Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) - Questions 901-975

1411 questions total · 19 pages · All types, answers revealed


Page 13 of 19

901 (MCQ, medium)

Refer to the exhibit. An administrator created a retention label with the settings shown. What is the behavior of this label when applied to content?

A. It retains content for 5 years and then applies a disposition review.
B. It marks content as a regulatory record and prevents deletion.
C. It retains content for 7 years and then automatically deletes it.
D. It retains content indefinitely with no deletion.
Answer: C

2555 days = 7 years, and delete after retention is true.

Why this answer

Option C is correct because the retention duration is 2555 days (7 years) and deletion is enabled after the retention period. Option A is wrong because the period is 7 years, not 5, and the action after retention is deletion, not a disposition review. Option B is wrong because the record type is standard, not regulatory. Option D is wrong because the label is not locked and deletion after retention is enabled.

902 (MCQ, medium)

A security analyst needs to investigate a potential malware outbreak that started on an on-premises Windows server several days ago. They want to trace the attack timeline, see which files were modified, and understand how the attacker moved laterally across the network. Which Microsoft solution provides advanced endpoint detection and response (EDR) for on-premises servers?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Defender for Identity
Answer: B

Correct. Defender for Endpoint is the Microsoft EDR solution that covers on-premises servers, providing incident investigation, threat hunting, and lateral movement detection.

Why this answer

Microsoft Defender for Endpoint (MDE) provides advanced endpoint detection and response (EDR) capabilities, including behavioral-based detection, automated investigation, and threat analytics. For on-premises Windows servers, MDE can be deployed via Microsoft Defender for Cloud (formerly Azure Security Center) or directly, enabling full attack timeline reconstruction, file modification tracking, and lateral movement path analysis through its rich telemetry and incident graph.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's 'servers' workload protection with the actual EDR engine, not realizing that Defender for Cloud merely enables MDE on servers but does not replace its dedicated endpoint detection and response capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that can enable MDE on servers but does not itself provide the EDR functionality; it integrates with MDE for that purpose. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, OneDrive, and Teams from malicious content, not on-premises server endpoints or lateral movement analysis. Option D is wrong because Microsoft Defender for Identity is an identity-based threat detection solution that monitors Active Directory signals for attacks like pass-the-hash, not file-level or endpoint-level EDR on servers.

903 (MCQ, medium)

You are responsible for Microsoft Purview Information Protection at a law firm that handles highly confidential client documents. The firm uses Microsoft 365 E5. You need to ensure that any document containing the phrase 'Attorney-Client Privileged' is automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, if a user attempts to send such a document via email outside the organization, the action should be blocked and the user should be prompted with a policy tip. You have already created the sensitivity label with encryption settings. What should you do next?

A. Create a DLP policy that detects the phrase and automatically applies the label, then blocks external sharing.
B. Create an auto-labeling policy for the label, and create a DLP policy that detects the label and blocks external sharing with a policy tip.
C. Create an auto-labeling policy for the label, and create a mail flow rule in Exchange to block external emails with that label.
D. Create a manual labeling policy and train users to apply the label, then create a DLP policy.
Answer: B

Auto-labeling automatically applies the label, and DLP blocks sharing and provides a policy tip.

Why this answer

Correct: B. Create an auto-labeling policy for the label, and a DLP policy that detects the label and blocks external sharing with a policy tip. Option A is wrong because a DLP policy alone cannot auto-apply the sensitivity label. Option C is wrong because it replaces the DLP policy with a mail flow rule, which does not provide the policy tip. Option D is wrong because manual labeling is not automatic.

904 (Multi-Select, easy)

Which TWO Microsoft security solutions can be used to detect and respond to threats across email, endpoints, and identities? (Choose two.)

Select 2 answers
A. Microsoft Intune
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview
D. Microsoft Sentinel
E. Microsoft Defender XDR
Answers: D, E

Sentinel provides SIEM and SOAR capabilities across multiple sources.

Why this answer

Microsoft Defender XDR (extended detection and response) and Microsoft Sentinel (SIEM/SOAR) can integrate signals across email, endpoints, and identities. Option A is incorrect because Intune is for device management. Option B is incorrect because Defender for Cloud Apps focuses on cloud apps. Option C is incorrect because Purview is for data protection, not threat detection.

905 (MCQ, medium)

Your organization uses Microsoft Entra ID. You need to grant external partners limited access to a SharePoint site for 30 days. After 30 days, access should automatically expire. Which Microsoft Entra feature should you use?

A. Microsoft Entra access reviews
B. Microsoft Entra B2B guest user accounts
C. Microsoft Entra entitlement management
D. Microsoft Entra Conditional Access
Answer: C

Entitlement management allows creating access packages with expiration dates for external users.

Why this answer

Microsoft Entra entitlement management allows you to create access packages that grant external users time-limited access to resources like SharePoint sites. By configuring an access package with a 30-day expiration policy, access is automatically revoked when the policy expires, meeting the requirement exactly.

Exam trap

The trap here is that candidates confuse entitlement management (which handles time-bound resource access) with access reviews (which handle periodic recertification) or B2B guest accounts (which provide identity but not automatic expiration).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra access reviews are used for periodic attestation of existing access, not for automatically expiring access after a fixed duration. Option B is wrong because Microsoft Entra B2B guest user accounts provide the identity for external users but do not include built-in time-limited access policies; expiration must be managed separately. Option D is wrong because Microsoft Entra Conditional Access enforces access controls based on conditions like location or device state, not for granting or expiring access to specific resources on a schedule.

906 (MCQ, hard)

Refer to the exhibit. You are reviewing an ARM template for an Azure resource. Assuming the resource is a Key Vault, what is the effect of the networkAcls configuration?

A. The Key Vault is accessible from any network.
B. The Key Vault is accessible only from the 10.0.0.0/24 subnet.
C. The Key Vault is accessible from all Azure services.
D. The Key Vault is not accessible from any network.
Answer: B

Correct: The IP rule allows that subnet, and default action denies all others.

Why this answer

The defaultAction is Deny, but an IP rule allows traffic from 10.0.0.0/24, so only that subnet can reach the Key Vault. Option B is correct.

Option A is wrong because the default action is Deny, so the vault is not reachable from arbitrary networks. Option C is wrong because the default action is Deny, not Allow, and no bypass for Azure services is shown. Option D is wrong because the IP rule explicitly allows the subnet.

907 (Multi-Select, hard)

Which TWO Microsoft Purview solutions can help identify and protect sensitive data in Microsoft Teams? (Choose TWO.)

Select 2 answers
A. Communication Compliance
B. Information Protection
C. Data Lifecycle Management
D. Data Loss Prevention
E. Insider Risk Management
Answers: B, D

Information Protection applies labels to Teams files and messages to classify and protect.

Why this answer

Data Loss Prevention (DLP) can scan Teams messages for sensitive data and block sharing. Information Protection applies sensitivity labels to content in Teams. Insider Risk Management detects risky activities but does not directly identify or protect data.

Communication Compliance monitors for policy violations. Data Lifecycle Management manages retention, not protection.

908 (Multi-Select, hard)

A security administrator wants to use Microsoft Defender for Cloud to protect Azure VMs. Which two of the following should be enabled to meet the requirements? (Choose two.)

Select 2 answers
A. Just-in-Time (JIT) VM access
B. Azure Bastion
C. Adaptive network hardening
D. Vulnerability assessment
Answers: A, C

JIT VM access locks down inbound traffic to VMs, reducing exposure while enabling temporary access for administrators.

Why this answer

Just-in-Time (JIT) VM access reduces the attack surface by locking down inbound traffic to Azure VMs, only opening ports (e.g., RDP 3389, SSH 22) when requested and for a limited time after approval via Microsoft Defender for Cloud. This directly protects Azure VMs by preventing persistent exposure of management ports. Adaptive network hardening complements it by recommending NSG rules that tighten inbound traffic to the sources actually observed, so both are protective controls.

Exam trap

The trap here is that candidates confuse Azure Bastion (a secure connectivity service) with a security protection feature, or think vulnerability assessment is a protective control rather than a detection tool, leading them to select options that do not actively protect VMs from network-based attacks.

909 (MCQ, medium)

Your company uses Microsoft Entra ID. You need to enforce that all users accessing the HR application must have a device that is compliant with company security policies. The device compliance is managed by Microsoft Intune. Which feature should you use to enforce this requirement?

A. Microsoft Intune device compliance policies
B. Microsoft Entra Conditional Access
C. Microsoft Entra Multifactor Authentication
D. Microsoft Entra device registration
Answer: B

Conditional Access policies can require that devices be marked as compliant to grant access.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it allows you to create policies that evaluate conditions such as device compliance before granting access to applications. By integrating with Microsoft Intune, Conditional Access can check the device compliance status reported by Intune and block or allow access to the HR application accordingly. This enforces the requirement that only compliant devices can access the app, without requiring users to authenticate differently.

Exam trap

The trap here is that candidates confuse the creation of compliance policies (Intune) with the enforcement of those policies (Conditional Access), assuming that simply defining compliance rules automatically restricts access to applications.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune device compliance policies define the compliance rules (e.g., encryption, OS version) but do not enforce access control to applications; they only mark devices as compliant or non-compliant. Option C is wrong because Microsoft Entra Multifactor Authentication adds an extra authentication factor but does not evaluate device compliance or enforce device-based access restrictions. Option D is wrong because Microsoft Entra device registration is the process of joining a device to the directory, which is a prerequisite for compliance but does not itself enforce access policies based on compliance status.

910 (Multi-Select, medium)

A company uses Microsoft 365 E5 and wants to protect against advanced cyber threats. Which TWO capabilities of Microsoft Defender XDR should they implement?

