Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 1051-1125

1411 questions total · 19 pages · All types, answers revealed

Page 15 of 19

1051
MCQ · medium

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) to protect credit card numbers. You need to ensure that when a user attempts to share a document containing a credit card number via email, the email is blocked and the user receives a policy tip. Which action should you configure in the DLP policy?

A. Notify user
B. Audit only
C. Block with user notification
D. Block override
Answer: C

Block with user notification prevents the email and shows a policy tip.

Why this answer

In Microsoft Purview DLP, the 'Block' action with user notification sends a policy tip and blocks the email. 'Block override' allows the user to override the block with a justification. 'Audit only' logs the activity without blocking. 'Notify user' sends an email but does not block. Option C is correct because it blocks the email and shows a policy tip.

1052
Multi-Select · medium

Which THREE actions can be performed using a Microsoft Purview Data Loss Prevention (DLP) policy?

Select 3 answers
A. Notify users via policy tip when they try to share sensitive data
B. Block sharing of sensitive data with external users
C. Automatically retain emails for 7 years
D. Encrypt emails containing sensitive data
E. Apply a sensitivity label automatically
Answers: A, B, E

DLP provides policy tips.

Why this answer

Options A, B, and E are correct. DLP policies can notify users with policy tips, block sharing of sensitive data, and automatically apply sensitivity labels. Option C is wrong because automatic retention is managed by retention policies, not DLP.

Option D is wrong because encryption is applied by sensitivity labels, not DLP directly.

1053
Multi-Select · hard

A SOC analyst is investigating a potential security incident in Microsoft Sentinel. Which three are valid methods to gather additional context about a user entity? (Choose three.)

Select 3 answers
A. Create an automation rule to assign the incident
B. Run an advanced hunting query in Microsoft 365 Defender
C. Open the entity page for the user in Microsoft Sentinel
D. Add the user to a watchlist
E. Run a playbook that queries external threat intelligence sources
Answers: B, C, E

Advanced hunting allows deep search across data sources.

Why this answer

Options B, C, and E are correct because advanced hunting, entity pages, and playbooks provide context. Option D is wrong because watchlists are static and not for investigation. Option A is wrong because automation rules are for incident handling, not investigation.

1054
Multi-Select · medium

Which THREE capabilities are provided by Microsoft Defender for Cloud? (Choose three.)

Select 3 answers
A. Security recommendations for resources
B. Just-in-Time (JIT) VM access
C. Vulnerability assessment for virtual machines
D. Regulatory compliance assessment
E. Cloud Security Posture Management (CSPM)
Answers: A, C, E

Correct: Provides recommendations to improve security.

Why this answer

Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM), vulnerability assessment for VMs, and security recommendations. Option B (Just-in-Time VM access) is also a capability, but it is part of the broader Defender for Cloud workload protection. The question asks for core capabilities; CSPM, vulnerability assessment, and security recommendations are core.

Option D (regulatory compliance assessment) is also a feature, but the three most common are A, C, and E.

1055
MCQ · medium

A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: D

Non-repudiation specifically addresses the inability to deny an action. Digital signatures provide cryptographic proof of origin and consent, ensuring the sender cannot deny sending the message.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA) to bind a signer's identity to a message. The signature is created with the sender's private key and verified with their public key, providing cryptographic proof of origin. This directly enforces non-repudiation because the sender cannot plausibly deny having signed the message, as only they possess the private key.

Exam trap

The trap here is that candidates often confuse digital signatures with encryption, assuming they primarily provide confidentiality, when in fact signatures focus on authentication and non-repudiation, while encryption (e.g., using the recipient's public key) is what ensures confidentiality.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not digital signatures. Option B is wrong because integrity ensures data has not been altered, which digital signatures also provide via hashing, but the question specifically asks about preventing denial of sending, which is non-repudiation. Option C is wrong because availability ensures systems and data are accessible when needed, often via redundancy or failover, and is unrelated to sender identity or signature verification.

1056
MCQ · easy

An organization uses Microsoft 365 Defender and wants to automate the investigation and response to common email-based phishing attacks. They want the system to automatically take actions such as deleting malicious emails from user inboxes across the organization after analysis. Which Microsoft 365 Defender component provides this automated capability?

A. Azure AD Identity Protection
B. Microsoft Defender for Office 365
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps
Answer: B

This solution protects against email threats and includes automated investigation and response for phishing attacks.

Why this answer

Microsoft Defender for Office 365 includes automated investigation and response (AIR) capabilities specifically designed for email-based threats like phishing. When a phishing email is detected, AIR can automatically trigger remediation actions—such as soft-deleting or hard-deleting the malicious message from user mailboxes—based on predefined playbooks, without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, mistakenly thinking endpoint protection can handle email threats, but only Defender for Office 365 includes the email-specific automated investigation and response (AIR) engine.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection focuses on detecting and responding to identity-based risks (e.g., compromised credentials, sign-in anomalies) and does not have the ability to delete emails from user inboxes. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (devices) from malware and advanced attacks, not to analyze or remove emails from mailboxes. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs cloud application usage and data protection, but it does not provide automated email remediation for phishing attacks.

1057
Multi-Select · medium

Your organization uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. Which two actions can be taken to improve the Secure Score? (Choose two.)

Select 2 answers
A. Delete unused Azure resources to simplify management
B. Disable diagnostic logging for storage accounts
C. Implement security recommendations by remediating unhealthy resources
D. Disable non-critical virtual machines to reduce attack surface
E. Enable Microsoft Defender for Cloud plans for all supported resource types
Answers: C, E

Remediating recommendations directly increases Secure Score.

Why this answer

Options C and E are correct because implementing recommendations and enabling Defender plans improve Secure Score. Option D is wrong because disabling VMs reduces attack surface but does not improve the score. Option A is wrong because removing resources may reduce the score.

Option B is wrong because disabling logging reduces visibility.

1058
MCQ · hard

Refer to the exhibit. You are configuring a sensitivity label in Microsoft Purview. The label is set to automatically apply when credit card numbers are detected. However, users report that the label is not being applied to documents containing credit card numbers. What is the most likely cause?

A. The encryption is misconfigured
B. The label is not published to a label policy
C. The auto-labeling condition is incorrect
D. The user permissions are missing
Answer: B

Labels must be published via a label policy to be applied automatically.

Why this answer

Option B is correct because, although the auto-labeling rule has its condition configured, the label still has to be published to users through a label policy, and the exhibit shows no policy assignment. The most likely cause is therefore that the label is not published to a label policy (option B).

Option A is incorrect because encryption is configured. Option C is incorrect because the condition is valid. Option D is incorrect because user permissions are defined.

1059
MCQ · hard

Your organization, Contoso Ltd., has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are deploying Microsoft Defender for Identity (MDI) to protect against identity-based attacks. You have installed the MDI sensor on domain controllers and configured the service with the necessary permissions. After installation, you notice that MDI is not generating alerts for pass-the-hash attacks. You have verified that the sensors are healthy and that audit policies are correctly configured. You need to ensure that MDI can detect pass-the-hash attacks. What should you do?

A. Enable password hash synchronization in Microsoft Entra Connect
B. Install the Azure ATP agent on all servers
C. Enable Kerberos event logging on domain controllers
D. Configure multi-factor authentication for all users
Answer: A

PHS is required for MDI to detect pass-the-hash attacks.

Why this answer

Option A is correct because enabling password hash synchronization (PHS) in Entra Connect allows MDI to analyze NTLM hashes and detect pass-the-hash attacks. Option D is wrong because configuring MFA does not affect MDI detection. Option C is wrong because Kerberos logging is not required for pass-the-hash detection.

Option B is wrong because Azure ATP is the legacy name for MDI; the MDI sensor is already installed.

1060
MCQ · easy

Your company uses Microsoft 365 E5 and wants to provide a unified security dashboard showing alerts from endpoints, email, identity, and cloud apps. Which solution should you use?

A. Microsoft Defender XDR portal (security.microsoft.com)
B. Microsoft Sentinel
C. Microsoft Intune admin center
D. Microsoft Purview Compliance Portal
Answer: A

The XDR portal provides a unified view of alerts from endpoints, email, identity, and cloud apps.

Why this answer

Option A is correct because Microsoft Defender XDR (formerly Microsoft 365 Defender) provides a unified dashboard for alerts across domains. Option B is wrong because Microsoft Sentinel is a SIEM that ingests logs but is not a simple dashboard. Option D is wrong because Microsoft Purview is for compliance.

Option C is wrong because Microsoft Intune is for device management.

1061
MCQ · easy

Your organization needs to audit all changes to sensitive files in SharePoint Online for at least 180 days. Which Microsoft Purview feature should be enabled?

A. Microsoft Purview eDiscovery
B. Microsoft Purview Audit (Premium)
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Data Lifecycle Management
Answer: B

Audit (Premium) provides extended retention up to 1 year.

Why this answer

Microsoft Purview Audit (Standard) retains audit logs for 90 days, but Audit (Premium) can retain them for up to 1 year (or longer via custom retention). Option C is wrong because DLP does not audit changes. Option A is wrong because eDiscovery is for searching, not auditing.

Option D is wrong because Data Lifecycle Management is for retention of content, not logs.

1062
MCQ · medium

A company uses Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that provides a continuous assessment of security posture, a regulatory compliance dashboard for NIST SP 800-53, and integrated threat detection for hybrid workloads (e.g., brute force attacks on SSH). Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Microsoft Sentinel
Answer: A

Defender for Cloud offers unified CSPM and threat protection for hybrid environments, including a regulatory compliance dashboard with built-in standards like NIST SP 800-53.

Why this answer

Microsoft Defender for Cloud is the correct choice because it provides continuous assessment of security posture (via the Secure Score), a regulatory compliance dashboard with built-in standards like NIST SP 800-53, and integrated threat detection for hybrid workloads, including brute force attacks on SSH for Azure VMs and on-premises servers. It unifies these capabilities across IaaS, on-premises, and other cloud environments, making it the single solution the security team needs.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (which covers infrastructure security posture and threat detection for workloads) with Microsoft Sentinel (a SIEM), but Sentinel requires manual configuration of data connectors and workbooks to achieve the same compliance dashboard and does not provide continuous posture assessment out of the box.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, app permissions, and data protection for SaaS applications, not on infrastructure-level security posture or compliance dashboards for NIST SP 800-53. Option C (Microsoft Defender for Identity) is wrong because it is an identity-based threat detection solution that monitors on-premises Active Directory signals (e.g., Kerberos, NTLM) for attacks like pass-the-hash, not for brute force attacks on SSH or VM-level security posture. Option D (Microsoft Sentinel) is wrong because it is a Security Information and Event Management (SIEM) solution that ingests logs from multiple sources for advanced analytics and incident response, but it does not natively provide a continuous security posture assessment or a built-in regulatory compliance dashboard for NIST SP 800-53 without additional workbooks and configurations.

