Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 76-150

1411 questions total · 19 pages · All types, answers revealed

Page 2 of 19

76
MCQ · easy

A company uses Microsoft Intune to manage its devices. The security team wants to enforce that all devices running Windows 11 must have BitLocker enabled and a minimum operating system build version. Which Intune policy type should they use?

A. Configuration profile
B. Enrollment restriction
C. App protection policy
D. Compliance policy
Answer: D

Compliance policies enforce conditions like encryption and OS version.

Why this answer

Option D is correct because compliance policies enforce device compliance rules like BitLocker and OS version. Option A is wrong because configuration profiles configure settings, not compliance. Option C is wrong because app protection policies manage data on mobile apps. Option B is wrong because enrollment restrictions limit device enrollment.

77
MCQ · medium

An organization uses Microsoft 365. They need to prevent users from sharing credit card numbers in emails and Microsoft Teams messages. When a user attempts to share such sensitive information externally, the message should be blocked and the user should receive a policy tip notification. Which Microsoft Purview solution should they configure?

A. Data Lifecycle Management
B. Data Loss Prevention (DLP)
C. Insider Risk Management
D. Information Protection
Answer: B

DLP policies are designed to detect and prevent accidental sharing of sensitive information, with the ability to block and notify users.

Why this answer

Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and protect sensitive information, such as credit card numbers, through deep content analysis using built-in sensitive information types. DLP policies can be configured to block the sharing of this data in emails and Microsoft Teams messages and to display a policy tip notification to the user, enforcing compliance in real time.

Exam trap

The trap here is that candidates often confuse Information Protection (sensitivity labels) with DLP, not realizing that DLP is the solution for actively blocking and notifying on sensitive data in transit, while Information Protection is for classification and persistent protection of data at rest.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining, deleting, and managing the lifecycle of data based on policies, not on preventing the sharing of sensitive information in transit. Option C is wrong because Insider Risk Management is designed to detect, investigate, and act on risky user activities (e.g., data theft or policy violations) based on behavioral analytics, not to block specific content like credit card numbers in messages. Option D is wrong because Information Protection (e.g., sensitivity labels and encryption) is used to classify and protect data at rest and in use, but it does not natively block sharing of specific sensitive data types in emails or Teams messages with policy tips; that is a DLP function.

78
MCQ · medium

A company uses Microsoft Entra ID. They want to ensure that only users with a specific role can reset passwords for other users in their organization. Which feature should they use?

A. Privileged Identity Management
B. Conditional Access
C. Administrative Units
D. Identity Protection
Answer: C

Administrative Units let you define a scope (e.g., all users in Sales) and assign administrative roles that are limited to that scope, such as password reset.

Why this answer

Administrative Units allow you to delegate administrative tasks, such as password resets, to users who have a specific role scoped to a subset of users. By assigning the Helpdesk Administrator role to an Administrative Unit, you ensure that only those users can reset passwords for members of that unit, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with role-based delegation, but PIM controls when a role is active, not who can perform a specific action on a specific set of users.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) provides time-based and approval-based role activation to reduce standing access, but it does not scope password reset permissions to specific users; it manages role eligibility and activation. Option B is wrong because Conditional Access enforces access controls based on signals like location or device state, but it does not delegate or restrict who can perform administrative tasks like password resets. Option D is wrong because Identity Protection detects and responds to identity-based risks, such as leaked credentials or suspicious sign-ins, but it does not control which users have permission to reset passwords.

79
MCQ · easy

A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?

A. Defense in depth
B. Zero Trust
C. Shared responsibility
D. Least privilege
Answer: B

Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, even from inside the network.

Why this answer

The Zero Trust security principle is based on the assumption that an attacker may already be inside the network, so no user or device is automatically trusted, regardless of location. This model requires continuous verification for every access request, enforcing strict identity verification and least-privilege access controls at each step. The scenario directly describes the core tenet of Zero Trust: 'never trust, always verify.'

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth because both involve multiple security layers, but Zero Trust specifically requires continuous verification and assumes breach, whereas defense in depth does not mandate per-request trust evaluation.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS/IPS, antivirus) to protect assets, but it does not inherently assume a breach or require continuous verification for every access request. Option C is wrong because shared responsibility is a cloud security model that delineates security obligations between the provider and customer, not a principle for internal network access decisions. Option D is wrong because least privilege restricts user permissions to the minimum necessary, but it does not address the continuous verification or the assumption of an active breach inside the network.

80
MCQ · hard

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender XDR. The security team needs to determine if the file 'invoice.docm' is known malware and if other devices in the organization have this file. What should they do next?

A. Isolate the device DESKTOP-01 immediately
B. Trigger the automated investigation for this alert
C. Review the user jdoe's recent activities
D. Search in Advanced Hunting for the file's SHA256 hash across all devices
Answer: D

Advanced Hunting allows querying for the file hash across the organization to find other affected devices.

Why this answer

Option D is correct because the file SHA256 allows querying threat intelligence and hunting for the file across devices. Option A is wrong because the alert is already triggered. Option B is wrong because the device is already identified. Option C is wrong because the user action is already captured.

81
Multi-Select · hard

Which THREE are benefits of using Microsoft Entra ID as an identity provider? (Choose three.)

Select 3 answers
A. Web application hosting
B. Conditional Access policies
C. Centralized database management
D. Multifactor authentication
E. Single sign-on to thousands of cloud apps
Answers: B, D, E

Enables policy-based access control.

Why this answer

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management service. Conditional Access policies (B) are a core feature that allow you to enforce access controls based on signals like user, location, and device state, making it a direct benefit of using Entra ID as an identity provider.

Exam trap

The trap here is that candidates confuse the identity provider's capabilities (like SSO, MFA, and Conditional Access) with unrelated Azure services (like App Service for hosting or Azure SQL for database management), leading them to select options that are not identity-specific.

82
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Purview? (Choose three.)

Select 3 answers
A. Data classification and labeling
B. Data lifecycle management and retention
C. Data loss prevention (DLP)
D. Identity protection and risk detection
E. Threat and vulnerability management
Answers: A, B, C

Purview classifies and labels sensitive data.

Why this answer

Microsoft Purview offers data classification, data loss prevention, and data lifecycle management. Option D is a Microsoft Entra feature; Option E is a Microsoft Defender feature.

83
MCQ · easy

A company uses Microsoft Entra ID. The security manager wants to provide temporary, time-bound elevated access to the Global Administrator role only when needed, and require approval from a designated approver. Which Microsoft Entra ID capability should they use?

A. Microsoft Entra Conditional Access
B. Microsoft Entra Privileged Identity Management (PIM)
C. Microsoft Entra Identity Protection
D. Microsoft Entra Identity Governance (Access Reviews)
Answer: B

PIM provides just-in-time activation of privileged roles with workflows, time-bound access, and approval requirements, meeting all the stated needs.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing users to activate the Global Administrator role for a limited, time-bound duration only when needed, and it enforces approval workflows from designated approvers. This directly matches the security manager's requirement for temporary, approval-based elevation.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls sign-in conditions) with PIM (which controls role activation), leading them to pick A because they think 'time-bound' refers to session timeout policies rather than role activation duration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access controls access based on conditions like location or device compliance, but it does not provide time-bound role activation or approval workflows for privileged roles. Option C is wrong because Microsoft Entra Identity Protection detects and responds to identity risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role activation or approval. Option D is wrong because Microsoft Entra Identity Governance (Access Reviews) is used for periodic certification of group memberships or role assignments, not for on-demand, time-bound elevation with approval.

84
Multi-Select · medium

Which THREE of the following are capabilities of Microsoft Defender for Office 365?

Select 3 answers
A. Safe Links protection in email and Office documents
B. Anti-phishing policies to protect against impersonation
C. Cloud discovery of unsanctioned SaaS apps
D. Device compliance policies for mobile devices
E. Safe Attachments scanning in email
Answers: A, B, E

Safe Links protects users from malicious URLs.

Why this answer

Safe Links is a core capability of Microsoft Defender for Office 365 that proactively scans URLs in email messages and Office documents (like Word, Excel, and PowerPoint) at the time of click. It rewrites links to route through Microsoft's protection infrastructure, blocking access to malicious or phishing websites in real time. This protects users from zero-hour threats that may not yet be detected by traditional signature-based filters.

Exam trap

The trap here is that candidates confuse the scope of Microsoft Defender for Office 365 with other Microsoft 365 security products, mistakenly attributing cloud discovery (Defender for Cloud Apps) or device compliance (Intune) to Defender for Office 365, which is strictly focused on email and Office document protection.

