Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 1276–1350

1411 questions total · 19 pages · All types, answers revealed

Page 18 of 19
1276
MCQ · medium

A company uses Microsoft Entra ID and wants to enforce multifactor authentication (MFA) for all users accessing a sensitive customer relationship management (CRM) application, but only when the access request originates from outside the corporate network. Which component of a Conditional Access policy should the administrator configure to specify this location-based requirement?

A. Assignments
B. Conditions
C. Grant controls
D. Session controls
Answer: B

Conditions include sign-in risk, device platforms, locations, client apps, and other context. The location condition is used to target access based on network location.

Why this answer

The 'Conditions' section of a Conditional Access policy allows administrators to define the circumstances under which the policy is applied, including the location from which an access request originates. By configuring a location condition, you can specify that MFA is enforced only when users access the CRM application from outside the corporate network, using named locations or IP ranges. This is the correct component to enforce the location-based requirement.

Exam trap

The trap here is that candidates often confuse 'Assignments' (who/what) with 'Conditions' (when/where), mistakenly selecting Assignments because they think location is part of the user or app assignment, whereas Conditions specifically handle environmental factors like location, device state, and risk.

How to eliminate wrong answers

Option A is wrong because 'Assignments' define which users, groups, or applications the policy applies to, not the conditions under which it is triggered. Option C is wrong because 'Grant controls' specify what actions to take (e.g., require MFA, require compliant device) after the policy conditions are met, not the location condition itself. Option D is wrong because 'Session controls' manage session-level behaviors like app-enforced restrictions or sign-in frequency, not the location-based trigger for MFA enforcement.

1277
MCQ · easy

A compliance administrator creates the above custom sensitive information type for detecting social security numbers (SSNs). What is required for a document to be classified as containing an SSN?

A. The document must contain either the SSN regex or a keyword
B. The document must contain the SSN regex with high confidence level
C. The document must contain a pattern matching the SSN regex and at least two keywords
D. The document must contain a pattern matching the SSN regex and at least one keyword
Answer: D

The rule has IdMatch for regex and Any with minMatches=1 for keyword.

Why this answer

Option D is correct because the rule requires both a regex match (IdMatch) and at least one supporting keyword (Any with minMatches=1). Option A is wrong because the rule requires both elements, not either one on its own. Option B is wrong because the confidence level is only metadata attached to the pattern; it does not change what must be present in the document. Option C is wrong because minMatches=1 means a single keyword is enough, not two.

1278
MCQ · hard

A multinational corporation wants to implement a Zero Trust security model. They plan to verify every access request explicitly, use least privilege access, and assume breach. Which Microsoft security solution should they use to enforce conditional access policies based on user, device, location, and risk?

A. Microsoft Sentinel
B. Microsoft Intune
C. Microsoft Entra Conditional Access
D. Microsoft Defender for Cloud Apps
Answer: C

It is the core service for implementing conditional access policies in a Zero Trust model.

Why this answer

Microsoft Entra Conditional Access is the service that enforces access policies based on signals like user, device, location, and risk. Option A is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security analytics, not access control. Option B is wrong because Microsoft Intune manages devices but does not enforce access policies on its own. Option D is wrong because Microsoft Defender for Cloud Apps provides cloud app security but is not the primary conditional access engine.

1279
MCQ · easy

You are a security administrator for a company that uses Microsoft 365. The compliance team needs to automatically classify and protect sensitive data such as credit card numbers in emails and documents. Which Microsoft Purview solution should you recommend?

A. Microsoft Purview Information Protection
B. Microsoft Purview Records Management
C. Microsoft Purview Insider Risk Management
D. Microsoft Purview Data Loss Prevention
Answer: D

DLP policies detect and protect sensitive data such as credit card numbers in emails and documents.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention (DLP) policies automatically detect and protect sensitive data like credit card numbers. Option A is wrong because Information Protection focuses on classification and labeling, whereas DLP enforces protective actions. Option B is wrong because Records Management manages retention and disposition, not real-time protection. Option C is wrong because Insider Risk Management detects risky user activities, not data classification.

1280
MCQ · easy

Your company wants to use Microsoft Security Copilot to help analysts investigate security incidents. Which data source can Security Copilot ingest to provide contextual insights?

A. Alerts from Microsoft Defender XDR
B. Custom IoT device logs
C. Third-party threat intelligence feeds
D. On-premises firewall syslog
Answer: A

Security Copilot integrates with Microsoft 365 Defender (now Microsoft Defender XDR).

Why this answer

Option A is correct because Microsoft Security Copilot can ingest alerts from Microsoft Defender XDR. Option B is wrong because custom logs from IoT devices require a SIEM. Option C is wrong because third-party threat feeds are not a primary ingestion source for Security Copilot. Option D is wrong because Security Copilot does not directly ingest on-premises syslog.

1281
MCQ · easy

A company uses Microsoft Entra ID. Employees often forget their passwords and contact the IT helpdesk to reset them. The company wants to reduce helpdesk costs by allowing users to reset their own passwords using a verified mobile phone number or email address. Which Microsoft Entra ID feature should the administrator enable?

A. Microsoft Entra ID Identity Protection
B. Self-Service Password Reset (SSPR)
C. Privileged Identity Management (PIM)
D. Conditional Access
Answer: B

SSPR enables users to reset their passwords using configured authentication methods like phone or email.

Why this answer

Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without helpdesk intervention, using a verified mobile phone number or email address as authentication methods. This directly reduces helpdesk costs by shifting password reset responsibility to the user, while maintaining security through verification of registered contact methods.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with self-service password reset, because both involve 'management' of identities, but PIM is strictly for privileged role activation, not end-user password changes.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a risk-based security tool that detects potential identity vulnerabilities and provides automated remediation, but it does not offer self-service password reset capabilities. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password resets. Option D is wrong because Conditional Access enforces access policies based on signals like user location or device state, but it does not enable users to reset their own passwords.

1282
MCQ · hard

Your organization uses Microsoft Purview for data governance. You need to ensure that when a user marks an email as 'Confidential' using a sensitivity label, the email is automatically encrypted and cannot be forwarded. What configuration is required?

A. Configure the sensitivity label with encryption and a rights management template that prohibits forwarding
B. Create a DLP policy that detects the 'Confidential' label and applies encryption
C. Use the Azure Information Protection unified labeling scanner
D. Apply a retention label that triggers encryption
Answer: A

Sensitivity labels support encryption and usage rights such as 'Do Not Forward'.

Why this answer

Option A is correct because sensitivity labels can be configured with encryption and rights management options such as preventing forwarding. Option B is wrong because DLP policies can apply encryption but are not triggered by manual labeling alone. Option C is wrong because the Azure Information Protection scanner applies labels to on-premises files, not emails. Option D is wrong because a retention label does not enforce encryption.

1283
MCQ · hard

A company's security team needs to detect and investigate potential data theft by employees who have legitimate access to sensitive data. They want a solution that uses heuristics and behavioral analytics to identify risky user actions such as data exfiltration to personal cloud storage. Which Microsoft Purview solution should they use?

A. Microsoft Purview Data Loss Prevention (DLP)
B. Microsoft Purview Insider Risk Management
C. Microsoft Purview Audit (Standard)
D. Microsoft Purview Information Barriers
Answer: B

Correct. Insider Risk Management uses built-in risk indicators and machine learning to identify activities that may pose insider risks, enabling investigation and response to incidents like data theft.

Why this answer

Microsoft Purview Insider Risk Management is the correct solution because it is specifically designed to detect, investigate, and act on risky user activities that may lead to data theft, using heuristics and behavioral analytics. It correlates signals from Microsoft 365 and Azure services to identify patterns like data exfiltration to personal cloud storage, which aligns directly with the scenario's requirements.

Exam trap

The trap here is that candidates often confuse the reactive, policy-based enforcement of Data Loss Prevention (DLP) with the proactive, behavioral detection of Insider Risk Management, assuming DLP can detect risky user actions when it actually only blocks or alerts on content matching static rules.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Loss Prevention (DLP) is a policy-based solution that prevents accidental or intentional sharing of sensitive data by enforcing rules on content, but it does not use heuristics or behavioral analytics to detect risky user actions; it relies on predefined policies and content inspection. Option C is wrong because Microsoft Purview Audit (Standard) provides logging and forensic investigation of user activities, but it lacks the proactive detection and behavioral analytics needed to identify risky patterns like data exfiltration; it is a passive logging tool, not an analytical detection solution. Option D is wrong because Microsoft Purview Information Barriers are used to prevent communication and collaboration between specific groups to avoid conflicts of interest, not to detect or investigate data theft by users with legitimate access.

1284
MCQ · medium

A security team wants to discover all cloud apps being used by employees, including unsanctioned personal apps like unauthorized file-sharing services. They plan to analyze firewall logs to identify traffic patterns and assess each app's risk score. Which feature of Microsoft Defender for Cloud Apps should they enable?

A. Cloud Discovery
B. App Governance
C. Information Protection
D. Conditional Access App Control
Answer: A

Correct. Cloud Discovery uses log analysis to uncover all cloud apps in use and provides risk scores, helping to discover shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs (e.g., from firewalls or proxies) to identify all cloud apps in use, including unsanctioned personal apps like unauthorized file-sharing services. It then assesses each app's risk score based on over 80 risk factors, such as encryption standards and data residency, enabling the security team to discover and evaluate shadow IT.

