Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 226-300

1411 questions total · 19 pages · All types, answers revealed

Page 4 of 19

226
Multi-Select (easy)

Which TWO Microsoft Purview solutions can be used to automatically classify sensitive data at rest?

Select 2 answers
A. Data Lifecycle Management
B. Communication Compliance
C. eDiscovery
D. Auditing
E. Information Protection
Answers: A, E

Retention labels can auto-classify data at rest.

Why this answer

Options A and E are correct. Information Protection includes auto-labeling policies that can classify data at rest. Data Lifecycle Management includes retention labels that can be auto-applied to content based on conditions.

Option B is wrong because Communication Compliance monitors communications. Option C is wrong because eDiscovery is for search. Option D is wrong because Auditing tracks activities.

227
MCQ (medium)

A compliance officer needs to monitor internal emails for inappropriate language and potential data leaks. The officer wants to detect policy violations and allow users to report concerns. Which Microsoft Purview solution should be used?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Audit
D. Microsoft Purview Information Protection
Answer: B

Communication Compliance monitors communications for policy violations and supports user reporting.

Why this answer

Communication Compliance in Microsoft Purview is designed to detect policy violations in communications, including emails, and provides a way for users to report concerns. Information Protection focuses on classification and protection. Data Lifecycle Management handles retention.

Audit logs record activities but do not proactively scan communications.

228
Multi-Select (easy)

Which TWO Microsoft Purview solutions can be used to manage data retention and deletion?

Select 2 answers
A. Retention policies
B. eDiscovery
C. Sensitivity labels
D. Retention labels
E. Data Loss Prevention (DLP)
Answers: A, D

Retention policies apply retention and deletion rules to content at the container level; retention labels apply them to individual items.

Why this answer

Retention policies and retention labels are used to manage data retention and deletion. Sensitivity labels classify and protect; DLP prevents data loss; eDiscovery searches content.

229
MCQ (medium)

A multinational organization uses Microsoft Entra ID. The IT help desk team is responsible for password resets and group management, but only for users located in the European region. The organization has created a group containing all European user accounts. Which Microsoft Entra feature should an administrator use to delegate these administrative tasks specifically to the help desk team, limited to the European user scope?

A. Administrative units
B. Access reviews
C. Conditional Access
D. Self-service password reset (SSPR)
Answer: A

Administrative units allow scoping of administrative roles (e.g., Helpdesk Administrator) to a specific subset of users, such as those in a particular region or department. This feature directly meets the requirement to delegate tasks limited to European users.

Why this answer

Administrative units (AUs) in Microsoft Entra ID allow administrators to delegate administrative permissions scoped to a specific subset of users, groups, or devices. By creating an AU containing only the European user group, the administrator can assign the help desk team roles (e.g., Helpdesk Administrator or User Administrator) limited to that AU, ensuring they can perform password resets and group management only for European users.

Exam trap

The trap here is that candidates often confuse delegation of administrative tasks with end-user self-service features (SSPR) or access control policies (Conditional Access), failing to recognize that Administrative Units are the dedicated Microsoft Entra feature for scoped role-based delegation.

How to eliminate wrong answers

Option B (Access reviews) is wrong because it is a governance feature for reviewing and recertifying access assignments, not for delegating administrative tasks with a scope. Option C (Conditional Access) is wrong because it enforces access control policies (e.g., MFA, location-based restrictions) at sign-in; it does not delegate administration or scope permissions. Option D (Self-service password reset) is wrong because it allows end users to reset their own passwords without help desk intervention; it does not delegate password reset tasks to a specific team with a limited scope.

230
MCQ (easy)

A company issues laptops to all employees with BitLocker full-disk encryption enabled. If a laptop is stolen, the data on the hard drive cannot be read without the recovery key. Which security principle does this measure primarily protect?

A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C

Confidentiality ensures that data is not disclosed to unauthorized individuals. BitLocker encryption renders the data unreadable without the proper key, directly protecting confidentiality.

Why this answer

BitLocker full-disk encryption ensures that data on a stolen laptop's hard drive is unreadable without the recovery key, directly protecting against unauthorized access. This aligns with the confidentiality principle, which safeguards sensitive information from disclosure to unauthorized parties.

Exam trap

The trap here is confusing encryption's role in confidentiality with integrity or availability, as candidates may mistakenly think encryption prevents data modification (integrity) or ensures access (availability), but it strictly prevents unauthorized reading.

How to eliminate wrong answers

Option A is wrong because integrity ensures data is not tampered with or altered, which BitLocker does not primarily address; it does not prevent modification of data once decrypted. Option B is wrong because availability ensures systems and data are accessible when needed, but encryption can hinder availability if keys are lost, not protect it. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures), which BitLocker does not provide; it only encrypts data at rest.

231
MCQ (medium)

An organization wants to protect against spear-phishing attacks where attackers impersonate the company's CEO or other trusted domains to trick employees into transferring funds. They need a security solution that uses machine learning to detect and prevent such impersonation attempts in incoming emails. Which Microsoft 365 protection feature should they enable?

A. Anti-spam policy
B. Anti-phishing policy (impersonation protection)
C. Safe Links
D. Safe Attachments
Answer: B

Correct. Anti-phishing policies in Defender for Office 365 include impersonation protection, which uses AI to detect and block phishing that impersonates users or domains.

Why this answer

Anti-phishing policy with impersonation protection uses machine learning models to detect and block attempts to impersonate specific users (like the CEO) or trusted domains in incoming emails. This directly addresses the scenario of spear-phishing attacks that trick employees into transferring funds by mimicking trusted senders.

Exam trap

Microsoft often tests the distinction between anti-phishing policies (which include impersonation protection) and anti-spam policies, leading candidates to mistakenly choose anti-spam when the question explicitly mentions targeted impersonation rather than generic spam.

How to eliminate wrong answers

Option A is wrong because anti-spam policy focuses on bulk unsolicited email (spam) using content filters and IP reputation, not on detecting impersonation of specific individuals or domains. Option C is wrong because Safe Links protects users from clicking malicious URLs in emails or Office documents by scanning links at time of click, but it does not detect or prevent impersonation of trusted senders. Option D is wrong because Safe Attachments scans email attachments for malware using detonation in a sandbox environment, but it does not address the impersonation aspect of spear-phishing.

232
MCQ (medium)

You are a compliance officer for a law firm that uses Microsoft 365 E5 licenses. The firm must comply with GDPR. You need to implement a solution that automatically identifies personal data (e.g., email addresses) in SharePoint Online documents and applies a 'GDPR-Protected' sensitivity label. Additionally, you need to ensure that if a user attempts to share a labeled document externally, they receive a policy tip warning about GDPR compliance, but the share is not blocked. You have Microsoft Purview. What should you configure?

A. Create an auto-labeling policy to apply the 'GDPR-Protected' label to documents containing email addresses, and create a DLP policy for labeled documents that shows a policy tip when shared externally.
B. Create a retention policy to tag documents containing email addresses.
C. Create a sensitivity label policy that publishes the 'GDPR-Protected' label to users and train them to apply it manually.
D. Create a DLP policy that detects email addresses and shows a policy tip, but do not apply a label.
Answer: A

Auto-labeling applies the label automatically, and DLP provides the policy tip.

Why this answer

Option A is correct because auto-labeling applies the label, and a DLP policy with a policy tip (not block) warns users. Option D is incorrect because DLP alone cannot apply sensitivity labels. Option C is incorrect because a label policy only publishes labels for users to apply manually.

Option B is incorrect because a retention policy does not apply sensitivity labels or provide DLP policy tips.

233
MCQ (medium)

An administrator needs to grant a vendor temporary access to an Azure subscription for exactly 48 hours. After that time, access must be automatically revoked. Which Microsoft Entra feature should be used?

A. Microsoft Entra External Identities
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra access reviews
D. Microsoft Entra Conditional Access
Answer: B

PIM enables just-in-time and time-bound role assignments that expire automatically.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) allows administrators to configure just-in-time (JIT) access with time-bound activation and automatic expiration. By setting a maximum activation duration of 48 hours for a role assignment, PIM ensures the vendor's access is automatically revoked after that period without manual intervention.

Exam trap

The trap here is that candidates often confuse PIM's just-in-time access with External Identities (B2B), assuming that inviting a guest user inherently includes time limits, but B2B invitations do not automatically expire unless combined with other features like access reviews or PIM.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra External Identities is used for inviting external users (B2B collaboration) or managing customer identities (B2C), but it does not provide time-bound access with automatic revocation. Option C is wrong because Microsoft Entra access reviews are periodic attestation workflows that require manual or scheduled review cycles, not a mechanism to enforce a precise 48-hour automatic expiration. Option D is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state, but it cannot grant or revoke role-based access to an Azure subscription with a specific time limit.

234
MCQ (hard)

A financial services company is subject to regulations that require monitoring of employee communications for potential market manipulation. The compliance team needs to create policies that automatically detect messages containing phrases like 'insider info' or 'confidential trade' in Microsoft Teams chats and Exchange Online emails. Detected messages should be routed to designated reviewers for investigation, and the company wants a built-in Microsoft Purview solution to handle this process. Which Microsoft Purview solution should they use?

A. Microsoft Purview Communication Compliance
B. Microsoft Purview Insider Risk Management
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Lifecycle Management
Answer: A

Communication Compliance enables organizations to detect policy violations in communications (e.g., insider trading) by scanning for specific phrases and assigning them to reviewers.

Why this answer

Microsoft Purview Communication Compliance is the correct solution because it is specifically designed to detect and investigate policy violations in organizational communications, such as Microsoft Teams chats and Exchange Online emails. It allows compliance teams to create custom policies that automatically scan for sensitive phrases like 'insider info' or 'confidential trade' and route flagged messages to designated reviewers for investigation, meeting the regulatory monitoring requirements.

Exam trap

The trap here is that candidates often confuse Insider Risk Management (which focuses on user behavior patterns) with Communication Compliance (which focuses on content scanning), leading them to select Option B when the question explicitly requires detection of specific phrases in messages.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Insider Risk Management focuses on identifying and analyzing risky user activities (e.g., data exfiltration or policy violations) based on behavioral analytics and indicators, not on scanning communications for specific phrases. Option C is wrong because Microsoft Purview Information Protection is designed to classify, label, and protect sensitive data (e.g., via encryption or access controls) but does not include automated detection of communication content for compliance policies. Option D is wrong because Microsoft Purview Data Lifecycle Management handles data retention, deletion, and archiving policies, not real-time monitoring or detection of specific phrases in communications.

