Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 301-375

1411 questions total · 19 pages · All types, answers revealed

Page 5 of 19

301
Multi-Select · hard

Which TWO scenarios are appropriate uses of Microsoft Purview Audit (Standard)?

Select 2 answers
A. Investigating a user who accessed a sensitive file in SharePoint.
B. Searching the audit log for admin activities in the past 60 days.
C. Generating custom reports with PowerShell for all activities.
D. Tracking when sensitivity labels are applied to documents.
E. Retaining audit logs for 2 years for compliance purposes.
Answers: A, B

Audit (Standard) logs file access events.

Why this answer

Options B and D are correct. Audit (Standard) logs user and admin activities (B) and can be searched in the Purview compliance portal (D). Option A is wrong because detailed custom reports are part of Audit (Premium).

Option C is wrong because sensitivity label events may require Audit (Premium) for full details. Option E is wrong because Audit (Standard) has a 90-day retention.

302
MCQ · medium

A user reports that they cannot access the company's HR application, which requires Microsoft Entra ID authentication. The user can access other apps that also use Entra ID. What is the most likely cause?

A. The user's account is disabled.
B. The tenant is blocked for all sign-ins.
C. The user's password expired.
D. A conditional access policy is blocking access to that specific app.
Answer: D

Conditional Access policies can target specific apps.

Why this answer

The user can access other Microsoft Entra ID-integrated apps, which rules out account-level issues like a disabled account or expired password. A conditional access policy can target specific applications, so it is the most likely cause of the block on just the HR app.

Exam trap

The trap here is that candidates often assume a user-specific issue (like disabled account or expired password) when they see a single user blocked, but the key clue is that other apps work, pointing to an app-specific conditional access policy rather than a global or user-level problem.

How to eliminate wrong answers

Option A is wrong because if the user's account were disabled, they would be unable to access any Entra ID-authenticated app, not just the HR app. Option B is wrong because a tenant-wide block would prevent all sign-ins for all users, not just this user's access to one app. Option C is wrong because an expired password would affect authentication to all apps using the same Entra ID tenant, not selectively block one app.

303
MCQ · hard

Your organization, Contoso Ltd., is a multinational company with offices in the US, EU, and Asia. You are the compliance administrator. The legal team requires that all documents containing personally identifiable information (PII) of EU citizens be retained for 10 years after the last modification. Additionally, any document classified as 'Highly Confidential' must be encrypted and have a custom header 'CONFIDENTIAL - DO NOT FORWARD' when shared externally. You also need to ensure that only users in the EU region can access documents containing EU PII. You have Microsoft Purview with the necessary licenses. You need to design a compliance solution that meets these requirements with minimal administrative overhead. What should you do?

A. Create a Data Loss Prevention (DLP) policy to block external sharing of PII; create a retention policy for 10 years on all content; use sensitivity labels for encryption
B. Create a retention label for 10-year retention based on PII content; create a sensitivity label 'Highly Confidential' with encryption and header; configure a conditional access policy in Microsoft Entra ID to restrict access to EU users for documents labeled 'Highly Confidential'
C. Use a single unified label that combines retention and sensitivity settings; then configure an auto-labeling policy to apply it; use a device compliance policy to restrict access
D. Create a retention policy for 10 years on all content; use sensitivity labels with encryption; then configure a DLP policy to add the header when shared externally
Answer: B

Retention label retains for 10 years; sensitivity label provides encryption and header; conditional access restricts by region.

Why this answer

Option A combines a retention label for 10-year retention, a sensitivity label with encryption and header, and a conditional access policy to restrict access based on region. This meets all requirements. Option B uses DLP, which does not enforce access control per region.

Option C uses a single label, but retention and sensitivity are separate; also conditional access is needed. Option D lacks encryption and header for external sharing.

304
MCQ · easy

A company is moving its on-premises infrastructure to Azure. The CISO wants to understand the division of security responsibilities between the cloud provider and the customer. Which of the following models defines this division?

A. CIA triad (Confidentiality, Integrity, Availability)
B. Shared Responsibility Model
C. Zero Trust Model
D. Defense-in-Depth
Answer: B

This model clearly outlines which security controls are managed by Microsoft (e.g., physical security of datacenters) and which by the customer (e.g., user access and data classification).

Why this answer

The Shared Responsibility Model defines the division of security responsibilities between the cloud provider (Microsoft) and the customer. Microsoft is responsible for the security of the cloud (physical hosts, network, datacenters), while the customer is responsible for security in the cloud (data, identities, access management, and configurations). This model is foundational for understanding compliance and security ownership in Azure.

Exam trap

Microsoft often tests the distinction between security models (CIA triad, Zero Trust, Defense-in-Depth) and the Shared Responsibility Model, trapping candidates who confuse a security principle or architecture with the specific contractual division of security duties between cloud provider and customer.

How to eliminate wrong answers

Option A is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a security model for designing and evaluating security controls, not a framework for dividing responsibilities between provider and customer. Option C is wrong because the Zero Trust Model is a security architecture that assumes no implicit trust and requires continuous verification of every request, not a model for assigning security duties between cloud provider and customer. Option D is wrong because Defense-in-Depth is a layered security strategy using multiple controls (physical, network, application, data) to protect resources, not a model that defines the split of responsibilities between the cloud provider and the customer.

305
MCQ · medium

A company wants to allow its partners to access a specific SharePoint Online site using their own corporate credentials. The company does not want to manage partner accounts. Which Microsoft Entra feature should they use?

A. Microsoft Entra External ID
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra Identity Protection
D. Microsoft Entra Conditional Access
Answer: A

Allows external users to access resources with their own credentials.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2B) allows organizations to grant external partners access to resources like SharePoint Online using their own corporate or social identities. This eliminates the need to create and manage separate user accounts for partners, as they authenticate through their home identity provider via federation or invitation redemption.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with the identity provider federation capability of External ID, mistakenly thinking policies alone can enable external authentication without a dedicated identity solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access reviews within an organization, not for enabling external partner access with their own credentials. Option C is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) for internal users, not for managing external partner authentication. Option D is wrong because Microsoft Entra Conditional Access enforces policies (e.g., MFA, device compliance) on sign-in events but does not itself provide the mechanism for external identities to authenticate using their own credentials; it works in conjunction with External ID.

306
Multi-Select · medium

Which TWO of the following are components of the Microsoft Entra product family? (Choose two.)

Select 2 answers
A. Microsoft Defender for Identity
B. Microsoft Intune
C. Microsoft Purview
D. Microsoft Entra Permissions Management
E. Microsoft Entra ID
Answers: D, E

Permissions Management is a CIEM offering under Entra.

Why this answer

Option A and Option D are correct. Microsoft Entra ID is the identity service. Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution.

Option B is wrong because Microsoft Defender for Identity is part of Microsoft Defender XDR. Option C is wrong because Microsoft Purview is a separate governance service.

307
MCQ · medium

A company uses Microsoft 365 and is concerned about phishing attacks targeting employees. They want to deploy a solution that can automatically analyze email messages for malicious links and attachments, and also provide click-time protection by rewriting URLs. Which Microsoft 365 Defender component should they use?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: B

Defender for Office 365 includes Safe Links, Safe Attachments, and anti-phishing policies to protect email and collaboration tools.

Why this answer

Microsoft Defender for Office 365 (MDO) is the correct component because it is specifically designed to protect against email-borne threats such as phishing. It includes Safe Links and Safe Attachments features that automatically scan email messages for malicious links and attachments, and it rewrites URLs to provide click-time protection by checking the link against a dynamic threat intelligence feed at the moment of the click.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, mistakenly thinking endpoint protection includes email security, but MDO is the only solution that provides email-specific URL rewriting and attachment sandboxing.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (devices) from malware and advanced attacks, not on email-level phishing protection or URL rewriting. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that controls access to cloud applications and detects shadow IT, but it does not analyze email messages or rewrite URLs for phishing protection. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks like Kerberos abuse or lateral movement, not email phishing analysis or URL rewriting.

308
MCQ · hard

Your company uses Microsoft Purview Communication Compliance to detect and remediate inappropriate messages. You need to create a policy that monitors Microsoft Teams chats for potential harassment. Which type of policy should you create?

A. Data Loss Prevention (DLP) policy
B. Information Barriers policy
C. Communication Compliance policy
D. Retention policy
Answer: C

Communication Compliance policies are designed to detect and remediate inappropriate messages in Teams, email, etc.

Why this answer

Option D is correct because Communication Compliance policies can monitor Teams chats for offensive language. Option A is wrong because Information Barriers restrict communication between groups. Option B is wrong because DLP policies protect sensitive data.

Option C is wrong because Retention policies manage data lifecycle.

309
MCQ · medium

A company uses Microsoft Sentinel to centralize security logs. They want to correlate AWS CloudTrail logs with Azure AD sign-in logs. Which Microsoft Sentinel feature should they use?

A. Workbooks
B. Playbooks
C. Analytics rules
D. Hunting
Answer: C

Analytics rules can correlate events across data connectors.

Why this answer

Analytics rules in Sentinel can correlate data from multiple sources. Option A is correct. Option B (Workbooks) visualize data.

Option C (Playbooks) automate responses. Option D (Hunting) is proactive threat search.

310
MCQ · easy

Your organization uses Microsoft Purview Data Lifecycle Management. You need to ensure that content in a SharePoint site is retained for 3 years after the last modification date. What should you create?

A. A static retention policy with a 3-year duration
B. An auto-labeling policy for sensitive data
C. A default retention label for the library
D. An adaptive retention policy based on a custom date property
Answer: D

Adaptive policies can use 'last modified' as the start of retention.