Select 2 answers
A. Microsoft Intune
B. Microsoft Defender for Office 365
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
E. Microsoft Defender for Endpoint
Answers: B, E

Correct: Protects email and collaboration tools.

Why this answer

Microsoft Defender for Endpoint and Microsoft Defender for Office 365 are core components of Microsoft Defender XDR. Defender for Cloud Apps is a separate product, and Microsoft Sentinel is a SIEM. Microsoft Intune is for device management.

911 (MCQ, hard)

A security administrator receives an alert from Microsoft Sentinel about a possible brute-force attack against a virtual machine. The administrator wants to automatically block the attacker's IP address for 24 hours using a playbook. Which automation trigger should the playbook use?

A. Incident trigger
B. Alert trigger
C. Scheduled trigger
D. Action trigger
Answer: A

Incident triggers run playbooks when an incident is created, enabling automated response.

Why this answer

Option A is correct because a playbook triggered by an incident can automate response actions like blocking an IP. Option B is wrong because an alert trigger runs when an alert is generated, but the playbook should run on incident creation for a coordinated response. Option C is wrong because a scheduled trigger runs on a timer and is not event-driven. Option D is wrong because an action trigger is not a valid Sentinel trigger type.

912 (MCQ, medium)

A company uses Microsoft Entra ID. They want to ensure that when users access the HR portal from an unmanaged personal device, they are prompted to sign a terms of use agreement and also required to perform multifactor authentication (MFA). Which Conditional Access control should they configure to enforce both requirements?

A. Session control - Use app enforced restrictions
B. Grant - Require MFA and Require terms of use
C. Grant - Require approved client app
D. Session control - Sign-in frequency
Answer: B

This grant control combination enforces both multifactor authentication and terms of use acceptance before access is granted, meeting the requirements.

Why this answer

The Grant control in Conditional Access allows you to require multiple conditions to be satisfied before granting access. By selecting both 'Require MFA' and 'Require terms of use' under Grant, the policy enforces that the user must complete both MFA and accept the terms of use when accessing the HR portal from an unmanaged device. This directly meets the requirement for both authentication and consent.

Exam trap

The trap here is that candidates often confuse Session controls (which manage behavior after access is granted) with Grant controls (which enforce requirements before access is granted), leading them to pick a session-based option like 'Sign-in frequency' instead of the correct Grant combination.

How to eliminate wrong answers

Option A is wrong because Session controls (like 'Use app enforced restrictions') only apply additional restrictions during an active session, such as blocking downloads, but they do not enforce pre-access requirements like MFA or terms of use acceptance. Option C is wrong because 'Require approved client app' restricts access to specific client applications (e.g., Microsoft apps) and does not enforce MFA or terms of use. Option D is wrong because 'Sign-in frequency' is a session control that re-prompts for authentication after a set time, but it does not enforce MFA or terms of use as a one-time requirement.

913 (MCQ, easy)

Your organization uses Microsoft 365 and wants to classify and protect documents based on their content, such as credit card numbers. Which Microsoft Purview feature automatically classifies content based on sensitive information types?

A. Data Loss Prevention policy
B. Auto-labeling with sensitivity labels
C. Unified labeling client
D. eDiscovery
Answer: B

Auto-labeling can apply labels automatically based on conditions like sensitive info types.

Why this answer

Auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types like credit card numbers, so option B is correct. Option A is wrong because DLP blocks sharing rather than classifying. Option C is wrong because the unified labeling client is the client that applies labels, not an automatic classifier. Option D is wrong because eDiscovery searches content.

914 (MCQ, hard)

A multinational corporation needs to restrict data sharing in Microsoft Teams to comply with regional regulations. Users must not be able to share files with external domains from specific departments. What should the administrator configure?

A. Microsoft Intune device compliance policy
B. Microsoft Defender for Cloud Apps session policy
C. Data Loss Prevention (DLP) policy in Microsoft Purview
D. Sensitivity labels with container management in Microsoft Purview
Answer: D

Correct: Sensitivity labels can be configured to block external sharing for specific groups.

Why this answer

Microsoft Purview Information Protection and sensitivity labels can enforce encryption and access restrictions. Additionally, Microsoft Entra ID Conditional Access can block external sharing from specific groups, but the most direct is using sensitivity labels with container management for Teams.

915 (MCQ, medium)

An organization uses Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared externally. They need to block sharing of credit card numbers in emails and Teams messages. What should they create?

A. A retention label to retain credit card data
B. A DLP policy with a rule that detects credit card numbers and blocks sharing
C. An audit policy to log credit card sharing
D. A sensitivity label that marks credit card data
Answer: B

DLP policies enforce actions on sensitive data.

Why this answer

Option B is correct because DLP policies can detect and block sensitive data like credit card numbers in email and Teams. Option A is wrong because retention labels manage retention, not sharing. Option C is wrong because audit policies log activity but don't block. Option D is wrong because sensitivity labels apply metadata but don't block sharing on their own.

916 (MCQ, medium)

A company must retain all customer service emails in Exchange Online for 7 years for regulatory purposes. After 7 years, the emails must be automatically deleted. Additionally, employees must not be able to permanently delete these emails before the retention period ends. Which Microsoft Purview solution should they configure?

A. Data Lifecycle Management (retention policies and labels)
B. Communication Compliance
C. eDiscovery (Premium)
D. Data Loss Prevention (DLP)
Answer: A

Retention policies and labels can enforce retention for 7 years and automatic deletion, and protect against premature deletion by users.

Why this answer

Data Lifecycle Management (DLM) via retention policies and labels in Microsoft Purview is the correct solution because it allows you to define a retention period of 7 years for Exchange Online emails and then automatically delete them. Additionally, DLM retention policies prevent users from permanently deleting emails before the retention period ends by locking the items in a 'preservation hold' state, ensuring regulatory compliance.

Exam trap

The trap here is that candidates confuse retention policies (which enforce deletion after a period) with eDiscovery holds (which preserve content indefinitely for legal cases), leading them to select eDiscovery (Premium) instead of Data Lifecycle Management.

How to eliminate wrong answers

Option B is wrong because Communication Compliance is designed to detect and remediate inappropriate or policy-violating communications (e.g., harassment, insider trading), not to enforce retention or deletion schedules. Option C is wrong because eDiscovery (Premium) is used for legal discovery and holds content for litigation, not for automated lifecycle management or deletion after a fixed period. Option D is wrong because Data Loss Prevention (DLP) prevents unauthorized sharing of sensitive data (e.g., credit card numbers) but does not manage retention periods or enforce deletion.

917 (MCQ, hard)

Your organization uses Microsoft Sentinel as its SIEM. You need to create an analytics rule that detects when a user account is created in Azure AD and then, within 10 minutes, that same account is used to grant admin consent to an application. You have a KQL query that joins AuditLogs and SigninLogs. However, the rule is generating too many false positives. You need to refine the query to reduce false positives. What should you do?

A. Change the rule to alert on every admin consent grant event regardless of account creation.
B. Remove the join with SigninLogs and only use AuditLogs.
C. Add a condition to exclude accounts that are known admin accounts or service accounts.
D. Increase the time window from 10 minutes to 30 minutes.
Answer: C

This filters out legitimate administrative activity.

Why this answer

Option C is correct because known admin or service accounts are often used for legitimate, automated admin consent grants, which can trigger false positives. By excluding these accounts from the detection logic, the rule focuses on anomalous behavior from non-privileged accounts, reducing noise while preserving the core detection of suspicious account creation followed by admin consent grant.

Exam trap

The trap here is that candidates may think widening the time window or simplifying the query will reduce false positives, but in reality, these changes either increase noise or break the correlation logic, whereas excluding known legitimate accounts directly addresses the root cause of false alerts.

How to eliminate wrong answers

Option A is wrong because alerting on every admin consent grant event would massively increase false positives, as many legitimate admin consent grants occur without a preceding account creation. Option B is wrong because removing the join with SigninLogs would eliminate the temporal correlation between account creation and the subsequent sign-in used for consent, breaking the detection logic entirely. Option D is wrong because increasing the time window from 10 to 30 minutes would allow more unrelated events to match, likely increasing false positives rather than reducing them.

918 (MCQ, easy)

A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?

A. Least privilege
B. Defense in depth
C. Zero Trust
D. Separation of duties
Answer: A

By restricting RDP access to only the jump server, the company is following the principle of least privilege, giving only the minimum access needed.

Why this answer

Restricting RDP access to only a dedicated jump server's IP address ensures that no other hosts or users can directly initiate remote desktop connections to production servers. This enforces the principle of least privilege by granting only the minimum necessary network access (the jump server) required for administrative tasks, reducing the attack surface and limiting lateral movement.

Exam trap

The trap here is that candidates confuse 'least privilege' (limiting access to what is necessary) with 'defense in depth' (multiple layers), because both involve restricting access, but least privilege focuses on the minimal permissions while defense in depth focuses on layered controls.

How to eliminate wrong answers

Option B (Defense in depth) is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption) working together, not a single access restriction. Option C (Zero Trust) is wrong because Zero Trust assumes no implicit trust and requires continuous verification of every request, whereas this rule is a static IP-based allowlist that does not verify identity or session context. Option D (Separation of duties) is wrong because separation of duties divides critical tasks among different people to prevent fraud or error, not restrict network access to a specific source IP.

919 (Multi-Select, easy)

Which TWO capabilities are provided by Microsoft Entra ID?

Select 2 answers
A. Multifactor authentication
B. Device management
C. Security incident detection
D. Single sign-on
E. Data classification
Answers: A, D

MFA is a built-in feature of Entra ID.

Why this answer

Options A and D are correct. Microsoft Entra ID provides single sign-on and multifactor authentication. Option B is incorrect because device management is provided by Microsoft Intune. Option C is incorrect because security incident detection is provided by Microsoft Sentinel, a SIEM. Option E is incorrect because data classification (Azure Information Protection) is a Microsoft Purview feature.

