Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 376450

1411 questions total · 19 pages · All types, answers revealed

Page 6 of 19
376
MCQ · medium

A company maintains an on-premises Active Directory environment with over 10,000 domain-joined computers. The security team is concerned about advanced attacks that use stolen credentials to move laterally, such as pass-the-hash attacks or DCSync attacks targeting domain controllers. They need a solution that monitors on-premises Active Directory traffic and event logs to detect these identity-based threats and provides alerts for investigation. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Identity
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: A

Defender for Identity profiles network traffic and event logs from domain controllers to detect suspicious activities such as pass-the-hash and DCSync, providing alerts for security teams.

Why this answer

Microsoft Defender for Identity is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic and event logs to detect advanced identity-based threats like pass-the-hash, pass-the-ticket, and DCSync attacks. It uses behavioral analytics and machine learning to identify suspicious activities, such as anomalous Kerberos ticket requests or replication attempts, and provides real-time alerts for investigation.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel, assuming that a SIEM is always the best choice for threat detection, but Sentinel lacks the specialized Active Directory protocol-level analysis and behavioral models that Defender for Identity provides natively.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) for malware, file-less attacks, and vulnerability management, not on monitoring Active Directory traffic or detecting DCSync attacks. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications (e.g., Office 365, AWS) and does not monitor on-premises Active Directory traffic or event logs. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates logs from multiple sources, but it is not a dedicated identity threat detection tool; while it can ingest AD logs, it lacks the specialized Active Directory protocol analysis and behavioral models that Defender for Identity provides out-of-the-box.

377
MCQ · hard

Your organization uses Microsoft Defender XDR (formerly Microsoft 365 Defender). A user reports receiving a suspicious email with a link. The email was not blocked by Exchange Online Protection (EOP). Which feature should you use to investigate the link's reputation in real time?

A. Exchange Online Protection (EOP) filtering
B. Anti-phish policy
C. Safe Attachments policy
D. Safe Links policy
Answer: D

Safe Links protects and allows investigation of URLs in emails.

Why this answer

Option D is correct because Safe Links in Defender for Office 365 provides real-time link protection and investigation. Option C is incorrect because Safe Attachments is for file attachments. Option B is incorrect because anti-phish policies handle phishing detection but not link investigation.

Option A is incorrect because EOP is the baseline filter and does not perform real-time link analysis.

378
MCQ · medium

Your company uses Microsoft Purview to protect sensitive data in SharePoint Online. You need to automatically apply a 'Confidential' sensitivity label to documents containing credit card numbers. What should you create?

A. An auto-labeling policy
B. A Data Loss Prevention (DLP) policy
C. A retention policy
D. An eDiscovery case
Answer: A

Auto-labeling policies apply labels based on patterns.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types such as credit card numbers. Option C is wrong because a retention policy governs retention, not labeling. Option B is wrong because a DLP policy can block or warn but does not auto-label.

Option D is wrong because an eDiscovery case is for search and legal hold.

379
MCQ · hard

A security analyst wants to create a custom detection rule that tracks a specific multi-stage attack pattern: a user receives a phishing email, clicks a link, and then a script is executed on their device. The analyst needs to write a Kusto Query Language (KQL) query to detect this pattern and schedule it to run automatically, generating alerts. Which Microsoft 365 Defender capability should they use?

A. Advanced hunting
B. Custom detection rules
C. Automation
D. Threat analytics
Answer: B

Correct. Custom detection rules allow you to create a KQL query from advanced hunting and schedule it to run automatically, generating alerts for matching events.

Why this answer

Custom detection rules in Microsoft 365 Defender allow security analysts to write KQL queries that run on a schedule and automatically generate alerts when the query returns results. This capability is specifically designed to detect multi-stage attack patterns, such as the phishing email → link click → script execution chain described, by querying advanced hunting data and triggering incident creation.

Exam trap

The trap here is that candidates confuse Advanced hunting (a query tool) with Custom detection rules (a scheduled alerting engine), assuming that writing a KQL query in Advanced hunting alone is sufficient for automated detection, when in fact it requires the custom detection rule framework to run on a schedule and generate alerts.

How to eliminate wrong answers

Option A is wrong because Advanced hunting is an interactive query interface for exploring raw data, but it does not natively support scheduled execution or automatic alert generation; it requires manual execution or integration with custom detection rules. Option C is wrong because Automation in Microsoft 365 Defender refers to automated investigation and response (AIR) playbooks that react to alerts, not to the creation of custom detection queries or scheduled alert rules. Option D is wrong because Threat analytics provides curated threat intelligence reports and pre-built detections from Microsoft, but it does not allow users to write custom KQL queries or schedule their own detection logic.

380
MCQ · medium

A security team wants to discover which cloud applications (such as Dropbox, Salesforce, or unsanctioned file-sharing apps) are being used by employees, even if those apps are not sanctioned by IT. They need to analyze usage patterns, risk levels, and identify potential shadow IT. Which feature of Microsoft Defender for Cloud Apps should they enable?

A. App Connectors (API connectors)
B. Cloud Discovery
C. Conditional Access App Control
D. Microsoft Defender for Endpoint
Answer: B

Cloud Discovery uses traffic logs to identify all cloud apps in use, providing a comprehensive view of shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs from firewalls and proxies to identify cloud app usage, including unsanctioned apps like Dropbox or Salesforce, without requiring API integration. It provides risk scores, usage patterns, and shadow IT detection by comparing discovered apps against Microsoft's cloud app catalog of over 31,000 apps.

Exam trap

The trap here is that candidates often confuse Cloud Discovery (passive log analysis for unsanctioned apps) with App Connectors (active API integration for sanctioned apps), assuming both can discover shadow IT, but only Cloud Discovery identifies apps not already connected via API.

How to eliminate wrong answers

Option A is wrong because App Connectors (API connectors) require explicit admin consent and API access to sanctioned apps, so they cannot discover unsanctioned or unknown shadow IT apps. Option C is wrong because Conditional Access App Control enforces real-time access policies on sanctioned apps via reverse proxy, not discovery of unsanctioned apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution focused on malware, vulnerabilities, and device threats, not cloud app discovery.

381
MCQ · medium

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. You have discovered a new cloud app that employees are using to store corporate data. The app is not sanctioned. You need to sanction the app but also ensure that users cannot upload sensitive data to it. You have configured a session policy to monitor the app. What additional step should you take?

A. Create a file policy in Microsoft Defender for Cloud Apps that detects sensitive data and blocks uploads.
B. Block the app entirely by adding it to the blocked list.
C. Configure a Conditional Access policy to require device compliance for the app.
D. Use the session policy to block all uploads to the app.
Answer: A

File policies can block uploads of sensitive data.

Why this answer

Option A is correct because you need to create a file policy in Defender for Cloud Apps to block uploads of sensitive data. Option B is wrong because blocking the app entirely is too restrictive.

Option D is wrong because the session policy as configured only monitors rather than blocks, and blocking all uploads would be too broad.

382
Multi-Select · easy

Which TWO features are available in Microsoft Entra ID P2 licenses? (Choose two.)

Select 2 answers
A. Self-service password reset (SSPR)
B. Privileged Identity Management (PIM)
C. Multifactor authentication (MFA)
D. Identity Protection (risk-based policies)
E. Password hash synchronization
Answers: B, D

P2 feature for just-in-time access.

Why this answer

Options B and D are correct: P2 includes Identity Protection and Privileged Identity Management. Option C is wrong because MFA is available in all tiers and is not exclusive to P2; what P2 adds is risk-based MFA through Identity Protection.

The question asks for features available in P2, and Identity Protection and PIM are the key P2 features. Option E is wrong because password hash synchronization is free. Option A is wrong because self-service password reset is available in the free tier or P1.

383
Multi-Select · easy

Which THREE are capabilities of Microsoft Defender for Cloud?

Select 3 answers
A. Just-in-time (JIT) VM access
B. Vulnerability assessment for virtual machines
C. Cloud Security Posture Management (CSPM)
D. DDoS protection
E. SIEM and security orchestration
Answers: A, B, C

Reduces attack surface with managed access.

Why this answer

Just-in-time (JIT) VM access is a capability of Microsoft Defender for Cloud that reduces the attack surface by locking down inbound traffic to Azure VMs. It uses Network Security Group (NSG) rules to allow access only when requested by an authorized user, for a specified time window, and from a specific IP address. This prevents persistent open management ports like RDP (TCP 3389) or SSH (TCP 22) from being exposed to the internet.

Exam trap

The trap here is that candidates confuse the 'recommendations' or 'alerts' shown in Defender for Cloud (which may mention DDoS or SIEM integration) with Defender for Cloud's own native capabilities, leading them to incorrectly select D or E as direct features.

384
MCQ · easy

A company wants to use Microsoft Entra ID (Azure AD) to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. Which security feature should they implement?

A. Privileged Identity Management (PIM)
B. Conditional Access policies
C. Password Protection
D. Identity Protection policies
Answer: B

Conditional Access can require MFA for specific apps.

Why this answer

Conditional Access policies allow administrators to require MFA based on conditions such as application sensitivity, so option B is correct. Option D is incorrect because Identity Protection detects risk rather than enforcing MFA. Option A is incorrect because Privileged Identity Management (PIM) manages access for privileged roles.

Option C is incorrect because Password Protection prevents weak passwords.

385
MCQ · hard

Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution that automatically detects and remediates users with leaked credentials. Additionally, you need to require users to change their password when a high risk is detected. Which Microsoft Entra features should you configure?

A. Enable Microsoft Entra Identity Protection, configure a user risk policy to require password change when risk is medium or high.
B. Create an Access Review for all users and require them to confirm their access quarterly.
C. Enable Privileged Identity Management (PIM) and require multi-factor authentication for all role activations.
D. Configure a Conditional Access policy to require password change when sign-in risk is high.
Answer: A

Correct: Identity Protection detects leaked credentials and user risk policy forces password change.

Why this answer

Option A is correct because Microsoft Entra Identity Protection detects leaked credentials by monitoring for credential exposures on the dark web and other sources. Configuring a user risk policy to require a password change when risk is medium or high automatically remediates the detected risk by forcing the user to update their password, directly addressing the requirement for automatic detection and remediation.

Exam trap

The trap here is confusing user risk (which detects leaked credentials and other user-level threats) with sign-in risk (which evaluates real-time session anomalies), leading candidates to incorrectly select Option D, which only addresses sign-in risk and not the required leaked credential detection.

