CCNA Describe the concepts of security, compliance, and identity Questions

75 of 235 questions · Page 1/4 · Describe the concepts of security, compliance, and identity · Answers revealed

Question 1 (MCQ, hard)

A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?

A. The customer
B. Microsoft
C. Both the customer and Microsoft equally
D. Neither – physical security is no longer needed in the cloud
Answer: B

For IaaS, Microsoft is responsible for the physical data center, including physical security, hardware maintenance, and network infrastructure. This is a core tenet of the shared responsibility model.

Why this answer

Under the shared responsibility model, Microsoft is responsible for the physical security of its Azure data centers, including access controls, surveillance, and environmental safeguards. The customer is responsible for securing the virtual machine's operating system, applications, and data, but not the physical infrastructure. Therefore, Microsoft retains responsibility for physical security even when the customer manages the guest OS and application.

Exam trap

The trap here is that candidates mistakenly think the customer is responsible for all security when they manage the OS and application, but physical security always remains the provider's responsibility under the shared responsibility model.

How to eliminate wrong answers

Option A is wrong because the customer is responsible for securing the OS, applications, and data on the VM, not the physical data center infrastructure. Option C is wrong because physical security is not shared equally; Microsoft retains sole responsibility for the physical data center, while the customer manages the virtualized components. Option D is wrong because physical security remains essential in cloud data centers; it is handled by the provider (Microsoft) rather than being eliminated.

Question 2 (MCQ, hard)

A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?

A. Applying operating system patches to the virtual machines running the App Service
B. Configuring network security groups to filter traffic to the App Service
C. Managing the application code and its configuration
D. Ensuring physical security of the Azure data centers
Answer: C

Correct. The customer is responsible for securing their application, including code, configuration, authentication, and data handling within the app.

Why this answer

In the shared responsibility model for PaaS like Azure App Service, the customer is responsible for managing the application code and its configuration, including secrets, connection strings, and authentication settings. Microsoft manages the underlying platform, including the OS and runtime, so the customer's scope is limited to what they deploy and configure within the service.

Exam trap

The trap here is that candidates confuse PaaS with IaaS and assume they must manage OS patches or NSGs, but in PaaS, those are abstracted and Microsoft's responsibility, while the customer's focus is on application-level security.

How to eliminate wrong answers

Option A is wrong because applying OS patches to the virtual machines running App Service is Microsoft's responsibility, as the platform is abstracted and the customer has no direct access to the underlying VMs. Option B is wrong because configuring network security groups (NSGs) is not applicable to App Service; traffic filtering is done via App Service access restrictions or Azure Front Door/WAF, not NSGs, which are for IaaS VNets. Option D is wrong because ensuring physical security of Azure data centers is entirely Microsoft's responsibility under the shared model, never the customer's.

Question 3 (MCQ, easy)

Your organization is adopting a Zero Trust security model. You are tasked with implementing identity protection. The requirements are: enforce multi-factor authentication (MFA) for all users when accessing cloud applications, ensure that risky sign-ins are detected and blocked automatically, and provide administrators with a dashboard showing user risk levels. You have Microsoft Entra ID P2 licenses. What should you configure?

A. Configure Microsoft Sentinel to collect sign-in logs and create custom alerts for risky sign-ins.
B. Configure a Conditional Access policy to require MFA for all cloud apps, enable Identity Protection to detect and automatically block risky sign-ins, and use the Identity Protection dashboard.
C. Configure Privileged Identity Management for all users and enable MFA.
D. Configure Microsoft Defender for Cloud Apps to require MFA and detect risky sign-ins.
Answer: B

This combination meets all requirements.

Why this answer

Option B is correct because the Conditional Access policy enforces MFA, Identity Protection detects and blocks risky sign-ins, and the Identity Protection dashboard shows user risk levels. Option A is incorrect because Microsoft Sentinel is a SIEM, not an identity protection service. Option C is incorrect because Privileged Identity Management manages privileged role assignments, not sign-in risk. Option D is incorrect because Microsoft Defender for Cloud Apps is for cloud app security, not identity risk.

Question 4 (MCQ, easy)

A security administrator is explaining authentication and authorization to new IT staff. Which statement correctly describes the difference between these two processes?

A. Authentication verifies what a user can do; authorization verifies who the user is.
B. Authentication verifies who the user is; authorization verifies what the user can do.
C. Both authentication and authorization verify the user's identity.
D. Authorization is always performed before authentication.
Answer: B

Authentication confirms the user's identity (e.g., password, biometric). Authorization determines what resources and actions the user is allowed to access.

Why this answer

Authentication is the process of verifying the identity of a user, device, or other entity, typically through credentials like a password, biometric, or certificate. Authorization determines what an authenticated entity is permitted to do, such as accessing specific resources or performing certain actions, often enforced via access control lists (ACLs) or role-based access control (RBAC). In Microsoft Entra ID, authentication occurs first (e.g., via OAuth 2.0 or SAML), and then authorization is evaluated using claims or directory roles.

Exam trap

The trap here is confusing the sequence and purpose of authentication versus authorization, leading candidates to reverse the definitions or assume authorization can occur without prior authentication.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: authentication verifies identity, not permissions, and authorization verifies permissions, not identity. Option C is wrong because authorization does not verify the user's identity; it only determines access rights after identity has been established. Option D is wrong because authentication must always be performed before authorization; you cannot authorize an unknown entity.

Question 5 (MCQ, easy)

A company operates an e-commerce website that must remain accessible during high-traffic holiday seasons. The IT team deploys additional web servers and implements automatic failover to a secondary data center if the primary site goes down. Which security principle is the company primarily addressing?

A. Confidentiality
B. Integrity
C. Availability
D. Authorization
Answer: C

Availability ensures that systems and data are accessible to authorized users when needed. The described measures (additional servers, failover) directly support high availability.

Why this answer

The company is ensuring that the e-commerce website remains operational even during high-traffic periods or after a primary site failure. Deploying additional web servers and implementing automatic failover to a secondary data center directly supports the availability principle, which ensures that systems and data are accessible when needed. This is a core tenet of the CIA triad, and in this scenario, the focus is on uptime and resilience, not on protecting data from unauthorized access or modification.

Exam trap

The trap here is that candidates often confuse availability with authorization, mistakenly thinking that controlling who can access the site (authorization) is the same as ensuring the site is up and running (availability).

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., encryption, access controls), not on maintaining system uptime or failover. Option B is wrong because integrity ensures data is not tampered with or altered in an unauthorized manner (e.g., hashing, checksums), which is unrelated to deploying redundant servers or automatic failover. Option D is wrong because authorization determines what authenticated users are allowed to do (e.g., role-based access control), not the operational continuity of the infrastructure.

Question 6 (MCQ, easy)

A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?

A. Defense in depth
B. Least privilege
C. Zero Trust
D. Separation of duties
Answer: A

Defense in depth uses multiple overlapping layers of security controls to provide redundancy.

Why this answer

Defense in depth is the correct answer because it explicitly describes a layered security strategy where multiple independent controls (firewalls, antivirus, MFA) are deployed so that if one layer is bypassed or fails, subsequent layers still provide protection. This principle is foundational to modern security architecture and directly matches the scenario of using diverse controls to prevent a single point of failure.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense in depth because both involve multiple controls, but Zero Trust is specifically about verifying every access request regardless of origin, whereas defense in depth is about layering independent controls to provide redundancy and depth.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their tasks, not on layering multiple controls. Option C (Zero Trust) is wrong because, while it incorporates multiple verification points, its core principle is 'never trust, always verify' and assumes no implicit trust based on network location, rather than simply layering controls for redundancy. Option D (Separation of duties) is wrong because it divides critical tasks among multiple people to prevent fraud or error, not to provide overlapping security layers.

Question 7 (MCQ, hard)

You run the above KQL query in Microsoft Sentinel. What is the purpose of this query?

A. To detect potential brute-force attacks against a specific user account
B. To find all users who signed in from multiple IP addresses
C. To identify sign-ins that failed multi-factor authentication
D. To list all IP addresses that accessed the tenant
Answer: A

A high number of sign-ins from a single IP suggests a brute-force attempt.

Why this answer

Option A is correct because the query counts sign-ins per IP address for a specific user in the last day and filters for IPs with more than 10 sign-ins, which could indicate a brute-force attempt. Option B is wrong because that purpose would require grouping by user, not by IP address. Option C is wrong because the query does not check for MFA failures. Option D is wrong because the query focuses on a single user, not on all users in the tenant.

Question 8 (MCQ, easy)

A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?

A. Defense in depth
B. Least privilege
C. Separation of duties
D. Zero Trust
Answer: B

Least privilege is the practice of granting only the minimum necessary permissions required for a user or system to perform a function, directly matching the administrator's action.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their specific job functions and no more. By configuring accounts with minimal access rights, the administrator directly applies this concept to reduce the attack surface and limit potential damage from compromised credentials.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'separation of duties' because both involve limiting access, but separation of duties focuses on splitting tasks across multiple people to prevent collusion, not on minimizing individual permissions.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle for assigning user permissions. Option C is wrong because separation of duties divides critical tasks among multiple users to prevent fraud (e.g., one person requests access, another approves), not limiting permissions per user. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not a specific permission-assignment principle.

Question 9 (MCQ, easy)

Which of the following is a primary purpose of Microsoft Entra ID Identity Protection?

A. Detect and remediate identity risks
B. Manage privileged roles
C. Classify and protect sensitive data
D. Manage device compliance policies
Answer: A

Identity Protection uses signals to detect risky sign-ins and users.

Why this answer

Option A is correct because Identity Protection detects and remediates identity-based risks. Option B is wrong because privileged role management is the job of Privileged Identity Management (PIM). Option C is wrong because data classification and protection is handled by Microsoft Purview. Option D is wrong because device compliance policies are managed with Intune.

Question 10 (MCQ, hard)

A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?

A. Dynamic groups
B. Administrative Units
C. Conditional Access policies
D. Privileged Identity Management (PIM)
Answer: B

Administrative Units enable scoped administration by defining a subset of users or devices, allowing delegated access to resources within that scope only.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions over a subset of users, groups, or devices without granting broader tenant-wide access. By creating an AU for the Finance department and assigning the Helpdesk Administrator role scoped to that AU, the help desk team can reset passwords only for Finance users, matching the on-premises OU structure.

Exam trap

The trap here is confusing delegation of administrative scope (Administrative Units) with membership automation (Dynamic groups) or access control (Conditional Access), leading candidates to pick a feature that manages users rather than one that limits administrative permissions.

How to eliminate wrong answers

Option A is wrong because Dynamic groups are used for automatic membership based on user attributes (e.g., department), not for delegating administrative permissions or scoping role assignments. Option C is wrong because Conditional Access policies control access to resources based on conditions like location or device state, not for delegating password reset capabilities. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not by itself create a scoped administrative boundary; it requires an Administrative Unit or other scope to limit the role's effective permissions.

Question 11 (MCQ, hard)

A company uses Microsoft Defender for Endpoint. An alert indicates that a device is communicating with a known malicious IP address. The security team wants to automatically block the IP address on all devices. Which action should they configure?

A. Custom detection rule
B. Automated investigation
C. Indicator of compromise (IoC)
D. Threat analytics report
Answer: C

IoC allows blocking IP addresses, domains, or URLs across devices.

Why this answer

Option C is correct because an indicator of compromise (IoC) in Defender for Endpoint can be used to block IP addresses, domains, or URLs across onboarded devices. Option A is wrong because a custom detection rule is for query-based detections, not for blocking. Option B is wrong because an automated investigation can resolve alerts but does not block IPs. Option D is wrong because a threat analytics report provides threat intelligence but does not take action.

Question 12 (Multi-Select, easy)

A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?

Select 2 answers
A. Authentication and authorization
B. Confidentiality and integrity
C. Identification and non-repudiation
D. Availability and accountability
Answers: A, B

Correct. The fingerprint scan authenticates the user, and the role check authorizes access to the database.

Why this answer

The fingerprint scan is a form of authentication, verifying the user's identity through a biometric factor. The subsequent check of the user's group membership ('Data Analyst') to grant access to the database is authorization, determining what resources the authenticated user can access. This scenario directly maps to the identity and access management (IAM) concepts of authentication (proving who you are) and authorization (what you are allowed to do).

Exam trap

The trap here is that candidates confuse 'identification' (claiming an identity, e.g., typing a username) with 'authentication' (proving that identity, e.g., fingerprint), and they may incorrectly select Option C because they see the fingerprint as identification rather than a proof factor.

Question 13 (MCQ, medium)

A multinational company stores customer data across multiple Azure regions. A new regulation requires that customer data must remain within the country's borders and cannot be transferred abroad. Which concept does this regulation primarily relate to?

A. Data Sovereignty
B. Data Residency
C. Data Retention
D. Data Classification
Answer: A

Correct. Data sovereignty ensures data is subject to the legal and regulatory requirements of the country where it resides, directly addressing the transfer restriction.

Why this answer

Data Sovereignty is the correct answer because the regulation mandates that customer data must remain within the country's borders and cannot be transferred abroad. This legal and compliance concept asserts that data is subject to the laws and governance structures of the nation where it is physically stored, directly addressing cross-border transfer restrictions.

Exam trap

The trap here is that candidates often confuse Data Sovereignty (legal/jurisdictional control) with Data Residency (physical storage location), but the regulation's explicit focus on 'cannot be transferred abroad' makes sovereignty the correct concept.

How to eliminate wrong answers

Option B (Data Residency) is wrong because it refers to the physical or geographic location where data is stored, not the legal requirement that data must stay within a specific country's jurisdiction. Option C (Data Retention) is wrong because it concerns policies for how long data is kept, not where it can be stored or transferred. Option D (Data Classification) is wrong because it involves categorizing data by sensitivity or criticality, not the legal or geographic constraints on data movement.

Question 14 (MCQ, easy)

A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?

A. Defense in depth
B. Zero Trust
C. Shared responsibility
D. Least privilege
Answer: B

Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, even from inside the network.

Why this answer

The Zero Trust security principle is based on the assumption that an attacker may already be inside the network, so no user or device is automatically trusted, regardless of location. This model requires continuous verification for every access request, enforcing strict identity verification and least-privilege access controls at each step. The scenario directly describes the core tenet of Zero Trust: 'never trust, always verify.'

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth because both involve multiple security layers, but Zero Trust specifically requires continuous verification and assumes breach, whereas defense in depth does not mandate per-request trust evaluation.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS/IPS, antivirus) to protect assets, but it does not inherently assume a breach or require continuous verification for every access request. Option C is wrong because shared responsibility is a cloud security model that delineates security obligations between the provider and customer, not a principle for internal network access decisions. Option D is wrong because least privilege restricts user permissions to the minimum necessary, but it does not address the continuous verification or the assumption of an active breach inside the network.

Question 15 (Matching, medium)

Match each Microsoft security feature to its primary purpose.


Concepts
Matches

Detect and remediate identity-based risks

Discover and control cloud app usage

Classify and protect sensitive data

Protect devices from threats

Shadow IT discovery and threat protection

Why these pairings

These are core Microsoft 365 security features for identity, data, and endpoint protection.

Question 16 (MCQ, medium)

A security architect is designing a Zero Trust strategy. Which principle ensures that network location alone does not grant trust, and all access requests must be verified?

A. Verify explicitly
B. Least privilege
C. Assume breach
D. Segregation of duties
Answer: A

Correct. Verify Explicitly is the Zero Trust principle that requires continuous verification of every access request regardless of network location. It ensures that no implicit trust is granted based on being inside the corporate network.

Why this answer

The 'Verify explicitly' principle is the core of Zero Trust, stating that every access request must be authenticated and authorized based on all available data points—including user identity, device health, location, and data sensitivity—regardless of network location. This ensures that being on a corporate network does not automatically grant trust, as all requests are verified in real time.

Exam trap

The trap here is that candidates often confuse 'Least privilege' with 'Verify explicitly' because both involve access control, but 'Least privilege' is about limiting permissions after trust is established, not about verifying trust based on network location.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting access rights to the minimum necessary for a user to perform their job, not on verifying every request regardless of network location. Option C (Assume breach) is wrong because it is a design mindset that assumes an attacker is already present, guiding segmentation and monitoring, but it does not directly address the verification of access requests based on network location. Option D (Segregation of duties) is wrong because it is a compliance and risk management principle that prevents conflicts of interest by dividing responsibilities among multiple people, not a Zero Trust verification principle.

Question 17 (Matching, medium)

Match each Microsoft 365 compliance feature to its function.


Concepts
Matches

Prevent accidental sharing of sensitive info

Record user and admin activity

Keep or delete data for a specified time

Classify and protect content

Track compliance posture and recommendations

Why these pairings

These features help organizations manage compliance in Microsoft 365.

Question 18 (MCQ, easy)

A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?

A. Authentication
B. Authorization
C. Accounting
D. Non-repudiation
Answer: B

Authorization determines what a user can access based on permissions and group membership, which is exactly why the user was denied access.

Why this answer

The access denial occurs because the user lacks the necessary permissions to open the financial report, even though their identity was verified. This is the core function of authorization, which determines what resources an authenticated user can access. In this scenario, the user is authenticated but not authorized to access the report due to missing group membership.

Exam trap

The trap here is confusing authentication (verifying identity) with authorization (granting permissions), leading candidates to select 'Authentication' because they focus on the successful login rather than the subsequent access denial.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (username and password), which already succeeded before the access denial. Option C is wrong because accounting (auditing) tracks user activities and resource usage for logging and compliance, not access control decisions. Option D is wrong because non-repudiation ensures a user cannot deny an action, typically achieved through digital signatures or audit logs, and is unrelated to permission checks.

Question 19 (MCQ, easy)

A company uses a hashing algorithm to verify that a downloaded software file has not been tampered with during transmission. This practice primarily protects which security principle?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data is accurate and unaltered. Hashing verifies that the file has not been modified.

Why this answer

Hashing algorithms, such as SHA-256, produce a fixed-size hash value that acts as a digital fingerprint of the file. By comparing the hash of the downloaded file with the hash provided by the publisher, any change to the file—even a single bit—results in a completely different hash, immediately detecting tampering. This directly protects the integrity of the data by ensuring it has not been altered during transmission.

Exam trap

The trap here is that candidates often confuse hashing with encryption and select 'Confidentiality' (Option A), not realizing that hashing is a one-way function that detects changes but does not hide the data.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES, TLS), not hashing. Option C is wrong because availability ensures systems and data are accessible when needed, which is protected by redundancy, backups, and DDoS mitigation, not by verifying file integrity. Option D is wrong because non-repudiation provides proof of origin or delivery, often using digital signatures (e.g., RSA, ECDSA) that combine hashing with asymmetric encryption, whereas hashing alone cannot prove who created the hash.

Question 20 (MCQ, easy)

A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: C

Availability ensures systems and data are accessible when needed. Backups and disaster recovery plans directly support availability by enabling recovery from failures.

Why this answer

Automated backups and a disaster recovery plan directly support the Availability principle of the CIA triad by ensuring that critical databases can be restored and operations resumed quickly after a system failure. Availability guarantees that systems and data are accessible to authorized users when needed, and these measures minimize downtime and data loss.

Exam trap

The trap here is that candidates confuse 'backups and disaster recovery' with 'data protection' broadly, incorrectly selecting Confidentiality or Integrity, when the primary goal is to restore access and uptime, which is the essence of Availability.

How to eliminate wrong answers

Option A is wrong because Confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on restoring data after failure. Option B is wrong because Integrity ensures data is not tampered with or altered (e.g., via hashing or checksums), whereas backups and DR do not inherently protect against unauthorized modifications. Option D is wrong because Non-repudiation provides proof of actions or transactions (e.g., through digital signatures or audit logs), not the ability to recover from system failures.

Question 21 (MCQ, hard)

A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to emails containing credit card numbers. Which policy should they configure?

A. Auto-labeling policy
B. Retention policy
C. Sensitivity label policy
D. Data loss prevention (DLP) policy
Answer: A

Auto-labeling policies apply labels automatically based on sensitive information types.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive information types such as credit card numbers. Option B is incorrect because retention policies manage how long data is kept, not labeling. Option C is incorrect because sensitivity label policies publish labels to users for manual assignment. Option D is incorrect because DLP policies enforce actions on sensitive content but do not apply sensitivity labels automatically.

Question 22 (MCQ, hard)

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large volumes of data from a sanctioned cloud app that exceeds the normal pattern. Which action should you take to automatically block this activity?

A. Create a session policy to monitor and control downloads
B. Configure a cloud discovery policy
C. Create a Microsoft Purview DLP policy
D. Block the app in Defender for Cloud Apps
Answer: A

Session policies can block downloads based on activity policy.

Why this answer

Option A is correct because a session policy can monitor user activity in real time and block downloads that exceed a threshold. Option B is wrong because cloud discovery identifies shadow IT; it does not block activity. Option C is wrong because Purview DLP policies act on data classification, not on download volume. Option D is wrong because blocking the entire sanctioned app is far more restrictive than the requirement.

23
MCQmedium

An organization wants to ensure that its security team can quickly identify and respond to threats across all workloads, including identities, endpoints, email, and cloud apps. Which Microsoft security solution provides a unified incident management experience?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft Defender XDR
D.Microsoft Defender for Identity
AnswerC

Defender XDR unifies incidents from identities, endpoints, email, and cloud apps.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) provides a unified incident management experience across identities, endpoints, email, and cloud apps. Option A is wrong because Microsoft Sentinel is a SIEM that can ingest data from multiple sources but is not the native XDR solution. Option B is wrong because Microsoft Defender for Cloud protects cloud workloads, not all workloads.

Option D is wrong because Microsoft Defender for Identity focuses on identity threats only.

24
MCQmedium

You work for a healthcare organization that uses Microsoft 365 E5 licenses. The organization must comply with HIPAA regulations. You need to ensure that electronic protected health information (ePHI) is classified and protected. Specifically, you want to automatically detect and apply a 'Highly Confidential' sensitivity label to documents containing medical record numbers, and also prevent users from sharing these documents externally via email. You have Microsoft Purview deployed. What should you implement first?

A.Create a DLP policy that blocks external sharing of any document with a custom keyword.
B.Create an auto-labeling policy that applies a sensitivity label to documents with medical record numbers.
C.Create a DLP policy that detects medical record numbers and blocks external sharing.
D.Create a sensitive information type for medical record numbers, then an auto-labeling policy to apply a sensitivity label, and finally a DLP policy to block external sharing of labeled documents.
AnswerD

This complete approach ensures classification and protection.

Why this answer

Option D is correct because you need to create a sensitive information type for medical record numbers, then use auto-labeling to apply the label, and finally a DLP policy to block external sharing. Option A is incorrect because without the sensitivity label, DLP cannot reference it. Option C is incorrect because DLP alone cannot apply labels.

Option B is incorrect because auto-labeling alone does not block sharing.

25
Multi-Selectmedium

An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)

Select 2 answers
A.Physical security of the datacenters
B.Network controls at the hypervisor layer
C.Patching the guest operating system on the VM
D.Configuring network security group (NSG) firewall rules
AnswersA, B

Correct. Microsoft is responsible for the physical security of its datacenters, including perimeter fencing, guards, biometric access, and environmental controls like cooling and power.

Why this answer

In the shared responsibility model for IaaS, Microsoft retains responsibility for the physical security of its datacenters, including access controls, surveillance, and environmental protections. Additionally, Microsoft manages security at the hypervisor layer, which includes network controls that isolate virtual machines from each other and from the underlying host. These responsibilities are inherent to the infrastructure provider and cannot be delegated to the customer.

Exam trap

The trap here is that candidates often confuse patching responsibilities, assuming Microsoft patches the guest OS in IaaS, or mistakenly think NSG configuration is a Microsoft responsibility because it is a built-in Azure feature.

26
Multi-Selecthard

Which THREE are capabilities of Microsoft Defender XDR?

Select 3 answers
A.Device compliance policy management
B.Automated investigation and remediation
C.Incident management across email, endpoints, and identities
D.Cross-domain threat hunting
E.Data classification and labeling
AnswersB, C, D

Defender XDR can automatically investigate and remediate threats.

Why this answer

Options B, C, and D are correct. Microsoft Defender XDR includes automated investigation and remediation, incident management across email, endpoints, and identities, and cross-domain threat hunting. Option E is a capability of Microsoft Purview, not Defender XDR.

Option A is a capability of Microsoft Intune.

27
Multi-Selecteasy

An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)

Select 2 answers
A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswersA, B

Step 1 verifies the user's identity via credentials, which is authentication.

Why this answer

Step 1 (username and password) is authentication, which verifies the identity of the user by validating credentials against an identity provider such as Azure AD or on-premises Active Directory. This confirms who the user is before any access decisions are made.

Exam trap

The trap here is that candidates often confuse authentication (identity verification) with authorization (permission enforcement), especially when both steps involve checking user identity or rights, but the question clearly separates the two distinct actions.

28
MCQhard

A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?

A.Federation
B.Provisioning
C.Synchronization
D.Directory extension
AnswerA

Correct. Federation enables organizations to trust identities from another identity provider or on-premises system, allowing SSO across different platforms using standards like SAML.

Why this answer

Federation is the correct answer because it establishes a trust relationship between the on-premises Active Directory and the external identity provider (IdP) using SAML 2.0, enabling users to authenticate once and gain access to both Microsoft 365 and the third-party SaaS application without re-entering credentials. This relies on the IdP issuing SAML assertions that are trusted by the relying parties (Microsoft 365 and the SaaS app), which is the core mechanism of federated identity.

Exam trap

The trap here is that candidates often confuse synchronization (e.g., Azure AD Connect) with federation, thinking that syncing user accounts alone enables SSO, but synchronization only copies identities without establishing the SAML trust required for federated authentication.

How to eliminate wrong answers

Option B (Provisioning) is wrong because provisioning refers to the automated creation, management, and deletion of user accounts and attributes in target systems (e.g., Microsoft 365), not to the authentication trust that enables SSO. Option C (Synchronization) is wrong because synchronization (e.g., Azure AD Connect) copies user objects and hashes from on-premises AD to Azure AD, but it does not establish a SAML-based trust with an external IdP for SSO; it is a prerequisite for some federation scenarios but not the primary concept. Option D (Directory extension) is wrong because directory extension involves adding custom attributes to the directory schema (e.g., via Microsoft Graph or Azure AD schema extensions), which is unrelated to authentication or SSO protocols like SAML.

29
MCQeasy

A company uses Azure SQL Database, which is a Platform as a Service (PaaS) offering. The security team is reviewing the shared responsibility model and wants to know who is responsible for applying operating system patches to the underlying infrastructure that hosts the database. Who is responsible for this task?

A.The customer is responsible for patching the OS on virtual machines but not for PaaS; however, the customer must patch the OS for Azure SQL Database.
B.Microsoft is responsible for managing and patching the operating system of the underlying infrastructure for PaaS services.
C.Both the customer and Microsoft share equal responsibility for patching the OS in a PaaS model.
D.The cloud service provider partner (e.g., a managed service provider) is responsible for OS patches in PaaS.
AnswerB

This is correct. With PaaS, Microsoft handles the underlying OS, including security patches, while the customer focuses on data and application security.

Why this answer

Azure SQL Database is a Platform as a Service (PaaS) offering where Microsoft manages the underlying infrastructure, including the operating system. In the shared responsibility model for PaaS, Microsoft is responsible for applying OS patches to the host servers, while the customer manages the database configuration and data. Therefore, option B correctly identifies Microsoft as responsible for OS patching in this context.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for PaaS with IaaS, mistakenly believing that because Azure SQL Database runs on VMs, the customer must patch the OS, when in fact Microsoft abstracts and manages the entire host OS layer in PaaS.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that the customer must patch the OS for Azure SQL Database; in PaaS, Microsoft handles all infrastructure patching, and the customer has no access to the underlying OS. Option C is wrong because it claims equal shared responsibility for OS patching in PaaS, but the model assigns full responsibility to Microsoft for the host OS, with the customer responsible only for data and access management. Option D is wrong because it introduces a third-party partner as responsible, but in Azure PaaS, Microsoft directly manages the infrastructure, and no external partner is involved unless explicitly contracted for additional services.

30
Multi-Selecthard

Which TWO of the following are features of Microsoft Purview Audit?

Select 2 answers
A.Manages sensitivity labels for documents
B.Provides real-time threat detection
C.Automatically blocks malicious activities
D.Records user and admin activities in the unified audit log
E.Allows searching and investigating audit log entries
AnswersD, E

Audit logs all user and admin actions.

Why this answer

Microsoft Purview Audit provides detailed logging of user and admin activities, and allows searching the audit log for security investigations. It does not automatically block malicious activities (that's DLP or Defender), and it does not manage sensitivity labels (that's Information Protection). It does not provide real-time threat detection (that's Sentinel or Defender).

31
MCQeasy

A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?

A.Least privilege
B.Role-Based Access Control (RBAC)
C.Defense in depth
D.Zero Trust
AnswerB

RBAC assigns permissions to users based on their defined roles or job functions. This matches the scenario where permissions are determined by job title.

Why this answer

Role-Based Access Control (RBAC) is the correct concept because it assigns permissions to users based on their job title or role within the organization. In this scenario, the Sales Manager role is granted edit permissions, while the Sales User role is restricted to read-only, which is a direct implementation of RBAC where access rights are tied to roles rather than individual users.

Exam trap

The trap here is that candidates often confuse least privilege with RBAC, thinking that assigning minimal permissions per role is the same as the principle of least privilege, but RBAC is specifically about organizing permissions by role, while least privilege is a broader security goal that can be achieved through RBAC or other methods.

How to eliminate wrong answers

Option A is wrong because least privilege is a security principle that grants users only the minimum permissions necessary to perform their job, but it does not inherently tie permissions to job titles; it focuses on limiting access rather than organizing permissions by role. Option C is wrong because defense in depth is a layered security strategy that uses multiple controls (e.g., firewalls, encryption, antivirus) to protect resources, not a method for assigning permissions based on job titles. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification for every access request, but it does not define how permissions are assigned based on job titles; it is a broader framework, not a specific access control mechanism.

32
MCQmedium

An organization uses Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers stored in SharePoint Online. Which Microsoft Purview solution should they implement?

A.Microsoft Purview Audit
B.Microsoft Purview Data Loss Prevention
C.Microsoft Purview Information Protection
D.Microsoft Purview Data Lifecycle Management
AnswerB

DLP policies can detect credit card numbers using built-in sensitive info types and take protective actions.

Why this answer

Data Loss Prevention (DLP) policies can identify sensitive data like credit card numbers and apply protection actions such as blocking access. Information Protection (sensitivity labels) classifies data but does not automatically detect and protect specific patterns like credit card numbers without DLP integration.

33
Multi-Selecteasy

An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?

Select 2 answers
A.Availability and integrity
B.Confidentiality and integrity
C.Confidentiality and availability
D.Privacy and accountability
AnswersB, C

Correct. Encryption ensures confidentiality by preventing unauthorized reading. Role-based access control ensures integrity by preventing unauthorized modifications.

Why this answer

Encryption at rest and in transit directly protects the confidentiality of sensitive customer data by preventing unauthorized access. Role-based access control (RBAC) ensures that only authorized users can modify the data, which upholds integrity by preventing unauthorized or accidental changes. Together, these actions primarily uphold the security principles of confidentiality and integrity.

Exam trap

The trap here is that candidates often confuse 'availability' with 'integrity' because both involve data protection, but encryption and RBAC do not guarantee system uptime or redundancy, which are required for availability.

34
Multi-Selecteasy

A company is implementing data classification in Microsoft Purview. Which THREE of the following are types of sensitive information that can be detected using built-in sensitive information types?

Select 3 answers
A.Passport numbers
B.Social security numbers
C.Credit card numbers
D.Favorite color
E.Project codenames
AnswersA, B, C

Passport numbers, social security numbers, and credit card numbers are all built-in sensitive information types.

Why this answer

Options A, B, and C are correct. Built-in sensitive information types include passport numbers (A), social security numbers (B), and credit card numbers (C). Option D is incorrect because favorite color is not a built-in type.

Option E is incorrect because project codenames are not predefined types.

35
Multi-Selecthard

A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)

Select 3 answers
A.Verify explicitly
B.Least privilege access
C.Assume breach
D.Network segmentation
AnswersA, B, C

Correct. This principle states that every access request must be fully authenticated, authorized, and encrypted before granting access.

Why this answer

Option A is correct because the 'Verify explicitly' principle of Zero Trust requires that every access request must be fully authenticated, authorized, and encrypted before granting access. This means using strong authentication mechanisms (e.g., multifactor authentication) and continuous validation of identity and device health, not just relying on network location or implicit trust.

Exam trap

The trap here is that candidates confuse 'Network segmentation' as a Zero Trust principle when it is actually a supporting control, not one of the three core pillars (Verify explicitly, Least privilege access, Assume breach) that Microsoft emphasizes in the SC-900 exam.

36
MCQeasy

A hospital encrypts patient data stored in a database using AES-256 encryption. If an attacker manages to copy the database file, they cannot read the protected information. Which security goal is primarily achieved by this encryption measure?

A.Confidentiality
B.Integrity
C.Availability
D.Auditability
AnswerA

Confidentiality ensures that sensitive data is not disclosed to unauthorized entities. Encryption transforms data into an unreadable format without the decryption key, thus protecting its confidentiality even if the physical storage is compromised.

Why this answer

AES-256 encryption ensures that even if an attacker gains unauthorized access to the database file, the data remains unreadable without the decryption key. This directly protects the secrecy of the patient data, which is the definition of confidentiality. In the context of the SC-900, encryption at rest is a primary mechanism for achieving confidentiality of stored data.

Exam trap

Microsoft often tests the distinction between confidentiality and integrity, where candidates mistakenly think encryption also verifies that data hasn't been changed, but encryption alone provides no tamper detection—that requires a separate integrity mechanism like HMAC or digital signatures.

How to eliminate wrong answers

Option B is wrong because integrity ensures data has not been tampered with or altered, typically verified through hashing or digital signatures, not encryption. Option C is wrong because availability ensures that data and systems are accessible when needed, which encryption does not directly address (in fact, losing the key can harm availability). Option D is wrong because auditability refers to the ability to track and log access or changes to data, which encryption alone does not provide; audit logs are a separate control.

37
MCQeasy

A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data has not been altered. Hashing provides a fingerprint of the original data; any modification changes the hash, thus verifying integrity.

Why this answer

Cryptographic hashing (e.g., SHA-256) produces a fixed-size digest from the file's contents. By comparing the computed hash with the publisher's published hash, any change to the file—even a single bit—yields a completely different digest, proving the file has not been tampered with. This directly protects the integrity of the data, ensuring it remains unaltered during transit.

Exam trap

The trap here is that candidates confuse 'hashing' with 'encryption' and incorrectly select Confidentiality, or they see 'verification of origin' and jump to Non-repudiation, forgetting that a bare hash only detects modification, not identity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not hashing; hashing does not hide the file's contents. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or DDoS protection, which hashing does not address. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures), whereas a simple hash alone cannot prove who created or sent the file—it only detects modification.

38
MCQeasy

A security analyst downloads a software installer from a vendor's website. To ensure the file has not been tampered with during transmission, the analyst compares the SHA-256 hash of the downloaded file against the hash published on the vendor's official site. This practice primarily validates which security goal?

A.Confidentiality
B.Integrity
C.Availability
D.Authentication
AnswerB

Integrity ensures data has not been altered by unauthorized parties. Comparing hashes validates integrity.

Why this answer

Comparing the SHA-256 hash of the downloaded installer against the vendor's published hash verifies that the file has not been altered during transmission. This directly validates integrity, which ensures data remains unchanged from its original source. Hashing is a one-way cryptographic function; any change in the file, even a single bit, produces a completely different hash value, making tampering detectable.

Exam trap

The trap here is that candidates confuse integrity with authentication, thinking that verifying a hash proves the file came from the vendor, but hashing alone does not authenticate the source—it only confirms the file has not changed since the hash was computed.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., TLS), not through hash verification. Option C is wrong because availability ensures that systems and data are accessible when needed, often addressed by redundancy and disaster recovery, not by file integrity checks. Option D is wrong because authentication verifies the identity of a user or system (e.g., via certificates or passwords), whereas hash comparison confirms data integrity, not the identity of the source.
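The hash-based download check described in questions 37 and 38, together with the point the exam traps make in questions 36, 37 and 43 that a bare hash detects modification but says nothing about origin, as an added Python example that is not part of this question bank; the installer bytes, the "published" digest and the shared key are all constructed for the example.

```python
"""Added example (not from the question bank): SHA-256 verification of a
downloaded file, and why a bare hash is not a keyed MAC. Stdlib only."""
import hashlib
import hmac

# Constructed sample "installer" and the digest a vendor would publish for it.
# In practice the published digest is copied from the vendor's official page.
INSTALLER = b"MZ\x90\x00example-installer-payload-v1.2.3\n"
PUBLISHED_SHA256 = hashlib.sha256(INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Integrity check: does the downloaded file match the published digest?
    Whitespace and case are normalised because published hashes are often
    copied by hand; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Copy of data with a single bit flipped, modelling corruption or
    tampering in transit (the question's 'even a single bit' case)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def hamming_distance_hex(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two equal-length hex digests; for
    SHA-256 a one-bit input change flips roughly half of the 256 bits."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


# --- Keyed MAC: what a bare hash does NOT give you -------------------------
# Anyone can recompute SHA-256 over a modified file, so a hash only proves
# "unchanged relative to the digest you compared against". An HMAC under a
# shared secret (the mechanism TLS uses for record integrity, question 43)
# binds the check to a key holder. The key below is constructed for the demo.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def mac_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag over data, hex-encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, tag_hex: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time check of an HMAC-SHA256 tag."""
    return hmac.compare_digest(mac_tag(data, key), tag_hex)


def hash_vs_mac_without_key(data: bytes) -> tuple:
    """Model a party who can recompute SHA-256 but does not hold SHARED_KEY:
    a modified file plus a recomputed hash still 'verifies' (integrity only),
    whereas no valid MAC tag can be produced for it (integrity + origin)."""
    modified = flip_one_bit(data, 4)
    republished_hash = sha256_hex(modified)           # trivially recomputed
    wrong_key_tag = mac_tag(modified, b"wrong-key")    # SHARED_KEY unknown
    return (verify_download(modified, republished_hash),  # True
            verify_mac(modified, wrong_key_tag))          # False


if __name__ == "__main__":
    tampered = flip_one_bit(INSTALLER, 4)
    print("genuine file verifies: ", verify_download(INSTALLER, PUBLISHED_SHA256))
    print("tampered file verifies:", verify_download(tampered, PUBLISHED_SHA256))
    print("digest bits that differ:", hamming_distance_hex(PUBLISHED_SHA256, sha256_hex(tampered)))
    print("(hash check, MAC check) without the key:", hash_vs_mac_without_key(INSTALLER))
```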

39
MCQhard

A Microsoft 365 organization needs to classify and protect sensitive documents based on their content, such as passport numbers. They want the classification to be applied automatically without user intervention. Which Microsoft Purview solution should they use?

A.Unified labeling client
B.Data Loss Prevention (DLP) policies
C.Trainable classifiers
D.Auto-labeling with sensitivity labels
AnswerD

Auto-labeling automatically applies sensitivity labels based on content detection.

Why this answer

Auto-labeling in Microsoft Purview Information Protection uses policy rules to automatically apply sensitivity labels to documents containing sensitive info like passport numbers. Trainable classifiers are used for more complex patterns but require training. Data Loss Prevention (DLP) can detect and protect but does not label documents by default.

Unified labeling is a client-side feature requiring user action.

40
MCQeasy

A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?

A.The customer
B.The cloud provider
C.Both the customer and the cloud provider equally
D.Neither the customer nor the cloud provider
AnswerB

In SaaS, the cloud provider is responsible for physical security, including data center infrastructure, networking, and hardware.

Why this answer

In the shared responsibility model for SaaS, the cloud provider is responsible for the physical security of the data centers, including hardware, network infrastructure, and physical access controls. The customer is responsible for securing their own data, user access, and compliance within the service, but not the underlying physical infrastructure.

Exam trap

The trap here is that candidates often confuse the shared responsibility model for IaaS or PaaS with SaaS, incorrectly assuming the customer has some physical security duties, when in fact for SaaS the provider handles all physical and infrastructure security.

How to eliminate wrong answers

Option A is wrong because the customer does not have physical access to or control over the data center facilities; their responsibility is limited to data, accounts, and access management within the SaaS application. Option C is wrong because physical security is not shared equally; the cloud provider retains sole responsibility for the physical data center, while the customer handles logical security of their own data. Option D is wrong because the cloud provider is explicitly responsible for physical security under the shared responsibility model, so it is not the case that neither party is responsible.

41
MCQhard

A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?

A.Microsoft is responsible because they provide the cloud service and must protect against all threats.
B.The customer is responsible because they control user devices, accounts, and access policies.
C.Both Microsoft and the customer share equal responsibility for all layers of the service.
D.Neither party is responsible because the employee bypassed security controls.
AnswerB

The customer must secure endpoints, enforce strong authentication (e.g., MFA), and control access to protect against credential theft and misuse.

Why this answer

Under the shared responsibility model, the customer is responsible for securing user devices, managing user accounts, and configuring access policies. In this scenario, the keylogging malware on the employee's corporate laptop is a customer-side endpoint security issue, and the attacker used stolen credentials to access Exchange Online. Microsoft is responsible for the security of the cloud infrastructure (e.g., physical data centers, network, and hypervisor), but not for threats originating from compromised customer-managed devices or user accounts.

Exam trap

The trap here is that candidates assume Microsoft is fully responsible for all security in a SaaS model, overlooking that the customer must secure user devices, enforce strong authentication (like MFA), and manage account hygiene.

How to eliminate wrong answers

Option A is wrong because Microsoft is not responsible for protecting against all threats; they secure the cloud infrastructure (e.g., Azure AD, Exchange Online service) but not customer-managed endpoints or user credentials. Option C is wrong because responsibility is not equal for all layers; the customer owns identity and device security, while Microsoft owns the underlying service platform. Option D is wrong because the employee did not bypass security controls; the malware captured credentials without bypassing any policy, and responsibility still lies with the customer to enforce controls like multi-factor authentication (MFA) and endpoint protection.

42
MCQhard

A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?

A.Patching the operating system of the underlying physical and virtual hosts
B.Configuring the firewall rules for the web application
C.Managing user access to the application
D.Encrypting the application data at rest in Azure SQL Database
AnswerA

In PaaS, Microsoft is responsible for maintaining and patching the host OS and infrastructure, freeing the customer from managing these layers.

Why this answer

In a PaaS deployment like Azure App Service, Microsoft is responsible for the security of the underlying cloud infrastructure, including patching the operating system of the physical and virtual hosts that run the platform. This is a core tenet of the shared responsibility model, where the customer manages application-level security (code, authentication, TLS) while Microsoft manages the host OS and hypervisor.

Exam trap

The trap here is that candidates often assume 'data at rest encryption' is entirely Microsoft's responsibility in PaaS, but the shared responsibility model requires customers to manage key rotation, access policies, and compliance for encryption, making it a shared task rather than a sole Microsoft responsibility.

How to eliminate wrong answers

Option B is wrong because configuring firewall rules for the web application (e.g., network security groups or App Service access restrictions) is a customer responsibility, as it involves application-level network controls. Option C is wrong because managing user access to the application (e.g., authentication and authorization) is the customer's responsibility, as it pertains to identity and access management for the application's users. Option D is wrong because encrypting application data at rest in Azure SQL Database is a shared responsibility: Microsoft provides transparent data encryption (TDE) by default, but the customer is responsible for managing encryption keys and ensuring compliance with their own encryption policies.

43
MCQeasy

A company is implementing security controls to protect data during transmission between their on-premises database and a cloud storage service. They decide to use TLS encryption. Which security goal is primarily addressed by ensuring that data is not altered during transit?

A.Availability
B.Integrity
C.Confidentiality
D.Non-repudiation
AnswerB

Correct. Integrity ensures that data has not been altered during transit. TLS includes message authentication codes to verify that the data received is exactly what was sent, preventing unauthorized changes.

Why this answer

TLS encryption provides data integrity through message authentication codes (MACs) that detect any unauthorized modification during transit. The question specifically asks about ensuring data is not altered, which is the definition of integrity, not confidentiality or availability.

Exam trap

The trap here is that candidates often associate encryption solely with confidentiality and forget that TLS also provides integrity via MACs, so they incorrectly choose confidentiality when the question explicitly asks about preventing alteration.

How to eliminate wrong answers

Option A is wrong because availability refers to ensuring systems and data are accessible when needed, not preventing alteration during transmission. Option C is wrong because confidentiality protects data from unauthorized disclosure, not from modification; TLS does provide confidentiality via encryption, but the question specifically asks about preventing alteration. Option D is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures, not through TLS encryption alone.

44
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their social media accounts, such as Google or Facebook. Which feature should you configure?

A.Privileged Identity Management
B.Identity Protection
C.External ID
D.Conditional Access
AnswerC

External ID allows configuration of social identity providers for customer-facing apps.

Why this answer

Option C is correct because Microsoft Entra External ID lets you add social identity providers such as Google and Facebook as sign-in options. Option A is incorrect because Privileged Identity Management governs just-in-time role assignments. Option B is incorrect because Identity Protection detects and remediates identity-based risk.

Option D is incorrect because Conditional Access enforces access policies once a user signs in; it does not add a sign-in method.

45
MCQeasy

A company issues laptops to all employees with BitLocker full-disk encryption enabled. If a laptop is stolen, the data on the hard drive cannot be read without the recovery key. Which security principle does this measure primarily protect?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
AnswerC

Confidentiality ensures that data is not disclosed to unauthorized individuals. BitLocker encryption renders the data unreadable without the proper key, directly protecting confidentiality.

Why this answer

BitLocker full-disk encryption ensures that data on a stolen laptop's hard drive is unreadable without the recovery key, directly protecting against unauthorized access. This aligns with the confidentiality principle, which safeguards sensitive information from disclosure to unauthorized parties.

Exam trap

The trap here is confusing encryption's role in confidentiality with integrity or availability, as candidates may mistakenly think encryption prevents data modification (integrity) or ensures access (availability), but it strictly prevents unauthorized reading.

How to eliminate wrong answers

Option A is wrong because integrity ensures data is not tampered with or altered, which BitLocker does not primarily address; it does not prevent modification of data once decrypted. Option B is wrong because availability ensures systems and data are accessible when needed, but encryption can hinder availability if keys are lost, not protect it. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures), which BitLocker does not provide; it only encrypts data at rest.

46
MCQmedium

You are a compliance officer for a law firm that uses Microsoft 365 E5 licenses. The firm must comply with GDPR. You need to implement a solution that automatically identifies personal data (e.g., email addresses) in SharePoint Online documents and applies a 'GDPR-Protected' sensitivity label. Additionally, you need to ensure that if a user attempts to share a labeled document externally, they receive a policy tip warning about GDPR compliance, but the share is not blocked. You have Microsoft Purview. What should you configure?

A.Create an auto-labeling policy to apply the 'GDPR-Protected' label to documents containing email addresses, and create a DLP policy for labeled documents that shows a policy tip when shared externally.
B.Create a retention policy to tag documents containing email addresses.
C.Create a sensitivity label policy that publishes the 'GDPR-Protected' label to users and train them to apply it manually.
D.Create a DLP policy that detects email addresses and shows a policy tip, but do not apply a label.
AnswerA

Auto-labeling applies the label automatically, and DLP provides the policy tip.

Why this answer

Option A is correct because the auto-labeling policy applies the label without any user action, and a DLP policy scoped to that label can show a policy tip (rather than block) when a labeled document is shared externally. Option D is incorrect because a DLP policy alone cannot apply a sensitivity label. Option C is incorrect because a label policy only publishes the label for manual use, which does not meet the automatic requirement.

Option B is incorrect because a retention policy governs how long content is kept; it neither applies sensitivity labels nor shows DLP policy tips.

47
MCQeasy

A security analyst is explaining the concept of 'Least Privilege' to a new team member. Which statement best describes the principle of least privilege?

A.Users should have only the permissions necessary to perform their job functions.
B.Users should have all permissions disabled by default.
C.Users should be given administrator rights to ensure they can perform any task.
D.Users should share one account with elevated privileges for their team.
AnswerA

This correctly defines least privilege: granting exactly the permissions needed to complete required tasks and nothing more.

Why this answer

Option A is correct because the principle of least privilege dictates that users should be granted only the minimum permissions necessary to complete their job functions. This reduces the attack surface and limits potential damage from accidental or malicious actions. In Microsoft 365 and Azure this is implemented through role-based access control (RBAC) and Microsoft Entra roles, where permissions are scoped to specific resources, administrative units, or tasks rather than granted tenant-wide.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'default deny' (Option B), but least privilege is about granting the minimal necessary permissions after initial access, not disabling all permissions upfront.

How to eliminate wrong answers

Option B is wrong because disabling all permissions by default describes a 'default deny' starting posture, not least privilege; least privilege governs how much access is granted once a user legitimately needs it, and Zero Trust is a broader model that incorporates least privilege rather than a synonym for it. Option C is wrong because granting all users administrator rights violates least privilege by providing excessive permissions, increasing the risk of privilege escalation and security breaches. Option D is wrong because sharing one account with elevated privileges eliminates accountability, breaks non-repudiation, and violates the principle of least privilege by granting more access than any single user needs.

48
MCQeasy

A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Separation of duties
AnswerB

Correct. Least privilege is the security concept of granting users only the permissions they need to do their job, which matches the scenario of restricting access based on job role.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions. In this scenario, the marketing specialist receives read-only access to the customer database and no access to financial records, which directly aligns with limiting permissions to the minimum required. This reduces the attack surface and limits potential damage from accidental or malicious actions.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'separation of duties' because both involve limiting permissions, but separation of duties focuses on splitting critical tasks across multiple users to prevent fraud, whereas least privilege restricts each user to the minimum permissions for their single role.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that uses multiple controls (e.g., firewalls, antivirus, encryption) to protect resources, not a principle for assigning user permissions. Option C is wrong because Zero Trust is a security model that assumes breach and verifies every request explicitly, using concepts like micro-segmentation and continuous authentication, but it does not specifically dictate that permissions should be limited to the minimum required for a job role. Option D is wrong because separation of duties ensures that no single individual has control over all phases of a critical task (e.g., requiring two people to approve a payment), which prevents fraud and errors, but it does not restrict permissions to the minimum needed for a single role.

49
MCQeasy

A security administrator is explaining the Zero Trust model to a new colleague. The administrator states that trust should never be granted based solely on network location, and every access request must be fully authenticated and authorized using all available signals. Which Zero Trust principle does this statement describe?

A.Assume breach
B.Verify explicitly
C.Use least privilege
D.Segment access
AnswerB

'Verify explicitly' requires continuous authentication and authorization for every request using all available signals, and does not grant trust based on network location alone.

Why this answer

The statement that trust should never be granted based solely on network location and that every access request must be fully authenticated and authorized using all available signals directly describes the 'Verify explicitly' principle of the Zero Trust model. This principle mandates that authentication and authorization are performed for every access attempt, regardless of the source (e.g., internal network, VPN, cloud), using all available data points such as user identity, device health, and location.

Exam trap

Microsoft often tests the distinction between 'Verify explicitly' and 'Assume breach' by presenting a scenario that emphasizes authentication and authorization signals, leading candidates to confuse the proactive verification step with the reactive breach containment strategy.

How to eliminate wrong answers

Option A is wrong because 'Assume breach' is a Zero Trust principle that focuses on minimizing the blast radius and segmenting access under the assumption that a breach has already occurred, not on the requirement to authenticate and authorize every request. Option C is wrong because 'Use least privilege' is a principle that limits user access rights to only what is necessary to perform their job, but it does not address the core concept of verifying every access request based on all signals. Option D is wrong because 'Segment access' refers to dividing the network into isolated zones to limit lateral movement, not the explicit verification of each access request using multiple signals.

50
MCQeasy

An organization is moving a virtual machine to Azure Infrastructure as a Service (IaaS). According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A.Physical security of the datacenter
B.Applying security updates to the guest operating system
C.Maintaining the hypervisor
D.Power and cooling infrastructure
AnswerB

The customer is responsible for securing everything inside the VM, including the guest OS. This includes applying security updates and patches.

Why this answer

In an IaaS deployment, the customer retains responsibility for securing the guest operating system, including applying security updates. Microsoft manages the physical infrastructure and hypervisor, while the customer must patch and configure the OS running inside the virtual machine.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly thinking the provider handles all OS-level security, when in fact the customer is responsible for the guest OS in IaaS.

How to eliminate wrong answers

Option A is wrong because physical security of the datacenter is the sole responsibility of the cloud provider (Microsoft) under the shared responsibility model. Option C is wrong because maintaining the hypervisor is a provider-managed task; the customer has no access to the hypervisor layer. Option D is wrong because power and cooling infrastructure are part of the physical environment managed entirely by Microsoft.

51
MCQeasy

An organization wants to classify and label data automatically based on sensitive content patterns such as credit card numbers. Which Microsoft Purview solution should they use?

A.eDiscovery
B.Data Loss Prevention (DLP)
C.Compliance Manager
D.Audit
AnswerB

DLP can automatically classify and label data based on sensitive info types.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) inspects content against sensitive information types such as credit card numbers (a digit pattern that must also pass the Luhn checksum) and is the only option that classifies data by its content. Note that the automatic application of a sensitivity label is performed by an auto-labeling policy in Microsoft Purview Information Protection, which uses the same sensitive information types; DLP then enforces actions on the classified or labeled content. Option C is wrong because Microsoft Purview Compliance Manager is for compliance assessments. Option D is wrong because Microsoft Purview Audit records user and admin activities.

Option A is wrong because Microsoft Purview eDiscovery is for legal discovery and hold.

52
MCQmedium

Refer to the exhibit. You have a Conditional Access policy defined in Microsoft Entra ID. What is the effect of this policy?

A.Requires MFA for all external users accessing any cloud app
B.Requires MFA for guest users only
C.Requires MFA for all users accessing all cloud apps
D.Requires MFA for external users except those with global admin role
AnswerA

The policy targets all external users and all cloud apps with MFA requirement.

Why this answer

Option A is correct because the policy includes all external users and all cloud apps and sets MFA as the grant control. Option B is incorrect because the policy includes all external users, not only guests. Option C is incorrect because the policy is scoped to external users, not to all users.

Option D is incorrect because the policy does not exclude external users who hold specific roles such as Global Administrator.

53
MCQeasy

Which Microsoft security solution provides centralized investigation and response across identities, endpoints, email, and cloud apps by correlating alerts from multiple sources?

A.Microsoft Defender XDR
B.Microsoft Purview
C.Microsoft Sentinel
D.Microsoft Intune
AnswerA

Defender XDR correlates alerts from identities, endpoints, email, and cloud apps.

Why this answer

Option A is correct because Microsoft Defender XDR correlates signals from Defender for Identity, Defender for Endpoint, Defender for Office 365, and Defender for Cloud Apps into unified incidents. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR that ingests data from many sources, including Defender XDR, rather than the built-in XDR itself. Option D is wrong because Microsoft Intune manages endpoints.

Option B is wrong because Microsoft Purview focuses on compliance and data governance.

54
MCQmedium

A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?

A.Physical security of the data centers
B.Patching the guest operating system and applications
C.Ensuring the hypervisor is secured
D.Maintaining the network infrastructure
AnswerB

For IaaS, the customer manages the guest OS and applications, including patching.

Why this answer

In the Microsoft shared responsibility model, the customer is responsible for securing and patching the guest operating system and applications running on an Azure IaaS virtual machine. Microsoft manages the physical infrastructure, hypervisor, and network, while the customer controls the OS, applications, and data.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, assuming Microsoft handles OS patching, but in IaaS the customer retains full control and responsibility for the guest OS and applications.

How to eliminate wrong answers

Option A is wrong because physical security of data centers is the sole responsibility of Microsoft as the cloud provider, not the customer. Option C is wrong because ensuring the hypervisor is secured is Microsoft's responsibility under the shared model, as the hypervisor is part of the virtualization layer managed by Azure. Option D is wrong because maintaining the network infrastructure, including physical switches and routers, is Microsoft's responsibility in IaaS, while the customer only manages virtual networks and configurations.

55
MCQeasy

A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?

A.Integrity
B.Availability
C.Non-repudiation
D.Confidentiality
AnswerD

Confidentiality is the principle of ensuring that data is only accessible to authorized users. Encryption and access controls are core mechanisms used to achieve confidentiality, making this the correct choice.

Why this answer

Confidentiality ensures that sensitive data, such as patient records, is accessible only to authorized individuals. Encryption renders the data unreadable to unauthorized parties, and access restrictions enforce that only authorized medical staff can decrypt and view the records. This directly aligns with the principle of confidentiality, which is a core pillar of the CIA triad.

Exam trap

The trap here is that candidates may confuse confidentiality with integrity, mistakenly thinking that encryption alone also prevents data tampering, but encryption does not inherently protect against unauthorized modification unless combined with integrity checks like hashing or digital signatures.

How to eliminate wrong answers

Option A is wrong because integrity focuses on protecting data from unauthorized modification or corruption, not on restricting access or ensuring secrecy. Option B is wrong because availability ensures that systems and data are accessible when needed by authorized users, but the measures described (encryption and access restrictions) primarily prevent unauthorized access, not downtime or resource unavailability. Option C is wrong because non-repudiation provides proof of the origin or delivery of data (e.g., through digital signatures or audit logs) and cannot be achieved solely by encryption and access controls.
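Q43 and Q55 turn on the same point: encryption hides content but does not by itself detect modification. The Python below is an added illustration, not code from the question bank or from any TLS implementation. It uses a constructed SHA-256-based keystream as a stand-in for a stream or CTR-mode cipher, with fixed demo keys, and shows an in-path bit-flip changing a transfer amount unnoticed under encryption alone, then the identical bit-flip being rejected once each record carries an HMAC tag (encrypt-then-MAC, the TLS 1.2 record pattern; the AEAD tag in TLS 1.3 plays the same role).

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo keys; in TLS both are derived from the handshake secrets.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 of key || nonce || counter).
    Any stream or CTR-mode cipher has the same malleability property."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(plaintext: bytes, nonce: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    ks = keystream(ENC_KEY, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR with the same keystream undoes the encryption


def encrypt_then_mac(plaintext: bytes, nonce: bytes) -> bytes:
    """Confidentiality plus integrity: authenticate the ciphertext with HMAC-SHA256."""
    ct = encrypt_only(plaintext, nonce)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_and_verify(record: bytes, nonce: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not match (TLS would send bad_record_mac)."""
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(ct, nonce)


def bit_flip(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """An attacker in the path rewrites known plaintext bytes to wanted bytes without the key:
    because ct = pt XOR ks, XORing ct with (known XOR wanted) changes pt the same way."""
    out = bytearray(ct)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def demo() -> dict:
    nonce = b"\x00" * 8
    msg = b"TRANSFER AMOUNT=0100 TO=ACCT42"
    offset = msg.index(b"0100")

    # 1. Encryption alone: the amount is rewritten in transit and still decrypts cleanly.
    ct = encrypt_only(msg, nonce)
    accepted = decrypt_only(bit_flip(ct, offset, b"0100", b"9900"), nonce)

    # 2. Encrypt-then-MAC: the identical modification invalidates the tag.
    record = encrypt_then_mac(msg, nonce)
    tampered = bit_flip(record[:-TAG_LEN], offset, b"0100", b"9900") + record[-TAG_LEN:]

    return {
        "ciphertext_hides_content": ct != msg,
        "tampered_plaintext": accepted,
        "mac_accepts_original": decrypt_and_verify(record, nonce) == msg,
        "mac_rejects_tampered": decrypt_and_verify(tampered, nonce) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The first case is why the exam traps in Q43 and Q55 matter in practice: the receiver of the unauthenticated record gets "AMOUNT=9900" with no error, even though the attacker never learned the key. The MAC is computed over the ciphertext and the nonce, so the verifier rejects the record before any decrypted bytes are acted on.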

56
Multi-Selectmedium

Which TWO of the following are components of the Microsoft Security Development Lifecycle (SDL)? (Choose two.)

Select 2 answers
A.Penetration testing
B.Data classification
C.Security training
D.Code signing
E.Threat modeling
AnswersC, E

Security training is the foundational SDL phase that prepares developers, and threat modeling is the design-phase practice that identifies and mitigates threats before code is written.

Why this answer

The SDL includes 'Security training' and 'Threat modeling' as core phases. Penetration testing is a verification-stage activity that Microsoft lists among its SDL practices rather than a phase of its own, so it is the weaker pick here. Code signing is a release and distribution control.

Data classification is a compliance activity, not an SDL phase.

57
MCQeasy

A company is moving its on-premises infrastructure to Azure. The CISO wants to understand the division of security responsibilities between the cloud provider and the customer. Which of the following models defines this division?

A.CIA triad (Confidentiality, Integrity, Availability)
B.Shared Responsibility Model
C.Zero Trust Model
D.Defense-in-Depth
AnswerB

This model clearly outlines which security controls are managed by Microsoft (e.g., physical security of datacenters) and which by the customer (e.g., user access and data classification).

Why this answer

The Shared Responsibility Model defines the division of security responsibilities between the cloud provider (Microsoft) and the customer. Microsoft is responsible for the security of the cloud (physical hosts, network, datacenters), while the customer is responsible for security in the cloud (data, identities, access management, and configurations). This model is foundational for understanding compliance and security ownership in Azure.

Exam trap

Microsoft often tests the distinction between security models (CIA triad, Zero Trust, Defense-in-Depth) and the Shared Responsibility Model, trapping candidates who confuse a security principle or architecture with the specific contractual division of security duties between cloud provider and customer.

How to eliminate wrong answers

Option A is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a security model for designing and evaluating security controls, not a framework for dividing responsibilities between provider and customer. Option C is wrong because the Zero Trust Model is a security architecture that assumes no implicit trust and requires continuous verification of every request, not a model for assigning security duties between cloud provider and customer. Option D is wrong because Defense-in-Depth is a layered security strategy using multiple controls (physical, network, application, data) to protect resources, not a model that defines the split of responsibilities between the cloud provider and the customer.

58
Multi-Selectmedium

Which TWO of the following are components of the Microsoft Entra product family? (Choose two.)

Select 2 answers
A.Microsoft Defender for Identity
B.Microsoft Intune
C.Microsoft Purview
D.Microsoft Entra Permissions Management
E.Microsoft Entra ID
AnswersD, E

Permissions Management is a CIEM offering under Entra.

Why this answer

Options D and E are correct. Microsoft Entra ID is the identity and access management service. Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution.

Option A is wrong because Microsoft Defender for Identity is part of Microsoft Defender XDR. Option B is wrong because Microsoft Intune is an endpoint management service. Option C is wrong because Microsoft Purview is a separate compliance and data governance service.

59
MCQmedium

Your organization uses Microsoft Sentinel as a SIEM. You need to create a rule that triggers an incident when a user account is created in an Azure subscription and then logs in from an unfamiliar location within 24 hours. Which type of rule should you configure?

A.Anomaly detection rule
B.Scheduled query rule
C.Fusion rule
D.Near-real-time (NRT) rule
AnswerB

Scheduled rules can correlate events over time.

Why this answer

Option B is correct because a scheduled query rule runs a KQL query over a lookback period you choose, so it can join the account-creation event with a sign-in by the same account up to 24 hours later. Option A is wrong because anomaly rules use ML models to flag deviations from a baseline rather than a specific event sequence. Option D is wrong because NRT rules run every minute over the preceding minute of data, far too short to correlate two events a day apart.

Option C is wrong because Fusion is a built-in ML correlation engine, not a rule you author for a specific sequence of events.
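Q59's scenario is a two-event correlation with a time constraint, which is what a scheduled query rule expresses in KQL as a join between account-creation and sign-in records inside a lookback you set. The Python below is an added example, not Sentinel code or a query from the page: it runs the same logic over a handful of constructed log records to show both the correlation and why the rule's lookback must cover the whole 24-hour window, which is also why a near-real-time rule with its one-minute lookback cannot do this. Field names and the "familiar countries" set are constructed stand-ins for the real table schemas and named locations.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records standing in for AuditLogs (user creation) and SigninLogs.
AUDIT_LOGS = [
    {"time": "2024-05-01T08:00:00", "operation": "Add user", "target": "jdoe@contoso.com"},
    {"time": "2024-05-01T09:30:00", "operation": "Add user", "target": "asmith@contoso.com"},
    {"time": "2024-04-29T10:00:00", "operation": "Add user", "target": "old@contoso.com"},
    {"time": "2024-05-01T09:45:00", "operation": "Update user", "target": "jdoe@contoso.com"},
]
SIGNIN_LOGS = [
    {"time": "2024-05-01T20:15:00", "user": "jdoe@contoso.com", "country": "BR", "result": "success"},
    {"time": "2024-05-01T20:16:00", "user": "jdoe@contoso.com", "country": "RU", "result": "failure"},
    {"time": "2024-05-01T10:00:00", "user": "asmith@contoso.com", "country": "US", "result": "success"},
    {"time": "2024-05-01T11:00:00", "user": "old@contoso.com", "country": "NG", "result": "success"},
]
FAMILIAR_COUNTRIES = {"US", "GB"}   # stands in for the tenant's named/trusted locations


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(audit: List[Dict], signins: List[Dict],
              window: timedelta = timedelta(hours=24),
              familiar=FAMILIAR_COUNTRIES) -> List[Dict]:
    """Join creation events to successful sign-ins by the same account that occur
    within `window` after creation from an unfamiliar country."""
    created = {e["target"]: ts(e["time"]) for e in audit if e["operation"] == "Add user"}
    hits = []
    for s in signins:
        created_at = created.get(s["user"])
        if created_at is None or s["result"] != "success":
            continue
        gap = ts(s["time"]) - created_at
        if timedelta(0) <= gap <= window and s["country"] not in familiar:
            hits.append({
                "user": s["user"],
                "created": created_at.isoformat(),
                "signin": s["time"],
                "country": s["country"],
                "hours_after_creation": gap.total_seconds() / 3600,
            })
    return hits


def scheduled_rule_run(now: datetime, lookback: timedelta,
                       audit=AUDIT_LOGS, signins=SIGNIN_LOGS) -> List[Dict]:
    """One execution of a scheduled rule: the query only sees data inside [now - lookback, now].
    If the lookback is shorter than the correlation window, the creation event is invisible
    and the pair is never matched."""
    start = now - lookback
    visible_audit = [e for e in audit if start <= ts(e["time"]) <= now]
    visible_signins = [s for s in signins if start <= ts(s["time"]) <= now]
    return correlate(visible_audit, visible_signins)


def demo() -> dict:
    now = ts("2024-05-01T20:20:00")
    return {
        "full_history": [h["user"] for h in correlate(AUDIT_LOGS, SIGNIN_LOGS)],
        "nrt_style_1min": [h["user"] for h in scheduled_rule_run(now, timedelta(minutes=1))],
        "lookback_12h": [h["user"] for h in scheduled_rule_run(now, timedelta(hours=12))],
        "lookback_25h": [h["user"] for h in scheduled_rule_run(now, timedelta(hours=25))],
    }


if __name__ == "__main__":
    for name, users in demo().items():
        print(f"{name}: {users}")
```

Only jdoe is flagged: asmith signed in from a familiar country, old's sign-in is two days after creation, and jdoe's RU attempt failed. The 12-hour run misses the match because the 08:00 creation event falls outside the query period, which is the practical reason the rule's lookback (and the data retention it depends on) must be at least as long as the correlation window.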

60
MCQeasy

A security analyst is explaining the concept of 'defense in depth' to a new team member. Which of the following best describes the defense in depth strategy?

A.Using a single strong firewall to protect all network traffic
B.Implementing multiple layers of security controls to protect assets
C.Relying on user training as the primary security measure
D.Applying encryption only to data at rest
AnswerB

This is correct. Defense in depth involves multiple independent layers such as physical security, network security, host security, and data encryption.

Why this answer

Defense in depth is a cybersecurity strategy that employs multiple layers of security controls across different parts of an IT environment (network, endpoint, application, data) so that if one layer fails, another is already in place to mitigate the threat. This approach is fundamental to Microsoft's security architecture, as seen in products like Microsoft Defender for Cloud, which integrates protections across workloads, and Microsoft Entra ID (formerly Azure Active Directory), which layers Conditional Access policies on top of identity verification. Option B correctly captures this layered, redundant approach rather than reliance on a single point of defense.

Exam trap

The trap here is that candidates treat a single robust perimeter control such as a strong firewall (Option A) as sufficient, failing to recognize that defense in depth explicitly requires multiple independent and overlapping controls so that no single failure exposes the asset.

How to eliminate wrong answers

Option A is wrong because relying on a single strong firewall violates the core principle of defense in depth, which requires multiple independent layers of security; a single firewall creates a single point of failure that, if breached, exposes the entire network. Option C is wrong because user training, while valuable, is a single administrative control and not a layered strategy; defense in depth demands technical controls (e.g., network segmentation, endpoint detection, encryption) in addition to user awareness. Option D is wrong because applying encryption only to data at rest ignores the need to protect data in transit (e.g., via TLS/SSL) and data in use, leaving critical attack surfaces exposed; defense in depth requires encryption across all data states.

61
MCQmedium

A user successfully authenticates to a system using a smart card. After authentication, the system checks whether the user's device is compliant with security policies before granting access to the network. This additional check is an example of which security concept?

A.Authorization
B.Authentication
C.Accounting
D.Non-repudiation
AnswerA

Checking device compliance is a condition that must be met before access is granted; this is part of the authorization process.

Why this answer

Authorization is the correct answer because after the user is authenticated via smart card, the system evaluates whether the user's device meets security compliance policies before granting network access. This decision—allowing or denying access based on conditions—is the core function of authorization, which determines what resources or actions an authenticated identity is permitted to perform.

Exam trap

The trap here is confusing the initial identity verification (authentication) with the subsequent policy-based access decision (authorization), especially when both steps occur sequentially in a single login flow.

How to eliminate wrong answers

Option B (Authentication) is wrong because authentication is the process of verifying identity (e.g., via smart card credentials), not the subsequent check of device compliance. Option C (Accounting) is wrong because accounting tracks and logs user activities and resource usage for auditing or billing, not for enforcing access decisions. Option D (Non-repudiation) is wrong because non-repudiation ensures that a user cannot deny having performed an action, typically via digital signatures or logs, and is unrelated to device compliance checks.

62
MCQhard

You are the security architect for a multinational organization that uses Microsoft 365 E5, Microsoft Entra ID P2, and Microsoft Purview. The company has 10,000 employees across five regions. The legal department requires that all documents containing personally identifiable information (PII) of European Union citizens be automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, any sharing of such documents with external users must be blocked unless the sender explicitly justifies the business need. The solution must minimize manual user intervention. You need to design a Microsoft Purview configuration. What should you do?

A.Use a unified labeling client policy to prompt users to classify documents containing PII
B.Create an auto-labeling policy that detects EU PII sensitive info types, applies the 'Highly Confidential' label with encryption, and configure a conditional access rule to block external sharing without justification
C.Create a trainable classifier for PII and configure a manual labeling policy
D.Configure a DLP policy that blocks all documents containing PII from being shared externally
AnswerB

Auto-labeling applies the label and its encryption without user action; the justification-gated block on external sharing is then layered on top (in practice as a DLP rule that allows override with a business justification, since Conditional Access governs sign-in conditions rather than per-document sharing).

Why this answer

Option B is correct because an auto-labeling policy applies the 'Highly Confidential' label, with its encryption settings, wherever EU PII sensitive information types are detected and requires no user action, and a block-unless-justified control on external sharing can then be layered on top. In practice that override-with-justification behaviour is configured as a DLP policy rule rather than in Conditional Access, which evaluates sign-in conditions, but Option B is the only choice that covers both requirements automatically. Option C is wrong because trainable classifiers need training data and a manual labeling policy still relies on users. Option A is wrong because prompting users to classify documents is exactly the manual intervention the requirement excludes.

Option D is wrong because DLP policies do not apply labels; they only enforce actions, and blocking all external sharing outright ignores the justification requirement.

63
MCQeasy

An organization implements a policy where users must provide two forms of verification, such as a password and a text message code, to access the corporate network. Which security concept does this demonstrate?

A.Authorization
B.Authentication
C.Accounting
D.Multifactor authentication
AnswerD

MFA is the correct term for requiring two or more verification factors to prove identity.

Why this answer

Multifactor authentication (MFA) requires two or more distinct factors (e.g., something you know like a password, and something you have like a text message code) to verify identity. This is correct because the policy explicitly demands two forms of verification, which is the defining characteristic of MFA, not just single-factor authentication.

Exam trap

The trap here is that candidates may confuse 'authentication' (the general process) with 'multifactor authentication' (a specific type), failing to recognize that the question explicitly describes two different verification methods, which is the hallmark of MFA.

How to eliminate wrong answers

Option A is wrong because authorization determines what resources a user can access after authentication, not the process of verifying identity. Option B is wrong because authentication is the broader process of proving identity, but the specific requirement for two forms of verification is MFA, not single-factor authentication. Option C is wrong because accounting (auditing) tracks user activities and resource usage for compliance and billing, not the verification process itself.
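Q49, Q52, Q61 and Q63 all separate proving an identity (authentication, possibly with several factors) from the policy decision that follows (authorization). The Python below is an added illustration of that flow, modelled loosely on how a Conditional Access policy is assembled (assignments of users and apps, then grant controls); it is not Microsoft's code or code from the page, and the signal names, policy list and user records are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Signals gathered for one access attempt (constructed field set)."""
    user: str
    user_type: str                      # "member" or "guest" (external)
    app: str
    factors_verified: Tuple[str, ...]   # e.g. ("smartcard",) or ("password", "sms")
    device_compliant: bool
    source_network: str                 # "corp" or "internet"; recorded but never a grant signal
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Policy:
    """A Conditional-Access-style policy: assignments (who/what) plus grant controls."""
    name: str
    include_user_types: Tuple[str, ...]
    include_apps: Tuple[str, ...] = ("*",)
    exclude_roles: Tuple[str, ...] = ()
    require_mfa: bool = False
    require_compliant_device: bool = False


def is_authenticated(req: AccessRequest) -> bool:
    """Authentication: at least one verified factor proves the identity."""
    return len(req.factors_verified) >= 1


def mfa_satisfied(req: AccessRequest) -> bool:
    """Multifactor authentication: two or more factors. A smart card is treated as
    inherently multifactor (possession of the card plus its PIN)."""
    return len(req.factors_verified) >= 2 or "smartcard" in req.factors_verified


def applies(policy: Policy, req: AccessRequest) -> bool:
    if req.user_type not in policy.include_user_types:
        return False
    if "*" not in policy.include_apps and req.app not in policy.include_apps:
        return False
    if any(role in policy.exclude_roles for role in req.roles):
        return False
    return True


def evaluate(req: AccessRequest, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Verify explicitly: every request is authenticated first, then authorized on all
    available signals. Network location is deliberately not consulted for a grant."""
    if not is_authenticated(req):
        return "deny", ["not authenticated"]
    unmet = []
    for p in policies:
        if not applies(p, req):
            continue
        if p.require_mfa and not mfa_satisfied(req):
            unmet.append(f"{p.name}: MFA required")
        if p.require_compliant_device and not req.device_compliant:
            unmet.append(f"{p.name}: compliant device required")
    if unmet:
        return "block", unmet   # Entra would instead prompt for a satisfiable control such as MFA
    return "grant", ["authenticated and all grant controls satisfied"]


# Constructed policy set: the Q52 policy (MFA for all external users on all cloud apps)
# plus a device-compliance requirement for everyone.
POLICIES = [
    Policy("MFA for external users", include_user_types=("guest",), require_mfa=True),
    Policy("Compliant device", include_user_types=("member", "guest"), require_compliant_device=True),
]


def demo() -> dict:
    return {
        # Q61: smart-card authentication succeeds, authorization then fails on device compliance,
        # and being on the corporate network does not help (Q49, verify explicitly).
        "member_noncompliant_corp": evaluate(
            AccessRequest("alice", "member", "mail", ("smartcard",), False, "corp"), POLICIES),
        "member_compliant": evaluate(
            AccessRequest("alice", "member", "mail", ("password",), True, "internet"), POLICIES),
        # Q52/Q63: an external user must satisfy MFA; members are outside that policy's scope.
        "guest_single_factor": evaluate(
            AccessRequest("bob", "guest", "mail", ("password",), True, "internet"), POLICIES),
        "guest_mfa": evaluate(
            AccessRequest("bob", "guest", "mail", ("password", "sms"), True, "internet"), POLICIES),
        "unauthenticated_on_corp_lan": evaluate(
            AccessRequest("eve", "member", "mail", (), True, "corp"), POLICIES),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The shape to notice is that `is_authenticated` answers "who is this?" while `evaluate` answers "may they have this?": the smart-card user is fully authenticated yet blocked, and the corporate-LAN request with no verified factor is denied outright.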

64
MCQmedium

A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerD

Non-repudiation provides proof of origin that cannot be denied. A digital signature created with the sender's private key binds the message to the sender, achieving non-repudiation.

Why this answer

Digital signatures use asymmetric cryptography where the sender signs the email with their private key. The recipient can verify the signature using the sender's public key, which proves the identity of the sender and ensures the message has not been tampered with. This directly achieves non-repudiation because the sender cannot deny having sent the email, as only their private key could have created the signature.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but while digital signatures do ensure integrity, the primary security goal they achieve is non-repudiation because they provide cryptographic proof of the sender's identity that cannot be repudiated.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., using the recipient's public key), not digital signatures which do not hide the message content. Option B is wrong because integrity is indeed provided by digital signatures (detecting tampering), but it is not the primary goal—non-repudiation is the primary goal, as integrity is a supporting property. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to the cryptographic proof of origin and integrity provided by digital signatures.
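The integrity-versus-non-repudiation distinction in Q64 is easiest to see side by side. The Python below is an added example, not from the page; it uses a toy textbook-RSA key built from two known Mersenne primes with no padding (constructed for illustration only; real signatures use randomly generated keys of 2048 bits or more with a padding scheme such as RSA-PSS, or an elliptic-curve scheme). It shows that an HMAC and a signature both detect tampering, but only the signature lets a recipient prove who signed: the recipient holds the shared HMAC key and could have produced the tag themselves, whereas nobody without the private exponent can produce a valid signature.

```python
import hashlib
import hmac

# Toy RSA parameters (constructed): p = 2^521 - 1 and q = 2^127 - 1 are known Mersenne primes,
# large enough that a SHA-256 digest fits below n. Never build real keys this way.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (modular inverse, Python 3.8+)

SHARED_KEY = b"constructed shared secret held by sender AND recipient"


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (what textbook RSA signs)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(message: bytes, private_exponent: int = D) -> int:
    """Signature = H(m)^d mod n; only the holder of d can compute it."""
    return pow(digest_int(message), private_exponent, N)


def rsa_verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Anyone holding the public key (n, e) can check sig^e mod n == H(m)."""
    return pow(signature, public_exponent, N) == digest_int(message)


def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256: integrity and origin for whoever holds the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac_tag(message, key), tag)


def demo() -> dict:
    original = b"Invoice 1234: pay 500 EUR to Contoso"
    altered = b"Invoice 1234: pay 5000 EUR to Contoso"
    signature = rsa_sign(original)
    tag = mac_tag(original)

    # A dishonest recipient tries to manufacture proof that the sender sent `altered`.
    forged_tag = mac_tag(altered)                 # trivial: the recipient holds SHARED_KEY
    forged_sig = pow(digest_int(altered), E, N)   # best effort without D: only the public exponent

    return {
        # Integrity: both mechanisms detect the modification.
        "sig_verifies_original": rsa_verify(original, signature),
        "sig_rejects_altered": not rsa_verify(altered, signature),
        "mac_verifies_original": mac_verify(original, tag),
        "mac_rejects_altered": not mac_verify(altered, tag),
        # Non-repudiation: only the signature binds the sender and nobody else.
        "recipient_can_forge_mac": mac_verify(altered, forged_tag),
        "recipient_can_forge_signature": rsa_verify(altered, forged_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two results are the exam point: a valid HMAC on the altered invoice proves nothing about the sender, because the recipient could make it, so a MAC provides integrity but not non-repudiation. A valid signature could only have come from the private exponent, which is what lets a third party hold the sender to the message.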

65
MCQhard

A company is planning to use Copilot for Microsoft 365. To ensure that Copilot responses are based only on data accessible to the user, which principle must be enforced?

A.Copilot automatically grants access to all data
B.User permissions and access controls are respected
C.All organizational data is indexed and available to Copilot
D.Data must be stored in a specific location
AnswerB

Copilot uses the user's existing permissions to access data.

Why this answer

Option B is correct because Copilot for Microsoft 365 retrieves content through Microsoft Graph using the signed-in user's existing permissions, so it can only surface what that user could already open. Option A is incorrect because Copilot does not grant any access of its own. Option C is incorrect because organizational content is not universally indexed and exposed to Copilot regardless of permissions.

Option D is incorrect because storage location does not determine what Copilot may return; access control does.

66
MCQhard

A multinational corporation uses Microsoft Entra ID for identity management. They want to allow their external partners to use their own corporate credentials to access the company's resources, rather than creating guest accounts. Which Entra ID feature should they use?

A.Entra ID B2C
B.Entra ID Direct Federation
C.Entra ID Verified ID
D.Entra ID External ID
AnswerD

External ID allows partners to use their own corporate credentials via federation.

Why this answer

Entra ID External ID (formerly Azure AD B2B) enables external partners to use their own identity providers, including corporate credentials, to access your resources without needing separate guest accounts. This is achieved through federation. Entra ID B2C is for customer-facing applications.

Direct federation is a method within External ID. Entra ID Verified ID is for verifiable credentials.

67
MCQhard

You are a security administrator for Contoso Ltd., a global financial services company with 5,000 employees. The company uses Microsoft 365 E5 licenses and has deployed Microsoft Entra ID, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. Recently, the security team identified a risk: employees are sharing sensitive financial reports via external email recipients without encryption. To address this, you need to implement a solution that automatically applies encryption to emails containing the sensitive information type 'U.S. Bank Account Number' when sent to external recipients. The solution must not block the email but should encrypt it. Additionally, you want to notify the sender with a policy tip that the email will be encrypted. You have access to the Microsoft Purview compliance portal. What should you configure?

A.Configure an email encryption rule in Microsoft Defender for Office 365.
B.Create a Data Loss Prevention (DLP) policy in Microsoft Purview that detects 'U.S. Bank Account Number' and applies encryption to emails sent to external recipients, with a policy tip.
C.Enable Microsoft Purview Message Encryption for all users.
D.Create a sensitivity label with encryption and publish it to all users, then train users to apply it manually.
AnswerB

DLP can automatically apply encryption and show policy tips.

Why this answer

Option B is correct because a DLP policy in Microsoft Purview can detect the 'U.S. Bank Account Number' sensitive information type, automatically apply encryption to matching emails sent to external recipients, and show the sender a policy tip, all without blocking the message. Option A is incorrect because email encryption rules in Defender for Office 365 do not provide the conditional, content-based enforcement with policy tips that this scenario requires. Option C is incorrect because enabling Microsoft Purview Message Encryption for all users does not by itself apply encryption based on the content or recipient of a message; a DLP policy is what applies it conditionally.

Option D is incorrect because a published sensitivity label relies on users applying it manually, which does not meet the requirement for automatic encryption.

68
MCQmedium

A company is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities shifts from the customer to Microsoft during this migration?

A.Physical security of the data center infrastructure
B.Configuring network security groups (NSGs)
C.Patching the operating system on virtual machines
D.Managing user identities and access to the application
AnswerA

Microsoft secures the physical data centers with access controls, surveillance, and environmental protections. This responsibility is always with the cloud provider.

Why this answer

When migrating on-premises applications to Azure IaaS, the shared responsibility model shifts physical security responsibilities—such as data center access controls, environmental controls, and hardware security—from the customer to Microsoft. Microsoft is responsible for the physical security of all Azure data centers, including perimeter security, surveillance, and facility access management, which were previously the customer's responsibility in their own on-premises environment.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly believing that Microsoft takes responsibility for OS patching or network security in IaaS, when in fact those remain customer responsibilities.

How to eliminate wrong answers

Option B is wrong because configuring network security groups (NSGs) remains the customer's responsibility under IaaS, as the customer controls network traffic filtering and segmentation for their virtual networks. Option C is wrong because patching the operating system on virtual machines is the customer's responsibility in IaaS, as Microsoft only manages the underlying hypervisor and physical hosts. Option D is wrong because managing user identities and access to the application is always the customer's responsibility, regardless of deployment model, as Microsoft provides identity services (like Azure AD) but the customer controls who has access and how permissions are configured.

69
MCQeasy

A user reports that they cannot access a sensitive document in SharePoint Online. The administrator checks the document's permissions and sees that the user is not listed directly, but a group they belong to has been granted access. Which identity concept describes this scenario?

A.Role-based access control (RBAC)
B.Privilege escalation
C.Group-based access control
D.Attribute-based access control (ABAC)
AnswerC

The user gains access through a group they belong to, which is group-based access control.

Why this answer

Group-based access control allows permissions to be assigned to groups rather than individuals, simplifying management. Option A is wrong because role-based access control assigns permissions through roles rather than through direct group membership on a document. Option B is wrong because privilege escalation refers to gaining higher permissions than intended, not normal access inherited through a group.

Option D is wrong because attribute-based access control evaluates user and resource attributes, not group membership.

70
Multi-Selectmedium

Which TWO of the following are principles of the Zero Trust security model? (Select two.)

Select 2 answers
A.Verify explicitly
B.Perimeter-based security
C.Implicit trust
D.Trust but verify
E.Least privilege access
AnswersA, E

Always authenticate and authorize based on all data points.

Why this answer

Options A and E are correct. The official Zero Trust principles are: verify explicitly, use least privilege access, and assume breach. 'Verify explicitly' (A) and 'Least privilege access' (E) are two of those three principles.

Option B is wrong because perimeter-based security is the traditional model Zero Trust replaces. Options C and D are wrong because Zero Trust rejects implicit trust and 'trust but verify' in favor of verifying every request explicitly.

71
MCQeasy

You run the above PowerShell command in your Microsoft Entra ID environment. What is the command retrieving?

A.Conditional access policies
B.Named locations
C.Role assignments
D.Token lifetime policies
AnswerD

The command filters for TokenLifetimePolicy type.

Why this answer

Option D is correct because the command gets all policies of type 'TokenLifetimePolicy', which are used to define token lifetimes. Option A is wrong because conditional access policies use a different policy type. Option B is wrong because named locations are not policies.

Option C is wrong because role assignments are not policies.

72
Drag & Dropmedium

Arrange the steps to configure Azure AD Privileged Identity Management (PIM) for a role in the correct order.


Why this order

PIM setup involves first accessing PIM, then selecting a role, configuring settings, assigning eligible users, and managing approvals.

73
MCQeasy

A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?

A.Segregation of duties
B.Defense in depth
C.Least privilege
D.Zero Trust
AnswerC

Least privilege ensures users have only the permissions needed for their roles. The example of a sales rep having read-only access to customer data is a classic application of this principle.

Why this answer

The scenario describes granting employees only the permissions necessary to perform their job functions, which is the core definition of the least privilege principle. In Microsoft identity and access management, this is implemented by assigning the minimum required Azure RBAC roles or Microsoft Entra ID directory roles, ensuring users have no more access than needed. This directly reduces the attack surface and limits potential damage from compromised accounts.

Exam trap

The trap here is that candidates confuse least privilege with Zero Trust, but Zero Trust is a broader architectural model that includes least privilege as one component, not the specific principle being described in this scenario.

How to eliminate wrong answers

Option A is wrong because segregation of duties (also known as separation of duties) requires splitting critical tasks among multiple people to prevent fraud or error, not limiting permissions to the minimum needed. Option B is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, monitoring) across different layers, not a principle for granting specific permissions. Option D is wrong because Zero Trust is a security model based on 'never trust, always verify' and continuous authentication, not specifically about granting only necessary permissions.

74
MCQmedium

A security architect is explaining identity management concepts to the IT team. Which statement correctly describes the difference between authentication and authorization?

A.Authentication verifies what a user can do, while authorization verifies who the user is.
B.Authorization must always occur before authentication.
C.Authentication verifies the identity of a user, while authorization determines the resources they can access.
D.Authentication and authorization are synonymous terms in identity management.
AnswerC

Authentication confirms who you are, and authorization defines what you are allowed to do after your identity is verified.

Why this answer

Option C is correct because authentication is the process of verifying a user's identity (e.g., via password, biometric, or certificate), while authorization determines what resources or actions that authenticated identity is permitted to access. In Microsoft Entra ID, authentication occurs first via protocols like OAuth 2.0 or OpenID Connect, and authorization is then enforced through role-based access control (RBAC) or conditional access policies.

Exam trap

The trap here is that candidates often confuse the order or swap the definitions of authentication and authorization, leading them to pick Option A or B, but the key is remembering that authentication always precedes authorization and that they are distinct processes.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: authentication verifies who the user is, not what they can do, and authorization determines what a user can do, not who they are. Option B is wrong because authorization must always occur after authentication, not before; you cannot determine access rights without first confirming the user's identity. Option D is wrong because authentication and authorization are distinct concepts; authentication confirms identity, while authorization governs access permissions, and they are not synonymous.

75
Multi-Selecteasy

Which TWO are features of Microsoft Entra ID?

Select 2 answers
A.Single sign-on (SSO)
B.Data loss prevention (DLP)
C.Cloud app discovery
D.Mobile device management (MDM)
E.Self-service password reset (SSPR)
AnswersA, E

Entra ID provides SSO for cloud applications.

Why this answer

Options A and E are correct. Microsoft Entra ID provides single sign-on (SSO) and self-service password reset (SSPR). Option B is wrong because data loss prevention (DLP) is a feature of Microsoft Purview.

Option C is wrong because cloud app discovery is a feature of Microsoft Defender for Cloud Apps. Option D is wrong because mobile device management (MDM) is provided by Microsoft Intune.