235
MCQ (easy)

A security analyst is explaining the concept of 'Least Privilege' to a new team member. Which statement best describes the principle of least privilege?

A. Users should have only the permissions necessary to perform their job functions.
B. Users should have all permissions disabled by default.
C. Users should be given administrator rights to ensure they can perform any task.
D. Users should share one account with elevated privileges for their team.
Answer: A

This correctly defines least privilege: granting exactly the permissions needed to complete required tasks and nothing more.

Why this answer

Option A is correct because the principle of least privilege dictates that users should be granted only the minimum permissions necessary to complete their job functions. This reduces the attack surface and limits potential damage from accidental or malicious actions. In Microsoft 365, this is implemented through Role-Based Access Control (RBAC) and Azure AD roles, where permissions are scoped to specific administrative units or tasks.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'default deny' (Option B), but least privilege is about granting the minimal necessary permissions after initial access, not disabling all permissions upfront.

How to eliminate wrong answers

Option B is wrong because disabling all permissions by default is not the principle of least privilege; it is a separate security concept called 'default deny' or 'zero trust,' which focuses on initial access rather than ongoing permission management. Option C is wrong because granting all users administrator rights violates least privilege by providing excessive permissions, increasing the risk of privilege escalation and security breaches. Option D is wrong because sharing one account with elevated privileges eliminates accountability, breaks non-repudiation, and violates the principle of least privilege by granting more access than any single user needs.

236
MCQ (easy)

A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?

A. Defense in depth
B. Least privilege
C. Zero Trust
D. Separation of duties
Answer: B

Correct. Least privilege is the security concept of granting users only the permissions they need to do their job, which matches the scenario of restricting access based on job role.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions. In this scenario, the marketing specialist receives read-only access to the customer database and no access to financial records, which directly aligns with limiting permissions to the minimum required. This reduces the attack surface and limits potential damage from accidental or malicious actions.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'separation of duties' because both involve limiting permissions, but separation of duties focuses on splitting critical tasks across multiple users to prevent fraud, whereas least privilege restricts each user to the minimum permissions for their single role.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that uses multiple controls (e.g., firewalls, antivirus, encryption) to protect resources, not a principle for assigning user permissions. Option C is wrong because Zero Trust is a security model that assumes breach and verifies every request explicitly, using concepts like micro-segmentation and continuous authentication, but it does not specifically dictate that permissions should be limited to the minimum required for a job role. Option D is wrong because separation of duties ensures that no single individual has control over all phases of a critical task (e.g., requiring two people to approve a payment), which prevents fraud and errors, but it does not restrict permissions to the minimum needed for a single role.

237
Multi-Select (medium)

Your organization uses Microsoft Entra ID. Which TWO features help protect against identity-based attacks by detecting and responding to risks?

Select 2 answers
A. Privileged Identity Management
B. Access reviews
C. Conditional Access
D. Entitlement management
E. Identity Protection
Answers: C, E

Conditional Access can enforce policies based on risk detected by Identity Protection.

Why this answer

Conditional Access is correct because it enforces policy-based access controls that evaluate real-time signals (e.g., user location, device compliance, sign-in risk) to block or challenge suspicious sign-in attempts, directly mitigating identity-based attacks. Identity Protection is correct because it uses machine learning to detect risk signals such as leaked credentials, anonymous IP addresses, and atypical travel, then automatically triggers remediation actions like requiring password reset or blocking access.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Identity Protection, assuming PIM's role activation controls also detect attacks, when in fact PIM is purely a privileged access management tool with no risk detection capabilities.

238
MCQ (medium)

A company wants employees to be able to access corporate applications from their personal mobile devices, but only if those devices are enrolled in mobile device management (MDM) and have a PIN code set. Which Microsoft Entra capability should the administrator use to enforce these requirements?

A. Identity Protection
B. Conditional Access
C. Privileged Identity Management
D. Enterprise App Registration
Answer: B

Conditional Access can require that the device is marked as compliant (enrolled in MDM with a PIN) as a condition for granting access to corporate apps.

Why this answer

Conditional Access is the correct Microsoft Entra capability because it allows administrators to create policies that enforce specific requirements—such as device enrollment in MDM and a PIN code—before granting access to corporate applications. By configuring a Conditional Access policy with a grant control requiring 'Require device to be marked as compliant' (which depends on MDM enrollment and PIN compliance), the administrator can block access from personal devices that do not meet these conditions.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, thinking that risk-based policies (like requiring MFA for risky sign-ins) are the same as device compliance policies, but Identity Protection does not enforce device enrollment or PIN requirements.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not enforce device-level requirements like MDM enrollment or PIN code. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not device compliance or mobile device management policies. Option D is wrong because Enterprise App Registration is used to register and configure applications for authentication with Microsoft Entra ID, not to enforce device enrollment or PIN requirements.

239
Multi-Select (easy)

Which TWO of the following are capabilities of Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A. Email security
B. Identity protection
C. Endpoint detection and response (EDR)
D. Cloud Workload Protection (CWP)
E. Cloud Security Posture Management (CSPM)
Answers: D, E

CWP provides threat detection for workloads in Defender for Cloud.

Why this answer

Options D and E are correct. Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP). Option C is wrong because endpoint detection and response is covered by Defender for Endpoint, not Defender for Cloud.

Option A is wrong because email security is covered by Defender for Office 365. Option B is wrong because identity protection is covered by Microsoft Entra ID Protection.

240
MCQ (hard)

You are the compliance administrator for Contoso, a multinational corporation with headquarters in the US and subsidiaries in Europe and Asia. Contoso uses Microsoft 365 E5 and Microsoft Purview. The company handles personal data subject to GDPR and CCPA. You need to design a compliance solution that meets the following requirements:
- Automatically classify and protect documents containing personal data in SharePoint Online and OneDrive for Business.
- Ensure that data subject requests (DSRs) for access and deletion can be fulfilled within the regulatory timeframes.
- Prevent accidental sharing of sensitive data via email and Teams.
- Maintain an audit trail of all activities related to personal data for at least one year.
- Manage data retention to comply with local laws that require different retention periods for different types of data.
Which combination of Microsoft Purview solutions should you use?

A. Sensitivity labels with auto-labeling, DLP, eDiscovery, Data Lifecycle Management, and Audit (Premium)
B. Insider Risk Management, DLP, eDiscovery, and Data Lifecycle Management
C. Data Lifecycle Management, Information Barriers, DLP, and Audit (Premium)
D. Sensitivity labels, Communication Compliance, eDiscovery, and Audit (Standard)
Answer: A

All requirements are met: auto-labeling, DLP, DSR handling, retention management, and 1-year audit.

Why this answer

Option A is correct because sensitivity labels with auto-labeling classify and protect data; DLP prevents accidental sharing; eDiscovery and Data Lifecycle Management handle DSRs and retention; Audit (Premium) provides 1-year audit retention. Option D is wrong because Communication Compliance is for monitoring communications, not fulfilling DSRs. Option C is wrong because Information Barriers restrict communication between groups, not retention.

Option B is wrong because Insider Risk Management is for risk detection, not the compliance lifecycle.

241
MCQ (easy)

A security administrator is explaining the Zero Trust model to a new colleague. The administrator states that trust should never be granted based solely on network location, and every access request must be fully authenticated and authorized using all available signals. Which Zero Trust principle does this statement describe?

A. Assume breach
B. Verify explicitly
C. Use least privilege
D. Segment access
Answer: B

'Verify explicitly' requires continuous authentication and authorization for every request using all available signals, and does not grant trust based on network location alone.

Why this answer

The statement that trust should never be granted based solely on network location and that every access request must be fully authenticated and authorized using all available signals directly describes the 'Verify explicitly' principle of the Zero Trust model. This principle mandates that authentication and authorization are performed for every access attempt, regardless of the source (e.g., internal network, VPN, cloud), using all available data points such as user identity, device health, and location.

Exam trap

Microsoft often tests the distinction between 'Verify explicitly' and 'Assume breach' by presenting a scenario that emphasizes authentication and authorization signals, leading candidates to confuse the proactive verification step with the reactive breach containment strategy.

How to eliminate wrong answers

Option A is wrong because 'Assume breach' is a Zero Trust principle that focuses on minimizing the blast radius and segmenting access under the assumption that a breach has already occurred, not on the requirement to authenticate and authorize every request. Option C is wrong because 'Use least privilege' is a principle that limits user access rights to only what is necessary to perform their job, but it does not address the core concept of verifying every access request based on all signals. Option D is wrong because 'Segment access' refers to dividing the network into isolated zones to limit lateral movement, not the explicit verification of each access request using multiple signals.

242
MCQ (easy)

A company is involved in litigation and needs to search for specific emails and documents across Exchange Online, SharePoint Online, and Teams. They also need to place a hold on relevant content to prevent deletion. Which Microsoft Purview solution should they use?

A. Records Management
B. Data Lifecycle Management
C. eDiscovery
D. Data Loss Prevention
Answer: C

Correct. eDiscovery allows legal teams to search for relevant content, place holds, and export data for litigation purposes.

Why this answer

Microsoft Purview eDiscovery (specifically eDiscovery (Premium)) is the correct solution because it is designed for legal investigations, enabling organizations to search for content across Exchange Online, SharePoint Online, and Teams, and to place holds on that content to preserve it from deletion or alteration. This directly addresses the litigation requirement for both search and hold capabilities.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (retention) with eDiscovery holds, not realizing that retention policies are for scheduled deletion/preservation, while eDiscovery holds are for legal preservation that overrides any deletion policies and includes search capabilities.

How to eliminate wrong answers

Option A is wrong because Records Management focuses on declaring records, applying retention labels, and managing disposition reviews for regulatory compliance, not on searching or placing holds for litigation. Option B is wrong because Data Lifecycle Management (formerly known as retention policies and labels) governs how long content is kept and when it is deleted, but it does not provide the search or hold functionality needed for eDiscovery in litigation. Option D is wrong because Data Loss Prevention (DLP) is designed to prevent accidental or unauthorized sharing of sensitive data through policies and alerts, not to search for or preserve content for legal purposes.

243
MCQ (medium)

A company wants to improve its security posture across Microsoft 365. The security team needs a central dashboard that provides a score based on current security configurations, gives recommendations for improving the score, and allows tracking of improvement actions over time. Which Microsoft security solution should they use?