How to eliminate wrong answers

Option B is wrong because Access Reviews are designed for periodic attestation of access rights, not for detecting or remediating leaked credentials or enforcing password changes based on risk. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and requires MFA for those activations, but it does not detect leaked credentials or enforce user password changes for general users. Option D is wrong because a Conditional Access policy can require a password change only when sign-in risk is high, but it does not automatically detect leaked credentials; sign-in risk evaluates real-time session anomalies, not leaked credential exposure, and the question specifically requires detection of leaked credentials, which is a user risk feature.

386
MCQ · medium

A security operations team needs to protect Windows servers from ransomware and other advanced threats. They require a solution that provides endpoint detection and response (EDR), automated investigation, and the ability to isolate compromised machines from the network. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Identity
C. Microsoft Defender for Office 365
D. Microsoft Defender for Endpoint
Answer: D

Defender for Endpoint delivers endpoint detection and response, automated investigation, and device isolation for Windows servers and clients.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR), automated investigation and remediation, and network isolation capabilities specifically for Windows servers and endpoints. These features directly address the requirement to protect against ransomware and advanced threats by detecting suspicious behavior, automatically investigating alerts, and allowing admins to isolate compromised machines from the network to prevent lateral movement.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security posture tool) with Microsoft Defender for Endpoint (an endpoint protection platform), especially since both names include 'Defender' and 'Cloud' can be misassociated with server workloads.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments; it does not provide endpoint-level EDR or machine isolation for Windows servers. Option B is wrong because Microsoft Defender for Identity is an identity-based security solution that detects threats using Active Directory signals and behavioral analytics; it does not include endpoint detection, automated investigation, or network isolation for servers. Option C is wrong because Microsoft Defender for Office 365 protects against threats in email, SharePoint, OneDrive, and Teams; it does not provide EDR or isolation capabilities for Windows server endpoints.

387
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID? (Select two.)

Select 2 answers
A. Antivirus and antimalware protection
B. Identity as a Service (IDaaS) for cloud applications
C. Provide network firewall services
D. Manage mobile devices and applications
E. Single sign-on (SSO) to thousands of SaaS applications
Answers: B, E

Microsoft Entra ID is a cloud-based identity service.

Why this answer

Microsoft Entra ID is a cloud-based identity and access management service, providing Identity as a Service (IDaaS) for cloud applications. It enables organizations to manage user identities and control access to resources, including thousands of pre-integrated SaaS applications through single sign-on (SSO). This makes options B and E correct, because Entra ID's core functions are identity management and SSO, not endpoint security or network infrastructure.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID with broader security suites like Microsoft 365 Defender or Azure security services, mistakenly attributing endpoint protection or network firewall capabilities to identity management.

388
MCQ · hard

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. The JSON snippet shows a rule designed to create an incident when a high-severity alert is generated. However, the rule is not triggering. What is the most likely reason?

A. The logicAppResourceId is missing a required parameter.
B. The action should be of type 'Microsoft.SecurityInsights/AlertRule/Alert' instead.
C. Automation rules triggered on alert creation cannot create incidents; they can only run playbooks.
D. The trigger type is incorrect; it should be 'Microsoft.SecurityInsights/Incident'.
Answer: C

Alert-triggered automation rules can only run playbooks, not directly create incidents.

Why this answer

The JSON shows a trigger type of 'Microsoft.SecurityInsights/AlertRule', which is used for automation rules that run on alert creation. However, the action type is 'Microsoft.SecurityInsights/AlertRule/Incident', which is intended to create an incident from an alert. The issue is that automation rules that trigger on alert creation cannot directly create incidents; they can only run playbooks.

To create an incident from an alert, you need to use an automation rule triggered on incident creation or use an analytics rule. Option C is correct. Option B is wrong because the action syntax is correct.

Option A is wrong because the resource ID is present. Option D is wrong because the trigger is on alert, not incident.

389
MCQ · hard

Your company uses Microsoft Defender for Cloud to secure multicloud workloads. You need to ensure that regulatory compliance frameworks (e.g., SOC 2, ISO 27001) are continuously assessed and any drift is reported. What should you implement?

A. Regulatory compliance standards in Microsoft Defender for Cloud
B. Microsoft Sentinel analytics rules
C. Azure Policy initiatives
D. Microsoft Defender for Cloud Apps session policies
Answer: A

Defender for Cloud includes built-in compliance standards that continuously assess resources against frameworks like SOC 2 and ISO 27001.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud provide continuous assessment against frameworks such as SOC 2 and ISO 27001. Option C is wrong because Azure Policy initiatives are used for policy enforcement, not assessment against compliance frameworks. Option B is wrong because Microsoft Sentinel analytics rules are for SIEM/SOAR detection, not compliance assessment.

Option D is wrong because Defender for Cloud Apps session policies focus on cloud app security.

390
MCQ · hard

Refer to the exhibit. A security analyst is reviewing an alert from Microsoft 365 Defender. The alert is associated with an incident. What is the best first step to investigate this alert?

A. Open the associated incident to view all related alerts and entities.
B. Isolate the affected user's device immediately.
C. Mark the alert as resolved.
D. Run an automated simulation to test the alert.
Answer: A

Investigating the incident provides a holistic view of the attack.

Why this answer

The alert is tagged as 'Malware' and has an incident ID, indicating it is part of a larger incident. The best practice is to open the incident to see correlated alerts and entities, so option A is correct. Option B is wrong because acting before opening the incident ignores the incident and loses context.

Option C is wrong because the alert is already high severity; mark it as resolved only after investigation. Option D is wrong because running a simulation on a live alert is not appropriate.

391
MCQ · medium

A company uses Microsoft Entra ID and wants to allow external business partners to request access to a specific application through an approval process. The access should be time-limited and automatically expired. Which Microsoft Entra ID feature should be configured?

A. Conditional Access
B. Entitlement management
C. Privileged Identity Management (PIM)
D. Self-service group management
Answer: B

Entitlement management uses access packages to allow users to request access, with approval workflows and automatic expiration, ideal for external partners.

Why this answer

Microsoft Entra entitlement management (part of Identity Governance) allows organizations to manage access for internal and external users through access packages, which include policies for requesting, approving, and automatically expiring access. Conditional Access is for enforcing policies during sign-in, PIM manages privileged roles, and self-service group management allows users to manage group membership but does not provide approval workflows or time-limited access for external users out-of-the-box.

392
MCQ · easy

Your company wants to allow employees to use their corporate Microsoft Entra ID credentials to sign in to third-party SaaS applications like Salesforce and ServiceNow. Which Microsoft Entra feature should you configure?

A. Conditional Access policies.
B. Microsoft Entra B2B collaboration.
C. Microsoft Entra Identity Protection.
D. Enterprise applications with pre-integrated gallery apps.
Answer: D

Enterprise apps allow SSO configuration for SaaS apps.

Why this answer

Option D is correct because configuring a third-party SaaS application like Salesforce or ServiceNow as an Enterprise Application in Microsoft Entra ID allows you to set up federation using SAML 2.0 or OpenID Connect, enabling users to sign in with their corporate Entra ID credentials. The pre-integrated gallery apps provide pre-configured templates that simplify the setup of single sign-on (SSO) and user provisioning, making it the appropriate feature for this requirement.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access after authentication) with the actual SSO configuration feature, or they mistakenly think B2B collaboration is for internal users accessing external apps, when it is specifically for external users accessing internal resources.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies are used to enforce access controls (e.g., MFA, location restrictions) after SSO is configured, not to enable the initial sign-in with corporate credentials. Option B is wrong because Microsoft Entra B2B collaboration is designed for inviting external users (guests) from other organizations, not for enabling internal employees to use their corporate credentials for third-party SaaS apps. Option C is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, impossible travel), not a feature for configuring SSO or authentication to external applications.

393
MCQ · easy

A company wants to use Microsoft Sentinel to collect security logs from on-premises servers and send them to Azure. Which data connector should they use?

A. Azure Monitor Agent (AMA)
B. Syslog connector
C. Microsoft Monitoring Agent (MMA)
D. Office 365 connector
Answer: A

AMA is the current recommended agent for collecting logs from servers.

Why this answer

Azure Monitor Agent (AMA) is the recommended agent for collecting logs from Windows and Linux machines and sending them to the Log Analytics workspace used by Sentinel. Option C is wrong because MMA is the legacy agent. Option B is wrong because the Syslog connector is for Linux sources, and AMA also supports Syslog collection.

Option D is wrong because the Office 365 connector is for cloud services.

394
MCQ · medium

A company uses Microsoft Entra ID. The security team needs to grant temporary elevated access to the Global Administrator role for a specific task, such as configuring a new security policy. They want the user to request activation, which is then approved by a manager, and the privileges automatically expire after 4 hours. Which Microsoft Entra feature should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Self-Service Password Reset (SSPR)
Answer: C

PIM allows just-in-time activation of privileged roles with approval and automatic expiration, matching the described requirements.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, allowing users to request activation of roles like Global Administrator. The activation can require approval from a manager and is automatically deactivated after a configurable maximum duration (e.g., 4 hours), directly meeting the security team's requirements.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Conditional Access, because both involve policies and access control, but PIM specifically handles just-in-time privileged role activation with approval and expiration, while Conditional Access focuses on access conditions for all users.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like user location or device compliance, but it does not provide time-bound role activation with approval workflows. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials), not manage privileged role activation or expiration. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, not to elevate or manage role assignments.

395
MCQ · medium

A company is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities shifts from the customer to Microsoft during this migration?

A. Physical security of the data center infrastructure
B. Configuring network security groups (NSGs)
C. Patching the operating system on virtual machines
D. Managing user identities and access to the application
Answer: A

Microsoft secures the physical data centers with access controls, surveillance, and environmental protections. This responsibility is always with the cloud provider.

Why this answer

When migrating on-premises applications to Azure IaaS, the shared responsibility model shifts physical security responsibilities—such as data center access controls, environmental controls, and hardware security—from the customer to Microsoft. Microsoft is responsible for the physical security of all Azure data centers, including perimeter security, surveillance, and facility access management, which were previously the customer's responsibility in their own on-premises environment.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly believing that Microsoft takes responsibility for OS patching or network security in IaaS, when in fact those remain customer responsibilities.