Exam trap

The trap here is that candidates often confuse Cloud Discovery with Conditional Access App Control, mistakenly thinking that real-time session policies can also discover unsanctioned apps, but discovery requires log analysis, not policy enforcement.

How to eliminate wrong answers

Option B (App Governance) is wrong because it focuses on monitoring and managing OAuth-enabled apps that have been granted access to Microsoft 365 data, not on discovering unsanctioned cloud apps from firewall logs. Option C (Information Protection) is wrong because it deals with classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels and DLP), not with discovering cloud app usage or analyzing traffic patterns. Option D (Conditional Access App Control) is wrong because it enforces real-time access policies (e.g., session controls) on sanctioned apps, but it does not perform discovery or risk assessment of unsanctioned apps from firewall logs.

1285
MCQ · medium

A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?

A. Authorization
B. Auditing
C. Authentication
D. Accounting
Answer: C

Authentication is the process of verifying the identity of a user or system, and using two factors (password + OTP) is a strong form of authentication.

Why this answer

Option C is correct because the requirement for a one-time passcode (OTP) from an authenticator app in addition to a password is a classic implementation of multi-factor authentication (MFA). Authentication is the process of verifying the identity of a user, device, or service, and this scenario uses two distinct factors: something you know (password) and something you have (the OTP generated by the app). This directly aligns with the security concept of authentication, not authorization, auditing, or accounting.

Exam trap

The trap here is that candidates often confuse authentication (proving identity) with authorization (granting permissions), especially when the question describes a 'gate' like VPN access, leading them to incorrectly select authorization.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., access a specific resource), not how they prove their identity. Option B is wrong because auditing refers to the logging and review of events for compliance or forensic purposes, not the act of verifying credentials. Option D is wrong because accounting (often part of AAA) tracks resource usage and consumption, such as session time or data transferred, not the verification of identity.

1286
MCQ · medium

Your company uses Microsoft Purview Data Lifecycle Management. You need to ensure that emails in users' mailboxes are retained for 7 years for compliance, but users should be able to delete emails they no longer need before that period. Which configuration achieves this?

A. Configure a Data Loss Prevention policy
B. Place a litigation hold on the mailboxes
C. Apply a retention label with record locking
D. Apply a retention policy without a preservation lock
Answer: D

Without preservation lock, users can delete items, but the items are retained in a recoverable state.

Why this answer

Option D is correct. A retention policy with preservation lock prevents deletion, but without the lock users can delete items before the retention period ends, and the deleted items are still retained in a recoverable state. Option A is wrong because a DLP policy does not manage retention. Option B is wrong because a litigation hold prevents deletion. Option C is wrong because a retention label with record locking prevents deletion.

1287
MCQ · easy

A company wants to enforce conditional access policies that require multifactor authentication (MFA) for all users accessing financial apps from outside the corporate network. Which Microsoft Entra ID license is minimally required to create conditional access policies?

A. Microsoft 365 Business Basic
B. Microsoft Entra ID P2
C. Microsoft Entra ID Free
D. Microsoft Entra ID P1
Answer: D

P1 includes Conditional Access and is the minimum required.

Why this answer

Microsoft Entra ID P1 includes Conditional Access. Option A is wrong because Microsoft 365 Business Basic includes Entra ID P1, but the question asks for the minimal license, which is Entra ID P1 standalone. Option B is wrong because P2 adds Identity Protection, but Conditional Access is already included in P1. Option C is wrong because Entra ID Free does not include Conditional Access.

1288
MCQ · medium

A company uses Microsoft Defender for Cloud Apps to protect its SaaS apps. The security team needs to detect when a user downloads more than 100 files from SharePoint Online within 10 minutes. Which policy type should they create?

A. Anomaly detection policy
B. Activity policy
C. Threat detection policy
D. Compliance policy
Answer: A

Anomaly detection policy uses machine learning to detect unusual user behavior like mass downloads.

Why this answer

Anomaly detection policies in Defender for Cloud Apps use behavioral analytics to detect unusual patterns such as mass file downloads. Option B is wrong because an activity policy targets specific activities, and anomaly detection is the better fit for this scenario. Option C is wrong because 'threat detection policy' is a generic term, not a Defender for Cloud Apps policy type. Option D is wrong because a compliance policy addresses compliance requirements, not unusual user behavior.

1289
MCQ · hard

Refer to the exhibit. A Microsoft Purview retention policy is configured as shown. What will happen to emails after 365 days?

A. Emails will be deleted immediately
B. Emails will be retained for 365 days and then deleted
C. Emails will be retained and then reviewed for deletion
D. Emails will be kept indefinitely
Answer: B

KeepAndDelete retains for 365 days then deletes.

Why this answer

Option B is correct because the policy has 'KeepAndDelete' as the retention action, meaning items will be retained for 365 days and then deleted. Option A is wrong because deletion happens after 365 days, not immediately. Option C is wrong because the policy does not specify a review. Option D is wrong because the retention action is not just keep; it includes deletion.

1290
MCQ · medium

A company uses Microsoft Entra ID to manage identities. They want to enforce access policies based on user location, device compliance, and application sensitivity. Which Microsoft Entra ID capability should they use?

A. Microsoft Entra ID Protection
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Microsoft Entra Connect Sync
Answer: B

Conditional Access allows administrators to create policies that evaluate conditions such as user group, location, device state, and application sensitivity to grant or deny access, enforce MFA, or block access.

Why this answer

Conditional Access is the correct capability because it allows administrators to create policies that enforce access controls based on conditions such as user location, device compliance, and application sensitivity. These policies evaluate signals at sign-in time and can require multi-factor authentication, block access, or grant limited access based on the defined conditions.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which deals with risk detection) with Conditional Access (which enforces policies based on conditions like location and device compliance), but ID Protection does not directly enforce location- or device-based access rules.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, anonymous IP addresses) and does not directly enforce policies based on device compliance or application sensitivity. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation workflows, not location- or device-based access policies. Option D is wrong because Microsoft Entra Connect Sync is a tool for synchronizing on-premises directory objects to Entra ID and has no role in enforcing access policies.

1291
MCQ · easy

Refer to the exhibit. You have a Data Loss Prevention (DLP) policy in Microsoft Purview. What will happen when a user tries to share a document containing a credit card number via email?

A. The email is blocked only if the recipient is external
B. The email is sent with a warning to the recipient
C. The email is sent but the user is not notified
D. The email is blocked and the user receives a notification
Answer: D

The action blocks access and sends a notification email.

Why this answer

Option D is correct because the rule blocks access and notifies the user. Option A is incorrect because the rule applies to all recipients, not only external ones. Option B is incorrect because the email is blocked, not sent with a warning. Option C is incorrect because the user is notified.

1292
MCQ · hard

You are analyzing a PIM activation request. The roleDefinitionId corresponds to the Global Administrator role. What is the duration of the activation?

A. 4 hours
B. 8 hours
C. 8 minutes
D. 8 days
Answer: B

PT8H is ISO 8601 for 8 hours.

Why this answer

By default, the maximum activation duration for a Global Administrator role in Privileged Identity Management (PIM) is 8 hours. This is the longest allowed activation period for highly privileged roles like Global Administrator, ensuring elevated access is time-limited to reduce security risk.

Exam trap

The trap here is that candidates confuse the default activation duration for Global Administrator (8 hours) with the 4-hour default for other roles or the 8-minute activation window for temporary access passes, leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because 4 hours is not the default maximum activation duration for Global Administrator; it is a possible custom duration but not the default. Option C is wrong because 8 minutes is far too short for a Global Administrator activation; PIM allows durations in hours, not minutes, for such roles. Option D is wrong because 8 days would violate the principle of just-in-time access; PIM enforces a maximum of 8 hours for Global Administrator to prevent persistent elevation.

1293
MCQ · hard

A multinational company uses a hybrid infrastructure with on-premises Active Directory and Azure resources. They have deployed Microsoft Defender for Cloud to protect their Azure workloads. They now want to extend threat detection to their on-premises Active Directory by collecting security events from domain controllers to detect attacks like Golden Ticket, DCSync, and malicious Kerberos activity. The solution should integrate with Microsoft Sentinel for automated response. Which security solution should they deploy on the on-premises domain controllers?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Sentinel
Answer: C

Defender for Identity is purpose-built for on-prem AD threat detection, capturing domain controller events to detect Kerberos attacks and privilege escalation.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to monitor on-premises Active Directory signals, including security events from domain controllers, to detect advanced identity-based attacks such as Golden Ticket, DCSync, and malicious Kerberos activity. MDI integrates natively with Microsoft Sentinel to enable automated response workflows, fulfilling the requirement for extending threat detection to on-premises AD.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with Microsoft Defender for Identity (an AD-focused identity threat detection tool), because both names include 'Defender' and both can integrate with Sentinel, but only MDI monitors on-premises Active Directory authentication events.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud workload protection platform (CWPP) focused on securing Azure, hybrid, and multi-cloud resources, not on-premises Active Directory domain controllers. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices like servers and workstations, not for monitoring Active Directory authentication protocols or Kerberos attacks. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs and triggers responses, but it does not deploy agents on domain controllers to collect security events; it relies on data connectors from other sources like MDI.

1294
Multi-Select · easy

Which TWO of the following are types of retention actions available in Microsoft Purview? (Choose two.)

Select 2 answers
A. Retain data for a specified period
B. Encrypt data at rest
C. Classify data as confidential
D. Delete data after a specified period
E. Search for data using eDiscovery
Answers: A, D

Retaining data is a core retention action.

