Microsoft Security, Compliance, and Identity Fundamentals SC-900 (SC-900) — Questions 526–600

1411 questions total · 19 pages · All types, answers revealed

Page 8 of 19
526
MCQ (hard)

A company wants to monitor Microsoft Teams messages and corporate emails for policy violations related to potential harassment and inappropriate behavior. They need a solution that allows them to define policies with conditions (e.g., keywords, patterns), automatically flag suspicious conversations, and optionally send notifications to the sender or escalate to a reviewer. Additionally, they need the ability to train employees when a minor violation is detected. Which Microsoft Purview solution should they use?

A. Data Loss Prevention (DLP)
B. Communication Compliance
C. Information Protection
D. Audit
Answer: B

Correct. Communication Compliance provides policy-based monitoring of communications to detect regulatory and code-of-conduct violations, with flexible remediation including training messages.

Why this answer

Communication Compliance is the correct solution because it is specifically designed to detect policy violations in Microsoft Teams messages and corporate emails by scanning for keywords, patterns, and other conditions. It can automatically flag suspicious conversations, send notifications to the sender, escalate to a reviewer, and even train employees on minor violations through its built-in remediation workflows.

Exam trap

The trap here is that candidates often confuse Communication Compliance with Data Loss Prevention (DLP) because both involve policy-based scanning of communications, but DLP lacks the behavioral monitoring, notification, and training capabilities required for harassment and inappropriate behavior scenarios.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) focuses on preventing the unauthorized sharing of sensitive data (e.g., credit card numbers, PII) and does not provide the employee training or escalation workflows for behavioral policy violations like harassment. Option C is wrong because Information Protection (e.g., sensitivity labels, encryption) is used to classify and protect data based on sensitivity, not to monitor communications for inappropriate behavior or enforce training. Option D is wrong because Audit (e.g., Microsoft 365 Audit log) only records user and admin activities for forensic investigation and cannot define policies, flag conversations, or send notifications for policy violations.

527
MCQ (easy)

A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?

A. Identification
B. Authentication
C. Authorization
D. Non-repudiation
Answer: C

Authorization is the process of verifying that an authenticated identity is allowed to perform a specific action or access a resource. The system checking the card ID against a list of authorized rooms is a classic example of authorization.

Why this answer

The system checks the ID number against a list of authorized rooms to determine what action (unlocking the door) the guest is allowed to perform. This is the definition of authorization: granting or denying access rights based on verified identity. Authentication (proving who you are) has already occurred when the card was issued or when the system reads the ID; the check against the list is purely about permissions.

Exam trap

The trap here is that candidates confuse 'checking the ID' with authentication, but the scenario explicitly states the ID is already read and the check is against a list of authorized rooms, which is a permission check, not a proof-of-identity check.

How to eliminate wrong answers

Option A is wrong because identification is the act of claiming an identity (e.g., presenting the card ID), not verifying permissions. Option B is wrong because authentication is the process of verifying that the ID belongs to a valid entity (e.g., checking the card's cryptographic signature or PIN), not checking what that entity is allowed to do. Option D is wrong because non-repudiation ensures that a party cannot deny an action (e.g., using digital signatures or audit logs), which is not involved in a simple door lock check.

528
MCQ (medium)

A healthcare organization must comply with HIPAA. They need to automatically detect protected health information (PHI) such as medical record numbers in outgoing email, prevent users from sharing these emails with unauthorized external recipients, and apply a retention label that retains PHI emails for six years. Which Microsoft Purview solution should they use?

A. Microsoft Purview Data Loss Prevention (DLP)
B. Microsoft Purview Information Protection (sensitivity labels)
C. Microsoft Purview Data Lifecycle Management (retention policies)
D. Microsoft Purview Audit
Answer: A

DLP policies can be configured to scan Exchange Online emails for PHI, automatically block unauthorized sharing, and apply a retention label via an associated policy action. This meets all the stated requirements.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it can automatically detect sensitive data like PHI (e.g., medical record numbers) in outgoing emails using built-in or custom sensitive info types, block unauthorized external sharing, and trigger a retention label action via auto-labeling policies to retain the emails for six years. DLP policies integrate with Exchange Online to inspect email content in transit, apply access restrictions, and enforce retention labels through Power Automate or auto-labeling rules.

Exam trap

The trap here is that candidates confuse the detection and blocking capability of DLP with the classification-only capability of Information Protection (sensitivity labels), or they incorrectly think Data Lifecycle Management alone can enforce access controls, when in fact DLP is the only solution that combines content inspection, real-time blocking, and label application in a single policy.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Information Protection (sensitivity labels) can classify and protect data with encryption or markings, but it cannot automatically detect PHI in outgoing email and block sharing with unauthorized external recipients—that requires DLP policy actions. Option C is wrong because Microsoft Purview Data Lifecycle Management (retention policies) can retain emails for six years, but it cannot detect PHI or prevent sharing; it only manages retention and deletion. Option D is wrong because Microsoft Purview Audit logs user and admin activities for forensic investigation, but it cannot detect PHI in real-time, block email sharing, or apply retention labels.

529
MCQ (easy)

A healthcare company stores patient records in an Azure SQL database. To protect the data, they enable Transparent Data Encryption (TDE) for the database and require all client connections to use TLS. Which security goal is being primarily addressed by these measures?

A. Integrity
B. Confidentiality
C. Availability
D. Non-repudiation
Answer: B

Confidentiality ensures that data is accessible only to authorized users. Encryption at rest (TDE) and in transit (TLS) protect the data from being read by unauthorized parties, directly addressing confidentiality.

Why this answer

Transparent Data Encryption (TDE) encrypts data at rest in the Azure SQL database, ensuring that even if the physical storage media is compromised, the data remains unreadable. Requiring TLS for client connections encrypts data in transit, preventing eavesdropping or interception. Both measures directly protect the confidentiality of patient records by preventing unauthorized access to the data.

Exam trap

The trap here is that candidates may confuse encryption (which protects confidentiality) with integrity or non-repudiation, especially when TLS is involved. TLS primarily provides confidentiality; the integrity it adds via MACs is a secondary property and is not the primary goal in this context.

How to eliminate wrong answers

Option A is wrong because integrity is about ensuring data has not been tampered with, which is typically addressed by hashing or digital signatures, not by encryption alone. Option C is wrong because availability refers to ensuring systems and data are accessible when needed, which is achieved through redundancy, backups, and disaster recovery, not encryption. Option D is wrong because non-repudiation ensures that an action cannot be denied, usually via digital signatures or audit logs, not by encrypting data at rest or in transit.

530
Multi-Select (medium)

Which TWO of the following are capabilities of Microsoft Purview Communication Compliance? (Select TWO.)

Select 2 answers
A. Enforce company policies on communication channels
B. Detect offensive language in emails and Teams messages
C. Automatically apply sensitivity labels to documents
D. Prevent sharing of credit card numbers via email
E. Place legal holds on user mailboxes
Answers: A, B

Communication Compliance enforces communication policies.

Why this answer

Options A and B are correct because Communication Compliance can detect inappropriate content, such as offensive language, and enforce communication policies. Option C is wrong because auto-labeling is part of Information Protection. Option D is wrong because preventing the sharing of credit card numbers is a DLP capability. Option E is wrong because legal holds are handled by eDiscovery.

531
MCQ (medium)

Your organization uses Microsoft Defender for Office 365. Users report receiving phishing emails that bypassed the default anti-phishing policy. What should you do to improve protection?

A. Create a custom anti-phishing policy.
B. Enable Safe Attachments.
C. Configure anti-malware policy.
D. Increase the spam confidence level (SCL) threshold.
Answer: A

Custom policies can include impersonation protection and advanced settings.

Why this answer

Option A is correct: create a custom anti-phishing policy with stricter settings, such as impersonation protection. Option B is wrong because Safe Attachments is for attachment scanning. Option C is wrong because an anti-malware policy targets malware, not phishing. Option D is wrong because the spam confidence level (SCL) threshold applies to spam filtering, not phishing.

532
MCQ (easy)

Your organization wants to enforce MFA for all users accessing the Azure portal. However, users accessing from the corporate office network should not be prompted for MFA. Which Conditional Access assignment should you configure?

A. Include all users, include trusted locations.
B. Include all trusted locations.
C. Include Azure portal app, exclude trusted locations.
D. Include all locations, exclude trusted locations.
Answer: D

This ensures MFA is required from untrusted locations, but not from corporate network.

Why this answer

Option D is correct because Conditional Access policies evaluate assignments based on conditions such as user, app, and location. To enforce MFA for all users accessing the Azure portal while excluding the corporate office network, you must include all users and the Azure portal app, then exclude trusted locations (the corporate network). This ensures MFA is required only when access originates from outside the trusted corporate network.

Exam trap

The trap here is that candidates often confuse 'include' and 'exclude' assignments, mistakenly thinking that including trusted locations will skip MFA, when in fact you must exclude trusted locations to bypass MFA from those networks.

How to eliminate wrong answers

Option A is wrong because it includes all users and includes trusted locations, which would require MFA even from the corporate network, contradicting the requirement to skip MFA from trusted locations. Option B is wrong because it only includes trusted locations, which does not specify which users or apps are targeted, leaving the policy incomplete and ineffective. Option C is wrong because it includes the Azure portal app but excludes trusted locations, yet it omits the user assignment (e.g., 'all users'), so the policy would not apply to any user.

533
MCQ (medium)

A multinational company uses Microsoft 365 and has a retention policy that automatically applies a 7-year retention label to any document containing a credit card number. The retention label must be automatically applied at the time the document is created or modified. Which Microsoft Purview solution should the administrator use to configure this automatic labeling rule?

A. Microsoft Purview Data Lifecycle Management
B. Microsoft Purview Retention Policy
C. Microsoft Purview Sensitivity Labels
D. Microsoft Purview eDiscovery
Answer: A

Data Lifecycle Management provides retention labels and auto-labeling policies that can automatically apply retention labels based on conditions such as sensitive information types, keywords, or trainable classifiers.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly known as Microsoft 365 Records Management) is the correct solution because it provides the ability to create and apply retention labels automatically based on sensitive information types, such as credit card numbers, using auto-labeling policies. This ensures that the retention label is applied at the time of document creation or modification, meeting the requirement for automatic application without user intervention.

Exam trap

The trap here is that candidates confuse 'Retention Policy' (which applies at the container level) with 'Retention Labels' (which can be auto-applied at the item level), leading them to select Option B, but the question specifically requires automatic labeling based on content, which only Data Lifecycle Management supports.

How to eliminate wrong answers

Option B is wrong because a Microsoft Purview Retention Policy applies retention settings at the container level (e.g., entire site or mailbox) and cannot be configured to automatically apply a specific retention label based on content containing a credit card number; it lacks the granularity for content-based auto-labeling. Option C is wrong because Sensitivity Labels are designed for classification and protection (e.g., encryption, access restrictions) based on sensitivity, not for retention duration; while they can be auto-applied, they do not enforce a 7-year retention period by default. Option D is wrong because Microsoft Purview eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for configuring automatic retention label application based on content detection.

534
Multi-Select (medium)

Which TWO are capabilities of Microsoft Defender for Office 365?

Select 2 answers
A. Safe Attachments
B. Attack surface reduction rules
C. Multi-factor authentication enforcement
D. Safe Links
E. Device compliance policies
Answers: A, D

Safe Attachments scans email attachments for malware.

Why this answer

Safe Attachments is a core capability of Microsoft Defender for Office 365 that uses a detonation chamber environment to open and analyze email attachments in real time before delivery. If malicious behavior is detected, the attachment is blocked or replaced with a warning file, protecting users from zero-day threats and advanced malware.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint or broader Microsoft 365 security features, leading them to select attack surface reduction rules (an endpoint protection feature) or device compliance policies (an Intune feature) instead of the email-specific Safe Attachments and Safe Links.

535
MCQ (easy)

A company wants to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. Which identity feature should they use to require a second form of verification?

A. Microsoft Authenticator
B. Self-service password reset
C. Conditional Access
D. Multi-factor authentication
Answer: D

MFA requires a second form of verification, such as a phone call or app notification.

Why this answer

Multi-factor authentication (MFA) is the correct answer because it requires a second form of verification, such as a phone call or app notification, in addition to a password. Conditional Access is a policy engine that can enforce MFA but is not itself a verification method. Self-service password reset and Microsoft Authenticator are features that support MFA but are not the overarching concept.

536
MCQ (easy)

Your organization wants to enable single sign-on (SSO) for users accessing Microsoft 365 apps from unmanaged devices while enforcing multifactor authentication (MFA). Which Microsoft Entra feature should you configure?

A. Self-Service Password Reset (SSPR)
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Identity Protection
Answer: B

Conditional Access policies can enforce MFA and control access based on device compliance.

Why this answer

Conditional Access is the correct feature because it allows you to create policies that enforce specific access controls, such as requiring MFA, based on conditions like device state (unmanaged). By combining a device condition (e.g., 'Device is not compliant' or 'Device is unmanaged') with a grant control requiring MFA, you can achieve SSO for users while enforcing MFA on unmanaged devices. This directly addresses the requirement without affecting managed devices.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risk) with Conditional Access (which enforces policy), or mistakenly think SSPR or PIM can enforce MFA on unmanaged devices, when only Conditional Access provides the conditional logic to tie device state to authentication requirements.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) is a feature for users to reset their own passwords, not for enforcing MFA or controlling access based on device state. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not device-based access policies or MFA enforcement for all users. Option D is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not natively enforce MFA based on device management status; it can trigger Conditional Access policies but is not the policy engine itself.

537
MCQ (hard)

Refer to the exhibit. The JSON shows a Microsoft Purview retention policy configuration. After applying this policy, an administrator notices that emails in user mailboxes older than one year are being permanently deleted instead of being retained. Which setting should the administrator check first to resolve this issue?

A. The 'RetentionType' is set to 'KeepAndDelete', which deletes after the retention period.
B. The 'Locations' array does not include all necessary workloads.
C. The 'RetentionDuration' is too short for email retention.
D. The 'RetentionTrigger' should be 'When items were last modified' instead of 'created'.
Answer: A

KeepAndDelete deletes items after retention period.

Why this answer

Option A is correct because a 'RetentionType' of 'KeepAndDelete' means items are retained for the duration and then permanently deleted. Option B is wrong because the location list is correct. Option C is wrong because the duration is correctly set to 365 days. Option D is wrong because the trigger is valid.

538
MCQ (medium)

Your company is implementing data loss prevention (DLP) policies in Microsoft Purview. You need to prevent users from sharing credit card numbers via email. Which type of sensitive information type should you use in the DLP rule?

A. Custom keyword list
B. Built-in sensitive information type
C. Trainable classifier
D. Exact data match (EDM) based classification
Answer: B

Microsoft Purview includes a built-in type for credit card numbers.

Why this answer

Option B is correct because a built-in sensitive information type for credit card numbers is available. Option A is incorrect because a custom keyword list would be inefficient. Option C is incorrect because a trainable classifier is for custom classification. Option D is incorrect because exact data match (EDM) is for custom databases.

539
Multi-Select (hard)

A security administrator uses Microsoft Entra ID Protection to identify and respond to identity-based risks. Which two types of risk detections can be reviewed in Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A. Sign-in risk
B. User risk
C. Application permission risk
D. Device compliance risk
Answers: A, B

Sign-in risk detections include events such as impossible travel, anonymous IP addresses, and unfamiliar sign-in properties, which are evaluated by Identity Protection.

Why this answer

Microsoft Entra ID Protection evaluates identity-based risks by analyzing two primary detection types: sign-in risk and user risk. Sign-in risk assesses the probability that a specific authentication attempt is unauthorized, while user risk evaluates the likelihood that a user account has been compromised based on aggregated suspicious activities.

Exam trap

The trap here is that candidates often confuse risk detection types with other security features like device compliance or application permissions, but Entra ID Protection specifically focuses on sign-in and user risk detections only.

540
MCQ (hard)

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive information. You need to create a policy that prevents users from sharing credit card numbers via email, but allows them to share internally with other employees. The policy should also notify the user when an attempt is made to share externally. What should you configure?

A. Create a DLP policy with the condition 'Content contains credit card number' and action 'Block access to content' for all recipients.
B. Create a DLP policy with the condition 'Content contains credit card number' and action 'Block external sharing' but allow internal sharing, and enable user notifications.
C. Create a DLP policy with the condition 'Content contains credit card number' and action 'Allow override' with a business justification.
D. Create a DLP policy with the condition 'Content contains credit card number' and action 'Notify user with policy tip' but no blocking.
Answer: B

This meets all requirements.

Why this answer

Option B is correct because it uses the credit card number sensitive info type, blocks external sharing, allows internal sharing, and notifies the user. Option A is wrong because it blocks all sharing, including internal. Option C is wrong because it requires a user override and still blocks internal sharing. Option D is wrong because it only provides user education through a policy tip, with no blocking.

541
MCQ (medium)

A company has a Microsoft Entra ID tenant and an on-premises Active Directory Domain Services (AD DS) forest. They need to synchronize user accounts, groups, and passwords from AD DS to Microsoft Entra ID. Due to network restrictions, they prefer a lightweight agent that can be deployed on-premises and supports staging mode for testing. Which identity synchronization tool should they use?

A. Microsoft Entra Connect Sync
B. Microsoft Entra Connect Health
C. Microsoft Entra Cloud Sync
D. Microsoft Identity Manager (MIM)
Answer: A

Entra Connect Sync is the recommended tool for synchronizing a single AD DS forest to Microsoft Entra ID, offering staging mode and full identity sync.

Why this answer

Microsoft Entra Connect Sync is the correct choice because it is the full-featured synchronization tool that supports staging mode for testing and can be deployed as a lightweight agent on-premises. It synchronizes user accounts, groups, and passwords from AD DS to Microsoft Entra ID, including password hash synchronization, pass-through authentication, and federation integration, making it ideal for complex on-premises environments with network restrictions.

Exam trap

The trap here is that candidates confuse 'Cloud Sync' as the lightweight agent because it is simpler, but they overlook that Cloud Sync does not support staging mode, which is explicitly required in the question.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Connect Health is a monitoring and analytics tool, not a synchronization engine; it provides health insights for Entra Connect Sync but does not perform identity sync itself. Option C is wrong because Microsoft Entra Cloud Sync is a lightweight agent that syncs from AD DS to Entra ID but does not support staging mode; it is designed for simpler scenarios and lacks the full staging and testing capabilities of Entra Connect Sync. Option D is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution that can sync to Entra ID but is not a lightweight agent; it requires a full server deployment and does not natively support staging mode for Entra ID synchronization.

542
MCQ (medium)

Your company, Proseware, uses Microsoft Entra ID P2. You have a custom application that integrates with Microsoft Graph API to read user profiles. The application uses client credentials flow (application permissions). You need to ensure that the application can only read user profiles and not perform any other operations. Additionally, you want to review and approve the permissions periodically. What should you do?

A. Create a Conditional Access policy to restrict the app to read-only operations.
B. Enable Privileged Identity Management for the app and require approval for each API call.
C. Use delegated permissions for the application and assign users to the app role.
D. In Microsoft Entra ID, grant the application the User.Read.All permission and configure an access review for the application permissions.
Answer: D

This grants the minimal permission and enables periodic review.

Why this answer

Option D is correct because the application uses client credentials flow (application permissions), which requires granting an application permission like User.Read.All to read all user profiles. Configuring an access review for the application permissions in Microsoft Entra ID allows periodic review and approval of those permissions, meeting the requirement to ensure the app can only read user profiles and that permissions are reviewed periodically.

Exam trap

The trap here is that candidates may confuse Conditional Access policies or PIM with permission management, not realizing that application permissions in the client credentials flow are static and require access reviews for periodic oversight, not dynamic runtime controls.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control user sign-in and access conditions, not the scope of permissions granted to an application; they cannot restrict an app to read-only operations after permissions are granted. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation, not for requiring approval on each API call; it does not restrict the permissions of an application or approve individual API calls. Option C is wrong because delegated permissions operate on behalf of a signed-in user and are not suitable for a client credentials flow (application permissions) which runs without a user context; assigning users to an app role does not change the permission type.

543
MCQ (hard)

A government agency has extremely sensitive classified data that must be protected even from Microsoft. They require a solution where the encryption keys are stored and managed on-premises within their own hardware security module (HSM), ensuring that Microsoft cannot decrypt their data. Which Microsoft Purview solution should they implement?

A. Microsoft Purview Customer Key
B. Microsoft Purview Data Lifecycle Management
C. Microsoft Purview Information Protection
D. Microsoft Purview Communication Compliance
Answer: A

Correct. Customer Key allows the customer to hold their own encryption keys, ensuring Microsoft cannot decrypt the data.

Why this answer

Microsoft Purview Customer Key is the correct solution because it allows customers to provide and manage their own encryption keys using a hardware security module (HSM) on-premises. This ensures that Microsoft cannot access the encrypted data, as the keys are stored outside of Microsoft's control, meeting the requirement for protecting classified data even from Microsoft.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection (which handles data classification and labeling) with encryption key management, but Information Protection does not provide customer-controlled keys stored on-premises to prevent Microsoft from decrypting data.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Lifecycle Management handles retention and deletion policies for data, not encryption key management or control over Microsoft's access. Option C is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting data based on sensitivity, but it does not provide customer-managed encryption keys stored on-premises. Option D is wrong because Microsoft Purview Communication Compliance monitors communications for policy violations, such as insider trading or harassment, and has no role in encryption key management or preventing Microsoft from decrypting data.

544
MCQ (hard)

A multinational corporation must comply with the EU General Data Protection Regulation (GDPR). They need to respond to a data subject access request (DSAR) by searching for personal data across Exchange Online, SharePoint Online, and OneDrive for Business. Which Microsoft Purview solution should they use?

A. Data Lifecycle Management
B. Audit (Premium)
C. eDiscovery (Premium)
D. Data Loss Prevention (DLP)
Answer: C

eDiscovery can search across mailboxes, sites, and OneDrive to find personal data for DSARs.

Why this answer

Option C is correct because eDiscovery (Premium) can search across multiple data sources, including Exchange, SharePoint, and OneDrive, for DSARs. Option A is wrong because Data Lifecycle Management does not search content. Option B is wrong because Audit logs do not provide content search. Option D is wrong because Data Loss Prevention is for preventing data leaks, not searching.

545
MCQ (hard)

Refer to the exhibit. You are reviewing a Microsoft Purview classification rule. The rule is enabled and set to apply a sensitivity label. However, you notice that documents containing EU personal data are not being labeled automatically. What is the most likely cause?

A. The label ID is invalid
B. The rule does not include a condition to detect sensitive data
C. The rule status is Disabled
D. The rule is not scoped to SharePoint Online
Answer: B

Without a condition, the rule cannot match content.

Why this answer

Option B is correct because a classification rule requires a condition (such as a sensitive information type) to detect content. The exhibit shows no condition, so the rule will not trigger. Option A is wrong because the label ID is present. Option C is wrong because the rule status is Enabled, not Disabled. Option D is wrong because there is no indication of a scope issue.

546
MCQ (easy)

An organization wants to ensure that only managed and compliant devices can access corporate email in Exchange Online. Which Microsoft Entra ID Conditional Access policy setting should they use?

A. Require device to be marked as compliant
B. Require approved client app
C. Require hybrid Azure AD joined device
D. Require multi-factor authentication
Answer: A

Ensures only compliant devices can access.

Why this answer

Option A is correct: 'Require device to be marked as compliant' enforces device compliance. Option B is wrong because 'Require approved client app' operates at the app level. Option C is wrong because 'Require hybrid Azure AD joined device' targets domain-joined devices. Option D is wrong because 'Require multi-factor authentication' is about authentication, not device compliance.

547
MCQhard

A company uses Microsoft Purview. A compliance officer applies a retention label to a set of legal documents and configures the label to mark the items as records. After the label is applied, a user attempts to delete one of these documents from SharePoint Online. What will be the outcome?

A.The user is allowed to delete the document, but a copy is retained in a preservation hold.
B.The user receives an access denied error and cannot delete the document.
C.The document is deleted and immediately purged from the recycle bin.
D.The delete action is allowed but an audit event is generated and the document is still retained for the specified period.
AnswerB

Correct. A record label makes the item a formal record, preventing users from deleting or modifying it.

Why this answer

When a retention label is configured to mark items as records, the items become locked. In SharePoint Online a record cannot be deleted by users: the deletion is blocked with an error because the label's retention settings take precedence over the user's site permissions. Editing is also blocked while the record is locked; where record versioning is enabled, a user with edit permission can unlock the record to make changes, but even then deletion stays blocked. Regulatory records can neither be unlocked nor deleted.

Exam trap

The trap here is that candidates assume a retention label only retains content or only triggers audit events without blocking actions. Marking an item as a record blocks deletion outright. The further distinction to keep straight is record versus regulatory record: a record can be unlocked for editing and an admin can still change its label, whereas a regulatory record cannot be edited, unlocked, or have its label removed by anyone, global admins included.

How to eliminate wrong answers

Option A is wrong because marking an item as a record does not allow deletion with a copy retained in a preservation hold; instead, deletion is blocked entirely. Option C is wrong because the document is not deleted at all—records cannot be deleted or purged, even from the recycle bin. Option D is wrong because the delete action is not allowed; records are locked to prevent any modification or deletion, and audit events are secondary to the enforced block.

548
MCQmedium

Your organization, Fabrikam, has recently merged with another company. You need to provide seamless access to resources for users from both companies while maintaining separate identity directories. The users from the acquired company have their own Microsoft Entra ID tenant. You need to enable them to access applications in your tenant using their existing corporate credentials, without creating new accounts. Additionally, you want to enforce conditional access policies from your tenant for these users. Which approach should you use?

A.Create new user accounts in your tenant for the acquired company's users and assign them access.
B.Set up a federation trust between your tenant and the other company's on-premises Active Directory.
C.Use Microsoft Entra B2C to create a custom identity provider for the other company.
D.Use Microsoft Entra B2B collaboration to invite users from the other tenant as guest users, and apply conditional access policies to guest users.
AnswerD

B2B collaboration supports cross-tenant access with existing credentials and policy enforcement.

Why this answer

Microsoft Entra B2B collaboration allows you to invite external users from another Microsoft Entra tenant to access your applications using their own corporate identities. This meets the requirement of not creating new accounts, and because guest users are represented as user objects in your tenant, you can target them with your own Conditional Access policies. Cross-tenant access settings can additionally be configured to trust the partner tenant's MFA and compliant-device claims, so guests who already satisfied those controls at home are not prompted again. Option D is correct because it directly addresses seamless access across separate directories with policy control.

Exam trap

The trap here is confusing Microsoft Entra B2B collaboration (for business-to-business guest access with existing corporate identities) with Microsoft Entra B2C (for customer-facing identity management), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because creating new user accounts violates the requirement to use existing corporate credentials without creating new accounts. Option B is wrong because federation trust with on-premises Active Directory does not directly enable access to applications in your Microsoft Entra tenant for users from another Microsoft Entra tenant; it is used for hybrid identity scenarios with your own on-premises directory. Option C is wrong because Microsoft Entra B2C is designed for customer-facing identity management with social or local accounts, not for enabling access for users from another Microsoft Entra tenant using their existing corporate credentials.

549
MCQmedium

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team wants to detect when a user downloads a large number of files from a cloud storage app after hours, which may indicate data exfiltration. Which Microsoft security solution should be used to detect such anomalous behavior in cloud apps?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Cloud
AnswerC

Defender for Cloud Apps provides cloud access security broker capabilities, including anomaly detection for third-party SaaS apps.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) functionality, including built-in anomaly detection policies such as 'Unusual file download (by user)', 'Impossible travel', and 'Activity from anonymous IP addresses' that apply to connected third-party apps like Salesforce and Box. The anomaly detections learn a baseline of each user's normal activity over an initial learning period and raise an alert when a deviation such as a high-volume download occurs, which is a classic indicator of data exfiltration. Where a fixed rule is preferred, an activity policy can also alert when a user downloads more than a set number of files within a set time window.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Cloud, mistakenly thinking the latter covers SaaS app security, when in fact Defender for Cloud is focused on infrastructure workload protection (CSPM/CWPP) and not user behavior in cloud apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, not on detecting anomalous behavior across third-party SaaS apps like Salesforce or Box. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like pass-the-hash or Kerberos abuse, not user activity in cloud apps. Option D is wrong because Microsoft Defender for Cloud is designed for securing cloud workloads (VMs, containers, databases) in Azure and multi-cloud environments, not for detecting user-driven data exfiltration in SaaS applications.
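What a per-user download baseline looks like in code, as an added example that is not part of the original question bank and not Microsoft's product code. It models the idea behind the 'Unusual file download (by user)' detection: learn each user's hourly download volume during business hours, then flag an after-hours hour that exceeds the learned threshold, with a floor so that a user with sparse history cannot be flagged by a handful of files. The event field names, the business-hours range, and the constructed activity sample are assumptions; the real policy learns a richer baseline and scores activity rather than applying one fixed cut-off.

```python
"""Mass-download anomaly detection with a per-user baseline (added example).

Not Microsoft code. Field names, BUSINESS_HOURS and the constructed
activity sample are assumptions made for illustration.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 local time (assumed)


def build_sample_activity() -> List[Dict]:
    """Constructed activity log in a Defender for Cloud Apps-like shape:
    each entry is one file download from a cloud storage app."""
    events = []
    base = datetime(2024, 5, 6, 0, 0)           # a Monday
    for day in range(3):                        # three ordinary working days
        for hour in range(9, 17):
            for n in range(3):                  # dan: 3 downloads per hour
                events.append({"time": base + timedelta(days=day, hours=hour, minutes=n * 7),
                               "user": "dan@fabrikam.com", "app": "Box",
                               "activity": "FileDownloaded"})
            for n in range(2):                  # eve: 2 downloads per hour
                events.append({"time": base + timedelta(days=day, hours=hour, minutes=n * 11),
                               "user": "eve@fabrikam.com", "app": "Box",
                               "activity": "FileDownloaded"})
    for n in range(40):                         # dan at 23:00 on day 3: 40 downloads in one hour
        events.append({"time": base + timedelta(days=2, hours=23, minutes=n),
                       "user": "dan@fabrikam.com", "app": "Box", "activity": "FileDownloaded"})
    for n in range(3):                          # eve at 22:00: a few files, under any threshold
        events.append({"time": base + timedelta(days=2, hours=22, minutes=n * 5),
                       "user": "eve@fabrikam.com", "app": "Box", "activity": "FileDownloaded"})
    return events


def hourly_counts(events: List[Dict]) -> Dict[str, Counter]:
    """user -> Counter keyed by (date, hour) counting download events."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e["activity"] == "FileDownloaded":
            counts[e["user"]][(e["time"].date(), e["time"].hour)] += 1
    return counts


def detect_after_hours_mass_download(events: List[Dict], floor: int = 20,
                                     sigma: float = 3.0) -> List[Tuple[str, datetime, int, float]]:
    """Return (user, hour start, count, threshold) for after-hours hours whose
    download count exceeds max(floor, mean + sigma * stdev) computed over that
    user's business-hours buckets. The floor stops a flat or tiny baseline
    from turning three files into an alert."""
    findings = []
    for user, buckets in hourly_counts(events).items():
        baseline = [c for (_, hour), c in buckets.items() if hour in BUSINESS_HOURS]
        mean = statistics.mean(baseline) if baseline else 0.0
        stdev = statistics.pstdev(baseline) if len(baseline) > 1 else 0.0
        threshold = max(float(floor), mean + sigma * stdev)
        for (date, hour), count in sorted(buckets.items()):
            if hour not in BUSINESS_HOURS and count > threshold:
                findings.append((user, datetime(date.year, date.month, date.day, hour),
                                 count, threshold))
    return findings


if __name__ == "__main__":
    for user, when, count, thr in detect_after_hours_mass_download(build_sample_activity()):
        print(f"{user}: {count} downloads in the hour starting {when:%Y-%m-%d %H:%M} "
              f"(threshold {thr:.1f})")
```

Running it flags only dan's 23:00 burst; eve's three late files stay below the floor, which is the difference between a real exfiltration signal and a user finishing a task late.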

550
MCQmedium

A company must ensure that sensitive data in SharePoint Online is automatically classified and protected. They want to use built-in Microsoft Purview capabilities. Which feature should they implement?

A.Audit logs
B.Sensitivity labels
C.Data Loss Prevention policies
D.Retention policies
AnswerC

Automatically detect and protect sensitive data.

Why this answer

Option C is correct according to the key: Microsoft Purview Data Loss Prevention (DLP) policies detect sensitive information types in SharePoint Online content automatically and act on the matches (restrict sharing, show policy tips, notify). Option B (sensitivity labels) is the distractor the key intends, but be aware that sensitivity labels can also be applied automatically through auto-labeling policies and are what actually classify and encrypt content; on the exam, wording that stresses 'classify' usually points at labels, while wording that stresses 'prevent sharing or leakage' points at DLP. Option D is wrong because retention policies govern how long content is kept, not whether it is sensitive.

Option A is wrong because audit logs record activity but neither classify nor protect.

551
MCQeasy

A company uses Microsoft Entra ID. They want to allow employees to access the expense reporting application only from managed devices that are compliant with security policies and from trusted IP ranges. Additionally, if the user's sign-in risk is high, access must be blocked. Which of the following conditions should the administrator configure in a Conditional Access policy to enforce these requirements?

A.Only Device state and Locations
B.Only Sign-in risk and Device state
C.Device state, Locations, and Sign-in risk
D.Only Locations and Sign-in risk
AnswerC

All three conditions are needed: Device state for compliance, Locations for trusted IPs, and Sign-in risk for blocking high-risk sign-ins.

Why this answer

Option C is correct because the scenario requires three distinct conditions: device compliance (Device state), trusted network locations (Locations), and high sign-in risk (Sign-in risk). Conditional Access policies in Microsoft Entra ID combine these assignments to enforce granular access controls, and only by including all three can the administrator block access when the user's sign-in risk is high while also requiring a managed, compliant device and a trusted IP range. In the current portal, device compliance is enforced through the 'Require device to be marked as compliant' grant control (the legacy Device state condition was retired in favour of Filter for devices), but the exam still treats the three signals as separate conditions.

Exam trap

The trap here is that candidates often assume only two conditions are needed (e.g., device and location, or risk and device) and overlook the third, but the question explicitly lists three distinct requirements that must all be enforced simultaneously.

How to eliminate wrong answers

Option A is wrong because it omits Sign-in risk, which is explicitly required to block access when sign-in risk is high. Option B is wrong because it omits Locations, which is needed to restrict access to trusted IP ranges. Option D is wrong because it omits Device state, which is required to enforce access only from managed devices that are compliant with security policies.

552
MCQmedium

A security administrator at an organization using Microsoft Entra ID needs to automatically detect user sign-ins that exhibit risky behavior, such as signing in from a suspicious IP address or using leaked credentials. The administrator also wants the system to automatically calculate a risk level for each user and take actions like requiring a password reset when risk is high. Which Microsoft Entra ID feature should the administrator use?

A.Identity Protection
B.Privileged Identity Management (PIM)
C.Conditional Access
D.Identity Governance
AnswerA

Identity Protection detects and handles risky sign-ins and user behavior, providing automated risk-based remediation.

Why this answer

Microsoft Entra ID Protection is the correct feature because it automatically detects risky sign-in behaviors—such as sign-ins from suspicious IP addresses, anonymous IP addresses, or leaked credentials—and calculates a user risk level. It can then automatically trigger remediation actions like requiring a password reset when the risk level is high, directly matching the administrator's requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the enforcement layer that uses risk signals from Identity Protection—it does not perform the detection or risk calculation itself.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time privileged role activation, access reviews, and approval workflows for administrative roles, not on detecting risky sign-in behaviors or calculating user risk levels. Option C (Conditional Access) is wrong because Conditional Access is a policy engine that enforces access controls based on signals (like risk from Identity Protection), but it does not itself detect risky behavior or calculate risk levels—it relies on Identity Protection for those signals. Option D (Identity Governance) is wrong because Identity Governance handles access lifecycle management, entitlement reviews, and compliance reporting, not real-time risk detection or automated remediation of risky sign-ins.

553
MCQmedium

A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?

A.Identity Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerB

Conditional Access allows administrators to define policies that grant or block access based on conditions such as network location, requiring MFA when outside the corporate network.

Why this answer

Conditional Access is the correct choice because it allows administrators to define policies that enforce multi-factor authentication (MFA) based on specific conditions, such as network location. In this scenario, a Conditional Access policy can be configured to require MFA only when users access the financial application from outside the corporate network, using the 'Locations' condition to distinguish trusted IP ranges from external sign-ins. This granular control directly addresses the requirement without affecting internal access.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA triggers with Conditional Access's location-based MFA enforcement, assuming Identity Protection alone can enforce MFA based on network location, whereas it only provides risk signals that must be consumed by a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based tool that detects and responds to identity threats (e.g., leaked credentials, anomalous sign-ins) but does not natively enforce MFA based on network location; it can trigger MFA via Conditional Access integration, but it is not the feature itself. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not location-based MFA enforcement for all users. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, not to enforce multi-factor authentication based on network conditions.

554
MCQhard

A multinational organization uses Microsoft Entra ID for identity management. The security team wants to implement a Conditional Access policy that blocks access from untrusted locations unless the user's device is marked as compliant by Microsoft Intune. However, users traveling to trusted partner locations should be allowed access even if their device is non-compliant. Which two conditions should be configured in the policy?

A.Locations: All trusted locations; Grant: Require compliant device.
B.Locations: All trusted locations; Grant: Block access.
C.Locations: All locations, exclude trusted locations; Grant: Require compliant device.
D.Locations: All locations; Grant: Require compliant device.
AnswerC

This blocks untrusted locations unless device is compliant, but allows trusted locations regardless of compliance.

Why this answer

Option C is correct because the policy must block access from untrusted locations unless the device is compliant, while allowing access from trusted partner locations even if the device is non-compliant. By setting 'Locations: All locations' and excluding trusted locations, the policy applies only to untrusted locations. Then, 'Grant: Require compliant device' ensures that only compliant devices can access from those untrusted locations, meeting both requirements.

Exam trap

The trap here is that candidates often confuse 'exclude trusted locations' with 'include trusted locations,' leading them to choose options that incorrectly apply the policy to trusted locations instead of untrusted ones.

How to eliminate wrong answers

Option A is wrong because it applies the policy to all trusted locations, which would block non-compliant devices from trusted partner locations, contradicting the requirement to allow access from trusted locations even if non-compliant. Option B is wrong because it blocks access from all trusted locations entirely, which does not allow any access from trusted partner locations, regardless of device compliance. Option D is wrong because it applies the policy to all locations without excluding trusted locations, meaning non-compliant devices would be blocked from trusted partner locations as well, failing the requirement to allow access from those locations.
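The include/exclude logic behind questions 551, 553 and 554, as an added example that is not part of the original question bank and not Microsoft's code. It is a simplified policy engine: the Locations condition with exclusions winning over inclusions, the Sign-in risk condition, and the Block, Require compliant device and Require MFA grant controls, so the four option variants of question 554 can be compared on the same sign-ins. The Policy and SignIn types, the evaluate function, and the location names are assumptions for illustration; real policies are evaluated by the Microsoft Entra service, not by code you write.

```python
"""Simplified model of Microsoft Entra Conditional Access evaluation (added example).

Not Microsoft code. Policy, SignIn, evaluate and the location names are
assumptions used to illustrate questions 551, 553 and 554.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class SignIn:
    user: str
    app: str
    location: str                 # named location the source IP falls in
    device_compliant: bool        # Intune compliance state of the device
    risk: str = "none"            # Identity Protection sign-in risk: none/low/medium/high
    mfa_completed: bool = False   # True once the user has satisfied MFA


@dataclass
class Policy:
    name: str
    apps: set = field(default_factory=lambda: {"All"})
    include_locations: set = field(default_factory=lambda: {"All"})
    exclude_locations: set = field(default_factory=set)
    sign_in_risk: set = field(default_factory=set)   # empty set = condition not configured
    grant: str = "allow"          # allow | block | require_compliant | require_mfa


def in_scope(policy: Policy, s: SignIn) -> bool:
    """A policy applies only if every configured assignment matches.
    Exclusions win over inclusions, as in the Entra portal."""
    if "All" not in policy.apps and s.app not in policy.apps:
        return False
    if s.location in policy.exclude_locations:
        return False
    if "All" not in policy.include_locations and s.location not in policy.include_locations:
        return False
    if policy.sign_in_risk and s.risk not in policy.sign_in_risk:
        return False
    return True


def evaluate(policies, s: SignIn) -> Tuple[str, Optional[str]]:
    """Return ('allow'|'block', name of the deciding policy or None).

    A Block grant always wins; otherwise every applicable grant control must
    be satisfied. The real service prompts for MFA when 'require MFA' is
    unmet; here mfa_completed stands in for the outcome of that prompt."""
    applicable = [p for p in policies if in_scope(p, s)]
    for p in applicable:
        if p.grant == "block":
            return "block", p.name
    for p in applicable:
        if p.grant == "require_compliant" and not s.device_compliant:
            return "block", p.name
        if p.grant == "require_mfa" and not s.mfa_completed:
            return "block", p.name
    return "allow", None


TRUSTED = {"HQ-IPRange", "Partner-Site"}      # named locations marked as trusted (assumed)

# Question 554, option C: all locations, excluding trusted ones, require compliant device.
Q554_OPTION_C = Policy("Q554-C", exclude_locations=TRUSTED, grant="require_compliant")
# Question 554, option D: all locations, trusted ones included.
Q554_OPTION_D = Policy("Q554-D", grant="require_compliant")
# Question 553: MFA for the finance app only when outside the corporate network.
Q553_MFA_OUTSIDE = Policy("Q553", apps={"Finance"}, exclude_locations={"HQ-IPRange"},
                          grant="require_mfa")
# Question 551: block the expense app outright when sign-in risk is high.
Q551_BLOCK_HIGH_RISK = Policy("Q551-risk", apps={"Expenses"}, sign_in_risk={"high"},
                              grant="block")


def compare_q554() -> dict:
    """Same three sign-ins under option C and option D; only the partner case differs."""
    partner_noncompliant = SignIn("ana", "Finance", "Partner-Site", device_compliant=False)
    cafe_noncompliant = SignIn("ana", "Finance", "Cafe-WiFi", device_compliant=False)
    cafe_compliant = SignIn("ana", "Finance", "Cafe-WiFi", device_compliant=True)
    return {
        "partner_noncompliant": (evaluate([Q554_OPTION_C], partner_noncompliant)[0],
                                 evaluate([Q554_OPTION_D], partner_noncompliant)[0]),
        "cafe_noncompliant": (evaluate([Q554_OPTION_C], cafe_noncompliant)[0],
                              evaluate([Q554_OPTION_D], cafe_noncompliant)[0]),
        "cafe_compliant": (evaluate([Q554_OPTION_C], cafe_compliant)[0],
                           evaluate([Q554_OPTION_D], cafe_compliant)[0]),
    }


if __name__ == "__main__":
    for case, (c, d) in compare_q554().items():
        print(f"{case:22s} option C -> {c:5s} option D -> {d}")
```

The partner-site row is the whole point of question 554: under option C the trusted location is excluded, so the non-compliant device is allowed; under option D the same sign-in is blocked. The other two rows are identical under both options, which is why only the exclusion distinguishes the answers.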

555
MCQeasy

A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerC

Correct. Availability ensures that systems and data are accessible and usable when needed. Backups and disaster recovery are key controls to maintain availability.

Why this answer

Regular data backups and a disaster recovery plan directly ensure that critical systems and data can be restored and remain accessible after an outage. This aligns with the Availability principle of the CIA triad, which guarantees that authorized users have reliable access to resources when needed. In Azure, this is supported by services like Azure Backup and Azure Site Recovery, which provide automated backup and failover capabilities to maintain uptime.

Exam trap

The trap here is that candidates often confuse backups and disaster recovery with Confidentiality or Integrity, mistakenly thinking that protecting data copies implies preventing unauthorized access or tampering, rather than recognizing that the core goal is restoring access and system operation.

How to eliminate wrong answers

Option A is wrong because Confidentiality focuses on preventing unauthorized access to data (e.g., via encryption or access controls), not on restoring systems after an outage. Option B is wrong because Integrity ensures data is not tampered with or altered (e.g., via hashing or checksums), whereas backups address data recovery, not modification detection. Option D is wrong because Non-repudiation provides proof of origin or delivery of data (e.g., via digital signatures), which is unrelated to restoring system availability after a disaster.

556
MCQeasy

A company wants to allow employees to sign in using their Microsoft credentials (e.g., personal Outlook.com) to access internal applications. Which Microsoft Entra feature should be configured?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra device enrollment
C.Microsoft Entra hybrid identity
D.Microsoft Entra External ID
AnswerD

External ID supports consumer identities like Microsoft accounts.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) allows organizations to enable external users—including consumers with personal Microsoft accounts (e.g., Outlook.com)—to sign in to internal applications using their own credentials. This feature supports identity providers like Microsoft Accounts (MSA), Google, Facebook, and SAML/WS-Fed IdPs, making it the correct choice for allowing employees to use personal Outlook.com credentials for access.

Exam trap

The trap here is the naming. Microsoft Entra B2B collaboration is itself part of Microsoft Entra External ID, and a guest invited through B2B can already sign in with a personal Microsoft account, a Google account, or an email one-time passcode. The key treats External ID as the umbrella answer because the question is about consumer (personal) identities in general; candidates who pick B2B usually do so because they associate it only with work or school accounts from partner organizations.

How to eliminate wrong answers

Option A is marked wrong because the key reads Microsoft Entra B2B collaboration as the business-to-business scenario, in which partner employees access your resources with their work or school accounts, and reads External ID as the broader product that also covers personal Microsoft accounts and social identities. Option B is wrong because Microsoft Entra device enrollment registers devices (Windows, iOS, Android) for management and Conditional Access; it does not configure identity providers for sign-in. Option C is wrong because Microsoft Entra hybrid identity synchronizes on-premises Active Directory with Microsoft Entra ID to give one identity across a hybrid environment; it does not let external personal Microsoft accounts sign in to internal applications.

557
MCQeasy

Your organization, Fabrikam Inc., uses Microsoft 365 and has Microsoft Purview licensed. You need to implement a compliance solution to monitor and prevent the sharing of confidential financial data via email. Specifically, you want to: (1) Detect when users send emails containing financial account numbers (e.g., credit card numbers) to external recipients. (2) Automatically block such emails with a policy tip notifying the sender. (3) Allow the sender to override the block if they provide a business justification. (4) Create a report of all blocked emails for compliance review. Which Microsoft Purview feature should you configure?

A.Microsoft Purview Communication Compliance
B.Microsoft Purview Message Encryption
C.Microsoft Purview Data Loss Prevention (DLP)
D.Microsoft Purview Data Lifecycle Management
AnswerC

Correct: DLP policies can detect sensitive data, block emails, show policy tips, and allow override with justification.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive information types in email (here the built-in Credit Card Number type, which combines a digit pattern, a checksum, and nearby supporting keywords), apply a 'Block with override' action together with a policy tip, require a business justification for the override, and record every match in DLP alerts and incident reports for compliance review. Option A is wrong because Communication Compliance monitors for code-of-conduct violations, not data leakage. Option B is wrong because Message Encryption encrypts mail; it neither detects nor blocks content. Option D is wrong because Data Lifecycle Management is for retention, not real-time blocking.
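The rule in question 557 end to end, as an added example that is not part of the original question bank and not Microsoft's code: a credit-card sensitive information type built the way the built-in one is (digit pattern, Luhn checksum, supporting keyword in proximity), the external-recipient condition, the block-with-override action and its policy tip, and the incident rows a compliance reviewer would see. It also shows the detection step that question 550 relies on. ORG_DOMAIN, the Email and Incident types, the keyword list, the proximity window, and the sample messages are assumptions; the numbers used are the well-known 4111 test pattern, not real cards.

```python
"""Model of a DLP rule for credit card numbers sent externally (added example).

Not Microsoft code. ORG_DOMAIN, Email, Incident, SUPPORT_KEYWORDS, the
60-character proximity window and the sample messages are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORG_DOMAIN = "fabrikam.com"                      # assumed tenant domain
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SUPPORT_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "expiry", "cvv")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the same check the built-in Credit Card Number SIT applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Candidate numbers that pass the checksum and have a supporting keyword
    within 60 characters; a bare digit run on its own is not a match."""
    lowered = text.lower()
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            continue
        window = lowered[max(0, m.start() - 60): m.end() + 60]
        if any(k in window for k in SUPPORT_KEYWORDS):
            hits.append(digits)
    return hits


@dataclass
class Email:
    sender: str
    recipients: List[str]
    body: str


@dataclass
class Incident:
    sender: str
    external_recipients: List[str]
    matches: int
    action: str                          # "block" or "override"
    justification: Optional[str] = None


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def evaluate_email(mail: Email, incidents: List[Incident],
                   justification: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Apply the rule: card number AND external recipient -> block with a policy
    tip; the sender may override by giving a business justification. Every block
    and every override is appended to `incidents` for the compliance report."""
    cards = find_card_numbers(mail.body)
    external = [r for r in mail.recipients if is_external(r)]
    if not cards or not external:
        return "allow", None
    tip = (f"Policy tip: this message contains {len(cards)} credit card number(s) and is "
           f"addressed to external recipient(s) {', '.join(external)}.")
    if justification:
        incidents.append(Incident(mail.sender, external, len(cards), "override", justification))
        return "override", tip
    incidents.append(Incident(mail.sender, external, len(cards), "block"))
    return "block", tip


def incident_report(incidents: List[Incident]) -> List[Tuple[str, str, int, Optional[str]]]:
    """Flat rows for the compliance review in requirement (4)."""
    return [(i.sender, i.action, i.matches, i.justification) for i in incidents]


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test number with a supporting keyword nearby.
    mail = Email("joe@fabrikam.com", ["vendor@contoso.com"],
                 "Hi, our corporate credit card number is 4111 1111 1111 1111, expiry 05/27.")
    log: List[Incident] = []
    print(evaluate_email(mail, log))
    print(evaluate_email(mail, log, justification="Vendor payment approved by CFO"))
    print(incident_report(log))
```

Two details matter in practice and are easy to miss when reading the exam answer: the checksum plus keyword proximity is what keeps order numbers and phone numbers out of the match, and the override is not a silent allow, it is recorded with its justification so the report in requirement (4) shows who bypassed the block and why.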

558
MCQeasy

Your organization uses Microsoft Entra ID and needs to allow external partners to sign in using their own identity providers (e.g., Google or Facebook). Which Microsoft Entra feature should you configure?

A.Microsoft Entra Privileged Identity Management
B.Microsoft Entra External Identities (B2B collaboration)
C.Microsoft Entra Verified ID
D.Microsoft Entra Identity Protection
AnswerB

External Identities allows external users to sign in with their own identity providers.

Why this answer

Microsoft Entra External Identities (B2B collaboration) is the correct feature because it allows external partners to sign in using their own identity providers, such as Google or Facebook, through federation. B2B collaboration supports SAML/WS-Fed identity providers and social identity providers like Google, enabling guest users to access your organization's resources without needing a separate Microsoft account. This directly meets the requirement for external partner access with their own credentials.

Exam trap

The trap here is that candidates often confuse B2B collaboration with B2C (Azure AD B2C) or think PIM is needed for external access, but B2B collaboration is specifically designed for federating external identities from any IdP without requiring a separate directory.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is a feature for managing, controlling, and monitoring access to privileged roles within your own directory, not for enabling external identity providers. Option C is wrong because Microsoft Entra Verified ID is a decentralized identity solution based on verifiable credentials (W3C standards) for issuing and verifying claims, not for federating external sign-in with Google or Facebook. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies), not a feature for configuring external identity providers.

559
MCQhard

A legal department is preparing for litigation. They need to preserve all potentially relevant content in Exchange Online, SharePoint Online, and Teams to prevent deletion or modification. Additionally, they must search across these locations for specific keywords and export the results for external review. Which Microsoft Purview solution should they use?

A.eDiscovery (Standard)
B.Audit (Standard)
C.Data Lifecycle Management
D.Communication Compliance
AnswerA

eDiscovery (Standard) allows legal hold, search, and export of content across Exchange, SharePoint, Teams, and more for legal cases.

Why this answer

eDiscovery (Standard) is the correct solution because it provides the capabilities to place Exchange Online, SharePoint Online, and Teams content on legal hold to preserve it from deletion or modification, and it includes built-in search and export functions for litigation. This solution directly addresses the requirements for preservation, keyword search across multiple workloads, and export for external review.

Exam trap

The trap here is that candidates often confuse Audit (Standard) with eDiscovery because both are in the Purview compliance portal, but Audit only records events while eDiscovery provides the legal hold, search, and export actions required for litigation.

How to eliminate wrong answers

Option B (Audit (Standard)) is wrong because it only logs user and admin activities for security and compliance investigations, but it does not provide legal hold, content search, or export capabilities needed for litigation. Option C (Data Lifecycle Management) is wrong because it focuses on retention and deletion policies based on data governance rules, not on preserving content for a specific legal case or enabling search and export. Option D (Communication Compliance) is wrong because it is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) using policy templates, not to preserve all content for litigation or perform keyword search and export across multiple locations.

560
MCQmedium

A user reports frequent password reset requests. You suspect password spray attacks. Which Microsoft Entra ID feature should you use to investigate?

A.Identity Protection risk detections
B.Audit logs
C.Conditional Access policies
D.Multifactor authentication
AnswerA

Identity Protection detects password spray and other risks.

Why this answer

Identity Protection risk detections are the correct feature because they analyze sign-in patterns across the tenant and flag suspicious activity. A password spray attack tries a small number of common passwords against many accounts, so no single account shows much, and Identity Protection has a dedicated 'Password spray' risk detection for exactly that pattern, alongside detections such as 'Unfamiliar sign-in properties', 'Anonymous IP address', 'Malicious IP address', and 'Leaked credentials'. The detections feed the user risk and sign-in risk levels that Conditional Access can then act on.

Exam trap

The trap here is that candidates confuse the audit and sign-in logs (which record individual events) with Identity Protection risk detections (which correlate those events into a risk), leading them to pick Audit logs as the investigative tool for attack patterns.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra audit logs record directory changes (including password reset events) rather than correlating sign-in failures across accounts; they would show the reset events but not identify the spray, and even the sign-in logs list individual failures without tying them to one source. Option C is wrong because Conditional Access policies enforce access controls based on conditions (for example, require MFA) but provide no investigative insight into attack patterns. Option D is wrong because multifactor authentication is a preventive control that adds a second verification step, not a detective tool for analyzing sign-in anomalies.
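Why the correlation matters, as an added example that is not part of the original question bank and not Microsoft's code: Identity Protection's 'Password spray' detection is computed by the service, but the logic it rests on can be shown on a handful of sign-in events. The detector groups failures by source IP and looks for many distinct accounts with few attempts each inside a short window, which is the opposite shape from a brute force against one account, and reports any success from the same source in that window as a likely compromised account. The log format, field names, thresholds and the SAMPLE_LOG lines are constructed assumptions.

```python
"""Password spray detection over sign-in events (added example).

Not Microsoft code. The log shape, field names, thresholds and SAMPLE_LOG
are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in a sign-in-log-like shape: time,user,source IP,result
SAMPLE_LOG = """\
2024-05-01T02:00:01Z,alice@fabrikam.com,203.0.113.9,failure
2024-05-01T02:00:09Z,bob@fabrikam.com,203.0.113.9,failure
2024-05-01T02:00:17Z,carol@fabrikam.com,203.0.113.9,failure
2024-05-01T02:00:25Z,dave@fabrikam.com,203.0.113.9,failure
2024-05-01T02:00:33Z,erin@fabrikam.com,203.0.113.9,failure
2024-05-01T02:00:41Z,frank@fabrikam.com,203.0.113.9,failure
2024-05-01T02:03:02Z,alice@fabrikam.com,203.0.113.9,failure
2024-05-01T02:05:10Z,frank@fabrikam.com,203.0.113.9,success
2024-05-01T09:12:00Z,bob@fabrikam.com,198.51.100.7,failure
2024-05-01T09:12:20Z,bob@fabrikam.com,198.51.100.7,failure
2024-05-01T09:12:41Z,bob@fabrikam.com,198.51.100.7,failure
2024-05-01T09:13:05Z,bob@fabrikam.com,198.51.100.7,failure
2024-05-01T09:30:00Z,carol@fabrikam.com,192.0.2.5,success
"""


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events


def detect_password_spray(events: List[Dict], window: timedelta = timedelta(minutes=10),
                          min_users: int = 5, max_per_user: int = 3) -> List[Dict]:
    """One source IP, failures against many distinct accounts inside `window`,
    few attempts per account: that shape is a spray. Many failures on one
    account (the 198.51.100.7 lines) is a brute force and is left to lockout.
    A success from the same IP inside the window is a likely compromise."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["result"] == "failure"]
        best = None
        start = 0
        for end in range(len(fails)):                     # sliding window over failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                lo, hi = fails[start]["time"], fails[end]["time"] + window
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "success" and lo <= e["time"] <= hi})
                cand = {"ip": ip, "distinct_users": len(per_user), "failures": end - start + 1,
                        "first": lo, "last": fails[end]["time"], "successes": hits}
                if best is None or (cand["distinct_users"], cand["failures"]) > (
                        best["distinct_users"], best["failures"]):
                    best = cand
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['failures']} failures across {f['distinct_users']} accounts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}; "
              f"successes from same IP: {f['successes'] or 'none'}")
```

On the sample, 203.0.113.9 is reported with seven failures across six accounts and frank's later success from the same address, while bob's four failures from 198.51.100.7 are not: that is the distinction an audit log of password resets cannot make on its own.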

561
Multi-Selecthard

Which THREE actions can be performed using Microsoft Purview compliance portal?

Select 3 answers
A.Manage user licenses
B.Conduct eDiscovery searches
C.Create retention policies
D.Configure conditional access policies
E.Manage sensitivity labels
AnswersB, C, E

The compliance portal is where you run eDiscovery searches, create retention policies, and manage sensitivity labels; licensing and Conditional Access live elsewhere.

Why this answer

The compliance portal allows managing sensitivity labels, creating retention policies, and conducting eDiscovery searches. Managing user licenses is done in Microsoft 365 admin center; setting up conditional access is in Microsoft Entra ID.

562
MCQhard

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team needs to discover which unsanctioned cloud apps employees are using (Shadow IT). They also want to get a risk score for each app and receive alerts when a high-risk app is used. Which Microsoft security solution should they use?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud Apps
D.Microsoft Purview Compliance Manager
AnswerC

Defender for Cloud Apps includes Cloud Discovery, which identifies used apps, assigns risk scores, and alerts on high-risk app usage.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it is specifically designed for Cloud Access Security Broker (CASB) functions, including Shadow IT discovery, risk scoring of cloud apps, and policy-based alerts. Its Cloud Discovery feature analyzes traffic logs from firewalls and proxies (uploaded manually or through a log collector) or telemetry from Defender for Endpoint, matches the observed traffic against its cloud app catalog, and assigns each app a risk score based on factors such as compliance certifications, security controls, and legal standing. App connectors, by contrast, are used for the sanctioned apps you already know about. An app discovery policy can then alert when a high-risk app is used or when usage exceeds a threshold.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with other Defender products (Endpoint or Identity) because they all share the 'Defender' branding, but only Cloud Apps provides CASB capabilities for Shadow IT discovery and app risk scoring.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering unsanctioned cloud app usage or providing app-specific risk scores. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like pass-the-hash, not cloud app discovery or Shadow IT. Option D is wrong because Microsoft Purview Compliance Manager is a compliance management tool for assessing regulatory posture and managing controls, not for discovering unsanctioned cloud apps or generating risk scores for third-party SaaS applications.

563
MCQeasy

A security administrator needs to identify and remediate misconfigurations in Azure resources that could lead to security breaches. They want a central dashboard that provides a secure score based on security controls and recommendations. Which Microsoft solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Intune
AnswerA

Defender for Cloud provides a secure score and actionable recommendations to improve the security posture of cloud and hybrid resources.

Why this answer

Microsoft Defender for Cloud provides a centralized dashboard that continuously assesses Azure resources against security best practices, delivering a secure score based on implemented security controls and actionable recommendations. This directly matches the administrator's need to identify and remediate misconfigurations that could lead to breaches.

Exam trap

The trap here is confusing Microsoft Defender for Cloud's posture management and secure score with Microsoft Sentinel's threat detection capabilities, as both appear under the 'Microsoft security solutions' umbrella but serve fundamentally different purposes.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on threat detection, investigation, and response across the enterprise, not on providing a secure score or a resource misconfiguration dashboard. Option C is wrong because Microsoft 365 Defender (now Microsoft Defender XDR) is an extended detection and response (XDR) solution for Microsoft 365 workloads (email, endpoints, identities), not for Azure resource configuration assessment. Option D is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) service for managing endpoints and compliance policies, not for evaluating Azure resource security posture.

564
MCQhard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from copying credit card numbers from an internal web application to a personal cloud storage app. Which DLP policy setting should they configure?

A.Browser DLP
B.Exchange DLP
C.Teams DLP
D.Endpoint DLP with clipboard control
AnswerD

Endpoint DLP can restrict clipboard operations on Windows devices.

Why this answer

Endpoint DLP policies, applied to devices onboarded to Microsoft Purview, can audit or block clipboard operations, including copying sensitive data from a web page into an unallowed app or pasting it into a restricted cloud service domain. Option A is incorrect because 'browser DLP' is not a separate DLP location; browser activity such as uploads and copy actions is enforced by Endpoint DLP on the onboarded device (through Microsoft Edge natively, or the Microsoft Purview extension for other browsers). Option B is incorrect because Exchange DLP covers email in transit.

Option C is incorrect because Teams DLP covers Teams chats and channel messages.

565
MCQmedium

A compliance administrator creates a retention policy as shown in the exhibit. What is the overall effect of this policy on content in SharePoint Online?

A.Content is deleted immediately after 7 years from creation.
B.Content is automatically labeled after 7 years.
C.Content is retained indefinitely after 7 years.
D.Content is retained for 7 years and then automatically deleted.
AnswerD

The policy combines retention with a delete action at the end.

Why this answer

The policy retains content for 7 years from creation and then deletes it. 'RetentionAction' is 'Retain' and 'EndAction' is 'Delete'. Content is not permanently retained forever, nor is it deleted immediately. The policy applies to all locations specified.

566
MCQmedium

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. What should they configure?

A.App protection policy
B.Device enrollment restriction
C.Compliance policy and conditional access
D.Device configuration profile
AnswerC

Combination enforces access based on device compliance.

Why this answer

Option C is correct because combining a compliance policy (which checks the device OS version against a minimum requirement) with a Conditional Access policy (which blocks access if the device is non-compliant) is the standard Microsoft approach to enforce OS version requirements for accessing corporate email. The compliance policy marks devices below the minimum OS version as non-compliant, and the Conditional Access policy then denies access to Exchange Online or other corporate resources for those non-compliant devices.

Exam trap

The trap here is that candidates confuse Device enrollment restrictions (which set OS version limits at enrollment time) with Compliance policies (which enforce OS version requirements continuously after enrollment), leading them to pick Option B instead of C.

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how data is handled within apps (e.g., preventing copy/paste or requiring PIN) and do not enforce device-level OS version requirements; they apply to apps regardless of device management. Option B is wrong because Device enrollment restrictions control which devices can enroll in Intune (e.g., by platform or OS version during enrollment) but do not enforce ongoing OS version compliance for already enrolled devices accessing email. Option D is wrong because Device configuration profiles configure device settings (e.g., Wi-Fi, VPN, certificates) but do not enforce compliance checks or block access based on OS version; they are not used for conditional access decisions.

567
MCQeasy

A security architect is explaining the evolution of the security perimeter. They state that because users access corporate resources from anywhere on any device, the traditional network perimeter is no longer sufficient. What does the architect identify as the new primary security perimeter?

A.The cloud infrastructure
B.The data center
C.The identity
D.The endpoint
AnswerC

Identity is the new perimeter because it authenticates and authorizes every access request regardless of location or device.

Why this answer

In modern zero-trust architectures, identity is the new primary security perimeter because it enables granular access control regardless of network location. Since users access corporate resources from anywhere on any device, authentication and authorization (via protocols like OAuth 2.0, SAML, and OpenID Connect) become the decisive factor for granting access, rather than the traditional network boundary. This shift is foundational to Microsoft's identity-centric security model, where Azure AD (now Microsoft Entra ID) acts as the control plane for all resource access.

Exam trap

The trap here is that candidates often confuse the endpoint (the device) with identity, but the endpoint is merely a vector for identity claims—without identity as the authoritative control point, device-based security alone cannot prevent unauthorized access from a different user on the same device.

How to eliminate wrong answers

Option A is wrong because cloud infrastructure is a deployment model, not a security perimeter; it still relies on identity and access controls to secure resources within it. Option B is wrong because the data center is a physical or virtual location that assumes a trusted network boundary, which is no longer sufficient when users and devices are outside that boundary. Option D is wrong because the endpoint is just one component of the security stack; without identity-based authentication and conditional access policies, an endpoint alone cannot enforce who or what can access corporate resources.

568
Multi-Selecteasy

Which TWO features are included in Microsoft Entra ID P2 licensing?

Select 2 answers
A.Passwordless authentication
B.Multifactor authentication (MFA)
C.Single sign-on (SSO) to SaaS apps
D.Microsoft Entra Privileged Identity Management
E.Microsoft Entra Identity Protection
AnswersD, E

PIM and Identity Protection are both P2 features.

Why this answer

Microsoft Entra ID P2 licensing includes Microsoft Entra Privileged Identity Management (PIM), which provides just-in-time privileged access, time-bound role assignments, and approval workflows to manage, control, and monitor access to Azure AD and Azure resources. PIM is a P2-only feature that helps reduce standing administrative privileges and enhances security posture. Microsoft Entra Identity Protection, which detects and remediates identity-based risks such as leaked credentials and risky sign-ins, is likewise a P2 feature.

Exam trap

The trap here is that candidates often confuse features available in Microsoft Entra ID P1 (like MFA, SSO, and passwordless) with P2-exclusive features, forgetting that P2 adds only advanced identity protection and privileged identity management on top of P1.

569
MCQmedium

A company uses Microsoft Teams and wants to ensure that messages containing offensive language are flagged for review. Which Microsoft Purview solution should be used?

A.Microsoft Purview Information Barriers
B.Microsoft Purview Communication Compliance
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Audit
AnswerB

Communication Compliance uses classifiers to detect offensive language.

Why this answer

Option B is correct because Communication Compliance in Microsoft Purview uses built-in classifiers to detect offensive language in communications and routes matches to reviewers. Option A is wrong because Information Barriers restrict communication between segments of the organization. Option C is wrong because DLP protects data from loss, not language.

Option D is wrong because Audit logs activities but does not flag content.

570
Drag & Dropmedium

Order the steps to respond to a data breach using Microsoft 365 Defender incident response.


Why this order

Incident response typically starts with identification, isolation, investigation, containment, then remediation.

571
MCQmedium

Your organization is using Microsoft Sentinel as a SIEM. You want to automatically respond to a high-severity incident by opening a ticket in ServiceNow and notifying the security team via email. What should you create?

A.An automation rule
B.A workbook
C.An analytics rule
D.A watchlist
AnswerA

Automation rules run playbooks for response.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (Logic Apps) for incident response, such as opening a ServiceNow ticket and sending an email, when an incident matching the rule's conditions (for example, high severity) is created. Option B is wrong because workbooks are for visualization. Option C is wrong because analytics rules create incidents, not automated responses.

Option D is wrong because watchlists are reference data used for enrichment and correlation, not for automated response.

572
Multi-Selectmedium

Which TWO Microsoft Purview solutions can be used to protect sensitive data in Microsoft Teams?

Select 2 answers
A.Information barriers
B.Communication compliance
C.Data Loss Prevention (DLP)
D.Sensitivity labels
E.eDiscovery
AnswersC, D

DLP policies can block sharing of sensitive data in Teams.

Why this answer

Correct answers: C and D. DLP policies can prevent sharing of sensitive data in Teams messages. Sensitivity labels can classify and protect Teams files.

Option A is wrong because information barriers restrict communication between groups. Option B is wrong because communication compliance monitors for policy violations but does not protect data. Option E is wrong because eDiscovery is for search and export, not protection.

573
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to enable users to sign in using a QR code from the Microsoft Authenticator app. Which Microsoft Entra feature should you configure?

A.FIDO2 security keys
B.Temporary Access Pass
C.Passwordless sign-in with Microsoft Authenticator
D.My Security-info (https://aka.ms/mysecurityinfo)
AnswerC

Passwordless sign-in with Authenticator uses QR codes or number match for sign-in.

Why this answer

The Microsoft Authenticator app supports passwordless sign-in by allowing users to approve a notification or scan a QR code from the sign-in screen. This feature eliminates the need for a password and relies on the Authenticator app as a primary authentication method, which is configured under the Passwordless sign-in with Microsoft Authenticator option in Entra ID.

Exam trap

The trap here is that candidates confuse the QR code scanning capability of the Authenticator app with FIDO2 security keys, but the question specifically asks about using the Microsoft Authenticator app, not a separate hardware device.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware-based passwordless credentials that use public-key cryptography, not QR codes from the Microsoft Authenticator app. Option B is wrong because Temporary Access Pass is a time-limited passcode used for onboarding or recovery scenarios, not for QR-code-based sign-in. Option D is wrong because My Security-info (https://aka.ms/mysecurityinfo) is a user portal for managing authentication methods, not a feature that enables QR-code sign-in.

574
MCQmedium

A compliance officer needs to retain customer records for 7 years and then automatically delete them. However, during an ongoing legal case, the legal team must preserve specific documents indefinitely without affecting the retention policy for other documents. Which combination of Microsoft Purview solutions should the company use?

A.Data Lifecycle Management and eDiscovery
B.Records Management and Audit
C.Information Protection and Data Loss Prevention
D.Communication Compliance and Insider Risk Management
AnswerA

Data Lifecycle Management sets the retention and deletion policy. eDiscovery allows legal holds to preserve specific content for litigation without altering the retention policy.

Why this answer

Data Lifecycle Management (DLM) allows you to define retention policies (e.g., 7 years) and then automatically delete data at the end of that period. eDiscovery (specifically, eDiscovery holds) lets you place a legal hold on specific documents, preserving them indefinitely without altering the broader retention policy. Together, they meet both the automatic deletion requirement and the need to preserve documents during litigation.

Exam trap

The trap here is that candidates confuse Records Management (which can also apply retention and deletion) with Data Lifecycle Management, but Records Management lacks the legal hold capability that eDiscovery provides for preserving specific documents during litigation.

How to eliminate wrong answers

Option B (Records Management and Audit) is wrong because Records Management focuses on declaring records and applying retention labels, but it does not provide the ability to place a legal hold on specific documents during litigation; Audit only tracks activities and does not enforce retention or holds. Option C (Information Protection and Data Loss Prevention) is wrong because Information Protection deals with sensitivity labels and encryption, while Data Loss Prevention prevents unauthorized sharing—neither addresses retention, deletion, or legal holds. Option D (Communication Compliance and Insider Risk Management) is wrong because Communication Compliance monitors for policy violations in communications, and Insider Risk Management detects risky user activities; neither solution manages retention policies or legal holds.

575
MCQhard

A company is implementing Microsoft Purview Communication Compliance to detect inappropriate messages. They need to monitor Microsoft Teams channel messages and chat messages for potential policy violations. Which configuration is required?

A.Enable Microsoft Purview Data Loss Prevention (DLP) policies for Teams.
B.Set up an Exchange Online retention policy to retain Teams messages.
C.Deploy a third-party archiving solution for Teams messages.
D.Configure a Communication Compliance policy that includes Teams messages as the supervised communication channel.
AnswerD

Communication Compliance policies can supervise Teams messages by adding Teams as a channel.

Why this answer

Option D is correct because a Communication Compliance policy must select Teams messages as the supervised communication channel before channel and chat messages are scanned. Option A is wrong because DLP policies protect sensitive data from being shared; they do not detect inappropriate messages. Option B is wrong because Exchange Online retention policies are not needed for Communication Compliance.

Option C is wrong because Communication Compliance supports Teams messages natively, so a third-party archiving solution is not required.

576
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows users to sign in using their social media accounts, such as Google or Facebook. What should you configure?

A.Microsoft Authenticator app for passwordless sign-in
B.Privileged Identity Management
C.External identities (B2B) with social identity providers
D.Self-service password reset
AnswerC

B2B collaboration supports social identity providers like Google and Facebook.

Why this answer

Option C is correct because External Identities (B2B) allow social identity providers such as Google and Facebook to be configured as external identity sources. Option A is incorrect because the Microsoft Authenticator app provides passwordless sign-in and MFA, not social identity sign-in. Option B is incorrect because Privileged Identity Management is for managing privileged roles.

Option D is incorrect because self-service password reset does not provide sign-in.

577
MCQhard

A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?

A.Identification and authorization
B.Authentication and authorization
C.Authentication and accounting
D.Identification and authentication
AnswerB

The smart card and PIN authenticate the user. Then the operating system authorizes (or denies) access to the folder based on permissions.

Why this answer

The scenario demonstrates authentication (verifying the user's identity via smart card + PIN) and authorization (the OS checking access rights and denying access to the folder). Authentication confirms who the user is, while authorization determines what resources they can access. Option B correctly pairs these two concepts.

Exam trap

The trap here is that candidates confuse 'identification' with 'authentication' — the smart card + PIN is a multi-factor authentication process, not merely identification, and the access check is authorization, not accounting or identification.

How to eliminate wrong answers

Option A is wrong because identification alone (e.g., presenting a username) is not sufficient; the scenario includes a PIN and smart card, which are authentication factors, and the access check is authorization, not just identification. Option C is wrong because accounting (tracking resource usage, e.g., logging or auditing) is not demonstrated; no logs or usage records are mentioned. Option D is wrong because identification (e.g., claiming an identity) is not explicitly shown; the user authenticates via smart card + PIN, and the access check is authorization, not just authentication.

578
MCQmedium

Refer to the exhibit. A user reports being unable to access Exchange Online from their personal laptop. The sign-in log shows failure due to device non-compliance. What should you configure to allow access while maintaining security?

A.Create a Conditional Access policy requiring compliant device
B.Reset the user's password
C.Block all personal devices
D.Enable MFA for the user
AnswerA

This policy will allow access only if the device is compliant.

Why this answer

The sign-in log indicates the failure is due to device non-compliance, meaning the user's personal laptop does not meet your organization's compliance policies (e.g., missing antivirus, encryption, or required updates). Creating a Conditional Access policy that requires a compliant device will block access from non-compliant devices while allowing access from compliant ones, maintaining security by enforcing device health checks before granting access to Exchange Online.

Exam trap

The trap here is that candidates often confuse device compliance with authentication factors like MFA or password resets, but the sign-in log explicitly states the failure is due to device non-compliance, so the solution must enforce device health, not just user identity verification.

How to eliminate wrong answers

Option B is wrong because resetting the user's password addresses credential compromise, not device compliance; the failure is due to the device not meeting compliance requirements, not an incorrect password. Option C is wrong because blocking all personal devices is overly restrictive and not necessary; Conditional Access can selectively allow compliant personal devices while blocking non-compliant ones, preserving user productivity. Option D is wrong because enabling MFA strengthens authentication but does not enforce device compliance; the sign-in failure is specifically due to device non-compliance, not a lack of multi-factor authentication.

579
MCQhard

A company needs to provide a developer with temporary, time-bound administrative access to Azure resources to debug a production issue. The access must require approval from the manager and automatically expire after 4 hours. Which Microsoft Entra capability should they use?

A.Privileged Identity Management (PIM)
B.Conditional Access
C.Identity Protection
D.Entitlement Management
AnswerA

PIM enables JIT activation of privileged roles with time limits, approval, and justification, perfectly matching the requirements.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources with time-bound activation, approval workflows, and automatic expiration. This directly matches the requirement for temporary, manager-approved administrative access that expires after 4 hours.

Exam trap

The trap here is confusing Entitlement Management (which manages access to apps/groups via access packages) with PIM (which manages time-bound role activation for Azure resources), leading candidates to pick D when the scenario explicitly requires Azure resource administrative access with automatic expiration.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it enforces access policies based on signals like location or device compliance, not time-bound role activation with approval. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like leaked credentials, not manages privileged access. Option D (Entitlement Management) is wrong because it governs access to applications and groups via access packages, not Azure resource roles with automatic expiration.

580
MCQmedium

A company uses Microsoft Purview Compliance Manager to improve their compliance posture. They are preparing for a SOC 2 audit and need to score compliance with SOC 2 controls, track improvement actions, and assign tasks to responsible teams. Which component of Compliance Manager should they use to assign and track specific actions to improve their compliance score?

A.Assessment
B.Control
C.Improvement action
D.Template
AnswerC

Improvement actions are detailed tasks that can be assigned to groups or individuals, tracked, and documented to demonstrate compliance progress.

Why this answer

Improvement actions in Compliance Manager are the specific, actionable tasks that directly impact your compliance score. They represent the steps you need to take (e.g., configuring a policy, enabling logging) to satisfy a control. By assigning these actions to responsible teams and tracking their completion status, you can systematically improve your score and demonstrate progress during a SOC 2 audit.

Exam trap

The trap here is that candidates confuse 'Control' (the requirement) with 'Improvement action' (the task to meet the requirement), leading them to select B, even though controls are not directly assignable or trackable as individual tasks.

How to eliminate wrong answers

Option A is wrong because an Assessment is a container that groups controls from a specific regulation (like SOC 2) and tracks your overall compliance score, but it does not provide the granular, assignable tasks needed to drive improvement. Option B is wrong because a Control is a specific requirement from the regulation (e.g., 'Access must be logged'), but it is not the actionable item you assign to a team; the control is satisfied by completing one or more improvement actions. Option D is wrong because a Template is a reusable blueprint that defines the controls and improvement actions for a regulation (e.g., SOC 2 template), but it is not the mechanism for assigning and tracking individual tasks.

581
Multi-Selecteasy

Which TWO of the following are capabilities of Microsoft Purview Data Loss Prevention?

Select 2 answers
A.Define retention periods for documents.
B.Search for content in Exchange Online mailboxes.
C.Block sharing of sensitive data via email.
D.Automatically apply sensitivity labels to content.
E.Provide policy tips to users when they attempt to share sensitive data.
AnswersC, E

DLP policies can block email sharing of sensitive info.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is designed to detect and prevent the accidental or intentional sharing of sensitive information. Option C is correct because DLP policies can block the sharing of sensitive data via email by inspecting content in transit and applying actions such as blocking the message. Option E is correct because DLP can display policy tips to users in real time, warning them before they share sensitive data and allowing them to override the block with justification.

Exam trap

The trap here is that candidates confuse DLP with other Microsoft Purview solutions: they may think DLP defines retention periods (Records Management), searches content (eDiscovery), or applies sensitivity labels (Information Protection), when in fact DLP focuses on preventing data loss through monitoring and blocking actions, not on lifecycle management or labeling.

582
MCQhard

Your company is adopting a Zero Trust network architecture. You need to implement microsegmentation for workloads running in Azure. Which Azure service should you use?

A.Azure Network Security Groups (NSGs)
B.Azure Firewall
C.Azure App Service
D.Azure Front Door
AnswerA

NSGs filter traffic between subnets and VMs, enabling microsegmentation.

Why this answer

Option A is correct because Azure Network Security Groups (NSGs) provide microsegmentation by filtering traffic between subnets and VMs within a virtual network. Option B is wrong because Azure Firewall is a stateful, centralized firewall for traffic entering and leaving a VNet, not for microsegmentation between workloads inside it. Option C is wrong because App Service is a PaaS hosting platform, not a network control.

Option D is wrong because Azure Front Door is a global load balancer.

583
MCQhard

A company uses Microsoft Entra ID. They have a critical application that requires additional security. The security team wants to enforce multifactor authentication (MFA) for every access to the application, but they also want users to reauthenticate with MFA if a session lasts longer than 60 minutes, regardless of device compliance. Which Conditional Access control should the administrator configure?

A.Grant control: Require multifactor authentication
B.Session control: Sign-in frequency
C.Session control: Application enforced restrictions
D.Grant control: Require device to be marked as compliant
AnswerB

Sign-in frequency as a session control forces users to reauthenticate after a specified time period, ensuring MFA is revalidated if the session exceeds 60 minutes.

Why this answer

The requirement to force reauthentication with MFA after a specific time period (60 minutes) is a session-level control, not a grant control. The 'Sign-in frequency' session control in Conditional Access allows administrators to define how often a user must reauthenticate, including re-prompting for MFA, regardless of device compliance. This directly meets the scenario's need for a time-based reauthentication policy.

Exam trap

The trap here is that candidates confuse 'Grant controls' (which enforce conditions at sign-in) with 'Session controls' (which manage behavior after sign-in), leading them to select 'Require multifactor authentication' instead of 'Sign-in frequency' for time-based reauthentication.

How to eliminate wrong answers

Option A is wrong because 'Grant control: Require multifactor authentication' enforces MFA at initial sign-in but does not enforce reauthentication after a session duration; it lacks the time-based re-prompting capability. Option C is wrong because 'Session control: Application enforced restrictions' relies on the application itself to enforce policies (e.g., via device-based conditional access in Exchange Online), not on Entra ID to force reauthentication after a fixed time. Option D is wrong because 'Grant control: Require device to be marked as compliant' checks device health at sign-in but does not enforce a session timeout or reauthentication frequency, and the scenario explicitly states 'regardless of device compliance'.

584
MCQeasy

A user reports they cannot access the company portal from their personal device. The device is not enrolled in Microsoft Intune. The admin wants to ensure only compliant devices can access corporate resources. What should the admin configure?

A.Conditional Access policy requiring device compliance
B.Enable password writeback
C.Enable Identity Protection sign-in risk policy
D.Microsoft Entra Privileged Identity Management
AnswerA

Conditional Access can require devices to be compliant via Intune.

Why this answer

A is correct because a Conditional Access policy can require device compliance before granting access to corporate resources. When the device is not enrolled in Microsoft Intune, it cannot report compliance status, so the policy blocks access. This ensures only managed, compliant devices can access the company portal.

Exam trap

The trap here is that candidates confuse device compliance policies with sign-in risk policies or identity governance features, mistakenly thinking risk-based controls or PIM can enforce device health, when only Conditional Access with Intune compliance can block non-enrolled personal devices.

How to eliminate wrong answers

Option B is wrong because password writeback is a feature for on-premises password synchronization to Entra ID, not for controlling device access. Option C is wrong because Identity Protection sign-in risk policy evaluates user sign-in risk (e.g., anonymous IP, leaked credentials), not device compliance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation, not device-level access control.

585
Multi-Selecthard

A company wants to implement a Zero Trust security model. Which TWO of the following are core principles of Zero Trust?

Select 2 answers
A.Trust based on network location
B.Verify explicitly
C.Perimeter-based security
D.Implicit trust for internal users
E.Least privilege access
AnswersB, E

Verify explicitly and least privilege access are two of the three core principles of Zero Trust; the third is assume breach.

Why this answer

Options B and E are correct. Zero Trust principles are: verify explicitly (B), use least privilege access (E), and assume breach. Option A is incorrect because Zero Trust does not rely on network location for trust.

Option C is incorrect because perimeter-based security is not a Zero Trust principle. Option D is incorrect because implicit trust for internal users is the opposite of Zero Trust.

586
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Purview sensitivity label configuration. A user reports that a document containing a sensitive info type with confidence 80 was not automatically labeled. What is the most likely cause?

A.The user has overridden the label application.
B.The encryption is disabled.
C.The encryption template ID is missing.
D.The auto-labeling policy is not configured to apply this label.
AnswerD

The label definition alone does not apply labels; an auto-labeling policy must be created to use this label.

Why this answer

The exhibit shows a sensitivity label definition with 'userOverrideEnabled': false, encryption enabled, an encryption template ID present, and an auto-labeling minConfidence of 75. A sensitive info type match with confidence 80 meets that threshold, so the label definition itself would not prevent labeling. A label definition alone does not apply labels, however: an auto-labeling policy that uses this label must be created and published for content to be labeled automatically. Because the exhibit shows only the label definition and not an auto-labeling policy, the most likely cause is that no auto-labeling policy is configured to apply this label, so Option D is correct.

Option A is wrong because user override is disabled ('userOverrideEnabled': false), so the user could not have overridden the label application. Option B is wrong because encryption is enabled. Option C is wrong because the encryption template ID is present.

587
MCQhard

Your company uses Microsoft Purview to manage data across Azure, on-premises SQL Server, and Amazon S3. You need to create a unified map of all data sources and their sensitivity labels. Which Microsoft Purview feature should you use?

A.Microsoft Purview Data Sharing
B.Microsoft Purview Data Map
C.Microsoft Purview Data Estate Insights
D.Microsoft Purview Data Catalog
AnswerB

Data Map automatically scans and classifies data across sources, creating a unified map.

Why this answer

Microsoft Purview Data Map is the correct feature because it provides a unified, automated map of data assets across hybrid and multi-cloud environments (Azure, on-premises SQL Server, and Amazon S3). It automatically scans and classifies data sources, applies sensitivity labels, and maintains a centralized metadata repository, enabling a holistic view of the data landscape and its sensitivity.

Exam trap

The trap here is that candidates often confuse the Microsoft Purview Data Catalog (which is the searchable inventory) with the Data Map (which is the underlying metadata and classification engine), leading them to select Option D instead of B.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Sharing is a feature for securely sharing data in-place across organizations or within an organization, not for creating a unified map of data sources and sensitivity labels. Option C is wrong because Microsoft Purview Data Estate Insights provides monitoring, analytics, and reporting on data estate health and usage, but it does not create the foundational map of data sources and labels; it relies on the Data Map. Option D is wrong because Microsoft Purview Data Catalog is a component that builds on the Data Map to enable data discovery and search, but the core mapping and labeling of data sources is performed by the Data Map itself.

588
MCQeasy

A company wants to ensure that data is not altered during transmission between a client and a server. They use TLS encryption. Which security goal does this primarily address?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures that data is not modified or tampered with during transit, which directly matches the requirement.

Why this answer

TLS (Transport Layer Security) uses message authentication codes (MACs) and cryptographic hashing to ensure that data is not tampered with during transit. While TLS also provides confidentiality through encryption, the specific goal of preventing alteration during transmission is integrity. Therefore, option B is correct because integrity guarantees that the data received is exactly what was sent, unchanged by any intermediary.

Exam trap

The trap here is that candidates often assume TLS only provides confidentiality (encryption) and forget that TLS also explicitly ensures integrity through MACs or AEAD, leading them to incorrectly select 'Confidentiality' (Option A) when the question specifically asks about preventing alteration.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data (secrecy), not about detecting or preventing alteration; TLS achieves confidentiality through symmetric encryption, but the question specifically asks about preventing alteration. Option C is wrong because availability ensures that systems and data are accessible when needed, which is unrelated to data integrity during transmission; TLS does not address availability. Option D is wrong because non-repudiation prevents a party from denying an action (e.g., using digital signatures), whereas TLS does not inherently provide non-repudiation—it focuses on secure communication, not proof of origin.

589
MCQeasy

Your organization wants to use Microsoft Defender for Cloud Apps to detect anomalous user behavior across cloud applications. Which feature should you enable?

A.Anomaly detection policies
B.App connectors
C.Secure Score
D.Cloud Discovery
AnswerA

Anomaly detection policies use UEBA to detect unusual user behavior.

Why this answer

Option A is correct because Cloud App Security (now Microsoft Defender for Cloud Apps) provides UEBA and anomaly detection policies that flag unusual user behavior. Options B, C, and D are incorrect: app connectors are for API integration with sanctioned apps, Secure Score is for security posture, and Cloud Discovery is for discovering shadow IT.

590
MCQmedium

A company uses Microsoft 365 and needs to classify and protect sensitive documents by applying encryption and visual markings (headers/footers) based on the content's sensitivity. They also want to automatically revoke access to documents that leave the organization. Which Microsoft Purview solution should they configure?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview Information Protection
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Audit
AnswerB

Information Protection uses sensitivity labels to classify, encrypt, and apply visual markings to documents, and can enforce revocation of access for external users.

Why this answer

Microsoft Purview Information Protection (B) is the correct solution because it provides the capabilities to classify and protect sensitive documents using sensitivity labels. These labels can enforce encryption and apply visual markings like headers and footers based on content sensitivity. Additionally, Information Protection supports automatic revocation of access to documents that leave the organization through features like rights management and conditional access policies.

Exam trap

The trap here is that candidates may confuse Data Lifecycle Management (retention/deletion) with Information Protection (classification/encryption), or mistakenly think Communication Compliance or Audit can enforce document-level protection and revocation.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Lifecycle Management focuses on retaining and deleting data based on policies, not on classifying, encrypting, or applying visual markings to documents. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect and manage inappropriate communications (e.g., harassment, insider trading) within emails and messages, not to classify or protect document content with encryption or markings. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities, not the ability to classify, encrypt, or revoke access to documents.

591
MCQhard

Refer to the exhibit. You are reviewing Microsoft Entra sign-in logs. Which statement is true?

A.jdoe's sign-in had no risk detected.
B.jdoe's sign-in failed Conditional Access.
C.asmith's sign-in was likely from an application or service principal.
D.asmith's sign-in had a high risk level.
AnswerC

NonInteractiveUser sign-in type indicates a client application or service principal, not a user interactive session.

Why this answer

Option C is correct because the sign-in log entry for asmith shows an 'Application' sign-in type, which indicates the authentication was performed by an application or service principal rather than a user. In Microsoft Entra ID, sign-ins from applications or service principals are logged with a distinct sign-in type, and the exhibit displays 'Application' for asmith's entry, confirming this.

Exam trap

The trap here is that candidates may assume all sign-in logs represent user sign-ins and overlook the 'Sign-in type' column, leading them to misinterpret the risk level or Conditional Access status for a service principal entry.

How to eliminate wrong answers

Option A is wrong because the sign-in log for jdoe shows a 'Risk level' of 'Medium', indicating risk was detected, not 'No risk'. Option B is wrong because the sign-in log for jdoe shows 'Conditional Access' status as 'Success', not 'Failure', meaning Conditional Access policies were satisfied. Option D is wrong because the sign-in log for asmith shows a 'Risk level' of 'Low', not 'High'.

592
MCQeasy

A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?

A.Authentication
B.Authorization
C.Non-repudiation
D.Accounting
AnswerB

Authorization controls what an authenticated user is allowed to do. Denying access to the folder due to missing group membership is an authorization decision.

Why this answer

Authorization is the security concept that determines what resources a user is allowed to access after their identity has been verified. In this scenario, the user successfully authenticated but was denied access to the financial reports folder because their account lacked the necessary permissions—specifically, membership in the 'Finance' group. This access control decision is the essence of authorization, which enforces policies based on identity attributes like group membership.

Exam trap

The trap here is that candidates confuse authentication (proving who you are) with authorization (what you are allowed to do), especially when the question includes a multi-factor authentication step that seems to 'grant' access, but the denial is purely an authorization failure.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., password + push notification), which already succeeded before the folder access attempt. Option C is wrong because non-repudiation ensures that a user cannot deny having performed an action, typically using digital signatures or audit logs, and is not related to access control decisions. Option D is wrong because accounting (or auditing) tracks user activities and resource usage for compliance and billing, but does not enforce or deny access to resources.

593
MCQmedium

A company uses Microsoft Entra ID. They want to ensure that users who are traveling to a high-risk country, based on the sign-in IP address, are prompted for multi-factor authentication before accessing the company's CRM application. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Azure AD Join
AnswerA

Correct. Conditional Access policies can include location conditions (e.g., named locations with trusted IPs or countries) to require actions like MFA based on where the sign-in originates.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that evaluate sign-in signals—such as the user's location derived from the IP address—and enforce access controls like requiring multi-factor authentication (MFA) before granting access to a specific application (e.g., the CRM app). By configuring a Conditional Access policy with a location condition targeting high-risk countries, the company can ensure that only users signing in from those IP ranges are prompted for MFA, while other sign-ins proceed normally.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA (which uses machine learning on user behavior) with Conditional Access's location-based MFA (which uses static IP-to-country mapping), leading them to select Identity Protection when the question explicitly specifies a high-risk country based on IP address rather than a risk score.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, impossible travel) and can trigger MFA via integration with Conditional Access, but it does not directly enforce MFA based on a static IP address location—it requires a risk level condition, not a geographic location condition. Option C (Privileged Identity Management) is wrong because it is designed for just-in-time privileged role activation and access reviews, not for applying MFA based on sign-in location or IP address. Option D (Azure AD Join) is wrong because it is a device identity and management feature that registers devices to Entra ID for SSO and compliance, and it has no capability to enforce MFA based on geographic location of the sign-in IP.

594
MCQeasy

A company needs to allow external business partners to securely access internal SharePoint Online sites and Teams channels. The partners use various identity providers, including Microsoft Entra ID and Google. The company wants to manage these external users in their directory and assign access policies. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra B2C (Business to Customer)
B.Microsoft Entra External ID (B2B Collaboration)
C.Microsoft Entra Domain Services
D.Microsoft Entra Identity Protection
AnswerB

B2B Collaboration allows external partners to use their own identities to access internal apps and resources, with management in your directory.

Why this answer

Microsoft Entra External ID (B2B Collaboration) is the correct capability because it allows the company to invite external business partners (B2B users) from any identity provider, including Microsoft Entra ID and Google, into their own Microsoft Entra directory. This enables the company to manage these external users in their directory, assign conditional access policies, and grant them secure access to internal SharePoint Online sites and Teams channels without requiring a separate application or customer-facing identity system.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2C (for customers) with B2B Collaboration (for business partners), leading them to select B2C because both involve external users, but B2C is for consumer-facing apps, not for granting access to internal resources like SharePoint and Teams.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C (Business to Customer) is designed for customer-facing applications where external users sign in with social or local identities, not for managing business partners in the company's directory with access to internal resources like SharePoint and Teams. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not for inviting and managing external business partners. Option D is wrong because Microsoft Entra Identity Protection is a security tool that detects identity-based risks and vulnerabilities, not a capability for inviting or managing external users.

595
MCQmedium

A security team wants to discover all cloud applications being used by employees, including unsanctioned file sharing and collaboration apps. They plan to analyze traffic logs from their network firewall to identify usage patterns and assess each app's risk level. Which feature of Microsoft Defender for Cloud Apps should they enable?

A.Cloud Discovery
B.App Connectors
C.Conditional Access App Control
D.Information Protection
AnswerA

Cloud Discovery uses log analysis to uncover all cloud app activity and assess risk, making it the correct feature for this scenario.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs from network firewalls and proxies to identify all cloud applications in use, including unsanctioned ones. It uses the Microsoft Defender for Cloud Apps catalog to assess each app's risk level based on factors like security posture, compliance certifications, and industry standards. This directly matches the scenario of discovering unsanctioned file sharing and collaboration apps from firewall logs.

Exam trap

The trap here is that candidates confuse Cloud Discovery (passive log analysis for unsanctioned app discovery) with App Connectors (active API integration for sanctioned app monitoring), leading them to choose B because they think 'connecting to apps' is needed to discover them.

How to eliminate wrong answers

Option B (App Connectors) is wrong because App Connectors are used to connect directly to sanctioned cloud apps (like Office 365, Salesforce) via APIs to pull data for monitoring and governance, not to discover unsanctioned apps from firewall logs. Option C (Conditional Access App Control) is wrong because it enforces real-time access policies on sanctioned apps using reverse proxy, not for discovering unknown apps from traffic logs. Option D (Information Protection) is wrong because it focuses on classifying and protecting sensitive data within files and emails, not on discovering cloud app usage patterns from network traffic.

596
Multi-Selecthard

Which TWO of the following are supported identity types for Microsoft Entra External ID? (Select two.)

Select 2 answers
A.OAuth 2.0 token identities
B.Social identities (e.g., Google, Facebook)
C.X.509 certificate-based identities
D.Enterprise identities from SAML/WS-Federation identity providers
E.Biometric identities (fingerprint, face)
AnswersB, D

External ID allows social identity providers.

Why this answer

Microsoft Entra External ID supports social identities (like Google and Facebook) as external identity providers, allowing users to sign in with their existing social accounts. This is a core feature of External ID, enabling B2B and B2C scenarios without requiring users to create new Microsoft accounts. Option D is also correct: External ID (B2B collaboration) supports direct federation with external SAML/WS-Federation identity providers, so business partners can sign in with their existing enterprise identities.

Exam trap

The trap here is that candidates confuse authentication methods (like biometrics or certificates) with identity provider types, or assume OAuth 2.0 tokens are an identity type rather than a protocol used to exchange identity information.

597
MCQeasy

You need to ensure that sensitive documents in Microsoft SharePoint Online are automatically classified and protected when they contain credit card numbers. What should you configure?

A.A sensitivity label with auto-labeling for Microsoft Purview Information Protection
B.A retention policy for SharePoint
C.A data loss prevention (DLP) policy
D.A retention label for regulatory compliance
AnswerA

Auto-labeling in sensitivity labels can automatically classify and protect documents based on sensitive info types.

Why this answer

Option A is correct because a sensitivity label with auto-labeling can be configured to detect sensitive info types like credit card numbers and then apply classification and protection automatically. Option B is incorrect because a retention policy manages retention, not classification or protection. Option C is incorrect because DLP policies can block or alert but do not apply sensitivity labels automatically.

Option D is incorrect because a retention label is for retention, not classification.

598
MCQmedium

Your company is implementing data loss prevention (DLP) policies in Microsoft Purview. You need to create a policy that prevents users from sharing credit card numbers via email to external recipients. The policy should only apply to users in the Finance department. Which action should you take?

A.Create a retention label and apply auto-labeling for Finance
B.Create a sensitivity label and publish it to Finance users
C.Copy the default DLP template for financial data and modify it
D.Create a DLP policy, select the Finance user location, and add the credit card number condition
AnswerD

DLP policies can be scoped to specific users and include sensitive info types like credit card numbers.

Why this answer

Option D is correct because DLP policies in Microsoft Purview can be scoped to specific user groups via location selection and can include the credit card number sensitive info type as a condition. Option B is wrong because sensitivity labels are for classification, not DLP enforcement. Option A is wrong because retention labels are for data retention, not DLP.

Option C is wrong because the policy should be created from scratch, not copied from a template that may not match the requirement.

599
Multi-Selectmedium

Which THREE of the following are capabilities of Microsoft Entra ID Governance?

Select 3 answers
A.Self-service password reset
B.Access reviews
C.Privileged Identity Management
D.Entitlement management
E.Conditional access
AnswersB, C, D

Access reviews are part of identity governance.

Why this answer

Access reviews are a core capability of Microsoft Entra ID Governance, enabling organizations to periodically review and certify user access to resources, groups, and applications. This ensures compliance with internal policies and regulatory requirements by automating the attestation process and removing stale or excessive permissions.

Exam trap

The trap here is that candidates often confuse security features like Conditional Access or SSPR with governance capabilities, but Microsoft Entra ID Governance specifically focuses on identity lifecycle management, access reviews, entitlement management, and privileged identity management, not on authentication or policy enforcement.

600
MCQmedium

A company with Microsoft 365 wants employees to access corporate applications from their personal Android and iOS devices. The security team requires that these devices be enrolled in mobile device management (MDM) for compliance policies, and that company data can be selectively wiped from the device without affecting personal data. Which Microsoft Entra device identity type should they configure for these personal devices?

A.Microsoft Entra registered
B.Microsoft Entra joined
C.Microsoft Entra hybrid joined
D.Microsoft Entra managed
AnswerA

Correct. Microsoft Entra registered is designed for personal devices (BYOD) and supports MDM enrollment and selective wipe.

Why this answer

Microsoft Entra registered is the correct device identity type for personal (BYOD) devices because it supports enrollment in MDM for compliance policies and enables selective wipe of company data without affecting personal data. This identity type registers the device with Entra ID without requiring organizational ownership, allowing users to access corporate applications while maintaining personal data separation.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra joined' with 'Microsoft Entra registered' because both involve device identity, but Entra joined implies full organizational control and no selective wipe capability, making it unsuitable for BYOD scenarios.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra joined is designed for organization-owned devices that are fully managed by the organization, not for personal BYOD devices, and it does not support selective wipe of only company data. Option C is wrong because Microsoft Entra hybrid joined requires on-premises Active Directory domain join and is intended for organization-owned devices that need both on-premises and cloud access, not for personal devices. Option D is wrong because 'Microsoft Entra managed' is not a valid device identity type in Microsoft Entra; the valid types are Entra registered, Entra joined, and hybrid Entra joined.