1063
MCQ · hard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the most likely purpose of this query?

A. To identify successful logins after multiple failures
B. To detect privilege escalation events
C. To detect accounts that have been locked out
D. To identify potential brute-force attack attempts
Answer: D

A high number of failed logins from a single account is a common sign of brute-force attacks.

Why this answer

Option D is correct because the query counts failed login events (EventID 4625) per account and computer, filtering for accounts with more than 10 failures, which indicates a potential brute-force attack. Option C is wrong because the query does not check for account lockouts. Option A is wrong because the query does not check for successful logins.

Option B is wrong because the query does not check for privilege escalation.

1064
MCQ · medium

A security operations team needs to protect their organization's Windows 10 and Windows 11 devices from advanced persistent threats (APTs), ransomware, and fileless malware. They also require a centralized dashboard to view device security posture, investigate incidents, and perform proactive threat hunting using advanced queries. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: A

Defender for Endpoint provides comprehensive endpoint protection, including EDR, threat hunting, and a centralized security operations console for Windows devices.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities specifically designed to protect Windows 10 and Windows 11 devices against advanced persistent threats (APTs), ransomware, and fileless malware. It includes a centralized dashboard (Microsoft 365 Defender portal) for viewing device security posture, investigating incidents, and performing proactive threat hunting using advanced hunting queries based on Kusto Query Language (KQL).

Exam trap

The trap here is that candidates often confuse the scope of each Defender product, mistakenly selecting Defender for Office 365 or Defender for Identity because they see 'threat protection' in the question, but fail to recognize that the requirement specifically mentions endpoint devices (Windows 10/11) and advanced hunting queries, which are exclusive to Defender for Endpoint.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, OneDrive, and Teams from threats like phishing and malware, not on endpoint device protection or advanced hunting for APTs and fileless malware. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks (e.g., pass-the-hash, Kerberoasting), not endpoint device security posture or fileless malware on Windows 10/11. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications and data, not Windows endpoints, and does not provide device-level advanced hunting or EDR capabilities.

1065
MCQ · hard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email, but allow sharing via Microsoft Teams messages. What should they configure?

A. Create a DLP policy scoped to Exchange Online with a block action, and a separate DLP policy scoped to Teams with an audit-only action
B. Create a single DLP policy that blocks credit card numbers in both Exchange and Teams
C. Configure an exception in the DLP policy for Teams using a rule exception
D. Use Microsoft Purview Insider Risk Management to block sharing in Teams
Answer: A

This allows blocking in email while only auditing in Teams, meeting the requirement.

Why this answer

Option A is correct because Microsoft Purview DLP allows you to create separate policies scoped to different workloads. By creating a DLP policy for Exchange Online with a block action, you prevent credit card numbers from being shared via email. A separate DLP policy scoped to Microsoft Teams with an audit-only action allows sharing in Teams while still logging the activity for monitoring.

Exam trap

The trap here is that candidates assume a single DLP policy with multiple locations can have different actions per location, but in reality, the action is applied uniformly across all selected locations unless separate policies are created.

How to eliminate wrong answers

Option B is wrong because a single DLP policy scoped to both Exchange and Teams would apply the same action (block) to both workloads, which would prevent sharing in Teams as well. Option C is wrong because DLP policies do not support rule exceptions that exempt an entire workload like Teams; exceptions are typically used for specific conditions like trusted domains or IP ranges. Option D is wrong because Microsoft Purview Insider Risk Management is designed to detect and investigate risky user activities, not to enforce real-time blocking of sensitive data sharing in Teams.

1066
MCQ · medium

An organization is redesigning its security architecture based on the Zero Trust model. Which principle requires that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of the network location?

A. Assume breach
B. Least privilege
C. Verify explicitly
D. Trust but verify
Answer: C

This principle states that every access request should be fully authenticated, authorized, and encrypted, regardless of the network location or device.

Why this answer

The Zero Trust model is built on three core principles: verify explicitly, least privilege, and assume breach. The principle that mandates every access request—regardless of whether it originates from inside or outside the corporate network—must be fully authenticated, authorized, and encrypted before granting access is 'verify explicitly'. This means using strong authentication methods (e.g., multifactor authentication), continuous validation of authorization (e.g., Conditional Access policies), and enforcing encryption (e.g., TLS 1.3) for every request, not just those from untrusted locations.

Exam trap

Microsoft often tests the distinction between 'verify explicitly' and 'trust but verify', where candidates mistakenly choose 'trust but verify' because it sounds like a security principle, but the Zero Trust model explicitly rejects any form of implicit trust, requiring verification for every request regardless of network location.

How to eliminate wrong answers

Option A is wrong because 'assume breach' is a Zero Trust principle that focuses on minimizing the blast radius and segmenting access, not on the upfront verification of each request; it assumes a breach has already occurred and designs defenses accordingly. Option B is wrong because 'least privilege' is a principle that limits user and device access rights to only what is necessary to perform a task, but it does not address the requirement for full authentication, authorization, and encryption of every request. Option D is wrong because 'trust but verify' is an outdated security model that implicitly trusts users or devices inside the network perimeter and only verifies when necessary, which contradicts the Zero Trust mandate to never trust and always verify explicitly.

1067
MCQ · medium

You are a consultant helping a client migrate from on-premises Active Directory to Microsoft Entra ID. The client has a large number of user accounts and wants to synchronize identities while allowing users to use their existing on-premises passwords. Which tool should you recommend?

A. Microsoft Entra Connect Sync (older version)
B. Microsoft Graph API with custom sync script
C. Microsoft Entra Connect with password hash synchronization
D. Microsoft Entra Connect Provisioning Agent
Answer: C

This tool synchronizes identities and hashes passwords, allowing seamless use of on-premises passwords.

Why this answer

Microsoft Entra Connect with password hash synchronization (PHS) is the correct tool because it synchronizes user identities from on-premises Active Directory to Microsoft Entra ID and allows users to keep their existing on-premises passwords by hashing and syncing password hashes to the cloud. This meets the client's requirement for identity synchronization without requiring password changes or additional infrastructure.

Exam trap

The trap here is that candidates often confuse the Microsoft Entra Connect Provisioning Agent (Option D) with the full Microsoft Entra Connect tool, mistakenly thinking the Provisioning Agent supports password hash synchronization, when in fact it only supports cloud sync without password writeback or PHS.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect Sync (older version) is the previous name for the tool, but the question specifies the 'older version' which lacks the integrated password hash synchronization feature and is deprecated; the current recommended tool is Microsoft Entra Connect with PHS. Option B is wrong because Microsoft Graph API with a custom sync script would require significant development effort, lacks built-in password hash synchronization, and does not natively support the seamless password sync required for users to keep their existing on-premises passwords. Option D is wrong because the Microsoft Entra Connect Provisioning Agent is designed for cloud sync scenarios (e.g., syncing from disconnected forests or lightweight scenarios) and does not support password hash synchronization, which is essential for allowing users to use their existing on-premises passwords.

1068
MCQ · medium

A company has several on-premises web-based applications that need to be securely accessed by remote employees without requiring a VPN. The IT team wants to provide single sign-on (SSO) using Microsoft Entra ID. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra Application Proxy
B. Microsoft Entra Self-Service Password Reset (SSPR)
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Identity Protection
Answer: A

Correct. Microsoft Entra Application Proxy publishes on-premises web apps externally and provides secure remote access with single sign-on, eliminating the need for a VPN.

Why this answer

Microsoft Entra Application Proxy enables secure remote access to on-premises web applications without a VPN by acting as a reverse proxy. It integrates with Microsoft Entra ID to provide single sign-on (SSO) for users, leveraging pre-authentication and conditional access policies. This directly meets the requirement for VPN-less, SSO-enabled access.

Exam trap

The trap here is that candidates often confuse Application Proxy with a VPN solution or think SSPR or PIM can provide remote access, but only Application Proxy specifically proxies on-premises web apps with SSO integration.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Self-Service Password Reset (SSPR) is a password management feature that allows users to reset their own passwords, not a solution for remote application access or SSO. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles, not for proxying on-premises applications. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats, not a remote access or SSO mechanism.

1069
MCQ · medium

A company uses Microsoft Entra ID (Azure AD). The IT team has created a security group named 'SalesTeam' that contains all sales department users. They want to ensure that only members of this group can access the company's CRM application, which is registered as an enterprise application in Entra ID. What should the IT team configure?

A. A Conditional Access policy that requires group membership
B. Self-service group management settings
C. Enterprise application user and group assignment
D. Application registration settings
Answer: C

Assigning the 'SalesTeam' group to the CRM enterprise application ensures that only members of that group can sign in and access that application.

Why this answer

Enterprise applications in Microsoft Entra ID can be configured to require user or group assignment, which restricts access to only assigned users or groups. By assigning the 'SalesTeam' security group to the CRM enterprise application, the IT team ensures that only members of that group can authenticate and access the application. This is the standard method for controlling access to gallery or custom enterprise applications in Entra ID.

Exam trap

The trap here is confusing Conditional Access (which controls conditions and grants during authentication) with user/group assignment (which controls the fundamental ability to authenticate to the application), leading candidates to select A when C is the direct and correct configuration for restricting access.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy can enforce group membership as a condition, but it does not by itself restrict access to the application; it only applies additional controls (like MFA or device compliance) after the user is already allowed to authenticate. Option B is wrong because self-service group management settings control how users can create or join groups, not how access to an enterprise application is restricted. Option D is wrong because application registration settings define the application's authentication configuration (e.g., redirect URIs, API permissions), not which users or groups can access the application.

1070
MCQ · medium

A company is using Microsoft Entra ID to manage identities for a multi-tenant SaaS application. They want to allow users from partner organizations to access the application using their own corporate credentials, without needing to manage separate accounts. Which solution should they implement?