85
MCQ · medium

A company uses Microsoft Entra ID. The security team wants to configure a policy so that when a user signs in from an unfamiliar location (not on the company's trusted IP ranges) or from an unfamiliar device, they are prompted for additional verification (e.g., MFA). However, if the sign-in is from a trusted location (e.g., office IP range) and a known device, no additional verification is required. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID Protection
B. Microsoft Entra Conditional Access
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Access Reviews
Answer: B

Conditional Access enables policies that evaluate conditions including user/group, location (via named locations), device state (compliant, domain-joined), and application. It can require MFA for untrusted locations/devices and allow access without MFA for trusted ones.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it allows administrators to define policies that evaluate sign-in context—such as user location (via named locations with trusted IP ranges) and device state (compliant or hybrid Azure AD joined)—and then enforce actions like requiring MFA only when conditions are not met. This directly matches the requirement to prompt for additional verification from unfamiliar locations or devices while skipping it for trusted ones.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection with Conditional Access, but ID Protection provides risk signals (e.g., unfamiliar sign-in properties) that can be used by Conditional Access policies, not the policy engine itself that enforces location- and device-based MFA prompts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and responding to identity risks (e.g., leaked credentials, anonymous IP addresses) and can trigger MFA based on risk level, but it does not natively evaluate trusted IP ranges or known device states for conditional access decisions without being combined with Conditional Access policies. Option C is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and access governance, not for controlling sign-in conditions based on location or device familiarity. Option D is wrong because Access Reviews are used to periodically review and certify group memberships, application access, or role assignments, not to enforce real-time authentication policies based on sign-in context.

86
Matching · medium

Match each Microsoft security feature to its primary purpose.

Concepts
Matches

Detect and remediate identity-based risks

Discover and control cloud app usage

Classify and protect sensitive data

Protect devices from threats

Shadow IT discovery and threat protection

Why these pairings

These are core Microsoft 365 security features for identity, data, and endpoint protection.

87
MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. What will this policy do?

A. Block access when user risk is medium or high
B. Block sign-ins when sign-in risk is high
C. Require MFA when user risk is high
D. Block access when user risk is high
Answer: D

Policy blocks based on high user risk.

Why this answer

The policy JSON specifies `"userRiskLevels": ["high"]` and `"builtInControls": ["block"]`, meaning it blocks access when the user risk level is high. User risk reflects the likelihood that the user's identity is compromised, based on Microsoft's risk detection signals. Option D correctly identifies this behavior.

Exam trap

The trap here is confusing user risk with sign-in risk; candidates often pick 'block sign-ins when sign-in risk is high' because they overlook the `userRiskLevels` field in the JSON and assume the policy targets sign-in risk instead.

How to eliminate wrong answers

Option A is wrong because the policy only targets user risk level 'high', not 'medium or high'; Conditional Access policies require explicit risk level values. Option B is wrong because the policy evaluates user risk, not sign-in risk (which would use `signInRiskLevels` in the JSON). Option C is wrong because the policy's control is 'block', not 'require MFA'; requiring MFA would use `"mfa"` in the `builtInControls` array.

88
MCQ · easy

Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID capability helps verify the identity of users before granting access to resources?

A. Microsoft Entra ID Connect
B. Microsoft Entra ID Domain Services
C. Microsoft Entra ID Governance
D. Microsoft Entra ID Protection
Answer: D

Evaluates user and sign-in risks to enforce conditional access policies.

Why this answer

Microsoft Entra ID Protection (D) is the correct answer because it directly addresses the Zero Trust principle of 'verify explicitly' by using real-time risk detection and conditional access policies to verify user identity before granting access. It evaluates sign-in risk, user risk, and enforces policies like multi-factor authentication (MFA) or blocking access when suspicious activity is detected, ensuring that only legitimate users can access resources.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection with Microsoft Entra ID Governance, mistakenly thinking that governance policies (like access reviews) verify identity, when in fact governance manages permissions after access is granted, not the real-time verification required by Zero Trust.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Connect is a tool for synchronizing on-premises Active Directory objects to Microsoft Entra ID, not for verifying user identity at access time. Option B is wrong because Microsoft Entra ID Domain Services provides managed domain services like Kerberos and LDAP for legacy applications, but it does not perform identity verification or risk-based access control. Option C is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on real-time identity verification or risk assessment during authentication.

89
MCQ · medium

A security architect is designing a Zero Trust strategy. Which principle ensures that network location alone does not grant trust, and all access requests must be verified?

A. Verify explicitly
B. Least privilege
C. Assume breach
D. Segregation of duties
Answer: A

Correct. Verify Explicitly is the Zero Trust principle that requires continuous verification of every access request regardless of network location. It ensures that no implicit trust is granted based on being inside the corporate network.

Why this answer

The 'Verify explicitly' principle is the core of Zero Trust, stating that every access request must be authenticated and authorized based on all available data points—including user identity, device health, location, and data sensitivity—regardless of network location. This ensures that being on a corporate network does not automatically grant trust, as all requests are verified in real time.

Exam trap

The trap here is that candidates often confuse 'Least privilege' with 'Verify explicitly' because both involve access control, but 'Least privilege' is about limiting permissions after trust is established, not about verifying trust based on network location.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting access rights to the minimum necessary for a user to perform their job, not on verifying every request regardless of network location. Option C (Assume breach) is wrong because it is a design mindset that assumes an attacker is already present, guiding segmentation and monitoring, but it does not directly address the verification of access requests based on network location. Option D (Segregation of duties) is wrong because it is a compliance and risk management principle that prevents conflicts of interest by dividing responsibilities among multiple people, not a Zero Trust verification principle.

90
MCQ · hard

A company uses Salesforce and Box as cloud apps. The security team discovers that a third-party OAuth app with excessive permissions was granted access to Salesforce data by a user. They want a solution that can detect such risky OAuth apps and automatically revoke their permissions based on policy. Which Microsoft security solution provides this capability?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Sentinel
Answer: A

Correct. Defender for Cloud Apps can discover and assess OAuth apps, and with its OAuth app policies, it can automatically revoke permissions for high-risk apps.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) that provides visibility into third-party OAuth apps connected to cloud services like Salesforce and Box. It can detect OAuth apps with excessive permissions and automatically revoke them based on conditional access or app governance policies, making it the correct solution for this scenario.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming the latter covers all cloud app security, when in reality MDCA is the dedicated CASB for multi-SaaS environments like Salesforce and Box.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on monitoring or controlling OAuth permissions in SaaS applications. Option C (Microsoft Defender for Office 365) is wrong because it protects Exchange Online, SharePoint, and Teams from threats like phishing and malware, but does not manage OAuth app permissions in third-party SaaS apps like Salesforce. Option D (Microsoft Sentinel) is wrong because it is a Security Information and Event Management (SIEM) solution that ingests logs and generates alerts, but it lacks native capabilities to automatically revoke OAuth app permissions; it would require custom playbooks or integration with MDCA for such actions.

91
MCQ · easy

You are the security administrator for a small business that uses Microsoft 365 Business Premium. The company wants to enable multi-factor authentication (MFA) for all users. You need to ensure that users are prompted for MFA when they sign in from unfamiliar locations or devices. The solution should be easy to deploy without additional licensing. Which of the following should you configure?

A. Create a conditional access policy in Microsoft Entra ID that requires MFA for all cloud apps
B. Enable security defaults in Microsoft Entra ID
C. Deploy the Microsoft Authenticator app and instruct users to enable it
D. Configure identity protection to enable risk-based MFA
Answer: B

Security defaults provide a baseline of security including MFA for all users, and are included in all licensing tiers.

Why this answer

Option B is correct because security defaults are a pre-configured set of security policies that include MFA based on risk. Option A is incorrect because conditional access policies require Azure AD Premium licenses, which are not included in Business Premium. Option D is incorrect because risk-based policies require Azure AD Premium P2. Option C is incorrect because the Microsoft Authenticator app alone does not enforce MFA.

92
MCQ · hard

Your organization plans to migrate from on-premises Active Directory to Microsoft Entra ID. You need to design the identity synchronization strategy to support password hash synchronization and password writeback. Which tool should you use?

A. Microsoft Identity Manager
B. Active Directory Federation Services
C. Microsoft Entra Cloud Sync
D. Microsoft Entra Connect
Answer: D

Entra Connect supports password hash sync and writeback.

Why this answer

Microsoft Entra Connect is the correct tool because it supports both password hash synchronization and password writeback, which are required for the migration scenario. Password hash sync synchronizes a hash of the on-premises AD password to Entra ID, while password writeback enables password changes in the cloud to be written back to on-premises AD. Entra Connect is the primary hybrid identity tool that integrates on-premises directories with Microsoft Entra ID, offering these features natively.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Cloud Sync with Entra Connect, assuming Cloud Sync supports all the same features, but Cloud Sync lacks password writeback support, making it unsuitable for this requirement.