A. Microsoft Secure Score
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview Compliance Manager
D. Microsoft Intune
Answer: A

Correct. Secure Score provides a central dashboard for monitoring and improving security posture across Microsoft 365 services, with a score and recommendations.

Why this answer

Microsoft Secure Score is the correct solution because it provides a central dashboard that calculates a numerical score based on the tenant's current security configurations across Microsoft 365 services. It offers prioritized improvement actions, tracks progress over time, and allows security teams to monitor and manage their security posture in a single view.

Exam trap

The trap here is that candidates often confuse Microsoft Secure Score with Microsoft Purview Compliance Manager, because both provide a score and recommendations, but Secure Score focuses on security configurations while Compliance Manager focuses on regulatory compliance controls.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on discovering and controlling cloud app usage, not on providing a centralized security posture score with improvement recommendations. Option C is wrong because Microsoft Purview Compliance Manager is designed for compliance management, offering a compliance score based on controls and regulations (e.g., GDPR, ISO 27001), not a security posture score based on security configurations. Option D is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) solution for managing devices and apps, not a dashboard for tracking security improvement actions across the entire Microsoft 365 environment.

244
MCQ (medium)

A company uses Microsoft 365 and wants to automatically apply a 3-year retention label to any document that contains a patent number in the format PAT-XXXXXX. The label should be applied at the time the document is created or modified. Which Microsoft Purview solution should the administrator configure?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Data Loss Prevention (DLP)
D. Microsoft Purview Audit (Premium)
Answer: A

Data Lifecycle Management supports auto-labeling policies that can automatically apply retention labels based on sensitive info types or trainable classifiers.

Why this answer

Option A is correct because Microsoft Purview Data Lifecycle Management (formerly known as Microsoft 365 Retention) allows administrators to create auto-apply retention labels based on sensitive information types, such as a custom regex for patent numbers. When configured with a 'created or modified' condition, the label is automatically applied at the time the document is saved or edited, ensuring compliance with the 3-year retention requirement.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with Data Lifecycle Management, assuming DLP can apply retention labels, but DLP only detects and protects data in transit or at rest without managing retention schedules.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) in Exchange Online, Teams, and Yammer, not to apply retention labels based on document content. Option C is wrong because Microsoft Purview Data Loss Prevention (DLP) can detect sensitive data like patent numbers and trigger alerts or block actions, but it cannot automatically apply retention labels; DLP policies enforce data protection, not lifecycle management. Option D is wrong because Microsoft Purview Audit (Premium) provides detailed logging of user and admin activities for forensic investigation, but it has no capability to apply retention labels or manage data lifecycle policies.

245
MCQ · easy

An organization is moving a virtual machine to Azure Infrastructure as a Service (IaaS). According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A. Physical security of the datacenter
B. Applying security updates to the guest operating system
C. Maintaining the hypervisor
D. Power and cooling infrastructure
Answer: B

The customer is responsible for securing everything inside the VM, including the guest OS. This includes applying security updates and patches.

Why this answer

In an IaaS deployment, the customer retains responsibility for securing the guest operating system, including applying security updates. Microsoft manages the physical infrastructure and hypervisor, while the customer must patch and configure the OS running inside the virtual machine.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly thinking the provider handles all OS-level security, when in fact the customer is responsible for the guest OS in IaaS.

How to eliminate wrong answers

Option A is wrong because physical security of the datacenter is the sole responsibility of the cloud provider (Microsoft) under the shared responsibility model. Option C is wrong because maintaining the hypervisor is a provider-managed task; the customer has no access to the hypervisor layer. Option D is wrong because power and cooling infrastructure are part of the physical environment managed entirely by Microsoft.

246
MCQ · medium

Refer to the exhibit. The JSON shows a conditional access policy. What is the effect of this policy?

A. Requires MFA for Office 365 from trusted locations.
B. Applies only to external guest users.
C. Blocks all access to Office 365 from trusted locations.
D. Requires a compliant device for Office 365.
Answer: A

Grant control requires MFA.

Why this answer

The policy assigns the 'Require multifactor authentication' grant to Office 365 cloud apps, and the condition restricts it to 'trusted locations' (typically corporate networks or compliant IP ranges). This means users accessing Office 365 from those trusted locations must complete MFA, while access from untrusted locations is not affected by this policy (it may be handled by other policies). Option A correctly describes this effect.

Exam trap

The trap here is that candidates confuse 'Require MFA' with 'Block access' or assume that trusted locations imply automatic access without MFA, when in fact the policy explicitly requires MFA even from trusted locations.

How to eliminate wrong answers

Option B is wrong because the policy targets 'All users' (not just external guest users) and does not include a filter for user type. Option C is wrong because the policy grants 'Require multifactor authentication' — it does not block access; blocking would require the 'Block access' control. Option D is wrong because the policy does not include a 'Require compliant device' grant; it only specifies MFA.

247
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Purview Information Protection policy in JSON format. The policy defines two sensitivity labels. What is the key difference between the 'Confidential' label and the 'Highly Confidential' label?

A. Only the 'Confidential' label applies encryption
B. The 'Highly Confidential' label restricts edit rights
C. The 'Highly Confidential' label allows printing
D. The 'Confidential' label is a parent label
Answer: B

Correct: 'Highly Confidential' only allows VIEW, while 'Confidential' allows VIEW and EDIT.

Why this answer

The 'Confidential' label grants VIEW and EDIT rights, while 'Highly Confidential' grants only VIEW. Option B is correct. Option A is incorrect because both have encryption.

Option C is incorrect because 'Highly Confidential' grants only VIEW rights, so it does not allow printing. Option D is incorrect because the JSON does not mention sublabels.

248
Multi-Select · medium

A security team uses Microsoft Defender XDR to respond to incidents. Which THREE components are part of Microsoft Defender XDR?

Select 3 answers
A. Microsoft Defender for Office 365
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft Intune
E. Microsoft Defender for Identity
Answers: A, B, E

Correct: all three are components of Microsoft Defender XDR.

Why this answer

Defender for Endpoint, Office 365, and Identity are core components. Sentinel is separate, and Intune is MDM.

249
Multi-Select · medium

Which TWO Microsoft Purview solutions can help an organization detect and remediate insider risks such as data theft or unauthorized sharing?

Select 2 answers
A. eDiscovery
B. Audit
C. Insider Risk Management
D. Communication Compliance
E. Data Loss Prevention
Answers: C, D

Insider Risk Management is designed to detect, investigate, and remediate insider risks.

Why this answer

Insider Risk Management and Communication Compliance are the two Purview solutions designed to detect and remediate insider risks. Data Loss Prevention prevents sharing but does not specifically address insider risk detection. eDiscovery is for legal discovery. Audit logs track activities but do not provide remediation workflows.

So the correct answers are C and D.

250
MCQ · medium

An organization uses Microsoft 365 Defender. The security team receives an alert about a potential malware outbreak on multiple endpoints, and they need an integrated view that correlates signals from various Microsoft security solutions. Which Microsoft 365 Defender portal component provides this unified view?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender portal (security.microsoft.com)
C. Azure Sentinel
D. Microsoft Defender for Identity
Answer: B

This portal provides a unified view of threats across endpoints, email, identities, and apps, with integrated incident response.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) is the correct answer because it provides a unified view of alerts and incidents across Microsoft 365 Defender components, including Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This integrated correlation enables security teams to see the full scope of a potential malware outbreak across multiple endpoints by combining signals from these solutions into a single incident timeline.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with Azure Sentinel, mistakenly thinking a SIEM is required for correlation, whereas the Microsoft 365 Defender portal already provides built-in, cross-product correlation without needing a separate SIEM tool.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud resources, not on providing a unified view of endpoint malware alerts from Microsoft 365 Defender. Option C is wrong because Azure Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from various sources, but it is not the portal component that natively correlates signals from Microsoft 365 Defender solutions; that correlation happens within the Microsoft 365 Defender portal itself. Option D is wrong because Microsoft Defender for Identity is a specific component that protects on-premises Active Directory identities using behavioral analytics, but it does not provide the integrated, cross-solution view of alerts from multiple Microsoft security solutions.

251
MCQ · hard

Your organization uses Microsoft Entra ID. You need to ensure that when a user's account is disabled on-premises, their access to cloud apps is blocked within 5 minutes. Which hybrid identity configuration should you use?

A. Microsoft Entra Connect Sync with directory synchronization
B. Seamless Single Sign-On
C. Pass-through Authentication
D. Password Hash Synchronization
Answer: A

Entra Connect Sync synchronizes user attributes, including account enabled/disabled status, typically within minutes.

Why this answer

Microsoft Entra Connect Sync with directory synchronization is the correct choice because it enables password hash synchronization combined with the ability to synchronize account state changes (such as disabled accounts) from on-premises Active Directory to Microsoft Entra ID. When a user account is disabled on-premises, the next synchronization cycle (which can be triggered on-demand or runs every 30 minutes by default) updates the cloud account's status, and with the 'EnableAccidentalDeletionPrevention' and 'PasswordWriteback' features, you can configure the sync to occur within 5 minutes using the 'Set-ADSyncScheduler' cmdlet to reduce the sync interval. This ensures that the disabled state is reflected in Microsoft Entra ID, blocking access to cloud apps promptly.

Exam trap

The trap here is that candidates often confuse Password Hash Synchronization (PHS) with full directory synchronization, not realizing that PHS alone does not synchronize account disabled status or other user attributes beyond password hashes.

How to eliminate wrong answers

Option B is wrong because Seamless Single Sign-On (SSO) only provides automatic sign-in for users on domain-joined devices, but it does not synchronize account state changes or enforce access blocking when an on-premises account is disabled. Option C is wrong because Pass-through Authentication validates passwords against on-premises Active Directory in real-time, but it does not synchronize account disabled status; it only handles authentication, not account state propagation. Option D is wrong because Password Hash Synchronization alone synchronizes password hashes but does not synchronize account disabled status or other user attribute changes; it requires directory synchronization (Entra Connect Sync) to propagate account state.

252
MCQ · easy

Your organization wants to prevent users from installing unapproved apps on company-managed Windows devices. Which Microsoft Intune feature should you use?

A. App control policies
B. Device configuration profiles
C. Conditional Access
D. Device compliance policies
Answer: A

Correct: App control policies (e.g., Windows Defender Application Control) block unapproved apps.