Why this answer

Option A is correct because a retention policy can retain data for a specific period. Option D is correct because a retention policy can delete data after a specific period. Option B is wrong because encryption is not a retention action.

Option C is wrong because classification is done by sensitivity labels. Option E is wrong because eDiscovery is a search tool.

1295
MCQ · medium

A financial organization implements a security control that logs every access attempt to sensitive financial records, including who accessed the data, when it was accessed, and from which device. The logs are regularly reviewed by the security team. This control primarily addresses which security concept?

A. Confidentiality
B. Integrity
C. Availability
D. Accountability
Answer: D

Accountability means that actions can be traced back to a specific user. Logging access and reviewing logs provides an audit trail to hold users responsible for their actions.

Why this answer

Accountability ensures that actions affecting sensitive data can be traced uniquely to an individual. By logging who accessed the data, when, and from which device, the organization creates an audit trail that holds users responsible for their actions. This directly supports non-repudiation and forensic analysis, which are the core goals of accountability.

Exam trap

The trap here is that candidates confuse logging with confidentiality, thinking that tracking access prevents unauthorized viewing, when in fact logging only records the event and does not block the access itself.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on logging who accessed it. Option B is wrong because integrity ensures data has not been altered or tampered with (e.g., via hashing or checksums), whereas logging does not protect against modification. Option C is wrong because availability ensures systems and data are accessible when needed (e.g., through redundancy or failover), and logging does not directly contribute to uptime or resilience.

1296
MCQ · medium

A company is involved in a legal dispute and must preserve all emails and documents related to the case. The legal team needs to identify specific custodians (employees) and place a hold on their Exchange Online mailboxes and SharePoint sites to prevent any deletion or alteration of relevant content. Additionally, they need to collect the preserved data for review and analysis. Which Microsoft Purview solution should they use?

A. Microsoft Purview eDiscovery (Premium)
B. Microsoft Purview Audit
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview Communication Compliance
Answer: A

eDiscovery (Premium) provides end-to-end workflow for identifying, preserving, collecting, and reviewing data relevant to legal cases, including placing holds on custodians' data.

Why this answer

Microsoft Purview eDiscovery (Premium) is the correct solution because it provides end-to-end workflow for legal investigations: identifying and placing custodians on hold (via litigation hold on Exchange Online mailboxes and SharePoint sites), preserving content from deletion or alteration, and then collecting, reviewing, and analyzing the preserved data. This directly matches the scenario's requirements for legal hold and data collection for review.

Exam trap

The trap here is confusing the logging/auditing capability (Audit) with the preservation and collection workflow (eDiscovery), or assuming that retention policies (Data Lifecycle Management) can serve as a legal hold, when in fact they are designed for lifecycle management and do not support custodian-based holds or case-specific collection.

How to eliminate wrong answers

Option B (Microsoft Purview Audit) is wrong because it only logs and records user and admin activities (e.g., who accessed or deleted content) but does not place holds on data or allow collection for review. Option C (Microsoft Purview Data Lifecycle Management) is wrong because it focuses on retention and deletion policies based on data lifecycle (e.g., automatically deleting old emails), not on preserving data for a specific legal case or identifying custodians. Option D (Microsoft Purview Communication Compliance) is wrong because it is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) by analyzing messages, not for legal hold or eDiscovery collection.

1297
MCQ · easy

A company wants to grant temporary, time-limited access to a critical Azure resource for an external consultant. Which Microsoft Entra feature should they use?

A. Entra Verified ID
B. Privileged Identity Management (PIM)
C. Identity Protection
D. Conditional Access
Answer: B

PIM provides just-in-time privileged access with expiration.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources, allowing administrators to grant time-bound, temporary access that automatically expires. This aligns directly with the requirement for temporary, time-limited access for an external consultant, as PIM supports activation windows, approval workflows, and audit logging for such scenarios.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, thinking that Conditional Access can enforce time-limited access, but Conditional Access only controls sign-in conditions, not the duration of privileged role assignments.

How to eliminate wrong answers

Option A is wrong because Entra Verified ID is a decentralized identity verification solution using verifiable credentials (based on W3C standards) and does not provide time-limited access management to Azure resources. Option C is wrong because Identity Protection is a risk-detection and remediation service that identifies compromised identities or risky sign-ins, not a tool for granting or managing temporary access. Option D is wrong because Conditional Access enforces policies based on conditions like location or device state at sign-in time, but it does not grant or schedule time-limited privileged access to specific resources.

1298
MCQ · easy

A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data has not been altered. Verifying that the message content remains unchanged directly demonstrates integrity.

Why this answer

The verification that the message content has not been altered during transit directly demonstrates the principle of integrity. Integrity ensures that data remains unchanged from its source to its destination, typically enforced through cryptographic hashing or digital signatures. In this scenario, the user's ability to confirm that the email content was not tampered with relies on a hash or signature verification mechanism, which is the core function of integrity protection.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but non-repudiation proves the origin of the message (who sent it), whereas integrity proves the message was not altered—two distinct security goals.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., encryption), not on detecting changes to the content. Option C is wrong because availability ensures that systems and data are accessible when needed, which is unrelated to verifying content alteration. Option D is wrong because non-repudiation provides proof of the sender's identity and prevents them from denying having sent the message, but it does not directly verify that the content was not altered during transit.

1299
Multi-Selectmedium

Which TWO Microsoft Purview solutions can help protect sensitive data in Microsoft Teams?

Select 2 answers
A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Audit
C.Microsoft Purview eDiscovery
D.Microsoft Purview Data Loss Prevention
E.Microsoft Purview Communication Compliance
AnswersD, E

DLP policies can extend to Teams to prevent sharing of sensitive data.

Why this answer

DLP can protect sensitive data shared in Teams, and Communication Compliance can detect inappropriate content. eDiscovery is for searching, not protection. Insider Risk Management is for risky behavior. Audit is for logging.

1300
Multi-Selectmedium

A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)

Select 2 answers
A.Authentication
B.Authorization
C.Accounting
D.Non-repudiation
AnswersA, B

The sign-in with credentials verifies the user's identity, which is authentication.

Why this answer

Authentication is demonstrated because the user proves their identity by logging in with Microsoft Entra ID credentials, confirming they are who they claim to be. Authorization is demonstrated because after authentication, the application restricts the dashboard to show only data for regions the user is permitted to manage, enforcing access control based on assigned permissions.

Exam trap

The trap here is that candidates confuse authentication (verifying identity) with authorization (granting permissions), and may incorrectly select accounting or non-repudiation because they associate logging in with tracking or non-denial, but the scenario explicitly describes identity verification and access restriction, not logging or signature-based proof.

1301
MCQmedium

Your organization is deploying Microsoft Defender for Cloud Apps to protect against cloud app threats. You need to ensure that users are prompted for authentication when accessing a sanctioned cloud app from an unmanaged device. Which policy type should you configure?

A.Activity policy
B.Access policy
C.Anomaly detection policy
D.Session policy
AnswerD

Session policies allow real-time monitoring and control of user sessions, including prompting for authentication from unmanaged devices.

Why this answer

Option D is correct because session policies (now called app session policies in Defender for Cloud Apps) allow you to monitor and control user sessions in real time, including requiring authentication for access from unmanaged devices. Option B is wrong because access policies control access based on conditions but do not provide session-level control. Option A is wrong because activity policies trigger alerts and actions based on activities but not session-level authentication.

Option C is wrong because anomaly detection policies detect suspicious behavior but do not enforce access controls.

1302
MCQmedium

A security team needs to continuously assess the security posture of Azure resources, including virtual machines, storage accounts, and SQL databases. They also want to identify vulnerabilities in both Windows and Linux servers running in Azure and on-premises, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Purview
AnswerA

Defender for Cloud provides vulnerability scanning and security posture assessment for Azure, on-premises, and multi-cloud workloads.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides continuous assessment of Azure resources (VMs, storage accounts, SQL databases) and hybrid workloads, including vulnerability scanning for Windows and Linux servers both in Azure and on-premises. It delivers prioritized remediation recommendations based on the secure score and integrated vulnerability assessment tools like Qualys or Microsoft Defender Vulnerability Management.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM and workload protection solution) with Microsoft Defender for Endpoint (an EDR solution), but the question's focus on assessing security posture of Azure resources and hybrid servers points specifically to Defender for Cloud's CSPM capabilities.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on assessing the security posture of Azure resources like storage accounts or SQL databases, nor does it provide cloud-specific posture management. Option C (Microsoft Sentinel) is wrong because it is a SIEM/SOAR solution for security information and event management, not a tool for continuous security posture assessment or vulnerability scanning of Azure resources. Option D (Microsoft Purview) is wrong because it is a data governance and compliance solution for data classification and protection, not a security posture assessment or vulnerability management tool.

1303
MCQmedium

Your company is deploying Microsoft Defender for Cloud Apps. You need to detect and block the use of unsanctioned cloud apps that exhibit risky behavior. Which feature should you configure?

A.Azure Information Protection labels
B.Conditional Access policies
C.Cloud Discovery
D.Data Loss Prevention (DLP) policies
AnswerC

Cloud Discovery identifies unsanctioned apps and can block them through integration with network appliances.

Why this answer

Option C is correct because Cloud Discovery in Microsoft Defender for Cloud Apps identifies shadow IT and can block unsanctioned apps. Option D is wrong because DLP policies are for data protection, not app discovery. Option B is wrong because Conditional Access controls access based on signals, but does not discover or block unsanctioned apps directly.