A. Microsoft Entra B2C
B. Microsoft Entra federation with the partner's identity provider
C. Microsoft Entra B2B collaboration
D. Microsoft Entra provisioning service
Answer: C

B2B collaboration allows partner users to access apps using their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct solution because it enables partner users to access the company's multi-tenant SaaS application using their own corporate credentials, without requiring separate accounts. B2B collaboration supports cross-tenant access by creating lightweight guest user objects in the resource tenant, which can authenticate via their home tenant's identity provider. This aligns with the requirement to allow partner organizations to use their existing credentials while avoiding account management overhead.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, mistakenly thinking both handle external users, but B2C is for customer identities (social/local accounts) while B2B is for partner identities (corporate credentials).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C is designed for customer-facing identity management, allowing external users (e.g., consumers) to sign up and sign in with social or local accounts, not for partner organizations using their own corporate credentials. Option B is wrong because federation with a partner's identity provider typically establishes a trust between two organizations' identity systems, but it requires complex configuration and often involves setting up a federation trust (e.g., using SAML or WS-Federation) for the entire domain, which is overkill for simple guest access and does not natively support the lightweight, invitation-based model of B2B collaboration. Option D is wrong because the Microsoft Entra provisioning service automates the creation, update, and deletion of user accounts in SaaS applications (e.g., via SCIM), but it does not enable external users to authenticate with their own credentials; it manages identity lifecycle, not cross-tenant authentication.

1071
MCQ · hard

Your organization, Fabrikam Inc., uses Microsoft 365 E5 licenses. The security team is deploying Microsoft Purview to protect sensitive data. They need to ensure that when a user attempts to share a document containing credit card numbers with an external partner, the action is blocked and the user receives a policy tip. Additionally, the incident should be logged for investigation. You have already created a sensitivity label for credit card data and auto-labeled documents. Which Microsoft Purview feature should you configure to meet these requirements?

A. Enable Microsoft Purview Insider Risk Management to detect the sharing activity.
B. Implement Microsoft Purview Records Management with a retention label that prevents sharing.
C. Create a Data Loss Prevention (DLP) policy that applies to documents containing credit card numbers, with an action to block sharing and notify users via policy tip.
D. Configure a sensitivity label policy that blocks external sharing when the label is applied.
Answer: C

DLP policies can detect sensitive data and enforce actions like blocking and policy tips.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect sensitive information (e.g., credit card numbers) in documents and emails, block sharing, display policy tips, and generate incident reports. Sensitivity labels alone do not enforce restrictions on sharing. Records management handles retention.

Insider risk management detects risky user activities. Audit logs record events but do not block actions.

1072
Multi-Select · hard

Your company uses Microsoft Purview to meet data privacy regulations. You need to discover and classify personal data stored in Azure SQL Database. Which THREE tools or features can you use?

Select 3 answers
A. Microsoft 365 compliance center
B. Azure Information Protection
C. Microsoft Purview Data Estate Insights
D. Data Classification in Azure SQL Database
E. Microsoft Purview Data Map
Answers: C, D, E

Data Estate Insights provides reports on data classification and sensitivity.

Why this answer

Options C, D, and E are correct. Microsoft Purview Data Map (E) scans and catalogs data sources. Data Classification in Azure SQL Database (D) is a built-in feature to classify columns.

Microsoft Purview Data Estate Insights (C) provides visibility into the data estate. Option B is wrong because Azure Information Protection is for labeling files, not databases. Option A is wrong because the Microsoft 365 compliance center is for Microsoft 365 data, not Azure SQL.

1073
MCQ · easy

Your organization wants to automatically investigate and remediate email-based threats in Microsoft 365. Which security solution should you use?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: B

Automated investigation and remediation for email threats.

Why this answer

Microsoft Defender for Office 365 is the correct solution because it is specifically designed to protect against email-based threats such as phishing, malware, and business email compromise (BEC). It provides automated investigation and remediation capabilities through features like Automated Investigation and Response (AIR) and Threat Explorer, which can automatically analyze and remediate malicious emails, attachments, and URLs in Exchange Online.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, assuming endpoint protection covers email threats, but email security is a separate workload requiring dedicated protection for Exchange Online and SharePoint Online.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (e.g., devices, servers) from threats like malware and ransomware, not on email-based threats. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs and protects cloud applications, not specifically email threats. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution for enterprise-wide threat detection and response, not a dedicated email security solution.

1074
MCQ · easy

A company implements a security model where no user or device is automatically trusted, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted before granting access, regardless of the request origin. This model is known as:

A. Defense in depth
B. Perimeter security
C. Zero Trust
D. Least privilege
Answer: C

Zero Trust is the correct model. It requires explicit verification of every access request, regardless of network location, and enforces least privilege and assumed breach principles.

Why this answer

Option C is correct because Zero Trust is a security model that explicitly assumes no implicit trust based on network location. Every access request must be authenticated, authorized, and encrypted, regardless of whether it originates from inside or outside the corporate network. This aligns with the core Zero Trust principle of 'never trust, always verify'.

Exam trap

The trap here is that candidates often confuse Zero Trust with Defense in depth, assuming that multiple layers of security automatically remove implicit trust, but Zero Trust specifically targets the assumption of trust based on network location.

How to eliminate wrong answers

Option A is wrong because Defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, antivirus) but does not inherently remove implicit trust from internal networks. Option B is wrong because Perimeter security relies on a strong network boundary (e.g., firewalls, VPNs) and trusts internal traffic once inside, which directly contradicts the described model. Option D is wrong because Least privilege is a principle of granting only the minimum necessary permissions, not a model that addresses authentication, authorization, and encryption for every request regardless of origin.

1075
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps? (Select TWO.)

Select 2 answers
A. Enforce device compliance policies
B. Provide threat analytics reports
C. Control access with Conditional Access App Control
D. Classify sensitive data across cloud apps
E. Discover shadow IT cloud apps
Answers: C, E

Conditional Access App Control provides session and access controls.

Why this answer

Correct: Discover shadow IT cloud apps (E) and Control access with Conditional Access App Control (C). Option D is wrong because classifying sensitive data (DLP) is in Purview, not Defender for Cloud Apps. Option A is wrong because device compliance is in Intune/Entra.

Option B is wrong because threat analytics is in Defender for Endpoint/Office.

1076
MCQ · easy

Your organization needs to retain all email communications with customers for 7 years due to regulatory requirements. Which Microsoft Purview solution should you use?

A. Sensitivity labels
B. eDiscovery (Standard)
C. Retention policies
D. Data Loss Prevention policies
Answer: C

Retention policies enforce data retention for a defined period.

Why this answer

Option C is correct because retention policies in Microsoft Purview allow you to retain data for a specified period. Option D is wrong because DLP is for preventing data loss, not retention. Option A is wrong because sensitivity labels classify data but do not enforce retention.

Option B is wrong because eDiscovery is for search and export, not setting retention.

1077
MCQ · medium

A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?

A. Access Reviews configured to auto-apply results and delete guest users after a specified number of days
B. Entitlement Management access packages with an expiration policy
C. Lifecycle Workflows to schedule a periodic task
D. Privileged Identity Management (PIM) for guest roles
Answer: A

Access Reviews can automatically apply results (remove access) if no response, and the 'Delete users' setting within the review automatically removes guest objects after the configured days.

Why this answer

Access Reviews in Microsoft Entra ID can be configured to automatically apply results, removing guest access when a reviewer does not respond within a specified period (e.g., 30 days). Additionally, the 'Delete guest users not reviewed within' setting allows automatic deletion of the guest user object from the directory after a configurable number of days (e.g., 90 days). This directly meets both requirements: periodic verification of access and eventual cleanup of the directory object.

Exam trap

The trap here is that candidates confuse 'removing access' (which many features can do) with 'deleting the user object from the directory' (which only Access Reviews with the specific deletion setting can do), leading them to choose Entitlement Management or Lifecycle Workflows.

How to eliminate wrong answers

Option B is wrong because Entitlement Management access packages with an expiration policy can remove a user's assignment to a resource (like the SharePoint site) but do not automatically delete the guest user object from the directory after a specified number of days; they only expire the package assignment. Option C is wrong because Lifecycle Workflows are designed for automating joiner, mover, and leaver processes for employees, not for periodic guest access reviews or automatic deletion of guest objects. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval for privileged roles, not periodic access reviews or automatic removal of guest user objects from the directory.

1078
MCQ · medium

You are configuring Microsoft Entra ID Governance for your organization. You need to ensure that when a user's employment status changes to 'Terminated' in the HR system, their access to critical applications is automatically revoked within 24 hours. Additionally, managers must be able to request temporary access for a terminated user if needed. What should you implement?

A. Configure Microsoft Entra entitlement management with access packages for external users.
B. Use Microsoft Entra Privileged Identity Management (PIM) for all user accounts.
C. Create an access package with automatic assignment policies based on HR attributes and enable access reviews.
D. Implement Microsoft Entra ID Governance lifecycle workflows.
Answer: C

Automatic assignment can revoke access when HR attribute changes, and access reviews allow managers to request extensions.

Why this answer

Option C is correct because access packages in Microsoft Entra entitlement management can include automatic assignment policies that evaluate HR attributes (like employment status) to grant or revoke access. When a user's status changes to 'Terminated', the policy automatically removes their membership in the access package, revoking access to critical applications within the configured time frame (e.g., 24 hours). Additionally, access reviews allow managers to request temporary access for terminated users if needed, fulfilling both requirements.

Exam trap

The trap here is confusing lifecycle workflows (which handle account lifecycle events like creation and deletion) with entitlement management access packages (which handle resource access lifecycle and support manager-initiated temporary access requests).

How to eliminate wrong answers

Option A is wrong because configuring access packages for external users addresses guest access scenarios, not automated revocation based on HR attribute changes for internal employees. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for automating access revocation based on HR lifecycle events. Option D is wrong because lifecycle workflows handle user provisioning and deprovisioning tasks (like disabling accounts) but do not natively support manager-initiated temporary access requests for terminated users; that capability is specific to entitlement management access packages with access reviews.

1079
MCQ · hard

A company is implementing a Microsoft Entra ID tenant for a new subsidiary. They require that all users authenticate using passwordless methods, specifically the Microsoft Authenticator app. What is the minimum configuration required to enforce this?