Why this answer

Intune app protection policies (APP) protect data, but app control policies (e.g., Windows Defender Application Control) block unapproved apps. Option A is correct. Option C (Conditional Access) controls access, not app installation.

Option D (Compliance policies) checks settings. Option B (Device configuration) manages settings but does not control app installation.

253
MCQ · easy

An organization wants to classify and label data automatically based on sensitive content patterns such as credit card numbers. Which Microsoft Purview solution should they use?

A. eDiscovery
B. Data Loss Prevention (DLP)
C. Compliance Manager
D. Audit
Answer: B

DLP can automatically classify and label data based on sensitive info types.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) can automatically classify and label data based on sensitive content patterns. Option C is wrong because Microsoft Purview Compliance Manager is for compliance assessments. Option D is wrong because Microsoft Purview Audit is for logging activities.

Option A is wrong because Microsoft Purview eDiscovery is for legal discovery.

254
MCQ · medium

A company has a hybrid environment with on-premises Active Directory. The security team wants to detect advanced attacks such as pass-the-hash, malicious Kerberos ticket activity, and abnormal service account behavior. They want alerts from the on-premises environment to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their domain controllers?

A. Microsoft Defender for Cloud (agentless)
B. Microsoft Defender for Identity
C. Microsoft Defender for Office 365
D. Microsoft Entra ID Protection
Answer: B

Defender for Identity installs sensors on domain controllers to monitor AD traffic and identify advanced attacks. It integrates alerts into Microsoft Defender for Cloud, providing unified visibility.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to detect advanced on-premises Active Directory attacks like pass-the-hash, malicious Kerberos ticket activity (e.g., Golden Ticket, Silver Ticket), and abnormal service account behavior. It integrates directly with Microsoft Defender for Cloud to provide centralized monitoring and alerting, fulfilling the requirement for on-premises domain controller protection.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (agentless) with Microsoft Defender for Identity, assuming the cloud-based solution can monitor on-premises AD attacks without understanding that MDI is the dedicated on-premises identity threat detection tool.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud (agentless) provides vulnerability assessment and security posture management for cloud workloads, but it does not natively detect on-premises AD attack patterns like pass-the-hash or Kerberos ticket abuse. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, and Teams from phishing and malware, not on-premises Active Directory or domain controller activities. Option D is wrong because Microsoft Entra ID Protection focuses on cloud-based identity risks (e.g., leaked credentials, risky sign-ins) for Azure AD, not on-premises AD domain controller behavior or Kerberos attacks.

255
MCQ · easy

Your organization, Northwind Traders, uses Microsoft Intune to manage Windows 10 devices. You have created a compliance policy that requires devices to have BitLocker enabled. After assigning the policy, you notice that some devices are reporting as non-compliant due to BitLocker not being enabled. You have verified that the devices support BitLocker and that the policy is correctly assigned. You need to ensure that BitLocker is enabled on these devices automatically. What should you do?

A. Modify the compliance policy to allow non-compliant devices
B. Create an endpoint protection configuration profile to enable BitLocker
C. Create a Windows update ring policy
D. Use a PowerShell script to enable BitLocker manually
Answer: B

Configuration profiles can automatically enable BitLocker on devices.

Why this answer

Option B is correct because a device configuration profile for endpoint protection can enable BitLocker automatically. Option A is wrong because the compliance policy only reports compliance; it does not remediate. Option C is wrong because Windows Update policies do not configure BitLocker.

Option D is wrong because scripts are not the standard method for BitLocker enabling via Intune.

256
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps? (Choose TWO.)

Select 2 answers
A. Session control
B. Vulnerability management
C. Threat intelligence
D. Cloud discovery
E. Information protection
Answers: A, D

Session control provides real-time monitoring and control of app sessions.

Why this answer

Microsoft Defender for Cloud Apps provides cloud discovery (identifying cloud apps in use), and session control (real-time monitoring and control of app sessions). Information protection is part of Microsoft Purview, not Defender for Cloud Apps. Vulnerability management is part of Defender for Endpoint.

Threat intelligence is from Microsoft Sentinel or Defender Threat Intelligence.

257
Drag & Drop · medium

Order the steps to deploy Microsoft Intune for mobile device management.


Why this order

Intune deployment includes setup, enrollment policies, compliance policies, app assignment, and enrollment.

258
Multi-Select · easy

Which TWO Microsoft Purview compliance solutions are used to manage data retention and deletion?

Select 2 answers
A. Data Lifecycle Management
B. Data Loss Prevention
C. Records Management
D. Communication Compliance
E. Audit
Answers: A, C

Data Lifecycle Management manages retention and deletion of content.

Why this answer

Data Lifecycle Management (A) is correct because it enables organizations to apply retention and deletion policies to content based on its age or classification, automatically managing data across SharePoint, OneDrive, Exchange, and Teams. Records Management (C) is correct because it provides a solution for declaring records, applying retention labels that lock content to prevent modification or deletion, and managing disposition reviews for permanent deletion. Both solutions are part of Microsoft Purview's information governance capabilities, specifically designed to control data retention and deletion.

Exam trap

The trap here is that candidates may confuse Data Loss Prevention (DLP) with data retention because both involve data lifecycle concepts, but DLP is solely about preventing data breaches through policy enforcement, not about scheduling retention or deletion.

259
MCQ · medium

A company wants to automatically classify sensitive documents in Microsoft 365 based on credit card numbers and retain them for 7 years. Which two Microsoft Purview solutions should they use together?

A. Sensitivity labels and retention policies
B. Microsoft Purview compliance portal and Microsoft 365 Defender
C. Insider risk management and communication compliance
D. Data Loss Prevention (DLP) and eDiscovery
Answer: A

Sensitivity labels classify documents containing credit card numbers, and retention policies enforce the 7-year retention.

Why this answer

Sensitivity labels classify and protect content, and retention policies ensure data is kept for the required period. Data Loss Prevention (DLP) prevents sharing but does not retain; eDiscovery is for search and export; insider risk management detects risky activities. Therefore, sensitivity labels and retention policies are the correct combination.

260
MCQ · medium

Refer to the exhibit. You have a Conditional Access policy defined in Microsoft Entra ID. What is the effect of this policy?

A. Requires MFA for all external users accessing any cloud app
B. Requires MFA for guest users only
C. Requires MFA for all users accessing all cloud apps
D. Requires MFA for external users except those with global admin role
Answer: A

The policy targets all external users and all cloud apps with MFA requirement.

Why this answer

Option A is correct because the policy includes all external users and all cloud apps, requiring MFA. Option C is incorrect because the policy targets all external users, not all users, and does not exclude any apps. Option B is incorrect because it includes all external users, not just guest users.

Option D is incorrect because the policy does not exclude external users with specific roles.

261
MCQ · medium

An organization is subject to regulatory requirements that mandate retention of employee records for 5 years after termination. After the retention period, the records must be permanently deleted. The compliance team wants to automatically enforce this process across all Microsoft 365 locations (Exchange, SharePoint, Teams). Which Microsoft Purview solution should they configure?

A. Microsoft Purview Data Loss Prevention (DLP)
B. Microsoft Purview Data Lifecycle Management
C. Microsoft Purview Records Management
D. Microsoft Purview Communication Compliance
Answer: B

This solution automates retention and deletion policies, ensuring content is kept for required periods and then permanently removed.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) is the correct solution because it allows organizations to define retention and deletion policies that apply automatically across Exchange, SharePoint, and Teams. This solution enforces the 5-year retention period after termination and then permanently deletes the records, meeting the regulatory requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management with Records Management, but Records Management is for declaring records and managing their disposition (e.g., with a retention label), while Data Lifecycle Management provides the automated, policy-based retention and deletion across all locations without requiring manual labeling.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent unauthorized sharing or leakage of sensitive data, not to enforce retention or deletion schedules. Option C is wrong because Microsoft Purview Records Management is used for declaring records and managing their disposition, but it requires a retention label to be applied (often manually or via auto-labeling) and is not the primary tool for automated lifecycle policies across all locations; Data Lifecycle Management provides the underlying retention policy that Records Management can leverage. Option D is wrong because Microsoft Purview Communication Compliance is focused on monitoring and reviewing communications (e.g., for regulatory compliance or insider risk), not on data retention or deletion.

262
MCQ · medium

A company manages Azure resources for multiple departments. The security team needs to grant IT administrators temporary, just-in-time access to high-privilege roles (e.g., Contributor, Owner) only when needed, with approval workflows. Which Microsoft Entra ID capability should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Entitlement Management (Identity Governance)
Answer: C

PIM provides time-based and approval-based role activation to manage, control, and monitor access to privileged resources. It supports just-in-time access for elevated roles.

Why this answer

Privileged Identity Management (PIM) is the correct Microsoft Entra ID capability because it provides just-in-time (JIT) activation of high-privilege roles like Contributor and Owner, with time-bound approvals and approval workflows. PIM allows administrators to request temporary elevation to a role, which must be approved by designated approvers, and the access automatically expires after the specified duration. This directly addresses the requirement for temporary, approval-based access to privileged roles.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Entitlement Management, because both involve access requests and approvals, but PIM is specifically for just-in-time privileged role activation, while Entitlement Management is for ongoing access to resources like groups and apps.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on signals like user location or risk, but it does not provide JIT role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage role assignments or temporary elevation to high-privilege roles. Option D is wrong because Entitlement Management (Identity Governance) automates access requests and reviews for groups, apps, and SharePoint sites, but it is not designed for just-in-time activation of Azure RBAC roles like Contributor or Owner.

263
Multi-Select · medium

Which TWO capabilities are provided by Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A. Mobile device management
B. Device compliance enforcement
C. Session controls for real-time monitoring of app usage
D. Email filtering and anti-phishing
E. Cloud app discovery to identify shadow IT
Answers: C, E

Session controls allow real-time monitoring and control of user activities in cloud apps.

Why this answer

Microsoft Defender for Cloud Apps provides cloud app discovery (shadow IT) and session controls for real-time monitoring. Option A is incorrect because device management is Intune. Option D is incorrect because email security is Defender for Office 365.

Option B is incorrect because device compliance is Intune and Conditional Access.

264
MCQ · medium

Your company uses Microsoft Defender for Identity to monitor on-premises Active Directory. You receive an alert about a potential lateral movement attack involving a service account. The alert indicates that the account was used to log in to multiple servers from a non-domain-joined machine. You need to investigate the alert and determine if the account is compromised. What should you do first?