Option A is wrong because Azure Information Protection is for data classification and protection.

1304
MCQhard

Your organization uses Microsoft Entra ID Governance. You need to ensure that access to a critical application is reviewed every 90 days by the application owner. If the review is not completed, access should be revoked automatically. Which feature should you configure?

A.Terms of use
B.Access reviews
C.Privileged Identity Management
D.Entitlement management
AnswerB

Access reviews can be configured for recurring reviews with auto-revocation if not completed.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to create recurring reviews of group memberships or application assignments, with automatic revocation of access if the review is not completed. By configuring a review every 90 days and setting the 'Auto apply' action to 'Remove access', you ensure that the application owner must certify access or it is automatically revoked.

Exam trap

The trap here is that candidates confuse Entitlement management (which handles access packages and lifecycle) with Access reviews (which specifically handle recurring attestation and automatic revocation), leading them to pick D instead of B.

How to eliminate wrong answers

Option A is wrong because Terms of use are used to present legal or policy documents that users must accept before accessing applications, not to schedule recurring access reviews with automatic revocation. Option C is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for recurring attestation of access to a critical application. Option D is wrong because Entitlement management handles access packages and automated provisioning/deprovisioning based on policies, but it does not provide the recurring review cycle with automatic revocation if the review is not completed; that is the specific function of Access reviews.

1305
MCQmedium

Refer to the exhibit. You run the Azure PowerShell command for a storage account. What is the current network access configuration?

A.The storage account is accessible only from specific virtual networks.
B.The storage account is accessible from all networks.
C.The storage account is not accessible from any network.
D.The storage account is accessible only from specific IP addresses.
AnswerC

Correct: DefaultAction Deny with no rules blocks all traffic.

Why this answer

DefaultAction is Deny, and no rules are defined. This means all network traffic is denied by default. Option C is correct.

Option B says 'all networks', which would require DefaultAction Allow. Option D says only specific IP addresses, but IpRules is empty. Option A says only specific virtual networks, but VirtualNetworkRules is empty.

1306
MCQhard

A multinational company uses Microsoft Entra ID. They want to ensure that users from a specific country only access a sensitive application from compliant devices. Additionally, they want to block access if the sign-in risk is medium or high. Which combination of policies should they create?

A.A Conditional Access session policy to enforce sign-in frequency
B.A device compliance policy in Microsoft Intune
C.A Conditional Access policy requiring MFA from that country
D.A Conditional Access policy with conditions for location, device compliance, and sign-in risk
AnswerD

Conditional Access can combine multiple conditions including location, device compliance, and risk.

Why this answer

Option D is correct because a single Conditional Access policy can combine multiple conditions—such as location (country), device compliance (via integration with Intune), and sign-in risk—to enforce granular access controls. This allows the company to require compliant devices and block access when sign-in risk is medium or high, all within one policy.

Exam trap

The trap here is that candidates think they need separate policies for each condition (location, device compliance, risk), but Microsoft Entra ID allows combining all three conditions into a single Conditional Access policy, which is more efficient and aligns with the scenario's requirements.

How to eliminate wrong answers

Option A is wrong because sign-in frequency is a session control that re-prompts for authentication after a set time, not a condition to restrict access by location, device compliance, or risk. Option B is wrong because a device compliance policy in Intune defines compliance rules (e.g., encryption, OS version) but does not enforce access decisions or block based on sign-in risk; it only marks devices as compliant or non-compliant. Option C is wrong because requiring MFA from that country does not address device compliance or sign-in risk; it only adds an authentication step, not a block for medium/high risk or non-compliant devices.

1307
MCQeasy

A small business wants to enable single sign-on (SSO) for its employees using their existing on-premises Active Directory. They plan to migrate to cloud-based identity management. Which Microsoft service should they use to connect their on-premises directory to Microsoft Entra ID?

A.Microsoft Entra Connect
B.Microsoft Intune
C.Active Directory Federation Services (AD FS)
D.Microsoft Entra Cloud Sync
AnswerA

Entra Connect syncs identities and enables SSO with options like password hash sync and pass-through authentication.

Why this answer

Microsoft Entra Connect synchronizes on-premises Active Directory with Microsoft Entra ID, enabling SSO. Option D is wrong because Microsoft Entra Cloud Sync is a newer, simpler tool but not the primary one for full SSO. Option C is wrong because Active Directory Federation Services (AD FS) provides federation, not synchronization.

Option B is wrong because Microsoft Intune manages devices, not identity synchronization.

1308
MCQhard

Refer to the exhibit. You are creating a custom analytics rule in Microsoft Sentinel. What does this rule detect?

A.Sign-ins with high sign-in risk from any location
B.Sign-ins with medium or high risk from the US
C.Sign-ins from users with high user risk outside the US
D.Sign-ins with medium or high risk from outside the US
AnswerD

Matches the query logic.

Why this answer

The rule is configured with 'Risk level: Medium, High' and 'Location: Outside US'. This means it triggers only when both conditions are met: the sign-in risk is medium or high, and the location is outside the US. Option D correctly matches this combination, detecting sign-ins with medium or high risk from outside the US.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk' — the rule explicitly uses sign-in risk, and candidates often misread the risk type or overlook the location filter, leading them to choose options that mix up these conditions.

How to eliminate wrong answers

Option A is wrong because the rule includes a location filter ('Outside US'), so it does not detect sign-ins from any location. Option B is wrong because the rule specifies 'Outside US' as the location, not 'from the US'. Option C is wrong because the rule uses 'Sign-in risk' (not 'User risk') as the risk type; its location filter does match 'outside the US', but the risk type does not.

1309
MCQmedium

A company wants to gain visibility into which cloud applications are being used by employees (shadow IT) and assess the risk level of each app. They use Microsoft Defender for Cloud Apps. Which feature should they enable to discover and analyze these apps?

A.App Governance
B.Cloud Discovery
C.Conditional Access App Control
D.OAuth app policies
AnswerB

Cloud Discovery analyzes traffic logs to identify and assess the risk of cloud applications in use, helping to manage shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs against the Microsoft Defender for Cloud Apps catalog of over 31,000 cloud apps to identify shadow IT usage. It provides risk scores based on factors like security certifications, data encryption, and compliance standards, enabling the company to assess each app's risk level.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which finds unknown apps via traffic analysis) with Conditional Access App Control (which controls access to known apps), leading them to pick Option C for a discovery question.

How to eliminate wrong answers

Option A is wrong because App Governance is a policy and monitoring feature for managing OAuth-enabled apps (e.g., permissions and consent), not for discovering unknown cloud apps via traffic analysis. Option C is wrong because Conditional Access App Control is a reverse-proxy feature that enforces session policies on known apps in real time, not a discovery mechanism for shadow IT. Option D is wrong because OAuth app policies are used to control permissions for third-party OAuth apps connected to Microsoft 365, not to discover or analyze cloud applications in use.

1310
Multi-Selecteasy

Which TWO of the following are features of Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Identity governance and administration
B.Security information and event management (SIEM)
C.Security orchestration, automation, and response (SOAR)
D.Endpoint detection and response (EDR)
E.Data classification and labeling
AnswersB, C

Sentinel provides SIEM for log collection and analysis.

Why this answer

Microsoft Sentinel provides SIEM and SOAR capabilities. Option B (SIEM) is a Sentinel capability; Option C (SOAR) is a Sentinel capability; Option A is a Microsoft Entra feature; Option D is a Microsoft Defender feature; Option E is a Microsoft Purview feature.

1311
Multi-Selectmedium

Which THREE of the following are features of Microsoft Entra ID Protection?

Select 3 answers
A.Automatically notify users when their password is about to expire.
B.Ability to define risk-based Conditional Access policies.
C.Automated remediation of risky users by blocking sign-in.
D.Just-in-time privileged role activation.
E.Detection of sign-in risks from anonymous IP addresses.
AnswersB, C, E

Risk-based policies are a key feature.

Why this answer

Option B is correct because Microsoft Entra ID Protection provides risk detection signals that can be integrated into Conditional Access policies, enabling administrators to automatically enforce controls such as requiring multi-factor authentication or blocking access based on user or sign-in risk levels. This allows organizations to respond dynamically to detected threats without manual intervention.

Exam trap

The trap here is that candidates confuse the distinct Microsoft Entra services—Entra ID Protection (risk detection and remediation), Privileged Identity Management (PIM) for just-in-time access, and general password policy settings—leading them to select options that belong to other services.

1312
Multi-Selecteasy

Which TWO of the following are included in Microsoft Entra ID Protection?

Select 2 answers
A.Data loss prevention (DLP)
B.Privileged Identity Management (PIM)
C.Risk-based Conditional Access policies
D.Sign-in risk detections (e.g., anonymous IP address)
E.Passwordless authentication support
AnswersC, D

ID Protection integrates with Conditional Access to respond to risk.

Why this answer

Entra ID Protection includes risk-based Conditional Access and risk detections like sign-in risk. Privileged Identity Management (B) is a separate but related feature, and is included in Entra ID P2. Passwordless authentication (E) is a feature of Entra ID, not specifically ID Protection.

DLP (A) is Purview.

1313
MCQeasy

A company uses Microsoft 365 and Microsoft Azure. The security team wants a single portal that provides a unified view of alerts and incidents from their endpoints, email, and cloud applications to accelerate threat investigation and response. Which Microsoft security solution should they use?