How to eliminate wrong answers

Option B is wrong because configuring network security groups (NSGs) remains the customer's responsibility under IaaS, as the customer controls network traffic filtering and segmentation for their virtual networks. Option C is wrong because patching the operating system on virtual machines is the customer's responsibility in IaaS, as Microsoft only manages the underlying hypervisor and physical hosts. Option D is wrong because managing user identities and access to the application is always the customer's responsibility, regardless of deployment model, as Microsoft provides identity services (like Azure AD) but the customer controls who has access and how permissions are configured.

396
MCQ · easy

A user reports that they cannot access a sensitive document in SharePoint Online. The administrator checks the document's permissions and sees that the user is not listed directly, but a group they belong to has been granted access. Which identity concept describes this scenario?

A. Role-based access control (RBAC)
B. Privilege escalation
C. Group-based access control
D. Attribute-based access control (ABAC)
Answer: C

The user gains access through a group they belong to, which is group-based access control.

Why this answer

Group-based access control assigns permissions to groups rather than individuals, simplifying management. Option A is wrong because role-based access control is a specific type of group-based access that uses roles. Option D is wrong because attribute-based access control uses user attributes, not group membership.

Option B is wrong because privilege escalation refers to gaining higher permissions, not normal access via groups.

397
Multi-Select · medium

Which TWO of the following are principles of the Zero Trust security model? (Select two.)

Select 2 answers
A. Verify explicitly
B. Perimeter-based security
C. Implicit trust
D. Trust but verify
E. Least privilege access
Answers: A, E

Always authenticate and authorize based on all data points.

Why this answer

Options A and E are correct. The official Zero Trust principles are Verify explicitly, Use least privilege access, and Assume breach; options A (Verify explicitly) and E (Least privilege access) name two of them.

398
Multi-Select · hard

Which TWO of the following are required to use Microsoft Purview Audit (Premium)?

Select 2 answers
A. Unified audit log enabled in the Microsoft 365 Defender portal
B. An E5 or A5 license for each user
C. An Azure subscription for log storage
D. Power BI Pro licenses for all users
E. Microsoft Sentinel enabled
Answers: A, B

Audit logging must be turned on for Audit (Premium).

Why this answer

Options A and B are correct. Audit (Premium) requires an appropriate license (e.g., E5) and unified audit logging enabled. Option C (an Azure subscription) is not required.

Option E (Microsoft Sentinel) is optional. Option D (Power BI Pro) is unrelated.

399
MCQ · medium

A security team needs to investigate a potential data leak where an employee may have emailed sensitive customer information to a competitor. They want to search the unified audit log for specific email activities, such as 'Send' or 'Forward', and generate a detailed report. Which Microsoft Purview solution should they use?

A. Microsoft Purview Compliance Manager
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Audit (Standard or Premium)
D. Microsoft Purview eDiscovery (Premium)
Answer: C

Purview Audit enables searching the unified audit log for user and admin activities. Premium extends retention and provides additional APIs for investigation.

Why this answer

Microsoft Purview Audit (Standard or Premium) is the correct solution because it captures and logs specific email activities such as 'Send' and 'Forward' from Exchange Online. The security team can search the unified audit log for these operations and export a detailed report for investigation. Compliance Manager, DLP, and eDiscovery do not provide this direct audit log search capability for individual email actions.

Exam trap

The trap here is that candidates confuse Data Loss Prevention (DLP) with audit logging, assuming DLP can retrospectively search for past email actions, when in fact DLP only applies proactive policies and alerts, not historical audit log queries.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a risk-assessment and compliance-score tool, not an audit log search tool; it cannot retrieve specific email activities like 'Send' or 'Forward'. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent data leaks by applying policies to block or alert on sensitive content, but it does not provide a searchable audit log of past email actions for forensic investigation. Option D is wrong because Microsoft Purview eDiscovery (Premium) is used for legal hold, collection, and review of content for litigation, not for searching the unified audit log for email send/forward events.

400
MCQ · medium

A company uses Azure virtual machines and on-premises Windows servers. The security team wants a single solution that provides vulnerability assessment, a regulatory compliance dashboard (e.g., for ISO 27001), and integrated threat detection such as fileless malware and anomalous logins. Which Microsoft security solution should they use?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Cloud
C. Microsoft 365 Defender
D. Microsoft Sentinel
Answer: B

Defender for Cloud offers vulnerability assessment, compliance dashboards, and threat detection for Azure, on-premises, and multicloud workloads.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is the correct choice because it provides unified security management across Azure VMs and on-premises servers. It includes built-in vulnerability assessment (via Qualys or Microsoft Defender Vulnerability Management), a regulatory compliance dashboard with built-in standards like ISO 27001, and integrated threat detection for fileless malware, anomalous logins, and other advanced attacks. This single solution meets all the requirements listed in the question.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud with Microsoft 365 Defender, mistakenly thinking the latter covers all security workloads, but Microsoft 365 Defender is limited to Microsoft 365 services and does not manage Azure infrastructure or on-premises servers.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, but it does not provide a regulatory compliance dashboard for standards like ISO 27001 or native vulnerability assessment across hybrid infrastructure. Option C is wrong because Microsoft 365 Defender is a suite that correlates signals from Microsoft 365 services (e.g., Defender for Endpoint, Defender for Office 365) and is not designed to manage security posture or compliance for Azure VMs and on-premises servers. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for log collection and incident response, but it does not include built-in vulnerability assessment or a pre-configured regulatory compliance dashboard; those capabilities require additional integration and configuration.

401
MCQ · medium

A company uses Microsoft Entra ID. The security team wants to provide just-in-time (JIT) administrative access to Azure resources. They require that administrators must request approval before gaining elevated privileges, and that the elevated access automatically expires after the task is completed. Which Microsoft Entra capability should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Self-Service Password Reset (SSPR)
Answer: C

Correct. PIM enables just-in-time privileged access, requiring approval and setting time-bound access that automatically expires.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources with time-bound activation, approval workflows, and automatic expiration. PIM allows administrators to request elevation for a specific role, which must be approved by designated approvers, and the elevated access automatically expires after the configured duration (e.g., 1–8 hours). This directly meets the security team's requirements for approval-based, time-limited administrative access.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps and resources) with PIM (which controls time-bound elevation of roles), because both involve 'access' and 'conditions,' but only PIM provides JIT activation with approval and automatic expiration.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like user location or device compliance, but it does not provide JIT role activation, approval workflows, or automatic expiration of elevated privileges. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials or sign-ins from anonymous IPs), but it does not manage privileged role assignments or time-bound elevation. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, which is unrelated to granting or managing elevated administrative access to Azure resources.

402
MCQ · medium

A company uses Microsoft 365 and must comply with a regulation that requires all business records, including emails and documents, to be retained for exactly 5 years. They need to automatically apply a retention label to any item that contains the keyword 'Contract' when the item is created or modified. Which Microsoft Purview solution should they use to configure this automatic labeling?

A. Data Lifecycle Management
B. Data Loss Prevention (DLP)
C. Audit
D. Compliance Manager
Answer: A

Data Lifecycle Management allows you to create retention labels and automatically apply them using label policies that include conditions like keywords. This meets the requirement for automatic labeling based on content.

Why this answer

Data Lifecycle Management (DLM) in Microsoft Purview enables automatic retention labeling based on sensitive content, such as keywords like 'Contract'. It uses auto-labeling policies to apply retention labels at the time of creation or modification, ensuring compliance with the 5-year retention requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management with Data Loss Prevention (DLP), assuming DLP can apply retention labels, but DLP only enforces actions like blocking or warning, not retention labeling.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) policies are designed to prevent unauthorized sharing or leakage of sensitive data, not to apply retention labels for lifecycle management. Option C is wrong because Audit in Microsoft Purview records user and admin activities for forensic analysis, but it cannot automatically label items based on content. Option D is wrong because Compliance Manager provides risk assessments and recommendations for regulatory compliance, but it does not apply retention labels or enforce retention policies.

403
MCQ · easy

You run the above PowerShell command in your Microsoft Entra ID environment. What is the command retrieving?

A. Conditional access policies
B. Named locations
C. Role assignments
D. Token lifetime policies
Answer: D

The command filters for TokenLifetimePolicy type.

Why this answer

Option D is correct because the command gets all policies of type 'TokenLifetimePolicy', which are used to define token lifetimes. Option A is wrong because conditional access policies use a different type. Option B is wrong because named locations are not policies. Option C is wrong because role assignments are not policies.

404
MCQ · medium

A company uses Microsoft Entra ID. They want to require all users accessing the external vendor portal to accept a terms of use document before they are granted access. The acceptance must be revoked after 30 days, requiring the user to accept again. Which Conditional Access component should the administrator configure?

A. Assignments
B. Access controls (Grant)
C. Conditions
D. Session controls
Answer: B

Access controls (Grant) allow you to require multifactor authentication, device compliance, and terms of use acceptance.

Why this answer

The administrator needs to enforce a terms of use acceptance that expires after 30 days. In Conditional Access, the 'Access controls (Grant)' section includes the 'Require terms of use' option, which can be configured to require re-acceptance after a specified duration (e.g., 30 days). This directly meets the requirement by blocking access until the user accepts the current version of the terms of use document.

Exam trap

The trap here is that candidates often confuse 'Session controls' (which manage sign-in frequency or app restrictions) with the ability to enforce terms of use acceptance, but only the 'Grant' control can require a terms of use document to be accepted.

How to eliminate wrong answers

Option A is wrong because 'Assignments' define which users, groups, or applications the policy applies to, not the specific access requirements like terms of use acceptance. Option C is wrong because 'Conditions' define signals such as location, device state, or risk level that trigger the policy, but they do not enforce the acceptance of a terms of use document. Option D is wrong because 'Session controls' manage user experience during a session (e.g., app enforced restrictions, sign-in frequency), but they cannot enforce a terms of use acceptance requirement.

405
Drag & Drop · medium

Arrange the steps to configure Azure AD Privileged Identity Management (PIM) for a role in the correct order.


Why this order

PIM setup involves first accessing PIM, then selecting a role, configuring settings, assigning eligible users, and managing approvals.

406
MCQ · medium

A legal team is handling a lawsuit and needs to gather all electronically stored information (ESI) related to a specific case from across Microsoft 365, including emails, Teams messages, and SharePoint documents. They need to place a hold on the custodians' data to prevent deletion or modification, and then collect, review, and export the data. Which Microsoft Purview solution should they use?