Why this answer

Option A is correct because adaptive retention policies can use a custom date property like 'last modified' to trigger retention. Option B is wrong because static policies apply to all content. Option C is wrong because default labels do not use custom dates.

Option D is wrong because auto-labeling is for classification.

311
MCQ · hard

A company is designing a Microsoft 365 Defender incident response workflow. They want to automatically isolate a compromised device when a ransomware alert is triggered. Which Microsoft 365 component should be used to execute the automated response action?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Sentinel
D. Microsoft Purview
Answer: A

It includes AIR capabilities that can automatically isolate devices upon alert.

Why this answer

Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can isolate a device from the network when a ransomware alert is triggered. This is the correct component because it provides endpoint detection and response (EDR) with built-in playbooks for automatic containment actions like device isolation.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's SOAR capabilities (which can trigger isolation via playbooks) with the native automated response engine in Defender for Endpoint, but Sentinel is an orchestrator, not the component that directly executes the endpoint isolation action.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., phishing, malware in attachments) but does not have the ability to isolate endpoints or execute device-level automated response actions. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR platform that can orchestrate response actions via playbooks, but it is not the native component for directly isolating a device; it would typically trigger a Defender for Endpoint action via an API. Option D is wrong because Microsoft Purview focuses on data governance, compliance, and information protection (e.g., DLP, retention labels) and has no endpoint isolation capabilities.

312
MCQ · hard

You are designing a compliance solution for a global company. You need to ensure that data stored in SharePoint Online is not accessible from a specific geographic region. Which Microsoft Purview feature should you use?

A. Compliance boundaries
B. Data loss prevention policy
C. Retention policy
D. Sensitivity labels
Answer: A

Compliance boundaries restrict data access to specific geographies.

Why this answer

Option B is correct because Compliance Boundaries in Microsoft Purview allow you to define data access restrictions based on geographical boundaries. Option A is wrong because retention policies manage lifecycle, not access. Option C is wrong because sensitivity labels classify data but do not restrict access by region.

Option D is wrong because DLP policies prevent sharing, not access.

313
MCQ · medium

Refer to the exhibit. An administrator runs the PowerShell command against Microsoft Defender for Endpoint. The output shows an alert with Severity 'High' and Status 'New'. What should the administrator do next to investigate the alert?

A. Change the severity to Medium to reduce false positives
B. Resolve the alert as a false positive
C. Create a Microsoft Sentinel analytics rule from the alert
D. Investigate the alert details in the Microsoft Defender XDR portal
Answer: D

The portal provides detailed information and actions.

Why this answer

Option A is correct because the administrator should investigate the alert in the Microsoft Defender XDR portal to understand the context and determine next steps. Option B is wrong because severity is already high, so it's not about adjusting. Option C is wrong because the alert is new, not resolved.

Option D is wrong because the alert is already in Defender, no need to create a Sentinel rule first.

314
MCQ · easy

A user reports that they are unable to sign in to a SaaS application that is configured for single sign-on (SSO) with Microsoft Entra ID. The user can sign in to other applications. What should you check first?

A. Confirm the user's account is not disabled.
B. Verify that the user has reset their password recently.
C. Ensure the user has an appropriate Microsoft 365 license.
D. Check if the user is assigned to the application in Microsoft Entra ID.
Answer: D

If the user is not assigned, they will be denied access even with valid credentials.

Why this answer

Option D is correct because the most common cause of SSO failure for a single application, when the user can sign in to other apps, is that the user has not been assigned to that specific application in Microsoft Entra ID. Without explicit assignment, the user cannot authenticate via SSO even if their account is active and licensed. This is a core requirement for application-level access control in Entra ID.

Exam trap

The trap here is that candidates confuse global authentication issues (like disabled accounts or password problems) with application-specific authorization, which is governed by user assignment in Entra ID, not by the user's overall account state or licensing.

How to eliminate wrong answers

Option A is wrong because if the user's account were disabled, they would be unable to sign in to any application, not just the one in question. Option B is wrong because a recent password reset does not affect SSO sign-in; SSO relies on the user's primary authentication token, and a password change would apply globally, not selectively block one app. Option C is wrong because Microsoft 365 licensing is unrelated to SSO access for a third-party SaaS application; licensing controls access to Microsoft 365 services, not Entra ID application assignments.

315
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Sentinel? (Select THREE.)

Select 3 answers
A. Security information and event management (SIEM)
B. User and entity behavior analytics (UEBA)
C. Mobile device management
D. Security orchestration, automation, and response (SOAR)
E. Data loss prevention
Answers: A, B, D

Sentinel is a cloud-native SIEM.

Why this answer

Correct: SIEM (B), SOAR (C), and UEBA (E). Option A: Device management is Intune. Option D: DLP is Purview.

316
MCQ · medium

Your organization uses Microsoft Sentinel as a SIEM. You need to create a rule that triggers an incident when a user account is created in an Azure subscription and then logs in from an unfamiliar location within 24 hours. Which type of rule should you configure?

A. Anomaly detection rule
B. Scheduled query rule
C. Fusion rule
D. Near-real-time (NRT) rule
Answer: B

Scheduled rules can correlate events over time.

Why this answer

Option A is correct because a scheduled query rule can correlate two events based on time. Option B is wrong because anomaly detection rules use ML models. Option C is wrong because NRT rules run near real-time but not scheduled.

Option D is wrong because fusion rules use advanced ML.

317
MCQ · easy

Your organization wants to classify documents based on whether they contain confidential business information like trade secrets. You need to use a classifier that learns from example documents. What should you use?

A. Trainable classifier
B. Exact data match
C. Data loss prevention policy
D. Sensitive information type
Answer: A

Trainable classifiers learn from example documents provided by the organization.

Why this answer

Option D is correct because trainable classifiers use machine learning based on seed documents. Option A is wrong because SITs use predefined patterns. Option B is wrong because exact data match requires exact values.

Option C is wrong because DLP policies are actions, not classifiers.

318
MCQ · medium

Refer to the exhibit. You are reviewing a risk detection in Microsoft Entra Identity Protection. The risk event indicates 'unfamiliarFeatures' with medium risk level for user John Doe from IP 203.0.113.5. What is the most likely cause of this risk detection?

A. There was an impossible travel event detected.
B. John Doe's credentials were leaked on the dark web.
C. The sign-in originated from an anonymous IP address.
D. The sign-in was from an unfamiliar location or device.
Answer: D

UnfamiliarFeatures detects sign-ins from unfamiliar locations or devices.

Why this answer

Option D is correct because 'unfamiliarFeatures' indicates sign-in from a location or device that is not familiar to the user. Option A is wrong because leaked credentials would show 'leakedCredentials' risk event. Option B is wrong because anonymous IP address would be 'anonymousIpAddress' risk event.

Option C is wrong because impossible travel would show 'impossibleTravel' risk event.

319
MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook, while maintaining security and compliance with conditional access policies. What should you configure?

A. Enable Microsoft Entra Permissions Management.
B. Deploy Microsoft Entra Verified ID.
C. Configure Microsoft Entra B2B collaboration for guest users.
D. Configure Microsoft Entra External ID with social identity providers.
Answer: D

External ID supports social identity providers and allows configuration of conditional access policies.

Why this answer

Option D is correct because Microsoft Entra External ID (formerly Azure AD External Identities) allows you to configure social identity providers such as Google and Facebook as external identity sources. This enables users to sign in with their existing social media accounts while still being subject to your tenant's conditional access policies, ensuring security and compliance.

Exam trap

The trap here is confusing Microsoft Entra B2B collaboration (for business guest users) with Microsoft Entra External ID (which includes social identity providers for consumer-facing apps), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) tool for managing permissions across multi-cloud environments, not for configuring social identity providers. Option B is wrong because Microsoft Entra Verified ID is a decentralized identity solution based on verifiable credentials (W3C standards), not for integrating social media logins. Option C is wrong because Microsoft Entra B2B collaboration is designed for inviting external business partners as guest users using their work or school accounts, not for allowing end users to sign in with personal social media accounts.

320
Multi-Select · hard

Which THREE components are part of Microsoft Entra ID's identity governance? (Choose three.)

Select 3 answers
A. Self-Service Password Reset
B. Privileged Identity Management
C. Entitlement Management
D. Access Reviews
E. Conditional Access
Answers: B, C, D

PIM governs privileged roles.

Why this answer

Privileged Identity Management (PIM) is a core component of Microsoft Entra ID's identity governance because it provides just-in-time privileged access to Azure AD and Azure resources, with time-bound approvals and activation workflows. It enables organizations to manage, control, and monitor access to critical resources, reducing the risk of standing admin privileges.

Exam trap

The trap here is that candidates often confuse Conditional Access (a security control) with identity governance, or mistake Self-Service Password Reset (a user convenience feature) for a governance tool, when in fact governance focuses on managing who has access and for how long, not on how access is authenticated or enforced.

321
MCQ · medium

Refer to the exhibit. An administrator runs this PowerShell command. What is the purpose of this command?

A. To set a retention policy for the HR site.
B. To apply a retention label to all files in the HR site.
C. To delete all files in the HR site that were accessed in the last 90 days.
D. To retrieve audit records of file access and modifications in the HR SharePoint site from the last 90 days.
Answer: D

The command searches for specific operations (FileAccessed, FileModified) on a specific site.

Why this answer

Option B is correct because the command searches the unified audit log for file access and modification events in the HR SharePoint site from the last 90 days. Option A is wrong because it does not delete files. Option C is wrong because it does not apply labels.

