CCNA Describe the concepts of security, compliance, and identity Questions

75 of 235 questions · Page 2/4 · Describe the concepts of security, compliance, and identity · Answers revealed

76
MCQ · hard

You are the security administrator for Contoso Corporation. The company uses Microsoft 365 E5 licenses, which include Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender XDR. Contoso has a hybrid identity environment with Microsoft Entra Connect syncing on-premises Active Directory to Microsoft Entra ID. The company recently experienced a data breach where an attacker compromised a user's credentials and exfiltrated sensitive customer data from SharePoint Online. The investigation revealed that the compromised user did not have MFA enabled and had admin consent to a malicious third-party OAuth app. To prevent future incidents, management has mandated the following requirements: (1) Enforce MFA for all users, especially those accessing sensitive data. (2) Block all OAuth apps that are not pre-approved by IT. (3) Detect and respond to identity-based threats in real-time. (4) Classify and protect sensitive data in SharePoint and Teams. You need to recommend a solution that meets all requirements. Which combination of Microsoft security solutions should you implement?

A. Conditional Access to enforce MFA, Microsoft Intune to block OAuth apps, Microsoft Defender for Endpoint to detect identity threats, and Microsoft Purview Audit to classify data.
B. Security defaults to enforce MFA, Microsoft Defender for Cloud to block OAuth apps, Microsoft Sentinel to detect identity threats, and Microsoft Purview Data Loss Prevention to classify data.
C. Microsoft Entra ID Protection to enforce MFA, Microsoft Defender for Identity to block OAuth apps, Microsoft Sentinel to detect identity threats, and Microsoft Purview Data Lifecycle Management to classify data.
D. Conditional Access to enforce MFA, Microsoft Defender for Cloud Apps to block unapproved OAuth apps, Microsoft Defender for Identity to detect identity threats, and Microsoft Purview Information Protection to classify and protect sensitive data.
Answer: D

This combination meets all requirements: Conditional Access enforces MFA, Defender for Cloud Apps blocks OAuth apps, Defender for Identity detects threats, and Purview Information Protection classifies data.

Why this answer

Conditional Access enforces MFA and can block OAuth apps; Defender for Cloud Apps provides OAuth app governance; Defender for Identity detects identity threats; Purview Information Protection classifies and protects data. Defender for Cloud is for cloud workload protection, not identity or OAuth. Intune is for device management.

Sentinel is a SIEM but is not specific to identity threat detection. The correct combination covers all four requirements.

77
MCQ · easy

A company stores sensitive customer data in an Azure SQL database. To protect this data, the database files are encrypted at rest using Transparent Data Encryption (TDE). Additionally, all network traffic between the application and the database is encrypted using TLS. Which security goal is primarily addressed by these encryption measures?

A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Answer: C

Encryption at rest and in transit protects data from being read by unauthorized parties, directly supporting confidentiality.

Why this answer

Transparent Data Encryption (TDE) encrypts data at rest, meaning the database files on disk are encrypted so that unauthorized access to the physical storage cannot read the data. TLS encrypts data in transit between the application and the database, preventing eavesdropping or interception over the network. Together, these measures primarily ensure that sensitive customer data remains secret and inaccessible to unauthorized parties, which is the core goal of confidentiality.

Exam trap

The trap here is that candidates confuse encryption (which protects confidentiality) with integrity or non-repudiation, because encryption can indirectly help detect tampering in some contexts. The primary security goal of TDE and TLS, however, is to keep data secret, not to verify its origin or prevent denial of actions.

How to eliminate wrong answers

Option A is wrong because integrity ensures data has not been tampered with or altered, which is not the primary goal of encryption at rest or in transit; encryption protects secrecy, not modification detection (which would require hashing or digital signatures). Option B is wrong because availability ensures systems and data are accessible when needed, which encryption does not directly address; in fact, encryption can sometimes add overhead but does not guarantee uptime. Option D is wrong because non-repudiation ensures that an action or transaction cannot be denied by the parties involved, typically achieved through digital signatures and audit logs, not through encryption of data at rest or in transit.

78
Multi-Select · easy

Which TWO of the following are purposes of the 'Zero Trust' security model?

Select 2 answers
A. Explicitly verify every access request
B. Assume that everything is on an open network
C. Rely on a single perimeter firewall
D. Trust internal traffic implicitly
E. Assume that the network is always safe
Answers: A, B

Zero Trust requires explicit verification for every access attempt.

Why this answer

Zero Trust assumes breach and verifies each request as though it originates from an open network. It explicitly verifies every access request, regardless of source. It does not assume a trusted internal network; that is the traditional perimeter model.

It does not rely solely on a single perimeter firewall.

79
MCQ · medium

Your organization uses Microsoft Purview to enforce retention policies. You need to retain all documents in a specific SharePoint site for 5 years after they are created, and then delete them permanently. What should you configure?

A. A DLP policy with a retention rule
B. A retention policy set to retain for 5 years and then delete
C. A retention label set to retain for 5 years and then delete
D. A sensitivity label with a retention setting
Answer: B

A retention policy can be applied to a SharePoint site with the specified action.

Why this answer

Option B is correct because a retention policy with 'Retain for 5 years then delete' will keep items for 5 years and then permanently delete them. Option C is wrong because a retention label is applied manually or automatically to individual items, whereas a retention policy can be scoped to the whole site. Option A is wrong because a DLP policy is for preventing data loss, not retention.

Option D is wrong because a sensitivity label is for classification, not retention.

80
MCQ · hard

Contoso Ltd. is a financial services company that must comply with strict regulatory requirements. They use Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Purview, and Microsoft Defender for Cloud Apps. The compliance team needs to implement a data loss prevention (DLP) policy that detects and prevents the sharing of credit card numbers in Microsoft Teams messages. Additionally, they want to ensure that only users with a specific custom sensitivity label can access documents containing credit card numbers. The sensitivity label is named 'Financial-Confidential' and is applied automatically via auto-labeling. The DLP policy should block sharing of credit card numbers in Teams but allow users to override the block with a business justification. Which combination of actions should you configure in the Microsoft Purview DLP policy to meet these requirements?

A. Create a DLP policy in Microsoft Purview that blocks sharing of credit card numbers in Teams and does not allow overrides. Configure the policy to apply to all content.
B. Configure a session policy in Microsoft Defender for Cloud Apps that monitors Teams for credit card numbers and blocks sharing. Use the 'Block with override' action.
C. Create a DLP policy in Microsoft Purview that blocks sharing of credit card numbers in Teams and allows overrides with business justification. Configure the policy to apply to content containing the 'Financial-Confidential' sensitivity label.
D. Use the built-in DLP template for financial data in Microsoft Purview and enable the 'Block with override' action. Set the scope to Teams.
Answer: C

Meets all requirements.

Why this answer

Option C is correct. A custom DLP policy with a condition for credit card numbers and the action 'Block with override' will block sharing and allow override. Also, the sensitivity label condition ensures that only documents with the 'Financial-Confidential' label are subject to the policy.

Option A is wrong because blocking without override does not allow business justification. Option D is wrong because using a built-in DLP template may not integrate with the custom sensitivity label. Option B is wrong because configuring the policy in Defender for Cloud Apps is unnecessary; Microsoft Purview is the correct administrative center for DLP.

81
MCQ · easy

An organization is implementing a Zero Trust security model. Which principle requires that every access request must be fully authenticated, authorized, and verified based on all available signals, regardless of the user's network location?

A. Verify explicitly
B. Least privilege
C. Assume breach
D. Defense in depth
Answer: A

This principle states that authentication and authorization should be performed for every access request using all available signals.

Why this answer

The 'Verify explicitly' principle of Zero Trust mandates that every access request must be fully authenticated, authorized, and encrypted based on all available data points—including user identity, device health, location, and behavioral signals—regardless of whether the request originates from inside or outside the corporate network. This contrasts with traditional perimeter-based models that implicitly trust internal traffic.

Exam trap

The trap here is that candidates confuse 'Verify explicitly' with 'Least privilege' because both involve access control, but 'Verify explicitly' is about continuous authentication and authorization of every request, while 'Least privilege' is about limiting permissions after access is granted.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting user permissions to the minimum necessary to perform a task, not on verifying every access request based on all signals. Option C (Assume breach) is wrong because it describes the mindset of designing systems to minimize blast radius and detect breaches, not the requirement to authenticate and authorize each request. Option D (Defense in depth) is wrong because it refers to layering multiple security controls (e.g., firewalls, antivirus, IDS) to protect assets, not the explicit verification of every access attempt.

82
MCQ · medium

An organization adopts a security model that requires explicit verification of every access request, uses least privilege principles, and assumes that a breach has already occurred. Which security model does this describe?

A. Perimeter-based security
B. Defense in depth
C. Zero Trust
D. Shared responsibility
Answer: C

Zero Trust explicitly verifies every access, enforces least privilege, and assumes breach, matching the description.

Why this answer

Zero Trust is the correct answer because the model explicitly requires verification of every access request, enforces least privilege, and assumes breach. This aligns with the core Zero Trust principles of 'never trust, always verify,' continuous validation, and micro-segmentation, as opposed to traditional perimeter-based models that implicitly trust internal traffic.

Exam trap

The trap here is that candidates confuse 'defense in depth' with Zero Trust because both involve multiple security layers, but defense in depth does not require explicit verification of every request or the assumption of breach, which are unique to Zero Trust.

How to eliminate wrong answers

Option A is wrong because perimeter-based security relies on a trusted internal network and a hardened boundary, which contradicts the assumption of breach and explicit verification of every request. Option B is wrong because defense in depth is a layered security strategy that uses multiple controls (firewalls, antivirus, etc.) but does not inherently require explicit verification of every access request or assume a breach has already occurred. Option D is wrong because shared responsibility is a cloud security model that defines which security tasks are handled by the provider versus the customer, not a model for access verification or breach assumption.

83
Multi-Select · easy

Which THREE of the following are components of the Zero Trust security model?