How to eliminate wrong answers

Option A is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution for managing users and groups across multiple directories, but it does not directly support password hash synchronization or password writeback to Entra ID; those features are specific to Entra Connect. Option B is wrong because Active Directory Federation Services (AD FS) is a federation service that provides single sign-on (SSO) and claims-based authentication, but it does not perform password hash synchronization or password writeback; it relies on federation trust rather than password sync. Option C is wrong because Microsoft Entra Cloud Sync is a lightweight agent designed for syncing users from on-premises AD to Entra ID, but it does not support password writeback; password writeback requires the full Entra Connect installation.

93
Matching · medium

Match each Microsoft 365 compliance feature to its function.

Concepts
Matches

Prevent accidental sharing of sensitive info

Record user and admin activity

Keep or delete data for a specified time

Classify and protect content

Track compliance posture and recommendations

Why these pairings

These features help organizations manage compliance in Microsoft 365.

94
MCQ · easy

A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?

A. Authentication
B. Authorization
C. Accounting
D. Non-repudiation
Answer: B

Authorization determines what a user can access based on permissions and group membership, which is exactly why the user was denied access.

Why this answer

The access denial occurs because the user lacks the necessary permissions to open the financial report, even though their identity was verified. This is the core function of authorization, which determines what resources an authenticated user can access. In this scenario, the user is authenticated but not authorized to access the report due to missing group membership.

Exam trap

The trap here is confusing authentication (verifying identity) with authorization (granting permissions), leading candidates to select 'Authentication' because they focus on the successful login rather than the subsequent access denial.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (username and password), which already succeeded before the access denial. Option C is wrong because accounting (auditing) tracks user activities and resource usage for logging and compliance, not access control decisions. Option D is wrong because non-repudiation ensures a user cannot deny an action, typically achieved through digital signatures or audit logs, and is unrelated to permission checks.

95
MCQ · medium

A company wants to prevent users from setting weak passwords that are commonly found in leaked databases. They use Microsoft Entra ID. Which feature should they enable?

A. Microsoft Entra ID Protection
B. Microsoft Entra ID Password Protection
C. Microsoft Entra ID Privileged Identity Management
D. Microsoft Entra ID Conditional Access
Answer: B

Correct. This feature enforces password policies by banning common passwords from a global and custom list, reducing password-related risks.

Why this answer

Microsoft Entra ID Password Protection is the correct feature because it specifically blocks weak passwords by comparing them against a global list of commonly compromised passwords (e.g., from leaked databases) and an optional custom banned password list. This feature enforces password strength at the time of creation or reset, preventing users from setting passwords that appear in known breaches.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which alerts on leaked credentials after they are used) with Password Protection (which proactively blocks weak passwords at creation), leading them to choose the risk-detection feature instead of the prevention feature.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce password policies or block weak passwords at creation. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not password strength enforcement. Option D is wrong because Conditional Access evaluates sign-in conditions (e.g., location, device compliance) to grant or block access, but it does not validate or block weak passwords during password setting.

96
MCQ · easy

A company uses a hashing algorithm to verify that a downloaded software file has not been tampered with during transmission. This practice primarily protects which security principle?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data is accurate and unaltered. Hashing verifies that the file has not been modified.

Why this answer

Hashing algorithms, such as SHA-256, produce a fixed-size hash value that acts as a digital fingerprint of the file. By comparing the hash of the downloaded file with the hash provided by the publisher, any change to the file—even a single bit—results in a completely different hash, immediately detecting tampering. This directly protects the integrity of the data by ensuring it has not been altered during transmission.

Exam trap

The trap here is that candidates often confuse hashing with encryption and select 'Confidentiality' (Option A), not realizing that hashing is a one-way function that detects changes but does not hide the data.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES, TLS), not hashing. Option C is wrong because availability ensures systems and data are accessible when needed, which is protected by redundancy, backups, and DDoS mitigation, not by verifying file integrity. Option D is wrong because non-repudiation provides proof of origin or delivery, often using digital signatures (e.g., RSA, ECDSA) that combine hashing with asymmetric encryption, whereas hashing alone cannot prove who created the hash.

97
MCQ · medium

You run the Microsoft Graph PowerShell command in the exhibit. What information does this command retrieve about the user?

A. The user's license assignments
B. The user's last sign-in dates
C. The user's assigned roles
D. The user's group memberships
Answer: B

The SignInActivity property shows last interactive and non-interactive sign-in dates.

Why this answer

Option C is correct because the command uses Get-MgUser with the SignInActivity property to retrieve last sign-in times. Option A is wrong because it does not show group memberships. Option B is wrong because it shows sign-in times, not licenses.

Option D is wrong because it shows the user's details, not license assignments.

98
Multi-Select · easy

Your organization wants to implement a Zero Trust security model. Which TWO principles are part of the Zero Trust model? (Select TWO.)

Select 2 answers
A. Assume breach
B. Grant access based on IP address
C. Verify explicitly
D. Rely on network perimeter security
E. Use implicit trust for internal traffic
Answers: A, C

Assume breach is a key principle of Zero Trust.

Why this answer

Options A and D are correct: Zero Trust assumes breach and verifies explicitly. Option B is wrong because implicit trust is not part of Zero Trust. Option C is wrong because network perimeter is the traditional model.

Option E is wrong because perimeter-based access is not Zero Trust.

99
MCQ · easy

A security analyst needs to investigate a potential data exfiltration incident involving sensitive files being sent via email. Which Microsoft Purview solution provides the necessary monitoring?

A. Microsoft Purview Compliance Manager
B. Microsoft Purview Insider Risk Management
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Audit
Answer: C

Correct: DLP monitors email for sensitive data.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies monitor and control sensitive data in email and other locations.

100
MCQ · easy

Your organization uses Microsoft Entra ID and wants to automatically block sign-ins from users located in countries that are not approved for business operations. Which Microsoft Entra ID feature should you configure?

A. Privileged Identity Management
B. Terms of Use
C. Conditional Access with Named Locations
D. Identity Protection user risk policy
Answer: C

Correct: Conditional Access policies can use Named Locations to block sign-ins from specific countries.

Why this answer

Conditional Access policies allow you to create location-based policies to block or grant access based on geographic locations. Option A is correct because Named Locations are used in Conditional Access to define countries. Option B (Identity Protection) detects risks but does not directly block by country.

Option C (Privileged Identity Management) manages roles. Option D (Terms of Use) presents agreements but does not block by location.

101
MCQ · easy

A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: C

Availability ensures systems and data are accessible when needed. Backups and disaster recovery plans directly support availability by enabling recovery from failures.

Why this answer

Automated backups and a disaster recovery plan directly support the Availability principle of the CIA triad by ensuring that critical databases can be restored and operations resumed quickly after a system failure. Availability guarantees that systems and data are accessible to authorized users when needed, and these measures minimize downtime and data loss.

Exam trap

The trap here is that candidates confuse 'backups and disaster recovery' with 'data protection' broadly, incorrectly selecting Confidentiality or Integrity, when the primary goal is to restore access and uptime, which is the essence of Availability.

How to eliminate wrong answers

Option A is wrong because Confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on restoring data after failure. Option B is wrong because Integrity ensures data is not tampered with or altered (e.g., via hashing or checksums), whereas backups and DR do not inherently protect against unauthorized modifications. Option D is wrong because Non-repudiation provides proof of actions or transactions (e.g., through digital signatures or audit logs), not the ability to recover from system failures.

102
MCQ · hard

Your organization uses Microsoft Sentinel to detect threats. A security analyst needs to create a custom analytics rule that triggers an incident when a user accesses more than 1000 files from an external IP address within 5 minutes. Which rule type should the analyst configure?

A. Fusion rule
B. ML Behavior Analytics rule
C. Scheduled query rule
D. Near-real-time (NRT) query rule
Answer: C

Scheduled query rules allow custom KQL with time windows and aggregation.

Why this answer

Option B is correct because Scheduled query rules allow aggregation over time windows. Option A is wrong because NRT rules run every minute and cannot aggregate over 5 minutes. Option C is wrong because Fusion uses ML to correlate alerts.

Option D is wrong because ML Behavior Analytics is for UEBA anomalies.

103
MCQ · medium

A user reports that they cannot access a critical application, receiving an error that their session has expired. The sign-in logs show the user was prompted for multifactor authentication (MFA) multiple times during the same session. What should an administrator review to reduce these interruptions?

A. Microsoft Entra tenant-wide MFA settings
B. Microsoft Entra Conditional Access session controls
C. Microsoft Entra Identity Protection policies
D. Microsoft Entra Privileged Identity Management settings
Answer: B

Session controls allow configuring sign-in frequency and persistent browser sessions to reduce MFA prompts.

Why this answer

Option C is correct because adjusting session controls in Conditional Access policies can reduce repeated MFA prompts. Option A is wrong because Identity Protection focuses on risk detection. Option B is wrong because PIM is for role management.