A. Check if the account is a member of any privileged groups.
B. Immediately reset the service account password.
C. Review the account’s activity timeline in Microsoft Defender for Identity to see all logins and accessed resources.
D. Contact the user to verify if they performed the logins.
Answer: C

This helps determine if the activity is anomalous.

Why this answer

Option C is correct because checking the account’s recent activity in Microsoft Defender for Identity will show the timeline of events. Option B is wrong because resetting the password may lock out a legitimate user. Option A is wrong because checking group membership is not immediate.

Option D is wrong because the alert is about lateral movement, not a user report.

265
MCQ · medium

A compliance officer needs to automatically detect documents containing passport numbers in SharePoint Online and apply a retention label that retains the documents for 10 years before deleting them. They also want to prevent users from permanently deleting these documents before the retention period ends. Which Microsoft Purview solution should they use to achieve this?

A. Microsoft Purview Information Protection
B. Microsoft Purview Data Lifecycle Management
C. Microsoft Purview Data Loss Prevention (DLP)
D. Microsoft Purview Audit
Answer: B

Data Lifecycle Management provides retention labels and policies that can be auto-applied based on sensitive data types, manage retention periods, and hold until disposition is approved.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) is the correct solution because it enables organizations to automatically apply retention labels to sensitive content—such as documents containing passport numbers—based on sensitive information types. It also enforces a retention period (10 years) and prevents users from permanently deleting documents before that period ends, meeting both the detection and preservation requirements.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management with Data Loss Prevention, assuming DLP handles retention, when in fact DLP only prevents data exfiltration and does not manage retention periods or deletion prevention.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying and protecting data through sensitivity labels and encryption, not on managing retention periods or preventing permanent deletion. Option C is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to detect and prevent unauthorized sharing or leakage of sensitive data, not to enforce retention schedules or block permanent deletion. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities, but it does not automatically detect sensitive content or apply retention policies.

266
MCQ · hard

Refer to the exhibit. You are analyzing a Microsoft Purview Data Lifecycle Management retention policy. What is the outcome of this policy?

A. Content from the HR department in Exchange and SharePoint is retained for 365 days and then deleted
B. Content from the HR department in Exchange and SharePoint is deleted after 90 days
C. Content from all employees in Exchange and SharePoint is retained for 365 days
D. Content from the HR department in Exchange and SharePoint is retained for 365 days
Answer: D

The policy keeps content for 365 days.

Why this answer

The policy has a retention period of 365 days with the Keep action, meaning content is kept for 1 year and then no further action is taken (since no expiration action is defined). Option B is wrong because the retention period is 365 days, not 90. Option A is wrong because the action is Keep, not Delete.

Option C is wrong because the query only targets the HR department, not all employees.

267
MCQ · medium

An organization wants to protect its Azure PaaS services, such as Azure SQL Database and Azure Key Vault, by detecting and alerting on suspicious activities like SQL injection attempts or unusual access patterns. They also need to integrate these alerts into a central security information and event management (SIEM) system for further analysis. Which Microsoft security solution provides the threat detection capability described?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Identity
Answer: B

Defender for Cloud offers unified security management and advanced threat protection for Azure PaaS services, including SQL, Key Vault, and storage, with built-in threat detection alerts.

Why this answer

Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads, including Azure PaaS services like Azure SQL Database and Azure Key Vault. It detects suspicious activities such as SQL injection attempts and unusual access patterns using built-in behavioral analytics and integrates alerts into a central SIEM system via Azure Monitor or directly to Microsoft Sentinel.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the threat detection capability itself, but Sentinel ingests alerts rather than generating them for PaaS services, making Defender for Cloud the correct answer for native threat detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests security data from various sources, but it does not natively detect threats within Azure PaaS services like SQL injection or unusual access patterns—it relies on other security solutions (e.g., Defender for Cloud) for such detections. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (e.g., desktops, servers, mobile devices) from threats like malware and ransomware, not Azure PaaS services such as Azure SQL Database or Key Vault. Option D is wrong because Microsoft Defender for Identity focuses on detecting identity-based threats (e.g., lateral movement, privilege escalation) using on-premises Active Directory signals, not on monitoring Azure PaaS services for SQL injection or access anomalies.

268
MCQ · medium

You are evaluating the Conditional Access policy JSON exhibit. The policy includes MFA for Exchange Online but excludes trusted locations. A user reports that they are prompted for MFA when accessing webmail from a trusted IP address. Which is the most likely cause?

A. The location condition is configured to include trusted locations
B. The policy targets high sign-in risk
C. The policy does not apply to Exchange Online
D. The policy requires device compliance
Answer: A

The policy includes trusted locations, so it applies MFA to them. It should exclude trusted locations.

Why this answer

The policy includes MFA for Exchange Online, but the location condition 'includeLocations' set to 'AllTrusted' means it applies to trusted locations rather than excluding them. For exclusion, the policy should use 'excludeLocations'. Option A is correct.

Options B and D are incorrect because the JSON does not include sign-in risk or device compliance. Option C is incorrect because the policy does apply to Exchange Online.

269
MCQ · hard

A financial services company uses Microsoft Purview and must comply with a regulation that requires communication surveillance for market abuse. They need to capture all electronic communications (email, Teams chats) of traders and scan for specific keywords and trading patterns. Which Microsoft Purview solution is specifically designed for this?

A.Communication Compliance
B.Data Lifecycle Management
C.eDiscovery (Standard)
D.Insider Risk Management
AnswerA

Correct. Communication Compliance is designed for monitoring and reviewing electronic communications to detect risks like market abuse, regulatory violations, and inappropriate content.

Why this answer

Communication Compliance is the Microsoft Purview solution specifically designed to capture and analyze electronic communications (email, Teams chats) for regulatory compliance, such as detecting market abuse. It allows organizations to define policies that scan for specific keywords and trading patterns, automatically flagging messages that violate compliance rules. This directly addresses the requirement for communication surveillance in financial services under regulations like MiFID II or Dodd-Frank.

Exam trap

The trap here is confusing Communication Compliance with Insider Risk Management, as both deal with user behavior, but Communication Compliance is specifically for capturing and scanning communications for regulatory surveillance, while Insider Risk Management focuses on broader risk indicators like data theft or policy violations.

How to eliminate wrong answers

Option B (Data Lifecycle Management) is wrong because it focuses on retaining, deleting, or archiving data based on lifecycle policies, not on scanning communications for keywords or patterns. Option C (eDiscovery Standard) is wrong because it is designed for legal discovery and holds on content, not for proactive, real-time surveillance of communications for regulatory compliance. Option D (Insider Risk Management) is wrong because it detects risky user behavior (e.g., data exfiltration) using analytics and indicators, not specifically for capturing and scanning all trader communications for market abuse keywords and patterns.

270
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy includes locations condition "AllTrusted". What is the effect of this policy?

A.Users are required to perform MFA when accessing from untrusted locations.
B.Users are blocked from accessing apps from trusted locations.
C.Users are required to perform MFA when accessing from trusted locations.
D.Users are allowed access without MFA from trusted locations.
AnswerC

The policy targets trusted locations and requires MFA.

Why this answer

In Microsoft Entra ID Conditional Access, the 'AllTrusted' locations condition includes locations marked as trusted (e.g., corporate network IP ranges or MFA-trusted IPs). When a policy is configured with this condition and set to 'Require MFA', it enforces MFA specifically when users access from those trusted locations. This is often used to require step-up authentication even from within the corporate network, for example, when accessing sensitive applications.

Exam trap

The trap here is that candidates often assume trusted locations automatically bypass MFA, but Conditional Access policies can explicitly require MFA from trusted locations for step-up authentication.

How to eliminate wrong answers

Option A is wrong because 'AllTrusted' targets trusted locations, not untrusted ones; requiring MFA from untrusted locations would use 'AllUntrusted' or 'All locations' with an exclude. Option B is wrong because Conditional Access policies do not block access from trusted locations by default; blocking would require a 'Block access' grant control, not a location condition alone. Option D is wrong because allowing access without MFA from trusted locations is the default behavior when no policy targets them; this policy explicitly requires MFA, so it does not allow access without MFA.

271
MCQhard

A multinational corporation wants to detect scenarios where employees in the finance department are accessing and downloading customer credit card data from a CRM system and then emailing that data to personal accounts. The security team needs to define policies that identify this pattern of activity, analyze user behavior over time (e.g., building a user's baseline), and automatically escalate high-risk incidents for investigation. Which Microsoft Purview solution should they deploy?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Insider Risk Management
D.Microsoft Purview eDiscovery (Premium)
AnswerC

Insider Risk Management is designed to identify and investigate malicious and inadvertent insider risks by analyzing user activities, building baselines, and detecting anomalies across multiple indicators.

Why this answer

Microsoft Purview Insider Risk Management is designed to detect risky user activities that violate organizational policies, such as accessing sensitive data and exfiltrating it via email. It uses machine learning to establish user baselines over time and automatically escalates high-risk incidents for investigation, directly matching the scenario's requirements.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with Insider Risk Management because both deal with data protection, but DLP enforces rules on data in motion or at rest without analyzing user behavior baselines or detecting insider threat patterns over time.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Communication Compliance focuses on monitoring communications (e.g., email, Teams) for policy violations like harassment or inappropriate content, not on detecting data exfiltration patterns or building user baselines. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) prevents accidental or unauthorized sharing of sensitive data through policy enforcement (e.g., blocking emails), but it does not analyze user behavior over time or build baselines for anomaly detection. Option D is wrong because Microsoft Purview eDiscovery (Premium) is used for legal discovery and holds, searching, and exporting content for litigation or regulatory requests, not for real-time detection of risky user behavior or baseline analysis.

272
MCQmedium

A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 30 days on devices that are marked as compliant, but require MFA for every sign-in attempt on non-compliant devices. Which Conditional Access control should they configure to meet this requirement?

A.Grant control: Require MFA
B.Session control: Sign-in frequency
C.Conditions: Device state
D.Session control: Application restrictions
AnswerB

Sign-in frequency session control allows the administrator to specify how often a user must re-authenticate. This can be set to every 30 days for compliant devices and to 0 (every time) for non-compliant devices to achieve the goal.