Select 3 answers
A. Use least privilege access
B. Single sign-on (SSO)
C. Network perimeter security
D. Assume breach
E. Verify explicitly
Answers: A, D, E

Limit user access with Just-In-Time and Just-Enough-Access.

Why this answer

The three core principles of Zero Trust are: verify explicitly, use least privilege access, and assume breach. Network perimeter security is a traditional model, not Zero Trust. Single sign-on is a convenience feature, not a core principle.

84
Multi-Select · hard

Refer to the exhibit. An administrator deploys this Azure Resource Manager template. Which TWO of the following statements are true?

Select 2 answers
A. The template creates a resource group if it does not exist.
B. The policy assignment enforces encryption on existing SQL databases.
C. The template deploys a new SQL database.
D. The policy assignment audits whether SQL Database transparent data encryption is enabled.
E. The policy assignment can be deployed to a subscription or management group.
Answers: D, E

The policy definition ID maps to the built-in policy for SQL TDE auditing.

Why this answer

The policy definition ID corresponds to 'Audit if SQL Database encryption is not enabled'. The effect is 'AuditIfNotExists', so it audits but does not enforce. The assignment is at subscription/management group scope, not resource group.

It does not deploy a resource but assigns a policy.

85
MCQ · easy

A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?

A. Protecting the physical datacenter and the underlying hardware
B. Configuring the operating system firewall on each VM
C. Installing and patching the application software
D. Managing user access to the application
Answer: A

Microsoft retains responsibility for the physical security of datacenters, servers, storage, and networking hardware in all cloud models, including IaaS.

Why this answer

In an IaaS model, Microsoft retains responsibility for the physical datacenter, including physical security, the network infrastructure, and the underlying hardware (servers, storage, networking). This is because the customer manages the guest OS, application, and data, while Microsoft manages the physical layer up to the hypervisor. Option A correctly identifies this retained responsibility.

Exam trap

The trap here is that candidates often confuse 'security of the cloud' (Microsoft's responsibility for the physical infrastructure) with 'security in the cloud' (the customer's responsibility for their own configurations, applications, and data), leading them to incorrectly assign guest OS or application-level tasks to Microsoft.

How to eliminate wrong answers

Option B is wrong because configuring the guest OS firewall on each VM is the customer's responsibility, as they manage the guest operating system. Option C is wrong because installing and patching the application software is the customer's responsibility, as they own the application code and its deployment. Option D is wrong because managing user access to the application is the customer's responsibility, as they control identity and access management within their own application and Azure AD tenant.

86
MCQ · hard

A security analyst needs to investigate a potential ransomware attack affecting multiple endpoints. They want to centralize detection and response across devices, email, and applications. Which Microsoft solution should they use?

A. Microsoft 365 Defender (now Microsoft Defender XDR)
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud
Answer: A

Microsoft Defender XDR correlates alerts across endpoints, email, identities, and apps for unified response.

Why this answer

Microsoft Defender XDR (formerly Microsoft 365 Defender) provides unified detection and response across endpoints, email, identities, and applications. Microsoft Sentinel is a SIEM for broader security data. Defender for Cloud is for cloud workloads.

Defender for Endpoint only covers endpoints.

87
MCQ · easy

A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?

A. Availability
B. Least privilege
C. Defense in depth
D. Non-repudiation
Answer: B

Correct. Least privilege restricts permissions to only what is necessary for the job, which is exactly what is described in the scenario.

Why this answer

The security policy restricts a Sales user's access to only sales-related documents, explicitly denying access to Finance and HR folders. This aligns with the principle of least privilege, which mandates that users be granted only the minimum permissions necessary to perform their job functions. In Microsoft 365, this is implemented via role-based access control (RBAC) or sensitivity labels that enforce read-only access on specific SharePoint document libraries or folders.

Exam trap

Microsoft often tests least privilege by contrasting it with defense in depth, but the trap here is that candidates confuse a single access restriction (least privilege) with a multi-layered security strategy (defense in depth).

How to eliminate wrong answers

Option A is wrong because availability ensures systems and data are accessible when needed (e.g., uptime guarantees), not who can view specific folders. Option C is wrong because defense in depth is a layered security strategy (e.g., firewalls, encryption, MFA), not a single access control rule. Option D is wrong because non-repudiation prevents a user from denying an action (e.g., digital signatures or audit logs), not from viewing restricted documents.

88
MCQ · easy

Your organization wants to enforce multi-factor authentication (MFA) for all users accessing cloud applications. Which Microsoft Entra ID feature should you configure?

A. Configure Privileged Identity Management
B. Create a Conditional Access policy
C. Use Identity Protection
D. Enable MFA per user
Answer: B

Conditional Access policies can require MFA based on conditions.

Why this answer

Option B is correct because Conditional Access policies allow you to require MFA based on conditions like user, location, or device. Option D is incorrect because per-user MFA is a legacy method. Option A is incorrect because PIM manages role activation, not MFA enforcement.

Option C is incorrect because Identity Protection detects risks but does not directly enforce MFA.

89
MCQ · easy

A security administrator is configuring permissions for a new cloud-based expense reporting application. The administrator assigns each employee only the permissions they need to perform their job functions. For example, employees in the Sales department can view expense reports but cannot approve or modify financial data. Which security principle is the administrator implementing?

A. Defense in depth
B. Least privilege
C. Separation of duties
D. Zero trust
Answer: B

This is the correct answer because the administrator is granting the minimal permissions required for each employee's role, directly applying the least privilege principle.

Why this answer

The administrator is granting each employee only the permissions necessary to perform their job functions, such as Sales being able to view but not approve or modify financial data. This directly implements the principle of least privilege, which restricts access rights to the minimum required for legitimate tasks. In cloud-based applications like expense reporting systems, least privilege reduces the attack surface and limits potential damage from compromised accounts.

Exam trap

The trap here is that candidates confuse least privilege with separation of duties, because both involve restricting access, but separation of duties specifically requires splitting conflicting tasks (e.g., submit vs. approve) across different users to prevent fraud, whereas least privilege focuses on minimizing permissions per user.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, intrusion detection) rather than a single permission assignment. Option C is wrong because separation of duties divides critical tasks among multiple users to prevent fraud (e.g., one person submits an expense, another approves it), but the scenario focuses on limiting permissions per role, not splitting tasks. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every request, whereas the scenario describes a static permission assignment based on job roles.

90
MCQ · hard

An organization implements a security policy where users must authenticate using a smart card and PIN. After successful authentication, the system checks whether the user's device is managed by the organization and complies with security baselines. If the device is compliant, the user is granted access to the corporate network. If not, access is denied. This approach most directly reflects which security model?

A. Defense in depth
B. Zero Trust
C. CIA triad
D. Least privilege
Answer: B

Zero Trust requires verifying every access attempt, including identity and device health. The policy of blocking access if the device is non-compliant is a core component of Zero Trust architecture.

Why this answer

The scenario explicitly enforces 'never trust, always verify' by requiring authentication (smart card + PIN) and then validating device compliance before granting network access. This directly aligns with the Zero Trust model's core principle of conditional access based on identity and device health, rather than implicit trust from network location.

Exam trap

The trap here is that candidates confuse Zero Trust with Defense in depth because both involve multiple security layers, but Zero Trust specifically requires per-request verification of identity and device health, whereas Defense in depth relies on static layers without dynamic device compliance checks.

How to eliminate wrong answers

Option A is wrong because Defense in depth is a layered security strategy (e.g., firewalls, IDS, antivirus) that does not specifically mandate per-request device compliance checks before granting network access. Option C is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a high-level security objective, not an operational model that dictates authentication and device health verification as a prerequisite for access. Option D is wrong because Least privilege focuses on granting only necessary permissions (e.g., read-only vs. write), not on verifying device compliance before allowing network connectivity.

91
MCQ · easy

A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?

A. Identification
B. Authentication
C. Authorization
D. Non-repudiation
Answer: C

Authorization is the process of verifying that an authenticated identity is allowed to perform a specific action or access a resource. The system checking the card ID against a list of authorized rooms is a classic example of authorization.

Why this answer

The system checks the ID number against a list of authorized rooms to determine what action (unlocking the door) the guest is allowed to perform. This is the definition of authorization: granting or denying access rights based on verified identity. Authentication (proving who you are) has already occurred when the card was issued or when the system reads the ID; the check against the list is purely about permissions.

Exam trap

The trap here is that candidates confuse 'checking the ID' with authentication, but the scenario explicitly states the ID is already read and the check is against a list of authorized rooms, which is a permission check, not a proof-of-identity check.

How to eliminate wrong answers

Option A is wrong because identification is the act of claiming an identity (e.g., presenting the card ID), not verifying permissions. Option B is wrong because authentication is the process of verifying that the ID belongs to a valid entity (e.g., checking the card's cryptographic signature or PIN), not checking what that entity is allowed to do. Option D is wrong because non-repudiation ensures that a party cannot deny an action (e.g., using digital signatures or audit logs), which is not involved in a simple door lock check.

92
MCQ · easy

A healthcare company stores patient records in an Azure SQL database. To protect the data, they enable Transparent Data Encryption (TDE) for the database and require all client connections to use TLS. Which security goal is being primarily addressed by these measures?

A. Integrity
B. Confidentiality
C. Availability
D. Non-repudiation
Answer: B

Confidentiality ensures that data is accessible only to authorized users. Encryption at rest (TDE) and in transit (TLS) protect the data from being read by unauthorized parties, directly addressing confidentiality.

Why this answer

Transparent Data Encryption (TDE) encrypts data at rest in the Azure SQL database, ensuring that even if the physical storage media is compromised, the data remains unreadable. Requiring TLS for client connections encrypts data in transit, preventing eavesdropping or interception. Both measures directly protect the confidentiality of patient records by preventing unauthorized access to the data.