920 (MCQ, medium)

A company uses Microsoft Entra ID. The IT department needs to ensure that membership in the 'Global Administrator' role is regularly reviewed. Every quarter, the designated reviewers (e.g., senior managers) receive an email asking them to confirm whether each user in the role should keep their assignment. After the review deadline, any member not approved is automatically removed. Which Microsoft Entra ID feature should they configure?

A. Access Reviews
B. Privileged Identity Management (PIM)
C. Identity Protection
D. Conditional Access
Answer: A

Access Reviews allow administrators to create recurring reviews of membership in Entra ID roles or groups. Designated reviewers approve or deny each member, and after the review period ends, non-approved members are automatically removed.

Why this answer

Access Reviews in Microsoft Entra ID are specifically designed for periodic attestation of group memberships, application access, and role assignments. The scenario describes a quarterly review where designated reviewers receive email notifications and unapproved members are automatically removed after the deadline, which is the exact workflow that Access Reviews automate. This feature ensures compliance by requiring explicit confirmation for each user in the Global Administrator role.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Access Reviews because both deal with privileged roles, but PIM handles activation and approval, while Access Reviews handle periodic attestation and removal of stale assignments.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time activation, approval workflows, and time-bound role assignments, not on periodic attestation reviews with automatic removal of unapproved members. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like leaked credentials or sign-ins from anonymous IP addresses, not role membership reviews. Option D (Conditional Access) is wrong because it enforces access control policies based on signals like user location or device compliance, not on reviewing and attesting existing role assignments.

921 (MCQ, medium)

A security team wants to detect when a user downloads an unusually large number of files from a third-party cloud storage app (e.g., Box) after logging in from an unfamiliar location. They also want to automatically suspend the user's account if such behavior is detected. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
Answer: B

Defender for Cloud Apps provides visibility and control over third-party cloud apps, detects anomalies (e.g., impossible travel, mass download), and can automatically suspend users to stop potential data exfiltration.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) capabilities, including anomaly detection for user behavior across third-party cloud apps like Box. It can detect activities such as an unusually large number of file downloads from an unfamiliar location using its built-in behavioral analytics and then automatically apply a governance action, such as suspending the user's account, via policy-driven automated responses.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that 'cloud apps' only refers to Microsoft 365 services, but MDCA specifically covers third-party SaaS apps like Box, Salesforce, and AWS, while Defender for Office 365 is limited to Microsoft's own collaboration suite.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools within Exchange Online, SharePoint Online, and Teams, not on monitoring third-party cloud storage apps like Box for anomalous download behavior. Option C is wrong because Microsoft Defender for Identity is designed to detect on-premises Active Directory attacks (e.g., lateral movement, privilege escalation) using network traffic and event logs, not to monitor user activity in third-party SaaS applications. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices (Windows, macOS, Linux) from malware and advanced threats, not cloud app usage or user account suspension in SaaS platforms.

922 (MCQ, hard)

A multinational organization must comply with GDPR and local data residency requirements. The compliance team needs to ensure that personal data is not stored in regions outside the permitted locations. Which Microsoft Purview capability should they use to discover and map personal data across the organization's data estate?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Compliance Manager
C. Microsoft Purview Data Map
D. Microsoft Purview Audit
Answer: C

Data Map discovers and maps data across the organization, identifying personal data locations.

Why this answer

Microsoft Purview Data Map provides automated data discovery and classification across on-premises, multi-cloud, and SaaS data sources, enabling organizations to understand where personal data resides. Data Lifecycle Management handles retention, not discovery. Audit logs record activities but do not map data. Compliance Manager is for managing compliance assessments.

923 (MCQ, medium)

A company wants to block all sign-ins using legacy authentication protocols because these protocols do not support multi-factor authentication (MFA). Which component of a Microsoft Entra ID Conditional Access policy should be configured to achieve this?

A. Cloud apps or actions
B. Conditions (Client apps)
C. Grant
D. Session
Answer: B

The Conditions section includes a Client apps filter that can block legacy authentication protocols, effectively enforcing the use of modern authentication clients.

Why this answer

To block legacy authentication protocols, you configure the 'Client apps' condition in a Conditional Access policy. This setting allows you to target specific authentication clients, such as Exchange ActiveSync, POP3, IMAP, and SMTP, which do not support MFA. By selecting 'Exchange ActiveSync clients' and 'Other clients' under the Client apps condition, you can enforce a block on all sign-ins using these legacy protocols.

Exam trap

The trap here is that candidates often confuse 'Client apps' with 'Cloud apps or actions', thinking they need to select the specific legacy app (like Exchange Online) rather than the authentication client type, which is the correct way to block the protocol itself.

How to eliminate wrong answers

Option A is wrong because 'Cloud apps or actions' is used to specify which applications or user actions the policy applies to, not to filter by authentication protocol. Option C is wrong because 'Grant' controls access by requiring MFA, compliant device, or other controls, but it cannot directly block legacy authentication protocols; it only adds requirements after the protocol is used. Option D is wrong because 'Session' controls session-level policies like app-enforced restrictions or sign-in frequency, not the initial authentication protocol used.

924
MCQeasy

An organization wants to provide a secure way for external partners to access specific SharePoint sites without creating new user accounts. What Microsoft Entra B2B feature should they use?

A.Azure AD B2C
B.Direct federation
C.Azure AD Domain Services
D.B2B collaboration
AnswerD

Enables external user access using their own identities.

Why this answer

B2B collaboration is the correct Microsoft Entra B2B feature because it allows external partners to access specific SharePoint sites using their own identities (e.g., work or social accounts) without requiring new user accounts or passwords to be created in the organization's tenant. This is achieved through invitation-based redemption, where the partner user is represented as a guest user object in the directory, enabling fine-grained access control via SharePoint site sharing policies.

Exam trap

The trap here is that candidates confuse B2B collaboration (for external partner access with existing identities) with Azure AD B2C (for customer-facing identity management), or mistakenly think Direct federation is required for partner access when B2B collaboration already handles the invitation and redemption process without creating new accounts.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C (Business-to-Consumer) is designed for customer-facing applications with self-service sign-up, not for granting external partners access to internal SharePoint sites without creating accounts. Option B is wrong because Direct federation is an authentication method that establishes a trust relationship with an external IdP for inbound SAML/WS-Fed federation, but it does not provide the invitation-based guest access model needed for ad-hoc partner access to SharePoint. Option C is wrong because Azure AD Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, not for external partner identity management or SharePoint access.

925
MCQhard

Refer to the exhibit. You run a Kusto query in Microsoft Defender XDR Advanced Hunting. What does this query return?

A.Top 10 high-severity alert titles by number of distinct affected devices
B.Top 10 alert titles by number of distinct devices, including all severities
C.Top 10 devices with the most high-severity alerts
D.Top 10 high-severity alert titles by total number of alerts
AnswerA

Query uses dcount on DeviceName for high-severity alerts.

Why this answer

The query filters for high-severity alerts, then summarizes by AlertTitle and counts distinct DeviceName values. It orders by that count descending and takes the top 10, so it returns the top 10 high-severity alert titles ranked by the number of distinct affected devices.

Exam trap

The trap here is that candidates confuse 'distinct devices' with 'total alerts' or 'devices with the most alerts', and overlook the explicit severity filter, leading them to choose options that ignore the high-severity filter or misidentify the aggregation column.

How to eliminate wrong answers

Option B is wrong because the query explicitly filters for high-severity alerts (where Severity == 'High'), so it does not include all severities. Option C is wrong because the query summarizes by AlertTitle, not by DeviceName; it returns alert titles, not device names. Option D is wrong because the query uses dcount(DeviceName) to count distinct devices, not a count of total alerts (which would use count()).

926
MCQhard

Refer to the exhibit. You are evaluating a Conditional Access policy in JSON format. The policy is assigned to a test user group. A user in that group tries to access Outlook Web App (OWA) from a browser. What is the effect of this policy?

A.Access is blocked because Exchange ActiveSync is included.
B.Access is blocked because the policy targets Office 365.
C.Access is allowed but MFA is required.
D.Access is allowed because the policy only blocks legacy authentication protocols.
AnswerD

Browser access to OWA uses modern authentication (HTTPS), not legacy, so it is not blocked.

Why this answer

The policy in the exhibit targets 'Office 365 Exchange Online' and includes a condition for 'Client apps: Exchange ActiveSync, Other clients'. However, the user is accessing Outlook Web App (OWA) from a browser, which uses modern authentication (HTTPS). The policy explicitly blocks legacy authentication protocols (Exchange ActiveSync and other clients that do not support modern auth).

Since OWA uses modern authentication, it is not affected by this policy, so access is allowed. Option D correctly identifies that the policy only blocks legacy authentication protocols, not modern browser-based access.

Exam trap

The trap here is that candidates mistakenly think any policy including 'Exchange ActiveSync' or 'Office 365' will block all access to Exchange Online, ignoring that the policy's effect depends on the client app type (legacy vs. modern) and the specific access method (browser vs. mobile app).

How to eliminate wrong answers

Option A is wrong because Exchange ActiveSync is included as a target, but the user is accessing OWA via a browser, not using Exchange ActiveSync; the policy blocks legacy protocols, but OWA uses modern authentication and is not blocked. Option B is wrong because the policy targets 'Office 365 Exchange Online' (a specific cloud app), not the entire 'Office 365' suite; the policy does not block all Office 365 apps, only legacy authentication for Exchange Online. Option C is wrong because the policy does not grant access with MFA; it is configured to block access for the specified client apps, not to require MFA.

The grant control is set to 'Block', not 'Require multifactor authentication'.