Option D is wrong because the default tenant-wide MFA policy is not as granular as Conditional Access.

104
Multi-Select · easy

A company wants to use Microsoft Defender for Cloud to secure their hybrid cloud environment. Which TWO resource types can be assessed by Defender for Cloud?

Select 2 answers
A. Azure Virtual Machines
B. AWS EC2 instances
C. On-premises servers connected via Azure Arc
D. Kubernetes clusters
E. On-premises SQL Server
Answers: A, C

Correct: Supported.

Why this answer

Defender for Cloud assesses Azure VMs and on-premises servers via Azure Arc. AWS accounts are not directly assessed; only Azure resources are. SQL Server on-premises is not supported unless via Azure Arc.

Kubernetes is not a resource type listed.

105
MCQ · easy

A small consulting company, Northwind Traders, uses Microsoft 365 Business Premium and wants to implement basic compliance solutions. They have 50 users and need to: (1) prevent employees from sharing customer credit card information via email; (2) retain all deleted emails for 1 year; (3) allow users to classify documents as 'Confidential' manually; (4) generate reports on policy violations. The company has limited IT staff and wants a quick, out-of-the-box solution. What should they configure?

A. Use Microsoft Intune to set data loss prevention policies and configure document classification.
B. Use Microsoft Purview to create a DLP policy for credit card info, a retention policy for deleted emails, and publish a sensitivity label for 'Confidential'.
C. Use Microsoft 365 Defender to block sharing of credit card data and configure email retention.
D. Use Microsoft Entra ID to create conditional access policies and enable retention.
Answer: B

Purview provides all required compliance capabilities.

Why this answer

Option D is correct because Microsoft Purview provides DLP policies, retention policies, and sensitivity labels out-of-the-box. Option A is wrong because Microsoft 365 Defender focuses on security, not compliance. Option B is wrong because Microsoft Entra ID is for identity.

Option C is wrong because Microsoft Intune is for device management.

106
MCQ · easy

Your company is subject to GDPR and must be able to respond to data subject requests (DSRs) by finding all personal data of a specific user across Microsoft 365. Which Microsoft Purview solution should you use?

A. Communication Compliance
B. eDiscovery (Standard or Premium)
C. Privileged Access Management
D. Audit (Standard or Premium)
Answer: B

eDiscovery allows searches across all Microsoft 365 data for specific users.

Why this answer

Option B is correct because eDiscovery in Microsoft Purview is designed to search for content across Exchange, SharePoint, OneDrive, and Teams. Option A is wrong because Communication Compliance monitors for policy violations, not search. Option C is wrong because Audit logs track activities, not content.

Option D is wrong because Privileged Access Management protects administrative access.

107
MCQ · hard

A company uses Microsoft Sentinel as its SIEM. They need to create a custom analytics rule that runs every hour and queries for failed logins from a specific IP address. Which rule scheduling option should they configure?

A. Run every 5 minutes with a 5-minute query period
B. Run every 24 hours with a 24-hour query period
C. Run every 1 hour with a 5-minute query period
D. Run every 1 hour with a 1-hour query period
Answer: D

This runs hourly and queries the last hour's data, matching the requirement.

Why this answer

Analytics rules in Sentinel have a run frequency and a query period. Option A is wrong because it's too frequent; Option B is correct but the query period should be set to cover the data; Option C is wrong because it's for over a day; Option D is wrong because it's for real-time.

108
Multi-Select · hard

Your organization uses Microsoft Entra ID. Which THREE authentication methods can be used for passwordless sign-in?

Select 3 answers
A. Microsoft Authenticator (phone sign-in)
B. SMS-based verification
C. FIDO2 security keys
D. Windows Hello for Business
E. Time-based one-time password (TOTP)
Answers: A, C, D

Microsoft Authenticator can enable passwordless phone sign-in.

Why this answer

Microsoft Authenticator (phone sign-in) enables passwordless authentication by using a cryptographic key pair tied to the user's device. When signing in, the user approves a notification on their phone, and the Authenticator app signs the challenge with the private key, eliminating the need for a password.

Exam trap

The trap here is that candidates confuse second-factor methods like TOTP or SMS codes with passwordless authentication, but passwordless requires the primary authentication factor to be something you have (device or key) without needing a password at all.

109
MCQ · medium

Refer to the exhibit. A legal team needs to preserve all documents in SharePoint and OneDrive for 5 years. The current policy retains for 1 year. What should the administrator do to meet the requirement?

A. Add Exchange Online to the locations.
B. Change the retention type to Delete.
C. Change the retention duration to 1825 days.
D. Change the retention action to KeepAndDelete.
Answer: C

1825 days equals 5 years, meeting the requirement.

Why this answer

Option C is correct because the policy retains for 365 days (1 year), but the requirement is 5 years. Changing the retention duration to 1825 days (5 years) meets the requirement. Option A is wrong because the policy already includes both locations.

Option B is wrong because changing to Delete would delete content. Option D is wrong because changing to KeepAndDelete would still delete after retention, but the duration is the issue.

110
Multi-Select · hard

Which THREE of the following are features of Microsoft Entra ID Protection?

Select 3 answers
A. Access reviews
B. User risk detection (e.g., leaked credentials)
C. Sign-in risk detection (e.g., anonymous IP addresses)
D. Entitlement management
E. Risk-based Conditional Access policies
Answers: B, C, E

ID Protection detects user risk events like leaked credentials.

Why this answer

Option B is correct because Microsoft Entra ID Protection includes user risk detection, which identifies accounts that may have been compromised based on signals such as leaked credentials, unusual activity, or password spray attacks. This feature helps administrators automatically respond to elevated user risk by triggering remediation actions like password reset or blocking sign-ins.

Exam trap

The trap here is that candidates confuse Entra ID Protection with Entra ID Governance features (Access reviews and Entitlement management), which are separate capabilities focused on lifecycle and compliance rather than risk detection and remediation.

111
MCQ · hard

A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to emails containing credit card numbers. Which policy should they configure?

A. Auto-labeling policy
B. Retention policy
C. Sensitivity label policy
D. Data loss prevention (DLP) policy
Answer: A

Auto-labeling policies apply labels automatically based on sensitive information types.

Why this answer

Option C is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types like credit card numbers. Option A is incorrect because sensitivity label policies publish labels for manual assignment. Option B is incorrect because DLP policies enforce actions but do not apply labels automatically.

Option D is incorrect because retention policies manage data retention, not labeling.

112
MCQ · medium

A security operations center (SOC) team needs to collect security logs from Azure services, on-premises servers, and third-party firewalls. They want a cloud-native solution that provides advanced threat detection through analytics, machine learning, and the ability to hunt for threats across all data sources. Which Microsoft solution should they deploy?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender
C. Microsoft Sentinel
D. Microsoft Defender for Identity
Answer: C

Microsoft Sentinel is a scalable, cloud-native SIEM that collects data from any source, applies analytics and machine learning for threat detection, and supports proactive threat hunting.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from Azure services, on-premises servers, and third-party firewalls. It provides advanced threat detection via built-in analytics, machine learning models, and a powerful query language (Kusto Query Language) for threat hunting across all data sources.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM/CWPP tool) with Microsoft Sentinel (a cloud-native SIEM), as both appear in the Azure portal and deal with security logs, but only Sentinel provides centralized log ingestion, analytics, and threat hunting across heterogeneous sources.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud workloads, not a SIEM for collecting and analyzing logs from diverse sources. Option B is wrong because Microsoft 365 Defender is an extended detection and response (XDR) solution that primarily protects Microsoft 365 workloads (email, endpoints, identities) and does not natively ingest third-party firewall logs or on-premises server logs as a central SIEM. Option D is wrong because Microsoft Defender for Identity is an identity-based threat detection solution that monitors on-premises Active Directory signals, not a general-purpose log collection and hunting platform for all data sources.

113
MCQ · hard

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large volumes of data from a sanctioned cloud app that exceeds the normal pattern. Which action should you take to automatically block this activity?

A. Create a session policy to monitor and control downloads
B. Configure a cloud discovery policy
C. Create a Microsoft Purview DLP policy
D. Block the app in Defender for Cloud Apps
Answer: A

Session policies can block downloads based on activity policy.

Why this answer

Option B is correct because you can create a session policy that monitors user behavior and blocks downloads exceeding a threshold. Option A is wrong because cloud discovery identifies shadow IT and does not block activity. Option C is wrong because DLP policies in Purview are for data classification, not for blocking based on volume.

Option D is wrong because blocking the app entirely is too restrictive.

114
MCQ · hard

Your organization needs to ensure that emails containing personally identifiable information (PII) like passport numbers are automatically encrypted before being sent externally. What should you configure in Microsoft Purview?