Why this answer

The requirement specifies different MFA frequency based on device compliance: every 30 days for compliant devices and every sign-in for non-compliant devices. This is achieved by configuring a Session control called 'Sign-in frequency' in a Conditional Access policy, which allows administrators to set the reauthentication interval (e.g., 30 days) and can be scoped to specific conditions like device state (compliant vs. non-compliant). Grant controls like 'Require MFA' enforce MFA but do not control the frequency of re-prompting.

Exam trap

The trap here is that candidates confuse 'Grant controls' (which enforce MFA) with 'Session controls' (which manage sign-in frequency), leading them to pick 'Require MFA' instead of 'Sign-in frequency' when the question specifically asks about controlling the frequency of MFA prompts.

How to eliminate wrong answers

Option A is wrong because 'Grant control: Require MFA' enforces MFA on every sign-in but cannot differentiate between compliant and non-compliant devices or set a reauthentication frequency like 30 days. Option C is wrong because 'Conditions: Device state' is a condition that filters which devices the policy applies to (e.g., compliant or non-compliant), not a control that enforces MFA frequency. Option D is wrong because 'Session control: Application restrictions' controls access to specific apps or data (e.g., using app protection policies) and does not manage MFA reauthentication intervals.

273
MCQmedium

Your organization uses Microsoft Purview to manage compliance. You need to create a policy that ensures data is retained for a specific period and then automatically deleted. Which solution should you use?

A.Microsoft Purview Audit
B.Microsoft Purview Compliance Manager
C.Microsoft Purview Information Protection
D.Microsoft Purview Data Lifecycle Management
AnswerD

Data Lifecycle Management manages retention and deletion.

Why this answer

Option D is correct because Data Lifecycle Management provides retention policies that keep data for a set period and then delete it. Option C is wrong because Information Protection focuses on classification. Option A is wrong because Audit is for logging.

Option B is wrong because Compliance Manager is for risk assessment.

274
MCQhard

Your organization, Contoso, uses Microsoft Entra ID for identity management. The security team has recently identified that several users have had their credentials compromised. You need to implement a solution that automatically enforces a password change for high-risk users and blocks sign-ins from risky locations. Additionally, you want to allow users to self-remediate by changing their password when they are at medium risk. You have the following requirements:
- Users detected as high risk must be blocked from signing in until an administrator resets their password.
- Users detected as medium risk must be prompted to change their password via self-service password reset before they can access resources.
- All risk detections must be logged and reported to the security team.
- The solution must use built-in Microsoft Entra capabilities without third-party tools.
Which of the following actions should you take to meet the requirements?

A.Create conditional access policies that block sign-ins based on location and require MFA for all users.
B.Configure Microsoft Entra ID Protection user risk policies: set a policy to block access for high user risk and a policy to require password change for medium user risk. Enable risk reporting.
C.Administratively assign users to administrative units and require administrators to review risk manually.
D.Use Microsoft Entra ID Governance to create an access package and require approval for access.
AnswerB

This directly meets all requirements.

Why this answer

Option B is correct because Microsoft Entra ID Protection provides built-in user risk policies that automatically block sign-ins for high-risk users and require a password change for medium-risk users, meeting the requirements for automated enforcement and self-remediation. Additionally, ID Protection includes risk reporting capabilities that log all risk detections for the security team, all without third-party tools.

Exam trap

The trap here is that candidates often confuse conditional access policies (which control access based on conditions like location or device) with Identity Protection risk policies (which specifically enforce actions based on user or sign-in risk levels), leading them to choose Option A instead of the correct risk-based policy configuration.

How to eliminate wrong answers

Option A is wrong because conditional access policies that block sign-ins based on location and require MFA do not automatically enforce password changes based on user risk level, nor do they provide the granular risk-based remediation (block vs. password change) required for high and medium risk. Option C is wrong because manually assigning users to administrative units and requiring administrators to review risk manually does not automate enforcement or allow self-remediation; it contradicts the requirement for automatic password change and blocking. Option D is wrong because Microsoft Entra ID Governance access packages and approval workflows are designed for managing resource access and entitlement, not for enforcing risk-based password changes or blocking sign-ins based on compromised credentials.

275
MCQmedium

A company uses Microsoft Entra ID to manage access to internal applications for employees and guest users. The compliance team requires that all guest users' access to a sensitive application must be reviewed every 90 days by the application owner. If the owner does not respond to the review request, the guest's access must be automatically revoked. Which Microsoft Entra ID feature should the company use?

A.Conditional Access
B.Identity Protection
C.Access Reviews
D.Privileged Identity Management (PIM)
AnswerC

Access Reviews allow administrators to create recurring reviews of access to groups, applications, or roles, and can be configured to automatically remove access if the reviewer does not respond.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews of guest user access to applications, groups, or roles. The scenario requires a 90-day review cycle with automatic revocation if the owner does not respond, which is a built-in configuration option within an Access Review policy. This directly meets the compliance team's requirement for periodic attestation and automated removal of access.

Exam trap

The trap here is confusing Access Reviews with Privileged Identity Management (PIM), since both involve approvals and time-bound access, but PIM focuses on privileged role activation while Access Reviews handle recurring attestation of any user's access to resources.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device state, but it does not provide periodic attestation or automatic revocation based on reviewer non-response. Option B is wrong because Identity Protection detects and remediates identity-based risks such as leaked credentials or sign-ins from anonymous IP addresses, but it does not schedule recurring access reviews or revoke access due to reviewer inaction. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval workflows for privileged roles, but it is not designed for recurring attestation of guest user access to a sensitive application.

276
MCQhard

A company uses Microsoft Purview to manage data lifecycle. They configure a retention label that marks content as a regulatory record and apply it to sensitive documents. A user with edit permissions attempts to modify a document that has this label applied. What will be the outcome?

A.The user can edit the document but cannot delete it.
B.The user cannot edit or delete the document.
C.The user can edit the document if they have edit permissions, and any changes are recorded in the audit log.
D.The user can edit the document only after obtaining a legal hold.
AnswerB

Regulatory records are immutable; neither editing nor deletion is permitted, regardless of permissions.

Why this answer

When a retention label is configured as a regulatory record, it enforces the strictest retention and disposition controls. Regulatory records are immutable by design; once applied, no user—regardless of permissions—can edit or delete the content. This is because the label locks the document to prevent any modification or deletion until the retention period expires and a disposition review is completed.

Exam trap

The trap here is that candidates confuse 'regulatory record' with a standard retention label or a legal hold, assuming that edit permissions or audit logging still allow changes, when in fact regulatory records enforce complete immutability.

How to eliminate wrong answers

Option A is wrong because a regulatory record label prevents both editing and deletion, not just deletion. Option C is wrong because even with edit permissions, the label blocks all modifications; audit logging of changes is irrelevant since no changes can occur. Option D is wrong because a legal hold is a separate preservation mechanism (e.g., Litigation Hold or eDiscovery hold) and does not override the immutability of a regulatory record label; the user cannot edit the document under any circumstance while the label is active.

277
Multi-Selecteasy

Which TWO of the following are capabilities of Microsoft Defender for Cloud?

Select 2 answers
A.Enable just-in-time access to virtual machines
B.Centralize security event log analysis from multiple sources
C.Monitor domain controllers for malicious activity
D.Assess and improve the security posture of your cloud resources
E.Manage mobile devices and enforce compliance policies
AnswersA, D

Defender for Cloud includes just-in-time VM access.

Why this answer

Microsoft Defender for Cloud provides cloud security posture management (CSPM) and workload protection. Option D is correct because it offers CSPM via secure score. Option A is correct because it provides just-in-time VM access.

Option C is wrong because monitoring domain controllers for malicious activity is Microsoft Defender for Identity. Option B is wrong because centralizing security event log analysis from multiple sources is Microsoft Sentinel. Option E is wrong because managing mobile devices and enforcing compliance policies is Microsoft Intune.

278
MCQeasy

Which Microsoft security solution provides centralized investigation and response across identities, endpoints, email, and cloud apps by correlating alerts from multiple sources?

A.Microsoft Defender XDR
B.Microsoft Purview
C.Microsoft Sentinel
D.Microsoft Intune
AnswerA

Defender XDR correlates alerts from identities, endpoints, email, and cloud apps.

Why this answer

Option A is correct because Microsoft Defender XDR correlates signals across identities, endpoints, email, and cloud apps. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR, not a built-in XDR. Option D is wrong because Microsoft Intune manages endpoints.

Option B is wrong because Microsoft Purview focuses on compliance.

279
MCQeasy

A healthcare organization must comply with HIPAA regulations. They need to classify and protect medical records stored in Microsoft 365. Which Microsoft Purview solution should they use?

A.Microsoft Purview Audit
B.Microsoft Purview Priva
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Information Protection
AnswerD

Information Protection provides sensitivity labels and data classification.

Why this answer

Option D is correct because Microsoft Purview Information Protection includes sensitivity labels and data classification for regulatory compliance. Option C is wrong because Data Lifecycle Management focuses on retention, not classification. Option A is wrong because Audit is for logging.

Option B is wrong because Priva is for privacy management.

280
MCQhard

You are investigating an alert in Microsoft Defender XDR. Based on the exhibit, what is the primary detection source for this alert?

A.Microsoft Sentinel
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerC

The detection source is explicitly stated.

Why this answer

The exhibit shows an alert from Microsoft Defender XDR with a detection source of 'Microsoft Defender for Identity'. Defender for Identity uses on-premises Active Directory signals and network traffic to detect identity-based threats like lateral movement, privilege escalation, and compromised credentials. The alert details indicate suspicious activity tied to an on-premises domain controller, which is the core focus of Defender for Identity.

Exam trap

The trap here is that candidates confuse Microsoft Defender XDR's unified alert interface with the underlying detection source, assuming that because the alert appears in the XDR portal, it must come from a more familiar product like Defender for Endpoint or Sentinel, rather than recognizing the identity-specific indicators (e.g., domain controller involvement, Kerberos anomalies) that point to Defender for Identity.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests alerts from multiple sources but is not itself a primary detection source for this specific alert; the exhibit shows the detection source as Defender for Identity, not Sentinel. Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint-level threats (malware, fileless attacks, EDR) and would show a detection source like 'Microsoft Defender for Endpoint' in the alert, not the identity-based source shown. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB focused on cloud application usage and shadow IT, not on-premises Active Directory identity attacks; its detection source would be 'Microsoft Defender for Cloud Apps'.