A. Microsoft Purview eDiscovery (Premium)
B. Microsoft Purview eDiscovery (Standard)
C. Microsoft Purview Audit (Premium)
D. Microsoft Purview Data Lifecycle Management
Answer: A

eDiscovery (Premium) provides a complete workflow for legal cases, including identifying custodians, placing legal holds on their mailboxes, SharePoint sites, and Teams, and performing advanced collection and review.

Why this answer

Microsoft Purview eDiscovery (Premium) is the correct solution because it provides end-to-end workflow for legal cases, including the ability to place legal holds on custodians' data across Exchange, Teams, SharePoint, and OneDrive to preserve ESI, and then collect, review, and export that data. The Premium tier adds advanced features like custodian management, review sets, and predictive coding, which are essential for complex litigation scenarios.

Exam trap

The trap here is that candidates confuse eDiscovery (Standard) with eDiscovery (Premium), assuming the Standard tier can handle custodian holds and advanced review, but only Premium provides the full legal hold and collection workflow required for complex litigation.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery (Standard) lacks custodian-based holds, advanced review sets, and predictive coding; it is designed for basic search and export, not for managing complex legal holds and multi-source collection. Option C is wrong because Microsoft Purview Audit (Premium) focuses on logging and investigating user and admin activities, not on placing holds or collecting and exporting ESI for litigation. Option D is wrong because Microsoft Purview Data Lifecycle Management is used for retention and deletion policies (e.g., managing data expiration), not for legal hold, collection, or review of ESI in active litigation.

407
MCQ · medium

A company uses Microsoft 365 and needs to protect endpoints from ransomware attacks that encrypt files. The security team wants automated investigation and response capabilities for malware incidents on Windows devices. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
Answer: D

Defender for Endpoint provides endpoint protection, EDR, automated investigation, and response for devices, making it the correct choice.

Why this answer

Microsoft Defender for Endpoint (D) is the correct answer because it provides endpoint detection and response (EDR) capabilities, including automated investigation and remediation for malware incidents on Windows devices. It uses behavioral sensors, cloud analytics, and threat intelligence to detect ransomware encryption behavior and automatically contain or remediate affected endpoints, aligning with the requirement for automated response.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Office 365 (which protects email and collaboration) with endpoint protection, failing to recognize that automated investigation and response for Windows devices specifically requires an endpoint-focused solution like Microsoft Defender for Endpoint.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 protects email, SharePoint, and Teams from phishing and malware, not endpoints like Windows devices. Option B is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs cloud app usage and data, not endpoint-level ransomware protection. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., Kerberos abuse), not file-encrypting ransomware on endpoints.

408
MCQ · easy

You are configuring Microsoft Entra ID Governance. You need to ensure that when a user leaves the organization, their access to all SaaS applications is automatically revoked. Which Microsoft Entra feature should you use?

A. Microsoft Entra Conditional Access
B. Microsoft Entra Privileged Identity Management (PIM)
C. Microsoft Entra Access Reviews
D. Microsoft Entra Terms of Use
Answer: C

Access Reviews can automatically remove access when users leave or are disabled.

Why this answer

Microsoft Entra Access Reviews allows administrators to create recurring reviews of user access to SaaS applications. When a user leaves the organization, an automated access review can be configured to remove their access based on the review results, ensuring revocation of access to all assigned SaaS apps. This directly addresses the requirement for automatic revocation upon departure.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access during authentication) with lifecycle management features like Access Reviews, which handle ongoing governance and automatic removal of access after a user leaves.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state at sign-in time, but it does not automatically revoke access when a user leaves the organization. Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not the lifecycle-based revocation of access to SaaS applications for departing users. Option D is wrong because Microsoft Entra Terms of Use presents acceptance policies to users before accessing resources, but it does not automate access removal when a user leaves.

409
MCQ · easy

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

A. Segregation of duties
B. Defense in depth
C. Least privilege
D. Zero Trust
Answer: C

Least privilege ensures users have only the permissions needed for their roles. The example of a sales rep having read-only access to customer data is a classic application of this principle.

Why this answer

The scenario describes granting employees only the permissions necessary to perform their job functions, which is the core definition of the least privilege principle. In Microsoft identity and access management, this is implemented by assigning the minimum required Azure RBAC roles or Microsoft Entra ID directory roles, ensuring users have no more access than needed. This directly reduces the attack surface and limits potential damage from compromised accounts.

Exam trap

The trap here is that candidates confuse least privilege with Zero Trust, but Zero Trust is a broader architectural model that includes least privilege as one component, not the specific principle being described in this scenario.

How to eliminate wrong answers

Option A is wrong because segregation of duties (also known as separation of duties) requires splitting critical tasks among multiple people to prevent fraud or error, not limiting permissions to the minimum needed. Option B is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, monitoring) across different layers, not a principle for granting specific permissions. Option D is wrong because Zero Trust is a security model based on 'never trust, always verify' and continuous authentication, not specifically about granting only necessary permissions.

410
MCQ · medium

A security architect is explaining identity management concepts to the IT team. Which statement correctly describes the difference between authentication and authorization?

A. Authentication verifies what a user can do, while authorization verifies who the user is.
B. Authorization must always occur before authentication.
C. Authentication verifies the identity of a user, while authorization determines the resources they can access.
D. Authentication and authorization are synonymous terms in identity management.
Answer: C

Authentication confirms who you are, and authorization defines what you are allowed to do after your identity is verified.

Why this answer

Option C is correct because authentication is the process of verifying a user's identity (e.g., via password, biometric, or certificate), while authorization determines what resources or actions that authenticated identity is permitted to access. In Microsoft Entra ID, authentication occurs first via protocols like OAuth 2.0 or OpenID Connect, and authorization is then enforced through role-based access control (RBAC) or conditional access policies.

Exam trap

The trap here is that candidates often confuse the order or swap the definitions of authentication and authorization, leading them to pick Option A or B, but the key is remembering that authentication always precedes authorization and that they are distinct processes.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: authentication verifies who the user is, not what they can do, and authorization determines what a user can do, not who they are. Option B is wrong because authorization must always occur after authentication, not before; you cannot determine access rights without first confirming the user's identity. Option D is wrong because authentication and authorization are distinct concepts; authentication confirms identity, while authorization governs access permissions, and they are not synonymous.

411
Multi-Select · medium

Which TWO features are part of Microsoft Entra ID P2 licensing? (Choose two.)

Select 2 answers
A. Conditional Access
B. Basic Mobility and Security
C. Microsoft Entra Identity Protection
D. Microsoft Entra Self-Service Password Reset
E. Microsoft Entra Privileged Identity Management
Answers: C, E

Identity Protection is a P2 feature.

Why this answer

Microsoft Entra ID P2 licensing includes advanced security features such as Microsoft Entra Identity Protection and Microsoft Entra Privileged Identity Management (PIM). Identity Protection uses machine learning to detect and remediate identity-based risks like leaked credentials and anomalous sign-in patterns, while PIM provides just-in-time privileged access and approval workflows. These capabilities are exclusive to P2 and are not available in P1 or free tiers.

Exam trap

The trap here is that candidates often confuse Conditional Access (a P1 feature) as a P2 exclusive because it is commonly paired with Identity Protection in security demos, but Conditional Access itself does not require P2 licensing.

412
MCQ · hard

A legal team is preparing for a lawsuit and needs to perform a detailed investigation of user activities across Microsoft 365 services. They need to view the 'before' and 'after' values whenever a critical item in SharePoint or Exchange is updated or deleted. The investigation requires high-volume export performance and the ability to search by specific activities like 'MailboxFolderAccess' and 'Send'. Which Microsoft Purview solution should be enabled and configured to meet these advanced auditing requirements?

A. Microsoft Purview Audit (Premium)
B. Microsoft Purview Audit (Standard)
C. Microsoft Purview eDiscovery (Standard)
D. Microsoft Purview Data Lifecycle Management
Answer: A

Audit (Premium) offers extended retention, high-volume export, and detailed logging of before/after values, enabling deep forensic investigation of user activities.

Why this answer

Microsoft Purview Audit (Premium) is required because it captures detailed 'before' and 'after' values for critical updates and deletions in SharePoint and Exchange, supports high-volume export performance, and allows searching for specific activities like 'MailboxFolderAccess' and 'Send'. These capabilities go beyond the Standard audit log, which only records basic event metadata without the old/new values and lacks the advanced search and export throughput needed for litigation.

Exam trap

The trap here is that candidates confuse Audit (Standard) with Audit (Premium), assuming Standard logs all details, but Standard only records basic metadata without before/after values or high-volume export, which are exclusive to Premium.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Audit (Standard) only logs basic audit events (who, what, when) without capturing the 'before' and 'after' values for updates or deletions, and it does not support high-volume export performance or the specific activity search granularity required. Option C is wrong because Microsoft Purview eDiscovery (Standard) is designed for content search, hold, and export of data for legal cases, not for real-time or historical auditing of user activities with before/after values; it relies on Audit logs for activity data but does not itself provide the advanced auditing features. Option D is wrong because Microsoft Purview Data Lifecycle Management focuses on retention, deletion, and classification policies for data governance, not on auditing user activities or capturing detailed change values.

413
MCQ · hard

A company operates in multiple countries and must comply with GDPR (EU) and CCPA (California). The compliance officer needs a single tool to assess the company's compliance posture against both regulations, get a consolidated compliance score, and receive prioritized improvement actions that can be assigned to responsible teams. The tool should also track progress over time. Which Microsoft Purview solution should the compliance officer use?

A. Microsoft Purview Compliance Manager
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview eDiscovery (Standard)
D. Microsoft Purview Insider Risk Management
Answer: A

Compliance Manager provides an end-to-end compliance management solution, including scoring, improvement actions, and task assignment for multiple regulations like GDPR and CCPA.

Why this answer

Microsoft Purview Compliance Manager is the correct solution because it provides a unified dashboard to assess compliance posture against multiple regulations like GDPR and CCPA. It offers a consolidated compliance score, prioritized improvement actions that can be assigned to responsible teams, and tracks progress over time through continuous assessments and automated control mapping.

