Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 1351–1411

1411 questions total · 19 pages · All types, answers revealed

Page 19 of 19

1351
Multi-Selectmedium

Which TWO features are included in Microsoft Entra ID Identity Protection? (Choose two.)

Select 2 answers
A.Just-in-time privileged access
B.Sign-in risk detection
C.Cloud app discovery
D.Multi-factor authentication registration campaign
E.User risk detection
AnswersB, E

Identity Protection detects risky sign-ins and risky users.

Why this answer

Options B and E are correct. Identity Protection includes sign-in risk detection (risk evaluated for each authentication, such as an atypical travel pattern or an anonymous IP address) and user risk detection (the likelihood that the account itself is compromised, such as leaked credentials). Option A is wrong because just-in-time privileged access is Privileged Identity Management.

Option C is wrong because cloud app discovery belongs to Microsoft Defender for Cloud Apps. Option D is wrong because the registration campaign that nudges users to set up Microsoft Authenticator is configured in the authentication methods policy, not in Identity Protection.

1352
MCQmedium

A security team needs to detect and investigate advanced attacks targeting on-premises Active Directory accounts, such as Pass-the-Hash (PtH) and Golden Ticket attacks. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Sentinel
AnswerC

Correct. Microsoft Defender for Identity is purpose-built to detect advanced threats targeting on-premises Active Directory, such as Pass-the-Hash, Golden Ticket, and compromised credentials.

Why this answer

Microsoft Defender for Identity (MDI) is specifically designed to detect advanced attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. It uses behavioral analytics and machine learning to monitor AD traffic, Kerberos authentication, and NTLM protocol anomalies, identifying lateral movement and privilege escalation attempts that characterize these attacks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel or Defender for Endpoint, not realizing that only Defender for Identity provides dedicated, protocol-level detection for on-premises Active Directory attacks like PtH and Golden Ticket.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on shadow IT discovery and data protection in SaaS applications, not on-premises AD attack detection. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that monitors devices for malware and suspicious processes, but it does not natively analyze Active Directory authentication protocols like Kerberos or NTLM for PtH or Golden Ticket patterns. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR platform that aggregates logs from multiple sources; while it can ingest AD security events, it lacks the specialized, real-time behavioral analytics for AD-specific attacks that Defender for Identity provides out of the box.
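As an added illustration (not part of the question bank, and not Defender for Identity's own proprietary analytics), the PowerShell below applies two classic Golden Ticket indicators to constructed Kerberos KDC events: a service-ticket request (event 4769) for which no domain controller issued or renewed a TGT (events 4768/4770) within the ticket lifetime, and RC4 ticket encryption in a domain whose accounts support AES. The sample events are made up; in production the same logic would run over 4768/4769/4770 events collected from every domain controller.

```powershell
# Added example: a simple Golden Ticket heuristic over Kerberos KDC events.
# Illustrative detection logic only; Defender for Identity's detections are its own.
# The events below are constructed. In production you would collect them from every
# domain controller, e.g. Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769,4770}.

function Get-KerberosAccountName {
    # 4769 records the client as user@REALM, 4768/4770 as the bare sAMAccountName;
    # normalise both forms so they can be matched.
    param([string] $Name)
    return ($Name -split '@')[0].ToLowerInvariant()
}

function Find-SuspiciousTgsRequests {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $TgtLifetimeHours = 10   # default "Maximum lifetime for user ticket" domain policy
    )
    # 4768 = TGT issued by a KDC, 4770 = TGT renewed. A forged (golden) TGT is minted
    # offline from the krbtgt hash, so no DC ever logs either event for it.
    $tgtEvents = $Events | Where-Object { $_.Id -in 4768, 4770 }

    foreach ($tgs in ($Events | Where-Object { $_.Id -eq 4769 } | Sort-Object TimeCreated)) {
        $account = Get-KerberosAccountName $tgs.TargetUserName
        $reasons = @()

        $windowStart = $tgs.TimeCreated.AddHours(-$TgtLifetimeHours)
        $priorTgt = $tgtEvents | Where-Object {
            (Get-KerberosAccountName $_.TargetUserName) -eq $account -and
            $_.TimeCreated -le $tgs.TimeCreated -and
            $_.TimeCreated -gt $windowStart
        }
        if (-not $priorTgt) {
            $reasons += "service ticket with no TGT issued or renewed by any DC in the last $TgtLifetimeHours h"
        }
        # 0x17 = RC4-HMAC. Older forged tickets are built from the NT hash and use RC4
        # even when the account and domain support AES (0x11/0x12).
        if ($tgs.TicketEncryptionType -eq '0x17') {
            $reasons += 'RC4 (0x17) ticket encryption in an AES-capable domain'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $tgs.TimeCreated
                Account  = $account
                Service  = $tgs.ServiceName
                ClientIP = $tgs.IpAddress
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample events (not real log data): one normal TGT/TGS pair, one TGS long
# after its TGT should have expired, and one TGS with no TGT at all that also uses RC4.
$base = Get-Date '2024-05-06T08:00:00'
$sample = @(
    [pscustomobject]@{ Id=4768; TimeCreated=$base;                TargetUserName='alice';                    ServiceName='krbtgt';    IpAddress='10.0.0.21'; TicketEncryptionType='0x12' }
    [pscustomobject]@{ Id=4769; TimeCreated=$base.AddMinutes(5);  TargetUserName='alice@CONTOSO.LOCAL';      ServiceName='cifs/fs01'; IpAddress='10.0.0.21'; TicketEncryptionType='0x12' }
    [pscustomobject]@{ Id=4768; TimeCreated=$base.AddMinutes(10); TargetUserName='bob';                      ServiceName='krbtgt';    IpAddress='10.0.0.22'; TicketEncryptionType='0x12' }
    [pscustomobject]@{ Id=4769; TimeCreated=$base.AddHours(14);   TargetUserName='bob@CONTOSO.LOCAL';        ServiceName='ldap/dc01'; IpAddress='10.0.0.22'; TicketEncryptionType='0x12' }
    [pscustomobject]@{ Id=4769; TimeCreated=$base.AddHours(3);    TargetUserName='svc-backup@CONTOSO.LOCAL'; ServiceName='cifs/dc01'; IpAddress='10.0.0.99'; TicketEncryptionType='0x17' }
)

Find-SuspiciousTgsRequests -Events $sample | Format-Table -AutoSize
```

The first check is only meaningful when the logs of all domain controllers are combined, which is exactly what a sensor on every DC gives Defender for Identity; run against a single DC's log it will flag every TGT that happened to be issued elsewhere. Computer accounts, cross-forest referrals and clock skew between DCs also need handling before a heuristic like this is promoted to an alert.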

1353
MCQeasy

A healthcare organization must comply with HIPAA regulations regarding the protection of patient health information (PHI). Which cloud compliance concept ensures that the organization has controls in place to meet regulatory requirements?

A.Privacy management
B.Identity management
C.Security management
D.Compliance management
AnswerD

Compliance management involves implementing controls to meet regulatory requirements like HIPAA.

Why this answer

Compliance management is the discipline of ensuring that an organization adheres to regulations like HIPAA by implementing controls. Security management focuses on protecting assets from threats. Identity management deals with authentication and authorization.

Privacy management addresses personal data protection. The question specifically asks about meeting regulatory requirements.

1354
Multi-Selecthard

A company uses Microsoft Purview Data Lifecycle Management. To comply with regulatory requirements, the company must retain financial records for 7 years and then delete them. Which THREE actions should the company configure? (Select THREE.)

Select 3 answers
A.Create a data loss prevention policy
B.Create a retention policy for the entire SharePoint site
C.Create a retention label with a retention period of 7 years
D.Configure a disposition review to confirm deletion
E.Create an auto-labeling policy to apply the retention label to financial records
AnswersC, D, E

Retention labels define retention.

Why this answer

Options C, D, and E are correct: create a retention label with a 7-year retention period that deletes content at the end of the period, auto-apply that label to financial records (for example by keyword query or sensitive information type), and enable a disposition review so a designated reviewer confirms the deletion when the period ends. Option A is wrong because a DLP policy prevents oversharing of sensitive data; it does not retain or delete content. Option B is wrong because a retention policy applies one setting to everything in the site, so it would also hold non-financial content for 7 years instead of targeting the records.
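The three steps above, as an added example in Security & Compliance PowerShell (not from the question bank). It assumes the ExchangeOnlineManagement module, an account holding the Compliance Administrator or Records Management role, and placeholder label, policy, reviewer and query values that you replace with your own.

```powershell
# Added example: 7-year retention label, auto-apply policy and disposition review.
# Assumes ExchangeOnlineManagement is installed; all names, addresses and the query are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

# Step 1: a retention label that keeps content for 7 years from creation and then, instead of
# deleting silently, starts a disposition review by the named reviewer (ReviewerEmail is what
# turns the review on for Delete/KeepAndDelete labels).
$labelName = 'Financial Records - 7 years'
New-ComplianceTag -Name $labelName `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete `
    -ReviewerEmail 'records-manager@contoso.example' `
    -Comment 'Regulatory retention for financial records; disposition review before deletion'

# Step 2: the policy that defines where the label is auto-applied.
$policyName = 'Auto-apply - financial records'
New-RetentionCompliancePolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All

# Step 3: the rule that decides which content gets the label. A KQL query on content is used
# here; -ContentContainsSensitiveInformation (sensitive info type or trainable classifier)
# is the alternative when records are identifiable by data pattern rather than keyword.
New-RetentionComplianceRule -Name 'Financial records by keyword' `
    -Policy $policyName `
    -ApplyComplianceTag $labelName `
    -ContentMatchQuery 'invoice OR "general ledger" OR "balance sheet" OR "audit report"'

# Verify what was created.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionAction, RetentionType, RetentionDuration, ReviewerEmail
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, ApplyComplianceTag, ContentMatchQuery
```

Auto-apply can take up to seven days to label existing content, and a label that has been applied to content with a KeepAndDelete action cannot simply be shortened later, so settle the period and the reviewer before the rule goes live.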

1355
Multi-Selecthard

Which TWO authentication methods in Microsoft Entra ID support passwordless sign-in?

Select 2 answers
A.Certificate-based authentication
B.Windows Hello for Business
C.FIDO2 security keys
D.SMS-based verification
E.Time-based one-time password (TOTP)
AnswersB, C

Both replace the password with a device-bound key pair that is unlocked by a biometric or PIN gesture.

Why this answer

Windows Hello for Business and FIDO2 security keys are the passwordless methods in this list. Both rely on an asymmetric key pair: the private key is stored in hardware (the device TPM for Windows Hello for Business, the security key itself for FIDO2) and is unlocked by a local gesture such as a fingerprint, face scan or PIN. The gesture never leaves the device and no shared secret is transmitted, so there is no password to phish, replay or reset. Note that Microsoft's own list of passwordless options for Entra ID also includes certificate-based authentication and phone sign-in with Microsoft Authenticator; the answer key expects the two methods most commonly tested, and SMS and TOTP are the only options here that are never passwordless.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS or TOTP) with passwordless authentication, failing to recognize that passwordless methods eliminate the password entirely as the first factor, whereas MFA methods still require a password as the primary credential.

1356
MCQhard

A security team needs to collect and analyze security logs from a hybrid environment consisting of on-premises Windows servers, Azure virtual machines, and AWS workloads. They want to correlate events, detect anomalous behavior, and create custom security alerts with automated response playbooks. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerB

Sentinel is a scalable SIEM/SOAR that can collect logs from on-premises, Azure, and other clouds, correlate events, and enable custom alerts and playbooks.

Why this answer

Microsoft Sentinel is the correct solution because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution designed to ingest logs from hybrid and multi-cloud environments, including on-premises Windows servers, Azure VMs, and AWS workloads. It provides advanced correlation of events across these sources, built-in anomaly detection using machine learning, and the ability to create custom security alerts and automated response playbooks via Azure Logic Apps. This directly matches the requirement for collecting, analyzing, correlating, detecting anomalies, and automating responses.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with a full SIEM solution. Defender for Cloud assesses and protects workloads; cross-source log correlation, custom analytics rules and SOAR playbooks over arbitrary data sources are what a SIEM such as Microsoft Sentinel provides, and Defender for Cloud alerts are typically forwarded into Sentinel through its connector.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that focuses on assessing and hardening security configurations across Azure, AWS, and GCP; its workflow automation can trigger Logic Apps on its own alerts and recommendations, but it does not ingest and correlate logs from on-premises servers or let you write custom detection rules across sources. Option C is wrong because Microsoft Defender for Office 365 is specifically designed to protect email, SharePoint, OneDrive, and Teams from threats like phishing and malware, and it cannot ingest or analyze logs from on-premises Windows servers, Azure VMs, or AWS workloads. Option D is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that uses signals from domain controllers to detect identity-based attacks, but it lacks the multi-source log ingestion, correlation, and SOAR capabilities required for a hybrid environment with AWS workloads.

1357
MCQmedium

A user reports that they cannot access the corporate portal after a password reset. The user can access other cloud apps. You verify that the user account is enabled and not locked. What should you check next?

A.Disable and re-enable the user account
B.Verify the user's registered authentication methods
C.Reinstall the corporate portal application
D.Check if the user is assigned a Microsoft Entra ID P2 license
AnswerB

Password reset may require re-registration of MFA methods.

Why this answer

The user can access other cloud apps, which rules out a global authentication or network issue. Since the account is enabled and not locked, the most likely cause is that the user's registered authentication methods (e.g., phone, authenticator app, or email) are missing, outdated, or not configured for the password reset flow. Microsoft Entra ID requires verified authentication methods to complete a password reset and subsequent sign-in, especially when the user is prompted for multifactor authentication or self-service password reset (SSPR) verification.

Exam trap

The trap here is that candidates often assume a password reset always works seamlessly, but the SC-900 exam tests the understanding that authentication methods must be registered and up-to-date for the reset to succeed, especially when the user is prompted for additional verification.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling the account would not resolve a missing or misconfigured authentication method; it only toggles the account status, which is already enabled. Option C is wrong because reinstalling the corporate portal application addresses client-side corruption, not an identity or authentication method issue that prevents access after a password reset. Option D is wrong because a Microsoft Entra ID P2 license is not required for basic password reset or authentication method registration; P2 adds advanced features like Identity Protection and Privileged Identity Management, but the core SSPR and MFA registration work with P1 or even free tier licenses.

1358
MCQhard

Your organization uses Microsoft Purview Information Protection to classify and protect documents. You have created a sensitivity label that applies encryption to documents marked as 'Confidential'. Users are able to apply the label manually. However, you need to ensure that all documents containing personally identifiable information (PII) are automatically labeled as 'Confidential' when they are saved to SharePoint Online. What should you configure?

A.Create an auto-labeling policy in Microsoft Purview that scans for PII sensitive info types and applies the 'Confidential' label.
B.Configure a default label for SharePoint libraries so that all documents are labeled 'Confidential'.
C.Create a Data Loss Prevention (DLP) policy that blocks sharing of PII.
D.Train users to apply the 'Confidential' label manually when they create documents with PII.
AnswerA

Auto-labeling policies can scan and apply labels automatically.

Why this answer

Option A is correct because an auto-labeling policy in Microsoft Purview scans content in SharePoint Online for the sensitive information types that make up PII and applies the 'Confidential' label, and therefore its encryption, without any user action. Option D is wrong because manual labeling does not meet the automatic requirement. Option C is wrong because a DLP policy blocks or warns on sharing; it does not apply a sensitivity label.

Option B is wrong because a default library label is applied to every document in the library regardless of content, so it neither targets PII nor inspects files that are already there.
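The auto-labeling policy from option A, as an added example in Security & Compliance PowerShell (not from the question bank). It assumes a published sensitivity label named 'Confidential' that already applies encryption, the ExchangeOnlineManagement module and a Compliance Administrator account; the policy and rule names are placeholders.

```powershell
# Added example: auto-label SharePoint documents containing PII with the 'Confidential' label.
# Assumes the 'Confidential' label exists and is published; names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

# The policy names the label to apply and the locations to scan. Start in simulation mode
# so matches can be reviewed before any document is encrypted.
$policyName = 'Auto-label PII as Confidential'
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel 'Confidential' `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# The rule holds the detection logic: built-in sensitive information types that make up PII.
# minCount is the number of matches required before the rule fires.
New-AutoSensitivityLabelRule -Name 'PII detected' `
    -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                minCount = '1' }
    )

# Check the policy and rule, then, after reviewing the simulation results in the Purview
# portal, turn the policy on:
Get-AutoSensitivityLabelPolicy -Identity $policyName | Format-List Name, Mode, ApplySensitivityLabel
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Service-side auto-labeling works on files at rest in SharePoint and OneDrive and runs with a delay, so a document is not labeled in the instant it is saved; for label-at-creation behaviour the Office client-side auto-labeling setting on the label itself is the complementary control.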

1359
MCQeasy

A company uses Microsoft Defender for Cloud to improve their cloud security posture. They want to see an aggregated score that reflects how well their resources are protected against threats. Which feature in Defender for Cloud provides this?

A.Compliance dashboard
B.Security Score
C.Cloud Security Posture Management (CSPM)
D.Workload protections
AnswerB

Correct. The Security Score is an aggregated metric based on implemented security controls and recommendations, reflecting the overall security posture.

Why this answer

The portal calls this feature secure score. Each security control groups related recommendations and carries a maximum score; a control's current score is that maximum scaled by the share of affected resources that are healthy, and the overall percentage is the sum of current control scores divided by the sum of maximum scores. This gives a unified, quantitative measure of posture that only improves when every resource covered by a control is remediated.

Exam trap

The trap here is that candidates confuse the broader Cloud Security Posture Management (CSPM) capability with the specific Security Score feature, but CSPM is the umbrella term for posture management, while Security Score is the concrete metric that provides the aggregated score.

How to eliminate wrong answers

Option A is wrong because the Compliance dashboard maps security controls to regulatory standards (e.g., SOC 2, ISO 27001) and shows compliance status, not an aggregated threat protection score. Option C is wrong because Cloud Security Posture Management (CSPM) is the overarching capability that includes security assessments, hardening recommendations, and the Security Score; the question asks for the specific feature that provides the aggregated score, not the broader capability. Option D is wrong because Workload protections focus on advanced threat detection and response for specific workloads (e.g., servers, databases) using tools like Just-In-Time VM access and adaptive application controls, not an aggregated security score.

1360
MCQeasy

Your organization uses Microsoft Entra ID for identity management. You need to require multi-factor authentication (MFA) for all users when accessing the Azure portal. Which feature should you use?

A.Privileged Identity Management
B.Identity Protection user risk policy
C.Entra ID P1 license
D.Conditional Access policy
AnswerD

Conditional Access allows you to require MFA for specific cloud apps.

Why this answer

Option D is correct because a Conditional Access policy can target the Azure portal (part of the Microsoft Admin Portals target) for all users and require multifactor authentication as the grant control. Option C is wrong because a Microsoft Entra ID P1 license is the prerequisite that unlocks Conditional Access, not the feature that enforces MFA. Option B is wrong because a user risk policy responds to detected risk (for example by requiring a password change) rather than requiring MFA for a specific application.

Option A is wrong because Privileged Identity Management governs time-bound activation of elevated roles, not MFA for an application.

1361
MCQhard

A security team needs to detect and automatically respond to ransomware attacks on Windows servers and desktops. They require the solution to automatically isolate affected devices from the network and, if necessary, roll back files that have been modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these specific capabilities?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerB

Correct. Defender for Endpoint provides endpoint detection and response (EDR), including automated investigation, device isolation, and the ability to roll back files modified by ransomware using cloud-delivered protection and continuous monitoring.

Why this answer

Microsoft Defender for Endpoint (MDE) provides automated investigation and remediation capabilities that include network containment (isolating a device from the network) and rollback of files modified by ransomware using its built-in recovery feature. This is achieved through MDE's endpoint detection and response (EDR) and automated investigation capabilities, which can trigger device isolation and file restoration from Volume Shadow Copy or MDE's own rollback mechanism.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps (a CASB) with endpoint protection, or assume that Defender for Office 365 covers all ransomware scenarios, when in fact only Defender for Endpoint provides the specific combination of device isolation and file rollback on Windows endpoints.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on securing cloud applications and data, not on endpoint-level ransomware detection, device isolation, or file rollback on Windows servers and desktops. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, OneDrive, and Teams from threats like phishing and malware, but it does not provide endpoint isolation or file rollback on Windows servers and desktops. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., lateral movement, privilege escalation) and does not include endpoint device isolation or ransomware file recovery capabilities.

1362
Multi-Selecthard

A company uses Microsoft Entra ID. They want to implement two security baseline requirements: (1) Users must register for multifactor authentication (MFA) before they can use self-service password reset (SSPR). (2) Administrators must have just-in-time (JIT) access to Azure resources with approval required. Which two Microsoft Entra features should they use? (Choose two.)

Select 2 answers
A.Identity Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Combined registration for SSPR and MFA
AnswersC, D

PIM enables just-in-time administrative access with approval workflows, meeting requirement (2).

Why this answer

Combined registration for SSPR and MFA is the correct feature for requirement (1): a user registers authentication methods once and the same methods serve both MFA and SSPR, so registering for MFA satisfies the SSPR prerequisite; a Conditional Access policy targeting the 'Register security information' user action can force that registration to happen from a trusted location. Privileged Identity Management (PIM) is the correct feature for requirement (2) because it provides just-in-time (JIT) access to Azure resources, requiring approval for role activation. PIM allows administrators to request time-bound, approved elevation of privileges, meeting the JIT and approval requirement exactly.

Exam trap

The trap here is that candidates confuse Conditional Access (which enforces MFA registration via policy) with the specific combined registration feature that directly ties SSPR and MFA enrollment into a single user experience, and they may overlook that PIM is the only feature that provides JIT access with approval for Azure resources.

1363
MCQmedium

A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 90 days on trusted devices, but force MFA for every sign-in on untrusted devices. Which Conditional Access session control must they configure to meet this requirement?

A.Sign-in frequency
B.Application enforced restrictions
C.Use app enforced restrictions
D.Persistent browser session
AnswerA

Sign-in frequency is a session control that determines how often a user must authenticate again, either after a set number of hours or days or on every sign-in. Different values for trusted and untrusted devices are achieved by scoping two policies with device conditions, not by a single setting.

Why this answer

Sign-in frequency is the Conditional Access session control that defines the interval after which a user must reauthenticate, even on a trusted device. Two policies meet the requirement: one scoped to trusted devices (compliant or hybrid joined, selected with a device filter) with a time-based frequency of 90 days, and one scoped to all other devices with the frequency set to 'Every time', which prompts on each new sign-in. This control manages the reauthentication interval independently of the refresh-token lifetime.

Exam trap

The trap here is that candidates confuse 'Persistent browser session' (which controls session persistence across browser closes) with 'Sign-in frequency' (which controls the re-authentication interval), leading them to choose the wrong option for MFA frequency requirements.

How to eliminate wrong answers

Option B is wrong because 'Application enforced restrictions' is not the name of a session control; it is a near-duplicate of option C. Option C is wrong because 'Use app enforced restrictions' is a real session control, but it passes device information to Exchange Online and SharePoint Online so those services can limit what unmanaged devices may do (for example browser-only access with download blocked); it does not control how often a user must reauthenticate. Option D is wrong because 'Persistent browser session' controls whether the sign-in session survives closing the browser, not the reauthentication interval for MFA.
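The policies behind questions 1360 and 1363, as one added example using the Microsoft Graph PowerShell SDK (not from the question bank): an MFA requirement for the Azure portal and the other admin portals, plus a pair of sign-in frequency policies split by device trust. It assumes the Microsoft.Graph.Identity.SignIns module, an account that can consent to the listed scopes, and a placeholder $breakGlassGroupId for the emergency-access group that every policy should exclude.

```powershell
# Added example: Conditional Access policies via Microsoft Graph PowerShell.
# $breakGlassGroupId is a placeholder; all policies are created in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # replace with your group's object ID

$allUsersExceptBreakGlass = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }

# Policy 1 (question 1360): require MFA for the Azure portal. 'MicrosoftAdminPortals' is the
# built-in target that covers the Azure portal, the Entra admin center and the other admin portals.
$requireMfa = @{
    displayName   = 'Require MFA for admin portals'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @('MicrosoftAdminPortals') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2a (question 1363): trusted devices, i.e. Intune-compliant or Microsoft Entra hybrid
# joined (trustType "ServerAD"), reauthenticate every 90 days.
$trustedDeviceRule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
$trustedFrequency = @{
    displayName     = 'Sign-in frequency 90 days on trusted devices'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'include'; rule = $trustedDeviceRule } }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'timeBased'
            type               = 'days'
            value              = 90
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $trustedFrequency

# Policy 2b: every other device, including unregistered ones, reauthenticates on every sign-in.
# 'everyTime' takes no type/value; the same filter in exclude mode makes the two policies complementary.
$untrustedFrequency = @{
    displayName     = 'Sign-in frequency every time on untrusted devices'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'exclude'; rule = $trustedDeviceRule } }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $untrustedFrequency

# Confirm the three policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'Require MFA*' -or $_.DisplayName -like 'Sign-in frequency*' } |
    Select-Object DisplayName, State
```

Report-only mode first is not optional hygiene here: a sign-in frequency of 'every time' applied to the wrong scope, or an MFA policy that catches the break-glass account, locks administrators out of the very portal they need to fix it. Review the policies' report-only results in the sign-in logs before changing state to 'enabled'.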

1364
Multi-Selectmedium

Which THREE of the following are capabilities of Microsoft Purview Information Protection?

Select 3 answers
A.Auto-labeling for sensitive data
B.Communication monitoring
C.Sensitivity labels
D.Encryption and rights protection
E.Retention policies
AnswersA, C, D

Auto-labeling is a feature of Information Protection.

Why this answer

A, C, D are correct. Sensitivity labels, auto-labeling of sensitive data, and encryption with rights protection are the core Information Protection capabilities. E (retention policies) belongs to Data Lifecycle Management.

B (communication monitoring) is Communication Compliance.

1365
MCQmedium

A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?

A.Just-in-time access
B.Least privilege
C.Defense in depth
D.Zero Trust
AnswerA

Correct. The scenario describes temporary, time-limited elevated access upon request, which is exactly just-in-time (JIT) access.

Why this answer

Option A is correct because just-in-time (JIT) access is a security concept that grants elevated permissions only when needed, for a limited duration, and requires approval. In this scenario, the policy requires an access request, manager approval, and automatic expiration after four hours, which directly aligns with JIT access to reduce the risk of standing privileges being exploited.

Exam trap

The trap here is that candidates confuse 'least privilege' (a static principle of minimal permissions) with 'just-in-time access' (a dynamic, time-bound activation mechanism), but the question's emphasis on 'request, approval, and automatic expiration' specifically points to JIT, not just the principle of least privilege.

How to eliminate wrong answers

Option B is wrong because least privilege is a principle that ensures users have only the minimum permissions necessary to perform their tasks, but it does not inherently include time-bound or approval-based elevation; the scenario specifically describes temporary, approved access, which is JIT, not just least privilege. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, antivirus, encryption), not a single policy for temporary privileged access. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and continuously verifies every request, but the scenario focuses on time-limited, approved elevation, not the broader Zero Trust principles of micro-segmentation or continuous verification.

1366
MCQeasy

A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?

A.Managing user access to the applications
B.Securing the underlying application code and platform
C.Configuring multi-factor authentication for users
D.Protecting data from unauthorized access by other tenants
AnswerB

As a SaaS provider, Microsoft is responsible for the security of the application code, runtime environment, and underlying infrastructure. The customer does not manage the platform.

Why this answer

In a SaaS model like Microsoft 365 E5, Microsoft retains responsibility for securing the underlying application code, platform, and physical infrastructure. This includes patching the operating system, hardening the application stack, and ensuring the runtime environment is secure. The customer is responsible for managing user identities, configuring access controls, and protecting their own data.

Exam trap

The trap here is that candidates often confuse customer-managed security controls (like MFA and user access) with Microsoft's inherent platform responsibilities, leading them to select options that are actually customer obligations under the SaaS model.

How to eliminate wrong answers

Option A is wrong because managing user access to applications (assigning roles, controlling permissions) is a customer responsibility under the SaaS shared responsibility model. Option C is wrong because Microsoft provides the MFA service, but enabling and enforcing it for users is a customer task. Option D is the distractor: tenant isolation is indeed delivered by Microsoft, but it is a consequence of the same platform security that option B names, and the customer still remains responsible for classifying and protecting its own data inside the tenant. Securing the application code and platform is the clearer, non-delegable Microsoft responsibility the question is looking for.

1367
MCQeasy

Your organization needs to control which users can access Microsoft Purview compliance portal. Which method should you use to grant access?

A.Add users to an Azure RBAC role
B.Configure Intune policy to allow access
C.Assign users to the Compliance Administrator role group in Microsoft Purview
D.Assign Microsoft 365 E5 licenses to users
AnswerC

Role groups in Purview grant access to the compliance portal.

Why this answer

Option C is correct because access to the Microsoft Purview compliance portal is granted by membership of its role groups, such as Compliance Administrator. Option D is incorrect because licenses are needed but do not by themselves grant portal access. Option A is incorrect because Azure RBAC governs Azure resources, not Purview.

Option B is incorrect because Intune manages devices, not access to Purview.

1368
MCQeasy

A company's security policy requires that all data transferred between the corporate data center and the cloud must be protected from unauthorized access during transmission. They use encryption protocols such as TLS to achieve this. Which security goal is primarily being addressed?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerA

Encrypting data during transmission ensures that only authorized parties can read the data, thereby maintaining confidentiality.

Why this answer

Confidentiality is the security goal that ensures data is not disclosed to unauthorized entities. By using encryption protocols such as TLS, the data in transit is rendered unreadable to any party that intercepts the traffic, directly protecting against unauthorized access during transmission.

Exam trap

The trap here is that candidates may confuse encryption with integrity, thinking that encryption alone prevents tampering. Encryption provides confidentiality; integrity needs a MAC or an AEAD authentication tag, and TLS supplies both (as well as server authentication through certificates), but the goal stated in the question, preventing unauthorized parties from reading data during transmission, is confidentiality.

How to eliminate wrong answers

Option B (Integrity) is wrong because integrity focuses on ensuring data has not been altered or tampered with during transit, which is typically achieved through hashing or message authentication codes (e.g., HMAC), not solely by encryption. Option C (Availability) is wrong because availability concerns ensuring systems and data are accessible when needed, often addressed by redundancy and disaster recovery, not by encrypting data in transit. Option D (Non-repudiation) is wrong because non-repudiation provides proof of the origin or delivery of data, usually via digital signatures or audit logs, and is not the primary goal of encryption protocols like TLS.

1369
MCQeasy

A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?

A.Defense in depth
B.Zero Trust
C.Least privilege
D.CIA triad
AnswerA

Correct. Defense in depth employs overlapping layers of security controls to protect assets and ensure resilience against attacks.

Why this answer

Defense in depth is a security strategy that layers independent defensive mechanisms so that if one layer fails, another layer is already in place to prevent or mitigate an attack. The scenario explicitly describes multiple layers (firewall, IDS, endpoint antivirus, MFA) working together, which is the core definition of defense in depth. This approach ensures no single point of failure can compromise the entire security posture.

Exam trap

The trap here is that candidates often confuse 'Defense in depth' with 'Zero Trust' because both involve multiple security controls, but Zero Trust is specifically about eliminating implicit trust and verifying every access request, not about layering defenses as a fail-safe mechanism.

How to eliminate wrong answers

Option B (Zero Trust) is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, regardless of network location; it does not inherently describe a layered defense strategy. Option C (Least privilege) is wrong because least privilege is a principle that restricts users and systems to only the minimum permissions necessary to perform their functions, not a multi-layered control architecture. Option D (CIA triad) is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a set of security objectives, not a design principle for implementing multiple layers of controls.

1370
Drag & Dropmedium

Arrange the steps to investigate a user compromise using Azure AD Identity Protection.


Why this order

Identity Protection investigation involves accessing the portal, reviewing risks, selecting a user, analyzing events, and taking action.

1371
MCQeasy

Your organization is implementing Microsoft Purview to manage sensitive data. You need to ensure that documents containing credit card numbers are automatically detected and protected. Which Microsoft Purview solution should you configure?

A.eDiscovery (Premium)
B.Data Loss Prevention (DLP)
C.Audit (Standard)
D.Information Barriers
AnswerB

DLP policies detect sensitive content like credit card numbers and apply protection actions.

Why this answer

Option B is correct because Data Loss Prevention (DLP) policies can automatically detect sensitive information like credit card numbers and apply protective actions. Option D is wrong because Information Barriers restrict communication between groups but do not classify content. Option A is wrong because eDiscovery is for legal discovery, not automatic detection.

Option C is wrong because Audit logs track activities but do not protect data.

1372
MCQmedium

A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?

A.Microsoft Sentinel
B.Microsoft 365 Defender
C.Microsoft Defender for Cloud
D.Microsoft Defender for Endpoint
Answer: B

Correct. Microsoft 365 Defender is the unified portal that correlates alerts and incidents from Defender for Endpoint, Office 365, Identity, and Cloud Apps, enabling cross-domain investigations and automated response.

Why this answer

Microsoft 365 Defender is the correct answer because it is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. It provides a single portal (security.microsoft.com) where alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps are correlated into incidents, enabling cross-domain investigation and automated response via playbooks and the Microsoft 365 Defender API.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the unified Microsoft 365 Defender portal, not realizing that Sentinel is an aggregator for multiple data sources, while Microsoft 365 Defender is the native unified console for the Defender product family itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs and alerts from multiple sources, but it is not the unified portal for Microsoft 365 Defender products; it aggregates data from those products and others, requiring additional configuration and cost. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, hybrid, and multi-cloud resources, not a unified incident response portal for the Microsoft 365 Defender product family. Option D is wrong because Microsoft Defender for Endpoint is specifically an endpoint detection and response (EDR) solution; while it has its own portal, it does not natively unify alerts from Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into a single cross-domain investigation experience.

1373
Multi-Select · hard

Which TWO of the following are capabilities of Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Security information and event management (SIEM)
B.Security orchestration, automation, and response (SOAR)
C.Endpoint detection and response (EDR)
D.Vulnerability scanning
E.Data classification and labeling
Answers: A, B

Sentinel is a cloud-native SIEM solution for collecting and analyzing security data.

Why this answer

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that aggregates log data from across an organization to detect, investigate, and respond to threats. It also provides Security Orchestration, Automation, and Response (SOAR) capabilities through built-in playbooks and automation rules, enabling automated incident response workflows.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel's ability to ingest and correlate EDR alerts with actually performing EDR functions, leading them to select 'Endpoint detection and response' as a Sentinel capability.

1374
MCQ · medium

A company wants to improve password security across its Microsoft Entra ID tenant. The security team wants to prevent users from setting passwords that appear on Microsoft's global banned password list, which includes commonly compromised passwords. Additionally, they need to add a custom banned password containing the company name so that users cannot use variations of it. Which Microsoft Entra ID feature should they configure to enforce these password policies?

A.Conditional Access
B.Identity Protection
C.Password Protection
D.Multi-factor authentication (MFA)
Answer: C

Password Protection is the Entra ID feature that enforces both global and custom banned password lists. It prevents users from setting weak or easily guessable passwords, thereby reducing the risk of password-based attacks.

Why this answer

Password Protection in Microsoft Entra ID is the feature specifically designed to enforce both global and custom banned password lists. It prevents users from using commonly compromised passwords from Microsoft's global list and allows administrators to add custom terms, such as the company name, to block variations. This directly addresses the requirement to improve password security by blocking weak and organization-specific passwords.

Exam trap

The trap here is that candidates may confuse Identity Protection's 'leaked credentials' detection with the ability to block password creation. Identity Protection only detects credentials that have already been compromised; it does not prevent users from setting weak passwords in the first place.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on signals like user location or device compliance, not password content or banned password lists. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks, such as leaked credentials or suspicious sign-ins, not on preventing users from setting specific passwords. Option D is wrong because Multi-factor authentication (MFA) adds a second verification step during sign-in but does not control or validate the password content that users set.

1375
MCQ · hard

A company deploys Microsoft Defender for Cloud Apps. They want to detect when a user downloads more than 100 files from SharePoint in 10 minutes. Which policy type should they create?

A.File policy
B.Anomaly detection policy
C.App permission policy
D.Session policy
Answer: B

Anomaly detection policies use machine learning to detect unusual user behavior like mass downloads.

Why this answer

Option B is correct because an anomaly detection policy in Defender for Cloud Apps can identify unusual file download activities based on predefined thresholds. Option A is wrong because a file policy monitors files based on metadata or content, not behavioral patterns. Option C is wrong because an app permission policy governs permissions granted to third-party apps. Option D is wrong because a session policy enforces real-time controls on user sessions.

1376
Multi-Select · medium

Which THREE are features of Microsoft Defender for Cloud?

Select 3 answers
A.Just-in-time VM access
B.Secure Score
C.Data classification
D.Regulatory compliance dashboard
E.Incident investigation
Answers: A, B, D

JIT access reduces exposure by controlling VM access.

Why this answer

Just-in-time (JIT) VM access is a feature of Microsoft Defender for Cloud that reduces exposure to brute-force attacks by locking down inbound traffic to VMs. It allows you to control when specific ports (e.g., RDP port 3389 or SSH port 22) are opened on demand, based on role-based access control (RBAC) and approved requests, and automatically closes them after a configured time window.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's security alerts and recommendations with the full incident investigation and hunting capabilities of Microsoft Sentinel, or they mistakenly associate data classification (a Purview feature) with Defender for Cloud's workload protection.

1377
MCQ · easy

A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?

A.Using a single, strong firewall to block all external traffic
B.Layering multiple security controls across different areas of the IT environment
C.Relying solely on encryption to protect all data at rest and in transit
D.Implementing only physical security measures to protect the data center
Answer: B

This is correct. Defense in depth employs a layered approach, including physical, technical, and administrative controls, so that if one control fails, others still provide protection.

Why this answer

Defense in depth is a cybersecurity strategy that employs multiple layers of security controls across different areas of the IT environment (network, endpoint, application, data, and physical). This approach ensures that if one control fails, another is already in place to mitigate the threat, providing redundancy and reducing the risk of a single point of failure. Microsoft's security framework, including tools like Microsoft Defender for Cloud and Azure Firewall, operationalizes this concept by integrating protections at each layer.

Exam trap

The trap here is that candidates often confuse defense in depth with a single strong control (like a firewall or encryption), failing to recognize that the core principle is layering multiple independent controls to provide redundancy and depth.

How to eliminate wrong answers

Option A is wrong because relying on a single, strong firewall creates a single point of failure; defense in depth requires multiple overlapping controls, not a single barrier. Option C is wrong because encryption alone does not protect against threats like malware, unauthorized access, or denial-of-service attacks; it only secures data confidentiality and integrity, leaving other attack vectors unaddressed. Option D is wrong because physical security is only one layer of defense in depth; it ignores critical layers such as network segmentation, identity management (e.g., Azure AD Conditional Access), and endpoint protection (e.g., Microsoft Defender for Endpoint).

1378
Multi-Select · hard

Which THREE actions can be performed by Microsoft Purview Data Loss Prevention (DLP) policies?

Select 3 answers
A.Create audit reports of policy matches
B.Send notification to users
C.Block sharing of sensitive data
D.Automatically delete files containing sensitive data
E.Apply encryption via sensitivity labels
Answers: B, C, E

DLP can show policy tips and send email notifications.

Why this answer

DLP policies can block sharing, send notifications, and apply encryption (e.g., via sensitivity labels). DLP cannot automatically delete or move files; that is for retention policies. DLP does not create audit reports directly; audit logs are generated by the Audit feature.

1379
MCQ · hard

Refer to the exhibit. You run the cmdlet and get a list of risk detections. What does this cmdlet retrieve?

A.Users who have been flagged for risky sign-ins
B.All risk detections in the tenant
C.All sign-in logs with unfamiliar properties
D.Risk detections for the unfamiliar sign-in properties risk event type
Answer: D

The filter specifies riskEventType eq 'unfamiliarSignInProperties'.

Why this answer

The cmdlet `Get-MgRiskDetection` retrieves all risk detections in the tenant, but when combined with the `-Filter` parameter for `riskEventType eq 'unfamiliarSigninProperties'`, it specifically returns only those risk detections that match the unfamiliar sign-in properties risk event type. This is because the cmdlet supports filtering by the `riskEventType` property, which corresponds to the type of risk detection as defined by Microsoft Entra ID Protection.

Exam trap

The trap here is that candidates confuse retrieving risk detections (which are events) with retrieving risky users or sign-in logs, and they overlook the `-Filter` parameter that narrows the scope to a specific risk event type, leading them to choose the overly broad 'All risk detections' option.

How to eliminate wrong answers

Option A is wrong because `Get-MgRiskDetection` retrieves risk detection objects, not user objects; users flagged for risky sign-ins are retrieved using `Get-MgRiskyUser` or `Get-MgRiskDetection` with a different filter. Option B is wrong because the cmdlet in the exhibit includes a `-Filter` parameter that limits the results to a specific risk event type, not all risk detections in the tenant. Option C is wrong because sign-in logs with unfamiliar properties are a subset of risk detections, but the cmdlet retrieves risk detection objects (which include metadata like risk level, risk state, and detection timing), not raw sign-in logs; sign-in logs are retrieved via `Get-MgAuditLogSignIn`.

1380
MCQ · medium

An organization uses Microsoft Entra ID. The security team wants to require multi-factor authentication (MFA) for users who sign in from sessions that Microsoft Entra ID Protection determines to have medium or high sign-in risk. Users signing in from low-risk sessions should not be prompted for MFA. Which feature should the security team configure?

A.Configure a Conditional Access policy with Sign-in risk as a condition and MFA as a grant control
B.Configure a user risk policy in Microsoft Entra ID Protection
C.Assign the Global Administrator role with Privileged Identity Management (PIM) activation requiring MFA
D.Create an access review in Microsoft Entra ID Governance
Answer: A

Conditional Access policies can evaluate sign-in risk from Identity Protection and require MFA only when the risk level matches the configured condition.

Why this answer

Option A is correct because a Conditional Access policy can use Sign-in risk (a condition from Microsoft Entra ID Protection) to require MFA as a grant control. This allows the security team to enforce MFA only for sessions with medium or high sign-in risk, while low-risk sessions are not prompted, exactly matching the requirement.

Exam trap

The trap here is confusing sign-in risk (session-level) with user risk (user-level), leading candidates to choose the user risk policy (Option B) instead of the Conditional Access policy with sign-in risk condition.

How to eliminate wrong answers

Option B is wrong because a user risk policy in Microsoft Entra ID Protection targets user-level risk (e.g., compromised credentials) and typically forces a password change, not MFA based on sign-in session risk. Option C is wrong because assigning the Global Administrator role with PIM activation requiring MFA only applies to privileged role activation, not to all user sign-ins based on sign-in risk. Option D is wrong because an access review in Microsoft Entra ID Governance is used for periodic review of group memberships or role assignments, not for real-time MFA enforcement based on sign-in risk.

1381
MCQ · hard

Refer to the exhibit. A Microsoft Purview administrator imported this JSON policy for automatic sensitivity labeling. After deployment, users report that emails containing German social security numbers are not being automatically labeled. What is the most likely cause?

A.The sensitive info type 'EU_Deutschland_SocialSecurityNumber' is not defined in the tenant.
B.Auto-labeling for emails requires 'applyWithOverride' behavior, not 'apply'.
C.The encryption setting prevents auto-labeling on emails.
D.The label is not published to users.
Answer: B

Correct: Exchange requires a different behavior value.

Why this answer

The JSON defines a label with auto-labeling conditions based on the sensitive info type 'EU_Deutschland_SocialSecurityNumber'. However, the auto-labeling behavior is set to 'apply', which is only supported for SharePoint and OneDrive documents, not for Exchange emails. For emails, the behavior must be 'applyWithOverride' or 'applyWithNotify'.

Therefore, the auto-labeling will not apply to emails containing the sensitive info type. Option B is correct. Option A is wrong because the sensitive info type is valid. Option C is wrong because encryption being configured on the label is not what prevents auto-labeling. Option D is wrong because the label is published.

1382
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID Governance?

Select 2 answers
A.Privileged Identity Management
B.Access Reviews
C.Entitlement Management
D.Conditional Access
E.Identity Protection
Answers: B, C

Access Reviews are a core ID Governance feature.

Why this answer

Access Reviews (B) are a core capability of Microsoft Entra ID Governance, enabling administrators to automate periodic reviews of group memberships, application access, and role assignments to ensure only the right people have access. Entitlement Management (C) is also a key governance feature, allowing organizations to manage the identity and access lifecycle at scale through access packages and policies. Both directly support identity governance by enforcing access controls and compliance requirements.

Exam trap

The trap here is that candidates often treat Privileged Identity Management (PIM) as a standalone governance capability, but PIM is actually a subset of Entitlement Management and Access Reviews within Entra ID Governance, and the question specifically asks for the two capabilities that are directly governance-focused, not security or risk-based features.

1383
MCQ · medium

A company uses Microsoft Entra ID. The security team wants to enforce a policy that prevents users from choosing commonly used weak passwords like 'Winter2024!' or 'Password@123', and also blocks customized variants based on organizational context (e.g., company name). Users must create passwords that meet standard complexity requirements. Which Microsoft Entra ID feature should they enable?

A.Password hash synchronization
B.Microsoft Entra ID Password Protection
C.Self-Service Password Reset
D.Conditional Access
Answer: B

Correct. Microsoft Entra ID Password Protection blocks weak passwords and their common variants, including custom banned lists. It is the appropriate feature for enforcing strong password choices beyond default complexity.

Why this answer

Microsoft Entra ID Password Protection (B) is the correct feature because it specifically enforces custom banned password lists that block weak passwords like 'Winter2024!' and organizational variants such as the company name. It works alongside standard password complexity requirements to prevent users from choosing passwords that appear on a global banned list or a tenant-specific custom list. This directly addresses the security team's need to block commonly used weak passwords and context-based variants.

Exam trap

The trap here is that candidates often confuse Self-Service Password Reset (SSPR) with password policy enforcement, but SSPR only facilitates password changes and does not block weak passwords; the actual blocking is done by Password Protection, which is a separate feature.

How to eliminate wrong answers

Option A is wrong because Password hash synchronization is a feature that syncs user password hashes from on-premises Active Directory to Microsoft Entra ID for hybrid identity scenarios; it does not enforce password policies or block weak passwords. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords but does not define or enforce password content restrictions like banned password lists. Option D is wrong because Conditional Access is a policy engine that controls access based on signals like user location, device state, or risk level; it does not validate password strength or block weak passwords during creation or change.

1384
MCQ · medium

A healthcare organization must automatically detect documents containing patient health information (PHI) in SharePoint Online and apply a retention label that retains the documents for 10 years. Additionally, they want to prevent users from permanently deleting these documents during the retention period. Which Microsoft Purview solution should they use to achieve this?

A.Data Lifecycle Management
B.Records Management
C.Data Loss Prevention (DLP)
D.Communication Compliance
Answer: B

Correct. Records Management uses retention labels that can be configured to mark items as records. When an item is a record, it cannot be deleted, edited, or modified by users during the retention period. This satisfies the requirement to prevent permanent deletion.

Why this answer

Records Management (option B) is correct because it enables organizations to declare documents as records, which locks them against deletion or modification for a specified retention period. In this scenario, automatically detecting PHI in SharePoint Online and applying a retention label that both retains documents for 10 years and prevents permanent deletion is a core Records Management capability, as it uses retention labels configured to mark items as records (or regulatory records) to enforce immutability.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (which handles retention and deletion but not immutability) with Records Management (which adds the critical 'lock as a record' capability to prevent deletion), leading them to incorrectly select option A.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on managing retention and deletion of content based on policies but does not inherently prevent users from permanently deleting documents during the retention period; it lacks the 'lock as a record' functionality that enforces immutability. Option C is wrong because Data Loss Prevention (DLP) is designed to detect and prevent unauthorized sharing or leakage of sensitive information (e.g., PHI), not to enforce retention or prevent deletion of documents. Option D is wrong because Communication Compliance is used to monitor and analyze communications (e.g., email, Teams) for policy violations, such as insider trading or harassment, and does not provide retention labeling or deletion prevention for documents.

1385
MCQ · medium

A company uses Microsoft 365 and wants to protect against sophisticated phishing attacks that use malicious links in email. They also want real-time analysis of URLs at the time of click. Which Microsoft Defender for Office 365 feature provides this?

A.Safe Links
B.Safe Attachments
C.Anti-spam
D.Anti-malware
Answer: A

Correct. Safe Links proactively protects users from malicious URLs by scanning links at the time of click, blocking access to harmful sites.

Why this answer

Safe Links is the correct answer because it provides URL scanning and real-time click-time verification of links in email messages and Office documents. When a user clicks a link, Defender for Office 365 checks the URL against a dynamic list of known malicious sites and performs a real-time analysis to determine if the link is safe at that moment, protecting against sophisticated phishing attacks that use malicious links.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, but Safe Attachments focuses on file-based malware detonation, not on real-time URL analysis at the moment of click.

How to eliminate wrong answers

Option B (Safe Attachments) is wrong because it scans email attachments for malware by detonating them in a sandbox environment, not by analyzing URLs at the time of click. Option C (Anti-spam) is wrong because it filters incoming email based on spam criteria (e.g., bulk mail, spoofing) and does not perform real-time URL analysis at click time. Option D (Anti-malware) is wrong because it detects and removes known malware signatures from email and files, but it does not provide dynamic, click-time URL verification against phishing links.

1386
MCQ · easy

A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
Answer: B

Integrity ensures that data has not been tampered with or altered, which is directly addressed by digital signatures.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA): the signer computes a hash of the transaction record and signs that hash with the sender's private key. Any alteration to the record after signing causes the signature verification to fail, directly ensuring data integrity. This is why option B is correct.

Exam trap

The trap here is that candidates often confuse non-repudiation (which focuses on proving the origin of the signature) with integrity (which focuses on proving the data has not been altered), but the question's wording 'has not been altered' points directly to integrity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data (e.g., via encryption), not about detecting tampering. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to verifying that a record has not been altered. Option D is wrong because non-repudiation prevents the sender from denying they signed the record, but the question specifically asks about detecting alteration after processing, which is integrity's primary role.

1387
MCQ · medium

An organization uses Microsoft Entra ID for identity management and wants to allow external partners to access their resources using their own corporate credentials. Which feature should they enable?

A.Entra External ID
B.Identity Protection
C.Conditional Access
D.Privileged Identity Management
Answer: A

Entra External ID enables B2B collaboration with external identities.

Why this answer

Entra External ID (formerly Azure AD B2B) enables organizations to invite external partners to access resources using their own corporate credentials. This feature leverages federation protocols such as SAML, WS-Fed, or OpenID Connect to authenticate the partner's identity in their home tenant, eliminating the need for separate local accounts.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy engine) with the ability to invite external identities, mistakenly thinking policies alone can grant external access without a federation mechanism.

How to eliminate wrong answers

Option B is wrong because Identity Protection is a risk-detection service that monitors sign-in anomalies and user risk, not a feature for inviting external users with their own credentials. Option C is wrong because Conditional Access enforces policy-based access controls (e.g., MFA, location) after authentication, but does not itself enable external identity federation. Option D is wrong because Privileged Identity Management manages just-in-time privileged role activation and access reviews for internal users, not external partner authentication.

1388
Multi-Select · easy

Which TWO Microsoft Purview solutions help organizations respond to data subject requests under GDPR?

Select 2 answers
A.eDiscovery
B.Information barriers
C.Data Lifecycle Management
D.Data Loss Prevention (DLP)
E.Communication compliance
Answers: A, C

Searches and exports data for subject access requests.

Why this answer

Correct answers: A and C. eDiscovery helps search for and export personal data, and Data Lifecycle Management helps manage data retention and deletion. Option B is wrong because information barriers restrict communication. Option D is wrong because DLP prevents data loss, not subject requests. Option E is wrong because communication compliance monitors communications.

1389
MCQ · medium

A company uses Microsoft 365 and stores many business documents in SharePoint Online and OneDrive. The security team wants to automatically detect and block malicious files (e.g., those containing ransomware or other malware) that are uploaded to these document libraries. Files should be scanned and held until proven safe. Which Microsoft security solution should they enable to provide this protection?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Identity
C.Microsoft Defender for Office 365
D.Microsoft Defender for Cloud
Answer: C

Defender for Office 365 includes Safe Attachments for SharePoint, OneDrive, and Teams, which scans and blocks malicious files in those locations. It also provides Safe Links and anti-phishing protection.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, which automatically scans files uploaded to these document libraries. If a file is detected as malicious (e.g., ransomware or malware), it is blocked and held in quarantine until it is proven safe, providing the exact protection described in the scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, assuming endpoint protection covers cloud storage scanning, but Safe Attachments is a specific feature of Defender for Office 365 that protects SharePoint and OneDrive at the file level.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on scanning files in cloud storage like SharePoint or OneDrive. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks, not file uploads in cloud document libraries. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution for Azure, AWS, and GCP resources, not for scanning files in Microsoft 365 document libraries.

1390
MCQ · medium

Your organization uses Microsoft Purview eDiscovery (Premium) to manage a legal case. You need to place a hold on custodians' mailboxes and SharePoint sites to preserve relevant data. Which step must you first take in the eDiscovery workflow?

A.Export results
B.Create a case
C.Create a review set
D.Search for content
Answer: B

You must create a case first to manage the legal matter.

Why this answer

In eDiscovery (Premium), you first create a case, then add custodians, and then place holds on their data sources. Option B is correct because creating a case is the first step.

Searching content and collecting it into a review set come after holds; exporting is the final step.

1391
MCQ · hard

A financial services company needs to comply with GDPR and requires that personal data be automatically classified and protected when stored in Microsoft SharePoint and OneDrive. They also need to retain certain records for a minimum of 7 years. Which combination of Microsoft Purview capabilities should they use?

A.Sensitivity labels and data loss prevention (DLP) policies
B.Sensitivity labels and retention labels
C.Data loss prevention (DLP) policies and retention labels
D.eDiscovery and sensitivity labels
Answer: B

Sensitivity labels classify and protect data; retention labels enforce retention periods.

Why this answer

Sensitivity labels classify data and can apply encryption or markings. Retention labels enforce retention or deletion rules. Option A is wrong because DLP policies do not set retention.

Option C is wrong because retention labels do not automatically classify data. Option D is wrong because eDiscovery is for search and export, not classification or retention.

1392
MCQ · easy

Which Microsoft Purview solution should you use to automatically retain or delete content based on regulations?

A.Records Management
B.Communication Compliance
C.Data Loss Prevention (DLP)
D.eDiscovery
Answer: A

Records Management uses retention labels and policies to retain or delete content.

Why this answer

Option A is correct because retention labels and policies in Microsoft Purview Records Management manage data retention and deletion. Option B is incorrect because communication compliance monitors communications. Option C is incorrect because DLP prevents data leaks.

Option D is incorrect because eDiscovery is for legal discovery.

1393
MCQ · medium

A company uses Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) only when users sign in from devices that are not compliant with company security policies. They also want to block sign-ins from unknown geographic locations. Which Microsoft Entra feature should they configure?

A.Identity Protection
B.Privileged Identity Management (PIM)
C.Conditional Access
D.Self-Service Password Reset (SSPR)
Answer: C

Conditional Access enables granular access policies based on conditions like device compliance, location, and risk, meeting the requirements.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that evaluate signals such as device compliance and geographic location before granting access. By configuring a policy that requires MFA for non-compliant devices and blocks sign-ins from unknown locations, the security team can enforce these specific conditions. This granular control is unique to Conditional Access, which integrates with Microsoft Entra ID to enforce access decisions based on real-time risk and context.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access with the broader Conditional Access feature, not realizing that Identity Protection only provides risk signals and requires Conditional Access to enforce the actual MFA or block action.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anonymous IP addresses) but does not natively enforce MFA based on device compliance or block sign-ins from unknown geographic locations; it can trigger Conditional Access policies but is not the feature to configure the rules themselves. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and access reviews, not for enforcing MFA or location-based blocking for regular user sign-ins. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not provide any mechanism to enforce MFA or block sign-ins based on device compliance or geographic location.

1394
Multi-Selectmedium

Which two capabilities are provided by Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Mobile device management (MDM)
B.Conditional Access policies
C.Identity protection with risk-based conditional access
D.Data loss prevention (DLP) for sensitive information
E.Cloud access security broker (CASB)
AnswersB, C

Conditional Access is a core Entra ID feature.

Why this answer

Conditional Access policies (B) are a core capability of Microsoft Entra ID, enabling administrators to enforce access controls based on signals like user location, device state, and application sensitivity. Identity Protection with risk-based conditional access (C) leverages machine learning to detect sign-in and user risks, automatically applying policies to block or require multi-factor authentication. Both are native to Microsoft Entra ID and integral to its identity and access management (IAM) framework.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID's identity-focused capabilities (Conditional Access, Identity Protection) with adjacent security services like Intune (MDM), Microsoft Purview (DLP), and Defender for Cloud Apps (CASB), which are separate products in the Microsoft security stack.

1395
MCQmedium

Your organization is deploying Microsoft Entra ID Governance. You need to automate the process of removing user access to a critical application when the user leaves the company. Which feature should you configure?

A.Privileged Identity Management
B.Entitlement Management
C.Access Reviews
D.Lifecycle Workflows
AnswerB

Entitlement Management can expire access packages automatically when a user is removed from a connected organization.

Why this answer

Option B is correct because Entitlement Management governs access through access packages: when the assignment expires or the user falls out of scope (for example the account is removed from the connected organization or from the directory), the package's group, application and site permissions are removed automatically. Option A is wrong because PIM manages just-in-time activation of privileged roles, not removal of a user's application access. Option C is wrong because Access Reviews depend on a reviewer's decision on a schedule, so removal is periodic rather than triggered by the departure.

Option D is the closest distractor: a Lifecycle Workflows leaver workflow orchestrates offboarding tasks (disable the account, remove group memberships, remove access package assignments) on a trigger such as the employee leave date. The exam key reads the question as governance of the application access itself, which is Entitlement Management; in practice a leaver workflow is the usual way to fire that removal at the moment someone leaves.

1396
Multi-Selecthard

Which THREE Microsoft Purview solutions support data classification and labeling? (Choose THREE.)

Select 3 answers
A.Information Protection
B.Insider Risk Management
C.Data Lifecycle Management
D.Communication Compliance
E.Data Loss Prevention
AnswersA, C, E

Information Protection provides classification and labeling capabilities.

Why this answer

Microsoft Purview Information Protection handles classification and labeling of data. Data Loss Prevention uses labels to enforce policies. Data Lifecycle Management uses labels for retention and deletion.

Communication Compliance monitors communications but does not directly classify or label data. Insider Risk Management identifies risky activities but does not classify data.

1397
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their existing Facebook accounts without creating a separate Microsoft Entra ID account. What should you configure?

A.Configure Microsoft Entra ID Protection
B.Create a Microsoft Entra External ID tenant and add Facebook as an identity provider
C.Enable Microsoft Entra ID Domain Services
D.Configure Microsoft Entra ID Governance
AnswerB

Microsoft Entra External ID (B2C) allows adding social identity providers for customer-facing apps.

Why this answer

Option B is correct because Microsoft Entra External ID (formerly Azure AD B2C) is designed to allow external identities, such as social identity providers like Facebook, to authenticate users without requiring a separate Microsoft Entra ID account. By creating an External ID tenant and adding Facebook as an identity provider, you enable users to sign in using their existing Facebook credentials via OAuth 2.0 or OpenID Connect protocols.

Exam trap

The trap here is that candidates often confuse Microsoft Entra External ID (B2C) with Microsoft Entra ID (Azure AD) itself, assuming social identity providers can be added directly to a standard tenant, but only an External ID tenant supports social identity federation without requiring a separate Microsoft Entra ID account.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security feature that detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), not a mechanism for adding external identity providers like Facebook. Option C is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy on-premises applications, not social identity federation. Option D is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on configuring external authentication sources.

1398
MCQmedium

A company uses Microsoft Entra ID. The security team wants to grant temporary, time-bound administrative access to the Microsoft 365 user management role for IT support staff. The access should require an approval from a senior administrator, and all actions should be audited. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Identity Governance
AnswerC

PIM provides JIT privileged access with activation, approval, and auditing, meeting all stated requirements.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access with time-bound role activation, approval workflows, and full auditing. This directly matches the requirement for temporary, approved administrative access to the Microsoft 365 user management role with audit trails.

Exam trap

The trap here is confusing Identity Governance (which handles access reviews and entitlement management for regular users) with Privileged Identity Management (which specifically handles just-in-time privileged role activation and approval).

How to eliminate wrong answers

Option A is wrong because Conditional Access controls authentication and access policies based on signals like location or device compliance, but it does not provide time-bound role activation or approval workflows for administrative roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role assignments or approvals. Option D is wrong because Identity Governance focuses on access reviews, entitlement management, and lifecycle automation for regular users, not on just-in-time privileged role activation with approval.

1399
MCQeasy

A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?

A.Physical security of the data center
B.Patching the guest operating system
C.Managing user access to the virtual machines
D.Configuring the firewall rules for the virtual network
AnswerA

Correct. In IaaS, Microsoft is responsible for the physical data center security, including access control, surveillance, and environmental controls.

Why this answer

When migrating on-premises virtual machines to Azure IaaS, Microsoft takes over responsibility for the physical security of the data centers, including environmental controls, hardware maintenance, and physical access controls. This is a fundamental shift from the customer's responsibility under the shared responsibility model, where the customer previously managed the physical infrastructure on-premises.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for IaaS with PaaS or SaaS, mistakenly thinking Microsoft handles guest OS patching or network configuration, when in fact those remain customer responsibilities in IaaS.

How to eliminate wrong answers

Option B is wrong because patching the guest operating system remains the customer's responsibility in an IaaS model, as Microsoft only manages the hypervisor and host OS. Option C is wrong because managing user access to the virtual machines (e.g., via Azure RBAC or local accounts) is always the customer's responsibility, as Microsoft has no knowledge of or control over who should access the VMs. Option D is wrong because configuring firewall rules for the virtual network (e.g., Network Security Groups or Azure Firewall policies) is a customer-managed task, as Microsoft only provides the networking infrastructure but does not define traffic rules.

1400
MCQeasy

A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerA

Encryption protects data from unauthorized access, ensuring only authorized parties can read it.

Why this answer

Full disk encryption (FDE) ensures that data stored on the laptop's hard drive is unreadable without the correct decryption key. This directly protects the confidentiality of the data by preventing unauthorized access if the device is lost or stolen, as the encrypted data cannot be deciphered without the key.

Exam trap

The trap here is that candidates often confuse encryption with integrity or availability, mistakenly thinking encryption also prevents data tampering or ensures data is always accessible, but encryption only addresses unauthorized reading (confidentiality).

How to eliminate wrong answers

Option B (Integrity) is wrong because full disk encryption does not protect against unauthorized modification of data; it only prevents unauthorized reading. Option C (Availability) is wrong because encryption does not ensure data is accessible when needed; in fact, a lost key can reduce availability. Option D (Non-repudiation) is wrong because encryption does not provide proof of origin or action; non-repudiation is typically achieved through digital signatures or audit logs.

1401
MCQhard

AdventureWorks, a multinational manufacturing company, uses Microsoft Purview and Microsoft Communication Compliance to monitor and manage internal communications. They need to: (1) detect and review emails containing offensive language or harassment; (2) allow employees to report inappropriate messages; (3) retain reviewed messages for 5 years; (4) ensure that only designated reviewers can access the communication compliance data; (5) integrate with Microsoft Teams and Exchange Online. The company has 10,000 users and Microsoft 365 E5 licenses. The compliance team wants a solution that automates detection and provides secure review. What should they configure?

A.Create a Communication Compliance policy with conditions for offensive language, enable user reporting, and configure a retention policy for 5 years on the reviewer mailbox.
B.Enable mailbox auditing and create a custom script to search for offensive language.
C.Create a Data Loss Prevention (DLP) policy to block offensive language and enable eDiscovery for review.
D.Configure information barriers between departments and use audit logs for review.
AnswerA

Communication Compliance meets all requirements for detection, reporting, retention, and access control.

Why this answer

Option A is correct because a Communication Compliance policy can detect offensive language and harassment with built-in classifiers, accept user-reported messages from Teams, keep reviewed messages under a retention policy, and limit the review data to designated reviewers through the policy's reviewer assignment. Option B is wrong because mailbox auditing and a custom script log and search activity but give no classifier-based detection, no review workflow and no access control on the findings. Option C is wrong because DLP detects sensitive data types, not offensive language, and eDiscovery is a legal search tool rather than a review workflow.

Option D is wrong because information barriers restrict who can communicate with whom; they do not inspect message content, and audit logs record events without reviewing them.

1402
MCQeasy

A company uses Microsoft 365 and needs to prevent employees in the Mergers & Acquisitions (M&A) department from communicating with employees in the Trading department via Microsoft Teams chat, email, and SharePoint sharing. They must ensure that these restrictions are automatically enforced by Microsoft 365. Which Microsoft Purview solution should the administrator configure?

A.Microsoft Purview Information Barriers
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview eDiscovery (Premium)
AnswerA

Information Barriers allow you to restrict communication between defined groups to avoid conflicts of interest. This is the correct solution.

Why this answer

Information Barriers in Microsoft Purview are designed to prevent communication and collaboration between specified groups, helping organizations avoid conflicts of interest and comply with regulations.

1403
MCQmedium

A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?

A.Patching the physical servers hosting the database
B.Managing access controls and authentication for database users
C.Securing the hypervisor running the virtual machines
D.Hardening the network firewalls at the datacenter perimeter
AnswerB

The customer retains responsibility for managing user identities, permissions, and authentication to the database.

Why this answer

In the shared responsibility model for Azure SQL Database, Microsoft manages the physical infrastructure, including servers, storage, and network, while the customer is responsible for data and access management. Option B is correct because managing access controls and authentication for database users, such as configuring logins, users, and permissions via T-SQL or Microsoft Entra ID (formerly Azure Active Directory) authentication, falls squarely on the customer. Microsoft ensures the platform is patched and secure, but the customer must control who can access the database and what they can do.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS and assume the customer is responsible for patching or hypervisor security, but in Azure SQL Database (PaaS), Microsoft handles all infrastructure layers, leaving the customer with the data, identity, access-control and logical configuration responsibilities (for example server-level firewall rules and auditing settings).

How to eliminate wrong answers

Option A is wrong because patching the physical servers hosting the database is the responsibility of Microsoft, not the customer, as Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft handles all underlying hardware and OS patching. Option C is wrong because securing the hypervisor running the virtual machines is also Microsoft's responsibility in the PaaS model; the customer never has access to the hypervisor and cannot be responsible for its security. Option D is wrong because hardening the network firewalls at the datacenter perimeter is managed by Microsoft as part of the physical network infrastructure; the customer only configures Azure network security groups or firewall rules at the logical level, not the physical datacenter perimeter.

1404
MCQmedium

A security administrator needs to enforce that all Microsoft 365 documents containing credit card numbers are automatically encrypted before being shared externally. Which Microsoft Purview solution should they use?

A.Microsoft Purview Audit
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Information Protection
AnswerC

Correct: DLP policies can detect sensitive data and apply encryption automatically.

Why this answer

Data Loss Prevention (DLP) policies detect sensitive information such as credit card numbers in content and take a protective action when that content is shared with people outside the organization, including applying encryption to email; Option C is correct. Option D (Information Protection) supplies sensitivity labels and the encryption behind them, and auto-labeling can apply a label based on content, but the "shared externally" trigger is a DLP condition, so DLP is the policy engine to configure. One caveat for practice: the encrypt action applies to Exchange email, while for files in SharePoint and OneDrive the DLP actions are to block or restrict the external share.

Option A (Audit) records activity for investigation and does not act on content. Option B (Communication Compliance) monitors messages for policy violations such as harassment, not for sensitive data types.

1405
MCQmedium

A healthcare organization uses Microsoft 365 and must comply with HIPAA regulations. They need to assess their current compliance posture, identify gaps, and implement improvement actions. They want a tool that provides a compliance score based on best practices and regulatory frameworks, and offers recommended actions to improve the score. Which Microsoft Purview solution should they use?

A.Compliance Manager
B.Insider Risk Management
C.Communication Compliance
D.Audit
AnswerA

Compliance Manager assesses compliance against standards and recommends actions to improve the score.

Why this answer

Compliance Manager is a Microsoft Purview solution that helps organizations assess their compliance posture against various regulations (including HIPAA) by providing a compliance score and actionable improvement recommendations. Insider Risk Management detects risky user activities. Communication Compliance monitors communications for policy violations.

Audit provides logging capabilities but does not assess compliance posture or provide a score.

1406
MCQhard

During a security incident, a SOC analyst needs to investigate a compromised user account that accessed multiple cloud apps. Which Microsoft Defender XDR feature provides a unified view of the attack timeline across endpoints, identities, and cloud apps?

A.Incident response
B.Microsoft Secure Score
C.Advanced hunting
D.Action center
AnswerA

Incidents aggregate related alerts from all workloads.

Why this answer

Incidents in Microsoft Defender XDR correlate alerts from Defender for Endpoint, Defender for Identity, Defender for Cloud Apps and Defender for Office 365 into one attack story with a shared timeline, so Option A is correct. Option C (Advanced hunting) is a query interface over the raw data; it can reconstruct a timeline but does not present a unified one.

Option B (Secure Score) is for posture improvement. Option D (Action center) tracks and approves remediation actions.

1407
MCQmedium

A company runs Azure SQL databases containing customer transaction data. The security team needs to detect and alert on suspicious database access patterns, such as SQL injection attempts or access from unusual locations. Which Microsoft security solution should they enable?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswerA

Defender for Cloud includes advanced threat protection for Azure SQL databases, detecting suspicious activities like SQL injection and unusual access patterns.

Why this answer

Microsoft Defender for Cloud provides advanced threat protection for Azure SQL databases through its Defender for SQL plan (formerly Advanced Threat Protection for Azure SQL), including anomaly detection for suspicious activities like SQL injection attempts and unusual access patterns. It baselines normal database behavior and raises alerts when deviations occur, such as logins from atypical geographic locations, unusual principals, or query patterns that look like injection or brute force.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud's database-specific threat detection with Microsoft Sentinel's broader SIEM capabilities, but the question explicitly asks for a solution that detects and alerts on suspicious database access patterns, which is a built-in feature of Defender for Cloud, not Sentinel.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (e.g., workstations, servers) from malware and advanced attacks, not on monitoring database access patterns or SQL injection attempts. Option C is wrong because Microsoft Defender for Office 365 is designed to secure email and collaboration tools (e.g., Exchange Online, SharePoint) against phishing and malware, not Azure SQL databases. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution for aggregating and analyzing security logs from multiple sources, but it does not natively provide the built-in, database-specific threat detection for Azure SQL that Defender for Cloud offers; Sentinel would require additional configuration and data ingestion to achieve similar detection.

1408
MCQhard

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender for Endpoint. The query returns no results. What is the most likely cause?

A.The device has a risk score of zero
B.The device runs macOS
C.The analyst lacks permissions to view the device
D.The device is not onboarded to Defender for Endpoint
AnswerD

If the device is not onboarded, no DeviceInfo record exists.

Why this answer

Option D is correct. DeviceInfo is a real advanced hunting table (one row per device report), but rows only exist for devices that have been onboarded to Defender for Endpoint and have a reporting sensor. A query that filters DeviceInfo on a device that was never onboarded does not fail; it simply returns an empty result set, which is exactly what the analyst sees.

Option A is wrong because a device with a zero or low risk score still has DeviceInfo rows; risk is a column value, not a condition for the row to exist. Option B is wrong because DeviceInfo covers macOS as well as Windows and Linux devices (the OSPlatform column records which), so the operating system does not explain an empty result. Option C is the weaker distractor: an analyst without advanced hunting permission is refused the query, which surfaces as an error rather than an empty set. One caveat for practice: when device-group RBAC is in use, hunting results are silently scoped to the groups the analyst's role covers, so an empty set can also mean the device sits in a group the analyst cannot see; check OnboardingStatus and the device group before concluding the device is not onboarded.
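
As an added example (not part of the page or its exhibit), the check a SOC analyst would run to confirm that explanation, using Microsoft Graph PowerShell against the advanced hunting endpoint. The device name, the 30-day window and the assumption that device discovery is enabled are mine, not the page's:

```powershell
# Added example, not from the page or the exhibit. Uses the Microsoft Graph
# advanced hunting endpoint (POST /security/runHuntingQuery), which needs the
# ThreatHunting.Read.All scope. The device name below is assumed.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

$deviceName = "WS-FINANCE-042"   # assumed; the exhibit's device is not on this page

# Step 1: the DeviceInfo row the exhibit's query is looking for. arg_max keeps
# only the latest report per device; OnboardingStatus and SensorHealthState
# say whether a sensor is actually reporting for it.
$kqlDevice = @"
DeviceInfo
| where Timestamp > ago(30d)
| where DeviceName =~ "$deviceName" or DeviceName startswith "$deviceName."
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceName, DeviceId, OSPlatform, OnboardingStatus, SensorHealthState, MachineGroup
"@

# Step 2: if step 1 is empty, ask whether the device was seen by device
# discovery from an onboarded neighbour without ever being onboarded itself.
# Those rows land in DeviceInfo with an OnboardingStatus other than "Onboarded"
# (assumes device discovery is turned on in the tenant).
$kqlDiscovered = @"
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, OSPlatform, OnboardingStatus, DeviceCategory
| order by DeviceName asc
"@

function Invoke-HuntingQuery([string] $Query) {
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body @{ Query = $Query }
    # results come back as hashtables; turn them into objects for Format-Table
    return @($resp.results | ForEach-Object { [pscustomobject]$_ })
}

$rows = Invoke-HuntingQuery $kqlDevice
if (@($rows).Count -eq 0) {
    "No DeviceInfo row for '$deviceName' in 30 days: the device is not reporting to Defender for Endpoint."
    "Devices seen by discovery but not onboarded:"
    Invoke-HuntingQuery $kqlDiscovered | Format-Table -AutoSize
} else {
    $rows | Format-Table -AutoSize
}
```

If step 1 is empty but the device shows up in step 2, the cause is the one the key expects: the machine exists on the network but has never been onboarded. If it appears in neither, either it has never been seen by any sensor or it sits in a device group outside the analyst's RBAC scope, which is why the query is worth running from an account with tenant-wide hunting rights before escalating.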

1409
MCQeasy

Refer to the exhibit. The JSON shows a Conditional Access policy. What is the primary purpose of this policy?

A.Block legacy authentication protocols
B.Require MFA for all applications
C.Disable the policy for emergency access
D.Allow only iOS devices
AnswerA

The policy blocks client app types that use legacy protocols.

Why this answer

The policy targets 'Block legacy authentication' by applying a condition that blocks authentication attempts using legacy protocols (e.g., POP3, IMAP4, SMTP, ActiveSync) which do not support modern authentication methods like MFA. This is a common security measure to prevent credential-stuffing and password-spray attacks that exploit the lack of MFA enforcement in legacy protocols.

Exam trap

The trap here is that candidates often confuse 'blocking legacy authentication' with 'requiring MFA' — the policy blocks the protocol entirely rather than prompting for an additional factor, which is a distinct control in Conditional Access.

How to eliminate wrong answers

Option B is wrong because the policy does not require MFA; it explicitly blocks authentication entirely, not just requiring an additional factor. Option C is wrong because the policy does not include any exclusion for emergency access accounts (e.g., break-glass accounts) — it applies to all users unless a separate exclusion is configured. Option D is wrong because the policy does not filter by device platform (iOS) — it targets authentication protocol, not device type.
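
Since the exhibit itself is not on this page, here is an added example (mine, not the page's or Microsoft's) that creates the three Conditional Access policies discussed in question 1393 (MFA only on non-compliant devices, block untrusted locations) and in this question (block legacy authentication) with the Microsoft Graph PowerShell SDK. The break-glass account UPN, the policy names and the report-only starting state are assumptions:

```powershell
# Added example, not from the page. Microsoft Graph PowerShell SDK; needs the
# Policy.ReadWrite.ConditionalAccess scope (and User.Read.All for the lookup).
# Policy names and the break-glass UPN are assumed.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Every policy excludes the emergency-access account so a mistake cannot lock
# the tenant out (this question's point: a block policy with no exclusion
# applies to everyone, break-glass included).
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id   # assumed UPN

$users = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
$apps  = @{ includeApplications = @("All") }

$policies = @(
    # Q1393, part 1: MFA only when the device is NOT compliant. A device filter
    # on the compliance attribute scopes the policy to those devices, so
    # compliant devices never see the prompt.
    @{
        displayName   = "CA01 - Require MFA on non-compliant devices"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @("all")
            devices        = @{ deviceFilter = @{ mode = "include"; rule = 'device.isCompliant -ne True' } }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    # Q1393, part 2: block sign-ins from any location that is not a trusted
    # named location. "AllTrusted" is the built-in alias for named locations
    # marked as trusted; define those before enabling this policy.
    @{
        displayName   = "CA02 - Block sign-in from untrusted locations"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # Q1409: block legacy authentication. Legacy protocols arrive as the
    # "exchangeActiveSync" and "other" client app types; the control is block,
    # not mfa, because these clients cannot complete an MFA challenge.
    @{
        displayName   = "CA03 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $users
            applications   = $apps
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0,-50} {1} {2}" -f $created.DisplayName, $created.Id, $created.State
}

# After reviewing report-only results in the sign-in logs, enforce one policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }
```

All three start in report-only mode on purpose: the sign-in log shows which users and clients each policy would have hit, which is how you find the service account still on IMAP or the office whose IP range was never added as a trusted location, before the block is real.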

1410
MCQmedium

A global company uses Microsoft Teams and SharePoint Online. They need to automatically detect and prevent sharing of intellectual property files containing 'Project X' with external users. What should they configure?

A.Microsoft Entra ID Access Reviews
B.Microsoft Purview Sensitivity Labels
C.Microsoft Purview Data Loss Prevention policy for SharePoint and OneDrive
D.Microsoft Defender for Cloud Apps Session Policy
AnswerC

DLP policies can detect and block sharing of sensitive content.

Why this answer

Option C is correct because a Microsoft Purview DLP policy scoped to SharePoint, OneDrive and Teams can detect content that matches a condition and block the sharing action when the recipient is outside the organization. Note that "Project X" is a project code name, so the condition needs a custom sensitive information type (keyword or regex) or a trainable classifier; the built-in types do not cover it. Option B is wrong because sensitivity labels classify and can encrypt content, but a label by itself does not evaluate or block an external sharing event; that enforcement is a DLP rule, which can use the label as one of its conditions. Option D is wrong because a Defender for Cloud Apps session policy controls in-session behaviour for SaaS apps routed through Conditional Access App Control; it is not the native Microsoft 365 control for this scenario.

Option A is wrong because Microsoft Entra ID Access Reviews are an identity governance control for re-certifying group and application access, not a content control.
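
As an added example (mine, not from the page), the Security & Compliance PowerShell configuration behind both this question and question 1404: one DLP policy with a rule that encrypts outbound mail carrying a credit card number and a rule that blocks external sharing of files matching the "Project X" detection. The policy and rule names, the admin account and the custom sensitive information type name are assumptions; the custom type must already exist:

```powershell
# Added example, not from the page. Security & Compliance PowerShell
# (ExchangeOnlineManagement module, Connect-IPPSSession). Names below are assumed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.onmicrosoft.com"   # assumed account

$policyName = "Protect payment data and Project X"   # assumed policy name

# 1. The policy fixes the locations. It starts in test mode so the DLP reports
#    can be read before anything is blocked or encrypted for real users.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Q1404: encrypt mail with card numbers; Q1410: block external sharing of Project X files"

# 2. Q1404 rule: mail that contains a card number and leaves the tenant is
#    encrypted with the default "Encrypt" message-encryption template rather
#    than blocked. The encrypt action only applies to Exchange.
New-DlpComplianceRule -Name "Encrypt card numbers sent externally" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains a payment card number and will be encrypted." `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Medium

# 3. Q1410 rule: files matching the Project X detection that are shared with
#    anyone outside the organization are blocked for everyone. Built-in types
#    do not know project code names, so "Project X keyword" is an assumed
#    custom sensitive information type created beforehand (keyword/regex).
New-DlpComplianceRule -Name "Block external sharing of Project X" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Project X keyword"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 4. Confirm the rules before switching the policy on.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, AccessScope, BlockAccess, EncryptRMSTemplate, Disabled -AutoSize

# When the test-mode reports look right:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two rules show the difference the page draws between the questions: the Exchange rule keeps the data flowing but wrapped in encryption, while the SharePoint/OneDrive/Teams rule has no encrypt action available and so blocks the external share outright.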

1411
MCQmedium

Your company is implementing a hybrid identity solution with Microsoft Entra ID. Users report that they can sign in to Microsoft 365 but cannot access on-premises applications that are configured for integrated Windows authentication. You need to ensure seamless single sign-on (SSO) for both cloud and on-premises resources. What should you implement?

A.Implement Passthrough Authentication.
B.Deploy Active Directory Federation Services (AD FS).
C.Enable Microsoft Entra seamless SSO.
D.Configure password hash synchronization.
AnswerC

Seamless SSO provides automatic sign-in for domain-joined devices, covering both cloud and on-premises.

Why this answer

Microsoft Entra seamless SSO (Seamless SSO) is the correct choice because it automatically signs in users on domain-joined corporate devices connected to the corporate network: the device already holds a Kerberos TGT from the on-premises domain, the browser obtains a service ticket for the AZUREADSSOACC computer account that Microsoft Entra Connect creates in Active Directory, and Microsoft Entra ID validates that ticket and signs the user in. That same domain logon is what on-premises applications configured for Integrated Windows Authentication (IWA) accept, so users are not prompted again when moving between Microsoft 365 and on-premises apps.

Exam trap

The trap here is that candidates often assume Passthrough Authentication or password hash synchronization provide SSO on their own, but both are sign-in methods that only decide how the password is verified; neither issues the Kerberos-based automatic sign-in that Seamless SSO adds on top of them, which is the specific need in this scenario.

How to eliminate wrong answers

Option A is wrong because Passthrough Authentication validates passwords against on-premises Active Directory but does not by itself provide the Kerberos-based automatic sign-in to Microsoft Entra ID; it only handles how cloud authentication is verified, and Seamless SSO is enabled alongside it, not instead of it. Option B is wrong because Active Directory Federation Services (AD FS) is a more complex on-premises federation solution that can provide SSO, but it adds infrastructure the scenario does not need when Seamless SSO achieves the goal with the existing Microsoft Entra Connect deployment. Option D is wrong because password hash synchronization only synchronizes password hashes to the cloud for cloud authentication; like PTA, it is a sign-in method that Seamless SSO is layered on top of rather than an SSO mechanism for IWA applications.
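
The checks a practitioner would run when Seamless SSO does not kick in, as an added example that is not part of the page. Run it on a domain-joined Windows client as the affected user; it needs the RSAT Active Directory module. The registry locations are the ones the Site-to-Zone Assignment GPO writes and are an assumption for your environment:

```powershell
# Added example, not from the page. Verifies the three things Seamless SSO
# depends on: the AZUREADSSOACC computer account and its key age, the SSO
# endpoint being in the Local intranet zone, and the Kerberos ticket itself.
Import-Module ActiveDirectory

# 1. The computer account Seamless SSO authenticates against. Entra ID
#    validates a Kerberos service ticket for it, so it must exist, and
#    Microsoft recommends rolling its Kerberos key at least every 30 days.
$sso = Get-ADComputer -Identity "AZUREADSSOACC" -Properties PasswordLastSet, ServicePrincipalNames
$sso.ServicePrincipalNames | Where-Object { $_ -like "HTTP/*" }
$keyAge = (Get-Date) - $sso.PasswordLastSet
if ($keyAge.TotalDays -gt 30) {
    Write-Warning ("AZUREADSSOACC key is {0} days old; roll it on the Connect server with Update-AzureADSSOForest." -f [int]$keyAge.TotalDays)
}

# 2. The browser only sends Kerberos to the SSO endpoint if that URL is in the
#    Local intranet zone (zone 1). GPO-pushed Site-to-Zone entries land under
#    these Policies keys (assumed paths).
$ssoUrl   = "https://autologon.microsoftazuread-sso.com"
$zoneKeys = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
    "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
)
$inIntranetZone = $false
foreach ($key in $zoneKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -eq $ssoUrl }
    if ($entry -and "$($entry.Value)" -eq "1") { $inIntranetZone = $true }
}
if (-not $inIntranetZone) {
    Write-Warning "$ssoUrl is not assigned to the Local intranet zone; the browser will not attempt Kerberos."
}

# 3. Can this logon session actually get the ticket? klist get asks the KDC
#    for the service ticket the SSO endpoint will be presented with; a failure
#    here points at the SPN, the key, or basic domain connectivity.
klist get HTTP/autologon.microsoftazuread-sso.com
klist | Select-String "autologon.microsoftazuread-sso.com"
```

If step 3 succeeds but Microsoft 365 still prompts for a password, the client side is fine and the problem is on the Entra side (the feature not enabled for that forest, or a stale key after a rollover), which is where Microsoft Entra Connect's Seamless SSO status should be checked next.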