A. A retention label that encrypts the email
B. A DLP policy with the 'Encrypt' action
C. A communication compliance policy
D. An information barrier policy
Answer: B

DLP policies can automatically apply encryption to emails containing sensitive information.

Why this answer

Option B is correct because a DLP policy can automatically encrypt emails with sensitive data. Option A is wrong because retention labels manage retention. Option C is wrong because communication compliance policies monitor content.

Option D is wrong because information barriers restrict communication.

115
MCQ · medium

A company has a SharePoint Online library containing legal contracts. They must satisfy a regulatory requirement that contracts cannot be modified or deleted after they are signed. Additionally, they need to retain the contracts for 10 years after the contract end date, after which they can be disposed of manually. Which Microsoft Purview solution should they implement?

A. Sensitivity labels
B. Records Management
C. Data Loss Prevention (DLP) policy
D. Data Lifecycle Management
Answer: B

Records Management allows you to mark items as records to prevent editing/deletion and assign retention labels with specific schedules and disposition actions.

Why this answer

Records Management in Microsoft Purview allows you to declare items as records, which locks them against modification or deletion (meeting the 'cannot be modified or deleted' requirement). It also supports event-based retention, enabling you to start a 10-year retention period from the contract end date and then allow manual disposal after that period expires.

Exam trap

The trap here is that candidates confuse Data Lifecycle Management (which handles retention and deletion) with Records Management (which adds immutability and legal hold capabilities), leading them to pick D when the question explicitly requires preventing modification and deletion, not just retention.

How to eliminate wrong answers

Option A is wrong because sensitivity labels classify and protect data based on sensitivity (e.g., confidentiality), but they do not prevent modification or deletion of content; they apply encryption, markings, or access controls, not immutable retention. Option C is wrong because Data Loss Prevention (DLP) policies detect and prevent accidental sharing of sensitive information via rules and actions (e.g., blocking email), but they do not enforce retention or lock items against edits/deletion. Option D is wrong because Data Lifecycle Management (now part of Microsoft Purview Data Lifecycle Management) automates retention and deletion based on policies, but it does not provide the 'locked as a record' capability that prevents modification or deletion; it can retain and delete but not make items immutable.

116
MCQ · medium

A company uses Exchange Online. The security team wants to protect users from malware hidden in email attachments by detonating them in a secure sandbox environment before delivery. Which Microsoft Defender for Office 365 feature should they enable?

A. Safe Links
B. Safe Attachments
C. Anti-Phishing
D. Anti-Spoofing
Answer: B

Safe Attachments uses dynamic analysis in a sandbox to detonate attachments and determine if they are malicious, blocking or quarantining threatening attachments before delivery.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a secure, isolated sandbox environment to detect and block malware before the message reaches the user's inbox. This feature uses dynamic analysis to observe attachment behavior in real time, ensuring zero-day threats are identified and neutralized.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments because both are part of Microsoft Defender for Office 365, but Safe Links deals with URLs while Safe Attachments deals with file payloads; the question explicitly mentions 'malware hidden in email attachments' which directly points to Safe Attachments.

How to eliminate wrong answers

Option A is wrong because Safe Links protects users from malicious URLs in emails and Office documents by scanning and rewriting links at the time of click, not by detonating attachments in a sandbox. Option C is wrong because Anti-Phishing policies protect against phishing attempts by analyzing sender identity and impersonation patterns, not by sandboxing file attachments. Option D is wrong because Anti-Spoofing is a subset of anti-phishing that validates sender authenticity using SPF, DKIM, and DMARC checks, and has no attachment sandboxing capability.

117
MCQ · easy

Your organization is deploying Microsoft Entra ID. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without creating new cloud passwords. Which feature should you configure?

A. Microsoft Entra Connect
B. Microsoft Entra Multifactor Authentication
C. Microsoft Entra Self-Service Password Reset
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: A

Entra Connect syncs identities and enables password hash sync or pass-through authentication.

Why this answer

Microsoft Entra Connect is the correct feature because it synchronizes on-premises Active Directory identities to Microsoft Entra ID and enables password hash synchronization or pass-through authentication, allowing users to sign in with their existing on-premises credentials without creating new cloud passwords. This ensures a seamless hybrid identity experience where the same username and password work for both on-premises and cloud resources.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect with Microsoft Entra Multifactor Authentication, thinking that MFA alone can authenticate against on-premises credentials, but MFA only provides an additional verification step and does not handle primary authentication against on-premises Active Directory.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Multifactor Authentication adds a second layer of security but does not synchronize or authenticate on-premises credentials; it requires an existing identity in the cloud. Option C is wrong because Microsoft Entra Self-Service Password Reset allows users to reset their own passwords but does not enable sign-in with existing on-premises credentials; it relies on an already synchronized or cloud-only identity. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role assignments, not credential synchronization or authentication against on-premises Active Directory.

118
Multi-Select · medium

A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)

Select 2 answers
A. Require multi-factor authentication
B. Block access
C. Require device to be marked as compliant
D. Require approved client app
Answers: A, B

Correct. This grant control forces users to complete MFA when the condition (unmanaged device) is met, satisfying the requirement for an extra verification step.

Why this answer

Option A is correct because the scenario explicitly requires multifactor authentication (MFA) when a user accesses the finance application from an unmanaged device. In Microsoft Entra ID Conditional Access, the 'Require multi-factor authentication' grant control enforces MFA as part of the policy, directly meeting this requirement. Option B is correct because the scenario also requires blocking access if the sign-in risk level is high.

The 'Block access' grant control is the appropriate control to deny authentication when a high-risk sign-in is detected, as it overrides any other grant controls.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'unmanaged device' conditions, but unmanaged devices are not necessarily non-compliant; the policy specifically targets unmanaged devices for MFA, not compliance enforcement.

119
MCQ · medium

An organization wants to ensure that its security team can quickly identify and respond to threats across all workloads, including identities, endpoints, email, and cloud apps. Which Microsoft security solution provides a unified incident management experience?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft Defender XDR
D. Microsoft Defender for Identity
Answer: C

Defender XDR unifies incidents from identities, endpoints, email, and cloud apps.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) provides a unified incident management experience across identities, endpoints, email, and cloud apps. Option A is wrong because Microsoft Sentinel is a SIEM that can ingest data from multiple sources but is not the native XDR solution. Option C is wrong because Microsoft Defender for Cloud protects cloud workloads, not all workloads.

Option D is wrong because Microsoft Defender for Identity focuses on identity threats only.

120
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Purview Compliance Manager?

Select 3 answers
A. Pre-built compliance assessments for regulations like GDPR
B. Scoring to track compliance progress over time
C. Audit log search for user access events
D. Improvement actions to remediate compliance gaps
E. Automated data discovery across cloud sources
Answers: A, B, D

Compliance Manager includes pre-built assessments.

Why this answer

Compliance Manager provides assessments, actions, and score tracking. It does not discover data (Data Map) or log access (Audit).

121
MCQ · medium

Your company uses Microsoft Purview Information Protection to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a custom footer is added. Which two components should you configure?

A. Data Loss Prevention (DLP) policy for credit card numbers
B. Sensitivity label with auto-classification for credit card numbers
C. Auto-labeling policy that applies the sensitivity label to emails
D. Retention label and policy for credit card data
Answers: B, C

The label can detect credit card numbers and apply encryption.

Why this answer

Option A is correct because a sensitive info type label can auto-classify credit card numbers. Option B is correct because an auto-labeling policy applies the protection and footer. Option C is wrong because DLP policies block or warn but do not encrypt.

Option D is wrong because retention policies manage lifecycle, not encryption.

122
Matching · medium

Match each compliance term to its correct definition.

Concepts
Matches

Where data is stored geographically

Data subject to laws of the country where it is stored

Process of identifying and delivering electronic information for legal cases

Preserve data for litigation purposes

Categorizing data based on sensitivity

Why these pairings

These are fundamental compliance concepts in Microsoft 365.

123
Multi-Select · medium

Which THREE features are part of Microsoft Entra Identity Governance?

Select 3 answers
A. Microsoft Entra Connect
B. Privileged Identity Management
C. Access reviews
D. ID Protection
E. Entitlement management
Answers: B, C, E

PIM manages privileged roles.

Why this answer

Privileged Identity Management (PIM) is a core feature of Microsoft Entra Identity Governance because it provides just-in-time privileged access to Azure AD and Azure resources, with time-bound activation and approval workflows. It directly supports the governance principle of least privilege by ensuring users only have elevated permissions when needed and for a limited duration.

Exam trap

The trap here is that candidates confuse Microsoft Entra Connect (a synchronization tool) with Identity Governance features, or mistake ID Protection (a risk-detection service) for a governance capability, when the exam specifically tests the three pillars of Identity Governance: entitlement management, access reviews, and privileged identity management.