927
Multi-Selecteasy

Which TWO features are part of Microsoft Defender XDR?

Select 2 answers
A.Automated investigation and response
B.Cloud app discovery
C.Endpoint data loss prevention
D.Identity Protection
E.Incident management across workloads
AnswersA, E

XDR includes AIR capabilities.

Why this answer

Option A is correct because Microsoft Defender XDR includes automated investigation and response. Option E is correct because it includes incident management across workloads. Option B is wrong because cloud app discovery is part of Defender for Cloud Apps, not XDR.

Option D is wrong because identity protection is part of Entra ID Protection. Option C is wrong because endpoint DLP is part of Microsoft Purview.

928
MCQhard

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to ensure that only managed compliant devices can access corporate email via Outlook mobile app. What is the most efficient approach?

A.Create an app protection policy in Microsoft Intune for Outlook and assign it to all users
B.Enforce device compliance policies in Intune and create a Conditional Access policy that requires compliant device
C.Create a Conditional Access policy that requires MFA for the Outlook app
D.Create a Conditional Access policy that requires a compliant device and create an app protection policy for Outlook
AnswerD

Combining device compliance and app protection ensures only managed devices with data protection can access email.

Why this answer

Option D is correct because a Conditional Access policy requiring a compliant device, combined with an app protection policy, provides both device management and data protection. Option B is wrong because device compliance alone does not protect data. Option C is wrong because MFA does not enforce device management.

Option A is wrong because requiring only app protection might allow unmanaged devices.

929
MCQhard

Your organization has a Microsoft Purview retention policy that retains SharePoint documents for 5 years. After 5 years, you want an administrator to review and approve deletion. Which configuration is required?

A.Configure a disposition review at the end of the retention period
B.Apply a retention label and enable disposition review
C.Use eDiscovery (Premium) to export and then delete
D.Set the retention policy to delete automatically after 5 years
AnswerA

Disposition review allows an administrator to review and approve deletion.

Why this answer

Option A is correct because disposition review allows manual review before permanent deletion. Option D is wrong because automatic deletion would delete without review. Option B is wrong because retention labels can be part of a disposition workflow, but disposition review is the specific feature required.

Option C is wrong because eDiscovery does not manage disposition.

930
MCQmedium

Your organization, Contoso Ltd., uses Microsoft 365 and Microsoft Defender XDR. You are a security administrator. Recently, a user named John Doe reported that his account is sending phishing emails internally. You suspect his account is compromised. You need to contain the threat immediately while preserving forensic data. The company has the following security solutions: Microsoft Entra ID P2, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Sentinel, and Microsoft Purview. You need to prevent the compromised account from causing further damage. Which action should you take first?

A.Reset the user's password and require a password change
B.Revoke all refresh tokens for the user in Microsoft Entra ID
C.Disable the user account in Microsoft Entra ID
D.Create a mail flow rule in Exchange Online to block the user's emails
AnswerC

Disabling immediately blocks all authentication and access.

Why this answer

Option C is correct because disabling the user account in Microsoft Entra ID is the quickest way to stop the compromised account from sending emails. Option A is wrong because resetting the password does not immediately revoke active sessions; tokens may still be valid. Option B is wrong because, while useful, revoking sessions is not as immediate as disabling the account; disabling the account is also a stronger containment step.

Option D is wrong because creating a mail flow rule takes time and may not stop the account if it's already authenticated.

931
MCQhard

Your organization uses Microsoft Sentinel for SIEM. You receive an alert that a user account was compromised. You need to automatically disable the user's access across all cloud apps (SaaS) and reset their password. What should you use?

A.Create a Microsoft Sentinel automated response playbook
B.Use Microsoft Intune to remote wipe the user's device
C.Manually disable the user in Microsoft Entra ID and reset password
D.Configure a Microsoft Defender for Cloud Apps session policy
AnswerA

Playbooks can automate actions like disabling user and resetting password.

Why this answer

Option A is correct because Microsoft Sentinel can use automation rules with playbooks (Power Automate or Logic Apps) to trigger actions like disabling a user and resetting the password in Microsoft Entra ID. Option C is wrong because manual response is not automated. Option D is wrong because Microsoft Defender for Cloud Apps can block access but not reset passwords.

Option B is wrong because Microsoft Intune manages devices, not user accounts.

932
MCQhard

A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?

A.Physical security of the datacenter hosting the App Service
B.Patching the operating system of the App Service host machines
C.Managing user identities and access to the application
D.Network security for the Azure backbone connecting datacenters
AnswerC

The customer is responsible for managing identity and access to their application, including authentication, authorization, and user roles. Microsoft provides the platform but does not control who accesses the customer's app.

Why this answer

In a PaaS deployment like Azure App Service with Azure SQL Database, the customer is responsible for managing user identities and access to the application, including authentication, authorization, and role-based access control (RBAC). Microsoft manages the underlying infrastructure, including the host OS, physical datacenter security, and network backbone, but the customer must secure application-level access and data plane operations.

Exam trap

The trap here is that candidates often assume PaaS means Microsoft handles all security, but the customer still owns identity and access management for the application and data, which is a frequent exam distraction.

How to eliminate wrong answers

Option A is wrong because physical security of the datacenter is always Microsoft's responsibility under the shared responsibility model, regardless of service model. Option B is wrong because patching the operating system of the App Service host machines is managed by Microsoft as part of the PaaS abstraction; the customer only patches the application code and configuration. Option D is wrong because network security for the Azure backbone connecting datacenters is Microsoft's responsibility, as it is part of the core network infrastructure that the customer cannot control or configure.

933
MCQeasy

A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?

A.Defense in depth
B.Shared responsibility model
C.Zero Trust
D.Least privilege
AnswerB

The shared responsibility model clearly delineates security responsibilities between the cloud provider (Microsoft) and the customer. In IaaS, the customer manages more (applications, data) while the provider secures the physical layer; in PaaS/SaaS, the provider takes on more responsibility.

Why this answer

The scenario directly describes the shared responsibility model, which delineates security obligations between the cloud provider and the customer. Microsoft secures the physical infrastructure (hardware, data centers, networking), while the customer is responsible for securing their own applications, data, and identity management. This division is a foundational concept in cloud computing, explicitly defined in Microsoft's documentation for Azure.

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth, because both involve multiple security layers, but the question specifically asks about the division of responsibilities between provider and customer, not the layering of controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, access controls) to protect resources, not a division of responsibilities between provider and customer. Option C is wrong because Zero Trust is a security model based on 'never trust, always verify'—it assumes breach and verifies every request, not a split of security duties. Option D is wrong because least privilege is an access control principle granting only necessary permissions, not a framework for allocating security responsibilities between parties.

934
MCQeasy

An organization wants to allow users to classify documents as 'Public', 'Internal', 'Confidential', or 'Highly Confidential' with different levels of protection. Which Microsoft Purview solution should they use?

A.Sensitivity labels
B.Data Loss Prevention (DLP)
C.Communication compliance
D.Retention policies
AnswerA

Users can apply different labels with varying protection.

Why this answer

Sensitivity labels allow users to manually classify documents with different levels of protection (e.g., encryption, markings). Retention policies manage retention, not classification. DLP prevents data loss.

Communication compliance monitors communications.

935
MCQmedium

A company stores critical financial reports in a SharePoint Online library. To ensure that the reports have not been tampered with, the security team compares a calculated hash of each file against a stored baseline. This verification process primarily protects which security goal?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data is authentic and has not been modified. Comparing hashes directly verifies that the file content is unchanged.

Why this answer

The verification process uses hash comparison to detect unauthorized changes to files, which directly protects data integrity. Integrity ensures that data has not been altered or tampered with during storage or transit. In SharePoint Online, hashing (e.g., SHA-256) creates a unique fingerprint; if the calculated hash matches the stored baseline, the file is unchanged.

Exam trap

The trap here is confusing integrity with non-repudiation, as both involve cryptographic verification, but non-repudiation requires a digital signature (private key) to prove origin, whereas hash comparison alone only detects changes without identifying who made them.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access (e.g., encryption), not detecting tampering. Option C is wrong because availability ensures data is accessible when needed (e.g., uptime, redundancy), not verifying file integrity. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures, audit logs), not detection of unauthorized modification.

936
MCQmedium

A company uses Microsoft Entra ID. They want to enforce a policy that requires members of the 'Finance' group to use multi-factor authentication and sign in from a compliant device when accessing the financial reporting application. However, they want to exclude members of the 'Finance Admins' group from these requirements. Which Microsoft Entra ID feature should they configure?

A.Identity Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Entitlement Management
AnswerB

Conditional Access policies enable you to define conditions (including user/group, app, device) and enforce controls like MFA and device compliance. Exclusions are supported.

Why this answer

Conditional Access is the correct feature because it allows administrators to define policies that enforce specific access requirements, such as multi-factor authentication and compliant device usage, based on conditions like group membership. In this scenario, the policy targets the 'Finance' group while excluding the 'Finance Admins' group, which is a core capability of Conditional Access policies in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, thinking PIM can enforce MFA or device compliance, when in fact PIM only manages role activation and does not control sign-in conditions for specific applications.

How to eliminate wrong answers

Option A is wrong because Identity Protection is focused on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IP addresses) and does not directly enforce MFA or device compliance based on group membership. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not general access policies for applications like the financial reporting app. Option D is wrong because Entitlement Management handles access packages and automated user lifecycle management for external and internal users, not conditional enforcement of MFA or device compliance.

937
MCQhard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to receive alerts when a user attempts to share a file containing personally identifiable information (PII) via email. Which DLP rule component is used to define the notification action?

A.Actions
B.Conditions
C.Location
D.Exceptions
AnswerA

Actions define what happens when a match occurs, such as sending alerts.

