Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 151-225

1411 questions total · 19 pages · All types, answers revealed


Page 3 of 19

151
MCQ (easy)

Your organization wants to use Microsoft Entra ID to authenticate users from a partner company that uses its own identity provider. Which federation standard should you use?

A. OAuth 2.0
B. SCIM
C. OpenID Connect
D. SAML 2.0
Answer: D

SAML 2.0 is commonly used for federation between identity providers.

Why this answer

SAML 2.0 is the correct federation standard because it enables cross-organization authentication by allowing Microsoft Entra ID to trust assertions from a partner company's own identity provider. SAML 2.0 is specifically designed for enterprise federation scenarios where an external IdP authenticates users and sends a SAML assertion to Entra ID for access.

Exam trap

The trap here is that candidates confuse OpenID Connect (which is for modern app authentication) with SAML 2.0 (which is the standard for enterprise federation between separate identity providers), especially when the question mentions 'federation' and 'partner company using its own identity provider'.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 is an authorization framework, not an authentication protocol; it issues access tokens for delegated access but does not provide user identity assertions. Option B is wrong because SCIM (System for Cross-domain Identity Management) is a provisioning standard for automating user identity lifecycle management, not for authentication or federation. Option C is wrong because OpenID Connect is an authentication layer built on OAuth 2.0, but it is optimized for modern applications and social logins, not for the enterprise federation scenario where a partner company uses its own identity provider with SAML 2.0 assertions.

152
MCQ (hard)

You are the security administrator for a large healthcare organization that uses Microsoft 365 E5. The organization must comply with HIPAA and GDPR regulations. You have implemented Microsoft Purview Information Protection with sensitivity labels to classify and protect patient data. Recently, the compliance team identified that some documents containing Protected Health Information (PHI) are being shared externally without protection. You need to prevent users from sharing documents classified as 'Highly Confidential' with external users unless the document is encrypted and labeled. Additionally, you must ensure that any external sharing of such documents is automatically blocked. You have the following options available. Which action should you take?

A. Configure auto-labeling for SharePoint to automatically apply the 'Highly Confidential' label to all documents containing PHI
B. Create a data loss prevention (DLP) policy in Microsoft Purview that detects the 'Highly Confidential' label and blocks sharing with external users
C. Configure a conditional access policy in Microsoft Entra ID to block external access to SharePoint sites containing PHI
D. Create a retention policy for SharePoint that prevents deletion of documents with the 'Highly Confidential' label
Answer: B

DLP policies can use sensitivity labels as conditions and take actions like blocking external sharing.

Why this answer

Option B is correct because a DLP policy can use the 'Highly Confidential' sensitivity label as a rule condition and block sharing with people outside the organization (for example, the 'Restrict access' action scoped to external recipients, with a policy tip and an incident report to the compliance team). Option A is incorrect because auto-labeling applies labels but does not by itself block sharing; it is a useful companion to the DLP policy, since the DLP condition only fires on documents that actually carry the label. Option C is incorrect because Conditional Access evaluates sign-in signals such as user, location and device state and does not inspect document labels. Option D is incorrect because retention policies control how long content is kept, not whether it can be shared.

153
MCQ (hard)

An organization is deploying Microsoft Intune for mobile device management. They need to ensure that all iOS devices must have a passcode of at least 6 characters and the device must be encrypted. What should they configure?

A. A Conditional Access policy
B. A device configuration profile
C. An app protection policy
D. A device compliance policy
Answer: D

Compliance policies define required device settings.

Why this answer

Device compliance policies in Intune define the settings a device must meet (for example, a minimum passcode length and storage encryption on iOS) and report the device as compliant or not compliant; that status is what Conditional Access consumes. Option A is incorrect because Conditional Access enforces an access decision based on the compliance status but does not define the requirements. Option B is incorrect because a device configuration profile pushes settings to the device but does not evaluate or report compliance; in practice you often deploy both, with the profile enforcing the setting and the compliance policy verifying it. Option C is incorrect because app protection policies govern data inside managed apps, not device-level settings such as the passcode or encryption.

154
MCQ (easy)

Your company uses Microsoft Defender for Endpoint. A report shows that several devices are missing critical security updates. What feature should you use to deploy the missing updates?

A. Microsoft Intune update rings for Windows
B. Microsoft Defender for Endpoint's threat and vulnerability management (TVM)
C. Microsoft Configuration Manager
D. Microsoft Update
Answer: A

Intune can deploy and manage Windows updates.

Why this answer

Option A is correct because Microsoft Intune update rings (Windows Update for Business policies) deploy and manage Windows updates on enrolled devices. Option B is wrong because Defender Vulnerability Management (the current name for threat and vulnerability management) identifies missing updates and can raise remediation requests that are handed to Intune, but it does not deploy updates itself. Option C is wrong in this scenario because Configuration Manager is an on-premises management tool; it can deploy updates, but a cloud-managed Defender for Endpoint fleet points to Intune. Option D is wrong because Microsoft Update is the update source, not a management tool for targeting and scheduling deployments.

155
MCQ (medium)

A company is implementing Microsoft Purview to classify sensitive data. They need to automatically detect credit card numbers in emails and apply a retention label. Which solution should they use?

A. eDiscovery
B. Data Loss Prevention (DLP) policies
C. Communication Compliance
D. Sensitivity labels
Answer: B

DLP policies use built-in sensitive information types such as Credit Card Number to detect content in email and then apply policy actions.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention policies automatically detect sensitive information types such as credit card numbers in email and trigger policy actions. One caveat a practitioner should know: a DLP rule's actions are restricting access or encrypting, notifying, and auditing; automatically applying a retention label is done with an auto-apply retention label policy in Data Lifecycle Management, which matches the same sensitive information types. Of the four options, DLP is still the only one that detects credit card numbers automatically. Option D is wrong because sensitivity labels classify and protect data; an auto-labeling policy can match sensitive information types, but it applies a sensitivity label, not a retention label. Option A is wrong because eDiscovery is for searching content in legal investigations. Option C is wrong because Communication Compliance monitors communications for policy violations, not for automatic classification.

156
Multi-Select (medium)

Which TWO Microsoft Purview solutions can be used to discover and classify sensitive data in Microsoft 365? (Select two.)

Select 2 answers
A. Data Loss Prevention
B. Information Protection
C. Sensitivity labels
D. Audit
E. Data Classification
Answers: B, E

Information Protection includes sensitivity labels that classify data.

Why this answer

Data Classification (E) and Information Protection (B) are correct. Data Classification provides the sensitive information types, trainable classifiers, content explorer and activity explorer used to discover and classify content; Information Protection applies sensitivity labels, including auto-labeling driven by that classification. Sensitivity labels (Option C) are a component of Information Protection rather than a separate solution. DLP (Option A) consumes classifications to enforce policy but is not the discovery and classification solution. Audit (Option D) records user and admin activities.

157
MCQ (easy)

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

A. Least privilege
B. Role-Based Access Control (RBAC)
C. Defense in depth
D. Zero Trust
Answer: B

RBAC assigns permissions to users based on their defined roles or job functions. This matches the scenario where permissions are determined by job title.

Why this answer

Role-Based Access Control (RBAC) is the correct concept because it assigns permissions to users based on their job title or role within the organization. In this scenario, the Sales Manager role is granted edit permissions, while the Sales User role is restricted to read-only, which is a direct implementation of RBAC where access rights are tied to roles rather than individual users.

Exam trap

The trap here is that candidates often confuse least privilege with RBAC, thinking that assigning minimal permissions per role is the same as the principle of least privilege, but RBAC is specifically about organizing permissions by role, while least privilege is a broader security goal that can be achieved through RBAC or other methods.

How to eliminate wrong answers

Option A is wrong because least privilege is a security principle that grants users only the minimum permissions necessary to perform their job, but it does not inherently tie permissions to job titles; it focuses on limiting access rather than organizing permissions by role. Option C is wrong because defense in depth is a layered security strategy that uses multiple controls (e.g., firewalls, encryption, antivirus) to protect resources, not a method for assigning permissions based on job titles. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification for every access request, but it does not define how permissions are assigned based on job titles; it is a broader framework, not a specific access control mechanism.

158
MCQ (medium)

A company wants to allow external business partners to access its internal applications using their own corporate credentials (e.g., their Microsoft Entra ID or Google account), without creating separate user accounts in the company's directory. Which Microsoft Entra ID feature should they use?

A. Azure AD B2C (Business-to-Consumer)
B. B2B collaboration
C. Microsoft Entra Domain Services
D. Conditional Access
Answer: B

B2B collaboration allows external partners to sign in using their own work, school, or social identities, providing seamless access with minimal administrative overhead.

Why this answer

B2B collaboration allows the company to grant external business partners access to its internal applications using their own corporate identities (such as Microsoft Entra ID or Google accounts) without creating separate user accounts in the company's directory. It leverages federation trust and cross-tenant authentication, enabling partners to authenticate with their home organizations while accessing resources in the host tenant.

Exam trap

The trap here is confusing B2B collaboration (for business partners with existing corporate identities) with Azure AD B2C (for customers using social or local accounts), as both involve external users but serve fundamentally different scenarios.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing identity management with social or local accounts, not for business partner access using existing corporate credentials. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP and Kerberos for legacy applications, not external identity federation. Option D is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a feature for inviting external users with their own credentials.

159
MCQ (medium)

A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically trigger a playbook when a high-severity incident is created. Which automation option should be used?

A. Azure Policy assignment
B. Microsoft Power Automate flow directly from Sentinel
C. Automation rule in Microsoft Sentinel
D. Azure Logic Apps HTTP trigger
Answer: C

Correct: Automation rules trigger playbooks automatically.

Why this answer

Automation rules in Microsoft Sentinel run when an incident is created or updated, can filter on conditions such as severity, and then run one or more playbooks (Logic Apps) in order. Two practical checks: the playbook must use the Microsoft Sentinel incident trigger, and Microsoft Sentinel must hold the Microsoft Sentinel Automation Contributor role on the resource group that contains the playbook, otherwise the automation rule cannot start it. Option B is wrong because Sentinel does not trigger Power Automate flows directly; playbooks are Logic Apps. Option D is wrong because an HTTP-triggered Logic App still needs something to call it when the incident is created. Option A is wrong because Azure Policy governs resource configuration, not incident response.

160
MCQ (medium)

A company stores financial reports in SharePoint Online that contain credit card numbers. The compliance team needs to automatically apply a sensitivity label that encrypts the documents when they detect credit card data. Which Microsoft Purview solution should they configure?

A. Information Protection
B. Data Loss Prevention
C. Data Lifecycle Management
D. Records Management
Answer: A

Sensitivity labels in Information Protection can auto-classify and encrypt documents based on sensitive content.

Why this answer

Microsoft Purview Information Protection (A) is the correct solution because it enables the creation of auto-labeling policies that can automatically apply a sensitivity label with encryption when credit card numbers are detected in SharePoint Online documents. This directly addresses the requirement to classify and protect sensitive data at rest based on content inspection.

Exam trap

The trap here is that candidates confuse the detection and blocking capabilities of Data Loss Prevention (DLP) with the classification features of Information Protection. Both match the same sensitive information types, but only an Information Protection auto-labeling policy applies a sensitivity label (and the encryption configured on it); DLP rules restrict access, encrypt email, notify and audit without labeling the document.

How to eliminate wrong answers

Option B (Data Loss Prevention) is wrong because DLP policies are designed to prevent accidental sharing or leakage of sensitive data by blocking or alerting on risky activities, not to automatically apply sensitivity labels with encryption to documents at rest. Option C (Data Lifecycle Management) is wrong because it focuses on retaining or deleting data based on age or compliance requirements, not on detecting and protecting specific sensitive content like credit card numbers. Option D (Records Management) is wrong because it deals with declaring documents as records for legal or regulatory retention, not with automatic classification or encryption of sensitive data.

161
MCQ (hard)

Your organization is implementing Microsoft Purview Information Protection and needs to ensure that files shared externally cannot be forwarded or printed. Which protection mechanism should be applied?

A. Azure Information Protection with rights management
B. Microsoft Purview Data Lifecycle Management retention policy
C. Sensitivity label with user-defined permissions
D. DLP policy with block action
Answer: A

Rights management encryption attaches usage rights to the file itself, so restrictions such as no forward, no print and no copy travel with the document.

Why this answer

Sensitivity labels with admin-defined encryption use Azure Rights Management (the service behind Azure Information Protection) to bind usage rights to the protected file, so forwarding, printing and copying can be denied wherever the document is sent. The Azure Information Protection unified labeling client has been retired; the same rights management encryption is now applied through the built-in sensitivity labels in Office apps. Option C is wrong because user-defined permissions leave the choice of rights to whoever applies the label, so the organization cannot ensure that forwarding and printing are blocked. Option D is wrong because a DLP block action stops the sharing event but imposes no usage restrictions on a file once it has been shared. Option B is wrong because retention policies govern how long content is kept, not what recipients can do with it.

162
MCQ (medium)

A company uses Microsoft Entra ID. They want to enforce that users accessing the payroll application from outside the corporate network must use multifactor authentication and must access the app only from devices that are marked as compliant by Intune. Which Conditional Access component should they use to combine these requirements?

A. Conditions
B. Grant controls
C. Sign-in risk policy
D. Session controls
Answer: B

Correct. Grant controls allow you to require MFA, require compliant device, or other controls to be satisfied before access is granted.

Why this answer

B is correct because Grant controls in a Conditional Access policy allow administrators to specify the access requirements that must be satisfied before a user can access a resource. In this scenario, the requirement to enforce both multifactor authentication and device compliance (from Intune) is achieved by configuring the Grant control to 'Require multifactor authentication' and 'Require device to be marked as compliant', combined with the 'Require all the selected controls' option. This ensures that both conditions must be met simultaneously for access to the payroll application from outside the corporate network.

Exam trap

The trap here is that candidates confuse 'Conditions' (the 'when' and 'where' of the policy) with 'Grant controls' (the 'what must happen' to gain access), leading them to incorrectly select Conditions as the component that combines the requirements.

How to eliminate wrong answers

Option A is wrong because Conditions define the signals or triggers for the policy (e.g., user location, device platform, application), not the actions or requirements that must be met once the policy is triggered. Option C is wrong because Sign-in risk policy is a specific type of Identity Protection policy that responds to real-time risk detections (e.g., anonymous IP address, atypical travel) and is not designed to combine static requirements like MFA and device compliance for a specific application. Option D is wrong because Session controls enforce limitations on the user session after access is granted (e.g., app-enforced restrictions, sign-in frequency), not the pre-access requirements like MFA or device compliance.

163
MCQ (easy)

A company uses Microsoft Entra ID. They have a financial application that should only be accessible from Windows devices. The security team wants to create a Conditional Access policy to block access from other operating systems such as macOS or Linux. Which assignment condition should they configure?

A. Locations
B. Device platforms
C. Client apps
D. Sign-in risk
Answer: B

The Device platforms condition allows you to specify the operating system of the device. Setting it to 'Windows' will block access from macOS, Linux, and other platforms.

Why this answer

The Device platforms condition in a Conditional Access policy lets administrators target specific operating systems (Windows, iOS, Android, macOS, Linux) or exclude them. Including all platforms, excluding Windows and setting the grant control to Block access blocks macOS, Linux and any other non-Windows platform, which is what the security team asked for. One caveat from Microsoft's own guidance: the platform is inferred from information the device supplies, such as the user-agent string, and is not verified, so a platform-based block should be paired with a verified signal such as Require device to be marked as compliant or Require Microsoft Entra hybrid joined device on the policy that grants access to the application.

Exam trap

The trap here is that candidates often confuse Device platforms with Client apps, thinking that blocking 'mobile apps' or 'browsers' would restrict the OS, but Client apps only controls the type of application client, not the underlying operating system.

How to eliminate wrong answers

Option A is wrong because Locations condition controls access based on geographic IP ranges or named locations (e.g., corporate network vs. external), not the operating system of the device. Option C is wrong because Client apps condition filters by application type (e.g., browser, mobile app, legacy authentication) and cannot distinguish between Windows, macOS, or Linux devices. Option D is wrong because Sign-in risk condition uses Microsoft Entra ID Protection to detect risky sign-in behaviors (e.g., anonymous IP, leaked credentials) and has no awareness of the device's operating system.

164
MCQ (medium)

An organization uses Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers stored in SharePoint Online. Which Microsoft Purview solution should they implement?

A. Microsoft Purview Audit
B. Microsoft Purview Data Loss Prevention
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Lifecycle Management
Answer: B

DLP policies detect credit card numbers using the built-in Credit Card Number sensitive information type and take protective actions such as restricting access or blocking sharing.

Why this answer

Data Loss Prevention (DLP) policies identify sensitive data such as credit card numbers in SharePoint Online and apply enforcement actions such as restricting access, blocking external sharing and notifying users. Information Protection can match the same sensitive information type through auto-labeling, but its action is to apply a sensitivity label; when the question stresses protective enforcement rather than labeling (compare question 160, which asks for a label that encrypts), DLP is the intended answer. Audit only logs activity, and Data Lifecycle Management governs retention.

165
MCQ (hard)

A company stores sensitive financial data on on-premises Windows Server file shares. The compliance team needs to automatically discover files containing credit card numbers, classify them by applying a sensitivity label, and optionally enforce protection actions like encryption. They want this solution to run on the on-premises file servers without needing to manually scan. Which Microsoft Purview solution should the compliance team deploy?

A. Microsoft Purview Data Loss Prevention (DLP) for on-premises
B. Microsoft Purview Information Protection scanner
C. Microsoft Purview Audit
D. Microsoft Purview eDiscovery
Answer: B

Correct. The scanner discovers, classifies, and protects sensitive data on on-premises file servers by applying sensitivity labels and optionally encryption.

Why this answer

The Microsoft Purview Information Protection scanner is designed to run on on-premises Windows Server file shares to automatically discover, classify, and protect sensitive data. It uses content inspection to identify patterns like credit card numbers, applies sensitivity labels, and can enforce encryption without requiring manual scanning.

Exam trap

The trap here is confusing DLP for on-premises repositories with the Information Protection scanner. DLP for on-premises repositories applies DLP policy actions (such as restricting access or quarantining) to files on file shares and SharePoint Server, and it does so through the same scanner; the scanner itself is the component that discovers, classifies and labels files at rest, which is what the question asks for.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview DLP for on-premises repositories enforces DLP policy actions on matched files rather than applying sensitivity labels, and it depends on the Information Protection scanner being deployed in the first place. Option C is wrong because Microsoft Purview Audit is a logging and investigation tool for tracking user and admin activities, not for scanning or classifying file content. Option D is wrong because Microsoft Purview eDiscovery is used for legal discovery and holds, not for automated content classification or labeling.

166
MCQ (medium)

A company wants to automatically detect and alert the security team when a user sign-in appears to originate from a known compromised credential or from an anonymizing VPN service. The company wants to receive a risk score for each sign-in and be able to trigger automated remediation actions. Which Microsoft Entra ID feature should they enable?

A. Microsoft Entra ID Protection
B. Microsoft Entra Identity Governance
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra External Identities
Answer: A

Correct. Microsoft Entra ID Protection detects and responds to identity risks like leaked credentials and anonymous VPN usage.

Why this answer

Microsoft Entra ID Protection is the correct feature because it is specifically designed to detect and respond to identity-based risks, including sign-ins from compromised credentials and anonymizing VPN services (e.g., Tor). It assigns a risk score (low, medium, high) to each sign-in and user, and supports automated remediation actions such as requiring multi-factor authentication (MFA) or blocking sign-in via Conditional Access policies integrated with the risk detection.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'risk' or 'security,' but PIM only manages privileged role activation and does not detect or score sign-in risks from compromised credentials or anonymizing VPNs.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Governance) is wrong because it focuses on managing identity lifecycles, access reviews, and entitlement management, not on real-time risk detection or automated remediation of compromised sign-ins. Option C (Microsoft Entra Privileged Identity Management) is wrong because it is designed for just-in-time privileged access, role activation, and oversight of administrative roles, not for detecting risky sign-ins from anonymized sources or compromised credentials. Option D (Microsoft Entra External Identities) is wrong because it enables collaboration with external users (e.g., B2B and B2C scenarios) and does not include risk detection or scoring for sign-in events.

167
MCQ (easy)

An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?

A. Availability and integrity
B. Confidentiality and integrity
C. Confidentiality and availability
D. Privacy and accountability
Answer: B

Encryption ensures confidentiality by preventing unauthorized reading. Role-based access control on modifications ensures integrity by preventing unauthorized changes. Although the stem asks for two principles, each option is already a pair, so only option B is correct; option C is not supported by the scenario, because neither control addresses uptime or redundancy.

Why this answer

Encryption at rest and in transit directly protects the confidentiality of sensitive customer data by preventing unauthorized access. Role-based access control (RBAC) ensures that only authorized users can modify the data, which upholds integrity by preventing unauthorized or accidental changes. Together, these actions primarily uphold the security principles of confidentiality and integrity.

Exam trap

The trap here is that candidates often confuse 'availability' with 'integrity' because both involve data protection, but encryption and RBAC do not guarantee system uptime or redundancy, which are required for availability.

168
MCQ (medium)

Your organization needs to retain all customer communications data for 7 years due to regulatory requirements. Which Microsoft Purview solution should you use?

A. Microsoft Purview Audit
B. Microsoft Purview eDiscovery
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Data Lifecycle Management
Answer: D

Data Lifecycle Management provides retention policies and retention labels that keep data for a specified duration.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Information Governance) provides retention policies and retention labels that keep content for a specified period, for example seven years, and optionally delete it afterwards. For communications, a retention policy scoped to Exchange mailboxes and Teams messages is the usual configuration; Records Management is the related solution when items must be declared immutable records. Option A is wrong because Audit logs activities. Option B is wrong because eDiscovery searches, holds and exports content but does not set long-term retention. Option C is wrong because Data Loss Prevention prevents data leaks, not retention.

169
MCQ (medium)

A company has an on-premises Active Directory domain and uses Microsoft Entra ID (Azure AD) for cloud applications. They purchase new Windows 10 laptops that are not yet joined to any domain. The IT admin wants users to be able to sign in with their existing on-premises credentials and automatically have the laptops joined to both the on-premises AD domain and Microsoft Entra ID. Which device identity option should the admin configure?

A. Microsoft Entra registered
B. Microsoft Entra joined
C. Microsoft Entra hybrid joined
D. On-premises domain join only
Answer: C

Correct. Hybrid join registers an on-premises domain-joined device in Microsoft Entra ID as well, so the device has an identity in both directories.

Why this answer

Option C is correct because Microsoft Entra hybrid joined devices are joined to the on-premises Active Directory domain and registered in Microsoft Entra ID, so users sign in with their existing on-premises credentials and get single sign-on to cloud applications. Note the order of operations: hybrid join does not perform the domain join itself. The laptop is joined to the on-premises domain first (manually, with a provisioning package, or with Windows Autopilot hybrid join), and Microsoft Entra Connect together with the service connection point then registers it in Entra ID automatically.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra joined' (cloud-only) with 'Microsoft Entra hybrid joined' (dual-joined), failing to recognize that the requirement for on-premises credentials and automatic dual join necessitates the hybrid option.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra registered devices are not joined to any domain; they are only registered in Entra ID for cloud-based access, lacking on-premises AD join. Option B is wrong because Microsoft Entra joined devices are joined solely to Entra ID, not to an on-premises AD domain, so they cannot use on-premises credentials for sign-in. Option D is wrong because an on-premises domain join only connects the device to the local AD, without any integration with Microsoft Entra ID, failing to meet the requirement for cloud join.

170
MCQ (medium)

A company uses Microsoft Entra ID. The IT help desk team needs to be able to reset passwords and manage user account properties, but only for users located in the United Kingdom. The organization has created a dynamic group that contains all UK users. Which Microsoft Entra feature should an administrator use to delegate these administrative permissions specifically to the help desk team, limited to the UK user scope?

A. Administrative Units
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Access Packages
Answer: A

Administrative Units allow you to delegate administrative roles scoped to specific sets of users, groups, or devices. This enables the help desk to manage only UK users.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow an administrator to delegate administrative permissions over a subset of users, groups, or devices. Assigning the Helpdesk Administrator role scoped to an AU that contains the UK users grants the help desk team the ability to reset passwords and manage account properties only for those users. One detail matters in practice: adding the existing dynamic group to the AU brings only the group object into scope, not its members, so the scoped role would not cover the UK users' accounts. Instead, reuse the group's membership rule as a dynamic membership rule on the AU itself (or add the users directly); the scoped role then covers exactly those users.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with scope delegation, assuming PIM can limit permissions to a subset of users, when in fact PIM only controls role activation timing and approval, not the scope of the role's authority.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on conditions like location or risk, not a delegation mechanism for administrative permissions. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not scope permissions to a subset of users like UK users; it controls who can use a role, not where the role applies. Option D is wrong because Access Packages are part of Entitlement Management and are used to automate access requests and approvals for resources like groups or apps, not to delegate administrative permissions for user management tasks.

171
MCQ (medium)

You are reviewing a Conditional Access policy JSON. What is the result of this policy?

A. All users must complete MFA to access all cloud apps
B. Users from untrusted locations must complete MFA or use a compliant device to access Office 365
C. Users must complete MFA and use a compliant device from all locations
D. Users from trusted locations must complete MFA and use a compliant device
Answer: B

The policy excludes trusted locations and uses OR condition.

Why this answer

The policy JSON grants access to Office 365 if the user is from an untrusted location and either completes MFA or uses a compliant device. This matches option B exactly. The 'OR' condition between MFA and compliant device is key, and the scope is limited to Office 365, not all cloud apps.

Exam trap

The trap here is that candidates often misread the 'OR' condition as 'AND' or assume the policy applies to all cloud apps instead of the specific app (Office 365), leading them to choose options A or C.

How to eliminate wrong answers

Option A is wrong because the policy targets only Office 365, not all cloud apps, and it applies only to untrusted locations, not all users. Option C is wrong because the policy uses an 'OR' condition (MFA OR compliant device), not an 'AND', and it applies only to untrusted locations, not all locations. Option D is wrong because the policy targets untrusted locations, not trusted locations, and uses an 'OR' condition, not 'AND'.
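The three Conditional Access questions above (162, 163 and 171) all turn on how assignment conditions and grant controls combine. The Python below is an added example, not code from this page or from Microsoft: it loads a constructed policy in the Microsoft Graph conditionalAccessPolicy JSON shape (the page does not reproduce the JSON that question 171 refers to, so this one is built from the question's description), evaluates sign-ins against it, and renders the policy's effect in the wording the answer options use. The finance application id and the user id are placeholders. The evaluator is a simplified model: it handles the user, application, location and platform conditions and the built-in grant controls, whereas a real evaluation merges every applicable policy and also considers risk, client apps and device filters.

```python
import json
from dataclasses import dataclass

# Constructed policy in the Graph API conditionalAccessPolicy shape, built from
# the description in question 171 (the page does not reproduce its JSON).
# "Office365", "All" and "AllTrusted" are the schema's real tokens.
POLICY = json.loads("""
{
  "displayName": "Office 365 - MFA or compliant device from untrusted locations",
  "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": []},
    "applications": {"includeApplications": ["Office365"], "excludeApplications": []},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    "platforms": null
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
  "sessionControls": null
}
""")

# Constructed policy for question 163: block every platform except Windows.
# The application id is a placeholder, not a real app object id.
WINDOWS_ONLY_POLICY = {
    "displayName": "Finance app - Windows only", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["finance-app-placeholder-id"],
                         "excludeApplications": []},
        "locations": None,
        "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["windows"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

@dataclass
class SignIn:
    """Signals one sign-in presents to the policy engine (placeholder user id)."""
    app_id: str
    trusted_location: bool
    platform: str           # inferred from the user agent: unverified, spoofable
    mfa_satisfied: bool
    device_compliant: bool  # reported by Intune through the device identity
    user_id: str = "user@contoso.example"

def _in_scope(includes, excludes, value, all_token):
    """Graph include/exclude lists: exclusions win; the all-token matches any value."""
    if value in excludes:
        return False
    return all_token in includes or value in includes

def policy_applies(policy, s):
    """True when every configured assignment condition matches the sign-in."""
    cond = policy["conditions"]
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if not _in_scope(users.get("includeUsers", []), users.get("excludeUsers", []),
                     s.user_id, "All"):
        return False
    if not _in_scope(apps.get("includeApplications", []),
                     apps.get("excludeApplications", []), s.app_id, "All"):
        return False
    loc = cond.get("locations")
    if loc:  # trusted locations drop out only when "AllTrusted" is excluded
        inc, exc = loc.get("includeLocations", []), loc.get("excludeLocations", [])
        included = "All" in inc or ("AllTrusted" in inc and s.trusted_location)
        if not included or ("AllTrusted" in exc and s.trusted_location):
            return False
    plat = cond.get("platforms")
    if plat and not _in_scope(plat.get("includePlatforms", []),
                              plat.get("excludePlatforms", []), s.platform, "all"):
        return False
    return True

def evaluate(policy, s):
    """Outcome of a single policy for a single sign-in."""
    if policy.get("state") != "enabled":
        return "not enforced (policy disabled or report-only)"
    if not policy_applies(policy, s):
        return "grant (policy not applicable)"
    gc = policy.get("grantControls") or {}
    controls = gc.get("builtInControls", [])
    if "block" in controls:
        return "block"
    satisfied = {"mfa": s.mfa_satisfied, "compliantDevice": s.device_compliant}
    results = [satisfied.get(c, False) for c in controls]
    # OR: any one selected control suffices; AND: require all the selected controls
    met = any(results) if gc.get("operator") == "OR" else all(results)
    return "grant" if met else "deny (grant controls not satisfied)"

def describe(policy):
    """Plain-English reading of the policy, in the wording the exam options use."""
    cond, gc = policy["conditions"], policy["grantControls"]
    apps = ", ".join(cond["applications"]["includeApplications"])
    loc = cond.get("locations") or {}
    where = ("from untrusted locations" if "AllTrusted" in loc.get("excludeLocations", [])
             else "from all locations")
    exc_p = (cond.get("platforms") or {}).get("excludePlatforms", [])
    on = f" on platforms other than {', '.join(exc_p)}" if exc_p else ""
    names = {"mfa": "complete MFA", "compliantDevice": "use a compliant device",
             "block": "be blocked"}
    joiner = " or " if gc["operator"] == "OR" else " and "
    what = joiner.join(names.get(c, c) for c in gc["builtInControls"])
    return f"Users {where}{on} must {what} to access {apps}"

if __name__ == "__main__":
    print(describe(POLICY))
    print(evaluate(POLICY, SignIn("Office365", False, "windows", False, True)))
```

Switching the operator to "AND" is exactly the change that turns the question 171 policy into the question 162 requirement (MFA and a compliant device both required), and the Windows-only policy shows why the device platform block works through the exclusion list: the platform value is whatever the client claimed, so the evaluator treats it as unverified while the compliant-device control relies on the Intune-reported state.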

172
Multi-Select (easy)

A company is implementing data classification in Microsoft Purview. Which THREE of the following are types of sensitive information that can be detected using built-in sensitive information types?

Select 3 answers
A. Passport numbers
B. Social security numbers
C. Credit card numbers
D. Favorite color
E. Project codenames
Answers: A, B, C

Passport numbers, social security numbers and credit card numbers are all built-in sensitive information types.

Why this answer

Options A, B and C are correct. Built-in sensitive information types include passport numbers (A, for example the U.S. and U.K. passport number types), social security numbers (B, U.S. Social Security Number) and credit card numbers (C). Option D is incorrect because favorite color is not a built-in type. Option E is incorrect because project codenames are organization-specific and would need a custom sensitive information type (a keyword list or regular expression, for instance) or a trainable classifier.

173
Multi-Selecthard

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

Select 3 answers
A.Verify explicitly
B.Least privilege access
C.Assume breach
D.Network segmentation
AnswersA, B, C

Correct. 'Verify explicitly' requires that every access request be fully authenticated, authorized, and encrypted before access is granted, 'Least privilege access' limits access to the minimum necessary resources, and 'Assume breach' is the third core Zero Trust principle.

Why this answer

Option A is correct because the 'Verify explicitly' principle of Zero Trust requires that every access request must be fully authenticated, authorized, and encrypted before granting access. This means using strong authentication mechanisms (e.g., multifactor authentication) and continuous validation of identity and device health, not just relying on network location or implicit trust.

Exam trap

The trap here is that candidates confuse 'Network segmentation' as a Zero Trust principle when it is actually a supporting control, not one of the three core pillars (Verify explicitly, Least privilege access, Assume breach) that Microsoft emphasizes in the SC-900 exam.

174
MCQmedium

An organization uses Microsoft Intune to manage devices. They want to ensure that only devices marked as compliant can access corporate email in Exchange Online. Which Conditional Access component should they configure?

A.Conditions -> Device state
B.Grant controls -> Require device to be marked as compliant
C.Sign-in risk policy
D.Session controls -> Use Conditional Access App Control
AnswerB

This Grant control enforces that only devices evaluated as compliant by Intune (or another MDM) can access the resource, directly meeting the requirement.

Why this answer

Option B is correct because the 'Require device to be marked as compliant' grant control in Conditional Access enforces that only Intune-compliant devices can access Exchange Online. This integrates with Microsoft Entra ID to check the device compliance status reported by Intune before granting access to corporate email.

Exam trap

The trap here is confusing 'Conditions -> Device state' (which filters by platform or state) with the actual compliance enforcement in 'Grant controls', leading candidates to choose Option A thinking it checks compliance directly.

How to eliminate wrong answers

Option A is wrong because 'Conditions -> Device state' is used to target specific device platforms or states (e.g., Windows, iOS) but does not enforce compliance; it only filters which devices the policy applies to. Option C is wrong because 'Sign-in risk policy' is part of Identity Protection and assesses user sign-in risk (e.g., leaked credentials), not device compliance. Option D is wrong because 'Session controls -> Use Conditional Access App Control' enforces session-level restrictions (e.g., blocking download) via Microsoft Defender for Cloud Apps, not device compliance checks.

175
MCQhard

You are reviewing a Microsoft Purview auto-labeling policy configuration. Based on the exhibit, what happens when a document contains a credit card number and is labeled 'Confidential'?

A.Access is allowed
B.Encryption is applied to the document
C.An administrator is notified
D.Access is blocked
AnswerD

The rule blocks access when condition met.

Why this answer

Option D is correct because the rule specifies the action 'blockAccess' when the condition 'contains Credit Card Number' and the label 'Confidential' are both met. Option A is wrong because the rule blocks access, not allows it. Option B is wrong because the rule does not apply encryption; it blocks access.

Option C is wrong because the rule does not notify an administrator.

176
MCQeasy

A hospital encrypts patient data stored in a database using AES-256 encryption. If an attacker manages to copy the database file, they cannot read the protected information. Which security goal is primarily achieved by this encryption measure?

A.Confidentiality
B.Integrity
C.Availability
D.Auditability
AnswerA

Confidentiality ensures that sensitive data is not disclosed to unauthorized entities. Encryption transforms data into an unreadable format without the decryption key, thus protecting its confidentiality even if the physical storage is compromised.

Why this answer

AES-256 encryption ensures that even if an attacker gains unauthorized access to the database file, the data remains unreadable without the decryption key. This directly protects the secrecy of the patient data, which is the definition of confidentiality. In the context of the SC-900, encryption at rest is a primary mechanism for achieving confidentiality of stored data.

Exam trap

Microsoft often tests the distinction between confidentiality and integrity, where candidates mistakenly think encryption also verifies that data hasn't been changed, but encryption alone provides no tamper detection—that requires a separate integrity mechanism like HMAC or digital signatures.

How to eliminate wrong answers

Option B is wrong because integrity ensures data has not been tampered with or altered, typically verified through hashing or digital signatures, not encryption. Option C is wrong because availability ensures that data and systems are accessible when needed, which encryption does not directly address (in fact, losing the key can harm availability). Option D is wrong because auditability refers to the ability to track and log access or changes to data, which encryption alone does not provide; audit logs are a separate control.

177
MCQeasy

A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data has not been altered. Hashing provides a fingerprint of the original data; any modification changes the hash, thus verifying integrity.

Why this answer

Cryptographic hashing (e.g., SHA-256) produces a fixed-size digest from the file's contents. By comparing the computed hash with the publisher's published hash, any change to the file—even a single bit—yields a completely different digest, proving the file has not been tampered with. This directly protects the integrity of the data, ensuring it remains unaltered during transit.

Exam trap

The trap here is that candidates confuse 'hashing' with 'encryption' and incorrectly select Confidentiality, or they see 'verification of origin' and jump to Non-repudiation, forgetting that a bare hash only detects modification, not identity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not hashing; hashing does not hide the file's contents. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or DDoS protection, which hashing does not address. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures), whereas a simple hash alone cannot prove who created or sent the file—it only detects modification.

178
MCQmedium

Your company uses Microsoft Defender for Cloud to secure Azure resources. You need to enable network security recommendations for all virtual networks. Which security policy should you enable?

A.Azure Security Benchmark
B.Adaptive network hardening
C.Network Security Group (NSG) flow logs
D.Just-in-time VM access
AnswerA

Azure Security Benchmark includes built-in policies for network security recommendations.

Why this answer

Option A is correct because the 'Azure Security Benchmark' policy initiative includes many network security controls. Option B is wrong because 'Adaptive network hardening' is a recommendation, not a policy. Option D is wrong because 'Just-in-time VM access' is a feature.

Option C is wrong because a Network Security Group (NSG) and its flow logs are a resource, not a policy.

179
MCQhard

A multinational corporation must comply with GDPR and requires that personal data of EU users be retained for a maximum of 90 days after account closure. After that, all personal data must be permanently deleted. Which combination of Microsoft Purview capabilities should be used?

A.Configure an eDiscovery case to delete content after 90 days
B.Create a retention label with a retention period of 90 days and then delete the content automatically
C.Apply a sensitivity label that expires after 90 days
D.Use a Data Loss Prevention policy to block retention after 90 days
AnswerB

Retention labels can apply retention and then trigger deletion after the specified period.

Why this answer

A retention label applied automatically can retain data for 90 days, and a deletion action at the end of the period ensures permanent deletion. Option B is correct. DLP does not handle deletion. eDiscovery is for search, not lifecycle management.

Sensitivity labels do not enforce deletion.

180
MCQhard

Your organization has implemented Microsoft Defender for Cloud to protect Azure resources. You are responsible for security posture management. You need to ensure that all Azure VMs have the latest security updates installed. You have enabled automatic VM patching via Azure Update Manager. However, some VMs are not receiving updates because they are not registered with the Update Manager. You need to identify which VMs are missing updates and ensure they are patched. What should you do?

A.Create an Azure Policy to enforce automatic updates on all VMs.
B.Use the Microsoft Defender for Cloud recommendation 'System updates should be installed on your machines' to identify VMs missing updates, then enable auto-patching for those VMs.
C.Review Microsoft Defender for Cloud security alerts for 'Missing system updates'.
D.Use Azure Update Manager's compliance view to export a list of VMs with missing updates.
AnswerB

This recommendation lists VMs missing updates.

Why this answer

Option B is correct because Microsoft Defender for Cloud provides the recommendation 'System updates should be installed on your machines', which identifies VMs missing updates. Option A is wrong because Azure Policy can enforce compliance but does not directly identify missing updates. Option D is wrong because Azure Update Manager's compliance view shows update status, but it may not show unregistered VMs.

Option C is wrong because security alerts are for threats, not missing updates.

181
MCQhard

Your organization uses Microsoft Entra ID and Microsoft Sentinel. You need to analyze sign-in logs to detect risky sign-ins that are not blocked by Conditional Access policies. Which Microsoft Entra feature provides risk detection and can feed into Sentinel?

A.Microsoft Entra Verified ID
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Entitlement Management
AnswerB

Identity Protection detects risky sign-ins and users, and can be integrated with Sentinel.

Why this answer

Microsoft Entra Identity Protection is the correct feature because it specifically provides risk detection for sign-ins and users, including leaked credentials, anonymous IP addresses, and atypical travel. It can feed these risk detections directly into Microsoft Sentinel via a connector, enabling advanced analysis and automated response. Conditional Access policies can use Identity Protection's risk signals to block or require MFA, but Identity Protection itself identifies the risky sign-ins that policies may not block.

Exam trap

The trap here is that candidates may confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'protection' and security, but PIM focuses on privileged role access, not sign-in risk detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials, not a risk detection or sign-in analysis feature. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role activation, not sign-in risk detection. Option D is wrong because Microsoft Entra Entitlement Management handles access packages and governance for application access, not risk detection for sign-ins.

182
MCQhard

A large enterprise uses Microsoft Entra ID with P2 licenses. The security team wants to implement just-in-time (JIT) access for privileged roles and require approval for role activation. Additionally, they want to receive alerts when a role is activated outside business hours. Which feature should they use?

A.Microsoft Entra Identity Protection.
B.Conditional Access policies.
C.Microsoft Entra Privileged Identity Management (PIM).
D.Microsoft Entra entitlement management.
AnswerC

PIM provides JIT role activation with approval and alerts.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) is the correct feature because it provides just-in-time (JIT) activation of privileged roles, supports approval workflows for role activation, and can send alerts when roles are activated outside business hours. PIM is specifically designed for managing, controlling, and monitoring access to privileged roles in Microsoft Entra ID, including time-bound activation and notification settings.

Exam trap

The trap here is that candidates confuse Conditional Access policies (which control sign-in conditions) with PIM's role activation controls, but Conditional Access cannot manage role activation, approval, or time-based alerts for privileged roles.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a tool for detecting and responding to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not provide JIT role activation, approval workflows, or alerts for role activation timing. Option B is wrong because Conditional Access policies enforce access controls based on conditions like location or device state but cannot manage privileged role activation, approval, or time-based alerts. Option D is wrong because Microsoft Entra entitlement management focuses on managing access packages and resource access for users and groups, not on privileged role activation with JIT, approval, or business-hours alerts.

183
MCQhard

Refer to the exhibit. The KQL query is run in Microsoft Defender for Endpoint. What is the purpose of this query?

A.To find devices with a high number of operations on potentially sensitive files.
B.To list all devices that have files named confidential.
C.To detect malware on devices.
D.To list all file creation events.
AnswerA

Correct: It identifies devices with many events on confidential-named files.

Why this answer

The query looks for devices where multiple file events (over 5) involving files with 'confidential' in the name and larger than 1000 bytes occurred in the last 7 days, grouped by device and action type.

184
MCQeasy

A security analyst downloads a software installer from a vendor's website. To ensure the file has not been tampered with during transmission, the analyst compares the SHA-256 hash of the downloaded file against the hash published on the vendor's official site. This practice primarily validates which security goal?

A.Confidentiality
B.Integrity
C.Availability
D.Authentication
AnswerB

Integrity ensures data has not been altered by unauthorized parties. Comparing hashes validates integrity.

Why this answer

Comparing the SHA-256 hash of the downloaded installer against the vendor's published hash verifies that the file has not been altered during transmission. This directly validates integrity, which ensures data remains unchanged from its original source. Hashing is a one-way cryptographic function; any change in the file, even a single bit, produces a completely different hash value, making tampering detectable.

Exam trap

The trap here is that candidates confuse integrity with authentication, thinking that verifying a hash proves the file came from the vendor, but hashing alone does not authenticate the source—it only confirms the file has not changed since the hash was computed.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., TLS), not through hash verification. Option C is wrong because availability ensures that systems and data are accessible when needed, often addressed by redundancy and disaster recovery, not by file integrity checks. Option D is wrong because authentication verifies the identity of a user or system (e.g., via certificates or passwords), whereas hash comparison confirms data integrity, not the identity of the source.

185
MCQeasy

A company wants to use Microsoft Defender for Office 365 to protect against malicious links in email. Which feature should they enable?

A.Safe Attachments
B.Anti-malware policy
C.Safe Links
D.Anti-spam policy
AnswerC

Safe Links protects against malicious links in email and Office documents.

Why this answer

Safe Links is the Defender for Office 365 feature that provides time-of-click protection against malicious URLs. Option A is wrong because Safe Attachments is for attachments; Option B is wrong because it is the anti-malware policy; Option D is wrong because it is the anti-spam policy.

186
MCQmedium

Your organization uses Microsoft Purview to manage data governance. You need to ensure that sensitive financial data containing credit card numbers is automatically detected and labeled when stored in SharePoint Online. Which compliance solution should you configure?

A.Information Protection auto-labeling
B.eDiscovery (Premium)
C.Data Lifecycle Management
D.Audit (Premium)
AnswerA

Auto-labeling policies can detect sensitive information types like credit card numbers and apply sensitivity labels automatically.

Why this answer

Option A is correct because Microsoft Purview Information Protection includes sensitive information types and auto-labeling policies that can scan and apply sensitivity labels to content in SharePoint Online. Option C is incorrect because Data Lifecycle Management focuses on retention and deletion policies. Option D is incorrect because Audit solutions track activities but do not automatically label content.

Option B is incorrect because eDiscovery is for legal holds and searches, not automatic labeling.

187
MCQmedium

Your organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. You need to ensure that when a user attempts to share a document containing credit card numbers via email, the document is blocked and the user receives a policy tip. What should you configure in the DLP policy?

A.Set the action to 'Audit only'
B.Set the action to 'Block with override'
C.Set the action to 'Block'
D.Set the action to 'Notify only'
AnswerB

'Block with override' blocks the action and displays a policy tip allowing the user to override.

Why this answer

Option B is correct because 'Block with override' applies the block action with a policy tip, enabling the user to override if necessary. Option C is wrong because 'Block' only blocks without a policy tip. Option A is wrong because 'Audit only' only logs the activity.

Option D is wrong because 'Notify only' sends a notification without blocking.

188
MCQmedium

Your organization uses Microsoft Purview to classify data. You need to automatically apply a 'Confidential' sensitivity label to any document that contains a Social Security number. What should you create?

A.An auto-labeling policy for sensitivity labels
B.A sensitivity label policy with manual labeling
C.A Data Loss Prevention (DLP) policy
D.A retention policy
AnswerA

Auto-labeling can automatically apply labels based on sensitive content detected.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive info types such as SSN. Option B is wrong because a manual label policy requires user action. Option C is wrong because a DLP policy blocks sharing but doesn't apply labels.

Option D is wrong because a retention policy manages data retention, not classification.

189
MCQhard

A multinational organization uses Microsoft Entra ID and wants to allow employees to sign in to a custom customer-facing application using their existing social identities (e.g., LinkedIn, Google). They also need to enforce a specific terms of use agreement and be able to revoke a user's access if their social account is compromised. Which Microsoft Entra capability should they configure?

A.Microsoft Entra External ID (B2C)
B.Microsoft Entra B2B collaboration
C.Microsoft Entra Identity Protection
D.Microsoft Entra Conditional Access
AnswerA

B2C is designed for customer-facing applications, supports social identity providers, and allows configuration of terms of use and revocation of user access, meeting all requirements.

Why this answer

Microsoft Entra External ID (B2C) is the correct choice because it is specifically designed for customer-facing applications that need to support social identity providers (like LinkedIn and Google) via OAuth 2.0 and OpenID Connect. It allows you to enforce a custom terms of use agreement during sign-up and provides the ability to revoke a user's access by disabling their account in the B2C directory or removing the social identity mapping, which directly addresses the requirement to respond to a compromised social account.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (designed for external business partners accessing internal apps) with Microsoft Entra External ID (B2C) (designed for customer-facing apps with social identity providers), because both involve external users, but their use cases and capabilities are fundamentally different.

How to eliminate wrong answers

Option B (Microsoft Entra B2B collaboration) is wrong because it is designed for business-to-business scenarios, allowing external business partners to access your organization's internal resources (like SharePoint or Teams), not for customer-facing applications with social identity providers. Option C (Microsoft Entra Identity Protection) is wrong because it is a risk-based detection and remediation service for user sign-ins and identities, not a solution for managing external customer identities or enforcing terms of use agreements. Option D (Microsoft Entra Conditional Access) is wrong because it is a policy engine that enforces access controls (like MFA or device compliance) on sign-ins to your own resources, but it does not provide the ability to manage social identity providers or host a separate customer identity directory.

190
MCQmedium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to ensure that only devices that are enrolled in Intune and compliant with your organization's security policies can access corporate email. Which Microsoft Entra feature should you use?

A.Microsoft Entra Entitlement Management
B.Microsoft Entra Conditional Access
C.Microsoft Entra Privileged Identity Management (PIM)
D.Microsoft Entra Terms of Use
AnswerB

Conditional Access can enforce device compliance as a condition for access.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it enforces policy-based access controls that evaluate device compliance status reported by Microsoft Intune. By configuring a Conditional Access policy to require 'Device to be marked as compliant,' only devices enrolled in Intune and meeting security policies can access corporate email, leveraging the integration between Entra ID and Intune.

Exam trap

The trap here is that candidates often confuse Conditional Access with Privileged Identity Management (PIM) because both involve access control, but PIM focuses on privileged roles, not device compliance enforcement.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management manages access packages and identity governance for resource access, not device-level compliance enforcement. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) controls just-in-time privileged role activation and access reviews, not device compliance checks. Option D is wrong because Microsoft Entra Terms of Use presents acceptance agreements to users but does not evaluate device enrollment or compliance status.

191
Matchingmedium

Match each identity term to its correct meaning.


Concepts
Matches

An entity that can be authenticated

Proving you are who you claim to be

Determining what an authenticated user can do

Trust relationship between identity providers

Creating and managing user accounts and access

Why these pairings

These are fundamental identity concepts.

192
MCQmedium

A company manages Azure virtual machines and on-premises servers. The security team needs a single dashboard that provides a secure score and actionable recommendations to improve the security posture across both environments. Which Microsoft solution should be used?

A.Microsoft 365 Defender portal
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerB

Defender for Cloud delivers security posture management with secure score and recommendations for Azure, on-premises, and multi-cloud environments.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that displays a secure score and actionable recommendations for Azure virtual machines, on-premises servers, and other cloud workloads. It integrates with Azure Arc to extend security monitoring to on-premises resources, enabling a single view of security posture across hybrid environments.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (formerly Azure Security Center) with Microsoft 365 Defender, assuming the latter covers all security needs, but Microsoft 365 Defender is limited to Microsoft 365 workloads and does not assess Azure or on-premises infrastructure security posture.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Defender portal focuses on protecting Microsoft 365 workloads (e.g., email, endpoints, identities) and does not provide a secure score or recommendations for Azure VMs or on-premises servers. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not a dashboard for secure score and posture recommendations. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that focuses on shadow IT and app governance, not on infrastructure-level secure score or hybrid server recommendations.

193
MCQmedium

A company must retain all financial records for exactly 7 years and then automatically delete them. They need to automatically apply a retention label to any document that contains the words 'Invoice' or 'Statement'. Which Microsoft Purview solution should they use?

A.Data Lifecycle Management (retention labels with auto-apply)
B.Data Loss Prevention (DLP)
C.eDiscovery (Standard)
D.Audit
AnswerA

Retention labels with auto-apply policies can automatically label content based on keywords or sensitive info types, and enforce the specified retention and deletion settings.

Why this answer

Data Lifecycle Management (DLM) with auto-apply retention labels is the correct solution because it allows you to define a retention label that automatically applies to documents containing the keywords 'Invoice' or 'Statement' using a sensitive info type or trainable classifier. You can then configure the label to retain the data for exactly 7 years and trigger automatic deletion at the end of that period. This directly meets the requirement for both automated classification and lifecycle enforcement.

Exam trap

The trap here is that candidates confuse Data Lifecycle Management (which handles retention and deletion) with Data Loss Prevention (which handles security and access control), because both involve 'labels' and 'policies' in Microsoft Purview.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) is designed to prevent unauthorized sharing or leakage of sensitive data through policies that block or warn users, not to manage retention or deletion schedules. Option C is wrong because eDiscovery (Standard) is used for searching and exporting content for legal or investigative purposes, not for applying retention labels or automating data lifecycle policies. Option D is wrong because Audit (Microsoft Purview Audit) provides logging and visibility into user and admin activities, but it cannot apply retention labels or enforce data retention/deletion rules.

194
Multi-Selectmedium

Your organization is planning to implement Microsoft Entra ID for identity and access management. Which TWO capabilities are provided by Microsoft Entra ID?

Select 2 answers
A.External identity management for customer-facing apps
B.Security event log analysis
C.Identity governance (e.g., access reviews)
D.Mobile device management (MDM)
E.Single sign-on (SSO) for cloud applications
AnswersC, E

Correct: Microsoft Entra ID includes access reviews and entitlement management as part of identity governance.

Why this answer

Microsoft Entra ID provides identity governance capabilities such as access reviews, which allow administrators to automate the process of reviewing and certifying user access to applications and groups. This ensures compliance and security by regularly validating that users have appropriate access rights. Single sign-on (SSO) is a core feature of Entra ID, enabling users to authenticate once and access multiple cloud applications without re-entering credentials, leveraging protocols like OAuth 2.0 and SAML 2.0.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID (workforce identity) with Microsoft Entra External ID (customer identity) or assume that log analysis and MDM are part of Entra ID, when they belong to separate Azure services like Sentinel and Intune.

195
MCQmedium

A company needs to ensure that only approved devices can access corporate resources. Which Microsoft Entra feature should they combine with Microsoft Intune?

A.Conditional Access
B.Application Proxy
C.Identity Protection
D.Privileged Identity Management
AnswerA

Conditional Access can require device compliance via Intune.

Why this answer

Conditional Access is the Microsoft Entra feature that enforces policies to grant or block access based on conditions such as device compliance. When combined with Microsoft Intune, which manages device compliance policies (e.g., requiring encryption, a specific OS version, or a healthy device health attestation), Conditional Access can block access from non-compliant or unapproved devices. This integration ensures that only devices marked as compliant by Intune can access corporate resources.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with user risk) with device-based access control, but Conditional Access is the policy engine that enforces device compliance from Intune.

How to eliminate wrong answers

Option B is wrong because Application Proxy provides secure remote access to on-premises web applications without requiring a VPN, but it does not enforce device compliance or approval. Option C is wrong because Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, impossible travel), but it does not control which devices are allowed to access resources. Option D is wrong because Privileged Identity Management manages just-in-time privileged role assignments and access reviews, not device-level access control.

196
MCQhard

A Microsoft 365 organization needs to classify and protect sensitive documents based on their content, such as passport numbers. They want the classification to be applied automatically without user intervention. Which Microsoft Purview solution should they use?

A.Unified labeling client
B.Data Loss Prevention (DLP) policies
C.Trainable classifiers
D.Auto-labeling with sensitivity labels
AnswerD

Auto-labeling automatically applies sensitivity labels based on content detection.

Why this answer

Auto-labeling in Microsoft Purview Information Protection uses policy conditions (sensitive information types such as passport numbers, or trainable classifiers) to apply sensitivity labels to documents automatically, with no user action. Trainable classifiers (Option C) are a detection method that an auto-labeling policy can use, not a labeling mechanism on their own, and custom classifiers must first be trained on sample content. Data Loss Prevention policies (Option B) detect sensitive content and enforce actions such as blocking or notifying, but they do not apply sensitivity labels. The unified labeling client (Option A) is an endpoint component for applying labels in Office apps and File Explorer, not a Purview service that classifies content automatically across Microsoft 365.

197
MCQeasy

A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?

A.The customer
B.The cloud provider
C.Both the customer and the cloud provider equally
D.Neither the customer nor the cloud provider
AnswerB

In SaaS, the cloud provider is responsible for physical security, including data center infrastructure, networking, and hardware.

Why this answer

In the shared responsibility model for SaaS, the cloud provider is responsible for the physical security of the data centers, including hardware, network infrastructure, and physical access controls. The customer is responsible for securing their own data, user access, and compliance within the service, but not the underlying physical infrastructure.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for IaaS or PaaS with SaaS, incorrectly assuming the customer has some physical security duties, when in fact for SaaS the provider handles all physical and infrastructure security.

How to eliminate wrong answers

Option A is wrong because the customer does not have physical access to or control over the data center facilities; their responsibility is limited to data, accounts, and access management within the SaaS application. Option C is wrong because physical security is not shared equally; the cloud provider retains sole responsibility for the physical data center, while the customer handles logical security of their own data. Option D is wrong because the cloud provider is explicitly responsible for physical security under the shared responsibility model, so it is not the case that neither party is responsible.

198
MCQeasy

Your organization needs to create a policy that prevents users from sharing credit card numbers in emails. Which Microsoft Purview solution should you configure?

A.Communication Compliance
B.Retention policy
C.eDiscovery
D.Data loss prevention (DLP) policy
AnswerD

DLP policies detect and block sensitive data sharing.

Why this answer

Option D is correct because Data Loss Prevention (DLP) policies use sensitive information types such as 'Credit Card Number' to detect that data in email and can block the message, show the sender a policy tip, or require a business justification. Option A is wrong because Communication Compliance monitors messages for policy violations such as harassment or regulatory breaches and routes them to reviewers; it does not block specific data types. Option B is wrong because retention policies manage the lifecycle (retain/delete) of content. Option C is wrong because eDiscovery is for searching, holding, and exporting content for investigations.

199
MCQmedium

A company is involved in a legal case and must preserve all emails and documents sent by a specific employee (custodian) that are related to a particular matter. The legal team needs to collect this data into a tamper-proof container for review, ensuring that no original items are modified or deleted. Which Microsoft Purview solution should they use?

A.Retention labels
B.eDiscovery (Standard)
C.eDiscovery (Premium)
D.Data Lifecycle Management
AnswerC

Correct. eDiscovery (Premium) provides end-to-end data preservation, collection, and analysis for legal cases, including custodian management, holds, and secure review sets.

Why this answer

eDiscovery (Premium) is the correct solution because it provides advanced capabilities for legal investigations, including the ability to place a legal hold on specific custodians (the employee) and preserve all relevant emails and documents in a tamper-proof container. This ensures that no original items are modified or deleted during the review process, meeting the requirements of the legal case.

Exam trap

The trap here is confusing eDiscovery (Standard) with eDiscovery (Premium): both can search content and place holds, but only Premium adds custodian management, collection into review sets (the tamper-proof container the question describes), and the analytics used during review.

How to eliminate wrong answers

Option A is wrong because retention labels classify and retain data according to organizational policy; they do not place legal holds or collect data into a container for review. Option B is wrong because eDiscovery (Standard) supports cases, holds on mailboxes and sites, search, and export, but it lacks custodian management, collection into review sets, and the review and analytics tooling needed for the tamper-proof container described. Option D is wrong because Data Lifecycle Management automates retention and deletion of data based on policies; it does not preserve data for legal cases or provide a review container.

200
MCQhard

A multinational company needs to enforce multi-factor authentication for all users but exclude a break-glass emergency account. Which approach should they take in Microsoft Entra ID?

A.Use identity protection to require MFA only for high-risk users
B.Enable security defaults and add the break-glass account to a group that bypasses MFA
C.Enable per-user MFA for all users and turn off for the break-glass account
D.Create a Conditional Access policy requiring MFA for all users, excluding the break-glass account
AnswerD

Conditional Access allows excluding specific accounts from MFA requirements.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow granular control over authentication requirements, including the ability to exclude specific users or groups. By creating a policy that requires multi-factor authentication (MFA) for all users but explicitly excludes the break-glass account, the company enforces MFA broadly while keeping emergency access available. This approach is more flexible and scalable than per-user MFA or security defaults, which cannot selectively bypass MFA for critical accounts. Microsoft's guidance is to exclude emergency access accounts from every Conditional Access policy and to alert on any sign-in by those accounts, because an excluded account is outside the policy's protection and its use must be noticed immediately.

Exam trap

The trap here is that candidates may confuse security defaults with Conditional Access, assuming security defaults can be customized with exclusions, when in fact security defaults are a fixed baseline that cannot be modified to exclude specific accounts.

How to eliminate wrong answers

Option A is wrong because Identity Protection's risk-based policies require MFA only for users flagged as high-risk, not for all users, which fails to enforce universal MFA as required. Option B is wrong because security defaults enforce MFA for all users globally and do not allow excluding specific accounts via group membership; adding a break-glass account to a group does not bypass MFA in security defaults. Option C is wrong because per-user MFA is a legacy, less secure approach that does not support modern Conditional Access exclusions; turning off MFA for the break-glass account via per-user settings is possible but lacks the centralized control and reporting of Conditional Access, and Microsoft recommends migrating away from per-user MFA.

201
MCQhard

A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?

A.Microsoft is responsible because they provide the cloud service and must protect against all threats.
B.The customer is responsible because they control user devices, accounts, and access policies.
C.Both Microsoft and the customer share equal responsibility for all layers of the service.
D.Neither party is responsible because the employee bypassed security controls.
AnswerB

The customer must secure endpoints, enforce strong authentication (e.g., MFA), and control access to protect against credential theft and misuse.

Why this answer

Under the shared responsibility model, the customer is responsible for securing user devices, managing user accounts, and configuring access policies. In this scenario, the keylogging malware on the employee's corporate laptop is a customer-side endpoint security issue, and the attacker used stolen credentials to access Exchange Online. Microsoft is responsible for the security of the cloud infrastructure (e.g., physical data centers, network, and hypervisor), but not for threats originating from compromised customer-managed devices or user accounts.

Exam trap

The trap here is that candidates assume Microsoft is fully responsible for all security in a SaaS model, overlooking that the customer must secure user devices, enforce strong authentication (like MFA), and manage account hygiene.

How to eliminate wrong answers

Option A is wrong because Microsoft is not responsible for protecting against all threats; it secures the cloud service and its infrastructure (e.g., Microsoft Entra ID and the Exchange Online service) but not customer-managed endpoints or user credentials. Option C is wrong because responsibility is not equal for all layers; the customer owns identity and device security, while Microsoft owns the underlying service platform. Option D is wrong because the employee did not bypass security controls; the malware captured credentials without defeating any configured policy, and responsibility still lies with the customer to enforce controls such as multi-factor authentication (MFA) and endpoint protection.

202
MCQmedium

A company uses Microsoft Entra ID and wants to configure self-service password reset (SSPR) for all users. The security team requires that users must verify their identity with at least two methods before resetting a password. Which SSPR setting should be configured?

A.Number of methods required to reset: 2
B.Require re-registration on every authentication
C.Enable combined registration for SSPR and MFA
D.Set password expiration to 0 days
AnswerA

This setting directly specifies how many authentication methods a user must complete to reset their password. Setting it to 2 meets the requirement.

Why this answer

Self-Service Password Reset (SSPR) in Microsoft Entra ID allows administrators to set the number of authentication methods required to reset a password. By setting 'Number of methods required to reset' to 2, users must provide two verification methods (e.g., email and phone) to confirm their identity.

Exam trap

Candidates might confuse combined registration (Option C) with the number of methods required for reset, overlooking the direct control for identity verification.

203
Multi-Selecthard

Which THREE of the following are capabilities provided by Microsoft Entra ID Protection? (Select three.)

Select 3 answers
A.Automated investigation and remediation of identity risks
B.Passwordless authentication options
C.Device compliance assessment
D.Detection of compromised credentials and risky sign-ins
E.Risk-based conditional access policies
AnswersA, D, E

ID Protection can automatically respond to risks.

Why this answer

Option A is correct because Microsoft Entra ID Protection can remediate detected risk automatically: a user risk policy can force a secure password reset and a sign-in risk policy can require MFA or block the sign-in, without an administrator intervening. Option D is correct because the service's core function is detecting compromised credentials (for example, leaked credentials found in public dumps) and risky sign-ins (anonymous IP address, atypical travel, unfamiliar sign-in properties). Option E is correct because user risk and sign-in risk are available as conditions in Conditional Access, which is how those automated responses are expressed as policy. Option B is wrong because passwordless methods (FIDO2 keys, Windows Hello for Business, Microsoft Authenticator) belong to Entra authentication methods, and Option C is wrong because device compliance is assessed by Microsoft Intune and consumed by Conditional Access, not by ID Protection.

Exam trap

The trap here is that candidates may confuse the broader set of Microsoft Entra ID features (like passwordless authentication or device compliance) with the specific risk detection and response capabilities of Entra ID Protection, which is narrowly focused on identity risk management.

204
MCQhard

A company uses Microsoft Intune for mobile device management (MDM). They need to ensure that corporate data on personal devices is encrypted. Which configuration profile type should they deploy?

A.Email profile
B.Certificate profile
C.Compliance policy
D.Device restrictions profile
AnswerD

Device restrictions profile includes security settings like encryption.

Why this answer

Device restrictions profiles are the configuration profile type that pushes device-level security settings, including the password requirements on which built-in storage encryption (iOS/iPadOS data protection, Android device encryption) depends. Option A is wrong because an email profile only configures mail accounts; Option B is wrong because a certificate profile deploys certificates; Option C is wrong because a compliance policy evaluates whether a device meets requirements (it can require encryption as a condition for Conditional Access) but is not a configuration profile that applies settings.

205
MCQhard

A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?

A.Patching the operating system of the underlying physical and virtual hosts
B.Configuring the firewall rules for the web application
C.Managing user access to the application
D.Encrypting the application data at rest in Azure SQL Database
AnswerA

In PaaS, Microsoft is responsible for maintaining and patching the host OS and infrastructure, freeing the customer from managing these layers.

Why this answer

In a PaaS deployment like Azure App Service, Microsoft is responsible for the security of the underlying cloud infrastructure, including patching the operating system of the physical and virtual hosts that run the platform. This is a core tenet of the shared responsibility model: the customer manages application-level security (code, authentication, TLS) while Microsoft manages the host OS and hypervisor.

Exam trap

The trap here is that candidates often assume encryption of data at rest is entirely Microsoft's responsibility in PaaS. Microsoft enables Transparent Data Encryption (TDE) with service-managed keys by default, but the customer decides whether to use customer-managed keys in Azure Key Vault, controls access to those keys, and remains accountable for demonstrating compliance, so it is a shared task rather than a sole Microsoft responsibility.

How to eliminate wrong answers

Option B is wrong because configuring firewall rules for the web application (e.g., App Service access restrictions, or network security groups for an integrated virtual network) is a customer responsibility, as it involves application-level network controls. Option C is wrong because managing user access to the application (e.g., authentication and authorization) is the customer's responsibility, as it pertains to identity and access management for the application's users. Option D is wrong because encrypting application data at rest in Azure SQL Database is a shared responsibility: Microsoft provides TDE by default with service-managed keys, while the customer is responsible for customer-managed key configuration, key access and rotation if they opt in, and for ensuring the encryption meets their own compliance requirements.

206
MCQmedium

Refer to the exhibit. An administrator creates a DLP rule as shown. What is the expected outcome when a user tries to share a file containing a U.S. Social Security Number with an external recipient?

A.The sharing is blocked only if the user is not the file owner.
B.The sharing is allowed, but an audit event is generated.
C.The file is shared, but the user is notified and must provide justification.
D.The sharing is blocked, and the user receives a notification.
AnswerD

BlockAccess action with UserNotification true blocks and notifies.

Why this answer

Option D is correct because the rule's action is BlockAccess and user notification is enabled, so the share is blocked and the user receives a notification (policy tip). Option A is wrong because the rule's condition is sharing with an external recipient; it does not distinguish the file owner from other users. Option B is wrong because BlockAccess stops the share rather than only generating an audit event. Option C is wrong because the rule does not enable user override with a business justification.
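The two DLP outcomes above (question 198's credit-card rule and question 206's BlockAccess-with-notification rule) as an added Python model, not Microsoft code: the sensitive information type matching and the rule evaluation are approximations written for this page, and the tenant domain, rules and sample messages are constructed.

```python
"""Toy model of Microsoft Purview DLP rule evaluation (added example, not Microsoft's code).

Two built-in sensitive information types are approximated closely enough to run offline:
  * Credit Card Number: 13-19 digits with optional space/dash separators, confirmed by Luhn
  * U.S. Social Security Number, dash-formatted: values that are never issued
    (area 000, 666, 900-999; group 00; serial 0000) are rejected
and a rule object whose fields mirror the BlockAccess / NotifyUser / override settings of a
DLP rule. The internal domain, rules and messages are constructed for the demo.
"""
import re
from dataclasses import dataclass

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9 to one digit, total % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_info(text: str) -> set:
    """Names of the sensitive information types detected in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):   # checksum filters random digit runs
            found.add("Credit Card Number")
    if SSN_RE.search(text):
        found.add("U.S. Social Security Number (SSN)")
    return found


@dataclass(frozen=True)
class DlpRule:
    name: str
    sensitive_types: frozenset
    external_only: bool     # condition: at least one recipient/sharing target is outside the org
    block_access: bool      # BlockAccess
    notify_user: bool       # NotifyUser (policy tip / e-mail notification)
    allow_override: bool    # user may override the block with a business justification


def is_external(recipient: str, internal_domains: set) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in internal_domains


def evaluate(rule: DlpRule, content: str, recipients: list, internal_domains: set) -> dict:
    """Outcome of one send/share event under the rule."""
    matched = find_sensitive_info(content) & rule.sensitive_types
    external = any(is_external(r, internal_domains) for r in recipients)
    if not matched or (rule.external_only and not external):
        return {"action": "allow", "notify": False, "matched": matched}
    if rule.block_access:
        action = "block_unless_justified" if rule.allow_override else "block"
    else:
        action = "allow"   # audit-only rule: the match is logged but nothing is stopped
    return {"action": action, "notify": rule.notify_user, "matched": matched}


INTERNAL_DOMAINS = {"contoso.com"}   # assumed tenant domain

CREDIT_CARD_RULE = DlpRule("Block credit card numbers in external email",
                           frozenset({"Credit Card Number"}),
                           external_only=True, block_access=True, notify_user=True, allow_override=False)
SSN_SHARING_RULE = DlpRule("Block external sharing of SSNs",
                           frozenset({"U.S. Social Security Number (SSN)"}),
                           external_only=True, block_access=True, notify_user=True, allow_override=False)

# Constructed sample content
CARD_MSG = "Please charge card 4111 1111 1111 1111 for the invoice."
BAD_LUHN_MSG = "Reference number 4111 1111 1111 1112 is not a card."
SSN_MSG = "Employee SSN: 123-45-6789"

if __name__ == "__main__":
    print(evaluate(CREDIT_CARD_RULE, CARD_MSG, ["bob@fabrikam.com"], INTERNAL_DOMAINS))
    print(evaluate(CREDIT_CARD_RULE, BAD_LUHN_MSG, ["bob@fabrikam.com"], INTERNAL_DOMAINS))
    print(evaluate(SSN_SHARING_RULE, SSN_MSG, ["ext@fabrikam.com"], INTERNAL_DOMAINS))
    print(evaluate(SSN_SHARING_RULE, SSN_MSG, ["alice@contoso.com"], INTERNAL_DOMAINS))
```

The Luhn check is what keeps a 16-digit reference number from being treated as a card, which is also why the real 'Credit Card Number' type reports few false positives; the same message sent to an internal recipient is allowed because the condition, not the action, decides whether the rule fires at all.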

207
MCQeasy

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to identify resources that are missing system updates. Which feature should they use?

A.Just-in-time VM access
B.Vulnerability assessment solutions
C.Adaptive application controls
D.Secure Score recommendations
AnswerD

Secure Score includes recommendations for missing updates.

Why this answer

Defender for Cloud's Secure Score is built from security recommendations, and the recommendation that machines should have system updates installed is what identifies resources missing updates. Option B is incorrect because vulnerability assessment solutions focus on known software vulnerabilities; missing updates surface as a Secure Score recommendation. Option A is incorrect because just-in-time VM access limits exposure of management ports.

Option C is incorrect because adaptive application controls allowlist applications.

208
MCQmedium

Your company uses Microsoft Entra ID with P1 licenses. You need to implement a policy that blocks access to Microsoft 365 from countries that are not authorized, except for users who are members of a specific security group. Which Microsoft Entra feature should you use?

A.Microsoft Entra Identity Protection.
B.Microsoft Entra entitlement management.
C.Microsoft Entra B2B collaboration.
D.Conditional Access policy with location condition and group exclusion.
AnswerD

Conditional Access can block by location and exclude specific groups.

Why this answer

D is correct because Conditional Access policies in Microsoft Entra ID allow you to define access controls based on location conditions, such as blocking access from specific countries. You can then exclude a security group from the block, ensuring that members of that group can still access Microsoft 365 from unauthorized countries. This directly meets the requirement of blocking access except for users in a specific group.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with risk-based policies) with Conditional Access (which handles broader access controls like location), leading them to select A instead of D.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a feature for detecting and responding to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), not for implementing location-based access blocks with group exclusions. Option B is wrong because Microsoft Entra entitlement management is used to manage access packages and identity governance (e.g., automated access reviews and assignment of resources), not for enforcing real-time location-based access policies. Option C is wrong because Microsoft Entra B2B collaboration is designed to enable external users (guests) to access your organization's resources, not to block or allow internal users based on geographic location.
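A toy evaluator for the policy shapes in questions 200 and 208 (and the device-compliance grant of question 195), added here as example code rather than anything from Microsoft or the page: the precedence of exclusions over inclusions, an "any location minus the authorized named location" block, and grant controls are modelled in Python with constructed users, groups, countries and policy names.

```python
"""Toy Conditional Access evaluator (added example, not Microsoft's policy engine).

Covers the policy pieces the break-glass and location questions turn on:
  * assignments: include/exclude users and groups, where an exclusion always wins
  * conditions: locations (modelled as countries) with include/exclude, device compliance
  * controls: block, or grant requiring MFA and/or a compliant device
Users, groups, countries and policy names are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    country: str
    device_compliant: bool
    mfa_done: bool


@dataclass(frozen=True)
class Policy:
    name: str
    include_users: frozenset = frozenset({"All"})
    exclude_users: frozenset = frozenset()
    include_groups: frozenset = frozenset()
    exclude_groups: frozenset = frozenset()
    include_countries: Optional[frozenset] = None   # None = any location
    exclude_countries: frozenset = frozenset()
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False

    def applies_to(self, s: SignIn) -> bool:
        # Exclusions take precedence over inclusions; this is how an emergency access
        # account stays outside an "All users" policy.
        if s.user in self.exclude_users or s.groups & self.exclude_groups:
            return False
        in_scope = ("All" in self.include_users or s.user in self.include_users
                    or bool(s.groups & self.include_groups))
        if not in_scope:
            return False
        if self.include_countries is not None and s.country not in self.include_countries:
            return False
        return s.country not in self.exclude_countries


def evaluate(policies: list, s: SignIn) -> tuple:
    """Return (outcome, names of the policies that applied).

    Block wins over any grant; otherwise every grant control of every applicable
    policy must already be satisfied for the sign-in to be granted."""
    applied = [p for p in policies if p.applies_to(s)]
    names = [p.name for p in applied]
    if any(p.block for p in applied):
        return "block", names
    if any(p.require_compliant_device for p in applied) and not s.device_compliant:
        return "compliant_device_required", names
    if any(p.require_mfa for p in applied) and not s.mfa_done:
        return "mfa_required", names
    return "grant", names


BREAK_GLASS = "emergency-admin@contoso.com"      # assumed emergency access account
AUTHORIZED = frozenset({"US", "GB", "DE"})       # assumed named location "Authorized countries"
TRAVEL_GROUP = "CA-Exempt-Travelling-Staff"      # assumed security group

POLICIES = [
    Policy("Require MFA for all users", exclude_users=frozenset({BREAK_GLASS}), require_mfa=True),
    Policy("Require compliant device", exclude_users=frozenset({BREAK_GLASS}),
           require_compliant_device=True),
    # "Any location" minus the authorized named location = block from unauthorized countries
    Policy("Block unauthorized countries", exclude_users=frozenset({BREAK_GLASS}),
           exclude_groups=frozenset({TRAVEL_GROUP}), exclude_countries=AUTHORIZED, block=True),
]


def check(user, country, groups=(), compliant=True, mfa=True):
    return evaluate(POLICIES, SignIn(user, frozenset(groups), country, compliant, mfa))


if __name__ == "__main__":
    print(check("alice@contoso.com", "FR"))                       # block
    print(check("bob@contoso.com", "FR", groups=[TRAVEL_GROUP]))  # grant
    print(check("alice@contoso.com", "US", mfa=False))            # mfa_required
    print(check(BREAK_GLASS, "FR", compliant=False, mfa=False))   # grant: excluded everywhere
```

The last call is the point of the break-glass question: because the emergency account is excluded from every policy, no policy applies to it and it is granted with neither MFA nor a compliant device, which is exactly why such an account needs a very strong credential and sign-in alerting rather than policy protection.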

209
MCQmedium

Your organization uses Microsoft Purview to label documents. Users report that some documents are automatically labeled as 'Confidential' even though the content is public. Which action should you take to resolve this issue?

A.Enable auditing to track label usage
B.Disable auto-labeling in all sensitivity label policies
C.Review and adjust the auto-labeling rules in the sensitivity label policies
D.Require users to manually apply labels
AnswerC

Adjusting the rules ensures only truly confidential content is auto-labeled.

Why this answer

Option C is correct because automatic labeling is driven by the conditions in auto-labeling policies (sensitive information types, trainable classifiers, keywords); when public content is being labeled 'Confidential', those conditions are too broad and should be reviewed and tightened, ideally checked in simulation mode before enforcement is turned back on. Option B is wrong because disabling auto-labeling removes the feature but does not fix the rule.

Option D is wrong because manual labeling requires user action, which may not be desired. Option A is wrong because auditing shows what happened but does not change labeling behavior.

210
MCQhard

A financial services company must comply with a regulation that requires all audit-related documents to be retained for 7 years and then permanently deleted. The compliance officer wants to ensure that even if a user modifies or deletes a file, the original content is preserved for the full 7 years, and at the end of the period the files are automatically destroyed without any manual approval. The company uses Microsoft 365 and stores these documents in SharePoint Online and Microsoft Teams. Which Microsoft Purview solution should the compliance officer configure?

A.Microsoft Purview Retention Labels with a disposition review that requires manual approval at the end of the retention period
B.Microsoft Purview Retention Policy with a record label to mark items as regulatory records
C.Microsoft Purview Data Lifecycle Management using a retention policy configured to retain items for 7 years and then delete them automatically
D.Microsoft Purview eDiscovery with a hold policy to preserve the documents indefinitely
AnswerC

A retention policy can be set to retain content for a specified period and then automatically delete it, meeting both the preservation and automatic deletion requirements without manual steps.

Why this answer

Option C is correct because Microsoft Purview Data Lifecycle Management allows you to create a retention policy that retains items for a fixed period (7 years) and then automatically deletes them without any manual intervention. This meets the regulatory requirement for automatic destruction at the end of the retention period, and the policy applies to both SharePoint Online and Microsoft Teams, preserving the original content even if a user modifies or deletes the file.

Exam trap

The trap here is that candidates often confuse retention policies with record labels or eDiscovery holds, mistakenly thinking that marking items as records or placing them on hold satisfies the automatic deletion requirement, but these options either require manual approval or preserve data indefinitely, failing the 'automatically destroyed' condition.

How to eliminate wrong answers

Option A is wrong because a disposition review requires manual approval at the end of the retention period, which contradicts the requirement for automatic destruction without manual approval. Option B is wrong because records are declared by retention labels, not by a retention policy, and marking content as a regulatory record locks it against edits and against ever relaxing the label; that immutability is not what the requirement asks for, and the deletion at the end of the period comes from the retention setting itself, which a plain retention policy already provides. Option D is wrong because an eDiscovery hold preserves documents indefinitely, which violates the 7-year retention and automatic deletion requirement.

211
Multi-Selecthard

Which THREE of the following are features of Microsoft Purview Communication Compliance? (Choose three.)

Select 3 answers
A.Detect offensive language in emails and Teams messages
B.Monitor communications to ensure compliance with financial regulations
C.Prevent data loss by blocking sensitive data
D.Use trainable classifiers to identify policy violations
E.Search for content across Exchange, SharePoint, and Teams
AnswersA, B, D

Communication Compliance includes built-in classifiers for offensive language.

Why this answer

Option A is correct because Communication Compliance uses built-in classifiers to detect threats, harassment, profanity and similar inappropriate language in emails and Teams messages. Option B is correct because it can monitor communications for regulatory requirements such as financial industry conduct rules and route matches to reviewers. Option D is correct because policies can use built-in and custom trainable classifiers to identify potential violations.

Option C is wrong because blocking sensitive data is Data Loss Prevention, a separate solution. Option E is wrong because cross-workload content search is eDiscovery, a separate solution.

212
Multi-Selectmedium

Which THREE Microsoft Purview features can be used to protect data in Microsoft 365? (Select three.)

Select 3 answers
A.eDiscovery
B.Data Loss Prevention
C.Insider Risk Management
D.Microsoft Defender for Cloud Apps
E.Sensitivity labels
AnswersB, C, E

DLP prevents unauthorized sharing.

Why this answer

Data Loss Prevention, Sensitivity labels, and Insider Risk Management are Purview features that protect data. Defender for Cloud Apps (Option D) is a separate product in the Microsoft Defender family. eDiscovery (Option A) is for discovery and legal holds, not protection.

213
MCQhard

An organization must prove to an auditor that only authorized users have accessed sensitive HR files over the past year. The compliance team needs to generate a report of all access events to these files. Which Microsoft Purview solution should be used?

A.Microsoft Purview Audit (Premium)
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Information Protection
AnswerA

Audit (Premium) logs all access events and enables searching and reporting.

Why this answer

Microsoft Purview Audit records user and admin activity, including file access events in SharePoint Online and OneDrive, and lets the compliance team search and export them. Audit (Premium) is the right choice for a report spanning a full year: Audit (Standard) retains logs for 180 days, whereas Audit (Premium) retains them for one year by default (with longer retention available) and adds high-value events such as mail item access. Information Protection labels and encrypts files but does not log who opened them.

Data Lifecycle Management handles retention. Compliance Manager assesses compliance posture but does not provide access logs.

214
MCQhard

Refer to the exhibit. User2 attempts to activate the Global Administrator role. What must happen before User2 gains the role?

A.User3 must approve the activation request
B.An approver defined in PIM must approve the request
C.User1 must approve the activation request
D.User2 must pass MFA
AnswerB

PIM requires approval from designated approvers.

Why this answer

User2 is attempting to activate the Global Administrator role via Privileged Identity Management (PIM). In PIM, role activation requires approval from a designated approver (User3 in this scenario) before the role is granted. Option B correctly identifies that an approver defined in PIM must approve the request, which is the required step for activation.

Exam trap

The trap here is that candidates may assume MFA is the only requirement for activation, but the exhibit clearly shows an approval workflow is in place, making the approval step the immediate prerequisite before the role is granted.

How to eliminate wrong answers

Option A is wrong because User3 is the designated approver, but the statement 'User3 must approve the activation request' is too specific—it implies User3 is the only possible approver, whereas PIM allows multiple approvers or a group; the correct requirement is that an approver defined in PIM must approve. Option C is wrong because User1 is not mentioned as an approver in the exhibit; the exhibit shows User3 as the approver, so User1 has no role in this approval. Option D is wrong because while MFA may be required as part of the activation process (depending on policy), the question specifically asks what must happen before User2 gains the role, and the exhibit shows the approval step is the immediate prerequisite; MFA is often a separate prerequisite but not the direct answer to this scenario.

215
MCQmedium

An organization uses Microsoft Entra ID to manage user access. The security policy requires that membership in the 'Finance - Sensitive Data' group must be reviewed every quarter by the group owner to confirm that each member still requires access. The group owner must approve or deny each membership, and any denied memberships should be automatically removed. Which Microsoft Entra ID feature should be configured to automate this process?

A.Microsoft Entra ID Access Reviews
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Protection
AnswerA

Correct. Access Reviews enable periodic attestation of group memberships and application access with automatic removal of denied users.

Why this answer

Microsoft Entra ID Access Reviews is the correct feature because it enables periodic review of group memberships, where the group owner can approve or deny each member's continued access. When a member is denied, Access Reviews can be configured to automatically remove that user from the group, satisfying the security policy's requirement for quarterly reviews and automatic removal of denied memberships.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve approvals, but PIM handles time-bound role activation for privileged roles, not recurring membership reviews for standard groups.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM is designed for just-in-time privileged role activation and approval workflows for elevated roles, not for recurring membership reviews of a standard security group like 'Finance - Sensitive Data'. Option C (Conditional Access) is wrong because Conditional Access enforces access policies based on signals like location or device compliance at sign-in time, but it does not provide a mechanism for periodic group membership review or automatic removal. Option D (Identity Protection) is wrong because Identity Protection detects and remediates identity-based risks such as leaked credentials or suspicious sign-ins, but it does not manage group membership review cycles or owner approvals.

216
MCQmedium

A compliance officer wants a central dashboard to assess the organization's compliance posture against regulatory standards such as GDPR and ISO 27001. They need actionable recommendations to improve their compliance score and track progress over time. Which Microsoft Purview solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Audit
AnswerC

Compliance Manager offers a compliance score, detailed assessments, and recommended actions to improve adherence to various regulations.

Why this answer

Microsoft Purview Compliance Manager is the correct solution because it provides a central dashboard that assesses an organization's compliance posture against regulatory standards like GDPR and ISO 27001, offers actionable recommendations to improve the compliance score, and tracks progress over time through continuous assessments and improvement actions.

Exam trap

The trap here is that candidates often confuse Compliance Manager with Information Protection or Audit, mistakenly thinking that data protection or logging alone provides compliance assessment and scoring, but only Compliance Manager offers a centralized dashboard with actionable recommendations and progress tracking against regulatory frameworks.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., encryption and access controls), not on assessing compliance posture against regulatory standards or providing a compliance score. Option B is wrong because Microsoft Purview Data Lifecycle Management handles data retention, deletion, and records management policies, not compliance scoring or actionable recommendations for regulatory standards. Option D is wrong because Microsoft Purview Audit provides detailed logging and investigation of user and admin activities, but it does not offer a compliance score, regulatory assessments, or improvement recommendations.

217
Multi-Selecteasy

Which TWO of the following are features of Microsoft Purview Data Loss Prevention (DLP)? (Select TWO.)

Select 2 answers
A.Detect and block malware
B.Apply sensitivity labels
C.Manage user access rights
D.Provide policy tips to users
E.Monitor and prevent sharing of sensitive data
AnswersD, E

DLP can show policy tips when users attempt to share sensitive data.

Why this answer

Correct: Monitor and prevent sharing of sensitive data (Option E) and Provide policy tips to users (Option D). Option A is wrong because malware detection is the job of Microsoft Defender (Defender for Office 365 and Defender for Endpoint), not DLP. Option B is wrong because sensitivity labels are applied by Information Protection; DLP can use a label as a condition but does not apply one. Option C is wrong because managing user access rights is identity governance in Microsoft Entra, not DLP.

218
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a passcode can access corporate email. What should you configure?

A.Device configuration policy
B.Enrollment restrictions
C.Device compliance policy
D.App protection policy
AnswerC

Compliance policies require devices to meet security requirements like passcode.

Why this answer

Compliance policies in Intune define the conditions devices must meet to be considered compliant, such as requiring a passcode. Conditional Access policies then grant or block access to corporate email based on that compliance state. Option A is incorrect because device configuration policies push settings to the device but do not evaluate it or mark it as compliant. Option B is incorrect because enrollment restrictions control which devices are allowed to enroll, not what an enrolled device may access. Option D is incorrect because app protection policies manage data inside managed apps, not device-level requirements such as a passcode.

219
MCQeasy

A company is implementing security controls to protect data during transmission between their on-premises database and a cloud storage service. They decide to use TLS encryption. Which security goal is primarily addressed by ensuring that data is not altered during transit?

A.Availability
B.Integrity
C.Confidentiality
D.Non-repudiation
AnswerB

Correct. Integrity ensures that data has not been altered during transit. TLS includes message authentication codes to verify that the data received is exactly what was sent, preventing unauthorized changes.

Why this answer

TLS encryption provides data integrity through message authentication codes (MACs) that detect any unauthorized modification during transit. The question specifically asks about ensuring data is not altered, which is the definition of integrity, not confidentiality or availability.

Exam trap

The trap here is that candidates often associate encryption solely with confidentiality and forget that TLS also provides integrity via MACs, so they incorrectly choose confidentiality when the question explicitly asks about preventing alteration.

How to eliminate wrong answers

Option A is wrong because availability refers to ensuring systems and data are accessible when needed, not preventing alteration during transmission. Option C is wrong because confidentiality protects data from unauthorized disclosure, not from modification; TLS does provide confidentiality via encryption, but the question specifically asks about preventing alteration. Option D is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures, not through TLS encryption alone.
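The following is an added illustration of the exam trap above, not material from the question bank: it shows that a stream cipher alone leaves a message malleable, and that a message authentication code over the ciphertext is what detects the alteration. The cipher is a toy (SHA-256 in counter mode), the tag is HMAC-SHA256 in an encrypt-then-MAC arrangement, and the keys, nonce and transfer message are constructed inline for the demo. Note that TLS 1.3 uses AEAD cipher suites such as AES-GCM and ChaCha20-Poly1305, where the authentication tag is part of the cipher rather than a separate HMAC, but the security goal being demonstrated, integrity of the record, is the same.

```python
"""Why encryption without a MAC does not give integrity (added teaching example).

Toy construction only: SHA-256 counter-mode keystream for confidentiality,
HMAC-SHA256 over nonce || ciphertext for integrity. Not a TLS implementation.
"""
import hashlib
import hmac

# Constructed demo secrets; a real system derives these from a key exchange.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 12
ORIGINAL = b"TRANSFER 1000 TO ACCT 42"  # constructed sample record


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a pseudorandom keystream by hashing key || nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR stream cipher; the same function decrypts."""
    ks = keystream(enc_key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


decrypt = encrypt


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    ct = encrypt(enc_key, nonce, plaintext)
    return ct, tag(mac_key, nonce, ct)


def open_checked(enc_key, mac_key, nonce, ciphertext, received_tag) -> bytes:
    """Verify the tag in constant time before releasing any plaintext."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        raise ValueError("integrity check failed: record altered in transit")
    return decrypt(enc_key, nonce, ciphertext)


def tamper(ciphertext: bytes, index: int, old: int, new: int) -> bytes:
    """Attacker who knows the message layout but not the key flips the
    ciphertext bits so byte `index` decrypts to `new` instead of `old`."""
    ct = bytearray(ciphertext)
    ct[index] ^= old ^ new
    return bytes(ct)


def demo_without_mac() -> bytes:
    """Confidentiality only: the forged amount decrypts cleanly and is accepted."""
    ct = encrypt(ENC_KEY, NONCE, ORIGINAL)
    forged = tamper(ct, ORIGINAL.index(b"1000"), ord("1"), ord("9"))
    return decrypt(ENC_KEY, NONCE, forged)  # b"TRANSFER 9000 TO ACCT 42"


def demo_with_mac() -> str:
    """Same bit flip against a MAC-protected record is rejected."""
    ct, t = seal(ENC_KEY, MAC_KEY, NONCE, ORIGINAL)
    forged = tamper(ct, ORIGINAL.index(b"1000"), ord("1"), ord("9"))
    try:
        open_checked(ENC_KEY, MAC_KEY, NONCE, forged, t)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("no MAC  :", demo_without_mac())
    print("with MAC:", demo_with_mac())
```

The attacker never learns the key: flipping the XOR difference between '1' and '9' into the ciphertext is enough to change the decrypted amount, which is exactly the "not altered during transit" property the question asks about and which confidentiality does not cover. Verifying the tag before decrypting, with a constant-time comparison, is the check that turns the alteration into a detected failure.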

220
MCQeasy

The exhibit shows that a user was added to the Global Administrator role. Which Microsoft Entra feature should be used to provide just-in-time access to this role?

A.Privileged Identity Management
B.Conditional Access
C.Self-Service Password Reset
D.Identity Protection
AnswerA

Enables just-in-time privileged role access.

Why this answer

Privileged Identity Management (PIM) is the Microsoft Entra feature specifically designed to provide just-in-time (JIT) privileged access to roles like Global Administrator. PIM enables time-bound activation, approval workflows, and audit logging, ensuring users have elevated permissions only when needed and for a limited duration.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access to resources) with Privileged Identity Management (which controls elevation to administrative roles), leading them to select Conditional Access when the question explicitly asks for just-in-time role access.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) based on signals, but it does not provide time-bound role activation or JIT elevation to privileged roles. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, but it has no capability to grant or manage privileged role assignments. Option D is wrong because Identity Protection is a risk-detection service that identifies compromised identities and risky sign-ins, but it does not offer JIT role activation or privileged access management.

221
MCQmedium

A company uses Microsoft Entra ID. Their sales team wants to use a third-party customer relationship management (CRM) application that requires the 'Sign in and read user profile' permission and also a high-risk permission to 'Read all users' full profiles'. The security team wants to allow users to request access to this application, but they want to require an administrator to review and approve the high-risk permission request before consent is granted. Which Microsoft Entra ID feature should they configure?

A.Admin consent workflow
B.Conditional Access
C.Identity Protection
D.Privileged Identity Management (PIM)
AnswerA

Admin consent workflow enables users to request admin approval for permissions that require admin consent. An admin can then review and approve or deny the request.

Why this answer

The admin consent workflow in Microsoft Entra ID allows end users to request consent for applications that require permissions, while requiring administrator approval for high-risk permissions. In this scenario, the CRM app requests both a low-risk permission ('Sign in and read user profile') and a high-risk permission ('Read all users' full profiles'), and the security team wants admin review for the high-risk one. The admin consent workflow enables this by letting users initiate the request, then routing it to designated administrators for approval or denial, ensuring that high-risk permissions are not granted without oversight.

Exam trap

The trap here is that candidates often confuse the admin consent workflow with Privileged Identity Management (PIM) because both involve administrative approval, but PIM handles role activation, not application consent requests.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it controls access based on conditions like location or device state, not the consent process for application permissions. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks such as compromised accounts or sign-in anomalies, not application permission requests. Option D (Privileged Identity Management (PIM)) is wrong because it manages just-in-time privileged role assignments and activation, not the consent workflow for application permissions.

222
MCQhard

Refer to the exhibit. A security analyst in your SOC runs the provided KQL query in Microsoft Sentinel to identify users with repeated MFA or suspicious sign-in alerts. The query returns no results even though alerts exist. What is the most likely issue?

A.The 'extend' operator fails because 'Entities' array is empty.
B.The alert names do not contain the strings 'MFA' or 'Suspicious sign-in'.
C.The TimeGenerated filter is too restrictive; alerts older than 7 days are excluded.
D.The 'has' operator is case-sensitive and the alert names are in uppercase.
AnswerB

If alert names use different terms, the filter will exclude them.

Why this answer

The query filters alert names with the 'has' operator, which is case-insensitive, so an empty result most likely means the alert names in this environment use different wording (e.g., 'Azure AD MFA' or 'Anomalous sign-in' rather than the literal terms 'MFA' or 'Suspicious sign-in'). A quick check before hard-coding filter strings is to summarize alert counts by alert name and see which names actually appear. Option A is incorrect because 'extend' does not fail when the Entities array is empty; it simply yields empty values. Option C is incorrect because the time range is 7 days, which is not restrictive for recent alerts. Option D is incorrect because 'has' is case-insensitive, so uppercase alert names would still match.

223
MCQmedium

A financial organization is required by regulation to keep all customer transaction records for 10 years. After 10 years, the records must be permanently deleted. In addition, during the retention period, records must not be modifiable or deletable by any user, including administrators. Which Microsoft Purview solution should they use to meet these requirements?

A.Retention labels (unlocked)
B.Records Management
C.Information Protection with sensitivity labels
D.Data Lifecycle Management
AnswerB

Records Management uses retention labels that mark content as a record or as a regulatory record. When content is labeled as a regulatory record, no one, including administrators, can edit it, delete it, or remove the label during the retention period. After the retention period ends, the label's retention action or a disposition review can permanently delete the content.

Why this answer

Records Management in Microsoft Purview is designed to meet regulatory requirements by allowing organizations to declare records or regulatory records. A standard record blocks deletion but can be unlocked for editing in SharePoint, whereas a regulatory record is fully immutable: no user, including administrators, can modify or delete it or remove its label during the retention period. The 10-year retention and mandatory deletion after that period are enforced through a retention label configured as a regulatory record, which locks the item and permanently deletes it when the period expires.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management with Records Management, not realizing that only Records Management provides the immutability lock required to prevent modification or deletion by administrators during the retention period.

How to eliminate wrong answers

Option A is wrong because unlocked retention labels do not enforce immutability; they allow users to modify or delete the labeled content, which fails the requirement that records must not be modifiable or deletable by any user. Option C is wrong because Information Protection with sensitivity labels focuses on classifying and protecting data through encryption and access controls, not on enforcing immutable retention or mandatory deletion after a fixed period. Option D is wrong because Data Lifecycle Management manages retention and deletion policies but does not provide the immutability lock required to prevent modification or deletion by administrators during the retention period.

224
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their social media accounts, such as Google or Facebook. Which feature should you configure?

A.Privileged Identity Management
B.Identity Protection
C.External ID
D.Conditional Access
AnswerC

External ID allows configuration of social identity providers for customer-facing apps.

Why this answer

Option C is correct because Microsoft Entra External ID lets you configure social identity providers such as Google and Facebook for customer-facing sign-in. Option A is incorrect because Privileged Identity Management manages privileged role assignments. Option B is incorrect because Identity Protection detects identity-based risks. Option D is incorrect because Conditional Access enforces access policies; it does not enable social sign-in.

225
Multi-Selecthard

Which THREE Microsoft Defender XDR components are included in the unified security operations platform? (Select three.)

Select 3 answers
A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
E.Microsoft Defender for IoT
AnswersA, C, D

Email and collaboration protection is included.

Why this answer

Defender for Endpoint (D), Defender for Office 365 (A), and Defender for Identity (C) are core Defender XDR components. Defender for Cloud (Option B) is a separate cloud security posture and workload protection service. Defender for IoT (Option E) is not included in the core XDR platform.