Exam trap

The trap here is that candidates may confuse encryption (which protects confidentiality) with integrity or non-repudiation, especially when TLS is involved. TLS primarily provides confidentiality; it also provides integrity via MACs, but integrity is not the primary goal in this context.

How to eliminate wrong answers

Option A is wrong because integrity is about ensuring data has not been tampered with, which is typically addressed by hashing or digital signatures, not by encryption alone. Option C is wrong because availability refers to ensuring systems and data are accessible when needed, which is achieved through redundancy, backups, and disaster recovery, not encryption. Option D is wrong because non-repudiation ensures that an action cannot be denied, usually via digital signatures or audit logs, not by encrypting data at rest or in transit.

93
MCQ · easy

A company wants to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. Which identity feature should they use to require a second form of verification?

A. Microsoft Authenticator
B. Self-service password reset
C. Conditional Access
D. Multi-factor authentication
Answer: D

MFA requires a second form of verification, such as a phone call or app notification.

Why this answer

Multi-factor authentication (MFA) is the correct answer because it requires a second form of verification, such as a phone call or app notification, in addition to a password. Conditional Access is a policy engine that can enforce MFA but is not itself a verification method. Self-service password reset and Microsoft Authenticator are features that support MFA but are not the overarching concept.

94
MCQ · medium

Your company is implementing data loss prevention (DLP) policies in Microsoft Purview. You need to prevent users from sharing credit card numbers via email. Which type of sensitive information type should you use in the DLP rule?

A. Custom keyword list
B. Built-in sensitive information type
C. Trainable classifier
D. Exact data match (EDM) based classification
Answer: B

Microsoft Purview includes a built-in type for credit card numbers.

Why this answer

Option B is correct because a built-in sensitive information type for credit card numbers is available. Option D is incorrect because an exact data match (EDM) is for custom databases. Option A is incorrect because a custom keyword list would be inefficient.

Option C is incorrect because a trainable classifier is for custom classification.

95
MCQ · easy

A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: C

Correct. Availability ensures that systems and data are accessible and usable when needed. Backups and disaster recovery are key controls to maintain availability.

Why this answer

Regular data backups and a disaster recovery plan directly ensure that critical systems and data can be restored and remain accessible after an outage. This aligns with the Availability principle of the CIA triad, which guarantees that authorized users have reliable access to resources when needed. In Azure, this is supported by services like Azure Backup and Azure Site Recovery, which provide automated backup and failover capabilities to maintain uptime.

Exam trap

The trap here is that candidates often confuse backups and disaster recovery with Confidentiality or Integrity, mistakenly thinking that protecting data copies implies preventing unauthorized access or tampering, rather than recognizing that the core goal is restoring access and system operation.

How to eliminate wrong answers

Option A is wrong because Confidentiality focuses on preventing unauthorized access to data (e.g., via encryption or access controls), not on restoring systems after an outage. Option B is wrong because Integrity ensures data is not tampered with or altered (e.g., via hashing or checksums), whereas backups address data recovery, not modification detection. Option D is wrong because Non-repudiation provides proof of origin or delivery of data (e.g., via digital signatures), which is unrelated to restoring system availability after a disaster.

96
MCQ · easy

A security architect is explaining the evolution of the security perimeter. They state that because users access corporate resources from anywhere on any device, the traditional network perimeter is no longer sufficient. What does the architect identify as the new primary security perimeter?

A. The cloud infrastructure
B. The data center
C. The identity
D. The endpoint
Answer: C

Identity is the new perimeter because it authenticates and authorizes every access request regardless of location or device.

Why this answer

In modern zero-trust architectures, identity is the new primary security perimeter because it enables granular access control regardless of network location. Since users access corporate resources from anywhere on any device, authentication and authorization (via protocols like OAuth 2.0, SAML, and OpenID Connect) become the decisive factor for granting access, rather than the traditional network boundary. This shift is foundational to Microsoft's identity-centric security model, where Azure AD (now Microsoft Entra ID) acts as the control plane for all resource access.

Exam trap

The trap here is that candidates often confuse the endpoint (the device) with identity, but the endpoint is merely a vector for identity claims—without identity as the authoritative control point, device-based security alone cannot prevent unauthorized access from a different user on the same device.

How to eliminate wrong answers

Option A is wrong because cloud infrastructure is a deployment model, not a security perimeter; it still relies on identity and access controls to secure resources within it. Option B is wrong because the data center is a physical or virtual location that assumes a trusted network boundary, which is no longer sufficient when users and devices are outside that boundary. Option D is wrong because the endpoint is just one component of the security stack; without identity-based authentication and conditional access policies, an endpoint alone cannot enforce who or what can access corporate resources.

97
Drag & Dropmedium

Order the steps to respond to a data breach using Microsoft 365 Defender incident response.


Why this order

Incident response typically starts with identification, isolation, investigation, containment, then remediation.

98
MCQhard

A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?

A.Identification and authorization
B.Authentication and authorization
C.Authentication and accounting
D.Identification and authentication
AnswerB

The smart card and PIN authenticate the user. Then the operating system authorizes (or denies) access to the folder based on permissions.

Why this answer

The scenario demonstrates authentication (verifying the user's identity via smart card + PIN) and authorization (the OS checking access rights and denying access to the folder). Authentication confirms who the user is, while authorization determines what resources they can access. Option B correctly pairs these two concepts.

Exam trap

The trap here is that candidates confuse 'identification' with 'authentication' — the smart card + PIN is a multi-factor authentication process, not merely identification, and the access check is authorization, not accounting or identification.

How to eliminate wrong answers

Option A is wrong because identification alone (e.g., presenting a username) is not sufficient; the scenario includes a PIN and smart card, which are authentication factors, and the access check is authorization, not just identification. Option C is wrong because accounting (tracking resource usage, e.g., logging or auditing) is not demonstrated; no logs or usage records are mentioned. Option D is wrong because identification (e.g., claiming an identity) is not explicitly shown; the user authenticates via smart card + PIN, and the access check is authorization, not just authentication.

99
MCQhard

Your company is adopting a Zero Trust network architecture. You need to implement microsegmentation for workloads running in Azure. Which Azure service should you use?

A.Azure Network Security Groups (NSGs)
B.Azure Firewall
C.Azure App Service
D.Azure Front Door
AnswerA

NSGs filter traffic between subnets and VMs, enabling microsegmentation.

Why this answer

Option A is correct because Azure Network Security Groups (NSGs) provide microsegmentation by filtering traffic between subnets and VMs within a virtual network. Option B is wrong because Azure Firewall is a stateful, centralized firewall for traffic entering or leaving a VNet, not a tool for microsegmentation within it. Option C is wrong because App Service is a PaaS hosting platform, not a network traffic filter.

Option D is wrong because Azure Front Door is a global load balancer.

100
Multi-Selecthard

A company wants to implement a Zero Trust security model. Which TWO of the following are core principles of Zero Trust?

Select 2 answers
A.Trust based on network location
B.Verify explicitly
C.Perimeter-based security
D.Implicit trust for internal users
E.Least privilege access
AnswersB, E

Verify explicitly and least privilege access are two of the three core principles of Zero Trust (the third is assume breach).

Why this answer

Options B and E are correct. The Zero Trust principles are verify explicitly (B), use least privilege access (E), and assume breach. Option A is incorrect because Zero Trust does not base trust on network location.

Option C is incorrect because perimeter-based security is not a Zero Trust principle. Option D is incorrect because implicit trust for internal users is the opposite of Zero Trust.

101
MCQeasy

A company wants to ensure that data is not altered during transmission between a client and a server. They use TLS encryption. Which security goal does this primarily address?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures that data is not modified or tampered with during transit, which directly matches the requirement.

Why this answer

TLS (Transport Layer Security) uses message authentication codes (MACs) and cryptographic hashing to ensure that data is not tampered with during transit. While TLS also provides confidentiality through encryption, the specific goal of preventing alteration during transmission is integrity. Therefore, option B is correct because integrity guarantees that the data received is exactly what was sent, unchanged by any intermediary.

Exam trap

The trap here is that candidates often assume TLS only provides confidentiality (encryption) and forget that TLS also explicitly ensures integrity through MACs or AEAD, leading them to incorrectly select 'Confidentiality' (Option A) when the question specifically asks about preventing alteration.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data (secrecy), not about detecting or preventing alteration; TLS achieves confidentiality through symmetric encryption, but the question specifically asks about preventing alteration. Option C is wrong because availability ensures that systems and data are accessible when needed, which is unrelated to data integrity during transmission; TLS does not address availability. Option D is wrong because non-repudiation prevents a party from denying an action (e.g., using digital signatures), whereas TLS does not inherently provide non-repudiation—it focuses on secure communication, not proof of origin.

102
MCQeasy

A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?

A.Authentication
B.Authorization
C.Non-repudiation
D.Accounting
AnswerB

Authorization controls what an authenticated user is allowed to do. Denying access to the folder due to missing group membership is an authorization decision.

Why this answer

Authorization is the security concept that determines what resources a user is allowed to access after their identity has been verified. In this scenario, the user successfully authenticated but was denied access to the financial reports folder because their account lacked the necessary permissions—specifically, membership in the 'Finance' group. This access control decision is the essence of authorization, which enforces policies based on identity attributes like group membership.

Exam trap

The trap here is that candidates confuse authentication (proving who you are) with authorization (what you are allowed to do), especially when the question includes a multi-factor authentication step that seems to 'grant' access, but the denial is purely an authorization failure.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., password + push notification), which already succeeded before the folder access attempt. Option C is wrong because non-repudiation ensures that a user cannot deny having performed an action, typically using digital signatures or audit logs, and is not related to access control decisions. Option D is wrong because accounting (or auditing) tracks user activities and resource usage for compliance and billing, but does not enforce or deny access to resources.

103
MCQhard

A security architect is implementing a Zero Trust security model. The architect insists that the network perimeter should not be trusted and that security controls must be applied to all traffic, even within the corporate network. They also emphasize the need for continuous monitoring and detection of threats as if a breach has already occurred. Which Zero Trust principle is the architect primarily applying?