A. Enable Microsoft Entra ID Protection and configure MFA registration policy
B. Turn on Security defaults
C. Configure Microsoft Entra Hybrid Join for all devices
D. Create a Conditional Access policy targeting all users that requires 'Require authentication strength' and select the 'Passwordless MFA' authentication strength
Answer: D

Conditional Access with authentication strength can enforce passwordless MFA, blocking password-based sign-ins.

Why this answer

Option D is correct because a Conditional Access policy with the 'Require authentication strength' setting allows you to select the 'Passwordless MFA' authentication strength, which enforces passwordless methods like the Microsoft Authenticator app. This is the minimum configuration that directly targets all users and mandates passwordless authentication, as opposed to broader or less specific settings.

Exam trap

The trap here is that candidates often confuse 'MFA registration' or 'Security defaults' with enforcing a specific authentication method, but neither restricts the method to passwordless only, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection and MFA registration policy only enforce that users register for MFA, not that they use passwordless methods specifically. Option B is wrong because Security defaults enforce MFA using any method (including passwords), not exclusively passwordless authentication. Option C is wrong because Microsoft Entra Hybrid Join is a device state requirement for scenarios like Windows Hello for Business, but it does not enforce passwordless authentication via the Authenticator app and is not the minimum configuration for this requirement.

1080
MCQ · medium

A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?

A. Microsoft Entra External ID (B2C)
B. Microsoft Entra External ID (B2B)
C. Microsoft Entra Identity Protection
D. Microsoft Entra Conditional Access
Answer: A

Correct. Azure AD B2C (now part of Microsoft Entra External ID) is designed for customer-facing apps and supports social identity providers such as Google, Facebook, and LinkedIn.

Why this answer

Microsoft Entra External ID (B2C) is the correct solution because it is specifically designed for consumer-facing applications, allowing customers to sign in using social identity providers (IdPs) like Google, Facebook, and LinkedIn via OAuth 2.0 and OpenID Connect protocols. It provides a customizable authentication experience for external users, distinct from B2B which targets organizational collaboration.

Exam trap

The trap here is that candidates confuse B2B with B2C, assuming 'External ID' covers all external users, but B2B strictly targets organizational partners (e.g., using their work accounts) while B2C is for consumer social logins.

How to eliminate wrong answers

Option B (Microsoft Entra External ID (B2B)) is wrong because B2B is designed for business-to-business collaboration, enabling external partners and employees from other organizations to access corporate resources using their own Entra ID or SAML/WS-Fed IdPs, not for consumer social logins. Option C (Microsoft Entra Identity Protection) is wrong because it is a risk-based security tool that detects compromised identities and suspicious sign-ins, not an authentication solution for social identity providers. Option D (Microsoft Entra Conditional Access) is wrong because it is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a mechanism to federate with social IdPs.

1081
MCQ · easy

A user reports that they cannot access a sensitive document in SharePoint. The document has a sensitivity label of 'Highly Confidential' applied. The user is a member of the 'Finance' group, which has the label permission. However, the user is located in a country that is blocked by a conditional access policy. What is the most likely reason the user cannot access the document?

A. The user does not have the required sensitivity label permission
B. The user does not have a Microsoft 365 E5 license
C. A conditional access policy is blocking access based on the user's location
D. The document does not have a sensitivity label applied
Answer: C

Conditional access policies can block access from specific locations, overriding label permissions.

Why this answer

Option C is correct because conditional access policies can block access based on location, overriding label permissions. Option A is wrong because the user has the required label permission. Option D is wrong because the label is correctly applied.

Option B is wrong because licensing is not indicated as an issue.

1082
Multi-Select · hard

A company uses Microsoft Entra ID (Azure AD). The security team wants to create a Conditional Access policy that meets the following requirements:
- Require multi-factor authentication (MFA) when users access a sensitive financial application from an untrusted network.
- Additionally, require that the device accessing the app is compliant with company policies (e.g., encryption enabled).
Which two conditions should the team configure in the Conditional Access policy? (Choose two.)

Select 2 answers
A. Location
B. Device state
C. Sign-in risk
D. Application
Answers: A, B

Location condition allows you to include or exclude access attempts based on IP address ranges (e.g., trusted vs untrusted).

Why this answer

Option A (Location) is correct because the policy requires MFA when users access the sensitive financial application from an untrusted network. In Microsoft Entra ID Conditional Access, the Location condition uses named locations (such as trusted IP ranges or countries) to determine whether a network is trusted or untrusted, enabling the policy to trigger MFA only when access originates from an untrusted location.

Exam trap

The trap here is that candidates often confuse the Application assignment (which defines the target app) with a condition, leading them to select Application as a condition instead of recognizing that Location and Device state are the two conditions that enforce the specific requirements.

1083
MCQ · hard

Your organization uses Microsoft Entra ID. You need to ensure that when a user is terminated, all access to SaaS applications is automatically revoked. What should you configure?

A. Configure a conditional access policy to block access for disabled users.
B. Use Privileged Identity Management to remove role assignments.
C. Schedule an access review for quarterly review of access.
D. Configure Microsoft Entra lifecycle workflows to disable the user and remove group memberships upon termination.
Answer: D

Lifecycle workflows automate user lifecycle events including offboarding tasks.

Why this answer

Option D is correct because Microsoft Entra lifecycle workflows automate the user offboarding process by disabling the user account and removing group memberships upon termination. This ensures that the user loses access to all SaaS applications that rely on Entra ID for authentication, as group membership removal revokes access tokens and disables sign-in.

Exam trap

The trap here is that candidates often confuse conditional access policies (which control sign-in conditions) with automated lifecycle actions, mistakenly thinking a policy can proactively revoke access upon termination without the underlying user state change.

How to eliminate wrong answers

Option A is wrong because a conditional access policy that blocks access for disabled users is reactive and does not automatically trigger upon termination; it only enforces a block if the user is already disabled, but does not handle the removal of group memberships or provisioning. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and does not revoke access to SaaS applications for non-privileged users or remove group memberships. Option C is wrong because scheduling an access review for quarterly review only provides periodic auditing and does not automatically revoke access upon termination; it is a manual or scheduled review process, not an immediate revocation mechanism.

1084
Multi-Select · medium

Which THREE of the following are features of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A. Provide policy tips to users
B. Detect sensitive data in email messages
C. Apply sensitivity labels automatically
D. Retain data for a specified period
E. Monitor sensitive data on endpoints
Answers: A, B, E

Policy tips inform users about policy violations in real-time.

Why this answer

Options A, B, and E are correct. DLP can detect sensitive data in emails, monitor endpoints, and be customized with policy tips. Option C is wrong because sensitivity labels are part of Information Protection, not DLP directly.

Option D is wrong because retention policies are part of Records Management.

1085
MCQ · medium

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to ensure that when a user tries to share a document containing a credit card number externally via email, the user sees a policy tip and the email is blocked. Which DLP rule action should they configure?

A. Notify user with policy tip only
B. Block the message and notify the user with a policy tip
C. Block the message only
D. Redirect the message to the compliance admin
Answer: B

This blocks the email and sends a policy tip to the user.

Why this answer

DLP rules can have actions like 'Block' and 'Notify user with policy tip'. Option A is wrong because it doesn't block; Option C is wrong because it doesn't notify; Option D is wrong because it doesn't block.

1086
MCQ · medium

A financial organization needs to automatically detect emails containing the phrase 'Non-Public Material Information' and apply a retention policy that retains those emails for 7 years. They also need to train senders with a policy tip before sending, and if they still send the email, it should be encrypted and blocked from being forwarded outside the organization. Which Microsoft Purview solution should they use?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Audit
Answer: B

DLP can detect sensitive information, provide policy tips, and automatically encrypt, block, and apply retention labels to messages.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it can automatically detect sensitive content (e.g., 'Non-Public Material Information') in emails, apply policy tips to train senders before sending, enforce encryption, and block forwarding outside the organization. DLP policies also integrate with retention labels to retain emails for a specified period, such as 7 years, by applying a retention label automatically when the sensitive content is detected.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (retention only) with DLP (detection + action), or assume Communication Compliance handles all email content monitoring, but DLP is the only solution that combines real-time content detection, user training via policy tips, and automated enforcement actions like encryption and forwarding blocks.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management focuses solely on retaining and deleting data based on policies, but it cannot detect sensitive content in real-time, apply policy tips, or enforce encryption and forwarding restrictions. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect policy violations (e.g., harassment, insider trading) for review and remediation, not to automatically apply retention, encryption, or forwarding blocks on emails containing specific phrases. Option D is wrong because Microsoft Purview Audit provides logging and investigation of past activities, but it cannot proactively detect content, apply policy tips, encrypt emails, or block forwarding.

1087
MCQ · hard

A company uses Microsoft Defender for Endpoint on all workstations and Microsoft Defender for Office 365 for email protection. The security operations team wants a single console to see all incidents from both products, automatically investigate and respond to threats across endpoints and email, and integrate with Microsoft Sentinel for advanced hunting. Which Microsoft security solution should they use?

A. Microsoft 365 Defender
B. Microsoft Defender for Cloud
C. Microsoft Purview Compliance Portal
D. Microsoft Entra ID Protection
Answer: A

Microsoft 365 Defender (Defender XDR) correlates signals from multiple Microsoft Defender products into unified incidents and enables automated response across domains.

Why this answer

Microsoft 365 Defender is the correct solution because it provides a unified incident queue that aggregates alerts from Microsoft Defender for Endpoint and Microsoft Defender for Office 365, enabling automated investigation and response (AIR) across endpoints and email. It also natively integrates with Microsoft Sentinel for advanced hunting via the Microsoft 365 Defender connector, allowing the security operations team to correlate signals and perform cross-domain threat hunting.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (which protects cloud workloads) with Microsoft 365 Defender (which unifies endpoint, email, and identity security), leading them to select the cloud-focused option instead of the cross-workload unified solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments; it does not unify endpoint and email incidents or provide the automated investigation and response across those workloads. Option C is wrong because Microsoft Purview Compliance Portal focuses on data governance, compliance, and risk management (e.g., data classification, eDiscovery, audit), not on security incident management or automated threat response. Option D is wrong because Microsoft Entra ID Protection (formerly Azure AD Identity Protection) detects identity-based risks such as leaked credentials and anomalous sign-ins, but it does not aggregate endpoint or email incidents, nor does it provide automated response across those domains.

1088
MCQ · easy

Your company wants to provide a single sign-on experience for all cloud applications. Which Microsoft Entra ID feature should you implement?

