Microsoft Security, Compliance, and Identity Fundamentals (SC-900) — Questions 601–675

1411 questions total · 19 pages · All types, answers revealed

Page 9 of 19
601
Multi-Select · easy

Which two scenarios are examples of using Microsoft Entra business-to-business (B2B) collaboration? (Choose two.)

Select 2 answers
A. A user from a partner organization is invited to access a SharePoint Online site.
B. An employee uses their Microsoft Entra ID to sign in to a third-party SaaS application.
C. Two internal departments share resources within the same tenant.
D. A vendor employee uses their own work email to access a Power BI dashboard shared by your company.
E. Customers use their Facebook accounts to sign in to a company's web application.
Answers: A, D

B2B collaboration allows inviting external users from partner organizations.

Why this answer

Option A is correct because Microsoft Entra B2B collaboration allows you to invite external users from partner organizations to access your company's resources, such as a SharePoint Online site. The invited user authenticates using their own home tenant credentials, and a B2B guest user object is created in your directory to represent them.

Exam trap

The trap here is confusing B2B collaboration (inviting external business partners with work/school accounts) with B2C collaboration (allowing consumers to sign in with social identities like Facebook or Google), leading candidates to incorrectly select Option E.

602
MCQ · hard

You are a compliance administrator for Contoso, a multinational company that uses Microsoft 365. The company has the following requirements:
1. Automatically retain all documents containing personally identifiable information (PII) for 7 years.
2. Prevent users from sharing PII via email with external recipients unless they provide a business justification.
3. Monitor and alert when users access sensitive data outside of business hours.
4. Generate a compliance score for GDPR and ISO 27001.
You need to configure the appropriate Microsoft Purview solutions. For each requirement, match the correct solution. Which combination of solutions should you use?

A. Information Protection for retention; DLP for sharing; Data Lifecycle Management for monitoring; Compliance Manager for scoring
B. Data Lifecycle Management for retention; Communication Compliance for sharing; Insider Risk Management for monitoring; Compliance Manager for scoring
C. Data Lifecycle Management for retention; DLP for sharing; Insider Risk Management for monitoring; Compliance Manager for scoring
D. Information Protection for retention; eDiscovery for sharing; Insider Risk Management for monitoring; Compliance Manager for scoring
Answer: C

All requirements are correctly mapped.

Why this answer

Option C is correct because: Requirement 1 is met by a retention policy in Data Lifecycle Management; Requirement 2 is met by a DLP policy with user overrides (business justification); Requirement 3 is met by Insider Risk Management (abnormal access); Requirement 4 is met by Compliance Manager. Option A is wrong because Information Protection labels are for classification, not retention. Option B is wrong because Communication Compliance is for communications, not access monitoring.

Option D is wrong because eDiscovery is for legal discovery, not access monitoring.

603
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to detect anomalous user behavior such as impossible travel. Which type of policy should you configure?

A. Anomaly detection policy
B. Activity policy
C. App discovery policy
D. Session policy
Answer: A

Anomaly detection policies use machine learning to detect unusual patterns like impossible travel.

Why this answer

Anomaly detection policies in Defender for Cloud Apps use UEBA to detect behaviors like impossible travel, ransomware activity, and credential access. Option A is correct. Activity policies are used for specific activities, not behavior patterns.

Session policies control real-time access. App discovery policies identify cloud apps in use.

604
MCQ · medium

A company uses Microsoft Entra ID and requires that all guest users from a partner organization must sign in using Microsoft Authenticator for MFA. The partner organization manages their own identities. What should you configure?

A. Enable Microsoft Entra ID Protection and configure MFA registration policy for guests
B. Use Microsoft Entra ID Governance to require access reviews for guests
C. Configure cross-tenant access settings to trust MFA from the partner's Microsoft Entra ID tenant
D. Create a Conditional Access policy that requires MFA for guest users
Answer: C

Cross-tenant access settings allow you to accept MFA claims from external tenants.

Why this answer

Option C is correct because cross-tenant access settings in Microsoft Entra ID allow you to trust MFA claims from an external partner's tenant. Since the partner manages their own identities, trusting their MFA ensures that guest users from that partner organization can satisfy MFA requirements using their own Microsoft Authenticator without needing to register again in your tenant.

Exam trap

The trap here is that candidates often assume a Conditional Access policy (Option D) is the standard way to enforce MFA for guests, but they overlook the cross-tenant trust mechanism that allows the partner to manage their own MFA without guest user registration in the resource tenant.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection's MFA registration policy applies to users in your own tenant, not to guest users from a partner organization that manages their own identities. Option B is wrong because access reviews are used to periodically review and certify guest access, not to enforce MFA authentication requirements. Option D is wrong because a Conditional Access policy requiring MFA for guest users would force them to register for MFA in your tenant, which contradicts the requirement that the partner organization manages their own identities and that guests sign in using their own Microsoft Authenticator.

605
Multi-Select · easy

Which TWO scenarios are supported by Microsoft Entra B2B collaboration? (Choose two.)

Select 2 answers
A. Set up federation with social identity providers
B. Invite external users via email to access resources
C. External users authenticate using Google or Facebook accounts
D. External users sign in with their own Azure AD or Microsoft account
E. External users are provisioned with on-premises Active Directory accounts
Answers: B, D

B2B invitations can be sent via email.

Why this answer

Option B is correct because Microsoft Entra B2B collaboration allows you to invite external users via email to access your organization's resources. This is the core functionality of B2B collaboration, where an invitation email is sent to the external user, and upon accepting, they are granted access to the specified applications or resources.

Exam trap

The trap here is that candidates confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, mistakenly thinking B2B supports social identity providers like Google or Facebook as a primary authentication method, when in fact B2B is designed for business-to-business scenarios using enterprise identities.

606
MCQ · hard

A security architect is implementing a Zero Trust security model. The architect insists that the network perimeter should not be trusted and that security controls must be applied to all traffic, even within the corporate network. They also emphasize the need for continuous monitoring and detection of threats as if a breach has already occurred. Which Zero Trust principle is the architect primarily applying?

A. Verify explicitly
B. Least privilege access
C. Assume breach
D. Trust but verify
Answer: C

Assume breach is the Zero Trust principle that expects a breach may have already occurred, driving continuous monitoring, segmentation, and threat detection.

Why this answer

The architect's emphasis on not trusting the network perimeter and applying security controls to all traffic, combined with continuous monitoring as if a breach has already occurred, directly aligns with the 'Assume breach' principle of Zero Trust. This principle operates on the mindset that a breach is inevitable or has already happened, thus requiring constant verification and monitoring of all network traffic, even within the corporate network, rather than relying on a trusted internal zone.

Exam trap

Microsoft often tests the distinction between 'Assume breach' and 'Verify explicitly' by describing a scenario that includes both continuous monitoring and strict access controls, leading candidates to confuse the proactive verification requirement with the reactive breach-assumption mindset.

How to eliminate wrong answers

Option A is wrong because 'Verify explicitly' focuses on authenticating and authorizing every access request based on all available data points (e.g., user identity, device health, location), but it does not inherently assume that a breach has already occurred; it is about strict verification at each access attempt. Option B is wrong because 'Least privilege access' is about granting only the minimum permissions necessary for a user or system to perform a task, which is a separate pillar of Zero Trust that does not directly address the continuous monitoring and breach-assumption mindset described in the scenario. Option D is wrong because 'Trust but verify' is an outdated security model that assumes trust is granted initially and then verified periodically; Zero Trust explicitly rejects this approach by stating that no entity should be trusted by default, even inside the network.

607
MCQ · medium

A company wants to reduce the risk of privileged account misuse. They need to provide temporary, time-bound access to administrative roles in Microsoft Entra ID and require approval from a manager before granting the access. Which Microsoft Entra capability should they use?

A. Conditional Access policies
B. Microsoft Entra Privileged Identity Management (PIM)
C. Identity Protection
D. Entra ID Governance (Access Reviews)
Answer: B

PIM provides just-in-time privileged access with approval workflows, time-limited roles, and auditing.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing administrators to activate roles for a limited, time-bound duration. It also supports approval workflows, requiring a manager's approval before role activation is granted, directly addressing the need for temporary, approved access to administrative roles.

Exam trap

The trap here is that candidates often confuse PIM with Conditional Access or Access Reviews, mistakenly thinking those services can enforce time-bound approvals, but only PIM combines JIT activation with an approval workflow for privileged roles.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls based on conditions like location or device compliance, but they do not provide time-bound role activation or approval workflows for privileged roles. Option C is wrong because Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not manage privileged role activation or require approval for role assignment. Option D is wrong because Entra ID Governance (Access Reviews) enables periodic review of existing role assignments to ensure they are still needed, but it does not provide temporary, time-bound activation with an approval process.

608
MCQ · medium

Your organization uses Microsoft Purview Records Management to manage high-value contracts. You need to ensure that once a contract is declared as a record, it cannot be modified or deleted by any user, including administrators. Which type of record should you use?

A. Disposition review
B. Event-based retention policy
C. Retention label with default settings
D. Regulatory record
Answer: D

Regulatory records are immutable and cannot be deleted or modified by anyone.

Why this answer

Option D is correct because regulatory records provide the highest level of protection and cannot be modified or deleted by anyone, including administrators. Option C is wrong because a retention label with default settings does not lock content. Option B is wrong because event-based retention only controls when the retention period starts; it does not make content immutable.

Option A is wrong because disposition review is a review step before deletion, not a record type.

609
MCQ · medium

A financial services company uses Microsoft 365 and must comply with PCI DSS. They want to automatically prevent users from sending emails that contain credit card numbers to external recipients. If a user tries to send such an email, the system should block the message and notify the user with a policy tip. Which Microsoft Purview solution should they configure?

A. Data Loss Prevention (DLP)
B. Communication Compliance
C. Information Protection
D. Insider Risk Management
Answer: A

Microsoft Purview DLP policies can automatically detect sensitive data (e.g., credit card numbers) and take actions such as blocking the email and notifying the sender with a policy tip.

Why this answer

Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect and block sensitive data, such as credit card numbers, in transit (e.g., email). DLP policies can be configured with conditions to match credit card number patterns (using a built-in sensitive info type) and set actions to block the message and display a policy tip to the sender, meeting the PCI DSS compliance requirement.

Exam trap

The trap here is that candidates often confuse Information Protection (labels/encryption) with DLP, but Information Protection does not provide real-time blocking of outbound data; it only applies protection after classification, whereas DLP actively monitors and blocks data in motion.

How to eliminate wrong answers

Option B is wrong because Communication Compliance is designed to detect and remediate inappropriate or policy-violating communications (e.g., harassment, insider trading), not to block sensitive data like credit card numbers in email. Option C is wrong because Information Protection (e.g., sensitivity labels and encryption) focuses on classifying and protecting data at rest or in transit via encryption, but it does not automatically block outbound emails containing credit card numbers or provide policy tips. Option D is wrong because Insider Risk Management is used to detect, investigate, and act on risky user activities (e.g., data theft, leaks) based on analytics, not to enforce real-time blocking of specific data patterns in email.

610
MCQ · easy

A security analyst receives an alert from Microsoft Sentinel indicating a potential ransomware attack. The analyst needs to quickly understand the full scope of the attack, including all affected accounts and devices. Which Microsoft Sentinel feature should they use?

A. Analytics rules
B. Workbooks
C. Playbooks
D. Incident investigation
Answer: D

Incident investigation provides a graph view of entities and relationships to understand attack scope.

Why this answer

Incident investigation in Microsoft Sentinel provides a visual graph of entities and relationships, helping to understand the attack scope. Option A is wrong because analytics rules are for creating alerts; Option B is wrong because workbooks are for reporting and visualization; Option C is wrong because playbooks are for automation.

611
MCQ · hard

Your organization has implemented Microsoft Entra ID Governance. You need to review and attest to the access rights of users in a specific group every quarter. The group contains both direct members and members from nested groups. Which Microsoft Entra feature should you use to automate this review?

A. Lifecycle workflows
B. Access reviews
C. Privileged Identity Management
D. Entitlement management
Answer: B

Access reviews can be configured to review group membership periodically.

Why this answer

Access Reviews in Microsoft Entra ID Governance allow you to create recurring reviews of group membership, including both direct members and transitive members from nested groups. This feature automates the attestation process by sending reviewers notifications and tracking their decisions, ensuring compliance with quarterly review requirements.

Exam trap

The trap here is confusing Entitlement Management (which handles access requests and packages) with Access Reviews (which handle periodic attestation), leading candidates to pick D when the question explicitly requires a recurring review and attestation workflow.

How to eliminate wrong answers

Option A is wrong because Lifecycle Workflows automate joiner-mover-leaver processes (e.g., provisioning/deprovisioning accounts), not periodic access attestation. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time activation and oversight of privileged roles, not recurring reviews of standard group membership. Option D is wrong because Entitlement Management manages access packages and catalogs for requesting resources, but does not natively provide recurring attestation workflows for existing group members.

612
MCQ · hard

Your organization uses Microsoft Intune and Microsoft Entra ID. You need to enforce that only compliant and managed devices can access corporate email in Microsoft 365. Additionally, if a device is jailbroken, access should be blocked. You also want to provide a seamless sign-in experience for compliant devices. You have Microsoft Entra ID P1 licenses. What should you configure?

A. Configure Mobile Application Management (MAM) policies to restrict access.
B. Configure Azure AD Join for all devices and enable device registration.
C. Create a Conditional Access policy in Microsoft Entra ID that requires device compliance and use Intune compliance policies to block jailbroken devices, with seamless SSO.
D. Configure Microsoft Defender for Endpoint to detect jailbroken devices.
Answer: C

Conditional Access with device compliance ensures only compliant devices access email.

Why this answer

Option C is correct because Conditional Access can require device compliance (evaluated from Intune compliance policies, which can mark jailbroken devices as non-compliant) and allow seamless SSO for compliant devices. Option A is incorrect because MAM without device enrollment does not evaluate device compliance. Option D is incorrect because Microsoft Defender for Endpoint is for threat protection, not access enforcement.

Option B is incorrect because Azure AD Join alone does not enforce compliance policies.

613
MCQ · medium

Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution to allow external partners to access a specific SharePoint Online site. The partners must use their own email addresses to sign in. You want to enforce multifactor authentication for all external users. Additionally, you need to ensure that external users are automatically removed from the site after 90 days. You have the following requirements:
1. Use built-in Microsoft Entra features.
2. Minimize administrative effort.
3. The solution must support automatic expiration of access.
What should you do?

A. Configure Microsoft Entra Cloud Sync to sync partner accounts from their on-premises AD.
B. Enable self-service sign-up for external users and configure an access review policy.
C. Configure Microsoft Entra B2B collaboration to invite partners, create a Conditional Access policy requiring MFA for guests, and set up an access review to remove inactive guests after 90 days.
D. Create guest accounts manually and use Azure AD Domain Services to enforce MFA.
Answer: C

B2B collaboration invites partners, Conditional Access enforces MFA, and access review automates removal.

Why this answer

Option C is correct because Microsoft Entra B2B collaboration allows external partners to sign in with their own email addresses, and a Conditional Access policy can enforce MFA for guest users. An access review policy can automatically remove external users after 90 days of inactivity, meeting the requirement for automatic expiration with minimal administrative effort using built-in features.

Exam trap

The trap here is that candidates may confuse self-service sign-up (Option B) with B2B collaboration, but self-service sign-up does not support MFA enforcement or automatic expiration, while B2B collaboration with access reviews does.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Cloud Sync is designed to sync users from on-premises AD to Entra ID, not to invite external partners with their own email addresses; it does not support automatic expiration of access. Option B is wrong because self-service sign-up allows users to create accounts on their own but does not provide a mechanism to enforce MFA for external users or automatically remove them after 90 days; access reviews require explicit configuration and are not part of self-service sign-up. Option D is wrong because manually creating guest accounts is not a built-in feature for automatic expiration, and Azure AD Domain Services (now Microsoft Entra Domain Services) is used for domain join and legacy authentication, not for enforcing MFA on external users; it does not address the automatic removal requirement.

614
MCQ · easy

Your organization uses Microsoft Defender for Cloud to protect Azure virtual machines. You need to ensure that critical vulnerabilities identified on the VMs are automatically remediated using a just-in-time patching mechanism. What should you configure?

A. Enable adaptive application controls and just-in-time VM access in Defender for Cloud
B. Deploy Microsoft Intune for update management
C. Configure Azure Automation Update Management
D. Enable Azure Update Manager
Answer: A

Adaptive application controls and JIT access can be used to automate patching with least privilege.

Why this answer

Option A is correct because Microsoft Defender for Cloud's adaptive application controls and just-in-time VM access can be combined with update management to automate patching. Option D is wrong because Azure Update Manager does not provide just-in-time patching. Option C is wrong because Azure Automation Update Management requires manual scheduling.

Option B is wrong because Microsoft Intune is for endpoint management, not Azure VMs.

615
Multi-Select · easy

Which TWO of the following are identity-related security best practices recommended by Microsoft? (Choose two.)

Select 2 answers
A. Share passwords with team members for critical accounts
B. Implement Conditional Access policies
C. Use single sign-on (SSO) without MFA
D. Disable sign-in logs to reduce storage costs
E. Enable multi-factor authentication (MFA)
Answers: B, E

Conditional Access enforces access controls based on signals.

Why this answer

Options B and E are correct. Using Conditional Access policies and enabling MFA are key identity security best practices. Option A is wrong because sharing passwords is never recommended.

Option C is wrong because SSO reduces password use but is not a standalone best practice without MFA. Option D is wrong because disabling sign-in logs reduces visibility.

616
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Purview Information Protection? (Choose two.)

Select 2 answers
A. Classify and label sensitive data
B. Block external sharing of files
C. Detect malware in email attachments
D. Apply encryption based on sensitivity labels
E. Monitor user activities in real-time
Answers: A, D

Correct: Core capability of Information Protection.

Why this answer

Microsoft Purview Information Protection allows classification and labeling, and can apply encryption. Activity logging is part of Audit, and DLP is a separate solution.

617
MCQ · hard

Refer to the exhibit. You are reviewing Microsoft Entra sign-in logs for a user. The user successfully signed in from a mobile device running iOS, located in the US, with medium risk level. The sign-in did not require MFA. You have a Conditional Access policy that requires MFA for all users when sign-in risk is medium or higher. Why was MFA not triggered?

A. The Conditional Access policy may exclude 'Mobile Apps and Desktop clients' client apps.
B. The device is not compliant, so MFA was not required.
C. The sign-in risk level is medium, which is below the threshold.
D. The user is not assigned to the Conditional Access policy.
Answer: A

The policy might not apply to mobile app sign-ins, so MFA is not triggered.

Why this answer

Option A is correct because the Conditional Access policy can be configured to exclude specific client apps, such as 'Mobile Apps and Desktop clients'. If the policy excludes these client apps, the sign-in from an iOS mobile device would not be subject to the MFA requirement, even though the sign-in risk is medium. The sign-in logs confirm MFA was not required, indicating the policy did not apply to this client app type.

Exam trap

The trap here is that candidates assume a medium risk level always triggers MFA, overlooking the client apps exclusion condition that can bypass the policy for specific device types.

How to eliminate wrong answers

Option B is wrong because device compliance is not a condition in the described policy; the policy only requires MFA based on sign-in risk, not device compliance. Option C is wrong because the policy explicitly requires MFA when sign-in risk is medium or higher, and the sign-in risk is medium, so the threshold is met. Option D is wrong because the user successfully signed in, and the policy applies to 'all users' unless specifically excluded; the logs show the policy did not trigger, which points to a client app exclusion rather than user assignment.

618
MCQ · easy

Your organization needs to prevent sensitive data in SharePoint Online from being shared externally. Which Microsoft Purview solution should you use?

A. Data Loss Prevention (DLP)
B. eDiscovery
C. Sensitivity labels
D. Insider Risk Management
Answer: A

DLP policies can block external sharing of sensitive data.

Why this answer

Data Loss Prevention (DLP) policies can detect and block sharing of sensitive data. Option A is correct. Option C is wrong because sensitivity labels classify data but do not enforce sharing restrictions by themselves.

Option D is wrong because Insider Risk Management detects risky behavior, not external sharing. Option B is wrong because eDiscovery is for legal discovery.

619
MCQ · easy

An organization uses Microsoft Defender for Endpoint (MDE). The security team wants to identify devices that have not received a security update in the last 30 days. Which report should they use?

A. Threat analytics report
B. Device health report
C. Vulnerability management dashboard
D. Microsoft Secure Score report
Answer: B

Device health report includes missing updates status.

Why this answer

Option B is correct: the device health report in MDE shows missing updates. Option A is wrong because threat analytics is for threat intelligence. Option C is wrong because the vulnerability management dashboard shows vulnerabilities but not specifically missing updates.

Option D is wrong because Secure Score is for overall posture.

620
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. An app protection policy in Microsoft 365 admin center
B. A conditional access policy in Microsoft Entra ID
C. A conditional access policy in Azure AD
D. A device compliance policy in Intune
Answer: B

Conditional access policies can require devices to be marked as compliant before granting access.

Why this answer

Option B is correct because conditional access policies in Microsoft Entra ID can require compliant devices. Option D is incorrect because compliance policies define what compliance means but do not enforce access. Option C is incorrect because Azure AD is now Microsoft Entra ID, so the conditional access policy is configured in Entra ID.

Option A is incorrect because the Microsoft 365 admin center does not configure device compliance enforcement.

621
MCQ · easy

A company implements a sign-in process where a user must provide their password and then enter a temporary code sent to their mobile phone. Which security principle is this process primarily enforcing?

A. Authorization
B. Authentication
C. Accounting
D. Non-repudiation
Answer: B

Authentication verifies identity. Multi-factor authentication requires two or more forms of verification, such as a password and a code from a phone.

Why this answer

The process of verifying a user's identity by requiring both a password (something they know) and a temporary code sent to their mobile phone (something they have) is a classic implementation of multi-factor authentication (MFA). Authentication is the security principle that confirms the identity of a user, device, or system before granting access. This sign-in flow directly enforces authentication by combining two distinct factors to prove the user is who they claim to be.

Exam trap

The trap here is that candidates often confuse authentication (proving identity) with authorization (granting permissions), especially when the question describes a multi-step sign-in process that seems to 'allow access' — but the core principle being enforced is identity verification, not access control.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., access specific resources), not how they prove their identity. Option C is wrong because accounting (or auditing) tracks user activities and resource usage for logging and compliance, not the initial identity verification process. Option D is wrong because non-repudiation ensures that a user cannot deny having performed an action (often using digital signatures or logs), whereas this sign-in process focuses on proving identity at the point of entry.

622
MCQ · easy

Your company is implementing a passwordless authentication strategy. You want users to be able to sign in using the Microsoft Authenticator app on their mobile devices. Which Microsoft Entra feature should you enable?

A. Windows Hello for Business
B. Passwordless phone sign-in with Microsoft Authenticator
C. FIDO2 security keys
D. Temporary Access Pass
Answer: B

This allows users to sign in using the Authenticator app on their phone.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator allows users to sign in without entering a password by approving a notification or entering a number displayed on the screen. This directly aligns with the requirement to use the Microsoft Authenticator app on mobile devices for a passwordless authentication strategy.

Exam trap

The trap here is that candidates may confuse 'passwordless' with any non-password method, but the question specifically requires the Microsoft Authenticator app, which eliminates Windows Hello for Business (device-bound) and FIDO2 (hardware-bound) as valid options.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business is a biometric or PIN-based credential tied to a specific Windows device, not a mobile app-based solution. Option C is wrong because FIDO2 security keys are hardware-based external devices (e.g., USB keys) that require physical possession, not the Microsoft Authenticator app on a mobile phone. Option D is wrong because Temporary Access Pass is a time-limited passcode used for onboarding or recovery scenarios, not a persistent passwordless sign-in method using the Authenticator app.

623
MCQ · hard

A company receives a subject rights request (SRR) from a customer under GDPR, asking for the deletion of all personal data held about them. The compliance team needs a tool to orchestrate the discovery of this data across Microsoft 365 and other systems, and to track the response and fulfillment of the request. Which Microsoft Purview solution should they use?

A. Microsoft Purview eDiscovery
B. Microsoft Purview Audit
C. Microsoft Purview Data Lifecycle Management (retention labels)
D. Microsoft Priva (Privacy Management)
Answer: D

Microsoft Priva provides a centralized solution to handle subject rights requests, including automated data discovery across Microsoft 365 and other connected systems, and tracking the entire fulfillment process.

Why this answer

Microsoft Priva (Privacy Management) is the correct solution because it is specifically designed to help organizations manage subject rights requests (SRRs) under regulations like GDPR. It automates the discovery of personal data across Microsoft 365 and connected systems, provides a workflow to track the request lifecycle, and facilitates the fulfillment of actions such as deletion. This directly addresses the compliance team's need to orchestrate discovery and track response for an SRR.

Exam trap

The trap here is that candidates often confuse eDiscovery (which handles legal holds and litigation) with privacy management (which handles subject rights requests), but eDiscovery lacks the automated SRR workflow and privacy-specific orchestration that Priva provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview eDiscovery is focused on legal discovery for litigation or investigations, not on managing privacy subject rights requests; it lacks the automated workflow for SRR fulfillment and tracking. Option B is wrong because Microsoft Purview Audit is a logging and monitoring tool for auditing user and admin activities, not a solution for orchestrating data discovery or responding to deletion requests. Option C is wrong because Microsoft Purview Data Lifecycle Management (retention labels) is used to apply retention and deletion policies to data based on business or regulatory requirements, not to handle the end-to-end process of a subject rights request.

624
MCQmedium

A company requires that all sensitive data in Microsoft Teams messages be automatically encrypted and labeled with a 'Confidential' tag. Which Microsoft Purview solution should they use?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Information Protection
D.Microsoft Purview Compliance Manager
AnswerC

Sensitivity labels with auto-labeling can detect sensitive content and apply labels and encryption automatically.

Why this answer

Microsoft Purview Information Protection includes sensitivity labels that can be auto-applied to sensitive content in Teams messages, and the label settings carry the encryption. DLP policies can detect sensitive content and block or warn on it, but they do not apply labels directly. Data Lifecycle Management handles retention and deletion, not classification. Compliance Manager is for regulatory assessments and scoring.

625
MCQhard

A company is designing a data governance strategy using Microsoft Purview. They need to allow data owners to define custom attributes for data assets and control who can access those assets. Which Purview feature should they use?

A.Microsoft Purview Data Estate Insights
B.Microsoft Purview Data Policy
C.Microsoft Purview Data Catalog
D.Microsoft Purview Data Map
AnswerC

Data Catalog allows data owners to curate assets, add custom attributes, and manage access.

Why this answer

Microsoft Purview Data Catalog allows data owners to curate assets, manage custom attributes and set access controls on data assets. Option A is wrong because Data Estate Insights provides monitoring and reporting on the data estate, not governance of individual assets. Option B is wrong because Data Policy enables access policies on whole data sources, not asset-level custom attributes. Option D is wrong because Data Map is the underlying metadata store and scanning engine, not the end-user governance experience.

626
MCQhard

Your organization is implementing Microsoft Entra Internet Access. You need to secure access to public internet apps by enforcing traffic routing through Microsoft's network. Which feature should you enable?

A.Conditional Access
B.Global Secure Access
C.DDoS protection
D.Network segmentation
AnswerB

Global Secure Access routes traffic through Microsoft's security perimeter.

Why this answer

Microsoft Entra Internet Access (part of Global Secure Access) routes traffic from users and devices through the Microsoft network to enforce security policies for public internet apps. Enabling Global Secure Access allows you to configure traffic forwarding profiles that redirect internet-bound traffic through Microsoft Entra Internet Access, ensuring consistent policy enforcement and threat protection.

Exam trap

The trap here is that candidates often confuse Conditional Access (an identity-based policy tool) with network-level traffic routing, not realizing that Global Secure Access is the specific feature designed to enforce traffic routing through Microsoft's network for internet-bound apps.

How to eliminate wrong answers

Option A is wrong because Conditional Access is an identity-driven policy engine that enforces access controls based on signals like user, device, and location, but it does not route traffic through Microsoft's network. Option C is wrong because DDoS protection (Azure DDoS Protection) mitigates distributed denial-of-service attacks at the network layer, not traffic routing or secure access to internet apps. Option D is wrong because network segmentation (e.g., virtual networks, subnets) isolates network traffic within an organization's infrastructure but does not redirect internet-bound traffic through Microsoft's network.

627
Multi-Selecthard

Which THREE are features of Microsoft Purview Data Loss Prevention (DLP)?

Select 3 answers
A.DLP policies for Exchange Online
B.Endpoint DLP for Windows 10/11
C.Policy tips in Outlook
D.Sensitivity label auto-classification
E.Insider risk management analytics
AnswersA, B, C

DLP policies can be applied to Exchange Online.

Why this answer

Microsoft Purview DLP includes DLP policies for Microsoft 365 services such as Exchange Online (Option A), Endpoint DLP to monitor and restrict actions on Windows 10/11 devices (Option B), and policy tips that notify users in Outlook when a message is about to violate a policy (Option C). Option D is wrong because sensitivity labels and their auto-classification are part of Microsoft Purview Information Protection, not DLP. Option E is wrong because insider risk management is a separate Purview solution.

628
MCQhard

You are a compliance officer at a healthcare organization that uses Microsoft 365. The organization must comply with HIPAA regulations. You have Microsoft Purview, Microsoft Defender for Cloud Apps, and Microsoft Intune. You need to ensure that all devices accessing patient health information (PHI) are compliant with the organization's security policies, which require device encryption, a minimum OS version, and the use of a compliant mobile device management (MDM) provider. Currently, some devices are not managed by Intune. You need to enforce that only compliant devices can access PHI stored in SharePoint Online. What should you do?

A.Create a device compliance policy in Microsoft Intune and assign it to all users
B.Deploy an app protection policy in Microsoft Intune to restrict data access
C.Configure a conditional access policy in Microsoft Entra ID to require compliant devices
D.Create a DLP policy in Microsoft Purview to block access from non-compliant devices
AnswerC

Conditional access can require devices to be marked as compliant.

Why this answer

Option C is correct because a Conditional Access policy in Microsoft Entra ID can require that a device be marked compliant (enrolled in Intune and passing its compliance policy) before it is granted access to SharePoint Online; devices that are unmanaged or non-compliant are blocked at sign-in. Option A is wrong because an Intune device compliance policy only defines and evaluates the rules for enrolled devices; on its own it blocks nothing, and devices that are not enrolled are never evaluated. Option B is wrong because app protection policies control data inside managed mobile apps but do not require the device itself to be managed or compliant. Option D is wrong because DLP policies act on content, not on device compliance state.

629
MCQhard

A company runs critical applications on Windows Server virtual machines in Azure and on-premises. The security team wants to reduce the exposure of administrative ports (e.g., RDP, SSH) by requiring administrators to request just-in-time (JIT) access. The request should require approval from a central team, and the port should be opened only for a limited time. Which Microsoft security solution provides this JIT capability for both Azure and on-premises servers (when connected via Azure Arc)?

A.Microsoft Entra Privileged Identity Management (PIM)
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud (with just-in-time VM access)
D.Microsoft Defender for Cloud Apps
AnswerC

Defender for Cloud's JIT feature allows you to manage and approve temporary access to management ports (RDP, SSH) on Azure VMs and, via Azure Arc, on on-premises servers, thereby reducing the attack surface.

Why this answer

Microsoft Defender for Cloud's just-in-time (JIT) VM access capability reduces exposure to administrative ports (RDP, SSH) by locking down inbound traffic to Azure VMs and Azure Arc-enabled on-premises servers. Administrators must request access; who may request is governed by Azure RBAC on the JIT policy, so a central team controls the requester set, and the specified ports are opened for a limited time and then closed again automatically. This matches the scenario's need for JIT, time-limited port opening across hybrid environments.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with just-in-time VM access because both involve 'just-in-time' and 'approval,' but PIM controls role activation in Azure AD/Entra ID, not network-level port access to virtual machines.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time activation of Azure AD roles and Azure resource roles (e.g., Contributor), not network-level port access to VMs; it does not open or close RDP/SSH ports. Option B is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that detects identity-based attacks (e.g., lateral movement, pass-the-hash) and does not provide any JIT network access control. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that controls access to SaaS applications (e.g., Office 365, Salesforce) and does not manage administrative port access to VMs.

630
Matchingmedium

Match each Azure security service to its purpose.


Concepts
Matches

Enforce organizational standards and assess compliance

Define repeatable Azure resources and policies

Unified security management and threat protection

Cloud-native SIEM and SOAR solution

Securely store and manage secrets and keys

Why these pairings

These are core Azure security and compliance services.

631
MCQmedium

A company runs virtual machines in Azure and also maintains on-premises servers connected via Azure Arc. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and track a secure score across both environments. They also want to enable advanced threat protection features such as just-in-time (JIT) VM access and file integrity monitoring for these workloads. Which Microsoft security solution should they implement?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud provides a unified dashboard with secure score, recommendations, and advanced threat protection for hybrid workloads including on-premises servers via Azure Arc.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that displays security recommendations, misconfigurations, and a secure score across both Azure and on-premises workloads connected via Azure Arc. It also includes advanced threat protection features like just-in-time (JIT) VM access and file integrity monitoring, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM and workload protection platform) with Microsoft Sentinel (a SIEM), but the question explicitly asks for a single dashboard for security posture, secure score, and advanced threat protection features like JIT and file integrity monitoring, which are exclusive to Defender for Cloud.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution for security information and event management, not a dashboard for security posture management, secure score, or built-in JIT/file integrity monitoring. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on providing a unified secure score or recommendations for Azure and Arc-connected servers. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) for controlling and protecting cloud applications, not for managing VM security configurations or on-premises server posture.

632
MCQmedium

A compliance officer needs to investigate a potential data exfiltration incident. They must search the unified audit log for all activities where users accessed a specific sensitive SharePoint site in the last 7 days. Additionally, they need to create a custom alert that triggers when more than 10 file downloads occur from that site within an hour. Which Microsoft Purview solution should they use?

A.Microsoft Purview Audit (Standard)
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview eDiscovery
D.Microsoft Purview Communications Compliance
AnswerA

Audit (Standard) allows searching the unified audit log for user and admin activities and creating alert policies to detect specific patterns like a spike in file downloads. This directly meets both requirements.

Why this answer

Microsoft Purview Audit (Standard) logs user and admin activities, including file accesses and downloads from SharePoint sites, and retains them for 180 days (raised from 90 days in late 2023). The compliance officer can search the unified audit log for the specific site's activities over the last 7 days and create alert policies (for example, a threshold alert for more than 10 downloads per hour) from the Microsoft Defender or Microsoft Purview portal. This makes Audit (Standard) the correct solution for both investigation and alerting.

Exam trap

The trap here is that candidates confuse the investigative and alerting capabilities of Audit (Standard) with the preventive controls of DLP, assuming DLP can retroactively search logs or create threshold-based alerts, when in fact DLP only applies real-time policies to content in transit or at rest.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent data exfiltration by applying policies (e.g., blocking or warning on sensitive data sharing), not to search historical audit logs or create activity-based threshold alerts. Option C is wrong because Microsoft Purview eDiscovery is used for legal holds, content search, and export of data for litigation, not for real-time alerting or unified audit log searches for incident investigation. Option D is wrong because Microsoft Purview Communications Compliance focuses on monitoring internal and external communications (e.g., email, Teams) for policy violations like harassment or insider trading, not on SharePoint file download activity or audit log searches.
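The investigation half of this question, as an added example that is not part of the original page: pull a week of FileDownloaded events from the unified audit log, keep only those for one SharePoint site, and flag any user who downloaded more than 10 files within a single UTC hour. It uses Search-UnifiedAuditLog from Exchange Online PowerShell; the site URL and the threshold are assumptions for illustration, and the AuditData fields used (SiteUrl, UserId, ObjectId, CreationTime) are the ones SharePoint file operations emit.

```powershell
# Added example (not from the page). Requires Connect-ExchangeOnline with a role
# that may run Search-UnifiedAuditLog (e.g. View-Only Audit Logs).
$SiteUrl   = 'https://contoso.sharepoint.com/sites/Finance'   # assumed site
$Threshold = 10                                                 # downloads per hour
$End       = (Get-Date).ToUniversalTime()
$Start     = $End.AddDays(-7)

# Search-UnifiedAuditLog returns at most 5000 rows per call; page through a
# session until a call returns nothing.
$SessionId = [guid]::NewGuid().ToString()
$Records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation -Operations FileDownloaded `
        -ResultSize 5000 -SessionId $SessionId -SessionCommand ReturnLargeSet
    if ($batch) { $Records += $batch }
} while ($batch)

# AuditData is a JSON string; expand it and keep only events for the target site.
$Downloads = $Records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    if ($d.SiteUrl -and $d.SiteUrl.TrimEnd('/') -ieq $SiteUrl) {
        [pscustomobject]@{
            Time = ([datetime]$d.CreationTime).ToUniversalTime()
            User = $d.UserId
            File = $d.ObjectId
        }
    }
}

# Bucket by user and hour; anything above the threshold is the spike the
# alert policy in the question would also catch.
$Spikes = $Downloads |
    Group-Object { '{0}|{1:yyyy-MM-dd HH}' -f $_.User, $_.Time } |
    Where-Object Count -gt $Threshold |
    ForEach-Object {
        $user, $hour = $_.Name -split '\|'
        [pscustomobject]@{ User = $user; HourUtc = $hour; Downloads = $_.Count }
    }

$Spikes | Sort-Object Downloads -Descending | Format-Table -AutoSize
```

The search is retrospective, which is the point of contrast with DLP in the exam trap above: a DLP policy could block a future download, but only the audit log answers "what happened over the last 7 days". Run the search with a narrower -StartDate first on large tenants; a full week of downloads from a busy site can be tens of thousands of rows.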

633
MCQhard

Your company is deploying Microsoft Entra ID Governance. They want to automate the review of guest user access to Microsoft Teams and remove access when guests leave the partner organization. Which feature should they implement?

A.Access reviews and connected organizations
B.Entitlement management
C.Terms of use
D.Password policies
AnswerA

Access reviews with connected organizations automate removal.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to create recurring reviews of guest user access to resources like Microsoft Teams. By configuring the review to include connected organizations, you can automatically remove guest access when the guest's identity is no longer associated with a partner organization, such as when they leave the partner company. This automation is achieved through the integration of access reviews with the connected organization's lifecycle, ensuring that guest access is revoked without manual intervention.

Exam trap

The trap here is that candidates often confuse entitlement management (which handles access requests and provisioning) with access reviews (which handle periodic attestation and automated removal), leading them to choose entitlement management instead of the correct feature for automated removal based on partner organization changes.

How to eliminate wrong answers

Option B is wrong because entitlement management is used to manage access packages and automate the request and approval process for resources, but it does not directly automate the removal of guest access based on the guest leaving a partner organization; that is the function of access reviews with connected organizations. Option C is wrong because terms of use are used to present and require acceptance of legal or policy documents before accessing resources, not to automate access removal based on organizational membership changes. Option D is wrong because password policies control password complexity, expiration, and lockout settings, and have no role in automating the review or removal of guest access based on partner organization membership.

634
MCQeasy

Your company uses Microsoft Purview to manage records. You need to ensure that financial records are retained for 7 years and then permanently deleted. Which type of policy should you create?

A.A retention policy with a retention period of 7 years and then delete
B.A sensitivity label set to 'Financial' with auto-labeling
C.A retention label that triggers a disposition review after 7 years
D.A DLP policy that blocks sharing of financial records
AnswerA

A retention policy can automatically delete content after the retention period.

Why this answer

Option A is correct because a retention policy configured to retain for 7 years and then delete keeps the records for the required period and permanently deletes them afterwards with no further action. Option B is wrong because a sensitivity label classifies and protects content; it does not manage retention. Option C is wrong because a retention label that triggers a disposition review requires a reviewer to approve deletion, so deletion is not automatic. Option D is wrong because a DLP policy prevents data loss; it neither retains nor deletes records.

635
MCQeasy

A company uses Microsoft Entra ID (formerly Azure Active Directory) to manage user access to cloud applications. The security team wants to enforce that users must provide a second form of authentication, such as a phone call or mobile app notification, in addition to their password. Which Microsoft Entra capability should they enable?

A.Conditional Access
B.Identity Protection
C.Multi-Factor Authentication
D.Privileged Identity Management
AnswerC

MFA is the feature that requires a second verification method, such as phone call or app notification, in addition to the password.

Why this answer

Multi-Factor Authentication (MFA) is the correct capability because it requires users to provide a second form of authentication (e.g., phone call, mobile app notification) in addition to their password. This directly addresses the security team's requirement for a second authentication factor, which is the core function of MFA in Microsoft Entra ID.

Exam trap

The trap here is that candidates may confuse Conditional Access (which can *require* MFA) with the actual MFA capability itself, but the question asks for the capability that *provides* the second form of authentication, not the policy that enforces it.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces conditions (e.g., location, device state) to grant access, but it does not itself provide a second authentication factor; it can require MFA as a control, but the capability to provide the second factor is MFA. Option B is wrong because Identity Protection uses risk signals (e.g., leaked credentials, anonymous IP addresses) to detect and respond to potential identity threats, but it does not enforce a second authentication factor; it can trigger MFA via Conditional Access, but the second factor itself is MFA. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not the enforcement of a second authentication factor for all users.

636
Multi-Selecteasy

Which THREE features are included in Microsoft Entra ID Free? (Choose three.)

Select 3 answers
A.Security reports and alerts
B.Self-service password reset with on-premises writeback
C.Conditional Access
D.Single sign-on for up to 10 apps per user
E.User provisioning from cloud HR apps
AnswersA, D, E

Free includes basic security reports.

Why this answer

Option A is correct because Microsoft Entra ID Free includes basic security reports and alerts that provide insights into sign-in activities and potential risks, such as sign-ins from unfamiliar locations or devices. These reports are part of the built-in Identity Security Reports, which are available at no additional cost in the Free tier.

Exam trap

The trap here is that candidates often confuse the Free tier's capabilities with premium features, mistakenly assuming that SSPR writeback or Conditional Access are included, when in fact they require P1 or P2 licensing.

637
MCQmedium

A company uses Microsoft Entra ID. The security team wants to automatically detect user behaviors that indicate possible compromise, such as leaked credentials, impossible travel, or anomalous login patterns. When a user is determined to be at high risk, the system should automatically require the user to reset their password the next time they sign in. Which Microsoft Entra capability should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Identity Governance
AnswerB

Identity Protection includes user risk policies that can automatically require a password reset when risk is high, providing the desired automated remediation.

Why this answer

Identity Protection is the correct Microsoft Entra capability because it is specifically designed to automatically detect risky user behaviors such as leaked credentials, impossible travel, and anomalous sign-in patterns. It assigns a risk level to users and sign-ins, and can be configured with a Conditional Access policy to enforce actions like requiring a password reset at next sign-in when a user is deemed high risk. This directly matches the security team's requirement for automated detection and remediation.

Exam trap

Microsoft often tests the distinction between detection and enforcement: candidates mistakenly choose Conditional Access because it enforces the password reset, but the question asks for the capability that automatically detects the risky behaviors, which is Identity Protection—Conditional Access is the enforcement mechanism, not the detection engine.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky behaviors like leaked credentials or impossible travel; it relies on Identity Protection to provide the risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, approval workflows, and access reviews for administrative roles, not on detecting user compromise behaviors or enforcing password resets for risky users. Option D is wrong because Identity Governance manages user lifecycle, access certifications, and entitlement management (e.g., access reviews, group membership), but it does not include risk detection or automatic remediation for compromised accounts.
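Two Conditional Access policies that put question 628 (require a compliant device for SharePoint Online) and this question (force a password change for high-risk users) into practice, as an added example that is not part of the original page. It uses the Microsoft Graph PowerShell SDK; the break-glass group ID is a placeholder you must replace, and the SharePoint Online app ID is the well-known first-party application ID. Both policies are created in report-only mode so their effect can be checked in the sign-in logs before anyone is locked out.

```powershell
# Added example (not from the page). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Office 365 SharePoint Online first-party application (well-known app ID).
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'
# Assumed group holding emergency-access accounts; never scope them into CA.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# 1. Question 628: only Intune-compliant devices may reach SharePoint Online.
$CompliantDevicePolicy = @{
    displayName = 'CA-SPO-RequireCompliantDevice'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @($SharePointAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $CompliantDevicePolicy | Out-Null

# 2. This question: Identity Protection rates the user high risk, so require MFA
#    and a password change. 'passwordChange' is only valid together with 'mfa'
#    under the AND operator.
$UserRiskPolicy = @{
    displayName = 'CA-UserRisk-High-PasswordChange'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $UserRiskPolicy | Out-Null

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'CA-*' |
    Select-Object DisplayName, State
```

The second policy is the concrete form of the detection/enforcement split the exam trap describes: Identity Protection produces the userRiskLevels signal, and Conditional Access is where the response is wired in. The user risk condition and the risk detections behind it require Microsoft Entra ID P2.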

638
MCQeasy

A company uses Microsoft Entra ID. A new IT support technician is hired and needs to be able to reset passwords for users but must not be allowed to delete user accounts or modify group memberships. Which built-in Microsoft Entra ID role should be assigned to this technician?

A.User Administrator
B.Password Administrator
C.Helpdesk Administrator
D.Global Administrator
AnswerB

Password Administrators can reset passwords for non-administrators and for other Password Administrators, but cannot delete users or manage groups, which meets the requirement with the least privilege.

Why this answer

The Password Administrator role is the correct choice because it is limited to resetting passwords for non-administrator users (and other Password Administrators) and carries no permission to delete user accounts or modify group memberships. It is the narrowest built-in role for a technician whose only task is password resets; it cannot reset passwords for users holding most other administrator roles.

Exam trap

The trap here is that candidates often pick Helpdesk Administrator as the obvious 'support' role. It can also reset non-administrator passwords and likewise cannot delete users or manage groups, but it additionally invalidates refresh tokens, manages support requests and monitors service health, so it grants more than the technician needs.

How to eliminate wrong answers

Option A is wrong because the User Administrator role can create, delete and manage user accounts and groups, which exceeds the required scope and would allow the technician to delete user accounts or modify group memberships. Option C is wrong because the Helpdesk Administrator role, although it cannot delete users or manage groups either, adds permissions the technician does not need (invalidating refresh tokens, managing support requests, monitoring service health); Password Administrator is the tighter fit under least privilege. Option D is wrong because the Global Administrator role has full access to all administrative features in Microsoft Entra ID, including deleting user accounts and modifying group memberships, far beyond the required permissions.

639
MCQhard

Refer to the exhibit. You are creating a Microsoft Purview sensitivity label for HR data. The JSON shows a label configuration. What is the likely effect of setting the sensitivity value to 90?

A.The label automatically encrypts the document
B.The label triggers auditing for 90 days
C.The label sets a 90-day retention period
D.The label will be applied with higher priority than labels with lower sensitivity values
AnswerD

Higher sensitivity values denote higher priority for auto-classification.

Why this answer

Option D is correct because in Microsoft Purview a higher sensitivity value places the label higher in the label priority order, so when several auto-labeling conditions match, the higher-priority label is applied and takes precedence over lower labels. Option A is wrong because encryption is a separate label setting and is not implied by the value. Option B is wrong because the value does not control audit logging. Option C is wrong because retention is handled by retention labels and policies, not by sensitivity labels.

640
MCQmedium

A company has several custom-developed web applications hosted on-premises. The company wants to provide employees with secure remote access to these applications without deploying a traditional VPN. Employees should be able to sign in using their existing Microsoft Entra ID credentials, and the solution should pass through multi-factor authentication policies. Which Microsoft Entra ID feature should they implement?

A.Microsoft Entra Application Proxy
B.Microsoft Entra Domain Services
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Identity Protection
AnswerA

Application Proxy provides secure remote access to on-premises web apps using Entra ID authentication, supporting MFA and Conditional Access policies without requiring a VPN.

Why this answer

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications by acting as a reverse proxy. It allows employees to sign in with their existing Microsoft Entra ID credentials and enforces conditional access policies, including multi-factor authentication, without requiring a traditional VPN.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Application Proxy with a traditional VPN or assume that Microsoft Entra Domain Services is needed for authentication, but the key requirement is secure remote access without VPN, which only Application Proxy fulfills by acting as a reverse proxy with Entra ID integration.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not reverse proxy-based remote access. Option C is wrong because Microsoft Entra Privileged Identity Management manages just-in-time privileged role assignments and access reviews, not remote application access. Option D is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks using signals like leaked credentials and anomalous behavior, but does not provide a reverse proxy for accessing on-premises apps.

641
Multi-Selectmedium

Which THREE of the following are features of Microsoft Entra ID Governance? (Select three.)

Select 3 answers
A.Access reviews
B.Privileged Identity Management (PIM)
C.Entitlement management
D.Self-service password reset
E.Multifactor authentication
AnswersA, B, C

Access reviews allow periodic review of user access rights.

Why this answer

Access reviews are a core feature of Microsoft Entra ID Governance, enabling administrators to periodically review and certify user access rights to ensure they remain appropriate. This supports compliance, security, and lifecycle management by automating attestation workflows.

Exam trap

The trap here is that candidates confuse security features like MFA and SSPR (which are part of Microsoft Entra ID's core authentication and protection capabilities) with governance features, which specifically focus on access lifecycle, attestation, and privileged role management.

642
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender XDR (formerly Microsoft 365 Defender)? (Choose three.)

Select 3 answers
A.Identity threat detection
B.Data classification and labeling
C.Endpoint detection and response (EDR)
D.Mobile device management (MDM)
E.Email and collaboration protection
AnswersA, C, E

Defender for Identity is part of XDR.

Why this answer

Options A, C and E are correct. Microsoft Defender XDR includes Microsoft Defender for Identity (identity threat detection), Microsoft Defender for Endpoint (endpoint detection and response) and Microsoft Defender for Office 365 (email and collaboration protection). Option B is wrong because data classification and labeling belong to Microsoft Purview, a separate compliance solution. Option D is wrong because mobile device management is Microsoft Intune, which is not part of Defender XDR.

643
MCQmedium

A financial organization needs to automatically detect documents containing credit card numbers in SharePoint Online and apply a sensitivity label that encrypts the document and restricts editing to internal users. The label must also be automatically assigned when the sensitive content is detected. Which Microsoft Purview solution should they configure?

A.Data Loss Prevention (DLP)
B.Information Protection (Sensitivity Labels)
C.Audit (Unified Audit Log)
D.eDiscovery (Content Search)
AnswerB

Sensitivity labels with auto-labeling rules can detect sensitive content and automatically apply encryption, headers, and permissions.

Why this answer

Option B is correct because Microsoft Purview Information Protection (sensitivity labels) supports automatic labeling based on sensitive content types (e.g., credit card numbers) using built-in or custom sensitive info types. When configured with auto-labeling policies, the label can be applied automatically in SharePoint Online, enforcing encryption and restricting editing to internal users via rights management.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with auto-labeling, assuming DLP can apply sensitivity labels, but DLP only detects and blocks—it does not assign labels or enforce persistent protection like encryption and editing restrictions.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies detect and block or warn about sensitive data, but they do not automatically apply sensitivity labels or enforce encryption and editing restrictions; DLP focuses on preventing data exfiltration, not on persistent protection via labels. Option C is wrong because Audit (Unified Audit Log) records user and admin activities for forensic analysis but cannot automatically detect content or apply labels; it is a logging mechanism, not a protection or labeling solution. Option D is wrong because eDiscovery (Content Search) is used for searching and exporting content for legal or investigative purposes, not for automatic detection and labeling of sensitive data in real time.

644
MCQmedium

Your company uses Microsoft Defender for Cloud to assess security posture. A recommendation states that virtual machines should have just-in-time (JIT) network access enabled. What is the primary security benefit of enabling JIT?

A.It reduces the attack surface by opening ports only when necessary
B.It replaces the need for network security groups
C.It encrypts all network traffic between the VM and clients
D.It permanently blocks all inbound traffic to the VM
AnswerA

JIT reduces exposure by keeping ports closed and opening them only for authorized requests.

Why this answer

JIT network access reduces the attack surface by keeping management ports (for example RDP 3389 and SSH 22) closed by default and opening them only for an approved request, from the requester's source address, for a limited time window, by adding a temporary allow rule to the network security group or Azure Firewall and removing it when the window ends. It does not block all inbound traffic permanently; approved requests get through. It does not encrypt traffic, and it does not replace NSGs or firewall rules; it manages them.

645
Multi-Selecthard

A company must comply with the General Data Protection Regulation (GDPR). They need a unified solution that provides a compliance score, actionable recommendations to improve their security posture, and the ability to track their progress over time. Additionally, they want to assign improvement actions to specific teams and automate the collection of evidence for controls. Which two Microsoft Purview solutions should the administrator use? (Select two.)

Select 2 answers
A.Compliance Manager
B.Data Lifecycle Management
C.Insider Risk Management
D.Audit (Premium)
AnswersA, D

Compliance Manager offers a compliance score, continuous assessment, recommended improvement actions, and evidence collection workflows.

Why this answer

Compliance Manager (Option A) is correct because it provides the compliance score, recommended improvement actions, progress tracking over time, and the ability to assign improvement actions to owners in specific teams; its GDPR and ISO assessment templates map regulatory controls to those actions. Audit (Premium) (Option D) is the second solution because its long-term retention and high-value events supply the activity records that are attached to improvement actions as evidence when controls are tested, which is what the evidence-collection requirement depends on.

Exam trap

The trap here is treating Audit (Premium) as a compliance management tool in its own right: it supplies retained activity logs and investigation capabilities, not scoring, recommendations or task assignment, so it only satisfies the evidence requirement alongside Compliance Manager. Candidates also pick Insider Risk Management or Data Lifecycle Management because they are Purview compliance features, but neither produces a compliance score or tracks improvement actions.

646
MCQeasy

A company wants to allow users to reset their own passwords from the login screen without contacting IT. Which Microsoft Entra ID feature enables this?

A.Conditional Access
B.Multifactor authentication
C.Self-Service Password Reset
D.Identity Protection
AnswerC

Correct: SSPR enables users to reset passwords without IT intervention.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature that allows users to reset their own passwords from the login screen without contacting IT. It is specifically designed to reduce helpdesk workload by enabling password changes or unlocks through a verified authentication method, such as a phone call, text message, or the Microsoft Authenticator app.

Exam trap

The trap here is that candidates often confuse Conditional Access with SSPR because both appear in the sign-in flow, but Conditional Access evaluates its policies after the user's credentials are verified and before a token is issued, whereas SSPR is a separate flow for recovering a forgotten password before sign-in can complete.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from specific locations) based on signals like user, device, or location, but it does not provide password reset functionality. Option B is wrong because Multifactor Authentication (MFA) adds an extra layer of security by requiring a second verification factor during sign-in, but it does not enable users to reset their own passwords. Option D is wrong because Identity Protection uses machine learning to detect and respond to identity-based risks (e.g., leaked credentials or anomalous sign-ins), but it does not include a self-service password reset capability.

647
MCQeasy

A company wants to automatically detect and remediate compliance issues such as sharing sensitive data externally. Which Microsoft Purview solution should they use?

A.Microsoft Purview Records Management
B.Microsoft Purview Data Loss Prevention
C.Microsoft Purview eDiscovery
D.Microsoft Purview Audit
AnswerB

DLP policies detect and prevent unauthorized sharing.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention policies detect sensitive data in Exchange, Teams, SharePoint, OneDrive and on endpoints, and can block the share, warn the user or require a business justification, which is the detect-and-remediate behavior asked for. Option A is wrong because Records Management governs retention and disposition of records. Option C is wrong because eDiscovery is for legal discovery.

Option D is wrong because Audit is for logging and investigation after the fact.

648
MCQhard

A multinational corporation stores highly sensitive intellectual property in SharePoint Online. To meet regulatory requirements, they need an additional layer of encryption beyond Microsoft's baseline encryption. The company wants to manage their own encryption keys using Azure Key Vault, so that if they remove the key from the service, the data becomes unreadable. Which Microsoft Purview solution should they implement?

A.Double Key Encryption
B.Customer Key
C.Information Rights Management
D.Customer Lockbox
AnswerB

Correct. Microsoft Purview Customer Key allows customers to provide and manage their own encryption keys using Azure Key Vault, providing an additional layer of encryption on top of the baseline. Data is encrypted using these keys, and the customer can control key access.

Why this answer

Customer Key (Option B) is the correct solution because it provides the ability to control and manage the encryption keys used to encrypt data at rest in Microsoft 365, including SharePoint Online. By using Azure Key Vault to store the keys, the organization can revoke access at any time, rendering the data unreadable—a key requirement for meeting regulatory obligations. This goes beyond Microsoft's baseline encryption by adding a customer-controlled layer of encryption.

Exam trap

The trap here is that candidates often confuse Customer Key with Double Key Encryption, mistakenly thinking DKE is required for customer-managed keys in Azure Key Vault, when in fact Customer Key is the correct solution for managing encryption keys at rest across Microsoft 365 workloads.

How to eliminate wrong answers

Option A is wrong because Double Key Encryption (DKE) is applied through a sensitivity label to individual, highly sensitive documents and adds a second key that the customer holds in its own DKE service, outside Microsoft's reach; it is not a tenant-wide scheme for the keys that encrypt data at rest in SharePoint Online through Azure Key Vault, which is what the scenario describes. Option C is wrong because Information Rights Management (IRM) applies usage restrictions (e.g., preventing copy, print, or forward) to documents and emails, but it does not provide customer-managed encryption keys or the ability to render data unreadable by removing a key. Option D is wrong because Customer Lockbox provides a controlled approval process for Microsoft engineers to access customer data during support requests, but it does not involve encryption key management or data encryption at rest.

649
MCQeasy

A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Zero trust
AnswerB

Defense in depth uses multiple layers of security controls to protect resources, ensuring that failure of one layer does not lead to a complete breach.

Why this answer

Defense in depth is the correct concept because it involves implementing multiple layers of security controls (e.g., firewalls, IDS, antivirus, encryption) so that if one layer fails, subsequent layers continue to provide protection. This layered approach ensures redundancy and mitigates the risk of a single point of failure, aligning with the scenario described.

Exam trap

The trap here is that candidates often confuse defense in depth with zero trust, mistakenly thinking that multiple layers automatically imply a zero-trust architecture, but zero trust specifically requires explicit verification per request rather than just layered controls.

How to eliminate wrong answers

Option A is wrong because least privilege is a principle that restricts users or systems to only the minimum permissions necessary to perform their functions, not a strategy of overlapping security controls. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error, not to provide layered technical defenses. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, which is a broader philosophy rather than the specific layered control strategy described.

650
MCQhard

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to investigate ransomware alerts. The query returns: AlertSeverity High: 5, Medium: 3, Low: 2. The security team wants to automate a response for all high-severity ransomware alerts. What should you configure?

A.Create an analytics rule for ransomware
B.Create a hunting query for ransomware
C.Create a workbook to display ransomware alerts
D.Create an automation rule that triggers a playbook for high-severity ransomware incidents
AnswerD

Automation rules enable automated response.

Why this answer

Option D is correct because an automation rule with conditions on incident severity (High) and the analytics rule or tactic (ransomware) can run a playbook, a Logic App that performs the response such as isolating the host or opening a ticket. Option A is wrong because analytics rules generate alerts and incidents; they do not by themselves run a response. Option B is wrong because hunting queries are run interactively for proactive investigation and do not trigger actions.

Option C is wrong because workbooks visualize data.

651
MCQmedium

Your organization uses Microsoft Purview Audit to investigate a security incident. You need to search for activities performed by a specific user over the past 90 days. Which solution should you use?

A.Microsoft Purview Audit (Standard)
B.Microsoft Purview Audit (Premium)
C.Microsoft Defender XDR Advanced Hunting
D.Microsoft Purview eDiscovery (Standard)
AnswerA

Audit Standard retains audit logs for 90 days by default.

Why this answer

Option A is correct because Audit (Standard) retains audit records long enough for a 90-day search of a single user's activity; the default retention was 90 days when this question was written and has since been raised to 180 days. Option B is wrong because Audit (Premium) adds one-year retention (ten years with the add-on license) plus high-value events such as MailItemsAccessed, which this scenario does not require. Option C is wrong because Advanced Hunting in Defender XDR queries 30 days of raw security event data, not the unified audit log.

Option D is wrong because eDiscovery (Standard) searches and holds content for legal cases; it does not return user activity records.

652
MCQmedium

You are reviewing a Microsoft Purview DLP policy configuration as shown in the exhibit. What is the expected behavior when a user sends an email containing a credit card number to an external recipient?

A.The email is delivered, but the user receives a warning.
B.The email is delivered, and the user is asked to provide a business justification.
C.The email is blocked, but only if the recipient is external and internal recipients are allowed.
D.The email is blocked, and the user receives a policy tip notification.
AnswerD

The policy blocks external sharing and notifies the user.

Why this answer

The exhibit's rule blocks the message when credit card numbers are detected and a recipient is outside the organization, with user notifications (policy tips) turned on. Option D is correct because the email is blocked and the user sees the policy tip explaining why. Option A is wrong because the message is not delivered. Option B is wrong because the rule has no override with business justification configured.

Option C is wrong because it describes only the blocking condition and leaves out the notification the rule is configured to send; the question asks for the complete behavior on an external send.
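Questions 643 and 652 both hinge on how a sensitive info type recognises a credit card number: a digit pattern plus a checksum, not the pattern alone. The following is an added example (not part of the original question bank and not Microsoft's own pattern) that shows that detection logic in Python together with the block-on-external-send rule from question 652. The regex, the sample message, the test card numbers and the contoso.com internal domain are all constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally grouped with spaces or
# hyphens, not glued to other digits. This approximates the shape of the
# built-in "Credit Card Number" sensitive info type (pattern + checksum);
# the regex is written for this example and is not Microsoft's pattern.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    The checksum is what separates a real card number from an order number
    or phone number that merely has the right number of digits.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the normalised (digits-only) card numbers found in text."""
    matches = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            matches.append(digits)
    return matches


def is_external(recipient: str, internal_domains: set[str]) -> bool:
    """Treat any recipient whose domain is not one of ours as external."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def evaluate_email(body: str, recipients: list[str], internal_domains: set[str]) -> dict:
    """Apply the example rule: block plus policy tip on an external send with card data.

    Internal-only recipients are unaffected; any external recipient triggers a
    block with no override option, matching the behaviour in question 652.
    """
    cards = find_card_numbers(body)
    external = [r for r in recipients if is_external(r, internal_domains)]
    if cards and external:
        return {
            "action": "block",
            "matches": len(cards),
            "external_recipients": external,
            "policy_tip": (
                f"This message contains {len(cards)} credit card number(s) and "
                "cannot be sent to external recipients."
            ),
        }
    return {"action": "allow", "matches": len(cards),
            "external_recipients": external, "policy_tip": None}


# Constructed sample message (test card numbers, not real cards). The order
# reference has 16 digits but fails Luhn, so it must not be flagged.
SAMPLE_BODY = (
    "Hi, the card on file is 4111 1111 1111 1111 and the backup is "
    "5500-0000-0000-0004. Order reference 1234567890123456, call 555-0100."
)
INTERNAL = {"contoso.com"}

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(evaluate_email(SAMPLE_BODY, ["partner@fabrikam.com"], INTERNAL))
    print(evaluate_email(SAMPLE_BODY, ["finance@contoso.com"], INTERNAL))
```

The checksum step is the part worth noticing: without it the 16-digit order reference would be a false positive, and real sensitive info types add a confidence level and supporting keywords ("card", "visa", "expiry") on top of the checksum to push confidence higher.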

653
MCQeasy

Your organization wants to protect against phishing attacks by verifying the sender's identity for incoming emails. Which Microsoft Defender for Office 365 feature should you configure?

A.Anti-malware policy
B.Safe Links policy
C.Anti-phishing policy with SPF/DKIM/DMARC settings
D.Safe Attachments policy
AnswerC

Anti-phishing policies include email authentication checks.

Why this answer

Option C is correct because SPF, DKIM, and DMARC are the DNS-published email authentication standards that let a receiving system verify that a message really comes from the domain it claims; Exchange Online Protection and Defender for Office 365 evaluate them on inbound mail, and the anti-phishing policy is where spoof intelligence, impersonation protection and the handling of authentication failures are configured. Option A is wrong because anti-malware policies scan messages for malicious content. Option B is wrong because Safe Links rewrites URLs and checks them at click time.

Option D is wrong because Safe Attachments detonates attachments in a sandbox before delivery.
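The protocols named in this question are only as strong as the records a domain publishes, so a practitioner checks the records before trusting the policy. As an added example (not part of the original question bank), the Python below parses SPF and DMARC TXT records and classifies the domain's posture as enforcing, monitoring or none, flagging the common weaknesses: a permissive or missing `all` mechanism, more than ten DNS lookups, `p=none`, a partial `pct`, and no `rua` address. The record strings are constructed inline so nothing is looked up over the network; `spf.protection.outlook.com` is the documented Microsoft 365 include, while the other hostnames and addresses are made up for the example.

```python
from typing import Optional

# Mechanisms that count toward the SPF 10-DNS-lookup limit (RFC 7208 4.6.4).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record: str) -> dict:
    """Parse an SPF TXT record into its mechanisms, the 'all' qualifier and lookup count."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, lookups, all_qualifier = [], 0, None
    for tok in tokens[1:]:
        qualifier = "+"  # pass is the default qualifier
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        name = tok.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in SPF_LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
        mechanisms.append((qualifier, tok))
    return {"mechanisms": mechanisms, "all": all_qualifier, "dns_lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, filling RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags.get("p"))  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def assess_posture(spf_record: str, dmarc_record: Optional[str]) -> dict:
    """Classify how much a receiver can rely on the domain's published records.

    'enforcing': mail failing authentication is rejected or quarantined.
    'partial':   an enforcing policy applied to only part of the failing mail.
    'monitoring': failures are only reported (p=none).
    'none':      no DMARC record, so a receiver has nothing to act on.
    """
    spf = parse_spf(spf_record)
    findings = []
    if spf["all"] is None:
        findings.append("SPF has no 'all' mechanism; unmatched senders get an implicit neutral")
    elif spf["all"] in ("?", "+"):
        findings.append(f"SPF ends in '{spf['all']}all', which lets any sender pass")
    elif spf["all"] == "~":
        findings.append("SPF ends in '~all' (softfail); enforcement depends on DMARC")
    if spf["dns_lookups"] > 10:
        findings.append(f"SPF needs {spf['dns_lookups']} DNS lookups; receivers return permerror above 10")

    if dmarc_record is None:
        findings.append("no DMARC record published")
        return {"level": "none", "findings": findings, "spf_all": spf["all"], "dmarc_p": None}

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none")
    if policy in ("quarantine", "reject") and int(dmarc["pct"]) == 100:
        level = "enforcing"
    elif policy in ("quarantine", "reject"):
        level = "partial"
        findings.append(f"DMARC policy applies to only {dmarc['pct']}% of failing mail")
    else:
        level = "monitoring"
        findings.append("DMARC p=none only reports failures; it does not stop spoofing")
    if "rua" not in dmarc:
        findings.append("no rua= address; aggregate reports will not be received")
    return {"level": level, "findings": findings, "spf_all": spf["all"], "dmarc_p": policy}


# Constructed records for a tenant that sends through Exchange Online.
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@contoso.com; pct=100"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:mail.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(assess_posture(GOOD_SPF, GOOD_DMARC))
    print(assess_posture(WEAK_SPF, WEAK_DMARC))
    print(assess_posture(WEAK_SPF, None))
```

DKIM is deliberately left out of the parser: for Microsoft 365 it is published as two CNAME records (`selector1._domainkey` and `selector2._domainkey`) pointing at Microsoft-hosted keys, so there is no policy text to interpret, only a presence check.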

654
MCQhard

A large enterprise uses a variety of cloud applications, including sanctioned apps like Microsoft 365 and unsanctioned apps that employees adopted without IT approval. The security team wants to discover all cloud applications in use, assess each app's risk score based on more than 80 risk factors, and control data sharing within sanctioned apps to prevent data leakage. Additionally, they need to identify which users are using a new, unknown file-sharing service. Which Microsoft security solution should be deployed to meet these requirements?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerB

Defender for Cloud Apps is a CASB that discovers all cloud apps, assesses their risk using 80+ factors, and allows control over sanctioned apps.

Why this answer

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that provides visibility into both sanctioned and unsanctioned cloud apps through its Cloud Discovery feature. It assesses each discovered app against more than 80 risk factors (e.g., encryption standards, data residency, and compliance certifications) and enforces data sharing controls in sanctioned apps through app connectors (file policies) and session policies (Conditional Access App Control) to prevent data leakage. It also answers the question of who is using a new, unknown file-sharing service: Cloud Discovery parses traffic logs from firewalls and proxies or telemetry from Defender for Endpoint, surfaces newly seen apps, and lists the users and upload volumes behind them.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM and workload protection tool for Azure, AWS and Google Cloud resources) with Microsoft Defender for Cloud Apps (a CASB), or they assume that Purview DLP alone can discover and risk-assess unsanctioned apps, when in fact DLP only controls data in apps that are already known and integrated.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection solution focused on securing cloud infrastructure in Azure, AWS and Google Cloud (e.g., VMs, containers, SQL, storage), not on discovering or controlling SaaS applications. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and advanced threats; it can feed device network telemetry to Cloud Discovery, but it has no native CASB capability for risk-scoring or controlling cloud apps. Option D is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent accidental sharing of sensitive data across endpoints, email, and connected cloud apps via content inspection, but it does not discover unknown cloud apps or provide risk scoring for them.

655
MCQmedium

Refer to the exhibit. The JSON snippet shows an app registration in Microsoft Entra ID. The password credential endDateTime is set to 2025-12-31. What will happen when that date is reached?

A.The secret will renew automatically.
B.The app will be unable to authenticate using that secret.
C.The app registration will be automatically deleted.
D.The app will be blocked from signing in.
AnswerB

The secret expires and cannot be used for authentication.

Why this answer

When the password credential (client secret) reaches its endDateTime, the secret expires and becomes invalid. Microsoft Entra ID does not automatically renew secrets; the application must use a valid secret to authenticate. Once expired, any authentication attempt using that secret will fail, preventing the app from obtaining tokens.

Exam trap

The trap here is that candidates may assume secrets auto-renew or that the app registration is deleted, but Microsoft Entra ID treats secrets as static credentials that must be manually managed before expiration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID does not automatically renew client secrets; the secret must be manually rotated or renewed by an administrator or via automation. Option C is wrong because an expired secret does not trigger deletion of the app registration; the registration remains intact and can be updated with a new secret. Option D is wrong because the app itself is not blocked from signing in; only the specific expired secret becomes invalid, and the app can still authenticate using a different valid secret or certificate.
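The practical follow-up to this question is knowing, before the endDateTime arrives, which credentials on an app registration are about to expire and whether any other credential will keep the app working. As an added example (not part of the original question bank), the Python below reads an application object in the shape Microsoft Graph returns for `GET /applications/{id}` (the `passwordCredentials` and `keyCredentials` arrays) and classifies each secret and certificate as expired, expiring or valid. The JSON document, its keyId values and display names are constructed for the example; in practice the object would come from the Graph API or `Get-MgApplication`.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed JSON mirroring the Microsoft Graph 'application' resource shape.
# The identifiers, names and hints are made up; secretText is never returned
# by Graph after creation, which is why it is absent here.
SAMPLE_APP_JSON = """
{
  "displayName": "contoso-inventory-api",
  "appId": "00000000-0000-0000-0000-000000000000",
  "passwordCredentials": [
    {"displayName": "ci-pipeline-2025", "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-12-31T00:00:00Z", "endDateTime": "2025-12-31T00:00:00Z", "hint": "Q7x"},
    {"displayName": "ci-pipeline-2026", "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2025-12-01T00:00:00Z", "endDateTime": "2026-06-30T00:00:00Z", "hint": "mR2"}
  ],
  "keyCredentials": [
    {"displayName": "CN=contoso-inventory-api", "keyId": "33333333-3333-3333-3333-333333333333",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"}
  ]
}
"""
SAMPLE_APP = json.loads(SAMPLE_APP_JSON)


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC instant for 'now' in the checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Graph emits RFC 3339 UTC timestamps with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_report(app: dict, now: datetime, warn_days: int = 30) -> list[dict]:
    """Classify every secret and certificate on an app registration.

    Status is 'expired' once endDateTime has passed, 'expiring' when fewer than
    warn_days remain, otherwise 'valid'. Nothing in Entra ID renews these;
    rotation has to happen before the expired state is reached.
    """
    rows = []
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(key, []):
            end = parse_graph_time(cred["endDateTime"])
            remaining = end - now
            if remaining <= timedelta(0):
                status = "expired"
            elif remaining <= timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "valid"
            rows.append({
                "type": kind,
                "name": cred.get("displayName"),
                "keyId": cred["keyId"],
                "endDateTime": cred["endDateTime"],
                "days_remaining": remaining.days,
                "status": status,
            })
    return rows


def can_still_authenticate(app: dict, now: datetime) -> bool:
    """True while at least one credential is unexpired.

    This is the distinction behind options B and D in the question: one
    expired secret stops that secret, not the app, as long as another
    secret or certificate remains valid.
    """
    return any(r["status"] != "expired" for r in credential_report(app, now))


if __name__ == "__main__":
    now = utc(2026, 1, 15)
    for row in credential_report(SAMPLE_APP, now):
        print(f'{row["type"]:11} {row["name"]:28} {row["status"]:9} ({row["days_remaining"]} days)')
    print("app can still authenticate:", can_still_authenticate(SAMPLE_APP, now))
```

Run against a real tenant, the same report over every application (paging through `/applications?$select=displayName,appId,passwordCredentials,keyCredentials`) is the usual source for an expiring-credentials alert; a certificate credential is the safer long-term replacement for a secret because it is never transmitted as a bearer value.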

656
MCQeasy

You are a security administrator for a company using Microsoft Entra ID P2. The company has a critical application that should only be accessible by a specific group of users (the 'Finance' group). You need to ensure that any access to this application is automatically logged and that an administrator is notified when a user outside the Finance group attempts to access it. Additionally, the CEO wants a quarterly review of all users who have access to this application. Which combination of features should you use?

A.Grant access to the application via B2B collaboration and configure auditing.
B.Use Identity Protection to detect access attempts from non-Finance users and send alerts.
C.Assign the application to the Finance group using Privileged Identity Management, and enable sign-in logs.
D.Create a Conditional Access policy that restricts access to the Finance group, configure audit logging for the application, and set up an access review for the Finance group.
AnswerD

Conditional Access enforces access restriction, audit logs capture activity, and access reviews provide periodic recertification.

Why this answer

Option D is correct because a Conditional Access policy scoped to the application can grant access to the Finance group and block everyone else, the sign-in and audit logs record every attempt (including the blocked ones, which can drive an alert), and an access review on the Finance group gives the CEO the quarterly recertification. Option A is wrong because B2B collaboration is for external guest users. Option B is wrong because Identity Protection detects risky sign-ins, not attempts by users outside a particular group.

Option C is wrong because PIM governs privileged role activation, not which group of users may reach an application.

657
Multi-Selecteasy

Which THREE are features of Microsoft Entra ID Protection? (Choose THREE.)

Select 3 answers
A.Privileged role management
B.Sign-in risk detection
C.Detection of leaked credentials
D.Risk-based conditional access
E.Identity governance
AnswersB, C, D

Identity Protection detects risky sign-ins such as from anonymous IP addresses.

Why this answer

Sign-in risk detection is a core feature of Microsoft Entra ID Protection. It uses real-time and offline machine learning models to evaluate each sign-in attempt for anomalies such as impossible travel, anonymous IP addresses, or atypical locations, assigning a risk level (low, medium, high). This allows organizations to automatically respond to suspicious sign-ins before compromise occurs.

Exam trap

The trap here is that candidates often confuse Entra ID Protection (focused on risk detection and remediation) with Entra ID Governance (focused on identity lifecycle and access controls), leading them to select Privileged role management or Identity governance as features of ID Protection.

658
MCQmedium

A company uses Microsoft 365 and requires that users access corporate email and SharePoint from managed devices that meet security policy requirements, such as having encryption enabled and antivirus software running. The security team wants to enforce this access control within Microsoft Entra ID so that unmanaged devices are blocked. Which Microsoft Entra ID feature should they configure?

A.Identity Protection
B.Conditional Access
C.Access Reviews
D.Privileged Identity Management
AnswerB

Conditional Access policies can require that devices be marked as compliant or domain-joined before granting access to cloud apps like Exchange Online and SharePoint.

Why this answer

Conditional Access is the Microsoft Entra ID feature that enforces access control policies based on conditions such as device compliance, location, and user risk. By configuring a policy that requires devices to be marked as compliant (e.g., with encryption enabled and antivirus running) and blocking access from unmanaged devices, the security team can meet the stated requirement. This is the correct choice because Conditional Access directly integrates with Microsoft Intune device compliance policies to evaluate device health before granting access to corporate email and SharePoint.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based signals like leaked credentials) with Conditional Access (which enforces broader policies including device compliance), leading them to select A instead of B.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not enforce device-level security requirements like encryption or antivirus status. Option C is wrong because Access Reviews are used to periodically audit and recertify user access rights to groups, applications, or roles, not to block unmanaged devices based on security policy compliance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and oversight, not device-level access controls for general users accessing email or SharePoint.

659
MCQmedium

A legal team is managing a large litigation case involving over two million documents in SharePoint Online and Exchange Online. They want to reduce the time required for manual review by using a machine learning model that learns from a seed set of relevant and non-relevant documents and then predicts the relevance of the remaining documents. Which Microsoft Purview solution provides this advanced analytical capability?

A.Communication Compliance
B.eDiscovery (Standard)
C.eDiscovery (Premium)
D.Audit (Premium)
AnswerC

eDiscovery (Premium) builds on Standard with advanced features like predictive coding, text analytics, and near-duplicate identification to streamline large-scale document review.

Why this answer

eDiscovery (Premium) in Microsoft Purview provides advanced analytics capabilities, including predictive coding, which uses machine learning models trained on a seed set of relevant and non-relevant documents to automatically predict the relevance of the remaining content. This directly addresses the legal team's need to reduce manual review time for over two million documents in SharePoint Online and Exchange Online.

Exam trap

The trap here is that candidates often confuse eDiscovery (Standard) with eDiscovery (Premium) because both involve searching and holding content, but only Premium includes the advanced analytics and machine learning capabilities described in the scenario.

How to eliminate wrong answers

Option A is wrong because Communication Compliance is designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) using policy templates and classifiers, not to perform predictive relevance scoring on litigation documents. Option B is wrong because eDiscovery (Standard) offers basic search and hold capabilities but lacks the machine learning-based predictive coding and advanced analytics found in eDiscovery (Premium). Option D is wrong because Audit (Premium) provides detailed logging and investigation of user and admin activities, not document relevance prediction or review analytics.

660
MCQmedium

Your company uses Microsoft Entra ID. You need to ensure that when a user's account is compromised and used to send spam, the account is automatically blocked from signing in. Which feature should you configure?

A.Microsoft Entra Conditional Access policy to block sign-ins from high-risk users
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra Identity Protection with a user risk policy to block high-risk users
D.Microsoft Entra Self-Service Password Reset
AnswerC

Identity Protection's user risk policy can automatically block sign-ins when risk is high.

Why this answer

Microsoft Entra Identity Protection uses machine learning to detect user risk, such as when an account is compromised and used to send spam. A user risk policy can be configured to automatically block sign-ins for high-risk users, directly addressing the requirement to block the compromised account from signing in.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with Identity Protection user risk policies, but the question specifically asks for the feature that automatically blocks based on compromise (spam), which is the user risk policy in Identity Protection, not a general Conditional Access policy.

How to eliminate wrong answers

Option A is wrong in the context of this question because a Conditional Access policy only acts on a user risk level that Identity Protection has already computed; both require Microsoft Entra ID P2, and risk-based Conditional Access is in fact Microsoft's recommended way to deploy the user risk policy today, but the question asks for the feature that detects the compromise and blocks on it, which is the Identity Protection user risk policy. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not automatic blocking of compromised accounts. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, but it does not automatically block sign-ins when an account is compromised.

661
MCQeasy

A company wants to ensure that only users with specific IP addresses can access its critical applications. Which Microsoft Entra feature should they configure?

A.Identity Protection
B.Privileged Identity Management
C.Conditional Access
D.Self-Service Password Reset
AnswerC

Conditional Access policies can restrict access based on IP address ranges.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that enforce access controls based on conditions such as IP address location. By configuring a Conditional Access policy with a 'Locations' condition that includes only trusted IP address ranges, the company can block or grant access to critical applications based on the user's network location. This directly meets the requirement to restrict access to specific IP addresses.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access (which uses IP reputation) with the explicit IP address location control provided by Conditional Access policies, leading them to select Identity Protection instead.

How to eliminate wrong answers

Option A is wrong because Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not provide granular IP address-based access control policies. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not network-level access restrictions based on IP addresses. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, and it has no capability to restrict application access by IP address.

662
MCQeasy

Your organization has deployed Microsoft Intune for mobile device management. You need to ensure that users can only access corporate resources from devices that are compliant with your security policies. Which policy type should you configure?

A.A Conditional Access policy
B.An app protection policy
C.A compliance policy
D.A configuration policy
AnswerA

Conditional Access policies can block or grant access based on device compliance status from Intune.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID consume the compliance state that Intune reports for each device and can require the device to be marked as compliant before granting access, blocking non-compliant and unmanaged devices. Option B is wrong because app protection policies govern data inside managed apps, not device-level access. Option C is wrong because a compliance policy defines the criteria and marks the device compliant or not, but it does not block access by itself.

Option D is wrong because configuration policies manage device settings, not access control.

663
MCQhard

Your organization uses Microsoft Purview Communication Compliance to detect harassing messages. You receive an alert for a message that appears to be a joke between colleagues. What should you do to prevent similar false positives?

A.Train users not to joke about sensitive topics
B.Delete the alert and ignore future similar messages
C.Refine the policy conditions to exclude certain keywords or users
D.Turn off the policy and use a different solution
AnswerC

Refining conditions reduces false positives while maintaining detection.

Why this answer

Option C is correct because refining the policy conditions (excluding specific keywords, tuning the classifier, or excluding particular users or groups) reduces false positives while keeping detection active. Option A is wrong because training users does not change the policy that produced the alert. Option B is wrong because deleting alerts and ignoring future matches leaves the policy generating the same noise and risks missing a genuine case.

Option D is wrong because turning off the policy stops detection entirely.

664
MCQmedium

Your organization uses Microsoft Entra ID with P2 licenses. You need to review and approve role activations for the Global Administrator role on a weekly basis. Which feature should you use?

A.Microsoft Entra Identity Protection
B.Microsoft Entra Conditional Access
C.Microsoft Entra Privileged Identity Management (PIM)
D.Microsoft Entra Access Reviews
AnswerC

PIM manages just-in-time role activation with approval workflows.

Why this answer

Option C is correct because Privileged Identity Management makes Global Administrator an eligible rather than permanent assignment and routes each activation through an approval workflow, so designated approvers review and approve activations as they happen each week, with every activation recorded in the PIM audit history. Option A is wrong because Identity Protection detects risk. Option B is wrong because Conditional Access controls the conditions under which access is granted, not role activation.

Option D is wrong because Access Reviews recertify standing assignments on a schedule; they do not approve individual activations.

665
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that when a high-severity incident is created, a Microsoft Teams message is sent to the SOC team automatically. What should you configure?

A.Create an automation rule that triggers on incident creation and runs a playbook.
B.Create a playbook and attach it to an analytics rule.
C.Modify the analytics rule to include an automated response.
D.Configure a workbook to send email alerts.
AnswerA

Automation rules can trigger on incident creation and execute a playbook to send a Teams message.

Why this answer

Automation rules in Microsoft Sentinel are the mechanism for triggering automated responses on incidents: an automation rule with the incident-created trigger and a condition of severity equals High can run a playbook (a Logic App) that posts to the SOC team's Teams channel. Option A is correct for that reason.

Option B is wrong because a playbook attached directly to an analytics rule runs on the alert trigger of that one rule rather than on incident creation across all rules; Sentinel now routes playbook execution through automation rules. Option C is wrong because analytics rules detect and create incidents; the automated response is configured in automation rules, not in the detection logic. Option D is wrong because workbooks are for visualization and cannot send notifications.

666
MCQ · medium

A company runs a production Kubernetes cluster in Azure. The security team needs to continuously monitor the cluster for misconfigurations, such as containers running with privileged access or secrets exposed in environment variables. They also want to detect runtime threats like crypto-mining containers. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps
Answer: A

Correct. Defender for Cloud includes CSPM and workload protection for AKS, offering both configuration recommendations and runtime threat detection for containers.

Why this answer

Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities. It continuously assesses Kubernetes clusters against the CIS Kubernetes Benchmark, detecting misconfigurations like privileged containers and exposed secrets in environment variables, and uses behavioral analytics to detect runtime threats such as crypto-mining containers.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's log aggregation capabilities with the proactive, agent-based posture management and runtime detection that Defender for Cloud provides specifically for Kubernetes workloads.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution that ingests logs and alerts from multiple sources, but it does not natively perform continuous Kubernetes configuration scanning or runtime threat detection on clusters. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (workstations, servers, mobile devices) from malware and advanced attacks, not to monitor Kubernetes cluster configurations or detect container runtime threats. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that focuses on shadow IT discovery, data protection, and threat detection for SaaS applications, not on Kubernetes workload protection or container misconfiguration scanning.

667
MCQ · medium

A company uses a mix of Azure virtual machines and on-premises Windows and Linux servers. The security team wants a single, integrated solution that can continuously assess these servers for missing security updates, weak operating system configurations, and common vulnerabilities. The solution should provide prioritized remediation recommendations. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Identity
D. Microsoft 365 Defender
Answer: A

Correct. Defender for Cloud provides integrated vulnerability assessment and security posture management for Azure, on-premises, and multi-cloud workloads, including patch and configuration recommendations.

Why this answer

Microsoft Defender for Cloud provides a unified infrastructure security management solution that continuously assesses hybrid workloads, including Azure VMs and on-premises Windows/Linux servers. It integrates with Azure Policy and Microsoft Defender Vulnerability Management to detect missing security updates, weak OS configurations, and common vulnerabilities, then delivers prioritized remediation recommendations based on risk scores.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a workload protection and compliance tool) with Microsoft 365 Defender (an endpoint and identity protection suite), leading them to choose the broader-sounding but incorrect option for a specific vulnerability assessment requirement.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution focused on log collection, threat detection, and incident response across the enterprise, not on continuous vulnerability assessment and configuration compliance of servers. Option C is wrong because Microsoft Defender for Identity is an identity-based security solution that uses on-premises Active Directory signals to detect advanced threats like lateral movement and privilege escalation, not for assessing OS-level vulnerabilities or missing updates. Option D is wrong because Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that covers endpoints, email, identities, and cloud apps, but it does not natively provide the continuous vulnerability assessment and configuration compliance scanning for hybrid servers that Defender for Cloud offers.

668
MCQ · hard

Refer to the exhibit. You are analyzing a Microsoft Sentinel workspace using KQL. The query returns no results, but you know that malware alerts have been generated today. What is the most likely reason?

A. The table does not contain an 'AlertSeverity' column.
B. The 'order by' clause is invalid.
C. The time range is too short.
D. The column name 'AlertName' is incorrect.
Answer: D

The query filters on 'AlertName', but some tables store the alert name under 'Title'.

Why this answer

The query in the exhibit filters on a column named 'AlertName'. Alerts are stored in the 'SecurityAlert' table only for some sources; alerts raised by analytics rules may instead be surfaced through 'SecurityIncident' or a source-specific table, and those tables do not all use the same column names. Option D is correct because, if the table being queried exposes the alert name as 'Title' rather than 'AlertName', the filter matches nothing and the query returns no rows even though alerts exist.

In Sentinel's 'SecurityAlert' table the standard column is 'AlertName'. Option C is wrong because the time filter is valid. Option A is wrong because the 'AlertSeverity' column exists.

Option B is wrong because the 'order by' syntax is fine.

669
MCQ · medium

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that users can use the same password on-premises and in the cloud without having to sync password hashes. Additionally, you want to prevent accounts from being locked out after a few bad password attempts in the cloud. Which Microsoft Entra feature should you implement?

A. Use password hash synchronization and set up custom lockout policies.
B. Deploy password writeback and enable Microsoft Entra smart lockout.
C. Implement federation with Active Directory Federation Services (AD FS).
D. Implement pass-through authentication and configure on-premises lockout thresholds.
Answer: B

Correct: Password writeback enables on-premises password changes from the cloud, and smart lockout prevents cloud lockouts.

Why this answer

Option B is correct because password writeback enables password changes made in the cloud to be written back to on-premises Active Directory, ensuring the same password is used without syncing password hashes. Microsoft Entra smart lockout prevents accounts from being locked out after a few bad password attempts in the cloud by intelligently recognizing and blocking malicious sign-in attempts while allowing legitimate users to continue, without locking the on-premises account.

Exam trap

The trap here is that candidates often confuse pass-through authentication with password writeback, thinking that pass-through authentication alone prevents cloud lockouts, but it does not—smart lockout is required to decouple cloud lockout from on-premises lockout thresholds.

How to eliminate wrong answers

Option A is wrong because password hash synchronization requires syncing password hashes to the cloud, which contradicts the requirement to avoid syncing password hashes, and custom lockout policies in Entra ID do not prevent cloud lockouts from affecting on-premises accounts. Option C is wrong because federation with AD FS still requires password hash synchronization or pass-through authentication for cloud authentication, and it does not inherently prevent cloud lockouts from locking on-premises accounts. Option D is wrong because pass-through authentication validates passwords against on-premises Active Directory but does not prevent cloud lockouts; on-premises lockout thresholds would still cause account lockout after a few bad attempts in the cloud.

670
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Defender XDR? (Choose two.)

Select 2 answers
A. Correlate alerts from multiple domains into a single incident
B. Data loss prevention for sensitive information
C. Centralized log analytics for custom queries
D. Identity governance and access reviews
E. Automated investigation and response across domains
Answers: A, E

Defender XDR correlates alerts across endpoints, email, etc.

Why this answer

Microsoft Defender XDR correlates alerts from multiple domains—such as endpoint, email, identity, and cloud apps—into a single incident. This cross-domain correlation is a core capability of the XDR (Extended Detection and Response) solution, enabling security teams to see the full attack story in one place.

Exam trap

The trap here is that candidates confuse the broad security portfolio—such as DLP, SIEM, and identity governance—with the specific cross-domain correlation and automated response capabilities that define Microsoft Defender XDR.

671
Multi-Select · medium

Which TWO Microsoft Purview features can be used to classify and label sensitive data in Microsoft 365?

Select 2 answers
A. Auto-labeling policies
B. Data Loss Prevention policies
C. Retention policies
D. Sensitivity labels
E. Audit policies
Answers: A, D

Automatically apply sensitivity labels.

Why this answer

Auto-labeling policies (A) are correct because they allow organizations to automatically apply sensitivity labels to data based on conditions such as sensitive information types or pattern matching, enabling classification and labeling without manual user intervention. Sensitivity labels (D) are correct because they are the core mechanism in Microsoft Purview for classifying and protecting sensitive data by applying persistent labels that can enforce encryption, access restrictions, and visual markings across Microsoft 365 services.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention policies with classification and labeling, but DLP policies only enforce actions based on existing labels or sensitive info types, not create or apply the labels themselves.

672
Multi-Select · medium

A security administrator is configuring Microsoft Entra ID Conditional Access. Which THREE conditions can be included in a policy?

Select 3 answers
A. User risk
B. Location
C. Authentication strength
D. Application
E. Device platform
Answers: B, D, E

Correct: location, application, and device platform are policy conditions.

Why this answer

Device platform, location, and application are standard conditions. User risk is from Identity Protection. Authentication strength is a control, not a condition.

673
Multi-Select · easy

Which TWO features are part of Microsoft Purview Information Protection?

Select 2 answers
A. Communication monitoring
B. Retention policies
C. Automatic classification based on sensitive content
D. Sensitivity labels
E. Audit log investigation
Answers: C, D

Automatic classification is a key capability of Information Protection.

Why this answer

Information Protection includes sensitivity labels and automatic classification. Data Lifecycle Management is a separate solution. Communication Compliance is separate.

Audit is separate.

674
MCQ · hard

Your company uses Microsoft Defender for Endpoint. A security analyst reports that a device is showing multiple alerts for the same malware variant, but the alerts are being automatically suppressed after the initial detection. What is the most likely reason for this behavior?

A. Alert suppression is enabled to reduce noise from repeated detections
B. The alerts are classified as low severity
C. The device is not properly onboarded to Microsoft Defender for Endpoint
D. Automatic investigation and remediation resolved the alerts
Answer: A

Defender for Endpoint automatically suppresses duplicate alerts for the same malware to reduce alert fatigue.

Why this answer

Option A is correct because alert suppression is a built-in feature that reduces alert fatigue for repeated detections of the same malware. Option B is incorrect because suppression is based on duplicate detection, not on low severity. Option D is incorrect because automatic investigation and remediation may run, but suppression is a separate mechanism.

Option C is incorrect because suppression is expected behaviour, not an onboarding or configuration error.

675
MCQ · easy

Your organization needs to monitor and respond to security threats across on-premises, cloud, and hybrid environments. Which Microsoft solution provides a unified SIEM and SOAR capability?

A. Microsoft Defender XDR
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Microsoft Intune
Answer: C

Correct: Sentinel provides SIEM and SOAR across environments.

Why this answer

Microsoft Sentinel is the correct answer because it is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution. It provides unified threat monitoring, detection, and response across on-premises, cloud, and hybrid environments by ingesting data from various sources, using built-in analytics, and enabling automated playbooks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (an XDR tool) with a full SIEM/SOAR solution, but Sentinel is the only Microsoft offering that provides both SIEM and SOAR capabilities natively.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR is an extended detection and response (XDR) solution that correlates alerts across endpoints, email, identities, and cloud apps, but it does not provide the full SIEM data ingestion and SOAR orchestration capabilities of Sentinel. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing cloud resources, not a unified SIEM/SOAR solution. Option D is wrong because Microsoft Intune is a cloud-based endpoint management and mobile device management (MDM) service, with no SIEM or SOAR functionality.