Exam trap

The trap here is that candidates may confuse Compliance Manager's scoring and action assignment features with DLP's data protection policies, but DLP lacks the regulatory assessment and progress tracking capabilities required for this scenario.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent accidental or unauthorized sharing of sensitive data through policies and alerts, not to assess compliance posture or provide a consolidated compliance score across regulations. Option C is wrong because Microsoft Purview eDiscovery (Standard) is used for identifying, preserving, and exporting electronic content for legal investigations, not for ongoing compliance assessment or improvement action tracking. Option D is wrong because Microsoft Purview Insider Risk Management focuses on detecting and mitigating internal risks like data theft or policy violations through analytics, not on providing a compliance score or prioritized actions for regulatory frameworks.

414
MCQ · hard

A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Highly Confidential' sensitivity label to emails containing a specific credit card pattern. Which solution should they use?

A. Microsoft Sentinel
B. Microsoft Purview Data Loss Prevention
C. Microsoft Defender for Cloud Apps
D. Microsoft Purview Audit
Answer: B

DLP policies can automatically apply sensitivity labels based on sensitive data detection.

Why this answer

Microsoft Purview Data Loss Prevention policies include rules that can automatically apply sensitivity labels based on sensitive info types like credit card numbers. Option A is incorrect because Microsoft Sentinel is for SIEM/SOAR. Option C is incorrect because Microsoft Defender for Cloud Apps focuses on app access control. Option D is incorrect because Microsoft Purview Audit only logs activities.

415
MCQ · hard

Refer to the exhibit. You run the PowerShell command to retrieve a conditional access policy's conditions. The output shows Applications: All, Users: All, and Locations: All trusted. You need to ensure that only trusted locations are used when accessing Microsoft 365. What change should you make?

A. Modify the Locations condition to include all trusted locations and exclude untrusted locations
B. Add a condition to block legacy authentication
C. Under Grant, require multi-factor authentication
D. Set sign-in frequency to 4 hours
Answer: A

This ensures access only from trusted locations.

Why this answer

Option A is correct. The exhibit shows the Locations condition set to 'All trusted', so the policy applies only to trusted locations and does nothing about access from untrusted ones. To ensure that only trusted locations are used when accessing Microsoft 365, modify the Locations condition so that it includes all trusted locations and excludes untrusted locations. Option B is wrong because blocking legacy authentication doesn't affect locations. Option C is wrong because grant controls are not about location. Option D is wrong because sign-in frequency doesn't control locations.

416
Multi-Select · easy

Your organization uses Microsoft Purview to manage data sensitivity and compliance. Which TWO capabilities are provided by Microsoft Purview Information Protection?

Select 2 answers
A. Define retention labels to keep data for a specified period.
B. Detect and manage insider risk activities such as data theft by employees.
C. Enforce Data Loss Prevention (DLP) policies to prevent accidental sharing of sensitive data.
D. Create and publish sensitivity labels that can be applied to documents and emails.
E. Automatically classify data based on sensitive information types and machine learning models.
Answers: D, E

Sensitivity labels are a core capability of Information Protection.

Why this answer

Microsoft Purview Information Protection includes sensitivity labels and data classification. Data Loss Prevention (DLP) is a separate policy, and insider risk management is a different solution. Retention policies are part of Microsoft Purview Records Management.

417
MCQ · medium

A company uses Microsoft Defender for Cloud Apps to secure its cloud applications. The security team wants to monitor and control data activities in a third-party cloud app (e.g., Box) in real time. Specifically, they need to block downloads of files that have a 'Confidential' sensitivity label when users access the app from unmanaged devices. Which capability of Microsoft Defender for Cloud Apps should they configure?

A. Cloud Discovery
B. App connector
C. Conditional Access App Control
D. Information protection
Answer: C

Correct. This feature provides session-level control to monitor and restrict data access in real time.

Why this answer

Conditional Access App Control (CAAC) is the correct capability because it enforces real-time session policies that can block downloads based on sensitivity labels and device compliance. By integrating with Microsoft Defender for Cloud Apps, CAAC intercepts user sessions to third-party apps like Box and applies granular controls, such as blocking file downloads when the device is unmanaged and the file carries a 'Confidential' label.

Exam trap

The trap here is confusing API-based app connectors (which control data at rest) with reverse proxy-based Conditional Access App Control (which controls data in motion during user sessions).

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is used to identify shadow IT and assess the risk of cloud apps in the environment, not to enforce real-time data control policies. Option B is wrong because an App connector enables API-based monitoring and control of data at rest (e.g., file quarantine or governance actions), but it cannot block downloads in real time during a user session. Option D is wrong because Information protection refers to Microsoft Purview's sensitivity labels and encryption, which define the classification but do not themselves enforce session-level access controls like blocking downloads from unmanaged devices.

418
MCQhard

Refer to the exhibit. A Microsoft Purview retention policy is configured as shown. An HR manager wants to ensure that employee records are kept for at least 1 year after last modification. The policy is applied to Exchange, SharePoint, and OneDrive. What is the outcome?

A.The policy will not retain content; it will delete matching content after 365 days, which may not be intended
B.Employee records in Exchange are retained for 365 days after last modification, then deleted
C.Employee records in SharePoint are deleted after 365 days from last modification if they have Department=HR
D.The policy retains content for 365 days and then automatically moves to archive
AnswerA

The policy deletes instead of keeping, and the query may not work as expected.

Why this answer

The policy deletes content 365 days after last modification, but the content query filters only items where Department equals 'HR'. However, SharePoint items do not have a Department property by default; the query may not match any items, so the policy may have no effect. Also, the policy deletes rather than retains; a retention policy should use 'Keep' or 'KeepAndDelete'.

The design is flawed.

419
Multi-Selecthard

Which three features are available in Microsoft Entra ID P2 but not in P1? (Choose three.)

Select 3 answers
A.Access reviews
B.Privileged Identity Management (PIM)
C.Identity Protection risk-based policies
D.Conditional Access policies
E.Self-service password reset (SSPR) with writeback
AnswersA, B, C

Access reviews require P2.

Why this answer

Access reviews are a Microsoft Entra ID P2 feature that allows administrators to automate periodic reviews of group memberships, application access, and role assignments. This capability is not available in P1, which lacks the automated review workflows and attestation features that P2 provides for governance and compliance.

Exam trap

The trap here is that candidates often confuse Conditional Access policies as a P2-only feature, but they are actually available in P1, while P2 adds Identity Protection risk-based policies and PIM, not the base Conditional Access engine.

420
Multi-Selecteasy

Which TWO are features of Microsoft Entra ID?

Select 2 answers
A.Single sign-on (SSO)
B.Data loss prevention (DLP)
C.Cloud app discovery
D.Mobile device management (MDM)
E.Self-service password reset (SSPR)
AnswersA, E

Entra ID provides SSO for cloud applications.

Why this answer

Options A and E are correct. Microsoft Entra ID provides single sign-on (SSO) and self-service password reset (SSPR). Option B is wrong because data loss prevention (DLP) is a feature of Microsoft Purview.

Option C is wrong because cloud app discovery is a feature of Microsoft Defender for Cloud Apps. Option D is wrong because mobile device management (MDM) is part of Microsoft Intune.

421
MCQeasy

Your organization uses Microsoft Purview to govern data in Azure Data Lake Storage. You need to create a data classification policy that automatically tags files containing personally identifiable information (PII) such as social security numbers. Which scanning solution should you use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Audit
D.Microsoft Purview Data Map scanning
AnswerD

Data Map scans data sources and applies classification rules.

Why this answer

Option D is correct because Microsoft Purview Data Map scanning scans and classifies data sources. Option A is wrong because Information Protection focuses on labels and encryption. Option B is wrong because Data Loss Prevention (DLP) is for data protection, not classification.

Option C is wrong because Audit logs record activities; it does not scan data.

422
MCQhard

A company runs Windows Server virtual machines (VMs) on-premises and in Azure. The security team wants a unified view of missing security updates and known vulnerabilities (CVEs) across all VMs. They want to enable agentless scanning for Azure VMs and deploy a lightweight agent for on-premises machines. The results should be consolidated in a single dashboard with prioritized remediation recommendations. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Identity
AnswerA

Defender for Cloud includes vulnerability assessment capabilities that cover VMs in Azure and on-premises (via Azure Arc). It provides a single dashboard showing missing patches and CVEs with actionable recommendations, and supports both agentless and agent-based scanning.

Why this answer

Microsoft Defender for Cloud provides unified visibility into security vulnerabilities and missing updates across hybrid workloads, including on-premises and Azure VMs. It supports agentless scanning for Azure VMs (using the cloud-based scanner) and allows deployment of the Azure Monitor Agent (or legacy Log Analytics agent) for on-premises machines, consolidating findings in a single dashboard with prioritized remediation recommendations based on the Secure Score and integrated vulnerability assessment (e.g., Qualys or Microsoft Defender Vulnerability Management).

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security posture management and workload protection solution) with Microsoft Defender for Endpoint (an endpoint detection and response tool), assuming both provide identical vulnerability scanning capabilities, but only Defender for Cloud offers agentless scanning for Azure VMs and a unified hybrid dashboard for missing updates and CVEs.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, including vulnerability management, but it does not natively provide agentless scanning for Azure VMs or a unified hybrid dashboard for missing updates and CVEs across both on-premises and Azure VMs in the way Defender for Cloud does. Option C (Microsoft Sentinel) is wrong because it is a SIEM/SOAR solution for security information and event management, not a vulnerability assessment or update management tool; it can ingest vulnerability data but does not perform agentless scanning or provide prioritized remediation recommendations natively. Option D (Microsoft Defender for Identity) is wrong because it is designed to detect and investigate on-premises Active Directory threats using signals from domain controllers, not to scan VMs for missing security updates or CVEs.

423
MCQhard

You are troubleshooting a Conditional Access policy in Microsoft Entra ID. The policy in the exhibit is not blocking some sign-ins that you expected to block. What is the most likely reason?

A.The policy only blocks based on user risk, not sign-in risk
B.The policy is not assigned to any users
C.The grant control is set to allow access
D.The policy excludes certain users
AnswerA

The conditions only include userRiskLevels, not signInRiskLevels.

Why this answer

Option A is correct because the policy only blocks based on a user risk level of 'high', not sign-in risk. Sign-ins with high sign-in risk but low user risk are therefore not blocked. Option D is wrong because there is no exclude clause in the policy.

Option C is wrong because the grant control does block access. Option B is wrong because the snippet does not show the policy's assignment to a user group, so a missing assignment cannot be concluded from it.