281
MCQhard

A SOC analyst in Microsoft Sentinel needs to create a custom detection rule that triggers an incident when more than 10 failed logins occur from a single IP address within 5 minutes. Which rule type should they use?

A.Anomaly analytics rule
B.Near-real-time (NRT) analytics rule
C.Microsoft security analytics rule
D.Scheduled query analytics rule
AnswerD

Scheduled rules allow custom KQL with aggregation and threshold conditions.

Why this answer

Option D is correct because a scheduled query rule accepts custom KQL, including aggregation and threshold conditions, and runs on a schedule the analyst defines. Option B is wrong because a near-real-time (NRT) rule runs on a fixed near-real-time cadence with limited query and scheduling options. Option C is wrong because a Microsoft security rule creates incidents from the built-in detections of other Microsoft services rather than custom queries.

Option A is wrong because an anomaly rule is for ML-based anomaly detection, not a fixed custom threshold.

282
MCQhard

A company uses Microsoft Entra ID and a third-party SaaS application. They want to prevent users from downloading sensitive documents from the SaaS app when accessing from unmanaged personal devices, while still allowing read-only access. Which Conditional Access control should they apply to achieve this?

A.Require multifactor authentication (MFA)
B.Require compliant device (Intune compliance policy)
C.Use app control with Microsoft Defender for Cloud Apps session policy
D.Block access
AnswerC

Session policies in Microsoft Defender for Cloud Apps allow granular controls, such as blocking download while permitting read-only access, based on device state.

Why this answer

Option C is correct because Microsoft Defender for Cloud Apps (MDCA) session policies enable granular control over user actions within a SaaS app, such as blocking downloads while allowing read-only access. This is achieved through reverse proxy architecture that intercepts and enforces policies on HTTP/HTTPS traffic in real time, regardless of device compliance or identity provider status. Conditional Access with MDCA session control is the only option that provides app-level data protection without requiring device management or blocking access entirely.

Exam trap

The trap here is that candidates often confuse identity-based controls (like MFA or device compliance) with app-level data protection controls, not realizing that only MDCA session policies can enforce granular actions like 'block download' while still allowing read-only access within the app itself.

How to eliminate wrong answers

Option A is wrong because requiring multifactor authentication (MFA) only verifies identity and does not control what users can do within a SaaS app after authentication, such as downloading documents. Option B is wrong because requiring a compliant device via Intune compliance policy would block access entirely from unmanaged personal devices, rather than allowing read-only access while preventing downloads. Option D is wrong because blocking access would prevent all access, including the desired read-only capability, which is too restrictive for the requirement.

283
MCQmedium

A legal team is involved in a lawsuit and needs to ensure that all emails and documents related to the case are preserved in their original state, even if users edit or delete them. They also need the ability to search for these items and export them for legal review. Which Microsoft Purview solution should the compliance team configure to meet these requirements?

A.Microsoft Purview Compliance Manager
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview eDiscovery (Standard)
D.Microsoft Purview Audit (Standard)
AnswerC

eDiscovery (Standard) is designed for legal and investigative needs. It can place holds on content to preserve it, search across Exchange, SharePoint, Teams, and other locations, and export results for review.

Why this answer

Microsoft Purview eDiscovery (Standard) is the correct solution because it provides the ability to place a legal hold on content (preserving emails and documents in their original state even if users edit or delete them), perform searches across Exchange Online, SharePoint Online, OneDrive for Business, and Teams, and export the results for legal review. This directly meets the requirements of preservation, search, and export for litigation.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (retention/deletion) with eDiscovery (preservation/search/export), or mistakenly think Audit (Standard) can preserve and export content when it only records metadata about activities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a risk-assessment and compliance-score tool that helps organizations track their compliance posture against regulations; it does not provide legal hold, search, or export capabilities for content. Option B is wrong because Microsoft Purview Data Lifecycle Management focuses on retention and deletion policies (e.g., automatically deleting old emails or documents) and does not include the ability to place a legal hold or perform eDiscovery searches and exports. Option D is wrong because Microsoft Purview Audit (Standard) logs user and admin activities (e.g., who accessed a file) but does not preserve content in its original state, nor does it allow searching and exporting of the actual emails and documents for legal review.

284
Multi-Selecteasy

Which TWO Microsoft security solutions can be used to detect and respond to identity-based threats? (Choose two.)

Select 2 answers
A.Microsoft Defender for Cloud Apps
B.Microsoft Purview
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
E.Microsoft Entra ID Protection
AnswersC, E

Both solutions detect identity-based attacks.

Why this answer

Microsoft Defender for Identity (option C) is a cloud-based security solution that uses on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. It specifically focuses on identity-based attacks such as pass-the-hash, Kerberos golden ticket, and brute-force attempts by analyzing network traffic and behavior. Microsoft Entra ID Protection (option E) detects and remediates cloud identity risks, such as leaked credentials and anomalous sign-ins, through user risk and sign-in risk policies.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB) with identity threat detection, but it is primarily for cloud app security, not on-premises identity attacks, while Microsoft Defender for Identity and Entra ID Protection are the two dedicated identity-focused solutions.

285
MCQmedium

Your company uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on a specific device. Which feature should you use to get real-time visibility into running processes and network connections?

A.Threat analytics
B.Device inventory
C.Automated investigation
D.Live response
AnswerD

Live response provides a remote shell to collect real-time data.

Why this answer

Live response in Microsoft Defender for Endpoint allows security analysts to remotely connect to a device and run commands to collect forensic data in real time. Option D is correct. Option B is wrong because device inventory is a static list of onboarded devices.

Option A is wrong because threat analytics provides threat intelligence reports. Option C is wrong because automated investigation is for automatic response, not interactive real-time inspection.

286
MCQmedium

A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?

A.Physical security of the data centers
B.Patching the guest operating system and applications
C.Ensuring the hypervisor is secured
D.Maintaining the network infrastructure
AnswerB

For IaaS, the customer manages the guest OS and applications, including patching.

Why this answer

In the Microsoft shared responsibility model, the customer is responsible for securing and patching the guest operating system and applications running on an Azure IaaS virtual machine. Microsoft manages the physical infrastructure, hypervisor, and network, while the customer controls the OS, applications, and data.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, assuming Microsoft handles OS patching, but in IaaS the customer retains full control and responsibility for the guest OS and applications.

How to eliminate wrong answers

Option A is wrong because physical security of data centers is the sole responsibility of Microsoft as the cloud provider, not the customer. Option C is wrong because ensuring the hypervisor is secured is Microsoft's responsibility under the shared model, as the hypervisor is part of the virtualization layer managed by Azure. Option D is wrong because maintaining the network infrastructure, including physical switches and routers, is Microsoft's responsibility in IaaS, while the customer only manages virtual networks and configurations.

287
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Entra PIM activation request. The roleDefinitionId corresponds to the Global Administrator role. The request is for an 8-hour activation with a start time. What is the maximum allowed activation duration for Global Administrator in PIM?

A.4 hours
B.12 hours
C.24 hours
D.8 hours
AnswerD

The default maximum activation duration for Global Administrator is 8 hours.

Why this answer

Option D is correct because Microsoft Entra PIM enforces a maximum activation duration of 8 hours for the Global Administrator role. This limit is a built-in security control to reduce the risk window for highly privileged access, and any activation request exceeding 8 hours will be automatically rejected.

Exam trap

The trap here is that candidates confuse the default maximum activation duration for most roles (4 hours) with the Global Administrator's higher limit (8 hours), or they incorrectly assume all roles share the same 24-hour maximum.

How to eliminate wrong answers

Option A is wrong because 4 hours is the default maximum activation duration for most eligible roles, but Global Administrator has a higher limit of 8 hours. Option B is wrong because 12 hours exceeds the enforced maximum of 8 hours for Global Administrator; PIM does not allow any role to be activated for longer than its configured maximum, and 12 hours is not a valid option for any built-in role. Option C is wrong because 24 hours is the maximum activation duration allowed for some roles like Security Administrator or User Administrator, but Global Administrator is capped at 8 hours due to its critical privilege level.

288
MCQeasy

Your company is implementing Microsoft Entra ID and wants to ensure that users can sign in using their existing social media accounts. Which feature should you configure?

A.B2B collaboration
B.Conditional Access
C.External Identities
D.Identity Protection
AnswerC

External Identities support social identity providers like Google and Facebook.

Why this answer

External Identities in Microsoft Entra ID allows you to configure identity providers for social media accounts (e.g., Google, Facebook) so users can sign in with their existing credentials. This is done by enabling federation with social identity providers via the External Identities blade, which uses OAuth 2.0 and OpenID Connect protocols to authenticate users without creating a separate Microsoft account.

Exam trap

The trap here is that candidates confuse B2B collaboration (which is for business partners) with External Identities (which includes social identity providers), because both involve external users, but only External Identities supports social login providers like Google and Facebook.

How to eliminate wrong answers

Option A is wrong because B2B collaboration is specifically for inviting external business partners (e.g., from other Azure AD tenants) to access your resources, not for allowing social media account sign-ins. Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a feature for configuring social identity providers. Option D is wrong because Identity Protection is a risk-based detection and remediation service (e.g., leaked credentials, sign-in anomalies), not a feature for adding social identity providers.

289
MCQ (easy)

A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?

A. Integrity
B. Availability
C. Non-repudiation
D. Confidentiality
Answer: D

Confidentiality is the principle of ensuring that data is only accessible to authorized users. Encryption and access controls are core mechanisms used to achieve confidentiality, making this the correct choice.

Why this answer

Confidentiality ensures that sensitive data, such as patient records, is accessible only to authorized individuals. Encryption renders the data unreadable to unauthorized parties, and access restrictions enforce that only authorized medical staff can decrypt and view the records. This directly aligns with the principle of confidentiality, which is a core pillar of the CIA triad.

Exam trap

The trap here is that candidates may confuse confidentiality with integrity, mistakenly thinking that encryption alone also prevents data tampering, but encryption does not inherently protect against unauthorized modification unless combined with integrity checks like hashing or digital signatures.

How to eliminate wrong answers

Option A is wrong because integrity focuses on protecting data from unauthorized modification or corruption, not on restricting access or ensuring secrecy. Option B is wrong because availability ensures that systems and data are accessible when needed by authorized users, but the measures described (encryption and access restrictions) primarily prevent unauthorized access, not downtime or resource unavailability. Option C is wrong because non-repudiation provides proof of the origin or delivery of data (e.g., through digital signatures or audit logs) and cannot be achieved solely by encryption and access controls.