Why this answer

Option A is correct because DLP rules include actions like sending notifications to users or admins. Option B is wrong because conditions define what triggers the rule. Option D is wrong because exceptions override conditions.

Option C is wrong because the location specifies where the rule applies.

938
MCQhard

An organization uses Microsoft Entra ID Protection. A user's sign-in is flagged with a risk level of 'High' because of an anonymous IP address. The administrator wants to automatically block the sign-in while allowing the user to self-remediate. Which should be configured?

A.A Conditional Access policy requiring MFA for high-risk sign-ins
B.A user risk policy configured to require a password change
C.A sign-in risk policy configured to block access
D.An MFA registration policy for all users
AnswerC

Sign-in risk policies in Identity Protection can block sign-ins based on risk level (e.g., High). The user can later remediate their account via a user risk policy.

Why this answer

A sign-in risk policy in Microsoft Entra ID Protection can be configured to automatically block access when a sign-in is detected as high risk (e.g., from an anonymous IP address). This policy operates at the sign-in level, allowing the administrator to block the sign-in while still enabling the user to self-remediate (e.g., by signing in again after the risk is mitigated). Option C directly matches this requirement.

Exam trap

The trap here is confusing sign-in risk policies (which block or challenge at the sign-in event) with user risk policies (which require password changes after a compromise), leading candidates to choose a user risk policy when the scenario explicitly describes a sign-in-level risk from an anonymous IP.

How to eliminate wrong answers

Option A is wrong because requiring MFA for high-risk sign-ins does not block the sign-in; it only adds an authentication step, which does not prevent the initial high-risk sign-in from proceeding. Option B is wrong because a user risk policy requiring a password change addresses user-level risk (e.g., compromised credentials), not sign-in-level risk like an anonymous IP address, and it does not block the sign-in. Option D is wrong because an MFA registration policy ensures users register for MFA but does not block or remediate sign-in risks; it is a prerequisite, not a response to a detected risk.

939
MCQhard

You are reviewing a Conditional Access policy configuration in Microsoft Entra ID. Based on the exhibit, what is the effect of this policy?

A.Blocks sign-ins for users with high user risk
B.Blocks sign-ins that have a high sign-in risk level
C.Blocks all sign-ins for the assigned users
D.Requires multi-factor authentication for high-risk sign-ins
AnswerB

The policy blocks when signInRiskLevels is high.

Why this answer

Option B is correct. The policy blocks sign-ins with a high sign-in risk level. Option A is wrong because the user risk level is empty.

Option D is wrong because the policy does not require MFA. Option C is wrong because it only blocks high-risk sign-ins, not all sign-ins.

940
MCQhard

You are deploying Microsoft Entra Verified ID to issue verifiable credentials for employee onboarding. Which component is required to issue credentials?

A.A public key infrastructure (PKI) certificate
B.A custom application registered in Microsoft Entra ID
C.A decentralized identifier (DID) for your organization
D.A blockchain node for the decentralized ledger
AnswerC

The DID acts as the issuer identifier.

Why this answer

Microsoft Entra Verified ID requires a decentralized identifier (DID) for your organization to issue verifiable credentials. The DID serves as the cryptographic anchor that proves your organization's authority to issue credentials, as it is registered on a decentralized ledger (ION) and linked to your public keys. Without a DID, the verifiable credentials cannot be cryptographically signed and verified by relying parties.

Exam trap

The trap here is that candidates often confuse the need for a custom app registration (Option B) as the core requirement, but the DID is the mandatory cryptographic identity anchor without which no credentials can be issued.

How to eliminate wrong answers

Option A is wrong because a public key infrastructure (PKI) certificate is not required; Entra Verified ID uses decentralized public key infrastructure (DPKI) based on DIDs and Verifiable Credentials (VCs), not traditional X.509 PKI certificates. Option B is wrong because while a custom application registered in Microsoft Entra ID is used to interact with the Verified ID API, it is not the component required to issue credentials—the DID is the foundational identity anchor. Option D is wrong because a blockchain node is not required; Microsoft uses the ION (Identity Overlay Network) as a Sidetree-based decentralized ledger, but the organization does not need to run a node—the DID is resolved via the ION network without direct node management.

941
MCQmedium

Your organization uses Microsoft Sentinel as a SIEM. You need to collect security events from on-premises servers. Which connector should you use?

A.Azure Monitor Agent (AMA)
B.Azure Security Center connector
C.Microsoft 365 Defender connector
D.Log Analytics workspace
AnswerA

AMA collects events from on-premises servers to Sentinel.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) is the recommended agent to collect events from Windows and Linux servers into Log Analytics workspaces, which feed into Sentinel. Option D is incorrect because Log Analytics is the workspace, not a connector. Option C is incorrect because the Microsoft 365 Defender connector is for cloud services.

Option B is incorrect because Azure Security Center is now Defender for Cloud, which integrates with Sentinel but is not a connector for on-premises servers.

942
MCQmedium

A company runs critical applications on Azure virtual machines and on-premises SQL servers. The security team wants to reduce VM attack surface by allowing just-in-time (JIT) access to RDP and SSH ports only when needed. Additionally, they need to monitor changes to important registry keys and system files on the SQL servers. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud offers JIT VM access and file integrity monitoring, fulfilling both requirements.

Why this answer

Microsoft Defender for Cloud provides just-in-time (JIT) VM access to reduce the attack surface by locking down inbound traffic to RDP (port 3389) and SSH (port 22) until a user requests access. It also includes adaptive application controls and file integrity monitoring (FIM) to track changes to registry keys and system files on both Azure VMs and on-premises SQL servers. This makes it the single solution that addresses both requirements.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Endpoint's broader device protection capabilities with the specific JIT and FIM features that are exclusive to Microsoft Defender for Cloud.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, including antivirus and behavioral analysis, but does not natively provide JIT VM access or file integrity monitoring for registry keys and system files. Option C (Microsoft Defender for Identity) is wrong because it is designed to detect identity-based threats using on-premises Active Directory signals, not to manage VM network access or monitor file/registry changes. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) that controls and monitors cloud app usage, not VM access or on-premises SQL server file integrity.

943
MCQmedium

Your company, Fabrikam, uses Microsoft 365 and has Microsoft Purview Information Protection deployed. You need to protect sensitive documents labeled as 'Confidential' so that they cannot be printed or copied when opened in Microsoft Word. You have created a sensitivity label with the appropriate encryption settings. However, users report that they can still print and copy content from these documents. You verify that the label is published and assigned to the correct users. What should you configure to enforce the protection?

A.Configure the sensitivity label to apply an Azure Rights Management template that restricts printing and copying
B.Implement conditional access policies to block access from unmanaged devices
C.Configure auto-labeling policies to apply the label automatically
D.Create a data loss prevention policy that blocks printing and copying
AnswerA

RMS templates define user permissions for protected content.

Why this answer

Option A is correct because rights management (RMS) templates define user rights like printing and copying. The label must be configured with an RMS template that denies these permissions. Option D is wrong because DLP policies detect and block actions but do not enforce rights within documents.

Option C is wrong because auto-labeling applies labels but does not enforce rights. Option B is wrong because conditional access policies control access, not usage rights.

944
MCQeasy

A company uses Microsoft Purview Information Protection to classify and label sensitive documents. The compliance team wants to automatically apply a 'Confidential' label to documents containing an employee's passport number. Which method should they use?

A.Manual labeling by users
B.Trainable classifiers
C.Auto-labeling policy
D.DLP policy
AnswerC

Auto-labeling policy can automatically apply labels based on sensitive info types.

Why this answer

Auto-labeling in Microsoft Purview (Option C) uses sensitive info types to automatically apply labels based on content. Option A is wrong because it's manual; Option B is wrong because trainable classifiers are for classification, not labeling; Option D is wrong because it's for DLP.

945
MCQmedium

An organization wants to detect and respond to threats across their cloud infrastructure, including Azure, AWS, and GCP. Which Microsoft security solution should they centralize their security monitoring in?

A.Microsoft Purview
B.Microsoft Sentinel
C.Microsoft Defender for Cloud
D.Microsoft Defender for Cloud Apps
AnswerB

Provides SIEM across multi-cloud environments.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM that can ingest logs from multiple clouds. Option C is wrong because Defender for Cloud focuses on Azure and hybrid workloads. Option D is wrong because Defender for Cloud Apps is a CASB.

Option A is wrong because Purview is for data governance.

946
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview Information Protection? (Select three.)

Select 3 answers
A.Rights management
B.eDiscovery
C.Data classification
D.Sensitivity labels
E.Data loss prevention policies
AnswersA, C, D

Protect data with encryption and usage restrictions.

Why this answer

Options A, C, and D are correct. Microsoft Purview Information Protection includes rights management (A), data classification (C), and sensitivity labels (D). Option E is incorrect because DLP is a separate solution.

Option B is incorrect because eDiscovery is a different solution.

947
MCQmedium

A user reports that they are repeatedly prompted for multifactor authentication when accessing Microsoft 365 apps from the same trusted device. What should you do to reduce the number of prompts?

A.Disable MFA for the user
B.Change the user's MFA method to text message
C.Configure 'Remember MFA' settings in Conditional Access
D.Reset the user's MFA registration
AnswerC

Remember MFA allows trusted sessions for a set period.

Why this answer

Option C is correct because the 'Remember MFA' setting in Conditional Access allows administrators to configure the session lifetime for MFA prompts on trusted devices. By extending the 'MFA reauthentication frequency' or enabling 'Remember Multifactor Authentication' for a longer period (e.g., 30 days), users will not be repeatedly challenged on the same device, reducing friction while maintaining security.

Exam trap

The trap here is that candidates often confuse 'changing the MFA method' (Option B) with reducing prompt frequency, not realizing that the method type has no impact on how often the prompt appears—only the session persistence settings control that.