Option D is wrong because it does not set retention.

322
MCQ · easy

A company uses Microsoft Intune to manage devices. They want to ensure that only devices with a specific minimum operating system version can access corporate email. What should they configure?

A. Deploy an app protection policy for the email app
B. Create a device compliance policy specifying minimum OS version
C. Create a device configuration profile for OS settings
D. Configure a conditional access policy in Entra ID to block non-compliant devices
Answer: B

Compliance policies define OS requirements.

Why this answer

Option A is correct because compliance policies in Intune define rules for device compliance, including OS version. Option B is wrong because configuration policies set settings but don't enforce access. Option C is wrong because conditional access in Entra ID integrates with Intune compliance.

Option D is wrong because app protection policies manage app-level security.

323
MCQ · easy

Your organization wants to audit all activities related to accessing sensitive files in Microsoft SharePoint. Which Microsoft Purview solution should you use?

A. Audit (Premium)
B. Data lifecycle management
C. Information barriers
D. Data loss prevention
Answer: A

Audit (Premium) logs all activities for security and compliance investigations.

Why this answer

Option C is correct because Audit (Premium) provides detailed logging of activities. Option A is wrong because DLP policies protect data. Option B is wrong because retention policies manage lifecycle.

Option D is wrong because information barriers restrict communication.

324
Drag & Drop · medium

Arrange the steps to conduct a data classification scan using Microsoft Purview Information Protection.

Why this order

Data classification involves creating labels, publishing them, setting auto-labeling rules, running scans, and reviewing results.

325
MCQ · medium

A healthcare organization uses Microsoft 365. They need to prevent employees from sharing emails or documents that contain patient medical record numbers (MRNs) with external recipients. If an attempt is made, the message should be blocked and the sender should receive a policy tip notification. Which Microsoft Purview solution should they configure?

A. Data Lifecycle Management
B. Records Management
C. Data Loss Prevention (DLP)
D. Information Protection
Answer: C

DLP policies can detect sensitive data like MRNs and automatically block sharing with external recipients while showing a policy tip to the sender.

Why this answer

Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and block the sharing of sensitive information, such as patient medical record numbers (MRNs), with external recipients. DLP policies can be configured to scan emails and documents for patterns (e.g., regex for MRNs), block the transmission, and display a policy tip notification to the sender, meeting all requirements.

Exam trap

The trap here is that candidates often confuse Information Protection (sensitivity labels) with DLP, but labels alone do not block sharing or provide policy tips—they require DLP policies for enforcement.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management focuses on retaining and deleting data based on age or compliance requirements, not on preventing real-time sharing of sensitive data. Option B is wrong because Records Management is used to declare records, apply retention labels, and manage disposition, not to block external sharing or provide policy tips. Option D is wrong because Information Protection (e.g., sensitivity labels) applies classification and encryption but does not inherently block external sharing or trigger policy tip notifications; it requires integration with DLP for enforcement.

326
MCQ · medium

Your organization is adopting Microsoft 365 Copilot for enterprise users. Which Microsoft Purview capability should you configure to prevent sensitive data from being inadvertently shared during Copilot interactions?

A. Customer Lockbox
B. Data Loss Prevention (DLP) policies
C. Sensitivity labels
D. eDiscovery
Answer: B

DLP can block sharing of sensitive data in Copilot.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be extended to cover Copilot interactions. Option A is wrong because Sensitivity labels are for classification, but DLP is the enforcement mechanism. Option C is wrong because eDiscovery is for search and export, not prevention.

Option D is wrong because Customer Lockbox is for access control, not data loss prevention.

327
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which Microsoft Entra ID feature should you use?

A. Conditional Access
B. Privileged Identity Management
C. Self-Service Password Reset
D. Identity Protection
Answer: A

Conditional Access can require compliant devices.

Why this answer

Option A is correct because Conditional Access in Microsoft Entra ID can enforce device compliance for access. Option B is wrong because Identity Protection handles risk, not compliance. Option C is wrong because Privileged Identity Management manages privileged roles.

Option D is wrong because Self-Service Password Reset is for password reset.

328
MCQ · medium

A company uses Exchange Online. The security team wants to protect users from malicious email attachments. They need a solution that detonates attachments in a sandbox environment to check for malware behavior before the email is delivered to the recipient. Which Microsoft Defender for Office 365 feature should they enable?

A. Safe Attachments
B. Safe Links
C. Anti-phishing
D. Anti-spam
Answer: A

Safe Attachments uses a sandbox to detonate attachments and detect malware before delivery.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a virtual sandbox environment before delivery, analyzing behavior for malicious activity. This matches the requirement to check attachments for malware behavior prior to inbox arrival, a capability unique to Safe Attachments within Defender for Office 365.

Exam trap

The trap here is that candidates confuse Safe Attachments (sandbox detonation of attachments) with Safe Links (URL scanning at click-time), as both are part of Defender for Office 365 but address different threat vectors.

How to eliminate wrong answers

Option B is wrong because Safe Links protects users by scanning URLs in emails and documents at time-of-click, not by detonating attachments in a sandbox. Option C is wrong because Anti-phishing policies protect against phishing attempts by analyzing sender reputation and impersonation, not by sandboxing attachments. Option D is wrong because Anti-spam policies filter unwanted bulk mail and spam based on message content and sender reputation, not by detonating attachments for malware behavior analysis.

329
MCQ · hard

A security team needs to investigate a potential data breach that may involve unauthorized access to sensitive files in SharePoint Online and OneDrive for Business. They want to search the unified audit log for file access events, including accesses from mobile devices and third-party applications. Additionally, they need to create custom alert policies that trigger when specific high-privilege users download large volumes of files in a short period. Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit (Premium)
B. Microsoft Purview eDiscovery (Premium)
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview Communication Compliance
Answer: A

Correct. Audit (Premium) offers custom alert policies, long retention, and detailed log access for activities across SharePoint, OneDrive, and third-party apps, enabling thorough incident investigations.

Why this answer

Microsoft Purview Audit (Premium) is the correct solution because it provides the deep, granular logging required to investigate data breaches, including file access events from mobile devices and third-party applications in SharePoint Online and OneDrive for Business. It also supports the creation of custom alert policies that can trigger on specific activities, such as high-privilege users downloading large volumes of files in a short period, by leveraging the unified audit log's rich schema and advanced detection capabilities.

Exam trap

The trap here is that candidates often confuse eDiscovery (Premium) with audit capabilities, but eDiscovery is for searching and preserving content for legal cases, not for real-time monitoring or alerting on access patterns.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery (Premium) is designed for legal discovery and holds, not for real-time monitoring or custom alert policies on file access patterns. Option C is wrong because Microsoft Purview Data Lifecycle Management focuses on retention, deletion, and classification of data, not on auditing or alerting for unauthorized access events. Option D is wrong because Microsoft Purview Communication Compliance is used to detect policy violations in communications (e.g., emails, Teams messages), not to audit file access or create alerts for download anomalies.

330
MCQ · easy

A company wants to enable employees to securely access on-premises applications without needing a VPN. Which Microsoft Entra feature should they implement?

A. Identity Protection
B. B2B Collaboration
C. Application Proxy
D. Privileged Identity Management
Answer: C

Application Proxy publishes on-premises apps securely without VPN.

Why this answer

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications by acting as a reverse proxy. It eliminates the need for a VPN by routing user traffic through the Entra ID service, which authenticates the user and then establishes a secure outbound connection to the on-premises application connector. This allows employees to access internal apps from anywhere using the same credentials and conditional access policies.

Exam trap

The trap here is that candidates often confuse Application Proxy with a VPN or assume that B2B Collaboration is needed for remote access, but the key differentiator is that Application Proxy is specifically designed for secure, VPN-less access to on-premises web apps through a reverse proxy architecture.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based detection and remediation tool that identifies compromised identities and suspicious sign-ins, not a remote access solution for on-premises applications. Option B is wrong because B2B Collaboration enables external users (partners, vendors) to access your organization's resources using their own identities, but it does not provide a reverse proxy or secure channel to on-premises apps. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time and time-bound access to privileged roles in Azure AD and Azure resources, not general remote access to on-premises applications.

331
MCQ · medium

Refer to the exhibit. A compliance administrator runs the PowerShell commands to create a DLP policy. Users complain that they are blocked from sending emails containing credit card numbers but cannot override the block. The administrator wants to allow override with a business justification. What should they do?

A. Change the SentInfo parameter to a different sensitive info type.
B. Remove the SharePoint location from the policy.
C. Enable the DLP policy by setting the Policy's Enabled parameter to $true.
D. Change the NotifyAllowOverride parameter to $true in the rule.
Answer: D

Setting NotifyAllowOverride to $true allows users to override the block with justification.

Why this answer

Option D is correct because the cmdlet sets NotifyAllowOverride $false, which prevents override. Changing it to $true allows override with justification. Option B is wrong because the policy applies to Exchange and SharePoint. Option C is wrong because the policy is already enabled. Option A is wrong because the rule applies to credit card numbers.

332
MCQ · hard

Your organization is using Microsoft Entra ID with P2 licenses. You need to ensure that all guest users are reviewed for access quarterly, and if not approved, access is automatically removed. Which Microsoft Entra feature should you configure?

A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra Identity Protection
C. Microsoft Entra Entitlement Management
D. Microsoft Entra Access Reviews
Answer: D

Access Reviews can be configured to automatically remove access if not approved.