424
MCQhard

You are the security administrator for Contoso Corporation. The company uses Microsoft 365 E5 licenses, which include Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender XDR. Contoso has a hybrid identity environment with Microsoft Entra Connect syncing on-premises Active Directory to Microsoft Entra ID. The company recently experienced a data breach where an attacker compromised a user's credentials and exfiltrated sensitive customer data from SharePoint Online. The investigation revealed that the compromised user did not have MFA enabled and had admin consent to a malicious third-party OAuth app. To prevent future incidents, management has mandated the following requirements: (1) Enforce MFA for all users, especially those accessing sensitive data. (2) Block all OAuth apps that are not pre-approved by IT. (3) Detect and respond to identity-based threats in real-time. (4) Classify and protect sensitive data in SharePoint and Teams. You need to recommend a solution that meets all requirements. Which combination of Microsoft security solutions should you implement?

A.Conditional Access to enforce MFA, Microsoft Intune to block OAuth apps, Microsoft Defender for Endpoint to detect identity threats, and Microsoft Purview Audit to classify data.
B.Security defaults to enforce MFA, Microsoft Defender for Cloud to block OAuth apps, Microsoft Sentinel to detect identity threats, and Microsoft Purview Data Loss Prevention to classify data.
C.Microsoft Entra ID Protection to enforce MFA, Microsoft Defender for Identity to block OAuth apps, Microsoft Sentinel to detect identity threats, and Microsoft Purview Data Lifecycle Management to classify data.
D.Conditional Access to enforce MFA, Microsoft Defender for Cloud Apps to block unapproved OAuth apps, Microsoft Defender for Identity to detect identity threats, and Microsoft Purview Information Protection to classify and protect sensitive data.
AnswerD

This combination meets all requirements: Conditional Access enforces MFA, Defender for Cloud Apps blocks OAuth apps, Defender for Identity detects threats, and Purview Information Protection classifies data.

Why this answer

Conditional Access enforces MFA and can block OAuth apps; Defender for Cloud Apps provides OAuth app governance; Defender for Identity detects identity threats; Purview Information Protection classifies and protects data. Defender for Cloud is for cloud workload protection, not identity or OAuth. Intune is for device management.

Sentinel is a SIEM and is not specific to identity threat detection. The correct combination covers all four requirements.

425
Multi-Selecthard

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

Select 2 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Cloud
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswersA, C

Defender for Endpoint is a core component of Microsoft 365 Defender, providing endpoint security and threat detection.

Why this answer

Microsoft 365 Defender is an integrated threat protection suite that unifies detection and response across an organization's Microsoft 365 environment. It includes Microsoft Defender for Endpoint, which provides endpoint detection and response (EDR) capabilities for devices, and Microsoft Defender for Office 365, which protects against email, phishing, and collaboration threats. These two components work together within the Microsoft 365 Defender portal to correlate alerts and automate response across endpoints and Office 365 workloads.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security solution) with Microsoft Defender for Cloud Apps (a CASB component of Microsoft 365 Defender), leading them to incorrectly select Defender for Cloud as part of the integrated solution.

426
MCQeasy

A company stores sensitive customer data in an Azure SQL database. To protect this data, the database files are encrypted at rest using Transparent Data Encryption (TDE). Additionally, all network traffic between the application and the database is encrypted using TLS. Which security goal is primarily addressed by these encryption measures?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
AnswerC

Encryption at rest and in transit protects data from being read by unauthorized parties, directly supporting confidentiality.

Why this answer

Transparent Data Encryption (TDE) encrypts data at rest, meaning the database files on disk are encrypted so that unauthorized access to the physical storage cannot read the data. TLS encrypts data in transit between the application and the database, preventing eavesdropping or interception over the network. Together, these measures primarily ensure that sensitive customer data remains secret and inaccessible to unauthorized parties, which is the core goal of confidentiality.

Exam trap

The trap here is that candidates confuse encryption (which protects confidentiality) with integrity or non-repudiation, because encryption can indirectly help detect tampering in some contexts, but the primary security goal of TDE and TLS is to keep data secret, not to verify its origin or prevent denial of actions.

How to eliminate wrong answers

Option A is wrong because integrity ensures data has not been tampered with or altered, which is not the primary goal of encryption at rest or in transit; encryption protects secrecy, not modification detection (which would require hashing or digital signatures). Option B is wrong because availability ensures systems and data are accessible when needed, which encryption does not directly address; in fact, encryption can sometimes add overhead but does not guarantee uptime. Option D is wrong because non-repudiation ensures that an action or transaction cannot be denied by the parties involved, typically achieved through digital signatures and audit logs, not through encryption of data at rest or in transit.

427
MCQmedium

A company is subject to a legal hold for an ongoing investigation. The IT administrator must prevent the deletion of any documents related to this case across SharePoint Online and OneDrive, overriding any existing deletion policies. Which Microsoft Purview capability should the administrator use?

A.Data Lifecycle Management
B.eDiscovery (Premium)
C.Audit (Premium)
D.Communication Compliance
AnswerB

Correct. eDiscovery (Premium) allows administrators to place holds on content locations, preventing deletion for the duration of a legal case, overriding any existing deletion policies.

Why this answer

eDiscovery (Premium) is the correct choice because it provides legal hold capabilities that can preserve content in SharePoint Online and OneDrive for Business, overriding any deletion policies. When a legal hold is applied via eDiscovery, the system places a hold on the specified locations, preventing permanent deletion or modification of documents until the hold is released. This directly addresses the requirement to prevent deletion of case-related documents during an ongoing investigation.

Exam trap

The trap here is that candidates often confuse Data Lifecycle Management (which manages retention and deletion policies) with the legal hold capability, not realizing that only eDiscovery (Premium) can override existing policies to preserve content for an investigation.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management is used to define retention and deletion policies based on business or regulatory requirements, but it cannot override existing policies to enforce a legal hold for an investigation. Option C is wrong because Audit (Premium) provides detailed logging and investigation of user and admin activities, but it does not have the ability to place holds on content or prevent deletion. Option D is wrong because Communication Compliance is designed to detect and manage inappropriate communications (e.g., harassment, insider trading) by analyzing messages, not to preserve documents or enforce legal holds.

428
MCQeasy

A company wants to use Microsoft Intune to enforce that mobile devices have a PIN of at least 6 characters to access corporate resources. What should they configure?

A.Device compliance policy
B.Conditional access policy
C.App protection policy
D.Device configuration profile
AnswerA

Defines compliance rules like PIN length.

Why this answer

A device compliance policy in Microsoft Intune defines the rules that devices must meet to be considered compliant, such as requiring a PIN of at least 6 characters. When a device is marked non-compliant, Conditional Access can block access to corporate resources. This is the correct mechanism to enforce the PIN requirement at the device level before granting access.

Exam trap

The trap here is confusing the enforcement of device settings (Device Compliance Policy) with the configuration of settings (Device Configuration Profile) or app-level protection (App Protection Policy), leading candidates to select D or C instead of A.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies evaluate signals (like device compliance) to allow or block access, but they do not directly enforce device settings like PIN length; they rely on compliance policies to report that status. Option C is wrong because App Protection Policies (MAM) manage data protection within apps (e.g., copy/paste, encryption) and can require a PIN for app access, but they apply to apps on unmanaged devices and do not enforce device-level PIN requirements for all corporate resource access. Option D is wrong because Device Configuration Profiles push settings (e.g., Wi-Fi, VPN, email) to devices but do not enforce compliance or block access; they are for configuration, not conditional access enforcement.

429
MCQmedium

A company is involved in litigation. The legal team needs to preserve all relevant electronic documents that reside in Exchange Online, SharePoint Online, and OneDrive for Business. They must prevent users from deleting or modifying these documents while the lawsuit is active. Additionally, they need to search across these locations for specific keywords and export the results for review. Which Microsoft Purview solution should they use?

A.Microsoft Purview eDiscovery (Standard or Premium)
B.Microsoft Purview Audit
C.Microsoft Purview Data Lifecycle Management (retention policies/labels)
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerA

Correct: eDiscovery provides the ability to place legal holds, search across Microsoft 365 services, and export content for review, meeting all the requirements.

Why this answer

Microsoft Purview eDiscovery (Standard or Premium) is the correct solution because it provides end-to-end workflow for legal holds (preservation), content search across Exchange Online, SharePoint Online, and OneDrive for Business, and export of results. The legal hold feature prevents deletion or modification by locking the original content, while the search and export capabilities meet the keyword search and review requirements.

Exam trap

The trap here is that candidates often confuse retention policies (Data Lifecycle Management) with legal holds, but retention policies are for scheduled lifecycle management, not for ad-hoc litigation holds that require immediate preservation and search across multiple workloads.

How to eliminate wrong answers

Option B (Microsoft Purview Audit) is wrong because Audit focuses on logging and investigating user and admin activities, not on preserving documents or preventing modification/deletion. Option C (Microsoft Purview Data Lifecycle Management) is wrong because retention policies/labels are designed for automated retention and deletion schedules, not for ad-hoc legal holds with search and export capabilities. Option D (Microsoft Purview Data Loss Prevention) is wrong because DLP is used to prevent unauthorized sharing or leakage of sensitive data, not to preserve content for litigation or enable keyword search and export.

430
MCQhard

Refer to the exhibit. You run the PowerShell command shown to investigate a potential data exfiltration incident. The output is empty. Which is the most likely reason?

A.The user does not have a mailbox
B.The command syntax is incorrect
C.The user did not download or access any files in the past 7 days
D.Audit logging is not enabled for the tenant
AnswerD

Without audit logging enabled, no events are recorded.

Why this answer

Option D is correct because audit logging must be enabled to capture events; if it is disabled, the search returns nothing. Option A is wrong because the command runs against the unified audit log, not a specific mailbox.

Option B is wrong because the command uses correct syntax. Option C is wrong because, if logging were on, the search would return other events for the user regardless of whether the user actually downloaded files.

431
MCQmedium

A law firm, Wingtip Toys, uses Microsoft Purview to manage client data. They need to: (1) retain all documents related to client cases for 10 years after case closure; (2) automatically apply a 'Case' retention label to documents in specific SharePoint sites based on metadata; (3) allow case managers to manually label documents; (4) ensure that after 10 years, documents are deleted; (5) preserve data for legal hold purposes when litigation occurs. The firm has Microsoft 365 E5 licenses. The compliance team wants to minimize manual effort. What should they configure?