How to eliminate wrong answers

Option A is wrong because disabling MFA entirely removes the security control, which violates the principle of least privilege and exposes the account to credential theft. Option B is wrong because changing the MFA method to text message does not affect the frequency of prompts; it only changes the delivery mechanism, and the user would still be prompted repeatedly on the same device. Option D is wrong because resetting the user's MFA registration would force them to re-register all authentication methods, which does not address the prompt frequency issue and could actually increase prompts until the new methods are verified.

948
Multi-Selectmedium

Your organization uses Microsoft Entra ID. Which TWO capabilities are provided by Microsoft Entra ID Governance?

Select 2 answers
A.Entitlement management
B.Privileged Identity Management
C.Identity Protection
D.Access reviews
E.Conditional Access
AnswersA, D

Entitlement management is a key capability of Entra ID Governance for managing access packages.

Why this answer

Entitlement management is a core capability of Microsoft Entra ID Governance that enables organizations to manage the identity and access lifecycle at scale. It allows administrators to create and manage access packages, automate access requests, and enforce policies for internal and external users, ensuring the right people have the right access to the right resources.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with governance because both involve access control, but PIM is specifically for privileged roles (e.g., Global Administrator) while governance covers the broader lifecycle for all users and resources.

949
MCQeasy

A financial institution uses digital signatures to sign all transaction records. This ensures that the records have not been altered after signing. Which security goal does this primarily protect?

A.Confidentiality
B.Non-repudiation
C.Integrity
D.Availability
AnswerC

Integrity ensures data is accurate and has not been modified. Digital signatures detect any alteration, thus protecting integrity.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA) to create a hash of the transaction record, which is then encrypted with the signer's private key. Any alteration to the record after signing would cause the hash verification to fail, directly protecting the integrity of the data. While digital signatures also support non-repudiation, the question specifically asks which goal is primarily protected by ensuring records have not been altered, which is integrity.

Exam trap

The trap here is that candidates confuse the secondary property of non-repudiation with the primary property of integrity, because digital signatures provide both, but the question's wording 'have not been altered after signing' directly points to integrity, not the ability to prove the signer's identity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not through digital signatures which do not hide the content. Option B is wrong because non-repudiation ensures the signer cannot deny having signed the document, which is a secondary benefit of digital signatures, but the question explicitly focuses on preventing alteration after signing, which is integrity. Option D is wrong because availability ensures systems and data are accessible when needed, often via redundancy or disaster recovery, and digital signatures do not address uptime or access.

950
MCQmedium

A company is involved in litigation and needs to preserve all Exchange Online mailboxes and SharePoint sites related to the case. The legal team also requires the ability to search, review, and export relevant content. Which Microsoft Purview solution should they use?

A.Microsoft Purview eDiscovery (Premium)
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Audit (Premium)
AnswerA

eDiscovery (Premium) provides end-to-end workflow for legal holds, search, review, and export of content across Microsoft 365 services.

Why this answer

Microsoft Purview eDiscovery (Premium) is the correct solution because it provides end-to-end workflow for preserving, searching, reviewing, and exporting content from Exchange Online mailboxes and SharePoint sites. It supports legal hold placement on custodians and data sources, advanced search with keyword and proximity queries, review sets with analytics, and export in a format suitable for litigation. This directly matches the requirement to preserve all relevant mailboxes and sites while enabling the legal team to search, review, and export content.

Exam trap

The trap here is that candidates confuse eDiscovery (Premium) with Audit (Premium) because both involve searching, but Audit only searches activity logs, not the actual content of mailboxes and sites, and cannot place legal hold or export content.

How to eliminate wrong answers

Option B (Microsoft Purview Communication Compliance) is wrong because it is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) by analyzing messages and patterns, not for preserving and exporting content for litigation. Option C (Microsoft Purview Data Lifecycle Management) is wrong because it focuses on retention and deletion policies based on data lifecycle, not on preserving content for legal hold or providing search/review/export capabilities. Option D (Microsoft Purview Audit (Premium)) is wrong because it provides detailed audit log search and investigation of user and admin activities, but does not offer legal hold, content preservation, or export of mailbox and site content.

951
MCQmedium

A company must retain all HR documents stored in SharePoint Online for exactly 7 years. After 7 years, the documents must be automatically deleted. Additionally, employees must not be able to permanently delete these documents before the retention period ends. Which Microsoft Purview solution should they configure?

A.Data Lifecycle Management
B.Records Management
C.Data Loss Prevention
D.Audit
AnswerA

Data Lifecycle Management provides retention labels and policies that can automatically retain and then delete content after a specified period, and it prohibits users from purging the content during retention.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview is designed to retain content for a specified period and then automatically delete it. By applying a retention policy with a 7-year retention period and a deletion action at the end, DLM ensures HR documents are kept exactly as required. Additionally, DLM prevents users from permanently deleting documents during the retention period by locking the retention settings, which overrides user delete permissions.

Exam trap

The trap here is that candidates often confuse Records Management with Data Lifecycle Management, assuming that 'records' automatically implies retention and deletion, but Records Management focuses on declaring records and managing disposition reviews, not automatic time-based deletion without user intervention.

How to eliminate wrong answers

Option B (Records Management) is wrong because Records Management is focused on declaring content as records for legal or regulatory compliance, often with immutability and disposition reviews, but it does not inherently enforce automatic deletion after a fixed period without additional configuration; it is more about managing records throughout their lifecycle with manual or review-based disposition. Option C (Data Loss Prevention) is wrong because DLP is designed to prevent sensitive information from being shared or leaked, not to manage retention or deletion schedules. Option D (Audit) is wrong because Audit provides logging and monitoring of user activities, but it does not enforce retention or deletion policies.

952
MCQeasy

Your organization wants to allow employees to use their personal mobile devices to access corporate resources, but you need to ensure that corporate data is protected if the device is lost or stolen. You also need to enforce a PIN policy on the device. Which combination of Microsoft Entra and Microsoft Intune features should you use?

A.Use Windows Autopilot to configure devices and then apply a device restriction policy.
B.Implement a Conditional Access policy requiring multi-factor authentication and trusted locations.
C.Enroll devices in Microsoft Intune MDM, create a device compliance policy requiring PIN, and configure a Conditional Access policy to allow only compliant devices.
D.Use Microsoft Intune app protection policies (MAM) without device enrollment, requiring PIN for managed apps.
AnswerC

Correct: MDM enrollment enables compliance policies and remote wipe of corporate data.

Why this answer

Option C is correct because MDM enrollment with compliance policies enforces a PIN and allows selective wipe of corporate data. Option D is wrong because MAM without enrollment can enforce a PIN, but selective wipe is limited. Option B is wrong because Conditional Access alone does not enforce device policies. Option A is wrong because Autopilot is for provisioning, not protection.

953
MCQhard

A security analyst is using Microsoft 365 Defender to investigate a sophisticated multi-stage attack. The analyst needs to query data across endpoints, email, and identity logs to identify the attacker's behavior patterns and correlate events. Which Microsoft 365 Defender capability should the analyst use?

A.Automated investigation and response
B.Threat analytics
C.Advanced hunting
D.Action center
AnswerC

Advanced hunting uses KQL to query raw data from multiple Microsoft 365 Defender components, enabling custom threat hunting and correlation across data sources.

Why this answer

Advanced hunting is the correct capability because it provides a Kusto Query Language (KQL)-based query interface that allows the security analyst to perform custom, cross-domain searches across data from endpoints (Microsoft Defender for Endpoint), email (Microsoft Defender for Office 365), and identity logs (Microsoft Defender for Identity). This enables the correlation of events and identification of attacker behavior patterns across a multi-stage attack, which is not possible with the other options.

Exam trap

The trap here is that candidates often confuse 'Advanced hunting' with 'Threat analytics' because both involve investigating threats, but Threat analytics is a passive reading tool for pre-built reports, while Advanced hunting is an active, custom query engine for raw data correlation.

How to eliminate wrong answers

Option A is wrong because Automated investigation and response (AIR) is designed to automatically respond to confirmed threats by running playbooks and taking remediation actions, not for manually querying and correlating raw data across multiple domains. Option B is wrong because Threat analytics provides curated threat intelligence reports and vulnerability information about known attackers and campaigns, but it does not allow custom queries across endpoint, email, and identity logs. Option D is wrong because the Action center is a centralized location to review and approve or reject pending remediation actions from automated investigations, not a tool for querying or hunting across data sources.

954
MCQmedium

A company uses Microsoft 365. The security team wants to protect users from clicking malicious URLs in email messages. The solution should rewrite all links in incoming emails so that when a user clicks them, the URL is checked in real time against a dynamic list of known malicious sites. Which Microsoft Defender for Office 365 feature should they enable?

A.Anti-phishing policies
B.Safe Attachments
C.Safe Links
D.Anti-spam policies
AnswerC

Safe Links rewrites URLs and checks them on click, providing protection against malicious links.

Why this answer

Safe Links is the correct feature because it is specifically designed to protect users from malicious URLs in email messages and Office documents. It rewrites all links in incoming emails so that when a user clicks them, the URL is checked in real time against a dynamic list of known malicious sites, providing time-of-click protection.

Exam trap

The trap here is that candidates often confuse Safe Links with Anti-phishing policies, but Anti-phishing policies handle impersonation and spoofing detection, not URL rewriting and real-time click verification.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policies protect against phishing attempts by analyzing email content and sender reputation, but they do not rewrite URLs or provide real-time URL scanning at click time. Option B is wrong because Safe Attachments protects against malicious attachments by detonating them in a sandbox environment, not by rewriting or scanning URLs in email messages. Option D is wrong because Anti-spam policies filter out spam messages based on content and sender analysis, but they do not rewrite URLs or perform real-time URL checks.