Why this answer

Microsoft Entra Access Reviews (D) is the correct feature because it allows you to create recurring reviews for guest users, set the frequency to quarterly, and configure auto-apply settings to automatically remove access if the review is not approved. This directly meets the requirement for periodic attestation and automated remediation.

Exam trap

The trap here is that candidates confuse Entitlement Management (which creates access packages) with Access Reviews (which performs the actual recurring review and auto-removal), but only Access Reviews provides the quarterly schedule and automatic removal enforcement described in the scenario.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for periodic access reviews of guest users. Option B is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-in anomalies), not on scheduling and automating access reviews. Option C is wrong because Microsoft Entra Entitlement Management manages access packages and catalogs for resource provisioning, but it does not natively provide the recurring review and auto-removal cycle; it relies on Access Reviews for that functionality.

333
MCQ · medium

Your organization is required to retain all HR-related documents for 7 years after an employee leaves. After that period, the documents must be permanently deleted. Which two Microsoft Purview features should you use together?

A. eDiscovery and audit logs
B. DLP policies and sensitivity labels
C. Sensitivity labels and auto-labeling
D. Retention labels and retention policies
Answer: D

Retention labels apply retention settings to items, and retention policies enforce rules at the location level.

Why this answer

Option D is correct because retention labels can be applied to documents and trigger a retention period, and retention policies enforce the rules at the location level. Option C is wrong because sensitivity labels classify, not retain. Option B is wrong because DLP is for protection, not retention. Option A is wrong because eDiscovery is for search, not retention.

334
MCQ · hard

You are the identity administrator for a multinational company using Microsoft Entra ID. The company has a Microsoft 365 E5 subscription. The security team wants to enforce the following requirements:

1. All users must use multi-factor authentication (MFA) when accessing sensitive applications (e.g., finance app).
2. Users from the IT department must use passwordless authentication methods (e.g., Windows Hello for Business) when accessing any resource.
3. All access to sensitive applications must be logged and monitored for anomalous activity.
4. Guest users from partner organizations must be automatically reviewed quarterly to ensure they still need access.
5. The company wants to minimize administrative overhead by automating as much as possible.

You need to design a solution that meets these requirements using Microsoft Entra ID capabilities. Which combination of actions should you take?

A. Configure Self-Service Password Reset (SSPR) for all users. Enable Microsoft Entra ID Protection. Create an access review for guests.
B. Use Microsoft Entra ID Protection to enforce MFA based on risk. Implement Privileged Identity Management (PIM) for IT. Configure access reviews for guests.
C. Enable security defaults to enforce MFA for all users. Configure Microsoft Entra ID Protection to monitor anomalies. Use Microsoft Entra ID Governance to automate guest access reviews.
D. Create Conditional Access policies: one requiring MFA for the finance app, another requiring passwordless authentication strength for IT. Enable Microsoft Entra ID Protection to log and monitor sign-in risks. Create an access review for guest users.
Answer: D

Meets all requirements: MFA for finance app, passwordless for IT, monitoring via ID Protection, and guest reviews.

Why this answer

Option D is correct because it uses Conditional Access policies to enforce MFA for the finance app and passwordless authentication strength for IT, meeting requirements 1 and 2. Microsoft Entra ID Protection logs and monitors sign-in risks for sensitive apps (requirement 3), and an access review for guest users automates quarterly reviews (requirement 4). This minimizes administrative overhead by leveraging automation, aligning with requirement 5.

Exam trap

The trap here is that candidates often confuse security defaults (which enforce MFA for all users but lack granularity) with Conditional Access policies (which allow targeted MFA and authentication strength requirements), and they may overlook that passwordless enforcement requires an authentication strength policy, not just MFA.

How to eliminate wrong answers

Option A is wrong because SSPR does not enforce MFA or passwordless authentication; it only allows self-service password reset, and Entra ID Protection alone cannot enforce MFA without a Conditional Access policy. Option B is wrong because PIM is for just-in-time privileged access management, not for enforcing passwordless authentication for all IT users; it also does not address the MFA requirement for the finance app. Option C is wrong because security defaults enforce MFA for all users, not just for sensitive apps, and they do not support passwordless authentication strength policies; Entra ID Governance is not a specific feature for automating guest access reviews (access reviews are part of Entra ID Governance, but the option incorrectly implies a separate product).

335
MCQ · hard

A multinational organization uses Microsoft Entra ID for identity management. External contractors need temporary elevated access to Azure resources for a critical project. The access must be time-bound (expires after 8 hours), require manager approval, and enforce multifactor authentication (MFA) when contractors activate the role. Which Microsoft Entra capability should they configure?

A. Privileged Identity Management (PIM)
B. Identity Protection
C. Conditional Access
D. Access Reviews
Answer: A

PIM allows administrators to define time-bound, just-in-time role assignments with approval requirements and can enforce MFA upon activation. This meets all the stated requirements.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources with time-bound activation (e.g., 8-hour expiry), requires approval workflows (manager approval), and enforces multifactor authentication (MFA) during role activation. PIM is specifically designed to manage, control, and monitor access to critical resources through time-limited, approved, and MFA-protected role assignments.

Exam trap

The trap here is that candidates confuse Conditional Access (which enforces MFA at sign-in) with PIM's ability to enforce MFA specifically during role activation, or they mistakenly think Access Reviews can grant time-bound access, when in fact Access Reviews only validate existing access and do not provide JIT activation or approval workflows.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide time-bound role activation, approval workflows, or MFA enforcement for privileged access. Option C (Conditional Access) is wrong because it enforces access policies (like MFA) based on signals (user, location, device) at sign-in time, but it does not manage role activation, time-bound expiry, or approval workflows for privileged roles. Option D (Access Reviews) is wrong because it is used to periodically review and certify existing group memberships or role assignments, not to grant temporary, time-bound elevated access with approval and MFA enforcement.

336
Drag & Drop · medium

Order the steps to create a conditional access policy in Azure AD.

Why this order

Creating a conditional access policy requires admin sign-in, navigating to Conditional Access, creating a new policy, configuring assignments and controls, then enabling it.

337
MCQ · easy

A security analyst is explaining the concept of 'defense in depth' to a new team member. Which of the following best describes the defense in depth strategy?

A. Using a single strong firewall to protect all network traffic
B. Implementing multiple layers of security controls to protect assets
C. Relying on user training as the primary security measure
D. Applying encryption only to data at rest
Answer: B

This is correct. Defense in depth involves multiple independent layers such as physical security, network security, host security, and data encryption.

Why this answer

Defense in depth is a cybersecurity strategy that employs multiple layers of security controls across different parts of an IT environment (network, endpoint, application, data) to ensure that if one layer fails, another layer is already in place to mitigate the threat. This approach is fundamental to Microsoft's security architecture, as seen in products like Microsoft Defender for Cloud, which integrates protections across workloads, and Azure Active Directory (now Microsoft Entra ID), which layers conditional access policies on top of identity verification. Option B correctly captures this layered, redundant approach rather than relying on a single point of defense.

Exam trap

The trap here is that candidates often confuse 'defense in depth' with 'layered security' but then incorrectly select a single-layer option like a strong firewall (A) because they think a robust perimeter is sufficient, failing to recognize that the strategy explicitly requires multiple independent and overlapping controls.

How to eliminate wrong answers

Option A is wrong because relying on a single strong firewall violates the core principle of defense in depth, which requires multiple independent layers of security; a single firewall creates a single point of failure that, if breached, exposes the entire network. Option C is wrong because user training, while valuable, is a single administrative control and not a layered strategy; defense in depth demands technical controls (e.g., network segmentation, endpoint detection, encryption) in addition to user awareness. Option D is wrong because applying encryption only to data at rest ignores the need to protect data in transit (e.g., via TLS/SSL) and data in use, leaving critical attack surfaces exposed; defense in depth requires encryption across all data states.

338
MCQ · hard

Your organization uses Microsoft Defender for Cloud to protect Azure subscriptions. You need to enforce that all storage accounts must have encryption at rest enabled. You have enabled Azure Policy to audit this configuration. However, you notice that some storage accounts are non-compliant. You need to automatically remediate non-compliant storage accounts. What should you do?

A. Create a Microsoft Defender for Cloud recommendation to enable encryption.
B. Use the compliance dashboard to manually enable encryption on non-compliant accounts.
C. Add a 'deployIfNotExists' policy to automatically enable encryption on storage accounts.
D. Change the policy effect from 'audit' to 'deny' to prevent creation of non-compliant accounts.
Answer: C

This remediates non-compliant accounts automatically.

Why this answer

Option C is correct because a 'deployIfNotExists' policy assignment in Azure Policy can automatically remediate non-compliant storage accounts by enabling encryption at rest. This policy effect triggers a remediation task that deploys the required configuration (e.g., setting the 'Encryption' property to 'Enabled' on the storage account resource) without manual intervention. The audit policy only reports non-compliance, while deployIfNotExists actively enforces the desired state.

Exam trap

The trap here is that candidates confuse 'deny' (which only blocks future non-compliant resources) with 'deployIfNotExists' (which remediates existing resources), or assume Defender for Cloud recommendations can automatically fix non-compliance without additional policy configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud recommendations are advisory and do not automatically remediate resources; they require manual approval or integration with Azure Policy for automation. Option B is wrong because manually enabling encryption via the compliance dashboard is not an automated solution and contradicts the requirement for automatic remediation. Option D is wrong because changing the policy effect to 'deny' only prevents creation or modification of non-compliant storage accounts in the future, but does not remediate existing non-compliant accounts.

