specifically about authenticating and authorizing every request, while 'Assume breach' is about containment and detection after a compromise.

How to eliminate wrong answers

Option B is wrong because 'Use least privilege access' focuses on limiting permissions to the minimum required for a task, not on continuous verification of every request. Option C is wrong because 'Assume breach' is about designing systems to minimize blast radius and detect intrusions, not about verifying each access request in real-time. Option D is wrong because 'Enforce session controls' refers to monitoring and restricting actions within an established session, not the initial or continuous verification of access requests.

838 · MCQ · medium

Your organization uses Microsoft Intune to manage mobile devices. You need to ensure that devices with a jailbroken or rooted OS cannot access corporate resources. What should you configure?

A. A device compliance policy in Microsoft Intune
B. An app protection policy in Microsoft Intune
C. A device configuration policy in Microsoft Intune
D. A conditional access policy in Microsoft Entra ID

Answer: A

Compliance policies can detect jailbroken devices.

Why this answer

Option A is correct because a compliance policy in Intune can detect jailbroken or rooted devices and mark them as noncompliant. Option C is wrong because a device configuration policy sets settings, not compliance. Option B is wrong because an app protection policy manages app data, not device state. Option D is wrong because a conditional access policy in Entra ID consumes the compliance result but does not itself detect a jailbreak.

839 · MCQ · easy

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without help desk intervention, while maintaining security by requiring multi-factor authentication (MFA) during the reset process. Which feature should you enable?

A. Microsoft Entra Identity Protection.
B. Microsoft Entra Multi-Factor Authentication.
C. Conditional Access policies.
D. Microsoft Entra self-service password reset (SSPR).

Answer: D

SSPR allows users to reset passwords and can be configured to require MFA.

Why this answer

Microsoft Entra self-service password reset (SSPR) is the feature specifically designed to allow users to reset their own passwords without help desk intervention. When combined with Microsoft Entra Multi-Factor Authentication (MFA) as a registration and reset requirement, SSPR enforces MFA during the reset process, meeting both the self-service and security requirements.

Exam trap

The trap here is that candidates often confuse the authentication enforcement mechanism (MFA or Conditional Access) with the actual self-service reset feature, mistakenly selecting MFA or Conditional Access instead of SSPR, which is the only option that directly provides the password reset functionality.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation service that can trigger automated responses (e.g., requiring MFA or blocking sign-ins) but does not itself enable users to reset passwords. Option B is wrong because Microsoft Entra Multi-Factor Authentication alone provides an additional verification step during authentication but does not include the self-service password reset capability. Option C is wrong because Conditional Access policies enforce access controls (e.g., requiring MFA or blocking locations) based on conditions, but they do not directly enable users to reset their own passwords.

840 · Matching · medium

Match each security control type to its example.

Warning signs or security policies

Firewall rules blocking unauthorized access

Intrusion detection system alerts

Patching a vulnerability after discovery

Requiring strong passwords via policy

Why these pairings

These are common categories of security controls.

841 · Multi-Select · medium

A law firm uses Microsoft 365 and has two legal teams working on opposing sides of the same lawsuit. The compliance officer needs to prevent any communication (email, Teams chat, file sharing) between the two teams. Additionally, the firm must block emails containing the case name from being sent outside the organization. Which two Microsoft Purview solutions should be configured to meet these requirements? (Choose two.)

Select 2 answers
A. Microsoft Purview Information Barriers
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Audit (Standard)

Answers: A, B

Information Barriers can prevent communication between defined user groups, which is exactly needed to separate the two legal teams.

Why this answer

Microsoft Purview Information Barriers (A) is correct because it is specifically designed to prevent communication and collaboration between two groups within an organization, such as legal teams on opposing sides of a lawsuit. It enforces policies that block email, Teams chat, and file sharing between the defined segments, directly meeting the first requirement.

Exam trap

The trap here is that candidates often confuse Communication Compliance (which reviews communications) with Information Barriers (which blocks communications), or they overlook that DLP is required for the outbound email blocking requirement while Information Barriers handles the internal team separation.

842 · MCQ · medium

A company uses Microsoft 365 and wants to deploy a security solution that can automatically detect and remediate advanced attacks on endpoints (workstations and servers), such as ransomware and fileless attacks. They also want to provide incident response teams with detailed forensic data and the ability to isolate an infected machine from the network. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps

Answer: B

Defender for Endpoint provides EDR, automatic investigation, and isolation to protect devices from advanced attacks.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities, including automatic detection and remediation of advanced attacks like ransomware and fileless attacks. It also offers detailed forensic data for incident response and the ability to isolate an infected machine from the network, meeting all the specified requirements.

Exam trap

The trap here is that candidates confuse the endpoint-focused capabilities of Microsoft Defender for Endpoint with the email/identity/cloud-specific scopes of the other Defender products, failing to recognize that only MDE provides automated endpoint remediation and network isolation for workstations and servers.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, and Teams from threats like phishing and malware, not on endpoint-level attacks or machine isolation. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and cloud identities for compromised credentials and lateral movement, but does not provide endpoint detection, forensic data, or network isolation for workstations and servers. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs and protects cloud applications, not endpoints; it cannot detect fileless attacks on workstations or isolate machines from the network.

843 · MCQ · medium

Your organization wants to ensure that only users with a specific sensitivity label can access a SharePoint site. Which Microsoft Purview feature should you configure?

A. Insider Risk Management
B. Communication Compliance
C. Data Lifecycle Management
D. Information Protection

Answer: D

Information Protection applies sensitivity labels that can enforce access controls on SharePoint sites.

Why this answer

Option D is correct because Microsoft Purview Information Protection allows you to apply sensitivity labels to content, and these labels can be used to control access to SharePoint sites via conditional access policies. Option C is wrong because Data Lifecycle Management focuses on retention and deletion, not access control. Option A is wrong because Insider Risk Management detects risky activities but does not directly enforce label-based access. Option B is wrong because Communication Compliance monitors communications for policy violations rather than controlling site access.

844 · MCQ · easy

Your company uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts. Which Microsoft Entra feature should you configure?

A. Microsoft Entra External ID
B. Microsoft Entra B2B collaboration
C. Conditional Access policies
D. Privileged Identity Management

Answer: A

External ID allows adding social identity providers like Facebook and Google.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2C) is the correct feature because it is specifically designed to enable external identities, including social identity providers like Google, Facebook, and Microsoft accounts, for customer-facing applications. It supports standards such as OAuth 2.0 and OpenID Connect to allow users to sign in with their existing social media accounts without needing a separate Microsoft Entra ID account.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (for business partners) with Microsoft Entra External ID (for customers/consumers), mistakenly thinking B2B can also handle social identity providers, but B2B only supports organizational accounts (e.g., work/school) and not social logins.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is designed for business-to-business scenarios, allowing external business partners to access your organization's resources using their own corporate identities, not for consumers signing in with social media accounts. Option C is wrong because Conditional Access policies are used to enforce access controls (e.g., MFA, location) after authentication, not to configure identity providers or enable social sign-in. Option D is wrong because Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within Microsoft Entra ID, and has no role in configuring external or social identity providers.

845 · Multi-Select · hard

Which THREE Microsoft Purview solutions help protect sensitive data in Microsoft 365? (Choose three.)

Select 3 answers
A. Data Loss Prevention
B. Information Protection (sensitivity labels)
C. Insider Risk Management
D. Audit
E. eDiscovery

Answers: A, B, C

DLP prevents accidental sharing of sensitive data.

Why this answer

Microsoft Purview Data Loss Prevention, Information Protection (sensitivity labels), and Insider Risk Management all help protect sensitive data. Option D is incorrect because Audit is for logging, not protection. Option E is incorrect because eDiscovery is for discovery, not protection.

846 · MCQ · medium

Your organization uses Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from a single IP address within 5 minutes. Which rule type should you use?

A. Fusion rule
B. Scheduled query rule
C. Near-real-time (NRT) rule
D. ML Behavior Analytics rule

Answer: B

Correct: Scheduled rules allow aggregation (e.g., count>10) over time windows.

Why this answer

Scheduled query rules run at intervals and can aggregate events, so Option B is correct. Option C (NRT) provides near-real-time detection but only limited aggregation. Option D (ML Behavior Analytics) relies on machine learning rather than an explicit threshold query. Option A (Fusion) correlates existing alerts rather than counting raw sign-in events.

847 · MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access resources using their own identity provider. Which Microsoft Entra feature should you use?

A. Microsoft Entra Permissions Management
B. Microsoft Entra Verified ID
C. Entra ID Governance
D. External ID

Answer: D

External ID enables external collaboration with self-service sign-up and support for external identity providers.

Why this answer

Option D is correct because Microsoft Entra External ID (formerly Azure AD B2B) allows external users to authenticate using their own identity providers. Option C is wrong because Entra ID Governance focuses on identity lifecycle and access reviews. Option B is wrong because Microsoft Entra Verified ID is for decentralized identity verification. Option A is wrong because Microsoft Entra Permissions Management is for managing permissions in multi-cloud environments.

848 · Multi-Select · medium

Which TWO of the following are examples of sensitive information types in Microsoft Purview? (Select TWO.)

Select 2 answers
A. Passport number
B. Public holiday list
C. Employee name
D. Internal project code name
E. Credit card number

Answers: A, E

Passport number is a predefined sensitive info type.

Why this answer

Options A and E are correct because passport numbers and credit card numbers are predefined sensitive information types. Option C is wrong because employee names are not a sensitive information type by default. Option B is wrong because public holidays are not sensitive. Option D is wrong because internal project code names are not predefined sensitive information types.

849 · MCQ · hard

A company uses Microsoft Purview to classify and protect data. They need to ensure that when a user attempts to share a file containing a credit card number externally, the file is blocked and the user is prompted with a policy tip. Which type of Microsoft Purview policy should they configure?

A.Retention policy
B.Insider Risk Management policy
C.Sensitivity label policy
D.Data Loss Prevention (DLP) policy
AnswerD

DLP policies can detect credit card numbers and block external sharing with a policy tip.

Why this answer

DLP policies detect sensitive information types such as credit card numbers in content and enforce actions such as blocking the share and showing the user a policy tip. A sensitivity label classifies and optionally encrypts the item (applied manually or by auto-labeling), but the block-on-external-share action with a user notification is defined by a DLP rule. Insider Risk Management focuses on risky user activities, and a retention policy governs how long content is kept, not how it is shared.
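The following is an added example, not code from the original page or from Microsoft: a minimal model of how a Purview sensitive information type and a DLP rule combine. The built-in Credit Card Number type needs a digit pattern and a valid Luhn checksum, which is why a random 16-digit string does not trigger it. The sharing decision is an illustrative model of a DLP rule, not the Purview engine; the domains, the policy-tip wording and the sample document are constructed.

```python
"""Added example, not part of the original page: a minimal model of how a
Purview sensitive information type (SIT) and a DLP rule combine. The built-in
'Credit Card Number' SIT needs a digit pattern AND a valid Luhn checksum, so a
random 16-digit string does not match. The sharing decision below is an
illustrative model of a DLP rule, not the Purview engine; the domains, the
policy-tip wording and the sample document are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the checksum Purview applies to credit card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> List[str]:
    """Card-like numbers in text that also pass the checksum (high confidence)."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class DlpVerdict:
    action: str                  # "allow" or "block"
    policy_tip: Optional[str]    # text shown to the user when blocked


def evaluate_share(text: str, recipient_domain: str, org_domain: str,
                   min_count: int = 1) -> DlpVerdict:
    """Model of one DLP rule: content contains >= min_count credit card numbers
    AND the recipient is outside the organisation -> block with a policy tip."""
    cards = find_credit_cards(text)
    external = recipient_domain.lower() != org_domain.lower()
    if len(cards) >= min_count and external:
        tip = (f"This item contains {len(cards)} credit card number(s) and "
               f"can't be shared outside {org_domain}.")
        return DlpVerdict("block", tip)
    return DlpVerdict("allow", None)


# Constructed sample: the first number is Luhn-valid, the second is not.
SAMPLE_DOC = ("Customer paid with 4111 1111 1111 1111 on 2024-03-01; "
              "internal ref 4111 1111 1111 1112 is an order id.")

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_DOC))
    print(evaluate_share(SAMPLE_DOC, "partner.example", "contoso.com"))
```

The `min_count` parameter mirrors the instance-count threshold a real DLP rule carries; raising it is how a rule distinguishes a single card in a support ticket from a bulk export. Purview additionally raises confidence when keywords such as "card number" appear near the match, which this model omits.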

850
MCQhard

Refer to the exhibit. The Conditional Access policy shown is applied to all users accessing Office 365. A user with a compliant device but no MFA registered attempts to access Exchange Online. What will happen?

A.Access is blocked
B.Access is granted because the policy is only for Office 365 and the user uses Exchange Online
C.Access is granted after MFA registration prompt
D.Access is granted because the device is compliant
AnswerA

The policy's grant control requires MFA, which a user with no registered MFA method cannot satisfy; device compliance is not part of this policy, so a compliant device does not help.

Why this answer

The Conditional Access policy requires multifactor authentication for all users accessing the Office 365 cloud apps. The user has no MFA method registered and therefore cannot satisfy the grant control, so the policy denies access. The device compliance status is irrelevant because the policy does not include 'Require device to be marked as compliant' as a grant control.

Exam trap

The trap here is that candidates assume a compliant device automatically satisfies any Conditional Access policy, but grant controls are evaluated only as configured: this policy requires MFA, and device compliance is irrelevant unless it is included as a grant control.

How to eliminate wrong answers

Option B is wrong because Exchange Online is included under Office 365 in the Conditional Access policy's cloud apps assignment, so the policy applies to Exchange Online access. Option C is wrong because the policy does not grant access pending a registration prompt; with no MFA method registered the grant control cannot be satisfied, so access is denied. Option D is wrong because the policy does not have a 'Require device to be marked as compliant' grant control, so device compliance alone does not satisfy the policy's requirements.

851
MCQhard

Your organization uses Microsoft Purview eDiscovery to manage legal holds. You need to place a hold on mailboxes and OneDrive accounts for a specific user who is involved in a litigation. Which eDiscovery solution should you use?

A.Audit
B.Communication Compliance
C.Content search
D.eDiscovery (Standard)
AnswerD

eDiscovery (Standard) can place holds on Exchange mailboxes and OneDrive accounts.

Why this answer

Option D is correct because eDiscovery (Standard) supports case management with hold functionality: you create a case, then place a hold on the custodian's Exchange mailbox and OneDrive account so that content cannot be permanently deleted while the hold is in place. Option C is wrong because Content search only searches and exports; it cannot place holds. Option A is wrong because Audit records user and admin activity for investigation.

Option B is wrong because Communication Compliance monitors messages for policy violations such as harassment or regulatory breaches; it does not preserve content.

852
MCQhard

A security administrator needs to block legacy authentication protocols across all applications in Microsoft Entra ID. Which conditional access policy setting should they configure?

A.Under 'Grant', select 'Block access'
B.Under 'Conditions', configure 'Locations' to block all locations
C.Set 'Sign-in frequency' to 1 hour
D.Under 'Conditions', configure 'Client apps' to block legacy authentication
AnswerD

Specifically targets legacy authentication protocols.

Why this answer

Option D is correct because legacy authentication protocols (such as POP3, IMAP4, SMTP AUTH, Exchange ActiveSync with basic authentication, and older Office clients) cannot perform modern authentication and therefore cannot satisfy MFA or other Conditional Access grant controls, which also makes them a common target for password spray. In the Conditional Access policy, the 'Client apps' condition is set to 'Exchange ActiveSync clients' and 'Other clients', the cloud apps assignment covers all cloud apps, and the grant control is 'Block access'; together these block legacy sign-in attempts across all applications in Microsoft Entra ID.

Exam trap

The trap here is that candidates may confuse 'Block access' under 'Grant' (which is a general block) with the specific condition needed to target legacy protocols, or they may think that location or sign-in frequency settings can address protocol-level restrictions.

How to eliminate wrong answers

Option A is wrong because 'Block access' under 'Grant' is the action the policy takes once its conditions match, not a way to select legacy protocols; on its own, with no client apps condition, it would block all users regardless of client type (in the correct policy it is combined with the 'Client apps' condition). Option B is wrong because configuring 'Locations' to block all locations would prevent sign-ins from any geographic location, which is unrelated to blocking legacy authentication protocols. Option C is wrong because setting 'Sign-in frequency' to 1 hour controls session lifetime and reauthentication prompts, not the type of authentication protocol used during sign-in.

853
MCQeasy

An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?

A.A
B.B
C.C
D.D
AnswerC

Correct. Zero Trust is characterized by 'never trust, always verify', assumption of breach, and least-privilege access.

Why this answer

This scenario describes the Zero Trust security model, which operates on the principle of 'never trust, always verify.' It requires authentication, authorization, and encryption for every access request, regardless of origin (inside or outside the network), and assumes breach to minimize blast radius through microsegmentation and least-privilege access. Option C is correct because it aligns with the core tenets of Zero Trust as defined by NIST SP 800-207.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense-in-depth or least-privilege, but Zero Trust uniquely requires explicit verification of every request and assumes breach, which is the key differentiator in this question.

How to eliminate wrong answers

Option A is wrong because it likely refers to a perimeter-based model (e.g., castle-and-moat), which trusts internal traffic by default and does not assume breach. Option B is wrong because it may represent a defense-in-depth model, which uses multiple layers of security but does not inherently distrust all requests or assume breach. Option D is wrong because it could indicate a least-privilege model, which focuses on minimal permissions but does not encompass the full Zero Trust principles of continuous verification, encryption, and blast radius reduction.

854
MCQmedium

A company uses Microsoft 365 and needs to comply with a regulatory requirement to retain all customer contracts for 5 years after the contract's end date, after which they must be automatically deleted. Additionally, the legal department needs the ability to preserve all documents related to an ongoing lawsuit, overriding any deletion timelines. Which Microsoft Purview solution should the company use?

A.Information Barriers
B.Data Lifecycle Management with retention labels and eDiscovery holds
C.Communication Compliance
D.Audit (Premium)
AnswerB

Data Lifecycle Management provides retention labels to retain and then delete content, while eDiscovery holds preserve content during litigation, overriding any deletion policies. Together they meet both requirements.

Why this answer

Data Lifecycle Management (DLM) with retention labels allows the company to apply a retention label to customer contracts that retains them for 5 years and then automatically deletes them; because the period must start at the contract's end date rather than at creation, the label uses event-based retention, where the contract-end event starts the clock. eDiscovery holds can be placed on all documents related to an ongoing lawsuit, which overrides any deletion timelines, ensuring that content is preserved until the hold is released. This combination directly meets both the regulatory retention and legal preservation requirements.

Exam trap

The trap here is that candidates may confuse eDiscovery holds with retention labels, thinking that retention labels alone can handle legal preservation, but they fail to recognize that eDiscovery holds are required to override deletion timelines for litigation purposes.

How to eliminate wrong answers

Option A is wrong because Information Barriers are used to prevent communication and collaboration between specific groups or users to avoid conflicts of interest, not to manage retention or legal holds. Option C is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) by analyzing messages, not to enforce retention schedules or preserve documents for litigation. Option D is wrong because Audit (Premium) provides detailed logging and investigation of user and admin activities, but it does not offer retention policies or the ability to override deletion with legal holds.

855
Multi-Selectmedium

Which TWO Microsoft Entra features can be used together to enforce risk-based conditional access?

Select 2 answers
A.Entra Verified ID
B.Conditional Access
C.Identity Protection
D.Self-Service Password Reset
E.Privileged Identity Management
AnswersB, C

Identity Protection computes user and sign-in risk; Conditional Access uses those risk levels as conditions to enforce policies.

Why this answer

Conditional Access (B) is correct because it is the policy engine that enforces access decisions based on signals, including risk levels. Identity Protection (C) is correct because it detects and calculates user and sign-in risk in real time using machine learning. Together, Identity Protection provides the risk assessment, and Conditional Access enforces the policy (e.g., block or require MFA) based on that risk.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with risk-based access, but PIM controls role activation, not risk evaluation, while Identity Protection is the dedicated risk detection service.

856
MCQmedium

Fabrikam Inc. is a global manufacturing company that uses Microsoft Entra ID for identity management. They have recently experienced a security incident where an attacker compromised a user account and accessed sensitive intellectual property. The security team wants to implement identity protection measures to detect and respond to such attacks in the future. They need a solution that can automatically detect suspicious sign-in behavior, such as impossible travel and anomalous token issuance, and then take action to block the sign-in or require additional verification. Additionally, they want to integrate threat intelligence feeds to improve detection. Which Microsoft security solution should they use to meet these requirements?

A.Microsoft Defender for Identity
B.Microsoft Entra ID Protection
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerB

Detects sign-in risks and automates responses.

Why this answer

Option B is correct. Microsoft Entra ID Protection uses machine learning and Microsoft threat intelligence to detect risks such as atypical (impossible) travel and anomalous token issuance, and its risk-based policies, enforced through Conditional Access, can automatically require MFA or block the sign-in.

Option A is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory signals from domain controllers, not cloud sign-ins. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR; it can ingest ID Protection risk events and automate responses, but it is not the service that detects sign-in risk and applies access policy. Option D is wrong because Microsoft Defender for Cloud Apps is for cloud app discovery and session control, not primarily for sign-in risk detection.
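The impossible-travel heuristic that Entra ID Protection reports as a sign-in risk detection, as an added example that is not part of the original page and not Microsoft's implementation: it runs over constructed sign-in records and flags consecutive sign-ins whose implied speed could not be real. The record format, coordinates and the 900 km/h threshold are assumptions; the real detector also weighs familiarity and ML signals that are not reproduced here.

```python
"""Added example, not part of the original page: the 'impossible travel'
heuristic modelled over constructed sign-in records. Record format,
coordinates and threshold are assumptions for illustration."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed sign-in log: (user, UTC timestamp, city, latitude, longitude)
SIGNINS: List[Tuple[str, str, str, float, float]] = [
    ("alice@contoso.com", "2024-05-01T08:00:00Z", "Seattle", 47.61, -122.33),
    ("alice@contoso.com", "2024-05-01T09:30:00Z", "Lagos", 6.45, 3.39),
    ("bob@contoso.com", "2024-05-01T08:00:00Z", "London", 51.51, -0.13),
    ("bob@contoso.com", "2024-05-01T10:00:00Z", "Paris", 48.86, 2.35),
]


def impossible_travel(signins, max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """Flag each pair of consecutive sign-ins by the same user whose implied
    travel speed exceeds max_kmh. Sign-ins are grouped per user and sorted by
    time so out-of-order log delivery does not produce false pairs."""
    by_user: Dict[str, list] = {}
    for user, ts, city, lat, lon in signins:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((t, city, lat, lon))

    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two sign-ins at the same instant from different places is the
            # extreme case: treat the speed as infinite rather than dividing by zero.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": user, "from": c1, "to": c2,
                                 "km": round(km), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS):
        print(f)
```

Alice's Seattle-to-Lagos hop in 90 minutes implies roughly 8,000 km/h and is flagged; Bob's London-to-Paris pair in two hours is under 200 km/h and is not. A production detector would also exempt known VPN or corporate egress IPs, which is why the real feature is one input to a risk score rather than a verdict on its own.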

857
Multi-Selecteasy

Which TWO of the following are Microsoft Entra ID editions that include Identity Protection? (Choose two.)

Select 2 answers
A.Microsoft Entra External ID
B.Microsoft Entra ID Free
C.Microsoft Entra ID P1
D.Microsoft Entra ID P2
E.Microsoft Entra ID Governance
AnswersD, E

P2 includes Identity Protection.

Why this answer

Identity Protection is available in Microsoft Entra ID P2 (formerly Azure AD Premium P2) and in Microsoft Entra ID Governance (which includes P2 features). Free and P1 do not include Identity Protection.

858
MCQeasy

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures that data remains accurate and unaltered by unauthorized parties, preventing tampering.

Why this answer

The principle of integrity ensures that data remains accurate and unaltered during storage, processing, or transmission, except by authorized entities. In the context of information security, integrity is specifically concerned with preventing unauthorized modification, deletion, or creation of data. It is enforced through mechanisms that detect tampering: cryptographic hashes (e.g., SHA-256), message authentication codes, and digital signatures. A checksum such as CRC32 catches accidental corruption only, and an unkeyed hash helps only when it is stored or transmitted somewhere the attacker cannot replace it; otherwise a keyed MAC or a signature is required.

Exam trap

The trap here is that candidates often confuse integrity with confidentiality, mistakenly thinking that encryption (which protects confidentiality) also prevents modification, but encryption alone does not guarantee data has not been altered—integrity requires separate controls like hashing or digital signatures.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized disclosure of data, typically through encryption (e.g., AES-256) or access controls, not on preventing modification. Option C is wrong because availability ensures that systems and data are accessible to authorized users when needed, often via redundancy (e.g., RAID) or disaster recovery, and does not address data integrity. Option D is wrong because non-repudiation provides proof of the origin or delivery of data (e.g., through digital signatures or audit logs) and cannot be repudiated later, but it does not directly prevent unauthorized modification.
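The exam-trap point above, that encryption alone does not give integrity, shown in working code as an added example (not from the original page). The cipher is a constructed keystream XOR built from SHA-256 so that the example runs with the standard library; it is not a secure cipher, but it has the same malleability as real AES-CTR: an attacker who knows the plaintext layout can flip ciphertext bits to rewrite the message without the key. HMAC-SHA256 over the ciphertext detects the change. Keys, nonce and the message are constructed, fixed values.

```python
"""Added example, not part of the original page: encryption alone does not
give integrity; a keyed MAC does. The stream cipher below is a constructed
SHA-256 keystream XOR (same malleability as AES-CTR), not a secure cipher."""
import hashlib
import hmac
from typing import Dict


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a keystream derived from key||nonce||counter.
    Encryption and decryption are the same operation. Flipping a ciphertext
    bit flips exactly the same plaintext bit, as in real counter-mode ciphers."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker with NO key: rewrite known plaintext bytes at a known offset by
    XORing the ciphertext with (old XOR new)."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: tag the ciphertext with HMAC-SHA256 under a separate key."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(seal(mac_key, ciphertext), tag)


def demo() -> Dict[str, object]:
    # Constructed, fixed keys and nonce so the run is reproducible.
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x03" * 16
    msg = b"PAY 0100 EUR TO ACCT 1234"
    ct = keystream_encrypt(enc_key, nonce, msg)
    tag = seal(mac_key, ct)
    # The amount "0100" sits at byte offset 4; the attacker rewrites it to "9900".
    forged = tamper(ct, 4, b"0100", b"9900")
    return {
        "original_roundtrip": keystream_encrypt(enc_key, nonce, ct),
        "forged_decrypts_to": keystream_encrypt(enc_key, nonce, forged),
        "original_passes_hmac": verify(mac_key, ct, tag),
        "forged_passes_hmac": verify(mac_key, forged, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
</```

The forged ciphertext decrypts cleanly to a different amount, which is the confidentiality-without-integrity failure the exam trap describes; only the HMAC check rejects it. Shipping a plain SHA-256 of the message beside the ciphertext would not help here, because the attacker could recompute that hash over the forged data; the MAC works because it needs a key the attacker does not have.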

859
MCQmedium

A company uses Microsoft Entra ID and Intune for device management. The security team wants to create a Conditional Access policy for a sensitive research application. They require that: 1) The user must use a device that is marked as compliant by Intune, and 2) The user must accept the company's terms of use before accessing the app. Which grant control combination should they configure in the policy?

A.Select 'Require device to be marked as compliant' and 'Require terms of use' and choose 'Require one of the selected controls'
B.Select 'Require multi-factor authentication' and 'Require terms of use' and choose 'Require all the selected controls'
C.Select 'Require device to be marked as compliant' and 'Require terms of use' and choose 'Require all the selected controls'
D.Select only 'Require terms of use' and configure device compliance as a condition
AnswerC

This correctly enforces both device compliance and terms of use acceptance because the 'Require all' setting ensures that both grant controls are satisfied.

Why this answer

Option C is correct because the policy requires both conditions—device compliance and terms of use—to be enforced simultaneously. In Microsoft Entra Conditional Access, when multiple grant controls are selected and set to 'Require all the selected controls', the user must satisfy every control to gain access. This matches the security team's requirement that the device must be compliant AND the terms of use must be accepted.

Exam trap

The trap here is that candidates often confuse 'Require one of the selected controls' with 'Require all the selected controls', mistakenly thinking that 'one of' is sufficient when the question explicitly states both conditions must be met.

How to eliminate wrong answers

Option A is wrong because 'Require one of the selected controls' would allow the user to satisfy either device compliance OR terms of use, not both, which violates the requirement that both must be met. Option B is wrong because it includes 'Require multi-factor authentication', which is not a requirement specified by the security team, and it omits 'Require device to be marked as compliant', which is explicitly required. Option D is wrong because configuring device compliance as a condition (e.g., in the 'Conditions' blade) is not the same as enforcing it as a grant control; grant controls are the actions that must be satisfied, and device compliance must be selected as a grant control to enforce the requirement.
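A simplified model of how Microsoft Entra Conditional Access turns assignments, conditions and grant controls into an access decision, as an added example that is not part of the original page and not Microsoft's engine. It uses the field names of the Microsoft Graph conditionalAccessPolicy resource and covers the scenarios of questions 850 (MFA required, compliant device irrelevant), 852 (Client apps condition plus Block access), 855 (sign-in risk from Identity Protection as a condition) and 859 ('Require all the selected controls'). The app names, the research-app identifier and the terms-of-use agreement ID are assumptions.

```python
"""Added example, not part of the original page: a teaching model of
Conditional Access evaluation using Graph conditionalAccessPolicy field names.
App names, the research-app ID and the agreement ID are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

# The Graph alias "Office365" covers the suite, including Exchange Online (illustrative subset).
OFFICE365_APPS = {"Exchange Online", "SharePoint Online", "Microsoft Teams"}


@dataclass
class SignIn:
    app: str                    # target app: an Office 365 workload or another app ID
    client_app_type: str        # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    mfa_registered: bool        # user has at least one MFA method registered
    device_compliant: bool      # Intune reports the device as compliant
    sign_in_risk: str = "none"  # from Identity Protection: "none", "low", "medium", "high"
    accepted_agreements: set = field(default_factory=set)  # terms-of-use IDs already accepted


def policy_applies(policy: dict, s: SignIn) -> bool:
    """Assignments and conditions: does this policy target the sign-in at all?"""
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    in_scope = ("All" in apps or s.app in apps
                or ("Office365" in apps and s.app in OFFICE365_APPS))
    client_types = c.get("clientAppTypes", ["all"])
    client_ok = "all" in client_types or s.client_app_type in client_types
    risks = c.get("signInRiskLevels", [])
    risk_ok = not risks or s.sign_in_risk in risks
    return in_scope and client_ok and risk_ok


def control_satisfied(control: str, s: SignIn) -> bool:
    """Can the sign-in satisfy one built-in grant control? A user with no
    registered MFA method cannot complete an MFA challenge."""
    return {"mfa": s.mfa_registered, "compliantDevice": s.device_compliant}.get(control, False)


def evaluate(policies: List[dict], s: SignIn) -> Tuple[bool, List[str]]:
    """Return (granted, reasons). Every enabled, applicable policy must be
    satisfied; 'block' always wins over any other control."""
    reasons = []
    for p in policies:
        if p.get("state") != "enabled" or not policy_applies(p, s):
            continue
        g = p["grantControls"]
        if "block" in g.get("builtInControls", []):
            reasons.append(f"{p['displayName']}: block")
            continue
        results = [control_satisfied(c, s) for c in g.get("builtInControls", [])]
        results += [a in s.accepted_agreements for a in g.get("termsOfUse", [])]
        ok = all(results) if g["operator"] == "AND" else any(results)
        if not ok:
            reasons.append(f"{p['displayName']}: grant controls not satisfied ({g['operator']})")
    return (not reasons, reasons)


POLICIES = [
    {   # Q850: MFA for everyone on Office 365; device compliance is NOT a control here
        "displayName": "Require MFA for Office 365", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["Office365"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Q852: Client apps = Exchange ActiveSync clients + Other clients, Grant = Block access
        "displayName": "Block legacy authentication", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Q855: Identity Protection supplies the risk level; Conditional Access enforces
        "displayName": "Require MFA on medium or high sign-in risk", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"], "signInRiskLevels": ["medium", "high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Q859: compliant device AND terms of use ('Require all the selected controls')
        "displayName": "Research app: compliant device and terms of use", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["research-app"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                          "termsOfUse": ["tou-research-2024"]},  # assumed agreement ID
    },
]
```

`evaluate(POLICIES, SignIn("Exchange Online", "browser", False, True))` is the question 850 case: the compliant device changes nothing because the only control the policy asks for is MFA, and the user cannot provide it. Switching the last policy's operator to `"OR"` would let a compliant device through without the terms of use, which is exactly the wrong answer in question 859. Real evaluation also honours exclusions, user and group scoping, session controls and the "report-only" state, none of which this model includes.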

860
MCQmedium

A company wants to securely grant external business partners access to internal SharePoint sites and Teams channels. The partners use various identity providers, including Google and Microsoft personal accounts. The company needs to manage these external identities in their Microsoft Entra ID directory and enforce access policies. Which Microsoft Entra capability should they use?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra B2C (Business-to-Consumer)
C.Microsoft Entra Connect
D.Microsoft Entra Identity Protection
AnswerA

B2B collaboration enables secure external sharing with guest accounts, supporting a wide range of identity providers and directory management.

Why this answer

Microsoft Entra B2B collaboration is designed to securely share applications and resources with external guest users from any identity provider, including Google and Microsoft personal accounts. It allows the company to manage these external identities in their Entra ID directory and enforce conditional access policies, meeting the requirement to grant partners access to SharePoint and Teams.

Exam trap

The trap here is confusing B2B collaboration (for business partners) with B2C (for customers), leading candidates to select B2C because it also supports external identities, but B2C is not designed for internal resource sharing like SharePoint or Teams.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2C is a customer-facing identity management service for external customers, not for business partners, and it does not integrate with internal resources like SharePoint or Teams. Option C is wrong because Microsoft Entra Connect is used to synchronize on-premises Active Directory identities to the cloud, not to manage external partner identities. Option D is wrong because Microsoft Entra Identity Protection is a risk-detection and remediation tool for user accounts, not a solution for inviting or managing external identities.

861
MCQeasy

Your company is adopting Microsoft Copilot for Microsoft 365 to improve productivity. The security team is concerned about data leakage, as Copilot can access emails, documents, and other content. You need to ensure that sensitive data, such as credit card numbers and social security numbers, is not inadvertently exposed by Copilot. The organization uses Microsoft Purview sensitivity labels and DLP. You need to configure a solution that automatically detects and prevents Copilot from accessing or generating content containing these sensitive data types. What should you do?

A.Configure Microsoft Defender for Cloud Apps to control Copilot
B.Disable Copilot for users who handle sensitive data
C.Apply sensitivity labels to all documents containing sensitive data
D.Create a DLP policy in Microsoft Purview that detects sensitive data types and blocks Copilot actions
AnswerD

DLP can monitor and block Copilot interactions with sensitive data.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention policies can include Microsoft 365 Copilot as a location and block or warn when content matching the policy would be processed or returned by Copilot. Option C is wrong because sensitivity labels classify and encrypt items (and Copilot honors a label's usage rights), but a label alone does not express a "block Copilot" action; that action is defined in DLP. Option B is wrong because disabling Copilot for a set of users is a blunt measure rather than a targeted data control.

Option A is wrong because Microsoft Defender for Cloud Apps governs SaaS app sessions, not Copilot's processing of Microsoft 365 content.

862
MCQeasy

Which Microsoft Entra ID feature allows an organization to provide external partners with access to its applications while maintaining control over authentication and governance?

A.Microsoft Entra ID Governance
B.Microsoft Entra Domain Services
C.Microsoft Entra External ID
D.Microsoft Entra Permissions Management
AnswerC

External ID supports B2B and B2C scenarios, allowing external users to access corporate apps with controlled authentication.

Why this answer

Microsoft Entra External ID (including B2B collaboration) enables secure sharing of apps with external users. It allows the organization to manage identities and enforce policies like MFA for guests.

863
MCQeasy

Your organization wants to enable passwordless authentication for users. Which Microsoft Entra ID feature should you use?

A.Conditional Access
B.Privileged Identity Management
C.Identity Protection
D.Passwordless authentication methods
AnswerD

Passwordless methods enable authentication without passwords.

Why this answer

Passwordless authentication methods is the correct feature because it is the specific Microsoft Entra ID capability that allows users to sign in without a password, using methods such as Windows Hello for Business, the Microsoft Authenticator app, FIDO2 security keys, or phone sign-in. This directly enables the organization's goal of passwordless authentication.

Exam trap

The trap here is that candidates may confuse Conditional Access (which can require passwordless methods as a grant control) with the actual feature that enables passwordless authentication, but Conditional Access only enforces policies, not the underlying authentication methods themselves.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals, but it does not itself provide or enable passwordless authentication methods. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews for Microsoft Entra roles and Azure resources, not passwordless sign-in capabilities. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, impossible travel) using risk policies, but it does not configure or offer passwordless authentication methods.

864
MCQhard

A financial services organization needs to automatically classify and protect sensitive documents containing credit card information in SharePoint Online and OneDrive for Business. They want a purple-colored label to be applied automatically when the document is saved, and the document should be encrypted with a predefined template that restricts editing to internal users only. Which Microsoft Purview solution should they configure?

A.Sensitivity labels with auto-labeling
B.Data Loss Prevention (DLP) policies
C.Data Lifecycle Management (retention labels)
D.Audit (Unified Auditing)
AnswerA

Sensitivity labels can automatically classify and encrypt documents based on sensitive data patterns, applying a label and encryption exactly as described.

Why this answer

Sensitivity labels with auto-labeling in Microsoft Purview can automatically apply a purple-colored label to documents containing credit card information when saved in SharePoint Online or OneDrive for Business. This label can be configured with encryption using a predefined template that restricts editing to internal users only, meeting the organization's classification and protection requirements.

Exam trap

The trap here is that candidates confuse DLP policies with sensitivity labels, but DLP policies only block or warn on sharing actions and do not apply persistent encryption or visual markings like labels.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) policies detect and prevent accidental sharing of sensitive data but do not apply persistent labels or encryption to documents; they enforce rules at the point of sharing or use. Option C is wrong because Data Lifecycle Management (retention labels) manage retention and deletion of content, not classification or encryption based on sensitive data patterns. Option D is wrong because Audit (Unified Auditing) logs user and admin activities for compliance and investigation but does not classify, label, or encrypt documents automatically.

865
MCQeasy

Your organization uses Microsoft Entra ID P1. You need to implement a solution that allows users to reset their own passwords without administrator intervention. The solution must also enforce a policy that requires users to verify their identity with two methods before resetting. What should you configure?

A.Configure Privileged Identity Management (PIM) to require approval for password reset.
B.Create an Identity Protection user risk policy to force password reset.
C.Configure a Conditional Access policy to require MFA for password changes.
D.Enable self-service password reset (SSPR) and configure the number of methods required to reset to 2.
AnswerD

SSPR provides password reset with customizable verification.

Why this answer

Option D is correct because self-service password reset (SSPR) in Microsoft Entra ID P1 allows users to reset their own passwords without administrator intervention. By configuring SSPR and setting the number of methods required to reset to 2, you enforce the policy that users must verify their identity with two authentication methods before resetting their password.

Exam trap

The trap here is that candidates often confuse Conditional Access MFA policies with SSPR's multi-method verification, not realizing that SSPR has its own separate configuration for the number of required verification methods, while Conditional Access policies apply to authentication events, not the password reset workflow.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles, not for enabling self-service password reset or enforcing multi-method verification for password resets. Option B is wrong because Identity Protection user risk policies trigger automatic password resets based on detected user risk, but they do not allow users to initiate their own password resets without administrator intervention, nor do they enforce a specific number of verification methods for the reset process. Option C is wrong because a Conditional Access policy requiring MFA for password changes would force users to authenticate with MFA when changing their password, but it does not enable self-service password reset; it only secures the change action, not the reset flow, and does not configure the number of methods required for reset.

866
MCQmedium

The exhibit shows a sign-in failure for John Doe. The admin wants to allow the sign-in while still enforcing MFA. What should the admin do?

A.Modify the Conditional Access policy to exclude Azure PowerShell or to support MFA for this client.
B.Disable MFA for the user.
C.Assign a Microsoft Entra ID P2 license to the user.
D.Reset the user's password.
AnswerA

The Azure PowerShell sign-in cannot satisfy the policy's MFA requirement in this session, so adjust the policy rather than weakening MFA.

Why this answer

The sign-in failure is most likely caused by a Conditional Access policy whose grant control the Azure PowerShell sign-in cannot satisfy, for example a requirement for MFA when the session is non-interactive or the client cannot complete the challenge. Option A is correct because modifying the policy to exclude Azure PowerShell, or to allow a flow in which that client can complete MFA, lets the sign-in succeed while MFA stays enforced everywhere else. Note that Azure PowerShell is not itself a legacy protocol: the Az module uses modern authentication, so an interactive Connect-AzAccount sign-in can complete MFA.

Exam trap

The trap here is that candidates may think resetting the password or disabling MFA is the quick fix, but the core issue is that the Conditional Access policy is blocking a client session that cannot complete MFA, not that the user's credentials or license are invalid.

How to eliminate wrong answers

Option B is wrong because disabling MFA for the user removes the security requirement entirely, contradicting the admin's goal to still enforce MFA. Option C is wrong because assigning a Microsoft Entra ID P2 license provides advanced features like Identity Protection and Privileged Identity Management, but it does not resolve a sign-in failure caused by a Conditional Access policy that the client session cannot satisfy. Option D is wrong because resetting the user's password does not address the underlying policy that blocks the sign-in; the failure is due to the client session not completing MFA, not due to incorrect credentials.

867
MCQmedium

You are the security architect for a financial services company that uses Microsoft 365 E5. The company has recently deployed Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. The security team wants to detect when users are accessing corporate data from personal devices that are not managed by Microsoft Intune. You need to implement a solution that alerts the security team when a user accesses Microsoft 365 resources from an unmanaged device. The solution should also allow the user to continue working but with limited capabilities, such as preventing download of files. Which of the following should you configure?

A.Create a session policy in Microsoft Defender for Cloud Apps that monitors and controls access based on device compliance
B.Create a device compliance policy in Microsoft Intune that marks unmanaged devices as non-compliant
C.Create an app protection policy in Microsoft Intune that prevents data transfer from managed apps
D.Create a conditional access policy in Microsoft Entra ID that blocks access from unmanaged devices
AnswerA

Session policies can proxy user sessions and restrict actions like download for unmanaged devices.

Why this answer

Option A is correct because session policies in Microsoft Defender for Cloud Apps (Conditional Access App Control) can monitor the session and control actions such as file download based on device management status, while letting the user keep working. In practice a Conditional Access policy is still needed to route the session to Defender for Cloud Apps through the 'Use Conditional Access App Control' session control, but the download restriction itself lives in the session policy. Option B is incorrect because an Intune compliance policy defines what compliant means but does not enforce access restrictions on its own, and an unmanaged device is not evaluated by Intune at all. Option C is incorrect because app protection policies apply to managed mobile apps, not browser sessions.

Option D is incorrect because a Conditional Access policy that blocks unmanaged devices prevents all access; it cannot allow limited access such as blocking downloads only.

868
MCQeasy

A company uses a third-party SaaS project management application. The security team wants to monitor and control user sessions when employees access the application from personal, unmanaged devices. Specifically, they want to block the download of files to local drives and display a warning message to the user if they attempt to download. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerA

Correct. Defender for Cloud Apps with Conditional Access App Control provides session-level monitoring and control for SaaS apps, enabling actions like blocking downloads.

Why this answer

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is the correct solution because it provides session-level controls via Conditional Access App Control. This allows the security team to monitor and control user sessions in real-time, including blocking file downloads to unmanaged devices and displaying custom warning messages, by proxying the SaaS application traffic through Defender for Cloud Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming all SaaS app protection falls under Office 365, but Defender for Cloud Apps is the cross-SaaS session control solution.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on controlling user sessions within third-party SaaS applications. Option C (Microsoft Defender for Office 365) is wrong because it protects email and collaboration tools like Exchange Online and SharePoint, not general third-party SaaS project management applications. Option D (Microsoft Defender for Identity) is wrong because it detects on-premises Active Directory identity threats using domain controller traffic, not session-level controls for cloud apps.

869
MCQeasy

According to the Zero Trust security model, which principle assumes that a breach has already occurred and therefore requires segmenting access and monitoring for lateral movement?

A.Verify explicitly
B.Use least privilege
C.Assume breach
D.Trust but verify
AnswerC

Assume breach is the correct principle; it treats the network as already compromised, leading to segmentation and intense monitoring.

Why this answer

Option C is correct because the 'Assume breach' principle of the Zero Trust security model explicitly operates under the mindset that a breach has already occurred or is inevitable. This drives the need for segmenting access (e.g., micro-segmentation using network policies or Azure Virtual Network security groups) and continuous monitoring for lateral movement (e.g., using Microsoft Defender for Identity to detect pass-the-hash or Kerberos ticket attacks).

Exam trap

Microsoft often tests the distinction between 'Assume breach' and 'Verify explicitly' by presenting a scenario where a candidate might confuse the proactive verification of every request with the reactive assumption that a breach has already occurred, leading them to incorrectly select 'Verify explicitly' when the question specifically asks about segmentation and lateral movement monitoring.

How to eliminate wrong answers

Option A is wrong because 'Verify explicitly' mandates that every access request must be authenticated and authorized based on all available data points (e.g., user identity, device health, location), but it does not inherently assume a breach has occurred or drive segmentation for lateral movement. Option B is wrong because 'Use least privilege' ensures users and services have only the minimum permissions needed to perform their tasks (e.g., via Azure RBAC or Privileged Identity Management), but it is a principle of access control, not a breach assumption that triggers segmentation and lateral movement monitoring. Option D is wrong because 'Trust but verify' is an outdated model that assumes internal network trust, which contradicts Zero Trust's core premise of never trusting any entity by default; it does not assume a breach has already happened.

870
Multi-Selecthard

Which THREE are features of Microsoft Purview Data Lifecycle Management (formerly Records Management)? (Choose three.)

Select 3 answers
A.Retention policies
B.Data loss prevention
C.Sensitivity labels
D.Retention labels
E.Disposition review
AnswersA, D, E

Retention policies apply retention settings at the container level.

Why this answer

Data Lifecycle Management includes retention labels (Option D), retention policies (Option A), and disposition review (Option E). Option C (sensitivity labels) belongs to Information Protection; Option B (data loss prevention) is one of the Microsoft 365 compliance center's general features.

871
MCQhard

Your organization is using Microsoft Entra ID and has deployed Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with Intune policies can access corporate email via Microsoft Outlook for iOS and Android. Additionally, you need to prevent users from copying corporate data to personal apps on the same device. Which two Microsoft Entra features should you combine?

A.Conditional Access policy requiring hybrid Azure AD joined device, and Windows Autopilot.
B.Conditional Access policy requiring MFA, and Windows Hello for Business.
C.Conditional Access policy requiring approved client app, and Azure AD Application Proxy.
D.Conditional Access policy requiring compliant device, and Microsoft Intune app protection policy (MAM) to prevent data copy/paste to unmanaged apps.
AnswerD

Correct: Conditional Access enforces device compliance, and MAM protects corporate data.

Why this answer

Option D is correct because Conditional Access can require compliant devices, and app protection policies (MAM) can prevent data transfer to unprotected apps. Option A is wrong because Autopilot is for device provisioning. Option B is wrong because Windows Hello for Business is for passwordless sign-in. Option C is wrong because Azure AD Application Proxy is for on-premises app access.

872
MCQmedium

Refer to the exhibit. A Microsoft Purview DLP policy is configured as shown. What will happen when a user tries to email an external recipient a document containing a credit card number?

A.The email will be sent but the attachment will be removed
B.The email will be blocked and the user will receive a notification
C.The email will be delivered and the admin will be alerted
D.The email will be sent and the event will be logged for audit
AnswerB

The policy includes BlockAccess and NotifyUser actions.

Why this answer

Option B is correct because the policy has actions to block access and notify the user. Option A is wrong because the email is blocked outright, not sent with the attachment removed. Option C is wrong because the email is blocked, not delivered. Option D is wrong because there is no mention of logging; the policy blocks access rather than letting the email through.

873
MCQhard

A company has deployed Microsoft Defender for Identity and wants to detect pass-the-hash attacks in real time. Which alert type should they monitor?

A.Suspected Kerberoasting attack
B.Suspected Brute Force attack
C.Suspected Pass-the-Hash attack
D.Suspected Golden Ticket attack
AnswerC

Correct: Defender for Identity can detect pass-the-hash by monitoring NTLM authentication anomalies.

Why this answer

Microsoft Defender for Identity uses behavioral analytics to detect lateral movement and credential theft, including pass-the-hash attacks, and generates security alerts.

874
MCQhard

Refer to the exhibit. A security analyst runs this Microsoft Graph PowerShell command. What is the most likely purpose of this command?

A.To find users whose user principal name starts with 'j'.
B.To update the display names of users starting with 'j'.
C.To remove users whose user principal name starts with 'j'.
D.To list all users and their group memberships.
AnswerA

The filter filters users with userPrincipalName starting with 'j'.

Why this answer

The command uses Get-MgUser with a filter to retrieve users whose userPrincipalName starts with 'j', and selects specific properties. Option D is wrong because the command does not show group membership. Option B is wrong because it does not perform any update. Option C is wrong because it does not remove users.

875
MCQmedium

A company wants to automatically detect emails in Exchange Online that contain credit card numbers and apply encryption to those emails before they are sent. Which Microsoft Purview solution should the administrator configure?

A.Information Protection (sensitivity labels)
B.Data Loss Prevention (DLP)
C.Data Lifecycle Management
D.eDiscovery
AnswerB

DLP policies can inspect emails for sensitive data patterns (e.g., credit card numbers) and automatically apply encryption as a protective action.

Why this answer

Data Loss Prevention (DLP) in Microsoft Purview is specifically designed to detect sensitive information such as credit card numbers in emails and automatically apply protective actions like encryption. DLP policies can scan Exchange Online messages in transit and enforce rules to encrypt the email before it is sent, which directly meets the requirement.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which can also apply encryption) with DLP, but sensitivity labels require manual or automatic classification based on label policies, not real-time content scanning of specific sensitive data patterns like credit card numbers in transit.

How to eliminate wrong answers

Option A is wrong because Information Protection (sensitivity labels) is used to classify and protect documents and emails based on manual or automatic labeling, but it does not natively scan for specific sensitive data patterns like credit card numbers and automatically trigger encryption on outbound emails. Option C is wrong because Data Lifecycle Management focuses on retaining, deleting, or archiving data based on age or policy, not on detecting sensitive content in transit and applying encryption. Option D is wrong because eDiscovery is used for searching and exporting content for legal or investigative purposes, not for real-time detection and protection of sensitive data in email flow.

876
MCQeasy

A compliance officer wants to automatically classify emails containing credit card numbers as 'Highly Confidential' and apply encryption. Which Microsoft Purview feature should be used?

A.Microsoft Purview Sensitivity Labels
B.Microsoft Purview Retention Labels
C.Microsoft Purview eDiscovery
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerD

DLP policies can detect credit card numbers and automatically apply encryption and other actions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive information like credit card numbers and automatically apply actions such as encryption. Option A is wrong because sensitivity labels are applied manually or auto-classified via DLP, but DLP itself triggers the action. Option B is wrong because retention labels are for retention, not encryption. Option C is wrong because eDiscovery is for search and export.

877
Multi-Selecteasy

Which TWO capabilities are part of Microsoft Entra ID Governance?

Select 2 answers
A.Entitlement Management
B.Identity Protection
C.Conditional Access
D.Self-Service Password Reset
E.Access Reviews
AnswersA, E

Manages access packages and requests.

Why this answer

Entitlement Management is a core capability of Microsoft Entra ID Governance because it enables organizations to manage the lifecycle of access for internal and external users through access packages, catalogs, and policies. It automates the request, approval, and assignment of access to groups, apps, and SharePoint sites, ensuring governance over who gets what and for how long. Access Reviews is also a key governance feature because it allows administrators to periodically review and certify user access, automatically removing stale or inappropriate permissions to maintain compliance.

Exam trap

The trap here is that candidates often confuse Identity Protection or Conditional Access with governance because they involve security controls, but Microsoft Entra ID Governance specifically focuses on the lifecycle management and periodic review of access rights, not on risk detection or policy enforcement at sign-in.

878
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst needs to receive an alert whenever a user accesses a cloud app from a new IP address that is not in the organization's trusted IP range. What should the analyst configure?

A.A file policy
B.A session policy
C.An app permission policy
D.An anomaly detection policy
AnswerD

Anomaly detection policies can detect impossible travel, unfamiliar sign-in properties, and other suspicious behaviors including new IPs.

Why this answer

Option D is correct because anomaly detection policies in Defender for Cloud Apps can detect activities from unfamiliar locations/IPs. Option C is wrong because app permission policies govern third-party app permissions, not access from IPs. Option B is wrong because session policies control real-time session monitoring, not alerting on new IPs. Option A is wrong because file policies monitor file activities, not login locations.

879
MCQeasy

A security analyst receives an alert about a suspicious process on a device. The security solution automatically investigates the device, gathers evidence, and determines that a known malware variant was detected. It then presents an action plan to the analyst for remediation. Which Microsoft security solution provides this automated investigation and response capability?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365
AnswerB

Correct. Microsoft Defender for Endpoint provides automated investigation and response for endpoint threats, enabling rapid triage and remediation of incidents on devices.

Why this answer

Microsoft Defender for Endpoint provides automated investigation and response (AIR) capabilities that automatically investigate alerts, gather evidence, and determine remediation actions. When a suspicious process is detected, Defender for Endpoint's AIR engine analyzes the device, identifies known malware variants, and presents an action plan to the security analyst for approval or execution.

Exam trap

Microsoft often tests the distinction between endpoint-focused security (Defender for Endpoint) and cloud/identity/email-focused solutions, so candidates mistakenly choose Defender for Cloud Apps or Defender for Identity when the scenario clearly describes on-device process investigation and automated response.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps focuses on cloud application security, shadow IT discovery, and data protection policies, not on-device process investigation and automated response. Option C is wrong because Microsoft Defender for Identity protects on-premises Active Directory environments by detecting identity-based attacks like Kerberos abuse, not by investigating suspicious processes on endpoints. Option D is wrong because Microsoft Defender for Office 365 secures email and collaboration tools against phishing and malware, but does not perform automated investigation of processes on devices.

880
MCQhard

Refer to the exhibit. You are evaluating a custom Azure Policy definition. The policy is intended to audit whether users assigned to a management role have MFA enabled. However, the policy is not triggering alerts for non-compliant users. What is the most likely cause?

A.The 'mfaEnabledPrincipals' parameter is not populated with the list of MFA-enabled users.
B.The policy mode is set to 'All' instead of 'Indexed'.
C.The policy only evaluates role assignments of type 'Microsoft.Authorization/roleAssignments' but not users.
D.The effect 'auditIfNotExists' should be 'deny' to trigger alerts.
AnswerA

Without this parameter, the existenceCondition cannot evaluate compliance.

Why this answer

The policy uses 'auditIfNotExists', but the existenceCondition checks whether the principal ID is in the 'mfaEnabledPrincipals' parameter. This parameter must be populated with the list of principals that have MFA enabled; the policy does not automatically detect MFA status. Option B is incorrect because the mode is 'All', which includes role assignments. Option C is incorrect because the policy does check for role assignments. Option D is incorrect because the audit effect does not require remediation.

881
MCQhard

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user executes a specific command on Azure VMs. Which data source should you connect to capture the command execution logs?

A.Office Activity log
B.Windows Security Events via Azure Monitor Agent
C.Azure AD audit logs
D.Azure Activity log
AnswerB

This captures command execution logs from the guest OS.

Why this answer

Option B is correct because commands executed inside the guest OS of a VM are captured by Windows Security Events (or Syslog on Linux), collected through the Azure Monitor Agent. Option D is incorrect because the Azure Activity log captures resource management operations at the control plane, not guest OS commands. Option A is incorrect because Office Activity logs are for Microsoft 365. Option C is incorrect because Azure AD audit logs are for identity events.

882
MCQmedium

Your company uses Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to documents containing a credit card number. What should they create?

A.A sensitivity label
B.A data loss prevention (DLP) policy
C.An auto-labeling policy
D.A retention label policy
AnswerC

Auto-labeling policies automatically apply labels based on conditions like sensitive info types.

Why this answer

Option C is correct: an auto-labeling policy in Purview automatically labels documents based on sensitive info types. Option A is wrong because a sensitivity label alone defines the label but doesn't auto-apply it. Option B is wrong because a DLP policy prevents sharing but doesn't label. Option D is wrong because a retention label is for retention, not sensitivity.

883
MCQmedium

You are the identity architect for a global organization with 100,000 users across 50 countries. The company uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. Recently, the security team identified that several compromised user accounts were used to exfiltrate data from a cloud storage app. The CISO wants to implement a solution that detects anomalous behavior (e.g., impossible travel, mass download) and automatically blocks the user session when such behavior is detected. The solution must also provide the ability to investigate and remediate after the fact. Which Microsoft Entra feature should you use in conjunction with Defender for Cloud Apps to meet these requirements?

A.Microsoft Entra Conditional Access session controls with Defender for Cloud Apps integration
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra access reviews
AnswerA

Session controls allow real-time monitoring and blocking of user sessions based on behavior.

Why this answer

Microsoft Entra Conditional Access session controls integrate directly with Defender for Cloud Apps to enable real-time session monitoring and blocking. When anomalous behaviors like impossible travel or mass downloads are detected by Defender for Cloud Apps, the session control can automatically block the user session, while also providing full investigation and remediation capabilities through the Defender for Cloud Apps portal. This meets the CISO's requirement for both automated blocking and post-incident analysis.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access policies (which block sign-ins at the authentication level) with the session-level controls needed for real-time monitoring and blocking within an already-established cloud app session.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Protection) is wrong because it focuses on risk-based detection and automated remediation of identities (e.g., requiring password reset or blocking sign-in), but it does not provide session-level controls or integration with Defender for Cloud Apps for real-time session blocking and investigation of cloud app activities. Option C (Microsoft Entra Privileged Identity Management) is wrong because it is designed for managing, controlling, and monitoring privileged role assignments and just-in-time access, not for detecting anomalous user behavior or blocking sessions in cloud apps. Option D (Microsoft Entra access reviews) is wrong because it is a governance tool for periodically reviewing group memberships, application access, and role assignments, not a real-time detection or session control mechanism.

884
MCQeasy

A company uses Microsoft 365 and wants to automatically classify documents based on sensitive information types like Social Security numbers. Which Microsoft Purview feature should be used?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Classification
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Sensitivity Labels
AnswerB

Data Classification uses built-in sensitive info types and trainable classifiers to identify content.

Why this answer

Option B is correct because Microsoft Purview Data Classification uses trainable classifiers and sensitive info types to auto-classify content. Option D is wrong because sensitivity labels are for manual or automatic labeling, while classification is the broader term. Option C is wrong because DLP policies prevent data loss but don't classify by default. Option A is wrong because Communication Compliance monitors communications, not classification.

885
MCQhard

You are analyzing sign-in logs in Microsoft Sentinel. Based on the KQL query in the exhibit, what is the purpose of this query?

A.Identify users who have attempted to sign in with a disabled account more than 10 times in the last 7 days.
B.Identify all sign-in attempts from a specific IP address.
C.Identify impossible travel activity across different locations.
D.Identify locations with the highest number of failed sign-ins.
AnswerA

Result type 50057 indicates user account disabled, and the query filters for attempts over 10.

Why this answer

Option A is correct because the query filters for result type 50057 (user account disabled) and counts attempts per user, then filters for more than 10 attempts. This could indicate a user trying to sign in with a disabled account. Option B is wrong because the query filters on a specific result type and groups by user, not by IP address. Option C is wrong because it does not analyze impossible travel. Option D is wrong because it counts by user, not by location.

886
MCQmedium

A company uses Microsoft Purview to map their data estate. They need to classify data stored in Azure SQL Database and Amazon S3. What should they use?

A.Microsoft Intune
B.Microsoft Sentinel
C.Microsoft Defender for Cloud
D.Microsoft Purview Data Map
AnswerD

Scans and classifies data across sources.

Why this answer

Option D is correct because the Purview Data Map can scan and classify data across on-premises and multi-cloud sources. Option C is wrong because Defender for Cloud focuses on security posture. Option B is wrong because Sentinel is for SIEM. Option A is wrong because Intune is for device management.

887
MCQmedium

Your organization uses Microsoft Purview to manage data classification. You need to ensure that sensitive data containing social security numbers is automatically labeled when stored in SharePoint Online. What should you configure?

A.Use the data classification dashboard in Microsoft Purview
B.Create a retention label policy
C.Configure a data loss prevention (DLP) policy
D.Create an auto-labeling policy for sensitivity labels
AnswerD

Auto-labeling policies automatically apply sensitivity labels based on sensitive info types.

Why this answer

Option D is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels to documents containing sensitive information types such as social security numbers. Option B is wrong because retention labels are for retention, not classification. Option C is wrong because DLP policies detect and prevent sharing but do not apply labels automatically. Option A is wrong because the data classification dashboard provides visibility but does not apply labels.

888
MCQmedium

A company runs workloads in Azure and Amazon Web Services (AWS). The security team wants a single, unified dashboard to assess the security posture of all cloud resources, get prioritized recommendations for misconfigurations, and enable just-in-time (JIT) virtual machine access across both cloud environments. Which Microsoft security solution should they use?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Cloud
D.Azure Policy
AnswerC

Microsoft Defender for Cloud provides unified security management and threat protection across hybrid and multi-cloud workloads, including AWS, with features like security posture assessment, recommendations, and just-in-time VM access.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified dashboard for assessing security posture across multi-cloud environments, including Azure and AWS. It delivers prioritized recommendations for misconfigurations using the Microsoft cloud security benchmark and supports just-in-time (JIT) VM access to reduce attack surfaces by controlling inbound traffic on demand.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM and workload protection platform) with Microsoft Sentinel (a SIEM), leading candidates to choose Sentinel because it also aggregates logs from multiple clouds, but it lacks the specific posture assessment dashboard and JIT VM access features described in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution focused on threat detection, investigation, and response, not a unified dashboard for security posture assessment and JIT VM access. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB that provides visibility and control over SaaS applications, not multi-cloud infrastructure posture management or JIT VM access. Option D is wrong because Azure Policy is an Azure-native service for enforcing compliance rules and tagging, but it does not support AWS resources or provide JIT VM access capabilities.

889
MCQmedium

A company wants to provide external consultants with access to a specific application using their LinkedIn or Google accounts. Which Microsoft Entra feature allows this?

A.Microsoft Entra Conditional Access
B.Microsoft Entra External ID
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Identity Protection
AnswerB

Supports social identity providers for external collaboration.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) is the correct feature because it enables external users—such as consultants—to sign in using their own identity providers (IdPs) like LinkedIn or Google via federation. This allows the company to grant access to a specific application without creating separate Microsoft Entra accounts for each consultant, leveraging social identity providers through OpenID Connect or OAuth 2.0 protocols.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with the ability to authenticate external users, or they mistakenly think PIM or Identity Protection can directly enable social identity provider sign-in.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, but it does not enable external identity providers like LinkedIn or Google for sign-in. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews for internal users, not external authentication with social IdPs. Option D is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not provide the federation capability to allow external consultants to authenticate via LinkedIn or Google.

890
MCQhard

Your organization uses Microsoft Entra ID Governance. You need to ensure that when a user leaves the company, all their access to critical applications is automatically removed. Which feature should you use?

A.Access Reviews with automatic removal
B.Privileged Identity Management
C.Identity Protection
D.Entitlement Management
AnswerA

Access Reviews can automatically remove access when a user leaves.

Why this answer

Access Reviews with automatic removal is the correct feature because it allows administrators to define recurring reviews of user access to critical applications and, upon completion, automatically remove access for users who are no longer approved. This directly addresses the requirement of removing all access when a user leaves the company, as the review process can be triggered by the user's departure or scheduled to run regularly, ensuring that stale access is revoked without manual intervention.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages and provisioning) with the actual removal mechanism, forgetting that Access Reviews provide the specific 'automatic removal' trigger based on reviewer decisions, while Entitlement Management alone does not enforce removal without a review or lifecycle workflow.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time activation and oversight of privileged roles (e.g., Global Administrator), not on removing all access to critical applications for departing users. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like compromised accounts or sign-ins from unusual locations, not on lifecycle-based access removal. Option D (Entitlement Management) is wrong because it manages access packages and catalogs for provisioning access, but it does not inherently include the automated removal of access upon user departure unless combined with Access Reviews or a separate lifecycle workflow.

891
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Microsoft 365 resources. You have configured a Conditional Access policy in Microsoft Entra ID that requires devices to be marked as compliant. However, some users report that they can still access email on their non-compliant Android devices. You need to troubleshoot and resolve the issue. What should you do?

A.Change the Conditional Access policy to block access for non-compliant devices instead of requiring compliance.
B.Check the Conditional Access policy is enabled and includes 'Office 365 Exchange Online' as a cloud app, and that the users have the appropriate licenses for Intune.
C.Ensure that the Android devices are enrolled in Microsoft Intune and have a compliance policy assigned.
D.Verify that the Conditional Access policy includes the users who are accessing email.
AnswerB

This ensures the policy is correctly scoped and users are licensed.

Why this answer

Option B is correct because the Conditional Access policy must be enabled and correctly scoped to the cloud apps, and the user must have the Intune license assigned. Option C is wrong because the device must be enrolled in Intune for compliance to be evaluated. Option D is wrong because the user must be in scope. Option A is wrong because the policy should grant access only if compliant, not block non-compliant devices.

892
MCQmedium

A financial services company uses Microsoft 365 and must prevent employees from emailing credit card numbers in plain text. The compliance team wants to automatically detect credit card numbers in outgoing emails and block them before delivery. They also want to allow users to override the block with a business justification. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Information Protection
C.Microsoft Purview Records Management
D.Microsoft Purview Insider Risk Management
AnswerA

DLP policies can detect sensitive data (like credit card numbers) in emails and block them before delivery, with the option for users to override the block with a business justification.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect sensitive data, such as credit card numbers, in transit (e.g., email) and enforce actions like blocking the message. DLP policies can be configured with user override options that require a business justification, meeting the compliance team's requirement for automatic detection and conditional blocking.

Exam trap

The trap here is that candidates often confuse Information Protection (labeling) with DLP (enforcement), thinking that applying a sensitivity label automatically blocks emails, but DLP is required for the blocking and override functionality described in the scenario.

How to eliminate wrong answers

Option B (Microsoft Purview Information Protection) is wrong because it focuses on classifying and labeling sensitive data (e.g., applying sensitivity labels) but does not automatically block emails based on content detection; it requires DLP to enforce actions. Option C (Microsoft Purview Records Management) is wrong because it manages retention and disposition of records, not real-time detection or blocking of sensitive data in email traffic. Option D (Microsoft Purview Insider Risk Management) is wrong because it analyzes user behavior and activities to identify potential insider threats, not to scan and block specific data patterns in outgoing emails.

893
Multi-Select (medium)

Which THREE components are part of Microsoft Defender XDR? (Choose three.)

Select 3 answers
A. Microsoft Purview
B. Microsoft Defender for Office 365
C. Microsoft Sentinel
D. Microsoft Defender for Identity
E. Microsoft Defender for Endpoint
Answers: B, D, E

Part of the XDR suite.

Why this answer

Options B, D, and E are correct. Defender XDR includes Defender for Office 365, Defender for Endpoint, and Defender for Identity. Option C is wrong because Sentinel is a separate product. Option A is wrong because Purview is for data governance.

894
Multi-Select (medium)

A company uses Microsoft Purview to manage data compliance. They need to meet regulatory requirements that mandate retention of financial records for 7 years and deletion of personal data after 3 years. Which THREE capabilities should they configure?

Select 3 answers
A. Microsoft Purview Information Protection
B. Microsoft Purview Records Management
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview Communication Compliance
E. Microsoft Purview eDiscovery
Answers: A, B, C

Correct: Can apply sensitivity labels that enforce retention and deletion.

Why this answer

Microsoft Purview Data Lifecycle Management includes retention labels and policies to keep data for the required period and deletion policies to remove data after a specified time. Microsoft Purview Records Management enables marking items as regulatory records so they cannot be deleted during the retention period. Microsoft Purview Information Protection can apply sensitivity labels that trigger retention, but the primary tools for retention and deletion are Data Lifecycle Management and Records Management. eDiscovery is for search and export, not lifecycle management. Communication Compliance is for monitoring communications, not retention.

895
Multi-Select (hard)

Which THREE of the following are features of Microsoft Purview Compliance Manager? (Select THREE.)

Select 3 answers
A. Record declaration and disposition reviews
B. Compliance score and templates for custom assessments
C. Pre-built assessments for common regulations like GDPR
D. Trainable classifiers to identify sensitive content
E. Microsoft-managed improvement actions for regulations
Answers: B, C, E

Compliance Manager provides templates and compliance scores.

Why this answer

Options B, C, and E are correct because Compliance Manager includes a compliance score with templates for custom assessments, pre-built assessments for regulations such as GDPR, and Microsoft-managed improvement actions. Option D is wrong because trainable classifiers are for auto-labeling. Option A is wrong because record declaration and disposition reviews belong to Records Management, a separate feature.

896
MCQ (medium)

A security architect is explaining the Zero Trust model to the board. The architect emphasizes that the network perimeter can no longer be considered a safe zone. Which statement best describes the modern primary security perimeter according to Zero Trust principles?

A. The corporate network firewall and VPN
B. The identity of the user and device
C. The physical on-premises data center
D. The endpoint antivirus and anti-malware solution
Answer: B

Identity is the fundamental building block of Zero Trust; it is used to verify every access request and enforce least privilege, forming the new perimeter.

Why this answer

In the Zero Trust model, the primary security perimeter is the identity of the user and device, not the network location. This is because Zero Trust assumes breach and requires explicit verification for every access request, regardless of whether it originates from inside or outside the corporate network. By treating identity as the new control plane, organizations enforce least-privilege access and continuous authentication, making the user and device identity the critical trust boundary.

Exam trap

The trap here is that candidates often confuse the Zero Trust model with traditional defense-in-depth layers, mistakenly selecting the corporate firewall or VPN as the primary perimeter, when in fact Zero Trust shifts the trust boundary to the identity of the user and device.

How to eliminate wrong answers

Option A is wrong because the corporate network firewall and VPN represent a traditional perimeter-based security approach, which Zero Trust explicitly rejects as the primary security boundary; in Zero Trust, network location does not grant implicit trust. Option C is wrong because the physical on-premises data center is a legacy concept of a trusted internal zone, whereas Zero Trust assumes that threats can exist anywhere, including inside the data center. Option D is wrong because endpoint antivirus and anti-malware solutions are only one component of endpoint protection and do not serve as the primary security perimeter; Zero Trust focuses on identity and device health as the core trust decision point.

897
MCQ (easy)

A user reports that they cannot sign in to Microsoft Entra ID because they forgot their password. Which Microsoft Entra ID feature allows them to reset their password without contacting IT support?

A. Microsoft Entra ID Connect
B. Microsoft Entra ID Protection
C. Microsoft Entra ID Domain Services
D. Self-Service Password Reset (SSPR)
Answer: D

Enables users to reset passwords using registered methods.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature that allows users to reset their own forgotten passwords without needing to contact IT support. It works by verifying the user's identity through pre-configured authentication methods (e.g., phone, email, security questions) before permitting the password change. This directly addresses the user's inability to sign in due to a forgotten password.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID Protection (which deals with risk detection) with SSPR, because both involve security and user authentication, but only SSPR enables the user to directly reset their own password without IT intervention.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Connect is a tool used to synchronize on-premises Active Directory identities to Microsoft Entra ID, not a password reset feature. Option B is wrong because Microsoft Entra ID Protection is a security service that detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), but it does not provide a mechanism for users to reset their own passwords. Option C is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., Kerberos, LDAP) for Azure VMs, not self-service password reset capabilities.

898
MCQ (hard)

A financial services firm has a strict compliance requirement to prevent insider trading. The firm must ensure that employees in the Investment Banking division cannot communicate or share documents via Microsoft Teams and SharePoint Online with employees in the Equity Research division. The solution must automatically block all communication and collaboration between the two groups, and any attempts to share must be denied. Which Microsoft Purview solution should they implement?

A. Information Barriers
B. Communication Compliance
C. Insider Risk Management
D. Sensitivity Labels
Answer: A

Information Barriers allow administrators to define policies that block communication and collaboration between defined user segments, ensuring compliance with ethical walls and insider trading regulations.

Why this answer

Information Barriers (A) is the correct solution because it is specifically designed to prevent communication and collaboration between defined user groups within Microsoft Teams, SharePoint Online, and other Microsoft 365 services. It enforces policies that automatically block unauthorized communications and document sharing, which directly meets the firm's compliance requirement to segregate Investment Banking and Equity Research divisions to prevent insider trading.

Exam trap

The trap here is that candidates often confuse Information Barriers with Communication Compliance, mistakenly thinking that monitoring and reviewing communications (Option B) can prevent insider trading, but only Information Barriers provide the proactive, automatic blocking required by the scenario.

How to eliminate wrong answers

Option B (Communication Compliance) is wrong because it is designed to monitor and review communications for policy violations (e.g., inappropriate language or regulatory breaches) after they occur, not to proactively block all communication and sharing between groups. Option C (Insider Risk Management) is wrong because it focuses on detecting, investigating, and acting on risky user activities (e.g., data exfiltration or policy violations) based on analytics and alerts, not on enforcing static, automatic blocks between entire divisions. Option D (Sensitivity Labels) is wrong because they are used to classify and protect data through encryption and visual markings, but they do not inherently block communication or collaboration between specific user groups; they require additional policies (like conditional access) to enforce restrictions.

899
MCQ (medium)

A security analyst needs to detect and investigate compromised identities in on-premises Active Directory. They want to monitor for lateral movement, reconnaissance, and credential theft using behavioral analytics. Which Microsoft security solution is designed specifically for this purpose?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud
C. Microsoft Defender for Identity
D. Microsoft Sentinel
Answer: C

Defender for Identity uses behavioral analytics and integrates with on-premises AD to detect compromised identities, lateral movement, and other attack patterns.

Why this answer

Microsoft Defender for Identity (MDI) is a cloud-based security solution that leverages on-premises Active Directory signals to identify, detect, and investigate advanced threats like lateral movement, reconnaissance, and credential theft. It uses behavioral analytics and machine learning to profile user and entity behavior, alerting on suspicious activities such as Pass-the-Hash, DCSync, and Kerberoasting without requiring agents on domain controllers.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel, assuming Sentinel's SIEM capabilities automatically cover identity-based behavioral analytics, but Sentinel lacks the native, agentless Active Directory behavioral profiling that MDI provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on email and collaboration threats (phishing, malware in attachments, and malicious links) and does not monitor on-premises Active Directory or lateral movement. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform for Azure, AWS, and GCP resources, not for on-premises Active Directory identity threats. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that can ingest logs from various sources, but it is not purpose-built for detecting compromised identities via behavioral analytics on Active Directory; it requires additional configuration and data connectors to achieve similar functionality.

900
MCQ (hard)

An organization uses Microsoft Purview Compliance Manager. They need to track their progress against a specific regulatory standard and assign improvement actions to different teams. Which component should they use?

A. Compliance Manager assessments
B. eDiscovery
C. Data Loss Prevention
D. Audit logs
Answer: A

Assessments in Compliance Manager allow tracking against standards and assigning improvement actions.

Why this answer

Option A is correct because Compliance Manager assessments track progress against a specific regulatory standard and allow improvement actions to be assigned to teams. Option C is wrong because DLP is for data loss prevention. Option B is wrong because eDiscovery is for search. Option D is wrong because audit logs are for logging activity, not for tracking regulatory progress.