124
MCQ · hard

A company has Microsoft Entra ID with Conditional Access policies. Users report being prompted for MFA every time they access the company's CRM app from their corporate laptops. However, the policy is configured to require MFA only for untrusted locations. What is the most likely cause?

A. Users are authenticating via device code flow.
B. The Conditional Access policy has the 'Persistent browser session' setting enabled.
C. The policy is blocking legacy authentication.
D. The corporate laptops are not marked as compliant devices.
Answer: D

If devices are not compliant, Conditional Access may require MFA even from trusted locations.

Why this answer

The most likely cause is that the corporate laptops are not marked as compliant devices. Conditional Access policies can use device compliance as a condition; if the laptops are not compliant, they may be treated as untrusted, triggering MFA even if the location is trusted. Device compliance is determined by Microsoft Intune or another MDM, and without it, the policy's location condition may not override the device state.

Exam trap

The trap here is that candidates assume location is the only condition evaluated, but Conditional Access policies can combine multiple conditions, and device compliance often overrides location when devices are not trusted.

How to eliminate wrong answers

Option A is wrong because device code flow is an authentication method for devices without browsers (e.g., CLI tools) and does not inherently bypass location-based MFA conditions. Option B is wrong because the 'Persistent browser session' setting controls session lifetime, not the frequency of MFA prompts based on location; it would not cause repeated MFA on every access. Option C is wrong because blocking legacy authentication would prevent access entirely for non-modern auth clients, not cause repeated MFA prompts for users already using modern authentication.

125
MCQ · easy

A user reports that they cannot access Microsoft 365 apps from a public Wi-Fi network. The admin sees a Conditional Access policy requiring a compliant device and a trusted location. Which component enforces this policy?

A. Microsoft Entra ID
B. Microsoft Defender for Cloud Apps
C. Microsoft Entra Conditional Access
D. Microsoft Intune
Answer: C

Enforces access policies based on conditions.

Why this answer

Microsoft Entra Conditional Access is the policy engine that evaluates conditions (e.g., location, device compliance) and enforces access decisions. When a user attempts to access Microsoft 365 apps, the Conditional Access policy is evaluated by Microsoft Entra ID, which then blocks or grants access based on the policy rules. The policy itself is defined in Microsoft Entra Conditional Access, but the enforcement point is the Microsoft Entra ID authentication and authorization service.

Exam trap

The trap here is that candidates often confuse the policy definition component (Microsoft Entra Conditional Access) with the enforcement component (Microsoft Entra ID), but the question asks for the component that 'enforces' the policy, which is Microsoft Entra ID itself, not the policy configuration interface.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID is the identity and authentication service that processes the Conditional Access policy, but it is not the component that 'enforces' the policy; the policy is defined in the Conditional Access feature of Microsoft Entra ID. Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility and control over cloud app usage, but it does not enforce Conditional Access policies for initial sign-in to Microsoft 365 apps. Option D is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) service that manages device compliance, but it does not enforce Conditional Access policies; it provides the compliance status that Conditional Access policies can use as a condition.

126
MCQ · hard

A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have a custom line-of-business application that uses Windows Integrated Authentication and requires Kerberos. Which approach should they use to enable hybrid identity?

A. Deploy Microsoft Entra Kerberos authentication and register the app
B. Use password hash synchronization (PHS) and configure the app for OAuth
C. Use pass-through authentication (PTA) and configure the app for SAML
D. Federate with Active Directory Federation Services (ADFS)
Answer: A

Entra Kerberos authentication enables Kerberos for hybrid apps.

Why this answer

Option A is correct because Microsoft Entra Kerberos authentication enables hybrid identity for legacy on-premises applications that require Kerberos and Windows Integrated Authentication. By deploying this feature, the app can authenticate users against Microsoft Entra ID while still receiving Kerberos tickets, allowing a seamless migration without modifying the application's authentication code.

Exam trap

The trap here is that candidates often assume that any hybrid identity scenario requires federation (ADFS) or that modern protocols like OAuth/SAML can always replace Kerberos, but Microsoft Entra Kerberos authentication is specifically designed to support legacy Kerberos-dependent apps without federation.

How to eliminate wrong answers

Option B is wrong because password hash synchronization (PHS) does not provide Kerberos tickets; it only synchronizes password hashes for cloud authentication, and configuring the app for OAuth would require the app to support OAuth, which it does not (it uses Windows Integrated Authentication). Option C is wrong because pass-through authentication (PTA) validates passwords on-premises but does not issue Kerberos tickets; SAML is a different protocol that the app does not support. Option D is wrong because federating with Active Directory Federation Services (ADFS) would add unnecessary complexity and is not the recommended modern approach for enabling Kerberos-based hybrid identity; Microsoft Entra Kerberos authentication is the simpler, cloud-native solution.

127
MCQ · medium

You work for a healthcare organization that uses Microsoft 365 E5 licenses. The organization must comply with HIPAA regulations. You need to ensure that electronic protected health information (ePHI) is classified and protected. Specifically, you want to automatically detect and apply a 'Highly Confidential' sensitivity label to documents containing medical record numbers, and also prevent users from sharing these documents externally via email. You have Microsoft Purview deployed. What should you implement first?

A. Create a DLP policy that blocks external sharing of any document with a custom keyword.
B. Create an auto-labeling policy that applies a sensitivity label to documents with medical record numbers.
C. Create a DLP policy that detects medical record numbers and blocks external sharing.
D. Create a sensitive information type for medical record numbers, then an auto-labeling policy to apply a sensitivity label, and finally a DLP policy to block external sharing of labeled documents.
Answer: D

This complete approach ensures classification and protection.

Why this answer

Option D is correct because you need to create a sensitive information type for medical record numbers, then use auto-labeling to apply the label, and finally a DLP policy to block external sharing. Option A is incorrect because without the sensitivity label, DLP cannot reference it. Option B is incorrect because DLP alone cannot apply labels. Option C is incorrect because auto-labeling alone does not block sharing.

128
MCQ · medium

Your company is implementing records management for legal retention requirements. Documents must be locked and cannot be modified or deleted after a specific event. Which Microsoft Purview capability should you use?

A. Retention label configured as a regulatory record
B. Retention policy applied to a SharePoint site
C. Sensitivity label with encryption
D. Data Loss Prevention policy
Answer: A

Regulatory record labels lock content, preventing any changes or deletions.

Why this answer

A retention label that marks content as a regulatory record locks the content and prevents any modification or deletion. Option D is correct. A retention policy applies to containers, not individual items. A sensitivity label does not enforce immutability. A DLP policy prevents sharing, not modification.

129
MCQ · easy

An organization uses Microsoft Sentinel for security information and event management (SIEM) and security orchestration automated response (SOAR). They want to automatically respond to a specific incident by running a playbook. What should they configure?

A. Automation rule
B. Workbook
C. Hunting query
D. Analytics rule
Answer: A

Triggers playbooks automatically on incidents.

Why this answer

Option D is correct because automation rules in Sentinel trigger playbooks based on incidents. Option A is wrong because analytics rules generate alerts, not responses. Option B is wrong because workbooks visualize data. Option C is wrong because hunting queries proactively search for threats.

130
Multi-Select · medium

An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)

Select 2 answers
A. Physical security of the datacenters
B. Network controls at the hypervisor layer
C. Patching the guest operating system on the VM
D. Configuring network security group (NSG) firewall rules
Answers: A, B

Correct. Microsoft is responsible for the physical security of its datacenters, including perimeter fencing, guards, biometric access, and environmental controls like cooling and power.

Why this answer

In the shared responsibility model for IaaS, Microsoft retains responsibility for the physical security of its datacenters, including access controls, surveillance, and environmental protections. Additionally, Microsoft manages security at the hypervisor layer, which includes network controls that isolate virtual machines from each other and from the underlying host. These responsibilities are inherent to the infrastructure provider and cannot be delegated to the customer.

Exam trap

The trap here is that candidates often confuse patching responsibilities, assuming Microsoft patches the guest OS in IaaS, or mistakenly think NSG configuration is a Microsoft responsibility because it is a built-in Azure feature.

131
MCQ · medium

A company runs workloads in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single, unified dashboard to continuously assess the security posture of all cloud resources, identify misconfigurations, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Cloud Apps
C. Microsoft Sentinel
D. Microsoft Defender for Endpoint
Answer: A

Defender for Cloud offers multi-cloud CSPM, allowing assessment of resources in Azure, AWS, and GCP from a single dashboard with prioritized recommendations.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified cloud security posture management (CSPM) dashboard that continuously assesses resources across Azure, AWS, and GCP. It identifies misconfigurations against industry benchmarks (e.g., CIS, NIST) and delivers prioritized, actionable recommendations to remediate risks, directly meeting the requirement for a single dashboard across multi-cloud environments.