339
MCQ · medium

A company uses Microsoft Entra ID. They want to ensure only current employees have access to a sensitive HR application. They implement a process where group membership for the HR app is reviewed quarterly by the HR manager, and any unnecessary access is automatically removed. Which Microsoft Entra feature should they use?

A.A
B.B
C.C
D.D
Answer: C

Correct. Access Reviews in Microsoft Entra ID Governance allow scheduled reviews and automatic removal of unnecessary access.

Why this answer

Option C is correct because the scenario describes a recurring review of group membership for the HR application, with automatic removal of unnecessary access. This is exactly what Microsoft Entra ID Governance's Access Reviews feature provides: scheduled reviews (e.g., quarterly) where a reviewer (the HR manager) attests to each member's continued need, and stale access is automatically revoked upon completion.

Exam trap

The trap here is that candidates often confuse Access Reviews with Privileged Identity Management (PIM) because both involve 'review' and 'access,' but PIM is specifically for privileged roles and time-bound activation, not for recurring attestation of standard application group memberships.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for recurring attestation of standard group membership for an application. Option B is wrong because Conditional Access policies enforce real-time access controls based on conditions (location, device, risk), but they do not provide periodic review or automatic removal of group memberships. Option D is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on scheduling and automating group membership attestation.

340
MCQ · medium

A user successfully authenticates to a system using a smart card. After authentication, the system checks whether the user's device is compliant with security policies before granting access to the network. This additional check is an example of which security concept?

A. Authorization
B. Authentication
C. Accounting
D. Non-repudiation
Answer: A

Checking device compliance is a condition that must be met before access is granted; this is part of the authorization process.

Why this answer

Authorization is the correct answer because after the user is authenticated via smart card, the system evaluates whether the user's device meets security compliance policies before granting network access. This decision—allowing or denying access based on conditions—is the core function of authorization, which determines what resources or actions an authenticated identity is permitted to perform.

Exam trap

The trap here is confusing the initial identity verification (authentication) with the subsequent policy-based access decision (authorization), especially when both steps occur sequentially in a single login flow.

How to eliminate wrong answers

Option B (Authentication) is wrong because authentication is the process of verifying identity (e.g., via smart card credentials), not the subsequent check of device compliance. Option C (Accounting) is wrong because accounting tracks and logs user activities and resource usage for auditing or billing, not for enforcing access decisions. Option D (Non-repudiation) is wrong because non-repudiation ensures that a user cannot deny having performed an action, typically via digital signatures or logs, and is unrelated to device compliance checks.

341
MCQ · medium

Your organization uses Microsoft Purview to manage insider risk. You need to create a policy that detects users who exfiltrate sensitive data by copying it to personal cloud storage services like Dropbox. Which solution should you use?

A. eDiscovery (Premium)
B. Audit (Premium)
C. Insider Risk Management
D. Communication Compliance
Answer: C

Insider Risk Management includes policies to detect data exfiltration to personal cloud services.

Why this answer

Option C is correct because Insider Risk Management policies can be configured to detect data theft by copying to personal cloud storage. Option D is wrong because Communication Compliance focuses on communications, not data exfiltration. Option A is wrong because eDiscovery searches content and does not detect risky behavior. Option B is wrong because Audit logs record events but require manual analysis.

342
MCQ · easy

Your organization needs to classify documents containing personally identifiable information (PII) like social security numbers. Which Microsoft Purview solution should you configure?

A. Information Protection
B. Records Management
C. Auditing
D. Communication Compliance
Answer: A

Information Protection classifies and protects sensitive data.

Why this answer

Option A is correct because Microsoft Purview Information Protection includes trainable classifiers and sensitive info types to automatically classify PII. Option C is wrong because Auditing tracks activities, not classification. Option B is wrong because Records Management is about retention and disposition. Option D is wrong because Communication Compliance monitors communications for policy violations.

343
MCQ · easy

You are designing an identity solution for a new company that will use Microsoft Entra ID. The company wants employees to use biometrics (fingerprint) on their mobile devices to sign in without typing a password. Which Microsoft Entra feature should you implement?

A. Windows Hello for Business
B. Microsoft Authenticator app (passwordless)
C. SMS-based sign-in
D. FIDO2 security keys
Answer: B

Microsoft Authenticator app supports passwordless sign-in using fingerprint or face on mobile devices.

Why this answer

The Microsoft Authenticator app (passwordless) allows users to sign in to Microsoft Entra ID using biometrics (fingerprint, face, or PIN) on their mobile device without entering a password. This feature uses the device's built-in biometric capabilities to verify the user's identity, making it the correct choice for the described scenario.

Exam trap

The trap here is that candidates may confuse Windows Hello for Business with mobile biometrics, but Windows Hello for Business is specifically tied to Windows devices and not to mobile phones or tablets.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business is designed for Windows devices (PCs, laptops) using biometrics like fingerprint or facial recognition, not for mobile devices. Option C is wrong because SMS-based sign-in uses a text message code, not biometrics, and still requires a password for initial setup. Option D is wrong because FIDO2 security keys are hardware-based external devices (e.g., USB keys) that require physical possession, not mobile device biometrics.

344
MCQ · medium

A financial services company is required by regulation to prevent sensitive customer financial information from being shared externally via email. The compliance team wants to automatically scan all outgoing emails for patterns that match credit card numbers or account numbers. If a match is found, the email should be blocked and the sender should receive a policy tip. Which Microsoft Purview solution should be configured?

A. Microsoft Purview Audit
B. Microsoft Purview Data Lifecycle Management
C. Microsoft Purview Data Loss Prevention (DLP)
D. Microsoft Purview eDiscovery
Answer: C

DLP policies can detect sensitive information such as credit card numbers in emails and apply actions like blocking the message and showing a policy tip to the sender, fulfilling the compliance requirement.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and block sensitive information—such as credit card numbers and account numbers—in outgoing emails. DLP policies can scan email content and attachments for predefined sensitive information types, and when a match is found, the email can be blocked and a policy tip sent to the sender, meeting the compliance requirement.

Exam trap

The trap here is that candidates may confuse DLP with eDiscovery or Audit because all three involve compliance, but only DLP provides proactive, real-time blocking and notification for outbound sensitive data.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit logs user and admin activities but does not scan or block email content for sensitive data. Option B is wrong because Microsoft Purview Data Lifecycle Management focuses on retention and deletion policies for data, not on real-time inspection or blocking of outbound communications. Option D is wrong because Microsoft Purview eDiscovery is used for searching and exporting content for legal or investigative purposes, not for preventing data exfiltration via email.

345
MCQ · medium

A user reports that they cannot access a cloud app even though they are in the correct location and have a valid license. The administrator suspects a Conditional Access policy might be blocking access. Which tool should the admin use to diagnose the issue?

A. Sign-in logs
B. My Apps portal
C. Conditional Access 'What If' tool
D. Audit logs
Answer: C

The 'What If' tool simulates a sign-in to evaluate which policies would apply.

Why this answer

The Conditional Access 'What If' tool is specifically designed to simulate how a Conditional Access policy would apply to a given user, application, and sign-in condition. It allows the admin to test policy effects without affecting the user's actual sign-in, making it the ideal diagnostic tool when a policy is suspected of blocking access.

Exam trap

The trap here is that candidates often confuse the Sign-in logs (which show what happened) with the 'What If' tool (which shows what would happen), leading them to choose the reactive log instead of the proactive simulation tool.

How to eliminate wrong answers

Option A is wrong because Sign-in logs show historical sign-in events and their status (success, failure, blocked), but they do not allow proactive simulation of Conditional Access policies to determine why a specific access attempt was blocked. Option B is wrong because the My Apps portal is an end-user interface for launching assigned applications, not a diagnostic tool for analyzing Conditional Access policy impacts. Option D is wrong because Audit logs track changes made to directory resources (e.g., policy modifications, user updates), not real-time sign-in attempts or Conditional Access policy evaluations.

346
MCQ · hard

A financial services organization must comply with a regulation that requires all communications related to trades (including emails and Teams messages) to be retained for a period of 7 years. During retention, no user may edit or delete these records. After the 7 years, the records must be disposed of with an irreversible deletion that is verified by a compliance officer. Which Microsoft Purview solution should the organization use to enforce both retention and regulatory disposition?

A. Microsoft Purview Records Management (regulatory retention label)
B. Microsoft Purview Data Lifecycle Management (standard retention label)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Insider Risk Management
Answer: A

Records Management with a retention label marked as a regulatory record permanently locks the content, preventing any modification or deletion during the retention period. It also supports disposition workflows to require approval before permanent deletion.

Why this answer

Microsoft Purview Records Management with a regulatory retention label is the correct solution because it enforces immutable retention (no user edits or deletions) and mandates a disposition review by a compliance officer before irreversible deletion. Regulatory labels lock the retention policy at the highest level, preventing any user or administrator from shortening the retention period or bypassing the disposition workflow, which aligns with the 7-year retention and verified disposal requirement.

Exam trap

The trap here is that candidates confuse 'standard retention labels' (which allow edits and deletions by authorized users) with 'regulatory retention labels' (which enforce immutable retention and require disposition review), leading them to select Data Lifecycle Management instead of Records Management.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Lifecycle Management (standard retention label) allows users with sufficient permissions to modify or delete records during the retention period, and it does not enforce a compliance officer verification step for disposition. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect and review policy violations (e.g., insider trading, harassment) in communications, not to enforce retention or regulatory disposition of records. Option D is wrong because Microsoft Purview Insider Risk Management focuses on identifying and investigating risky user activities (e.g., data exfiltration, policy violations), not on managing retention schedules or disposition workflows.

