Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900): Questions 451-525

1411 questions total · 19 pages · All types, answers revealed


Page 7 of 19

451 · MCQ · hard

A financial services organization must prevent employees in the Research department from communicating via email or Microsoft Teams with employees in the Investment Banking department to avoid conflicts of interest. Additionally, they need to prevent any credit card numbers from being shared in emails sent to external recipients. Which combination of Microsoft Purview solutions should they implement?

A. Information Barriers and Data Loss Prevention
B. Communication Compliance and Insider Risk Management
C. Information Barriers and Communication Compliance
D. Data Lifecycle Management and Data Loss Prevention
Answer: A

Correct. Information Barriers block communications between defined groups, and Data Loss Prevention (DLP) prevents sensitive data like credit card numbers from being shared externally.

Why this answer

Information Barriers are designed to prevent communication and collaboration between specific groups to avoid conflicts of interest (e.g., research vs. investment banking). Data Loss Prevention (DLP) policies detect and protect sensitive information such as credit card numbers from being shared externally. Communication Compliance focuses on monitoring communications for regulatory compliance but does not block communications, and Insider Risk Management analyzes risky user activities but does not enforce segmentation.

452 · MCQ · medium

An organization adopts a security model that requires explicit verification of every access request, uses least privilege principles, and assumes that a breach has already occurred. Which security model does this describe?

A. Perimeter-based security
B. Defense in depth
C. Zero Trust
D. Shared responsibility
Answer: C

Zero Trust explicitly verifies every access, enforces least privilege, and assumes breach, matching the description.

Why this answer

Zero Trust is the correct answer because the model explicitly requires verification of every access request, enforces least privilege, and assumes breach. This aligns with the core Zero Trust principles of 'never trust, always verify,' continuous validation, and micro-segmentation, as opposed to traditional perimeter-based models that implicitly trust internal traffic.

Exam trap

The trap here is that candidates confuse 'defense in depth' with Zero Trust because both involve multiple security layers, but defense in depth does not require explicit verification of every request or the assumption of breach, which are unique to Zero Trust.

How to eliminate wrong answers

Option A is wrong because perimeter-based security relies on a trusted internal network and a hardened boundary, which contradicts the assumption of breach and explicit verification of every request. Option B is wrong because defense in depth is a layered security strategy that uses multiple controls (firewalls, antivirus, etc.) but does not inherently require explicit verification of every access request or assume a breach has already occurred. Option D is wrong because shared responsibility is a cloud security model that defines which security tasks are handled by the provider versus the customer, not a model for access verification or breach assumption.

453 · MCQ · hard

A security team monitors user activities in third-party cloud apps like Box and Dropbox. They want to automatically detect when a user performs an anomalous file download after signing in from an unusual location, and then suspend the user's account and initiate an investigation. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
Answer: B

Defender for Cloud Apps is designed to secure cloud apps (e.g., Box, Dropbox) with anomaly detection and automated actions such as user suspension.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) functionality, including anomaly detection for user activities across third-party cloud apps like Box and Dropbox. It can automatically detect anomalous file downloads after unusual sign-in locations using behavioral analytics and then trigger automated actions such as suspending the user account and initiating an investigation via integration with Microsoft 365 Defender.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Identity, thinking both handle user behavior, but MDCA focuses on cloud app usage while MDI focuses on on-premises identity attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, not on monitoring user activities in third-party cloud apps like Box or Dropbox. Option C is wrong because Microsoft Defender for Identity is designed to detect on-premises Active Directory attacks (e.g., Kerberos abuse, lateral movement) using domain controller traffic, not user behavior in SaaS apps. Option D is wrong because Microsoft Defender for Endpoint protects endpoints (Windows, macOS, Linux) from malware and advanced attacks, not user activities in cloud apps.

454 · MCQ · hard

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Sentinel. The query returns sign-in logs with error code 50076. What does this error indicate?

A. The user did not pass multi-factor authentication.
B. The user account is disabled.
C. The user's password has expired.
D. The sign-in was blocked by a Conditional Access policy.
Answer: A

Error 50076 means MFA challenge failed.

Why this answer

Error code 50076 in Microsoft Entra sign-in logs specifically indicates that the user did not pass multi-factor authentication (MFA). This error is returned when the MFA challenge fails, such as when the user enters an incorrect verification code, denies the push notification, or the MFA session expires. It is a direct signal that the authentication attempt was not completed successfully due to MFA failure.

Exam trap

The trap here is that candidates confuse the error code for failing MFA (50076) with the error code for being blocked by a Conditional Access policy (53003), because both involve MFA enforcement, but the error codes indicate different stages of the authentication flow.

How to eliminate wrong answers

Option B is wrong because a disabled user account would generate error code 50057 (user account is disabled), not 50076. Option C is wrong because an expired password results in error code 50055 (password expired), not 50076. Option D is wrong because a sign-in blocked by a Conditional Access policy would return error code 53003 (blocked by Conditional Access), not 50076.

455 · MCQ · medium

A security analyst needs to investigate a phishing campaign that targeted multiple users. They want to correlate email threat data with user actions and device signals. Which Microsoft security solution should they use as the primary investigation console?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft 365 Defender
D. Microsoft Sentinel
Answer: C

It provides cross-domain incident correlation and investigation across email, endpoints, identities, and cloud apps.

Why this answer

Microsoft 365 Defender provides a unified investigation experience across email, endpoints, identities, and cloud apps. Option A is wrong because Microsoft Defender for Endpoint is for endpoint threats only. Option B is wrong because Microsoft Defender for Office 365 is for email only. Option D is wrong because Microsoft Sentinel is a SIEM that can ingest data but is not the primary console for Defender incident investigation.

456 · MCQ · easy

A compliance officer needs to create a policy that prevents users from sharing files containing medical record numbers (MRN) via email. Which Microsoft Purview solution should they use?

A. Sensitivity labels
B. Data Loss Prevention (DLP)
C. eDiscovery
D. Insider risk management
Answer: B

DLP policies can block emails containing MRNs.

Why this answer

Data Loss Prevention (DLP) policies are designed to detect and block sharing of sensitive information like MRNs via email. Sensitivity labels classify content but do not enforce sharing restrictions. Insider risk management and eDiscovery are not for blocking sharing.

457 · MCQ · medium

A company uses Microsoft Entra ID and wants to allow users to sign in using biometrics (fingerprint or face) on their mobile devices instead of passwords. They want this to work for both iOS and Android devices. Which Microsoft Entra ID feature should they enable?

A. Passwordless authentication using Microsoft Authenticator
B. Microsoft Entra Connect Sync Health
C. Microsoft Entra ID Protection
D. Self-Service Password Reset (SSPR)
Answer: A

Microsoft Authenticator app can be configured for passwordless phone sign-in, enabling users to authenticate with a biometric gesture or PIN without entering a password.

Why this answer

Option A is correct because Microsoft Authenticator supports passwordless authentication using FIDO2-based biometric verification on mobile devices. This feature allows users to sign in with a fingerprint or face on both iOS and Android, eliminating the need for a password while leveraging the device's built-in biometric capabilities.

Exam trap

The trap here is that candidates may confuse Self-Service Password Reset (SSPR) with passwordless authentication, but SSPR only resets passwords and does not enable biometric sign-in without a password.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Connect Sync Health is a monitoring tool for synchronization health, not a feature for passwordless authentication. Option C is wrong because Microsoft Entra ID Protection is a security service that detects and responds to identity risks, not a mechanism for biometric sign-in. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their passwords, not to sign in without a password using biometrics.

458 · MCQ · medium

Refer to the exhibit. You are reviewing a Communication Compliance policy. What does this policy do when a user sends an email containing EU GDPR PII to privacy@contoso.com?

A. It blocks the email from being sent.
B. It notifies the policy owner and generates a case for investigation.
C. It automatically deletes the email after 30 days.
D. It applies a sensitivity label to the email.
Answer: B

The actions include NotifyPolicyOwner and GenerateCase.

Why this answer

Option B is correct because the policy actions are to notify the policy owner and generate a case for investigation. Option A is wrong because the policy does not block the email. Option C is wrong because it does not automatically delete the email. Option D is wrong because it does not apply a label.

459 · MCQ · easy

Your company wants to use Microsoft Purview to classify and protect sensitive data in Microsoft 365. The compliance team needs to automatically detect credit card numbers in emails and apply a label that encrypts the email. What should they configure?

A. A trainable classifier for credit card numbers
B. A retention label for credit card information
C. A data loss prevention (DLP) policy
D. A sensitivity label with auto-labeling for sensitive information types
Answer: D

Auto-labeling can apply encryption based on sensitive data detection.

Why this answer

Sensitivity labels with auto-labeling can detect sensitive data and apply encryption automatically. Option A is incorrect because trainable classifiers are for data classification, not automatic labeling. Option B is incorrect because retention labels are for retention, not protection. Option C is incorrect because DLP policies block or warn, not label.

460 · MCQ · medium

A security administrator needs to identify users who are repeatedly failing to authenticate from unusual locations. Which Microsoft 365 security feature provides this visibility?

A. Microsoft Purview Insider Risk Management
B. Microsoft Entra ID Protection
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: B

Correct: It detects risky sign-ins and user behavior.

Why this answer

Microsoft Entra ID Protection analyzes sign-in risks and can identify users with multiple failed attempts from atypical locations.

461 · MCQ · medium

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default filters. You need to create a custom mail flow rule to block similar emails based on specific keywords in the subject line. Which tool should you use?

A. Microsoft 365 Defender portal
B. Microsoft Defender for Cloud Apps portal
C. Exchange admin center
D. Microsoft Entra admin center
Answer: C

Correct: EAC allows creation of mail flow rules (transport rules) to block based on subject keywords.

Why this answer

Exchange admin center (EAC) allows creating mail flow rules (transport rules) based on conditions like subject keywords, so Option C is correct. Option A (Microsoft 365 Defender portal) includes security policies but not mail flow rules. Option B (Defender for Cloud Apps portal) is for cloud apps. Option D (Microsoft Entra admin center) is for identity.

462 · Multi-Select · easy

Which THREE of the following are components of the Zero Trust security model?

Select 3 answers
A. Use least privilege access
B. Single sign-on (SSO)
C. Network perimeter security
D. Assume breach
E. Verify explicitly
Answers: A, D, E

Limit user access with Just-In-Time and Just-Enough-Access.

Why this answer

The three core principles of Zero Trust are: verify explicitly, use least privilege access, and assume breach. Network perimeter security is a traditional model, not Zero Trust. Single sign-on is a convenience feature, not a core principle.

463 · Multi-Select · medium

Your organization is planning to use Microsoft Sentinel as a SIEM solution. Which TWO of the following are required components for Sentinel? (Select TWO.)

Select 2 answers
A. A Log Analytics workspace
B. A playbook for automated response
C. Data connectors to ingest security data
D. A workbook for dashboards
E. A KQL query for threat detection
Answers: A, C

Sentinel is built on Log Analytics workspaces.

Why this answer

Options A and C are correct: a Log Analytics workspace is the underlying data store, and data connectors are needed to ingest logs. Option B is wrong because a playbook is optional automation. Option D is wrong because a workbook is optional visualization. Option E is wrong because a KQL query is used for analysis but is not a required component.

464 · Multi-Select · hard

Refer to the exhibit. An administrator deploys this Azure Resource Manager template. Which TWO of the following statements are true?

Select 2 answers
A. The template creates a resource group if it does not exist.
B. The policy assignment enforces encryption on existing SQL databases.
C. The template deploys a new SQL database.
D. The policy assignment audits whether SQL Database transparent data encryption is enabled.
E. The policy assignment can be deployed to a subscription or management group.
Answers: D, E

The policy definition ID maps to the built-in policy for SQL TDE auditing.

Why this answer

The policy definition ID corresponds to 'Audit if SQL Database encryption is not enabled'. The effect is 'AuditIfNotExists', so it audits but does not enforce. The assignment is at subscription/management group scope, not resource group.

It does not deploy a resource but assigns a policy.

465 · MCQ · medium

Your organization wants to automatically retain customer emails for 5 years after they are received, and then delete them. You need to configure the appropriate Microsoft Purview solution. What should you use?

A. eDiscovery case
B. Data loss prevention (DLP) policy
C. Sensitivity label
D. Retention label published automatically
Answer: D

Retention labels can be auto-applied and define retention and deletion.

Why this answer

Option D is correct because retention labels can be applied automatically based on conditions (like emails containing 'customer') and can specify both retention and deletion actions. Option A is wrong because eDiscovery is for searching and exporting content, not retention. Option B is wrong because data loss prevention policies prevent sharing but do not handle retention. Option C is wrong because sensitivity labels classify and protect content but do not manage retention.

466 · MCQ · medium

A consulting firm is involved in a legal investigation. They need to preserve all emails and documents from two specific employees (custodians) related to a contract dispute. The data must be collected and stored in a secure location for legal review without modifying the original data. Which Microsoft Purview solution should they use?

A. Data Lifecycle Management
B. eDiscovery (Premium)
C. Audit (Premium)
D. Communication Compliance
Answer: B

Correct. eDiscovery (Premium) allows an organization to identify and preserve custodians, place holds, collect data from various sources, and place it in a review set for legal analysis without altering the original data.

Why this answer

eDiscovery (Premium) is the correct solution because it is specifically designed for legal investigations, allowing you to identify, preserve, collect, and analyze data from custodians (e.g., employees) without altering the original data. It places a legal hold on mailboxes and sites, ensuring that emails and documents related to the contract dispute are stored in a secure review location for legal review, meeting the requirement of non-modification.

Exam trap

The trap here is that candidates often confuse eDiscovery (Premium) with Audit (Premium) because both involve investigation, but Audit only logs events and does not preserve or collect the actual data for legal review.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management (DLM) focuses on automating retention and deletion policies based on data governance rules, not on preserving data for legal hold or custodian-based collection. Option C is wrong because Audit (Premium) provides detailed logging and investigation of user and admin activities, but it does not preserve or collect data for legal review; it only records events. Option D is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) using policies, not to preserve or collect data for a legal investigation involving specific custodians.

467 · MCQ · medium

A company wants to allow external business partners to access a specific SharePoint Online site using their own corporate identities (such as Google or Facebook accounts). The company also needs to enforce multi-factor authentication (MFA) for these external users. Which Microsoft Entra capability should the administrator configure?

A. Microsoft Entra Connect
B. Microsoft Entra External Identities (B2B collaboration)
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: B

B2B collaboration allows you to invite external users to your tenant using their own identities (e.g., Google, Facebook, or any Microsoft Entra ID tenant). Combined with Conditional Access, you can enforce MFA for those guest users.

Why this answer

Microsoft Entra External Identities (B2B collaboration) allows you to invite external users (including those with social identities like Google or Facebook) to access your organization's resources using their own identities. It supports conditional access policies, including the enforcement of multi-factor authentication (MFA) for guest users, which meets both requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (which handles hybrid identity sync) with External Identities (which handles guest user access), or they assume Identity Protection or PIM can be used to grant external access, when they are security monitoring and privilege management tools respectively.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for synchronizing on-premises Active Directory identities to Microsoft Entra ID, not for inviting external users with social identities. Option C is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation tool for user identities, not a mechanism to invite external users or enforce MFA on guest access. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews, not external user invitations or MFA enforcement for guest users.

468 · MCQ · easy

A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?

A. Protecting the physical datacenter and the underlying hardware
B. Configuring the operating system firewall on each VM
C. Installing and patching the application software
D. Managing user access to the application
Answer: A

Microsoft retains responsibility for the physical security of datacenters, servers, storage, and networking hardware in all cloud models, including IaaS.

Why this answer

In an IaaS model, Microsoft retains responsibility for the physical datacenter, including physical security, the network infrastructure, and the underlying hardware (servers, storage, networking). This is because the customer manages the guest OS, application, and data, while Microsoft manages the physical layer up to the hypervisor. Option A correctly identifies this retained responsibility.

Exam trap

The trap here is that candidates often confuse 'security of the cloud' (Microsoft's responsibility for the physical infrastructure) with 'security in the cloud' (the customer's responsibility for their own configurations, applications, and data), leading them to incorrectly assign guest OS or application-level tasks to Microsoft.

How to eliminate wrong answers

Option B is wrong because configuring the guest OS firewall on each VM is the customer's responsibility, as they manage the guest operating system. Option C is wrong because installing and patching the application software is the customer's responsibility, as they own the application code and its deployment. Option D is wrong because managing user access to the application is the customer's responsibility, as they control identity and access management within their own application and Azure AD tenant.

469 · MCQ · hard

A company runs Azure VMs and on-premises Windows servers. They need a solution that provides vulnerability assessment, a regulatory compliance dashboard, and threat detection for their hybrid workloads. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: A

Defender for Cloud offers vulnerability assessment, compliance dashboards, and threat detection for both Azure and on-premises workloads via Azure Arc.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) provides unified security management across hybrid cloud workloads. It includes vulnerability assessment for VMs, a regulatory compliance dashboard with built-in standards like SOC 2 and PCI DSS, and integrated threat detection using behavioral analytics and machine learning. This makes it the correct choice for the described requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's SIEM capabilities with Defender for Cloud's workload protection features, but Sentinel requires manual log ingestion and does not provide native vulnerability scanning or compliance dashboards for VMs.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution focused on log aggregation, incident response, and advanced threat hunting, not a built-in vulnerability assessment or compliance dashboard for VMs. Option C is wrong because Microsoft Defender for Identity is an on-premises identity security solution that detects threats using Active Directory signals, not a workload vulnerability or compliance tool. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB for shadow IT discovery and app governance, not a solution for VM vulnerability assessment or regulatory compliance dashboards.

470 · MCQ · hard

Your organization has a Microsoft Purview compliance portal. You need to audit who deleted a specific file from SharePoint Online last week. What should you do?

A. Use Content Search in eDiscovery
B. Search the unified audit log in Microsoft Purview
C. Configure a retention policy for SharePoint
D. Review the data classification dashboard
Answer: B

Audit log records user and admin activities.

Why this answer

Option B is correct because Microsoft Purview Audit (Premium) allows searching the unified audit log for events like file deletion. Option A is wrong because Content Search is for eDiscovery, not auditing. Option C is wrong because retention policies preserve data but do not provide audit logs. Option D is wrong because data classification is for labeling, not auditing.

471 · Multi-Select · hard

Which TWO of the following are benefits of using Microsoft Entra ID Governance?

Select 2 answers
A. Network segmentation for on-premises resources.
B. Automated access reviews for group memberships.
C. Synchronizing identities from on-premises Active Directory.
D. Lifecycle workflows for employee onboarding and offboarding.
E. Enforcing multi-factor authentication for all users.
Answers: B, D

Access reviews are a governance feature.

Why this answer

Options B and D are correct: Entra ID Governance includes access reviews and lifecycle workflows. Option A is wrong because network segmentation is not identity governance. Option C is wrong because identity synchronization is Microsoft Entra Connect. Option E is wrong because MFA enforcement is Conditional Access.

472 · Multi-Select · hard

Your company uses Microsoft Sentinel as a SIEM. You need to collect logs from a third-party firewall. Which THREE methods can you use?

Select 3 answers
A. Microsoft Defender for Cloud
B. Common Event Format (CEF)
C. Data connectors from Microsoft Sentinel
D. Syslog
E. Azure Monitor Agent
Answers: B, C, D

CEF is a standard format for security event logs, often used by firewalls.

Why this answer

Options B, C, and D are correct. CEF (B) is a common log format for security devices. Microsoft Sentinel data connectors (C) often include built-in connectors for common firewalls. Syslog (D) is a standard protocol for log forwarding. Option A is wrong because Microsoft Defender for Cloud is a security posture management tool, not a log collection method. Option E is wrong because Azure Monitor Agent is for Windows/Linux VMs, not network appliances.

473 · MCQ · easy

Your organization uses Microsoft Entra ID Governance. You need to ensure that guest users' access to internal applications is automatically removed after 90 days. What should you configure?

A. Entitlement management
B. Access reviews
C. Identity Protection
D. Privileged Identity Management (PIM)
Answer: B

Access reviews can be configured to automatically remove access after a specified number of days.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to configure recurring reviews of guest user access to internal applications. By creating an access review with a duration of 90 days and enabling automatic removal of denied users, you ensure that guest access is automatically revoked after the review period ends. This directly meets the requirement for time-based automatic removal.

Exam trap

The trap here is that candidates confuse entitlement management's access package expiration with the automatic removal requirement, but entitlement management only removes access at the end of an access package assignment duration, not based on a recurring review cycle that can enforce removal after a specific number of days regardless of the access package lifecycle.

How to eliminate wrong answers

Option A is wrong because entitlement management manages access packages and catalogs for provisioning access, but it does not automatically remove access after a fixed duration without an associated access review policy. Option C is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised accounts, sign-in anomalies), not on scheduling automatic removal of guest access. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it is designed for administrative roles, not for managing guest user access to internal applications with a 90-day removal policy.

474 · MCQ · hard

Refer to the exhibit. You run an Advanced Hunting query in Microsoft Defender XDR. What is the primary purpose of this query?

A. Find IP addresses with failed logon attempts.
B. List all interactive logons from Office 365 applications.
C. Detect non-interactive logons to Office 365.
D. Identify accounts with a high number of interactive logons, potentially indicating brute-force activity.
Answer: D

The query counts logons per user/IP and filters for >10, which can indicate brute-force attempts.

Why this answer

The query filters for interactive logon events to Office 365 over the past 7 days, groups by user and IP, and counts occurrences. It then filters for accounts with more than 10 logon events, which helps identify accounts with unusually high logon activity, potentially indicating brute-force attacks or compromised accounts. Option D is correct.

475 · MCQ · hard

A security analyst needs to investigate a potential ransomware attack affecting multiple endpoints. They want to centralize detection and response across devices, email, and applications. Which Microsoft solution should they use?

A. Microsoft 365 Defender (now Microsoft Defender XDR)
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud
Answer: A

Microsoft Defender XDR correlates alerts across endpoints, email, identities, and apps for unified response.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) provides unified detection and response across endpoints, email, identities, and applications. Microsoft Sentinel is a SIEM for broader security data. Defender for Cloud is for cloud workloads.

Defender for Endpoint only covers endpoints.

476 · Multi-Select · medium

Which THREE of the following are features of Microsoft Purview Communication Compliance?

Select 3 answers
A. Automatically quarantine emails that contain malware
B. Provide policy tips to users when they send potentially non-compliant messages
C. Enforce multi-factor authentication for sensitive roles
D. Create custom keyword dictionaries to detect policy violations
E. Monitor Microsoft Teams chat messages for inappropriate language
Answers: B, D, E

Policy tips can educate users.

Why this answer

Microsoft Purview Communication Compliance helps detect policy violations in communications. Option B is correct because it provides policy tips to users. Option D is correct because it allows custom keyword dictionaries. Option E is correct because it can analyze Microsoft Teams messages. Option A is wrong because malware quarantine is a feature of Microsoft Defender for Office 365. Option C is wrong because MFA enforcement is a feature of Microsoft Entra ID.

477 · MCQ · easy

A security team is evaluating Microsoft security solutions to monitor user activities across multiple SaaS applications, including Salesforce and Dropbox, for signs of compromised accounts and data exfiltration. Which solution is specifically designed for this purpose?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft 365 Defender
Answer: A

Correct. Defender for Cloud Apps is designed as a CASB to monitor and protect SaaS applications like Salesforce and Dropbox from threats such as compromised accounts and data exfiltration.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides deep visibility, data classification, and threat detection across SaaS applications like Salesforce and Dropbox. It uses behavioral analytics and anomaly detection to identify compromised accounts and data exfiltration by monitoring user activities and applying policies such as activity policies and app governance.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with a CASB, but Sentinel is a log aggregation and analysis platform, not a dedicated SaaS monitoring solution like Defender for Cloud Apps.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., Windows, macOS, Linux) using EDR (Endpoint Detection and Response) and does not natively monitor user activities within SaaS applications like Salesforce or Dropbox. Option C is wrong because Microsoft Sentinel is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that aggregates logs from multiple sources but is not specifically designed as a CASB for monitoring SaaS app user activities; it requires data ingestion from other tools. Option D is wrong because Microsoft 365 Defender is an integrated pre- and post-breach enterprise defense suite that covers identities, endpoints, email, and collaboration tools (e.g., Microsoft 365 apps) but does not extend to third-party SaaS applications like Salesforce or Dropbox without additional integration.

478
MCQeasy

A company wants to classify and label documents in SharePoint automatically based on sensitive content like social security numbers. Which Microsoft Purview solution should they use?

A.eDiscovery
B.Auto-labeling policy
C.Audit log
D.Data loss prevention policy
AnswerB

Auto-labeling policies automatically apply sensitivity labels to documents containing sensitive info.

Why this answer

Auto-labeling policies in Microsoft Purview automatically apply sensitivity labels to documents in SharePoint based on sensitive info types. Option D is incorrect because data loss prevention policies can apply labels but are primarily for preventing data leaks. Option C is incorrect because the audit log records activities; it does not classify or label content. Option A is incorrect because eDiscovery is for searching and exporting data.

479
Multi-Selecteasy

Which TWO of the following are authentication methods supported by Microsoft Entra ID? (Select TWO.)

Select 2 answers
A.One-time password (OTP) tokens
B.Password
C.Smart card with PIN
D.Biometric (fingerprint/face)
E.FIDO2 security keys
AnswersB, E

Traditional password authentication.

Why this answer

Password is a fundamental authentication method supported by Microsoft Entra ID. It is the most common primary authentication factor used for user sign-in, where the user provides a username and password that is verified against the directory. Entra ID supports password-based authentication for cloud-only accounts, synchronized on-premises passwords via Password Hash Sync, and pass-through authentication.

Exam trap

The trap here is that candidates often confuse authentication methods supported by Microsoft Entra ID with those supported by on-premises Active Directory or device-level authentication, leading them to incorrectly select smart card with PIN or biometric as native Entra ID methods.

480
MCQeasy

A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?

A.Availability
B.Least privilege
C.Defense in depth
D.Non-repudiation
AnswerB

Correct. Least privilege restricts permissions to only what is necessary for the job, which is exactly what is described in the scenario.

Why this answer

The security policy restricts a Sales user's access to only sales-related documents, explicitly denying access to Finance and HR folders. This aligns with the principle of least privilege, which mandates that users be granted only the minimum permissions necessary to perform their job functions. In Microsoft 365, this is implemented via role-based access control (RBAC) or sensitivity labels that enforce read-only access on specific SharePoint document libraries or folders.

Exam trap

Microsoft often tests least privilege by contrasting it with defense in depth, but the trap here is that candidates confuse a single access restriction (least privilege) with a multi-layered security strategy (defense in depth).

How to eliminate wrong answers

Option A is wrong because availability ensures systems and data are accessible when needed (e.g., uptime guarantees), not who can view specific folders. Option C is wrong because defense in depth is a layered security strategy (e.g., firewalls, encryption, MFA), not a single access control rule. Option D is wrong because non-repudiation prevents a user from denying an action (e.g., digital signatures or audit logs), not from viewing restricted documents.

481
MCQeasy

Your organization is implementing Microsoft 365 and needs to prevent sensitive data from being copied to USB drives. Which Microsoft Purview solution should you configure?

A.Audit logs
B.Communication Compliance
C.Sensitivity labels
D.Endpoint data loss prevention (Endpoint DLP)
AnswerD

Endpoint DLP can block copying to USB drives.

Why this answer

Option D is correct because Endpoint DLP can monitor and restrict actions on endpoints, such as copying to USB drives. Option C is wrong because sensitivity labels classify but do not block actions. Option A is wrong because audit logs track activity but do not block it. Option B is wrong because Communication Compliance monitors communications, not endpoint activities.

482
MCQmedium

A company wants to automatically classify documents containing credit card numbers and apply encryption at rest in SharePoint Online. Which Microsoft Purview feature should be used?

A.Sensitivity labels with auto-classification
B.eDiscovery
C.Microsoft Purview Audit
D.Data Loss Prevention (DLP) policies
AnswerA

Sensitivity labels can auto-classify sensitive data and apply encryption.

Why this answer

Sensitivity labels with auto-classification can detect credit card numbers and apply encryption, so Option A is correct. Option D (DLP policies) prevents sharing but does not apply encryption. Option C (Audit) logs activities. Option B (eDiscovery) is for legal discovery.

483
MCQhard

Refer to the exhibit. The JSON shows a conditional access policy in Microsoft Entra ID. A user signs in from a trusted location using a browser. Which controls will be enforced?

A.MFA, terms of use acceptance, and application enforced restrictions.
B.MFA, terms of use acceptance, sign-in frequency every 1 hour, and Cloud App Security monitoring.
C.Only MFA and terms of use acceptance.
D.Only sign-in frequency and Cloud App Security monitoring.
AnswerB

All configured grant and session controls are applied.

Why this answer

Option B is correct because the conditional access policy in the exhibit grants access only when all specified conditions are met: the user is at a trusted location, the client app is a browser, and the configured grant and session controls include 'Require multi-factor authentication', 'Require terms of use acceptance', 'Sign-in frequency (every 1 hour)', and 'Use Cloud App Security for monitoring'. Since the user signs in from a trusted location using a browser, all of these grant and session controls are enforced simultaneously.

Exam trap

The trap here is that candidates often assume that a 'trusted location' bypasses all controls except MFA, but in reality, conditional access policies enforce every configured grant and session control regardless of the location condition being met.

How to eliminate wrong answers

Option A is wrong because it omits the 'Sign-in frequency every 1 hour' and 'Cloud App Security monitoring' controls that are explicitly listed in the policy. Option C is wrong because it incorrectly states that only MFA and terms of use acceptance are enforced, ignoring the sign-in frequency and Cloud App Security controls. Option D is wrong because it excludes MFA and terms of use acceptance, which are mandatory grant controls in the policy.

484
MCQhard

Refer to the exhibit. The KQL query is used in a Microsoft Sentinel analytics rule. What is the primary purpose of this rule?

A.To identify all files shared externally regardless of sensitivity
B.To automatically block external sharing of sensitive files
C.To detect when a file labeled 'Highly Confidential' is shared externally
D.To list all alerts generated by the rule
AnswerC

Correct: The query specifically targets files with that sensitivity label.

Why this answer

The query filters alerts for 'Sensitive file shared externally' and further refines them to files with SensitivityLabel 'Highly Confidential'. It projects the file name and owner. Option C is correct. Option A is too broad (any shared file, regardless of sensitivity). Option D mentions 'all alerts', which the query does not list. Option B is incorrect because an analytics rule query detects sharing; it does not block it.

485
MCQhard

Refer to the exhibit. You are configuring a Conditional Access policy that requires compliant device for access to Microsoft 365. The device shown in the exhibit is Azure AD joined, compliant, and managed. However, a user signing in from this device is still blocked. What is the most likely cause?

A.The device profile type is 'Workplace', which is not allowed.
B.The device is not compliant.
C.The device is not managed.
D.The Conditional Access policy requires Hybrid Azure AD joined device.
AnswerD

The device is Azure AD joined, not hybrid; if the policy requires hybrid, it would be blocked.

Why this answer

Option D is correct because the exhibit shows the device is Azure AD joined, compliant, and managed, yet the user is still blocked. This indicates the Conditional Access policy is configured to require a Hybrid Azure AD joined device, which is a stricter requirement than just being Azure AD joined. A Hybrid Azure AD joined device must be both domain-joined to on-premises Active Directory and registered with Azure AD, whereas an Azure AD joined device is only cloud-joined.

Since the device in the exhibit is only Azure AD joined, it does not satisfy the Hybrid Azure AD joined condition, causing the block.

Exam trap

The trap here is that candidates assume 'compliant' and 'managed' automatically satisfy all Conditional Access device requirements, but Microsoft distinguishes between Azure AD joined, Hybrid Azure AD joined, and registered devices, and policies can require a specific join type that the device does not meet.

How to eliminate wrong answers

Option A is wrong because 'Workplace' is not a valid device profile type in Azure AD; the exhibit shows the device is Azure AD joined, and the profile type field is irrelevant to the policy requirement. Option B is wrong because the exhibit explicitly states the device is compliant, so non-compliance cannot be the cause of the block. Option C is wrong because the exhibit states the device is managed (e.g., via Intune or MDM), so lack of management is not the issue.

486
MCQhard

Your organization uses Microsoft Entra ID with P2 licenses. You need to delegate the ability to manage role assignments in Entra ID without granting global admin rights. Which feature should you use?

A.Entitlement Management
B.Conditional Access
C.Administrative Units
D.Privileged Identity Management
AnswerD

PIM allows you to assign roles and delegate management.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 enables just-in-time, time-bound, and approval-based role assignments, allowing you to delegate role management without granting permanent global admin rights. PIM provides role activation workflows and auditing, making it the correct feature for delegating role assignment management.

Exam trap

The trap here is confusing Administrative Units (which limit scope) with Privileged Identity Management (which manages role assignment delegation and activation), as both deal with role management but serve different purposes.

How to eliminate wrong answers

Option A is wrong because Entitlement Management is for managing access packages and resource access lifecycle, not for delegating role assignments in Entra ID. Option B is wrong because Conditional Access enforces access policies based on signals like user location or device compliance, but does not delegate role management. Option C is wrong because Administrative Units restrict administrative scope to specific organizational units (e.g., departments) but do not delegate the ability to manage role assignments themselves; they limit where a role applies, not who can assign roles.

487
MCQhard

An organization uses Microsoft Purview Compliance Manager to track compliance with regulations. The compliance officer needs to create a custom assessment for a new internal policy. What should they do?

A.Use the Microsoft 365 admin center to create a compliance assessment.
B.Create a new custom assessment in Compliance Manager and add custom controls.
C.Use the built-in 'Custom' template in Compliance Manager and modify it.
D.Import a new assessment template from the Microsoft Service Trust Portal.
AnswerB

Custom assessments enable tracking internal policies with custom controls.

Why this answer

Option B is correct because Compliance Manager allows creating custom assessments with custom controls and actions. Option D is wrong because assessment templates are not imported from external sources such as the Service Trust Portal. Option C is wrong because the built-in templates are for standard regulations, not custom policies. Option A is wrong because the Microsoft 365 admin center does not create compliance assessments.

488
MCQmedium

A company wants to prevent users from using common passwords like 'Password123' and custom banned passwords such as 'Contoso2024' during sign-up or password change. They also need to apply a common list of banned passwords tenant-wide. Which Microsoft Entra feature should they configure?

A.Conditional Access
B.Microsoft Entra ID Password Protection
C.Identity Protection
D.Multifactor Authentication (MFA)
AnswerB

Microsoft Entra ID Password Protection blocks weak passwords by allowing administrators to define custom banned password lists and leveraging a global banned list.

Why this answer

Microsoft Entra ID Password Protection allows administrators to enforce both a global banned password list (Microsoft-managed) and a custom banned password list (tenant-specific). This feature blocks weak passwords like 'Password123' and custom entries like 'Contoso2024' during sign-up or password change operations, making it the correct choice for tenant-wide password policy enforcement.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access conditions) with password protection policies, or assume Identity Protection handles password bans when it actually focuses on risk detection, not password content enforcement.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from certain locations) based on signals like user risk or device compliance, not for banning specific passwords. Option C is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not manage password content policies. Option D is wrong because Multifactor Authentication (MFA) adds a second verification layer (e.g., phone call, app notification) but does not evaluate or block the use of common or custom banned passwords.

489
Multi-Selecteasy

Which TWO of the following are Microsoft Purview compliance solutions?

Select 2 answers
A.Microsoft Entra ID
B.Data Loss Prevention (DLP)
C.eDiscovery
D.Microsoft Intune
E.Microsoft Defender for Cloud
AnswersB, C

DLP is part of Microsoft Purview.

Why this answer

B and C are correct. Data Loss Prevention (DLP) and eDiscovery are core Purview solutions. A (Microsoft Entra ID) is an identity solution. D (Microsoft Intune) is endpoint management. E (Microsoft Defender for Cloud) is a security solution.

490
MCQhard

Refer to the exhibit. A sensitivity label is configured as shown. Which statement about the label's behavior is accurate?

A.When applied, users can choose who can access the document and what permissions they have.
B.The label disables encryption and only adds a header and footer.
C.The label automatically encrypts the document with a predefined template.
D.The label does not apply any protection; it only adds visual markings.
AnswerA

UserDefined means users set permissions.

Why this answer

Option A is correct because 'ProtectionType' is 'UserDefined', meaning users specify the encryption permissions themselves when they apply the label. Option B is wrong because encryption is enabled, not disabled. Option C is wrong because the protection type is user-defined, not a predefined template. Option D is wrong because the label applies both encryption and visual marking.

491
MCQhard

Your company uses Microsoft Entra ID and wants to automatically assign licenses to new employees based on their department. Which feature should you use?

A.Privileged Identity Management
B.Access reviews
C.Dynamic groups and group-based licensing
D.Entitlement management
AnswerC

Dynamic groups automatically include users based on attributes; group-based licensing assigns licenses to the group.

Why this answer

Dynamic groups in Microsoft Entra ID allow you to automatically add or remove users based on attributes like department. Combined with group-based licensing, you can assign licenses (e.g., Microsoft 365 E5) to all members of that group, so when a new employee is added with the matching department attribute, they automatically receive the correct license without manual intervention.

Exam trap

The trap here is that candidates confuse Entitlement management (which manages access packages) with automatic license assignment, but Entitlement management does not natively assign licenses based on department attributes—it requires custom integration, whereas Dynamic groups with group-based licensing is the direct, built-in solution.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access oversight, not for automatic license assignment. Option B is wrong because Access reviews are periodic attestations to verify that users still need access, not a mechanism to assign licenses automatically. Option D is wrong because Entitlement management handles access packages and approval workflows for resource access, not direct license assignment based on department attributes.

492
MCQeasy

Your organization wants to enforce multi-factor authentication (MFA) for all users accessing cloud applications. Which Microsoft Entra ID feature should you configure?

A.Configure Privileged Identity Management
B.Create a Conditional Access policy
C.Use Identity Protection
D.Enable MFA per user
AnswerB

Conditional Access policies can require MFA based on conditions.

Why this answer

Option B is correct because Conditional Access policies allow you to require MFA based on conditions like user, location, or device. Option D is incorrect because per-user MFA is a legacy method. Option A is incorrect because PIM manages role activation, not MFA enforcement. Option C is incorrect because Identity Protection detects risks but does not directly enforce MFA.

493
MCQhard

A company uses Microsoft Entra ID and needs to regularly review membership of a group that grants access to a sensitive HR application. The identity team wants to automate quarterly reviews and automatically remove users who fail to respond or are denied by the reviewer. Which Microsoft Entra ID feature should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Access Reviews
AnswerD

Access Reviews enables administrators to create recurring reviews of group memberships, application access, and role assignments. Unresponsive or denied users can be automatically removed based on review settings.

Why this answer

Option D is correct because Microsoft Entra Access Reviews are specifically designed to automate periodic attestation of group memberships, including the ability to automatically remove users who do not respond or are denied by the reviewer. This feature supports quarterly recurring reviews and integrates directly with Entra ID groups to enforce access governance for sensitive applications.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve 'reviews,' but PIM only handles role activation and approval workflows, not recurring group membership attestation with automatic removal.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces real-time access policies based on signals like location or device compliance, but it does not perform periodic membership reviews or automate removal of users. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, suspicious sign-ins), not on reviewing group membership assignments. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and activation workflows for roles, but it does not automate recurring attestation of group memberships or remove non-responding users from standard security groups.

494
MCQmedium

A security operations team needs a solution that can detect and stop ransomware attacks on Windows servers and desktops in real time. They also want the ability to automatically isolate affected devices and, if necessary, roll back files modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these capabilities?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Cloud
AnswerB

Defender for Endpoint provides EDR, threat hunting, automated investigation, and remediation including device isolation and file rollback for ransomware.

Why this answer

Microsoft Defender for Endpoint (MDE) provides real-time detection and automated response to ransomware attacks on Windows servers and desktops. Its built-in attack surface reduction rules, endpoint detection and response (EDR), and automated investigation and remediation capabilities allow automatic device isolation. Additionally, MDE includes a file recovery feature that leverages Volume Shadow Copy to roll back files modified by ransomware, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud (a cloud workload protection tool) with Microsoft Defender for Endpoint (an endpoint detection and response tool), failing to recognize that only MDE provides the specific combination of real-time endpoint protection, automated device isolation, and built-in file rollback for Windows servers and desktops.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, and Teams from phishing, malware, and spam, not on endpoint-level ransomware detection or device isolation. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility and control over cloud app usage, not real-time endpoint ransomware protection or file rollback. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform for cloud infrastructure (IaaS/PaaS), not designed for on-premises Windows servers and desktops or built-in file recovery.

495
MCQmedium

A company uses Microsoft Entra ID and wants to provide external business partners with access to a specific internal application. The partners already use Microsoft Entra ID in their own organization. The company wants the partners to use their existing corporate credentials to sign in, without creating new user accounts in the company's tenant. The company also wants to manage the access lifecycle, including automatically removing access after a project ends. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra B2C
C.Identity Protection
D.Privileged Identity Management (PIM)
AnswerA

Correct. B2B collaboration enables external partners to use their own corporate identities to access apps in your tenant, with full lifecycle management capabilities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows external users from partner organizations who already have their own Microsoft Entra ID accounts to sign in using their existing corporate credentials, without requiring new user accounts in the company's tenant. It also supports access lifecycle management through features like entitlement management and access reviews, enabling automatic removal of access when a project ends.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners with existing corporate identities) with B2C (for customers using social or local accounts), leading them to select B2C when the scenario clearly describes partner organizations using their own corporate credentials.

How to eliminate wrong answers

Option B (Microsoft Entra B2C) is wrong because it is designed for customer-facing identity management, allowing external users to sign in with social or local accounts, not for business partner collaboration using existing corporate credentials. Option C (Identity Protection) is wrong because it is a risk-based security tool that detects and responds to identity threats, not a feature for inviting external users or managing access lifecycle. Option D (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews for internal admin roles, not on inviting external business partners or managing their access lifecycle.

496
MCQhard

A company is involved in a lawsuit. The legal team needs to preserve all emails, documents, and Teams messages from five key employees (custodians) that are related to a specific project. The data must be collected securely and provided for legal review without modifying the original data. Which Microsoft Purview solution should they use?

A.Data Lifecycle Management
B.eDiscovery (Premium)
C.Records Management
D.Communication Compliance
AnswerB

eDiscovery Premium provides end-to-end workflow for custodial holds, data collection, and review without modifying the original data.

Why this answer

eDiscovery (Premium) is the correct solution because it is specifically designed for legal investigations, allowing organizations to identify, preserve, collect, and export relevant data (emails, documents, Teams messages) from custodians without altering the original data. It supports legal hold, advanced search, and secure export for legal review, meeting the lawsuit requirements.

Exam trap

The trap here is that candidates confuse Data Lifecycle Management or Records Management with eDiscovery, but those solutions manage retention and deletion policies rather than providing the custodial hold, search, and export capabilities required for legal preservation and review.

How to eliminate wrong answers

Option A (Data Lifecycle Management) is wrong because it focuses on automating retention and deletion policies for compliance and governance, not on preserving data for legal hold or collecting it for litigation. Option C (Records Management) is wrong because it is used to classify and manage records for regulatory compliance, often with immutable retention, but it does not provide the custodial search, hold, and export capabilities needed for eDiscovery. Option D (Communication Compliance) is wrong because it is designed to detect and mitigate policy violations (e.g., insider trading, harassment) in communications, not to preserve and collect data for legal proceedings.

497
MCQmedium

A company wants to allow employees to securely access internal applications from their personal devices. The security policy requires that access is only granted if the device is compliant with company security policies (e.g., encryption enabled, password required, up-to-date operating system). Which Microsoft Entra ID capability should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Microsoft Entra Verified ID
AnswerA

Correct. Conditional Access policies can require a device to be marked as compliant (via Intune) as a condition for granting access to applications.

Why this answer

Conditional Access in Microsoft Entra ID is the correct capability because it allows administrators to define policies that enforce device compliance before granting access to applications. By integrating with Microsoft Intune, Conditional Access can require that devices meet specific security policies—such as encryption, password requirements, and OS updates—before allowing access. This directly addresses the requirement to grant access only from compliant personal devices.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based conditional access) with device compliance Conditional Access, but Identity Protection does not evaluate device health or compliance policies.

How to eliminate wrong answers

Option B is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on enforcing device compliance. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not device-level security checks. Option D is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials (e.g., digital IDs), not for device compliance enforcement.

498
MCQmedium

A company uses Microsoft Entra ID. A junior administrator needs to occasionally reset passwords for the IT department. The security team wants to grant this permission only for a limited time and require an approval from a senior administrator before the permission becomes active. All password reset actions must be audited. Which Microsoft Entra ID feature should they configure?

A.Entra ID Identity Protection
B.Entra ID Privileged Identity Management (PIM)
C.Entra ID Conditional Access
D.Entra ID Terms of Use
AnswerB

PIM enables just-in-time role activation with approval workflows, time limits, and detailed audit logs, exactly matching the requirement.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access, allowing the junior administrator to request a time-limited role for password reset that requires approval from a senior administrator. PIM also enables auditing of all role activations and actions, meeting the security team's requirements for limited duration, approval workflow, and auditability.

Exam trap

The trap here is that candidates often confuse PIM with Conditional Access, thinking that Conditional Access can enforce time-limited permissions, but Conditional Access controls access to resources based on conditions, not the activation or approval of privileged roles.

How to eliminate wrong answers

Option A is wrong because Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide time-limited role activation or approval workflows. Option C is wrong because Conditional Access enforces access policies based on conditions like location or device state, but it cannot grant or limit administrative permissions for specific tasks like password reset. Option D is wrong because Entra ID Terms of Use is used to present and track acceptance of legal or policy documents before access, and it does not manage role activation, approval, or auditing of administrative actions.

499
MCQmedium

A company wants to gain visibility into the cloud applications that employees are using (e.g., unsanctioned SaaS apps), assess the risk level of each app based on multiple factors, and block access to high-risk applications. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
AnswerC

Defender for Cloud Apps is a CASB that discovers all cloud apps, evaluates their risk, and allows you to control access (e.g., block, restrict).

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into cloud application usage, assesses risk based on factors like compliance, app store ratings, and security controls, and can block access to high-risk apps via reverse proxy or API integration. This directly matches the requirement to discover unsanctioned SaaS apps and enforce access controls.

Exam trap

The trap here is confusing a CASB (Defender for Cloud Apps) with an EDR (Defender for Endpoint) or SIEM (Sentinel), as candidates often think 'visibility into apps' means endpoint monitoring or log analysis rather than cloud-specific app discovery and risk assessment.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering or blocking cloud applications. Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange, SharePoint) from threats like phishing and malware, not from unsanctioned SaaS app usage. Option D is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution for aggregating logs and detecting threats across the environment, not for real-time cloud app discovery and blocking.

500
MCQmedium

A compliance administrator configures the above retention policy. A document created on January 1, 2025, in SharePoint Online will be retained until when?

A.Indefinitely
B.January 1, 2026
C.December 31, 2025
D.January 1, 2025
AnswerC

365 days from creation date (Jan 1, 2025) ends on Dec 31, 2025.

Why this answer

Option C is correct because the policy retains content for 365 days from the creation date (WhenCreated); counting January 1, 2025 as the first day of the retention period, the 365-day period ends on December 31, 2025. Option D is wrong because it ignores the retention period that starts at the creation trigger and would end retention on the creation date itself.

Option A is wrong because retention is not indefinite. Option B is wrong because the duration is 365 days from the creation date, which ends on December 31, 2025, not on January 1, 2026.

501
MCQhard

A security team needs to investigate a potential data breach in Microsoft 365. They require detailed forensic logs showing every instance of mailbox access, mailbox search performed by administrators, and changes to email forwarding rules in Exchange Online. The logs must be retained for 1 year. Which Microsoft Purview solution should they use?

A.Audit (Standard)
B.Audit (Premium)
C.eDiscovery (Standard)
D.eDiscovery (Premium)
AnswerB

Audit (Premium) logs high-value events like mailbox access and forwarding rule changes, and supports up to 1-year retention, making it the correct choice.

Why this answer

Audit (Premium) is required because the question specifies detailed forensic logs for mailbox access, administrator mailbox searches, and changes to email forwarding rules—all of which are high-value, user-specific events that are only captured by Audit (Premium). Audit (Standard) logs basic events but lacks the granularity for these specific operations, and it retains logs for only 90 days by default, whereas Audit (Premium) supports up to 1 year of retention. eDiscovery solutions are for searching and exporting content, not for continuous logging of administrative actions.

Exam trap

The trap here is that candidates confuse eDiscovery (which is for searching and exporting content) with auditing (which is for logging events), and they underestimate the specific event types that require Audit (Premium) over Audit (Standard).

How to eliminate wrong answers

Option A is wrong because Audit (Standard) does not log detailed mailbox access events, administrator mailbox searches, or changes to email forwarding rules; it only captures basic CRUD operations and has a default retention of 90 days, not 1 year. Option C is wrong because eDiscovery (Standard) is a content search and export tool, not a logging or auditing solution; it cannot provide forensic logs of mailbox access or rule changes. Option D is wrong because eDiscovery (Premium) is an advanced content search, review, and analytics tool for legal cases, not a continuous audit log solution; it does not generate or retain logs of administrative actions.

502
MCQmedium

Your company uses Microsoft Entra ID and wants to implement a passwordless authentication strategy for all users. You have a mix of Windows 10 devices, iOS devices, and Android devices. You need a solution that works across all platforms and does not require users to remember passwords. What should you implement?

A.Deploy FIDO2 security keys to all users and register them in Microsoft Entra ID.
B.Deploy Microsoft Authenticator with phone sign-in enabled for all users.
C.Implement certificate-based authentication using smart cards.
D.Enable Windows Hello for Business on all Windows devices.
AnswerB

Correct: Works across Windows, iOS, and Android without passwords.

Why this answer

Microsoft Authenticator with phone sign-in enabled provides a cross-platform passwordless authentication solution that works on Windows 10, iOS, and Android devices. It uses a key-based authentication model where the user's phone generates a cryptographic key pair, eliminating the need for passwords while supporting all required device types.

Exam trap

The trap here is that candidates often assume FIDO2 security keys (Option A) are the only true passwordless solution, but they overlook the cross-platform limitation and the fact that Microsoft Authenticator also implements FIDO2/WebAuthn, making it the more practical choice for heterogeneous device environments.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys require a USB or NFC interface, which is not supported on all iOS devices (iOS does not support FIDO2 over NFC for authentication in all scenarios), and deploying physical keys to all users is less scalable and platform-agnostic than a phone-based solution. Option C is wrong because certificate-based authentication using smart cards requires specialized hardware (smart card readers) and is not natively supported on iOS and Android devices without additional middleware, making it impractical for a cross-platform passwordless strategy. Option D is wrong because Windows Hello for Business is limited to Windows devices and does not address iOS or Android devices, failing the requirement for a solution that works across all platforms.

503
Multi-Selecthard

Which TWO Microsoft Entra features can help protect against credential attacks?

Select 2 answers
A.Microsoft Entra Connect
B.Self-service password reset
C.Microsoft Entra password protection
D.Access reviews
E.Smart lockout
AnswersC, E

Password protection blocks weak passwords.

Why this answer

Microsoft Entra password protection (C) helps defend against credential attacks by automatically blocking weak passwords and common variations of known compromised passwords, such as those from botnets or public password lists. Smart lockout (E) protects against brute-force attacks by locking an account after a configurable number of failed sign-in attempts, using intelligent heuristics to distinguish between legitimate users and attackers. Both features directly mitigate password-based attacks like password spraying and brute force.

Exam trap

The trap here is that candidates often confuse self-service password reset (SSPR) with a security feature that prevents attacks, when in reality SSPR is a convenience feature for password recovery, not a proactive defense against credential threats.

504
MCQeasy

Your organization uses Microsoft Purview Communication Compliance to detect potential harassment in Microsoft Teams messages. Which role is required to review and act on policy matches?

A.Communication Compliance admin
B.Communication Compliance analyst
C.Communication Compliance investigator
D.Compliance administrator
AnswerB

Analysts review policy matches and take action.

Why this answer

Communication Compliance roles: 'Communication Compliance admin' can create policies, 'Communication Compliance analyst' can review and act on matches, 'Communication Compliance investigator' has additional remediation capabilities, 'Compliance administrator' has broader compliance admin rights. Option B is correct for reviewing matches.

505
MCQeasy

A security administrator is configuring permissions for a new cloud-based expense reporting application. The administrator assigns each employee only the permissions they need to perform their job functions. For example, employees in the Sales department can view expense reports but cannot approve or modify financial data. Which security principle is the administrator implementing?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Zero trust
AnswerB

This is the correct answer because the administrator is granting the minimal permissions required for each employee's role, directly applying the least privilege principle.

Why this answer

The administrator is granting each employee only the permissions necessary to perform their job functions, such as Sales being able to view but not approve or modify financial data. This directly implements the principle of least privilege, which restricts access rights to the minimum required for legitimate tasks. In cloud-based applications like expense reporting systems, least privilege reduces the attack surface and limits potential damage from compromised accounts.

Exam trap

The trap here is that candidates confuse least privilege with separation of duties, because both involve restricting access, but separation of duties specifically requires splitting conflicting tasks (e.g., submit vs. approve) across different users to prevent fraud, whereas least privilege focuses on minimizing permissions per user.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, intrusion detection) rather than a single permission assignment. Option C is wrong because separation of duties divides critical tasks among multiple users to prevent fraud (e.g., one person submits an expense, another approves it), but the scenario focuses on limiting permissions per role, not splitting tasks. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every request, whereas the scenario describes a static permission assignment based on job roles.

506
MCQhard

A company runs a mix of on-premises servers and Azure virtual machines. They deploy Microsoft Defender for Endpoint on all servers. The security team wants to create custom queries to hunt for a specific attack pattern that involves a sequence of events across multiple machines, such as a PowerShell script being downloaded and then executed on several servers. They need to write their own detection rules based on advanced hunting data. Which Microsoft 365 Defender capability should they use?

A.Advanced hunting in Microsoft 365 Defender
B.Microsoft Defender for Cloud
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswerA

Advanced hunting enables security teams to build custom queries over data from endpoints, Office 365, identities, and apps. They can then create custom detection rules that trigger alerts based on these queries.

Why this answer

Advanced hunting in Microsoft 365 Defender provides a Kusto Query Language (KQL)-based query interface that allows security teams to create custom detection rules by searching raw data across endpoints, email, and identities. This capability directly supports the scenario of writing custom queries to hunt for multi-machine attack patterns, such as a PowerShell script download followed by execution, by correlating events like DeviceProcessEvents and DeviceFileEvents across multiple devices.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's advanced hunting (which is also KQL-based but is a separate Azure service) with the advanced hunting capability native to Microsoft 365 Defender, leading them to select Sentinel even though the question explicitly asks for a Microsoft 365 Defender capability.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing Azure, on-premises, and multi-cloud resources through recommendations and vulnerability assessments, not on providing a custom KQL-based hunting interface for endpoint-specific event sequences. Option C is wrong because Microsoft Defender for Office 365 is designed to protect against threats in email, SharePoint, OneDrive, and Teams, and does not include advanced hunting capabilities for endpoint processes or file events across servers. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution that ingests data from multiple sources and offers advanced hunting, but the question specifically asks for a Microsoft 365 Defender capability; Sentinel is a separate Azure service, not a component of Microsoft 365 Defender.

507
MCQhard

A multinational corporation must comply with the General Data Protection Regulation (GDPR). They use Microsoft Purview Compliance Manager to manage compliance activities. The compliance manager wants to automatically assign each control to the appropriate team member for remediation. What should they configure?

A.Create new assessments for each regulation
B.Configure improvement actions with owners
C.Set up connectors to import external risk data
D.Use the Microsoft 365 admin center to delegate tasks
AnswerB

Improvement actions represent individual controls that can be assigned to an owner for remediation, enabling automatic assignment and tracking.

Why this answer

To automatically assign each control to the appropriate team member for remediation in Microsoft Purview Compliance Manager, you must configure improvement actions with owners. Each improvement action can be assigned to a specific user who is responsible for implementing the remediation steps, and this assignment triggers automatic notifications and tracking within the compliance score.

Exam trap

The trap here is that candidates often confuse creating assessments (which organize controls) with the actual assignment of remediation tasks, leading them to choose Option A instead of understanding that improvement actions with owners are the mechanism for automatic assignment.

How to eliminate wrong answers

Option A is wrong because creating new assessments for each regulation organizes compliance requirements but does not assign individual controls to team members for remediation. Option C is wrong because setting up connectors to import external risk data brings in third-party signals but does not handle task assignment or ownership of controls. Option D is wrong because the Microsoft 365 admin center is used for user and tenant administration, not for assigning remediation tasks within Compliance Manager; task delegation is done directly within the improvement action settings.

508
MCQhard

Your organization uses Microsoft Entra ID with P2 licenses. You need to implement a policy that requires users to perform multifactor authentication (MFA) when accessing the finance application from an untrusted network, but not when accessing it from the corporate network. Which Microsoft Entra feature should you configure?

A.Microsoft Entra Entitlement Management
B.Microsoft Entra ID Protection MFA registration policy
C.Microsoft Entra Conditional Access policy
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerC

Conditional Access can enforce MFA based on location (untrusted vs corporate network).

Why this answer

Microsoft Entra Conditional Access policies allow you to enforce MFA based on conditions such as network location. By configuring a policy that targets the finance application and includes a condition for 'untrusted networks' (e.g., any location other than the corporate network's trusted IP ranges), you can require MFA only when access originates from outside the corporate network. This is the correct feature for granular, condition-based access controls.

Exam trap

The trap here is that candidates often confuse the MFA registration policy (which only ensures users have registered MFA methods) with a Conditional Access policy that actually enforces MFA during sign-in based on conditions like network location.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management is used for managing access packages and identity governance (e.g., automated access requests and reviews), not for enforcing MFA based on network location. Option B is wrong because the Microsoft Entra ID Protection MFA registration policy only enforces that users register for MFA, not that they perform MFA during sign-in based on network conditions. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not location-based MFA enforcement for application access.

509
Multi-Selecthard

Which TWO are features of Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A.Apply sensitivity labels to files
B.Investigate email-borne attacks
C.Vulnerability management for endpoints
D.Cloud Discovery to identify shadow IT
E.App governance for OAuth apps
AnswersD, E

Cloud Discovery discovers cloud app usage.

Why this answer

Options D and E are correct. Cloud Discovery identifies shadow IT by revealing which cloud apps are actually in use, and app governance monitors and controls OAuth apps that have been granted access to Microsoft 365 data.

Option A is wrong because applying sensitivity labels is a Microsoft Purview Information Protection capability. Option B is wrong because investigating email-borne attacks is a Microsoft Defender for Office 365 capability. Option C is wrong because vulnerability management for endpoints belongs to Microsoft Defender for Endpoint.

510
MCQmedium

A company uses Microsoft Entra ID. The security team wants to grant temporary, time-limited administrative access to Azure subscriptions only when needed, with an approval workflow. Which Microsoft Entra capability should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Entra ID Governance
AnswerC

PIM enables just-in-time, time-bound privileged access with approval workflows, exactly matching the requirement.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure AD and Azure resources, including Azure subscriptions. PIM supports time-bound role activation with an approval workflow, allowing the security team to grant temporary administrative access only when needed, which directly matches the requirement.

Exam trap

The trap here is that candidates confuse PIM with Conditional Access, thinking that Conditional Access can enforce time-limited access via session controls, but Conditional Access cannot grant or revoke Azure RBAC role assignments or require an approval workflow for role activation.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on signals like user location or risk, but it does not provide time-limited role activation or an approval workflow for privileged access. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not manage role assignments or temporary privileged access. Option D is wrong because Entra ID Governance encompasses broader capabilities like access reviews, entitlement management, and lifecycle workflows, but the specific feature for time-limited, approval-based privileged access to Azure subscriptions is PIM, not governance as a whole.

511
MCQhard

An organization implements a security policy where users must authenticate using a smart card and PIN. After successful authentication, the system checks whether the user's device is managed by the organization and complies with security baselines. If the device is compliant, the user is granted access to the corporate network. If not, access is denied. This approach most directly reflects which security model?

A.Defense in depth
B.Zero Trust
C.CIA triad
D.Least privilege
AnswerB

Zero Trust requires verifying every access attempt, including identity and device health. The policy of blocking access if the device is non-compliant is a core component of Zero Trust architecture.

Why this answer

The scenario explicitly enforces 'never trust, always verify' by requiring authentication (smart card + PIN) and then validating device compliance before granting network access. This directly aligns with the Zero Trust model's core principle of conditional access based on identity and device health, rather than implicit trust from network location.

Exam trap

The trap here is that candidates confuse Zero Trust with Defense in depth because both involve multiple security layers, but Zero Trust specifically requires per-request verification of identity and device health, whereas Defense in depth relies on static layers without dynamic device compliance checks.

How to eliminate wrong answers

Option A is wrong because Defense in depth is a layered security strategy (e.g., firewalls, IDS, antivirus) that does not specifically mandate per-request device compliance checks before granting network access. Option C is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a high-level security objective, not an operational model that dictates authentication and device health verification as a prerequisite for access. Option D is wrong because Least privilege focuses on granting only necessary permissions (e.g., read-only vs. write), not on verifying device compliance before allowing network connectivity.

512
MCQmedium

An organization decides to eliminate passwords for their employees. They deploy Windows Hello for Business on company-issued laptops, allowing users to sign in with a PIN or a biometric gesture (e.g., fingerprint). The IT team also enables Microsoft Authenticator and FIDO2 security keys as alternative sign-in methods. Which Microsoft Entra ID capability are they leveraging?

A.Microsoft Entra ID Protection
B.Conditional Access
C.Passwordless authentication
D.Self-Service Password Reset (SSPR)
AnswerC

Passwordless authentication in Microsoft Entra ID includes Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys, allowing users to sign in securely without a password.

Why this answer

The organization is implementing passwordless authentication by removing passwords and using Windows Hello for Business (PIN/biometrics), Microsoft Authenticator, and FIDO2 security keys. These methods replace the password with a cryptographic key pair bound to the device or user, satisfying the definition of passwordless authentication in Microsoft Entra ID.

Exam trap

The trap here is that candidates confuse the authentication method (passwordless) with the security policies that protect it (Conditional Access) or the risk detection that monitors it (Identity Protection), leading them to select a wrong answer that sounds related but is not the core capability being demonstrated.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects identity risks (e.g., leaked credentials, anomalous sign-ins) and enforces remediation, not a sign-in method. Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or compliant devices) based on conditions, not an authentication method itself. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset forgotten passwords, which is irrelevant when passwords are eliminated entirely.

513
MCQhard

Refer to the exhibit. The Conditional Access policy is configured to block access for high-risk users. A user with a medium risk level attempts to sign in. What will happen?

A.Access is blocked
B.User is redirected to a password reset page
C.Access is granted
D.User is prompted for MFA
AnswerC

The policy condition is not met.

Why this answer

The Conditional Access policy is configured to block access for high-risk users only. Since the user has a medium risk level, the policy condition is not met, so the policy does not apply. Therefore, access is granted based on the default behavior of allowing sign-in when no Conditional Access policy is triggered.

Exam trap

The trap here is that candidates often assume any risk level triggers the block action, but Conditional Access policies only enforce controls when the condition exactly matches the configured risk level, not for lower or higher levels unless explicitly specified.

How to eliminate wrong answers

Option A is wrong because the policy specifically targets high-risk users, and a medium-risk user does not match the condition, so access is not blocked. Option B is wrong because a password reset page is triggered only by a policy that requires password change (e.g., user risk policy with 'Require password change' control), which is not configured here. Option D is wrong because MFA prompt would require a policy with 'Require multifactor authentication' control, which is not present in this configuration.

514
MCQmedium

Your organization has a Microsoft Purview Data Lifecycle Management policy that deletes emails after 3 years. A legal hold is placed on a user's mailbox. What happens to the emails?

A.Only emails created before the hold are deleted
B.Emails are preserved and not deleted despite the retention policy
C.Emails are deleted immediately to avoid conflicting policies
D.Emails are deleted after 3 years as per the retention policy
AnswerB

Legal hold preserves all content in the mailbox, overriding deletion policies.

Why this answer

Option B is correct because a legal hold (litigation hold) preserves all mailbox content regardless of retention policies; the deletion action is suspended while the hold is in place. Option D is wrong because retention policies do not override a legal hold. Option C is wrong because the deletion is suspended, not accelerated.

Option A is wrong because the hold applies to the entire mailbox, not only to emails created after the hold was placed.

515
Matchingmedium

Match each compliance framework to its primary focus.


Concepts
Matches

Data protection and privacy for EU citizens

Information security management system standard

Cybersecurity risk management framework

Healthcare data privacy and security in the US

Service organization controls for data security

Why these pairings

These are common compliance frameworks relevant to Microsoft services.

516
Multi-Selectmedium

Which THREE are benefits of using Microsoft Purview Compliance Manager?

Select 3 answers
A.Create Data Loss Prevention policies.
B.View a compliance score that indicates your overall compliance posture.
C.Assign compliance tasks to other users in your organization.
D.Receive recommendations for improvement actions to achieve compliance.
E.Automatically apply sensitivity labels to documents.
AnswersB, C, D

Compliance Manager calculates a score based on implemented controls.

Why this answer

Options B, C, and D are correct. Compliance Manager provides a compliance score that reflects your overall posture (B), allows you to assign compliance tasks to other users in your organization (C), and recommends improvement actions to achieve compliance (D). Option E is wrong because Compliance Manager does not automatically apply sensitivity labels.

Option A is wrong because Compliance Manager does not create DLP policies.

517
Multi-Selecteasy

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Select 2 answers
A.Passwordless phone sign-in with Microsoft Authenticator
B.Biometric only (fingerprint/face) without device
C.SMS sign-in
D.FIDO2 security keys
E.Certificate-based authentication
AnswersA, D

Authenticator app supports passwordless sign-in.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator is a supported authentication method in Microsoft Entra ID. It allows users to sign in without a password by using a biometric or PIN gesture on their mobile device, leveraging the Microsoft Authenticator app to verify identity via a push notification or a time-based one-time passcode (TOTP). This method enhances security by reducing reliance on passwords and is part of Microsoft's passwordless authentication strategy.

Exam trap

The trap here is that candidates often confuse SMS as a primary authentication method when it is only a secondary verification factor for MFA, and they may incorrectly assume certificate-based authentication is natively supported in Entra ID without understanding its dependency on federation.

518
MCQhard

An organization is migrating from on-premises Active Directory to Microsoft Entra ID. They need to synchronize user passwords so that users can use the same password for both on-premises and cloud resources. Which authentication method should they choose?

A.Password Hash Synchronization
B.Seamless Single Sign-On
C.Pass-through Authentication
D.Federation with AD FS
AnswerA

Synchronizes password hashes for same password use.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because it synchronizes a hash of the user's on-premises Active Directory password to Microsoft Entra ID, allowing users to authenticate with the same password for both on-premises and cloud resources. This method is specifically designed for password synchronization without requiring any additional infrastructure or real-time validation against on-premises systems.

Exam trap

The trap here is that candidates confuse 'synchronization' with 'single sign-on' or 'pass-through validation,' assuming that Seamless SSO or Pass-through Authentication also synchronize passwords, when in fact they do not transfer password hashes to the cloud.

How to eliminate wrong answers

Option B (Seamless Single Sign-On) is wrong because it does not synchronize passwords; it only provides automatic sign-in for domain-joined devices on corporate networks by using Kerberos delegation, but the actual password validation still relies on another method like PHS or Pass-through Authentication. Option C (Pass-through Authentication) is wrong because it validates passwords directly against on-premises Active Directory in real time without synchronizing password hashes to the cloud, which means it does not meet the requirement to synchronize passwords for offline or cloud-only authentication. Option D (Federation with AD FS) is wrong because it uses a federated trust with on-premises Active Directory Federation Services (AD FS) for authentication, requiring complex infrastructure and redirecting authentication to on-premises servers, rather than synchronizing password hashes to Microsoft Entra ID.

519
MCQhard

Your company has Microsoft Defender for Office 365 and wants to configure anti-phishing policies to protect against spear-phishing attacks targeting executives. Which policy setting should you enable to provide the highest level of protection?

A.Malware filter
B.Impersonation protection for users
C.Bulk email filtering
D.Spoof intelligence
AnswerB

Impersonation protection detects and blocks attempts to impersonate specific users.

Why this answer

Option B is correct because impersonation protection targets exactly this scenario: it detects senders whose display name or address mimics a protected user, such as an executive, which is how most spear-phishing aimed at named individuals is delivered. Option D is wrong because spoof intelligence deals with senders that forge a domain they do not own (messages failing sender authentication), not with look-alike display names or addresses that target a specific person. Option C is wrong because bulk email filtering tunes how aggressively mass mailings are filtered and does nothing for targeted phishing. Option A is wrong because the malware filter handles malicious attachments, not the credential-harvesting or payment-fraud lures typical of spear-phishing.

520
MCQmedium

A legal team needs to preserve all electronic documents related to an ongoing lawsuit. These documents reside in Exchange Online mailboxes, SharePoint Online sites, and OneDrive for Business accounts. The team also needs the ability to search across these locations for specific keywords and export the results for review. Which Microsoft Purview solution should they use?

A.Microsoft Purview eDiscovery (Premium)
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Audit
AnswerA

eDiscovery (Premium) provides end-to-end workflow for legal investigations, including identifying and holding relevant data, searching for specific content using keywords and conditions, reviewing results with advanced analytics, and exporting data for external review. It is the appropriate solution for litigation holds and search.

Why this answer

Microsoft Purview eDiscovery (Premium) is the correct solution because it provides end-to-end workflow for preserving, searching, and exporting content from Exchange Online mailboxes, SharePoint Online sites, and OneDrive for Business accounts. It supports legal hold to preserve data, keyword search across these sources, and export of results for review, meeting all requirements of the legal team.

Exam trap

The trap here is that candidates confuse eDiscovery with Audit, thinking Audit can search and export content, but Audit only provides activity logs, not the ability to preserve or export the actual documents.

How to eliminate wrong answers

Option B (Microsoft Purview Data Lifecycle Management) is wrong because it focuses on retention and deletion policies for data governance, not on preserving data for legal cases or searching and exporting content. Option C (Microsoft Purview Data Loss Prevention) is wrong because it is designed to prevent unauthorized sharing or leakage of sensitive data, not to preserve or search documents for litigation. Option D (Microsoft Purview Audit) is wrong because it logs and tracks user activities and events, but does not provide the ability to place legal holds, search for keywords, or export content for review.

521
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Purview Information Protection?

Select 2 answers
A.Searching for content in eDiscovery
B.Preventing data loss via policies
C.Setting retention periods for content
D.Applying sensitivity labels to documents and emails
E.Encrypting content with Azure Rights Management
AnswersD, E

Sensitivity labels classify and protect content.

Why this answer

Option D is correct because sensitivity labels are the core of Information Protection: they classify content and can apply protection actions such as encryption and content marking. Option E is correct because encryption through Azure Rights Management is the protection action a sensitivity label applies. Option C is wrong because retention periods belong to Data Lifecycle Management. Option B is wrong because preventing data loss is the job of Data Loss Prevention, a separate Purview solution even though its policies can key off sensitivity labels. Option A is wrong because content search is an eDiscovery capability.

522
MCQmedium

A company uses Microsoft Entra ID. The IT department wants to ensure that users are prompted to change their password only when there is a high likelihood that their credentials have been compromised, rather than forcing periodic password changes. They also want to block users from using common passwords from a custom list of banned passwords. Which Microsoft Entra features should they use?

A.Identity Protection and Password Protection
B.Conditional Access and Multi-Factor Authentication
C.Privileged Identity Management and Identity Governance
D.Access Reviews and Entitlement Management
AnswerA

Identity Protection can force password changes on high user risk, and Password Protection blocks weak passwords, including custom banned lists.

Why this answer

Identity Protection evaluates user risk from signals such as leaked credentials found in public data sets and anomalous sign-in behavior; a user risk policy can then require a secure password change only when that risk is high, rather than on a fixed schedule. Because the user proves identity with MFA before changing the password, this policy is normally paired with an MFA registration policy. Password Protection enforces the global banned list plus a tenant-defined custom banned list (common passwords or company-specific terms) at the time of password change or reset, blocking weak passwords before they are set.

Exam trap

The trap here is that candidates confuse Identity Protection with Conditional Access, assuming risk-based policies are the same as password change triggers, or they think Password Protection is part of MFA or PIM, when in fact it is a separate feature focused solely on password content validation.

How to eliminate wrong answers

Option B is wrong because Conditional Access controls access policies (e.g., requiring MFA based on risk) but does not manage password change triggers or banned password lists; Multi-Factor Authentication adds a second verification factor but does not detect credential compromise or enforce password bans. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not password policies or compromise detection; Identity Governance handles access certifications and lifecycle, not password change logic. Option D is wrong because Access Reviews are for periodic recertification of group memberships or application access, and Entitlement Management manages access packages and catalogs; neither feature triggers password changes based on compromise likelihood or enforces custom banned password lists.
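
The scoring that decides whether Password Protection rejects a password is worth seeing once. The following is an added example, not code from this page or from Microsoft: a Python model of the documented evaluation steps (normalize, find banned terms, score one point per banned term plus one per remaining character, reject below five points). The banned lists are constructed; the longest-first token matching is an assumption of the model, and the service's fuzzy matching and its checks against the user's own name and tenant name are left out.

```python
"""Illustrative model of the Entra Password Protection evaluation steps:
normalize, find banned tokens, score, reject below 5 points. Constructed
example following the public documentation at a high level; it is not
Microsoft's code. Fuzzy (edit-distance-one) matching and the user's own
name/tenant name tokens, which the real service also checks, are omitted."""
from typing import List, Optional, Tuple

# Documented normalization: lowercase, then common substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed lists: a tenant's custom banned terms and a few global examples.
CUSTOM_BANNED = ["contoso", "blank", "fabrikam"]
GLOBAL_BANNED = ["password", "qwerty", "letmein"]

MIN_SCORE = 5  # documented: a password scoring fewer than 5 points is rejected


def normalize(password: str) -> str:
    """Lowercase and apply the documented character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned_tokens(normalized: str, banned: List[str]) -> List[Tuple[int, int, str]]:
    """Return non-overlapping (start, end, term) spans of banned terms.

    Longer terms are tried first so that 'contoso' is not eaten by a shorter
    overlapping term; this left-to-right, longest-first choice is an
    assumption of this model, not documented behaviour."""
    spans = []
    taken = [False] * len(normalized)
    for term in sorted(set(banned), key=len, reverse=True):
        start = normalized.find(term)
        while start != -1:
            end = start + len(term)
            if not any(taken[start:end]):
                spans.append((start, end, term))
                for i in range(start, end):
                    taken[i] = True
            start = normalized.find(term, start + 1)
    return sorted(spans)


def score_password(password: str, banned: Optional[List[str]] = None) -> Tuple[int, List[str]]:
    """Score = 1 point per banned term found + 1 point per character not in one."""
    banned = banned if banned is not None else CUSTOM_BANNED + GLOBAL_BANNED
    normalized = normalize(password)
    spans = find_banned_tokens(normalized, banned)
    banned_chars = sum(end - start for start, end, _ in spans)
    score = len(spans) + (len(normalized) - banned_chars)
    return score, [term for _, _, term in spans]


def is_accepted(password: str, banned: Optional[List[str]] = None) -> bool:
    return score_password(password, banned)[0] >= MIN_SCORE


if __name__ == "__main__":
    for pw in ["C0ntos0Blank12", "ContoS0Bl@nkf9!", "P@ssw0rd"]:
        score, terms = score_password(pw)
        verdict = "accepted" if score >= MIN_SCORE else "rejected"
        print(f"{pw!r}: banned terms={terms} score={score} -> {verdict}")
```

Run it and 'C0ntos0Blank12' scores 4 and is rejected even though it is 14 characters long; that is the point of token-based scoring, since padding around a banned term does not rescue the password, while 'ContoS0Bl@nkf9!' reaches 5 because three characters sit outside any banned term.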

523
MCQeasy

You work at a mid-sized company that uses Microsoft Defender for Business (a subscription included with Microsoft 365 Business Premium). The company has 300 devices enrolled in Microsoft Intune. Recently, a malware outbreak occurred on several devices. You need to implement a solution that automatically remediates devices that are found to be infected with malware. The solution should isolate the device from the network and run a full scan. Which action should you take?

A.Create a Conditional Access policy to block access for devices with malware.
B.Create an Intune compliance policy to mark devices as non-compliant if malware is detected.
C.Enable automatic investigation and remediation in Microsoft Defender for Business.
D.Configure Microsoft Defender Antivirus to run a weekly scan.
AnswerC

Defender for Business automatically investigates and remediates threats including isolation and scan.

Why this answer

Option C is correct because Defender for Business includes automated investigation and response (AIR), which investigates alerts and can take remediation actions such as isolating the device and running a scan without an analyst stepping in. Option B is wrong because an Intune compliance policy only marks the device non-compliant; it does not isolate or scan it. Option A is wrong because Conditional Access controls access to cloud resources based on device state and does nothing to remediate the device itself. Option D is wrong because a scheduled weekly scan is a baseline setting, not an automated response to a detection.

524
MCQeasy

A security operations team uses Microsoft Sentinel to centralize security log analysis. They need to ingest logs from a third-party firewall that does not have a native connector. What should the team use to bring the firewall logs into Microsoft Sentinel?

A.Data connectors
B.Playbooks
C.Workbooks
D.Analytics rules
AnswerA

Data connectors are the feature that collects logs from various sources into Sentinel. For unsupported devices, Syslog or CEF connectors can be used.

Why this answer

Microsoft Sentinel uses data connectors to ingest logs from many sources, including third-party devices that have no native connector. For such a firewall the team uses the Common Event Format (CEF) or Syslog connector; both are data connectors that rely on a Linux log forwarder running the Azure Monitor Agent, listening on TCP/UDP 514 by default, to which the firewall sends its logs over Syslog. CEF-formatted events are parsed into the CommonSecurityLog table and plain Syslog into the Syslog table of the Log Analytics workspace. Prefer CEF where the firewall supports it, because the fields arrive already normalized rather than as free text that needs a custom parser.

Exam trap

The trap here is that candidates confuse data connectors (which handle ingestion) with playbooks or workbooks (which handle response or visualization), leading them to select a post-ingestion tool instead of the correct ingestion method.

How to eliminate wrong answers

Option B is wrong because playbooks are automated response workflows based on Azure Logic Apps, used for incident response and remediation, not for log ingestion. Option C is wrong because workbooks are interactive dashboards for visualizing and analyzing data already in Sentinel, not a mechanism to bring data in. Option D is wrong because analytics rules are detection rules that generate alerts based on ingested data, not a method for importing logs.
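
What the CEF connector actually receives is a syslog-framed line that the agent splits into CommonSecurityLog columns. The following added example (constructed; not Microsoft's parser and not code from this page) parses one such line in Python, handling the escaping rules that trip up misconfigured forwarders: '\|' and '\\' in the header, '\=' in extension values. The sample line, vendor and hostname are invented; the column names for the keys used (src to SourceIP, dpt to DestinationPort and so on) follow the CommonSecurityLog schema, while SyslogHost, SyslogFacility and SyslogSeverity are this example's own names for the syslog framing.

```python
"""Constructed example: parse one CEF-over-syslog line into the CommonSecurityLog
column names a Sentinel CEF connector would populate. Not Microsoft's parser."""
import re
from typing import Dict, List, Tuple

# RFC 3164-style syslog framing ahead of the CEF message (assumption of this example).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<cef>CEF:.*)$"
)
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]
# CEF extension key -> CommonSecurityLog column, for the keys this sample uses.
EXTENSION_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
                     "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
                     "msg": "Message"}
INT_COLUMNS = {"SourcePort", "DestinationPort", "LogSeverity"}
# An extension key starts the string or follows whitespace and is followed by '='.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Constructed sample from an invented firewall; note the escaped '|' and '='.
SAMPLE = (r"<134>Jan 10 03:02:11 fw01 CEF:0|Contoso|NGFW|4.2|100|Traffic denied \| policy 12|7|"
          r"src=203.0.113.45 spt=51522 dst=10.0.0.5 dpt=445 proto=TCP act=deny "
          r"msg=SMB inbound blocked\=yes")


def split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Return the 7 pipe-delimited header fields and the raw extension.
    In the header only '\\|' and '\\\\' are escapes; an unescaped '|' in a
    vendor's event name shifts every following field, a common forwarder bug."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value' pairs; values may contain spaces, and '\\=', '\\\\',
    '\\n', '\\r' are escapes inside values."""
    keys = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef_syslog(line: str) -> Dict[str, object]:
    """Syslog-framed CEF line -> dict keyed like CommonSecurityLog columns.
    SyslogHost/SyslogFacility/SyslogSeverity are this example's own names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-framed CEF line")
    header, ext = split_cef_header(m.group("cef"))
    if not header[0].startswith("CEF:"):
        raise ValueError("missing CEF version prefix")
    pri = int(m.group("pri"))
    record: Dict[str, object] = {
        "SyslogHost": m.group("host"),
        "SyslogFacility": pri >> 3,   # RFC 3164: PRI = facility * 8 + severity
        "SyslogSeverity": pri & 7,
        "CEFVersion": header[0][4:],
    }
    record.update(zip(HEADER_COLUMNS, header[1:]))
    for key, value in parse_extension(ext).items():
        record[EXTENSION_COLUMNS.get(key, key)] = value  # unmapped keys keep their CEF name
    for col in INT_COLUMNS:
        if col in record:
            record[col] = int(record[col])
    return record


if __name__ == "__main__":
    for col, val in parse_cef_syslog(SAMPLE).items():
        print(f"{col:18} {val!r}")
```

The header split raises on anything other than seven fields, which is the check to add to a forwarder test before pointing a new firewall at Sentinel: a device that emits an unescaped pipe in its event names will otherwise land in CommonSecurityLog with the severity in the Activity column and every analytics rule keyed on DeviceEventClassID silently misfiring.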

525
MCQhard

A security operations center (SOC) team uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. They notice an alert about a user accessing a sensitive HR application from an unusual IP address at 3 AM. What does UEBA primarily use to detect this anomaly?

A.Static rule-based thresholds defined by the SOC
B.Manual input from the SOC team
C.Historical behavior baselines and machine learning
D.Threat intelligence feeds from Microsoft
AnswerC

UEBA uses ML to learn normal patterns and flag anomalies.

Why this answer

UEBA builds a baseline of normal behavior for each user and entity over time and uses machine learning to score deviations from that baseline, such as a sign-in at 3 AM from an IP address the user has never used. Option A is wrong because static thresholds do not adapt to an individual user's patterns. Option D is wrong because threat intelligence feeds are external indicators, not behavioral baselines. Option B is wrong because manual analyst input is not the primary detection mechanism.
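
To make the distinction between a learned baseline and a static threshold concrete, here is an added toy scorer over constructed sign-in records. It is not Sentinel's UEBA model, which uses many more features and peer-group comparison, and it is not code from this page; the users, IP addresses, weights and threshold are all invented for illustration.

```python
"""Toy per-user behavioral baseline versus a static rule. Constructed
illustration of the UEBA idea, not Microsoft Sentinel's model."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, int, str, str]  # (user, hour_of_day, source_ip, app)


def sessions(user: str, hours, ip: str, app: str, repeats: int) -> List[Event]:
    return [(user, h, ip, app) for _ in range(repeats) for h in hours]


# Constructed history: alice works 9-to-5 from the office range; bob is a
# night-shift SOC analyst who normally signs in between 01:00 and 05:00.
HISTORY: List[Event] = (
    sessions("alice", (8, 9, 10, 11, 13, 14, 15, 16, 17), "198.51.100.10", "HR-Portal", 4)
    + sessions("bob", (1, 2, 3, 4, 5), "198.51.100.22", "Sentinel", 6)
)

THRESHOLD = 3.0  # invented cut-off for the illustrative score


class UserBaseline:
    """Learned profile: hour-of-day histogram plus known IPs and apps."""

    def __init__(self) -> None:
        self.hours: Counter = Counter()
        self.ips: Counter = Counter()
        self.apps: Counter = Counter()
        self.total = 0

    def add(self, hour: int, ip: str, app: str) -> None:
        self.hours[hour] += 1
        self.ips[ip] += 1
        self.apps[app] += 1
        self.total += 1

    def hour_prob(self, hour: int, window: int = 1) -> float:
        """Share of this user's sign-ins within +/- window hours (wrapping at
        midnight), with add-one smoothing so an unseen hour is rare, not impossible."""
        seen = sum(self.hours[(hour + d) % 24] for d in range(-window, window + 1))
        return (seen + 1) / (self.total + 24)


def build_baselines(history: List[Event]) -> Dict[str, UserBaseline]:
    baselines: Dict[str, UserBaseline] = defaultdict(UserBaseline)
    for user, hour, ip, app in history:
        baselines[user].add(hour, ip, app)
    return baselines


def baseline_score(profile: UserBaseline, hour: int, ip: str, app: str) -> float:
    """Anomaly score relative to THIS user's history; the weights are invented."""
    score = -math.log(profile.hour_prob(hour))      # rare hour for this user
    score += 2.0 if ip not in profile.ips else 0.0   # never-seen source IP
    score += 1.5 if app not in profile.apps else 0.0 # never-seen application
    return round(score, 2)


def static_rule(hour: int, ip: str) -> bool:
    """The hard-coded alternative: flag anything outside 06:00-20:00 or
    outside the office address range, regardless of who the user is."""
    return not (6 <= hour <= 20) or not ip.startswith("198.51.100.")


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    checks = [
        ("bob", 3, "198.51.100.22", "Sentinel"),   # routine for bob
        ("bob", 14, "198.51.100.22", "Sentinel"),  # odd for bob, fine for the static rule
        ("alice", 3, "203.0.113.9", "HR-Portal"),  # the scenario in the question
    ]
    for user, hour, ip, app in checks:
        s = baseline_score(baselines[user], hour, ip, app)
        print(f"{user} {hour:02d}:00 {ip}: baseline={s} flagged={s >= THRESHOLD} "
              f"static={static_rule(hour, ip)}")
```

The three checks show why the answer is the baseline: the static rule fires on bob's routine 3 AM sign-in (a false positive) and stays silent on his 2 PM sign-in (a miss), while the per-user baseline gets both right and still flags alice's 3 AM sign-in from an unseen address.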