Exam trap

The trap here is confusing a cloud security posture management (CSPM) tool (Defender for Cloud) with a cloud access security broker (CASB) or a SIEM/SOAR solution, leading candidates to pick Defender for Cloud Apps or Sentinel because they also provide security visibility, but for different use cases.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data loss prevention, and threat protection for SaaS applications (e.g., Office 365, Salesforce), not for assessing the security posture of IaaS/PaaS cloud resources across Azure, AWS, and GCP. Option C is wrong because Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution that ingests logs and alerts for threat detection and incident response, not a continuous posture assessment and misconfiguration identification tool. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (e.g., Windows, macOS, Linux) and mobile, not for assessing the security posture of cloud infrastructure resources like VMs, storage accounts, or databases across multiple cloud providers.

132
Multi-Select · hard

Which THREE are capabilities of Microsoft Defender XDR?

Select 3 answers
A. Device compliance policy management
B. Automated investigation and remediation
C. Incident management across email, endpoints, and identities
D. Cross-domain threat hunting
E. Data classification and labeling
Answers: B, C, D

Defender XDR can automatically investigate and remediate threats.

Why this answer

Options A, C, and D are correct. Microsoft Defender XDR includes incident management, automated investigation, and cross-domain hunting. Option B is a capability of Microsoft Purview, not Defender XDR. Option E is a capability of Microsoft Intune.

133
MCQ · medium

A university wants to provide its students with a verifiable digital transcript that the students can share with potential employers. The university uses Microsoft Entra Verified ID to issue credentials. When an employer wants to verify a student's transcript, they scan a QR code or receive a link. Which Microsoft Entra ID feature allows the university to issue these tamper-proof credentials and allows employers to verify them without contacting the university directly?

A. Microsoft Entra ID Protection
B. Microsoft Entra Domain Services
C. Microsoft Entra Verified ID
D. Microsoft Entra Permissions Management
Answer: C

Verified ID is used to issue and verify decentralized digital credentials.

Why this answer

Microsoft Entra Verified ID (option C) is the correct answer because it is the decentralized identity solution built on open standards (W3C Decentralized Identifiers and Verifiable Credentials) that allows the university to issue tamper-proof digital credentials. Employers can verify these credentials independently by scanning a QR code or following a link, without needing to contact the university, because the verification is done cryptographically against the issuer's public DID on a distributed ledger.

Exam trap

The trap here is that candidates may confuse 'Verified ID' with general identity protection or access management features, but the key differentiator is the decentralized, tamper-proof credential issuance and independent verification capability that only Verified ID provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects identity-based risks (e.g., leaked credentials, sign-in anomalies) and enforces conditional access policies; it does not issue or verify verifiable credentials. Option B is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy applications and does not support decentralized identity or verifiable credential issuance. Option D is wrong because Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that helps manage and audit permissions across multi-cloud environments; it has no role in issuing or verifying verifiable credentials.

134
MCQ · hard

A healthcare organization must comply with HIPAA regulations. They store patient health information (PHI) in SharePoint Online documents. The compliance team needs to automatically detect PHI (e.g., medical record numbers) in documents, apply a sensitivity label that encrypts the document, and prevent users from removing that label. Which Microsoft Purview solution should they configure?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Information Protection
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Audit
Answer: B

Information Protection provides sensitivity labels that can be automatically applied based on sensitive data types (like PHI) and includes encryption and label protection settings to prevent removal.

Why this answer

Microsoft Purview Information Protection (option B) is correct because it provides the ability to automatically detect sensitive data types (such as PHI) using trainable classifiers or sensitive information types, apply a sensitivity label that enforces encryption, and configure label protection settings to prevent users from removing the label. This directly meets the HIPAA compliance requirement for automated detection, encryption, and label persistence on SharePoint Online documents.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection (which handles labeling and encryption) with Microsoft Purview Data Lifecycle Management (which handles retention and deletion), because both involve document policies, but only Information Protection can detect PHI and enforce encryption labels.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management focuses on retention and deletion policies (e.g., retaining or deleting documents after a set period), not on detecting PHI or applying encryption labels. Option C is wrong because Microsoft Purview Communication Compliance is designed to monitor and review internal and external communications (e.g., email, Teams messages) for policy violations, not to scan SharePoint documents for PHI or apply sensitivity labels. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities (e.g., who accessed a document), but it does not detect PHI or enforce encryption or label removal prevention.

135
Multi-Select · easy

Which TWO features are part of Microsoft Entra ID? (Select two.)

Select 2 answers
A. Privileged Identity Management
B. Microsoft Sentinel
C. Conditional Access
D. Identity Protection
E. Microsoft Intune
Answers: C, D

Conditional Access is an Entra ID feature.

Why this answer

Conditional Access and Identity Protection are part of Entra ID. PIM is also part of Entra ID, but the question asks for TWO; only A and C are correct. Intune is separate. Sentinel is separate.

136
MCQ · hard

Contoso has a hybrid identity with AD DS synced to Microsoft Entra ID. They want to block legacy authentication protocols that bypass MFA. Which security solution should they use?

A. Microsoft Entra Password Protection
B. Microsoft Entra ID Protection
C. Microsoft Entra Connect Health
D. Conditional Access policy
Answer: D

Conditional Access can block legacy authentication by targeting client apps.

Why this answer

Correct: Conditional Access policy can block legacy authentication. Option A: Identity Protection detects risk but doesn't block protocols. Option B: Azure AD Connect has no such feature. Option D: Password Protection blocks weak passwords.

137
Multi-Select · easy

An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)

Select 2 answers
A. Authentication
B. Authorization
C. Accounting
D. Encryption
Answers: A, B

Step 1 verifies the user's identity via credentials, which is authentication.

Why this answer

Step 1 (username and password) is authentication, which verifies the identity of the user by validating credentials against an identity provider such as Azure AD or on-premises Active Directory. This confirms who the user is before any access decisions are made.

Exam trap

The trap here is that candidates often confuse authentication (identity verification) with authorization (permission enforcement), especially when both steps involve checking user identity or rights, but the question clearly separates the two distinct actions.

138
MCQ · hard

A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?

A. Federation
B. Provisioning
C. Synchronization
D. Directory extension
Answer: A

Correct. Federation enables organizations to trust identities from another identity provider or on-premises system, allowing SSO across different platforms using standards like SAML.

Why this answer

Federation is the correct answer because it establishes a trust relationship between the on-premises Active Directory and the external identity provider (IdP) using SAML 2.0, enabling users to authenticate once and gain access to both Microsoft 365 and the third-party SaaS application without re-entering credentials. This relies on the IdP issuing SAML assertions that are trusted by the relying parties (Microsoft 365 and the SaaS app), which is the core mechanism of federated identity.

Exam trap

The trap here is that candidates often confuse synchronization (e.g., Azure AD Connect) with federation, thinking that syncing user accounts alone enables SSO, but synchronization only copies identities without establishing the SAML trust required for federated authentication.

How to eliminate wrong answers

Option B (Provisioning) is wrong because provisioning refers to the automated creation, management, and deletion of user accounts and attributes in target systems (e.g., Microsoft 365), not to the authentication trust that enables SSO. Option C (Synchronization) is wrong because synchronization (e.g., Azure AD Connect) copies user objects and hashes from on-premises AD to Azure AD, but it does not establish a SAML-based trust with an external IdP for SSO; it is a prerequisite for some federation scenarios but not the primary concept. Option D (Directory extension) is wrong because directory extension involves adding custom attributes to the directory schema (e.g., via Microsoft Graph or Azure AD schema extensions), which is unrelated to authentication or SSO protocols like SAML.

139
Multi-Select · hard

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. Which THREE actions can be taken automatically when a DLP policy matches?

Select 3 answers
A. Automatically notify the legal department
B. Delete the sensitive content
C. Show a policy tip to the user
D. Encrypt the sensitive content
E. Block the sharing of sensitive data
Answers: C, D, E

Correct: Policy tips educate users.

Why this answer

DLP can block sharing, show policy tips, and encrypt content. It does not delete content or automatically notify legal; notification is via admin alert or user tip.

140
MCQ · easy

A company uses Azure SQL Database, which is a Platform as a Service (PaaS) offering. The security team is reviewing the shared responsibility model and wants to know who is responsible for applying operating system patches to the underlying infrastructure that hosts the database. Who is responsible for this task?

A. The customer is responsible for patching the OS on virtual machines but not for PaaS; however, the customer must patch the OS for Azure SQL Database.
B. Microsoft is responsible for managing and patching the operating system of the underlying infrastructure for PaaS services.
C. Both the customer and Microsoft share equal responsibility for patching the OS in a PaaS model.
D. The cloud service provider partner (e.g., a managed service provider) is responsible for OS patches in PaaS.
Answer: B

This is correct. With PaaS, Microsoft handles the underlying OS, including security patches, while the customer focuses on data and application security.