347
MCQ medium

An organization wants to protect its fleet of Windows 10 laptops from advanced malware and ransomware. The solution must detect suspicious behavior (e.g., a process encrypting files) and provide security teams with the ability to isolate an infected device from the network for investigation. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Office 365
Answer: B

Defender for Endpoint provides next-generation protection, endpoint detection and response (EDR), and device isolation capabilities for device security.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities, including behavioral-based detection of advanced malware and ransomware (e.g., detecting a process encrypting files via machine learning and behavioral analytics). It also includes automated investigation and remediation features, such as the ability to isolate an infected device from the network (device isolation) to prevent lateral movement while allowing security teams to investigate.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud workload protection tool) with endpoint protection, or they assume Defender for Office 365 covers all devices, when in fact only Defender for Endpoint provides the specific behavioral detection and device isolation for Windows 10 laptops.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments, not designed to protect Windows 10 laptops or provide endpoint isolation. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on securing cloud applications (e.g., SaaS apps) and detecting shadow IT, not on endpoint-level malware detection or device isolation. Option D is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) from threats like phishing and malicious attachments, but does not include endpoint behavioral detection or network isolation for laptops.

348
Multi-Select easy

Which TWO of the following are benefits of using Microsoft Entra ID Conditional Access? (Choose two.)

Select 2 answers
A. Allow users to reset their own passwords
B. Block access from locations that are not trusted
C. Automatically grant temporary admin access
D. Enforce multi-factor authentication based on user risk
E. Eliminate the need for passwords entirely
Answers: B, D

Conditional Access can block based on location.

Why this answer

Options A and C are correct. A: Conditional Access can require MFA based on conditions. C: It can block access from untrusted locations.

Options B, D, and E are incorrect: B is a benefit of passwordless; D is a benefit of SSPR; E is a benefit of PIM.

349
Multi-Select medium

Which TWO Microsoft Purview solutions can be used to protect sensitive data in Microsoft Teams chats and channels? (Choose two.)

Select 2 answers
A. Microsoft Purview Communication Compliance
B. Microsoft Purview Data Loss Prevention (DLP) policies
C. Microsoft Purview Sensitivity Labels
D. Microsoft Purview Information Barriers
E. Microsoft Purview Retention Policies
Answers: A, B

Communication Compliance can detect inappropriate sharing of sensitive information.

Why this answer

Options A and D are correct. Microsoft Purview Data Loss Prevention (DLP) policies can prevent sharing of sensitive data in Teams. Microsoft Purview Communication Compliance can detect policy violations in chats.

Option B is wrong because Sensitivity Labels are applied to files, not chats. Option C is wrong because Retention Policies manage data retention, not protection. Option E is wrong because Information Barriers restrict communication between groups, but don't protect sensitive data per se.

350
MCQ easy

Refer to the exhibit. The JSON snippet shows a sensitivity label configuration. What is the purpose of the 'SensitiveInfoTypes' property in this label?

A. It sets the retention period for content with this label.
B. It defines the user groups that can apply this label manually.
C. It specifies the sensitive information types that trigger automatic labeling.
D. It configures the encryption settings for the label.
Answer: C

The sensitive info types list the conditions for auto-labeling when detected in content.

Why this answer

Option B is correct because 'SensitiveInfoTypes' defines the conditions that automatically apply the label based on detected sensitive data. Option A is wrong because condition sets are separate. Option C is wrong because it does not block access.

Option D is wrong because it does not create a retention policy.

351
MCQ hard

You are the security architect for a multinational organization that uses Microsoft 365 E5, Microsoft Entra ID P2, and Microsoft Purview. The company has 10,000 employees across five regions. The legal department requires that all documents containing personally identifiable information (PII) of European Union citizens be automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, any sharing of such documents with external users must be blocked unless the sender explicitly justifies the business need. The solution must minimize manual user intervention. You need to design a Microsoft Purview configuration. What should you do?

A. Use a unified labeling client policy to prompt users to classify documents containing PII
B. Create an auto-labeling policy that detects EU PII sensitive info types, applies the 'Highly Confidential' label with encryption, and configure a conditional access rule to block external sharing without justification
C. Create a trainable classifier for PII and configure a manual labeling policy
D. Configure a DLP policy that blocks all documents containing PII from being shared externally
Answer: B

Auto-labeling automatically applies labels and encryption; conditional access can block external sharing unless justified.

Why this answer

Option C is correct because auto-labeling policies can automatically apply sensitivity labels based on sensitive info types (like EU PII) and can be configured to block external sharing unless a justification is provided. Option A is wrong because trainable classifiers require training and are not the standard for automatic PII detection. Option B is wrong because manual labeling requires user intervention.

Option D is wrong because DLP policies do not apply labels; they only enforce actions.

352
MCQ medium

Your organization has Microsoft Sentinel deployed. The security operations team needs to automatically respond to a security incident by opening an incident in ServiceNow and sending a notification to a Teams channel. What should you configure?

A. An automation rule with a playbook
B. A workbook
C. An analytics rule
D. A watchlist
Answer: A

Automation rules can run playbooks that integrate with ServiceNow and Teams to respond to incidents automatically.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (based on Azure Logic Apps) that integrate with external systems like ServiceNow and Teams. Option B is wrong because analytics rules create alerts, not automated responses. Option C is wrong because workbooks provide visualizations, not automation.

Option D is wrong because watchlists are for correlation, not response.

353
MCQ medium

A company's security team discovers that most recent account compromises resulted from attackers exploiting legacy authentication protocols (POP3, IMAP, SMTP Auth) that do not support multi-factor authentication. The team wants to immediately block all sign-in attempts using these legacy protocols while still allowing modern authentication methods (e.g., OAuth 2.0). Which Microsoft Entra ID feature should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management
D. Multi-factor Authentication
Answer: A

Conditional Access policies can include a 'Block legacy authentication' condition. This allows administrators to create a policy that blocks all sign-ins from clients that do not support MFA, effectively stopping attacks that rely on legacy protocols while preserving modern authentication.

Why this answer

Conditional Access policies in Microsoft Entra ID can be configured to block authentication attempts from legacy protocols (POP3, IMAP, SMTP Auth) by targeting client apps that do not support modern authentication. This allows the security team to immediately enforce a block on all sign-ins using these protocols while still permitting modern OAuth 2.0-based methods, directly addressing the requirement without disabling MFA for users who can use modern clients.

Exam trap

The trap here is that candidates often confuse the 'block legacy authentication' capability with MFA or Identity Protection, assuming that enabling MFA alone will stop legacy protocol abuse, when in fact legacy protocols bypass MFA entirely and require a Conditional Access policy to be explicitly blocked.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is a risk-based detection and remediation service that identifies compromised identities or risky sign-ins, but it cannot directly block specific authentication protocols like POP3 or SMTP Auth. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews, not on controlling authentication protocols or blocking legacy methods. Option D (Multi-factor Authentication) is wrong because legacy protocols do not support MFA challenges; enabling MFA alone does not prevent attackers from using these protocols to bypass MFA entirely.

354
MCQ hard

A financial institution uses Microsoft 365 and must ensure that Microsoft support engineers cannot access the institution's content (e.g., Exchange Online mailboxes, SharePoint sites) without explicit approval from the institution's compliance officer. The compliance officer needs to review and approve or reject each access request. Which Microsoft Purview feature should be configured?

A. Customer Lockbox
B. Communication Compliance
C. Insider Risk Management
D. Data Lifecycle Management
Answer: A

Customer Lockbox ensures that Microsoft support cannot access customer data without explicit, auditable approval from the customer. This matches the requirement for approval by the compliance officer.

Why this answer

Customer Lockbox is the correct feature because it provides a controlled access approval process for Microsoft support engineers to access customer content. When a support case requires access to Exchange Online mailboxes or SharePoint sites, Customer Lockbox ensures the request is sent to the institution's compliance officer for explicit approval or rejection before access is granted, meeting the requirement for explicit approval.

Exam trap

The trap here is that candidates often confuse Customer Lockbox with Insider Risk Management, mistakenly thinking that controlling internal user access is the same as controlling Microsoft support access, but Customer Lockbox is specifically designed for external support engineer access approval workflows.

How to eliminate wrong answers

Option B is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., offensive language, insider trading) within an organization, not to control Microsoft support access to customer content. Option C is wrong because Insider Risk Management focuses on identifying and mitigating internal risks from users within the organization (e.g., data theft, policy violations), not on managing external support engineer access requests. Option D is wrong because Data Lifecycle Management governs the retention, deletion, and archiving of data based on policies (e.g., regulatory compliance), not the approval workflow for support access to content.

355
MCQ easy

Refer to the exhibit. You run this PowerShell cmdlet. What is the outcome?

A. A guest user is created in Microsoft Entra ID and an invitation email is sent.
B. The external user is added as a member user without an invitation.
C. The external user is provisioned as a consumer account in Azure AD B2C.
D. The external user is added as a member user and cannot be a guest.
Answer: A

The cmdlet creates a B2B guest user and sends an invitation email.

Why this answer

The `New-MgInvitation` cmdlet creates a guest user in Microsoft Entra ID and sends an invitation email by default. This is the standard behavior for B2B collaboration, where the external user is assigned the 'Guest' user type and receives an email to accept the invitation and redeem their account.

Exam trap

The trap here is that candidates often confuse the `New-MgInvitation` cmdlet with `New-MgUser`, which creates a member user, and mistakenly think the invitation email is optional or that the user type can be changed to member without additional steps.