A. B2B collaboration
B. Identity Protection
C. App registration and SSO configuration
D. Conditional Access
Answer: C

App registration allows apps to use Entra ID for authentication, enabling SSO.

Why this answer

App registration and SSO configuration in Microsoft Entra ID enables single sign-on (SSO) by registering each cloud application as an enterprise application and configuring federation protocols such as SAML 2.0, OpenID Connect, or OAuth 2.0. This allows users to authenticate once with their Entra ID credentials and access all configured cloud applications without repeated logins.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy enforcement tool) with SSO configuration, or they mistakenly think B2B collaboration is needed for internal app SSO, when in fact App registration and SSO configuration is the correct feature for enabling a unified sign-on experience.

How to eliminate wrong answers

Option A is wrong because B2B collaboration is designed for inviting external users (guests) from other organizations, not for providing SSO across cloud applications for internal users. Option B is wrong because Identity Protection is a security feature that detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), not a mechanism for SSO. Option D is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) after authentication, but it does not configure or enable SSO itself.

1089
MCQ · hard

Refer to the exhibit. A Microsoft Purview retention policy is configured as shown. A document in SharePoint is labeled as 'Highly Confidential' and was created 5 years ago. What will happen to this document?

A. The document will be retained for 7 years from the policy creation date
B. The document will be deleted immediately
C. The document will be retained for 7 years from now
D. The document will be retained for 2 more years
Answer: D

The document was created 5 years ago, so it will be retained for 2 more years to reach 7 years total.

Why this answer

Option D is correct because the retention policy retains items labeled as 'Highly Confidential' for 7 years from creation. Since the document was created 5 years ago, it will be retained until 7 years from creation (2 more years). Option B is wrong because the retention action is 'Retain', not delete, and the label meets the condition.

Option A is wrong because the retention period is based on the creation date, not the policy's start. Option C is wrong for the same reason: the 7 years run from the creation date, not from now.

1090
Multi-Select · hard

Which THREE actions can Microsoft Purview Data Loss Prevention (DLP) policies perform when a sensitive data match is detected?

Select 3 answers
A. Apply a retention label
B. Encrypt the content automatically
C. Block the sharing of the content
D. Send a notification to the user
E. Delete the content permanently
Answers: B, C, D

DLP can encrypt emails or documents to protect sensitive data.

Why this answer

Microsoft Purview DLP policies can automatically encrypt content when a sensitive data match is detected, typically using Azure Information Protection (AIP) or Microsoft 365 Message Encryption. This action helps protect the data by restricting access to authorized users only, even if the content is shared externally.

Exam trap

The trap here is that candidates often confuse DLP's native actions with other compliance features like retention labels or deletion, assuming DLP can delete or apply labels directly, but Microsoft explicitly limits DLP to blocking, encrypting, notifying, and auditing actions.

1091
MCQ · medium

A company is subject to a legal investigation and must preserve all email communications related to the case for an indefinite period, even if users try to delete them. The compliance officer needs a solution that can place a hold on specific user mailboxes and prevent any permanent deletion of relevant content. Which Microsoft Purview feature should be used?

A. Retention labels
B. Litigation hold
C. Data loss prevention
D. Compliance Manager
Answer: B

Litigation Hold preserves all mailbox content, including deleted items, and prevents permanent deletion until the hold is removed.

Why this answer

Litigation hold is the correct feature because it places a hold on an entire mailbox, preserving all content including deleted items and versions, and prevents permanent deletion by users or automated processes. Unlike retention labels or policies, litigation hold applies to the entire mailbox and is designed specifically for legal investigations where indefinite preservation is required.

Exam trap

The trap here is that candidates often confuse retention labels or policies with litigation hold, not realizing that retention labels apply granularly to content while litigation hold applies to the entire mailbox and is specifically designed for legal preservation scenarios.

How to eliminate wrong answers

Option A is wrong because retention labels are applied to individual items or folders for classification and retention, but they do not prevent users from deleting items; they only ensure items are retained after deletion according to a policy. Option C is wrong because Data Loss Prevention (DLP) is designed to detect and prevent unauthorized sharing or leakage of sensitive data, not to preserve email content for legal holds. Option D is wrong because Compliance Manager is a risk assessment and compliance score tool that helps manage compliance posture, not a feature for placing holds on mailboxes.

1092
MCQmedium

A company has an on-premises web-based expense report application. The IT team wants to make this application accessible to remote employees over the internet without requiring a VPN. They need to use Microsoft Entra ID for authentication and apply Conditional Access policies such as requiring multi-factor authentication. Which Microsoft Entra ID feature should they implement?

A.Azure AD Application Proxy
B.Self-service password reset (SSPR)
C.Azure AD B2B collaboration
D.Azure AD Domain Services
AnswerA

Application Proxy publishes on-premises apps through the cloud, allowing remote users to access them securely with Entra ID authentication and Conditional Access.

Why this answer

Azure AD Application Proxy allows on-premises web applications to be published for remote access without a VPN. It integrates with Microsoft Entra ID for authentication and supports Conditional Access policies, including multi-factor authentication, by acting as a reverse proxy that forwards authenticated requests to the internal application.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy with a VPN solution or think that Azure AD Domain Services is needed for authentication, but the key is that Application Proxy specifically publishes on-premises web apps with Entra ID authentication and Conditional Access support without requiring a VPN.

How to eliminate wrong answers

Option B is wrong because Self-service password reset (SSPR) is a feature for users to reset their own passwords, not for publishing on-premises applications or enabling remote access without a VPN. Option C is wrong because Azure AD B2B collaboration is designed for sharing applications and resources with external guest users from partner organizations, not for providing remote access to internal employees for an on-premises app. Option D is wrong because Azure AD Domain Services provides managed domain services like LDAP and Kerberos for Azure VMs, not a reverse proxy solution for web application access.

1093
MCQmedium

A company uses Microsoft Entra ID and Intune for device management. They want to ensure that only devices marked as compliant (e.g., updated, encrypted) can access the corporate HR portal. Which Conditional Access assignment condition should the administrator configure?

A.Locations
B.Device state
C.Client apps
D.Sign-in risk
AnswerB

Device state condition can be set to require a device to be compliant (as defined in Intune) or hybrid Microsoft Entra ID joined. This is the correct condition to enforce access based on device compliance.

Why this answer

The 'Device state' condition in Conditional Access allows administrators to require that only devices marked as compliant (via Intune compliance policies) can access resources. By configuring this condition, the HR portal will block access from non-compliant devices, enforcing security requirements like encryption and updates before granting access.

Exam trap

The trap here is that candidates may confuse 'Device state' with 'Sign-in risk' or 'Client apps', thinking device compliance is tied to user risk or application type, but Microsoft specifically separates device health from user risk and app context in Conditional Access.

How to eliminate wrong answers

Option A is wrong because 'Locations' controls access based on IP address ranges or geographic regions, not device compliance status. Option C is wrong because 'Client apps' filters access by application type (e.g., browser, mobile app), not device health or compliance. Option D is wrong because 'Sign-in risk' is part of Identity Protection and evaluates user authentication risk (e.g., leaked credentials), not device compliance.

1094
MCQhard

A financial services firm must comply with regulatory requirements that mandate supervisory review of communications between advisors and clients. They need to automatically capture emails and Microsoft Teams messages from a specific group of advisors, assign them to a supervisor for review, and flag messages containing potential code words for insider trading. Which Microsoft Purview solution should they use?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Information Protection
D.Microsoft Purview Insider Risk Management
AnswerB

Communication Compliance enables organizations to capture communications, assign them to reviewers, and use built-in or custom classifiers to detect policy violations such as insider trading code words. It meets all described requirements.

Why this answer

Microsoft Purview Communication Compliance is the correct solution because it is specifically designed to capture and review communications (email, Teams messages) for regulatory compliance, such as supervisory oversight of advisor-client interactions. It can automatically flag messages containing sensitive keywords or patterns (e.g., potential code words for insider trading) and route them to designated supervisors for review, meeting the firm's regulatory mandate.

Exam trap

The trap here is that candidates often confuse the 'capture and review communications' requirement with Insider Risk Management (Option D), which focuses on behavioral analytics and risk scoring rather than direct communication capture and keyword-based flagging.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management focuses on retaining, deleting, and managing data based on policies (e.g., retention labels, disposition review), not on capturing and reviewing communications for compliance or flagging specific content. Option C is wrong because Microsoft Purview Information Protection is used for classifying, labeling, and protecting sensitive data (e.g., encryption, rights management), not for supervisory review or automated flagging of communications. Option D is wrong because Microsoft Purview Insider Risk Management is designed to detect and investigate risky user activities (e.g., data exfiltration, policy violations) using analytics and behavioral indicators, not to capture and review communications for regulatory compliance or flag specific keywords.

1095
MCQmedium

Your organization must ensure that financial reports are protected with encryption and cannot be forwarded. Which two Microsoft Purview features should you combine?

A.Data Lifecycle Management and Data Loss Prevention
B.Retention policies and Records Management
C.Information Barriers and Communication Compliance
D.eDiscovery (Premium) and Audit (Standard)
E.Sensitivity labels with encryption and Data Loss Prevention
AnswerE

Sensitivity labels encrypt the document; DLP can block forwarding.

Why this answer

Option E is correct because sensitivity labels can apply encryption, and DLP can block forwarding. Option B is wrong because retention policies and Records Management do not encrypt or block forwarding. Option D is wrong because eDiscovery and Audit are for discovery and logging.

Option C is wrong because Information Barriers restrict communication but not forwarding. Option A is wrong because Data Lifecycle Management manages retention, not forwarding.

1096
MCQhard

Tailspin Toys is a toy manufacturer with headquarters in the US and subsidiaries in Europe and Asia. You are the compliance administrator. The company must comply with the EU General Data Protection Regulation (GDPR). Requirements: 1) Personal data of EU residents must be retained only for as long as necessary (max 5 years after last interaction). 2) If a user tries to share personal data outside the EU, the action must be blocked. 3) Users must be able to manually mark documents as 'GDPR High Risk' which will encrypt them and add a watermark 'GDPR PROTECTED'. 4) All access to personal data must be audited. You have Microsoft Purview with E5 compliance licenses. What is the most efficient solution?