A.Verify explicitly
B.Least privilege access
C.Assume breach
D.Trust but verify
AnswerC

Assume breach is the Zero Trust principle that expects a breach may have already occurred, driving continuous monitoring, segmentation, and threat detection.

Why this answer

The architect's emphasis on not trusting the network perimeter and applying security controls to all traffic, combined with continuous monitoring as if a breach has already occurred, directly aligns with the 'Assume breach' principle of Zero Trust. This principle operates on the mindset that a breach is inevitable or has already happened, thus requiring constant verification and monitoring of all network traffic, even within the corporate network, rather than relying on a trusted internal zone.

Exam trap

Microsoft often tests the distinction between 'Assume breach' and 'Verify explicitly' by describing a scenario that includes both continuous monitoring and strict access controls, leading candidates to confuse the proactive verification requirement with the reactive breach-assumption mindset.

How to eliminate wrong answers

Option A is wrong because 'Verify explicitly' focuses on authenticating and authorizing every access request based on all available data points (e.g., user identity, device health, location), but it does not inherently assume that a breach has already occurred; it is about strict verification at each access attempt. Option B is wrong because 'Least privilege access' is about granting only the minimum permissions necessary for a user or system to perform a task, which is a separate pillar of Zero Trust that does not directly address the continuous monitoring and breach-assumption mindset described in the scenario. Option D is wrong because 'Trust but verify' is an outdated security model that assumes trust is granted initially and then verified periodically; Zero Trust explicitly rejects this approach by stating that no entity should be trusted by default, even inside the network.

104
MCQhard

Your organization uses Microsoft Intune and Microsoft Entra ID. You need to enforce that only compliant and managed devices can access corporate email in Microsoft 365. Additionally, if a device is jailbroken, access should be blocked. You also want to provide a seamless sign-in experience for compliant devices. You have Microsoft Entra ID P1 licenses. What should you configure?

A.Configure Mobile Application Management (MAM) policies to restrict access.
B.Configure Azure AD Join for all devices and enable device registration.
C.Create a Conditional Access policy in Microsoft Entra ID that requires device compliance and use Intune compliance policies to block jailbroken devices, with seamless SSO.
D.Configure Microsoft Defender for Endpoint to detect jailbroken devices.
AnswerC

Conditional Access with device compliance ensures only compliant devices access email.

Why this answer

Option C is correct because Conditional Access can require device compliance (evaluated by Intune compliance policies, which can mark jailbroken devices as non-compliant) and allow seamless SSO for compliant devices. Option A is incorrect because MAM without device enrollment does not manage device compliance. Option D is incorrect because Microsoft Defender for Endpoint is for threat protection, not access enforcement.

Option B is incorrect because Azure AD Join alone does not enforce compliance policies.

105
Multi-Selecteasy

Which TWO of the following are identity-related security best practices recommended by Microsoft? (Choose two.)

Select 2 answers
A.Share passwords with team members for critical accounts
B.Implement Conditional Access policies
C.Use single sign-on (SSO) without MFA
D.Disable sign-in logs to reduce storage costs
E.Enable multi-factor authentication (MFA)
AnswersB, E

Conditional Access enforces access controls based on signals.

Why this answer

Options B and E are correct. Using Conditional Access policies and enabling MFA are key identity security best practices. Option A is wrong because sharing passwords is never recommended.

Option C is wrong because SSO reduces password use but is not a standalone best practice without MFA. Option D is wrong because disabling sign-in logs reduces visibility and auditability.

106
MCQeasy

A company implements a sign-in process where a user must provide their password and then enter a temporary code sent to their mobile phone. Which security principle is this process primarily enforcing?

A.Authorization
B.Authentication
C.Accounting
D.Non-repudiation
AnswerB

Authentication verifies identity. Multi-factor authentication requires two or more forms of verification, such as a password and a code from a phone.

Why this answer

The process of verifying a user's identity by requiring both a password (something they know) and a temporary code sent to their mobile phone (something they have) is a classic implementation of multi-factor authentication (MFA). Authentication is the security principle that confirms the identity of a user, device, or system before granting access. This sign-in flow directly enforces authentication by combining two distinct factors to prove the user is who they claim to be.

Exam trap

The trap here is that candidates often confuse authentication (proving identity) with authorization (granting permissions), especially when the question describes a multi-step sign-in process that seems to 'allow access' — but the core principle being enforced is identity verification, not access control.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., access specific resources), not how they prove their identity. Option C is wrong because accounting (or auditing) tracks user activities and resource usage for logging and compliance, not the initial identity verification process. Option D is wrong because non-repudiation ensures that a user cannot deny having performed an action (often using digital signatures or logs), whereas this sign-in process focuses on proving identity at the point of entry.

107
MCQmedium

A company requires that all sensitive data in Microsoft Teams messages be automatically encrypted and labeled with a 'Confidential' tag. Which Microsoft Purview solution should they use?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Purview Information Protection
D.Microsoft Purview Compliance Manager
AnswerC

Sensitivity labels with auto-labeling can detect sensitive content and apply labels and encryption automatically.

Why this answer

Microsoft Purview Information Protection includes sensitivity labels that can be auto-applied to sensitive data in Teams messages. DLP policies can detect data but do not apply labels directly. Data Lifecycle Management handles retention.

Compliance Manager is for assessments.

108
MCQhard

A company is designing a data governance strategy using Microsoft Purview. They need to allow data owners to define custom attributes for data assets and control who can access those assets. Which Purview feature should they use?

A.Microsoft Purview Data Estate Insights
B.Microsoft Purview Data Policy
C.Microsoft Purview Data Catalog
D.Microsoft Purview Data Map
AnswerC

Data Catalog allows data owners to curate assets, add custom attributes, and manage access.

Why this answer

Microsoft Purview Data Catalog allows data owners to manage custom attributes and set access controls on data assets. Option D is wrong because Data Map is the underlying metadata store, not an end-user governance tool. Option A is wrong because Data Estate Insights provides monitoring and reporting, not governance.

Option B is wrong because Data Policy applies policies to data sources, not asset-level custom attributes.

109
Matchingmedium

Match each Azure security service to its purpose.


Enforce organizational standards and assess compliance

Define repeatable Azure resources and policies

Unified security management and threat protection

Cloud-native SIEM and SOAR solution

Securely store and manage secrets and keys

Why these pairings

These are core Azure security and compliance services.

110
MCQmedium

Your company uses Microsoft Defender for Cloud to assess security posture. A recommendation states that virtual machines should have just-in-time (JIT) network access enabled. What is the primary security benefit of enabling JIT?

A.It reduces the attack surface by opening ports only when necessary
B.It replaces the need for network security groups
C.It encrypts all network traffic between the VM and clients
D.It permanently blocks all inbound traffic to the VM
AnswerA

JIT reduces exposure by keeping ports closed and opening them only for authorized requests.

Why this answer

JIT network access reduces the attack surface by keeping network ports closed by default and opening them only when needed for legitimate traffic, based on user requests. It does not block all inbound traffic permanently; it allows authorized requests. It does not encrypt traffic or replace firewall rules; it complements them.

111
MCQeasy

A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Zero trust
AnswerB

Defense in depth uses multiple layers of security controls to protect resources, ensuring that failure of one layer does not lead to a complete breach.

Why this answer

Defense in depth is the correct concept because it involves implementing multiple layers of security controls (e.g., firewalls, IDS, antivirus, encryption) so that if one layer fails, subsequent layers continue to provide protection. This layered approach ensures redundancy and mitigates the risk of a single point of failure, aligning with the scenario described.

Exam trap

The trap here is that candidates often confuse defense in depth with zero trust, mistakenly thinking that multiple layers automatically imply a zero-trust architecture, but zero trust specifically requires explicit verification per request rather than just layered controls.

How to eliminate wrong answers

Option A is wrong because least privilege is a principle that restricts users or systems to only the minimum permissions necessary to perform their functions, not a strategy of overlapping security controls. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error, not to provide layered technical defenses. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, which is a broader philosophy rather than the specific layered control strategy described.

112
MCQeasy

A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?

A.Physical security of the data center hosting the CRM
B.Managing user identities and controlling access to the CRM
C.Patching the underlying operating system of the CRM servers
D.Ensuring network security for the CRM application's backend
AnswerB

The customer is responsible for managing their own user identities, authentication, and authorization within the SaaS application, as well as configuring access policies.

Why this answer

In a SaaS model, the cloud provider is responsible for the security of the underlying infrastructure, including physical data centers, operating systems, and network controls. The customer retains responsibility for securing their own data and identities, which includes managing user accounts, enforcing authentication policies (e.g., Azure AD Multi-Factor Authentication), and controlling access to the CRM application via role-based access control (RBAC). Therefore, managing user identities and access is the customer's primary security responsibility.

Exam trap

The trap here is that candidates often assume the customer is responsible for all security aspects of a SaaS application, but SC-900 emphasizes that the provider handles infrastructure and platform security, leaving the customer with identity, data, and access management.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the sole responsibility of the cloud provider (Microsoft, in the case of Dynamics 365), not the customer. Option C is wrong because patching the underlying operating system of the CRM servers is part of the provider's responsibility for maintaining the SaaS platform's infrastructure. Option D is wrong because ensuring network security for the CRM application's backend, such as firewall rules and DDoS protection at the provider's network layer, is handled by the cloud provider, not the customer.

113
MCQeasy

A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Zero Trust
AnswerB

Granting only the necessary permissions for a job role is the definition of least privilege.

Why this answer

The configuration described—granting each user only the access and actions strictly necessary for their job role—is the direct definition of the least privilege principle. In Microsoft identity and access management, this is implemented by assigning the minimum required permissions via Azure RBAC roles (e.g., Reader instead of Contributor) or using Azure AD Privileged Identity Management (PIM) for just-in-time access. This minimizes the attack surface by ensuring users cannot exceed their authorized scope.

