Microsoft Security, Compliance, and Identity Fundamentals (SC-900) - Questions 1126-1200

1411 questions total · 19 pages · All types, answers revealed

Page 16 of 19
1126
MCQ · hard

A data analyst is planning to leave the company in two weeks and has access to a large volume of sensitive customer data. The compliance team wants to detect if the analyst starts downloading large amounts of files to a personal USB drive or sending sensitive content to an external email address. They need to set up a policy that alerts on such anomalous data exfiltration activities without blocking operations until a thorough investigation is completed. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Communication Compliance
D.Microsoft Purview eDiscovery (Standard)
AnswerA

Correct. Insider Risk Management is designed to detect and investigate potential data leaks by employees, including anomalous exfiltration behaviors, with alerting and case management.

Why this answer

Microsoft Purview Insider Risk Management is designed to detect, investigate, and act on risky user activities, including data exfiltration by departing employees. It uses predefined indicators such as downloading files to USB drives or sending emails to external addresses, and can generate alerts without automatically blocking operations, allowing for a thorough investigation first.

Exam trap

The trap here is that candidates often confuse Insider Risk Management with Communication Compliance, but Communication Compliance focuses on communication content (e.g., offensive language) rather than behavioral data exfiltration patterns like USB downloads or bulk external emails.

How to eliminate wrong answers

Option B is wrong because Data Lifecycle Management focuses on retaining, deleting, and archiving data based on policies, not on detecting anomalous user behavior like exfiltration. Option C is wrong because Communication Compliance monitors for policy violations in communications (e.g., harassment, insider trading) but does not specifically detect file downloads to USB drives or bulk external emailing of sensitive data. Option D is wrong because eDiscovery (Standard) is used for searching and exporting content for legal or investigative purposes, not for real-time alerting on suspicious data exfiltration activities.

1127
Multi-Select · easy

Which TWO Microsoft security solutions can be used to centrally manage security policies across hybrid environments including on-premises and cloud? (Choose TWO.)

Select 2 answers
A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft Defender for Office 365
D.Microsoft Intune
E.Microsoft Defender for Cloud Apps
AnswersA, B

Sentinel ingests logs from on-premises and cloud sources for centralized monitoring.

Why this answer

Microsoft Defender for Cloud provides unified security management across multicloud and on-premises. Microsoft Sentinel is a SIEM/SOAR that aggregates security data from various sources. Defender for Cloud Apps focuses on SaaS applications.

Defender for Office 365 protects email. Intune manages endpoints. Defender for Cloud and Sentinel work across hybrid environments.

1128
MCQ · easy

A company uses a cloud-based email service. The service provider ensures that the physical data centers are secure and that the email platform is patched and available. The company is responsible for managing user accounts and ensuring that employees use strong passwords. This division of responsibilities is an example of which concept?

A.Defense in depth
B.Shared responsibility model
C.Zero Trust
D.Principle of least privilege
AnswerB

Correct. The shared responsibility model clearly divides security obligations between the cloud provider and the customer.

Why this answer

The scenario describes a clear division of security responsibilities between the cloud service provider (securing physical data centers, patching and operating the platform) and the customer (managing user accounts, enforcing strong passwords). This is the definition of the shared responsibility model, which Microsoft documents for Azure and Microsoft 365. For a SaaS service such as hosted email the provider is responsible for the physical hosts, network, hypervisor and the application itself, while the customer always retains responsibility for identities, data and client endpoints. The further a service moves toward SaaS, the more the provider takes on; what never moves to the provider is accountability for the customer's own accounts and data.

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth because both involve multiple security layers, but the question specifically tests the contractual and operational division of security tasks between cloud provider and customer, not the stacking of controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, antivirus, encryption) to protect assets, not a division of responsibilities between two parties. Option C is wrong because Zero Trust is a security model based on 'never trust, always verify'—it assumes no implicit trust and requires continuous authentication for every access request, not a contractual split of duties. Option D is wrong because the principle of least privilege is an access control concept that grants users only the minimum permissions needed to perform their tasks, not a framework for dividing security obligations between a provider and a customer.

1129
MCQ · hard

Your company uses Microsoft 365 Copilot to assist employees with drafting emails and documents. The security team needs to ensure that when Copilot accesses sensitive data, it respects the organization's sensitivity labels and does not expose highly confidential information to unauthorized users. What should the security team configure?

A.Configure Microsoft Defender for Cloud Apps session policies
B.Apply Microsoft Purview sensitivity labels to data and enable Copilot data protection
C.Disable Copilot for all users
D.Create a data loss prevention policy that blocks Copilot
AnswerB

Sensitivity labels are honored by Copilot to protect data.

Why this answer

Option B is correct because Microsoft 365 Copilot honors Microsoft Purview sensitivity labels: Copilot only surfaces content the signed-in user already has permission to open, and the encryption and usage rights attached to a label travel with the data, so highly confidential content is not exposed to users who lack rights to it. Option A is wrong because Defender for Cloud Apps session policies govern browser sessions to cloud apps, not how Copilot applies labels. Option C is wrong because disabling Copilot removes the capability instead of securing it.

Option D is wrong because a DLP policy that blocks Copilot outright prevents its use rather than making Copilot respect the organization's labels.

1130
MCQ · medium

You are a security administrator for Contoso Ltd. The company uses Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra ID. Recently, several users reported receiving phishing emails that bypassed the existing anti-phishing policies. The security team suspects that attackers are using sophisticated techniques to evade detection. You need to enhance the email security posture by implementing a solution that uses AI and machine learning to detect advanced phishing attempts, including those using social engineering and impersonation. Which Microsoft solution should you use?

A.Microsoft Sentinel
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Defender for Office 365 provides AI-driven protection against sophisticated phishing attacks, including impersonation and advanced threats.

Why this answer

Microsoft Defender for Office 365 includes anti-phishing policies built on AI and machine learning, including user and domain impersonation protection, mailbox intelligence and spoof intelligence, which is what the question asks for. Microsoft Sentinel is a SIEM/SOAR, not an email security product. Defender for Cloud Apps is a CASB for SaaS applications.

Defender for Identity detects threats from on-premises Active Directory signals, not from email.

1131
MCQ · easy

A company wants to restrict access to a sensitive SharePoint site based on the user's location and device compliance. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Privileged Identity Management
C.Entitlement Management
D.Identity Protection
AnswerA

Conditional Access policies allow location and device compliance conditions.

Why this answer

Conditional Access policies evaluate signals such as named locations and device compliance state (reported by Intune) and can grant or block access to a specific cloud app, such as SharePoint Online, on that basis. Option A is correct. Option B (Privileged Identity Management) is for just-in-time role activation.

Option C (Entitlement Management) is for access packages. Option D (Identity Protection) is for risk detection and remediation.

1132
MCQ · medium

A company uses Microsoft Entra ID. The compliance team requires that membership in highly privileged roles, such as Global Administrator, is reviewed quarterly. The review must be automated: role owners are sent an email notification with a list of current members to approve or deny. If a member does not respond within 30 days, their access should be automatically revoked. Which Microsoft Entra ID feature should the team use to set up this periodic review and automatic removal?

A.Access Reviews
B.Privileged Identity Management (PIM)
C.Conditional Access
D.Identity Protection
AnswerA

Correct: Microsoft Entra Access Reviews allow organizations to schedule recurring reviews of role memberships and automatically remove access for users who are not approved or who do not respond.

Why this answer

Access Reviews in Microsoft Entra ID is the correct feature because it is specifically designed for periodic, automated attestation of group or role memberships. It sends email notifications to designated reviewers, tracks responses, and can automatically remove users who do not respond within a defined period (e.g., 30 days). This directly meets the compliance requirement for quarterly reviews of Global Administrator membership with automatic revocation.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with Access Reviews, as both involve role management, but PIM handles activation and approval while Access Reviews handle periodic attestation and automatic removal.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time activation and approval workflows for privileged roles, not on periodic attestation reviews with automatic removal of non-responding members. Option C (Conditional Access) is wrong because it enforces access policies based on signals like location or device state, not on scheduled membership reviews or revocation. Option D (Identity Protection) is wrong because it detects and remediates identity-based risks (e.g., leaked credentials), not role membership governance or periodic attestation.

1133
MCQ · medium

A user receives a sensitivity label that automatically marks the email as 'Confidential' and prevents forwarding. The label was applied without user intervention. Which mechanism most likely applied the label?

A.Azure Information Protection file policy
B.Auto-classification via DLP policy
C.Default label configured in Microsoft 365
D.Manual labeling by the user
AnswerB

DLP can auto-apply sensitivity labels when sensitive content is detected.

Why this answer

Per the answer key, Option B is correct: content-based automatic classification applies the 'Confidential' label, with its forwarding restriction, when sensitive content is detected, without any user action. (In the Purview portal, automatic application of a sensitivity label is configured as an auto-labeling policy; DLP policies can use labels as conditions and apply protections, but do not themselves assign sensitivity labels.) Option A is wrong because Azure Information Protection file policies apply to files through the AIP client (Windows File Explorer) and scanner, not to email in transit. Option C is wrong because a default label is applied to every unlabeled email regardless of content, while the scenario implies the label was chosen because of the content.

Option D is wrong because manual labeling requires the user to act.

1134
Drag & Drop · medium

Arrange the steps to configure multi-factor authentication (MFA) for a user in Azure AD.


Why this order

MFA configuration involves navigating to user settings, requiring re-registration, user registration, and policy enforcement.

1135
Multi-Select · medium

Which THREE are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A.Automatically classify and label data
B.Detect sensitive information in documents and emails
C.Block sharing of sensitive data with external users
D.Manage encryption keys for data at rest
E.Provide policy tips to users when they attempt to share sensitive data
AnswersB, C, E

DLP uses sensitive info types to detect data.

Why this answer

Options B, C, and E are correct: DLP uses sensitive information types (and, as conditions, trainable classifiers or sensitivity labels) to detect sensitive content in documents and email, can block sharing with people outside the organization, and shows policy tips in Outlook, Office apps, SharePoint, OneDrive and Teams when a user is about to violate a policy. Option A is wrong because automatic classification and labeling is an Information Protection capability (auto-labeling policies), separate from DLP, even though DLP can key off labels once they are applied.

Option D is wrong because DLP does not manage encryption keys; keys for data at rest are handled by the service (optionally under Customer Key with Azure Key Vault).
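The three DLP capabilities the answer key lists (detect a sensitive information type, show a policy tip, block sharing with external recipients) map onto one policy and one rule in Security & Compliance PowerShell. The script below is an added example, not part of the question bank; it assumes the ExchangeOnlineManagement module and an account with compliance admin rights, and the policy and rule names and the tip text are illustrative.

```powershell
# Added example (not from the question bank): a Purview DLP policy that detects the
# built-in "Credit Card Number" sensitive information type in Exchange Online mail,
# shows the sender a policy tip, and blocks delivery to recipients outside the org.
# Requires: ExchangeOnlineManagement module, compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

$policyName = "Protect credit card numbers in email"   # illustrative name

# Policy scope: every Exchange Online mailbox. Start in test mode with
# notifications: users see policy tips, nothing is blocked yet, and the DLP
# reports show what WOULD have been blocked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Comment "Detects payment card numbers sent outside the organization" `
    -Mode TestWithNotifications

# Rule: at least one credit card number (Luhn-checked by the SIT), going to
# someone not in the organization -> policy tip to the sender and block.
New-DlpComplianceRule -Name "Block credit card numbers to external recipients" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains a payment card number and cannot be sent outside the organization." `
    -BlockAccess $true

# Once the test-mode matches look right (no false positives on internal mail),
# switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Read back what was configured.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName   | Format-List Name, AccessScope, BlockAccess, NotifyUser
```

The test-then-enforce sequence is the practitioner's caveat for this question: a DLP rule that blocks on first deployment with a noisy sensitive information type generates the kind of helpdesk load that gets the policy switched off again.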

1136
MCQ · hard

A security operations center (SOC) team needs to ingest security logs from on-premises servers, Azure virtual machines, and SaaS applications like Salesforce. They want a cloud-native solution that uses machine learning to detect threats, provides a unified query language for hunting, and supports automated incident response through playbooks. Which Microsoft solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Defender for Endpoint
AnswerB

Microsoft Sentinel is the correct SIEM+SOAR solution that ingests logs from multiple sources, provides advanced threat detection via ML, and supports automation with playbooks.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from on-premises servers, Azure VMs, and SaaS applications like Salesforce. It uses built-in machine learning to detect threats, offers the Kusto Query Language (KQL) for unified hunting, and supports automated incident response via playbooks built on Azure Logic Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM tool) with a SIEM, or assume Microsoft 365 Defender can ingest third-party SaaS logs, but only Microsoft Sentinel provides a cloud-native SIEM with unified log ingestion, ML threat detection, and automated playbook response.

How to eliminate wrong answers

Option A (Microsoft Defender for Cloud) is wrong because it is a Cloud Security Posture Management (CSPM) and workload protection tool, not a SIEM; it does not ingest arbitrary logs from on-premises servers or third-party SaaS, does not offer a unified hunting language across such sources, and its workflow automation acts on its own alerts and recommendations rather than on SIEM-wide incidents. Option C (Microsoft 365 Defender) is wrong because it is an XDR (Extended Detection and Response) solution focused on Microsoft 365 endpoints, email, and identities, not designed to ingest logs from on-premises servers or third-party SaaS like Salesforce. Option D (Microsoft Defender for Endpoint) is wrong because it is an endpoint-specific EDR (Endpoint Detection and Response) tool, not a SIEM; it cannot aggregate logs from multiple sources or provide a unified hunting query language across on-premises, Azure, and SaaS environments.

1137
MCQ · medium

A company uses Microsoft Entra ID. They frequently collaborate with an external partner organization. The IT team wants to allow the partner's users to access the company's internal SharePoint site using their existing corporate credentials from their own Microsoft Entra tenant. The partner users should not have to create separate guest accounts or remember another password. Which Microsoft Entra feature should the IT team configure?

A.Microsoft Entra B2C
B.Microsoft Entra B2B collaboration
C.Microsoft Entra Domain Services
D.Microsoft Entra Application Proxy
AnswerB

Correct. B2B collaboration lets external partners use their own work or school accounts to access your resources, enabling seamless collaboration without additional credentials.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it lets users from the partner's Microsoft Entra tenant access the company's internal SharePoint site with their existing corporate credentials. B2B does create a guest user object in the resource tenant, but that object is only a reference to the external identity: authentication still happens in the partner's home tenant, so the partner user gets no new account or password to manage, while the resource tenant's Conditional Access policies and sharing settings still apply to the guest.

Exam trap

The trap here is that candidates often confuse B2B collaboration with B2C, thinking both are for external users, but B2C is for consumers with self-service sign-up, while B2B is for business partners using their existing corporate identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C (Business-to-Consumer) is designed for customer-facing applications with self-service sign-up and social identity providers, not for granting external business partners access to internal resources using their existing corporate credentials. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP and Kerberos for legacy applications, not cross-tenant collaboration or external user access. Option D is wrong because Microsoft Entra Application Proxy enables secure remote access to on-premises web applications for internal users, not for external partner users from another tenant.

1138
MCQ · medium

Your organization wants to use Microsoft Entra ID to provide single sign-on (SSO) for a third-party SaaS application. What must you configure in Microsoft Entra ID?

A.Identity Protection policy
B.Conditional Access policy
C.Enterprise application registration
D.Self-service password reset
AnswerC

You register the SaaS app as an enterprise application and configure SSO.

Why this answer

Option C is correct because you add the SaaS app from the Microsoft Entra application gallery (or as a custom enterprise application), which creates the service principal you then configure for SAML-based or OpenID Connect SSO and assign users and groups to. Option A is incorrect because Identity Protection is for risk detection. Option B is incorrect because Conditional Access applies access controls to an application that already exists in the tenant; it does not create the SSO integration.

Option D is incorrect because self-service password reset is an unrelated feature.

1139
MCQ · medium

A multinational corporation must retain all financial records for 7 years and then permanently delete them. The compliance officer wants to ensure that even a global administrator cannot modify or delete the retention policy. Which Microsoft Purview solution and configuration should they use?

A.eDiscovery (Standard)
B.Compliance Manager
C.Data Lifecycle Management with a preservation lock
D.Information Protection with sensitivity labels
AnswerC

Data Lifecycle Management includes retention policies for automatic retention/deletion; a preservation lock secures the policy against tampering.

Why this answer

C is correct because Data Lifecycle Management with a preservation lock allows an organization to apply a retention policy that cannot be modified, deleted, or turned off by any administrator, including a global administrator. This ensures financial records are retained for 7 years and then permanently deleted, meeting the compliance officer's requirement for immutable retention. Because a preservation lock cannot be removed once applied, and a locked policy can only be changed in ways that widen it (adding locations or extending the retention period), the policy should be reviewed carefully before it is locked.

Exam trap

The trap here is that candidates often confuse retention policies with sensitivity labels or eDiscovery, not realizing that only a preservation lock provides the immutable, administrator-proof retention enforcement required for regulatory compliance.

How to eliminate wrong answers

Option A is wrong because eDiscovery (Standard) is used for searching and exporting content for legal or investigative purposes, not for enforcing mandatory retention or deletion policies. Option B is wrong because Compliance Manager is a risk assessment and compliance scoring tool, not a solution for configuring retention or deletion rules. Option D is wrong because Information Protection with sensitivity labels focuses on classifying and protecting data based on sensitivity (e.g., encryption, access restrictions), not on enforcing time-based retention and deletion with administrative lock.
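The retention policy, rule and preservation lock from question 1139, scripted in Security & Compliance PowerShell. This is an added example and not part of the question bank; it assumes the ExchangeOnlineManagement module and a compliance admin account, and the policy name is illustrative. Seven years is expressed as 2555 days because the cmdlet takes a day count.

```powershell
# Added example (not from the question bank): Data Lifecycle Management retention
# policy that keeps content for 7 years from creation, then deletes it, and is then
# protected with a preservation lock so no administrator can weaken or remove it.
# Requires: ExchangeOnlineManagement module, compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Financial records - retain 7 years then delete"   # illustrative name

# Retention policy scoped to the workloads that hold the financial records.
# Narrow the locations to the specific mailboxes/sites if the records live in
# known places; a locked policy can later be widened but never narrowed.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All

# Rule: keep for 2555 days (7 years) counted from creation, then delete.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration 2555 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Check the policy BEFORE locking: the next step is irreversible.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction

# Preservation lock. After this, the policy cannot be disabled or deleted and can
# only be edited to add locations or lengthen the retention period, by anyone,
# including Global Administrators.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true -Force

# Verify the lock took effect (RestrictiveRetention should read True).
Get-RetentionCompliancePolicy -Identity $policyName | Format-List Name, RestrictiveRetention
```

The read-back before `Set-RetentionCompliancePolicy -RestrictiveRetention $true` is the step that matters operationally: a typo in the retention duration or a missing location in a locked policy cannot be corrected downward afterwards.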

1140
MCQ · easy

Your organization uses Microsoft Entra ID to manage identities for employees and external partners. You need to ensure that external partners can access only specific applications and that their access expires automatically after 60 days. Which Microsoft Entra feature should you use?

A.Microsoft Entra B2B collaboration.
B.Conditional Access policies.
C.Microsoft Entra Identity Protection.
D.Microsoft Entra entitlement management.
AnswerD

Entitlement management with access packages can assign access and enforce expiration.

Why this answer

Microsoft Entra entitlement management allows you to create access packages that govern external partner access to specific applications, groups, and sites, with built-in time-limited access that automatically expires after a defined period (e.g., 60 days). This feature directly addresses the requirement to scope access to only specific applications and enforce automatic expiration, which is not natively handled by other Entra ID features.

Exam trap

The trap here is that candidates often confuse the invitation and authentication capabilities of B2B collaboration (Option A) with the full lifecycle and access governance provided by entitlement management, assuming B2B alone can enforce time-bound application access.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration enables external user invitation and authentication but does not provide granular control over which specific applications they can access or enforce automatic time-bound expiration policies on its own. Option B is wrong because Conditional Access policies enforce access controls based on conditions (e.g., location, device state) but cannot automatically expire access after a fixed duration like 60 days; they are real-time evaluation rules, not time-limited access management. Option C is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, suspicious sign-ins) and does not manage application-specific access or automatic expiration schedules.

1141
MCQ · easy

You are the compliance administrator for a retail company that uses Microsoft 365 Business Premium. The company needs to: - Block customers' credit card numbers from being sent via email. - Retain all sales invoices for 3 years as per financial regulations. - Allow managers to search and export employee emails for HR investigations. - Ensure that only HR can access employee salary information. Which Microsoft Purview solutions should you use?

A.DLP, Information Barriers, eDiscovery, and sensitivity labels
B.DLP, Data Lifecycle Management, eDiscovery, and sensitivity labels
C.Insider Risk Management, Data Lifecycle Management, eDiscovery, and sensitivity labels
D.Communication Compliance, Data Lifecycle Management, eDiscovery, and sensitivity labels
AnswerB

All requirements are met.

Why this answer

Option B is correct because DLP blocks credit card numbers in email; Data Lifecycle Management retention policies keep invoices for 3 years; eDiscovery lets authorized managers search and export employee email; sensitivity labels restrict access to salary information to HR. Option A is wrong because Information Barriers restrict who can communicate with whom, not how long records are kept. Option C is wrong because Insider Risk Management detects risky user behavior; it does not enforce retention.

Option D is wrong because Communication Compliance monitors messages for policy violations; it neither blocks data nor retains it.

1142
MCQ · easy

Refer to the exhibit. You are configuring a Microsoft Entra ID group. What does the exhibit represent?

A.A dynamic security group based on department attribute.
B.A Microsoft 365 group with dynamic membership.
C.A dynamic group based on user location.
D.A static security group with assigned members.
AnswerA

The rule uses user.department to automatically add members.

Why this answer

The JSON in the exhibit shows a dynamic group in Microsoft Entra ID whose membership rule includes users whose department equals 'Marketing'. Option D is incorrect because membership is rule-based, not assigned. Option B is incorrect because the group is a security group, not a mail-enabled Microsoft 365 group.

Option C is incorrect because the rule keys on department, not location.
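The group described in question 1142, created with Microsoft Graph PowerShell, with the properties that separate the four answer options read back from the directory. This is an added example, not the exhibit from the question bank; it assumes the Microsoft.Graph.Groups module, a Microsoft Entra ID P1 licence (required for dynamic membership), and an illustrative display name and mail nickname.

```powershell
# Added example (not from the question bank): a dynamic SECURITY group whose
# members are users with department = "Marketing", plus a read-back that shows
# the attributes distinguishing it from a Microsoft 365 group, a location-based
# rule, and an assigned-membership group.
# Requires: Microsoft.Graph.Groups module, Entra ID P1 for dynamic membership.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$group = New-MgGroup `
    -DisplayName  "Marketing (dynamic)" `
    -MailNickname "marketing-dynamic" `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Marketing")' `
    -MembershipRuleProcessingState "On"

# For comparison (answer option B), a Microsoft 365 group with the same rule
# would be MailEnabled:$true with -GroupTypes @("Unified","DynamicMembership");
# a location-based rule (option C) would look like '(user.country -eq "US")';
# an assigned group (option D) has no GroupTypes entry and no MembershipRule.

# Read back the properties that identify the group type.
Get-MgGroup -GroupId $group.Id `
    -Property Id,DisplayName,GroupTypes,MailEnabled,SecurityEnabled,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, GroupTypes, MailEnabled, SecurityEnabled,
                  MembershipRule, MembershipRuleProcessingState

# Membership is evaluated by the service asynchronously; after processing
# completes, list the users the rule pulled in.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

The read-back is the check to run when a dynamic group is being used as the target of a Conditional Access policy or a privileged role assignment: the `MembershipRule` is the effective access rule, and anyone who can edit the attribute it keys on (here `department`) can put themselves into the group.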

1143
MCQ · medium

Refer to the exhibit. A company has configured the above Conditional Access policy in Microsoft Entra ID. A user attempts to access Exchange Online from an untrusted location. What happens?

A.The user is granted access without MFA because the policy does not apply.
B.Access is blocked because the condition is not met.
C.The user is prompted for MFA because the policy applies to all users.
D.The user is blocked because the grant requires MFA.
AnswerA

Correct: The policy only applies to trusted locations.

Why this answer

The policy applies only to trusted locations. Since the user is from an untrusted location, the policy does not apply, so the user can access without MFA (assuming no other policies apply).
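Question 1143's policy is scoped the wrong way round for most organisations: including only trusted locations means sign-ins from everywhere else fall outside the policy. The script below is an added example, not the exhibit from the question bank; it builds the policy a practitioner would normally want (MFA for Exchange Online from all locations except trusted ones) with Microsoft Graph PowerShell, in report-only mode first. It assumes the Microsoft.Graph.Identity.SignIns module, and the break-glass account object IDs are a placeholder you must supply.

```powershell
# Added example (not from the question bank): Conditional Access policy requiring
# MFA for Exchange Online from any location that is NOT a trusted named location.
# Created in report-only mode so its effect can be checked in sign-in logs before
# it is enforced. Requires: Microsoft.Graph.Identity.SignIns module.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Object IDs of emergency-access (break-glass) accounts to exclude from the
# policy. Placeholder: fill in your own before running.
$breakGlassAccounts = @()

$policy = @{
    displayName = "Require MFA for Exchange Online outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # report-only
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassAccounts }
        # Well-known app ID of Office 365 Exchange Online
        applications = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # All locations in scope, trusted named locations excluded. This is the
        # inverse of the exhibit's policy, which included trusted locations only.
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read back the location scoping: an untrusted-location sign-in to Exchange
# Online is now in scope and will be required to satisfy MFA once enforced.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "IncludeLocations"; e = { $_.Conditions.Locations.IncludeLocations } },
        @{ n = "ExcludeLocations"; e = { $_.Conditions.Locations.ExcludeLocations } }

# After reviewing report-only results in the sign-in logs, enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Two practitioner caveats are baked in: the policy starts in report-only mode so a mis-scoped rule cannot lock out the tenant, and break-glass accounts are excluded so that an MFA outage does not lock out administrators either.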

1144
MCQ · medium

Your organization uses Microsoft Purview to manage compliance. You need to ensure that financial documents are automatically labeled as 'Financial' and retained for 7 years. Additionally, if a user tries to share a financial document externally, they must see a policy tip warning them and be blocked if they proceed. You also need to audit all access to financial documents. Which configuration should you implement?

A.Create a DLP policy to detect financial data and block external sharing; use default audit logging
B.Create a manual labeling policy for users to apply 'Financial' label; create a retention label for 7 years; create a DLP policy to warn on external sharing
C.Create a retention label 'Financial' with auto-apply based on sensitive info type; create a DLP policy to block external sharing
D.Create an auto-labeling policy to apply a sensitivity label 'Financial' with encryption; create a retention policy to retain all labeled content for 7 years; create a DLP policy to block external sharing of 'Financial' labeled content with a policy tip; enable audit logging
AnswerD

Auto-labeling applies label automatically; retention policy retains; DLP blocks sharing; audit logging tracks access.

Why this answer

Option D: an auto-labeling policy applies the 'Financial' sensitivity label (with encryption) automatically; a retention policy keeps the labeled content for 7 years; a DLP policy conditioned on that label blocks external sharing and shows a policy tip; audit logging records access to the documents. Option A: DLP alone neither labels nor retains. Option B: manual labeling is not automatic, and its DLP policy only warns rather than blocks. Option C: a retention label covers retention, but the option has no sensitivity label, no policy tip and no explicit auditing.

1145
MCQ · medium

Your organization uses Microsoft 365 and needs to identify internal users who are sending confidential data to external domains repeatedly. Which Microsoft Purview solution should you use?

A.Data Loss Prevention
B.Insider Risk Management
C.Audit (Premium)
D.Communication Compliance
AnswerB

Insider Risk Management uses analytics to detect patterns of risky behavior.

Why this answer

Option B is correct because Insider Risk Management can detect patterns of risky behavior like repeated data exfiltration. Option A is wrong because DLP blocks individual incidents but does not detect patterns. Option C is wrong because Audit logs show events but do not analyze patterns.

Option D is wrong because Communication Compliance monitors communications for policy violations, not exfiltration patterns.

1146
MCQ · medium

A financial services organization needs to prevent communication between its research analysts and investment bankers to comply with regulatory requirements. Which Microsoft Purview solution should the compliance team implement?

A.Data Loss Prevention (DLP)
B.Information Barriers
C.Data Lifecycle Management
D.Microsoft Purview eDiscovery
AnswerB

Information Barriers restrict communication and collaboration between user segments, ideal for separating analysts and bankers.

Why this answer

Information Barriers (IB) in Microsoft Purview is specifically designed to prevent communication and collaboration between certain user groups to comply with regulatory requirements, such as those in financial services that require separation between research analysts and investment bankers. IB policies enforce restrictions on Microsoft Teams, SharePoint, and OneDrive to block unauthorized communication and file sharing, directly addressing the need to avoid conflicts of interest.

Exam trap

Microsoft often tests the distinction between DLP and Information Barriers, where candidates mistakenly choose DLP because they think preventing communication is about protecting data, but DLP does not restrict person-to-person communication—it only restricts data sharing based on content classification.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) focuses on detecting and preventing the accidental or intentional sharing of sensitive data (e.g., credit card numbers, PII) via policies, not on restricting communication between specific user groups. Option C is wrong because Data Lifecycle Management (the home of retention policies and retention labels) governs how long data is retained and when it is deleted, not who can communicate with whom. Option D is wrong because Microsoft Purview eDiscovery is used for searching and exporting content for legal or investigative purposes, not for proactively preventing communication between users.

1147
MCQ · medium

A company uses Microsoft Entra ID and wants to automate the lifecycle of guest users. When a contractor's project ends, the guest account should be automatically blocked and then removed after 30 days. Which Microsoft Entra capability should they configure to manage this process?

A.Conditional Access
B.Entitlement Management
C.Privileged Identity Management
D.Identity Governance
AnswerB

Entitlement Management automates access requests, approvals, and lifecycle management, including automatic removal of guest accounts when access expires.

Why this answer

Entitlement Management in Microsoft Entra ID Governance allows organizations to automate the lifecycle of external identities, including guest users. By configuring an access package with a specific expiration policy (e.g., 30 days after project end), the system can automatically block and then remove the guest account when the entitlement expires, without manual intervention.

Exam trap

The trap here is that candidates confuse the broad category 'Identity Governance' (Option D) with the specific feature 'Entitlement Management' (Option B), but the question asks for the capability that directly configures the automated lifecycle, which is Entitlement Management.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access controls based on signals like location or device compliance, but it does not automate the lifecycle or removal of guest accounts. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and approvals, not the lifecycle of guest users or their automatic removal. Option D is wrong because Identity Governance is the overarching category that includes Entitlement Management, but it is not the specific capability that directly configures automated guest lifecycle policies; Entitlement Management is the precise tool within Identity Governance for this task.

1148
MCQ · hard

A security operations center (SOC) receives a high volume of low-fidelity alerts from various security tools. They need a solution that can automatically correlate alerts into incidents, use built-in machine learning to reduce false positives, and provide a unified console for investigation and response across Azure, on-premises, and Microsoft 365. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
AnswerB

Sentinel is a SIEM/SOAR that correlates alerts, reduces noise with ML, and provides a unified investigation and response console.

Why this answer

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) solution that ingests high-volume, low-fidelity alerts from multiple sources, correlates them into incidents using built-in analytics and machine learning, and provides a unified console for investigation and response across Azure, on-premises, and Microsoft 365. Its fusion and anomaly detection rules specifically reduce false positives by learning normal behavior patterns, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (a CSPM/CWPP) with a SIEM, or assume Defender for Endpoint can handle cross-environment correlation, when only Microsoft Sentinel provides the SIEM capabilities of alert aggregation, ML-based false-positive reduction, and a unified investigation console across Azure, on-premises, and Microsoft 365.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud resources and workloads, not a SIEM that correlates alerts into incidents or provides a unified SOC console across hybrid environments. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices and investigates endpoint-specific threats, but it does not aggregate alerts from multiple security tools or provide cross-domain incident correlation for Azure, on-premises, and Microsoft 365. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that focuses on shadow IT discovery and data protection for SaaS applications, not a SIEM that performs high-volume alert correlation and false-positive reduction via built-in machine learning.

1149
MCQmedium

A company uses Azure resources, on-premises servers, and third-party cloud apps. The security team wants a single solution to collect security logs from all these sources, detect threats using advanced analytics, and automate responses to incidents. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Intune
C.Microsoft Sentinel
D.Microsoft Purview Compliance Manager
AnswerC

Correct. Microsoft Sentinel is designed to ingest logs from multiple sources, provide threat detection via analytics, and automate responses.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that can ingest logs from Azure resources, on-premises servers via the Log Analytics agent or Azure Arc, and third-party cloud apps using connectors. It provides advanced analytics with built-in machine learning to detect threats and supports automated incident response through playbooks powered by Azure Logic Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM tool) with a SIEM solution, failing to recognize that Sentinel is the only Microsoft service designed specifically for cross-source log aggregation, advanced threat detection, and automated incident response in a hybrid multi-cloud environment.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection platform, not a SIEM; it does not natively collect logs from on-premises servers or third-party cloud apps for unified threat detection and automated response. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) solution focused on endpoint compliance and app policies, not on collecting security logs or performing threat detection across hybrid environments. Option D is wrong because Microsoft Purview Compliance Manager is a compliance management tool that helps assess and manage regulatory compliance, not a security log collection or threat detection solution.

1150
MCQhard

Your organization uses Microsoft Purview Insider Risk Management. You need to create a policy that detects users exfiltrating sensitive data via email to external recipients. Which policy type should you configure?

A.Offensive language
B.Data leaks
C.Data theft
D.Security policy violations
AnswerB

Data leak policies are designed to detect accidental or intentional exfiltration of sensitive data.

Why this answer

Data leak policies in Insider Risk Management are designed to detect exfiltration of sensitive data, so Option B is correct. Option C is wrong because Data theft policies focus on theft of intellectual property by departing users, not necessarily via email.

Option D is wrong because Security policy violations cover security rule breaches. Option A is wrong because Offensive language policies deal with harassment.

1151
MCQeasy

A company wants to classify and label data in Microsoft SharePoint Online automatically based on content containing passport numbers. Which Microsoft Purview feature should they use?

A.Audit log
B.Data classification dashboard
C.Data loss prevention (DLP) policy
D.Auto-labeling policy
AnswerD

Auto-labeling policies scan content and apply labels based on sensitive info types.

Why this answer

Correct: an auto-labeling policy in Purview applies labels automatically based on detected sensitive information types. Option C is wrong because a DLP policy prevents sharing rather than applying labels. Option B is wrong because the data classification dashboard shows classification results.

Option A is wrong because audit logs are for activity tracking.

1152
MCQmedium

A company's security team has adopted a strategy that assumes a breach has already occurred. They implement network segmentation, apply strict least privilege access, continuously verify all access requests, and never trust users or devices solely because they are inside the network perimeter. This approach best describes which security model?

A.Zero Trust
B.Shared responsibility model
C.Defense in depth
D.Identity and Access Management (IAM)
AnswerA

Zero Trust is a security model that eliminates implicit trust and continuously validates every phase of a digital interaction. It assumes breach, verifies explicitly, and uses least privilege access.

Why this answer

The scenario explicitly describes the core tenets of the Zero Trust model: assume breach, enforce least privilege, segment networks, and never trust any user or device based solely on network location. Zero Trust, as defined by NIST SP 800-207, mandates continuous verification of every access request, treating every request as if it originates from an untrusted network, which directly matches the company's strategy.

Exam trap

The trap here is that candidates confuse 'Defense in depth' with Zero Trust because both involve multiple security controls, but Defense in depth does not require the 'assume breach' mindset or the elimination of implicit trust based on network perimeter, which is the defining characteristic of Zero Trust.

How to eliminate wrong answers

Option B (Shared responsibility model) is wrong because it describes the division of security responsibilities between a cloud provider and a customer (e.g., AWS or Azure), not a security architecture that assumes breach and verifies every request. Option C (Defense in depth) is wrong because it relies on multiple layers of security controls (e.g., firewalls, IDS/IPS) but does not inherently require the 'never trust, always verify' principle or the assumption of an existing breach; it is a layered approach, not a trust model. Option D (Identity and Access Management - IAM) is wrong because IAM is a subset of security controls focused on managing identities and access policies (e.g., Azure AD, RBAC), not a comprehensive security model that dictates network segmentation and continuous verification of all access requests.

1153
MCQmedium

An organization has Microsoft Sentinel and Microsoft Defender XDR. They want to automatically block a user's sign-in if a high-risk alert is triggered. Which Microsoft Entra feature integrates with these products to enforce access controls?

A.Conditional Access with Identity Protection integration
B.Microsoft Entra Access Reviews
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management
AnswerA

Conditional Access can block sign-ins based on risk.

Why this answer

Option A is correct because Conditional Access with Identity Protection integration allows organizations to create policies that automatically block sign-ins when Microsoft Sentinel or Microsoft Defender XDR triggers a high-risk alert. This integration leverages risk signals from Identity Protection to enforce real-time access controls, such as blocking authentication, without manual intervention.

Exam trap

The trap here is that candidates confuse Microsoft Entra Identity Protection (which only detects and reports risk) with Conditional Access (which enforces the actual block), leading them to select Identity Protection alone instead of the integrated Conditional Access solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Access Reviews are used for periodic attestation of group memberships, application access, and role assignments, not for real-time automated blocking based on risk alerts. Option C is wrong because Microsoft Entra Identity Protection alone detects and reports risk signals (e.g., leaked credentials, anonymous IP addresses) but does not enforce access controls; it requires integration with Conditional Access to take blocking actions. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not automated sign-in blocking based on security alerts.

1154
MCQmedium

A healthcare organization must comply with HIPAA regulations. They use Microsoft Purview to classify and label patient data. Which Microsoft Purview capability helps them enforce data protection policies automatically?

A.eDiscovery
B.Audit logs
C.Sensitivity labels
D.Data loss prevention (DLP) policies
AnswerD

DLP policies can automatically block or warn users when sensitive data is shared inappropriately.

Why this answer

Data loss prevention (DLP) policies in Microsoft Purview can automatically detect and protect sensitive data like health information. Option C is wrong because sensitivity labels apply classification but not automatic protection actions on their own. Option B is wrong because audit logs record events but don't enforce policies.

Option A is wrong because eDiscovery focuses on searching content for legal purposes, not automatic enforcement.

1155
MCQhard

Your organization is planning to deploy Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that logs from your network proxy servers are ingested. Which method should you use to connect the logs?

A.Log collector
B.Conditional Access App Control
C.Microsoft Sentinel data connector
D.App connector API
AnswerA

Correct: Log collectors are deployed on-premises to forward proxy logs to Defender for Cloud Apps for shadow IT discovery.

Why this answer

Defender for Cloud Apps uses log collectors to ingest traffic logs from proxies and firewalls, so Option A is correct. Option D (App connector API) connects to cloud apps, not proxies.

Option B (Conditional Access App Control) controls access to apps. Option C (Microsoft Sentinel data connector) is for SIEM ingestion, not Cloud App Discovery.

1156
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to allow external partners to access a specific SharePoint Online site without requiring them to have a Microsoft Entra ID account in your tenant. Which feature should you use?

A.Use Microsoft Entra B2B collaboration to invite partners as guest users.
B.Set up identity protection to allow external access.
C.Configure Microsoft Entra B2C for the partners.
D.Create guest user accounts for each partner.
AnswerA

B2B collaboration enables external partners to access resources using their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows you to invite external partners as guest users who can access resources like SharePoint Online using their own identity (e.g., a Microsoft account or a corporate account from another identity provider) without requiring a separate Microsoft Entra ID account in your tenant. This leverages the B2B collaboration protocol, which uses SAML/WS-Federation or OIDC for federation, enabling seamless access while maintaining centralized access control.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, assuming both are for external users, but B2C is for customer-facing apps with self-service sign-up, while B2B is for granting access to business partners with existing identities.

How to eliminate wrong answers

Option B is wrong because Identity Protection is a security tool for detecting and responding to identity-based risks (e.g., compromised credentials, anomalous sign-ins) and does not provide a mechanism to grant external users access to resources. Option C is wrong because Microsoft Entra B2C is designed for customer-facing applications where users sign up and sign in with social or local accounts, not for granting external business partners access to internal resources like SharePoint Online. Option D is wrong because creating guest user accounts manually for each partner is inefficient and not a feature name; the correct feature is Microsoft Entra B2B collaboration, which automates the invitation and lifecycle management of guest users.

1157
MCQhard

Refer to the exhibit. You are reviewing a policy in Microsoft Defender for Cloud that monitors for unencrypted data uploads to an S3 bucket. The policy condition is shown. Which statement about this policy is correct?

A.The policy enforces encryption for objects uploaded to the 'documents' bucket.
B.The policy applies to all S3 buckets in the account.
C.The policy requires encryption with AWS KMS.
D.The policy denies all uploads to the bucket.
AnswerA

The condition requires server-side encryption with AES256, enforcing encryption for all uploads to that bucket.

Why this answer

The condition specifies that the request must have server-side encryption set to AES256. This is a security control to ensure data is encrypted at rest. The policy restricts uploads without encryption, but it allows uploads with AES256 encryption.

The resource is a wildcard under the 'documents' bucket. Option A correctly states that the policy enforces encryption for objects uploaded to the 'documents' bucket.

1158
MCQeasy

A user is unable to access a cloud app and receives a message that their sign-in was blocked by a Conditional Access policy. The admin wants to allow the user to self-remediate by meeting policy requirements. What should the admin enable?

A.Self-Service Password Reset
B.Multifactor Authentication registration
C.Identity Protection risk policies
D.Conditional Access policy feedback
AnswerD

Informs users why access was blocked and how to fix.

Why this answer

Option D is correct because enabling Conditional Access policy feedback allows users to receive guidance on why their sign-in was blocked and how to meet the policy requirements, such as using a compliant device or accessing from a trusted location. This feature provides actionable messages that enable self-remediation without admin intervention, directly addressing the scenario where the user needs to unblock themselves by satisfying the policy conditions.

Exam trap

The trap here is that candidates often confuse 'Conditional Access policy feedback' with other self-service features like SSPR or MFA registration, but the question specifically asks for the mechanism that provides users with actionable guidance on why they were blocked and how to meet the policy requirements, which is unique to policy feedback.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, but it does not address Conditional Access policy blocks that are unrelated to password issues, such as device compliance or location requirements. Option B is wrong because Multifactor Authentication (MFA) registration enables users to set up MFA, but the sign-in was blocked by a Conditional Access policy that may require additional conditions (e.g., compliant device, trusted IP) beyond MFA; enabling MFA registration alone does not guarantee the user can meet all policy requirements. Option C is wrong because Identity Protection risk policies are a separate feature that detects and responds to risky sign-ins (e.g., leaked credentials), but they do not provide the user with specific feedback on why a Conditional Access policy blocked them or how to self-remediate; risk policies automatically block or require MFA based on risk level, not user-driven feedback.

1159
MCQmedium

Refer to the exhibit. A security administrator is reviewing an Azure Resource Manager template for a virtual machine. What is the purpose of the 'identity' section shown?

A.It enables system-assigned managed identity for the VM.
B.It configures multi-factor authentication for the VM.
C.It creates a new managed identity named 'id1' in the resource group.
D.It assigns a user-assigned managed identity to the VM so it can access other Azure resources securely.
AnswerD

User-assigned managed identities allow VMs to authenticate to Azure services without secrets.

Why this answer

The identity section assigns a user-assigned managed identity to the virtual machine, allowing it to authenticate to Azure services without storing credentials. Option A is wrong because a system-assigned managed identity would have 'type': 'SystemAssigned'. Option C is wrong because the section does not create a new identity; it references an existing one.

Option B is wrong because the section does not enable MFA.

1160
Multi-Selectmedium

Your company uses Microsoft Defender for Endpoint. You need to configure attack surface reduction (ASR) rules. Which TWO of the following are ASR rules?

Select 2 answers
A.Block executable content from email client and webmail
B.Allow only signed executables
C.Block inbound connections from the internet
D.Block untrusted fonts
E.Block Office applications from creating child processes
AnswersA, E

This is a built-in ASR rule.

Why this answer

Options A and E are correct. Blocking executable content from email client and webmail (A) and blocking Office applications from creating child processes (E) are built-in ASR rules. Option C is a Windows Defender Firewall rule, not ASR.

Option B is an application control rule, not ASR. Option D is a network protection rule, not ASR.

1161
MCQmedium

Your company is using Microsoft Entra ID to manage identities. You want to allow users to reset their own passwords without help desk intervention, but only if they have registered for self-service password reset (SSPR). What should you configure?

A.Require all users to register for Microsoft Entra MFA.
B.Configure Microsoft Entra password protection.
C.Implement Privileged Identity Management (PIM).
D.Enable Self-Service Password Reset (SSPR) in Microsoft Entra ID.
AnswerD

SSPR allows users to reset passwords after registration.

Why this answer

Enabling Self-Service Password Reset (SSPR) in Microsoft Entra ID allows users to reset their own passwords without help desk intervention, provided they have registered for the feature. This directly meets the requirement of allowing password resets only for registered users, as SSPR requires prior registration to verify identity before a reset is permitted.

Exam trap

The trap here is that candidates often confuse enabling SSPR with requiring MFA registration, but MFA registration alone does not grant password reset capabilities—SSPR must be explicitly enabled and configured.

How to eliminate wrong answers

Option A is wrong because requiring all users to register for Microsoft Entra MFA is a separate security feature that adds multi-factor authentication but does not enable password reset functionality; MFA can be used as part of SSPR registration but is not sufficient alone. Option B is wrong because Microsoft Entra password protection is a feature that blocks weak passwords and common password attacks, but it does not provide self-service password reset capabilities. Option C is wrong because Privileged Identity Management (PIM) is designed for managing, controlling, and monitoring access to privileged roles, not for enabling end-user password self-service.

1162
MCQeasy

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled and applies to all cloud apps. Which users are affected by this policy?

A.All users who are members of any Azure AD administrative role
B.All users who are members of the Global Administrator role only
C.All users who are members of the Global Administrator or Exchange Administrator role
D.All users in the organization
AnswerC

Correctly interprets the includeRoles property.

Why this answer

Option C is correct because the property 'includeRoles' specifies that only users assigned the Global Administrator or Exchange Administrator roles are included. Option D is wrong because the policy does not apply to all users; it applies only to the listed roles. Option B is wrong because the policy includes the Exchange Administrator role as well, not the Global Administrator role only.

Option A is wrong because the policy does not apply to all admin roles, only the two specified.

1163
MCQmedium

You are an identity consultant for a mid-sized company with 5,000 employees. They use Microsoft Entra ID P1 and Microsoft Intune for device management. The company wants to implement passwordless authentication for all employees to improve security and user experience. Currently, users sign in with username and password plus MFA via the Microsoft Authenticator app. The company has a mix of Windows 10/11 devices (both domain-joined and Microsoft Entra joined) and iOS/Android mobile devices. They want to support passwordless sign-in on all platforms. The CTO is concerned about cost and wants to minimize additional licensing. Which passwordless method should you recommend?

A.Enable Windows Hello for Business for all devices
B.Deploy FIDO2 security keys to all employees
C.Implement SMS-based one-time passcodes
D.Use the Microsoft Authenticator app for passwordless sign-in
AnswerD

Authenticator app is free with existing licenses and supports all platforms.

Why this answer

The Microsoft Authenticator app supports passwordless sign-in using phone-based authentication, which works on both iOS and Android devices and can be used to sign into Windows 10/11 devices via the 'Sign in with phone' feature. This method leverages existing Microsoft Entra ID P1 licensing without requiring additional costs, as it is included with the current P1 license. It provides a seamless user experience by eliminating the need for hardware tokens or additional infrastructure, aligning with the CTO's cost-minimization goal.

Exam trap

The trap here is that candidates often assume Windows Hello for Business is the only Microsoft passwordless solution for Windows devices, overlooking that the Microsoft Authenticator app can provide passwordless sign-in across all platforms (Windows, iOS, Android) without additional licensing or hardware costs.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires either a domain-joined device with on-premises Active Directory or a Microsoft Entra joined device, and it does not support iOS/Android mobile devices, so it cannot cover all platforms as required. Option B is wrong because deploying FIDO2 security keys to 5,000 employees would incur significant hardware procurement and management costs, contradicting the CTO's directive to minimize additional licensing and expenses. Option C is wrong because SMS-based one-time passcodes are not a passwordless method; they still require a password as the primary authentication factor and are considered a form of MFA, not passwordless authentication.

1164
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview eDiscovery? (Choose three.)

Select 3 answers
A.Block sharing of sensitive data via email
B.Export search results to a PST file
C.Place a legal hold on mailboxes and sites
D.Automatically delete emails older than 7 years
E.Search for content across Exchange Online, SharePoint Online, and OneDrive for Business
AnswersB, C, E

eDiscovery supports exporting results to PST.

Why this answer

Option B is correct because Microsoft Purview eDiscovery includes the capability to export search results to a PST file, allowing investigators to preserve and review mailbox content offline. This is a standard feature in both eDiscovery (Standard) and eDiscovery (Premium) for exporting Exchange Online data.

Exam trap

The trap here is that candidates confuse eDiscovery's search and hold capabilities with retention or DLP features, leading them to select options like automatic deletion or blocking sensitive data, which belong to separate Purview solutions.

1165
MCQeasy

A healthcare organization uses digital signatures on electronic medical records to ensure that the records have not been tampered with during transmission. Which security goal is primarily being addressed by this practice?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data has not been altered by unauthorized parties. Digital signatures provide a mechanism to detect any changes, thus preserving integrity.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA) to create a hash of the electronic medical record, which is then encrypted with the signer's private key. Any tampering with the record during transmission will cause the hash verification to fail, directly ensuring data integrity. This practice does not primarily address confidentiality (which requires encryption) or availability (which focuses on uptime).

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but the question's focus on 'tampered with during transmission' directly points to integrity, not the ability to prove who signed it.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES or TLS), not through digital signatures which do not hide the content. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or disaster recovery, and digital signatures do not contribute to uptime. Option D is wrong because non-repudiation prevents the signer from denying their action, which is a secondary benefit of digital signatures, but the question specifically asks about tamper detection during transmission, which is the core integrity goal.

1166
Multi-Selectmedium

Which TWO components are part of the 'Zero Trust' security model? (Choose two.)

Select 2 answers
A.Least privilege
B.VPN access
C.Password complexity
D.Verify explicitly
E.Perimeter-based security
AnswersA, D

Limit access to only what is needed.

Why this answer

Correct answers are A and D: Verify explicitly treats every access request as a potential threat, and Least privilege ensures users have only the minimum access needed. Option E is incorrect because perimeter-based security is the traditional model that Zero Trust replaces. Option C is incorrect because password complexity is a single authentication factor, not a Zero Trust principle.

Option B is incorrect because VPNs are network access methods, not Zero Trust principles.

1167
MCQmedium

A company uses Microsoft Defender for Cloud to secure their multi-cloud environment, which includes Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). They want a unified view of security posture, continuous assessment of resources, and recommendations to improve security across all clouds. Which feature of Defender for Cloud provides this capability?

A.Cloud Security Posture Management (CSPM)
B.Cloud Workload Protection (CWP)
C.Microsoft Secure Score
D.Regulatory Compliance Dashboard
AnswerA

CSPM provides posture management, secure score, and recommendations across multi-cloud environments, meeting all requirements.

Why this answer

Cloud Security Posture Management (CSPM) is the correct feature because it provides a unified, multi-cloud view of security posture, continuously assesses resources against security benchmarks (e.g., CIS, NIST), and generates actionable recommendations to harden configurations across Azure, AWS, and GCP. This directly matches the scenario's requirement for a single pane of glass for posture management and improvement across all three clouds.

Exam trap

The trap here is that candidates confuse Cloud Security Posture Management (CSPM) with Cloud Workload Protection (CWP), mistakenly thinking that workload protection includes posture assessment, when in fact CSPM is the dedicated feature for multi-cloud posture visibility and recommendations.

How to eliminate wrong answers

Option B (Cloud Workload Protection, CWP) is wrong because CWP focuses on threat detection and advanced defenses for workloads (e.g., just-in-time VM access, file integrity monitoring), not on providing a unified posture view or continuous assessment of resource configurations. Option C (Microsoft Secure Score) is wrong because Secure Score is a metric that quantifies an organization's security posture based on Defender for Cloud recommendations, but it is not the feature that performs the continuous assessment or generates the recommendations itself. Option D (Regulatory Compliance Dashboard) is wrong because this dashboard tracks compliance against specific standards (e.g., SOC 2, PCI DSS) using built-in assessments, but it does not provide the general, unified posture view and continuous assessment of all resources across multi-cloud environments.

1168
MCQhard

Refer to the exhibit. A user accesses a web app from a device that is Microsoft Entra joined but not Intune compliant. Which condition will be satisfied?

A.Domain joined
B.Neither condition
C.Compliant device
D.Both conditions
AnswerB

Microsoft Entra join is not domain join.

Why this answer

The device is Microsoft Entra joined, which is not the same as being domain joined: the Conditional Access 'Domain joined' condition refers to a device joined to an on-premises Active Directory domain, so it is not met. The device is also not Intune compliant, so the 'Compliant device' condition is not met either. Because the device satisfies neither condition, the correct answer is 'Neither condition'.

Exam trap

The trap here is that candidates assume 'Domain joined' is satisfied because the device is Microsoft Entra joined, but Microsoft Entra join and domain join are different device states, so that condition is not met.

How to eliminate wrong answers

Option A is wrong because a Microsoft Entra joined device is not domain joined, so the 'Domain joined' condition is not satisfied. Option C is wrong because the device is explicitly stated as 'not Intune compliant,' so the 'Compliant device' condition is not satisfied. Option D is wrong because the device satisfies neither condition, so 'Both conditions' cannot be true.

1169
MCQmedium

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

A.Software as a Service (SaaS)
B.Platform as a Service (PaaS)
C.Infrastructure as a Service (IaaS)
D.On-premises
AnswerC

In IaaS, the customer manages the virtual machines, operating systems, applications, and data, while the provider manages the physical hosts and network. This gives the customer the most security responsibility among cloud service models.

Why this answer

In the Infrastructure as a Service (IaaS) model, the customer is responsible for securing the operating system, applications, data, and network configurations, while Microsoft only secures the physical datacenter, host servers, and hypervisor. This gives the customer the most security responsibility compared to PaaS or SaaS, where Microsoft manages more of the stack.

Exam trap

The trap here is that candidates often confuse 'most responsibility' with 'most control' and incorrectly pick on-premises (Option D), forgetting that the question explicitly asks about cloud service models, where IaaS gives the customer the greatest security responsibility among the cloud options.

How to eliminate wrong answers

Option A is wrong because in SaaS (e.g., Microsoft 365), Microsoft manages nearly the entire security stack including the application, runtime, and data storage, leaving the customer responsible only for data classification and account hygiene. Option B is wrong because in PaaS (e.g., Azure SQL Database), Microsoft secures the runtime, OS, and middleware, while the customer manages only the application code and data access. Option D is wrong because on-premises workloads give the customer 100% security responsibility, but the question asks about cloud service models, and on-premises is not a cloud model; the CISO specifically wants to understand division of responsibilities across cloud service models.

1170
Multi-Select · medium

A healthcare organization uses Microsoft Purview to protect patient health information (PHI). They need to identify sensitive data stored in Microsoft SharePoint Online and prevent unauthorized sharing. Which two Purview solutions should they implement? (Select all that apply.)

Select 2 answers
A. Data Classification
B. Data Loss Prevention (DLP)
C. Insider Risk Management
D. Communication Compliance
Answers: A, B

Data Classification (including automatic sensitivity labeling) helps identify and label PHI content in SharePoint Online.

Why this answer

Data Classification (A) is correct because it enables the organization to identify and label sensitive data, such as PHI, stored in SharePoint Online. By applying sensitivity labels or retention labels, the organization can classify content based on its sensitivity, which is a prerequisite for applying protective actions. This allows them to discover where PHI resides and prepare it for further controls.

Exam trap

The trap here is that candidates often confuse Insider Risk Management with Data Loss Prevention, thinking it can prevent data leaks, when in fact it only provides detection and investigation capabilities, not proactive blocking of unauthorized sharing.

1171
MCQ · hard

A security analyst runs the above KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. Correlate MFA failures with other security events
B. Identify all users who had an MFA failure anomaly in the last 7 days
C. Identify users who have been blocked due to MFA failures
D. Identify users with more than 5 MFA failure anomalies in the last 7 days
Answer: D

The where clause filters for count > 5, so it returns users with excessive anomalies.

Why this answer

Option D is correct because the query counts alerts per user and filters for a count greater than 5, which identifies users with excessive MFA failure anomalies. Option B is wrong because the query does not return every user with an anomaly, only those above the threshold. Option A is wrong because the query does not correlate MFA failures with other event sources. Option C is wrong because the query does not identify blocked users.

1172
MCQ · hard

Your organization implements a Microsoft Entra ID tenant with a custom domain (contoso.com). You need to ensure that all users are assigned a unique user principal name (UPN) based on their email address. What should you do?

A. Configure the user naming attribute to use the email address as the UPN
B. Verify the custom domain in Microsoft Entra ID
C. Enable Microsoft Entra ID Domain Services
D. Use Microsoft Entra ID Connect to sync UPNs from on-premises
Answer: A

Setting the UPN to email ensures each user has a unique UPN based on email.

Why this answer

Option A is correct because configuring the user naming attribute to use the email address as the UPN directly assigns each user a unique UPN that matches their email address. This setting is available in the Microsoft Entra ID tenant under 'User settings' and ensures that the UPN suffix (the domain part) aligns with the verified custom domain (contoso.com). This approach satisfies the requirement without requiring additional synchronization or domain services.

Exam trap

The trap here is that candidates often confuse verifying a custom domain (Option B) with automatically assigning UPNs based on email addresses, but verification alone does not change how UPNs are generated; it only enables the domain to be used as a suffix.

How to eliminate wrong answers

Option B is wrong because verifying the custom domain in Microsoft Entra ID is a prerequisite for using that domain in UPNs, but it does not automatically assign UPNs based on email addresses; it only confirms domain ownership. Option C is wrong because enabling Microsoft Entra ID Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, but it does not affect UPN assignment for users. Option D is wrong because using Microsoft Entra ID Connect to sync UPNs from on-premises would only work if the on-premises UPNs already match email addresses; it does not configure the cloud tenant to automatically assign UPNs based on email addresses for cloud-only users.

1173
MCQ · medium

A security operations center (SOC) team needs a centralized platform to collect logs from firewalls, servers, and cloud applications. They want to analyze these logs to detect threats, create custom alerts, and automate response actions using playbooks. The solution should also provide threat intelligence feeds and allow for advanced hunting with Kusto Query Language (KQL). Which Microsoft security solution should the team implement?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Purview Compliance Manager
Answer: B

Correct. Sentinel is the intended SIEM/SOAR solution for centralized log collection, threat detection, automation, and hunting with KQL.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It provides a centralized platform for collecting logs from diverse sources (firewalls, servers, cloud apps), enables custom alert creation, automates response via playbooks (Azure Logic Apps), integrates threat intelligence feeds, and supports advanced hunting using Kusto Query Language (KQL).

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with a full SIEM/SOAR solution, overlooking that Sentinel is the dedicated platform for centralized log collection, custom alerts, playbook automation, and KQL-based hunting.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), not a centralized SIEM for log collection, custom alerts, playbook automation, or KQL-based hunting. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution focused on device-level threats, not a multi-source log aggregation and SIEM platform with playbooks and threat intelligence feeds. Option D is wrong because Microsoft Purview Compliance Manager is a compliance and risk management tool for assessing regulatory posture, not a security operations platform for log analysis, threat detection, or automated response.

1174
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID? (Select TWO.)

Select 2 answers
A. Mobile device management.
B. Self-service password reset.
C. Identity and access management for cloud applications.
D. Threat protection for endpoints.
E. Data loss prevention for documents.
Answers: B, C

SSPR is a feature of Microsoft Entra ID.

Why this answer

Microsoft Entra ID is a cloud-based identity and access management service. Self-service password reset (SSPR) is a built-in feature that allows users to reset their own passwords without administrator intervention, provided they meet configured authentication requirements. This capability is a core part of Entra ID's identity governance and security features.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID with broader Microsoft 365 or security suites, incorrectly attributing endpoint management (Intune), endpoint protection (Defender), or compliance features (Purview) to Entra ID, when Entra ID is strictly focused on identity and access management.

1175
MCQ · medium

Your organization uses Microsoft Copilot for Security. You want to use natural language to generate a KQL query for threat hunting. What should you do?

A. Manually write the KQL query in the advanced hunting page.
B. Use the Copilot prompt bar in the Microsoft Defender portal.
C. Install the Copilot add-in for Sentinel.
D. Subscribe to Microsoft 365 Copilot.
Answer: B

The prompt bar allows natural language input to generate queries.

Why this answer

Microsoft Copilot for Security includes a prompt bar where you can ask questions in natural language to generate queries, so Option B is correct. Option A is wrong because you don't need to write the query manually. Option C is wrong because Copilot is integrated into the portal, so there is no separate add-in to install. Option D is wrong because Copilot does not require a separate subscription.

1176
MCQ · medium

You work for a law firm that uses Microsoft 365 E5. The firm handles highly confidential client information and must comply with attorney-client privilege. You need to implement a compliance solution that:
- Prevents unauthorized sharing of privileged documents via email.
- Enables lawyers to easily classify documents as 'Privileged' and automatically encrypt them.
- Allows the compliance team to monitor for accidental exposure of privileged information in Teams chats.
- Ensures that privileged documents are retained for 7 years after case closure, then automatically deleted.
- Provides the ability to search for privileged documents in case of a legal hold.
What should you configure?

A. Sensitivity labels with encryption, DLP, Communication Compliance, Data Lifecycle Management, and eDiscovery
B. DLP, Communication Compliance, Data Lifecycle Management, and Audit (Standard)
C. Insider Risk Management, DLP, Data Lifecycle Management, and eDiscovery
D. Sensitivity labels, Information Barriers, Data Lifecycle Management, and eDiscovery
Answer: A

All requirements are covered: classification, encryption, DLP, monitoring, retention, and eDiscovery.

Why this answer

Option A is correct because sensitivity labels can classify and encrypt privileged documents; DLP prevents sharing; Communication Compliance monitors Teams; Data Lifecycle Management manages retention; eDiscovery handles legal hold. Option D is wrong because Information Barriers restrict communication between groups, which is not relevant for privilege. Option B is wrong because Audit (Standard) does not provide 7-year retention. Option C is wrong because Insider Risk Management focuses on risk, not classification.

1177
Multi-Select · hard

Which THREE are features of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A. Privileged Identity Management (PIM)
B. Conditional Access
C. Entitlement management
D. Lifecycle workflows
E. Access reviews
Answers: C, D, E

Entitlement management enables access package creation and management.

Why this answer

Entitlement management is a core feature of Microsoft Entra ID Governance that enables organizations to manage the identity and access lifecycle at scale. It allows administrators to create and manage access packages, which automate the process of requesting, approving, and assigning access to groups, applications, and SharePoint Online sites. This directly supports governance by ensuring users have the right access for the right duration.

Exam trap

The trap here is that candidates often pick Privileged Identity Management (PIM) as one of the three governance features; although PIM is a component of Entra ID Governance, the exam specifically expects Entitlement management, Lifecycle workflows, and Access reviews as the three distinct features asked for in this question.

1178
MCQ · medium

A company uses Microsoft Entra ID. The IT department wants to automatically assign a Microsoft 365 E5 license to all users in the Sales department based on their department attribute. Which Microsoft Entra ID feature should they use?

A. Dynamic Groups
B. Administrative Units
C. Identity Protection
D. Access Reviews
Answer: A

Correct. Dynamic groups use rules based on user attributes (like department) to automatically add or remove members. Combined with group-based licensing, this automates license assignment.

Why this answer

Dynamic Groups in Microsoft Entra ID allow automatic user membership based on user attributes, such as the department attribute. By creating a dynamic group rule like `user.department -eq "Sales"`, the system automatically assigns the group membership and can then apply a Microsoft 365 E5 license via group-based licensing.

Exam trap

The trap here is that candidates may confuse Administrative Units with Dynamic Groups, thinking that delegating admin control over a department also handles license assignment, but Administrative Units only manage administrative boundaries, not automated provisioning.

How to eliminate wrong answers

Option B is wrong because Administrative Units are used to delegate administrative scope over specific subsets of users, groups, or devices, not for automatic license assignment based on attributes. Option C is wrong because Identity Protection is a security feature that detects and responds to identity-based risks, such as compromised credentials or suspicious sign-ins, and does not handle license provisioning. Option D is wrong because Access Reviews are used to periodically review and certify user access to resources, ensuring compliance, not for automatic license assignment.

1179
MCQ · medium

A company uses Microsoft Defender for Cloud to secure their Azure environment. The security team needs to check whether their resources comply with the CIS (Center for Internet Security) benchmark. How can they view their compliance status against CIS in Defender for Cloud?

A. Use the secure score recommendations and look for CIS-related controls
B. Use the Regulatory Compliance dashboard and add the CIS standard as a compliance initiative
C. Use Azure Policy initiative assignments directly from the Policy service
D. Use the vulnerability assessment solution for machines to check CIS settings
Answer: B

Correct. The Regulatory Compliance dashboard in Defender for Cloud allows you to add built-in compliance initiatives, including CIS benchmarks, to view your compliance posture against that standard.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud allows you to add built-in compliance standards like CIS as an initiative. Once added, the dashboard continuously assesses your Azure resources against the CIS benchmark controls and displays pass/fail status. This is the correct method because Defender for Cloud integrates with Azure Policy to evaluate compliance against regulatory standards.

Exam trap

The trap here is that candidates confuse secure score recommendations with regulatory compliance assessments, assuming that secure score covers all compliance standards, when in fact secure score is a separate metric based on security controls, not specific regulatory frameworks like CIS.

How to eliminate wrong answers

Option A is wrong because secure score recommendations are based on security best practices and built-in controls, not specific regulatory standards like CIS; they do not directly map to CIS benchmarks. Option C is wrong because Azure Policy initiative assignments from the Policy service can define compliance rules, but viewing the compliance status against CIS specifically requires the Regulatory Compliance dashboard in Defender for Cloud, which provides a pre-built view with continuous assessment and reporting. Option D is wrong because the vulnerability assessment solution for machines (e.g., Qualys or Microsoft Defender Vulnerability Management) checks for OS-level vulnerabilities and missing patches, not compliance with CIS benchmark settings across all resource types.

1180
MCQ · medium

Your organization is deploying Microsoft Defender XDR to detect and respond to advanced threats. You need to ensure that security alerts from Microsoft Defender for Endpoint are automatically correlated with alerts from Microsoft Defender for Office 365. What should you configure?

A. Ensure that all Microsoft Defender services are onboarded to the same tenant and that the incidents feature is enabled
B. Configure a custom detection rule in Microsoft 365 Defender
C. Create an advanced hunting query to join alerts from different data sources
D. Enable Microsoft Sentinel and configure incident creation rules
Answer: A

Microsoft Defender XDR automatically correlates alerts from onboarded services into incidents when all services are in the same tenant and the feature is enabled by default.

Why this answer

Microsoft Defender XDR automatically correlates alerts from different Microsoft Defender services (e.g., Defender for Endpoint and Defender for Office 365) when they are onboarded to the same tenant and the incidents feature is enabled. This built-in correlation uses the Microsoft 365 Defender backend to fuse related alerts into a single incident, providing a unified view of the attack chain without additional configuration.

Exam trap

The trap here is that candidates may think additional tools like Sentinel or custom rules are needed for correlation, but Microsoft Defender XDR provides automatic cross-service correlation by default when all services are in the same tenant and incidents are enabled.

How to eliminate wrong answers

Option B is wrong because custom detection rules in Microsoft 365 Defender are used to create custom alerts based on advanced hunting queries, not to automatically correlate existing alerts from different services. Option C is wrong because advanced hunting queries are for manually searching and analyzing raw data across tables, not for enabling automatic correlation of alerts into incidents. Option D is wrong because Microsoft Sentinel is a separate SIEM solution that requires additional licensing and configuration; it is not required for native correlation within Microsoft Defender XDR, which handles this automatically when services are in the same tenant.

1181
Multi-Select · medium

A company must implement data classification labels in Microsoft Purview to protect sensitive information. Which TWO actions are required to create and publish a sensitivity label?

Select 2 answers
A. Deploy the label using Microsoft Intune configuration profiles.
B. Define the label scope to include SharePoint and OneDrive.
C. Create the label in the Microsoft Purview compliance portal.
D. Publish the label using a label policy.
E. Configure auto-labeling rules in Microsoft 365 Defender.
Answers: C, D

Labels are created in the Purview compliance portal.

Why this answer

Option C is correct because labels are created in the Microsoft Purview compliance portal. Option D is correct because labels must be published via a label policy. Option E is wrong because auto-labeling is a separate feature, not a requirement for creating a label. Option B is wrong because label creation doesn't require scoping. Option A is wrong because labels are not published via Microsoft Intune.

1182
MCQ · easy

A company wants to allow employees to use their corporate Microsoft Entra ID credentials to sign in to third-party SaaS applications like Salesforce and ServiceNow. Which feature provides this capability?

A. Microsoft Entra federation with SaaS applications
B. Microsoft Entra B2B collaboration
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management
Answer: A

Federation allows users to sign in to third-party SaaS apps using their Entra ID credentials.

Why this answer

Microsoft Entra federation with SaaS applications (Option A) enables single sign-on (SSO) by establishing a trust relationship between Microsoft Entra ID and third-party SaaS apps like Salesforce and ServiceNow. This allows users to authenticate using their corporate Entra ID credentials via federation protocols such as SAML 2.0 or OpenID Connect, eliminating the need for separate credentials.

Exam trap

The trap here is that candidates often confuse B2B collaboration (external user access) with federation (corporate user SSO to external apps), leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is designed for inviting external users (e.g., partners or vendors) to access your organization's resources, not for enabling corporate users to sign in to third-party SaaS apps. Option C is wrong because Microsoft Entra Identity Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials or anomalous sign-ins), not a feature for federated authentication. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within Azure AD and Azure resources, not for federating with external SaaS applications.

1183
Multi-Select · hard

Which THREE capabilities are included in Microsoft Purview Audit (Premium)?

Select 3 answers
A. Trainable classifiers
B. Access to high-value critical events
C. Custom alert policies
D. Higher bandwidth for API access
E. Longer retention of audit logs (up to 1 year)
Answers: B, D, E

Audit (Premium) logs high-value events like admin actions.

Why this answer

Correct answers: B, D, and E. Audit (Premium) provides access to high-value events, higher bandwidth for API access, and longer retention (up to 1 year). Option C is wrong because custom alerts are part of Microsoft 365 Defender. Option A is wrong because trainable classifiers are part of data classification, not audit.

1184
Multi-Select · easy

A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose two.)

Select 2 answers
A. Authentication
B. Authorization
C. Non-repudiation
D. Accounting
Answers: A, B

Correct. The user provided credentials (username/password) to prove their identity, which is authentication.

Why this answer

Authentication is demonstrated because the user proves their identity by providing a username and password, which the system verifies before allowing access. This is the process of validating credentials, typically against a directory service like Azure AD or an on-premises Active Directory, confirming the user is who they claim to be.

Exam trap

The trap here is that candidates often confuse authentication (verifying identity) with authorization (verifying permissions), and may incorrectly select non-repudiation or accounting because they sound like security concepts, but neither is involved in the simple login and group-check process described.

1185
MCQ · easy

Your organization uses Microsoft Purview eDiscovery to manage legal holds. A legal hold has been placed on a user's mailbox, but the user has left the company and their mailbox has been converted to a shared mailbox. You need to ensure that the legal hold remains effective. What should you do?

A. Convert the shared mailbox back to a user mailbox to keep the hold.
B. Create a new legal hold for the shared mailbox.
C. Verify that the legal hold is still listed in the eDiscovery case for the mailbox.
D. Remove the legal hold and reapply it to the shared mailbox.
Answer: C

The hold persists after conversion.

Why this answer

Option C is correct because converting a mailbox to a shared mailbox does not remove the hold; you should simply verify that the hold is still in place. Option B is wrong because the hold is already applied. Option D is wrong because you don't need to recreate the hold. Option A is wrong because the hold is not automatically removed by the conversion, so converting the mailbox back is unnecessary.

1186
MCQ · hard

Refer to the exhibit. A security analyst is reviewing a Microsoft Defender XDR alert. Which two tactics are identified in the alert?

A. LateralMovement and PrivilegeEscalation
B. LateralMovement and Exfiltration
C. InitialAccess and Persistence
D. InitialAccess and LateralMovement
Answer: D

These are the two tactics in the alert.

Why this answer

The exhibit shows `"tactics": ["InitialAccess", "LateralMovement"]`. Option D lists both. Option C includes Persistence, which is not shown. Option A includes PrivilegeEscalation, and Option B includes Exfiltration; neither appears in the alert.

1187
MCQ · easy

You run the PowerShell command shown in the exhibit. What is the purpose of this command?

A. Applies a sensitivity label to a document
B. Encrypts a document using Azure Information Protection
C. Removes a sensitivity label from a document
D. Exports audit logs for labeled documents
Answer: A

Set-AIPFileLabel assigns a label to the specified file.

Why this answer

Option A is correct: the command assigns a sensitivity label to a document. Option C is wrong because the command does not remove a label. Option B is wrong because the command itself does not encrypt the file; applying a label may include encryption, but the command only assigns the label. Option D is wrong because the command does not export audit logs.

1188
MCQ · medium

Your organization uses Microsoft Defender for Office 365. A user reports receiving a suspicious email that appears to be from their CEO asking for a wire transfer. The email passed through the spam filter. What additional protection should be enabled to detect such attacks?

A. Safe Attachments policy
B. Anti-spam policy
C. Safe Links policy
D. Impersonation protection in anti-phishing policy
Answer: D

Impersonation protection detects emails that impersonate users or domains.

Why this answer

Impersonation protection in Microsoft Defender for Office 365 specifically detects emails that impersonate executives or domains, and it is configured in anti-phishing policies. Option A is incorrect because Safe Attachments protects against malicious attachments, not impersonation. Option C is incorrect because Safe Links protects against malicious URLs. Option B is incorrect because anti-spam policies filter bulk mail, not targeted impersonation.

1189
Multi-Select · medium

Which TWO are principles of the Zero Trust security model?

Select 2 answers
A. Verify explicitly
B. Trust everything inside the network
C. Assume breach
D. Use a VPN for remote access
E. Layer defenses
Answers: A, C

Zero Trust requires verifying every access request explicitly.

Why this answer

Options A and C are correct. Zero Trust principles include 'verify explicitly' and 'assume breach'. Option B is a traditional perimeter security approach. Option E is a principle of defense in depth, not Zero Trust. Option D describes a traditional VPN-based approach.

1190
MCQ · medium

Your organization uses Microsoft Purview to manage data lifecycle. You need to ensure that after a project ends, all related files are automatically deleted after 3 years. What should you configure?

A. Create a retention label with a retention period of 3 years and a disposition action of deletion
B. Configure a DLP policy to delete files after 3 years
C. Create an eDiscovery case and manually delete the files
D. Apply a sensitivity label marked 'Project' and configure auto-deletion
Answer: A

Retention labels can enforce deletion after a specified period.

Why this answer

Option A is correct because a retention label can be applied to project files, specifying that they are retained for 3 years and then deleted. Option D is wrong because a sensitivity label does not manage deletion. Option B is wrong because a DLP policy prevents sharing, not deletion. Option C is wrong because eDiscovery is for search and export.

1191
MCQ · hard

A multinational corporation must comply with several regulatory frameworks, including GDPR, SOX, and HIPAA. The compliance officer wants to continuously assess the organization's compliance posture against these regulations, receive prioritized improvement actions, and track the implementation progress of those actions. Which Microsoft Purview solution should the compliance officer use?

A. Information Protection
B. Compliance Manager
C. Data Lifecycle Management
D. Insider Risk Management
Answer: B

Microsoft Purview Compliance Manager provides end-to-end compliance management, including assessments for multiple regulations, a compliance score, and actionable improvement actions with progress tracking. This directly addresses the compliance officer's needs.

Why this answer

Compliance Manager is the correct solution because it provides a centralized dashboard for continuously assessing compliance posture against multiple regulatory frameworks (GDPR, SOX, HIPAA), generates prioritized improvement actions based on built-in assessments, and tracks implementation progress of those actions through a task-based workflow. It uses automated control mapping and continuous monitoring to help organizations meet evolving compliance requirements.

Exam trap

The trap here is that candidates confuse Compliance Manager with Information Protection, thinking that protecting data automatically ensures compliance, but Compliance Manager is the only solution that provides continuous assessment and actionable improvement tracking across multiple regulations.

How to eliminate wrong answers

Option A is wrong because Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., encryption, rights management), not on assessing compliance posture or tracking improvement actions across multiple regulations. Option C is wrong because Data Lifecycle Management handles retention, deletion, and archiving of data based on policies, but does not provide compliance assessments or prioritized action tracking. Option D is wrong because Insider Risk Management is designed to detect, investigate, and act on risky user activities (e.g., data theft, policy violations), not to assess organizational compliance against regulatory frameworks.

1192
MCQ · medium

A company wants to ensure that all users access corporate resources using multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure to enforce MFA for all users?

A. Conditional Access
B. Privileged Identity Management
C. Identity Protection
D. Security defaults
Answer: A

Conditional Access policies can require MFA for all users based on conditions like user risk or location.

Why this answer

Conditional Access policies allow granular control over authentication requirements, including MFA enforcement. Security defaults provide basic MFA but are less flexible. Identity Protection detects risks but does not enforce MFA directly. Privileged Identity Management manages roles, not MFA enforcement.

1193
Multi-Select · hard

Which THREE of the following are included in Microsoft Defender XDR (Extended Detection and Response)? (Choose three.)

Select 3 answers
A. Microsoft Defender for Identity
B. Microsoft Defender for Endpoint
C. Microsoft Azure Information Protection
D. Microsoft Defender for Office 365
E. Microsoft Defender for Cloud
Answers: A, B, D

Correct: Defender for Identity, Defender for Endpoint, and Defender for Office 365 are all part of Defender XDR.

Why this answer

Microsoft Defender XDR unifies Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and more. Azure Information Protection is not part of XDR.

1194
Multi-Select · medium

Which TWO are capabilities of Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A. Endpoint detection and response (EDR)
B. Identity protection for user accounts
C. Data classification of on-premises files
D. Session control to monitor user activity in cloud apps
E. Cloud Discovery to identify shadow IT
Answers: D, E

Session control allows real-time monitoring and control of app sessions.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps includes session control capabilities, which allow administrators to monitor and control user activity in real time within cloud applications. This is achieved through reverse proxy integration, enabling granular access policies and data loss prevention (DLP) actions during active sessions.

Exam trap

The trap here is that candidates confuse the broad 'security solutions' umbrella and attribute endpoint or identity features to Defender for Cloud Apps, when in fact each Microsoft security product (Defender for Endpoint, Entra ID Protection, Purview) has a distinct scope and integration point.

1195
MCQ · medium

Your company is implementing a hybrid identity solution with Microsoft Entra ID. You need to ensure that password changes on-premises are synchronized to the cloud within minutes. Which feature should you enable?

A. Password Hash Synchronization
B. Pass-through Authentication
C. Seamless Single Sign-On
D. Password Writeback
Answer: D

Password Writeback synchronizes password changes from on-premises to cloud within minutes.

Why this answer

Password Writeback (D) is the correct feature because it enables password changes made on-premises in Active Directory to be written back to Microsoft Entra ID in near real-time, typically within minutes. This ensures that the cloud password hash is updated promptly, maintaining synchronization for hybrid identity scenarios. The other options do not handle the synchronization of password changes from on-premises to the cloud.

Exam trap

The trap here is that candidates often confuse Password Writeback (which syncs on-premises changes to the cloud) with Password Hash Synchronization (which syncs cloud changes to on-premises or provides one-way sync), leading them to select PHS when the question specifically asks for on-premises-to-cloud synchronization of password changes.

How to eliminate wrong answers

Option A is wrong because Password Hash Synchronization (PHS) syncs password hashes from on-premises to the cloud but does not write back changes made on-premises; it is a one-way sync that occurs every few minutes by default, not triggered by individual password changes. Option B is wrong because Pass-through Authentication (PTA) validates passwords against on-premises Active Directory without storing password hashes in the cloud, so it does not synchronize password changes to the cloud. Option C is wrong because Seamless Single Sign-On (SSO) provides automatic sign-in for domain-joined devices but does not handle password synchronization or writeback.

1196
MCQ · easy

A company uses Microsoft 365. The compliance department requires that all financial documents be retained for 10 years and then automatically deleted, while marketing documents must be retained for 3 years and then deleted. Additionally, they want to apply a default retention policy to all SharePoint Online sites. Which Microsoft Purview solution should the company use?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview eDiscovery
C. Microsoft Purview Compliance Manager
D. Microsoft Purview Data Loss Prevention (DLP)
Answer: A

Data Lifecycle Management is designed for creating retention policies and labels to control how long content is retained and when it is deleted.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) is the correct solution because it allows organizations to define retention and deletion policies based on content type and location. In this scenario, the company needs to apply different retention periods (10 years for financial documents, 3 years for marketing documents) and a default retention policy for all SharePoint Online sites, which is exactly what Data Lifecycle Management's retention policies and labels provide.

Exam trap

The trap here is that candidates often confuse eDiscovery (which holds content for legal reasons) with Data Lifecycle Management (which automates retention and deletion based on time), leading them to select eDiscovery when the question clearly asks for automated retention and deletion schedules.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery is used for legal discovery and litigation hold, not for automated retention and deletion based on time periods. Option C is wrong because Compliance Manager is a risk assessment and compliance score tool that helps track regulatory compliance posture, not a solution for applying retention or deletion policies. Option D is wrong because Data Loss Prevention (DLP) is designed to prevent unauthorized sharing or leakage of sensitive data through policies, not to manage retention schedules or automatic deletion.

1197
MCQ · medium

You are designing a compliance solution for a healthcare organization that must comply with HIPAA. You need to ensure that patient health information (PHI) is encrypted at rest in Microsoft 365. What should you use?

A. Microsoft Purview Message Encryption
B. Data Loss Prevention (DLP) policies
C. Sensitivity labels
D. Customer Key
Answer: A

Correct. Message Encryption encrypts email messages that contain PHI.

Why this answer

Option A is correct because Microsoft Purview Message Encryption allows encrypting email messages containing PHI. Option B is wrong because DLP detects but does not encrypt. Option C is wrong because sensitivity labels can mark content but do not enforce encryption by default.

Option D is wrong because Customer Key provides additional encryption but is not the primary method for email encryption.

1198
MCQ · medium

A company uses Microsoft 365 and Azure. They want a unified security solution that provides threat protection across email, endpoints, identities, and cloud apps, with automated investigation and response capabilities. Which Microsoft solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender
C. Microsoft Sentinel
D. Microsoft Entra ID Protection
Answer: B

Correct. Microsoft 365 Defender is an extended detection and response (XDR) solution that provides coordinated protection across the Microsoft 365 ecosystem, including email, endpoints, identities, and cloud apps.

Why this answer

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that coordinates detection, prevention, investigation, and response across email, endpoints, identities, and cloud apps. It provides automated investigation and response (AIR) capabilities through its integrated components (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), making it the correct choice for the described requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool for cloud workloads) with Microsoft 365 Defender (a unified XDR solution for the Microsoft 365 ecosystem), or they mistakenly think Microsoft Sentinel (a SIEM) provides the same built-in, cross-domain automated investigation and response as Microsoft 365 Defender.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud workloads, not a unified solution for email, endpoints, identities, and cloud apps with automated investigation and response. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution that ingests logs and alerts from multiple sources for threat detection and response, but it is not a unified security solution that natively provides threat protection across email, endpoints, identities, and cloud apps with built-in automated investigation and response like Microsoft 365 Defender. Option D is wrong because Microsoft Entra ID Protection is an identity protection service that detects and remediates identity-based risks (e.g., leaked credentials, anomalous sign-ins), but it does not provide threat protection across email, endpoints, or cloud apps, nor does it offer automated investigation and response across those domains.

1199
MCQ · medium

A company is required by a compliance regulation to retain all user and admin activity audit logs for 2 years. They also need the ability to perform faster, historical searches on this audit data. Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit (Standard)
B. Microsoft Purview Audit (Premium)
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview eDiscovery (Premium)
Answer: B

Audit (Premium) offers up to 1 year of retention by default, extendable to 2 years, and includes faster queries and higher API bandwidth.

Why this answer

Microsoft Purview Audit (Premium) provides a 2-year retention capability for audit logs, which meets the compliance regulation requirement. Additionally, it offers faster, historical searches through features like high-bandwidth access to the Audit Log Search API and intelligent insights, enabling efficient querying of large volumes of audit data. Standard Audit only retains logs for 90 days by default and lacks the performance optimizations for historical searches.

Exam trap

The trap here is that candidates confuse the 90-day default retention of Audit (Standard) with the 2-year requirement, or mistakenly think Data Lifecycle Management or eDiscovery can fulfill audit log retention and search needs, when only Audit (Premium) combines long-term retention with high-performance historical search capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit (Standard) retains audit logs for only 90 days by default (extendable to 1 year with manual configuration), not the required 2 years, and does not provide the enhanced search performance for historical data. Option C is wrong because Microsoft Purview Data Lifecycle Management focuses on retention and deletion policies for content (e.g., documents, emails) based on labels, not on auditing user and admin activity logs or enabling faster historical searches. Option D is wrong because Microsoft Purview eDiscovery (Premium) is designed for legal investigations and content search across Exchange, SharePoint, and Teams, not for long-term retention and high-performance querying of audit logs.

1200
MCQ · medium

A healthcare organization must comply with HIPAA regulations. They need to automatically detect and classify sensitive health information such as medical record numbers stored in SharePoint Online and OneDrive. When detected, the solution should apply encryption and restrict access to only authorized personnel. Which Microsoft Purview solution should they configure?

A. Information Protection
B. Data Lifecycle Management
C. Audit
D. eDiscovery
Answer: A

Information Protection provides sensitivity labels that can automatically classify and protect data based on patterns like medical record numbers, applying encryption and permissions.

Why this answer

Microsoft Purview Information Protection (specifically sensitivity labels and auto-labeling policies) can automatically detect sensitive health information like medical record numbers using built-in sensitive information types (e.g., U.S. HIPAA-defined types). When detected, it can apply encryption via Rights Management and restrict access to authorized personnel, meeting HIPAA compliance requirements.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (retention/deletion) with Information Protection (classification/encryption), or assume Audit/eDiscovery can enforce access controls, when they only provide logging or search capabilities.

How to eliminate wrong answers

Option B (Data Lifecycle Management) is wrong because it focuses on retention and deletion policies, not on detecting, classifying, or encrypting sensitive data. Option C (Audit) is wrong because it logs user and admin activities but does not perform automatic detection, classification, or encryption of content. Option D (eDiscovery) is wrong because it is used for searching and exporting content for legal or investigative purposes, not for proactive classification and protection of sensitive data.