How to eliminate wrong answers

Option B is wrong because `New-MgInvitation` always sends an invitation email; it does not add the external user as a member user without an invitation. Option C is wrong because Azure AD B2C consumer accounts are created using separate B2C-specific cmdlets (e.g., `New-AzureADMSB2CUser`), not `New-MgInvitation`. Option D is wrong because the cmdlet explicitly creates a guest user, not a member user, and the guest user type cannot be changed to member via this cmdlet.

356
Multi-Select hard

Which TWO Microsoft Security Copilot capabilities can help security analysts during incident response?

Select 2 answers
A. Provide guided response steps
B. Generate incident summary reports
C. Provision user accounts
D. Configure firewall rules
E. Automatically block malicious emails
Answers: A, B

Copilot offers recommendations.

Why this answer

Microsoft Security Copilot is an AI-powered security analysis tool that integrates with Microsoft 365 Defender and Sentinel. It can provide guided response steps (option A) by suggesting playbook actions and remediation workflows based on the incident context, and it can generate incident summary reports (option B) by synthesizing data from alerts, entities, and investigations into a concise narrative. These capabilities directly assist analysts in understanding and responding to incidents more efficiently.

Exam trap

The trap here is that candidates may confuse Security Copilot's analytical and advisory capabilities with automated remediation actions (like blocking emails or configuring firewalls), which are handled by separate Microsoft security products such as Defender for Office 365 or Azure Firewall policies.

357
MCQ easy

An organization implements a policy where users must provide two forms of verification, such as a password and a text message code, to access the corporate network. Which security concept does this demonstrate?

A. Authorization
B. Authentication
C. Accounting
D. Multifactor authentication
Answer: D

MFA is the correct term for requiring two or more verification factors to prove identity.

Why this answer

Multifactor authentication (MFA) requires two or more distinct factors (e.g., something you know like a password, and something you have like a text message code) to verify identity. This is correct because the policy explicitly demands two forms of verification, which is the defining characteristic of MFA, not just single-factor authentication.

Exam trap

The trap here is that candidates may confuse 'authentication' (the general process) with 'multifactor authentication' (a specific type), failing to recognize that the question explicitly describes two different verification methods, which is the hallmark of MFA.

How to eliminate wrong answers

Option A is wrong because authorization determines what resources a user can access after authentication, not the process of verifying identity. Option B is wrong because authentication is the broader process of proving identity, but the specific requirement for two forms of verification is MFA, not single-factor authentication. Option C is wrong because accounting (auditing) tracks user activities and resource usage for compliance and billing, not the verification process itself.

358
MCQ medium

A company uses Microsoft Entra ID and wants to allow users to reset their own passwords without help desk intervention. However, they want to ensure that only users who have already registered for multifactor authentication (MFA) can use self-service password reset (SSPR). Which Microsoft Entra feature should the administrator configure to enforce this requirement?

A. Conditional Access
B. Self-Service Password Reset (SSPR) settings
C. Identity Protection
D. Privileged Identity Management
Answer: B

SSPR settings include authentication method requirements. The administrator can require users to register for MFA as part of the SSPR registration process or require MFA as one of the authentication methods.

Why this answer

Option B is correct because Self-Service Password Reset (SSPR) settings in Microsoft Entra ID include a configuration option to require users to register for multifactor authentication (MFA) before they can use SSPR. By enabling the 'Require users to register when they sign in' setting under SSPR, the administrator ensures that only MFA-registered users can reset their own passwords, meeting the requirement without additional policies.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces MFA during sign-in) with the SSPR registration requirement, but Conditional Access does not control the SSPR registration prerequisite—only the SSPR settings can enforce that users must be MFA-registered before using password reset.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA during sign-in) but does not directly control SSPR registration requirements; it cannot enforce that only MFA-registered users can use SSPR. Option C is wrong because Identity Protection is designed to detect and respond to identity risks (e.g., leaked credentials, anomalous sign-ins) and does not manage SSPR registration or usage restrictions. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and access reviews, not password reset registration enforcement.

359
MCQ medium

A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: D

Non-repudiation provides proof of origin that cannot be denied. A digital signature created with the sender's private key binds the message to the sender, achieving non-repudiation.

Why this answer

Digital signatures use asymmetric cryptography where the sender signs the email with their private key. The recipient can verify the signature using the sender's public key, which proves the identity of the sender and ensures the message has not been tampered with. This directly achieves non-repudiation because the sender cannot deny having sent the email, as only their private key could have created the signature.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but while digital signatures do ensure integrity, the primary security goal they achieve is non-repudiation because they provide cryptographic proof of the sender's identity that cannot be repudiated.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., using the recipient's public key), not digital signatures which do not hide the message content. Option B is wrong because integrity is indeed provided by digital signatures (detecting tampering), but it is not the primary goal—non-repudiation is the primary goal, as integrity is a supporting property. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to the cryptographic proof of origin and integrity provided by digital signatures.

360
MCQ medium

A company uses Microsoft 365 E5 and is concerned about advanced phishing attacks that use adversary-in-the-middle (AiTM) techniques to steal session cookies and bypass multifactor authentication. Which Microsoft Defender for Office 365 feature should they configure to specifically protect against this type of attack?

A. Safe Attachments
B. Safe Links
C. Anti-Phishing (advanced policies)
D. Campaign Views
Answer: C

Advanced anti-phishing policies in Defender for Office 365 include protection against adversary-in-the-middle (AiTM) attacks through impersonation analysis, advanced thresholds, and real-time signal detection. This helps block phishing aimed at hijacking sessions.

Why this answer

Advanced anti-phishing policies in Defender for Office 365 include protection against adversary-in-the-middle (AiTM) attacks by using machine learning models and impersonation detection to analyze and block phishing attempts that aim to steal session cookies and bypass multifactor authentication. This feature specifically detects and mitigates sophisticated phishing techniques that traditional anti-spam or link-checking mechanisms might miss, such as real-time credential harvesting and session hijacking via proxy servers.

Exam trap

The trap here is that candidates often confuse Safe Links (which protects against malicious URLs) with the broader anti-phishing protection needed for AiTM attacks, not realizing that AiTM attacks exploit the authentication process itself rather than just the URL, requiring advanced impersonation and proxy detection capabilities found only in anti-phishing policies.

How to eliminate wrong answers

Option A is wrong because Safe Attachments protects against malware in email attachments by detonating them in a sandbox, but it does not address session cookie theft or AiTM phishing techniques. Option B is wrong because Safe Links provides time-of-click protection against malicious URLs, but it focuses on blocking known malicious links at the point of click, not on detecting the proxy-based credential and session cookie interception used in AiTM attacks. Option D is wrong because Campaign Views is a reporting and analysis tool that provides visibility into phishing campaigns after they have been detected, not a proactive protection feature that prevents AiTM attacks.

361
MCQ medium

A company uses Microsoft Entra ID and Intune for mobile device management. They want to grant access to a confidential project management site only from devices that are encrypted and have the latest anti-malware updates. Which Conditional Access assignment should they configure to enforce this requirement?

A. Sign-in risk
B. Device state
C. User risk
D. Application
Answer: B

Correct. Device state policies can require a device to be marked as compliant, which enforces that it meets Intune-defined requirements like encryption and up-to-date anti-malware.

Why this answer

Option B (Device state) is correct because Conditional Access policies can use the 'Device state' condition to require that devices are marked as compliant or are hybrid Azure AD joined. Compliance is determined by Intune compliance policies, which can enforce requirements like encryption and up-to-date anti-malware. By setting the 'Device state' condition to 'Compliant device' or 'Hybrid Azure AD joined device', access to the confidential site is granted only to devices meeting those security baselines.

Exam trap

The trap here is that candidates confuse 'Device state' (which enforces device compliance like encryption and anti-malware) with 'Sign-in risk' or 'User risk', which are identity-focused risk detections unrelated to device health.

How to eliminate wrong answers

Option A (Sign-in risk) is wrong because sign-in risk is a real-time detection of anomalous sign-in behavior (e.g., impossible travel, anonymous IP) and does not evaluate device encryption or anti-malware status. Option C (User risk) is wrong because user risk assesses the likelihood that a user's identity has been compromised based on historical events (e.g., leaked credentials), not device health attributes. Option D (Application) is wrong because the Application condition specifies which cloud apps the policy applies to, not the device compliance state; it controls scope, not device security posture.

362
MCQ medium

Your organization uses Microsoft Purview eDiscovery to manage a legal case. You need to place a hold on emails for specific users, but you want to allow the system to apply the hold automatically. Which eDiscovery solution should you use?

A. Microsoft Purview eDiscovery (Standard)
B. Microsoft Purview Audit (Premium)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview eDiscovery (Premium)
Answer: D

eDiscovery Premium supports automatic hold.

Why this answer

Option A is correct because eDiscovery (Premium) provides automatic hold capabilities. Option B is wrong because eDiscovery (Standard) requires manual hold. Option C is wrong because Audit does not provide holds.

Option D is wrong because Communication Compliance is for regulatory communications.

363
MCQ hard

A company is planning to use Copilot for Microsoft 365. To ensure that Copilot responses are based only on data accessible to the user, which principle must be enforced?

A. Copilot automatically grants access to all data
B. User permissions and access controls are respected
C. All organizational data is indexed and available to Copilot
D. Data must be stored in a specific location
Answer: B

Copilot uses the user's existing permissions to access data.

Why this answer

Option B is correct because Copilot for Microsoft 365 uses the user's existing permissions to determine which content it can access. Option A is incorrect because Copilot does not universally index all data. Option C is incorrect because Copilot does not automatically grant access.

Option D is incorrect because Copilot does not bypass permissions.