Exam trap

The trap here is that candidates confuse least privilege with separation of duties, but separation of duties focuses on splitting permissions across multiple people to prevent collusion, whereas least privilege restricts each individual to the minimum necessary access.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewall + antivirus + encryption) that uses multiple controls, not a single user-access restriction. Option C is wrong because separation of duties divides critical tasks among multiple users (e.g., one person requests a resource, another approves it) to prevent fraud, not to limit each user to their job-necessary access. Option D is wrong because Zero Trust is a broader security model (never trust, always verify) that includes least privilege as a component but also requires continuous authentication, device health checks, and micro-segmentation—not solely restricting access per job role.

114
MCQeasy

A company implements multiple layers of security controls including a firewall, an intrusion detection system (IDS), antivirus software on endpoints, and regular security awareness training for employees. This approach is an example of which security concept?

A.Zero Trust
B.Defense in depth
C.Least privilege
D.Shared responsibility
AnswerB

Correct. Defense in depth is the practice of layering diverse security controls to protect against threats, so that a failure in one control does not lead to a complete breach.

Why this answer

Defense in depth is the correct answer because the company is implementing multiple layers of security controls (firewall, IDS, antivirus, and security awareness training) to protect assets. This layered approach ensures that if one control fails, another control is in place to mitigate the threat, which is the core principle of defense in depth.

Exam trap

The trap here is that candidates often confuse defense in depth with Zero Trust because both involve multiple controls, but Zero Trust specifically focuses on identity verification and least-privilege access, not just layered defenses.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not simply the implementation of multiple security layers. Option C is wrong because least privilege is a principle that restricts users and systems to only the permissions necessary to perform their tasks, which is not demonstrated by the layered controls described. Option D is wrong because shared responsibility is a cloud computing model that delineates security obligations between the provider and customer, not an on-premises layered security approach.

115
MCQeasy

A company is implementing a new security policy that requires every user to have only the minimum permissions necessary to perform their job duties. Which security principle does this policy align with?

A.Defense in depth
B.Zero Trust
C.Principle of least privilege
D.Separation of duties
AnswerC

The principle of least privilege means users get only the permissions required to perform their job, minimizing potential damage from errors or attacks.

Why this answer

The policy requiring every user to have only the minimum permissions necessary to perform their job duties directly aligns with the Principle of Least Privilege. This principle dictates that users, applications, and systems should be granted the minimal level of access rights needed to complete their tasks, reducing the attack surface and limiting potential damage from compromised accounts. In Microsoft 365, this is implemented through Role-Based Access Control (RBAC) roles and Azure AD roles, where administrators assign specific permissions rather than broad administrative roles.

Exam trap

The trap here is that candidates often confuse the Principle of Least Privilege with Zero Trust, but Zero Trust is a broader framework that includes least privilege as one of its core pillars, not the specific policy of minimizing permissions per user.

How to eliminate wrong answers

Option A is wrong because Defense in Depth is a layered security strategy that uses multiple controls (e.g., firewalls, encryption, antivirus) to protect resources, not a principle about limiting individual user permissions. Option B is wrong because Zero Trust is a security model based on the principle of 'never trust, always verify,' which includes least privilege as a component but is broader, encompassing continuous authentication, device health checks, and micro-segmentation. Option D is wrong because Separation of Duties is a control that prevents a single individual from performing conflicting tasks (e.g., both creating and approving a purchase order), which reduces fraud risk but does not specifically address minimizing permissions per user role.

116
MCQeasy

A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?

A.Defense in Depth
B.Zero Trust
C.Least Privilege
D.Shared Responsibility
AnswerB

Zero Trust is based on the principle of 'never trust, always verify,' assumes breach, and verifies every access request regardless of location or network.

Why this answer

Zero Trust is the correct model because it explicitly assumes breach, eliminates implicit trust, and requires continuous validation of every access request. This aligns with the core Zero Trust principle of 'never trust, always verify,' which mandates that no user, device, or network is trusted by default, even if they are inside the corporate perimeter.

Exam trap

The trap here is that candidates often confuse Zero Trust with Least Privilege, but Zero Trust is a broader architectural model that includes continuous validation and breach assumption, whereas Least Privilege is only one component of access control.

How to eliminate wrong answers

Option A is wrong because Defense in Depth is a layered security strategy that uses multiple controls (e.g., firewalls, antivirus, IDS) to protect assets, but it does not inherently assume breach or require continuous verification of every access request. Option C is wrong because Least Privilege is a principle that grants users only the minimum permissions needed to perform their tasks, but it does not encompass the continuous validation or breach assumption aspects of the described model. Option D is wrong because Shared Responsibility is a cloud security model that defines which security tasks are handled by the cloud provider versus the customer, and it does not address the elimination of implicit trust or continuous access verification.

117
MCQeasy

Your organization uses Microsoft Defender XDR. The security team wants a central dashboard showing the overall security posture and recommended actions. Which tool should they use?

A.Microsoft Purview
B.Microsoft Entra ID
C.Microsoft Sentinel
D.Microsoft Secure Score
AnswerD

Microsoft Secure Score provides a centralized security posture dashboard.

Why this answer

Option D is correct because Microsoft Secure Score provides a dashboard with security recommendations and posture assessment. Option B is incorrect because Microsoft Entra ID is identity management. Option C is incorrect because Microsoft Sentinel is a SIEM.

Option A is incorrect because Microsoft Purview is for data governance and compliance.

118
MCQeasy

A small business uses Microsoft 365 Business Premium. The owner wants to ensure that employees can access their email and files from anywhere, but only from trusted devices that comply with company security policies (e.g., have antivirus enabled and are up-to-date). They have heard about Microsoft Intune but are not sure if it's included. You need to recommend a solution that enforces device compliance for accessing company data. What should you do?

A.Configure Conditional Access to require managed devices
B.Require all employees to use company-issued devices that are domain-joined
C.Use Microsoft Intune to create device compliance policies and a Conditional Access policy to require compliant devices
D.Enable Security Defaults in Entra ID
AnswerC

Intune is included in Business Premium and can enforce compliance.

Why this answer

Option C is correct because Microsoft 365 Business Premium includes Microsoft Intune, which can be used to create device compliance policies and a Conditional Access policy that requires compliant devices. Option D is wrong because security defaults do not enforce device compliance. Option B is wrong because requiring every employee's device to be domain-joined is unrealistic for a small business.

Option A is wrong because 'Require managed devices' is a Conditional Access grant control, but it depends on Intune enrollment, which that option does not mention.

119
MCQ · easy

A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Shared responsibility
Answer: A

Defense in depth uses multiple overlapping security controls so that the failure of one layer does not leave the organization unprotected.

Why this answer

Defense in depth is the correct principle because it describes a layered security strategy where multiple independent controls (firewall, IDS, antivirus, MFA) are deployed so that if one layer fails, another layer can still prevent or detect an attack. This approach explicitly relies on redundancy and diversity of controls to provide resilience against failures or bypasses, as illustrated by the architect's explanation of how each subsequent layer compensates for potential gaps in the previous one.

Exam trap

The trap here is that candidates may confuse 'Defense in depth' with 'Zero Trust' because both involve multiple controls, but Zero Trust is specifically about continuous verification and micro-segmentation, not the layered redundancy described in the scenario.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on deploying multiple overlapping security controls. Option C (Zero Trust) is wrong because it is a security model based on 'never trust, always verify' and continuous authentication/authorization for every access request, not specifically on layering independent defenses. Option D (Shared responsibility) is wrong because it is a cloud computing model that delineates security obligations between the provider and customer, not a strategy for stacking multiple on-premises or hybrid controls.

120
Multi-Select · easy

Which TWO of the following are benefits of using Microsoft Entra ID for identity management? (Choose two.)

Select 2 answers
A.Storing passwords in plaintext
B.Conditional Access policies
C.Single sign-on (SSO)
D.Local authentication for all apps
E.On-premises authentication only
Answers: B, C

Policies enforce access based on conditions.

Why this answer

Correct answers are B and C: Conditional Access provides policy-based access controls, and single sign-on (SSO) allows users to access multiple apps with one login. Option A is incorrect because storing passwords in plaintext is not a benefit. Option D is incorrect because local authentication for all apps is not a benefit of a cloud identity service. Option E is incorrect because on-premises-only authentication is not a benefit.

121
MCQ · easy

An organization adopts a Zero Trust security model. Which principle requires that every access request must be explicitly verified and granted least privilege regardless of the user's location or device?

A.Verify explicitly
B.Use least privilege access
C.Assume breach
D.Never trust, always verify
Answer: A

This principle states that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of network location or device.

Why this answer

The Zero Trust principle 'Verify explicitly' mandates that every access request—regardless of the user's location, device, or network—must be authenticated and authorized based on all available data points (e.g., user identity, device health, location, and real-time risk signals). This ensures that no implicit trust is granted, and least privilege is applied as a separate but complementary principle. In Microsoft's Zero Trust model, this is enforced through conditional access policies and continuous evaluation of session risk.

Exam trap

The trap here is that candidates confuse the popular phrase 'Never trust, always verify' with the official Microsoft Zero Trust principle 'Verify explicitly,' but the exam expects the exact terminology from the Microsoft documentation, not the generic slogan.

How to eliminate wrong answers

Option B is wrong because 'Use least privilege access' is a separate Zero Trust principle that limits user permissions to only what is needed for a task, but it does not address the requirement that every request must be explicitly verified regardless of location or device. Option C is wrong because 'Assume breach' is a principle focused on minimizing blast radius and segmenting access (e.g., using micro-segmentation and continuous monitoring), not on verifying every access request. Option D is wrong because 'Never trust, always verify' is a popular slogan summarizing Zero Trust philosophy, but it is not one of the three core principles defined by Microsoft (Verify explicitly, Use least privilege access, Assume breach); the question specifically asks for the principle that requires explicit verification and least privilege, and 'Verify explicitly' is the precise technical term.