A.Microsoft 365 Defender portal
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Purview Compliance Manager
AnswerA

This portal unifies alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single incident queue, enabling coordinated investigation and response.

Why this answer

Microsoft 365 Defender portal (now part of the Microsoft 365 Defender unified security operations platform) is designed to aggregate alerts and incidents from endpoints (Microsoft Defender for Endpoint), email (Microsoft Defender for Office 365), and cloud applications (Microsoft Defender for Cloud Apps) into a single queue. This unified view enables security teams to triage and investigate threats across these domains without switching between separate consoles, directly accelerating response times.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Defender portal (a unified incident view for Microsoft 365 security products) with Microsoft Sentinel (a SIEM), not realizing that Sentinel requires additional setup and is not the out-of-the-box single portal for Microsoft's own security alerts.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud) is wrong because it focuses on securing cloud infrastructure (VMs, containers, PaaS) and provides alerts for those resources, not for endpoints, email, or cloud apps in a unified incident view. Option C (Microsoft Sentinel) is wrong because it is a cloud-native SIEM/SOAR that ingests logs from many sources, but it requires custom configuration and data connectors to unify alerts; it is not a pre-built single portal for Microsoft 365-native alerts and incidents. Option D (Microsoft Purview Compliance Manager) is wrong because it is a compliance management solution for assessing and managing regulatory compliance, not a security incident and alert aggregation tool.

1314
MCQmedium

A security operations team uses Microsoft Defender for Cloud and has connected their AWS and GCP accounts. They want to continuously assess the security posture of AWS EC2 instances against the CIS AWS Foundations Benchmark and receive prioritized recommendations. Which feature of Defender for Cloud should they use?

A.Cloud Security Posture Management (CSPM)
B.Microsoft Defender for Servers
C.Security Alerts
D.Workload protections
AnswerA

CSPM assesses resources against built-in benchmarks like CIS, provides a secure score, and offers recommendations for remediation. It works across Azure, AWS, and GCP.

Why this answer

Option A is correct because Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud is specifically designed to continuously assess the security posture of multi-cloud resources (including AWS EC2 instances) against industry benchmarks like the CIS AWS Foundations Benchmark. CSPM provides a compliance dashboard, prioritized recommendations, and automated remediation guidance, directly addressing the team's need for ongoing assessment and prioritized recommendations.

Exam trap

The trap here is that candidates often confuse CSPM with workload protections (Option D) or Microsoft Defender for Servers (Option B), mistakenly thinking that threat detection or server-specific plans automatically include compliance assessment, when in fact CSPM is the dedicated feature for multi-cloud posture management and benchmark compliance.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers is a workload protection plan that provides advanced threat detection, just-in-time VM access, and file integrity monitoring for servers, but it does not natively assess compliance against the CIS AWS Foundations Benchmark or provide continuous posture assessment for AWS EC2 instances. Option C is wrong because Security Alerts are generated from threat detection signals (e.g., suspicious activities or attacks) and are not designed to continuously assess security posture against a compliance benchmark like CIS AWS Foundations. Option D is wrong because Workload protections refer to the suite of threat detection and prevention capabilities (e.g., for servers, databases, containers) within Defender for Cloud, but they do not include the compliance assessment and posture scoring features that CSPM provides.

1315
Multi-Selecthard

Which THREE of the following are features of Microsoft Purview Compliance Manager?

Select 3 answers
A.Data Loss Prevention policies
B.Improvement actions with assigned owners
C.Audit log search
D.Compliance score
E.Pre-built assessments for regulations like GDPR
AnswersB, D, E

Actions can be assigned to users for tracking.

Why this answer

Option D is correct because Compliance Manager provides a compliance score. Option E is correct because it includes pre-built assessments for regulatory standards such as GDPR. Option B is correct because it tracks improvement actions with assigned owners.

Option C is wrong because audit log search belongs to the separate Audit solution. Option A is wrong because DLP is a separate solution.

1316
MCQhard

A security team is investigating a data exfiltration incident. They need to see detailed events such as when a user accessed a file, the exact action (read, write, delete), and the file name. They also need to perform custom searches across all users. Which Microsoft Purview audit solution should they use to meet these requirements?

A.Audit (Standard)
B.Audit (Premium)
C.eDiscovery (Standard)
D.Communication Compliance
AnswerB

Audit (Premium) logs detailed events including the specific action (e.g., FileAccessed, FileModified), object identifiers, and supports advanced queries, meeting the requirements.

Why this answer

Audit (Premium) is the correct choice because it provides detailed audit logs that include specific actions (read, write, delete), file names, and user access events, and it supports custom searches across all users via the Microsoft Purview compliance portal or Search-UnifiedAuditLog cmdlet. Audit (Standard) only captures basic metadata like who accessed a resource and when, but not the granular action or file name details required for data exfiltration investigation.

Exam trap

The trap here is that candidates often confuse Audit (Standard) with Audit (Premium), assuming both provide the same level of detail, but Microsoft explicitly reserves granular action-level logging (e.g., read/write/delete) and custom search capabilities for the Premium tier.

How to eliminate wrong answers

Option A is wrong because Audit (Standard) logs only basic events (e.g., user, timestamp, resource) without the granular action type (read/write/delete) or file name, making it insufficient for detailed exfiltration analysis. Option C is wrong because eDiscovery (Standard) is designed for legal hold, search, and export of content for litigation, not for real-time or historical audit log investigation of user actions on files. Option D is wrong because Communication Compliance focuses on monitoring and detecting policy violations in communications (e.g., email, Teams messages), not on file access events or audit logs.

1317
MCQeasy

Your company uses Microsoft Defender for Cloud Apps. You want to discover which cloud apps are being used in your organization and assess their risk levels. What should you use?

A.Cloud App Security Catalog
B.Cloud Discovery
C.Microsoft Purview Data Map
D.Microsoft Intune app inventory
AnswerB

Cloud Discovery analyzes traffic logs to discover apps and assess risk.

Why this answer

Microsoft Defender for Cloud Apps provides Cloud Discovery to analyze traffic logs and identify shadow IT. Option B is correct. Option A is wrong because Defender for Cloud Apps does not have a 'Cloud App Security Catalog' feature.

Option D is wrong because Microsoft Intune manages devices, not app discovery. Option C is wrong because Microsoft Purview is for data governance, not app discovery.

1318
MCQeasy

A compliance officer needs to search for emails containing trade secrets across all mailboxes in the organization. Which Microsoft Purview solution should they use?

A.eDiscovery (Premium)
B.Communication Compliance
C.Data Loss Prevention
D.Audit (Standard)
AnswerA

eDiscovery (Premium) provides search and export across mailboxes and sites.

Why this answer

Option A is correct because eDiscovery (Premium) allows searching across mailboxes and sites for content. Option D is wrong because Audit is for activity logs, not content search. Option C is wrong because DLP is for preventing data loss, not searching.

Option B is wrong because Communication Compliance is for monitoring communications for policy violations.

1319
MCQhard

You are investigating an alert in Microsoft Sentinel. The exhibit shows the JSON output of an alert that was generated from a sign-in log. The alert is linked to an active incident. Which action should you take to prioritize the incident for investigation?

A.Change the incident severity to critical
B.Close the incident as a false positive
C.Delete the alert from the incident
D.Reassign the incident to another analyst
AnswerA

Increasing severity prioritizes the incident for investigation.

Why this answer

Option A is correct because increasing the incident severity to critical will ensure it is prioritized. Option B is wrong because closing the incident would stop investigation. Option D is wrong because changing assignment does not change priority.

Option C is wrong because deleting the alert does not resolve the incident.

1320
MCQeasy

Your company uses Microsoft Defender for Cloud to secure Azure resources. You need to assess compliance with the CIS benchmark. What should you enable?

A.Azure Policy
B.Regulatory compliance standards in Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Azure Firewall
AnswerB

Defender for Cloud can assess against CIS.

Why this answer

Option B is correct because regulatory compliance standards in Defender for Cloud include CIS benchmarks. Option D is wrong because Azure Firewall is a network security service, not compliance assessment. Option C is wrong because Microsoft Sentinel is a SIEM.

Option A is wrong because Azure Policy is used for compliance, but within Defender for Cloud you enable regulatory compliance standards.

1321
MCQeasy

A user logs into a company's application using their username and password. After logging in, the application checks whether the user belongs to the 'Admin' role before granting access to the user management page. Which security concept is primarily illustrated by the role check?

A.Authentication
B.Authorization
C.Accounting
D.Non-repudiation
AnswerB

Authorization is the process of granting or denying access to resources based on the authenticated user's permissions. The role check determines if the user is authorized to access the user management page, making this the correct answer.

Why this answer

The role check after login determines what actions the authenticated user is allowed to perform, specifically whether they can access the user management page. This is the essence of authorization, which controls access to resources based on identity and assigned permissions. In Microsoft identity and access management, authorization is enforced via role-based access control (RBAC), where the application verifies the user's role claim (e.g., 'Admin') in the access token.

Exam trap

Microsoft often tests the distinction between authentication and authorization by presenting a scenario where a user is already logged in and then a permission check occurs, leading candidates to mistakenly select 'authentication' because they focus on the login step rather than the subsequent access control decision.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., validating username and password), which has already occurred before the role check. Option C is wrong because accounting (or auditing) tracks user activities and resource usage for compliance or billing, not the enforcement of access rights. Option D is wrong because non-repudiation ensures that a user cannot deny an action they performed, typically achieved through digital signatures or audit logs, not by checking role membership.