Why this answer

Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft manages the underlying infrastructure, including the operating system. In the shared responsibility model for PaaS, Microsoft is responsible for applying OS patches to the host servers, while the customer manages the database configuration and data. Therefore, option B correctly identifies Microsoft as responsible for OS patching in this context.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for PaaS with IaaS, mistakenly believing that because Azure SQL Database runs on VMs, the customer must patch the OS, when in fact Microsoft abstracts and manages the entire host OS layer in PaaS.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that the customer must patch the OS for Azure SQL Database; in PaaS, Microsoft handles all infrastructure patching, and the customer has no access to the underlying OS. Option C is wrong because it claims equal shared responsibility for OS patching in PaaS, but the model assigns full responsibility to Microsoft for the host OS, with the customer responsible only for data and access management. Option D is wrong because it introduces a third-party partner as responsible, but in Azure PaaS, Microsoft directly manages the infrastructure, and no external partner is involved unless explicitly contracted for additional services.

141
MCQ · hard

Your organization has multiple on-premises directories and wants to synchronize them to Microsoft Entra ID. However, you must avoid duplicate user objects. Which feature should you configure?

A. Password Hash Sync
B. Pass-through Authentication
C. Active Directory Federation Services
D. Source anchor attribute
Answer: D

Source anchor uniquely identifies objects across directories, preventing duplicates.

Why this answer

The source anchor attribute (often the objectGUID in on-premises directories) is used during synchronization to uniquely identify each object and prevent duplicates. By mapping each on-premises object to a single, immutable source anchor, Microsoft Entra Connect ensures that even if multiple directories contain the same user, only one corresponding object is created in Entra ID.

Exam trap

The trap here is that candidates often confuse features that handle authentication (Password Hash Sync, Pass-through Authentication, AD FS) with the identity-mapping mechanism (source anchor) that prevents duplicate objects during synchronization.

How to eliminate wrong answers

Option A is wrong because Password Hash Sync is a method for synchronizing user password hashes for authentication, not for preventing duplicate user objects. Option B is wrong because Pass-through Authentication validates passwords directly against on-premises Active Directory without synchronizing hashes, but does not address object deduplication. Option C is wrong because Active Directory Federation Services (AD FS) provides federated authentication using claims and does not handle object identity mapping or duplicate prevention during directory synchronization.

142
MCQ · medium

An organization uses Microsoft Sentinel for SIEM. The security operations center (SOC) wants to automatically create an incident when a user account is compromised and suspicious activity is detected. Which Microsoft Sentinel feature should be used?

A. Analytics rules
B. Watchlists
C. Automation playbooks
D. Workbooks
Answer: A

Analytics rules create incidents from detections.

Why this answer

Analytics rules in Microsoft Sentinel can be configured to create incidents based on detection logic. Option A is incorrect because playbooks are for automated responses, not incident creation. Option B is incorrect because workbooks are for visualization. Option D is incorrect because watchlists are for threat intelligence.

143
MCQ · hard

A user accidentally shared a confidential document with an external vendor. You need to revoke access immediately for all copies, even if the file has been downloaded. Which Microsoft Purview feature should you use?

A. Microsoft Purview Information Protection
B. Retention policy
C. Data loss prevention (DLP) policy
D. Audit log search
Answer: A

Information Protection enables revocation of access to protected documents.

Why this answer

Option D is correct because Microsoft Purview Information Protection allows the owner to revoke access to protected documents, including downloaded copies. Option A is wrong because DLP policies detect and block sharing but cannot revoke already shared files. Option B is wrong because retention policies manage lifecycle, not revocation. Option C is wrong because audit logs record events but do not enforce revocation.

144
MCQ · medium

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users cannot copy corporate data from managed apps to personal apps. Which policy should you configure?

A. App Configuration Policy
B. App Protection Policy
C. Device Compliance Policy
D. Conditional Access Policy
Answer: B

APP can restrict data transfer between managed and unmanaged apps.

Why this answer

App Protection Policies (APP) in Intune protect data at the app level, with settings like 'Allow app to transfer data to other apps' set to 'None' or 'Policy managed apps only'. Compliance policies enforce device compliance. Configuration policies configure app settings. Conditional Access can require managed apps but does not restrict data transfer. Option A is correct.

145
Multi-Select · hard

Which TWO of the following are capabilities of Microsoft Purview Insider Risk Management? (Select TWO.)

Select 2 answers
A. Identify anomalous user activities such as mass file downloads
B. Review communications for policy violations
C. Detect data exfiltration by departing employees
D. Conduct eDiscovery searches for legal cases
E. Block sharing of sensitive data via email
Answers: A, C

Insider Risk Management uses analytics to detect anomalous activities.

Why this answer

Options A and C are correct because Insider Risk Management can detect exfiltration and anomalous activities. Option B is wrong because DLP is a separate tool. Option E is wrong because Communication Compliance handles communications. Option D is wrong because eDiscovery handles legal discovery.

146
Multi-Select · hard

Which TWO of the following are features of Microsoft Purview Audit?

Select 2 answers
A. Manages sensitivity labels for documents
B. Provides real-time threat detection
C. Automatically blocks malicious activities
D. Records user and admin activities in the unified audit log
E. Allows searching and investigating audit log entries
Answers: D, E

Audit logs all user and admin actions.

Why this answer

Microsoft Purview Audit provides detailed logging of user and admin activities, and allows searching the audit log for security investigations. It does not automatically block malicious activities (that's DLP or Defender), and it does not manage sensitivity labels (that's Information Protection). It does not provide real-time threat detection (that's Sentinel or Defender).

147
MCQ · hard

Refer to the exhibit. You are a compliance administrator running PowerShell to update a sensitivity label in Microsoft Purview. The command fails with an error that the label is not found. What is the most likely cause?

A. The -Settings parameter is deprecated.
B. The cmdlet Get-MgInformationProtectionPolicy does not return labels.
C. The user does not have permissions to view labels.
D. The label name is misspelled.
Answer: B

Labels are retrieved via Get-MgInformationProtectionSensitivityLabel.

Why this answer

The cmdlet Get-MgInformationProtectionPolicy retrieves the unified label policy. However, the labels are stored in a different location and are accessed via Get-MgInformationProtectionSensitivityLabel. The exhibit uses the wrong cmdlet. Option C is correct. Option A is wrong because the label name is correct. Option B is wrong because the -Settings parameter syntax is acceptable. Option D is wrong because the error indicates the label is not found, not permissions.

148
MCQ · easy

Refer to the exhibit. An administrator creates a Conditional Access policy in Microsoft Entra ID. What will this policy do?

A. Block access for Global Administrators unless they use MFA
B. Require MFA for all users
C. Require MFA for Global Administrators accessing any application
D. Require MFA for users accessing the Microsoft Entra admin center only
Answer: C

The policy targets Global Administrators and includes all applications.

Why this answer

Option C is correct because the policy applies to all applications, for users with Global Administrator role, and requires MFA. Option A is wrong because it applies to all applications, not just specific. Option B is wrong because it applies to Global Administrators, not all users. Option D is wrong because it requires MFA, not block.

149
MCQ · hard

A company wants to detect potentially malicious insider activities, such as employees copying large volumes of files to external drives or sending sensitive emails to personal accounts. The security team needs to investigate these activities with visual timelines and assign cases for review. Which Microsoft Purview solution should they use?

A. Insider Risk Management
B. Communication Compliance
C. eDiscovery (Premium)
D. Data Loss Prevention
Answer: A

Correct. Insider Risk Management correlates user activities (e.g., file copying, emailing) to detect risky behavior, provides visual timelines, and supports case investigation and management.

Why this answer

Microsoft Purview Insider Risk Management is designed to help detect, investigate, and act on malicious and inadvertent insider risks. It provides risk scoring, visual timelines of user activities, and case management workflows. Communication Compliance focuses on communication surveillance for regulatory compliance, eDiscovery is for legal discovery, and DLP prevents data loss but does not provide investigative timelines.

150
Multi-Select · easy

Which THREE are features of Microsoft Entra ID? (Choose three.)

Select 3 answers
A. Firewall management
B. Multifactor authentication
C. Self-service password reset
D. Single sign-on
E. Anti-malware protection
Answers: B, C, D

MFA is a feature of Entra ID.

Why this answer

Microsoft Entra ID provides multifactor authentication (MFA) as a core identity security feature, requiring users to verify their identity using two or more methods such as a password plus a phone call or mobile app notification. This significantly reduces the risk of credential theft and unauthorized access.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID with broader Azure security services, incorrectly assuming it includes network or endpoint protection features like firewall management or anti-malware, when in reality it is strictly an identity and access management solution.