290
MCQ (medium)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email via the Outlook mobile app. Which policy type should you configure?

A. Device configuration policies
B. App protection policies
C. Device compliance policies
D. Conditional Access policies in Microsoft Entra ID
Answer: D

Conditional Access policies can require device compliance to grant access to cloud apps.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance before granting access to cloud apps like Outlook. Option C is wrong because device compliance policies define what compliance means but do not enforce access control. Option B is wrong because app protection policies (MAM) protect data within apps but do not require device compliance.

Option A is wrong because device configuration policies configure device settings, not access control.

291
MCQ (easy)

Refer to the exhibit. You are configuring an access package in Microsoft Entra Entitlement Management. Based on the policy, which users can request access to the HR App?

A. Any user in the organization can request access, but guests require manager approval.
B. Only administrators can assign access.
C. Only users in the HR department can request access.
D. Only guest users can request access.
Answer: A

UserManaged allows requests; approval required for guests.

Why this answer

Option A is correct because the access package policy shown in the exhibit is configured with 'For users in your directory' as the scope and 'Specific connected organization' is not selected, meaning any internal user can request. The policy also has 'Approval' set to 'Manager approval' only for 'Guest users', so internal users do not require approval, while guests do. This matches the description that any user in the organization can request, but guests need manager approval.

Exam trap

The trap here is that candidates may misinterpret the approval setting as applying to all users, when in fact it is configured only for guest users, leading them to incorrectly select an option that implies restricted access or exclusive guest access.

How to eliminate wrong answers

Option B is wrong because the policy allows users to request access directly; it does not restrict assignment to administrators only. Option C is wrong because the policy scope is set to 'All users' (or 'For users in your directory'), not limited to the HR department. Option D is wrong because the policy allows both internal users and guest users to request access, not exclusively guests.

292
MCQ (hard)

A global enterprise has a hybrid environment that includes on-premises Active Directory, Azure resources, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single solution to collect security logs from all these sources, detect threats using advanced analytics and threat intelligence, and automate incident response via playbooks. They already have Microsoft Defender for Cloud protecting their Azure workloads. Which Microsoft security solution should they add to meet these requirements?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft Defender for Identity
D. Microsoft Cloud App Security
Answer: A

Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR that can ingest logs from on-premises, Azure, AWS, GCP, and many other sources. It provides threat detection and automated response via playbooks, making it the correct solution for the described need.

Why this answer

Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from a wide range of sources, including on-premises, Azure, AWS, and GCP. It provides advanced analytics, threat detection, and automated response through playbooks. Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution; while it does collect some logs and can send alerts to Sentinel, it does not provide the full SIEM/SOAR capabilities needed for multi-cloud aggregation and automation beyond Azure.

Microsoft Defender for Identity focuses on on-premises AD threats but not multi-cloud. Microsoft Cloud App Security is a CASB for SaaS apps, not a SIEM for infrastructure logs.

293
MCQ (hard)

A company uses a third-party SaaS CRM application. The security team needs to monitor user sessions in real-time when sales representatives access the CRM from personal, unmanaged devices. The goal is to prevent the download of sensitive customer data to local drives. The solution should block download actions and show a warning to the user. Which Microsoft security solution should the team deploy to enforce these session controls?

A. Microsoft Defender for Cloud Apps
B. Microsoft 365 Defender
C. Microsoft Sentinel
D. Microsoft Defender for Endpoint
Answer: A

Correct: Defender for Cloud Apps, with Conditional Access App Control, can monitor user sessions in real time and enforce granular controls such as blocking download actions from unmanaged devices.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) provides session-level controls via its Conditional Access App Control feature. This allows real-time monitoring and control of user sessions in third-party SaaS apps like CRM, enabling actions such as blocking downloads and displaying warnings based on device compliance (e.g., unmanaged devices). The solution integrates with Azure AD Conditional Access to enforce these policies at the session layer without modifying the underlying SaaS application.

Exam trap

The trap here is that candidates often confuse the broad detection and response capabilities of Microsoft 365 Defender or Defender for Endpoint with the specific session-level enforcement provided by Defender for Cloud Apps, which is the only solution that can intercept and control user actions inside a third-party SaaS application in real time.

How to eliminate wrong answers

Option B is wrong because Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that correlates signals across endpoints, identities, email, and apps, but it does not provide granular, real-time session-level controls for third-party SaaS applications. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for security information and event management, not a tool for enforcing real-time session policies or blocking downloads in a SaaS app. Option D is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) and device-level protection, not on controlling user sessions within a third-party SaaS CRM application.

294
MCQ (medium)

Refer to the exhibit. An analyst runs a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. To retrieve the most recent 10 malware alerts.
B. To find the single highest severity alert.
C. To count the total number of malware alerts in the last 24 hours.
D. To list all computers with malware alerts.
Answer: A

The query orders by time descending and takes 10.

Why this answer

The query filters alerts with AlertName 'Malware detected', projects the relevant columns, orders by time descending, and takes the top 10. This retrieves the 10 most recent malware alerts. Option C is wrong because the query does not count alerts.

Option B is wrong because it retrieves multiple alerts, not just one. Option D is wrong because it does not aggregate by computer.

295
MCQ (easy)

Your organization uses Microsoft Entra ID. A user reports that they are unable to access any Microsoft 365 services because they forgot their password. Which self-service tool should they use?

A. Self-Service Password Reset (SSPR)
B. Password reset admin portal
C. Identity Protection
D. Privileged Identity Management
Answer: A

SSPR enables users to reset their own passwords if configured.

Why this answer

Option A is correct because SSPR allows users to reset their own password. Option B (Password reset admin portal) is for administrators. Option C (Identity Protection) detects risks.

Option D (Privileged Identity Management) manages privileged roles.

296
MCQ (easy)

An organization wants to protect against password spray attacks by automatically blocking sign-ins from suspicious IP addresses. Which Microsoft Entra feature should they use?

A. Microsoft Entra Self-Service Password Reset
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra Multifactor Authentication
Answer: B

Detects and blocks risky sign-ins based on IP reputation.

Why this answer

Option B is correct because Identity Protection uses risk detection to block suspicious sign-ins from known malicious IP addresses. Option A is wrong because SSPR deals with password reset. Option D is wrong because MFA adds verification but does not automatically block based on IP.

Option C is wrong because PIM manages admin roles.

297
Multi-Select (medium)

Which TWO of the following are components of the Microsoft Security Development Lifecycle (SDL)? (Choose two.)

Select 2 answers
A. Penetration testing
B. Data classification
C. Security training
D. Code signing
E. Threat modeling
Answers: C, E

Security training is a foundational SDL phase to educate developers.

Why this answer

The SDL includes 'Security training' and 'Threat modeling' as core phases. Penetration testing is part of security validation but is not an SDL phase. Code signing is for software distribution.

Data classification is a compliance activity.

298
MCQ (medium)

Your organization uses Microsoft Entra ID and needs to block sign-ins from legacy authentication protocols to reduce risk. Which feature should you use?

A. Security defaults
B. Privileged Identity Management
C. Identity Protection
D. Conditional Access
Answer: D

Conditional Access can block legacy authentication by targeting client apps.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to block sign-ins from legacy authentication protocols by targeting client apps that use protocols like POP3, IMAP, SMTP, or older Office clients that do not support modern authentication. This is the correct feature because it provides granular, policy-based control to explicitly deny authentication requests that use legacy protocols, directly addressing the requirement to reduce risk from these less secure methods.

Exam trap

The trap here is that candidates often confuse Security defaults (which do block legacy authentication by default) with the ability to customize or target that block, but the question asks for a feature to 'block sign-ins from legacy authentication protocols' in a way that can be tailored to organizational needs, which only Conditional Access supports.

How to eliminate wrong answers

Option A is wrong because Security defaults provide a baseline set of security policies (like requiring MFA for all users and blocking legacy authentication) but are a fixed, non-customizable feature intended for small organizations; they cannot be selectively applied or fine-tuned to block legacy authentication for specific users or scenarios. Option B is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged access management, role activation, and approval workflows for administrative roles, not on controlling authentication protocols used during sign-in. Option C is wrong because Identity Protection uses risk-based policies (e.g., user risk, sign-in risk) to block or require MFA, but it does not have a direct setting to block legacy authentication protocols; it relies on Conditional Access policies to enforce such blocks.

299
MCQ (easy)

A compliance administrator needs to generate a report showing all user activities related to accessing highly sensitive documents in SharePoint. Which Microsoft Purview solution should they use?

A. Audit (Standard or Premium)
B. eDiscovery
C. Data Loss Prevention
D. Communication Compliance
Answer: A

Audit logs record user activities like file access.

Why this answer

Option A is correct because Audit logs capture user activities such as access to files. Option C is wrong because DLP is for prevention, not reporting. Option B is wrong because eDiscovery is for content search.

Option D is wrong because Communication Compliance is for communications monitoring.

300
MCQ (medium)

A company uses Microsoft Entra ID and wants to automatically detect and remediate over-privileged roles in their Azure subscriptions and AWS accounts. They need to get a unified view of permissions across multiple clouds. Which Microsoft Entra capability should they use?

A. Microsoft Entra Identity Protection
B. Microsoft Entra Permissions Management
C. Microsoft Entra Verified ID
D. Microsoft Entra ID Governance
Answer: B

Permissions Management (CIEM) gives a unified view of permissions across Azure, AWS, and GCP, and helps detect and fix over-privileged roles.

Why this answer

Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides visibility into permissions across multi-cloud environments, including Azure and AWS. It automatically detects over-privileged roles and can remediate them by enforcing least-privilege access policies, making it the correct choice for the described requirement.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID Governance with Permissions Management because both deal with 'permissions,' but Governance handles identity lifecycle and access reviews within Entra ID, not multi-cloud infrastructure permission analysis or automated remediation.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection focuses on detecting identity-based risks such as compromised credentials and sign-in anomalies, not on managing cloud infrastructure permissions. Option C is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials, unrelated to cloud permission management. Option D is wrong because Microsoft Entra ID Governance covers identity lifecycle, access reviews, and entitlement management within Microsoft Entra ID, but it does not provide multi-cloud permission visibility or automated remediation for over-privileged roles in AWS or Azure subscriptions.