955
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview Compliance Manager? (Choose three.)

Select 3 answers
A.Automated testing of controls
B.Manage user identities
C.Improvement actions
D.Create data loss prevention policies
E.Compliance score
AnswersA, C, E

Controls can be tested automatically.

Why this answer

Correct answers are A, C, and E: Compliance Manager provides a compliance score, automated testing of controls, and improvement actions. Option D is incorrect because creating DLP policies is not a Compliance Manager capability. Option B is incorrect because managing user identities is done in Microsoft Entra ID.

956
MCQhard

An organization has deployed Microsoft Entra ID Governance and wants to automate the process of revoking access to a critical application when an employee leaves the company. Which feature should they configure?

A.Microsoft Entra ID Governance Lifecycle Workflows
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra Access Reviews
D.Microsoft Entra Terms of Use
AnswerA

Automatically remove access based on HR events.

Why this answer

Microsoft Entra ID Governance Lifecycle Workflows enable automated workflows triggered by HR events like employee termination. When an employee leaves, a lifecycle workflow can be configured to automatically remove the user from the application's access group or disable their account, ensuring immediate revocation of access without manual intervention.

Exam trap

The trap here is confusing automated offboarding (Lifecycle Workflows) with periodic access review (Access Reviews) or privileged role management (PIM), as candidates often think any governance feature can handle termination-based revocation.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval, not automated offboarding workflows for standard application access. Option C is wrong because Access Reviews are periodic attestation processes that require manual or scheduled review decisions, not automated revocation triggered by a lifecycle event like termination. Option D is wrong because Terms of Use present acceptance policies to users but do not enforce any automated access revocation actions.

957
MCQhard

A company uses Microsoft Defender for Cloud to secure its hybrid cloud environment. They need to continuously assess compliance with regulatory standards like ISO 27001 and receive recommendations for remediation. Which feature should they enable?

A.Defender for Cloud’s regulatory compliance dashboard
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Defender for Cloud’s Secure Score
AnswerA

The regulatory compliance dashboard tracks compliance against standards and provides remediation steps.

Why this answer

Microsoft Defender for Cloud's regulatory compliance dashboard provides continuous assessments against standards like ISO 27001 and offers remediation recommendations. Secure Score is a security posture metric rather than a compliance assessment, and the Defender plans provide workload protections that are specific to individual resources.

958
MCQmedium

Your organization uses Microsoft Sentinel. You need to create an automation rule that automatically closes a low-severity incident after 24 hours of inactivity. Which action should you include in the rule?

A.Run playbook
B.Create incident
C.Add comment
D.Change status to Closed
AnswerD

The action changes the incident status to Closed after 24 hours of inactivity.

Why this answer

Automation rules in Microsoft Sentinel can change incident status: the 'Change status' action can set an incident to 'Closed'. 'Run playbook' triggers a playbook but does not close the incident directly, 'Create incident' creates a new incident, and 'Add comment' only adds a comment. Option D is therefore correct because it changes the status to Closed.

959
MCQmedium

A company uses Microsoft Entra ID and wants to ensure that guest users who are inactive for 90 days have their access to internal resources automatically revoked. Additionally, a manager must review all guest accounts annually. Which Microsoft Entra feature should be used to implement these requirements?

A.Microsoft Entra Identity Governance Access Reviews
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerA

Access reviews allow managers to periodically certify guest accounts, and can be configured to automatically remove guests who are not re-approved or have been inactive.

Why this answer

Microsoft Entra Identity Governance Access Reviews enables administrators to create recurring reviews of guest user access and automatically remove access for inactive users. By configuring an access review with a duration of 90 days and enabling automatic revocation, guest users who have not signed in for that period will have their access removed. Additionally, the annual manager review requirement is met by scheduling a recurring review for all guest accounts, ensuring compliance with governance policies.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with identity governance features, mistakenly thinking that Conditional Access can enforce inactivity-based revocation, when in fact it only controls access at sign-in time and cannot perform periodic reviews or automatic removal of stale accounts.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce real-time access controls based on conditions like location or device state, but they cannot automatically revoke access based on inactivity duration or schedule periodic manager reviews. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval for privileged roles, not guest user access reviews or inactivity-based revocation. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not provide any mechanism for reviewing or revoking guest access based on inactivity.

960
MCQhard

You are reviewing a Microsoft Sentinel KQL query. What is the primary purpose of this query?

A.Identify all users who have attempted to log on to Microsoft Teams more than 10 times in the last 7 days and who are global administrators
B.Identify users with high logon attempts to Teams and high failed sign-ins, possibly indicating a brute-force attack
C.Identify users with high failed sign-ins and check if they have conditional access policies applied
D.Identify users with high successful logon attempts to Teams and correlate with failed sign-ins to detect account compromise
AnswerB

The query correlates high Teams logon attempts with high failed sign-ins, a common brute-force indicator.

Why this answer

Option B is correct because the query joins IdentityLogonEvents (Teams logon attempts) with AADNonInteractiveUserSignInLogs (failed non-interactive sign-ins) and sorts by high failed sign-ins. This identifies users with many Teams logon attempts and many failed sign-ins, which could indicate brute-force attacks. Option A is incorrect because the query does not filter for admin roles. Option D is incorrect because the focus is on failed sign-ins, not successful ones. Option C is incorrect because the query does not include any information about conditional access policies.

961
Multi-Selecthard

Which THREE of the following are identity protection features in Microsoft Entra ID Protection?

Select 3 answers
A.Self-service password reset
B.Risk detections such as leaked credentials and anonymous IP address
C.Conditional access policies
D.Investigation and remediation of risk incidents
E.Risk policies for user risk and sign-in risk
AnswersB, D, E

These are types of risk detections.

Why this answer

Option B is correct because Microsoft Entra ID Protection uses risk detections, such as leaked credentials and anonymous IP addresses, to identify potential identity compromises. Leaked credentials are detected by comparing user credentials against known breach databases, while anonymous IP addresses (e.g., Tor exit nodes) are flagged as risky sign-in attributes. These detections are foundational to the service's ability to assess sign-in and user risk levels.

Exam trap

The trap here is that candidates often confuse conditional access policies (option C) as a feature of ID Protection, when in fact ID Protection provides risk detections and risk policies that can be used as conditions within conditional access, but the policies themselves are not a feature of ID Protection.

962
Multi-Selectmedium

Which TWO capabilities are provided by Microsoft Defender for Cloud Apps?

Select 2 answers
A.Email security
B.Cloud Discovery to identify shadow IT
C.Data loss prevention for cloud apps
D.Endpoint detection and response
E.Identity protection
AnswersB, C

Cloud Discovery identifies unsanctioned cloud app usage.

Why this answer

Option B is correct because Defender for Cloud Apps provides Cloud Discovery to identify shadow IT. Option C is correct because it offers DLP capabilities for cloud apps. Option D is wrong because endpoint detection and response is provided by Defender for Endpoint. Option E is wrong because identity protection is provided by Entra ID Protection. Option A is wrong because email security is provided by Defender for Office 365.

963
Multi-Selectmedium

Which TWO Microsoft Purview features can be used to automatically classify and protect sensitive data in documents?

Select 2 answers
A.Data loss prevention policies
B.eDiscovery (Premium)
C.Trainable classifiers
D.Retention labels
E.Sensitive information types
AnswersC, E

Trainable classifiers use machine learning to classify content based on examples.

Why this answer

Trainable classifiers (C) use machine learning to intelligently identify sensitive content based on context and patterns, enabling automatic classification. Sensitive information types (E) are predefined or custom patterns (e.g., credit card numbers, SSNs) that detect specific data types, which can then trigger protection actions like encryption or access restrictions. Both features work together to automatically classify and protect sensitive data in documents.

Exam trap

Microsoft often tests the misconception that Data loss prevention policies (A) perform automatic classification, when in fact they enforce actions based on pre-existing classifications or sensitive information types, not the classification itself.

964
MCQhard

A legal team is preparing for an internal investigation related to a potential policy violation. They need to identify all relevant documents stored in Exchange Online and SharePoint Online, but there are millions of items across the organization. The team wants to use a machine learning model that learns from a set of manually reviewed relevant and non-relevant documents to predict relevance and prioritize review. Which Microsoft Purview solution provides this capability?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Audit (Premium)
C.Microsoft Purview eDiscovery (Advanced)
D.Microsoft Purview Insider Risk Management
AnswerC

eDiscovery (Advanced) includes predictive coding, which uses machine learning to identify relevant documents and accelerate the review process.

Why this answer

Microsoft Purview eDiscovery (Advanced) provides predictive coding capabilities that use machine learning to analyze a seed set of manually reviewed relevant and non-relevant documents. The model learns from this training to predict the relevance of millions of items across Exchange Online and SharePoint Online, prioritizing review for internal investigations. This directly matches the need for a machine learning model to identify and prioritize relevant documents.

Exam trap

The trap here is that candidates often confuse Insider Risk Management (which also uses machine learning for risk detection) with eDiscovery's predictive coding, but Insider Risk Management targets behavioral patterns and alerts, not document relevance prediction for legal hold and review.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to detect and prevent accidental sharing of sensitive data based on predefined policies, not to predict document relevance for eDiscovery investigations. Option B is wrong because Microsoft Purview Audit (Premium) provides detailed logging and forensic analysis of user and admin activities, but it does not include machine learning models to predict relevance of documents for legal review. Option D is wrong because Microsoft Purview Insider Risk Management focuses on identifying and mitigating risky user activities (e.g., data theft, policy violations) through behavioral analytics, not on predicting document relevance for eDiscovery.