122
MCQ · easy

An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
Answer: C

Correct. Confidentiality prevents unauthorized disclosure of information.

Why this answer

Confidentiality is the security principle that ensures data is accessible only to authorized users. When an attacker reads confidential customer emails without authorization, the confidentiality of that data has been breached, as the information was exposed to an unintended party.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, mistakenly thinking that any unauthorized access to data implies data modification, but the core violation in this scenario is the unauthorized disclosure of information, not its alteration.

How to eliminate wrong answers

Option A is wrong because integrity refers to the assurance that data has not been tampered with or altered; reading emails does not imply modification. Option B is wrong because availability ensures that systems and data are accessible when needed; the attacker reading emails does not prevent legitimate users from accessing the system. Option D is wrong because non-repudiation provides proof of the origin or delivery of data, typically through digital signatures or audit logs; the scenario involves unauthorized access, not a dispute over who sent or received a message.

123
MCQ · medium

You find the above JSON in a SharePoint document's metadata. Based on the exhibit, what is the effect of the label applied to the document?

A.The document is encrypted and can only be accessed by users in the finance@contoso.com group
B.The document is only marked as confidential but not encrypted
C.The document is encrypted and can be accessed by any user with the decryption key
D.The document will be retained for a specified period
Answer: A

The protection type 'user' with value 'finance@contoso.com' restricts access to that group.

Why this answer

Option A is correct because the label 'Confidential' has an 'encrypt' action with protection type 'user' and value 'finance@contoso.com', meaning the document is encrypted and access is restricted to the finance group. Option B is wrong because the label applies encryption, not just a visual marking. Option C is wrong because the protection restricts access to the specified group; it does not grant access to any user who holds a decryption key. Option D is wrong because the label does not include a retention setting.

124
MCQ · medium

A security architect explains the Zero Trust model to the board. They state that every access request must be fully authenticated and authorized based on identity, device health, location, and risk, regardless of whether the user is on the corporate network. Which Zero Trust principle does this statement represent?

A.Verify explicitly
B.Least privilege
C.Assume breach
D.Microsegmentation
Answer: A

Correct. This principle requires that every access request be fully authenticated and authorized using all signals before granting access.

Why this answer

The statement emphasizes that every access request must be authenticated and authorized based on identity, device health, location, and risk, regardless of network location. This directly aligns with the 'Verify explicitly' principle of Zero Trust, which mandates that authentication and authorization are performed for every request using all available data points, not just once at the perimeter.

Exam trap

The trap here is that candidates often confuse 'Verify explicitly' with 'Least privilege' because both involve access control, but 'Verify explicitly' is about the continuous authentication/authorization of every request, while 'Least privilege' is about limiting permissions after access is granted.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on limiting user access rights to only what is necessary to perform a task, not on the continuous verification of every request. Option C (Assume breach) is wrong because it deals with designing systems to minimize blast radius and segment access under the assumption that a breach has already occurred, not with the upfront verification of each request. Option D (Microsegmentation) is wrong because it is a network architecture technique that breaks the network into small, isolated segments to limit lateral movement, not a principle for authenticating and authorizing every access request.

125
MCQ · easy

A company wants to ensure that only users with appropriate permissions can access sensitive data stored in Microsoft SharePoint Online. Which principle should they implement?

A.Apply the principle of least privilege
B.Assign roles based on job function using role-based access control (RBAC)
C.Enable multi-factor authentication (MFA) for all users
D.Implement defense in depth
Answer: A

Directly answers the principle that limits permissions to only what is necessary.

Why this answer

The principle of least privilege ensures users have only the minimum permissions needed to perform their job, reducing the risk of unauthorized access. Option B is wrong because RBAC is a method for implementing least privilege, not the principle itself. Option C is wrong because MFA adds an extra authentication factor but does not limit permissions. Option D is wrong because defense in depth is a layered security approach, not specifically about permission minimization.

126
Multi-Select · easy

A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?

Select 2 answers
A.Authentication and Authorization
B.Identification and Non-repudiation
C.Encryption and Hashing
D.Accounting and Auditing
Answers: A, B

Correct. Entering credentials and then being denied access based on group membership are examples of authentication (proof of identity) and authorization (access rights).

Why this answer

The scenario demonstrates two distinct security concepts: authentication and authorization. The password plus temporary code from a mobile app (a form of multi-factor authentication) verifies the user's identity, which is authentication. The subsequent denial of access to the confidential document because the user is not a member of the 'Managers' group is authorization—the process of determining what resources an authenticated user is permitted to access.

In Microsoft Entra ID, authentication is handled via token issuance (e.g., SAML or OAuth 2.0), while authorization is enforced through role-based access control (RBAC) or directory role assignments.

Exam trap

The trap here is that candidates confuse authentication (proving identity) with authorization (granting access), and they may incorrectly select 'Identification and Non-repudiation' because they see the password entry as identification, but identification is the initial claim of identity (e.g., username), not the verification step shown in the scenario.

127
Multi-Select · medium

Which THREE of the following are key concepts of identity management in Microsoft Entra ID?

Select 3 answers
A.Encryption
B.Federation
C.Least privilege
D.Authorization
E.Authentication
Answers: B, D, E

Federation allows users to authenticate using external identity providers.

Why this answer

Authentication verifies identity, authorization grants access, and federation allows users to authenticate through external identity providers. Single sign-on is a feature rather than a core concept, although it is often listed alongside them. Least privilege is a security principle, not an identity management concept specific to Entra ID, and encryption is unrelated to identity management.

128
MCQ · hard

A company stores application secrets and encryption keys in Azure Key Vault. They want to move from the older vault access policy model to a more scalable and granular permission model that integrates with Azure's role-based access control (RBAC). They also need to audit permissions using Azure Policy. Which access configuration should they choose for Azure Key Vault?

A.Use a single vault access policy with the Contributor role
B.Enable the Azure RBAC permission model for Key Vault
C.Assign a managed identity to the Key Vault
D.Use a service principal and configure vault access policies per application
Answer: B

Azure Key Vault supports an RBAC-based authorization model where permissions for data plane operations (get, list, set secrets/keys) can be assigned via Azure RBAC roles. This allows centralized management and Azure Policy auditing.

Why this answer

Option B is correct because enabling the Azure RBAC permission model for Key Vault replaces the older vault access policy model with Azure's native role-based access control, providing granular, scalable permissions that integrate directly with Azure Policy for auditing. This model allows you to assign roles like Key Vault Secrets User or Key Vault Crypto Officer at the management plane, enabling centralized permission management across multiple vaults and supporting Azure Policy compliance checks.

Exam trap

The trap here is that candidates confuse 'managed identity' (an authentication mechanism for resources) with the permission model itself, or assume that vault access policies are still the recommended approach for scalability, when in fact Azure RBAC is the modern, policy-auditable solution.

How to eliminate wrong answers

Option A is wrong because using a single vault access policy with the Contributor role is not a scalable or granular approach; the Contributor role grants broad management-plane access (e.g., deleting the vault) rather than fine-grained data-plane permissions for secrets and keys, and it does not leverage Azure RBAC for Key Vault. Option C is wrong because assigning a managed identity to Key Vault is not an access configuration for the vault itself; managed identities are used by Azure resources to authenticate to Key Vault, not to define the permission model for the vault. Option D is wrong because using a service principal with vault access policies per application still relies on the older vault access policy model, which is less scalable and does not integrate with Azure Policy for auditing permissions across multiple vaults.

129
MCQ · easy

A company's IT department deploys a multi-layered security strategy that includes a perimeter firewall, network segmentation, endpoint antivirus software, data encryption, and employee security awareness training. Which security model does this approach represent?

A.Zero Trust
B.Least Privilege
C.Defense in Depth
D.Shared Responsibility
Answer: C

Defense in depth uses multiple overlapping security layers to reduce risk.

Why this answer

The described approach—combining perimeter firewalls, network segmentation, endpoint antivirus, encryption, and training—is the classic definition of Defense in Depth. This model layers multiple independent security controls so that if one layer fails (e.g., a firewall rule is misconfigured), subsequent layers (e.g., segmentation, antivirus) still protect the asset. It does not assume any single control is sufficient, which is the core principle of Defense in Depth.

Exam trap

The trap here is that candidates see 'firewall' and 'encryption' and immediately think Zero Trust, but Zero Trust requires explicit identity verification and micro-segmentation, not just a layered stack of traditional controls.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a model that explicitly assumes no implicit trust and requires continuous verification of every access request (e.g., using conditional access policies and micro-segmentation), whereas the question describes a layered set of static controls without the 'never trust, always verify' mandate. Option B is wrong because Least Privilege is a principle that restricts users and processes to only the permissions necessary for their tasks (e.g., via RBAC or JIT access), not a multi-layered security architecture. Option D is wrong because Shared Responsibility is a cloud model that defines which security tasks are handled by the provider vs. the customer (e.g., AWS handles physical security while the customer manages IAM), not a layered on-premises or hybrid security strategy.

130
MCQ · hard

A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?

A.Confidentiality, achieved through encryption
B.Integrity, achieved through hashing
C.Non-repudiation, achieved through digital signatures
D.Access control, achieved through permissions
Answer: C

Digital signatures provide authentication and integrity, and the sender cannot repudiate the signed data because only they possess their private key.

Why this answer

Non-repudiation ensures that a party cannot deny an action, such as sending an email. Digital signatures, which use asymmetric cryptography (e.g., RSA or ECDSA) and a hash of the message, provide cryptographic proof of the sender's identity and message integrity, making denial impossible.

Exam trap

The trap here is that candidates confuse integrity (hashing) with non-repudiation, not realizing that a hash alone lacks sender identity binding—only a digital signature provides the cryptographic proof of origin needed to prevent denial.