A.Use a retention policy to delete all content after 5 years; create a DLP policy to block sharing of personal data outside EU; create a sensitivity label for manual application with encryption and watermark; enable audit logging
B.Create an auto-labeling policy to apply a 'Personal Data' sensitivity label; create a retention label 'GDPR Retention' to auto-apply to personal data and retain for 5 years; create a DLP policy to block sharing of labeled personal data outside EU; create a separate sensitivity label 'GDPR High Risk' for manual application with encryption and watermark; enable audit logging
C.Use a retention policy to delete personal data after 5 years; create a DLP policy to block cross-border sharing; use a sensitivity label with auto-labeling for personal data; enable audit logging
D.Create a DLP policy to block sharing of personal data outside EU; use a retention label for 5 years; use a single sensitivity label for both automatic and manual scenarios; enable audit logging
AnswerB

Auto-labeling applies sensitivity label; retention label retains personal data for 5 years; DLP blocks cross-border sharing; manual label provides encryption and watermark; audit logging tracks access.

Why this answer

Option A: a retention policy that deletes all content after 5 years is not specific to personal data, but the requirement is to retain personal data only as long as necessary; a retention label with auto-apply is more precise. Its DLP policy can block cross-border sharing, and its sensitivity label for manual marking provides encryption and watermark. Audit logging is enabled by default.

Option C: auto-labeling for sensitivity is good, but a retention label scoped to personal data is needed rather than a blanket retention policy, and there is no separate label for manual 'GDPR High Risk' marking with encryption and watermark. DLP cannot enforce retention.

Option D: the retention label is good, but a separate sensitivity label is needed for manual marking with encryption and watermark; a single label cannot cover both the automatic and the manual scenarios.

1097
MCQmedium

A user authenticates with a smart card and is then granted access to a specific database based on their job role in the finance department. Which security concept describes the process of determining what the authenticated user is allowed to do?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Authorization evaluates the user's role and permissions to decide whether they can access the specific database, matching the description.

Why this answer

Authorization is the security concept that determines what an authenticated user is permitted to do. In this scenario, after the user authenticates with a smart card, the system checks their job role in the finance department against access control lists (ACLs) or role-based access control (RBAC) policies to grant access to the specific database. This is distinct from authentication, which only verifies identity.

Exam trap

The trap here is confusing authentication with authorization; candidates often pick 'Authentication' because they focus on the smart card step, but the question explicitly asks about determining what the user is allowed to do, which is authorization.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., via smart card credentials), not determining what they are allowed to do. Option C is wrong because accounting (or auditing) tracks and logs user activities for compliance and monitoring, but does not enforce permissions. Option D is wrong because encryption protects data at rest or in transit by converting it into ciphertext, but does not control access rights after decryption.

1098
MCQmedium

Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID feature should you use to verify that users and devices meet specific health requirements before granting access to corporate resources?

A.Privileged Identity Management (PIM)
B.Identity Governance
C.Identity Protection
D.Conditional Access
AnswerD

Conditional Access evaluates signals like device compliance to enforce access controls.

Why this answer

Option D is correct because Conditional Access policies can enforce device compliance, MFA, and other health checks. Option A is wrong because Privileged Identity Management manages just-in-time admin roles. Option C is wrong because Identity Protection detects risks but doesn't enforce device health.

Option B is wrong because Identity Governance manages access reviews and lifecycle.

1099
MCQeasy

A company uses Microsoft 365 and several third-party SaaS apps. The security team wants to detect when a user signs in from a remote location that is significantly far from their typical sign-in location within a very short time, indicating possible account compromise. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Identity
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerA

Defender for Cloud Apps includes anomaly detection policies like impossible travel that can detect sign-ins from geographically distant locations in a short time.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) provides the 'impossible travel' detection capability, which analyzes sign-in events across both Microsoft 365 and third-party SaaS apps. It uses machine learning to establish a baseline of a user's typical sign-in locations and then alerts when two sign-ins occur from geographically distant locations within a time frame that makes physical travel impossible, indicating a potential account compromise.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Identity, assuming identity protection covers all sign-in anomalies, but MDCA specifically handles cross-cloud app behavioral analytics like impossible travel, while Defender for Identity is limited to on-premises AD and hybrid identity threats.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory and hybrid identity threats (e.g., Kerberos attacks, DCSync), not cross-SaaS sign-in anomaly detection. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration workloads (e.g., phishing, malware in attachments), not user sign-in behavior across multiple SaaS apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (e.g., malware, fileless attacks), not for analyzing cloud app sign-in patterns.

1100
MCQeasy

An organization wants to use a cloud-based SIEM to collect security data from multiple sources, including on-premises servers and cloud applications. Which Microsoft solution should they choose?

A.Microsoft Sentinel
B.Microsoft Intune
C.Microsoft 365 Defender
D.Microsoft Defender for Cloud
AnswerA

Sentinel is a scalable SIEM that collects and analyzes security data from diverse sources.

Why this answer

Microsoft Sentinel is a cloud-native SIEM that can ingest data from various sources. Defender for Cloud is for cloud security posture management. Microsoft 365 Defender is for detection and response across Microsoft 365.

Intune is for device management.

1101
MCQeasy

Your organization wants to ensure that all external emails are automatically tagged with a disclaimer at the top of the email body. Which Microsoft Exchange Online feature should you configure?

A.Journal rule
B.Data loss prevention (DLP) policy
C.Safe Links policy
D.Mail flow rule (transport rule)
AnswerD

Mail flow rules can apply disclaimers to messages based on conditions.

Why this answer

Option D is correct because mail flow rules (transport rules) can add disclaimers to emails. Option B is incorrect because DLP policies do not add disclaimers. Option C is incorrect because Safe Links adds URL protection, not disclaimers.

Option A is incorrect because journaling archives emails.

1102
Multi-Selecthard

Which THREE of the following are features of Microsoft Purview Insider Risk Management?

Select 3 answers
A.Phishing simulation campaigns
B.Vulnerability scanning of network endpoints
C.Detection of repeated security policy violations by a user
D.Detection of unauthorized data exfiltration via email
E.Forensic evidence capturing user actions on devices
AnswersC, D, E

It can detect cumulative policy violations.

Why this answer

Insider Risk Management includes detecting data leaks, detecting security policy violations, and providing forensic evidence. Vulnerability scanning (B) is not part of Insider Risk Management; it's part of Defender for Cloud. Phishing simulation (A) is part of Attack Simulation Training.

1103
Multi-Selecteasy

Which TWO of the following are capabilities of Microsoft Entra ID?

Select 2 answers
A.Email filtering and anti-malware protection.
B.Identity and access management for cloud applications.
C.Single sign-on to SaaS applications.
D.Encryption of data at rest in Azure Storage.
E.Network firewall management.
AnswersB, C

Entra ID provides IAM for cloud apps.

Why this answer

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management (IAM) service. It provides authentication and authorization for cloud applications, including support for single sign-on (SSO) to thousands of pre-integrated SaaS applications like Salesforce, Office 365, and Workday. These are core IAM capabilities, not security functions like email filtering or network firewall management.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID's identity management role with broader security services like email protection or network security, leading them to select options that belong to other Azure or Microsoft 365 security products.

1104
MCQmedium

An organization uses Microsoft Defender for Cloud to secure its Azure workloads. They want to receive recommendations for improving the security posture of their virtual machines. What should they enable?

A.Microsoft Defender for Cloud Apps
B.Microsoft Sentinel
C.Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)
D.Azure Policy
AnswerC

Correct: CSPM provides recommendations for improving security posture.

Why this answer

Microsoft Defender for Cloud provides security recommendations based on assessments. Enabling Defender for Cloud (with the foundational CSPM or enhanced security features) will generate recommendations.

1105
MCQmedium

An organization wants to protect against business email compromise (BEC) attacks where attackers impersonate the CEO to trick employees into transferring funds. Which Microsoft Defender for Office 365 capability should they configure to detect such impersonation?

A.Safe Attachments
B.Safe Links
C.Impersonation protection
D.Spoof intelligence
AnswerC

Impersonation protection is part of anti-phishing policies and allows you to define users (e.g., CEO) and domains to protect against impersonation.

Why this answer

Impersonation protection in Defender for Office 365 is specifically designed to detect and block business email compromise (BEC) attacks where an attacker spoofs a trusted sender, such as a CEO or CFO. It uses machine learning and sender intelligence to analyze email patterns and flag messages that impersonate internal or external high-value targets, making it the correct capability for this scenario.

Exam trap

The trap here is that candidates often confuse impersonation protection (user-level) with spoof intelligence (domain-level), assuming both handle the same type of attack, but impersonation protection is the only one that detects CEO fraud by analyzing sender identity rather than just domain authentication.

How to eliminate wrong answers

Option A is wrong because Safe Attachments protects against malware by detonating attachments in a sandbox, not against impersonation-based BEC attacks. Option B is wrong because Safe Links protects users from malicious URLs in emails and Office documents by checking links at click-time, not from sender impersonation. Option D is wrong because Spoof intelligence handles domain-level spoofing (e.g., forged From addresses using similar domains) but does not cover user-level impersonation of specific individuals like a CEO.

1106
MCQhard

Your company uses Microsoft Purview Information Protection to classify sensitive data. A user reports that when they try to share a document containing a credit card number via email, the email is blocked. Which Purview feature is most likely causing this behavior?

A.Data Loss Prevention (DLP) policy
B.Audit log
C.Sensitivity label
D.Retention label
AnswerA

DLP policies can detect credit card numbers and block sharing via email.

Why this answer

Option A is correct because Data Loss Prevention (DLP) policies can block emails containing sensitive data. Option C is wrong because sensitivity labels apply metadata but don't block actions. Option D is wrong because retention labels manage retention, not blocking.

Option B is wrong because audit logs record events but don't enforce blocks.

1107
MCQeasy

A company uses Microsoft Entra ID and wants to enable employees to reset their own passwords without needing to contact the help desk. They want to enforce multifactor authentication when the employee performs the reset. Which Microsoft Entra feature should they enable?

A.Microsoft Entra Self-Service Password Reset (SSPR)
B.Microsoft Entra ID Federation
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerA

Correct. SSPR enables users to reset their passwords without admin intervention, and can be configured to require MFA.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without help desk intervention, and it can be configured to require multifactor authentication (MFA) during the reset process. This aligns directly with the scenario of enabling self-service password changes while enforcing MFA for security.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risky password changes) with SSPR (which enables the actual password reset), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Federation is used to establish trust between an on-premises identity provider (e.g., AD FS) and Entra ID for single sign-on, not for self-service password reset with MFA enforcement. Option C is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., risky sign-ins or leaked credentials), but it does not provide a self-service password reset capability. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password reset functionality.

