Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 976-1050

1411 questions total · 19 pages · All types, answers revealed

Page 14 of 19
976
MCQ · medium

A company's security team discovers that several recent account compromises originated from attackers using legacy mail protocols (POP3, IMAP) which do not support multi-factor authentication. The team wants to immediately prevent any sign-in attempts using these protocols. Which Microsoft Entra ID feature should they configure to enforce this restriction?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra Password Protection
Answer: A

Conditional Access policies allow administrators to block legacy authentication by targeting client apps that use legacy protocols. This is the correct feature to enforce the restriction.

Why this answer

Conditional Access in Microsoft Entra ID allows administrators to create policies that control access based on conditions such as client apps. By configuring a policy to block authentication requests from legacy authentication protocols (POP3, IMAP, SMTP, etc.), the security team can immediately prevent sign-in attempts that do not support multi-factor authentication, effectively mitigating the risk of account compromise via these outdated protocols.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based policies with the ability to block legacy protocols, but Identity Protection only triggers MFA or block based on risk scores, not on the protocol type itself.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-ins and user risks, but it does not directly block specific authentication protocols like POP3 or IMAP. Option C (Privileged Identity Management (PIM)) is wrong because PIM is designed for just-in-time privileged role activation and access governance, not for controlling which authentication protocols can be used. Option D (Microsoft Entra Password Protection) is wrong because it enforces password policies (e.g., banning weak passwords) but does not block legacy authentication protocols or require MFA.
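As an added example (not part of the original question bank), the policy described above built with the Microsoft Graph PowerShell SDK, followed by a check of the last seven days of sign-ins for the legacy client types it would hit. The display name, the break-glass group placeholder and the list of client strings inspected are assumptions; the cmdlets, scopes and property names are those of the Microsoft.Graph module, and reading sign-in logs through the API needs a Microsoft Entra ID P1 or P2 licence.

```powershell
# Added example, not from the original page: block legacy authentication with a
# Conditional Access policy created through the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# create Conditional Access policies (e.g. Conditional Access Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

$policy = @{
    displayName = "Block legacy authentication"          # name is an assumption
    # Start in report-only so the sign-in log shows what WOULD be blocked; switch to
    # "enabled" only after reviewing it. Enforcing straight away can cut off service
    # accounts that still speak POP3/IMAP/SMTP AUTH.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<emergency-access-group-object-id>")   # placeholder: break-glass accounts
        }
        applications = @{ includeApplications = @("All") }
        # POP3, IMAP, SMTP AUTH and older Office clients present themselves as these
        # two client app types; modern clients are "browser" / "mobileAppsAndDesktopClients".
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: which sign-ins in the last 7 days used a legacy client and would be blocked
# once the policy is enforced? The ClientAppUsed strings below are the common legacy
# values seen in the Entra sign-in log (assumed list, extend as needed).
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                   "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)", "Other clients")
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouped output is the list of accounts to migrate (or to grant an exception via a separate, narrowly scoped policy) before the state is changed to "enabled".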

977
Multi-Select · medium

Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Entitlement Management
B.Access Reviews
C.Conditional Access
D.Self-Service Password Reset
E.Identity Protection
Answers: A, B

Entitlement Management manages access packages and requests; Access Reviews recertify access that has already been granted.

Why this answer

Entitlement Management is a core feature of Microsoft Entra ID Governance that enables organizations to manage the lifecycle of access rights across internal and external users. It automates access requests, approvals, and assignments through configurable access packages, ensuring that users have the right access for the right duration. Access Reviews, the second governance feature, let group owners, application owners or designated reviewers periodically recertify who still needs a group membership, application assignment, access package or privileged role, and remove access that is no longer justified. Together they cover request, approval, time-bound assignment and periodic recertification: who gets access, for how long, and under what conditions.

Exam trap

The trap here is that candidates often confuse security features (Conditional Access, Identity Protection) with governance features, but Entra ID Governance specifically focuses on managing the lifecycle of access—who gets access, for how long, and with periodic review—not on enforcing security controls or mitigating threats.

978
Matching · medium

Match each Microsoft Defender product to its focus area.

Descriptions to match

Protect on-premises Active Directory

Secure email and collaboration tools

Protect cloud workloads and resources

Secure Internet of Things devices

SaaS application security

Why these pairings

Microsoft Defender for Identity: protect on-premises Active Directory (it monitors domain controller traffic for credential theft and lateral movement). Microsoft Defender for Office 365: secure email and collaboration tools (anti-phishing, Safe Links, Safe Attachments for Exchange, Teams, SharePoint and OneDrive). Microsoft Defender for Cloud: protect cloud workloads and resources (posture management and workload protection for VMs, containers, storage and databases). Microsoft Defender for IoT: secure Internet of Things and OT devices (agentless network monitoring). Microsoft Defender for Cloud Apps: SaaS application security (discovery, session control and SaaS security posture). Each is a specialized Defender product for a different environment.

979
MCQ · medium

An organization wants to enable passwordless authentication for its users by using a mobile app. Which Microsoft Entra ID authentication method should they implement?

A.Temporary Access Pass
B.Windows Hello for Business
C.FIDO2 security keys
D.Microsoft Authenticator (passwordless sign-in)
Answer: D

Microsoft Authenticator provides phone sign-in, a passwordless method delivered through the mobile app.

Why this answer

Microsoft Authenticator supports passwordless phone sign-in: the user approves a number-matching prompt in the app and confirms with the device's biometric or PIN, so no password is ever entered or sent. FIDO2 security keys are also passwordless, but they are hardware tokens rather than a mobile app. Windows Hello for Business is passwordless too, but it is bound to a specific Windows device (biometric or PIN unlocks a key stored on that device).

A Temporary Access Pass is a time-limited passcode used to onboard or recover passwordless methods, not a day-to-day sign-in method.

980
MCQ · medium

A company uses Microsoft 365 and needs to automatically detect documents in SharePoint Online that contain personally identifiable information (PII) such as social security numbers. When such documents are detected, they want to apply a sensitivity label that encrypts the document and restricts access to only the compliance team. Which Microsoft Purview solution should they use?

A.Data Lifecycle Management
B.Records Management
C.Data Loss Prevention (DLP)
D.Communication Compliance
Answer: C

Correct. DLP policies can detect sensitive information and enforce actions like applying encryption or restricting access.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it can automatically scan documents in SharePoint Online for sensitive information types (e.g., social security numbers) using built-in or custom sensitive info types. When a match is found, DLP policies can trigger an action to apply a sensitivity label that encrypts the document and restricts access, such as limiting it to the compliance team. This combines content detection with automated protection, which is exactly the scenario described.

Exam trap

The trap here is that candidates often confuse DLP with Data Lifecycle Management or Records Management, thinking those solutions handle content classification; neither of them inspects content for sensitive information types. Note also that questions 992 and 999 on this page key automatic label application to an auto-labeling policy rather than to DLP, so read whether a question stresses detection and enforcement (DLP) or classification with encryption (auto-labeling) before answering.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining or deleting content based on age or policy, not on detecting PII or applying sensitivity labels. Option B is wrong because Records Management is designed to mark content as records for legal or regulatory retention, not to scan for PII or enforce encryption via labels. Option D is wrong because Communication Compliance monitors internal and external communications (e.g., email, Teams) for policy violations like harassment or insider trading, not for scanning SharePoint documents for PII.

981
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Entra Identity Protection? (Choose three.)

Select 3 answers
A.Detect leaked credentials
B.Enable risk-based conditional access policies
C.Allow users to reset their own passwords
D.Provide just-in-time privileged access
E.Provide a risk investigation report
Answers: A, B, E

Identity Protection detects leaked credentials.

Why this answer

Option A is correct because Microsoft Entra Identity Protection compares credential pairs that Microsoft acquires from public breach dumps and criminal marketplaces against users' current valid credentials and, on a match, raises a 'Leaked credentials' user-risk detection so the account can be remediated or blocked (for hybrid users this detection requires password hash synchronization). Option B is correct because the user-risk and sign-in-risk levels it computes are exposed as Conditional Access conditions, so a policy can require MFA, force a password change or block based on risk. Option E is correct because the risky users, risky sign-ins and risk detections reports are the investigation surface where an analyst confirms or dismisses a detection. Options C and D belong to Self-Service Password Reset and Privileged Identity Management respectively.

Exam trap

The trap here is that candidates confuse the risk-based Conditional Access integration (which is part of Identity Protection) with the password reset and JIT access features that belong to separate Microsoft Entra services like SSPR and PIM.

982
MCQ · medium

An organization wants to allow users to reset their own passwords without help desk intervention. They also need to enforce multifactor authentication during the reset process. Which Microsoft Entra feature should they configure?

A.Microsoft Entra Self-Service Password Reset
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Multifactor Authentication
Answer: A

Enables users to reset passwords and can enforce MFA.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) allows users to reset their own passwords without help desk intervention. By integrating with Microsoft Entra Multifactor Authentication, SSPR can enforce MFA during the reset process, satisfying both requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Multifactor Authentication as a standalone solution for password reset, when in fact it is only a component that must be integrated with SSPR to achieve both self-service reset and MFA enforcement.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation tool that can trigger automated responses like requiring MFA or blocking sign-ins, but it does not directly provide self-service password reset capabilities. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not general user password reset workflows. Option D is wrong because Microsoft Entra Multifactor Authentication is an authentication method that can be used as part of SSPR, but by itself it does not provide the self-service password reset functionality; it must be combined with SSPR to meet both requirements.

983
MCQ · medium

A company uses Microsoft Entra ID. The IT team wants to provide remote employees with secure, single sign-on (SSO) access to a critical on-premises web application that uses password-based authentication, without requiring a VPN connection. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra Application Proxy
B.Microsoft Entra Connect
C.Microsoft Entra Domain Services
D.Microsoft Entra ID P2 license
Answer: A

Correct. Application Proxy provides secure remote access and SSO for on-premises web apps without needing a VPN.

Why this answer

Microsoft Entra Application Proxy enables secure remote access to on-premises web applications by publishing them through an external endpoint, without requiring a VPN. It supports password-based SSO by securely storing and replaying credentials to the legacy application, allowing users to authenticate once via Entra ID. This makes it the correct choice for providing SSO to a password-based on-premises app without a VPN.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (a sync tool) with Application Proxy, mistakenly thinking that syncing identities alone provides remote access and SSO to on-premises apps.

How to eliminate wrong answers

Option B (Microsoft Entra Connect) is wrong because it is a synchronization tool that syncs on-premises directory objects to Entra ID, not a proxy for publishing applications or enabling remote SSO. Option C (Microsoft Entra Domain Services) is wrong because it provides managed domain services like LDAP and Kerberos for cloud-based VMs, not remote access to on-premises web apps. Option D (Microsoft Entra ID P2 license) is wrong because it is a licensing tier that adds Identity Protection and Privileged Identity Management, not a feature that directly enables remote access or SSO to on-premises apps.

984
MCQ · easy

A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?

A.Defense in depth
B.Zero trust
C.Least privilege
D.Separation of duties
Answer: C

Least privilege means granting users the minimum level of access required. Regular access reviews are a key governance practice to uphold least privilege by detecting and removing excessive permissions.

Why this answer

Option C is correct because regular access reviews directly enforce the principle of least privilege by ensuring users retain only the permissions necessary for their current job functions. This process identifies and removes excessive permissions that accumulate over time (privilege creep), aligning with the core goal of minimizing the attack surface. In Microsoft 365, this is implemented through Microsoft Entra access reviews, where data owners or resource owners certify or revoke user access on a schedule.

Exam trap

The trap here is that candidates may confuse the periodic review of permissions with the zero trust model, but zero trust focuses on continuous verification at each access request rather than periodic certification of existing rights.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, antivirus) to protect assets, not a principle focused on limiting user permissions. Option B is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, but it does not specifically address periodic certification of existing permissions by data owners. Option D is wrong because separation of duties divides critical tasks among multiple users to prevent fraud or error (e.g., one person requests access, another approves), whereas regular reviews focus on validating that current permissions are still appropriate, not on splitting responsibilities.

985
Multi-Select · easy

A company wants to enforce multifactor authentication for all users. Which TWO Microsoft Entra ID features can be used together to achieve this?

Select 2 answers
A.Conditional Access
B.Identity Protection
C.Security defaults
D.Authentication methods (Settings)
E.Password protection
Answers: A, D

Correct: Conditional Access can require MFA as a grant control.

Why this answer

Conditional Access policies can require MFA as a grant control, and the Authentication methods policy governs which MFA methods (Microsoft Authenticator, FIDO2 keys, SMS, voice, and so on) users may register and use, so the two are configured together. Security defaults also enforce MFA for every user, but they are a tenant-wide on/off switch that cannot be combined with Conditional Access policies; enabling one requires disabling the other. Identity Protection's risk policies require MFA only on sign-ins it rates as risky, not for all users.

Password protection bans weak and custom-listed passwords; it is not MFA.

986
MCQ · medium

A company wants to offer a secure sign-in experience for external customers who may use personal accounts from Facebook, Google, or any OpenID Connect provider. They also need to customize the sign-in pages with their company logo and colors. Which Microsoft Entra capability should they use?

A.Microsoft Entra ID (formerly Azure Active Directory) free edition
B.Microsoft Entra External ID (formerly Azure AD B2C)
C.Microsoft Entra Domain Services
D.Microsoft Entra Permissions Management
Answer: B

External ID is purpose-built for customer identity and access management, supporting multiple social identity providers and customizable sign-in pages.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2C) is the correct choice because it is specifically designed for customer-facing identity scenarios, supporting social identity providers (Facebook, Google) and any OpenID Connect provider. It also provides full customization of sign-in pages, including company branding like logos and colors, which is not available in the free edition of Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Entra External ID with the free edition of Microsoft Entra ID, assuming that 'free' includes customer identity support, but the free edition is the organization's workforce directory; consumer sign-up with social providers and fully branded sign-in journeys are External ID (customer) capabilities.

How to eliminate wrong answers

Option A is wrong because the Microsoft Entra ID free edition is intended for the organization's own users (and invited business guests), not for customer-facing sign-up with social or arbitrary OpenID Connect providers, and it does not offer the per-journey branding of customer sign-in pages. Option C is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., Kerberos, NTLM, LDAP) for legacy applications, not identity federation or customer sign-in customization. Option D is wrong because Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) tool for managing permissions across multi-cloud environments, unrelated to customer authentication or branding.

987
MCQ · hard

A company deploys Microsoft Entra ID Protection. The security team wants to automatically block sign-ins from anonymous IP addresses. They configure a Conditional Access policy. Which assignment condition should they use?

A.User risk level condition with 'Medium'
B.Device condition with 'Compliant'
C.Sign-in risk level condition with 'High'
D.Location condition with 'Any IP'
Answer: C

The sign-in risk condition is the one that reacts to the 'Anonymous IP address' detection; the question keys it at the 'High' level.

Why this answer

Entra ID Protection raises a real-time sign-in risk detection called 'Anonymous IP address' when a sign-in comes from an anonymizer such as Tor or an anonymous VPN, and Conditional Access consumes that through the sign-in risk condition combined with a block grant control. Option A is wrong because user risk is an aggregate score for the account (for example, leaked credentials), not a property of the individual sign-in. Option B is wrong because device compliance is a device-trust condition, unrelated to the network the sign-in came from. Option D is wrong because the location condition matches named locations and IP ranges, not risk detections, and 'Any IP' would match every sign-in. Practitioner check: before scoping a real policy to 'High' only, confirm the risk level Microsoft currently assigns to the anonymous IP detection; a policy that covers only 'High' silently misses sign-ins rated 'Medium'.

988
MCQ · medium

Your organization is implementing Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers in emails and documents. Which Microsoft Purview feature should they configure?

A.Data Lifecycle Management
B.Data Loss Prevention (DLP)
C.Insider Risk Management
D.Information Protection
Answer: B

DLP policies automatically detect sensitive information like credit card numbers and apply protective actions.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can automatically detect sensitive information like credit card numbers and apply protective actions, such as blocking or encrypting the content. Information Protection refers to sensitivity labels and encryption, but DLP is the feature that uses policies to detect and protect data in transit and at rest. Data Lifecycle Management handles retention and deletion.

Insider Risk Management focuses on user behavior.

989
MCQ · medium

You are a security analyst using Microsoft Sentinel. You run the Kusto query shown in the exhibit. What does this query do?

A.Counts security alerts containing 'MFA' per day for the last 7 days
B.Lists all identities that triggered MFA alerts
C.Counts distinct users with MFA alerts per day
D.Counts alerts by severity over the last week
Answer: A

Filtering on the alert name and then summarize count() over one-day bins of TimeGenerated gives a daily alert count.

Why this answer

Option A is correct. The query filters alerts whose name contains 'MFA' over the last 7 days, counts them per day, and renders a timechart. Option B is wrong because the query aggregates counts; it does not list the identities involved.

Option C is wrong because count() counts alerts, not distinct users (that would need dcount over an account field). Option D is wrong because the query neither filters nor groups by severity.
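The exhibit itself is not reproduced on this page. As an added example (not the question's query and not from the original page), the following reconstructs the query the explanation describes, and the "distinct users" variant of option C for contrast, and runs both against a Log Analytics workspace with the Az.OperationalInsights module. The workspace ID is a placeholder and the query text is my reconstruction; cmdlet names are those of the Az module, and the SecurityAlert schema (AlertName, Entities) is Sentinel's.

```powershell
# Added example, not from the original page: reconstruction of the kind of query the
# explanation describes, executed through Az.OperationalInsights. Workspace ID is a placeholder.
Connect-AzAccount
$workspaceId = "<log-analytics-workspace-id>"

# Option A: number of alerts whose name contains "MFA", per day, over the last 7 days.
# 'contains' is case-insensitive in KQL (use contains_cs if case matters).
# In the portal you would append "| render timechart"; the API just returns the table.
$alertsPerDay = @"
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName contains "MFA"
| summarize AlertCount = count() by Day = bin(TimeGenerated, 1d)
| order by Day asc
"@

# Option C, for contrast: distinct accounts named in those alerts, per day.
# SecurityAlert.Entities is a JSON array of entity objects; accounts have Type == "account".
$usersPerDay = @"
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName contains "MFA"
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
| summarize DistinctUsers = dcount(tostring(Entity.Name)) by Day = bin(TimeGenerated, 1d)
| order by Day asc
"@

$a = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $alertsPerDay
$u = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $usersPerDay

"Alerts per day (option A):"
$a.Results | Format-Table Day, AlertCount
"Distinct users per day (option C):"
$u.Results | Format-Table Day, DistinctUsers
```

Running both side by side is the quickest way to see why the options differ: one alert can name several accounts, and one account can appear in many alerts, so the two series rarely match.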

990
MCQ · medium

Your organization is implementing a new policy to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. The security team wants to enforce multi-factor authentication (MFA) for all users accessing this data, but only when accessing from outside the corporate network. Which Microsoft Entra ID conditional access policy setting should you configure to meet this requirement?

A.Use app-enforced restrictions for SharePoint
B.Grant access requiring device to be marked as compliant when location is not trusted
C.Grant access requiring multi-factor authentication when the location is not trusted
D.Block access when the location is not trusted
Answer: C

This enforces MFA for external access while allowing internal access without MFA.

Why this answer

Option C is correct because a Conditional Access policy can grant access subject to a control, here multi-factor authentication, only when the sign-in comes from a location that is not a trusted named location (or the trusted IP ranges), leaving on-network sign-ins untouched. Option D is wrong because blocking all access from untrusted locations would prevent legitimate remote work. Option B is wrong because requiring a compliant device is a device-trust control and does not enforce MFA.

Option A is wrong because app-enforced restrictions are a session control that tells SharePoint to limit what the session may do (for example, browser-only access without download); they do not enforce MFA at sign-in.
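As an added example (not from the original page) covering both this question and question 987 above, here are the two Conditional Access policies built with the Microsoft Graph PowerShell SDK: MFA for SharePoint Online only from untrusted locations, and a block on high sign-in risk. Display names, the break-glass group placeholder and the choice of SharePoint Online as the protected resource are assumptions; cmdlets and property names are those of the Microsoft.Graph module, and the sign-in risk condition requires Microsoft Entra ID P2.

```powershell
# Added example, not from the original page: two Conditional Access policies via the
# Microsoft Graph PowerShell SDK. Names and placeholders are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlass       = @("<emergency-access-group-object-id>")   # placeholder: never lock these accounts out
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"   # well-known app ID of Office 365 SharePoint Online

# Q990: require MFA for SharePoint Online only when the sign-in does NOT come from a trusted
# location. 'AllTrusted' covers every named location marked trusted plus the MFA trusted IP ranges.
$mfaOffNetwork = @{
    displayName = "Require MFA off-network for SharePoint"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = $breakGlass }
        applications = @{ includeApplications = @($sharePointOnline) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Q987: block any sign-in that Identity Protection rates as high sign-in risk (the
# 'Anonymous IP address' detection feeds this condition). Add "medium" to the list if
# the detections you care about are rated medium in your tenant.
$blockHighRisk = @{
    displayName = "Block high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaOffNetwork, $blockHighRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Check: read the policies back and show the conditions that actually decide their scope.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -in @("Require MFA off-network for SharePoint", "Block high sign-in risk") } |
    ForEach-Object {
        [pscustomobject]@{
            Policy            = $_.DisplayName
            State             = $_.State
            ExcludedLocations = ($_.Conditions.Locations.ExcludeLocations -join ",")
            SignInRisk        = ($_.Conditions.SignInRiskLevels -join ",")
            Grant             = ($_.GrantControls.BuiltInControls -join ",")
        }
    }
```

Both policies start in report-only mode on purpose: the "Report-only" tab of the sign-in log then shows which real sign-ins would have been challenged or blocked, which is the check to do before enforcing either policy.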

991
MCQ · medium

A company uses Microsoft 365 and sanctioned cloud apps like Salesforce and Box. The security team wants to prevent users from downloading sensitive documents from these apps when accessing from unmanaged personal devices, while still allowing read-only access. They need real-time session monitoring and control. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
Answer: B

Defender for Cloud Apps can enforce session policies via Conditional Access App Control, allowing granular control over actions like download, upload, and copy based on user, device, and data sensitivity.

Why this answer

Microsoft Defender for Cloud Apps provides real-time session monitoring and control via its Conditional Access App Control feature. This allows administrators to enforce policies that block downloads or restrict access to sensitive data based on device compliance, such as blocking downloads from unmanaged personal devices while permitting read-only access. The solution integrates with sanctioned cloud apps like Salesforce and Box to apply these controls at the session level.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that Office 365 covers all cloud app security, but Defender for Office 365 is limited to Microsoft 365 services and cannot enforce session policies on third-party SaaS apps like Salesforce or Box.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on email and collaboration security (e.g., anti-phishing, anti-malware) and does not provide session-level control over third-party cloud apps like Salesforce or Box. Option C is wrong because Microsoft Defender for Identity is designed to detect identity-based threats (e.g., compromised accounts, lateral movement) using on-premises Active Directory signals, not to monitor or control user sessions in cloud apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and attacks, but it does not offer real-time session monitoring or conditional access controls for cloud app sessions.

992
Multi-Select · medium

A company wants to automatically apply a 'Confidential' sensitivity label to any document that contains a credit card number, and also encrypt the document as part of the label. Which two components must be configured to achieve this? (Choose two.)

Select 2 answers
A.A sensitivity label with encryption settings
B.A DLP policy that detects sensitive info
C.An auto-labeling policy
D.A data classification dashboard
Answers: A, C

Correct. The sensitivity label must define the protection (encryption) that will be applied to documents containing credit card numbers.

Why this answer

Option A is correct because a sensitivity label must include encryption settings to automatically encrypt documents when the label is applied. The encryption is configured within the label's protection settings, which define how content is protected (e.g., with assigned permissions or user-defined permissions). Option C is correct because an auto-labeling policy is the component that inspects documents for the credit card number sensitive information type and applies the label without user action; the label alone only defines the protection and does not decide which documents receive it. Without encryption configured in the label, auto-labeling would only classify the document without encrypting it.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling policies, thinking DLP can apply labels and encryption, but DLP only detects and acts on content (e.g., block or notify) and does not apply sensitivity labels.

993
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Purview DLP policy JSON snippet. The policy is enabled and contains one rule. What is the effect of this rule?

A.Applies only to SharePoint, not Exchange.
B.Only audits the activity, does not block.
C.Blocks access and sends a policy tip to users.
D.Blocks access to content containing a credit card number in Exchange and SharePoint, without user notification.
Answer: D

The rule has a 'BlockAccess' action and no user-notification setting.

Why this answer

The rule detects credit card numbers in Exchange Online and SharePoint Online. The action 'BlockAccess' blocks access to the matching content. The rule does not include a user-notification setting, so users receive no policy tip.

The policy applies to all users (no user filter). Option D correctly describes this.
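The JSON exhibit itself is not reproduced on this page. As an added example (not the exhibit and not from the original page), the following Security & Compliance PowerShell creates a policy and rule with the same effect, then reads back the settings that decide it. Policy and rule names are assumptions; cmdlets and parameters are those of the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original page: a DLP policy whose single rule blocks access
# to credit card content in Exchange and SharePoint with no user notification. Names are
# assumptions; cmdlets/parameters are from Security & Compliance PowerShell.
Connect-IPPSSession

$policyName = "Credit card - block access"

# Scope: all Exchange mailboxes and all SharePoint sites, nothing else.
# Start in TestWithoutNotifications to see matches in the DLP reports before enforcing,
# then switch to -Mode Enable.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# One rule: built-in "Credit Card Number" sensitive information type, block access,
# and deliberately NO -NotifyUser, so no policy tip is shown (the option D behaviour).
New-DlpComplianceRule -Name "$policyName rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -BlockAccess $true

# To get the option C behaviour (block AND policy tip) instead, add to the rule:
#   -NotifyUser LastModifier -NotifyPolicyTipCustomText "Credit card numbers may not be shared here."
# To get option B (audit only), drop -BlockAccess and keep the policy in a test mode.

# Check: the three settings that decide the rule's effect.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, NotifyUser, Disabled,
        @{ n = "SensitiveInfo"; e = { ($_.ContentContainsSensitiveInformation | ForEach-Object { $_.name }) -join "," } }

Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation
```

Switch the policy to `-Mode Enable` with `Set-DlpCompliancePolicy` only after the test-mode reports show the expected matches and no obvious false positives such as order numbers that pass the Luhn check.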

994
MCQ · easy

Refer to the exhibit. An administrator runs the PowerShell command shown. What is the purpose of this command?

A.Delete all files modified by a user in the last 90 days
B.Modify permissions on files uploaded by a user
C.Search audit logs for file activities performed by a specific user
D.Block a user from uploading files
Answer: C

The command specifies a user ID, a date range and a set of file operations to search for.

Why this answer

The command searches the unified audit log for file-related operations performed by a specific user in the last 90 days. Option C is correct. It does not delete files, modify permissions, or block the user; searching the audit log is a read-only operation.
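The exhibit command is not reproduced on this page. As an added example (not the exhibit and not from the original page), the following Exchange Online PowerShell performs the search the explanation describes, pages through large result sets, and flattens the JSON audit record into investigator-friendly columns. The user principal name and output path are placeholders and the operation list is an assumption; the cmdlet and its parameters are those of the ExchangeOnlineManagement module. Check that the 90-day window lies within your tenant's audit log retention, which depends on licensing.

```powershell
# Added example, not from the original page: search the unified audit log for a user's
# file activity over the last 90 days. UPN and output path are placeholders.
Connect-ExchangeOnline

$user  = "alex@contoso.example"      # placeholder UPN
$start = (Get-Date).AddDays(-90)
$end   = Get-Date
$ops   = @("FileAccessed", "FileDownloaded", "FileModified", "FileDeleted",
           "FileUploaded", "FileSyncDownloadedFull")   # assumed list of interesting file operations

# A single call returns at most 5,000 records. -SessionCommand ReturnLargeSet with a
# fixed -SessionId keeps fetching the next chunk (up to 50,000 in total) until a short page.
$sessionId = "file-activity-$user-$(Get-Date -Format yyyyMMddHHmmss)"
$results = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user -Operations $ops -RecordType SharePointFileOperation `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $results += $page }
} while ($page -and $page.Count -eq 5000)

# Each record carries the details as a JSON string in AuditData; expand the useful fields.
$rows = $results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        User      = $_.UserIds
        ClientIP  = $d.ClientIP
        Site      = $d.SiteUrl
        File      = $d.ObjectId
        UserAgent = $d.UserAgent
    }
} | Sort-Object When

$rows | Export-Csv ".\file-activity-$($user -replace '@','_').csv" -NoTypeInformation

# Quick triage: activity by operation and by source IP.
$rows | Group-Object Operation | Select-Object Count, Name
$rows | Group-Object ClientIP  | Sort-Object Count -Descending | Select-Object Count, Name
```

The ReturnLargeSet results are not sorted by the service, which is why the script sorts on `When` itself; the per-IP grouping is usually the first thing that separates a user's normal sync client from a session an attacker established from elsewhere.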

995
Drag & Drop · medium

Sequence the steps to enable Microsoft Defender for Cloud Apps for an organization.

Why this order

Enabling Defender for Cloud Apps follows this sequence: sign in to the Microsoft Defender portal, connect an app through an app connector, configure the connector's settings, grant the permissions the connector requests in the target app, and verify connectivity so that activity data starts flowing.

996
MCQ · hard

Refer to the exhibit. A Microsoft Purview retention policy is configured as shown. Which statement about this policy is accurate?

A.The policy will delete items after 7 years from the date they were created.
B.The policy will retain items for 7 years from the last modification date.
C.The policy will delete items 7 years after they were last modified.
D.The policy will keep items for 7 years and then delete them.
Answer: C

Correct: the rule uses 'ModificationAgeInDays' with 2557 days (about 7 years), so items are deleted 7 years after they were last modified.

Why this answer

Option C is correct because the policy uses the expiration option 'ModificationAgeInDays' with a duration of 2557 days (7 years) and the action Delete, so an item is deleted 7 years after its last modification. Option A is wrong because the clock starts at last modification, not creation. Option B is wrong because the action is Delete, not Keep; a retain-only or retain-then-delete rule would use Keep or KeepAndDelete.

Option D is wrong because it does not say when the 7 years start, and the rule is a delete-only rule rather than a retain-then-delete rule; items are not protected from earlier deletion, and whether an item is deleted depends entirely on its last modification date.

997
MCQ · medium

A company uses Microsoft 365 and wants to automatically detect when employees attempt to share credit card numbers in emails or Microsoft Teams messages. The company also wants to block the message if it contains such sensitive data, and notify the sender with a policy tip. Which Microsoft Purview solution should the administrator configure?

A.Data Lifecycle Management
B.Data Loss Prevention (DLP)
C.Information Protection (Sensitivity labels)
D.Insider Risk Management
Answer: B

DLP policies detect sensitive information (e.g., credit card numbers) and enforce actions such as blocking, encrypting, or notifying users. This matches the scenario requirements.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect, block, and notify users when sensitive data—such as credit card numbers—is shared in emails or Teams messages. DLP policies can be configured with built-in sensitive information types (e.g., credit card number) and actions like blocking the message and sending a policy tip to the sender.

Exam trap

The trap here is that candidates often confuse Information Protection (sensitivity labels) with DLP, not realizing that sensitivity labels classify and protect data at rest, while DLP actively monitors and controls data in motion (email and chat).

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining, deleting, and managing data based on age or compliance requirements, not on real-time detection and blocking of sensitive data sharing. Option C is wrong because Information Protection (Sensitivity labels) is used to classify and protect data at rest (e.g., documents) with encryption or markings, but it does not natively inspect and block messages in transit in email or Teams. Option D is wrong because Insider Risk Management is designed to detect risky user activities (e.g., data theft, policy violations) based on analytics and alerts, not to automatically block messages containing sensitive data in real time.

998
Multi-Select · medium

Which TWO Microsoft Purview solutions are primarily used for investigating and responding to compliance incidents?

Select 2 answers
A.Microsoft Purview eDiscovery
B.Microsoft Purview Audit
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Data Loss Prevention
E.Microsoft Purview Insider Risk Management
Answers: A, B

eDiscovery is used to search and export content for investigations.

Why this answer

eDiscovery is used for legal and internal investigations (search, hold, review and export of content), and Audit is used for investigating user and admin activity from the unified audit log. DLP is for prevention, not investigation. Data Lifecycle Management (retention) governs how long content is kept.

Insider Risk Management is for detecting risky activities, but it is more proactive than investigative.

999
MCQ · hard

A company stores HR documents in SharePoint Online. The compliance team wants to automatically apply a sensitivity label that encrypts the document whenever it contains a passport number. They do not want users to be able to override this classification. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP) policy
B.Auto-labeling policy for sensitivity labels
C.Retention policy
D.Communication compliance policy
Answer: B

Auto-labeling policies automatically apply sensitivity labels, including encryption, based on conditions like the presence of passport numbers, and can be set to not allow override.

Why this answer

An auto-labeling policy for sensitivity labels can automatically apply a sensitivity label (e.g., 'Highly Confidential') that encrypts documents when they contain sensitive data like passport numbers. This policy can be configured to enforce mandatory labeling without allowing user override, meeting the compliance team's requirement. In contrast, a DLP policy can detect and block sharing of sensitive data but does not apply encryption labels automatically.

Exam trap

The trap here is that candidates often confuse DLP policies with auto-labeling, assuming DLP can also apply encryption labels, but DLP only detects and blocks actions—it does not automatically classify or encrypt content.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) policy is designed to detect and prevent the unauthorized sharing of sensitive information (e.g., via email or cloud apps) by blocking or alerting, but it does not automatically apply a sensitivity label that encrypts the document. Option C is wrong because a retention policy governs how long content is kept or deleted, not the classification or encryption of content based on sensitive data. Option D is wrong because a communication compliance policy monitors and analyzes communications (e.g., email, Teams) for policy violations like harassment or insider trading, not for automatic labeling or encryption of documents.

1000
MCQ · easy

Your organization wants to use Microsoft Entra Verified ID to issue digital credentials to employees. Which Microsoft Entra service provides the ability to issue and verify verifiable credentials?

A.Microsoft Entra Entitlement Management
B.Microsoft Entra Verified ID
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management
Answer: B

Verified ID is the service for decentralized identity and verifiable credentials.

Why this answer

Microsoft Entra Verified ID is the specific service designed to issue and verify verifiable credentials based on decentralized identity standards such as W3C Verifiable Credentials and Decentralized Identifiers (DIDs). It enables organizations to create, issue, and cryptographically verify digital credentials without relying on a central authority, aligning with the scenario described.

Exam trap

The trap here is that candidates may confuse 'Verified ID' with other identity governance or security services like Entitlement Management or Identity Protection, but only Verified ID directly handles the issuance and verification of verifiable credentials using decentralized identity standards.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management focuses on automating access reviews, access packages, and lifecycle management for applications and groups, not on issuing or verifying verifiable credentials. Option C is wrong because Microsoft Entra Identity Protection is a security tool that detects identity-based risks like compromised accounts and sign-in anomalies, not a credential issuance or verification service. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access approvals, not the creation or verification of digital credentials.

1001
MCQmedium

A security team manages a hybrid environment with on-premises Windows servers and Azure VMs. They need a solution that can detect lateral movement attacks, pass-the-hash attempts, and anomalous service account behavior on the on-premises Active Directory environment. They also want these alerts to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their on-premises domain controllers?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Identity
C.Microsoft Defender for Endpoint
D.Microsoft Intune
AnswerB

Defender for Identity is a cloud-based security solution that integrates with on-premises Active Directory to detect suspicious user and entity behavior, including lateral movement and pass-the-hash attacks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because its sensor is installed on the on-premises domain controllers and monitors Active Directory traffic and events to detect advanced threats such as lateral movement, pass-the-hash, and anomalous service account behavior. Its alerts surface in the Microsoft Defender portal alongside Defender for Cloud alerts, providing the centralized alerting and investigation across the hybrid environment that the scenario asks for.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers identity threats, but MDI is the only solution that directly monitors on-premises Active Directory for lateral movement and pass-the-hash attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 protects against email-based threats (phishing, malware in attachments/links) and does not monitor on-premises Active Directory or detect lateral movement or pass-the-hash attacks. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices (Windows, Linux, macOS) and does not natively analyze on-premises AD domain controller traffic for identity-based attacks. Option D is wrong because Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) solution; it does not provide security monitoring or threat detection for on-premises Active Directory.

1002
MCQmedium

A security operations team investigates a multi-stage attack that began with a phishing email, then moved to credential compromise, and finally to lateral movement on endpoints. They need a single pane of glass to view the entire attack story, including the initial email, the compromised user's sign-in activities, and processes on affected devices. Which Microsoft security solution provides this unified investigation experience?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender
D.Microsoft Defender for Identity
AnswerC

Microsoft 365 Defender unifies alerts and incidents from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into a single view.

Why this answer

Microsoft 365 Defender (now Microsoft Defender XDR) provides a unified investigation experience by correlating signals across email, identity, and endpoint domains into a single incident view. This allows the security team to see the full attack story—from the initial phishing email in Defender for Office 365, to the compromised user's sign-in activities via Defender for Identity, and the lateral movement processes on endpoints through Defender for Endpoint—all within one console.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), assuming that any cross-domain investigation requires a SIEM, when in fact Microsoft 365 Defender provides the native, pre-correlated attack story across email, identity, and endpoints without needing custom log ingestion.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR solution that ingests logs from multiple sources but does not natively provide the pre-correlated, cross-domain attack story across email, identity, and endpoints in a single pane of glass; it requires custom analytics rules and data connectors to stitch the story together. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform focused on cloud resources (VMs, databases, containers), not on investigating phishing emails, user sign-ins, or endpoint lateral movement. Option D is wrong because Microsoft Defender for Identity is an on-premises identity threat detection solution that monitors Active Directory signals (e.g., Kerberos, NTLM, LDAP) and can detect credential compromise and lateral movement, but it does not cover the initial phishing email or endpoint process details, and it lacks the unified incident view across all three domains.

1003
MCQmedium

A company uses Microsoft 365 and needs to automatically apply a retention label to documents that contain personally identifiable information (PII) in SharePoint Online. The label should retain the documents for 5 years and then delete them. Which Microsoft Purview solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview eDiscovery
AnswerC

Data Lifecycle Management provides retention labels that can be auto-applied based on sensitive information types and enforce retention and deletion rules.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance) is the solution designed to apply retention labels and retention policies that keep content for a specified period and then delete it. In this scenario, auto-applying a retention label to documents that contain PII in SharePoint Online, then retaining them for 5 years before deletion, is a core capability of Data Lifecycle Management: retention labels can be auto-applied based on sensitive information types, and the label itself carries the retain-then-delete setting.

Exam trap

The trap here is that candidates often confuse the purpose of Data Lifecycle Management (retention and deletion) with Information Protection (sensitivity labels and encryption), especially since both use labels and can be auto-applied based on sensitive content.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying and protecting data through sensitivity labels (e.g., encryption, marking), not on retention and deletion schedules. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent accidental sharing of sensitive data by enforcing policies (e.g., blocking or warning), not to manage retention or deletion. Option D is wrong because Microsoft Purview eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for applying retention labels or managing lifecycle policies.

1004
MCQmedium

A company uses Microsoft Defender for Office 365 and wants to protect users from malicious attachments in email. They need a feature that scans email attachments in a sandbox environment before they are delivered to recipients. Which Defender for Office 365 feature should they use?

A.Safe Links
B.Safe Attachments
C.Anti-phishing policies
D.Anti-spam policies
AnswerB

Safe Attachments uses sandboxing to scan attachments for malicious content before they reach the user's inbox.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a sandbox environment before delivery, analyzing them for malicious behavior. This protects users from zero-day threats and advanced malware that signature-based detection might miss.

Exam trap

The trap here is confusing Safe Attachments (which scans attachments in a sandbox) with Safe Links (which scans URLs), as both are part of Microsoft Defender for Office 365 but serve different protection purposes.

How to eliminate wrong answers

Option A is wrong because Safe Links protects users from malicious URLs in email and Office documents, not attachments. Option C is wrong because Anti-phishing policies protect against phishing attempts by analyzing sender reputation and impersonation patterns, not by scanning attachments in a sandbox. Option D is wrong because Anti-spam policies filter unwanted bulk email based on content and sender reputation, not by detonating attachments in a sandbox.

1005
MCQhard

Your organization, Contoso, uses Microsoft Entra ID P2. You have a Microsoft Entra tenant with several privileged roles including Global Administrator, Exchange Administrator, and SharePoint Administrator. The security team wants to enforce just-in-time (JIT) access for these roles, requiring users to request activation and get approval before they can use the role. Additionally, all activations must be logged and reviewed monthly. What should you configure?

A.Configure Microsoft Entra Privileged Identity Management (PIM) to require approval for role activation and enable access reviews.
B.Configure Conditional Access policies to require MFA for privileged roles.
C.Use Microsoft Entra Entitlement Management to create access packages for roles.
D.Create an Identity Protection risk policy to block risky sign-ins for privileged users.
AnswerA

PIM provides JIT activation with approval and reviews.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by requiring users to activate their role assignments with approval from designated approvers. It also includes access reviews that can be scheduled to audit and confirm active role assignments, meeting the logging and monthly review requirements. This directly addresses the need for activation approval and periodic review of privileged role usage.

Exam trap

The trap here is confusing Conditional Access policies (which control sign-in conditions) with PIM (which controls role activation and approval workflows), leading candidates to select MFA enforcement instead of the JIT and review capabilities unique to PIM.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce authentication requirements (like MFA) during sign-in but do not provide JIT activation workflows, approval processes, or scheduled access reviews for privileged roles. Option C is wrong because Entitlement Management manages access packages for resource access (e.g., groups, apps, sites) but does not handle role activation approval or time-bound JIT elevation for Entra ID administrative roles. Option D is wrong because Identity Protection risk policies block or require MFA for risky sign-ins, but they do not control role activation, require approval, or log/review privileged role usage.

1006
Multi-Selecteasy

Your organization is implementing Microsoft Purview to govern data across Microsoft 365 and Azure. Which TWO capabilities should you use to discover and classify sensitive data?

Select 2 answers
A.Microsoft Purview Information Protection
B.Microsoft Purview Data Map
C.Microsoft Purview eDiscovery
D.Microsoft Purview Audit
E.Microsoft Purview Data Lifecycle Management
AnswersA, B

Correct: Data Map scans and classifies data across sources; Information Protection applies sensitivity labels to classify and protect data.

Why this answer

Microsoft Purview Data Map provides automated data discovery and classification across on-premises, multi-cloud, and SaaS data. Microsoft Purview Information Protection enables classification and labeling of sensitive data. Data Lifecycle Management focuses on retention and deletion, not discovery/classification.

Audit and eDiscovery are for investigation and legal holds, not for discovering and classifying data in the first place.

1007
MCQhard

You are troubleshooting a Windows device that is reporting as non-compliant in Microsoft Intune. The exhibit shows the output of a PowerShell command run on the device. Based on the output, which component is likely misconfigured?

A.Microsoft Defender for Endpoint sensor onboarding
B.Antivirus protection
C.Antispyware protection
D.Microsoft Defender Antivirus real-time protection
AnswerA

The output shows the Defender Antivirus components as enabled but says nothing about Defender for Endpoint sensor onboarding, so the sensor onboarding is the component that remains unverified and is the likely cause.

Why this answer

Option A is correct because the PowerShell output covers only the Defender Antivirus components (the antimalware service, antivirus, antispyware and real-time protection), and every one of them is reported as enabled. Defender for Endpoint sensor onboarding is a separate component that this output does not report on, so with everything visible healthy it is the component most likely to be misconfigured and to leave the device non-compliant.

Option B is wrong because antivirus protection is reported as enabled. Option C is wrong because antispyware protection is reported as enabled. Option D is wrong because real-time protection is reported as enabled; none of the components shown explains the non-compliance.
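The check behind this question, as an added example that is not from the exam page or its exhibit: the Get-MpComputerStatus properties that the four options map to, plus the Defender for Endpoint onboarding state that Get-MpComputerStatus does not report. It assumes an elevated PowerShell session on the Windows device itself; the registry key and the Sense service name are the documented MDE locations, and the compliance-rule wording in the warning is an assumption about how the Intune policy is configured.

```powershell
# Added example, not from the exam page: read the Defender Antivirus components that
# Get-MpComputerStatus reports, then check the Defender for Endpoint sensor separately,
# because Get-MpComputerStatus says nothing about sensor onboarding.
# Assumes an elevated PowerShell session on a Windows device with the Defender module.
# The registry path and the 'Sense' service name are the documented MDE locations.

function Get-DefenderHealthReport {
    $mp = Get-MpComputerStatus

    # Defender Antivirus components; these are the ones exam options B, C and D map to.
    $av = [pscustomobject]@{
        AMServiceEnabled          = $mp.AMServiceEnabled
        AntivirusEnabled          = $mp.AntivirusEnabled
        AntispywareEnabled        = $mp.AntispywareEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AntivirusSignatureAgeDays = $mp.AntivirusSignatureAge   # stale signatures also fail compliance
    }

    # Defender for Endpoint sensor (option A): OnboardingState 1 means onboarded, and the
    # 'Sense' service (Windows Defender Advanced Threat Protection Service) must be running.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    $mde = [pscustomobject]@{
        OnboardingState = $state          # $null when the key is absent: never onboarded
        SenseService    = $senseStatus
        Onboarded       = ($state -eq 1 -and $senseStatus -eq 'Running')
    }

    [pscustomobject]@{ DefenderAntivirus = $av; DefenderForEndpoint = $mde }
}

$report = Get-DefenderHealthReport
$report.DefenderAntivirus   | Format-List
$report.DefenderForEndpoint | Format-List

if (-not $report.DefenderForEndpoint.Onboarded) {
    Write-Warning ('Defender AV reports healthy, but the MDE sensor is not onboarded or not running; ' +
                   'an Intune compliance rule that requires a Defender for Endpoint machine risk score cannot be met.')
}
```

Run both halves before concluding anything from a single cmdlet's output: a device with every Defender Antivirus flag set to True can still be non-compliant because the Sense service was never onboarded, and that state is only visible in the MDE registry key and service, not in Get-MpComputerStatus.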

1008
MCQmedium

You are a compliance administrator for a multinational corporation that uses Microsoft Purview. The company must comply with the General Data Protection Regulation (GDPR). You need to implement a solution that allows data subjects to request access to their personal data stored in Exchange Online, SharePoint Online, and OneDrive for Business. The solution must provide a centralized portal for data subjects to submit requests and for privacy officers to manage the entire process, including searching for data, reviewing results, and exporting or redacting data. You also need to ensure that requests are automatically routed to the appropriate privacy officer based on the data subject's region. Microsoft Purview has been licensed for the entire organization. What should you configure?

A.Use Microsoft Purview Information Protection to manually classify and search for personal data.
B.Configure Microsoft Purview eDiscovery (Premium) cases with workflow automation and role-based access for privacy officers.
C.Configure Microsoft Purview eDiscovery (Standard) cases to manage each request manually.
D.Create retention labels and policies to retain personal data for GDPR compliance.
AnswerB

Correct: eDiscovery (Premium) provides case management, review, export, and automation for DSRs.

Why this answer

Microsoft Purview eDiscovery (Standard) allows for content searches across Exchange, SharePoint, and OneDrive, and can be used to manage GDPR data subject requests. However, the centralized portal and automated routing are features of Microsoft Purview eDiscovery (Premium), which includes case management, review sets, and advanced workflows. Therefore, the best option is to configure eDiscovery (Premium) cases with workflow automation.

Option A is wrong because Information Protection classifies and protects data; manually classifying and searching for personal data gives data subjects no portal and privacy officers no managed workflow. Option C is wrong because eDiscovery (Standard) supports searches and holds but lacks the case workflow, review sets and routing the scenario requires. Option D is wrong because retention labels and policies control how long data is kept, not how subject access requests are received and fulfilled.

1009
MCQmedium

A financial institution is deploying Microsoft Sentinel to monitor security events across its hybrid cloud environment. They want to correlate alerts from multiple sources and automate incident response. Which Microsoft Sentinel feature should they use to create automated workflows?

A.Workbooks
B.Analytics rules
C.Playbooks
D.Hunting queries
AnswerC

Playbooks are used to automate incident response by running predefined actions (like blocking an IP or notifying a team) when triggered by an alert or incident.

Why this answer

Playbooks in Microsoft Sentinel are built on Azure Logic Apps and allow you to automate incident response by defining a series of actions triggered by alerts. They can orchestrate tasks such as blocking IPs, opening tickets, or notifying teams, making them the correct choice for creating automated workflows.

Exam trap

The trap here is confusing the purpose of Analytics rules (alert generation) with Playbooks (automated response), as both are part of the detection and response pipeline but serve distinct roles.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for visualizing and analyzing data through dashboards, not for automating workflows. Option B is wrong because Analytics rules define conditions for generating alerts from data sources, but they do not execute automated response actions. Option D is wrong because Hunting queries are ad-hoc searches for potential threats in raw log data, not for creating automated incident response workflows.

1010
MCQhard

Refer to the exhibit. You are evaluating a Microsoft Purview retention policy. The policy is applied to Exchange Online, SharePoint Online, and OneDrive for Business. What is the behavior of this policy?

A.Items are retained indefinitely and cannot be deleted
B.Items are deleted 365 days after last modification
C.Items are preserved with a lock and cannot be deleted by users
D.Items are automatically deleted 365 days after creation
AnswerD

RetentionDuration is 365, the period is counted from when the item was created, and the action at the end of the period is Delete.

Why this answer

The rule's duration is 365 days, the period counts from the item's creation date, and the action when the period ends is Delete, so items are automatically deleted 365 days after creation. Option D is correct.

Option A is wrong because the policy has a finite 365-day period, not indefinite retention. Option B is wrong because the period is counted from creation, not from last modification. Option C is wrong because Preservation Lock is not enabled on this policy; Preservation Lock is a policy-level setting that stops administrators from narrowing or removing the policy once it is set, and it is not what prevents users from deleting items in any case.
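The retention settings this question turns on, as an added example that is not from the exam page or its exhibit: the Security & Compliance PowerShell commands that create an equivalent policy, and a helper that reads the three decisive settings (duration, what the period is counted from, and the end-of-period action) back and states the resulting behaviour. The exhibit's own field names are not reproduced; the parameter names are those of New-RetentionComplianceRule, and the policy name is a placeholder.

```powershell
# Added example, not from the exam page: create a retention policy equivalent to the one
# described (365 days from creation, then delete, no Preservation Lock) and read back the
# settings that decide its behaviour.
# Assumes Connect-IPPSSession (ExchangeOnlineManagement module) has already been run by a
# Compliance Administrator; the policy and rule names are placeholders.

$policyName = 'Delete-365-days-after-creation'

# Scope: Exchange mailboxes, SharePoint sites and OneDrive accounts.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Enabled $true

# The rule carries the behaviour:
#   RetentionDuration 365                  -> 365 days
#   ExpirationDateOption CreationAgeInDays -> counted from creation, not last modification
#   RetentionComplianceAction Delete       -> delete when the period ends (Keep / KeepAndDelete are the alternatives)
New-RetentionComplianceRule -Name "$policyName-rule" -Policy $policyName `
    -RetentionDuration 365 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Preservation Lock is a policy-level switch (RestrictiveRetention). It stops administrators
# from narrowing or removing the policy and cannot be undone, so it is deliberately NOT set here:
# Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true

# Read back the settings the exam question asks you to interpret.
function Get-RetentionBehaviour {
    param([Parameter(Mandatory)][string]$PolicyName)
    $policy = Get-RetentionCompliancePolicy -Identity $PolicyName
    $rule   = Get-RetentionComplianceRule -Policy $PolicyName

    $countedFrom = switch ($rule.ExpirationDateOption) {
        'CreationAgeInDays'     { 'creation' }
        'ModificationAgeInDays' { 'last modification' }
        default                 { $rule.ExpirationDateOption }
    }
    $verb = switch ($rule.RetentionComplianceAction) {
        'Delete'        { 'deleted' }
        'Keep'          { 'retained, then released' }
        'KeepAndDelete' { 'retained, then deleted' }
        default         { $rule.RetentionComplianceAction }
    }
    $lock = if ($policy.RestrictiveRetention) { ' (Preservation Lock on: admins cannot relax this policy)' } else { '' }

    [pscustomobject]@{
        Policy           = $PolicyName
        DurationDays     = $rule.RetentionDuration
        CountedFrom      = $countedFrom
        Action           = $rule.RetentionComplianceAction
        PreservationLock = [bool]$policy.RestrictiveRetention
        Summary          = "Items are $verb $($rule.RetentionDuration) days after $countedFrom$lock"
    }
}

Get-RetentionBehaviour -PolicyName $policyName | Format-List
```

The point of reading the rule back is that all three settings live on the rule, while Preservation Lock lives on the policy; an exhibit that shows the lock as false tells you who may change the policy, not what happens to the items.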

1011
MCQhard

Refer to the exhibit. A Microsoft Graph PowerShell script is shown. What is the purpose of this script?

A.Register a phone authentication method for users.
B.Configure self-service password reset settings.
C.Reset passwords for all users named John.
D.Enable multifactor authentication for the users.
AnswerA

The script adds a phone authentication method.

Why this answer

The script uses the `New-MgUserAuthenticationPhoneMethod` cmdlet to register a phone number as an authentication method for a user in Microsoft Entra ID. This cmdlet specifically creates a phone authentication method, which can be used for multifactor authentication or self-service password reset, but its direct purpose is to register the phone method itself.

Exam trap

The trap here is that candidates confuse registering a phone authentication method with enabling MFA or configuring SSPR, because the phone method is a common component of both, but the cmdlet's specific purpose is only to register the method, not to enable the broader feature.

How to eliminate wrong answers

Option B is wrong because self-service password reset (SSPR) settings are configured through the tenant's authentication methods policy (for example with `Update-MgPolicyAuthenticationMethodPolicy`) or in the Microsoft Entra admin center, not with `New-MgUserAuthenticationPhoneMethod`. Option C is wrong because the script does not perform any password reset operation; it only registers a phone method, and it targets a single user by UserPrincipalName, not all users named John. Option D is wrong because enabling multifactor authentication (MFA) for users is done via Conditional Access policies, security defaults, or per-user MFA settings, not by registering a phone method; the cmdlet only adds a phone as an authentication method, which is a prerequisite for the phone-based MFA methods but not the act of enabling MFA.
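The operation the exhibit's script performs, as an added example that is not the exhibit's code: register a mobile phone method for one user with Microsoft Graph PowerShell and read the user's methods back. The user principal name, the phone number and the admin's permission scope are placeholders and assumptions; the update branch is added because a user can hold only one method of type mobile, so re-running the script against the same user would otherwise fail.

```powershell
# Added example, not from the exam page: register a mobile phone authentication method for
# one user with Microsoft Graph PowerShell, then list the user's methods to confirm.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent to
# UserAuthenticationMethod.ReadWrite.All; user and phone number are placeholders.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$upn   = 'john.doe@contoso.com'   # placeholder
$phone = '+1 4255550123'          # format: +<country code> <number>

function Register-MobilePhoneMethod {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$PhoneNumber
    )
    # A user can hold one 'mobile' method; creating a second one fails, so update it instead.
    $existing = Get-MgUserAuthenticationPhoneMethod -UserId $UserId -ErrorAction SilentlyContinue |
                Where-Object { $_.PhoneType -eq 'mobile' }
    if ($existing) {
        Update-MgUserAuthenticationPhoneMethod -UserId $UserId `
            -PhoneAuthenticationMethodId $existing.Id `
            -PhoneNumber $PhoneNumber -PhoneType 'mobile'
        return $existing.Id
    }
    $new = New-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneNumber $PhoneNumber -PhoneType 'mobile'
    return $new.Id
}

$methodId = Register-MobilePhoneMethod -UserId $upn -PhoneNumber $phone
"Phone method id for ${upn}: $methodId"

# Verify: the phone method is now one of the user's registered methods. Registering it does NOT
# enable MFA; whether this user is prompted for MFA is decided by Conditional Access, security
# defaults or per-user MFA settings, none of which this script touches.
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```

The verification step is what separates option A from option D in practice: after the script runs, the user's method list gains a phoneAuthenticationMethod entry, but nothing in the tenant's Conditional Access policies or authentication methods policy has changed.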

1012
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in JSON format. What is the effect of this policy?

A.All users are blocked from accessing resources from untrusted locations.
B.All users must use MFA and accept terms of use when accessing from trusted locations.
C.All users must use MFA from all locations.
D.Guests must accept terms of use and use MFA from all locations.
AnswerB

The policy conditions include trusted locations and grant controls require MFA and terms of use.

Why this answer

The policy is scoped by a location condition to trusted locations, and its grant controls require multifactor authentication and acceptance of terms of use, combined so that all selected controls must be satisfied. Because the assignment targets all users, any user (including guests) who signs in from a trusted location must complete MFA and accept the terms of use before access is granted. Option B correctly captures this combination.

Exam trap

The trap here is that candidates often misinterpret the 'Grant' block as a block action, or assume the policy applies to all locations when the location condition explicitly scopes it to trusted locations only.

How to eliminate wrong answers

Option A is wrong because the policy does not block access from untrusted locations; it only defines the requirements for granting access, and if the location is not trusted, the policy simply does not apply (no explicit block action is set). Option C is wrong because the policy specifically restricts the MFA requirement to 'trusted locations' only, not all locations. Option D is wrong because the policy applies to 'All users', not just guests, and the terms of use and MFA are only required when accessing from trusted locations, not from all locations.

1013
MCQeasy

Your organization uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) for all users. Which policy should you create?

A.Conditional Access policy
B.Identity Protection policy
C.Security defaults
D.Privileged Identity Management
AnswerA

Conditional Access policies can enforce MFA for all users.

Why this answer

Conditional Access policies are the correct mechanism to enforce MFA for all users because they allow granular, policy-driven access controls based on signals like user, location, device, and application. By creating a Conditional Access policy that requires MFA for all cloud apps, you can target all users and enforce MFA at authentication time, providing a flexible and scalable solution.

Exam trap

The trap here is that candidates confuse Security defaults (a simple, pre-configured baseline) with a customizable policy, but Security defaults is not a policy you 'create'—it is an all-or-nothing toggle that cannot be scoped or modified, whereas Conditional Access policies are the correct, granular tool for enforcing MFA.

How to eliminate wrong answers

Option B is wrong because Identity Protection policies are designed to detect and respond to risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can automatically trigger MFA based on risk level, but they cannot enforce MFA for all users unconditionally. Option C is wrong because Security defaults is a baseline set of security configurations that includes enforcing MFA for all users, but it is a tenant-wide setting that cannot be customized or scoped; it is not a policy you 'create' but rather enable or disable. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and approval workflows for roles, not MFA enforcement for all users; it manages role activation, not authentication requirements.
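The two policies behind question 1012 and question 1013, as an added example that is not from the exam page or the 1012 exhibit: one helper builds the Microsoft Graph request body for a Conditional Access policy, and the presence or absence of two inputs turns it into the 1012 policy (all users, trusted locations only, MFA and terms of use) or the 1013 policy (all users, all locations, MFA). The terms-of-use agreement id and the emergency-access account id are placeholders; excluding a break-glass account and starting in report-only mode are the editor's additions, not something the questions state.

```powershell
# Added example, not from the exam page: build the Conditional Access policy the Q1012 exhibit
# describes with Microsoft Graph PowerShell, and show the change that turns it into the Q1013
# policy (MFA for all users from all locations).
# Assumes Policy.ReadWrite.ConditionalAccess permission; the terms-of-use agreement id and the
# break-glass account id are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$termsOfUseId = '00000000-0000-0000-0000-000000000000'   # placeholder: an agreement id from Get-MgIdentityGovernanceTermsOfUseAgreement
$breakGlassId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access account object id

function New-MfaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$TrustedLocationsOnly,   # Q1012: apply only when the sign-in comes from a trusted named location
        [string]$TermsOfUseId            # Q1012: also require acceptance of terms of use
    )
    $grant = @{
        operator        = 'AND'          # 'Require all the selected controls'; with 'OR' either control alone would satisfy
        builtInControls = @('mfa')
    }
    if ($TermsOfUseId) { $grant.termsOfUse = @($TermsOfUseId) }

    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    if ($TrustedLocationsOnly) {
        # 'AllTrusted' = every named location marked as trusted. Sign-ins from anywhere else are
        # simply out of scope: the policy does not block them.
        $conditions.locations = @{ includeLocations = @('AllTrusted') }
    }

    @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
        conditions    = $conditions
        grantControls = $grant
    }
}

# Q1012 exhibit: MFA + terms of use, scoped to trusted locations.
$q1012 = New-MfaPolicyBody -DisplayName 'CA-TrustedLocations-MFA-ToU' -TrustedLocationsOnly -TermsOfUseId $termsOfUseId

# Q1013: MFA for all users from all locations. Drop the location condition and the terms of use.
$q1013 = New-MfaPolicyBody -DisplayName 'CA-AllUsers-MFA'

foreach ($body in @($q1012, $q1013)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Select-Object DisplayName, State, Id
}
```

Two details matter when reading a policy like the 1012 exhibit: the grant operator (AND means every listed control is required, OR means any one suffices), and the fact that a location condition only narrows where the policy applies, so an access attempt outside that scope is neither granted nor blocked by this policy.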

1014
MCQmedium

Refer to the exhibit. A Microsoft Purview DLP policy is configured. When a user attempts to share a document containing a credit card number externally, what will happen?

A.The document is shared but the user is notified.
B.The sharing attempt is blocked and the user receives a notification.
C.The document is encrypted before sharing.
D.The policy has no effect because no severity level is set.
AnswerB

Both actions are specified in the policy rule.

Why this answer

The rule has both 'BlockAccess' and 'NotifyUser' actions, so the sharing will be blocked and the user will be notified. Option A is wrong because notifying without blocking is not what is configured. Option C is wrong because the policy does not include an encryption action.

Option D is wrong because the policy is active and will block.
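A DLP rule with the two actions the exhibit shows, as an added example that is not from the exam page or the exhibit: it blocks external sharing of content containing a credit card number and notifies the user, and it separates the severity setting (which only tags the alert and incident report) from the actions that enforce. It assumes a Connect-IPPSSession session; the policy name, the custom policy tip text and the choice to start in test mode are the editor's.

```powershell
# Added example, not from the exam page: a DLP policy whose rule carries both actions in the
# Q1014 exhibit (block external sharing of credit card numbers, notify the user), showing that
# the severity level affects only alerting, not enforcement.
# Assumes Connect-IPPSSession has been run by a Compliance Administrator; names are placeholders.

$policyName = 'DLP-CreditCard-External'

# Policy: where it applies and whether it enforces. Test mode first; switch to Enable after
# reviewing false positives in the DLP reports.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: conditions and actions. Splatting keeps each setting commented.
$ruleParams = @{
    Name   = "$policyName-rule"
    Policy = $policyName

    # Condition: at least one credit card number ...
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    # ... in content shared with people outside the organization.
    AccessScope = 'NotInOrganization'

    # Action 1: block the share. 'All' removes access for everyone except the owner and
    # last modifier; 'PerUser' would block only the external recipients.
    BlockAccess      = $true
    BlockAccessScope = 'All'

    # Action 2: notify the user with a policy tip / email.
    NotifyUser                = @('Owner', 'LastModifier')
    NotifyPolicyTipCustomText = 'This document contains credit card numbers and cannot be shared outside the organization.'

    # Reporting only: the severity labels the alert. Leaving it at None would still block.
    GenerateIncidentReport = @('SiteAdmin')
    ReportSeverityLevel    = 'High'
}
New-DlpComplianceRule @ruleParams

# Read the rule back: the two actions are what decide the user's experience.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser, ReportSeverityLevel
```

When a policy like this is switched from TestWithNotifications to Enable, the user sees the policy tip and the share fails; the severity value never changes that outcome, which is why option D in the question is wrong.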

1015
MCQeasy

A healthcare organization needs to automatically classify documents containing patient health information (PHI) in Microsoft SharePoint. The solution should apply a 'Confidential - Healthcare' sensitivity label to any document that matches the HIPAA content pattern. Which Microsoft Purview feature should be used?

A.Retention label auto-apply
B.Manual sensitivity labeling
C.Data loss prevention (DLP) policy
D.Auto-labeling for sensitivity labels
AnswerD

Auto-labeling automatically classifies documents based on content patterns.

Why this answer

Option D is correct because auto-labeling for sensitivity labels in Microsoft Purview can apply a sensitivity label to documents that match a content pattern, without user action. Option A is wrong because retention label auto-apply manages how long content is kept, not its classification or protection. Option B is wrong because manual labeling requires each user to choose the label. Option C is wrong because a DLP policy detects and prevents sharing; it does not classify content.

1016
MCQeasy

A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Zero trust
AnswerA

Defense in depth is the correct concept. It employs overlapping security controls so that if one layer is breached, subsequent layers continue to protect the system.

Why this answer

Defense in depth is a security strategy that layers multiple independent controls—such as firewalls, intrusion detection systems (IDS), and endpoint antivirus—across different network segments. The core principle is that if one layer is breached or fails, subsequent layers continue to provide protection, ensuring no single point of failure compromises the entire security posture.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple security controls, but zero trust is specifically about eliminating implicit trust through continuous verification, not about layering independent defenses.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on layering multiple security controls. Option C (Separation of duties) is wrong because it divides critical tasks among multiple people to prevent fraud or error, not to create redundant security layers. Option D (Zero trust) is wrong because it assumes no implicit trust and continuously verifies every access request, but it does not inherently require multiple independent security layers; it is a model of continuous verification, not a layered defense strategy.

1017
MCQmedium

Contoso Pharmaceuticals is implementing Microsoft Purview to meet regulatory compliance (HIPAA and GDPR). They need to: (1) automatically classify and protect patient health information (PHI) and personally identifiable information (PII) in Exchange Online, SharePoint Online, and OneDrive for Business; (2) detect and prevent unauthorized sharing of sensitive data; (3) retain audit logs for 7 years; and (4) allow users to manually apply classification labels to documents. The company has 5,000 users and uses Microsoft 365 E5 licenses. The security team wants to minimize manual effort and ensure consistent protection. What should the compliance administrator configure first?

A.Configure Data Loss Prevention (DLP) policies to block sharing of content containing PHI and PII.
B.Create sensitivity labels with auto-labeling policies configured to detect PHI and PII, and publish them via label policies.
C.Set up retention policies for Exchange, SharePoint, and OneDrive to retain data for 7 years.
D.Enable auditing for all workloads and configure alert policies for unauthorized access.
AnswerB

Auto-labeling provides consistent classification and protection with minimal manual effort.

Why this answer

Option B is correct because sensitivity labels with auto-labeling conditions that detect PHI and PII sensitive information types provide consistent, automated classification and protection across the specified workloads, and publishing the labels also lets users apply them manually (requirement 4). Labels are the foundation the other requirements build on: DLP policies can later use the label as a condition, and retention and auditing address requirements that do not depend on classification. Option A is wrong because DLP policies can block sharing but do not classify or protect the content themselves. Option C is wrong because retention policies handle retention, not classification or protection. Option D is wrong because auditing records activity; it does not classify or protect data.
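An auto-labeling policy of the kind questions 1015 and 1017 describe, as an added example that is not from the exam page: it applies an existing sensitivity label to SharePoint content that matches healthcare-related sensitive information types, starting in simulation mode so matches can be reviewed before the label (and any encryption it carries) is applied automatically. It assumes a Connect-IPPSSession session and that the label 'Confidential - Healthcare' already exists; the two sensitive information types are a constructed approximation of the HIPAA pattern, not the question's exact template, and for the 1017 scenario the policy would also be scoped to Exchange and OneDrive.

```powershell
# Added example, not from the exam page: an auto-labeling policy that applies an existing
# sensitivity label to SharePoint content matching healthcare sensitive information types.
# Assumes Connect-IPPSSession has been run and the sensitivity label already exists
# (auto-labeling policies can only apply labels created beforehand). The SIT names are
# built-in types chosen to approximate the HIPAA pattern; adjust them to your template.

$label      = 'Confidential - Healthcare'
$policyName = 'AutoLabel-PHI-SharePoint'

# Policy: which label, which workload, and the mode. TestWithoutNotifications = simulation only.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $label `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# Rule: the content pattern. An array of SITs means the document matches if it contains ANY
# of them; each entry can carry minCount / minConfidence to cut false positives.
New-AutoSensitivityLabelRule -Name "$policyName-rule" -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)';                      minCount = '1'; minConfidence = '75' },
        @{ Name = 'International Classification of Diseases (ICD-10-CM)';   minCount = '1'; minConfidence = '75' }
    )

# Review the simulation results in the Purview portal, then turn enforcement on. In Enable
# mode the label is applied with no user interaction, and if the label is configured to
# encrypt, the matching documents are encrypted at that point.
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable

Get-AutoSensitivityLabelPolicy -Identity $policyName | Select-Object Name, ApplySensitivityLabel, Mode
```

The simulation step is the practitioner's safeguard: once the policy is in Enable mode, a label that carries encryption changes who can open the matching documents, so the match set should be reviewed before enforcement rather than after.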

1018
MCQhard

A financial services firm uses Microsoft Purview Information Barriers to prevent traders from communicating with investment bankers. A new employee in the trading department cannot access a SharePoint site used for compliance training. What should the administrator do?

A.Add the employee to the 'Traders' Microsoft 365 group.
B.Add the employee to the 'Traders' segment in Microsoft Purview Information Barriers.
C.Use the 'Override' option in the Information Barrier policy.
D.Disable the Information Barrier policy for the trading department.
AnswerB

Assigning the user to the correct segment allows access to permitted sites.

Why this answer

Option B is correct because Information Barriers enforce access through segments; adding the employee to the correct segment allows access to the sites that segment is permitted to use. Option A is wrong because segment membership is defined by Information Barrier segment filters, not by Microsoft 365 group membership. Option C is wrong because overriding the block would bypass the control the policy exists to enforce. Option D is wrong because disabling the policy for the department would remove the barrier between traders and investment bankers entirely.

1019
Multi-Selecteasy

A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?

Select 2 answers
A.Authentication and authorization
B.Identification and accounting
C.Authorization and non-repudiation
D.Confidentiality and integrity
AnswersA, C

Smart card login verifies identity (authentication). Restricting file share access based on department controls what the user can do (authorization).

Why this answer

The smart card login verifies the user's identity, which is authentication. The subsequent restriction to department-specific file shares controls what resources the user can access, which is authorization. Together, these two steps demonstrate the security concepts of authentication (proving who you are) and authorization (determining what you can do).

Exam trap

The trap here is that candidates confuse authentication with identification, or think that authorization alone covers the scenario, but the smart card login explicitly demonstrates authentication as a separate step before authorization is applied.

1020
MCQeasy

A company wants to block users from accessing phishing websites via Microsoft Edge. Which Microsoft security solution should they use?

A.Microsoft Defender for Endpoint
B.Microsoft Purview
C.Microsoft Intune
D.Microsoft Defender SmartScreen
AnswerD

This is the correct answer because Defender SmartScreen provides real-time protection against phishing and malicious websites.

Why this answer

Microsoft Defender SmartScreen protects against phishing and malicious websites in Microsoft Edge. Option D is correct. Option A (Microsoft Defender for Endpoint) is wrong because it is an endpoint detection and response platform; its web protection builds on SmartScreen, but the browser-level phishing block the question asks about is SmartScreen itself. Option B (Microsoft Purview) is wrong because it is for data governance and compliance. Option C (Microsoft Intune) is wrong because it is for device and application management.

1021
MCQhard

A company wants to gain visibility into the use of unsanctioned cloud applications (shadow IT) within their organization. The security team has access to network proxy logs that show traffic to various cloud services. They want to use a Microsoft security solution to analyze these logs and identify which cloud apps are being used, by whom, and how much data is being consumed. Which capability of Microsoft Defender for Cloud Apps should they use?

A.App governance
B.Cloud Discovery
C.Conditional Access App Control
D.App Connectors
Answer: B

Cloud Discovery uses log data to discover and evaluate cloud app usage, helping identify shadow IT and providing insights into usage patterns.

Why this answer

Cloud Discovery in Microsoft Defender for Cloud Apps analyzes network proxy logs (or traffic logs from firewalls and proxies) to identify unsanctioned cloud app usage (shadow IT). It provides visibility into which cloud apps are being used, by which users, and how much data is consumed, directly matching the company's requirement to analyze logs for shadow IT detection.

Exam trap

The trap here is that candidates confuse Cloud Discovery (log analysis for shadow IT discovery) with App Connectors (API-based integration for managed apps), leading them to select App Connectors because they think 'connecting' to apps is needed to see usage.

How to eliminate wrong answers

Option A is wrong because App governance is a feature for monitoring and controlling app permissions and data access within Microsoft 365 (e.g., OAuth apps), not for analyzing network proxy logs to discover unsanctioned cloud apps. Option C is wrong because Conditional Access App Control is a reverse proxy capability that enforces access policies in real time for managed apps, not a log analysis tool for discovering shadow IT. Option D is wrong because App Connectors are used to connect Defender for Cloud Apps to specific cloud apps (e.g., Salesforce, AWS) via APIs for deep visibility and control, not for analyzing network proxy logs to discover unsanctioned apps.

1022
MCQ · hard

An organization's security team needs to investigate a security incident that occurred two months ago. They need to search the unified audit log for specific activities performed by a user, such as file access, email actions, and sign-in events, to understand the scope of the compromise. Which Microsoft Purview solution provides these audit log search capabilities?

A.Microsoft Purview eDiscovery
B.Microsoft Purview Audit
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Communication Compliance
Answer: B

Audit provides the ability to search the unified audit log for historical user and administrator activities across Microsoft 365, meeting the investigation need.

Why this answer

Microsoft Purview Audit (specifically Audit (Standard) or Audit (Premium)) provides the ability to search the unified audit log for activities like file access, email actions, and sign-in events. This solution is designed for forensic investigation of user and admin activity within Microsoft 365, making it the correct choice for investigating a security incident that occurred two months ago.

Exam trap

The trap here is that candidates often confuse eDiscovery (which deals with legal holds and content search) with Audit (which deals with activity logs), leading them to select eDiscovery when the question specifically asks for searching user activities like file access and sign-in events.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview eDiscovery is used for identifying, collecting, and producing electronically stored information (ESI) for legal or regulatory cases, not for searching the unified audit log for user activity. Option C is wrong because Microsoft Purview Data Lifecycle Management focuses on retaining and deleting content based on compliance policies, not on auditing user actions. Option D is wrong because Microsoft Purview Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, sensitive info sharing), not to provide a general audit log search for security incidents.

1023
MCQ · easy

A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?

A.Defense in depth
B.Zero Trust
C.Shared responsibility model
D.CIA triad
Answer: C

The shared responsibility model correctly defines the split of security tasks between the cloud provider and the customer based on the service model (IaaS, PaaS, SaaS). In this SaaS example, the provider handles infrastructure, and the customer handles data and access.

Why this answer

Option C is correct because the scenario explicitly describes a division of security responsibilities between the SaaS provider and the customer. The provider handles physical security, network infrastructure, and application software (security *of* the cloud), while the company manages user accounts, permissions, and data classification (security *in* the cloud). This is the core definition of the shared responsibility model, which is foundational to cloud computing and directly tested in SC-900.

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth or Zero Trust, because all three involve 'security layers' or 'trust boundaries,' but only the shared responsibility model specifically defines the split of security obligations between a cloud provider and a customer.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) applied within a single organization's own environment, not a model for dividing responsibilities between a provider and a customer. Option B is wrong because Zero Trust is a security framework based on 'never trust, always verify' (e.g., continuous authentication, micro-segmentation), not a model for allocating security duties between a cloud provider and a tenant. Option D is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a set of security objectives, not a model that describes how security tasks are split between a provider and a customer.

1024
MCQ · medium

An administrator notices that some users are being prompted for MFA even though they are inside the corporate network. The Conditional Access policy includes a condition for 'All locations' except trusted IPs. What is the most likely cause?

A.The corporate network's public IP address is not added to the trusted IPs list
B.The users have not registered for MFA
C.The users are not assigned to the policy but are in a nested group
D.The Conditional Access policy has session controls enabled
Answer: A

Without trusted IPs, the location is considered untrusted and MFA is required.

Why this answer

If the corporate network's public IP is not added to the trusted IPs list, users inside the network will be prompted for MFA because the location is not recognized as trusted, so Option A is correct. Option B is wrong because MFA registration status doesn't affect whether the prompt appears when the policy requires MFA.

Option C is wrong because if the trusted IP is correctly configured, the location exclusion should work regardless of group nesting. Option D is wrong because session controls don't bypass MFA.

1025
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Purview that help organizations manage compliance? (Choose two.)

Select 2 answers
A.Microsoft Entra ID
B.Data Loss Prevention (DLP)
C.Microsoft Defender for Cloud
D.Insider Risk Management
E.Microsoft Intune
Answers: B, D

DLP helps prevent data leaks.

Why this answer

Option B is correct because Data Loss Prevention is a key compliance capability. Option D is correct because Insider Risk Management helps detect and manage insider risks. Option A is wrong because Microsoft Entra ID is an identity service, not a compliance solution.

Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management solution. Option E is wrong because Microsoft Intune is a device management solution.

1026
MCQ · medium

An organization uses Exchange Online and is concerned about phishing attacks that include malicious hyperlinks. They need a security solution that checks URLs at the time a user clicks them and blocks access to known malicious or suspicious websites. The solution must also provide real-time reputation analysis for link clicks. Which Microsoft security solution should they enable?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
Answer: B

Microsoft Defender for Office 365 includes Safe Links and Safe Attachments to protect users from malicious content in email and Office apps. Safe Links specifically provides time-of-click protection for URLs.

Why this answer

Microsoft Defender for Office 365 (MDO) provides Safe Links, a feature specifically designed to protect against phishing attacks by scanning URLs at the time of click. It performs real-time reputation analysis against Microsoft's threat intelligence to block access to known malicious or suspicious websites. This directly addresses the requirement for click-time URL verification and blocking.

Exam trap

The trap here is that candidates confuse endpoint security (Defender for Endpoint) with email security (Defender for Office 365), overlooking that the question explicitly mentions Exchange Online and click-time URL analysis, which is a core Safe Links feature of MDO.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint device protection (antivirus, EDR, attack surface reduction) and does not include click-time URL scanning for Exchange Online emails. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB that provides visibility and control over cloud app usage, not real-time link click protection for email. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not an inline email security feature for URL reputation analysis.

1027
MCQ · medium

A company wants to monitor internal communications for inappropriate content such as harassment or threats, and also prevent employees from accidentally sharing credit card numbers via email. Which combination of Microsoft Purview solutions should they use?

A.Use Communication Compliance for both detecting harassment and preventing credit card sharing
B.Use Data Loss Prevention (DLP) for both detecting harassment and preventing credit card sharing
C.Use Communication Compliance for harassment detection and DLP for preventing sharing of credit card numbers
D.Use eDiscovery for both harassment detection and data leak prevention
Answer: C

Correct. Communication Compliance handles detection of inappropriate content like harassment, while DLP policies prevent unauthorized sharing of sensitive data such as credit card numbers.

Why this answer

Communication Compliance is designed to detect and investigate inappropriate internal communications (e.g., harassment, threats) by analyzing messages against customizable policies. Data Loss Prevention (DLP) is purpose-built to identify and prevent the accidental sharing of sensitive data, such as credit card numbers, by scanning content for predefined patterns (e.g., regex for credit card formats) and enforcing policy actions like blocking the email. Together, they address the two distinct requirements: Communication Compliance for behavioral monitoring and DLP for data protection.

Exam trap

The trap here is that candidates often confuse the overlapping capabilities of Communication Compliance and DLP, assuming one tool can handle both behavioral monitoring and data protection, when in fact each is specialized for a distinct compliance domain.

How to eliminate wrong answers

Option A is wrong because Communication Compliance is not designed to prevent the sharing of sensitive data like credit card numbers; it focuses on communication surveillance and policy violations, not data leak prevention actions. Option B is wrong because DLP is not intended for detecting harassment or threats in communications; it scans for sensitive data patterns (e.g., credit card numbers, PII) and enforces data handling policies, not behavioral monitoring. Option D is wrong because eDiscovery is used for legal discovery and holds, not for real-time monitoring or prevention of harassment or data leaks; it is an investigation tool, not a proactive compliance solution.

1028
MCQ · easy

A company needs to automatically detect and protect sensitive information such as credit card numbers in emails sent from Exchange Online and documents stored in SharePoint Online. They want to create policies that can block emails if such data is detected, and also automatically encrypt documents with specific labels. Which Microsoft Purview solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Loss Prevention
C.Microsoft Purview Audit
D.Microsoft Purview Compliance Manager
Answer: B

Correct. DLP policies can detect sensitive information types (e.g., credit card numbers) and automatically apply actions such as blocking email delivery or encrypting documents at rest.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to automatically detect sensitive information (e.g., credit card numbers) in Exchange Online emails and SharePoint Online documents, and then enforce protective actions such as blocking email transmission or applying encryption labels. DLP policies use sensitive information types and policy tips to identify and remediate data exposure risks across these workloads.

Exam trap

The trap here is that candidates often confuse Information Protection (labeling/encryption) with DLP (detection and enforcement), but DLP is the engine that triggers the protective actions, while Information Protection provides the labels and encryption mechanisms that DLP can apply.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting data at rest (e.g., applying sensitivity labels) but does not natively include the automated detection and blocking of sensitive data in transit or the enforcement of DLP actions like email blocking. Option C is wrong because Microsoft Purview Audit is solely for logging and investigating user and admin activities, not for detecting or protecting sensitive data in real time. Option D is wrong because Microsoft Purview Compliance Manager is a risk assessment and compliance management tool that helps track regulatory compliance posture, not a solution for detecting or protecting sensitive content in emails or documents.

1029
Multi-Select · easy

A company wants to use Microsoft Intune to manage devices. Which TWO capabilities does Intune provide?

Select 2 answers
A.Mobile device management (MDM)
B.Compliance assessment for cloud resources
C.Endpoint detection and response
D.Mobile application management (MAM)
E.Identity and access management
Answers: A, D

Correct: Core feature.

Why this answer

Intune provides mobile device management (MDM) and mobile application management (MAM). Endpoint detection and response comes from Microsoft Defender for Endpoint, compliance assessment for cloud resources comes from Microsoft Defender for Cloud, and identity and access management comes from Microsoft Entra ID.

1030
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which policy should you configure?

A.Device compliance policy in Microsoft Intune
B.Enrollment restrictions in Microsoft Intune
C.App protection policy in Microsoft Intune
D.Conditional Access policy in Microsoft Entra ID
Answer: D

Conditional Access enforces access controls based on device compliance.

Why this answer

Conditional Access policies in Microsoft Entra ID evaluate signals such as device compliance status from Intune before granting access to cloud apps like Exchange Online. By configuring a Conditional Access policy that requires device compliance, only devices marked as compliant by Intune can access corporate email. This is the correct mechanism because Conditional Access acts as the gatekeeper that enforces the compliance requirement at the authentication and authorization layer.

Exam trap

The trap here is that candidates often confuse the policy that defines compliance (Intune Device Compliance) with the policy that enforces access based on that compliance (Entra ID Conditional Access), leading them to pick Option A instead of D.

How to eliminate wrong answers

Option A is wrong because a Device compliance policy in Microsoft Intune defines the security requirements (e.g., encryption, OS version) and marks a device as compliant or non-compliant, but it does not enforce access control to corporate email on its own. Option B is wrong because Enrollment restrictions in Microsoft Intune control which devices can enroll into management (e.g., by platform or manufacturer), not whether already enrolled devices can access email. Option C is wrong because App protection policies in Microsoft Intune manage data protection within apps (e.g., preventing copy/paste or requiring PIN) but do not evaluate device compliance or block access to email based on the device's overall compliance state.

1031
MCQ · easy

A company wants to collect security logs from on-premises servers, cloud applications, and network devices into a central repository, and then use advanced analytics to detect threats and automate incident response. Which Microsoft security solution should they deploy?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender
D.Azure Firewall
Answer: A

Microsoft Sentinel provides SIEM and SOAR capabilities, allowing centralized log collection, threat detection, and automated response across hybrid environments.

Why this answer

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It collects security logs from diverse sources like on-premises servers, cloud apps, and network devices into a central Log Analytics workspace, then uses built-in analytics and machine learning to detect threats and automate incident response via playbooks.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel (a SIEM/SOAR) with Microsoft Defender for Cloud (a CSPM/CWPP), thinking both do log collection and threat detection, but only Sentinel provides a unified SIEM repository with advanced analytics and automated response across hybrid and multi-cloud sources.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), not a SIEM; it focuses on assessing and hardening cloud resources, not central log collection and advanced threat analytics across hybrid environments. Option C is wrong because Microsoft 365 Defender is an Extended Detection and Response (XDR) solution that correlates signals across Microsoft 365 products (e.g., Defender for Endpoint, Defender for Office 365), but it does not ingest logs from third-party network devices or on-premises servers into a single SIEM repository. Option D is wrong because Azure Firewall is a managed network firewall service that filters traffic based on rules; it provides logging for its own traffic but cannot aggregate logs from multiple sources or perform threat detection analytics.

1032
MCQ · medium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Teams for collaboration. The security team needs to ensure that guest users invited to Teams channels are required to pass multi-factor authentication (MFA) before accessing company resources. Currently, guest users are invited via Entra ID External ID but MFA is not enforced. You need to enforce MFA for all guest users. The solution should apply to all guest users across all applications. What should you configure?

A.Create a Conditional Access policy in Entra ID that targets all guest users and requires MFA
B.Set the guest user access level in Teams to allow only authenticated users
C.Configure Entra ID External ID to require MFA for all external users
D.Enable MFA for each guest user account individually
Answer: A

Conditional Access policies can be scoped to guest users and require MFA for all apps.

Why this answer

Option A is correct because a Conditional Access policy targeting all guest users and requiring MFA is the standard way to enforce MFA for guests across applications. Option B is wrong because a Teams guest access setting does not enforce MFA. Option C is wrong because it adds a step for all external users, which is broader than needed.

Option D is wrong because per-user MFA is deprecated and less flexible.

1033
MCQ · medium

An organization uses Microsoft Intune to manage devices. They want to ensure that only devices that are compliant with security policies (e.g., encryption enabled, latest patches) can access corporate email. Which Microsoft Entra feature should they use to enforce this requirement?

A.Conditional Access in Microsoft Entra ID
B.Microsoft Defender for Endpoint
C.Device compliance policies in Microsoft Intune
D.Azure AD Join
Answer: A

Conditional Access can block or allow access based on device compliance status.

Why this answer

Conditional Access policies can require that devices be marked as compliant by Intune before granting access, so Option A is correct. Option C is wrong because device compliance policies in Intune set the compliance state but do not enforce access. Option D is wrong because Azure AD Join establishes a device identity; it is not an access enforcement mechanism.

Option B is wrong because Microsoft Defender for Endpoint provides threat detection, not access control.

1034
MCQ · medium

A financial services company uses Microsoft Purview to manage compliance. They need to automatically apply a 'Confidential' label to all documents containing financial data in SharePoint. What should they configure?

A.Auto-labeling policy for sensitivity labels
B.Data classification dashboard
C.Trainable classifiers for manual labeling
D.Data Loss Prevention (DLP) policy
Answer: A

Auto-labeling applies labels automatically based on content.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types. Option C is wrong because manual labeling requires user action. Option D is wrong because DLP detects sensitive data but does not apply labels.

Option B is wrong because the data classification dashboard provides visibility, not automatic labeling.

1035
MCQ · medium

A company has discovered that many account compromise attacks are using legacy authentication protocols (e.g., IMAP, POP3, SMTP) which do not support multi-factor authentication. They want to block all sign-ins that use these protocols to reduce risk. Which Microsoft Entra ID feature should they use to enforce this block?

A.Conditional Access
B.Identity Protection
C.Azure AD Application Proxy
D.Privileged Identity Management (PIM)
Answer: A

Correct. A Conditional Access policy can be configured to block all sign-ins from legacy authentication protocols by targeting the 'Other clients' app type and setting the access control to block.

Why this answer

Conditional Access policies in Microsoft Entra ID can be configured to block access from legacy authentication protocols (such as IMAP, POP3, and SMTP) by targeting the 'Client apps' condition. Since these protocols do not support modern authentication methods like MFA, blocking them directly reduces the attack surface for account compromise. This is the correct feature to enforce the block.

Exam trap

The trap here is that candidates may confuse Identity Protection's risk-based policies with Conditional Access's protocol-level controls, assuming that blocking legacy authentication is a risk-detection feature rather than a conditional access rule.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is designed to detect and respond to risky sign-ins and users (e.g., leaked credentials, anonymous IP addresses), not to block specific authentication protocols. Option C (Azure AD Application Proxy) is wrong because it provides secure remote access to on-premises web applications, not control over authentication protocols. Option D (Privileged Identity Management) is wrong because it manages just-in-time privileged access and role activation, not the blocking of legacy authentication protocols.

1036
Multi-Select · hard

Which TWO of the following are capabilities of Microsoft Defender for Office 365?

Select 2 answers
A.Scan email attachments in a sandbox environment before delivery
B.Protect against spear-phishing attacks using impersonation protection
C.Enforce device compliance policies for mobile devices
D.Place a legal hold on mailboxes for eDiscovery
E.Monitor user behavior for compromised accounts
Answers: A, B

Safe Attachments does this.

Why this answer

Option A is correct because Microsoft Defender for Office 365 includes Safe Attachments, which detonates email attachments in a virtual sandbox environment before delivery to the user's mailbox. This allows the service to analyze the file for malicious behavior without risking the recipient's device. Option B is correct because Defender for Office 365 anti-phishing policies include impersonation protection, which flags messages that pose as trusted users or domains in spear-phishing attacks.

Exam trap

The trap here is that candidates confuse the broader Microsoft 365 Defender suite (which includes Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps) with the specific capabilities of Defender for Office 365 alone, leading them to select features like UEBA or device compliance that belong to other security products.

1037
MCQ · medium

Your organization uses Microsoft Purview Records Management to manage high-value records that must not be deleted. You need to apply a label that marks content as a regulatory record. What label type should you use?

A.Data loss prevention policy
B.Retention label configured for regulatory records
C.Retention label configured for record
D.Sensitivity label
Answer: B

Regulatory records provide the highest level of protection, preventing deletion and modification.

Why this answer

Option B is correct because regulatory records are a specific disposition type, and a retention label configured for regulatory records is what marks content as one. Option C is wrong because a retention label configured for record allows different actions and a lower level of restriction. Option D is wrong because sensitivity labels classify content but don't manage records.

Option A is wrong because DLP is not for records management.

1038
MCQ · hard

An organization has a Microsoft Purview Data Lifecycle Management policy that retains all documents for 5 years. However, legal requires that documents related to a specific lawsuit be preserved indefinitely. What should you do?

A.Configure information barriers
B.Place the relevant sites on litigation hold
C.Apply a retention label with indefinite retention
D.Create a DLP policy to block deletion
Answer: B

Litigation hold preserves content indefinitely for legal purposes.

Why this answer

Option B is correct because a litigation hold in eDiscovery (Premium) preserves content indefinitely, overriding retention policies. Option C is wrong because retention labels are for scheduled retention, not indefinite preservation. Option D is wrong because DLP policies do not preserve content.

Option A is wrong because information barriers restrict communication; they do not preserve data.

1039
MCQ · hard

The exhibit shows a Conditional Access policy named 'Block Legacy Auth'. The admin notices that the policy is not blocking legacy authentication as intended. Based on the output, what is the most likely reason?

A.The policy name is incorrect.
B.The policy does not have any client app types configured to block.
C.The policy is assigned to no users.
D.The policy is disabled.
Answer: B

ClientAppTypes is empty, so the policy does not target any client apps.

Why this answer

The policy is not blocking legacy authentication because it lacks configured client app types. Conditional Access policies require explicit selection of client apps (e.g., Exchange ActiveSync, other clients) to target legacy authentication protocols like POP3, IMAP, and SMTP. Without this configuration, the policy has no conditions to enforce, so it cannot block any authentication attempts.

Exam trap

The trap here is that candidates assume a Conditional Access policy with 'Block access' grant will automatically block all authentication, but they overlook the critical requirement to explicitly configure client app types to cover legacy protocols.

How to eliminate wrong answers

Option A is wrong because the policy name is irrelevant to its functionality; Conditional Access policies enforce based on conditions and controls, not names. Option C is wrong because the policy is assigned to 'All users' as shown in the exhibit, so user assignment is not the issue. Option D is wrong because the policy is enabled (status 'On' in the exhibit), so a disabled state is not the reason for failure.

1040
MCQ · easy

An organization wants to allow users to sign in using their mobile phone number and a verification code. Which Microsoft Entra ID feature enables this?

A.FIDO2 security keys
B.App passwords
C.SMS-based authentication
D.Password hash synchronization
Answer: C

SMS-based authentication uses phone number for sign-in.

Why this answer

Microsoft Entra ID supports SMS-based authentication, so Option C is correct. Option A (FIDO2 security keys) uses hardware keys, not a phone number.

Option D (Password hash synchronization) is for syncing password hashes from on-premises Active Directory. Option B (App passwords) is for legacy apps that cannot handle MFA.

1041
Multi-Select · medium

Which THREE components are part of Microsoft Entra Permissions Management (CIEM)?

Select 3 answers
A.Activity trail
B.Audit trail
C.Identity Protection
D.Access reviews
E.Permissions Analytics Report
Answers: A, B, E

Tracks user and resource activity.

Why this answer

Activity trail (A) is correct because Microsoft Entra Permissions Management (CIEM) captures a detailed log of all user actions and resource access events across multi-cloud environments (AWS, Azure, GCP). This trail is essential for forensic analysis and identifying anomalous behavior, directly supporting the CIEM goal of providing visibility into permissions usage. Audit trail (B) is correct because Permissions Management also keeps a queryable audit record of permission and access changes for investigation. Permissions Analytics Report (E) is correct because it summarizes permission risk findings, such as over-provisioned identities, across the connected cloud environments.

Exam trap

The trap here is that candidates confuse the CIEM components (Activity trail, Audit trail, Permissions Analytics Report) with broader Microsoft Entra features like Identity Protection or Access reviews, which serve different governance and security functions.

1042
MCQ · hard

Your organization uses Microsoft Purview to classify sensitive data. You need to create a custom sensitive information type that detects employee IDs matching the pattern 'EMP-XXXXX' (where X is a digit). Which rule pack element must you define?

A.Keyword list
B.Regular expression
C.Data store reference
D.Function
Answer: B

A regex pattern can detect the 'EMP-XXXXX' pattern.

Why this answer

Option B is correct because a regular expression is used to define custom patterns in sensitive information types. Option A is incorrect because a keyword list matches exact keywords. Option D is incorrect because a function refers to built-in functions.

Option C is incorrect because a data store reference is for external data sources.

1043
Multi-Select · medium

Which TWO capabilities are provided by Microsoft Entra Identity Protection?

Select 2 answers
A.Enforcing session timeouts for applications
B.Self-service password reset
C.Detecting sign-in risks such as anonymous IP addresses
D.Automatically remediating risk by blocking sign-ins
E.Managing privileged role assignments
Answers: C, D

Identity Protection detects various sign-in risks.

Why this answer

Microsoft Entra Identity Protection provides risk detection capabilities, including the ability to detect sign-in risks such as sign-ins from anonymous IP addresses (e.g., Tor browser). This is a core feature that allows organizations to identify potentially compromised credentials or malicious sign-in attempts based on real-time signals. Option D is correct because Identity Protection can automatically remediate detected risk through risk-based policies, for example blocking a sign-in when the sign-in risk level is high.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk detection and automated remediation with other Entra features like Conditional Access (session controls) or Privileged Identity Management (role assignments), leading them to select options that describe those separate services.

1044
MCQeasy

A company uses Microsoft 365 and wants to protect its users from clicking malicious links in phishing emails. The security team needs a solution that rewrites URLs in email messages to check the link at the time of click, and blocks access if the link is malicious. Which Microsoft security solution should they use?

A.Azure Firewall
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Identity
AnswerB

Microsoft Defender for Office 365 provides Safe Links and Safe Attachments features to protect against malicious links and attachments in emails and Office documents. Safe Links rewrites URLs and checks them at click time.

Why this answer

Microsoft Defender for Office 365 includes Safe Links, a feature specifically designed to protect users from malicious URLs in email messages. Safe Links rewrites URLs at the time of delivery, and when a user clicks a link, it checks the destination in real time against threat intelligence; if the link is malicious, access is blocked. This directly matches the requirement to rewrite URLs and perform click-time verification.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which includes Safe Links and Safe Attachments for email security) with Microsoft Defender for Endpoint (which protects devices) or Azure Firewall (which protects network traffic), leading them to select a solution that does not address the specific email URL rewriting requirement.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a network-layer firewall that filters traffic based on IP addresses, ports, and protocols; it does not rewrite URLs in email messages or perform click-time link inspection. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and vulnerability management on devices; it does not rewrite URLs in email or provide click-time URL protection. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks (e.g., lateral movement, privilege escalation); it does not inspect or rewrite URLs in email messages.

1045
MCQmedium

A law firm needs to retain client documents for 10 years after case closure, but automatically delete drafts after 30 days. Which two Microsoft Purview solutions should be combined?

A.Microsoft Purview Data Loss Prevention and eDiscovery
B.Microsoft Purview eDiscovery and Audit
C.Microsoft Purview Audit and Data Loss Prevention
D.Microsoft Purview Records Management and Data Lifecycle Management
AnswerD

Records Management for regulatory records and Data Lifecycle Management for non-records.

Why this answer

Option D is correct because Records Management handles retention for records (client documents), and Data Lifecycle Management handles retention for non-record content (drafts). Options A, B, and C are wrong because none of them provides retention: eDiscovery is for search, Audit logs events, and DLP is for protection.

1046
MCQeasy

Your company wants to use Microsoft Defender for Identity to detect security threats from on-premises Active Directory. What is a prerequisite for deploying Defender for Identity?

A.Obtain Microsoft 365 E3 licenses
B.Install a sensor on each user's workstation
C.Install a sensor on a domain controller
D.Configure Azure AD Connect
AnswerC

The sensor monitors domain controller traffic to detect threats.

Why this answer

Microsoft Defender for Identity requires its sensor to be installed on a domain controller or AD FS server, so Option C is correct. Option B is wrong because the sensor must be installed on a domain controller, not on each user's workstation. Option D is wrong because Azure AD Connect sync is not required. Option A is wrong because a Microsoft 365 E5 license is needed rather than E3, and licensing alone does not deploy the sensor, which is installed on DCs.

1047
MCQeasy

Your organization uses Microsoft Entra ID to manage user identities. A new employee named John joins the company and needs access to Microsoft 365 apps. You want to ensure John's identity is verified using a phone call. Which authentication method should you configure?

A.Time-based one-time password (TOTP)
B.Email one-time passcode
C.Text message (SMS)
D.Phone call (voice call)
E.FIDO2 security key
AnswerD

Phone call is a supported authentication method for user verification.

Why this answer

The question explicitly requires verification using a phone call. The Phone call (voice call) authentication method in Microsoft Entra ID delivers an automated voice call to the user's registered phone number, prompting them to press a key to confirm their identity. This directly matches the requirement, making D the correct choice.

Exam trap

The trap here is that candidates may confuse 'phone call' with 'text message (SMS)' because both involve a phone, but the question explicitly specifies 'phone call (voice call)', not a text-based code delivery.

How to eliminate wrong answers

Option A is wrong because Time-based one-time password (TOTP) uses a software or hardware token to generate a code, not a phone call. Option B is wrong because Email one-time passcode sends a code via email, which is not a phone-based voice call. Option C is wrong because Text message (SMS) delivers a code via text, not a voice call.

Option E is wrong because FIDO2 security key is a hardware-based passwordless authentication method that uses public-key cryptography, not a phone call.

1048
MCQeasy

Your organization needs to monitor Microsoft Teams chats for inappropriate language and alert compliance officers. Which Microsoft Purview solution should you implement?

A.Communication Compliance
B.eDiscovery
C.Auditing
D.Information Protection
AnswerA

Communication Compliance detects policy violations in communications.

Why this answer

Option A is correct because Communication Compliance is designed to detect offensive language in communications. Option D is wrong because Information Protection classifies data. Option C is wrong because Auditing tracks activities. Option B is wrong because eDiscovery is for legal investigations.

1049
MCQhard

An organization needs to automatically apply a 'Highly Confidential' sensitivity label to all documents that contain a specific custom sensitive information type. The label should be applied when the document is created or modified. Which feature of Microsoft Purview Information Protection should be used?

A.Manual sensitivity labeling
B.Data Loss Prevention (DLP) policies
C.Auto-labeling policies
D.Communication Compliance policies
AnswerC

Auto-labeling policies automatically apply labels based on conditions.

Why this answer

Auto-labeling policies in Microsoft Purview Information Protection can automatically apply sensitivity labels based on conditions, including custom sensitive information types, when documents are created or modified. Manual labeling requires user action. DLP blocks sharing but does not apply labels.

Communication Compliance monitors communications.

1050
MCQmedium

Your organization uses Microsoft Entra ID P2 and wants to reduce the risk of identity compromise by requiring multifactor authentication (MFA) for all users, but excluding users when they are on the corporate network. Which policy type should you configure?

A.Conditional Access policy
B.Self-service password reset (SSPR) policy
C.Identity Protection risk policy
D.Privileged Identity Management (PIM) activation policy
AnswerA

Conditional Access can require MFA for all users except when from trusted IPs (corporate network).

Why this answer

Conditional Access policies allow you to enforce MFA based on network location, user, and device conditions. Option A is correct because the policy can target all users and exclude trusted IPs (the corporate network). Option C is wrong because Identity Protection detects risk but does not directly enforce MFA by location. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time access for privileged roles, not general MFA. Option B is wrong because self-service password reset (SSPR) does not enforce MFA.