How to eliminate wrong answers

Option A is wrong because confidentiality, achieved through encryption (e.g., AES, TLS), protects data from unauthorized access but does not provide proof of origin or prevent denial of sending. Option B is wrong because integrity, achieved through hashing (e.g., SHA-256), ensures data has not been altered but does not bind the hash to a specific sender, so it cannot prevent repudiation. Option D is wrong because access control, achieved through permissions (e.g., NTFS permissions, RBAC), restricts who can perform actions but does not provide cryptographic evidence linking an action to a specific user.

131
MCQ · medium

A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?

A.Physical security of the data center hosting the application
B.Security of the underlying networking infrastructure
C.Managing user access and permissions for the application
D.Applying security patches to the application's code
Answer: C

The customer controls who uses the application and with what privileges. This is a customer responsibility regardless of the cloud service model.

Why this answer

In a SaaS model like a cloud-based CRM application, the customer is responsible for managing user access and permissions, including identity and access management (IAM), multi-factor authentication (MFA), and role-based access control (RBAC). The cloud provider handles the underlying infrastructure, platform, and application security, but the customer must control who can access the application and what they can do within it.

Exam trap

The trap here is that candidates often assume the customer is responsible for patching the application code in SaaS, but in reality, the provider handles all code-level patches, while the customer only manages user access and permissions.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the cloud provider's responsibility under the shared responsibility model for SaaS, as the customer has no physical access to the infrastructure. Option B is wrong because security of the underlying networking infrastructure, such as firewalls and network segmentation, is managed by the cloud provider in a SaaS deployment. Option D is wrong because applying security patches to the application's code is the cloud provider's responsibility in SaaS; the customer only manages configuration and user-level settings.

132
MCQ · easy

A company's security team implements a system where every access attempt to sensitive data is recorded, including who accessed the data and when. The logs are regularly reviewed to detect unauthorized access and to hold users accountable for their actions. Which security goal is primarily being addressed by this logging practice?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
Answer: D

Non-repudiation provides proof of actions taken by users, such as data access. Logs create an audit trail that can be used to hold users accountable and prevent denial of actions.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action. By recording who accessed sensitive data and when, the logging practice creates an audit trail that can prove a specific user accessed the data at a specific time, thereby preventing the user from denying that access. This directly addresses the security goal of non-repudiation.

Exam trap

The trap here is that candidates confuse logging with confidentiality or integrity, thinking that recording access prevents unauthorized viewing or data modification, when in fact logging is about accountability and non-repudiation.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on logging who accessed it. Option B is wrong because integrity ensures data has not been tampered with (e.g., through hashing or checksums), not on recording access events. Option C is wrong because availability ensures systems and data are accessible when needed (e.g., through redundancy or failover), not on tracking user actions.

133
MCQ · easy

A company implements multiple layers of security controls, including firewalls, antivirus software, access controls, and security awareness training. Which security concept does this approach best represent?

A.Zero Trust
B.Defense in depth
C.Shared responsibility
D.Least privilege
Answer: B

Defense in depth uses multiple overlapping layers of security controls (e.g., network, endpoint, access, awareness) to protect assets, making it the correct concept.

Why this answer

Defense in depth is the correct concept because it involves layering multiple independent security controls—such as firewalls, antivirus, access controls, and training—so that if one layer fails, others continue to protect the asset. This approach reduces the likelihood of a single point of failure and is a foundational strategy in cybersecurity architecture.

Exam trap

The trap here is that candidates confuse the layered approach of defense in depth with the Zero Trust model, but Zero Trust is specifically about eliminating implicit trust and enforcing per-request verification, not just adding multiple security layers.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model based on 'never trust, always verify' that requires continuous authentication and authorization for every access request, not simply the presence of multiple security layers. Option C is wrong because Shared responsibility is a cloud computing model that delineates security obligations between the provider and customer, not a strategy for deploying layered controls on-premises. Option D is wrong because Least privilege is a principle that grants users only the minimum permissions needed to perform their tasks, which is a specific access control practice, not a comprehensive layering strategy.

134
Drag & Drop · medium

Sequence the steps to configure a retention policy in the Microsoft Purview compliance portal.

Why this order

Retention policies require signing in, navigating to retention, creating a policy, selecting locations/conditions, and setting duration.

135
Multi-Select · hard

Which THREE of the following are core principles of the Zero Trust security model? (Choose three.)

Select 3 answers
A.Verify explicitly
B.Trust but verify
C.Assume breach
D.Least privilege
E.Single factor authentication
Answers: A, C, D

Zero Trust requires continuous verification of identities and devices.

Why this answer

Zero Trust principles include 'Verify explicitly', 'Least privilege', and 'Assume breach'. 'Trust but verify' is a traditional perimeter-based model. 'Single factor' contradicts explicit verification.

136
MCQ · easy

A company uses a financial accounting system where the employee who creates a purchase order cannot also approve it. This policy is designed to prevent a single individual from committing fraud by both initiating and approving a transaction. Which security principle does this practice primarily implement?

A.Least privilege
B.Separation of duties
C.Defense in depth
D.Zero Trust
Answer: B

This principle distributes critical functions among different individuals to prevent any single person from having excessive control, reducing the risk of fraud or error.

Why this answer

The practice of requiring different individuals to create and approve purchase orders directly implements the separation of duties principle. This security control ensures that no single person has complete control over a sensitive financial transaction, thereby reducing the risk of fraud or error. In the context of identity and access management, separation of duties enforces that conflicting tasks are assigned to different users to prevent abuse of privileges.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege limits the scope of permissions while separation of duties divides critical tasks to prevent a single point of failure or fraud.

How to eliminate wrong answers

Option A is wrong because least privilege focuses on granting users only the minimum permissions necessary to perform their job functions, not on splitting conflicting tasks among multiple users. Option C is wrong because defense in depth is a layered security strategy that combines multiple controls (e.g., firewalls, encryption, antivirus) to protect assets, not a specific control for segregating duties. Option D is wrong because Zero Trust is a security model based on 'never trust, always verify' and continuous authentication, not a principle that directly addresses the segregation of conflicting responsibilities.

137
MCQ · medium

A security architect is implementing a Zero Trust strategy. They state that all access requests must be verified continuously, regardless of where the request originates (corporate network or remote). They also emphasize that access is granted based on a policy that evaluates user identity, device health, location, and risk in real-time. Which Zero Trust guiding principle does this scenario primarily illustrate?

A.Verify explicitly
B.Use least privilege access
C.Assume breach
D.Enforce session controls
Answer: A

Correct. The 'Verify explicitly' principle means always authenticating and authorizing based on all available signals—identity, device, location, risk—not just network location.

Why this answer

The scenario explicitly describes continuous verification of all access requests based on real-time signals (user identity, device health, location, risk). This directly maps to the 'Verify explicitly' Zero Trust principle, which mandates that every access attempt must be authenticated and authorized using all available data points before granting access, regardless of network location.

Exam trap

The trap here is that candidates often confuse 'Verify explicitly' with 'Assume breach' because both involve continuous monitoring, but 'Verify explicitly' is specifically about authenticating and authorizing every request, while 'Assume breach' is about containment and detection after a compromise.

How to eliminate wrong answers

Option B is wrong because 'Use least privilege access' focuses on limiting permissions to the minimum required for a task, not on continuous verification of every request. Option C is wrong because 'Assume breach' is about designing systems to minimize blast radius and detect intrusions, not about verifying each access request in real-time. Option D is wrong because 'Enforce session controls' refers to monitoring and restricting actions within an established session, not the initial or continuous verification of access requests.

138
MCQ · medium

Your organization wants to ensure that only users with a specific sensitivity label can access a SharePoint site. Which Microsoft Purview feature should you configure?

A.Insider Risk Management
B.Communication Compliance
C.Data Lifecycle Management
D.Information Protection
Answer: D

Information Protection applies sensitivity labels that can enforce access controls on SharePoint sites.

Why this answer

Option D is correct because Microsoft Purview Information Protection allows you to apply sensitivity labels to content, and these labels can be used to control access to SharePoint sites via Conditional Access policies. Option A is wrong because Insider Risk Management detects risky activities but does not directly enforce label-based access. Option B is wrong because Communication Compliance monitors communications for policy violations. Option C is wrong because Data Lifecycle Management focuses on retention and deletion, not access control.

139
MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access resources using their own identity provider. Which Microsoft Entra feature should you use?

A.Microsoft Entra Permissions Management
B.Microsoft Entra Verified ID
C.Entra ID Governance
D.External ID
Answer: D

External ID enables external collaboration with self-service sign-up and support for external identity providers.

Why this answer

Option D is correct because Microsoft Entra External ID (formerly Azure AD B2B) allows external users to authenticate using their own identity providers. Option A is wrong because Microsoft Entra Permissions Management is for managing permissions in multi-cloud environments. Option B is wrong because Microsoft Entra Verified ID is for decentralized identity verification. Option C is wrong because Entra ID Governance focuses on identity lifecycle and access reviews.

140
MCQ · hard

A company uses Microsoft Purview to classify and protect data. They need to ensure that when a user attempts to share a file containing a credit card number externally, the file is blocked and the user is prompted with a policy tip. Which type of Microsoft Purview policy should they configure?

A.Retention policy
B.Insider Risk Management policy
C.Sensitivity label policy
D.Data Loss Prevention (DLP) policy
Answer: D

DLP policies can detect credit card numbers and block external sharing with a policy tip.

Why this answer

DLP policies can detect sensitive data like credit card numbers and enforce actions such as blocking sharing with a policy tip. Sensitivity labels require manual application or auto-labeling, but the block action is defined by DLP. Insider Risk Management focuses on risky user activities.

141
MCQ · easy

An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?

A.A
B.B
C.C
D.D
Answer: C

Correct. Zero Trust is characterized by 'never trust, always verify', assumption of breach, and least-privilege access.