1322
MCQmedium

Your company uses Microsoft Intune for device management. You need to ensure that all company data on a user's personally owned device is removed when the user is offboarded, but the user's personal data should remain. Which wipe action should you use?

A.Delete
B.Selective wipe
C.Full wipe
D.Retire
AnswerB

Selective wipe removes only company data from managed apps.

Why this answer

Option B is correct because selective wipe in Intune removes only company data from managed apps, leaving personal data intact. Option C is wrong because a full wipe resets the entire device. Option D is wrong because retire removes the device from management but does not automatically wipe data.

Option D is wrong because delete removes the device record without wiping.

1323
Multi-Select · easy

A company uses Microsoft Defender for Cloud to secure its environment. Which TWO plans are available?

Select 2 answers
A. Cloud Security Posture Management (CSPM)
B. Defender for Servers
C. Microsoft Intune
D. Microsoft Sentinel
E. Microsoft Defender for Identity
Answers: A, B

Correct: Foundational plan.

Why this answer

Cloud Security Posture Management (CSPM) is a foundational plan in Microsoft Defender for Cloud that continuously assesses your Azure, hybrid, and multi-cloud resources against security benchmarks (e.g., CIS, NIST, Azure Security Benchmark) to identify misconfigurations and compliance gaps. It is available as a free, basic plan that provides secure score and recommendations, making it a core offering of Defender for Cloud.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel and Microsoft Defender for Identity as being 'plans' within Defender for Cloud because they are part of the broader Microsoft security ecosystem and integrate with Defender for Cloud, but they are separate services with their own licensing and management interfaces.

1324
MCQ · medium

A company wants to detect and respond to advanced attacks targeting their on-premises Active Directory infrastructure, such as Kerberos Golden Ticket attacks, pass-the-hash, and brute-force attempts. The solution should integrate with Microsoft Sentinel and Microsoft 365 Defender for cross-domain investigations. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Identity
C. Microsoft Defender for Office 365
D. Microsoft Defender for Cloud Apps
Answer: B

This is the correct solution, as it is purpose-built to monitor on-premises Active Directory for advanced threats and integrates with Microsoft 365 Defender and Sentinel.

Why this answer

Microsoft Defender for Identity (MDI) is specifically designed to protect on-premises Active Directory by monitoring for advanced attacks like Kerberos Golden Ticket, pass-the-hash, and brute-force attempts. It integrates natively with Microsoft Sentinel and Microsoft 365 Defender to enable cross-domain investigations, correlating identity signals with endpoint and cloud data.

Exam trap

The trap here is that candidates often confuse Defender for Identity with Defender for Endpoint, assuming endpoint protection covers identity attacks, but MDI is the only solution that directly monitors Active Directory authentication protocols and domain controller traffic for advanced on-premises identity threats.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) and does not natively monitor Active Directory authentication protocols like Kerberos or NTLM for identity-based attacks. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) and has no visibility into on-premises Active Directory or Kerberos ticket attacks. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that monitors cloud application usage and shadow IT, not on-premises Active Directory authentication events.

1325
Multi-Select · hard

Which TWO Microsoft Entra ID capabilities help detect and remediate identity risks? (Select two.)

Select 2 answers
A. Identity Protection
B. Identity Governance
C. Password protection
D. Privileged Identity Management
E. Conditional Access
Answers: A, E

Identity Protection detects risk detections.

Why this answer

Identity Protection detects risks, and Conditional Access policies can enforce remediation. Privileged Identity Management (Option D) manages privileges. Password protection (Option C) prevents weak passwords. Identity Governance (Option B) manages the access lifecycle.

1326
Multi-Select · easy

Which TWO Microsoft Purview solutions can be used to identify and protect sensitive data in Microsoft 365?

Select 2 answers
A. Data Loss Prevention (DLP)
B. Communication compliance
C. Insider risk management
D. Sensitivity labels
E. eDiscovery
Answers: A, D

Detect and prevent sharing of sensitive data.

Why this answer

Sensitivity labels classify and protect data. Data Loss Prevention (DLP) policies detect and prevent sharing of sensitive data. Insider risk management and eDiscovery are not primarily for data protection; communication compliance monitors communications.

1327
MCQ · medium

Your company uses Microsoft Entra ID. You need to enable users to sign in to third-party SaaS applications using their corporate credentials without storing passwords in those apps. Which Microsoft Entra feature should you configure?

A. Configure single sign-on (SSO) using federation
B. Deploy Microsoft Entra Self-Service Password Reset
C. Configure conditional access policies with MFA
D. Enable Microsoft Entra Identity Protection
Answer: A

SSO with federation allows users to sign in once and access apps without password storage.

Why this answer

Option A is correct because configuring single sign-on (SSO) using federation allows users to authenticate against Microsoft Entra ID (their corporate identity provider) and then pass a security token to third-party SaaS applications. This eliminates the need for the SaaS app to store or manage user passwords, as authentication happens via standards like SAML 2.0 or WS-Federation, and the app trusts the token issued by Entra ID.

Exam trap

The trap here is that candidates often confuse Conditional Access or Identity Protection with the core mechanism for passwordless federation, not realizing that SSO via federation is the specific feature that removes password storage in the third-party app.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Self-Service Password Reset (SSPR) enables users to reset their own passwords, but it does not provide a mechanism to sign in to third-party SaaS apps without storing passwords in those apps. Option C is wrong because Conditional Access policies with MFA enforce additional security controls (like requiring multi-factor authentication) during sign-in, but they do not eliminate the need for password storage in the SaaS app itself. Option D is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, anomalous sign-ins), but it does not enable passwordless or federated authentication to third-party applications.

1328
Multi-Select · easy

Which TWO are capabilities of Microsoft Entra ID Protection?

Select 2 answers
A. Risk-based conditional access policies
B. Device enrollment policies
C. Self-service password reset
D. Privileged role activation
E. Detection of leaked credentials
Answers: A, E

ID Protection allows you to create policies that block or require MFA based on risk level.

Why this answer

Option A is correct because Microsoft Entra ID Protection uses risk-based conditional access policies to automatically respond to detected risks, such as blocking access or requiring multi-factor authentication, based on real-time risk levels. Option E is correct because Entra ID Protection continuously monitors for leaked credentials by analyzing known credential breaches and flagging accounts whose credentials have been exposed, enabling proactive remediation.

Exam trap

The trap here is that candidates confuse Entra ID Protection with other Entra ID features like SSPR or PIM, but Entra ID Protection is specifically about risk detection and automated remediation, not password management or privileged access control.

1329
MCQ · easy

A company wants to protect against ransomware by detecting and blocking malicious files in email attachments. Which Microsoft security solution should be used?

A. Microsoft Defender for Identity
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Office 365
D. Microsoft Defender for Endpoint
Answer: C

Correct: It provides email protection against ransomware and malware.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments and Safe Links to protect against malicious content in email.

1330
MCQ · easy

A company has a hybrid identity environment with Active Directory synchronizing to Microsoft Entra ID. They want users to be able to reset their own on-premises passwords via the cloud SSPR portal. What is the minimum license required for this capability?

A. Microsoft Entra ID Free
B. Microsoft Entra ID P1
C. Microsoft Entra ID P2
D. Microsoft 365 Business Basic
Answer: B

P1 includes all features needed for SSPR with password writeback in hybrid environments.

Why this answer

Microsoft Entra ID P1 is the minimum license required for password writeback, which enables users to reset their on-premises Active Directory passwords via the cloud SSPR portal. This feature requires Microsoft Entra ID P1 or higher because it involves synchronizing password changes back to on-premises AD using Microsoft Entra Connect.

Exam trap

The trap here is that candidates often assume Microsoft Entra ID Free or a basic Microsoft 365 license is sufficient for SSPR, forgetting that password writeback to on-premises AD is a premium feature requiring at least P1.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Free does not include password writeback; it only supports cloud-only SSPR without on-premises writeback. Option C is wrong because Microsoft Entra ID P2 includes P1 features plus Identity Protection and Privileged Identity Management, but P1 already provides password writeback, so P2 is not the minimum. Option D is wrong because Microsoft 365 Business Basic includes Microsoft Entra ID Free, not P1, and thus lacks password writeback capability.

1331
MCQ · easy

A company has enabled Microsoft Defender for Cloud. They want to assess their Azure resources for compliance with security benchmarks like CIS and Azure Security Benchmark, and view a secure score. Which feature of Defender for Cloud provides this capability?

A. Cloud Security Posture Management (CSPM)
B. Microsoft Defender for Servers
C. Microsoft Defender for App Service
D. Just-in-time (JIT) VM access
Answer: A

Correct. CSPM is the built-in module that provides continuous assessment of security posture, secure score, and compliance with benchmarks. It is enabled by default when you enable Defender for Cloud.

Why this answer

Cloud Security Posture Management (CSPM) is the Defender for Cloud feature specifically designed to assess Azure resources against industry security benchmarks such as CIS and the Azure Security Benchmark. It continuously evaluates your environment, provides a secure score based on compliance findings, and offers actionable recommendations to improve your security posture. This directly matches the scenario's requirement for benchmark compliance assessment and secure score visibility.