A.Create auto-apply retention labels for 'Case' documents with a retention period of 10 years and delete action, and enable litigation hold on relevant sites.
B.Create sensitivity labels with auto-labeling for case documents, and configure records management.
C.Create a default retention policy for all SharePoint sites with a 10-year retention period and delete action.
D.Create a Data Loss Prevention (DLP) policy to block sharing of case documents, and enable eDiscovery holds.
AnswerA

Auto-apply labels automate retention, and litigation hold preserves data during litigation.

Why this answer

Option A is correct because auto-apply retention labels based on metadata automate retention, and litigation hold preserves data during litigation. Option D is wrong because DLP policies do not manage retention. Option C is wrong because retention policies apply to all content in a location, not selectively.

Option B is wrong because sensitivity labels do not enforce retention.

432
MCQhard

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to prevent users from sharing sensitive credit card numbers via email. The DLP policy must trigger automatically when a user attempts to send an email containing a credit card number. Which DLP configuration should you use?

A.Create a DLP policy with a condition that matches the Credit Card Number sensitive info type and an action to block the email
B.Configure Double Key Encryption for the Exchange Online mailbox
C.Configure a Safe Links policy in Microsoft Defender for Office 365
D.Use Microsoft Purview Customer Key for encryption
AnswerA

This is the correct DLP configuration to block emails with credit card numbers.

Why this answer

Option A is correct because a DLP policy with a rule that uses a sensitive info type (Credit Card Number) and an action to block the email is the standard approach. Option C is wrong because Safe Links in Microsoft Defender for Office 365 is for anti-phishing and malware protection, not DLP. Option D is wrong because Customer Key is for encryption, not DLP.

Option B is wrong because Double Key Encryption is for protecting data with two keys, not for blocking sharing.

433
Multi-Selecteasy

Which TWO of the following are purposes of the 'Zero Trust' security model?

Select 2 answers
A.Explicitly verify every access request
B.Assume that everything is on an open network
C.Rely on a single perimeter firewall
D.Trust internal traffic implicitly
E.Assume that the network is always safe
AnswersA, B

Zero Trust requires explicit verification for every access attempt.

Why this answer

Zero Trust assumes breach and verifies each request as though it originates from an open network. It explicitly verifies every access request, regardless of source. It does not assume a trusted internal network; that is the traditional perimeter model.

It does not rely solely on a single perimeter firewall.

434
MCQhard

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. You need to ensure that when a user clicks a malicious link in an email, the user is warned and the action is blocked. Which policy should you configure?

A.Safe Attachments policy
B.Safe Links policy
C.Anti-spam policy
D.Anti-phishing policy
AnswerB

Safe Links provides time-of-click protection, blocking and warning users when they click malicious links.

Why this answer

Option B is correct because Safe Links in Defender for Office 365 provides real-time, time-of-click protection against malicious links. Option A is wrong because Safe Attachments scans attachments, not links. Option D is wrong because anti-phishing policies protect against spoofing and impersonation but do not block links at click time.

Option C is wrong because anti-spam policies filter spam, not malicious links.

435
MCQhard

As a compliance administrator for Contoso Ltd., you are responsible for implementing Microsoft Purview solutions to meet regulatory requirements. The organization operates in the healthcare sector and handles Protected Health Information (PHI). Your key objectives are: (1) Automatically detect PHI in documents stored in SharePoint Online and OneDrive for Business using built-in sensitive information types. (2) Apply a 'Highly Confidential - PHI' sensitivity label that encrypts the content and adds a custom header. (3) Ensure that the label is automatically applied when PHI is detected, with a policy that allows users to override the label with justification. (4) Audit all label application activities for compliance reporting. (5) Retain documents containing PHI for a minimum of 7 years. You have access to Microsoft Purview compliance portal. Which action should you take FIRST to achieve these objectives?

A.Create an auto-labeling policy in Microsoft Purview that applies the sensitivity label to documents containing PHI.
B.Enable auditing in Microsoft Purview by turning on Audit logging.
C.Create a sensitivity label named 'Highly Confidential - PHI' with encryption and header, and publish it to users and groups.
D.Create a retention label and policy to retain documents containing PHI for 7 years.
AnswerC

Correct: The label must be created and published before it can be applied automatically.

Why this answer

The first step is to create the sensitivity label with the required encryption and header settings and publish it so that it can be used in auto-labeling policies. Auto-labeling policies can then be configured to apply the label based on sensitive info types, with user override. Retention labels and policies are separate and can be configured later.

Audit is enabled by default but should be verified. Therefore, option C is the correct first action.

436
MCQeasy

Your organization is implementing a data loss prevention (DLP) policy to prevent sensitive data from being shared via email. Users in the finance department need to send financial reports to external auditors. What should you configure?

A.Add the auditors' domains to a DLP allow list
B.Configure a DLP policy with an override option allowing users to justify the sharing
C.Assign a sensitivity label that automatically encrypts the email
D.Configure a DLP policy with a block action for all external sharing
AnswerB

DLP policies can include user overrides with justification for specific scenarios.

Why this answer

Option B is correct because DLP policies can be configured with overrides that allow users to justify the action, which is appropriate for legitimate business needs. Option D is wrong because a block action would prevent all external sharing. Option A is wrong because an allow list is not a standard DLP configuration.

Option C is wrong because sensitivity labels are used for classification, not DLP actions.

437
MCQmedium

A company uses Microsoft Sentinel for security information and event management (SIEM). The security team needs to detect and automatically respond to a potential privilege escalation attack where an attacker attempts to add a new user to the Global Administrator role in Microsoft Entra ID. What should the security team configure?

A.Deploy a device compliance policy in Microsoft Intune
B.Configure a data classification label in Microsoft Purview
C.Create a policy in Microsoft Defender for Cloud Apps
D.Create an analytics rule with an automated playbook in Microsoft Sentinel
AnswerD

Sentinel can detect the event and trigger a playbook for automated response.

Why this answer

Option D is correct because Microsoft Sentinel analytics rules can detect the event and trigger an automated response using playbooks. Option C is wrong because Microsoft Defender for Cloud Apps handles cloud app security, not Entra ID role changes. Option B is wrong because Microsoft Purview is for data governance.

Option A is wrong because Microsoft Intune manages devices, not identity roles.

438
MCQmedium

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users receive a notification when their password is about to expire. Which feature should you configure?

A.Self-service password reset (SSPR)
B.Password expiration notifications
C.Identity Protection
D.Privileged Identity Management
AnswerB

Entra ID can email users before password expires.

Why this answer

The password expiration notifications feature is the correct choice because it directly sends email notifications to users when their password is nearing expiration. It is configured in the Microsoft Entra admin center under 'Password expiration notifications' and lets you set the number of days before expiration at which users are notified. It is a simple, built-in mechanism that does not require additional licensing or complex configuration.

Exam trap

The trap here is that candidates confuse 'password expiration notifications' with 'self-service password reset' (SSPR), assuming that SSPR includes proactive alerts, when in fact SSPR is a reactive reset tool and does not send expiration warnings.

How to eliminate wrong answers

Option A is wrong because Self-service password reset (SSPR) allows users to reset their own passwords when forgotten or expired, but it does not proactively send notifications about upcoming password expiration. Option C is wrong because Identity Protection is a risk-based security feature that detects and responds to identity threats, such as leaked credentials or suspicious sign-ins, and does not handle password expiration notifications. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time access and role activation for privileged roles, and has no capability to send password expiration alerts.

439
MCQmedium

Your organization uses Microsoft Purview to enforce retention policies. You need to retain all documents in a specific SharePoint site for 5 years after they are created, and then delete them permanently. What should you configure?

A.A DLP policy with a retention rule
B.A retention policy set to retain for 5 years and then delete
C.A retention label set to retain for 5 years and then delete
D.A sensitivity label with a retention setting
AnswerB

A retention policy can be applied to a SharePoint site with the specified action.

Why this answer

Option B is correct because a retention policy set to 'Retain for 5 years then delete' keeps items for 5 years and then permanently deletes them. Option C is wrong because a retention label is applied manually or automatically to individual items, whereas a policy can be scoped to the whole site. Option A is wrong because a DLP policy is for preventing data loss, not retention.

Option D is wrong because a sensitivity label is for classification, not retention.

440
MCQ, hard

Refer to the exhibit. An administrator runs this KQL query in Microsoft Purview Audit. What is the purpose of this query?

A. To find the total number of file uploads by all users in the last 30 days
B. To find files larger than a certain size uploaded by a specific user
C. To list all files deleted by a specific user in the last 30 days
D. To identify file types that a specific user uploaded more than 10 times in the last 30 days
Answer: D

The query groups by file type and counts only those with count > 10.

Why this answer

Option D is correct because the query filters for file uploads by a specific user in the last 30 days, groups by file type, and keeps only the types with more than 10 uploads. Option A is wrong because the query is scoped to a single user, not all users. Option C is wrong because the query concerns uploads, not deletions. Option B is wrong because there is no file size filter.

441
MCQ, medium

Your organization uses Microsoft Entra ID and Microsoft Defender for Cloud Apps. You want to monitor and control the use of cloud apps by enforcing session policies, such as preventing downloads from unmanaged devices. Which integration should you use?

A. Microsoft Purview
B. Microsoft Sentinel
C. Microsoft Intune
D. Microsoft Defender for Cloud Apps
Answer: D

Defender for Cloud Apps provides session policies via Conditional Access App Control.

Why this answer

Microsoft Defender for Cloud Apps is the correct integration because it provides Cloud Access Security Broker (CASB) functionality, enabling session policies via reverse proxy to control user actions like blocking downloads from unmanaged devices. These policies are enforced in real-time by inspecting and modifying traffic to cloud apps based on device compliance signals from Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Intune's device management capabilities with the real-time session enforcement provided by Defender for Cloud Apps, assuming Intune can directly block downloads from unmanaged devices in cloud apps, which it cannot.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview focuses on data governance, compliance, and information protection (e.g., DLP, retention labels), not on real-time session control of cloud app usage. Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and SOAR tool for threat detection and response, not for enforcing granular session policies on cloud apps. Option C is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) service that manages devices and apps, but it does not provide the reverse proxy session-level controls needed to enforce policies like preventing downloads from unmanaged devices in cloud apps.

442
MCQ, medium

A company uses Microsoft Defender for Cloud Apps to monitor SaaS app usage. The security team wants to receive an alert when a user downloads more than 10 files from SharePoint Online within 5 minutes. Which type of policy should they create?