965
MCQmedium

A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for users who sign in from locations with a high risk score, as determined by Microsoft's analysis of the sign-in's IP address and other behavioral signals. Which Microsoft Entra ID feature should they configure?

A.Identity Protection
B.Conditional Access
C.Privileged Identity Management
D.Entitlement Management
AnswerA

Identity Protection includes sign-in risk policies that can automatically require MFA based on risk level detected during sign-in.

Why this answer

Identity Protection is the correct feature because it provides risk-based detection and remediation, including the ability to automatically enforce MFA when a sign-in is flagged with a high risk score. It uses machine learning models to analyze signals such as anonymous IP addresses, atypical travel, and leaked credentials to assign a risk level. This directly matches the requirement to require MFA based on Microsoft's analysis of the sign-in's IP address and behavioral signals.

Exam trap

The trap here is that candidates often confuse Conditional Access as the feature that evaluates risk, when in fact Conditional Access is the policy engine that enforces controls, but Identity Protection is the service that generates the risk scores used as conditions.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because while it can enforce MFA based on conditions like location or device, it does not natively evaluate Microsoft's risk score; it requires integration with Identity Protection policies to use risk as a condition. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews, not on risk-based MFA enforcement for all users. Option D (Entitlement Management) is wrong because it manages access packages and approval workflows for external users and groups, not sign-in risk detection or MFA enforcement.

966
Multi-Selecthard

Which THREE capabilities are part of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A.Privileged Identity Management (PIM)
B.Passwordless authentication
C.Entitlement management
D.Identity lifecycle management
E.Access reviews
AnswersC, D, E

Manages access packages and assignments.

Why this answer

Entitlement management is a core capability of Microsoft Entra ID Governance that enables organizations to manage access to applications, groups, and SharePoint sites through automated access request workflows, approval processes, and periodic reviews. It directly supports the governance principle of ensuring users have only the access they need, when they need it.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) as a separate governance capability rather than recognizing it as a component within the broader identity lifecycle management and access review workflows, leading them to select it alongside the three correct answers.

967
Multi-Selectmedium

Which TWO conditions can be used in a Microsoft Entra Conditional Access policy? (Choose two.)

Select 2 answers
A.MFA registration status
B.Password complexity
C.Device platform
D.User risk level
E.Login frequency
AnswersC, D

Device platform is a condition.

Why this answer

Option C is correct because Device platform is a standard condition in Microsoft Entra Conditional Access policies, allowing administrators to target policies based on the operating system (e.g., Windows, iOS, Android). Option D is correct because User risk level is a condition derived from Microsoft Entra ID Protection, reflecting the probability that a user's identity has been compromised, and can be used to trigger step-up authentication or block access.

Exam trap

The trap here is that candidates confuse conditions (e.g., device platform, user risk) with grant controls (e.g., require MFA, sign-in frequency) or configuration settings (e.g., password complexity), leading them to select options that are not valid conditions in the Conditional Access policy editor.

968
MCQhard

A compliance officer needs to identify and monitor potentially risky user activities, such as users copying large amounts of data to external devices or sharing sensitive files with unauthorized recipients. They want to create a policy that detects these activities and automatically escalates them for investigation. Which Microsoft Purview solution should they use?

A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Audit
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Compliance Manager
AnswerA

Insider Risk Management detects risky activities like data exfiltration, assigns risk scores, and can automatically generate cases for investigation.

Why this answer

Microsoft Purview Insider Risk Management is specifically designed to detect and investigate malicious or inadvertent insider risks based on activities like data exfiltration, unusual file sharing, or violations of corporate policies. It uses indicators and adaptive policies to assign risk scores and trigger alerts for review. Audit (option B) only provides logging and does not have built-in risk analysis.

Communication Compliance (option C) focuses on inappropriate communications, not data-related risks. Compliance Manager (option D) assesses compliance posture but does not detect risky user activities. Therefore, Insider Risk Management is the correct solution.

969
MCQhard

A manufacturing company experiences repeated ransomware attacks targeting their on-premises file servers. They have Microsoft 365 E5 and want to implement a solution to detect and automatically respond to such threats across hybrid environments. What should they deploy?

A.Microsoft Defender for Identity
B.Microsoft Purview Communication Compliance
C.Microsoft Defender for Office 365
D.Microsoft Defender for Cloud Apps
AnswerA

It monitors on-premises Active Directory and detects attacker behavior.

Why this answer

Option A is correct because Microsoft Defender for Identity is designed to protect on-premises Active Directory and detect attacks like ransomware. Option D is wrong because Microsoft Defender for Cloud Apps focuses on SaaS applications. Option C is wrong because Microsoft Defender for Office 365 protects cloud email and collaboration.

Option B is wrong because Microsoft Purview is for data governance and compliance.

970
MCQhard

An organization wants to implement a zero-trust security model. They plan to require multi-factor authentication (MFA) for all users accessing sensitive applications, but only when the sign-in risk is medium or higher. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Conditional Access policy with risk condition
C.Microsoft Defender for Cloud Apps access policy
D.Microsoft Entra ID Protection risk detection policy
AnswerB

Conditional Access policies can use sign-in risk to trigger MFA.

Why this answer

Option B is correct because Conditional Access policies can evaluate sign-in risk (from Identity Protection) and require MFA when risk is medium or higher. Option D is wrong because Identity Protection itself detects risk but doesn't enforce policies. Option A is wrong because Privileged Identity Management (PIM) manages privileged roles.

Option C is wrong because Microsoft Defender for Cloud Apps provides app control, not risk-based MFA.

971
MCQhard

A tenant administrator runs the PowerShell cmdlet shown in the exhibit. The output shows that some compliance policies have IsAssigned = $false. What does this indicate?

A.The compliance policy is scheduled to be assigned in the future
B.The compliance policy is not assigned to any user or device group
C.The compliance policy has been evaluated and found non-compliant
D.The compliance policy is a built-in policy that cannot be assigned
AnswerB

IsAssigned indicates assignment status.

Why this answer

The `IsAssigned` property in the output of a compliance policy PowerShell cmdlet (such as `Get-DeviceCompliancePolicy`) directly indicates whether the policy has been assigned to any user or device group. When `IsAssigned = $false`, it means the policy exists in the tenant but has not been linked to any group via an assignment, so it is not being enforced on any devices. This is a core concept in Microsoft Intune and Microsoft 365 compliance: a policy must be assigned to a group to take effect.

Exam trap

The trap here is that candidates confuse `IsAssigned` with compliance evaluation status or policy type, mistakenly thinking it indicates future scheduling, non-compliance, or built-in restrictions, rather than understanding it simply reflects whether the policy has been assigned to a group.

How to eliminate wrong answers

Option A is wrong because a future scheduled assignment would still show `IsAssigned = $true` once the assignment is configured; the property reflects the existence of an assignment, not its activation time. Option C is wrong because `IsAssigned` has nothing to do with compliance evaluation results—non-compliant devices are tracked via the `ComplianceStatus` property, not `IsAssigned`. Option D is wrong because built-in policies (like default compliance policies) can still be assigned and would show `IsAssigned = $true` if they are; the property does not indicate whether a policy is built-in or custom.

972
Multi-Selecteasy

Which TWO of the following are valid uses for Microsoft Purview eDiscovery?

Select 2 answers
A.Placing legal holds on content
B.Classifying content with sensitivity labels
C.Reviewing audit logs for user activity
D.Applying retention policies to prevent deletion
E.Searching for content across mailboxes and sites
AnswersA, E

Legal hold is a key feature of eDiscovery.

Why this answer

Option E is correct because eDiscovery can search across Exchange, SharePoint, and OneDrive. Option A is correct because eDiscovery supports legal holds. Option D is wrong because DLP is for prevention.

Option B is wrong because sensitivity labels are for classification. Option C is wrong because audit logs are for activity tracking.

973
MCQeasy

An organization wants to automatically retain all financial documents for seven years and then delete them. Which Microsoft Purview solution should be used to create the retention policy?

A.Microsoft Purview Information Protection
B.Microsoft Purview Audit
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Communication Compliance
AnswerC

Data Lifecycle Management provides retention and deletion policies.

Why this answer

Data Lifecycle Management (formerly Microsoft 365 retention policies) allows organizations to define retention and deletion rules for content. Information Protection focuses on classification and protection. Communication Compliance monitors communications.

Audit logs record activities.

974
MCQhard

A healthcare organization stores patient records in SharePoint Online. The compliance officer needs to ensure that records containing Protected Health Information (PHI) are retained for 7 years per regulatory requirements. Which Microsoft Purview solution should they implement?

A.Microsoft Purview Audit
B.Microsoft Purview eDiscovery
C.Microsoft Purview Records Management
D.Microsoft Purview Data Lifecycle Management
AnswerC

Records Management labels content as records and applies retention schedules.

Why this answer

Option C is correct because Microsoft Purview Records Management allows labeling documents as records and applying retention policies. Option D is wrong because Data Lifecycle Management manages non-record content. Option A is wrong because Audit is for logging, not retention.

Option B is wrong because eDiscovery is for search and export, not retention enforcement.

975
MCQhard

Your organization is subject to GDPR and must respond to data subject deletion requests within 30 days. You have identified all personal data in Microsoft 365. Which Microsoft Purview solution should you use to permanently delete the data?

A.Retention policies to preserve the data
B.Data Lifecycle Management (disposition review)
C.Data Loss Prevention to block the data
D.eDiscovery (Premium) to export the data
AnswerB

Disposition review allows administrators to permanently delete content after review.

Why this answer

Option B is correct because Data Lifecycle Management (disposition review) allows permanent deletion of content after review. Option D is wrong because eDiscovery can export data but not delete it. Option C is wrong because DLP prevents data loss, not deletion.

Option A is wrong because retention policies keep data rather than permanently deleting it.
