Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 1201-1275

1411 questions total · 19 pages · All types, answers revealed

Page 17 of 19
1201
MCQ · medium

A company uses a hybrid environment with Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that continuously assesses the security posture of these workloads, provides a regulatory compliance dashboard with actionable recommendations, and enables threat detection. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Cloud
D. Microsoft Sentinel
Answer: C

Defender for Cloud delivers continuous assessment of security posture, regulatory compliance monitoring, and threat detection across Azure and hybrid workloads, making it the correct solution.

Why this answer

Microsoft Defender for Cloud is the correct answer because it provides a unified security management platform that continuously assesses the security posture of both Azure VMs (IaaS) and on-premises Windows servers (onboarded through Azure Arc). It offers a regulatory compliance dashboard with actionable recommendations based on built-in standards such as CIS, NIST, and the Microsoft cloud security benchmark (formerly Azure Security Benchmark), and its Defender plans (workload protection) add threat detection for these hybrid workloads.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a posture management and threat protection platform) with Microsoft Sentinel (a SIEM), but the question specifically asks for a single solution that includes a compliance dashboard and continuous assessment, which is a core feature of Defender for Cloud, not Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on shadow IT discovery and data protection for SaaS applications, not on assessing the security posture or providing a compliance dashboard for IaaS VMs and on-premises servers. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that focuses on device-level threat detection and response, but it does not provide a regulatory compliance dashboard or continuous security posture assessment across hybrid workloads. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs and alerts for threat detection and incident response, but it is not primarily designed for continuous security posture assessment or out-of-the-box regulatory compliance dashboards; it requires custom workbooks and analytics rules for compliance reporting.

1202
MCQ · medium

Your company uses Microsoft Entra ID and wants to allow external partners to sign in using their own Google or Facebook accounts. Which feature should you enable?

A. Azure Active Directory Domain Services
B. Microsoft Entra B2C
C. Microsoft Entra B2B collaboration
D. External Identities (social identity providers)
Answer: D

External Identities allow federation with Google, Facebook, etc.

Why this answer

Option D is correct because External Identities (social identity providers) in Microsoft Entra ID allows you to configure Google and Facebook as identity providers for external users. This enables partners to sign in using their existing social accounts without needing a separate Microsoft account, leveraging OAuth 2.0 and OpenID Connect protocols for authentication.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which handles external organizational accounts) with External Identities (which includes social identity providers), leading them to incorrectly select B2B when the question explicitly mentions Google or Facebook accounts.

How to eliminate wrong answers

Option A is wrong because Azure Active Directory Domain Services (Azure AD DS) provides managed domain services like LDAP and Kerberos for legacy applications, not social identity federation. Option B is wrong because Microsoft Entra B2C is designed for customer-facing applications with extensive customization of sign-up and sign-in flows, not for simple partner access using existing social accounts. Option C is wrong because Microsoft Entra B2B collaboration enables external users to sign in with their own organizational accounts (e.g., Azure AD, Microsoft account) but does not natively support social identity providers like Google or Facebook without additional configuration through External Identities.

1203
MCQ · easy

Your company needs to detect and prevent employees from sharing confidential product plans via email with external parties. Which Microsoft Purview solution should you configure?

A. Sensitivity labels
B. Communication compliance
C. Data Loss Prevention (DLP)
D. Retention policies
Answer: C

DLP detects and blocks sharing of sensitive data.

Why this answer

Option C is correct because DLP policies can detect sensitive information in email and block it from being sent to external recipients. Option A is wrong because sensitivity labels classify and protect content but do not by themselves block sending. Option B is wrong because communication compliance monitors messages for inappropriate content, not data exfiltration.

Option D is wrong because retention policies manage the data lifecycle, not prevention.

1204
MCQ · easy

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

A. Confidentiality
B. Integrity
C. Availability
D. Accountability
Answer: A

Correct. Confidentiality prevents unauthorized access to information, which matches the requirement to limit access to authorized employees.

Why this answer

Confidentiality ensures that sensitive information is accessible only to authorized individuals. By restricting access to customer records to authorized employees, the company directly prevents unauthorized disclosure, which is the core goal of confidentiality in the CIA triad.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, thinking that preventing unauthorized changes is the same as preventing unauthorized viewing, but confidentiality is about secrecy, not data accuracy.

How to eliminate wrong answers

Option B (Integrity) is wrong because integrity focuses on protecting data from unauthorized modification or deletion, not on restricting access. Option C (Availability) is wrong because availability ensures that systems and data are accessible when needed, not who can view them. Option D (Accountability) is wrong because accountability is not a principle of the CIA triad; it is a separate concept related to auditing and traceability of actions.

1205
Multi-Select · medium

Which THREE capabilities are provided by Microsoft Defender XDR? (Choose THREE.)

Select 3 answers
A. Cloud security posture management
B. Advanced hunting
C. Automated investigation and response
D. Incident management
E. Vulnerability management
Answers: B, C, D

Advanced hunting allows KQL queries across data sources.

Why this answer

Microsoft Defender XDR provides incident management (correlated alerts), automated investigation and response (self-healing), and advanced hunting (KQL queries). Vulnerability management is part of Defender for Endpoint, not the XDR platform. Cloud security posture management is from Defender for Cloud.

Defender XDR is for cross-domain threat protection.

1206
MCQ · hard

Refer to the exhibit. You are a compliance administrator managing a DLP policy in Microsoft Purview. The policy is set to 'enforce' mode but you notice that internal users can still share credit card numbers via email to external recipients. What is the most likely cause?

A. The policy is in test mode, not enforce mode
B. The policy is not applied to the user's mailbox
C. The condition requires a minimum count of 5
D. The action only blocks access to the content from external users, not sharing by internal users
Answer: D

blockOnlyExternal blocks external access but does not prevent internal users from sending to external recipients.

Why this answer

Option D is correct because the action 'blockAccess' with 'blockLevel' set to 'blockOnlyExternal' only blocks access by external users to the protected content; it does not stop an internal user from sending that content to an external recipient. Option A is wrong because the scenario states that the policy is in enforce mode. Option B is wrong because a DLP policy applies to the whole tenant (all mailboxes) unless it has been explicitly scoped to particular users or groups.

Option C is wrong because the rule's condition is already met: the content contains credit card numbers, and nothing in the scenario indicates a minimum instance count of 5.

1207
Multi-Select · easy

Which TWO of the following are types of identity in Microsoft Entra ID? (Select two.)

Select 2 answers
A. Synchronized identity
B. Cloud-only identity
C. Guest identity
D. Managed identity
E. Hybrid identity
Answers: A, B

User account synchronized from on-premises Active Directory.

Why this answer

Options A and B are correct. Microsoft Entra ID supports cloud-only identities (B), which are created and managed directly in Entra ID, and synchronized identities (A), which are created in on-premises Active Directory and synchronized to Entra ID with Microsoft Entra Connect. Option C is incorrect because a guest is an external (B2B collaboration) identity, not a primary identity category.

Option D is incorrect because a managed identity is an Azure resource identity used by workloads, not a user identity type. Option E is incorrect because 'hybrid identity' describes the scenario that combines on-premises and cloud identities, not a type of identity.

1208
MCQ · easy

A company wants to automatically prevent users from sharing files containing personal data (e.g., passport numbers) via email. Which Microsoft Purview solution should they configure?

A. Communication Compliance
B. Data Loss Prevention (DLP)
C. Sensitivity labels
D. eDiscovery
Answer: B

DLP policies can detect sensitive data and block actions like email sharing.

Why this answer

Option B is correct because DLP policies can detect sensitive information types such as passport numbers and block sharing via email. Option A is wrong because Communication Compliance monitors messages for policy violations but does not block based on content. Option C is wrong because sensitivity labels classify and protect content but do not block sending.

Option D is wrong because eDiscovery is for search, hold, and export, not prevention.

1209
MCQ · medium

Your organization uses Microsoft Defender XDR. You need to investigate a potential lateral movement attack where a compromised user account is used to access multiple workstations. Which feature should you use to visualize the attack path?

A. Attack graph
B. Microsoft Sentinel workbooks
C. Threat analytics in Microsoft 365 Defender
D. Incident queue
Answer: A

Attack graph visualizes lateral movement paths.

Why this answer

Option A is correct because the attack graph in Microsoft Defender XDR gives a visual representation of the incident, including the path from the compromised account to each workstation it touched. Option B is wrong because Microsoft Sentinel workbooks are for custom visualization and reporting, not for attack-path views. Option C is wrong because threat analytics provides reports on threat actors and campaigns, not the path of a specific incident.

Option D is wrong because the incident queue lists incidents and their alerts; it does not visualize attack paths.

1210
MCQ · medium

A company uses Microsoft Entra ID. The security team needs to ensure that when users sign in to a critical financial application from an untrusted network, they must first complete multi-factor authentication (MFA). Additionally, the team wants to block the sign-in if the device is not marked as compliant by Microsoft Intune. Which conditional access grant control should they configure to meet both requirements?

A. Require multi-factor authentication AND Require device to be marked as compliant
B. Require multi-factor authentication only
C. Require one of the selected controls
D. Require device to be marked as compliant only
Answer: A

Conditional Access allows adding multiple grant controls; all must be satisfied for access to be allowed. This enforces both MFA and device compliance.

Why this answer

Option A is correct because Conditional Access grant controls allow you to require multiple conditions to be met simultaneously. By selecting 'Require multi-factor authentication' AND 'Require device to be marked as compliant', the policy ensures that both MFA and device compliance are enforced for the sign-in, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse 'AND' (all controls required) with 'OR' (one of the selected controls), leading them to choose Option C, which would not enforce both MFA and device compliance simultaneously.

How to eliminate wrong answers

Option B is wrong because it only requires MFA, ignoring the device compliance requirement, so untrusted devices that are not compliant would still be allowed to sign in after MFA. Option C is wrong because 'Require one of the selected controls' would allow either MFA or device compliance, not both, which fails to block non-compliant devices. Option D is wrong because it only requires device compliance, missing the MFA requirement for untrusted networks, leaving the application vulnerable if a compliant device is used from an untrusted network without MFA.
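The AND/OR distinction in this question is exactly what a Conditional Access policy's grant-control operator encodes. The following is an added example, not part of the question bank, showing how the policy from Option A would be created with the Microsoft Graph PowerShell SDK. The application ID, the policy name and the choice to start in report-only mode are assumptions for illustration; the location condition (all locations except trusted named locations) is how "untrusted network" is normally expressed.

```powershell
# Added example (not from the question bank). Requires the Microsoft Graph
# PowerShell SDK and an account that can manage Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$financeAppId = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) ID

$policy = @{
    displayName = "Finance app: MFA and compliant device from untrusted networks"
    # Start in report-only mode so the sign-in log shows what WOULD be blocked;
    # change to "enabled" after reviewing the results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @() }   # put break-glass accounts in excludeUsers
        applications = @{ includeApplications = @($financeAppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # trusted named locations are out of scope
        }
    }
    grantControls = @{
        # "AND": every listed control must be satisfied (Option A).
        # "OR" would be "Require one of the selected controls" (Option C) and would
        # let a non-compliant device in after MFA alone.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the operator on the stored policy before enabling it.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'" |
    Select-Object DisplayName, State, @{ n = "Operator"; e = { $_.GrantControls.Operator } },
                  @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

A device that fails the compliance check is blocked even if MFA succeeds, which is the behaviour the question asks for; with operator "OR" the same policy would admit it.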

1211
MCQ · hard

Refer to the exhibit. A Microsoft Purview DLP policy is configured in Test mode. An administrator notices that a user is still able to share a document containing a credit card number. What is the most likely reason?

A. The credit card number is not detected because low confidence threshold
B. The BlockAccess action is not supported for SharePoint Online
C. The policy is in Test mode, so actions are not enforced
D. The policy requires an administrator to approve the action
Answer: C

Test mode only logs, does not block.

Why this answer

Option C is correct because the policy is in Test mode, which means it does not enforce actions such as BlockAccess; it only logs matches and raises alerts. Option A is wrong because the rule is configured to detect credit card numbers at high confidence. Option D is wrong because Test mode does not involve administrator approval; it simply does not enforce.

Option B is wrong because DLP policies can block access to content in SharePoint Online and OneDrive.

1212
MCQ · easy

Your organization wants to centrally manage security policies for all devices (Windows, iOS, Android) and ensure they meet compliance requirements before accessing corporate resources. Which Microsoft solution should you use?

A. Microsoft Purview Compliance Manager
B. Microsoft Defender for Endpoint
C. Microsoft Intune
D. Microsoft Entra ID
Answer: C

Intune manages devices and enforces compliance policies.

Why this answer

Option C is correct because Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) solution that applies configuration and compliance policies to Windows, iOS, and Android devices. Option A is wrong because Compliance Manager assesses regulatory compliance posture, not device configuration. Option B is wrong because Microsoft Defender for Endpoint is for endpoint detection and response, not configuration management.

Option D is wrong because Microsoft Entra ID is for identity; it consumes Intune's device compliance state through Conditional Access but does not manage devices itself.

1213
Multi-Select · medium

Which TWO of the following are features of Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A. Data classification and labeling
B. Security Information and Event Management (SIEM)
C. Cloud Workload Protection Platform (CWPP)
D. Mobile Threat Defense (MTD)
E. Cloud Security Posture Management (CSPM)
Answers: C, E

Defender for Cloud provides CWPP for workloads across clouds.

Why this answer

Microsoft Defender for Cloud is a Cloud Workload Protection Platform (CWPP) that provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and other clouds. It also includes Cloud Security Posture Management (CSPM) capabilities, which continuously assess your environment against security benchmarks (e.g., CIS, NIST) and provide actionable recommendations to improve your security posture.

Exam trap

The trap here is that candidates often confuse the SIEM and SOAR capabilities of Microsoft Sentinel with the CWPP and CSPM functions of Defender for Cloud, or they mistakenly associate data classification (Purview) with Defender for Cloud's security recommendations.

1214
MCQ · medium

A multinational organization uses Microsoft 365 and must demonstrate compliance with both GDPR and ISO 27001. The compliance team needs a centralized tool to assess their current compliance posture against these frameworks, receive prioritized improvement actions, and track the implementation of those actions over time. Which Microsoft Purview solution should they use?

A. Compliance Manager
B. Data Lifecycle Management
C. Audit
D. eDiscovery
Answer: A

Compliance Manager provides a central dashboard to assess compliance posture, manage improvement actions, and track progress against multiple regulations like GDPR and ISO 27001.

Why this answer

Compliance Manager is the correct solution because it provides a centralized dashboard that assesses an organization's compliance posture against frameworks like GDPR and ISO 27001. It offers prioritized improvement actions based on built-in assessments and tracks the implementation of those actions over time, directly meeting the requirements for a unified compliance management tool.

Exam trap

The trap here is that candidates may confuse Audit or Data Lifecycle Management as compliance tools, but they lack the centralized assessment and action tracking capabilities that Compliance Manager uniquely provides for framework-specific compliance management.

How to eliminate wrong answers

Option B (Data Lifecycle Management) is wrong because it focuses on managing the lifecycle of data (retention, deletion, and classification) rather than assessing compliance posture against specific frameworks or tracking improvement actions. Option C (Audit) is wrong because it provides logging and search capabilities for auditing user and admin activities, but it does not offer compliance posture assessments or prioritized improvement actions. Option D (eDiscovery) is wrong because it is designed for legal discovery processes to search and export content for litigation, not for assessing compliance frameworks or tracking remediation tasks.

1215
MCQ · easy

Refer to the exhibit. A security analyst runs this Kusto Query Language (KQL) query in Microsoft Sentinel. What is being identified?

A. Multi-factor authentication failures.
B. Successful sign-ins in the last day.
C. Sign-in attempts from unknown IP addresses.
D. Sign-in attempts by disabled user accounts.
Answer: D

ResultType 50057 corresponds to 'User Account Disabled'.

Why this answer

The query filters sign-in logs from the last day for ResultType 50057, the Microsoft Entra sign-in error code for a disabled user account. Option A is wrong because MFA failures have their own, different ResultType codes. Option B is wrong because successful sign-ins have ResultType 0.

Option C is wrong because the query does not filter on IP address or location at all.

1216
MCQ · hard

A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?

A. Assume breach
B. Verify explicitly
C. Use least privileged access
D. Segment access
Answer: B

Verify explicitly means always authenticate and authorize based on all available data points (user identity, device health, location, etc.) before granting access, and then use least privilege.

Why this answer

B is correct because the 'Verify explicitly' principle of Zero Trust mandates that every access request must be fully authenticated and authorized based on all available data points—including user identity, device health, and location—before granting access. This principle directly requires that authentication and authorization occur for every request, regardless of network location, and that the resulting access is granted with the minimum level required, which is further enforced by the 'Use least privileged access' principle. In a hybrid organization, this ensures that even requests from inside the corporate network are treated with the same scrutiny as external requests.

Exam trap

The trap here is that candidates confuse 'Verify explicitly' with 'Use least privileged access' because both involve access control, but 'Verify explicitly' is specifically about the authentication and authorization step, while 'Use least privileged access' is about the scope of permissions after access is granted.

How to eliminate wrong answers

Option A is wrong because 'Assume breach' focuses on minimizing the blast radius (segmentation, end-to-end encryption, analytics for detection), not on authenticating and authorizing every request. Option C is wrong because 'Use least privileged access' is a separate Zero Trust principle that limits access rights to the minimum necessary once access is granted; it does not itself require that every request be fully authenticated and authorized. Option D is wrong because 'Segment access' is not one of the three Zero Trust guiding principles; network segmentation to limit lateral movement is a practice that falls under 'Assume breach'.

1217
MCQ · hard

A healthcare organization runs a mix of workloads on Azure (Azure VMs, SQL Database) and on-premises (Windows Servers). They must continuously assess their compliance against the HIPAA and HITRUST regulatory frameworks. They want a unified dashboard that shows their compliance score against these standards and provides step-by-step recommendations to remediate violations. Which Microsoft Defender for Cloud capability should they use?

A. Regulatory compliance dashboard
B. Secure score
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Servers
Answer: A

The regulatory compliance dashboard in Defender for Cloud allows you to add built-in standards (HIPAA, HITRUST) and track compliance status with recommendations and scores.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a unified view of an organization's compliance posture against specific regulatory standards like HIPAA and HITRUST. It displays a compliance score for each selected framework and offers step-by-step remediation recommendations for identified violations, directly meeting the requirement for continuous assessment and guided remediation.

Exam trap

The trap here is that candidates often confuse the Secure score (which measures general security hygiene) with the Regulatory compliance dashboard (which measures adherence to specific regulatory frameworks), leading them to select Secure score when the question explicitly asks for compliance against HIPAA and HITRUST.

How to eliminate wrong answers

Option B (Secure score) is wrong because it measures the overall security posture based on security controls and recommendations, not compliance against specific regulatory frameworks like HIPAA or HITRUST. Option C (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data protection, and threat detection across SaaS applications, not on assessing compliance against healthcare regulatory standards. Option D (Microsoft Defender for Servers) is wrong because it provides threat detection and advanced protections for server workloads, but does not include a dashboard for regulatory compliance scoring or step-by-step remediation against HIPAA or HITRUST.

1218
MCQ · hard

Contoso uses Microsoft Sentinel. They want to automate response to a high-severity incident by blocking the source IP in Azure Firewall and sending a notification to the SOC team via email. Which feature should they use?

A. Create a hunting query.
B. Create an automation rule.
C. Enable Fusion.
D. Create a workbook.
Answer: B

Automation rules trigger playbooks for incident response.

Why this answer

Correct: automation rules in Microsoft Sentinel fire on trigger conditions (for example, creation of an incident with high severity) and can run playbooks, which are Logic Apps workflows that can block the source IP in Azure Firewall and email the SOC team. Option A: hunting queries are for proactive threat hunting, not response. Option C: Fusion is a correlation engine that produces multistage attack incidents.

Option D: workbooks are for visualization and reporting.

1219
MCQ · medium

A multinational corporation must comply with several regulations including GDPR, ISO 27001, and NIST. They need a single solution that provides a compliance score, tracks their progress, and recommends specific improvement actions that can be assigned to different departments. Which Microsoft Purview solution meets these requirements?

A. Compliance Manager
B. Audit
C. eDiscovery
D. Data Lifecycle Management
Answer: A

Correct. Microsoft Purview Compliance Manager offers a compliance score, recommended improvement actions, and task assignment capabilities for regulatory compliance.

Why this answer

Microsoft Purview Compliance Manager provides a unified compliance score, tracks progress over time, and offers recommended improvement actions that can be assigned to specific departments. It supports multiple regulations like GDPR, ISO 27001, and NIST by mapping controls to these frameworks, making it the correct solution for the multinational corporation's needs.

Exam trap

The trap here is that candidates may confuse Compliance Manager with other Purview solutions like Audit or eDiscovery, which address different compliance needs (logging vs. scoring), but only Compliance Manager provides a centralized score and assignable improvement actions.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit (Standard or Premium) is focused on logging and investigating user and admin activity, not on providing a compliance score or tracking improvement actions. Option C is wrong because Microsoft Purview eDiscovery is designed for identifying, collecting, and exporting content for legal or investigative purposes, not for compliance scoring or action assignment. Option D is wrong because Microsoft Purview Data Lifecycle Management (formerly Records Management) handles retention and deletion policies, not compliance scoring or improvement recommendations.

1220
Multi-Select · easy

Your company wants to protect sensitive data in Microsoft Teams. Which two Microsoft Purview features can help prevent accidental sharing of confidential information? (Choose two.)

Select 2 answers
A. Data Loss Prevention (DLP) policies for Teams
B. Audit log search for Teams
C. eDiscovery for Teams
D. Retention policies for Teams messages
E. Sensitivity labels for Teams sites and content
Answers: A, E

DLP policies can detect and block sharing of sensitive data.

Why this answer

Options A and E are correct because DLP policies for Teams detect and block the sharing of sensitive information in chats and channel messages, and sensitivity labels on Teams sites and content classify and protect that content (for example, by restricting guest access or external sharing on the labeled site). Option B is wrong because audit logs only record events. Option C is wrong because eDiscovery is for legal discovery.

Option D is wrong because retention policies manage the message lifecycle, not sharing.

1221
MCQ · medium

Your organization uses Microsoft Purview eDiscovery to manage legal cases. You need to place a hold on a user's mailbox to preserve data for an ongoing litigation. Which role do you need to assign to the eDiscovery manager?

A. Records Management
B. Information Protection
C. eDiscovery Manager (with the Legal Hold role enabled)
D. Compliance Administrator
Answer: C

The eDiscovery Manager role group includes the Legal Hold role, which allows placing holds.

Why this answer

Option C is correct because the eDiscovery Manager role group includes the Legal Hold role, which allows placing and managing holds. Option A is incorrect because Records Management covers retention labels and records, not holds. Option D is incorrect because Compliance Administrator has broad permissions but is not the least-privileged or recommended role for eDiscovery work.

Option B is incorrect because Information Protection covers sensitivity labels.

1222
MCQ · easy

Your organization wants to ensure that users cannot install applications from the Microsoft Store on their company-managed Windows devices. Which Microsoft Entra ID feature should you combine with Microsoft Intune to enforce this?

A. Conditional Access
B. Privileged Identity Management
C. Multifactor authentication
D. Identity Protection
Answer: A

Conditional Access can require devices to be compliant (via Intune) before granting access, and Intune policies can block app installations.

Why this answer

Option A is correct because Conditional Access can require that a device is marked compliant by Intune before it is granted access, and Intune's compliance and configuration policies are what restrict Microsoft Store app installation on the managed device. Option D is wrong because Identity Protection is about sign-in and user risk. Option C is wrong because multifactor authentication verifies the user, not the device configuration.

Option B is wrong because Privileged Identity Management governs admin role activation.

1223
MCQ · easy

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C

Confidentiality is the principle of limiting access to data only to those who are authorized, which directly matches the requirement.

Why this answer

The principle of confidentiality ensures that information is accessible only to authorized individuals or systems. In this scenario, restricting access to customer data to only authorized sales representatives aligns with maintaining confidentiality. The other options are incorrect: Integrity ensures data is not improperly modified, Availability ensures systems are operational, and Non-repudiation ensures actions cannot be denied.

1224
MCQ · hard

A healthcare organization must comply with HIPAA. They need to automatically detect protected health information (PHI) in emails sent from Exchange Online, prevent users from sharing these emails with unauthorized external recipients, and apply a retention label that retains PHI emails for six years. Which Microsoft Purview solution should they configure?

A. Microsoft Purview Information Protection and Data Loss Prevention
B. Microsoft Purview eDiscovery
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Insider Risk Management
Answer: A

Information Protection classifies and labels the PHI, DLP prevents unauthorized sharing, and an auto-apply retention label policy retains the labeled email for six years. Together they meet all three requirements.

Why this answer

Microsoft Purview Information Protection and Data Loss Prevention (DLP) is the correct solution because it combines sensitive data classification (detecting PHI through the built-in sensitive information types used by the HIPAA policy template) with policy-based enforcement (blocking mail to unauthorized external recipients). The six-year retention requirement is met by an auto-apply retention label policy keyed on the same sensitive information types, the Purview labeling capability that complements DLP. Together these address all three requirements: detection, prevention, and retention.

Exam trap

The trap here is that candidates may confuse Communication Compliance (which monitors for policy violations) with DLP (which enforces data protection actions), or assume eDiscovery handles retention and blocking. Only the Information Protection and DLP combination detects PHI, prevents external sharing, and works with auto-applied retention labels; an eDiscovery hold preserves content for a case but neither retains by rule nor blocks sharing.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for real-time detection or prevention of data sharing. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect policy violations in communications (e.g., harassment, insider trading) and does not natively enforce DLP actions like blocking external sharing or applying retention labels. Option D is wrong because Microsoft Purview Insider Risk Management focuses on identifying risky user activities (e.g., data theft, sabotage) through behavioral analytics, not on automatically detecting PHI in emails or preventing external sharing.

1225
MCQ · easy

A company wants to provide employees with single sign-on access to both Microsoft 365 and a third-party SaaS application. Which feature of Microsoft Entra ID should they use?

A. Identity Protection
B. Conditional Access
C. Federation
D. Privileged Identity Management
Answer: C

Federation enables SSO across multiple applications.

Why this answer

Option C is correct. Microsoft Entra ID's federation capabilities (SAML and OpenID Connect) allow single sign-on across multiple applications, including third-party SaaS apps registered as enterprise applications. Option B is wrong because Conditional Access controls access based on conditions, not SSO.

Option D is wrong because Privileged Identity Management manages admin roles, not SSO. Option A is wrong because Identity Protection detects risks, not SSO.

1226
MCQeasy

A user downloads a software update from a company's internal website. The update file is hashed, and the hash value is published on a separate secure page. After downloading, the user computes the hash of the downloaded file and compares it to the published hash. The two values match. Which security concept is primarily demonstrated by this comparison?

A.Confidentiality
B.Integrity
C.Availability
D.Authentication
AnswerB

Integrity ensures data has not been tampered with. Matching hashes indicates the file is unchanged, confirming its integrity.

Why this answer

Hashing is a one-way cryptographic function that produces a fixed-size digest from input data. By comparing the computed hash of the downloaded file to the published hash, the user verifies that the file has not been altered during transit or storage. This directly demonstrates the security concept of integrity, which ensures data has not been tampered with or corrupted.

Exam trap

The trap here is that candidates often confuse integrity with authentication, mistakenly thinking that verifying a hash proves the file's origin (authentication) rather than its unaltered state (integrity).

How to eliminate wrong answers

Option A is wrong because confidentiality is about protecting data from unauthorized access, typically achieved through encryption (e.g., AES, TLS), not through hash comparison. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or disaster recovery, not by verifying file integrity. Option D is wrong because authentication verifies the identity of a user or system (e.g., via passwords, certificates, or multi-factor authentication), not the integrity of a file.

1227
MCQmedium

A company uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) only for external guest users, while allowing internal employees to sign in without MFA. Which Conditional Access setting should be configured?

A.Require MFA for all users
B.Exclude internal users by group
C.Target the 'Guest or external users' identity type
D.Use Identity Protection's user risk policy
AnswerC

Conditional Access policies allow targeting specific identity types, including 'Guest or external users'. This ensures the MFA requirement applies only to external users.

Why this answer

Option C is correct because Conditional Access allows targeting the 'Guest or external users' identity type, which enables MFA enforcement exclusively for external guest users without affecting internal employees. This setting leverages the user type attribute in Microsoft Entra ID to differentiate between internal and external identities, providing granular control over authentication requirements.

Exam trap

The trap here is that candidates often confuse exclusion-based approaches (like excluding internal users by group) with direct targeting of guest identity types, leading them to choose Option B instead of the more precise and scalable Option C.

How to eliminate wrong answers

Option A is wrong because requiring MFA for all users would enforce MFA on both internal employees and external guests, which does not meet the requirement to restrict MFA only to guest users. Option B is wrong because excluding internal users by group would require manual group management and could miss dynamic membership changes, whereas the requirement is to target guest users specifically by their identity type, not by exclusion. Option D is wrong because Identity Protection's user risk policy is designed to respond to sign-in risk based on detected anomalies, not to enforce MFA based on user type (guest vs. internal), and it would not selectively apply MFA only to external guests.

1228
MCQeasy

A company uses Azure virtual machines for a production database. The security team wants to minimize the attack surface by blocking all inbound RDP (port 3389) traffic. However, administrators occasionally need to connect for maintenance. The team needs a solution that allows administrators to request temporary access to the RDP port, which is automatically revoked after a specified time. Which Microsoft Defender for Cloud feature should they use?

A.Adaptive application controls
B.Just-in-time (JIT) VM access
C.File Integrity Monitoring (FIM)
D.Security alerts
AnswerB

JIT locks down inbound traffic to VMs and allows authorized users to request temporary access to specific ports, which is automatically revoked after a set time.

Why this answer

Just-in-time (JIT) VM access is the correct feature because it specifically addresses the need to block inbound RDP (port 3389) traffic by default while allowing administrators to request temporary, time-bound access. When a request is approved, JIT dynamically modifies the network security group (NSG) to open the port for a specified duration, then automatically reverts the rule to deny all inbound traffic after the time expires. This directly minimizes the attack surface by eliminating persistent open management ports.

Exam trap

The trap here is that candidates may confuse 'just-in-time VM access' with 'adaptive application controls' because both are Defender for Cloud features that involve 'control' and 'access,' but JIT specifically manages network port access while adaptive controls manage application execution.

How to eliminate wrong answers

Option A is wrong because Adaptive application controls are used to create allowlists for applications running on Azure VMs, controlling which executables can run, not for managing network port access. Option C is wrong because File Integrity Monitoring (FIM) monitors changes to critical files, registries, and system configurations, not network traffic or port access. Option D is wrong because Security alerts are notifications generated by Defender for Cloud when threats are detected, not a mechanism to grant or revoke temporary network access.

1229
MCQeasy

A security administrator is explaining the shared responsibility model to a new team member. The company uses a Software-as-a-Service (SaaS) application such as Microsoft 365. For which of the following items is the customer primarily responsible under this model?

A.Physical security of the data center hosting the SaaS application
B.Patching the hypervisor that runs the SaaS infrastructure
C.Managing user access and classifying data stored in the service
D.Applying security updates to the SaaS application itself
AnswerC

The customer is responsible for their own data, including managing who has access, classifying information, and ensuring data is handled in accordance with compliance requirements.

Why this answer

In the shared responsibility model for SaaS like Microsoft 365, the customer is responsible for managing user access (e.g., configuring Azure AD roles, conditional access policies, and multi-factor authentication) and classifying data stored in the service (e.g., applying sensitivity labels via Microsoft Purview Information Protection). The provider manages the underlying infrastructure, including physical security, hypervisor patching, and application updates.

Exam trap

The trap here is that candidates often confuse operational tasks like patching or physical security with customer responsibilities, failing to recognize that in SaaS the provider handles all infrastructure and application maintenance, leaving only identity and data governance to the customer.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the sole responsibility of the cloud provider (Microsoft) in the SaaS model; the customer has no physical access or control. Option B is wrong because patching the hypervisor is an infrastructure-layer task managed entirely by the provider, as the customer only interacts with the application layer. Option D is wrong because applying security updates to the SaaS application itself is performed by the provider; the customer is only responsible for configuring application-level settings and managing their own data.

1230
MCQmedium

A company wants to protect its employees from phishing attacks delivered via email. The solution must analyze all URLs embedded in incoming emails in real-time. If a URL points to a known malicious site, the link should be blocked at the time of click. Additionally, the solution should sandbox URLs in attachments and provide time-of-click verification. Which Microsoft security solution should they implement?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Cloud App Security
AnswerB

Correct. Defender for Office 365 includes Safe Links and Safe Attachments to protect against malicious URLs and attachments in email.

Why this answer

Microsoft Defender for Office 365 (MDO) is the correct solution because it provides Safe Links, which performs real-time URL scanning and time-of-click verification for URLs embedded in email messages and attachments. It also includes Safe Attachments, which detonates attachments in a sandbox environment to analyze embedded URLs. These capabilities directly address the requirement to block malicious links at click time and sandbox URLs in attachments.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps (a CASB) with Defender for Office 365, because both have 'Defender' in the name and offer cloud security, but only Defender for Office 365 includes the specific Safe Links and Safe Attachments features required for email phishing protection.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) focused on shadow IT discovery, data loss prevention, and session controls for cloud applications, not on real-time email URL scanning or sandboxing of attachments. Option C is wrong because Microsoft Defender for Endpoint is an EDR (Endpoint Detection and Response) solution that protects devices from malware and advanced threats, but it does not provide email-level URL scanning or time-of-click verification for phishing links. Option D is wrong because Microsoft Cloud App Security is the previous name for Defender for Cloud Apps and shares the same CASB functionality; it does not include Safe Links or Safe Attachments for email protection.

1231
MCQeasy

A healthcare organization stores sensitive patient records in a cloud database. The database is encrypted at rest using AES-256. If an attacker gains access to the physical storage media, they cannot read the data. Which security concept does this encryption primarily provide?

A.Confidentiality
B.Integrity
C.Availability
D.Authorization
AnswerA

Correct: Encryption protects the data from unauthorized disclosure, which is the definition of confidentiality.

Why this answer

Encryption at rest using AES-256 ensures that data stored on physical media is unreadable without the decryption key. If an attacker gains physical access to the storage media, the ciphertext cannot be deciphered, directly protecting the secrecy of the data. This aligns with the security goal of confidentiality, which prevents unauthorized disclosure of information.

Exam trap

The trap here is that candidates confuse encryption at rest with integrity controls, mistakenly thinking encryption prevents modification, when in fact encryption only ensures confidentiality and does not provide tamper detection.

How to eliminate wrong answers

Option B is wrong because integrity ensures data has not been tampered with or altered, typically via hashing or digital signatures, not encryption at rest. Option C is wrong because availability ensures systems and data are accessible when needed, often through redundancy or backups, not encryption. Option D is wrong because authorization controls what actions authenticated users can perform, whereas encryption at rest protects data confidentiality regardless of authorization status.

1232
MCQmedium

Refer to the exhibit. You are reviewing a Microsoft Purview DLP policy configuration for a compliance team. What is the effect of this policy?

A.The policy blocks access but allows users to override with a justification
B.The policy automatically applies encryption to the content
C.The policy sends a notification but does not block access
D.The policy automatically blocks access without user override
AnswerA

BlockWithOverride means the action is blocked but the user can provide a reason to override.

Why this answer

The policy contains a BlockAccess action with BlockWithOverride behavior, meaning the action is blocked but the user can override with a business justification. The NotifyUser action sends a custom notification. Option D is wrong because the policy does not block without override; BlockWithOverride allows the user to override.

Option C is wrong because the policy does not merely notify; it also blocks access. Option B is wrong because encryption is not configured.

1233
MCQmedium

A company wants to discover which cloud applications are being used by employees, assess the risk of those apps, and control data sharing in sanctioned apps like Box or Dropbox. Which Microsoft security solution should they implement?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerB

Defender for Cloud Apps offers cloud app discovery (shadow IT), risk assessment, and the ability to apply DLP and governance policies to sanctioned and unsanctioned cloud apps.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into shadow IT by discovering cloud app usage, assessing risk based on over 80 risk factors, and enforcing data loss prevention (DLP) policies to control data sharing in sanctioned apps like Box or Dropbox. It integrates with cloud providers via API connectors to monitor and govern data in real time.

Exam trap

The trap here is confusing the CASB functionality of Defender for Cloud Apps with the endpoint-focused or email-specific protections of other Defender products, leading candidates to pick Defender for Office 365 because it also controls data sharing, but only within Microsoft 365, not third-party apps like Box or Dropbox.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering or controlling cloud application usage. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration tools like Exchange Online and SharePoint, but does not discover or assess risk for third-party cloud apps like Box or Dropbox. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based threats using behavioral analytics, not cloud app discovery or data sharing control.

1234
MCQmedium

A company's security operations team needs to centralize security log collection from multiple sources including on-premises firewalls, AWS CloudTrail, and Azure Active Directory sign-in logs. They want to use built-in analytics to detect threats across all data sources and create automated response playbooks, such as isolating a compromised user account when a specific attack pattern is detected. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Defender for Cloud Apps
AnswerB

Sentinel is designed for central log collection, threat detection using analytics, and automated response playbooks across heterogeneous sources.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from diverse sources (on-premises firewalls via Syslog, AWS CloudTrail via REST API, and Azure AD via diagnostic settings) and provides built-in analytics rules to detect threats across all data. It also integrates with Azure Logic Apps to create automated playbooks (e.g., isolating a compromised user account) triggered by detected attack patterns, fulfilling the requirement for centralized log collection and automated response.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM for multi-source log ingestion and automated response) with Microsoft 365 Defender (an XDR for Microsoft ecosystem threats), failing to recognize that only Sentinel can ingest third-party logs like on-premises firewalls and AWS CloudTrail for centralized threat detection and playbook automation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform focused on securing Azure, on-premises, and other cloud resources via recommendations and vulnerability assessments, not a centralized SIEM for log collection from multiple sources like firewalls and AWS CloudTrail. Option C is wrong because Microsoft 365 Defender is an extended detection and response (XDR) solution that primarily correlates signals from Microsoft 365 products (e.g., Defender for Endpoint, Defender for Office 365) and does not natively ingest third-party logs like on-premises firewalls or AWS CloudTrail. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on shadow IT discovery and data protection for SaaS applications, not a SIEM for collecting and analyzing logs from firewalls or AWS infrastructure.

1235
Matchingmedium

Match each Microsoft identity service to its description.



Cloud-based identity and access management

Directory service for Windows domain networks

Collaboration with external partners

Customer identity and access management for apps

Integration of on-premises AD with Azure AD

Why these pairings

These are key identity services in Microsoft's identity platform.

1236
MCQeasy

A company has a SharePoint Online site that stores project documents. Due to legal requirements, all documents in this site must be retained for exactly 5 years from the date they were created, and then automatically deleted. No user should be able to permanently delete a document before the retention period ends. Which Microsoft Purview solution should the administrator configure?

A.Retention policy
B.Sensitivity label
C.Data loss prevention (DLP) policy
D.Audit policy
AnswerA

A retention policy in Microsoft Purview allows administrators to set a retention period (e.g., 5 years) and an action (such as automatic deletion) for content in SharePoint sites. Users cannot permanently delete the content until the retention period expires.

Why this answer

Option A is correct because a retention policy in Microsoft Purview can be configured to retain documents for exactly 5 years from creation and then automatically delete them. This policy enforces a mandatory retention period that prevents users from permanently deleting documents before the period ends, meeting the legal requirement.

Exam trap

The trap here is that candidates may confuse a retention policy with a sensitivity label or DLP policy, mistakenly thinking those can enforce time-based retention and deletion, when only a retention policy provides the necessary preservation lock and automatic deletion capabilities.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data based on sensitivity (e.g., encryption, markings), but they do not enforce time-based retention or automatic deletion. Option C is wrong because a Data Loss Prevention (DLP) policy detects and prevents accidental sharing of sensitive data, but it cannot enforce a fixed retention period or block permanent deletion. Option D is wrong because an audit policy logs user activities (e.g., deletions) for investigation, but it does not prevent deletion or enforce retention.

1237
MCQeasy

A user is locked out of their account due to multiple failed sign-in attempts. Which Microsoft Entra ID feature can automatically block suspicious sign-in attempts based on risk?

A.Self-Service Password Reset (SSPR)
B.Microsoft Entra ID Governance
C.Microsoft Entra ID Protection
D.Conditional Access
AnswerC

Automatically blocks sign-ins when risk level is high.

Why this answer

Microsoft Entra ID Protection uses machine learning and heuristic algorithms to detect and automatically block suspicious sign-in attempts based on risk signals such as anonymous IP addresses, atypical travel, or leaked credentials. When a user is locked out due to multiple failed attempts, Entra ID Protection can evaluate the sign-in risk and enforce a block or require multi-factor authentication before allowing access.

Exam trap

The trap here is that candidates often confuse Conditional Access with risk-based blocking, but Conditional Access is the policy engine that enforces the block, while Entra ID Protection is the service that actually detects and assesses the risk to trigger the automatic block.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) allows users to unlock their accounts or reset passwords after being locked out, but it does not proactively block suspicious sign-in attempts based on risk. Option B is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycles, access reviews, and entitlement management, not on detecting or blocking risky sign-in events. Option D is wrong because Conditional Access enforces policies based on conditions like location or device compliance after a sign-in attempt is made, but it does not inherently analyze risk signals to automatically block suspicious attempts; it typically relies on risk assessments from Entra ID Protection.

1238
MCQeasy

A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerC

Correct. Availability ensures that resources are accessible to authorized users when needed. Deploying across multiple regions with automatic failover is a classic implementation of availability.

Why this answer

Deploying a mission-critical application across two Azure regions with automatic traffic routing directly addresses the security goal of availability. This architecture ensures that if one region fails, the application remains accessible from the other region, minimizing downtime. Azure Traffic Manager or Azure Front Door can be used to route traffic based on priority or latency, providing high availability and disaster recovery.

Exam trap

The trap here is that candidates may confuse high availability (availability goal) with disaster recovery or think that multi-region deployment primarily protects data confidentiality or integrity, when in fact it is designed to ensure continuous service uptime.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on protecting data from unauthorized access, not on ensuring uptime or failover. Option B is wrong because integrity ensures data is not tampered with or altered, which is not the primary goal of multi-region deployment. Option D is wrong because non-repudiation provides proof of origin or delivery of data, often through digital signatures, and is unrelated to regional failover.

1239
MCQhard

You are investigating an alert in Microsoft 365 Defender. The KQL query in the exhibit retrieves evidence for alert-5678. What type of entities does this query filter for?

A.Registry entities
B.Process entities
C.Network entities
D.File entities
AnswerD

The query explicitly filters for EntityType == 'File'.

Why this answer

Option D is correct because the query filters where EntityType == 'File'. Option A is wrong because it filters for File, not Registry. Option B is wrong because it filters for File, not Process.

Option C is wrong because it filters for File, not Network.

1240
MCQeasy

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the company's financial application. Which security feature should you use?

A.Security defaults
B.Privileged Identity Management
C.Identity Protection
D.Conditional Access
AnswerD

Conditional Access policies can require MFA for specific cloud applications.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to enforce MFA based on conditions like application, user, or location. Identity Protection detects risks but does not enforce access. Privileged Identity Management (PIM) manages roles.

Security defaults provide a baseline but do not allow per-application granularity. Option D is correct.

1241
MCQmedium

A company needs to ensure that employees cannot share sensitive financial reports with external parties via email. They want to automatically detect and block emails that contain the phrase 'Confidential-Financial' in the subject line or body, regardless of the recipient's domain. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP)
B.Information Protection (sensitivity labels)
C.Data Lifecycle Management (retention policies)
D.Audit
AnswerA

DLP policies can be configured to detect custom phrases in emails and automatically block the email from being sent, protecting sensitive data from unauthorized sharing.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and automatically block sensitive content—such as the phrase 'Confidential-Financial'—in emails, regardless of the recipient's domain. DLP policies can inspect subject lines and body text, then enforce actions like blocking delivery or notifying the user, making it ideal for preventing unauthorized external sharing of financial reports.

Exam trap

The trap here is that candidates confuse Information Protection (sensitivity labels) with DLP, thinking labels alone can block emails, but labels only classify and encrypt—blocking requires a DLP policy to enforce actions based on label conditions or content matches.

How to eliminate wrong answers

Option B (Information Protection/sensitivity labels) is wrong because sensitivity labels classify and protect data by applying encryption or visual markings, but they do not automatically detect and block emails based on content patterns like a specific phrase; they require manual or automated labeling and rely on DLP to enforce blocking actions. Option C (Data Lifecycle Management/retention policies) is wrong because retention policies govern how long data is kept or when it is deleted, not real-time detection and blocking of sensitive content in transit. Option D (Audit) is wrong because auditing logs user activities for review but does not actively detect or block emails; it is a detective control, not a preventive one.

1242
MCQeasy

A company uses Microsoft 365. The compliance team needs to create a policy that automatically blocks outgoing emails that contain personally identifiable information (PII) such as social security numbers. However, they want to allow users to override the block with a business justification if necessary. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP)
B.Communication Compliance
C.Records Management
D.Audit
AnswerA

DLP is designed to prevent accidental sharing of sensitive data by detecting and blocking content in email and other locations, with options for user override.

Why this answer

Data Loss Prevention (DLP) in Microsoft Purview is designed to detect and protect sensitive information, such as social security numbers, by automatically blocking outgoing emails that contain PII. DLP policies support user override with a business justification through policy tips and allow overrides, enabling compliance teams to balance security with business needs.

Exam trap

The trap here is that candidates confuse Communication Compliance with DLP because both involve monitoring communications, but Communication Compliance is for policy violations and insider risk, not for automated blocking of sensitive data with user overrides.

How to eliminate wrong answers

Option B (Communication Compliance) is wrong because it focuses on monitoring and analyzing communications for policy violations (e.g., harassment, insider trading) and does not provide automatic blocking of PII with user override capabilities. Option C (Records Management) is wrong because it manages the lifecycle of records (retention, deletion, disposition) and does not inspect or block email content for sensitive data. Option D (Audit) is wrong because it logs user and admin activities for forensic analysis but does not enforce real-time content blocking or allow user overrides.

1243
MCQmedium

A security team manages a hybrid environment with Azure VMs and on-premises Windows servers. They want a single dashboard that provides continuous assessment of security posture, actionable recommendations to harden configurations, and integration with Microsoft Defender for Cloud to detect threats. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Defender for Endpoint
AnswerB

It provides a unified view of security posture across Azure, on-premises, and other clouds, with recommendations and threat detection.

Why this answer

Microsoft Defender for Cloud (MDC) is the correct solution because it provides a unified dashboard for continuous security posture assessment, actionable hardening recommendations based on the Secure Score, and native integration with Microsoft Defender for Cloud's threat detection capabilities. It supports hybrid environments, covering both Azure VMs and on-premises Windows servers via Azure Arc, and delivers the specific requirements of posture assessment, recommendations, and threat detection in a single pane of glass.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (the posture management and CSPM tool) with Microsoft Defender for Endpoint (the EDR tool), because both have 'Defender' in the name and both provide security, but only MDC offers the single dashboard for continuous assessment and recommendations across hybrid workloads.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data loss prevention, and app governance for SaaS applications, not on assessing the security posture of VMs or servers. Option C is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution that ingests logs for threat hunting and incident response, but it does not provide continuous posture assessment or hardening recommendations by itself. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and advanced threats, but it lacks the centralized posture assessment dashboard and configuration hardening recommendations for the entire hybrid infrastructure that MDC offers.

1244
MCQeasy

Your company wants to allow partners to use their own corporate credentials to access a specific SharePoint site. Which Microsoft Entra ID feature supports this?

A.App Registrations
B.B2C collaboration
C.Device Registration
D.B2B collaboration
AnswerD

B2B collaboration enables partners to use their own credentials.

Why this answer

Microsoft Entra ID B2B (business-to-business) collaboration allows you to invite external users from partner organizations to access your company's resources, such as SharePoint sites, using their own corporate credentials. This feature supports identity federation with the partner's Azure AD or other identity providers, enabling seamless single sign-on (SSO) without requiring the partner users to create new accounts in your tenant.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for partner organizations with existing corporate identities) with B2C collaboration (for consumers using social or local accounts), leading them to select the wrong option when the question specifies 'partners' and 'corporate credentials'.

How to eliminate wrong answers

Option A is wrong because App Registrations are used to register and configure applications that integrate with Microsoft Entra ID for authentication and authorization, not to grant external users access to resources like SharePoint. Option B is wrong because B2C collaboration (Azure AD B2C) is designed for customer-facing applications where users sign up with social or local identities, not for partner organizations using their corporate credentials. Option C is wrong because Device Registration is used to register devices (e.g., Windows, iOS, Android) for management and conditional access policies, not to enable external user access to SharePoint.

1245
MCQmedium

A user reports that a sensitive document labeled 'Highly Confidential' was accidentally shared with an external vendor. You need to investigate how the sharing occurred. Which two Microsoft Purview tools should you use together?

A.Audit (Standard) and Content Explorer
B.Insider Risk Management and Information Barriers
C.eDiscovery (Premium) and Communication Compliance
D.Data Loss Prevention and Sensitivity labels
E.Records Management and Data Lifecycle Management
AnswerA

Audit logs show sharing events; Content Explorer shows the document's location and metadata.

Why this answer

Option A is correct because Audit logs track sharing events, and Content Explorer shows where sensitive documents are located. Option D is wrong because DLP would prevent sharing, not investigate. Option C is wrong because eDiscovery is for legal discovery.

Option E is wrong because Records Management is for records declaration. Option B is wrong because Insider Risk Management is for risky behavior, not specific document tracking.

1246
MCQmedium

A company uses Microsoft Entra ID and Intune to manage devices. They want to enforce a policy that allows access to financial data from SharePoint Online only when the user's device is compliant (e.g., encrypted, patched) AND the user authenticates from a trusted IP address range. Additionally, if the sign-in risk is assessed as medium or high by Identity Protection, the user must also perform multifactor authentication (MFA). Which Conditional Access components should the administrator configure?

A.Configure conditions for sign-in risk and locations, and use Grant controls to require MFA and device compliance.
B.Configure a session control to require device compliance and an assignment for sign-in risk to trigger MFA.
C.Use Microsoft Entra ID Protection to automatically enforce MFA and device compliance for all users regardless of location.
D.Configure a compliance policy in Intune and link it directly to SharePoint Online to block non-compliant devices.
AnswerA

This correctly identifies that conditions (sign-in risk and locations) are used to define when the policy applies, and Grant controls enforce the requirements. The Grant control 'Require all the selected controls' can combine device compliance and MFA.

Why this answer

Option A is correct because Conditional Access in Microsoft Entra ID allows combining multiple conditions (sign-in risk, locations) with grant controls (require MFA, require device compliance) to enforce the described policy. The administrator configures conditions for sign-in risk (medium/high) and locations (trusted IP range), then uses Grant controls to require MFA and device compliance, ensuring access is allowed only when all requirements are met.

Exam trap

The trap here is confusing session controls with grant controls, leading candidates to incorrectly select Option B, which misassigns device compliance as a session control instead of a grant control.

How to eliminate wrong answers

Option B is wrong because session controls (e.g., app enforced restrictions) cannot require device compliance; device compliance is a grant control, not a session control, and sign-in risk is a condition, not an assignment. Option C is wrong because Microsoft Entra ID Protection does not automatically enforce MFA and device compliance for all users regardless of location; it provides risk detection but relies on Conditional Access policies to apply controls. Option D is wrong because Intune compliance policies cannot be linked directly to SharePoint Online to block non-compliant devices; they require Conditional Access to enforce access restrictions based on compliance status.

1247
MCQmedium

A company needs to retain all customer emails for 7 years for regulatory compliance. After 7 years, they must be permanently deleted. They also need a legal hold for an ongoing investigation. Which Microsoft Purview solution should they use for the retention and deletion requirement?

A.Data Lifecycle Management
B.Records Management
C.Compliance Manager
D.eDiscovery
AnswerA

Data Lifecycle Management policies can automatically retain emails for 7 years and then delete them. Legal hold can be applied separately via eDiscovery.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview is the correct solution because it allows you to define retention policies that automatically retain customer emails for a specified period (7 years) and then permanently delete them. This directly addresses the regulatory compliance requirement for retention and deletion without manual intervention.

Exam trap

The trap here is that candidates often confuse Records Management with Data Lifecycle Management, thinking that 'records' implies retention and deletion, but Records Management is specifically for declaring items as records with immutable preservation, not for automated lifecycle-based retention and deletion.

How to eliminate wrong answers

Option B (Records Management) is wrong because it focuses on declaring records for long-term preservation and disposition, not on automated lifecycle-based retention and deletion for compliance; it is more about managing records as evidence. Option C (Compliance Manager) is wrong because it is a risk assessment and compliance score tool that helps track compliance posture, not a solution for implementing data retention or deletion policies. Option D (eDiscovery) is wrong because it is used for searching and exporting content for legal investigations, not for setting retention or deletion rules; it can place holds but does not manage lifecycle deletion.

1248
MCQmedium

A company must retain all vendor contracts for 10 years to meet regulatory requirements. After 10 years, the contracts must be permanently destroyed with no possibility of recovery. The compliance team wants to automate this lifecycle and ensure that during the retention period, the contracts cannot be edited or deleted by users. Which Microsoft Purview solution should they use?

A.Data Lifecycle Management (DLM)
B.Records Management
C.eDiscovery (Premium)
D.Sensitivity Labels
AnswerB

Records Management uses retention labels that declare items as records, locking them against modifications or deletions during the retention period, and supports automated disposition review and permanent deletion.

Why this answer

Records Management in Microsoft Purview is designed to declare records (regulatory or legal) that must be retained for a specific period and then disposed of in a compliant manner. It enforces immutability during the retention period—users cannot edit or delete records—and supports a disposition review or automatic permanent deletion after the retention period ends, exactly matching the requirement for 10-year retention followed by destruction with no recovery.

Exam trap

Microsoft often tests the distinction between Data Lifecycle Management (which manages non-record content) and Records Management (which enforces immutability and disposition for regulatory records), so the trap here is assuming DLM can provide the required edit/delete prevention and automatic destruction, when only Records Management offers those capabilities.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management (DLM) manages the lifecycle of non-record content (e.g., aging out old data) but does not provide the immutability or disposition controls required for regulatory records; it allows users to edit or delete items during the retention period. Option C is wrong because eDiscovery (Premium) is used for searching, holding, and exporting content for legal or investigative purposes, not for automating retention and destruction lifecycles. Option D is wrong because Sensitivity Labels classify and protect data (e.g., encryption, visual markings) but do not enforce retention periods or automatic destruction; they can mark content as a record only when combined with a retention label from Records Management.

1249
MCQhard

A large enterprise is concerned about insider threats. The compliance team needs to detect and investigate potential data theft scenarios, such as when employees nearing their resignation date suddenly copy large amounts of sensitive data to USB drives or email confidential files to personal accounts. They require a solution that uses machine learning to identify risky activities and create alerts for investigation. Which Microsoft Purview solution should they deploy?

A.Data Lifecycle Management
B.Audit (Premium)
C.Insider Risk Management
D.Compliance Manager
AnswerC

Insider Risk Management uses machine learning to detect, investigate, and act on insider threats based on behavioral patterns.

Why this answer

Insider Risk Management is the correct solution because it uses machine learning to correlate signals from user activities (e.g., copying files to USB, emailing to personal accounts) with contextual indicators like resignation dates, enabling detection of potential data theft scenarios. It provides built-in alerting and investigation workflows specifically designed for insider threat use cases, unlike the other options which focus on retention, auditing, or compliance posture.

Exam trap

The trap here is that candidates often confuse Audit (Premium) with a detection solution, but Audit is purely a logging and search tool, not a proactive ML-based risk detection system like Insider Risk Management.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management handles retention and deletion policies for data, not real-time detection of risky user behavior. Option B is wrong because Audit (Premium) provides detailed logging and forensic search capabilities but lacks the machine learning models to proactively identify anomalous patterns like pre-resignation data exfiltration. Option D is wrong because Compliance Manager is a risk assessment and compliance score tool that evaluates controls against regulations, not a solution for detecting insider threats.

1250
MCQeasy

A company wants to allow employees to access corporate resources such as email and internal apps using their personal smartphones. The IT team does not want to fully manage or domain-join these devices but needs each device to have a simple identity that links the user's work account to the device. Which Microsoft Entra ID device identity option should they implement?

A.Microsoft Entra ID Registered
B.Microsoft Entra ID Joined
C.Hybrid Microsoft Entra ID Joined
D.Active Directory Joined
AnswerA

Microsoft Entra ID Registered is the appropriate option for personal devices that need a simple identity to access corporate resources without being fully managed.

Why this answer

Microsoft Entra ID supports three device identity options: Registered, Joined, and Hybrid Joined. Microsoft Entra ID Registered is designed for 'bring your own device' (BYOD) scenarios. A registered device is known to Azure AD but not fully managed; it simply links the user's work account to the device, often enabling single sign-on and conditional access.

Microsoft Entra ID Joined is for corporate-owned devices that are managed by MDM. Hybrid Joined requires an on-premises Active Directory. Active Directory Joined is a traditional on-premises domain join, not a cloud identity option.

1251
MCQeasy

A company wants to allow external customers to sign in to a custom web application using their existing Google or Facebook accounts. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID B2B collaboration
B.Microsoft Entra ID B2C
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Conditional Access
AnswerB

B2C is specifically designed for consumer identities and supports multiple identity providers including social accounts like Google and Facebook.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct feature because it is specifically designed for customer-facing applications that need to support external identity providers like Google and Facebook. It allows users to sign in with their existing social accounts via OAuth 2.0 and OpenID Connect protocols, while providing customizable user journeys and branding. This is distinct from B2B collaboration, which is intended for business partner access to enterprise resources.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners) with B2C (for consumers), mistakenly thinking B2B can also support social identity providers like Google or Facebook, but B2B only supports enterprise identity providers (e.g., SAML/WS-Fed) and Microsoft accounts, not consumer social accounts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B collaboration is designed for external business partners to access enterprise applications and resources, not for consumer-facing social identity providers like Google or Facebook. Option C is wrong because Microsoft Entra ID Identity Protection is a risk-based security tool that detects and responds to identity threats, not a feature for enabling external authentication with social identity providers. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on signals like user location or device state, but it does not provide the ability to federate with external social identity providers.

1252
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud Apps alert. Based on the evidence, which action should you take first?

A.Mark the alert as benign
B.Suspend the user account
C.Isolate the device immediately
D.Request file upload for analysis
AnswerD

Uploading the file allows deep analysis to confirm if it is malicious.

Why this answer

Option D is correct because the evidence shows a suspicious file, and requesting file upload for analysis is a standard first step. Option C is incorrect because isolating the device may escalate unnecessarily. Option B is incorrect because suspending the user is premature.

Option A is incorrect because marking the alert as benign without investigation is risky.

1253
Multi-Selectmedium

A security analyst is using Microsoft Sentinel to investigate an incident. Which THREE data sources can be ingested into Sentinel?

Select 3 answers
A.Power BI usage metrics
B.Azure Active Directory logs
C.Office 365 logs
D.Windows Security Events
E.Azure DevOps audit logs
AnswersB, C, D

Correct: Azure AD connector available.

Why this answer

Microsoft Sentinel can ingest logs from Office 365, Azure AD, and Windows Security Events via MMA/AMA. Azure DevOps is not a supported data connector. Power BI is not a log source.

1254
MCQmedium

Your organization uses Microsoft Entra ID and wants to provide a single sign-on (SSO) experience for a third-party SaaS application that supports SAML 2.0. The app must also enforce multifactor authentication (MFA) for external users. What should you configure?

A.Set up SAML-based federation in Microsoft Entra ID and assign a Conditional Access policy requiring MFA
B.Add the app as a Linked Sign-On application
C.Use password-based SSO in Microsoft Entra ID
D.Configure OAuth 2.0 authorization in Microsoft Entra ID
AnswerA

SAML federation provides SSO; Conditional Access enforces MFA.

Why this answer

Option A is correct because SAML-based federation provides SSO and can be combined with Conditional Access for MFA. Option D is wrong because OAuth 2.0 is for delegated access, not SAML SSO. Option C is wrong because password-based SSO does not support SAML.

Option B is wrong because Linked Sign-On uses an existing IdP, not federation.

1255
MCQhard

A company's security operations center wants to detect advanced attacks targeting their on-premises Active Directory, such as Kerberos Golden Ticket attacks, pass-the-hash, and skeleton key malware. They need a solution that monitors domain controller traffic, correlates with entity behavior, and integrates with Microsoft Sentinel for incident response. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Identity
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud
D.Microsoft Sentinel
AnswerA

Defender for Identity specializes in protecting on-premises Active Directory environments. It uses behavioral analytics and machine learning to detect suspicious activities such as abnormal Kerberos ticket requests, pass-the-hash attempts, and other identity-based attacks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic, including domain controller network traffic, and uses entity behavior analytics to detect advanced attacks like Kerberos Golden Ticket, pass-the-hash, and skeleton key malware. It integrates natively with Microsoft Sentinel to enable automated incident response and investigation.

Exam trap

The trap here is that candidates mistake Microsoft Sentinel for the detection tool itself, when in fact Sentinel is the aggregation and response platform, while Defender for Identity is the dedicated on-premises AD threat detection solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (workstations, servers) and does not monitor domain controller traffic or Active Directory-specific attacks like Golden Tickets. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution for Azure, AWS, and GCP resources, not for on-premises Active Directory monitoring. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests alerts from other security tools but does not itself monitor domain controller traffic or perform entity behavior analysis for AD attacks.

1256
MCQhard

Refer to the exhibit. A sensitivity label is configured as shown. A user applies the parent label to a document containing credit card numbers. What is the expected behavior?

A.The document gets the parent label's header and the sublabel's encryption and watermark
B.The document gets no protection because credit card numbers are only detected by auto-labeling
C.The document gets the parent label's encryption (ViewOnly) and header, but no watermark
D.The document gets the parent label's encryption and header, and auto-labeling applies the sublabel
AnswerC

Manual application applies parent label settings; auto-labeling is not invoked. Sublabel is not automatically applied.

Why this answer

The parent label has auto-labeling rules that automatically apply the label when credit card numbers are detected. Since the user manually applied the parent label, auto-labeling is not triggered; the manual label applies. The sublabel is not automatically applied because auto-labeling is configured only on the parent.

Therefore, the document gets the parent label's encryption (ViewOnly) and header, but no watermark.

1257
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps? (Choose three.)

Select 3 answers
A.Threat detection to identify malicious behavior in cloud apps
B.Cloud Discovery to identify shadow IT
C.Email scanning and remediation
D.Endpoint detection and response (EDR)
E.Information protection to apply labels to files stored in cloud apps
AnswersA, B, E

It detects anomalies and threats in cloud app usage.

Why this answer

Options A, B, and E are correct. Cloud Access Security Brokers (CASB) provide discovery, data protection, and threat detection. Option D is incorrect because endpoint detection is in Defender for Endpoint.

Option C is incorrect because email scanning is in Defender for Office 365.

1258
MCQeasy

A company wants to create a sensitivity label called 'Highly Confidential' in Microsoft 365. When applied to a document, the label should automatically encrypt the document and restrict access to employees in the finance department only. Which Microsoft Purview solution should the administrator use to configure this label?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview Information Protection
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Audit
AnswerB

Information Protection includes sensitivity labels that can apply encryption and access restrictions.

Why this answer

Microsoft Purview Information Protection is the correct solution because it provides the ability to create and configure sensitivity labels that enforce protection actions such as encryption and access restrictions. When a 'Highly Confidential' label is applied, it can automatically encrypt the document using Azure Rights Management (Azure RMS) and restrict access to only members of the finance department via a defined permission policy.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection with Data Lifecycle Management, mistakenly thinking retention labels can enforce encryption, when in fact only sensitivity labels can apply protection actions like encryption and access control.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management (formerly Information Governance) focuses on retaining, deleting, and managing data based on retention policies and labels, not on applying encryption or access control. Option C is wrong because Microsoft Purview Compliance Manager is a risk assessment and compliance scoring tool that helps manage compliance posture, not a tool for configuring sensitivity labels or encryption. Option D is wrong because Microsoft Purview Audit provides auditing and logging of user and admin activities, not the ability to create or apply sensitivity labels with encryption and access restrictions.

1259
MCQmedium

An organization uses Microsoft Entra ID. The security team wants to require multi-factor authentication (MFA) for all users accessing sensitive data from outside the corporate network. Which Microsoft Entra capability should they configure?

A.Conditional Access
B.B2B Collaboration
C.Privileged Identity Management
D.Identity Protection
AnswerA

Conditional Access policies can require MFA based on location.

Why this answer

Conditional Access is the correct capability because it allows administrators to define policies that enforce MFA based on specific conditions, such as network location. By configuring a policy that targets all users and applies the 'Require multi-factor authentication' grant control when the location is outside the corporate network, the security team can precisely meet the requirement. This policy evaluates the user's IP address against named locations defined in Entra ID before granting access to sensitive data.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA trigger with the ability to enforce MFA based on a static network location, but Identity Protection only responds to risk events and does not allow direct configuration of location-based conditions.

How to eliminate wrong answers

Option B (B2B Collaboration) is wrong because it is designed for inviting external users (guests) from partner organizations, not for enforcing MFA on internal users based on network location. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and approval workflows, not on location-based MFA enforcement for all users. Option D (Identity Protection) is wrong because it detects and remediates risks like leaked credentials or sign-ins from anonymous IPs, but it does not directly enforce MFA based on a static network boundary; it can trigger MFA via Conditional Access policies but is not the capability that configures the location condition itself.

1260
MCQmedium

A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Shared responsibility
AnswerC

Zero Trust is the correct answer because it is built on the principle of 'never trust, always verify' and assumes no implicit trust based on network location.

Why this answer

The described model—requiring full authentication, authorization, and encryption for every access request, treating no entity as inherently trustworthy, and demanding continuous verification—is the core definition of Zero Trust. This aligns with the NIST SP 800-207 standard, which explicitly states that Zero Trust assumes no implicit trust and enforces verification for every request, regardless of network location.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense in depth, assuming that multiple security layers inherently imply no trust, but defense in depth does not require per-request authentication, authorization, and encryption from any location.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, antivirus) to protect assets, but it does not inherently assume zero trust or require continuous verification for every access request. Option B is wrong because least privilege is a principle that grants users only the minimum permissions needed to perform their tasks, but it does not mandate full authentication, authorization, and encryption for every request or continuous verification. Option D is wrong because shared responsibility is a cloud security model that delineates security obligations between the provider and customer (e.g., in Azure, Microsoft secures the infrastructure while the customer secures data and identities), but it does not define an access verification model like the one described.

1261
MCQmedium

Refer to the exhibit. The JSON shows a Microsoft Purview DLP policy. A user sends an email with a credit card number to an external recipient. What will happen?

A.The email is delivered normally because TeamsChatAndChannel is false.
B.The email is delivered but an alert is generated.
C.The email is blocked and the user receives a notification.
D.The email is encrypted before delivery.
AnswerC

Correct: Exchange is included, and the rule blocks access with user notification.

Why this answer

The policy is scoped to Exchange, SharePoint, and OneDrive, and includes a rule with BlockAccess action. Since Exchange is included, the email will be blocked and the user notified.

1262
MCQhard

A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?

A.Configuring network firewall rules for the App Service
B.Patching the underlying operating system of the App Service host
C.Managing user authentication and authorization
D.Applying encryption to the application data at rest
AnswerB

Microsoft is responsible for patching the host OS and underlying infrastructure as part of the PaaS shared responsibility model.

Why this answer

For Azure App Service, Microsoft retains responsibility for patching the underlying operating system of the host infrastructure. This is part of the shared responsibility model where the cloud provider manages the host OS and hypervisor, while the customer manages the application code, data, and access configurations.

Exam trap

The trap here is that candidates often confuse 'patching the underlying OS' with 'patching the application runtime' or 'configuring network security,' mistakenly thinking Microsoft handles all security tasks for PaaS services, when in fact the customer retains significant control over access and data protection.

How to eliminate wrong answers

Option A is wrong because configuring network firewall rules for the App Service (such as IP restrictions or Azure Front Door integration) is a customer responsibility, not Microsoft's. Option C is wrong because managing user authentication and authorization (e.g., using Azure AD or built-in authentication modules) is the customer's responsibility to configure within their application. Option D is wrong because applying encryption to application data at rest (e.g., using Azure SQL Transparent Data Encryption or storage encryption keys) is a customer-managed task, though Microsoft provides the underlying platform encryption.

1263
MCQmedium

A company runs a web application in Azure that is publicly accessible. They want to protect it against large-scale distributed denial-of-service (DDoS) attacks from multiple sources. Which Azure service is specifically designed for this purpose?

A.Azure Firewall
B.Azure DDoS Protection
C.Microsoft Defender for Cloud
D.Azure Application Gateway with Web Application Firewall (WAF)
AnswerB

This service offers always-on monitoring and automatic mitigation of DDoS attacks, protecting applications deployed in Azure.

Why this answer

Azure DDoS Protection is specifically designed to safeguard Azure resources against large-scale distributed denial-of-service (DDoS) attacks. It leverages the global scale of Microsoft's network to absorb and mitigate multi-gigabit attacks, providing always-on traffic monitoring and adaptive tuning. This service is the only option among the choices that is purpose-built for DDoS mitigation at the network and transport layers (L3/L4), and it also offers application-layer (L7) protection when combined with Application Gateway WAF.

Exam trap

The trap here is that candidates often confuse Azure Firewall or Application Gateway WAF as DDoS solutions, but those services handle different layers of defense—Azure Firewall for network filtering and WAF for application-layer attacks—whereas only Azure DDoS Protection is designed to absorb and mitigate large-scale volumetric attacks from multiple sources.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful network firewall that filters traffic based on rules (e.g., IP addresses, ports, protocols) but does not provide dedicated DDoS mitigation; it cannot absorb volumetric attacks. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides threat detection and security recommendations, not a DDoS mitigation service. Option D is wrong because Azure Application Gateway with WAF protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not mitigate large-scale volumetric DDoS attacks at the network layer; it can be used in conjunction with Azure DDoS Protection but is not a standalone DDoS solution.

1264
MCQmedium

A company must retain all customer contracts for 10 years to comply with industry regulations. After 10 years, the contracts must be permanently deleted. Which Microsoft Purview solution should be used to automate this process?

A.Data Loss Prevention (DLP)
B.Data Lifecycle Management
C.eDiscovery
D.Information Protection
AnswerB

Data Lifecycle Management provides retention labels and policies to automatically retain data for a defined period and then delete it, meeting the regulatory requirement.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview is the correct solution because it allows you to define retention labels and policies that automatically retain contracts for a specified period (10 years) and then either trigger a disposition review or permanently delete the content. This aligns directly with the regulatory requirement to retain data for a fixed duration and then dispose of it securely.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management with Data Loss Prevention, mistakenly thinking DLP can delete data after a period, when DLP only blocks or alerts on data exfiltration and does not manage retention schedules.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) is designed to detect and prevent the accidental sharing of sensitive data (e.g., via email or endpoints), not to manage retention or deletion schedules. Option C is wrong because eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for automating time-based retention and deletion. Option D is wrong because Information Protection focuses on classifying and protecting data with sensitivity labels (e.g., encryption, marking), not on lifecycle management or automated deletion after a retention period.

1265
MCQmedium

A company has an on-premises Active Directory and wants to synchronize user accounts to Microsoft Entra ID. They also need to enable password hash synchronization so users can sign in to cloud resources with the same password. Which Microsoft tool should they use?

A.Microsoft Entra Connect
B.Microsoft Entra ID Application Proxy
C.Microsoft Identity Manager
D.Microsoft Entra Domain Services
AnswerA

Microsoft Entra Connect is the correct tool for identity synchronization and supports password hash synchronization by default.

Why this answer

Microsoft Entra Connect is the correct tool because it is specifically designed to synchronize on-premises Active Directory user accounts to Microsoft Entra ID and supports password hash synchronization (PHS). PHS enables users to sign in to cloud resources using the same password as their on-premises environment by synchronizing a hash of the password hash to Entra ID.

Exam trap

The trap here is that candidates may confuse Microsoft Entra Connect with Microsoft Identity Manager (MIM), but MIM is a legacy tool for on-premises identity management and does not natively support password hash synchronization to Microsoft Entra ID.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications, not directory synchronization or password hash sync. Option C is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution for managing identities across heterogeneous directories, but it is not the primary tool for synchronizing to Microsoft Entra ID and does not natively enable password hash synchronization to Entra ID. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., Kerberos, LDAP) for cloud VMs, not user account synchronization or password hash sync from on-premises Active Directory.

1266
MCQeasy

What is the primary purpose of Microsoft Defender for Cloud Apps?

A.Monitor network traffic
B.Manage mobile devices
C.Protect on-premises servers
D.Secure cloud applications and data
AnswerD

Correct: It acts as a CASB for cloud apps.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, data controls, and threat protection for cloud applications.

1267
MCQmedium

A company needs to grant IT administrators temporary and time-limited access to privileged roles in Microsoft Entra ID (Azure AD). The access must require approval from a manager and be automatically revoked after the task is completed. Which Microsoft Entra ID feature should be used?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Entitlement Management
AnswerC

PIM provides just-in-time privileged access with time-bound activation, approval workflows, and automatic expiration, fulfilling the requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access by allowing administrators to activate eligible role assignments for a limited duration. It supports approval workflows (e.g., manager approval) and automatically deactivates the role when the activation time expires or the task is completed, meeting the requirement for temporary, time-limited, approved, and auto-revoked access.

Exam trap

The trap here is confusing Entitlement Management (which manages access packages for non-privileged resources) with PIM (which specifically handles time-limited privileged role activation with approval), leading candidates to choose D because they see 'approval' and 'temporary access' without recognizing the privileged role context.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies (e.g., MFA, location) at sign-in but does not provide time-limited role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity risks (e.g., leaked credentials) but does not manage privileged role assignments or temporary access. Option D is wrong because Entitlement Management governs access packages and resource access for users (e.g., group memberships) but is not designed for temporary, approval-based activation of privileged directory roles.

1268
MCQeasy

Refer to the exhibit. A Microsoft Purview sensitivity label is configured as shown. What is the purpose of this label?

A.To prevent sharing with external users via DLP
B.To automatically apply the label based on content
C.To encrypt the document and add a visual marking
D.To automatically retain the document for a specific period
AnswerC

Encryption is enabled and header/footer markings are defined.

Why this answer

Option C is correct because the label enables encryption and adds a header/footer marking. Option A is wrong because the label does not have a DLP policy linked. Option B is wrong because the label does not include any auto-labeling configuration.

Option D is wrong because the label does not specify retention.

1269
MCQhard

You are the identity administrator for Contoso Ltd., a global company with over 10,000 employees. The company uses Microsoft Entra ID P2 and Microsoft Intune. Employees use both company-owned and personal devices. The security team requires that all access to corporate applications be protected with multifactor authentication (MFA). However, to minimize user friction, they want to exempt MFA for users who are on the corporate network and using compliant devices. Additionally, for users with privileged roles (e.g., Global Administrator), MFA must always be required regardless of location or device. You need to configure a Conditional Access policy to meet these requirements. Which of the following approaches should you take?

A.Create two Conditional Access policies: Policy 1 targets all users except privileged roles, requires MFA, and excludes trusted locations and compliant devices. Policy 2 targets privileged roles and requires MFA with no exclusions.
B.Create one Conditional Access policy that targets all users and requires MFA. Create a second policy that targets privileged roles and excludes trusted locations.
C.Create one Conditional Access policy that targets all users, requires MFA, and excludes trusted locations and compliant devices. Do not create any additional policies.
D.Create one Conditional Access policy that targets all users and requires MFA. Use Microsoft Intune compliance policies to exempt compliant devices from MFA.
AnswerA

This meets all requirements.

Why this answer

Option A is correct because it uses two separate Conditional Access policies to handle the two distinct user groups. Policy 1 targets all users except privileged roles, requires MFA, and excludes trusted locations and compliant devices, which satisfies the requirement to minimize friction for users on the corporate network with compliant devices. Policy 2 targets privileged roles and requires MFA with no exclusions, ensuring that Global Administrators and other privileged role members must always perform MFA regardless of location or device compliance.

Exam trap

The trap here is that candidates often think a single policy with exclusions can handle all users, forgetting that privileged roles require unconditional MFA, which necessitates a separate policy with no exclusions to override the more permissive exclusions applied to regular users.

How to eliminate wrong answers

Option B is wrong because it creates a second policy that targets privileged roles and excludes trusted locations, which would exempt privileged role users from MFA when they are on the corporate network, violating the requirement that MFA must always be required for privileged roles. Option C is wrong because it creates only one policy targeting all users with exclusions for trusted locations and compliant devices, which would incorrectly exempt privileged role users from MFA when they meet those conditions. Option D is wrong because Intune compliance policies cannot be used to exempt devices from MFA in a Conditional Access policy; MFA enforcement is controlled by Conditional Access policies, not by compliance policies.

1270
MCQmedium

An organization needs to grant its IT administrators temporary access to the Global Administrator role. The access should require a separate approval from a designated manager before activation, and the permissions should automatically expire after 4 hours. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Access Reviews
AnswerC

PIM is designed for just-in-time privileged access, supporting approval-based activation with configurable time limits and automatic expiration.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, allowing IT administrators to activate the Global Administrator role for a limited time (e.g., 4 hours) only after receiving approval from a designated manager. This directly meets the requirement for temporary, approval-based, and auto-expiring permissions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, mistakenly thinking that Conditional Access can enforce time-limited role activation, when in fact PIM is the only feature that provides just-in-time privileged access with approval and automatic expiration.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like location or device state to control access to resources, but it does not provide time-limited role activation or require separate manager approval for role elevation. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials) but does not manage privileged role activation or approval workflows. Option D is wrong because Access Reviews allow administrators to periodically review and certify group memberships or role assignments, but they do not provide temporary, approval-based activation with automatic expiration.

1271
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst notices anomalous file downloads from a SharePoint site by a user flagged as high risk. What should the analyst configure to automatically block such activity?

A.Configure a file policy
B.Configure an access policy
C.Configure an app permission policy
D.Configure a session policy
AnswerD

Session policies allow real-time monitoring and control of user activities within apps, such as blocking downloads.

Why this answer

Session policies in Microsoft Defender for Cloud Apps provide real-time control over user activities, including blocking downloads based on risk level. Option A is incorrect because file policies are for static file classification. Option C is incorrect because app permission policies manage consent, not real-time monitoring.

Option B is incorrect because access policies control initial access, not ongoing session activities.

1272
MCQmedium

Refer to the exhibit. You are reviewing Microsoft Entra role assignments for a user. The first assignment has a roleDefinitionId of '62e90394-69f5-4237-9190-012177145e10' at scope '/'. The second assignment has a roleDefinitionId of '194ae4cb-b126-40b2-bd5b-6091b380977d' at a subscription scope. What can you infer?

A.The user has the Global Administrator role at the tenant level.
B.The user can only read Azure AD objects.
C.The second role is assigned at the subscription scope.
D.The user is a Global Administrator with full access to all Azure AD and Azure resources.
AnswerA

Role ID 62e90394... is the Global Administrator role, assigned at tenant scope.

Why this answer

The roleDefinitionId '62e90394-69f5-4237-9190-012177145e10' corresponds to the Global Administrator role in Microsoft Entra ID. The scope '/' indicates the tenant root scope, meaning the assignment applies to the entire tenant. Therefore, the user is a Global Administrator at the tenant level, which grants full administrative access to Azure AD objects; access to Azure resources is governed separately by Azure RBAC.

Exam trap

The trap here is that candidates often assume the Global Administrator role automatically grants full access to all Azure resources, but in reality, Azure AD roles and Azure RBAC roles are separate authorization systems, and a Global Administrator must be explicitly assigned an Azure RBAC role (like Contributor or Owner) to manage Azure resources.

How to eliminate wrong answers

Option B is wrong because the Global Administrator role provides full read and write access to Azure AD objects, not just read-only. Option C is wrong because, although the second assignment is indeed at a subscription scope, that statement does not answer the question's inference about the user's overall role; the key inference is the Global Administrator role from the first assignment. Option D is wrong because although Global Administrators have full access to Azure AD, they do not automatically have full access to all Azure resources; access to Azure resources requires additional role assignments (e.g., Owner or Contributor) at the subscription or resource scope.

1273
MCQeasy

A company wants to provide secure external access to a partner application without creating user accounts manually. They need to allow partners to authenticate using their existing corporate identities (e.g., from other organizations) and configure policies for access. Which Microsoft Entra feature should they use?

A.Microsoft Entra Identity Protection
B.Microsoft Entra External ID (B2B collaboration)
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Domain Services
AnswerB

This feature enables partners to use their own identities to sign in, and you can apply policies to manage access.

Why this answer

Microsoft Entra External ID (B2B collaboration) allows organizations to securely share applications and resources with external partners by letting them authenticate using their own corporate identities (e.g., from other Azure AD tenants, Microsoft accounts, or social identity providers). It eliminates the need to manually create and manage user accounts for partners, while enabling you to apply conditional access policies for granular control over external access.

Exam trap

The trap here is that candidates often confuse B2B collaboration (External ID) with B2C (External Identities for customer-facing apps) or think that Privileged Identity Management is needed for external access, but the question specifically asks about allowing partners to use their existing corporate identities without manual account creation, which is the core purpose of B2B collaboration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies) for users within your tenant, not a feature for inviting external partners or federating with their existing identities. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within your own directory (e.g., just-in-time admin access), not for enabling external partner authentication or collaboration. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy on-premises applications in the cloud, not for external identity federation or B2B guest access.

1274
MCQmedium

Your company uses Microsoft Entra ID. Security policy requires that all external guest users must be reviewed and their access approved by their sponsor every 90 days. If not approved, access should be automatically removed. Which feature should you use?

A.Microsoft Entra Conditional Access
B.Microsoft Entra B2B collaboration settings
C.Microsoft Entra entitlement management
D.Microsoft Entra access reviews
AnswerD

Access reviews allow scheduling periodic reviews and can automatically remove access if not approved.

Why this answer

Microsoft Entra access reviews (Option D) allow you to configure recurring reviews of guest users' access, with automatic removal of access if not approved. This directly meets the requirement for a 90-day review cycle with automatic enforcement, as access reviews can be scoped to guest users and integrated with entitlement management or groups.

Exam trap

The trap here is that candidates confuse entitlement management (which creates access packages) with the actual review and removal mechanism, but access reviews are the specific feature that enforces periodic attestation and automatic cleanup.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access controls access based on conditions like location or device state, but it does not provide periodic review or automatic removal of access based on approval. Option B is wrong because Microsoft Entra B2B collaboration settings manage invitation policies and external user properties, but they lack the recurring review and auto-removal workflow. Option C is wrong because Microsoft Entra entitlement management manages access packages and catalogs, but the actual review and removal process is implemented through access reviews, not entitlement management alone.

1275
MCQhard

A company runs critical Windows virtual machines on Azure. To reduce the attack surface, the security team wants to block all inbound RDP (port 3389) traffic from the internet by default. When a security engineer needs to connect via RDP for troubleshooting, they must request access through a portal, and the RDP port will be opened for a limited time (e.g., 4 hours) only to their source IP address. Which Microsoft security solution should they use to implement this control?

A.Microsoft Defender for Cloud's Just-in-time (JIT) VM access
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Azure Network Security Groups (NSGs) with application security groups
AnswerA

Defender for Cloud's JIT VM access provides exactly this capability: controls inbound traffic to VMs, reduces exposure, and grants temporary access with approval.

Why this answer

Microsoft Defender for Cloud's Just-in-time (JIT) VM access is the correct solution because it specifically provides time-limited, request-based opening of inbound ports (such as RDP port 3389) to approved source IP addresses, reducing the attack surface by keeping ports closed by default. This aligns directly with the requirement to block all inbound RDP from the internet by default and allow temporary access only through a portal request.

Exam trap

The trap here is that candidates may confuse network-level controls (NSGs) with a managed security service that automates temporary access, leading them to choose Option D without realizing NSGs lack the time-limited, request-based workflow that JIT provides.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) focused on controlling and monitoring user access to SaaS applications, not on managing inbound network ports to Azure VMs. Option C (Microsoft Defender for Endpoint) is wrong because it is an endpoint detection and response (EDR) solution for securing devices against malware and threats, not a network-level port management tool. Option D (Azure Network Security Groups with application security groups) is wrong because while NSGs can block or allow traffic, they do not provide time-limited, request-based just-in-time access; they require manual rule changes and do not integrate with a portal-based approval workflow.