364
MCQ easy

Your organization uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on several endpoints. Which feature allows you to search for indicators of compromise (IOCs) across all endpoints?

A. Incidents and alerts
B. Advanced hunting
C. Threat analytics
D. Device inventory
Answer: B

Advanced hunting uses KQL to search for IOCs across endpoints in Defender for Endpoint.

Why this answer

Option C is correct because Advanced hunting in Microsoft Defender for Endpoint enables KQL queries to search for IOCs across endpoints. Option A is wrong because the Device page shows details, not search. Option B is wrong because the Threat analytics dashboard provides threat intelligence, not interactive search.

Option D is wrong because alerts are for incidents, not for searching IOCs.

365
MCQ hard

A multinational corporation uses Microsoft Entra ID for identity management. They want to allow their external partners to use their own corporate credentials to access the company's resources, rather than creating guest accounts. Which Entra ID feature should they use?

A. Entra ID B2C
B. Entra ID Direct Federation
C. Entra ID Verified ID
D. Entra ID External ID
Answer: D

External ID allows partners to use their own corporate credentials via federation.

Why this answer

Entra ID External ID (formerly Azure AD B2B) enables external partners to use their own identity providers, including corporate credentials, to access your resources without needing separate guest accounts. This is achieved through federation. Entra ID B2C is for customer-facing applications.

Direct federation is a method within External ID. Entra ID Verified ID is for verifiable credentials.

366
Multi-Select easy

Which TWO capabilities are part of Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A. Passwordless authentication
B. Risk-based conditional access policies
C. Just-in-time privileged access
D. Reports on risky users and sign-ins
E. Conditional access policies for device compliance
Answers: B, D

ID Protection allows policies based on user risk level.

Why this answer

Options B and D are correct. Entra ID Protection includes risk-based policies and reporting for risky users. Option A is incorrect because passwordless authentication is a feature of Entra ID, but not specifically ID Protection.

Option C is incorrect because privileged identity management is Microsoft Entra Privileged Identity Management (PIM). Option E is incorrect because conditional access is a broader feature, but ID Protection provides risk-based conditional access.

367
MCQ medium

Your organization uses Microsoft Entra ID with P1 licenses. You need to provide a temporary access pass for a new employee to set up their account without a password. Which Microsoft Entra feature should you use?

A. Microsoft Entra Temporary Access Pass
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra Identity Protection
D. Microsoft Entra Verified ID
Answer: A

TAP is a time-limited passcode for passwordless onboarding.

Why this answer

The Temporary Access Pass (TAP) is a time-limited passcode issued by an administrator that allows a user to register passwordless authentication methods (e.g., Microsoft Authenticator, FIDO2 security key) without needing an existing password. This directly meets the requirement for a new employee to set up their account without a password, and it is available with Microsoft Entra ID P1 licenses.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with any 'temporary' access feature, but PIM grants temporary privileged roles, not a passwordless onboarding token.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access reviews, not for issuing temporary credentials for passwordless onboarding. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not provide a mechanism to create a temporary pass for initial setup. Option D is wrong because Verified ID is a decentralized identity solution for issuing and verifying verifiable credentials (e.g., diplomas, IDs) and is unrelated to temporary access passes for passwordless registration.

368
MCQ medium

Your company uses Microsoft Entra ID. You need to enforce that all users register for MFA within 14 days of account creation. Which feature should you use?

A. Identity Protection
B. MFA registration campaign
C. Conditional Access
D. Security defaults
Answer B

The registration campaign policy can require users to register MFA within a set number of days.

Why this answer

The MFA registration campaign is specifically designed to nudge users to register for MFA within a configurable time frame after account creation. It sends targeted notifications and enforces registration by blocking access until the user completes MFA setup, directly meeting the 14-day requirement.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces MFA at sign-in) with the registration campaign (which enforces the initial MFA setup process), not realizing that Conditional Access cannot force a user to register within a specific number of days—it only blocks access if MFA is absent.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based detection and remediation tool (e.g., detecting leaked credentials or risky sign-ins), not a mechanism to enforce MFA registration deadlines. Option C is wrong because Conditional Access policies can require MFA during sign-in but cannot enforce a registration deadline or send reminder prompts; they only block access if MFA is not already registered. Option D is wrong because Security defaults enforce MFA registration for all users but do not allow a custom 14-day grace period—they require registration at first sign-in with no configurable delay.

369
MCQ easy

A company wants to automatically apply a 'Confidential' sensitivity label to all documents containing credit card numbers. Which Microsoft Purview feature should be used to create the auto-labeling policy?

A. Microsoft Purview Data Loss Prevention
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Data Lifecycle Management
D. Microsoft Purview Auto-labeling policies
Answer D

Auto-labeling policies apply sensitivity labels automatically based on conditions.

Why this answer

Option D is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive info types. Option A is wrong because DLP policies protect data; they do not apply labels. Option B is wrong because Communication Compliance monitors communications. Option C is wrong because Data Lifecycle Management handles retention.

370
Multi-Select medium

Which THREE capabilities does Microsoft Purview provide to help meet regulatory compliance requirements?

Select 3 answers
A. Audit logging
B. Data classification
C. Retention policies
D. Insider risk management
E. Communication compliance
Answers A, B, C

Track user and admin activities for compliance.

Why this answer

Microsoft Purview offers audit logging, retention policies, and data classification. Communication compliance and insider risk management are related to compliance but are not core capabilities for meeting regulatory requirements like audit, retention, and classification.

371
MCQ medium

Your organization uses Microsoft Purview Information Barriers to prevent certain user groups from communicating with each other. You need to test the configuration before fully enforcing it. What should you do?

A. Run the Information Barriers policy in test mode
B. Define user segments in the Microsoft Purview compliance portal
C. Enable audit logging and then run the policy application
D. Use the Compliance Manager assessment for Information Barriers
Answer A

Test mode allows you to see which communications would be blocked without actually blocking them.

Why this answer

Option A is correct because Information Barriers can be run in test mode to evaluate policy matches without blocking. Option B is wrong because segmentation is the process of defining groups, not testing. Option C is wrong because the policy application must be run; enabling audit does not test the barrier. Option D is wrong because there is a dedicated test mode for Information Barriers.

372
MCQ easy

Your organization wants to automatically retain all customer emails for 7 years and then delete them. Which Microsoft Purview feature should you configure?

A. Data Lifecycle Management retention policy
B. Information Protection sensitivity labels
C. Audit log retention
D. eDiscovery hold
Answer A

Retention policies can specify retention and deletion periods for content.

Why this answer

Option A is correct because Data Lifecycle Management includes retention and deletion policies for Exchange Online. Option B is wrong because Information Protection is about classification. Option C is wrong because Audit is for logging. Option D is wrong because eDiscovery is for search and hold.

373
MCQ hard

You are a security administrator for Contoso Ltd., a global financial services company with 5,000 employees. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Entra ID, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. Recently, the security team identified a risk: employees are emailing sensitive financial reports to external recipients without encryption. To address this, you need to implement a solution that automatically applies encryption to emails containing the sensitive information type 'U.S. Bank Account Number' when sent to external recipients. The solution must not block the email but should encrypt it. Additionally, you want to notify the sender with a policy tip that the email will be encrypted. You have access to the Microsoft Purview compliance portal. What should you configure?

A. Configure an email encryption rule in Microsoft Defender for Office 365.
B. Create a Data Loss Prevention (DLP) policy in Microsoft Purview that detects 'U.S. Bank Account Number' and applies encryption to emails sent to external recipients, with a policy tip.
C. Enable Microsoft Purview Message Encryption for all users.
D. Create a sensitivity label with encryption and publish it to all users, then train users to apply it manually.
Answer B

DLP can automatically apply encryption and show policy tips.

Why this answer

Option B is correct because a DLP policy in Microsoft Purview can be configured to automatically encrypt emails when sensitive data is detected, and it can show policy tips. Option A is incorrect because email encryption rules in Defender for Office 365 are not as flexible as DLP for this scenario. Option C is incorrect because message encryption is a feature of Microsoft Purview, but DLP is the appropriate policy to automatically apply it based on conditions. Option D is incorrect because sensitivity labels require manual application or auto-labeling, but DLP can enforce encryption automatically.

374
MCQ easy

Your organization's security team wants to automatically investigate and respond to sophisticated email threats like business email compromise (BEC) without manual intervention. Which Microsoft 365 security solution should you use?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Office 365
Answer D

Defender for Office 365 provides automated investigation and response for email threats like BEC.

Why this answer

Option D is correct because Microsoft Defender for Office 365 includes automated investigation and response capabilities for email threats. Option A is wrong because Defender for Cloud Apps is for cloud app security. Option B is wrong because Defender for Endpoint is for endpoint security. Option C is wrong because Defender for Identity focuses on on-premises identity threats.

375
Multi-Select medium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps?

Select 2 answers
A. Information protection for files in Microsoft 365
B. Session controls to monitor and control app access in real time
C. Cloud discovery to identify shadow IT
D. Identity governance and access reviews
E. Vulnerability assessment for Azure virtual machines
Answers B, C

Session controls are a key CASB feature.

Why this answer

Microsoft Defender for Cloud Apps provides session controls that leverage reverse proxy architecture to monitor and control user app access in real time, enabling conditional access policies for cloud apps. Cloud discovery uses traffic logs from network appliances or Windows endpoints to identify shadow IT by analyzing app usage and risk scores.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Cloud (formerly Azure Security Center) or Microsoft Purview, leading them to select options like vulnerability assessment or information protection that belong to other services.