Exam trap

The trap here is that candidates often confuse workload protection plans (like Defender for Servers) with posture management features, assuming any 'Defender' plan includes compliance assessment, whereas CSPM is the dedicated feature for benchmarks and secure score.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers is a workload protection plan that provides advanced threat detection and just-in-time access for virtual machines, not a posture management or compliance benchmarking service. Option C is wrong because Microsoft Defender for App Service is a threat detection service focused on attacks targeting App Service applications, such as DDoS or injection attacks, and does not assess compliance with CIS or Azure Security Benchmark. Option D is wrong because Just-in-time (JIT) VM access is a feature that reduces the attack surface by controlling network access to VMs, but it does not perform compliance assessments or generate a secure score.

1332
MCQ · easy

Your organization needs to automatically detect and prevent accidental sharing of sensitive data in Microsoft Teams messages. Which Microsoft Purview solution should you use?

A. Retention policies
B. Data Loss Prevention (DLP)
C. eDiscovery
D. Sensitivity labels
Answer: B

DLP policies can detect sensitive data in transit and block sharing in Teams messages.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect and prevent accidental sharing of sensitive information in Teams messages. Option B is correct. Sensitivity labels and retention policies do not provide real-time prevention. eDiscovery is for search and export, not prevention.

1333
MCQ · hard

A compliance officer is tasked with continuously assessing the organization's compliance posture against GDPR and ISO 27001. The solution should generate a compliance score based on implemented controls, provide recommended improvement actions, and track remediation progress over time. Which Microsoft Purview solution should they use?

A. Audit (Premium)
B. Communication Compliance
C. Compliance Manager
D. Data Lifecycle Management
Answer: C

Compliance Manager provides built-in assessments, a compliance score, recommended actions, and supports ongoing tracking of improvement activities for standards like GDPR and ISO 27001.

Why this answer

Compliance Manager is the correct solution because it provides a continuous compliance score based on implemented controls, offers recommended improvement actions, and tracks remediation progress over time. It supports frameworks like GDPR and ISO 27001 by mapping controls to assessments and generating a dynamic score that reflects the organization's compliance posture.

Exam trap

The trap here is that candidates confuse Compliance Manager with Audit (Premium) because both involve compliance, but Audit is for log investigation, not for scoring or tracking control implementation against a framework.

How to eliminate wrong answers

Option A is wrong because Audit (Premium) focuses on capturing and analyzing audit logs for forensic investigation and security events, not on assessing compliance posture or generating a compliance score. Option B is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) and does not provide a compliance score or track control implementation against standards like GDPR or ISO 27001. Option D is wrong because Data Lifecycle Management handles data retention, deletion, and classification policies, but it does not assess compliance posture or generate a compliance score based on implemented controls.

1334
MCQ · hard

Your company uses Microsoft Entra ID and is implementing a zero-trust security model. You need to ensure that all access requests to sensitive applications are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID capability should you use?

A. Conditional Access with session controls
B. Access reviews
C. Microsoft Entra Identity Protection
D. Privileged Identity Management
Answer: A

Conditional Access session controls enable continuous access evaluation, verifying access at every request.

Why this answer

Conditional Access with session controls enforces continuous access evaluation (CAE) by intercepting real-time signals—such as user risk, device compliance, or location changes—after the initial authentication. This ensures that access to sensitive applications is verified throughout the session, not just at sign-in, aligning with the zero-trust principle of 'verify explicitly and continuously.'

Exam trap

The trap here is that candidates often confuse periodic reviews (Access reviews) or risk detection (Identity Protection) with real-time enforcement, but only session controls under Conditional Access provide the continuous, event-driven verification required by zero-trust.

How to eliminate wrong answers

Option B is wrong because Access reviews are periodic attestation workflows that require manual or scheduled re-certification of group memberships or application access; they do not provide real-time, continuous verification of each access request. Option C is wrong because Microsoft Entra Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce session-level controls or continuous verification of access to specific applications. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval workflows for privileged roles, not continuous verification of all access requests to sensitive applications.

1335
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to discover shadow IT usage. Which feature should you enable?

A. File policies
B. Conditional Access App Control
C. Cloud Discovery
D. App catalog
Answer: C

Cloud Discovery identifies unsanctioned cloud apps used in the organization.

Why this answer

Option C is correct because Cloud Discovery analyzes traffic logs to identify shadow IT. Option B is incorrect because Conditional Access App Control is for enforcing policies on sanctioned apps. Option D is incorrect because the app catalog lists known cloud apps. Option A is incorrect because file policies are for data protection.

1336
MCQ · medium

Your organization requires that all external guest users must sign in using Microsoft Authenticator for MFA. What should you configure?

A. Conditional Access policy
B. Microsoft Entra B2B collaboration settings
C. Access reviews
D. ID Protection policies
Answer: A

Conditional Access can require MFA for guest users.

Why this answer

A Conditional Access policy is the correct choice because it allows you to enforce MFA requirements for specific users, including external guest users, based on conditions such as sign-in risk, location, or device state. By targeting the 'Guest or external users' directory role in a Conditional Access policy, you can require Microsoft Authenticator as the MFA method, overriding default settings. This provides granular control over authentication behavior for B2B collaboration guests.

Exam trap

The trap here is that candidates confuse the high-level B2B collaboration settings (which only control trust of MFA from the home tenant) with the ability to enforce a specific MFA method directly on guest users, which requires a Conditional Access policy.

How to eliminate wrong answers

Option B (Microsoft Entra B2B collaboration settings) is wrong because these settings control invitation, redemption, and cross-tenant access policies, but they do not directly enforce MFA methods like Microsoft Authenticator; they only set trust settings for MFA from the guest's home tenant. Option C (Access reviews) is wrong because access reviews are used to periodically review and recertify user access, not to enforce authentication methods or MFA requirements. Option D (ID Protection policies) is wrong because ID Protection policies focus on risk-based conditional access (e.g., sign-in risk, user risk) and can trigger MFA, but they do not allow you to specify a particular MFA method like Microsoft Authenticator; that is done via Conditional Access grant controls.

1337
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A. Detect credit card numbers in Exchange Online emails
B. Block network traffic from suspicious IP addresses
C. Detect sensitive information in Microsoft Teams messages
D. Detect malware in email attachments
E. Detect passport numbers in SharePoint Online documents
Answers: A, C, E

DLP can scan email content for sensitive info.

Why this answer

Options A, C, and E are correct. DLP can detect sensitive data in Exchange emails, SharePoint documents, and Teams messages. Option B is wrong because DLP does not block network traffic; that is a network security function. Option D is wrong because DLP does not detect malware; that is Microsoft Defender for Endpoint.

1338
MCQ · medium

A company uses Microsoft Entra ID. The security team needs to block all sign-in attempts from a list of known malicious IP addresses. They also want to block sign-ins that originate from anonymous proxy services. Which Microsoft Entra capability should they configure to meet these requirements?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management
D. Access Reviews
Answer: A

Conditional Access can use named locations to block sign-ins from specific IP ranges and also block access from anonymous IP addresses using the 'Anonymous IP' location condition.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define conditions under which sign-ins are blocked or allowed. By configuring a policy that includes 'Locations' as a condition, you can specify a list of known malicious IP addresses and also enable the 'Anonymous IP address' risk detection to block sign-ins from anonymous proxy services. This directly meets the requirement to block sign-ins from both specific IPs and anonymous proxies.

Exam trap

The trap here is that candidates often confuse Identity Protection’s risk detection capabilities with the enforcement mechanism, mistakenly thinking Identity Protection alone can block sign-ins, when in fact it only identifies risks and requires Conditional Access to enforce the block.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because Identity Protection is a risk-based detection and remediation service that identifies suspicious sign-ins (e.g., from anonymous IPs) but does not itself enforce blocking; it relies on Conditional Access policies to take action. Option C (Privileged Identity Management) is wrong because PIM focuses on just-in-time privileged role activation and access governance, not on blocking sign-ins based on IP address or proxy services. Option D (Access Reviews) is wrong because Access Reviews are used to periodically audit and certify user access to resources, not to block sign-ins in real time based on location or network characteristics.

1339
MCQ · medium

Your company is implementing a zero-trust security model. Which principle requires verifying every access request as though it originates from an untrusted network, even if the request comes from within the corporate network?

A. Least privilege
B. Trust but verify
C. Explicit verification
D. Assume breach
Answer: D

This principle assumes every request is from an untrusted source.

Why this answer

Option D is correct because 'Assume breach' is the zero-trust principle that treats every access request as potentially compromised. Option C is incorrect because 'Explicit verification' is a different principle. Option A is incorrect because 'Least privilege' limits access rights. Option B is incorrect because 'Trust but verify' is not a zero-trust principle.

1340
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. The security team wants to be alerted when a user accesses a cloud app from a risky IP address. Which solution should you use to create a policy that triggers an alert based on this activity?

A. Create an activity policy.
B. Create a session policy.
C. Create an app discovery policy.
D. Create an access policy.
Answer: A

Activity policies monitor activities and trigger alerts based on conditions like risky IP.

Why this answer

Correct: an activity policy in Defender for Cloud Apps can monitor specific activities (e.g., logins) and trigger alerts based on risk factors like IP. Option D: access policies control access, not alerting. Option B: session policies control sessions. Option C: app discovery policies are for discovering shadow IT.

1341
MCQ · easy

A company wants to monitor employee communications for potential harassment or policy violations. Which Microsoft Purview solution should they use?

A. Data Loss Prevention (DLP)
B. eDiscovery
C. Communication compliance
D. Insider risk management
Answer: C

Monitors communications for policy violations like harassment.