Why this answer

This scenario describes the Zero Trust security model, which operates on the principle of 'never trust, always verify.' It requires authentication, authorization, and encryption for every access request, regardless of origin (inside or outside the network), and assumes breach to minimize blast radius through microsegmentation and least-privilege access. Option C is correct because it aligns with the core tenets of Zero Trust as defined by NIST SP 800-207.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense-in-depth or least-privilege, but Zero Trust uniquely requires explicit verification of every request and assumes breach, which is the key differentiator in this question.

How to eliminate wrong answers

Option A is wrong because it likely refers to a perimeter-based model (e.g., castle-and-moat), which trusts internal traffic by default and does not assume breach. Option B is wrong because it may represent a defense-in-depth model, which uses multiple layers of security but does not inherently distrust all requests or assume breach. Option D is wrong because it could indicate a least-privilege model, which focuses on minimal permissions but does not encompass the full Zero Trust principles of continuous verification, encryption, and blast radius reduction.

142
MCQ · medium

Fabrikam Inc. is a global manufacturing company that uses Microsoft Entra ID for identity management. They have recently experienced a security incident where an attacker compromised a user account and accessed sensitive intellectual property. The security team wants to implement identity protection measures to detect and respond to such attacks in the future. They need a solution that can automatically detect suspicious sign-in behavior, such as impossible travel and anomalous token issuance, and then take action to block the sign-in or require additional verification. Additionally, they want to integrate threat intelligence feeds to improve detection. Which Microsoft security solution should they use to meet these requirements?

A.Microsoft Defender for Identity
B.Microsoft Entra ID Protection
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
Answer: B

Detects sign-in risks and automates responses.

Why this answer

Option B is correct. Microsoft Entra ID Protection uses machine learning to detect sign-in and user risks such as impossible travel and anomalous token issuance, and its risk-based policies can automatically require MFA or block the sign-in. It also integrates with Microsoft threat intelligence.

Option A is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory signals, not cloud sign-ins. Option C is wrong because Microsoft Sentinel is a SIEM, not an automated response tool for sign-in risks. Option D is wrong because Microsoft Defender for Cloud Apps is for cloud app discovery and control, not primarily for sign-in risk detection.

143
Multi-Select · easy

Which TWO of the following are Microsoft Entra ID editions that include Identity Protection? (Choose two.)

Select 2 answers
A.Microsoft Entra External ID
B.Microsoft Entra ID Free
C.Microsoft Entra ID P1
D.Microsoft Entra ID P2
E.Microsoft Entra ID Governance
Answers: D, E

P2 includes Identity Protection.

Why this answer

Identity Protection is available in Microsoft Entra ID P2 (formerly Azure AD Premium P2) and in Microsoft Entra ID Governance, which includes the P2 feature set. The Free and P1 editions do not include Identity Protection.

144
MCQ · easy

A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
Answer: B

Integrity ensures that data remains accurate and unaltered by unauthorized parties, preventing tampering.

Why this answer

The principle of integrity ensures that data remains accurate and unaltered during storage, processing, or transmission, except by authorized entities. In the context of information security, integrity is specifically concerned with preventing unauthorized modification, deletion, or creation of data. This is often enforced through mechanisms such as hashing (e.g., SHA-256), digital signatures, and checksums (e.g., CRC32) that detect any tampering.

Exam trap

The trap here is that candidates often confuse integrity with confidentiality, mistakenly thinking that encryption (which protects confidentiality) also prevents modification, but encryption alone does not guarantee data has not been altered—integrity requires separate controls like hashing or digital signatures.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized disclosure of data, typically through encryption (e.g., AES-256) or access controls, not on preventing modification. Option C is wrong because availability ensures that systems and data are accessible to authorized users when needed, often via redundancy (e.g., RAID) or disaster recovery, and does not address data integrity. Option D is wrong because non-repudiation provides proof of the origin or delivery of data (e.g., through digital signatures or audit logs) that the sender or receiver cannot later deny, but it does not directly prevent unauthorized modification.

145
MCQ · easy

Which Microsoft Entra ID feature allows an organization to provide external partners with access to its applications while maintaining control over authentication and governance?

A.Microsoft Entra ID Governance
B.Microsoft Entra Domain Services
C.Microsoft Entra External ID
D.Microsoft Entra Permissions Management
Answer: C

External ID supports B2B and B2C scenarios, allowing external users to access corporate apps with controlled authentication.

Why this answer

Microsoft Entra External ID (including B2B collaboration) enables secure sharing of apps with external users. It allows the organization to manage identities and enforce policies like MFA for guests.

146
MCQ · easy

According to the Zero Trust security model, which principle assumes that a breach has already occurred and therefore requires segmenting access and monitoring for lateral movement?

A.Verify explicitly
B.Use least privilege
C.Assume breach
D.Trust but verify
Answer: C

Assume breach is the correct principle; it treats the network as already compromised, leading to segmentation and intense monitoring.

Why this answer

Option C is correct because the 'Assume breach' principle of the Zero Trust security model explicitly operates under the mindset that a breach has already occurred or is inevitable. This drives the need for segmenting access (e.g., micro-segmentation using network policies or Azure Virtual Network security groups) and continuous monitoring for lateral movement (e.g., using Microsoft Defender for Identity to detect pass-the-hash or Kerberos ticket attacks).

Exam trap

Microsoft often tests the distinction between 'Assume breach' and 'Verify explicitly' by presenting a scenario where a candidate might confuse the proactive verification of every request with the reactive assumption that a breach has already occurred, leading them to incorrectly select 'Verify explicitly' when the question specifically asks about segmentation and lateral movement monitoring.

How to eliminate wrong answers

Option A is wrong because 'Verify explicitly' mandates that every access request must be authenticated and authorized based on all available data points (e.g., user identity, device health, location), but it does not inherently assume a breach has occurred or drive segmentation for lateral movement. Option B is wrong because 'Use least privilege' ensures users and services have only the minimum permissions needed to perform their tasks (e.g., via Azure RBAC or Privileged Identity Management), but it is a principle of access control, not a breach assumption that triggers segmentation and lateral movement monitoring. Option D is wrong because 'Trust but verify' is an outdated model that assumes internal network trust, which contradicts Zero Trust's core premise of never trusting any entity by default; it does not assume a breach has already happened.

147
MCQ · hard

Refer to the exhibit. A security analyst runs this Microsoft Graph PowerShell command. What is the most likely purpose of this command?

A.To find users whose user principal name starts with 'j'.
B.To update the display names of users starting with 'j'.
C.To remove users whose user principal name starts with 'j'.
D.To list all users and their group memberships.
Answer: A

The filter selects users whose userPrincipalName starts with 'j'.

Why this answer

The command uses Get-MgUser with a filter to retrieve users whose userPrincipalName starts with 'j' and selects specific properties to display. Option D is wrong because the command does not retrieve group memberships. Option B is wrong because it does not perform any update.

Option C is wrong because it does not remove users.

148
MCQ · hard

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user executes a specific command on Azure VMs. Which data source should you connect to capture the command execution logs?

A.Office Activity log
B.Windows Security Events via Azure Monitor Agent
C.Azure AD audit logs
D.Azure Activity log
Answer: B

This captures command execution logs from the guest OS.

Why this answer

Option B is correct because a command executed inside a VM is recorded by the guest operating system (Windows event logs or Syslog), and Windows Security Events collected through the Azure Monitor Agent bring those guest OS events into Microsoft Sentinel. Option D is incorrect because the Azure Activity log captures control-plane resource management operations, not commands run inside the guest OS.

Option A is incorrect because Office Activity logs cover Microsoft 365 workloads. Option C is incorrect because Azure AD audit logs record identity events.

149
MCQ · medium

A security architect is explaining the Zero Trust model to the board. The architect emphasizes that the network perimeter can no longer be considered a safe zone. Which statement best describes the modern primary security perimeter according to Zero Trust principles?

A.The corporate network firewall and VPN
B.The identity of the user and device
C.The physical on-premises data center
D.The endpoint antivirus and anti-malware solution
Answer: B

Identity is the fundamental building block of Zero Trust; it is used to verify every access request and enforce least privilege, forming the new perimeter.

Why this answer

In the Zero Trust model, the primary security perimeter is the identity of the user and device, not the network location. This is because Zero Trust assumes breach and requires explicit verification for every access request, regardless of whether it originates from inside or outside the corporate network. By treating identity as the new control plane, organizations enforce least-privilege access and continuous authentication, making the user and device identity the critical trust boundary.

Exam trap

The trap here is that candidates often confuse the Zero Trust model with traditional defense-in-depth layers, mistakenly selecting the corporate firewall or VPN as the primary perimeter, when in fact Zero Trust shifts the trust boundary to the identity of the user and device.

How to eliminate wrong answers

Option A is wrong because the corporate network firewall and VPN represent a traditional perimeter-based security approach, which Zero Trust explicitly rejects as the primary security boundary; in Zero Trust, network location does not grant implicit trust. Option C is wrong because the physical on-premises data center is a legacy concept of a trusted internal zone, whereas Zero Trust assumes that threats can exist anywhere, including inside the data center. Option D is wrong because endpoint antivirus and anti-malware solutions are only one component of endpoint protection and do not serve as the primary security perimeter; Zero Trust focuses on identity and device health as the core trust decision point.

150
MCQ · hard

A security administrator receives an alert from Microsoft Sentinel about a possible brute-force attack against a virtual machine. The administrator wants to automatically block the attacker's IP address for 24 hours using a playbook. Which automation trigger should the playbook use?

A.Incident trigger
B.Alert trigger
C.Scheduled trigger
D.Action trigger
Answer: A

Incident triggers run playbooks when an incident is created, enabling automated response.

Why this answer

Option A is correct because a playbook triggered by an incident can automate response actions such as blocking an IP address. Option B is wrong because an alert trigger runs when an individual alert is generated, whereas the playbook should run on incident creation for a coordinated response. Option C is wrong because a scheduled trigger runs on a timer rather than being event-driven.

Option D is wrong because an action trigger is not a valid Sentinel trigger type.