1108
Multi-Selectmedium

Which TWO of the following are benefits of using Microsoft Entra ID for identity management?

Select 2 answers
A.Single sign-on (SSO) to cloud applications
B.Password hash synchronization
C.Multi-factor authentication (MFA)
D.Automated security incident detection
E.Replacement of on-premises Active Directory
AnswersA, C

Entra ID enables SSO across thousands of SaaS apps.

Why this answer

Single sign-on (SSO) and multi-factor authentication (MFA) are key benefits of Entra ID. Password hash synchronization is a feature of Entra Connect, not a direct benefit. On-premises Active Directory is a separate service.

Security incident detection is more aligned with Microsoft Sentinel or Defender.

1109
MCQhard

A company wants to allow external customers to sign in to their custom web application using their own social identities, such as Google or Facebook. They also need to support self-service registration and custom branding for the sign-in pages. Which Microsoft Entra External ID solution should they use?

A.Microsoft Entra ID B2B collaboration
B.Microsoft Entra ID B2C
C.Microsoft Entra ID guest accounts
D.Managed identities
AnswerB

Microsoft Entra ID B2C is designed for customer-facing applications. It supports social identity providers and custom policies for registration and branding.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct solution because it is specifically designed for external customer identity and access management, supporting social identity providers (Google, Facebook, etc.) via OAuth 2.0 and OpenID Connect, self-service registration, and full customization of sign-in pages (branding, HTML, CSS). This aligns exactly with the requirements for a customer-facing web application with social sign-in and custom branding.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for external partners) with B2C (for external customers), mistakenly thinking B2B can handle social identities and self-service registration, but B2B lacks those capabilities and is designed for federated business accounts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B collaboration is intended for business-to-business scenarios, allowing external partners to sign in with their own work or school accounts, not social identities like Google or Facebook, and it does not support self-service registration or custom branding for sign-in pages. Option C is wrong because Microsoft Entra ID guest accounts are a feature of B2B collaboration, used for inviting external users (typically with work/school accounts) to access resources in the tenant, lacking social identity provider support and self-service registration. Option D is wrong because managed identities are an Azure resource authentication mechanism for Azure services to authenticate to other Azure services without storing credentials, not a solution for external customer sign-in or identity management.

1110
MCQhard

A company runs containerized applications on Azure Kubernetes Service (AKS) and stores container images in Azure Container Registry. The security team wants to automatically scan container images for vulnerabilities every time a new image is pushed to the registry and receive recommendations for remediation. Which Microsoft security solution should they enable?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud
D.Microsoft Defender for Office 365
AnswerC

Defender for Cloud includes the Defender for Container Registries plan that automatically scans images for vulnerabilities and provides remediation recommendations.

Why this answer

Microsoft Defender for Cloud provides integrated vulnerability assessment for container images stored in Azure Container Registry. When enabled, it automatically scans each new image pushed to the registry, identifies known vulnerabilities (using the Qualys scanner or Microsoft's own threat intelligence), and generates actionable remediation recommendations. This directly meets the security team's requirement for automated scanning and remediation guidance.

Exam trap

The trap here is that candidates confuse 'Defender for Cloud' (which covers workload protection including containers) with 'Defender for Endpoint' (which is device-focused), leading them to incorrectly select A because they think container scanning is an endpoint function.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is designed for endpoint detection and response (EDR) on devices (e.g., Windows, macOS, Linux servers), not for scanning container images in a registry. Option B is wrong because Microsoft Defender for Identity focuses on detecting identity-based threats (e.g., compromised accounts, lateral movement) in on-premises Active Directory and cloud identities, not container image vulnerability scanning. Option D is wrong because Microsoft Defender for Office 365 protects against email threats (phishing, malware, spoofing) and collaboration risks in Microsoft 365 apps, not container registries or image scanning.

1111
MCQeasy

A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?

A.Regulatory compliance dashboard
B.Secure Score
C.Azure Policy
D.Microsoft Sentinel
AnswerA

This dashboard directly provides compliance assessments against industry standards like CIS and NIST, showing which controls pass or fail.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a consolidated view of compliance with industry standards like CIS and NIST. It continuously assesses Azure resources against built-in compliance frameworks and displays the results in a dashboard, showing which controls are passing or failing. This directly meets the administrator's need to view a consolidated assessment of compliance with those specific standards.

Exam trap

The trap here is that candidates often confuse Secure Score (which shows overall security posture) with the Regulatory compliance dashboard (which specifically maps to industry standards), leading them to pick Secure Score when the question explicitly asks for compliance with CIS and NIST.

How to eliminate wrong answers

Option B (Secure Score) is wrong because Secure Score measures the overall security posture based on security recommendations, not compliance with specific industry standards like CIS or NIST. Option C (Azure Policy) is wrong because Azure Policy enforces and audits resource configurations using custom or built-in policies, but it does not provide a consolidated compliance dashboard against industry frameworks; it is a rule engine, not a compliance reporting tool. Option D (Microsoft Sentinel) is wrong because Microsoft Sentinel is a SIEM/SOAR solution for threat detection, investigation, and response, not a compliance assessment tool for Azure resources against standards like CIS or NIST.

1112
MCQmedium

An organization needs to detect and address potential policy violations in Microsoft Teams chat messages and channel conversations. They want to configure a policy that automatically scans for keywords related to confidential information and for sensitive data patterns like credit card numbers. When a violation is found, the policy should notify the user and their manager, and optionally escalate to a designated reviewer. Which Microsoft Purview solution should they configure?

A.Communication Compliance
B.Data Lifecycle Management
C.eDiscovery
D.Audit
AnswerA

Correct. Communication Compliance is designed to detect and remediate policy violations in communications, including Teams messages, with automated alerts and review workflows.

Why this answer

Communication Compliance is the correct solution because it is specifically designed to detect policy violations in Microsoft Teams messages and other communication channels by scanning for keywords and sensitive data patterns (e.g., credit card numbers). It can automatically notify the user and their manager, and optionally escalate violations to a designated reviewer for remediation, directly matching the organization's requirements.

Exam trap

The trap here is that candidates may confuse Communication Compliance with Data Loss Prevention (DLP) or eDiscovery, but DLP focuses on preventing data leaks (e.g., blocking sharing) rather than detecting and escalating policy violations with user/manager notifications, while eDiscovery is reactive and not designed for automated detection and notification workflows.

How to eliminate wrong answers

Option B (Data Lifecycle Management) is wrong because it focuses on retaining and deleting data based on policies (e.g., retention labels and retention policies), not on scanning for policy violations or sensitive content in communications. Option C (eDiscovery) is wrong because it is used for legal discovery and holds to search and export content for litigation or investigation, not for real-time detection and notification of policy violations. Option D (Audit) is wrong because it logs user and admin activities for security and compliance investigations, but it does not proactively scan messages for keywords or sensitive data patterns, nor does it provide notification or escalation workflows.

1113
MCQhard

A company wants to prevent users from sharing files containing personally identifiable information (PII) with external recipients. They also need to notify users if they attempt to share such files. Which Microsoft Purview solution should be configured?

A.Microsoft Purview Sensitivity Labels
B.Microsoft Purview Communication Compliance
C.Microsoft Purview eDiscovery
D.Microsoft Purview Data Loss Prevention
AnswerD

DLP policies can block sharing of sensitive data and notify users.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive data like PII and block sharing while showing a policy tip to the user. Option A is wrong because sensitivity labels alone do not block sharing. Option B is wrong because Communication Compliance is for detecting inappropriate messages, not for blocking file sharing.

Option C is wrong because eDiscovery is for investigation and search, not for prevention.

1114
MCQmedium

A company uses Microsoft 365 and wants to protect users from malicious attachments in email. The security team wants a solution that detonates attachments in a sandbox environment before delivery, and only allows the email through if the attachment is deemed safe. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Azure Firewall
AnswerA

Correct. Defender for Office 365's Safe Attachments feature detonates attachments in a sandbox to block malicious ones.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments, a feature that detonates email attachments in a virtual sandbox environment before delivery. It analyzes the attachment's behavior for malicious activity and only releases the email to the recipient's mailbox if the attachment is deemed safe, directly meeting the requirement for pre-delivery sandboxing.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which handles email security) with Microsoft Defender for Endpoint (which handles device security), leading them to select the wrong solution for email-specific threats.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not email attachment sandboxing. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) for controlling shadow IT and data protection across SaaS apps, not for email attachment detonation. Option D is wrong because Azure Firewall is a network-layer firewall that filters traffic based on IP/port rules, not capable of detonating email attachments in a sandbox.

1115
MCQhard

Your organization is using Microsoft Entra Permissions Management (CIEM). You need to identify overprivileged identities in AWS. Which capability should you use?

A.Audit trail
B.Permissions Analytics Report
C.Identity governance
D.Activity trail
AnswerB

This report analyzes permissions and identifies overprivileged identities.

Why this answer

Permissions Analytics Report is the correct capability because it specifically analyzes permissions across AWS, Azure, and GCP to identify overprivileged identities, unused permissions, and risky actions. It generates a detailed report that highlights identities with excessive permissions, enabling remediation to enforce least privilege. This aligns directly with the CIEM (Cloud Infrastructure Entitlement Management) goal of reducing privilege risks.

Exam trap

The trap here is that candidates confuse 'Permissions Analytics Report' with generic auditing features like Audit trail or Activity trail, assuming any logging tool can identify overprivileged identities, but only the report performs the specific analysis of permissions versus usage.

How to eliminate wrong answers

Option A is wrong because Audit trail in Microsoft Entra Permissions Management records historical changes to permissions and configurations, but it does not analyze or identify overprivileged identities; it is a logging feature. Option C is wrong because Identity governance in Microsoft Entra ID focuses on access reviews, entitlement management, and lifecycle workflows for users and groups, not on analyzing cloud infrastructure permissions across AWS. Option D is wrong because Activity trail tracks user actions and API calls in real-time or historically, but it does not assess permission levels or detect overprivileged identities; it is an auditing feature.

1116
MCQmedium

A company uses Microsoft Defender for Cloud to secure its Azure resources. The security team wants to receive a single recommendation for all resources that are missing just-in-time (JIT) VM access. Which Microsoft Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Security recommendations
C.Inventory
D.Security alerts
AnswerB

Security recommendations provide actionable steps to improve security posture, including enabling JIT.