Why this answer

Communication compliance monitors communications for inappropriate content. Insider risk management focuses on data theft and risky activities. DLP prevents data loss. eDiscovery is for legal discovery.

1342
MCQ · medium

A financial company processes stock trades. To ensure that a trader cannot later deny having submitted a specific trade order, the system captures a digital signature from the trader for each order. Which security goal is being addressed by this practice?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: D

Non-repudiation ensures that an individual cannot deny having performed an action or sent a message. Digital signatures provide non-repudiation by binding the action to the signer.

Why this answer

Non-repudiation ensures that a party cannot deny having performed a specific action. By capturing a digital signature from the trader for each trade order, the system creates cryptographic proof that the trader indeed submitted that order. This prevents the trader from later claiming they did not authorize the trade, directly addressing the non-repudiation goal.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but integrity only ensures data hasn't been tampered with, while non-repudiation specifically provides cryptographic proof of origin and action.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not on proving who performed an action. Option B is wrong because integrity ensures data has not been altered, but does not provide proof of origin or prevent denial of action. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to proving the authenticity of a submitted order.

1343
Multi-Select · hard

Which THREE of the following are valid components of Microsoft Entra Conditional Access? (Select THREE.)

Select 3 answers
A. Users and groups
B. Session
C. Conditions (e.g., locations, device platforms)
D. Cloud apps or actions
E. Grant
Answers: A, C, D

A condition that specifies who the policy applies to.

Why this answer

Option A is correct because 'Users and groups' is a fundamental assignment component in Microsoft Entra Conditional Access policies. It specifies which identities the policy applies to, such as specific users, groups, directory roles, or all users. Without this assignment, the policy cannot target any identities, making it a mandatory building block for any Conditional Access rule.

Exam trap

The trap here is that candidates often confuse 'Grant' and 'Session' as top-level components when they are actually sub-options under 'Access controls', leading them to select them instead of the correct assignment components like 'Users and groups', 'Conditions', and 'Cloud apps or actions'.

1344
MCQ · easy

A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?

A. Least privilege
B. Defense in depth
C. Zero Trust
D. Separation of duties
Answer: B

Correct. Defense in depth uses multiple, overlapping security controls (firewalls, IPS, antivirus, encryption) so that failure of one does not compromise the entire security posture. This is exactly what the company is implementing.

Why this answer

The strategy described uses multiple independent security controls—firewall, IPS, endpoint antivirus, and encryption—so that if one layer fails, others continue to protect the asset. This is the core definition of defense in depth, which creates overlapping layers of protection rather than relying on a single point of failure.

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth because both involve multiple controls, but Zero Trust specifically requires identity-based verification and micro-segmentation rather than relying on layered perimeter defenses.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user access rights to only what is necessary for their role, not the layering of security controls. Option C is wrong because Zero Trust assumes no implicit trust and requires continuous verification of every access request, whereas the described strategy focuses on layered perimeter and endpoint defenses without explicitly eliminating trust assumptions. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to provide overlapping technical security controls.

1345
MCQ · easy

A hospital stores patient medical records electronically. An attacker gains access to the system and modifies patient diagnoses. Which principle of the CIA triad has been violated?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures that data is not altered or destroyed by unauthorized parties. The attacker modified patient diagnoses, so integrity is violated.

Why this answer

The CIA triad's Integrity principle ensures that data is not modified by unauthorized parties. In this scenario, the attacker altered patient diagnoses, which directly violates data integrity. Confidentiality (unauthorized disclosure) and Availability (denial of service) are not the primary concerns here.

Exam trap

The trap here is that candidates may confuse 'access' with 'confidentiality' and choose A, but the key is the modification of data, which is a clear integrity violation, not just unauthorized viewing.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not unauthorized modification; the attacker did access the system, but the core violation is the alteration of records. Option C is wrong because availability ensures systems and data are accessible when needed; the attacker did not disrupt access to the records. Option D is wrong because non-repudiation is a security concept that prevents a party from denying an action (e.g., using digital signatures or audit logs), not a core principle of the CIA triad; it is not directly violated by data modification.

1346
MCQ · medium

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user fails to sign in more than five times within an hour. Which rule type should you use?

A. Scheduled query rule
B. Fusion rule
C. Near-real-time (NRT) analytics rule
D. Machine learning (ML) behavioral analytics rule
Answer: A

Scheduled query rules can run KQL queries on a schedule and trigger based on result counts over defined time windows.

Why this answer

Option A is correct because scheduled query rules allow custom KQL queries and can trigger based on conditions like the count of events. Option C is incorrect because NRT rules are for near-real-time detection, whereas scheduled rules are more appropriate for aggregation over a time window. Option B is incorrect because fusion rules use machine learning to correlate multistage attacks. Option D is incorrect because ML behavioral analytics rules detect anomalies, not fixed thresholds.

1347
MCQ · medium

A security team wants to monitor and proactively defend against cyber threats across their entire infrastructure, including Azure virtual machines, on-premises servers, and AWS workloads. They need a unified solution that provides endpoint detection and response (EDR), vulnerability management, and threat hunting capabilities. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
Answer: B

Defender for Endpoint is designed for EDR, vulnerability management, and threat hunting on endpoints including servers and cloud VMs, making it the right choice for unified threat defense across hybrid workloads.

Why this answer

Microsoft Defender for Endpoint (B) is the correct answer because it provides unified endpoint detection and response (EDR), vulnerability management, and threat hunting across heterogeneous environments, including Azure VMs, on-premises servers, and AWS workloads. It extends beyond Windows to support Linux and macOS endpoints, and can be onboarded via Microsoft Defender for Cloud for multi-cloud visibility, making it the single solution that meets all the stated requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP) with Microsoft Defender for Endpoint (an EDR), mistakenly thinking that Defender for Cloud alone provides endpoint-level detection and response, when in fact it relies on Defender for Endpoint for those capabilities.

How to eliminate wrong answers

Option A (Microsoft Defender for Cloud) is wrong because it is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing cloud resources and workloads, but it does not provide native endpoint detection and response (EDR) or vulnerability management for endpoints; it relies on Defender for Endpoint for those capabilities. Option C (Microsoft Sentinel) is wrong because it is a cloud-native SIEM and SOAR solution that ingests logs and alerts for security information and event management, but it does not perform endpoint-level EDR, vulnerability scanning, or threat hunting directly on endpoints. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) that focuses on shadow IT discovery, data loss prevention, and threat protection for SaaS applications, not endpoint detection and response or vulnerability management for servers and VMs.

1348
MCQmedium

Your organization is using Microsoft Defender for Cloud to secure a multi-cloud environment including Azure and AWS. You need to identify misconfigurations that could lead to security breaches. Which feature should you use?

A.Cloud Security Posture Management (CSPM)
B.Cloud Workload Protection (CWP)
C.Regulatory compliance dashboard
D.Security score
AnswerA

CSPM identifies misconfigurations and provides recommendations to improve security posture.

Why this answer

Option A is correct because Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) continuously assesses resources against security benchmarks and identifies misconfigurations. Option B is wrong because workload protections focus on detecting threats, not on configuration. Option D is wrong because the security score summarizes posture as a single number but does not itself identify specific misconfigurations. Option C is wrong because the regulatory compliance dashboard checks resources against specific standards, not general misconfigurations.

1349
MCQmedium

A financial services firm must monitor employee communications (email and Microsoft Teams) for potential insider trading. The compliance team wants to automatically detect messages containing specific financial keywords (e.g., 'non-public material information') and flag them for review. They also need to be able to remove violating messages from recipients' inboxes. Which Microsoft Purview solution should they configure?

A.Data Lifecycle Management
B.Communication Compliance
C.Insider Risk Management
D.Audit
AnswerB

Communication Compliance detects policy violations in messages and allows actions like removal.

Why this answer

Communication Compliance is the correct solution because it is specifically designed to detect and remediate inappropriate communications, including insider trading signals. It can automatically scan emails and Microsoft Teams messages for configurable sensitive information types (e.g., 'non-public material information') and enforce actions like removing violating messages from recipients' inboxes.

Exam trap

The trap here is confusing Communication Compliance (which detects and remediates message content) with Insider Risk Management (which focuses on behavioral analytics and risk scoring), leading candidates to choose the latter despite its inability to perform keyword-based message removal.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining and deleting data based on policies (e.g., legal hold, expiration), not on real-time detection or remediation of message content. Option C is wrong because Insider Risk Management analyzes user behavior patterns (e.g., unusual data exfiltration) to identify potential insider threats, but it does not directly scan communications for specific keywords or remove messages from inboxes. Option D is wrong because Audit provides logging and investigation of past activities (e.g., who accessed what), not proactive detection or automatic removal of violating messages.

1350
MCQeasy

Your organization wants to protect sensitive documents from being copied to unauthorized cloud services. Which Microsoft Purview capability should you use?

A.Audit log
B.Data Loss Prevention (DLP) policy
C.Retention policy
D.Sensitivity label
AnswerB

DLP can block sharing of sensitive data to unauthorized cloud services.

Why this answer

Option B is correct because DLP policies can detect and prevent sharing of sensitive data to unauthorized services. Option A is incorrect because audit logs only record activity; they do not block it. Option D is incorrect because sensitivity labels classify data but do not by themselves block sharing. Option C is incorrect because retention policies (records management) focus on how long data is kept, not on preventing it from being copied.