A. Session policy
B. Anomaly detection policy
C. OAuth app policy
D. File policy
Answer: B

Anomaly detection policies identify unusual user behavior, such as mass downloads, based on learned baselines.

Why this answer

Anomaly detection policies use machine learning to detect unusual user behavior based on historical baselines, such as mass file downloads. Activity policies are rule-based but require explicit thresholds; however, the scenario describes behavior that is best detected by an anomaly detection policy because it adapts to typical usage patterns. Option A is wrong because session policies control real-time access.

Option C is wrong because OAuth app policies govern app permissions. Option D is wrong because file policies apply to specific files or metadata.

443
MCQ, medium

Your company uses Microsoft Sentinel to centralize security event monitoring. You need to create a custom analytics rule that triggers an alert when a user account is created outside of business hours. Which rule type should you use?

A. Microsoft Security incident creation rule
B. Anomaly analytics rule
C. Near-real-time (NRT) analytics rule
D. Scheduled query analytics rule
Answer: D

Scheduled query rules allow custom KQL queries to detect specific events.

Why this answer

Option D is correct because scheduled query rules run a custom KQL query on a schedule and can detect patterns such as account creation outside business hours. Option C is wrong because NRT rules provide near-real-time detection but are limited in the query logic they support. Option A is wrong because Microsoft Security incident creation rules create incidents from alerts raised by other Microsoft security products. Option B is wrong because anomaly rules use machine learning to find behavioral anomalies, not a specific condition like this one.

444
Multi-Select, easy

Which THREE of the following are retention actions in Microsoft Purview Data Lifecycle Management? (Select THREE.)

Select 3 answers
A. Delete the content after a specified period
B. Automatically archive the content
C. Apply a sensitivity label to the content
D. Retain the content for a period and then delete it
E. Retain the content for a specified period
Answers: A, D, E

Delete is a retention action.

Why this answer

Options A, D, and E are correct because delete, retain and then delete, and retain are the standard retention actions. Option B is wrong because archiving is not a retention action; it is a separate feature. Option C is wrong because applying a sensitivity label is a classification action, not a retention action.

445
MCQ, hard

An organization uses Microsoft Entra ID for identity management. They want to implement a risk-based conditional access policy that requires multi-factor authentication (MFA) when sign-in risk is medium or high. Which policy settings should they configure?

A. Assign 'User risk' condition to 'Medium and above' and grant 'Require MFA'
B. Assign 'Device compliance' condition to 'Compliant' and grant 'Require MFA'
C. Assign 'Location' condition to 'All trusted locations' and grant 'Require MFA'
D. Assign 'Sign-in risk' condition to 'Medium and above' and grant 'Require MFA'
Answer: D

Sign-in risk directly addresses suspicious sign-in patterns.

Why this answer

Option D is correct because the scenario explicitly requires a risk-based conditional access policy that triggers MFA based on sign-in risk level. In Microsoft Entra ID, the 'Sign-in risk' condition evaluates the likelihood that the authentication attempt is not legitimate, using signals such as anonymous IP addresses, atypical travel, or malware-linked IPs. By setting this condition to 'Medium and above' and granting 'Require MFA', the policy enforces MFA only when the sign-in risk is assessed as medium or high, directly matching the requirement.

Exam trap

The trap here is confusing 'User risk' (which targets compromised user accounts) with 'Sign-in risk' (which targets suspicious authentication attempts), leading candidates to incorrectly select Option A when the question specifically asks about sign-in risk.

How to eliminate wrong answers

Option A is wrong because 'User risk' condition evaluates the risk level of the user account (e.g., leaked credentials, suspicious activity), not the risk of the current sign-in session; this would address compromised accounts rather than risky sign-ins. Option B is wrong because 'Device compliance' condition checks whether the device meets compliance policies (e.g., BitLocker enabled, OS updates), which is unrelated to sign-in risk; this would enforce MFA based on device health, not risk level. Option C is wrong because 'Location' condition with 'All trusted locations' would typically exclude trusted locations from requiring MFA, or apply MFA only from untrusted locations, which does not align with a risk-based approach based on sign-in risk signals.

446
Multi-Select, medium

Your organization is deploying Microsoft Purview. You need to automatically apply a sensitivity label to documents that contain passport numbers. Which TWO components must you configure?

Select 2 answers
A. Sensitive information type for passport numbers
B. Retention label
C. Data loss prevention (DLP) policy
D. Auto-labeling policy
E. Trainable classifier
Answers: A, D

Sensitive information types define the pattern to detect passport numbers.

Why this answer

Options A and D are correct. Sensitive information types (A) define the pattern that matches passport numbers, and auto-labeling policies (D) apply the label automatically when that pattern is detected. Option C is wrong because DLP policies prevent data loss but do not apply sensitivity labels. Option B is wrong because retention labels manage retention, not sensitivity. Option E is wrong because trainable classifiers are for machine learning-based classification, not for simple pattern matching like passport numbers.

447
Multi-Select, hard

You are a security architect for a large enterprise using Microsoft Entra ID. You need to implement a solution that enforces least-privilege access and reduces lateral movement. Which THREE Microsoft Entra capabilities should you include in your design?

Select 3 answers
A. Identity Protection
B. Password hash synchronization
C. Privileged Identity Management (PIM)
D. Conditional Access policies
E. Microsoft Defender for Cloud Apps
Answers: A, C, D

Correct: Identity Protection detects and remediates identity-based risks, helping to reduce lateral movement.

Why this answer

Identity Protection is correct because it uses machine learning to detect and automatically respond to identity-based risks, such as leaked credentials or anomalous sign-in patterns, which directly reduces the attack surface and limits lateral movement by blocking or challenging risky authentications before an attacker can pivot.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for SaaS app governance) with a core Entra ID capability, or mistakenly think password hash synchronization provides a security benefit beyond authentication synchronization.

448
MCQ, hard

Contoso Ltd. is a financial services company that must comply with strict regulatory requirements. They use Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender for Cloud Apps. The compliance team needs to implement a data loss prevention (DLP) policy that detects and prevents the sharing of credit card numbers in Microsoft Teams messages. Additionally, they want to ensure that only users with a specific custom sensitivity label can access documents containing credit card numbers. The sensitivity label is named 'Financial-Confidential' and is applied automatically via auto-labeling. The DLP policy should block sharing of credit card numbers in Teams but allow users to override the block with a business justification. Which combination of actions should you configure in the Microsoft Purview DLP policy to meet these requirements?

A. Create a DLP policy in Microsoft Purview that blocks sharing of credit card numbers in Teams and does not allow overrides. Configure the policy to apply to all content.
B. Configure a session policy in Microsoft Defender for Cloud Apps that monitors Teams for credit card numbers and blocks sharing. Use the 'Block with override' action.
C. Create a DLP policy in Microsoft Purview that blocks sharing of credit card numbers in Teams and allows overrides with business justification. Configure the policy to apply to content containing the 'Financial-Confidential' sensitivity label.
D. Use the built-in DLP template for financial data in Microsoft Purview and enable the 'Block with override' action. Set the scope to Teams.
Answer: C

Meets all requirements.

Why this answer

Option C is correct. A custom DLP policy with a condition for credit card numbers and the action 'Block with override' blocks sharing while still allowing users to override with a business justification. The sensitivity label condition ensures that only content carrying the 'Financial-Confidential' label is subject to the policy.

Option A is wrong because blocking without override does not allow a business justification. Option D is wrong because a built-in DLP template may not integrate with the custom sensitivity label. Option B is wrong because configuring the policy in Defender for Cloud Apps is unnecessary; Microsoft Purview is the correct administrative center for DLP.

449
MCQ, medium

An organization runs workloads in Azure, an on-premises data center, and multiple third-party cloud environments. The security team needs a single, cloud-native solution that provides a unified view of the security posture across all these environments, along with a secure score and actionable recommendations. They also want to protect these workloads with advanced threat detection. Which Microsoft security solution should they implement?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft 365 Defender
D. Microsoft Defender for Endpoint
Answer: B

Microsoft Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP) across hybrid and multi-cloud environments. It delivers a secure score, actionable recommendations, and advanced threat detection for servers, containers, databases, and more.

Why this answer

Microsoft Defender for Cloud is the correct choice because it provides a unified cloud-native security posture management (CSPM) solution that covers Azure, on-premises, and multi-cloud environments (including AWS and GCP). It delivers a secure score based on security controls and actionable recommendations via Azure Policy, and includes advanced threat detection (e.g., fileless attack detection, network anomaly detection) for workloads across these environments.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with a CSPM tool, but Sentinel does not provide a secure score or native multi-cloud posture recommendations; Defender for Cloud is the dedicated CSPM and workload protection solution.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution focused on log ingestion, threat hunting, and incident response, not a unified security posture management tool with a secure score and CSPM recommendations. Option C is wrong because Microsoft 365 Defender is a suite for protecting Microsoft 365 services (Exchange, SharePoint, Teams) and endpoints, not designed for multi-cloud workload security posture or cross-environment secure score. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (Windows, macOS, Linux), not a multi-cloud workload protection platform with CSPM capabilities.

450
MCQ, easy

An organization is implementing a Zero Trust security model. Which principle requires that every access request must be fully authenticated, authorized, and verified based on all available signals, regardless of the user's network location?

A. Verify explicitly
B. Least privilege
C. Assume breach
D. Defense in depth
Answer: A

This principle states that authentication and authorization should be performed for every access request using all available signals.

Why this answer

The 'Verify explicitly' principle of Zero Trust mandates that every access request must be fully authenticated, authorized, and encrypted based on all available data points—including user identity, device health, location, and behavioral signals—regardless of whether the request originates from inside or outside the corporate network. This contrasts with traditional perimeter-based models that implicitly trust internal traffic.

Exam trap

The trap here is that candidates confuse 'Verify explicitly' with 'Least privilege' because both involve access control, but 'Verify explicitly' is about continuous authentication and authorization of every request, while 'Least privilege' is about limiting permissions after access is granted.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting user permissions to the minimum necessary to perform a task, not on verifying every access request based on all signals. Option C (Assume breach) is wrong because it describes the mindset of designing systems to minimize blast radius and detect breaches, not the requirement to authenticate and authorize each request. Option D (Defense in depth) is wrong because it refers to layering multiple security controls (e.g., firewalls, antivirus, IDS) to protect assets, not the explicit verification of every access attempt.