Why this answer

Security recommendations in Defender for Cloud provide a list of best practices like enabling JIT. Option A is wrong because the regulatory compliance dashboard is for tracking compliance with standards; Option C is wrong because Inventory lists resources; Option D is wrong because security alerts report detected threats, not missing configurations.

1117
MCQhard

A company uses Microsoft Entra ID with a custom line-of-business application that only supports SAML 2.0. They want to enable single sign-on for users. What should they configure in Microsoft Entra ID?

A.Kerberos delegation
B.OpenID Connect authentication
C.SCIM-based user provisioning
D.SAML-based single sign-on
AnswerD

SAML 2.0 is supported for enterprise applications.

Why this answer

D is correct because the custom line-of-business application explicitly supports SAML 2.0, and Microsoft Entra ID can be configured as an identity provider (IdP) to enable SAML-based single sign-on. This allows users to authenticate once in Entra ID and then access the application without re-entering credentials, using SAML assertions to pass authentication and authorization data.

Exam trap

The trap here is that candidates may confuse SCIM provisioning (Option C) with SSO, or assume OpenID Connect (Option B) is universally compatible, but the question explicitly states the application only supports SAML 2.0, making SAML-based SSO the only correct choice.

How to eliminate wrong answers

Option A is wrong because Kerberos delegation is used for Windows-integrated authentication (e.g., on-premises Active Directory) and requires Kerberos protocol support, which is not compatible with a SAML 2.0-only application. Option B is wrong because OpenID Connect (OIDC) is built on OAuth 2.0 and uses JSON Web Tokens (JWTs), not SAML 2.0; the application only supports SAML 2.0, so OIDC cannot be used. Option C is wrong because SCIM (System for Cross-domain Identity Management) is a provisioning protocol for automating user and group lifecycle management, not an authentication or SSO protocol; it does not enable single sign-on.

1118
MCQhard

A company uses Azure SQL Database for a critical line-of-business application. The security team wants to enable threat protection that specifically detects and alerts on SQL injection attempts and anomalous database access patterns. Which workload protection plan should they enable within Microsoft Defender for Cloud?

A.Azure Defender for Servers
B.Azure Defender for SQL
C.Azure Defender for App Service
D.Azure Defender for Storage
AnswerB

Azure Defender for SQL is the dedicated plan for Azure SQL databases and SQL servers on machines. It includes vulnerability assessments and threat detection for SQL injection and other database threats.

Why this answer

Azure Defender for SQL is the correct workload protection plan because it is specifically designed to detect and alert on SQL injection attempts and anomalous database access patterns for Azure SQL Database. It uses Microsoft's threat intelligence and machine learning to monitor database activity, providing targeted alerts for SQL-specific threats, unlike other Defender plans that focus on different resource types.

Exam trap

The trap here is that candidates may confuse Azure Defender for SQL with Azure Defender for App Service, mistakenly thinking SQL injection is a web application attack, but SQL injection targets the database layer, which is protected by the SQL-specific plan, not the App Service plan.

How to eliminate wrong answers

Option A is wrong because Azure Defender for Servers protects virtual machines and their operating systems, not Azure SQL Database, and it does not specialize in SQL injection detection. Option C is wrong because Azure Defender for App Service secures web applications and APIs, focusing on threats like DDoS or web app vulnerabilities, not database-level SQL injection. Option D is wrong because Azure Defender for Storage monitors storage accounts for anomalies like unusual access patterns or malware uploads, but it does not cover SQL databases or SQL injection attempts.

1119
MCQeasy

Your organization uses Microsoft Purview to classify documents containing health information. You need to ensure that only users with explicit permission can access these documents. Which Microsoft Purview capability should you use?

A.Audit logs
B.Retention policies
C.Data Loss Prevention
D.Sensitivity labels with encryption
AnswerD

Sensitivity labels can apply encryption and restrict access to authorized users.

Why this answer

Option D is correct because sensitivity labels can enforce encryption and permissions. Option A is wrong because audit logs track activity but do not control access. Option B is wrong because retention policies manage time-based retention, not access.

Option C is wrong because DLP blocks sharing but does not manage access.

1120
Multi-Selecthard

Which THREE are valid authentication methods in Microsoft Entra ID?

Select 3 answers
A.FIDO2 security keys
B.Password
C.Smart card (physical)
D.SMS-based verification
E.Microsoft Authenticator app
AnswersA, B, E

FIDO2 security keys, passwords, and the Microsoft Authenticator app are all supported sign-in methods; FIDO2 keys and Authenticator also provide passwordless authentication.

Why this answer

FIDO2 security keys are a valid authentication method in Microsoft Entra ID because they provide passwordless, phishing-resistant authentication using public-key cryptography. Users register a hardware key that generates a key pair, and the private key never leaves the device, meeting strong authentication requirements for modern security.

Exam trap

The trap here is that candidates often confuse 'supported authentication methods' with 'secondary verification methods'—SMS is only a secondary factor, not a primary sign-in method, and smart cards require external federation, making them invalid as native Entra ID methods.

1121
MCQeasy

Which Microsoft cloud service provides a unified data governance solution that helps you manage and protect data across your entire data estate, including multi-cloud and on-premises?

A.Microsoft Defender for Cloud
B.Microsoft Intune
C.Microsoft Sentinel
D.Microsoft Purview
AnswerD

Purview provides data governance, classification, and lineage.

Why this answer

Option D is correct because Microsoft Purview is the unified data governance service. Option A is wrong because Microsoft Defender for Cloud focuses on security posture. Option B is wrong because Microsoft Intune manages endpoints.

Option C is wrong because Microsoft Sentinel is a SIEM.

1122
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that when a user's on-premises account is disabled, their cloud account is automatically disabled within 5 minutes. Which configuration should you use?

A.Microsoft Entra Privileged Identity Management
B.Microsoft Entra Conditional Access with session controls
C.Microsoft Entra Connect with directory sync configured for 5-minute sync interval
D.Microsoft Entra Connect Health
AnswerC

By default, sync runs every 30 minutes, but you can configure it to sync every 5 minutes using the scheduler.

Why this answer

Option C is correct because Microsoft Entra Connect with directory synchronization configured for a 5-minute sync interval ensures that changes made to on-premises Active Directory (such as disabling a user account) are replicated to Microsoft Entra ID within that interval. This meets the requirement of automatically disabling the cloud account within 5 minutes of the on-premises change.

Exam trap

The trap here is confusing identity synchronization (Entra Connect) with identity governance or access control tools like PIM or Conditional Access, which do not handle the propagation of on-premises account status changes to the cloud.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role activation, not the synchronization of user account status changes. Option B is wrong because Microsoft Entra Conditional Access with session controls enforces access policies based on conditions like location or device state, but it does not synchronize account disabled status from on-premises to the cloud. Option D is wrong because Microsoft Entra Connect Health monitors the health and performance of the sync infrastructure but does not control the sync interval or propagate account status changes.

1123
Multi-Selecthard

A healthcare organization subject to HIPAA regulations stores patient health information (PHI) in SharePoint Online and OneDrive. The compliance team needs to automatically detect and classify medical record numbers and other PHI when documents are uploaded. Detected sensitive content must be protected by encryption and restricted to authorized users only. Additionally, the team wants to prevent users from sharing such documents externally. Which TWO Microsoft Purview solutions should they combine to achieve these requirements? (Choose two.)

Select 2 answers
A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Information Protection
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Data Lifecycle Management
AnswersA, B

DLP can be configured to detect sensitive health information (via sensitive info types) and trigger actions such as blocking sharing or applying a label. This meets the detection and prevention requirements.

Why this answer

Microsoft Purview Information Protection (B) enables automatic classification and labeling of sensitive data like medical record numbers and PHI based on sensitive info types or trainable classifiers. Microsoft Purview Data Loss Prevention (A) then enforces policies to apply encryption, restrict access to authorized users, and block external sharing of labeled documents. Together, they meet the requirements for detection, protection, and sharing prevention.

Exam trap

The trap here is that candidates may confuse Communication Compliance (which monitors communications) with DLP or Information Protection, or assume Data Lifecycle Management handles classification, but it only manages retention and deletion.

1124
MCQhard

A security operations center (SOC) wants to enrich their detection capabilities by automatically correlating internal network logs with external threat intelligence feeds containing known malicious IP addresses and domains. They need to ingest, normalize, and prioritize these indicators and generate alerts when matches are found. Which Microsoft security solution provides built-in capabilities for this purpose?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft Defender for Endpoint
D.Microsoft 365 Defender
AnswerA

Sentinel natively supports threat intelligence connectors and analytics rules to correlate feeds with log data.

Why this answer

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) solution that provides built-in capabilities to ingest logs from internal network sources, normalize them using common data models, and automatically correlate them with external threat intelligence feeds (e.g., STIX/TAXII). It can prioritize indicators based on severity and generate real-time alerts when matches are found, making it the correct choice for this SOC requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), assuming that XDR covers all security operations needs, but XDR lacks the broad log ingestion and custom threat intelligence feed integration that a SIEM provides.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud) is wrong because it is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud resources, not a SIEM for ingesting and correlating internal network logs with external threat intelligence feeds. Option C (Microsoft Defender for Endpoint) is wrong because it is an endpoint detection and response (EDR) solution that protects individual devices, not a centralized platform for ingesting diverse network logs and threat intelligence. Option D (Microsoft 365 Defender) is wrong because it is an extended detection and response (XDR) solution that correlates signals across Microsoft 365 products (e.g., email, endpoints, identities), but it lacks the broad log ingestion and custom threat intelligence feed integration capabilities of a dedicated SIEM like Sentinel.

1125
MCQeasy

Your company is deploying Microsoft Defender for Office 365. The security team wants to automatically remove malicious attachments from emails before they reach user inboxes. Which protection feature should be configured?

A.Anti-spam policies
B.Safe Attachments policies
C.Anti-phishing policies
D.Safe Links policies
AnswerB

Safe Attachments scans and removes malicious attachments.

Why this answer

Safe Attachments in Defender for Office 365 detonates attachments in a sandbox and removes malicious ones before delivery. Option A is incorrect because anti-spam policies handle spam, not malware. Option C is incorrect because anti-phishing policies target phishing attempts.

Option D is incorrect because Safe Links protects URLs, not attachments.
